From: Remi Tricot-Le Breton Date: Mon, 11 Aug 2025 13:55:35 +0000 (+0200) Subject: BUG/MINOR: init: Initialize random seed earlier in the init process X-Git-Tag: v3.3-dev7~45 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=15ee49e8222be2b34663fac838aa74e62f6c82ea;p=thirdparty%2Fhaproxy.git BUG/MINOR: init: Initialize random seed earlier in the init process The random seed used in ha_random functions needs to be first initialized by calling ha_random_boot. This function was called rather late in the init process, after the init functions (INITCALLS) are called and after the configuration parsing for instance which means that any ha_random call in an init function would return 0. This was the case in 'vars_init' and 'cache_init' which tried to build seeds for specific hash calculations but ended up not being seeded. This patch can be backported on all stable branches. --- diff --git a/src/haproxy.c b/src/haproxy.c index 213794d9e..e0f196a34 100644 --- a/src/haproxy.c +++ b/src/haproxy.c @@ -2215,19 +2215,6 @@ static void step_init_2(int argc, char** argv) if (global.mode & MODE_DUMP_CFG) deinit_and_exit(0); -#ifdef USE_OPENSSL - - /* Initialize SSL random generator. Must be called before chroot for - * access to /dev/urandom, and before ha_random_boot() which may use - * RAND_bytes(). - */ - if (!ssl_initialize_random()) { - ha_alert("OpenSSL random data generator initialization failed.\n"); - exit(EXIT_FAILURE); - } -#endif - ha_random_boot(argv); // the argv pointer brings some kernel-fed entropy - /* now we know the buffer size, we can initialize the channels and buffers */ init_buffer(); @@ -3154,6 +3141,19 @@ int main(int argc, char **argv) rlim_fd_cur_at_boot = limit.rlim_cur; rlim_fd_max_at_boot = limit.rlim_max; +#ifdef USE_OPENSSL + + /* Initialize SSL random generator. Must be called before chroot for + * access to /dev/urandom, and before ha_random_boot() which may use + * RAND_bytes(). + */ + if (!ssl_initialize_random()) { + ha_alert("OpenSSL random data generator initialization failed.\n"); + exit(EXIT_FAILURE); + } +#endif + ha_random_boot(argv); // the argv pointer brings some kernel-fed entropy + /* process all initcalls in order of potential dependency */ RUN_INITCALLS(STG_PREPARE); RUN_INITCALLS(STG_LOCK);