mirror of
https://git.freebsd.org/ports.git
synced 2025-05-25 15:36:35 -04:00
171 lines
4.4 KiB
Diff
171 lines
4.4 KiB
Diff
From 37816d2fbb3e66fa1eb09d0e8f4dadd3f376324f Mon Sep 17 00:00:00 2001
|
|
From: Steffan Karger <steffan@karger.me>
|
|
Date: Sun, 22 Mar 2015 19:51:25 +0100
|
|
Subject: [PATCH] Reload OpenSSL engines after forking
|
|
|
|
As reported in trac ticket #480, the cryptodev OpenSSL engine opens
|
|
/dev/crypto on load, but runs into trouble when the pid changes due to a
|
|
call to daemon(). We cannot simply call daemon() before intilializing,
|
|
because that will change the interpretation of relative paths in the config
|
|
file. To work around that, not only fixup the PKCS#11 state after calling
|
|
daemon(), but also reload the OpenSSL engines.
|
|
|
|
Signed-off-by: Steffan Karger <steffan@karger.me>
|
|
---
|
|
src/openvpn/crypto.c | 17 +++++++++++++++++
|
|
src/openvpn/crypto.h | 7 +++++++
|
|
src/openvpn/crypto_backend.h | 8 +++++++-
|
|
src/openvpn/crypto_openssl.c | 21 +++++++++++++--------
|
|
src/openvpn/crypto_polarssl.c | 5 +++++
|
|
src/openvpn/init.c | 4 +---
|
|
6 files changed, 50 insertions(+), 12 deletions(-)
|
|
|
|
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
|
|
index c1b9df3..5353479 100644
|
|
--- a/src/openvpn/crypto.c
|
|
+++ b/src/openvpn/crypto.c
|
|
@@ -36,6 +36,7 @@
|
|
#include "crypto.h"
|
|
#include "error.h"
|
|
#include "misc.h"
|
|
+#include "pkcs11.h"
|
|
|
|
#include "memdbg.h"
|
|
|
|
@@ -426,6 +427,22 @@ crypto_adjust_frame_parameters(struct frame *frame,
|
|
__func__, crypto_overhead);
|
|
}
|
|
|
|
+void
|
|
+crypto_fork_fixup(const char *crypto_engine)
|
|
+{
|
|
+#if defined(ENABLE_PKCS11)
|
|
+ pkcs11_forkFixup ();
|
|
+#endif
|
|
+
|
|
+ if (crypto_engine)
|
|
+ {
|
|
+ /* Reload crypto engines, because a cryptodev engine opens file
|
|
+ * descriptors, which might no longer be usable after forking. */
|
|
+ crypto_uninit_lib_engine();
|
|
+ crypto_init_lib_engine(crypto_engine);
|
|
+ }
|
|
+}
|
|
+
|
|
/*
|
|
* Build a struct key_type.
|
|
*/
|
|
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
|
|
index 82158f9..2e57765 100644
|
|
--- a/src/openvpn/crypto.h
|
|
+++ b/src/openvpn/crypto.h
|
|
@@ -354,6 +354,13 @@ void crypto_adjust_frame_parameters(struct frame *frame,
|
|
bool packet_id,
|
|
bool packet_id_long_form);
|
|
|
|
+/**
|
|
+ * Try to fixup crypto stuff that breaks after forking.
|
|
+ *
|
|
+ * @param crypto_engine Name of the crypto engine to reload.
|
|
+ */
|
|
+void crypto_fork_fixup(const char *crypto_engine);
|
|
+
|
|
|
|
/* Minimum length of the nonce used by the PRNG */
|
|
#define NONCE_SECRET_LEN_MIN 16
|
|
diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
|
|
index 4e45df0..db6421a 100644
|
|
--- a/src/openvpn/crypto_backend.h
|
|
+++ b/src/openvpn/crypto_backend.h
|
|
@@ -49,11 +49,17 @@ void crypto_uninit_lib (void);
|
|
|
|
void crypto_clear_error (void);
|
|
|
|
-/*
|
|
+/**
|
|
* Initialise the given named crypto engine.
|
|
*/
|
|
void crypto_init_lib_engine (const char *engine_name);
|
|
|
|
+/**
|
|
+ * Uninitialise previously loaded crypto engines.
|
|
+ */
|
|
+void crypto_uninit_lib_engine (void);
|
|
+
|
|
+
|
|
#ifdef DMALLOC
|
|
/*
|
|
* OpenSSL memory debugging. If dmalloc debugging is enabled, tell
|
|
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
|
|
index 2d81a6d..5e91752 100644
|
|
--- a/src/openvpn/crypto_openssl.c
|
|
+++ b/src/openvpn/crypto_openssl.c
|
|
@@ -138,6 +138,18 @@ crypto_init_lib_engine (const char *engine_name)
|
|
#endif
|
|
}
|
|
|
|
+void
|
|
+crypto_uninit_lib_engine (void) {
|
|
+#if HAVE_OPENSSL_ENGINE
|
|
+ if (engine_initialized)
|
|
+ {
|
|
+ ENGINE_cleanup ();
|
|
+ engine_persist = NULL;
|
|
+ engine_initialized = false;
|
|
+ }
|
|
+#endif
|
|
+}
|
|
+
|
|
/*
|
|
*
|
|
* Functions related to the core crypto library
|
|
@@ -168,14 +180,7 @@ crypto_uninit_lib (void)
|
|
fclose (fp);
|
|
#endif
|
|
|
|
-#if HAVE_OPENSSL_ENGINE
|
|
- if (engine_initialized)
|
|
- {
|
|
- ENGINE_cleanup ();
|
|
- engine_persist = NULL;
|
|
- engine_initialized = false;
|
|
- }
|
|
-#endif
|
|
+ crypto_uninit_lib_engine();
|
|
}
|
|
|
|
void
|
|
diff --git a/src/openvpn/crypto_polarssl.c b/src/openvpn/crypto_polarssl.c
|
|
index c038f8e..900a98a 100644
|
|
--- a/src/openvpn/crypto_polarssl.c
|
|
+++ b/src/openvpn/crypto_polarssl.c
|
|
@@ -66,6 +66,11 @@ crypto_init_lib_engine (const char *engine_name)
|
|
"available");
|
|
}
|
|
|
|
+void
|
|
+crypto_uninit_lib_engine (void)
|
|
+{
|
|
+}
|
|
+
|
|
/*
|
|
*
|
|
* Functions related to the core crypto library
|
|
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
|
|
index b97d2da..2680c59 100644
|
|
--- a/src/openvpn/init.c
|
|
+++ b/src/openvpn/init.c
|
|
@@ -929,9 +929,7 @@ possibly_become_daemon (const struct options *options)
|
|
if (options->log)
|
|
set_std_files_to_null (true);
|
|
|
|
-#if defined(ENABLE_PKCS11)
|
|
- pkcs11_forkFixup ();
|
|
-#endif
|
|
+ crypto_fork_fixup (options->engine);
|
|
|
|
ret = true;
|
|
}
|
|
--
|
|
2.1.0
|
|
|