From: Amaury Denoyelle Date: Wed, 19 May 2021 13:35:29 +0000 (+0200) Subject: MINOR: ssl: always initialize random generator X-Git-Tag: v2.5-dev1~79 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c593bcdb434b6af6a20225e5aec74bc11558e32e;p=thirdparty%2Fhaproxy.git MINOR: ssl: always initialize random generator Explicitly call ssl_initialize_random to initialize the random generator in init() global function. If the initialization fails, the startup is interrupted. This commit is in preparation for support of ssl on dynamic servers. To be able to activate ssl on dynamic servers, it is necessary to ensure that the random generator is initialized on startup regardless of the config. It cannot be called at runtime as access to /dev/urandom is required. This also has the effect to fix the previous non-consistent behavior. Indeed, if bind or server in the config are using ssl, the initialization function was called, and if it failed, the startup was interrupted. Otherwise, the ssl initialization code could have been called through the ssl server for lua, but this times without blocking the startup on error. Or not called at all if lua was deactivated.
---
diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
index 9978abc08d..cb9c0b86ca 100644
--- a/include/haproxy/ssl_sock.h
+++ b/include/haproxy/ssl_sock.h
@@ -120,6 +120,7 @@ int ssl_load_global_issuer_from_BIO(BIO *in, char *fp, char **err);
 int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err);
 int ssl_sock_load_srv_cert(char *path, struct server *server, char **err);
 void ssl_free_global_issuers(void);
+int ssl_initialize_random(void);
 int ssl_sock_load_cert_list_file(char *file, int dir, struct bind_conf *bind_conf, struct proxy *curproxy, char **err);
 int ssl_init_single_engine(const char *engine_id, const char *def_algorithms);
 #if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
diff --git a/src/haproxy.c b/src/haproxy.c index c05f18d76e..7e0141335e 100644 --- a/src/haproxy.c +++ b/src/haproxy.c @@ -1510,6 +1510,16 @@ static void init(int argc, char **argv) if (init_acl() != 0) exit(1); +#ifdef USE_OPENSSL + /* Initialize the random generator. + * Must be called before chroot for access to /dev/urandom + */ + if (!ssl_initialize_random()) { + ha_alert("OpenSSL random data generator initialization failed.\n"); + exit(1); + } +#endif + /* Initialise lua. */ hlua_init(); diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 059fef3f42..4ebf56f2a6 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3536,7 +3536,7 @@ static int ssl_sock_load_srv_ckchs(const char *path, struct ckch_store *ckchs, * if the random is said as not implemented, because we expect that openssl * will use another method once needed. */ -static int ssl_initialize_random() +int ssl_initialize_random(void) { unsigned char random; static int random_initialized = 0; @@ -4640,12 +4640,6 @@ int ssl_sock_prepare_srv_ctx(struct server *srv) int cfgerr = 0; SSL_CTX *ctx = srv->ssl_ctx.ctx; - /* Make sure openssl opens /dev/urandom before the chroot */ - if (!ssl_initialize_random()) { - ha_alert("OpenSSL random data generator initialization failed.\n"); - cfgerr++; - } - /* Automatic memory computations need to know we use SSL there */ global.ssl_used_backend = 1; @@ -4898,11 +4892,6 @@ int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf) /* Automatic memory computations need to know we use SSL there */ global.ssl_used_frontend = 1; - /* Make sure openssl opens /dev/urandom before the chroot */ - if (!ssl_initialize_random()) { - ha_alert("OpenSSL random data generator initialization failed.\n"); - err++; - } /* Create initial_ctx used to start the ssl connection before do switchctx */ if (!bind_conf->initial_ctx) { err += ssl_initial_ctx(bind_conf);
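Review bot: The comment on the new `#ifdef USE_OPENSSL` block in init() explains the chroot constraint but not what a passing check guarantees. The only hint is the partly visible comment above ssl_initialize_random() in src/ssl_sock.c, which appears to say the function tolerates a generator reported as not implemented. Since this call is now the single startup gate that later runtime SSL setup depends on, I would add a line such as `* A non-zero return only means no hard failure was reported; see ssl_initialize_random() for the "not implemented" case.`, once that reading is confirmed. The alert could also point operators in minimal chroots or containers at the likely cause: `ha_alert("OpenSSL random data generator initialization failed (is /dev/urandom accessible?).\n");`. init() starts and ends outside this hunk, so it cannot be confirmed from here that the call precedes every path that touches OpenSSL.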
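Review bot: Now that ssl_initialize_random() is exported at `-3536,7 +3536,7` in src/ssl_sock.c, its header comment (only the tail is visible above the signature) should state the calling contract. The context shows a function-local `static int random_initialized` guard with nothing visible in the hunk protecting it against concurrent callers, and the commit message says the function cannot be called at runtime. I would add a line such as `* Must only be called during startup, before chroot and before threads are started; returns non-zero on success.` The body continues past the end of this hunk, so the return convention is inferred from the `if (!ssl_initialize_random())` callers and should be confirmed before it is documented.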