From 5194446b7607f0cc057bbd268ce2979059dd9625 Mon Sep 17 00:00:00 2001 From: Remi Tricot-Le Breton Date: Mon, 16 May 2022 16:24:31 +0200 Subject: [PATCH] MEDIUM: ssl: Delay random generator initialization after config parsing The random generator initialization needs to be performed before the chroot but it is not needed before. If we want to add provider configuration option to the configuration file, they need to be processed before any call to a crypto-related OpenSSL function. We can then delay the initialization until after the configuration file is parsed and processed. --- src/haproxy.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/src/haproxy.c b/src/haproxy.c index d2cfbc0f3..f3cf30ec9 100644 --- a/src/haproxy.c +++ b/src/haproxy.c @@ -1507,19 +1507,6 @@ static void init_early(int argc, char **argv) exit(EXIT_FAILURE); } - /* Initialize the random generators */ -#ifdef USE_OPENSSL - /* Initialize SSL random generator. Must be called before chroot for - * access to /dev/urandom, and before ha_random_boot() which may use - * RAND_bytes(). - */ - if (!ssl_initialize_random()) { - ha_alert("OpenSSL random data generator initialization failed.\n"); - exit(EXIT_FAILURE); - } -#endif - ha_random_boot(argv); // the argv pointer brings some kernel-fed entropy - /* Some CPU affinity stuff may have to be initialized */ #ifdef USE_CPU_AFFINITY { @@ -2229,6 +2216,19 @@ static void init(int argc, char **argv) cfg_run_diagnostics(); } + /* Initialize the random generators */ +#ifdef USE_OPENSSL + /* Initialize SSL random generator. Must be called before chroot for + * access to /dev/urandom, and before ha_random_boot() which may use + * RAND_bytes(). + */ + if (!ssl_initialize_random()) { + ha_alert("OpenSSL random data generator initialization failed.\n"); + exit(EXIT_FAILURE); + } +#endif + ha_random_boot(argv); // the argv pointer brings some kernel-fed entropy + /* now we know the buffer size, we can initialize the channels and buffers */ init_buffer();