From owner-svn-ports-all@FreeBSD.ORG  Mon Mar 30 18:37:25 2015
Return-Path: <owner-svn-ports-all@FreeBSD.ORG>
Delivered-To: svn-ports-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 656C21FC;
 Mon, 30 Mar 2015 18:37:25 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4F6C1F8C;
 Mon, 30 Mar 2015 18:37:25 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t2UIbP5Y044703;
 Mon, 30 Mar 2015 18:37:25 GMT (envelope-from mandree@FreeBSD.org)
Received: (from mandree@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id t2UIbOjD044701;
 Mon, 30 Mar 2015 18:37:24 GMT (envelope-from mandree@FreeBSD.org)
Message-Id: <201503301837.t2UIbOjD044701@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: mandree set sender to
 mandree@FreeBSD.org using -f
From: Matthias Andree <mandree@FreeBSD.org>
Date: Mon, 30 Mar 2015 18:37:24 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
 svn-ports-head@freebsd.org
Subject: svn commit: r382705 - in head/security/openvpn: . files
X-SVN-Group: ports-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-all@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the ports tree <svn-ports-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-all/>
List-Post: <mailto:svn-ports-all@freebsd.org>
List-Help: <mailto:svn-ports-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Mar 2015 18:37:25 -0000

Author: mandree
Date: Mon Mar 30 18:37:23 2015
New Revision: 382705
URL: https://svnweb.freebsd.org/changeset/ports/382705
QAT: https://qat.redports.org/buildarchive/r382705/

Log:
  Add an experimental patch for bug #195004.
  Needs to be enabled through a port option.
  
  PR: 195004

Added:
  head/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch   (contents, props changed)
Modified:
  head/security/openvpn/Makefile

Modified: head/security/openvpn/Makefile
==============================================================================
--- head/security/openvpn/Makefile	Mon Mar 30 18:28:20 2015	(r382704)
+++ head/security/openvpn/Makefile	Mon Mar 30 18:37:23 2015	(r382705)
@@ -3,7 +3,7 @@
 
 PORTNAME=		openvpn
 DISTVERSION=		2.3.6
-PORTREVISION=		2
+PORTREVISION=		3
 CATEGORIES=		security net
 MASTER_SITES=		http://swupdate.openvpn.net/community/releases/ \
 			http://build.openvpn.net/downloads/releases/
@@ -25,7 +25,7 @@ SHEBANG_FILES=		sample/sample-scripts/ve
 CPPFLAGS+=		-I${LOCALBASE}/include
 LDFLAGS+=		-L${LOCALBASE}/lib
 
-OPTIONS_DEFINE=		PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME
+OPTIONS_DEFINE=		PW_SAVE PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME ENGINEFIX
 OPTIONS_DEFAULT=	EASYRSA OPENSSL
 OPTIONS_SINGLE=		SSL
 OPTIONS_SINGLE_SSL=	OPENSSL POLARSSL
@@ -34,6 +34,7 @@ PKCS11_DESC=		Use security/pkcs11-helper
 EASYRSA_DESC=		Install security/easy-rsa RSA helper package
 POLARSSL_DESC=		SSL/TLS support via PolarSSL
 X509ALTUSERNAME_DESC=	Enable --x509-username-field (only with OpenSSL)
+ENGINEFIX_DESC=		EXPERIMENTAL patch to fix SSL engine use
 
 EASYRSA_RUN_DEPENDS=	easy-rsa>=0:${PORTSDIR}/security/easy-rsa
 
@@ -46,6 +47,10 @@ X509ALTUSERNAME_CONFIGURE_ENABLE=	x509-a
 
 .include <bsd.port.options.mk>
 
+.if ${PORT_OPTIONS:MENGINEFIX}
+EXTRA_PATCHES+=		${FILESDIR}/150322-Reload-OpenSSL-engines-after-forking.patch:-p1
+.endif
+
 .if ${PORT_OPTIONS:MPOLARSSL}
 . if ${PORT_OPTIONS:MX509ALTUSERNAME}
 BROKEN=	OpenVPN ${DISTVERSION} cannot use --x509-username-field with PolarSSL. Disable X509ALTUSERNAME, or use OpenSSL instead

