MINOR: ssl: always initialize random generator

Explicitly call ssl_initialize_random to initialize the random generator
in init() global function. If the initialization fails, the startup is
interrupted.

This commit is in preparation for support of ssl on dynamic servers. To
be able to activate ssl on dynamic servers, it is necessary to ensure
that the random generator is initialized on startup regardless of the
config. It cannot be called at runtime as access to /dev/urandom is
required.

This also has the effect of fixing the previous inconsistent behavior.
Indeed, if bind or server in the config are using ssl, the
initialization function was called, and if it failed, the startup was
interrupted. Otherwise, the ssl initialization code could have been
called through the ssl server for lua, but this time without blocking
the startup on error. Or not called at all if lua was deactivated.
Amaury Denoyelle 2021-05-19 15:35:29 +02:00
parent b11ad9ed61
commit c593bcdb43
3 changed files with 12 additions and 12 deletions


@ -120,6 +120,7 @@ int ssl_load_global_issuer_from_BIO(BIO *in, char *fp, char **err);
int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, char **err);
int ssl_sock_load_srv_cert(char *path, struct server *server, char **err);
void ssl_free_global_issuers(void);
int ssl_initialize_random(void);
int ssl_sock_load_cert_list_file(char *file, int dir, struct bind_conf *bind_conf, struct proxy *curproxy, char **err);
int ssl_init_single_engine(const char *engine_id, const char *def_algorithms);
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)


@ -1510,6 +1510,16 @@ static void init(int argc, char **argv)
if (init_acl() != 0)
exit(1);
#ifdef USE_OPENSSL
/* Initialize the random generator.
* Must be called before chroot for access to /dev/urandom
*/
if (!ssl_initialize_random()) {
ha_alert("OpenSSL random data generator initialization failed.\n");
exit(1);
}
#endif
/* Initialise lua. */
hlua_init();
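Review bot: The comment on the new block names only the chroot as an ordering constraint, but the call also sits directly before `hlua_init()`, and the commit description says Lua's SSL server used to reach the same initialization without failing startup. If that placement is deliberate, the comment should say so, so that a later reordering of init() does not move Lua setup ahead of the fatal check: `/* Initialize the random generator. Must run before chroot (needs /dev/urandom) and before hlua_init(), which may set up an SSL server. */`. init() begins and ends outside this hunk, so the position relative to the chroot itself cannot be confirmed from here.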


@ -3536,7 +3536,7 @@ static int ssl_sock_load_srv_ckchs(const char *path, struct ckch_store *ckchs,
* if the random is said as not implemented, because we expect that openssl
* will use another method once needed.
*/
static int ssl_initialize_random()
int ssl_initialize_random(void)
{
unsigned char random;
static int random_initialized = 0;
@ -4640,12 +4640,6 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
int cfgerr = 0;
SSL_CTX *ctx = srv->ssl_ctx.ctx;
/* Make sure openssl opens /dev/urandom before the chroot */
if (!ssl_initialize_random()) {
ha_alert("OpenSSL random data generator initialization failed.\n");
cfgerr++;
}
/* Automatic memory computations need to know we use SSL there */
global.ssl_used_backend = 1;
@ -4898,11 +4892,6 @@ int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf)
/* Automatic memory computations need to know we use SSL there */
global.ssl_used_frontend = 1;
/* Make sure openssl opens /dev/urandom before the chroot */
if (!ssl_initialize_random()) {
ha_alert("OpenSSL random data generator initialization failed.\n");
err++;
}
/* Create initial_ctx used to start the ssl connection before do switchctx */
if (!bind_conf->initial_ctx) {
err += ssl_initial_ctx(bind_conf);
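Review bot: The retained comment above `ssl_initialize_random()` says no error is returned when the random is "said as not implemented", so now that this function is the single fatal gate in init(), a successful return does not by itself show that the generator produced data. The function body lies outside the hunk, so this is inferred from the comment alone; the contract is worth stating on the now-exported function, e.g. `Returns non-zero on success, 0 on failure; a "not implemented" random is not treated as a failure.` The two later hunks drop the per-context calls in ssl_sock_prepare_srv_ctx() and ssl_sock_prepare_all_ctx(), which now rely entirely on init() having run the check first. A short comment at those sites, such as `/* random generator already initialized in init() */`, would keep that dependency visible to anyone calling these functions from a new path.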