Hi,
The new load_file() feature in libtls makes it possible to simplify the code
that preloads the CA cert, server cert and server key in syslogd before
calling chroot(2).
ok?
bluhm
Index: usr.sbin/syslogd/syslogd.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.208
diff -u -p -r1.208 syslogd.c
--- usr.sbin/syslogd/syslogd.c 6 Jul 2016 19:29:13 -0000 1.208
+++ usr.sbin/syslogd/syslogd.c 6 Jul 2016 22:22:29 -0000
@@ -223,7 +223,7 @@ char *path_ctlsock = NULL; /* Path to co
struct tls *server_ctx;
struct tls_config *client_config, *server_config;
-const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates */
+const char *CAfile = NULL; /* file containing CA certificates */
int NoVerify = 0; /* do not verify TLS server x509 certificate */
int tcpbuf_dropped = 0; /* count messages dropped from TCP or TLS */
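Review bot: With the default changed to NULL on the `+` line, an unset CAfile leaves client_config on whatever CA store libtls selects on its own, and the second hunk no longer pins it either (the old `tls_config_set_ca_mem(client_config, "", 0)` fallback that avoided reading default certs inside the chroot is removed there). That is only correct if libtls reads its default bundle into memory before syslogd calls chroot(2); the cover letter implies the new load_file() behaviour does this, but nothing in the code records that dependency. Suggest stating it in the trailing comment, e.g. `const char *CAfile = NULL;	/* CA file from command line; NULL: libtls default, must be preloaded before chroot */`. Note also that the NULL case no longer produces a logdebug line (the new `else if (CAfile)` branch is the only place one is emitted), so the CA store in effect is no longer visible in debug output when tracking down verification failures; a short logdebug for the default case would restore that.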
@@ -552,110 +552,44 @@ main(int argc, char *argv[])
if (NoVerify) {
tls_config_insecure_noverifycert(client_config);
tls_config_insecure_noverifyname(client_config);
- } else {
- struct stat sb;
- int fail = 1;
-
- fd = -1;
- p = NULL;
- if ((fd = open(CAfile, O_RDONLY)) == -1) {
- logerror("open CAfile");
- } else if (fstat(fd, &sb) == -1) {
- logerror("fstat CAfile");
- } else if (sb.st_size > 50*1024*1024) {
- logerrorx("CAfile larger than 50MB");
- } else if ((p = calloc(sb.st_size, 1)) == NULL) {
- logerror("calloc CAfile");
- } else if (read(fd, p, sb.st_size) != sb.st_size) {
- logerror("read CAfile");
- } else if (tls_config_set_ca_mem(client_config, p,
- sb.st_size) == -1) {
- logerrorx("tls_config_set_ca_mem");
- } else {
- fail = 0;
- logdebug("CAfile %s, size %lld\n",
- CAfile, sb.st_size);
- }
- /* avoid reading default certs in chroot */
- if (fail)
- tls_config_set_ca_mem(client_config, "", 0);
- free(p);
- close(fd);
+ } else if (CAfile) {
+ if (tls_config_set_ca_file(client_config, CAfile) == -1)
+ logerrorx("tls_config_set_ca_file");
+ else
+ logdebug("CAfile %s\n", CAfile);
}
tls_config_set_protocols(client_config, TLS_PROTOCOLS_ALL);
if (tls_config_set_ciphers(client_config, "compat") != 0)
logerror("tls set client ciphers");
}
if (server_config && server_ctx) {
- struct stat sb;
- char *path;
+ const char *names[2];
- fd = -1;
- p = NULL;
- path = NULL;
- if (asprintf(&path, "/etc/ssl/private/%s.key", tls_hostport)
- == -1 || (fd = open(path, O_RDONLY)) == -1) {
- free(path);
- path = NULL;
- if (asprintf(&path, "/etc/ssl/private/%s.key", tls_host)
- == -1 || (fd = open(path, O_RDONLY)) == -1) {
- free(path);
- path = NULL;
+ names[0] = tls_hostport;
+ names[1] = tls_host;
+
+ for (i = 0; i < 2; i++) {
+ if (asprintf(&p, "/etc/ssl/private/%s.key", names[i])
+ == -1)
+ continue;
+ if (tls_config_set_key_file(server_config, p) == -1) {
+ free(p);
+ logerrorx("tls_config_set_key_file");
+ continue;
}
- }
- if (fd == -1) {
- logerror("open keyfile");
- } else if (fstat(fd, &sb) == -1) {
- logerror("fstat keyfile");
- } else if (sb.st_size > 50*1024) {
- logerrorx("keyfile larger than 50KB");
- } else if ((p = calloc(sb.st_size, 1)) == NULL) {
- logerror("calloc keyfile");
- } else if (read(fd, p, sb.st_size) != sb.st_size) {
- logerror("read keyfile");
- } else if (tls_config_set_key_mem(server_config, p,
- sb.st_size) == -1) {
- logerrorx("tls_config_set_key_mem");
- } else {
- logdebug("Keyfile %s, size %lld\n", path, sb.st_size);
- }
- free(p);
- close(fd);
- free(path);
-
- fd = -1;
- p = NULL;
- path = NULL;
- if (asprintf(&path, "/etc/ssl/%s.crt", tls_hostport)
- == -1 || (fd = open(path, O_RDONLY)) == -1) {
- free(path);
- path = NULL;
- if (asprintf(&path, "/etc/ssl/%s.crt", tls_host)
- == -1 || (fd = open(path, O_RDONLY)) == -1) {
- free(path);
- path = NULL;
+ logdebug("Keyfile %s\n", p);
+ free(p);
+ if (asprintf(&p, "/etc/ssl/%s.crt", names[i]) == -1)
+ continue;
+ if (tls_config_set_cert_file(server_config, p) == -1) {
+ free(p);
+ logerrorx("tls_config_set_cert_file");
+ continue;
}
+ logdebug("Certfile %s\n", p);
+ free(p);
+ break;
}
- if (fd == -1) {
- logerror("open certfile");
- } else if (fstat(fd, &sb) == -1) {
- logerror("fstat certfile");
- } else if (sb.st_size > 50*1024) {
- logerrorx("certfile larger than 50KB");
- } else if ((p = calloc(sb.st_size, 1)) == NULL) {
- logerror("calloc certfile");
- } else if (read(fd, p, sb.st_size) != sb.st_size) {
- logerror("read certfile");
- } else if (tls_config_set_cert_mem(server_config, p,
- sb.st_size) == -1) {
- logerrorx("tls_config_set_cert_mem");
- } else {
- logdebug("Certfile %s, size %lld\n",
- path, sb.st_size);
- }
- free(p);
- close(fd);
- free(path);
tls_config_set_protocols(server_config, TLS_PROTOCOLS_ALL);
if (tls_config_set_ciphers(server_config, "compat") != 0)