Connection failed when using gnutls/cryptodev, due to wrongly closing the fd (/dev/crypto) in the worker main function
Description of problem:
Building gnutls with hardware acceleration, the ocserv connection always failed on SHA1 calculation. Using strace to trace "open, close, ioctl", it was found that "/dev/crypto" was opened as fd=1, i.e. STDOUT_FILENO, and fd=1 was closed before we began to use the gnutls SHA1 via cryptodev/ioctl.
Searching in the source code, it seems this issue is caused in the worker main function by "close(STDOUT_FILENO);".
BTW, there is also a possible typo: not STDIN, if you really meant to close STDOUT and STDERR.
diff --git a/src/worker.c b/src/worker.c
index 1e915c3..25a1915 100644
--- a/src/worker.c
+++ b/src/worker.c
@@ -126,8 +126,9 @@ int main(int argc, char **argv)
// Close stdout and stderr early to avoid spurious logs
/* we don't need them */
- close(STDIN_FILENO);
- close(STDOUT_FILENO);
+//bynj: STDOUT_FILENO as fd=1, actually might be not for stdout, but for open(/dev/crypto). closing here will break all gnutls/cryptodev
+// close(STDIN_FILENO);
+// close(STDOUT_FILENO);
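Review bot: commenting out the two close() calls leaves the real defect in place and is not mergeable as-is. The failure described above happens because fd 1 was already free when GnuTLS opened /dev/crypto, so open() handed out the lowest free descriptor; with the closes simply removed, anything that later writes to stdout would write into the crypto device instead. The robust fix is to open /dev/null and dup2() it onto STDIN_FILENO, STDOUT_FILENO and STDERR_FILENO, so the standard descriptors stay occupied and no later open() can land on 0, 1 or 2. Also, the comment kept above the hunk says "Close stdout and stderr" while the code closes STDIN_FILENO and STDOUT_FILENO; make the comment and the descriptors agree. Finally, drop the "//bynj:" author-tagged comment and the commented-out lines; the patch should replace the code, not leave it commented.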
Version of ocserv used:
ocserv-1.1.2 GnuTLS 3.7.0
Client used:
anyconnect, and openconnect
Distributor of ocserv
(e.g., Ubuntu, Fedora, RHEL)
How reproducible:
Describe the steps to reproduce the issue:
- build gnutls with cryptodev enabled
- make sure ocserv server running with the GnuTLS above
- client connects
Actual results:
(Describe the actual results after following the instructions above)
Expected results:
(Describe the expected results)
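As an added example (not ocserv's code and not part of the reporter's patch): a small C program that reproduces the descriptor-number reuse the report describes and shows the usual daemon fix of redirecting the standard descriptors to /dev/null instead of closing them. `stdio_to_devnull` and `device_fd_after` are names assumed here, and /dev/null stands in for /dev/crypto so the program runs anywhere.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Safe variant: instead of close()ing the standard descriptors, point them
 * at /dev/null. Descriptors 0, 1 and 2 stay occupied, so a later open()
 * (e.g. GnuTLS opening /dev/crypto) can never receive one of them, and a
 * later close(STDOUT_FILENO) cannot hit a device a library opened.
 * Returns 0 on success, -1 on failure. */
int stdio_to_devnull(void)
{
    int nul = open("/dev/null", O_RDWR);
    if (nul < 0)
        return -1;
    int rc = 0;
    if (dup2(nul, STDIN_FILENO) < 0 || dup2(nul, STDOUT_FILENO) < 0 ||
        dup2(nul, STDERR_FILENO) < 0)
        rc = -1;
    if (nul > STDERR_FILENO)
        close(nul); /* only drop the temporary fd, never 0/1/2 */
    return rc;
}

/* Run the scenario in a forked child so the caller's own descriptors are
 * untouched. The child drops stdout the way `how` says, then opens a device
 * (/dev/null stands in for /dev/crypto) and reports the descriptor number
 * it received through its exit status.
 * how == 0: close(STDOUT_FILENO) as in the ocserv worker; how == 1: redirect. */
int device_fd_after(int how)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (how == 0)
            close(STDOUT_FILENO);
        else if (stdio_to_devnull() < 0)
            _exit(255);
        int dev = open("/dev/null", O_RDWR); /* stand-in for /dev/crypto */
        _exit(dev < 0 ? 254 : dev);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("after close(STDOUT_FILENO): device got fd %d\n", device_fd_after(0));
    printf("after redirect to /dev/null: device got fd %d\n", device_fd_after(1));
    return 0;
}
```

With the close() approach the device lands on a standard descriptor number (1, or 0 if stdin was already closed), which is exactly what a later `close(STDOUT_FILENO)` then destroys; with the redirect it is always 3 or higher.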