Ticket #480: 150406-Reload-OpenSSL-engines-after-forking-v2.patch

File 150406-Reload-OpenSSL-engines-after-forking-v2.patch, 4.5 KB (added by Steffan Karger, 10 years ago)
  • src/openvpn/crypto.c

    From ec7f2d7d48e89ad5763a42a6b8cef9078a5fbd1c Mon Sep 17 00:00:00 2001
    From: Steffan Karger <steffan@karger.me>
    Date: Mon, 6 Apr 2015 10:06:20 +0200
    Subject: [PATCH] Reload OpenSSL engines after forking
    
    As reported in trac ticket #480, the cryptodev OpenSSL engine opens
    /dev/crypto on load, but runs into trouble when the pid changes due to a
    call to daemon().  We cannot simply call daemon() before initializing,
    because that will change the interpretation of relative paths in the config
    file.  To work around that, not only fixup the PKCS#11 state after calling
    daemon(), but also reload the OpenSSL engines.
    
    v2 - always call ENGINE_cleanup() on fork, even when we did not initialize
         engines ourselves.
    
    Signed-off-by: Steffan Karger <steffan@karger.me>
    ---
     src/openvpn/crypto.c          | 17 +++++++++++++++++
     src/openvpn/crypto.h          |  7 +++++++
     src/openvpn/crypto_backend.h  |  8 +++++++-
     src/openvpn/crypto_openssl.c  | 21 +++++++++++++--------
     src/openvpn/crypto_polarssl.c |  5 +++++
     src/openvpn/init.c            |  4 +---
     6 files changed, 50 insertions(+), 12 deletions(-)
    
    diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
    index 588d9f0..e9856d9 100644
    a b  
    3636#include "crypto.h"
    3737#include "error.h"
    3838#include "misc.h"
     39#include "pkcs11.h"
    3940
    4041#include "memdbg.h"
    4142
    crypto_adjust_frame_parameters(struct frame *frame, 
    426427      __func__, crypto_overhead);
    427428}
    428429
     430void
     431crypto_fork_fixup(const char *crypto_engine)
     432{
     433#if defined(ENABLE_PKCS11)
     434  pkcs11_forkFixup ();
     435#endif
     436
     437  if (crypto_engine)
     438    {
     439      /* Reload crypto engines, because a cryptodev engine opens file
     440       * descriptors, which might no longer be usable after forking. */
     441      crypto_uninit_lib_engine();
     442      crypto_init_lib_engine(crypto_engine);
     443    }
     444}
     445
    429446/*
    430447 * Build a struct key_type.
    431448 */
  • src/openvpn/crypto.h

    diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
    index 504896d..c2d7486 100644
    a b void crypto_adjust_frame_parameters(struct frame *frame, 
    354354                                    bool packet_id,
    355355                                    bool packet_id_long_form);
    356356
     357/**
     358 * Try to fixup crypto stuff that breaks after forking.
     359 *
     360 * @param crypto_engine         Name of the crypto engine to reload.
     361 */
     362void crypto_fork_fixup(const char *crypto_engine);
     363
    357364
    358365/* Minimum length of the nonce used by the PRNG */
    359366#define NONCE_SECRET_LEN_MIN 16
  • src/openvpn/crypto_backend.h

    diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
    index 4e45df0..db6421a 100644
    a b void crypto_uninit_lib (void); 
    4949
    5050void crypto_clear_error (void);
    5151
    52 /*
     52/**
    5353 * Initialise the given named crypto engine.
    5454 */
    5555void crypto_init_lib_engine (const char *engine_name);
    5656
     57/**
     58 * Uninitialise previously loaded crypto engines.
     59 */
     60void crypto_uninit_lib_engine (void);
     61
     62
    5763#ifdef DMALLOC
    5864/*
    5965 * OpenSSL memory debugging.  If dmalloc debugging is enabled, tell
  • src/openvpn/crypto_openssl.c

    diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
    index 2d81a6d..2602c57 100644
    a b crypto_init_lib_engine (const char *engine_name) 
    138138#endif
    139139}
    140140
     141void
     142crypto_uninit_lib_engine (void) {
     143#if HAVE_OPENSSL_ENGINE
     144  ENGINE_cleanup ();
     145  if (engine_initialized)
     146    {
     147      engine_persist = NULL;
     148      engine_initialized = false;
     149    }
     150#endif
     151}
     152
    141153/*
    142154 *
    143155 * Functions related to the core crypto library
    crypto_uninit_lib (void) 
    168180  fclose (fp);
    169181#endif
    170182
    171 #if HAVE_OPENSSL_ENGINE
    172   if (engine_initialized)
    173     {
    174       ENGINE_cleanup ();
    175       engine_persist = NULL;
    176       engine_initialized = false;
    177     }
    178 #endif
     183  crypto_uninit_lib_engine();
    179184}
    180185
    181186void
  • src/openvpn/crypto_polarssl.c

    diff --git a/src/openvpn/crypto_polarssl.c b/src/openvpn/crypto_polarssl.c
    index c038f8e..900a98a 100644
    a b crypto_init_lib_engine (const char *engine_name) 
    6666      "available");
    6767}
    6868
     69void
     70crypto_uninit_lib_engine (void)
     71{
     72}
     73
    6974/*
    7075 *
    7176 * Functions related to the core crypto library
  • src/openvpn/init.c

    diff --git a/src/openvpn/init.c b/src/openvpn/init.c
    index 73c6aff..fddb744 100644
    a b possibly_become_daemon (const struct options *options) 
    929929      if (options->log)
    930930        set_std_files_to_null (true);
    931931
    932 #if defined(ENABLE_PKCS11)
    933       pkcs11_forkFixup ();
    934 #endif
     932      crypto_fork_fixup (options->engine);
    935933
    936934      ret = true;
    937935    }