I think that's correct. I believe this may have been missed when
"dns" was introduced in pledge - openssl got done early.

On Mon, Nov 30, 2015 at 6:12 PM, Theo Buehler <t...@math.ethz.ch> wrote:
> On Fri, Nov 20, 2015 at 01:58:57PM +0100, Jérémie Courrèges-Anglas wrote:
>> "Todd T. Fries" <t...@fries.net> writes:
>>
>> > To demonstrate:
>> >
>> >   openssl s_client -connect www.google.com:443
>>
>> Heh.
>>
>> > A fix, probably not the full or correct one:
>>
>> ok jca@
>>
>> do_accept(), in s_socket.c calls gethostbyaddr, then gethostbyname if
>> the former fails...
>
> I ran into this today as well.  Can the patch below be committed or
> should there be a different fix?
>
>>
>> > Index: openssl.c
>> > ===================================================================
>> > RCS file: /cvs/src/usr.bin/openssl/openssl.c,v
>> > retrieving revision 1.19
>> > diff -u -p -u -r1.19 openssl.c
>> > --- openssl.c       17 Oct 2015 07:51:10 -0000      1.19
>> > +++ openssl.c       20 Nov 2015 06:06:47 -0000
>> > @@ -438,7 +438,7 @@ main(int argc, char **argv)
>> >     arg.data = NULL;
>> >     arg.count = 0;
>> >
>> > -   if (pledge("stdio inet rpath wpath cpath proc flock tty", NULL) == -1) 
>> > {
>> > +   if (pledge("stdio inet rpath wpath cpath proc flock tty dns", NULL) == 
>> > -1) {
>> >             fprintf(stderr, "openssl: pledge: %s\n", strerror(errno));
>> >             exit(1);
>> >     }
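Review bot: adding "dns" to the top-level promise string in main() widens the pledge for every openssl subcommand, not only the ones that resolve names, and it does not by itself fix the per-subcommand pledges that are applied later (a later pledge() call can only narrow the set, so each subcommand string that runs under single_execution must carry "dns" as well). As jca@ notes above, do_accept() in s_socket.c calls gethostbyaddr() and then gethostbyname() on failure, so any subcommand whose single_execution pledge string still lacks "dns" and reaches do_accept() will be killed on the first resolver call; please check those paths before treating this hunk as the complete fix.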
>> > Index: s_client.c
>> > ===================================================================
>> > RCS file: /cvs/src/usr.bin/openssl/s_client.c,v
>> > retrieving revision 1.23
>> > diff -u -p -u -r1.23 s_client.c
>> > --- s_client.c      17 Oct 2015 15:00:11 -0000      1.23
>> > +++ s_client.c      20 Nov 2015 06:06:47 -0000
>> > @@ -365,7 +365,7 @@ s_client_main(int argc, char **argv)
>> >     long socket_mtu = 0;
>> >
>> >     if (single_execution) {
>> > -           if (pledge("stdio inet rpath wpath cpath tty", NULL) == -1) {
>> > +           if (pledge("stdio inet rpath wpath cpath tty dns", NULL) == 
>> > -1) {
>> >                     perror("pledge");
>> >                     exit(1);
>> >             }
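Review bot: this hunk only covers the client side under single_execution, while the accept path in s_socket.c that jca@ points at (gethostbyaddr() then gethostbyname()) is not touched, so the server subcommand is still left without "dns". Minor style point: this call reports failure with perror("pledge") whereas the main() hunk uses fprintf(stderr, "openssl: pledge: %s\n", strerror(errno)); picking one form for both would keep the error output consistent.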
>>
>> --
>> jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
>>
>
