Re: libtls syslogd pledge abort

2016-12-29 Thread Bob Beck

> Or do not call tls_configure_ssl_verify() if verification is turned
> off.

This makes sense to me. 

> 
> Index: lib/libtls/tls_client.c
> ===
> RCS file: /data/mirror/openbsd/cvs/src/lib/libtls/tls_client.c,v
> retrieving revision 1.38
> diff -u -p -r1.38 tls_client.c
> --- lib/libtls/tls_client.c   26 Dec 2016 16:20:58 -  1.38
> +++ lib/libtls/tls_client.c   29 Dec 2016 22:56:23 -
> @@ -195,7 +195,9 @@ tls_connect_common(struct tls *ctx, cons
>   }
>   }
>  
> - if (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, SSL_VERIFY_PEER) == -1)
> + if (ctx->config->verify_cert &&
> + (tls_configure_ssl_verify(ctx, ctx->ssl_ctx,
> +  SSL_VERIFY_PEER) == -1))
>   goto err;
>  
>   if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_verify_cb) != 
> 1) {
> 
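Review bot: The gate on ctx->config->verify_cert belongs exactly here, before tls_configure_ssl_verify() is entered: a context set up with tls_config_insecure_noverifycert() now never reaches the code that opens /etc/ssl/cert.pem, which is the open() the ktrace shows tripping pledge, and since SSL_VERIFY_PEER is only ever requested through this call, skipping it leaves the context unverified, which is what that setting asks for. One style nit: the parentheses around the tls_configure_ssl_verify() call are redundant next to the `&&`, so it could read
	if (ctx->config->verify_cert &&
	    tls_configure_ssl_verify(ctx, ctx->ssl_ctx, SSL_VERIFY_PEER) == -1)
and match the surrounding style.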

ok beck@

> I would prefer the fix in libtls as
> - this problem may also affect other daemons
> - avoid doing unnecessary stuff
> - syslogd could run on a system without cert.pem
> 
> comments? ok?
> 
> bluhm

libtls syslogd pledge abort

2016-12-29 Thread Alexander Bluhm
Hi,

The previous commit to libtls makes syslogd abort due to pledge if
certificate verification is turned off.  This happens in the
chrooted child process.

 87878 syslogd  CALL  open(0x2d203ce4,0)
 87878 syslogd  NAMI  "/etc/ssl/cert.pem"
 87878 syslogd  PLDG  open, "rpath", errno 1 Operation not permitted
 87878 syslogd  PSIG  SIGABRT SIG_DFL code <-538976289>

We can either preload the cert in syslogd even if verification is
turned off.

Index: usr.sbin/syslogd/syslogd.c
===
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.225
diff -u -p -r1.225 syslogd.c
--- usr.sbin/syslogd/syslogd.c  27 Dec 2016 19:16:24 -  1.225
+++ usr.sbin/syslogd/syslogd.c  29 Dec 2016 22:57:41 -
@@ -590,16 +590,14 @@ main(int argc, char *argv[])
if (NoVerify) {
tls_config_insecure_noverifycert(client_config);
tls_config_insecure_noverifyname(client_config);
-   } else {
-   if (tls_config_set_ca_file(client_config,
-   CAfile) == -1) {
-   logerrortlsconf("Load client TLS CA failed",
-   client_config);
-   /* avoid reading default certs in chroot */
-   tls_config_set_ca_mem(client_config, "", 0);
-   } else
-   logdebug("CAfile %s\n", CAfile);
}
+   if (tls_config_set_ca_file(client_config, CAfile) == -1) {
+   logerrortlsconf("Load client TLS CA failed",
+   client_config);
+   /* avoid reading default certs in chroot */
+   tls_config_set_ca_mem(client_config, "", 0);
+   } else
+   logdebug("CAfile %s\n", CAfile);
if (ClientCertfile && ClientKeyfile) {
if (tls_config_set_cert_file(client_config,
ClientCertfile) == -1)
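Review bot: Moving tls_config_set_ca_file() out of the else branch makes syslogd load CAfile on every start, including with NoVerify set, so a host without /etc/ssl/cert.pem now logs "Load client TLS CA failed" for a configuration in which the CA is never consulted; if this variant is kept, that error should be suppressed (or demoted to logdebug) when NoVerify is set. The tls_config_set_ca_mem(client_config, "", 0) fallback has to stay in either case, since, as the comment says, it is what stops libtls from reading the default bundle inside the chroot.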

Or do not call tls_configure_ssl_verify() if verification is turned
off.

Index: lib/libtls/tls_client.c
===
RCS file: /data/mirror/openbsd/cvs/src/lib/libtls/tls_client.c,v
retrieving revision 1.38
diff -u -p -r1.38 tls_client.c
--- lib/libtls/tls_client.c 26 Dec 2016 16:20:58 -  1.38
+++ lib/libtls/tls_client.c 29 Dec 2016 22:56:23 -
@@ -195,7 +195,9 @@ tls_connect_common(struct tls *ctx, cons
}
}
 
-   if (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, SSL_VERIFY_PEER) == -1)
+   if (ctx->config->verify_cert &&
+   (tls_configure_ssl_verify(ctx, ctx->ssl_ctx,
+SSL_VERIFY_PEER) == -1))
goto err;
 
if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_verify_cb) != 
1) {
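Review bot: This is a client-only change; tls_server.c is not in the diff, so it is worth checking whether the accept path has an equivalent unconditional tls_configure_ssl_verify() call that would need the same kind of gate, otherwise a chrooted server that disables peer verification would hit the same pledge abort. For the client path the logic matches the goal stated above: with verification off, the CA file is never opened, regardless of what the daemon preloads.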

I would prefer the fix in libtls as
- this problem may also affect other daemons
- avoid doing unnecessary stuff
- syslogd could run on a system without cert.pem

comments? ok?

bluhm