MEDIUM: ssl: Delay random generator initialization after config parsing

The random generator initialization needs to be performed before the chroot but it is not needed before. If we want to add provider configuration option to the configuration file, they need to be processed before any call to a crypto-related OpenSSL function. We can then delay the initialization until after the configuration file is parsed and processed.
2025-04-17 04:26:59 +00:00 · 2022-05-16 16:24:31 +02:00 · 2022-05-16 16:24:31 +02:00 · 5194446b76
commit 5194446b76
parent 18c13d3bd8
1 changed files with 13 additions and 13 deletions
--- a/src/haproxy.c
+++ b/src/haproxy.c
@ -1507,19 +1507,6 @@ static void init_early(int argc, char **argv)
 		exit(EXIT_FAILURE);
 	}

-	/* Initialize the random generators */
-#ifdef USE_OPENSSL
-	/* Initialize SSL random generator. Must be called before chroot for
-	 * access to /dev/urandom, and before ha_random_boot() which may use
-	 * RAND_bytes().
-	 */
-	if (!ssl_initialize_random()) {
-		ha_alert("OpenSSL random data generator initialization failed.\n");
-		exit(EXIT_FAILURE);
-	}
-#endif
-	ha_random_boot(argv); // the argv pointer brings some kernel-fed entropy
-
 	/* Some CPU affinity stuff may have to be initialized */
 #ifdef USE_CPU_AFFINITY
 	{
@ -2229,6 +2216,19 @@ static void init(int argc, char **argv)
 		cfg_run_diagnostics();
 	}

+	/* Initialize the random generators */
+#ifdef USE_OPENSSL
+	/* Initialize SSL random generator. Must be called before chroot for
+	 * access to /dev/urandom, and before ha_random_boot() which may use
+	 * RAND_bytes().
+	 */
+	if (!ssl_initialize_random()) {
+		ha_alert("OpenSSL random data generator initialization failed.\n");
+		exit(EXIT_FAILURE);
+	}
+#endif
+	ha_random_boot(argv); // the argv pointer brings some kernel-fed entropy
+
 	/* now we know the buffer size, we can initialize the channels and buffers */
 	init_buffer();