1 files changed, 26 insertions, 15 deletions

diff --git a/entropy.c b/entropy.c
index c178c00cf61c..31a7f1c3ef54 100644
--- a/entropy.c
+++ b/entropy.c
@@ -24,6 +24,8 @@
 
 #include "includes.h"
 
+#define RANDOM_SEED_SIZE 48
+
 #ifdef WITH_OPENSSL
 
 #include <sys/types.h>
@@ -64,8 +66,6 @@
  */
 #ifndef OPENSSL_PRNG_ONLY
 
-#define RANDOM_SEED_SIZE 48
-
 /*
  * Collect 'len' bytes of entropy into 'buf' from PRNGD/EGD daemon
  * listening either on 'tcp_port', or via Unix domain socket at *
@@ -216,35 +216,46 @@ rexec_recv_rng_seed(struct sshbuf *m)
 void
 seed_rng(void)
 {
-#ifndef OPENSSL_PRNG_ONLY
 	unsigned char buf[RANDOM_SEED_SIZE];
-#endif
-	if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, SSLeay()))
+
+	/* Initialise libcrypto */
+	ssh_libcrypto_init();
+
+	if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER,
+	    OpenSSL_version_num()))
 		fatal("OpenSSL version mismatch. Built against %lx, you "
-		    "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
+		    "have %lx", (u_long)OPENSSL_VERSION_NUMBER,
+		    OpenSSL_version_num());
 
 #ifndef OPENSSL_PRNG_ONLY
-	if (RAND_status() == 1) {
+	if (RAND_status() == 1)
 		debug3("RNG is ready, skipping seeding");
-		return;
+	else {
+		if (seed_from_prngd(buf, sizeof(buf)) == -1)
+			fatal("Could not obtain seed from PRNGd");
+		RAND_add(buf, sizeof(buf), sizeof(buf));
 	}
-
-	if (seed_from_prngd(buf, sizeof(buf)) == -1)
-		fatal("Could not obtain seed from PRNGd");
-	RAND_add(buf, sizeof(buf), sizeof(buf));
-	memset(buf, '\0', sizeof(buf));
-
 #endif /* OPENSSL_PRNG_ONLY */
+
 	if (RAND_status() != 1)
 		fatal("PRNG is not seeded");
+
+	/* Ensure arc4random() is primed */
+	arc4random_buf(buf, sizeof(buf));
+	explicit_bzero(buf, sizeof(buf));
 }
 
 #else /* WITH_OPENSSL */
 
-/* Handled in arc4random() */
+/* Acutal initialisation is handled in arc4random() */
 void
 seed_rng(void)
 {
+	unsigned char buf[RANDOM_SEED_SIZE];
+
+	/* Ensure arc4random() is primed */
+	arc4random_buf(buf, sizeof(buf));
+	explicit_bzero(buf, sizeof(buf));
 }
 
 #endif /* WITH_OPENSSL */