rdelaage
/
gmid
mirror of https://github.com/omar-polo/gmid.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

disable the privsep crypto engine on !OpenBSD 

it fails bandly at runtime on various linux distros and on freebsd.
Until a fix is found, disable it so I can move forward.
This commit is contained in:
Omar Polo 2023-06-11 12:18:27 +00:00
parent 237095fd9a
commit ba290ef3af
4 changed files with 29 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
config.c
View File

@ -46,6 +46,10 @@ config_new(void)
conf->prefork = 3;
#ifdef __OpenBSD__
conf->use_privsep_crypto = 1;
#endif
conf->sock4 = -1;
conf->sock6 = -1;
@ -63,8 +67,10 @@ config_purge(struct conf *conf)
struct envlist *e, *te;
struct alist *a, *ta;
struct pki *pki, *tpki;
int use_privsep_crypto;
ps = conf->ps;
use_privsep_crypto = conf->use_privsep_crypto;
if (conf->sock4 != -1) {
event_del(&conf->evsock4);
@ -136,6 +142,7 @@ config_purge(struct conf *conf)
memset(conf, 0, sizeof(*conf));
conf->ps = ps;
conf->use_privsep_crypto = use_privsep_crypto;
conf->sock4 = conf->sock6 = -1;
conf->protos = TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3;
init_mime(&conf->mime);
@ -184,7 +191,8 @@ static int
config_send_kp(struct privsep *ps, int cert_type, int key_type,
const char *cert, const char *key)
{
int fd, d;
struct conf *conf = ps->ps_env;
int fd, d, key_target;
log_debug("sending %s", cert);
if ((fd = open(cert, O_RDONLY)) == -1)
@ -196,13 +204,19 @@ config_send_kp(struct privsep *ps, int cert_type, int key_type,
close(d);
return -1;
}
if (config_send_file(ps, PROC_CRYPTO, cert_type, d, NULL, 0) == -1)
if (conf->use_privsep_crypto &&
config_send_file(ps, PROC_CRYPTO, cert_type, d, NULL, 0) == -1)
return -1;
log_debug("sending %s", key);
if ((fd = open(key, O_RDONLY)) == -1)
return -1;
if (config_send_file(ps, PROC_CRYPTO, key_type, fd, NULL, 0) == -1)
key_target = PROC_CRYPTO;
if (!conf->use_privsep_crypto)
key_target = PROC_SERVER;
if (config_send_file(ps, key_target, key_type, fd, NULL, 0) == -1)
return -1;
if (proc_flush_imsg(ps, PROC_SERVER, -1) == -1)

3
ge.c
View File

@ -249,6 +249,9 @@ main(int argc, char **argv)
log_setverbose(0);
conf = config_new();
/* ge doesn't do privsep so no privsep crypto engine. */
conf->use_privsep_crypto = 0;
while ((ch = getopt_long(argc, argv, "d:H:hp:Vv", opts, NULL)) != -1) {
switch (ch) {
case 'd':

1
gmid.h
View File

@ -228,6 +228,7 @@ struct conf {
char user[LOGIN_NAME_MAX];
int prefork;
int reload;
int use_privsep_crypto;
int sock4;
struct event evsock4;

15
server.c
View File

@ -1395,11 +1395,7 @@ setup_tls(struct conf *conf)
if ((tlsconf = tls_config_new()) == NULL)
fatal("tls_config_new");
/*
* ge doesn't use the privsep crypto engine; it doesn't use
* privsep at all so `ps' is NULL.
*/
if (conf->ps != NULL)
if (conf->use_privsep_crypto)
tls_config_use_fake_private_key(tlsconf);
/* optionally accept client certs, but don't try to verify them */
@ -1462,6 +1458,8 @@ server(struct privsep *ps, struct privsep_proc *p)
void
server_init(struct privsep *ps, struct privsep_proc *p, void *arg)
{
struct conf *c;
SPLAY_INIT(&clients);
#ifdef SIGINFO
@ -1477,8 +1475,11 @@ server_init(struct privsep *ps, struct privsep_proc *p, void *arg)
* ge doesn't use the privsep crypto engine; it doesn't use
* privsep at all so `ps' is NULL.
*/
if (ps != NULL)
crypto_engine_init(ps->ps_env);
if (ps != NULL) {
c = ps->ps_env;
if (c->use_privsep_crypto)
crypto_engine_init(ps->ps_env);
}
}
int