MEDIUM: ssl: Delay random generator initialization after config parsing
The random generator initialization needs to be performed before the
chroot but it is not needed before. If we want to add provider
configuration option to the configuration file, they need to be
processed before any call to a crypto-related OpenSSL function.
We can then delay the initialization until after the configuration file
is parsed and processed.
diff --git a/src/haproxy.c b/src/haproxy.c
index d2cfbc0..f3cf30e 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -1507,19 +1507,6 @@
exit(EXIT_FAILURE);
}
- /* Initialize the random generators */
-#ifdef USE_OPENSSL
- /* Initialize SSL random generator. Must be called before chroot for
- * access to /dev/urandom, and before ha_random_boot() which may use
- * RAND_bytes().
- */
- if (!ssl_initialize_random()) {
- ha_alert("OpenSSL random data generator initialization failed.\n");
- exit(EXIT_FAILURE);
- }
-#endif
- ha_random_boot(argv); // the argv pointer brings some kernel-fed entropy
-
/* Some CPU affinity stuff may have to be initialized */
#ifdef USE_CPU_AFFINITY
{
@@ -2229,6 +2216,19 @@
cfg_run_diagnostics();
}
+ /* Initialize the random generators */
+#ifdef USE_OPENSSL
+ /* Initialize SSL random generator. Must be called before chroot for
+ * access to /dev/urandom, and before ha_random_boot() which may use
+ * RAND_bytes().
+ */
+ if (!ssl_initialize_random()) {
+ ha_alert("OpenSSL random data generator initialization failed.\n");
+ exit(EXIT_FAILURE);
+ }
+#endif
+ ha_random_boot(argv); // the argv pointer brings some kernel-fed entropy
+
/* now we know the buffer size, we can initialize the channels and buffers */
init_buffer();