openssl: s_time needs dns pledge promise


openssl: s_time needs dns pledge promise

Scott Cheloha
Hi,

The following (and similar invocations) gets SIGABRT'd:

        openssl s_time -connect openbsd.org:443

BIO_set_conn_hostname(3), or whatever BIO_ctrl(3) is doing
underneath, tries to resolve your target host and the process
gets signaled when it enters socket(2).

Adding "dns" to the pledge(2) promise corrects this.

It looks like this has been broken since ~2015 but I have no
release machines handy to confirm.

--
Scott Cheloha

Index: usr.bin/openssl/s_time.c
===================================================================
RCS file: /cvs/src/usr.bin/openssl/s_time.c,v
retrieving revision 1.17
diff -u -p -r1.17 s_time.c
--- usr.bin/openssl/s_time.c 20 Jan 2017 08:57:12 -0000 1.17
+++ usr.bin/openssl/s_time.c 1 Nov 2017 23:30:23 -0000
@@ -254,7 +254,7 @@ s_time_main(int argc, char **argv)
  int ver;
 
  if (single_execution) {
- if (pledge("stdio rpath inet", NULL) == -1) {
+ if (pledge("stdio rpath inet dns", NULL) == -1) {
  perror("pledge");
  exit(1);
  }
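Review bot: the widened promise string on the `+` line is applied only inside `if (single_execution)`, but the non-single-execution benchmark path (outside this hunk) goes through the same `-connect` hostname resolution, so confirm that its pledge(2) call, if it has one, also carries "dns", otherwise the default loop aborts exactly as reported. The commit log would also be clearer if it stated that "dns" is what lets the resolver open its socket to the nameservers, which is the socket(2) entry the report says gets the process killed.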


Re: openssl: s_time needs dns pledge promise

Ricardo Mestre-2
ok mestre@

On 19:07 Wed 01 Nov, Scott Cheloha wrote:

> Hi,
>
> The following (and similar invocations) gets SIGABRT'd:
>
> openssl s_time -connect openbsd.org:443
>
> BIO_set_conn_hostname(3), or whatever BIO_ctrl(3) is doing
> underneath, tries to resolve your target host and the process
> gets signaled when it enters socket(2).
>
> Adding "dns" to the pledge(2) promise corrects this.
>
> It looks like this has been broken since ~2015 but I have no
> release machines handy to confirm.
>
> --
> Scott Cheloha
>
> Index: usr.bin/openssl/s_time.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/openssl/s_time.c,v
> retrieving revision 1.17
> diff -u -p -r1.17 s_time.c
> --- usr.bin/openssl/s_time.c 20 Jan 2017 08:57:12 -0000 1.17
> +++ usr.bin/openssl/s_time.c 1 Nov 2017 23:30:23 -0000
> @@ -254,7 +254,7 @@ s_time_main(int argc, char **argv)
>   int ver;
>  
>   if (single_execution) {
> - if (pledge("stdio rpath inet", NULL) == -1) {
> + if (pledge("stdio rpath inet dns", NULL) == -1) {
>   perror("pledge");
>   exit(1);
>   }
>
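A minimal reproducer for the failure described in the quoted report, added here as an example; it is not code from the OpenBSD tree or from either poster. It pledges with a caller-supplied promise string and then resolves a host with getaddrinfo(3), the same thing BIO_set_conn_hostname(3) ends up doing. On OpenBSD, running it as `./a.out openbsd.org "stdio rpath inet"` gets the process SIGABRT'd inside the resolver, while `./a.out openbsd.org "stdio rpath inet dns"` prints the success line. The `#ifdef __OpenBSD__` shim is an assumption added so the file also compiles on systems without pledge(2), where it applies no restriction at all; the host name openbsd.org is taken from the report, and the numeric-only mode exists so the lookup can be exercised offline.

```c
/* Added example: resolve a host under pledge(2) with a chosen promise set.
 * Not OpenBSD code; see the lead-in for what is assumed. */
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifdef __OpenBSD__
/* Real pledge(2): a promise violation is fatal (SIGABRT), not an errno. */
static int apply_pledge(const char *promises)
{
    return pledge(promises, NULL);
}
#else
/* Assumed portability shim: no sandbox on non-OpenBSD hosts. */
static int apply_pledge(const char *promises)
{
    (void)promises;
    return 0;
}
#endif

/* Resolve host:port the way a -connect target is resolved.
 * Returns 0 on success or a getaddrinfo(3) error code.
 * With numeric_only set, AI_NUMERICHOST forbids any nameserver traffic,
 * so the call never needs the "dns" promise and works offline. */
int resolve_target(const char *host, const char *port, int numeric_only)
{
    struct addrinfo hints, *res = NULL;
    int rc;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = numeric_only ? AI_NUMERICHOST : 0;

    rc = getaddrinfo(host, port, &hints, &res);
    if (rc == 0)
        freeaddrinfo(res);
    return rc;
}

int main(int argc, char **argv)
{
    /* Defaults mirror the report: the host from the mail and the
     * corrected promise set from the patch. */
    const char *host = argc > 1 ? argv[1] : "openbsd.org";
    const char *promises = argc > 2 ? argv[2] : "stdio rpath inet dns";
    int rc;

    if (apply_pledge(promises) == -1) {
        perror("pledge");
        return 1;
    }

    /* Under "stdio rpath inet" on OpenBSD, this line is where the resolver
     * opens its socket to a nameserver and the kernel kills the process. */
    rc = resolve_target(host, "443", 0);
    if (rc != 0) {
        fprintf(stderr, "getaddrinfo(%s): %s\n", host, gai_strerror(rc));
        return 1;
    }
    printf("resolved %s under pledge(\"%s\")\n", host, promises);
    return 0;
}
```

Because a pledge violation is delivered as a signal rather than an error return, the failing and succeeding promise sets have to be tried in separate processes; the kernel also logs the violating syscall, which is how the socket(2) entry point in the report was identified.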