From: Martin Willi
Date: Wed, 11 Aug 2010 08:11:57 +0000 (+0200)
Subject: Double check that the OpenSSL RNG has been seeded, do so otherwise
X-Git-Tag: 4.5.0~535
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4ec53e95f5d8d490d82bf3c4c50f9517463b2185;p=thirdparty%2Fstrongswan.git
Double check that the OpenSSL RNG has been seeded, do so otherwise
---
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index f0a16ea945..d8c66dca0d 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -24,6 +24,7 @@
 #include "openssl_plugin.h"
 #include
+#include
 #include
 #include "openssl_util.h"
@@ -150,6 +151,31 @@ static void threading_init()
 }
 }
+/**
+ * Seed the OpenSSL RNG, if required
+ */
+static bool seed_rng()
+{
+ rng_t *rng = NULL;
+ char buf[32];
+
+ while (RAND_status() != 1)
+ {
+ if (!rng)
+ {
+ rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+ if (!rng)
+ {
+ return FALSE;
+ }
+ }
+ rng->get_bytes(rng, sizeof(buf), buf);
+ RAND_seed(buf, sizeof(buf));
+ }
+ DESTROY_IF(rng);
+ return TRUE;
+}
+
 /**
 * cleanup OpenSSL threading locks
 */
@@ -233,6 +259,13 @@ plugin_t *openssl_plugin_create()
 ENGINE_register_all_complete();
 #endif /* OPENSSL_NO_ENGINE */
+ if (!seed_rng())
+ {
+ DBG1(DBG_CFG, "no RNG found to seed OpenSSL");
+ destroy(this);
+ return NULL;
+ }
+
 /* crypter */
 lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, (crypter_constructor_t)openssl_crypter_create);
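Review bot: `buf` in seed_rng() still holds the 32 bytes passed to `RAND_seed()` when the function returns, so the seed material stays on the stack; it should be cleared after the loop with a wipe the compiler cannot elide (strongSwan's `memwipe()`, assuming this tree already provides it). The `while (RAND_status() != 1)` loop also has no upper bound: if the active RAND method never reports itself seeded (an engine-provided one may ignore `RAND_seed()`), plugin load would spin and keep draining the RNG_STRONG source, so a small retry cap that ends in `return FALSE` seems safer. If `get_bytes()` can fail in this tree, its result should be checked before `buf` is handed on, since `buf` is otherwise uninitialised. The sketch below shows the bounded loop and the wipe; the cap of 8 is a constructed example value.

```c
static bool seed_rng()
{
	rng_t *rng = NULL;
	char buf[32];
	bool seeded;
	int tries = 0;

	/* bounded so a RAND method that ignores RAND_seed() cannot hang plugin load */
	while (RAND_status() != 1 && tries++ < 8)
	{
		/* … unchanged: lazy create_rng(), get_bytes(), RAND_seed() … */
	}
	seeded = RAND_status() == 1;
	DESTROY_IF(rng);
	/* do not leave seed material behind on the stack */
	memwipe(buf, sizeof(buf));
	return seeded;
}
```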
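Review bot: The new failure branch after `ENGINE_register_all_complete()` makes the whole plugin fail to load whenever OpenSSL is unseeded and `create_rng(lib->crypto, RNG_STRONG)` finds no backend, which presumably ties it to another RNG plugin being loaded first; that dependency is not documented anywhere in the hunk. A comment above the check would make it visible, for example `/* if OpenSSL could not seed itself, an RNG_STRONG provider must already be registered */`. `destroy()` is defined outside the hunk, so it is worth confirming that it tolerates being called before any crypter, hasher or key constructor has been added. The body of openssl_plugin_create() starts and continues outside the hunk.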