>From 575e0655cfdc4a59362924ad4f129e001fab45cc Mon Sep 17 00:00:00 2001 From: Ander Juarist Date: Sat, 28 Apr 2018 20:07:46 +0200 Subject: [PATCH 2/3] OpenSSL: Better seeding of PRNG * src/openssl.c (init_prng): keep gathering entropy even though we already have enough (ssl_connect_with_timeout_callback): reseed PRNG again just before the handshake Reported-by: Jeffrey Walton --- src/openssl.c | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/src/openssl.c b/src/openssl.c index 3f155b05..6cf4afe9 100644 --- a/src/openssl.c +++ b/src/openssl.c @@ -67,10 +67,6 @@ init_prng (void) char namebuf[256]; const char *random_file; - if (RAND_status ()) - /* The PRNG has been seeded; no further action is necessary. */ - return; - /* Seed from a file specified by the user. This will be the file specified with --random-file, $RANDFILE, if set, or ~/.rnd, if it exists. */ @@ -88,18 +84,12 @@ init_prng (void) curl) from random file. */ RAND_load_file (random_file, 16384); - if (RAND_status ()) - return; - #ifdef HAVE_RAND_EGD /* Get random data from EGD if opt.egd_file was used. */ if (opt.egd_file && *opt.egd_file) RAND_egd (opt.egd_file); #endif - if (RAND_status ()) - return; - #ifdef WINDOWS /* Under Windows, we can try to seed the PRNG using screen content. This may or may not work, depending on whether we'll calling Wget @@ -638,6 +628,15 @@ ssl_connect_wget (int fd, const char *hostname, int *continue_session) goto error; SSL_set_connect_state (conn); + /* Re-seed the PRNG before the SSL handshake */ + init_prng (); + if (RAND_status () != 1) + { + logprintf(LOG_NOTQUIET, + _("WARNING: Could not seed PRNG. Consider using --random-file.\n")); + goto error; + } + scwt_ctx.ssl = conn; if (run_with_timeout(opt.read_timeout, ssl_connect_with_timeout_callback, &scwt_ctx)) { -- 2.14.1
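Review bot: After the early `RAND_status ()` return at the top of init_prng is deleted, nothing in the visible lines records why seeding carries on when OpenSSL already reports a seeded PRNG. The removed comment was the only statement of the old contract here. A one-line comment where that block stood would keep the intent visible, for example `/* Mix in every configured source even when RAND_status () already reports a seeded PRNG. */`. The function begins before and ends after this hunk, so any header comment that describes the early exit would need the same update.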
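Review bot: `RAND_load_file (random_file, 16384)` and `RAND_egd (opt.egd_file)` still discard their results in the second init_prng hunk, so now that every source always runs, a failed read looks the same as a successful one. An unreadable or empty --random-file passes silently whenever another source satisfies the later status check. A debug line such as `if (RAND_load_file (random_file, 16384) <= 0) DEBUGP (("No seed data read from %s.\n", random_file));` would make that diagnosable, and the RAND_egd call under HAVE_RAND_EGD deserves the same treatment. init_prng continues beyond both ends of the hunk.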
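Review bot: In the ssl_connect_wget hunk, `RAND_status () != 1` after `init_prng ()` tells you only that OpenSSL counts enough seed bytes, not that anything fresh was mixed in. As far as the init_prng hunks show, every connection re-reads the same seed file, which adds no new unpredictability after the first read. The comment should say what the reseed relies on, e.g. `/* Re-seed before the handshake.  Re-reading a static seed file adds nothing new; fresh input comes only from the other sources init_prng consults. */`. The message is tagged `WARNING` although the code takes `goto error` and abandons the connection, so its wording should say the connection is refused. The commit message attributes this change to ssl_connect_with_timeout_callback while the hunk header places it in ssl_connect_wget, and the `error` label lies outside the hunk.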