Date: Mon, 30 Mar 2015 18:37:24 +0000 (UTC) From: Matthias Andree <mandree@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r382705 - in head/security/openvpn: . files Message-ID: <201503301837.t2UIbOjD044701@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: mandree Date: Mon Mar 30 18:37:23 2015 New Revision: 382705 URL: https://svnweb.freebsd.org/changeset/ports/382705 QAT: https://qat.redports.org/buildarchive/r382705/ Log: Add an experimental patch for bug #195004. Needs to be enabled through a port option. PR: 195004 Added: head/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch (contents, props changed) Modified: head/security/openvpn/Makefile Modified: head/security/openvpn/Makefile ============================================================================== --- head/security/openvpn/Makefile Mon Mar 30 18:28:20 2015 (r382704) +++ head/security/openvpn/Makefile Mon Mar 30 18:37:23 2015 (r382705) @@ -3,7 +3,7 @@ PORTNAME= openvpn DISTVERSION= 2.3.6 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= security net MASTER_SITES= http://swupdate.openvpn.net/community/releases/ \ http://build.openvpn.net/downloads/releases/ @@ -25,7 +25,7 @@ SHEBANG_FILES= sample/sample-scripts/ve CPPFLAGS+= -I${LOCALBASE}/include LDFLAGS+= -L${LOCALBASE}/lib -OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME +OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME ENGINEFIX OPTIONS_DEFAULT= EASYRSA OPENSSL OPTIONS_SINGLE= SSL OPTIONS_SINGLE_SSL= OPENSSL POLARSSL @@ -34,6 +34,7 @@ PKCS11_DESC= Use security/pkcs11-helper EASYRSA_DESC= Install security/easy-rsa RSA helper package POLARSSL_DESC= SSL/TLS support via PolarSSL X509ALTUSERNAME_DESC= Enable --x509-username-field (only with OpenSSL) +ENGINEFIX_DESC= EXPERIMENTAL patch to fix SSL engine use EASYRSA_RUN_DEPENDS= easy-rsa>=0:${PORTSDIR}/security/easy-rsa @@ -46,6 +47,10 @@ X509ALTUSERNAME_CONFIGURE_ENABLE= x509-a .include <bsd.port.options.mk> +.if ${PORT_OPTIONS:MENGINEFIX} +EXTRA_PATCHES+= ${FILESDIR}/150322-Reload-OpenSSL-engines-after-forking.patch:-p1 +.endif + .if ${PORT_OPTIONS:MPOLARSSL} . if ${PORT_OPTIONS:MX509ALTUSERNAME} BROKEN= OpenVPN ${DISTVERSION} cannot use --x509-username-field with PolarSSL. Disable X509ALTUSERNAME, or use OpenSSL instead Added: head/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch Mon Mar 30 18:37:23 2015 (r382705) @@ -0,0 +1,171 @@ +From 37816d2fbb3e66fa1eb09d0e8f4dadd3f376324f Mon Sep 17 00:00:00 2001 +From: Steffan Karger <steffan@karger.me> +Date: Sun, 22 Mar 2015 19:51:25 +0100 +Subject: [PATCH] Reload OpenSSL engines after forking + +As reported in trac ticket #480, the cryptodev OpenSSL engine opens +/dev/crypto on load, but runs into trouble when the pid changes due to a +call to daemon(). We cannot simply call daemon() before intilializing, +because that will change the interpretation of relative paths in the config +file. To work around that, not only fixup the PKCS#11 state after calling +daemon(), but also reload the OpenSSL engines. + +Signed-off-by: Steffan Karger <steffan@karger.me> +--- + src/openvpn/crypto.c | 17 +++++++++++++++++ + src/openvpn/crypto.h | 7 +++++++ + src/openvpn/crypto_backend.h | 8 +++++++- + src/openvpn/crypto_openssl.c | 21 +++++++++++++-------- + src/openvpn/crypto_polarssl.c | 5 +++++ + src/openvpn/init.c | 4 +--- + 6 files changed, 50 insertions(+), 12 deletions(-) + +diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c +index c1b9df3..5353479 100644 +--- a/src/openvpn/crypto.c ++++ b/src/openvpn/crypto.c +@@ -36,6 +36,7 @@ + #include "crypto.h" + #include "error.h" + #include "misc.h" ++#include "pkcs11.h" + + #include "memdbg.h" + +@@ -426,6 +427,22 @@ crypto_adjust_frame_parameters(struct frame *frame, + __func__, crypto_overhead); + } + ++void ++crypto_fork_fixup(const char *crypto_engine) ++{ ++#if defined(ENABLE_PKCS11) ++ pkcs11_forkFixup (); ++#endif ++ ++ if (crypto_engine) ++ { ++ /* Reload crypto engines, because a cryptodev engine opens file ++ * descriptors, which might no longer be usable after forking. */ ++ crypto_uninit_lib_engine(); ++ crypto_init_lib_engine(crypto_engine); ++ } ++} ++ + /* + * Build a struct key_type. + */ +diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h +index 82158f9..2e57765 100644 +--- a/src/openvpn/crypto.h ++++ b/src/openvpn/crypto.h +@@ -354,6 +354,13 @@ void crypto_adjust_frame_parameters(struct frame *frame, + bool packet_id, + bool packet_id_long_form); + ++/** ++ * Try to fixup crypto stuff that breaks after forking. ++ * ++ * @param crypto_engine Name of the crypto engine to reload. ++ */ ++void crypto_fork_fixup(const char *crypto_engine); ++ + + /* Minimum length of the nonce used by the PRNG */ + #define NONCE_SECRET_LEN_MIN 16 +diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h +index 4e45df0..db6421a 100644 +--- a/src/openvpn/crypto_backend.h ++++ b/src/openvpn/crypto_backend.h +@@ -49,11 +49,17 @@ void crypto_uninit_lib (void); + + void crypto_clear_error (void); + +-/* ++/** + * Initialise the given named crypto engine. + */ + void crypto_init_lib_engine (const char *engine_name); + ++/** ++ * Uninitialise previously loaded crypto engines. ++ */ ++void crypto_uninit_lib_engine (void); ++ ++ + #ifdef DMALLOC + /* + * OpenSSL memory debugging. If dmalloc debugging is enabled, tell +diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c +index 2d81a6d..5e91752 100644 +--- a/src/openvpn/crypto_openssl.c ++++ b/src/openvpn/crypto_openssl.c +@@ -138,6 +138,18 @@ crypto_init_lib_engine (const char *engine_name) + #endif + } + ++void ++crypto_uninit_lib_engine (void) { ++#if HAVE_OPENSSL_ENGINE ++ if (engine_initialized) ++ { ++ ENGINE_cleanup (); ++ engine_persist = NULL; ++ engine_initialized = false; ++ } ++#endif ++} ++ + /* + * + * Functions related to the core crypto library +@@ -168,14 +180,7 @@ crypto_uninit_lib (void) + fclose (fp); + #endif + +-#if HAVE_OPENSSL_ENGINE +- if (engine_initialized) +- { +- ENGINE_cleanup (); +- engine_persist = NULL; +- engine_initialized = false; +- } +-#endif ++ crypto_uninit_lib_engine(); + } + + void +diff --git a/src/openvpn/crypto_polarssl.c b/src/openvpn/crypto_polarssl.c +index c038f8e..900a98a 100644 +--- a/src/openvpn/crypto_polarssl.c ++++ b/src/openvpn/crypto_polarssl.c +@@ -66,6 +66,11 @@ crypto_init_lib_engine (const char *engine_name) + "available"); + } + ++void ++crypto_uninit_lib_engine (void) ++{ ++} ++ + /* + * + * Functions related to the core crypto library +diff --git a/src/openvpn/init.c b/src/openvpn/init.c +index b97d2da..2680c59 100644 +--- a/src/openvpn/init.c ++++ b/src/openvpn/init.c +@@ -929,9 +929,7 @@ possibly_become_daemon (const struct options *options) + if (options->log) + set_std_files_to_null (true); + +-#if defined(ENABLE_PKCS11) +- pkcs11_forkFixup (); +-#endif ++ crypto_fork_fixup (options->engine); + + ret = true; + } +-- +2.1.0 +
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201503301837.t2UIbOjD044701>