From: Tobias Brunner
Date: Thu, 12 Sep 2019 14:15:46 +0000 (+0200)
Subject: openssl: Don't manually seed DRBG with OpenSSL 1.1.1
X-Git-Tag: 5.8.2dr1~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=095a2c2eac4b5e9dbd9034afa6e86f3a0fee1036;p=thirdparty%2Fstrongswan.git

openssl: Don't manually seed DRBG with OpenSSL 1.1.1

According to the documentation, it's generally not necessary to manually seed OpenSSL's DRBG (and it actually can cause the daemon to lock up during start up on systems with low entropy if OpenSSL is already trying to seed it itself and holds the lock). While that might already have been the case with earlier versions, it's not explicitly stated in their documentation. So we keep the code for these versions.
---
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index c2dbf53286..069136df0c 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -243,8 +243,11 @@ static void threading_cleanup()
 #endif
+#if OPENSSL_VERSION_NUMBER < 0x1010100fL
 /**
  * Seed the OpenSSL RNG, if required
+ * Not necessary anymore with OpenSSL 1.1.1 (maybe wasn't already earlier, but
+ * it's now explicitly mentioned in the documentation).
  */
 static bool seed_rng()
 {
@@ -271,6 +274,7 @@ static bool seed_rng()
 DESTROY_IF(rng);
 return TRUE;
 }
+#endif /* OPENSSL_VERSION_NUMBER */
 /**
  * Generic key loader
@@ -839,12 +843,14 @@ plugin_t *openssl_plugin_create()
 "openssl FIPS mode(%d) - %sabled ", fips_mode, fips_mode ? "en" : "dis");
 #endif /* OPENSSL_FIPS */
+#if OPENSSL_VERSION_NUMBER < 0x1010100fL
 if (!seed_rng())
 {
 DBG1(DBG_CFG, "no RNG found to seed OpenSSL");
 destroy(this);
 return NULL;
 }
+#endif /* OPENSSL_VERSION_NUMBER */
 return &this->public.plugin;
 }
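Review bot: The guard `#if OPENSSL_VERSION_NUMBER < 0x1010100fL` added above seed_rng() in the first hunk is a bare numeric comparison, while the added comment only mentions OpenSSL 1.1.1. Forks that reuse the macro with a larger value (LibreSSL defines it as 0x20000000L) would lose the manual seeding too; that may well be intended, but it is not stated, and whether the plugin normalises the macro elsewhere cannot be seen from this hunk. I would add a comment line such as `* The version check also compiles this out for forks that report a higher OPENSSL_VERSION_NUMBER.` The same constant is repeated at the call site in openssl_plugin_create() (third hunk), so the two guards have to be changed together. The body of seed_rng() lies outside the hunk.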
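Review bot: In the third hunk, once the `if (!seed_rng())` block is compiled out for OpenSSL 1.1.1 and later, openssl_plugin_create() has no remaining path that refuses to load the plugin when the RNG cannot be seeded; the `destroy(this); return NULL;` branch exists only for older versions. On newer versions a seeding failure can surface only where random bytes are requested, so the code calling RAND_bytes() (outside this hunk, not checked here) has to test its return value. I would record that next to the guard so the absent check does not read as an omission, e.g. `/* OpenSSL >= 1.1.1 seeds its DRBG itself; a failure is reported by RAND_bytes() */`. The function begins outside the hunk.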