author | Martin Willi <martin@revosec.ch> | 2010-08-11 10:11:57 +0200 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2010-08-11 10:12:50 +0200 |
commit | 4ec53e95f5d8d490d82bf3c4c50f9517463b2185 (patch) | |
tree | 0b4430939f7b568509207b9b367d17b59596fa57 /src/libstrongswan/plugins/openssl | |
parent | d775af9d187c38a2a30cb52afebbe6eef03a7450 (diff) | |
Double check that the OpenSSL RNG has been seeded, do so otherwise
Diffstat (limited to 'src/libstrongswan/plugins/openssl')
-rw-r--r-- | src/libstrongswan/plugins/openssl/openssl_plugin.c | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index f0a16ea94..d8c66dca0 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -24,6 +24,7 @@
 #include "openssl_plugin.h"
 #include <library.h>
+#include <debug.h>
 #include <threading/thread.h>
 #include <threading/mutex.h>
 #include "openssl_util.h"
@@ -151,6 +152,31 @@ static void threading_init()
 }
 /**
+ * Seed the OpenSSL RNG, if required
+ */
+static bool seed_rng()
+{
+ rng_t *rng = NULL;
+ char buf[32];
+
+ while (RAND_status() != 1)
+ {
+ if (!rng)
+ {
+ rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+ if (!rng)
+ {
+ return FALSE;
+ }
+ }
+ rng->get_bytes(rng, sizeof(buf), buf);
+ RAND_seed(buf, sizeof(buf));
+ }
+ DESTROY_IF(rng);
+ return TRUE;
+}
+
+/**
 * cleanup OpenSSL threading locks
 */
 static void threading_cleanup()
@@ -233,6 +259,13 @@ plugin_t *openssl_plugin_create()
 ENGINE_register_all_complete();
 #endif /* OPENSSL_NO_ENGINE */
+ if (!seed_rng())
+ {
+ DBG1(DBG_CFG, "no RNG found to seed OpenSSL");
+ destroy(this);
+ return NULL;
+ }
+
 /* crypter */
 lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
 (crypter_constructor_t)openssl_crypter_create); |
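Review bot: The `while (RAND_status() != 1)` loop in seed_rng() has no upper bound, so plugin load would spin forever if the active OpenSSL RAND method never reports itself as seeded after RAND_seed(); whether that can happen depends on the RAND method in use, which this hunk does not show. Capping the attempts keeps the failure reportable, for example `int tries = 0;` with `while (RAND_status() != 1 && tries++ < 8)` and a final `return RAND_status() == 1;` after `DESTROY_IF(rng);`. Separately, once the loop has run, `buf` still holds the 32 bytes of seed material on the stack when the function returns; clearing it with a wipe the compiler cannot optimise away would keep the seed from lingering in memory.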
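Review bot: The new failure path in openssl_plugin_create() makes the plugin refuse to load when OpenSSL is unseeded and no RNG_STRONG provider is registered yet, which is a load-order dependency the code does not document. A comment above the check would make that visible to whoever debugs the log line, such as `/* needs an RNG plugin loaded before openssl if OpenSSL cannot seed itself */`. It is also worth confirming that `destroy(this)` is safe here, since it runs before any of the add_crypter() registrations that follow. destroy() is not visible in this hunk, and openssl_plugin_create() starts and ends outside it.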