Re: openssl: s_time needs dns pledge promise

2017-11-01 Thread Ricardo Mestre
ok mestre@

On 19:07 Wed 01 Nov, Scott Cheloha wrote:
> Hi,
> 
> The following (and similar invocations) gets SIGABRT'd:
> 
>   openssl s_time -connect openbsd.org:443
> 
> BIO_set_conn_hostname(3), or whatever BIO_ctrl(3) is doing
> underneath, tries to resolve your target host and the process
> gets signaled when it enters socket(2).
> 
> Adding "dns" to the pledge(2) promise corrects this.
> 
> It looks like this has been broken since ~2015 but I have no
> release machines handy to confirm.
> 
> --
> Scott Cheloha
> 
> Index: usr.bin/openssl/s_time.c
> ===
> RCS file: /cvs/src/usr.bin/openssl/s_time.c,v
> retrieving revision 1.17
> diff -u -p -r1.17 s_time.c
> --- usr.bin/openssl/s_time.c  20 Jan 2017 08:57:12 -  1.17
> +++ usr.bin/openssl/s_time.c  1 Nov 2017 23:30:23 -
> @@ -254,7 +254,7 @@ s_time_main(int argc, char **argv)
>   int ver;
>  
>   if (single_execution) {
> - if (pledge("stdio rpath inet", NULL) == -1) {
> + if (pledge("stdio rpath inet dns", NULL) == -1) {
>   perror("pledge");
>   exit(1);
>   }
> 



openssl: s_time needs dns pledge promise

2017-11-01 Thread Scott Cheloha
Hi,

The following (and similar invocations) gets SIGABRT'd:

openssl s_time -connect openbsd.org:443

BIO_set_conn_hostname(3), or whatever BIO_ctrl(3) is doing
underneath, tries to resolve your target host and the process
gets signaled when it enters socket(2).

Adding "dns" to the pledge(2) promise corrects this.

It looks like this has been broken since ~2015 but I have no
release machines handy to confirm.

--
Scott Cheloha

Index: usr.bin/openssl/s_time.c
===
RCS file: /cvs/src/usr.bin/openssl/s_time.c,v
retrieving revision 1.17
diff -u -p -r1.17 s_time.c
--- usr.bin/openssl/s_time.c20 Jan 2017 08:57:12 -  1.17
+++ usr.bin/openssl/s_time.c1 Nov 2017 23:30:23 -
@@ -254,7 +254,7 @@ s_time_main(int argc, char **argv)
int ver;
 
if (single_execution) {
-   if (pledge("stdio rpath inet", NULL) == -1) {
+   if (pledge("stdio rpath inet dns", NULL) == -1) {
perror("pledge");
exit(1);
}
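Review bot: the promise string in the `single_execution` branch gains "dns" but nothing in the hunk records why, and the need is indirect (per the message above, BIO_set_conn_hostname(3) resolves the target host and the abort surfaces in socket(2)); add a one-line comment above the call, e.g. `/* "dns": BIO_set_conn_hostname() resolves the target */`, so a later pledge-tightening pass does not drop it. Resolving the host before pledging would let the "dns" promise be omitted altogether, but that is a restructuring well beyond this one-liner and the one-liner is correct as is.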