From: William Lallemand
Date: Tue, 15 Oct 2019 12:04:08 +0000 (+0200)
Subject: BUG/MINOR: mworker/ssl: close openssl FDs unconditionally
X-Git-Tag: v2.1-dev3~57
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5fdb5b36e1e0bef9b8a79c3550bd7a8751bac396;p=thirdparty%2Fhaproxy.git

BUG/MINOR: mworker/ssl: close openssl FDs unconditionally

Patch 56996da ("BUG/MINOR: mworker/ssl: close OpenSSL FDs on reload") fixes an issue where the /dev/random FD was leaked by OpenSSL upon a reload in master worker mode. Indeed the FD was not flagged with CLOEXEC.

The fix was checking if ssl_used_frontend or ssl_used_backend were set to close the FD. This is wrong, indeed the lua init code creates an SSL server without increasing the backend value, so the deinit is never done when you don't use SSL in your configuration.

To reproduce the problem you just need to build haproxy with openssl and lua with an openssl which does not use the getrandom() syscall. No openssl nor lua configuration is required for haproxy.

This patch must be backported as far as 1.8.

Fix issue #314.
---
diff --git a/src/haproxy.c b/src/haproxy.c index a4f2e0df53..a7f294d6a0 100644 --- a/src/haproxy.c +++ b/src/haproxy.c @@ -757,9 +757,8 @@ void mworker_reload() deinit_pollers(); } #if defined(USE_OPENSSL) && (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L) - if (global.ssl_used_frontend || global.ssl_used_backend) - /* close random device FDs */ - RAND_keep_random_devices_open(0); + /* close random device FDs */ + RAND_keep_random_devices_open(0); #endif /* restore the initial FD limits */
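Review bot: dropping the `global.ssl_used_frontend || global.ssl_used_backend` guard in mworker_reload() is the right fix, but the surviving comment `/* close random device FDs */` no longer records why the call is now made unconditionally, so a later reader could re-introduce the same guard to "avoid useless work". Suggest extending the comment with the reason given in the commit message, e.g. `/* unconditional: lua can create SSL servers without bumping ssl_used_* */`, so the invariant lives next to the code rather than only in the history. The `#if defined(USE_OPENSSL) && (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)` guard is unchanged, so the call is still compiled only where RAND_keep_random_devices_open() is available; worth confirming on the 1.8 backport that the same guard is present at the destination.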