Hi,

The previous commit to libtls makes syslogd abort due to pledge if
certificate verification is turned off.  This happens in the
chrooted child process.

 87878 syslogd  CALL  open(0x2d203ce4,0<O_RDONLY>)
 87878 syslogd  NAMI  "/etc/ssl/cert.pem"
 87878 syslogd  PLDG  open, "rpath", errno 1 Operation not permitted
 87878 syslogd  PSIG  SIGABRT SIG_DFL code <-538976289>

We can either preload the cert in syslogd even if verification is
turned off.

Index: usr.sbin/syslogd/syslogd.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.225
diff -u -p -r1.225 syslogd.c
--- usr.sbin/syslogd/syslogd.c  27 Dec 2016 19:16:24 -0000      1.225
+++ usr.sbin/syslogd/syslogd.c  29 Dec 2016 22:57:41 -0000
@@ -590,16 +590,14 @@ main(int argc, char *argv[])
                if (NoVerify) {
                        tls_config_insecure_noverifycert(client_config);
                        tls_config_insecure_noverifyname(client_config);
-               } else {
-                       if (tls_config_set_ca_file(client_config,
-                           CAfile) == -1) {
-                               logerrortlsconf("Load client TLS CA failed",
-                                   client_config);
-                               /* avoid reading default certs in chroot */
-                               tls_config_set_ca_mem(client_config, "", 0);
-                       } else
-                               logdebug("CAfile %s\n", CAfile);
                }
+               if (tls_config_set_ca_file(client_config, CAfile) == -1) {
+                       logerrortlsconf("Load client TLS CA failed",
+                           client_config);
+                       /* avoid reading default certs in chroot */
+                       tls_config_set_ca_mem(client_config, "", 0);
+               } else
+                       logdebug("CAfile %s\n", CAfile);
                if (ClientCertfile && ClientKeyfile) {
                        if (tls_config_set_cert_file(client_config,
                            ClientCertfile) == -1)
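Review bot: With the `else` branch removed, a failed `tls_config_set_ca_file()` now also logs "Load client TLS CA failed" when `NoVerify` is set. That reads like a fault to an operator who deliberately disabled verification, and the description itself notes cert.pem may be absent. Consider guarding the error with `if (!NoVerify) logerrortlsconf("Load client TLS CA failed", client_config);` while keeping the `tls_config_set_ca_mem(client_config, "", 0)` fallback unconditional. The existing comment could also be extended to `/* always set a CA, even with NoVerify, so libtls does not open the default cert file after chroot/pledge */`. The enclosing block in main() starts and ends outside the hunk.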

Or do not call tls_configure_ssl_verify() if verification is turned
off.

Index: lib/libtls/tls_client.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/lib/libtls/tls_client.c,v
retrieving revision 1.38
diff -u -p -r1.38 tls_client.c
--- lib/libtls/tls_client.c     26 Dec 2016 16:20:58 -0000      1.38
+++ lib/libtls/tls_client.c     29 Dec 2016 22:56:23 -0000
@@ -195,7 +195,9 @@ tls_connect_common(struct tls *ctx, cons
                }
        }
 
-       if (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, SSL_VERIFY_PEER) == -1)
+       if (ctx->config->verify_cert &&
+           (tls_configure_ssl_verify(ctx, ctx->ssl_ctx,
+            SSL_VERIFY_PEER) == -1))
                goto err;
 
        if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_verify_cb) != 
1) {
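Review bot: The new `ctx->config->verify_cert &&` guard carries no comment explaining why `tls_configure_ssl_verify()` is skipped. The reason is only visible in the kdump trace in the description: the default CA file is opened in a pledged, chrooted process. I would add `/* no CA setup needed when cert verification is off; loading the default CA file can be denied by pledge or chroot */` above the condition. The body of `tls_configure_ssl_verify()` is not shown here, so it should be confirmed that nothing else it configures on `ssl_ctx` (presumably verify mode or depth) is still expected on the no-verify path. tls_connect_common starts and ends outside the hunk.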

I would prefer the fix in libtls as
- this problem may also affect other daemons
- avoid to do unnecsessary stuff
- syslogd could run on a system without cert.pem

comments? ok?

bluhm
