From 35da11e690978a55d3a0b72ec667212bffa44aad Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Aug 15 2013 05:07:38 +0000
Subject: Check that OpenSSL's RNG is ready for keygen

Check if OpenSSL's PRNG is ready for key generation. If it isn't, just error out, because up until now we've been assuming that the right thing was happening automatically, and not taking corrective action here will flush out any places where that's been the wrong thing.
---
diff --git a/src/keygen-o.c b/src/keygen-o.c
index c540e49..1856827 100644
--- a/src/keygen-o.c
+++ b/src/keygen-o.c
@@ -30,6 +30,7 @@
 #include
 #include
+#include
 #include
 #include
@@ -78,6 +79,10 @@ cm_keygen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 case cm_key_rsa:
 util_o_init();
 ERR_load_crypto_strings();
+if (RAND_status() != 1) {
+cm_log(1, "PRNG not seeded for generating key.\n");
+_exit(CM_STATUS_ERROR_INTERNAL);
+}
 pkey = EVP_PKEY_new();
 if (pkey == NULL) {
 cm_log(1, "Internal error generating key.\n");
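Review bot: The RAND_status() guard is placed inside the `case cm_key_rsa:` arm, so any other key type the enclosing switch handles (the switch and cm_keygen_o_main both begin and end outside this hunk) would bypass it; if further case labels exist, moving the check above the switch gives every key type the same seeding precondition. Refusing to proceed is the right failure mode here, since a key derived from an unseeded PRNG cannot be recognised as weak after the fact, and the branch appears to follow the surrounding `cm_log` style for fatal errors. Note that RAND_status() only reports whether OpenSSL considers its pool seeded, not where the seed came from, so this is a sanity check rather than a guarantee of entropy quality. A one-line comment would make the intent clear to the next reader, e.g. `/* Never generate a key from an unseeded PRNG; fail loudly instead. */`.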