From 06d4f75a6563919e3d99434b3669e65a9a3c300b Mon Sep 17 00:00:00 2001 From: Remi Tricot-Le Breton Date: Mon, 11 Aug 2025 15:55:35 +0200 Subject: [PATCH] BUG/MINOR: init: Initialize random seed earlier in the init process The random seed used in ha_random functions needs to be first initialized by calling ha_random_boot. This function was called rather late in the init process, after the init functions (INITCALLS) are called and after the configuration parsing for instance which means that any ha_random call in an init function would return 0. This was the case in 'vars_init' and 'cache_init' which tried to build seeds for specific hash calculations but ended up not being seeded. This patch can be backported on all stable branches. (cherry picked from commit 15ee49e8222be2b34663fac838aa74e62f6c82ea) Signed-off-by: Amaury Denoyelle (cherry picked from commit f7fbb55f0dcbbb44f6d20950bc1c0835699c85b6) Signed-off-by: Christopher Faulet (cherry picked from commit 0429f236a3adae23ca173cf11b74ccfd8099168f) Signed-off-by: Christopher Faulet --- src/haproxy.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/src/haproxy.c b/src/haproxy.c index 5b79414..f01ad2a 100644 --- a/src/haproxy.c +++ b/src/haproxy.c @@ -2486,19 +2486,6 @@ static void init(int argc, char **argv) if (global.mode & MODE_DUMP_CFG) deinit_and_exit(0); -#ifdef USE_OPENSSL - - /* Initialize SSL random generator. Must be called before chroot for - * access to /dev/urandom, and before ha_random_boot() which may use - * RAND_bytes(). - */ - if (!ssl_initialize_random()) { - ha_alert("OpenSSL random data generator initialization failed.\n"); - exit(EXIT_FAILURE); - } -#endif - ha_random_boot(argv); // the argv pointer brings some kernel-fed entropy - /* now we know the buffer size, we can initialize the channels and buffers */ init_buffer(); @@ -3449,6 +3436,19 @@ int main(int argc, char **argv) rlim_fd_cur_at_boot = limit.rlim_cur; rlim_fd_max_at_boot = limit.rlim_max; +#ifdef USE_OPENSSL + + /* Initialize SSL random generator. Must be called before chroot for + * access to /dev/urandom, and before ha_random_boot() which may use + * RAND_bytes(). + */ + if (!ssl_initialize_random()) { + ha_alert("OpenSSL random data generator initialization failed.\n"); + exit(EXIT_FAILURE); + } +#endif + ha_random_boot(argv); // the argv pointer brings some kernel-fed entropy + /* process all initcalls in order of potential dependency */ RUN_INITCALLS(STG_PREPARE); RUN_INITCALLS(STG_LOCK); -- 1.7.10.4