authorMatthias Andree <mandree@FreeBSD.org>2015-03-30 18:37:23 +0000
committerMatthias Andree <mandree@FreeBSD.org>2015-03-30 18:37:23 +0000
commit68b40e0f603fd89dbe4185219ccf0d1762519019 (patch)
treec39ae12eb4f26e49f13df86fe9dbb9cc1ffc3acc /security
parentx11-toolkits/py-kivy: use new USE_GITHUB. (diff)
Add an experimental patch for bug #195004.
Needs to be enabled through a port option. PR: 195004
Notes
Notes: svn path=/head/; revision=382705
Diffstat (limited to 'security')
-rw-r--r--security/openvpn/Makefile9
-rw-r--r--security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch171
2 files changed, 178 insertions, 2 deletions
diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index d6c2b8b47167..0e54e1b7f56d 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -3,7 +3,7 @@
PORTNAME= openvpn
DISTVERSION= 2.3.6
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= security net
MASTER_SITES= http://swupdate.openvpn.net/community/releases/ \
http://build.openvpn.net/downloads/releases/
@@ -25,7 +25,7 @@ SHEBANG_FILES= sample/sample-scripts/verify-cn \
CPPFLAGS+= -I${LOCALBASE}/include
LDFLAGS+= -L${LOCALBASE}/lib
-OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME
+OPTIONS_DEFINE= PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME ENGINEFIX
OPTIONS_DEFAULT= EASYRSA OPENSSL
OPTIONS_SINGLE= SSL
OPTIONS_SINGLE_SSL= OPENSSL POLARSSL
@@ -34,6 +34,7 @@ PKCS11_DESC= Use security/pkcs11-helper
EASYRSA_DESC= Install security/easy-rsa RSA helper package
POLARSSL_DESC= SSL/TLS support via PolarSSL
X509ALTUSERNAME_DESC= Enable --x509-username-field (only with OpenSSL)
+ENGINEFIX_DESC= EXPERIMENTAL patch to fix SSL engine use
EASYRSA_RUN_DEPENDS= easy-rsa>=0:${PORTSDIR}/security/easy-rsa
@@ -46,6 +47,10 @@ X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username
.include <bsd.port.options.mk>
+.if ${PORT_OPTIONS:MENGINEFIX}
+EXTRA_PATCHES+= ${FILESDIR}/150322-Reload-OpenSSL-engines-after-forking.patch:-p1
+.endif
+
.if ${PORT_OPTIONS:MPOLARSSL}
. if ${PORT_OPTIONS:MX509ALTUSERNAME}
BROKEN= OpenVPN ${DISTVERSION} cannot use --x509-username-field with PolarSSL. Disable X509ALTUSERNAME, or use OpenSSL instead
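Review bot: The new `ENGINEFIX_DESC=` line does not tell the user that the option only has an effect with the OpenSSL backend, although the neighbouring `X509ALTUSERNAME_DESC` line does; the added patch gives crypto_polarssl.c an empty `crypto_uninit_lib_engine`, so selecting ENGINEFIX together with POLARSSL applies the patch and silently changes nothing. Suggest `ENGINEFIX_DESC= EXPERIMENTAL patch to fix SSL engine use (only with OpenSSL)`. The `.if ${PORT_OPTIONS:MENGINEFIX}` block could alternatively be placed inside the OpenSSL branch of the SSL conditionals that follow, but the `.if ${PORT_OPTIONS:MPOLARSSL}` block continues beyond the hunk, so I cannot tell from here whether an OpenSSL-only branch already exists.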
diff --git a/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch b/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch
new file mode 100644
index 000000000000..81d95f0bcf93
--- /dev/null
+++ b/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch
@@ -0,0 +1,171 @@
+From 37816d2fbb3e66fa1eb09d0e8f4dadd3f376324f Mon Sep 17 00:00:00 2001
+From: Steffan Karger <steffan@karger.me>
+Date: Sun, 22 Mar 2015 19:51:25 +0100
+Subject: [PATCH] Reload OpenSSL engines after forking
+
+As reported in trac ticket #480, the cryptodev OpenSSL engine opens
+/dev/crypto on load, but runs into trouble when the pid changes due to a
+call to daemon(). We cannot simply call daemon() before intilializing,
+because that will change the interpretation of relative paths in the config
+file. To work around that, not only fixup the PKCS#11 state after calling
+daemon(), but also reload the OpenSSL engines.
+
+Signed-off-by: Steffan Karger <steffan@karger.me>
+---
+ src/openvpn/crypto.c | 17 +++++++++++++++++
+ src/openvpn/crypto.h | 7 +++++++
+ src/openvpn/crypto_backend.h | 8 +++++++-
+ src/openvpn/crypto_openssl.c | 21 +++++++++++++--------
+ src/openvpn/crypto_polarssl.c | 5 +++++
+ src/openvpn/init.c | 4 +---
+ 6 files changed, 50 insertions(+), 12 deletions(-)
+
+diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
+index c1b9df3..5353479 100644
+--- a/src/openvpn/crypto.c
++++ b/src/openvpn/crypto.c
+@@ -36,6 +36,7 @@
+ #include "crypto.h"
+ #include "error.h"
+ #include "misc.h"
++#include "pkcs11.h"
+
+ #include "memdbg.h"
+
+@@ -426,6 +427,22 @@ crypto_adjust_frame_parameters(struct frame *frame,
+ __func__, crypto_overhead);
+ }
+
++void
++crypto_fork_fixup(const char *crypto_engine)
++{
++#if defined(ENABLE_PKCS11)
++ pkcs11_forkFixup ();
++#endif
++
++ if (crypto_engine)
++ {
++ /* Reload crypto engines, because a cryptodev engine opens file
++ * descriptors, which might no longer be usable after forking. */
++ crypto_uninit_lib_engine();
++ crypto_init_lib_engine(crypto_engine);
++ }
++}
++
+ /*
+ * Build a struct key_type.
+ */
+diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
+index 82158f9..2e57765 100644
+--- a/src/openvpn/crypto.h
++++ b/src/openvpn/crypto.h
+@@ -354,6 +354,13 @@ void crypto_adjust_frame_parameters(struct frame *frame,
+ bool packet_id,
+ bool packet_id_long_form);
+
++/**
++ * Try to fixup crypto stuff that breaks after forking.
++ *
++ * @param crypto_engine Name of the crypto engine to reload.
++ */
++void crypto_fork_fixup(const char *crypto_engine);
++
+
+ /* Minimum length of the nonce used by the PRNG */
+ #define NONCE_SECRET_LEN_MIN 16
+diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
+index 4e45df0..db6421a 100644
+--- a/src/openvpn/crypto_backend.h
++++ b/src/openvpn/crypto_backend.h
+@@ -49,11 +49,17 @@ void crypto_uninit_lib (void);
+
+ void crypto_clear_error (void);
+
+-/*
++/**
+ * Initialise the given named crypto engine.
+ */
+ void crypto_init_lib_engine (const char *engine_name);
+
++/**
++ * Uninitialise previously loaded crypto engines.
++ */
++void crypto_uninit_lib_engine (void);
++
++
+ #ifdef DMALLOC
+ /*
+ * OpenSSL memory debugging. If dmalloc debugging is enabled, tell
+diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
+index 2d81a6d..5e91752 100644
+--- a/src/openvpn/crypto_openssl.c
++++ b/src/openvpn/crypto_openssl.c
+@@ -138,6 +138,18 @@ crypto_init_lib_engine (const char *engine_name)
+ #endif
+ }
+
++void
++crypto_uninit_lib_engine (void) {
++#if HAVE_OPENSSL_ENGINE
++ if (engine_initialized)
++ {
++ ENGINE_cleanup ();
++ engine_persist = NULL;
++ engine_initialized = false;
++ }
++#endif
++}
++
+ /*
+ *
+ * Functions related to the core crypto library
+@@ -168,14 +180,7 @@ crypto_uninit_lib (void)
+ fclose (fp);
+ #endif
+
+-#if HAVE_OPENSSL_ENGINE
+- if (engine_initialized)
+- {
+- ENGINE_cleanup ();
+- engine_persist = NULL;
+- engine_initialized = false;
+- }
+-#endif
++ crypto_uninit_lib_engine();
+ }
+
+ void
+diff --git a/src/openvpn/crypto_polarssl.c b/src/openvpn/crypto_polarssl.c
+index c038f8e..900a98a 100644
+--- a/src/openvpn/crypto_polarssl.c
++++ b/src/openvpn/crypto_polarssl.c
+@@ -66,6 +66,11 @@ crypto_init_lib_engine (const char *engine_name)
+ "available");
+ }
+
++void
++crypto_uninit_lib_engine (void)
++{
++}
++
+ /*
+ *
+ * Functions related to the core crypto library
+diff --git a/src/openvpn/init.c b/src/openvpn/init.c
+index b97d2da..2680c59 100644
+--- a/src/openvpn/init.c
++++ b/src/openvpn/init.c
+@@ -929,9 +929,7 @@ possibly_become_daemon (const struct options *options)
+ if (options->log)
+ set_std_files_to_null (true);
+
+-#if defined(ENABLE_PKCS11)
+- pkcs11_forkFixup ();
+-#endif
++ crypto_fork_fixup (options->engine);
+
+ ret = true;
+ }
+--
+2.1.0
+