Fail early in folly::ssl::init() if we can't initialize

Reviewed By: yfeldblum

Differential Revision: D15610738

fbshipit-source-id: 367919db6465536e215735400652d33290930ca0

folly/ssl/Init.cpp

@@ -36,8 +36,18 @@ void initializeOpenSSLLocked() {
   if (initialized_) {
     return;
   }
-  OPENSSL_init_ssl(0, nullptr);
-  randomize();
+  if (OPENSSL_init_ssl(0, nullptr) != 1) {
+    // Fail early if we fail to initialize OpenSSL. Ignoring this means that
+    // future OpenSSL methods may segfault, since there is an implicit
+    // precondition that initialization properly initializes internal OpenSSL
+    // pointers to global resources.
+    throw std::runtime_error("Failed to initialize OpenSSL.");
+  }
+  if (RAND_poll() != 1) {
+    // Similarly, if we fail to seed the RNG, future crypto operations
+    // may no longer be safe to use; fail fast and hard here.
+    throw std::runtime_error("Failed to initialize OpenSSL RNG.");
+  }
   initialized_ = true;
 }
 
@@ -84,10 +94,6 @@ void setLockTypes(LockTypeMapping inLockTypes) {
   detail::setLockTypes(std::move(inLockTypes));
 }
 
-void randomize() {
-  RAND_poll();
-}
-
 bool isLockDisabled(int lockId) {
   return detail::isSSLLockDisabled(lockId);
 }

folly/ssl/Init.h

@@ -21,6 +21,7 @@
 
 namespace folly {
 namespace ssl {
+
 /**
  * Initializes openssl. This should be invoked once, during the start of an
  * application. Subsequent calls to this function are no-ops.
@@ -81,8 +82,5 @@ void setLockTypes(LockTypeMapping inLockTypes);
 void setLockTypesAndInit(LockTypeMapping lockTypes);
 
 bool isLockDisabled(int lockId);
-
-void randomize();
-
 } // namespace ssl
 } // namespace folly