Use the tls_password_cb() callback with all PEM_read_bio_*() calls, so that

we can prevent libcrypto from going behind our back and trying to read
passwords from standard input (which we may not be permitted to do).

Found by jsg@ with httpd and password protected keys.

diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c
index b75fae7..f64f6d7 100644 (file)
--- a/lib/libtls/tls.c
+++ b/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.66 2017/06/22 17:58:54 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.67 2017/06/22 18:03:57 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -289,11 +289,11 @@ tls_keypair_cert_hash(struct tls_keypair *keypair, char **hash)
 
        *hash = NULL;
 
-       if ((membio = BIO_new_mem_buf(keypair->cert_mem, keypair->cert_len))
-           == NULL)
+       if ((membio = BIO_new_mem_buf(keypair->cert_mem,
+           keypair->cert_len)) == NULL)
                goto err;
-
-       if ((cert = PEM_read_bio_X509_AUX(membio, NULL, NULL, NULL)) == NULL)
+       if ((cert = PEM_read_bio_X509_AUX(membio, NULL, tls_password_cb,
+           NULL)) == NULL)
                goto err;
 
        rv = tls_cert_hash(cert, hash);
@@ -344,7 +344,7 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
                        tls_set_errorx(ctx, "failed to create buffer");
                        goto err;
                }
-               if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL,
+               if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb,
                    NULL)) == NULL) {
                        tls_set_errorx(ctx, "failed to read private key");
                        goto err;

diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index 2b45169..c0c5521 100644 (file)
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.60 2017/05/07 03:27:06 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.61 2017/06/22 18:03:57 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -246,6 +246,8 @@ int tls_hex_string(const unsigned char *_in, size_t _inlen, char **_out,
     size_t *_outlen);
 int tls_cert_hash(X509 *_cert, char **_hash);
 
+int tls_password_cb(char *_buf, int _size, int _rwflag, void *_u);
+
 __END_HIDDEN_DECLS
 
 /* XXX this function is not fully hidden so relayd can use it */

diff --git a/lib/libtls/tls_server.c b/lib/libtls/tls_server.c
index ea8f0ce..fd5a617 100644 (file)
--- a/lib/libtls/tls_server.c
+++ b/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.38 2017/06/22 17:34:25 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.39 2017/06/22 18:03:57 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -215,7 +215,8 @@ tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error,
                tls_error_set(error, "failed to create certificate bio");
                goto err;
        }
-       if ((*cert = PEM_read_bio_X509(cert_bio, NULL, NULL, NULL)) == NULL) {
+       if ((*cert = PEM_read_bio_X509(cert_bio, NULL, tls_password_cb,
+           NULL)) == NULL) {
                if ((ssl_err = ERR_peek_error()) != 0)
                    errstr = ERR_error_string(ssl_err, NULL);
                tls_error_set(error, "failed to load certificate: %s", errstr);

diff --git a/lib/libtls/tls_util.c b/lib/libtls/tls_util.c
index b7dd5ed..aaa3eef 100644 (file)
--- a/lib/libtls/tls_util.c
+++ b/lib/libtls/tls_util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_util.c,v 1.8 2017/05/06 21:34:13 jsing Exp $ */
+/* $OpenBSD: tls_util.c,v 1.9 2017/06/22 18:03:57 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -86,7 +86,7 @@ tls_host_port(const char *hostport, char **host, char **port)
        return (rv);
 }
 
-static int
+int
 tls_password_cb(char *buf, int size, int rwflag, void *u)
 {
        size_t len;