does openssl get to use dns?

does openssl get to use dns?

Todd T. Fries-2
To demonstrate:

  openssl s_client -connect www.google.com:443

A fix, probably not the full or correct one:

Index: openssl.c
===================================================================
RCS file: /cvs/src/usr.bin/openssl/openssl.c,v
retrieving revision 1.19
diff -u -p -u -r1.19 openssl.c
--- openssl.c 17 Oct 2015 07:51:10 -0000 1.19
+++ openssl.c 20 Nov 2015 06:06:47 -0000
@@ -438,7 +438,7 @@ main(int argc, char **argv)
  arg.data = NULL;
  arg.count = 0;
 
- if (pledge("stdio inet rpath wpath cpath proc flock tty", NULL) == -1) {
+ if (pledge("stdio inet rpath wpath cpath proc flock tty dns", NULL) == -1) {
  fprintf(stderr, "openssl: pledge: %s\n", strerror(errno));
  exit(1);
  }
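Review bot: widening the whole-program promise set in main() to `pledge("stdio inet rpath wpath cpath proc flock tty dns", NULL)` hands the resolver to every openssl subcommand dispatched from here, not only to the ones that take a hostname; that is the only option at this point in the binary, since main() pledges before it knows which subcommand runs, but the diff leaves the reason implicit. Suggest a one-line comment above the call (or a line in the commit message) stating that `dns` is needed because subcommands such as s_client resolve a `-connect host:port` target after this pledge, as the cover note's `openssl s_client -connect www.google.com:443` demonstration shows, and that subcommands which never resolve names should drop `dns` again in their own pledge call.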
Index: s_client.c
===================================================================
RCS file: /cvs/src/usr.bin/openssl/s_client.c,v
retrieving revision 1.23
diff -u -p -u -r1.23 s_client.c
--- s_client.c 17 Oct 2015 15:00:11 -0000 1.23
+++ s_client.c 20 Nov 2015 06:06:47 -0000
@@ -365,7 +365,7 @@ s_client_main(int argc, char **argv)
  long socket_mtu = 0;
 
  if (single_execution) {
- if (pledge("stdio inet rpath wpath cpath tty", NULL) == -1) {
+ if (pledge("stdio inet rpath wpath cpath tty dns", NULL) == -1) {
  perror("pledge");
  exit(1);
  }
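Review bot: the added `dns` here is inside `if (single_execution)`, so when s_client is run from the interactive openssl prompt it keeps the main() promises from the first hunk instead; the two hunks only work together and should be committed as one change, which the commit message should say. The cover note already flags the fix as possibly incomplete, and jca's reply points at do_accept() in s_socket.c, which calls gethostbyaddr() and then gethostbyname(), so the s_server path needs the same check before this is considered complete. Worth considering whether the `-connect` target can be resolved before this pledge call, so that `dns` can be left out of the s_client promise string altogether (pledge can only narrow, so resolve first, then pledge) and the resolver is unreachable during the handshake.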
--
Todd Fries .. [hidden email]

 ____________________________________________
|                                            \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com            \  1.866.792.3418 (FAX)
| PO Box 16169, Oklahoma City, OK 73113-2169 \  sip:[hidden email]
| "..in support of free software solutions." \  sip:[hidden email]
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
                                                 
              37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
                        http://todd.fries.net/pgp.txt

Re: does openssl get to use dns?

Jeremie Courreges-Anglas-2
"Todd T. Fries" <[hidden email]> writes:

> To demonstrate:
>
>   openssl s_client -connect www.google.com:443

Heh.

> A fix, probably not the full or correct one:

ok jca@

do_accept(), in s_socket.c calls gethostbyaddr, then gethostbyname if
the former fails...

> Index: openssl.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/openssl/openssl.c,v
> retrieving revision 1.19
> diff -u -p -u -r1.19 openssl.c
> --- openssl.c 17 Oct 2015 07:51:10 -0000 1.19
> +++ openssl.c 20 Nov 2015 06:06:47 -0000
> @@ -438,7 +438,7 @@ main(int argc, char **argv)
>   arg.data = NULL;
>   arg.count = 0;
>  
> - if (pledge("stdio inet rpath wpath cpath proc flock tty", NULL) == -1) {
> + if (pledge("stdio inet rpath wpath cpath proc flock tty dns", NULL) == -1) {
>   fprintf(stderr, "openssl: pledge: %s\n", strerror(errno));
>   exit(1);
>   }
> Index: s_client.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/openssl/s_client.c,v
> retrieving revision 1.23
> diff -u -p -u -r1.23 s_client.c
> --- s_client.c 17 Oct 2015 15:00:11 -0000 1.23
> +++ s_client.c 20 Nov 2015 06:06:47 -0000
> @@ -365,7 +365,7 @@ s_client_main(int argc, char **argv)
>   long socket_mtu = 0;
>  
>   if (single_execution) {
> - if (pledge("stdio inet rpath wpath cpath tty", NULL) == -1) {
> + if (pledge("stdio inet rpath wpath cpath tty dns", NULL) == -1) {
>   perror("pledge");
>   exit(1);
>   }

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE

Re: does openssl get to use dns?

Theo Buehler
On Fri, Nov 20, 2015 at 01:58:57PM +0100, Jérémie Courrèges-Anglas wrote:

> "Todd T. Fries" <[hidden email]> writes:
>
> > To demonstrate:
> >
> >   openssl s_client -connect www.google.com:443
>
> Heh.
>
> > A fix, probably not the full or correct one:
>
> ok jca@
>
> do_accept(), in s_socket.c calls gethostbyaddr, then gethostbyname if
> the former fails...

I ran into this today as well.  Can the patch below be committed or
should there be a different fix?

>
> > Index: openssl.c
> > ===================================================================
> > RCS file: /cvs/src/usr.bin/openssl/openssl.c,v
> > retrieving revision 1.19
> > diff -u -p -u -r1.19 openssl.c
> > --- openssl.c 17 Oct 2015 07:51:10 -0000 1.19
> > +++ openssl.c 20 Nov 2015 06:06:47 -0000
> > @@ -438,7 +438,7 @@ main(int argc, char **argv)
> >   arg.data = NULL;
> >   arg.count = 0;
> >  
> > - if (pledge("stdio inet rpath wpath cpath proc flock tty", NULL) == -1) {
> > + if (pledge("stdio inet rpath wpath cpath proc flock tty dns", NULL) == -1) {
> >   fprintf(stderr, "openssl: pledge: %s\n", strerror(errno));
> >   exit(1);
> >   }
> > Index: s_client.c
> > ===================================================================
> > RCS file: /cvs/src/usr.bin/openssl/s_client.c,v
> > retrieving revision 1.23
> > diff -u -p -u -r1.23 s_client.c
> > --- s_client.c 17 Oct 2015 15:00:11 -0000 1.23
> > +++ s_client.c 20 Nov 2015 06:06:47 -0000
> > @@ -365,7 +365,7 @@ s_client_main(int argc, char **argv)
> >   long socket_mtu = 0;
> >  
> >   if (single_execution) {
> > - if (pledge("stdio inet rpath wpath cpath tty", NULL) == -1) {
> > + if (pledge("stdio inet rpath wpath cpath tty dns", NULL) == -1) {
> >   perror("pledge");
> >   exit(1);
> >   }
>
> --
> jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
>

Re: does openssl get to use dns?

Bob Beck-3
I think that's correct. I believe this may have been missed when
"dns" was introduced in pledge - openssl got done early.

On Mon, Nov 30, 2015 at 6:12 PM, Theo Buehler <[hidden email]> wrote:

> On Fri, Nov 20, 2015 at 01:58:57PM +0100, Jérémie Courrèges-Anglas wrote:
>> "Todd T. Fries" <[hidden email]> writes:
>>
>> > To demonstrate:
>> >
>> >   openssl s_client -connect www.google.com:443
>>
>> Heh.
>>
>> > A fix, probably not the full or correct one:
>>
>> ok jca@
>>
>> do_accept(), in s_socket.c calls gethostbyaddr, then gethostbyname if
>> the former fails...
>
> I ran into this today as well.  Can the patch below be committed or
> should there be a different fix?
>
>>
>> > Index: openssl.c
>> > ===================================================================
>> > RCS file: /cvs/src/usr.bin/openssl/openssl.c,v
>> > retrieving revision 1.19
>> > diff -u -p -u -r1.19 openssl.c
>> > --- openssl.c       17 Oct 2015 07:51:10 -0000      1.19
>> > +++ openssl.c       20 Nov 2015 06:06:47 -0000
>> > @@ -438,7 +438,7 @@ main(int argc, char **argv)
>> >     arg.data = NULL;
>> >     arg.count = 0;
>> >
>> > -   if (pledge("stdio inet rpath wpath cpath proc flock tty", NULL) == -1) {
>> > +   if (pledge("stdio inet rpath wpath cpath proc flock tty dns", NULL) == -1) {
>> >             fprintf(stderr, "openssl: pledge: %s\n", strerror(errno));
>> >             exit(1);
>> >     }
>> > Index: s_client.c
>> > ===================================================================
>> > RCS file: /cvs/src/usr.bin/openssl/s_client.c,v
>> > retrieving revision 1.23
>> > diff -u -p -u -r1.23 s_client.c
>> > --- s_client.c      17 Oct 2015 15:00:11 -0000      1.23
>> > +++ s_client.c      20 Nov 2015 06:06:47 -0000
>> > @@ -365,7 +365,7 @@ s_client_main(int argc, char **argv)
>> >     long socket_mtu = 0;
>> >
>> >     if (single_execution) {
>> > -           if (pledge("stdio inet rpath wpath cpath tty", NULL) == -1) {
>> > +           if (pledge("stdio inet rpath wpath cpath tty dns", NULL) == -1) {
>> >                     perror("pledge");
>> >                     exit(1);
>> >             }
>>
>> --
>> jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
>>
>
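An added example, not code from this thread or from the OpenBSD openssl(1) source: a small C program that handles an s_client-style `host:port` target the way the discussion suggests, asking for the `dns` promise only when the host is a name rather than an address literal, resolving it, and then re-pledging without `dns` before connecting, since pledge(2) promises can only be narrowed. The promise strings, the `split_target` and `host_needs_dns` helpers, the assumption of a numeric port, and the no-op `pledge()` stand-in that lets it build on systems without pledge(2) are all assumptions of this example.

```c
/*
 * Added example, not code from the thread or from openssl(1): handle an
 * s_client-style "host:port" target under pledge(2).  Ask for "dns" only
 * when the host is a name, resolve it, then re-pledge without "dns"
 * before connecting (promises can only be narrowed).  Promise strings,
 * helper names and the numeric-port assumption are this example's own.
 */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <err.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* No-op stand-in so the example builds where pledge(2) does not exist. */
static int
pledge(const char *promises, const char *execpromises)
{
	(void)promises;
	(void)execpromises;
	return 0;
}
#endif

/* Split "host:port" or "[v6-literal]:port"; 0 on success, -1 if malformed. */
int
split_target(const char *target, char *host, size_t hostlen,
    char *port, size_t portlen)
{
	const char *start = target, *sep;
	size_t n;

	if (target[0] == '[') {		/* bracketed IPv6 literal */
		start = target + 1;
		if ((sep = strchr(start, ']')) == NULL || sep[1] != ':')
			return -1;
		n = (size_t)(sep - start);
		sep++;			/* now at the ':' before the port */
	} else {
		if ((sep = strrchr(target, ':')) == NULL)
			return -1;
		n = (size_t)(sep - target);
	}
	if (n == 0 || n >= hostlen || sep[1] == '\0' || strlen(sep + 1) >= portlen)
		return -1;
	memcpy(host, start, n);
	host[n] = '\0';
	strcpy(port, sep + 1);
	return 0;
}

/* 1 if host must go through the resolver (needs "dns"), 0 for an address literal. */
int
host_needs_dns(const char *host)
{
	struct in_addr a4;
	struct in6_addr a6;

	return inet_pton(AF_INET, host, &a4) != 1 &&
	    inet_pton(AF_INET6, host, &a6) != 1;
}

int
main(int argc, char **argv)
{
	char host[256], port[16];
	struct addrinfo hints, *res;
	int fd, error, needs_dns;

	if (argc != 2 ||
	    split_target(argv[1], host, sizeof host, port, sizeof port) == -1)
		errx(1, "usage: %s host:port", argv[0]);
	needs_dns = host_needs_dns(host);

	/* Pledge before the resolver call; include "dns" only when a name is involved. */
	if (pledge(needs_dns ? "stdio inet dns" : "stdio inet", NULL) == -1)
		err(1, "pledge");
	memset(&hints, 0, sizeof hints);
	hints.ai_family = AF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = needs_dns ? 0 : AI_NUMERICHOST;
	if ((error = getaddrinfo(host, port, &hints, &res)) != 0)
		errx(1, "getaddrinfo: %s", gai_strerror(error));

	/* Resolution is done: drop "dns" for the rest of the run. */
	if (pledge("stdio inet", NULL) == -1)
		err(1, "pledge");
	fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
	if (fd == -1 || connect(fd, res->ai_addr, res->ai_addrlen) == -1)
		err(1, "connect %s port %s", host, port);
	printf("connected to %s port %s\n", host, port);
	freeaddrinfo(res);
	close(fd);
	return 0;
}
```

Run as `./a.out www.google.com:443` on OpenBSD: the first pledge carries `dns` because the host is a name, so getaddrinfo() is allowed; with `127.0.0.1:443` or `[::1]:443` the program never asks for `dns` at all. The second pledge is the part the thread's patch does not do: once the address is known, the resolver is no longer reachable if the TLS code is later compromised.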