From 5fdb5b36e1e0bef9b8a79c3550bd7a8751bac396 Mon Sep 17 00:00:00 2001
From: William Lallemand <wlallemand@haproxy.com>
Date: Tue, 15 Oct 2019 14:04:08 +0200
Subject: [PATCH] BUG/MINOR: mworker/ssl: close openssl FDs unconditionally

Patch 56996da ("BUG/MINOR: mworker/ssl: close OpenSSL FDs on reload")
fixes a issue where the /dev/random FD was leaked by OpenSSL upon a
reload in master worker mode. Indeed the FD was not flagged with
CLOEXEC.

The fix was checking if ssl_used_frontend or ssl_used_backend were set
to close the FD. This is wrong, indeed the lua init code creates an SSL
server without increasing the backend value, so the deinit is never
done when you don't use SSL in your configuration.

To reproduce the problem you just need to build haproxy with openssl and
lua with an openssl which does not use the getrandom() syscall.  No
openssl nor lua configuration are required for haproxy.

This patch must be backported as far as 1.8.

Fix issue #314.
---
 src/haproxy.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/haproxy.c b/src/haproxy.c
index a4f2e0df5..a7f294d6a 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -757,9 +757,8 @@ void mworker_reload()
 			deinit_pollers();
 	}
 #if defined(USE_OPENSSL) && (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
-	if (global.ssl_used_frontend || global.ssl_used_backend)
-		/* close random device FDs */
-		RAND_keep_random_devices_open(0);
+	/* close random device FDs */
+	RAND_keep_random_devices_open(0);
 #endif
 
 	/* restore the initial FD limits */