author | mandree <mandree@FreeBSD.org> | 2015-03-31 02:37:23 +0800 |
committer | mandree <mandree@FreeBSD.org> | 2015-03-31 02:37:23 +0800 |
commit | 4e5e180dea4391d3f591f549da52f59ac388efda (patch) | |
tree | c39ae12eb4f26e49f13df86fe9dbb9cc1ffc3acc /security | |
parent | b3360dc7a0f37cb189124d911503a1e5118f5b67 (diff) | |
Add an experimental patch for bug #195004.
It needs to be enabled through a port option.
PR: 195004
Diffstat (limited to 'security')
-rw-r--r-- | security/openvpn/Makefile | 9 | ||||
-rw-r--r-- | security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch | 171 |
2 files changed, 178 insertions, 2 deletions
diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index d6c2b8b47167..0e54e1b7f56d 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -3,7 +3,7 @@
 PORTNAME= openvpn
 DISTVERSION= 2.3.6
-PORTREVISION= 2
+PORTREVISION= 3
 CATEGORIES= security net
 MASTER_SITES= http://swupdate.openvpn.net/community/releases/ \
 http://build.openvpn.net/downloads/releases/
@@ -25,7 +25,7 @@ SHEBANG_FILES= sample/sample-scripts/verify-cn \
 CPPFLAGS+= -I${LOCALBASE}/include
 LDFLAGS+= -L${LOCALBASE}/lib
-OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME
+OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME ENGINEFIX
 OPTIONS_DEFAULT= EASYRSA OPENSSL
 OPTIONS_SINGLE= SSL
 OPTIONS_SINGLE_SSL= OPENSSL POLARSSL
@@ -34,6 +34,7 @@ PKCS11_DESC= Use security/pkcs11-helper
 EASYRSA_DESC= Install security/easy-rsa RSA helper package
 POLARSSL_DESC= SSL/TLS support via PolarSSL
 X509ALTUSERNAME_DESC= Enable --x509-username-field (only with OpenSSL)
+ENGINEFIX_DESC= EXPERIMENTAL patch to fix SSL engine use
 EASYRSA_RUN_DEPENDS= easy-rsa>=0:${PORTSDIR}/security/easy-rsa
@@ -46,6 +47,10 @@ X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username
 .include <bsd.port.options.mk>
+.if ${PORT_OPTIONS:MENGINEFIX}
+EXTRA_PATCHES+= ${FILESDIR}/150322-Reload-OpenSSL-engines-after-forking.patch:-p1
+.endif
+
 .if ${PORT_OPTIONS:MPOLARSSL}
 . if ${PORT_OPTIONS:MX509ALTUSERNAME}
 BROKEN= OpenVPN ${DISTVERSION} cannot use --x509-username-field with PolarSSL. Disable X509ALTUSERNAME, or use OpenSSL instead
diff --git a/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch b/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch
new file mode 100644
index 000000000000..81d95f0bcf93
--- /dev/null
+++ b/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch
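Review bot: The ENGINEFIX option is offered regardless of which SSL backend is selected, but the patch it enables only does real work in the OpenSSL backend (its crypto_polarssl.c addition is an empty `crypto_uninit_lib_engine` stub), so with POLARSSL the option applies a patch that changes nothing. The description should say so the way X509ALTUSERNAME_DESC already does, e.g. `ENGINEFIX_DESC= EXPERIMENTAL patch to fix SSL engine use (only with OpenSSL)`. Alternatively the `.if ${PORT_OPTIONS:MENGINEFIX}` block could be made mutually exclusive with the `.if ${PORT_OPTIONS:MPOLARSSL}` test that follows it, so users are told rather than silently given a no-op. That the patch is inert under PolarSSL is inferred from the stub alone; the backend's existing `crypto_init_lib_engine` is outside the hunk.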
@@ -0,0 +1,171 @@
+From 37816d2fbb3e66fa1eb09d0e8f4dadd3f376324f Mon Sep 17 00:00:00 2001
+From: Steffan Karger <steffan@karger.me>
+Date: Sun, 22 Mar 2015 19:51:25 +0100
+Subject: [PATCH] Reload OpenSSL engines after forking
+
+As reported in trac ticket #480, the cryptodev OpenSSL engine opens
+/dev/crypto on load, but runs into trouble when the pid changes due to a
+call to daemon(). We cannot simply call daemon() before intilializing,
+because that will change the interpretation of relative paths in the config
+file. To work around that, not only fixup the PKCS#11 state after calling
+daemon(), but also reload the OpenSSL engines.
+
+Signed-off-by: Steffan Karger <steffan@karger.me>
+---
+ src/openvpn/crypto.c | 17 +++++++++++++++++
+ src/openvpn/crypto.h | 7 +++++++
+ src/openvpn/crypto_backend.h | 8 +++++++-
+ src/openvpn/crypto_openssl.c | 21 +++++++++++++--------
+ src/openvpn/crypto_polarssl.c | 5 +++++
+ src/openvpn/init.c | 4 +---
+ 6 files changed, 50 insertions(+), 12 deletions(-)
+
+diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
+index c1b9df3..5353479 100644
+--- a/src/openvpn/crypto.c
++++ b/src/openvpn/crypto.c
+@@ -36,6 +36,7 @@
+ #include "crypto.h"
+ #include "error.h"
+ #include "misc.h"
++#include "pkcs11.h"
+
+ #include "memdbg.h"
+
+@@ -426,6 +427,22 @@ crypto_adjust_frame_parameters(struct frame *frame,
+ __func__, crypto_overhead);
+ }
+
++void
++crypto_fork_fixup(const char *crypto_engine)
++{
++#if defined(ENABLE_PKCS11)
++ pkcs11_forkFixup ();
++#endif
++
++ if (crypto_engine)
++ {
++ /* Reload crypto engines, because a cryptodev engine opens file
++ * descriptors, which might no longer be usable after forking. */
++ crypto_uninit_lib_engine();
++ crypto_init_lib_engine(crypto_engine);
++ }
++}
++
+ /*
+ * Build a struct key_type.
+ */
+diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
+index 82158f9..2e57765 100644
+--- a/src/openvpn/crypto.h
++++ b/src/openvpn/crypto.h
+@@ -354,6 +354,13 @@ void crypto_adjust_frame_parameters(struct frame *frame,
+ bool packet_id,
+ bool packet_id_long_form);
+
++/**
++ * Try to fixup crypto stuff that breaks after forking.
++ *
++ * @param crypto_engine Name of the crypto engine to reload.
++ */
++void crypto_fork_fixup(const char *crypto_engine);
++
+
+
+ /* Minimum length of the nonce used by the PRNG */
+ #define NONCE_SECRET_LEN_MIN 16
+diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
+index 4e45df0..db6421a 100644
+--- a/src/openvpn/crypto_backend.h
++++ b/src/openvpn/crypto_backend.h
+@@ -49,11 +49,17 @@ void crypto_uninit_lib (void);
+
+ void crypto_clear_error (void);
+
+-/*
++/**
+ * Initialise the given named crypto engine.
+ */
+ void crypto_init_lib_engine (const char *engine_name);
+
++/**
++ * Uninitialise previously loaded crypto engines.
++ */
++void crypto_uninit_lib_engine (void);
++
++
+ #ifdef DMALLOC
+ /*
+ * OpenSSL memory debugging.
If dmalloc debugging is enabled, tell
+diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
+index 2d81a6d..5e91752 100644
+--- a/src/openvpn/crypto_openssl.c
++++ b/src/openvpn/crypto_openssl.c
+@@ -138,6 +138,18 @@ crypto_init_lib_engine (const char *engine_name)
+ #endif
+ }
+
++void
++crypto_uninit_lib_engine (void) {
++#if HAVE_OPENSSL_ENGINE
++ if (engine_initialized)
++ {
++ ENGINE_cleanup ();
++ engine_persist = NULL;
++ engine_initialized = false;
++ }
++#endif
++}
++
+ /*
+ *
+ * Functions related to the core crypto library
+@@ -168,14 +180,7 @@ crypto_uninit_lib (void)
+ fclose (fp);
+ #endif
+
+-#if HAVE_OPENSSL_ENGINE
+- if (engine_initialized)
+- {
+- ENGINE_cleanup ();
+- engine_persist = NULL;
+- engine_initialized = false;
+- }
+-#endif
++ crypto_uninit_lib_engine();
+ }
+
+ void
+diff --git a/src/openvpn/crypto_polarssl.c b/src/openvpn/crypto_polarssl.c
+index c038f8e..900a98a 100644
+--- a/src/openvpn/crypto_polarssl.c
++++ b/src/openvpn/crypto_polarssl.c
+@@ -66,6 +66,11 @@ crypto_init_lib_engine (const char *engine_name)
+ "available");
+ }
+
++void
++crypto_uninit_lib_engine (void)
++{
++}
++
+ /*
+ *
+ * Functions related to the core crypto library
+diff --git a/src/openvpn/init.c b/src/openvpn/init.c
+index b97d2da..2680c59 100644
+--- a/src/openvpn/init.c
++++ b/src/openvpn/init.c
+@@ -929,9 +929,7 @@ possibly_become_daemon (const struct options *options)
+ if (options->log)
+ set_std_files_to_null (true);
+
+-#if defined(ENABLE_PKCS11)
+- pkcs11_forkFixup ();
+-#endif
++ crypto_fork_fixup (options->engine);
+
+ ret = true;
+ }
+--
+2.1.0
+
|
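Review bot: In crypto_openssl.c the new `crypto_uninit_lib_engine (void) {` puts the opening brace on the signature line, while every other definition in this patch (`crypto_fork_fixup`, the PolarSSL stub) and the file's existing `crypto_uninit_lib (void)` put it on its own line; move the brace down to match. The empty PolarSSL `crypto_uninit_lib_engine` body should carry a one-line comment saying it is intentionally a no-op, e.g. `/* No engine support in this backend, so there is nothing to unload. */` (the `"available");` context suggests the init counterpart only reports that engines are unavailable, but that function lies outside the hunk). `crypto_fork_fixup` cannot tell whether the post-fork reload worked, because `crypto_init_lib_engine` is declared `void` in crypto_backend.h; a comment above the `crypto_init_lib_engine(crypto_engine);` call, `/* Reload failure is visible only through whatever crypto_init_lib_engine itself reports. */`, would make that limitation explicit to the caller in `possibly_become_daemon`. The body of `possibly_become_daemon` extends beyond the hunk.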