> Am 06.06.2017 um 22:41 schrieb Florian Obser <[email protected]>:
>
>> On Tue, Jun 06, 2017 at 09:18:25PM +1000, Jonathan Gray wrote:
>> when using a server.key with a passphrase, ie
>>
>> openssl genrsa -aes256 -out /etc/ssl/private/server.key 2048
>>
>> server "default" {
>> listen on * port 80
>> listen on * tls port 443
>> directory { auto index }
>> }
>>
>> types {
>> include "/usr/share/misc/mime.types"
>> text/plain "log"
>> }
>>
>> httpd(96368): syscall 5 "wpath"
>> httpd(87490): syscall 5 "wpath"
>> httpd(30649): syscall 5 "wpath"
>
> This very much sounds like "Doctor! Doctor! If I do this it hurts!"
>
> In case anyone wonders if adding wpath to the pledge would solve this,
> it is not the right solution, also it will not get you very far since
> libcrypto is trying to dick around with /dev/tty. You will probably be
> killed shortly afterwards because of missing tty pledge...
>
Right, protected private keys are currently not supported. Workarounds wouldn't
help.
I have ideas how to implement it properly.
> I'm wondering if relayd is handling this better. If yes, we should
> bring over the crypto engine, if no we should fix relayd and then
> bring over the crypto engine.
>
No, it doesn't handle it better.
Reyk
>>
>> #0 0x0000022b9356bc0a in _thread_sys_open () at {standard input}:5
>> #1 0x0000022b935d6299 in *_libc_open_cancel (path=Variable "path" is not
>> available.
>> ) at /usr/src/lib/libc/sys/w_open.c:36
>> #2 0x0000022b9359a642 in *_libc_fopen (file=0x22b2db5c9be "/dev/tty",
>> mode=Variable "mode" is not available.
>> ) at /usr/src/lib/libc/stdio/fopen.c:54
>> #3 0x0000022b2d92d26f in open_console (ui=Variable "ui" is not available.
>> ) at /usr/src/lib/libcrypto/ui/ui_openssl.c:304
>> #4 0x0000022b2d9e65da in UI_process (ui=0x22b217187c0) at
>> /usr/src/lib/libcrypto/ui/ui_lib.c:455
>> #5 0x0000022b2d954b8f in EVP_read_pw_string_min (buf=0x7f7fffff19f0 "",
>> min=4, len=Variable "len" is not available.
>> ) at /usr/src/lib/libcrypto/evp/evp_key.c:117
>> #6 0x0000022b2d9dc018 in PEM_def_callback (buf=0x7f7fffff19f0 "", num=1024,
>> w=0, key=Variable "key" is not available.
>> ) at /usr/src/lib/libcrypto/pem/pem_lib.c:113
>> #7 0x0000022b2d9dc2c4 in PEM_do_header (cipher=0x7f7fffff1ec0,
>> data=0x22bc09b6000
>> "d\vQ\212\222Åííó\035\006\227\221\004ÛÇ.H\033\225YͧÄ\nmKql}1i\034PÇåz\033a@Ä\232Ä\220Nÿ\037ÁAPfVs\005r\226ñ\030\2273Tã
>> W\t\201î ý\217Í+\2033¼괸^\226D\2340z:-+g\226´ã*à\034", plen=0x7f7fffff1ee8,
>> callback=Variable "callback" is not available.
>> )
>> at /usr/src/lib/libcrypto/pem/pem_lib.c:447
>> #8 0x0000022b2d9dc64c in PEM_bytes_read_bio (pdata=0x7f7fffff1f68,
>> plen=0x7f7fffff1f60, pnm=0x7f7fffff1f78,
>> name=0x22b2db5dcb5 "ANY PRIVATE KEY", bp=0x22b514c9e00, cb=0, u=0x0) at
>> /usr/src/lib/libcrypto/pem/pem_lib.c:296
>> #9 0x0000022b2d93112f in PEM_read_bio_PrivateKey (bp=Variable "bp" is not
>> available.
>> ) at /usr/src/lib/libcrypto/pem/pem_pkey.c:90
>> #10 0x0000022b6ef43b62 in tls_configure_ssl_keypair (ctx=0x22b514c9e80,
>> ssl_ctx=0x22bcc86ce00, keypair=0x22b9294df00, required=Variable "required"
>> is not available.
>> )
>> at /usr/src/lib/libtls/tls.c:347
>> #11 0x0000022b6ef42135 in tls_configure_server_ssl (ctx=0x22b514c9e80,
>> ssl_ctx=0x22b514c9eb8, keypair=0x22b9294df00)
>> at /usr/src/lib/libtls/tls_server.c:261
>> #12 0x0000022b6ef427a1 in tls_configure_server (ctx=0x22b514c9e80) at
>> /usr/src/lib/libtls/tls_server.c:361
>> #13 0x0000022920b1413c in server_tls_init (srv=0x22bd885d000) at
>> /usr/src/usr.sbin/httpd/server.c:297
>> #14 0x0000022920b1431c in server_launch () at
>> /usr/src/usr.sbin/httpd/server.c:359
>> #15 0x0000022920b16759 in server_dispatch_parent (fd=3, p=0x22920d301c0,
>> imsg=0x7f7fffff25a0) at /usr/src/usr.sbin/httpd/server.c:1289
>> #16 0x0000022920b12f99 in proc_dispatch (fd=3, event=2, arg=0x22c12810000)
>> at /usr/src/usr.sbin/httpd/proc.c:652
>> #17 0x0000022c070a0808 in event_base_loop (base=0x22b94f5d000,
>> flags=Variable "flags" is not available.
>> ) at /usr/src/lib/libevent/event.c:350
>> #18 0x0000022920b12db4 in proc_run (ps=0x22c0f506000, p=0x22920d30080,
>> procs=0x22920d301c0, nproc=2, run=0x22920b1424d <server_init>,
>> arg=0x0) at /usr/src/usr.sbin/httpd/proc.c:594
>> #19 0x0000022920b137b1 in server (ps=0x22c0f506000, p=0x22920d30080) at
>> /usr/src/usr.sbin/httpd/server.c:87
>> #20 0x0000022920b11da5 in proc_init (ps=0x22c0f506000, procs=0x22920d30080,
>> nproc=2, argc=5, argv=0x7f7fffff2898, proc_id=PROC_SERVER)
>> at /usr/src/usr.sbin/httpd/proc.c:249
>> #21 0x0000022920b0ac57 in main (argc=0, argv=0x7f7fffff2898) at
>> /usr/src/usr.sbin/httpd/httpd.c:218
>>
>
> --
> I'm not entirely sure you are real.
>
