From 095a2c2eac4b5e9dbd9034afa6e86f3a0fee1036 Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Thu, 12 Sep 2019 16:15:46 +0200 Subject: [PATCH] openssl: Don't manually seed DRBG with OpenSSL 1.1.1 According to the documentation, it's generally not necessary to manually seed OpenSSL's DRBG (and it actually can cause the daemon to lock up during start up on systems with low entropy if OpenSSL is already trying to seed it itself and holds the lock). While that might already have been the case with earlier versions, it's not explicitly stated in their documentation. So we keep the code for these versions. --- src/libstrongswan/plugins/openssl/openssl_plugin.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index c2dbf53286..069136df0c 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c @@ -243,8 +243,11 @@ static void threading_cleanup() #endif +#if OPENSSL_VERSION_NUMBER < 0x1010100fL /** * Seed the OpenSSL RNG, if required + * Not necessary anymore with OpenSSL 1.1.1 (maybe wasn't already earlier, but + * it's now explicitly mentioned in the documentation). */ static bool seed_rng() { @@ -271,6 +274,7 @@ static bool seed_rng() DESTROY_IF(rng); return TRUE; } +#endif /* OPENSSL_VERSION_NUMBER */ /** * Generic key loader @@ -839,12 +843,14 @@ plugin_t *openssl_plugin_create() "openssl FIPS mode(%d) - %sabled ", fips_mode, fips_mode ? "en" : "dis"); #endif /* OPENSSL_FIPS */ +#if OPENSSL_VERSION_NUMBER < 0x1010100fL if (!seed_rng()) { DBG1(DBG_CFG, "no RNG found to seed OpenSSL"); destroy(this); return NULL; } +#endif /* OPENSSL_VERSION_NUMBER */ return &this->public.plugin; } -- 2.47.2