tls: add initial seeding to cryptorand generator, as we don't do it i…

…n core

- add initial seeding to cryptorand generator initialization to main proces
- only as additional fallback in case of no access to system entropy sources
- not needed for 5.3 - we do it in here in the core for all processes

src/modules/tls/tls_mod.c

@@ -567,6 +567,7 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2)
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 	LM_DBG("setting cryptorand random engine\n");
+	ksr_cryptorand_seed_init();
 	RAND_set_rand_method(RAND_ksr_cryptorand_method());
 #endif
 

src/modules/tls/tls_rand.c

@@ -171,4 +171,19 @@ const RAND_METHOD *RAND_ksr_cryptorand_method(void)
     return &_ksr_cryptorand_method;
 }
 
+/* seed the generator during startup, internally it will also use system entropy */
+void ksr_cryptorand_seed_init() {
+        u_int8_t bytes[4];
+        unsigned int seed;
+
+        seed = fastrand();
+        bytes[0] = (seed >> 24) & 0xFF;
+        bytes[1] = (seed >> 16) & 0xFF;
+        bytes[2] = (seed >> 8)  & 0xFF;
+        bytes[3] = seed & 0xFF;
+
+        LM_DBG("seeding cryptorand generator with %u\n", seed);
+        sr_add_entropy(bytes, 4);
+}
+
 #endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */

src/modules/tls/tls_rand.h

@@ -29,5 +29,7 @@ const RAND_METHOD *RAND_ksr_krand_method(void);
 const RAND_METHOD *RAND_ksr_fastrand_method(void);
 const RAND_METHOD *RAND_ksr_cryptorand_method(void);
 
+void ksr_cryptorand_seed_init();
+
 #endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
 #endif