From a192468a6a296bf47a6f2939ab2280c765a76555 Mon Sep 17 00:00:00 2001
From: jsing
Date: Thu, 22 Jun 2017 18:03:57 +0000
Subject: [PATCH] Use the tls_password_cb() callback with all PEM_read_bio_*() calls, so that we can prevent libcrypto from going behind our back and trying to read passwords from standard input (which we may not be permitted to do). Found by jsg@ with httpd and password protected keys.
---
 lib/libtls/tls.c | 12 ++++++------
 lib/libtls/tls_internal.h | 4 +++-
 lib/libtls/tls_server.c | 5 +++--
 lib/libtls/tls_util.c | 4 ++--
 4 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c
index b75fae7f2b3..f64f6d76326 100644
--- a/lib/libtls/tls.c
+++ b/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.66 2017/06/22 17:58:54 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.67 2017/06/22 18:03:57 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -289,11 +289,11 @@ tls_keypair_cert_hash(struct tls_keypair *keypair, char **hash)
 *hash = NULL;
- if ((membio = BIO_new_mem_buf(keypair->cert_mem, keypair->cert_len))
- == NULL)
+ if ((membio = BIO_new_mem_buf(keypair->cert_mem,
+ keypair->cert_len)) == NULL)
 goto err;
-
- if ((cert = PEM_read_bio_X509_AUX(membio, NULL, NULL, NULL)) == NULL)
+ if ((cert = PEM_read_bio_X509_AUX(membio, NULL, tls_password_cb,
+ NULL)) == NULL)
 goto err;
 rv = tls_cert_hash(cert, hash);
@@ -344,7 +344,7 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
 tls_set_errorx(ctx, "failed to create buffer");
 goto err;
 }
- if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL,
+ if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb,
 NULL)) == NULL) {
 tls_set_errorx(ctx, "failed to read private key");
 goto err;
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index 2b451697dc8..c0c55216dff 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
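Review bot: The new `tls_password_cb` argument to PEM_read_bio_X509_AUX() in tls_keypair_cert_hash() (lib/libtls/tls.c, hunk at -289) is paired with a NULL userdata pointer, and nothing at the call site says why a password callback is supplied when no password is available. A later cleanup could reasonably "simplify" it back to NULL and bring back the standard-input read the commit message describes. A short comment above the call would prevent that, for example `/* Always pass our callback: with NULL here libcrypto may try to read a password from stdin. */`. The same applies to the PEM_read_bio_PrivateKey() call in tls_configure_ssl_keypair() and the PEM_read_bio_X509() call in tls_server.c. The function body starts and ends outside this hunk.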
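Review bot: The failure branch after PEM_read_bio_PrivateKey() in tls_configure_ssl_keypair() (lib/libtls/tls.c, hunk at -344) still reports only `failed to read private key`. Since the callback is called with NULL userdata, a password-protected key presumably now fails here instead of prompting, and the operator cannot tell that case from a malformed key. tls_keypair_load_cert() in tls_server.c already appends the libcrypto error text obtained through ERR_peek_error() and ERR_error_string(). Doing the same here, ending in `tls_set_errorx(ctx, "failed to read private key: %s", errstr);`, would make the cause visible in logs. The function continues outside the hunk, so the extra locals would need to be declared at its top.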
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.60 2017/05/07 03:27:06 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.61 2017/06/22 18:03:57 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas
 * Copyright (c) 2014 Joel Sing
@@ -246,6 +246,8 @@ int tls_hex_string(const unsigned char *_in, size_t _inlen,
 char **_out, size_t *_outlen);
 int tls_cert_hash(X509 *_cert, char **_hash);
+int tls_password_cb(char *_buf, int _size, int _rwflag, void *_u);
+
 __END_HIDDEN_DECLS
 /* XXX this function is not fully hidden so relayd can use it */
diff --git a/lib/libtls/tls_server.c b/lib/libtls/tls_server.c
index ea8f0ce7286..fd5a6175826 100644
--- a/lib/libtls/tls_server.c
+++ b/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.38 2017/06/22 17:34:25 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.39 2017/06/22 18:03:57 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -215,7 +215,8 @@ tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error,
 tls_error_set(error, "failed to create certificate bio");
 goto err;
 }
- if ((*cert = PEM_read_bio_X509(cert_bio, NULL, NULL, NULL)) == NULL) {
+ if ((*cert = PEM_read_bio_X509(cert_bio, NULL, tls_password_cb,
+ NULL)) == NULL) {
 if ((ssl_err = ERR_peek_error()) != 0)
 errstr = ERR_error_string(ssl_err, NULL);
 tls_error_set(error, "failed to load certificate: %s", errstr);
diff --git a/lib/libtls/tls_util.c b/lib/libtls/tls_util.c
index b7dd5ed472c..aaa3eef49f1 100644
--- a/lib/libtls/tls_util.c
+++ b/lib/libtls/tls_util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_util.c,v 1.8 2017/05/06 21:34:13 jsing Exp $ */
+/* $OpenBSD: tls_util.c,v 1.9 2017/06/22 18:03:57 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 * Copyright (c) 2015 Reyk Floeter
@@ -86,7 +86,7 @@ tls_host_port(const char *hostport, char **host, char **port)
 return (rv);
 }
-static int
+int
 tls_password_cb(char *buf, int size, int rwflag, void *u)
 {
 size_t len;
-- 
2.20.1
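Review bot: The prototype added to tls_internal.h (hunk at -246) exposes `tls_password_cb` to the whole library without stating its contract, yet every call site in this commit passes NULL as `_u` and depends on the callback handling that safely. The definition in tls_util.c is made non-static by the last hunk, but its body lies outside the diff (only `size_t len;` is visible), so the NULL-userdata and `_size` handling cannot be confirmed from here. A comment above the prototype would record what callers may rely on, for example `/* pem_password_cb for PEM_read_bio_*(): _u is the passphrase or NULL; must never prompt. */`, with the return value for the NULL case added once checked against the body.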