commit ba290ef3affaad8a51b789eeadab269df1ffd0af from: Omar Polo date: Sun Jun 11 12:18:27 2023 UTC disable the privsep crypto engine on !OpenBSD it fails bandly at runtime on various linux distros and on freebsd. Until a fix is found, disable it so I can move forward. commit - 237095fd9a40120ef4e4bb7b7525d45c89c6cfb0 commit + ba290ef3affaad8a51b789eeadab269df1ffd0af blob - 251095ccaad5a57252183e4a64fefaa6d140f5ee blob + 3b19dea29be1114a6755a2c9fa0e859d00cae3e6 --- config.c +++ config.c @@ -46,6 +46,10 @@ config_new(void) conf->prefork = 3; +#ifdef __OpenBSD__ + conf->use_privsep_crypto = 1; +#endif + conf->sock4 = -1; conf->sock6 = -1; @@ -63,8 +67,10 @@ config_purge(struct conf *conf) struct envlist *e, *te; struct alist *a, *ta; struct pki *pki, *tpki; + int use_privsep_crypto; ps = conf->ps; + use_privsep_crypto = conf->use_privsep_crypto; if (conf->sock4 != -1) { event_del(&conf->evsock4); @@ -136,6 +142,7 @@ config_purge(struct conf *conf) memset(conf, 0, sizeof(*conf)); conf->ps = ps; + conf->use_privsep_crypto = use_privsep_crypto; conf->sock4 = conf->sock6 = -1; conf->protos = TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3; init_mime(&conf->mime); @@ -184,7 +191,8 @@ static int config_send_kp(struct privsep *ps, int cert_type, int key_type, const char *cert, const char *key) { - int fd, d; + struct conf *conf = ps->ps_env; + int fd, d, key_target; log_debug("sending %s", cert); if ((fd = open(cert, O_RDONLY)) == -1) 
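Review bot: The `#ifdef __OpenBSD__` default in config_new says nothing about what the off state means, and it is security-relevant: with use_privsep_crypto clear, config_send_kp in this same commit sends the TLS private key to PROC_SERVER instead of PROC_CRYPTO, so the network-facing process holds the key. Whether the field is already zero on other platforms depends on how conf is allocated, which is outside the hunk; an explicit `#else` branch both documents the trade-off and removes that dependency: `#else /* engine disabled: the private key is loaded into PROC_SERVER, no key isolation */` followed by `conf->use_privsep_crypto = 0;`. The rest of config_new lies outside this hunk.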
@@ -196,13 +204,19 @@ config_send_kp(struct privsep *ps, int cert_type, int close(d); return -1; } - if (config_send_file(ps, PROC_CRYPTO, cert_type, d, NULL, 0) == -1) + if (conf->use_privsep_crypto && + config_send_file(ps, PROC_CRYPTO, cert_type, d, NULL, 0) == -1) return -1; log_debug("sending %s", key); if ((fd = open(key, O_RDONLY)) == -1) return -1; - if (config_send_file(ps, PROC_CRYPTO, key_type, fd, NULL, 0) == -1) + + key_target = PROC_CRYPTO; + if (!conf->use_privsep_crypto) + key_target = PROC_SERVER; + + if (config_send_file(ps, key_target, key_type, fd, NULL, 0) == -1) return -1; if (proc_flush_imsg(ps, PROC_SERVER, -1) == -1) blob - 36b9dd9e410f68e5a4b59ffe052cf44e14b96857 blob + 546238c5191be2527c8e9930084573199f139bac --- ge.c +++ ge.c @@ -249,6 +249,9 @@ main(int argc, char **argv) log_setverbose(0); conf = config_new(); + /* ge doesn't do privsep so no privsep crypto engine. */ + conf->use_privsep_crypto = 0; + while ((ch = getopt_long(argc, argv, "d:H:hp:Vv", opts, NULL)) != -1) { switch (ch) { case 'd': blob - 515f29c18bbd3cc8cb425842806655999e890366 blob + c68ab92ae218c467ce325262729266d389a51687 --- gmid.h +++ gmid.h @@ -228,6 +228,7 @@ struct conf { char user[LOGIN_NAME_MAX]; int prefork; int reload; + int use_privsep_crypto; int sock4; struct event evsock4; blob - 79fcc155cf49bf3bafe5b72b2b9370b85c59be2a blob + acf77034dc98e86c92242eed876d37aa6b8b10d3 --- server.c +++ server.c @@ -1395,11 +1395,7 @@ setup_tls(struct conf *conf) if ((tlsconf = tls_config_new()) == NULL) fatal("tls_config_new"); - /* - * ge doesn't use the privsep crypto engine; it doesn't use - * privsep at all so `ps' is NULL. - */ - if (conf->ps != NULL) + if (conf->use_privsep_crypto) tls_config_use_fake_private_key(tlsconf); /* optionally accept client certs, but don't try to verify them */ 
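Review bot: When use_privsep_crypto is 0 the short-circuit `&&` skips config_send_file for the cert entirely, so the duplicated descriptor `d` is neither handed off nor closed; if config_send_file normally owns and closes what it sends, as the `close(d)` on the error path just above suggests, this leaks one descriptor per certificate on every load and reload. Write it as `if (!conf->use_privsep_crypto) close(d); else if (config_send_file(ps, PROC_CRYPTO, cert_type, d, NULL, 0) == -1) return -1;`, or do not dup the fd at all when the engine is off (the dup happens before this hunk). Separately, `key_target = PROC_SERVER;` is the line that puts the private key into the server process; a comment there, `/* no crypto engine: the key is handed to the TLS server process itself */`, would keep that deliberate loss of isolation visible. config_send_kp's opening lines and its tail are outside this hunk.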
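Review bot: The new struct conf member is undocumented although it decides which process ends up holding the TLS private key, per the setup_tls and config_send_kp hunks in this commit. Give it a trailing comment in the style of the surrounding fields: `int use_privsep_crypto; /* 1: key stays in PROC_CRYPTO; 0: key is sent to PROC_SERVER */`. The remainder of struct conf is outside the hunk.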
@@ -1462,6 +1458,8 @@ server(struct privsep *ps, struct privsep_proc *p) void server_init(struct privsep *ps, struct privsep_proc *p, void *arg) { + struct conf *c; + SPLAY_INIT(&clients); #ifdef SIGINFO @@ -1477,8 +1475,11 @@ server_init(struct privsep *ps, struct privsep_proc *p * ge doesn't use the privsep crypto engine; it doesn't use * privsep at all so `ps' is NULL. */ - if (ps != NULL) - crypto_engine_init(ps->ps_env); + if (ps != NULL) { + c = ps->ps_env; + if (c->use_privsep_crypto) + crypto_engine_init(ps->ps_env); + } } int
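Review bot: The comment retained above the new block still explains the `ps != NULL` test as the ge case only, while the inner `c->use_privsep_crypto` test is the one that now matters on non-OpenBSD gmid builds, where the engine is off by default; extend it to `/* ge has no privsep (ps is NULL); gmid may also run with the engine off (use_privsep_crypto == 0), in which case setup_tls uses the real key instead of the fake one. */`. Since `c` is fetched for exactly this purpose, call `crypto_engine_init(c);` rather than re-reading `ps->ps_env`. The start of server_init and its closing brace are outside this hunk.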