Added: head/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openvpn/files/150322-Reload-OpenSSL-engines-after-forking.patch	Mon Mar 30 18:37:23 2015	(r382705)
@@ -0,0 +1,171 @@
+From 37816d2fbb3e66fa1eb09d0e8f4dadd3f376324f Mon Sep 17 00:00:00 2001
+From: Steffan Karger <steffan@karger.me>
+Date: Sun, 22 Mar 2015 19:51:25 +0100
+Subject: [PATCH] Reload OpenSSL engines after forking
+
+As reported in trac ticket #480, the cryptodev OpenSSL engine opens
+/dev/crypto on load, but runs into trouble when the pid changes due to a
+call to daemon().  We cannot simply call daemon() before intilializing,
+because that will change the interpretation of relative paths in the config
+file.  To work around that, not only fixup the PKCS#11 state after calling
+daemon(), but also reload the OpenSSL engines.
+
+Signed-off-by: Steffan Karger <steffan@karger.me>
+---
+ src/openvpn/crypto.c          | 17 +++++++++++++++++
+ src/openvpn/crypto.h          |  7 +++++++
+ src/openvpn/crypto_backend.h  |  8 +++++++-
+ src/openvpn/crypto_openssl.c  | 21 +++++++++++++--------
+ src/openvpn/crypto_polarssl.c |  5 +++++
+ src/openvpn/init.c            |  4 +---
+ 6 files changed, 50 insertions(+), 12 deletions(-)
+
+diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
+index c1b9df3..5353479 100644
+--- a/src/openvpn/crypto.c
++++ b/src/openvpn/crypto.c
+@@ -36,6 +36,7 @@
+ #include "crypto.h"
+ #include "error.h"
+ #include "misc.h"
++#include "pkcs11.h"
+ 
+ #include "memdbg.h"
+ 
+@@ -426,6 +427,22 @@ crypto_adjust_frame_parameters(struct frame *frame,
+       __func__, crypto_overhead);
+ }
+ 
++void
++crypto_fork_fixup(const char *crypto_engine)
++{
++#if defined(ENABLE_PKCS11)
++  pkcs11_forkFixup ();
++#endif
++
++  if (crypto_engine)
++    {
++      /* Reload crypto engines, because a cryptodev engine opens file
++       * descriptors, which might no longer be usable after forking. */
++      crypto_uninit_lib_engine();
++      crypto_init_lib_engine(crypto_engine);
++    }
++}
++
+ /*
+  * Build a struct key_type.
+  */
+diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
+index 82158f9..2e57765 100644
+--- a/src/openvpn/crypto.h
++++ b/src/openvpn/crypto.h
+@@ -354,6 +354,13 @@ void crypto_adjust_frame_parameters(struct frame *frame,
+ 				    bool packet_id,
+ 				    bool packet_id_long_form);
+ 
++/**
++ * Try to fixup crypto stuff that breaks after forking.
++ *
++ * @param crypto_engine		Name of the crypto engine to reload.
++ */
++void crypto_fork_fixup(const char *crypto_engine);
++
+ 
+ /* Minimum length of the nonce used by the PRNG */
+ #define NONCE_SECRET_LEN_MIN 16
+diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
+index 4e45df0..db6421a 100644
+--- a/src/openvpn/crypto_backend.h
++++ b/src/openvpn/crypto_backend.h
+@@ -49,11 +49,17 @@ void crypto_uninit_lib (void);
+ 
+ void crypto_clear_error (void);
+ 
+-/*
++/**
+  * Initialise the given named crypto engine.
+  */
+ void crypto_init_lib_engine (const char *engine_name);
+ 
++/**
++ * Uninitialise previously loaded crypto engines.
++ */
++void crypto_uninit_lib_engine (void);
++
++
+ #ifdef DMALLOC
+ /*
+  * OpenSSL memory debugging.  If dmalloc debugging is enabled, tell
+diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
+index 2d81a6d..5e91752 100644
+--- a/src/openvpn/crypto_openssl.c
++++ b/src/openvpn/crypto_openssl.c
+@@ -138,6 +138,18 @@ crypto_init_lib_engine (const char *engine_name)
+ #endif
+ }
+ 
++void
++crypto_uninit_lib_engine (void) {
++#if HAVE_OPENSSL_ENGINE
++  if (engine_initialized)
++    {
++      ENGINE_cleanup ();
++      engine_persist = NULL;
++      engine_initialized = false;
++    }
++#endif
++}
++
+ /*
+  *
+  * Functions related to the core crypto library
+@@ -168,14 +180,7 @@ crypto_uninit_lib (void)
+   fclose (fp);
+ #endif
+ 
+-#if HAVE_OPENSSL_ENGINE
+-  if (engine_initialized)
+-    {
+-      ENGINE_cleanup ();
+-      engine_persist = NULL;
+-      engine_initialized = false;
+-    }
+-#endif
++  crypto_uninit_lib_engine();
+ }
+ 
+ void
+diff --git a/src/openvpn/crypto_polarssl.c b/src/openvpn/crypto_polarssl.c
+index c038f8e..900a98a 100644
+--- a/src/openvpn/crypto_polarssl.c
++++ b/src/openvpn/crypto_polarssl.c
+@@ -66,6 +66,11 @@ crypto_init_lib_engine (const char *engine_name)
+       "available");
+ }
+ 
++void
++crypto_uninit_lib_engine (void)
++{
++}
++
+ /*
+  *
+  * Functions related to the core crypto library
+diff --git a/src/openvpn/init.c b/src/openvpn/init.c
+index b97d2da..2680c59 100644
+--- a/src/openvpn/init.c
++++ b/src/openvpn/init.c
+@@ -929,9 +929,7 @@ possibly_become_daemon (const struct options *options)
+       if (options->log)
+ 	set_std_files_to_null (true);
+ 
+-#if defined(ENABLE_PKCS11)
+-      pkcs11_forkFixup ();
+-#endif
++      crypto_fork_fixup (options->engine);
+ 
+       ret = true;
+     }
+-- 
+2.1.0
+