diff options
Diffstat (limited to 'security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch')
-rw-r--r-- | security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch | 171 |
1 files changed, 0 insertions, 171 deletions
diff --git a/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch b/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch deleted file mode 100644 index 81d95f0bcf93..000000000000 --- a/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch +++ /dev/null @@ -1,171 +0,0 @@ -From 37816d2fbb3e66fa1eb09d0e8f4dadd3f376324f Mon Sep 17 00:00:00 2001 -From: Steffan Karger <steffan@karger.me> -Date: Sun, 22 Mar 2015 19:51:25 +0100 -Subject: [PATCH] Reload OpenSSL engines after forking - -As reported in trac ticket #480, the cryptodev OpenSSL engine opens -/dev/crypto on load, but runs into trouble when the pid changes due to a -call to daemon(). We cannot simply call daemon() before intilializing, -because that will change the interpretation of relative paths in the config -file. To work around that, not only fixup the PKCS#11 state after calling -daemon(), but also reload the OpenSSL engines. - -Signed-off-by: Steffan Karger <steffan@karger.me> ---- - src/openvpn/crypto.c | 17 +++++++++++++++++ - src/openvpn/crypto.h | 7 +++++++ - src/openvpn/crypto_backend.h | 8 +++++++- - src/openvpn/crypto_openssl.c | 21 +++++++++++++-------- - src/openvpn/crypto_polarssl.c | 5 +++++ - src/openvpn/init.c | 4 +--- - 6 files changed, 50 insertions(+), 12 deletions(-) - -diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c -index c1b9df3..5353479 100644 ---- a/src/openvpn/crypto.c -+++ b/src/openvpn/crypto.c -@@ -36,6 +36,7 @@ - #include "crypto.h" - #include "error.h" - #include "misc.h" -+#include "pkcs11.h" - - #include "memdbg.h" - -@@ -426,6 +427,22 @@ crypto_adjust_frame_parameters(struct frame *frame, - __func__, crypto_overhead); - } - -+void -+crypto_fork_fixup(const char *crypto_engine) -+{ -+#if defined(ENABLE_PKCS11) -+ pkcs11_forkFixup (); -+#endif -+ -+ if (crypto_engine) -+ { -+ /* Reload crypto engines, because a cryptodev engine opens file -+ * descriptors, which might no longer be usable after forking. */ -+ crypto_uninit_lib_engine(); -+ crypto_init_lib_engine(crypto_engine); -+ } -+} -+ - /* - * Build a struct key_type. - */ -diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h -index 82158f9..2e57765 100644 ---- a/src/openvpn/crypto.h -+++ b/src/openvpn/crypto.h -@@ -354,6 +354,13 @@ void crypto_adjust_frame_parameters(struct frame *frame, - bool packet_id, - bool packet_id_long_form); - -+/** -+ * Try to fixup crypto stuff that breaks after forking. -+ * -+ * @param crypto_engine Name of the crypto engine to reload. -+ */ -+void crypto_fork_fixup(const char *crypto_engine); -+ - - /* Minimum length of the nonce used by the PRNG */ - #define NONCE_SECRET_LEN_MIN 16 -diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h -index 4e45df0..db6421a 100644 ---- a/src/openvpn/crypto_backend.h -+++ b/src/openvpn/crypto_backend.h -@@ -49,11 +49,17 @@ void crypto_uninit_lib (void); - - void crypto_clear_error (void); - --/* -+/** - * Initialise the given named crypto engine. - */ - void crypto_init_lib_engine (const char *engine_name); - -+/** -+ * Uninitialise previously loaded crypto engines. -+ */ -+void crypto_uninit_lib_engine (void); -+ -+ - #ifdef DMALLOC - /* - * OpenSSL memory debugging. If dmalloc debugging is enabled, tell -diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c -index 2d81a6d..5e91752 100644 ---- a/src/openvpn/crypto_openssl.c -+++ b/src/openvpn/crypto_openssl.c -@@ -138,6 +138,18 @@ crypto_init_lib_engine (const char *engine_name) - #endif - } - -+void -+crypto_uninit_lib_engine (void) { -+#if HAVE_OPENSSL_ENGINE -+ if (engine_initialized) -+ { -+ ENGINE_cleanup (); -+ engine_persist = NULL; -+ engine_initialized = false; -+ } -+#endif -+} -+ - /* - * - * Functions related to the core crypto library -@@ -168,14 +180,7 @@ crypto_uninit_lib (void) - fclose (fp); - #endif - --#if HAVE_OPENSSL_ENGINE -- if (engine_initialized) -- { -- ENGINE_cleanup (); -- engine_persist = NULL; -- engine_initialized = false; -- } --#endif -+ crypto_uninit_lib_engine(); - } - - void -diff --git a/src/openvpn/crypto_polarssl.c b/src/openvpn/crypto_polarssl.c -index c038f8e..900a98a 100644 ---- a/src/openvpn/crypto_polarssl.c -+++ b/src/openvpn/crypto_polarssl.c -@@ -66,6 +66,11 @@ crypto_init_lib_engine (const char *engine_name) - "available"); - } - -+void -+crypto_uninit_lib_engine (void) -+{ -+} -+ - /* - * - * Functions related to the core crypto library -diff --git a/src/openvpn/init.c b/src/openvpn/init.c -index b97d2da..2680c59 100644 ---- a/src/openvpn/init.c -+++ b/src/openvpn/init.c -@@ -929,9 +929,7 @@ possibly_become_daemon (const struct options *options) - if (options->log) - set_std_files_to_null (true); - --#if defined(ENABLE_PKCS11) -- pkcs11_forkFixup (); --#endif -+ crypto_fork_fixup (options->engine); - - ret = true; - } --- -2.1.0 - |