disable the privsep crypto engine on !OpenBSD
it fails badly at runtime on various Linux distros and on FreeBSD. Until a fix is found, disable it so I can move forward.
parent
237095fd9a
commit
ba290ef3af
20
config.c
20
config.c
|
@ -46,6 +46,10 @@ config_new(void)
|
||||||
|
|
||||||
conf->prefork = 3;
|
conf->prefork = 3;
|
||||||
|
|
||||||
|
#ifdef __OpenBSD__
|
||||||
|
conf->use_privsep_crypto = 1;
|
||||||
|
#endif
|
||||||
|
|
||||||
conf->sock4 = -1;
|
conf->sock4 = -1;
|
||||||
conf->sock6 = -1;
|
conf->sock6 = -1;
|
||||||
|
|
||||||
|
@ -63,8 +67,10 @@ config_purge(struct conf *conf)
|
||||||
struct envlist *e, *te;
|
struct envlist *e, *te;
|
||||||
struct alist *a, *ta;
|
struct alist *a, *ta;
|
||||||
struct pki *pki, *tpki;
|
struct pki *pki, *tpki;
|
||||||
|
int use_privsep_crypto;
|
||||||
|
|
||||||
ps = conf->ps;
|
ps = conf->ps;
|
||||||
|
use_privsep_crypto = conf->use_privsep_crypto;
|
||||||
|
|
||||||
if (conf->sock4 != -1) {
|
if (conf->sock4 != -1) {
|
||||||
event_del(&conf->evsock4);
|
event_del(&conf->evsock4);
|
||||||
|
@ -136,6 +142,7 @@ config_purge(struct conf *conf)
|
||||||
memset(conf, 0, sizeof(*conf));
|
memset(conf, 0, sizeof(*conf));
|
||||||
|
|
||||||
conf->ps = ps;
|
conf->ps = ps;
|
||||||
|
conf->use_privsep_crypto = use_privsep_crypto;
|
||||||
conf->sock4 = conf->sock6 = -1;
|
conf->sock4 = conf->sock6 = -1;
|
||||||
conf->protos = TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3;
|
conf->protos = TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3;
|
||||||
init_mime(&conf->mime);
|
init_mime(&conf->mime);
|
||||||
|
@ -184,7 +191,8 @@ static int
|
||||||
config_send_kp(struct privsep *ps, int cert_type, int key_type,
|
config_send_kp(struct privsep *ps, int cert_type, int key_type,
|
||||||
const char *cert, const char *key)
|
const char *cert, const char *key)
|
||||||
{
|
{
|
||||||
int fd, d;
|
struct conf *conf = ps->ps_env;
|
||||||
|
int fd, d, key_target;
|
||||||
|
|
||||||
log_debug("sending %s", cert);
|
log_debug("sending %s", cert);
|
||||||
if ((fd = open(cert, O_RDONLY)) == -1)
|
if ((fd = open(cert, O_RDONLY)) == -1)
|
||||||
|
@ -196,13 +204,19 @@ config_send_kp(struct privsep *ps, int cert_type, int key_type,
|
||||||
close(d);
|
close(d);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
if (config_send_file(ps, PROC_CRYPTO, cert_type, d, NULL, 0) == -1)
|
if (conf->use_privsep_crypto &&
|
||||||
|
config_send_file(ps, PROC_CRYPTO, cert_type, d, NULL, 0) == -1)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
log_debug("sending %s", key);
|
log_debug("sending %s", key);
|
||||||
if ((fd = open(key, O_RDONLY)) == -1)
|
if ((fd = open(key, O_RDONLY)) == -1)
|
||||||
return -1;
|
return -1;
|
||||||
if (config_send_file(ps, PROC_CRYPTO, key_type, fd, NULL, 0) == -1)
|
|
||||||
|
key_target = PROC_CRYPTO;
|
||||||
|
if (!conf->use_privsep_crypto)
|
||||||
|
key_target = PROC_SERVER;
|
||||||
|
|
||||||
|
if (config_send_file(ps, key_target, key_type, fd, NULL, 0) == -1)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
if (proc_flush_imsg(ps, PROC_SERVER, -1) == -1)
|
if (proc_flush_imsg(ps, PROC_SERVER, -1) == -1)
|
||||||
|
|
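Review bot: When use_privsep_crypto is 0 the new condition `if (conf->use_privsep_crypto &&` short-circuits past config_send_file, so the duplicated descriptor `d` is neither handed off nor closed; the `close(d)` on the early-return path just above suggests config_send_file otherwise takes ownership of it, which would make this one leaked descriptor per certificate on every non-OpenBSD build and again on each reload. I would release it on the disabled path: `if (!conf->use_privsep_crypto) close(d); else if (config_send_file(ps, PROC_CRYPTO, cert_type, d, NULL, 0) == -1) return -1;`. The dup that creates `d` and the rest of config_send_kp are outside the hunk, so the ownership claim is inferred from the visible close(d). Routing the key to PROC_SERVER via `key_target` a few lines below is the intended effect of the flag and looks right.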
3
ge.c
3
ge.c
|
@ -249,6 +249,9 @@ main(int argc, char **argv)
|
||||||
log_setverbose(0);
|
log_setverbose(0);
|
||||||
conf = config_new();
|
conf = config_new();
|
||||||
|
|
||||||
|
/* ge doesn't do privsep so no privsep crypto engine. */
|
||||||
|
conf->use_privsep_crypto = 0;
|
||||||
|
|
||||||
while ((ch = getopt_long(argc, argv, "d:H:hp:Vv", opts, NULL)) != -1) {
|
while ((ch = getopt_long(argc, argv, "d:H:hp:Vv", opts, NULL)) != -1) {
|
||||||
switch (ch) {
|
switch (ch) {
|
||||||
case 'd':
|
case 'd':
|
||||||
|
|
1
gmid.h
1
gmid.h
|
@ -228,6 +228,7 @@ struct conf {
|
||||||
char user[LOGIN_NAME_MAX];
|
char user[LOGIN_NAME_MAX];
|
||||||
int prefork;
|
int prefork;
|
||||||
int reload;
|
int reload;
|
||||||
|
int use_privsep_crypto;
|
||||||
|
|
||||||
int sock4;
|
int sock4;
|
||||||
struct event evsock4;
|
struct event evsock4;
|
||||||
|
|
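Review bot: The new `int use_privsep_crypto;` member has no comment, and its lifecycle is unusual enough to deserve one: config_new seeds it only under `#ifdef __OpenBSD__`, ge.c forces it to 0, and config_purge deliberately preserves it across the memset that wipes the rest of the struct. A one-liner would save the next reader a tour through config.c, e.g. `int use_privsep_crypto; /* keep private keys in PROC_CRYPTO; fixed at startup, survives config_purge */`. Whether the config parser can also set it is not visible in this commit, so the "fixed at startup" wording should be checked against parse.y before landing.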
13
server.c
13
server.c
|
@ -1395,11 +1395,7 @@ setup_tls(struct conf *conf)
|
||||||
if ((tlsconf = tls_config_new()) == NULL)
|
if ((tlsconf = tls_config_new()) == NULL)
|
||||||
fatal("tls_config_new");
|
fatal("tls_config_new");
|
||||||
|
|
||||||
/*
|
if (conf->use_privsep_crypto)
|
||||||
* ge doesn't use the privsep crypto engine; it doesn't use
|
|
||||||
* privsep at all so `ps' is NULL.
|
|
||||||
*/
|
|
||||||
if (conf->ps != NULL)
|
|
||||||
tls_config_use_fake_private_key(tlsconf);
|
tls_config_use_fake_private_key(tlsconf);
|
||||||
|
|
||||||
/* optionally accept client certs, but don't try to verify them */
|
/* optionally accept client certs, but don't try to verify them */
|
||||||
|
@ -1462,6 +1458,8 @@ server(struct privsep *ps, struct privsep_proc *p)
|
||||||
void
|
void
|
||||||
server_init(struct privsep *ps, struct privsep_proc *p, void *arg)
|
server_init(struct privsep *ps, struct privsep_proc *p, void *arg)
|
||||||
{
|
{
|
||||||
|
struct conf *c;
|
||||||
|
|
||||||
SPLAY_INIT(&clients);
|
SPLAY_INIT(&clients);
|
||||||
|
|
||||||
#ifdef SIGINFO
|
#ifdef SIGINFO
|
||||||
|
@ -1477,8 +1475,11 @@ server_init(struct privsep *ps, struct privsep_proc *p, void *arg)
|
||||||
* ge doesn't use the privsep crypto engine; it doesn't use
|
* ge doesn't use the privsep crypto engine; it doesn't use
|
||||||
* privsep at all so `ps' is NULL.
|
* privsep at all so `ps' is NULL.
|
||||||
*/
|
*/
|
||||||
if (ps != NULL)
|
if (ps != NULL) {
|
||||||
|
c = ps->ps_env;
|
||||||
|
if (c->use_privsep_crypto)
|
||||||
crypto_engine_init(ps->ps_env);
|
crypto_engine_init(ps->ps_env);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
|
|
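Review bot: Gating `tls_config_use_fake_private_key(tlsconf)` on `conf->use_privsep_crypto` instead of `conf->ps != NULL` changes the security posture on every non-OpenBSD build: config_send_kp now delivers the real private key to PROC_SERVER and setup_tls loads it there, so the network-facing server process holds the key material the privsep engine was meant to keep out of it. That is the trade-off the commit accepts, but it is stated only in the commit message; the comment this hunk deletes should be replaced rather than dropped, e.g. `/* with the privsep engine disabled the real key is loaded here; see config_send_kp */`. server_init in the next hunk still checks `ps != NULL` before reading the flag, while setup_tls now relies on ge.c zeroing it, and a short comment naming that dependency would keep the two sites readable together. Minor: `c = ps->ps_env;` is assigned and then `crypto_engine_init(ps->ps_env)` re-reads the same field; `crypto_engine_init(c)` would do.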