Double check that the OpenSSL RNG has been seeded, do so otherwise

diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index f0a16ea9454808d8e865f298a0817055f94ac3f0..d8c66dca0db5d68c9cbc70a758e955c28c0face1 100644 (file)
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -24,6 +24,7 @@
 #include "openssl_plugin.h"
 
 #include <library.h>
+#include <debug.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
 #include "openssl_util.h"
@@ -150,6 +151,31 @@ static void threading_init()
        }
 }
 
+/**
+ * Seed the OpenSSL RNG, if required
+ */
+static bool seed_rng()
+{
+       rng_t *rng = NULL;
+       char buf[32];
+
+       while (RAND_status() != 1)
+       {
+               if (!rng)
+               {
+                       rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+                       if (!rng)
+                       {
+                               return FALSE;
+                       }
+               }
+               rng->get_bytes(rng, sizeof(buf), buf);
+               RAND_seed(buf, sizeof(buf));
+       }
+       DESTROY_IF(rng);
+       return TRUE;
+}
+
 /**
  * cleanup OpenSSL threading locks
  */
@@ -233,6 +259,13 @@ plugin_t *openssl_plugin_create()
        ENGINE_register_all_complete();
 #endif /* OPENSSL_NO_ENGINE */
 
+       if (!seed_rng())
+       {
+               DBG1(DBG_CFG, "no RNG found to seed OpenSSL");
+               destroy(this);
+               return NULL;
+       }
+
        /* crypter */
        lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
                                        (crypter_constructor_t)openssl_crypter_create);