commit - 237095fd9a40120ef4e4bb7b7525d45c89c6cfb0
commit + ba290ef3affaad8a51b789eeadab269df1ffd0af
blob - 251095ccaad5a57252183e4a64fefaa6d140f5ee
blob + 3b19dea29be1114a6755a2c9fa0e859d00cae3e6
--- config.c
+++ config.c
conf->prefork = 3;
+#ifdef __OpenBSD__
+ conf->use_privsep_crypto = 1;
+#endif
+
conf->sock4 = -1;
conf->sock6 = -1;
struct envlist *e, *te;
struct alist *a, *ta;
struct pki *pki, *tpki;
+ int use_privsep_crypto;
ps = conf->ps;
+ use_privsep_crypto = conf->use_privsep_crypto;
if (conf->sock4 != -1) {
event_del(&conf->evsock4);
memset(conf, 0, sizeof(*conf));
conf->ps = ps;
+ conf->use_privsep_crypto = use_privsep_crypto;
conf->sock4 = conf->sock6 = -1;
conf->protos = TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3;
init_mime(&conf->mime);
config_send_kp(struct privsep *ps, int cert_type, int key_type,
const char *cert, const char *key)
{
- int fd, d;
+ struct conf *conf = ps->ps_env;
+ int fd, d, key_target;
log_debug("sending %s", cert);
if ((fd = open(cert, O_RDONLY)) == -1)
close(d);
return -1;
}
- if (config_send_file(ps, PROC_CRYPTO, cert_type, d, NULL, 0) == -1)
+ if (conf->use_privsep_crypto &&
+ config_send_file(ps, PROC_CRYPTO, cert_type, d, NULL, 0) == -1)
return -1;
log_debug("sending %s", key);
if ((fd = open(key, O_RDONLY)) == -1)
return -1;
- if (config_send_file(ps, PROC_CRYPTO, key_type, fd, NULL, 0) == -1)
+
+ key_target = PROC_CRYPTO;
+ if (!conf->use_privsep_crypto)
+ key_target = PROC_SERVER;
+
+ if (config_send_file(ps, key_target, key_type, fd, NULL, 0) == -1)
return -1;
if (proc_flush_imsg(ps, PROC_SERVER, -1) == -1)
blob - 36b9dd9e410f68e5a4b59ffe052cf44e14b96857
blob + 546238c5191be2527c8e9930084573199f139bac
--- ge.c
+++ ge.c
log_setverbose(0);
conf = config_new();
+ /* ge doesn't do privsep so no privsep crypto engine. */
+ conf->use_privsep_crypto = 0;
+
while ((ch = getopt_long(argc, argv, "d:H:hp:Vv", opts, NULL)) != -1) {
switch (ch) {
case 'd':
blob - 515f29c18bbd3cc8cb425842806655999e890366
blob + c68ab92ae218c467ce325262729266d389a51687
--- gmid.h
+++ gmid.h
char user[LOGIN_NAME_MAX];
int prefork;
int reload;
+ int use_privsep_crypto;
int sock4;
struct event evsock4;
blob - 79fcc155cf49bf3bafe5b72b2b9370b85c59be2a
blob + acf77034dc98e86c92242eed876d37aa6b8b10d3
--- server.c
+++ server.c
if ((tlsconf = tls_config_new()) == NULL)
fatal("tls_config_new");
- /*
- * ge doesn't use the privsep crypto engine; it doesn't use
- * privsep at all so `ps' is NULL.
- */
- if (conf->ps != NULL)
+ if (conf->use_privsep_crypto)
tls_config_use_fake_private_key(tlsconf);
/* optionally accept client certs, but don't try to verify them */
void
server_init(struct privsep *ps, struct privsep_proc *p, void *arg)
{
+ struct conf *c;
+
SPLAY_INIT(&clients);
#ifdef SIGINFO
* ge doesn't use the privsep crypto engine; it doesn't use
* privsep at all so `ps' is NULL.
*/
- if (ps != NULL)
- crypto_engine_init(ps->ps_env);
+ if (ps != NULL) {
+ c = ps->ps_env;
+ if (c->use_privsep_crypto)
+ crypto_engine_init(ps->ps_env);
+ }
}
int