diff options
| author | jsing <> | 2017-06-22 18:03:57 +0000 | 
|---|---|---|
| committer | jsing <> | 2017-06-22 18:03:57 +0000 | 
| commit | c9b1852dc910671bb8042219d73820d7a47138dd (patch) | |
| tree | fd55783db0a8125ddd4a355217eca79710738964 /src/lib/libtls/tls_server.c | |
| parent | 3895fcdf85644002ad1f9d8ea60c0027856ffac8 (diff) | |
| download | openbsd-c9b1852dc910671bb8042219d73820d7a47138dd.tar.gz openbsd-c9b1852dc910671bb8042219d73820d7a47138dd.tar.bz2 openbsd-c9b1852dc910671bb8042219d73820d7a47138dd.zip | |
Use the tls_password_cb() callback with all PEM_read_bio_*() calls, so that
we can prevent libcrypto from going behind our back and trying to read
passwords from standard input (which we may not be permitted to do).
Found by jsg@ with httpd and password protected keys.
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libtls/tls_server.c | 5 | 
1 files changed, 3 insertions, 2 deletions
| diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c index ea8f0ce728..fd5a617582 100644 --- a/src/lib/libtls/tls_server.c +++ b/src/lib/libtls/tls_server.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_server.c,v 1.38 2017/06/22 17:34:25 jsing Exp $ */ | 1 | /* $OpenBSD: tls_server.c,v 1.39 2017/06/22 18:03:57 jsing Exp $ */ | 
| 2 | /* | 2 | /* | 
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 
| 4 | * | 4 | * | 
| @@ -215,7 +215,8 @@ tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error, | |||
| 215 | tls_error_set(error, "failed to create certificate bio"); | 215 | tls_error_set(error, "failed to create certificate bio"); | 
| 216 | goto err; | 216 | goto err; | 
| 217 | } | 217 | } | 
| 218 | if ((*cert = PEM_read_bio_X509(cert_bio, NULL, NULL, NULL)) == NULL) { | 218 | if ((*cert = PEM_read_bio_X509(cert_bio, NULL, tls_password_cb, | 
| 219 | NULL)) == NULL) { | ||
| 219 | if ((ssl_err = ERR_peek_error()) != 0) | 220 | if ((ssl_err = ERR_peek_error()) != 0) | 
| 220 | errstr = ERR_error_string(ssl_err, NULL); | 221 | errstr = ERR_error_string(ssl_err, NULL); | 
| 221 | tls_error_set(error, "failed to load certificate: %s", errstr); | 222 | tls_error_set(error, "failed to load certificate: %s", errstr); | 
