path: root/lib/libssl/tls13_lib.c
author: tb <tb@openbsd.org> 2020-01-23 03:53:39 +0000
committer: tb <tb@openbsd.org> 2020-01-23 03:53:39 +0000
commit: c322fddd36d6f61fd42cdd2318c94ce4e1e96a4c
tree: baab7421e142d3fc25900b5de4c7a086dddf094c /lib/libssl/tls13_lib.c
parent: Check for and warn about StrictModes permission problems. ok tb@

The X509_LOOKUP code tries to grope around in /etc/ssl/cert/ to find
CA certs it couldn't find otherwise. This may lead to a pledge rpath
violation reported by Kor, son of Rynar.

Unfortunately, providing certs inside a directory is common in linuxes,
so we need to keep this functionality for portable. Check if
/etc/ssl/cert.pem and /etc/ssl/cert exist and pledge accordingly. Add
unveils to restrict this program further on a default OpenBSD install.

Fix -C to look only inside the provided root bundle.

Input from jsing and sthen, tests by sthen and Kor

ok beck, jsing, sthen (after much back and forth)

Diffstat (limited to 'lib/libssl/tls13_lib.c')
0 files changed, 0 insertions, 0 deletions
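
An added example, not code from this commit or from OpenBSD: one way to probe the default bundle and directory and derive the sandbox from what exists, as the commit message describes. The helper names, the promise strings, and the assumption that the bundle file is loaded before the sandbox is applied while the directory is searched afterwards are all illustrative.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical plan structure; names are illustrative, not from the commit. */
struct sandbox_plan {
	const char *cafile;	/* bundle to load before sandboxing, or NULL */
	const char *cadir;	/* directory searched after sandboxing, or NULL */
	char promises[32];	/* pledge(2) promise string */
};

/* A caller-supplied bundle (the -C case) wins; else probe the defaults. */
void
plan_sandbox(struct sandbox_plan *p, const char *user_bundle,
    const char *def_file, const char *def_dir)
{
	p->cafile = p->cadir = NULL;
	if (user_bundle != NULL) {
		p->cafile = user_bundle;
	} else {
		if (access(def_file, R_OK) == 0)
			p->cafile = def_file;
		if (access(def_dir, F_OK) == 0)
			p->cadir = def_dir;
	}
	/* Assumed promise set: rpath only if a directory is read later. */
	snprintf(p->promises, sizeof(p->promises), "stdio inet dns%s",
	    p->cadir != NULL ? " rpath" : "");
}

/* Apply the plan; a no-op where pledge(2)/unveil(2) do not exist. */
int
apply_sandbox(const struct sandbox_plan *p)
{
#ifdef __OpenBSD__
	if (p->cadir != NULL && unveil(p->cadir, "r") == -1)
		return -1;
	return pledge(p->promises, NULL);
#else
	(void)p;
	return 0;
#endif
}

int
main(void)
{
	struct sandbox_plan p;
	plan_sandbox(&p, NULL, "/etc/ssl/cert.pem", "/etc/ssl/cert");
	printf("file=%s dir=%s pledge=\"%s\"\n", p.cafile ? p.cafile : "-",
	    p.cadir ? p.cadir : "-", p.promises);
	return apply_sandbox(&p);
}
```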