Hi, The new load_file() feature in libtls makes it possible to simplify the code that preloads the CA cert, server cert and server key in syslogd before calling chroot(2).
ok? bluhm
Index: usr.sbin/syslogd/syslogd.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.208
diff -u -p -r1.208 syslogd.c
--- usr.sbin/syslogd/syslogd.c	6 Jul 2016 19:29:13 -0000	1.208
+++ usr.sbin/syslogd/syslogd.c	6 Jul 2016 22:22:29 -0000
@@ -223,7 +223,7 @@ char *path_ctlsock = NULL; /* Path to co
 struct tls *server_ctx;
 struct tls_config *client_config, *server_config;
-const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates */
+const char *CAfile = NULL; /* file containing CA certificates */
 int NoVerify = 0; /* do not verify TLS server x509 certificate */
 int tcpbuf_dropped = 0; /* count messages dropped from TCP or TLS */
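Review bot: The comment on the changed `CAfile` line no longer says what a NULL default means, and the second hunk of this patch drops the old `/* avoid reading default certs in chroot */` guard, so the reader has to know that the default CA bundle is now expected to come from libtls itself. I would spell that dependency out at the declaration: `const char *CAfile = NULL;	/* CA certificates; NULL: rely on the bundle libtls loads in tls_config_new() */`. That presumes tls_config_new() loads its default CA file eagerly, before syslogd calls chroot(2) — it is what this patch relies on, so it is worth stating where the next reader will look.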
@@ -552,110 +552,44 @@ main(int argc, char *argv[])
 		if (NoVerify) {
 			tls_config_insecure_noverifycert(client_config);
 			tls_config_insecure_noverifyname(client_config);
-		} else {
-			struct stat sb;
-			int fail = 1;
-
-			fd = -1;
-			p = NULL;
-			if ((fd = open(CAfile, O_RDONLY)) == -1) {
-				logerror("open CAfile");
-			} else if (fstat(fd, &sb) == -1) {
-				logerror("fstat CAfile");
-			} else if (sb.st_size > 50*1024*1024) {
-				logerrorx("CAfile larger than 50MB");
-			} else if ((p = calloc(sb.st_size, 1)) == NULL) {
-				logerror("calloc CAfile");
-			} else if (read(fd, p, sb.st_size) != sb.st_size) {
-				logerror("read CAfile");
-			} else if (tls_config_set_ca_mem(client_config, p,
-			    sb.st_size) == -1) {
-				logerrorx("tls_config_set_ca_mem");
-			} else {
-				fail = 0;
-				logdebug("CAfile %s, size %lld\n",
-				    CAfile, sb.st_size);
-			}
-			/* avoid reading default certs in chroot */
-			if (fail)
-				tls_config_set_ca_mem(client_config, "", 0);
-			free(p);
-			close(fd);
+		} else if (CAfile) {
+			if (tls_config_set_ca_file(client_config, CAfile) == -1)
+				logerrorx("tls_config_set_ca_file");
+			else
+				logdebug("CAfile %s\n", CAfile);
 		}
 		tls_config_set_protocols(client_config, TLS_PROTOCOLS_ALL);
 		if (tls_config_set_ciphers(client_config, "compat") != 0)
 			logerror("tls set client ciphers");
 	}
 	if (server_config && server_ctx) {
-		struct stat sb;
-		char *path;
+		const char *names[2];
-		fd = -1;
-		p = NULL;
-		path = NULL;
-		if (asprintf(&path, "/etc/ssl/private/%s.key", tls_hostport)
-		    == -1 || (fd = open(path, O_RDONLY)) == -1) {
-			free(path);
-			path = NULL;
-			if (asprintf(&path, "/etc/ssl/private/%s.key", tls_host)
-			    == -1 || (fd = open(path, O_RDONLY)) == -1) {
-				free(path);
-				path = NULL;
+		names[0] = tls_hostport;
+		names[1] = tls_host;
+
+		for (i = 0; i < 2; i++) {
+			if (asprintf(&p, "/etc/ssl/private/%s.key", names[i])
+			    == -1)
+				continue;
+			if (tls_config_set_key_file(server_config, p) == -1) {
+				free(p);
+				logerrorx("tls_config_set_key_file");
+				continue;
 			}
-		}
-		if (fd == -1) {
-			logerror("open keyfile");
-		} else if (fstat(fd, &sb) == -1) {
-			logerror("fstat keyfile");
-		} else if (sb.st_size > 50*1024) {
-			logerrorx("keyfile larger than 50KB");
-		} else if ((p = calloc(sb.st_size, 1)) == NULL) {
-			logerror("calloc keyfile");
-		} else if (read(fd, p, sb.st_size) != sb.st_size) {
-			logerror("read keyfile");
-		} else if (tls_config_set_key_mem(server_config, p,
-		    sb.st_size) == -1) {
-			logerrorx("tls_config_set_key_mem");
-		} else {
-			logdebug("Keyfile %s, size %lld\n", path, sb.st_size);
-		}
-		free(p);
-		close(fd);
-		free(path);
-
-		fd = -1;
-		p = NULL;
-		path = NULL;
-		if (asprintf(&path, "/etc/ssl/%s.crt", tls_hostport)
-		    == -1 || (fd = open(path, O_RDONLY)) == -1) {
-			free(path);
-			path = NULL;
-			if (asprintf(&path, "/etc/ssl/%s.crt", tls_host)
-			    == -1 || (fd = open(path, O_RDONLY)) == -1) {
-				free(path);
-				path = NULL;
+			logdebug("Keyfile %s\n", p);
+			free(p);
+			if (asprintf(&p, "/etc/ssl/%s.crt", names[i]) == -1)
+				continue;
+			if (tls_config_set_cert_file(server_config, p) == -1) {
+				free(p);
+				logerrorx("tls_config_set_cert_file");
+				continue;
 			}
+			logdebug("Certfile %s\n", p);
+			free(p);
+			break;
 		}
-		if (fd == -1) {
-			logerror("open certfile");
-		} else if (fstat(fd, &sb) == -1) {
-			logerror("fstat certfile");
-		} else if (sb.st_size > 50*1024) {
-			logerrorx("certfile larger than 50KB");
-		} else if ((p = calloc(sb.st_size, 1)) == NULL) {
-			logerror("calloc certfile");
-		} else if (read(fd, p, sb.st_size) != sb.st_size) {
-			logerror("read certfile");
-		} else if (tls_config_set_cert_mem(server_config, p,
-		    sb.st_size) == -1) {
-			logerrorx("tls_config_set_cert_mem");
-		} else {
-			logdebug("Certfile %s, size %lld\n",
-			    path, sb.st_size);
-		}
-		free(p);
-		close(fd);
-		free(path);
 		tls_config_set_protocols(server_config, TLS_PROTOCOLS_ALL);
 		if (tls_config_set_ciphers(server_config, "compat") != 0)
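Review bot: The new `for (i = 0; i < 2; i++)` loop over `names[]` turns the silent `<hostport>` → `<host>` fallback into a logged error on every missed candidate: the old code only called `logerror("open keyfile")` after both open() attempts had failed, whereas the new `logerrorx("tls_config_set_key_file")` / `logerrorx("tls_config_set_cert_file")` fire for the first name even when the second one works, and neither message names the file nor carries `tls_config_error(server_config)`, so an operator cannot tell which path libtls rejected or why. I would demote the per-candidate failures to logdebug with the path and the libtls reason, and report once after the loop when no candidate succeeded. A secondary wrinkle worth a comment: when the key for `names[0]` loads but its cert does not, `server_config` keeps that key while the loop moves on to `names[1]`, so a later failure leaves a key without a matching cert; presumably tls_configure() rejects that, but it is not obvious from this code. main() continues outside the hunk, and the exact logerrorx signature is not visible here, so the one-line summary below keeps its single-string form.
```c
		for (i = 0; i < 2; i++) {
			if (asprintf(&p, "/etc/ssl/private/%s.key", names[i])
			    == -1)
				continue;
			if (tls_config_set_key_file(server_config, p) == -1) {
				/* not fatal yet: the next candidate may exist */
				logdebug("keyfile %s: %s\n", p,
				    tls_config_error(server_config));
				free(p);
				continue;
			}
			/* … unchanged: Keyfile logdebug, cert file attempt (same demotion for its failure), break on success … */
		}
		if (i == 2)
			logerrorx("no usable TLS server key and certificate");
```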