author | 2016-10-04 15:49:42 +0000 | |
---|---|---|
committer | 2016-10-04 15:49:42 +0000 | |
commit | 25ca385b35d0d844a2588b8e7f05f4025fe82584 (patch) | |
tree | eacee9c4c9a2b9d18a03f6df7f69a06a3bd146f6 | |
parent | s/letsencrypt/ACME/ (diff) | |
Avoid a potential MITM - calling tls_config_insecure_noverify() is a bad
idea, so stop doing that. Instead, use a single tls_config, set it up and
configure the CA file to use while we still have rpath, then drop rpath.
This also avoids creating a new tls_config for each and every HTTPS
connection, which is unnecessary.
ok benno@ florian@
-rw-r--r-- | usr.sbin/acme-client/http.c | 71 | ||||
-rw-r--r-- | usr.sbin/acme-client/http.h | 4 | ||||
-rw-r--r-- | usr.sbin/acme-client/netproc.c | 12 |
3 files changed, 61 insertions, 26 deletions
diff --git a/usr.sbin/acme-client/http.c b/usr.sbin/acme-client/http.c
index 0033f070125..552886b52e6 100644
--- a/usr.sbin/acme-client/http.c
+++ b/usr.sbin/acme-client/http.c
@@ -1,4 +1,4 @@
-/* $Id: http.c,v 1.12 2016/10/04 15:39:58 jsing Exp $ */
+/* $Id: http.c,v 1.13 2016/10/04 15:49:42 jsing Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -33,6 +33,8 @@
 #include "http.h"
 #include "extern.h"
+#define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
+
 /*
 * A buffer for transferring HTTP/S data.
 */
@@ -57,12 +59,13 @@ struct http {
 struct source src; /* endpoint (raw) host */
 char *path; /* path to request */
 char *host; /* name of endpoint host */
- struct tls_config *cfg; /* if TLS */
 struct tls *ctx; /* if TLS */
 writefp writer; /* write function */
 readfp reader; /* read function */
 };
+struct tls_config *tlscfg;
+
 static ssize_t
 dosysread(char *buf, size_t sz, const struct http *http)
 {
@@ -115,6 +118,43 @@ dotlswrite(const void *buf, size_t sz, const struct http *http)
 return (rc);
 }
+int
+http_init()
+{
+ if (NULL != tlscfg)
+ return (0);
+
+ if (-1 == tls_init()) {
+ warn("tls_init");
+ goto err;
+ }
+
+ tlscfg = tls_config_new();
+ if (NULL == tlscfg) {
+ warn("tls_config_new");
+ goto err;
+ }
+
+ tls_config_set_protocols(tlscfg, TLS_PROTOCOLS_ALL);
+
+ if (-1 == tls_config_set_ca_file(tlscfg, DEFAULT_CA_FILE)) {
+ warn("tls_config_set_ca_file: %s", tls_config_error(tlscfg));
+ goto err;
+ }
+ if (-1 == tls_config_set_ciphers(tlscfg, "compat")) {
+ warn("tls_config_set_ciphers: %s", tls_config_error(tlscfg));
+ goto err;
+ }
+
+ return (0);
+
+ err:
+ tls_config_free(tlscfg);
+ tlscfg = NULL;
+
+ return (-1);
+}
+
 static ssize_t
 http_read(char *buf, size_t sz, const struct http *http)
 {
@@ -182,7 +222,6 @@ http_free(struct http *http)
 if (NULL == http)
 return;
 http_disconnect(http);
- tls_config_free(http->cfg);
 free(http->host);
 free(http->path);
 free(http->src.ip); 
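Review bot: `struct tls_config *tlscfg;` in the `@@ -57,12 +59,13 @@` hunk is a new file-scope variable with external linkage, yet nothing in this diff declares it in http.h or uses it from another file, so it should be `static struct tls_config *tlscfg;` to keep it out of the global namespace. A short ownership comment next to it, `/* shared TLS config, owned and set up by http_init() */`, would also be worth adding, since the `/* if TLS */` comment on the removed per-connection field no longer describes where the configuration now lives.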
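Review bot: The new definition `http_init()` in the `@@ -115,6 +118,43 @@` hunk uses an empty parameter list while http.h declares `int http_init(void);`; in C an empty list is an old-style non-prototype declarator, so the definition should read `http_init(void)` to match the prototype. Error reporting in the same function is inconsistent with the rest of the file: `warn()` appends strerror(errno), but libtls failures do not reliably set errno, so the two calls that already carry `tls_config_error(tlscfg)` should be `warnx(...)`, as the tls_configure branch later in this file does, e.g. `warnx("tls_config_set_ca_file: %s", tls_config_error(tlscfg));`. The result of `tls_config_set_protocols(tlscfg, TLS_PROTOCOLS_ALL)` is discarded although it can return -1, and could be checked the same way as the calls around it. `TLS_PROTOCOLS_ALL` is carried over from the removed per-connection code and enables every protocol version libtls supports; if the ACME endpoints this client talks to do not need the older versions, `TLS_PROTOCOLS_DEFAULT` would be the tighter choice.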
@@ -278,29 +317,10 @@ again:
 http->writer = dotlswrite;
 http->reader = dotlsread;
- if (-1 == tls_init()) {
- warn("tls_init");
- goto err;
- }
-
- http->cfg = tls_config_new();
- if (NULL == http->cfg) {
- warn("tls_config_new");
- goto err;
- }
-
- tls_config_set_protocols(http->cfg, TLS_PROTOCOLS_ALL);
-
- /* FIXME: is this necessary? */
- tls_config_insecure_noverifycert(http->cfg);
-
- if (-1 == tls_config_set_ciphers(http->cfg, "compat")) {
- warn("tls_config_set_ciphers");
- goto err;
- } else if (NULL == (http->ctx = tls_client())) {
+ if (NULL == (http->ctx = tls_client())) {
 warn("tls_client");
 goto err;
- } else if (-1 == tls_configure(http->ctx, http->cfg)) {
+ } else if (-1 == tls_configure(http->ctx, tlscfg)) {
 warnx("%s: tls_configure: %s", http->src.ip, tls_error(http->ctx));
 goto err;
@@ -741,6 +761,9 @@ main(void)
 addrsz = 2;
 #endif
+ if (http_init() == -1)
+ errx(EXIT_FAILURE, "http_init");
+
 #if 0
 g = http_get(addrs, addrsz, "localhost", 80, "/index.html");
 #else
diff --git a/usr.sbin/acme-client/http.h b/usr.sbin/acme-client/http.h
index 53bb91c65d9..1bbb922ca7d 100644
--- a/usr.sbin/acme-client/http.h
+++ b/usr.sbin/acme-client/http.h
@@ -1,4 +1,4 @@
-/* $Id: http.h,v 1.2 2016/08/31 23:08:49 benno Exp $ */
+/* $Id: http.h,v 1.3 2016/10/04 15:49:42 jsing Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -63,6 +63,8 @@ struct httpget {
 __BEGIN_DECLS
+int http_init(void);
+
 /* Convenience functions. */
 struct httpget *http_get(const struct source *, size_t, const char *, short, const char *,
diff --git a/usr.sbin/acme-client/netproc.c b/usr.sbin/acme-client/netproc.c
index 4a216c05095..24ab4bfea49 100644
--- a/usr.sbin/acme-client/netproc.c
+++ b/usr.sbin/acme-client/netproc.c
@@ -1,4 +1,4 @@
-/* $Id: netproc.c,v 1.9 2016/10/04 15:41:07 jsing Exp $ */
+/* $Id: netproc.c,v 1.10 2016/10/04 15:49:42 jsing Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 * 
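Review bot: `tls_configure(http->ctx, tlscfg)` in the `@@ -278,29 +317,10 @@` hunk is reached with whatever `tlscfg` currently holds, and nothing in this function verifies that http_init() has run; if it has not, `tlscfg` is NULL and the outcome depends on how libtls treats a NULL config, which this hunk cannot guarantee. A guard ahead of the tls_client() call, `if (NULL == tlscfg) { warnx("%s: http_init not called", http->src.ip); goto err; }`, keeps that failure explicit and local instead of relying on library behaviour. The enclosing function begins before the `again:` label named in the hunk header and continues past the hunk.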
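Review bot: The new `int http_init(void);` prototype in the http.h `@@ -63,6 +63,8 @@` hunk carries no comment, although it has an ordering contract callers must know about: it loads the CA file from disk, so it has to run before any http_get() call and, under pledge, while rpath is still available, and it is safe to call more than once because it returns 0 when the configuration already exists. A comment above the declaration along the lines of `/* Set up the shared TLS config (reads the CA file, needs rpath). Call before any HTTPS request; repeated calls are no-ops. */` would capture that in the header rather than only in the commit message.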
@@ -579,6 +579,16 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd,
 memset(&paths, 0, sizeof(struct capaths));
 memset(&c, 0, sizeof(struct conn));
+ if (pledge("stdio inet rpath", NULL) == -1) {
+ warn("pledge");
+ goto out;
+ }
+
+ if (http_init() == -1) {
+ warn("http_init");
+ goto out;
+ }
+
 if (pledge("stdio inet", NULL) == -1) {
 warn("pledge");
 goto out; |
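Review bot: The first of the two back-to-back pledge() calls includes rpath solely so that http_init() can read the CA file, and the existing second call then drops it again; that intent lives only in the commit message, not in the code. A comment above the first call, `/* rpath is needed only for http_init() to load the CA file; it is dropped right after. */`, would keep a later cleanup from collapsing the two pledges into one and silently retaining rpath for the rest of the process. The enclosing netproc() body starts and ends outside the hunk.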