From 1f8da42f9aebcb024e3b7fa11b5001ab565916c7 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 4 May 2020 11:29:42 -0600 Subject: [PATCH] Warn about tls errors during startup so the user has a clue. We write messages to stderr until we become a daemon. --- logsrvd/logsrvd.c | 147 ++++++++++++++++----------------- plugins/sudoers/iolog_client.c | 19 +++-- 2 files changed, 85 insertions(+), 81 deletions(-) diff --git a/logsrvd/logsrvd.c b/logsrvd/logsrvd.c index 93aee6dd2..eb32bf0ce 100644 --- a/logsrvd/logsrvd.c +++ b/logsrvd/logsrvd.c @@ -1053,55 +1053,60 @@ exit: static bool init_tls_ciphersuites(SSL_CTX *ctx, const struct logsrvd_tls_config *tls_config) { + const char *errstr; + int success = 0; debug_decl(init_tls_ciphersuites, SUDO_DEBUG_UTIL); if (tls_config->ciphers_v12) { /* try to set TLS v1.2 ciphersuite list from config if given */ - if (SSL_CTX_set_cipher_list(ctx, tls_config->ciphers_v12)) { + success = SSL_CTX_set_cipher_list(ctx, tls_config->ciphers_v12); + if (success) { sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, - "TLS v1.2 ciphersuite list is set from config"); + "TLS 1.2 ciphersuite list set to %s", tls_config->ciphers_v12); } else { - sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, - "unable to set configured TLS v1.2 ciphersuite list (%s). Falling back to default...", - ERR_error_string(ERR_get_error(), NULL)); - debug_return_bool(false); + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("unable to set TLS 1.2 ciphersuite to %s: %s"), + tls_config->ciphers_v12, errstr); } - } else { + } + if (!success) { /* fallback to default ciphersuites for TLS v1.2 */ if (SSL_CTX_set_cipher_list(ctx, LOGSRVD_DEFAULT_CIPHER_LST12) <= 0) { - sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, - "unable to load default TLS v1.2 ciphersuite list: %s", - ERR_error_string(ERR_get_error(), NULL)); + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("unable to set TLS 1.2 ciphersuite to %s: %s"), + LOGSRVD_DEFAULT_CIPHER_LST12, errstr); debug_return_bool(false); } else { sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, - "TLS v1.2 ciphersuite list is set to default (%s)", + "TLS v1.2 ciphersuite list set to %s (default)", LOGSRVD_DEFAULT_CIPHER_LST12); } } # if defined(HAVE_SSL_CTX_SET_CIPHERSUITES) + success = 0; if (tls_config->ciphers_v13) { /* try to set TLSv1.3 ciphersuite list from config */ - if (SSL_CTX_set_ciphersuites(ctx, tls_config->ciphers_v13)) { + success = SSL_CTX_set_ciphersuites(ctx, tls_config->ciphers_v13); + if (success) { sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, - "TLS v1.3 ciphersuite list is set from config"); + "TLS v1.3 ciphersuite list set to %s", tls_config->ciphers_v13); } else { - sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, - "unable to load configured TLS v1.3 ciphersuite list (%s). Falling back to default...", - ERR_error_string(ERR_get_error(), NULL)); - debug_return_bool(false); + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("unable to set TLS 1.3 ciphersuite to %s: %s"), + tls_config->ciphers_v13, errstr); } - } else { + } + if (!success) { /* fallback to default ciphersuites for TLS v1.3 */ if (SSL_CTX_set_ciphersuites(ctx, LOGSRVD_DEFAULT_CIPHER_LST13) <= 0) { - sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, - "unable to load default TLS v1.3 ciphersuite list: %s", - ERR_error_string(ERR_get_error(), NULL)); + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("unable to set TLS 1.3 ciphersuite to %s: %s"), + LOGSRVD_DEFAULT_CIPHER_LST13, errstr); debug_return_bool(false); } else { sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, - "TLS v1.3 ciphersuite list is set to default (%s)", + "TLS v1.3 ciphersuite list set to %s (default)", LOGSRVD_DEFAULT_CIPHER_LST13); } } @@ -1123,6 +1128,7 @@ init_tls_server_context(void) struct logsrvd_tls_runtime *tls_runtime = logsrvd_get_tls_runtime(); const struct logsrvd_tls_config *tls_config = logsrvd_get_tls_config(); bool ca_bundle_required = tls_config->verify | tls_config->check_peer; + const char *errstr; debug_decl(init_tls_server_context, SUDO_DEBUG_UTIL); SSL_library_init(); @@ -1130,22 +1136,20 @@ init_tls_server_context(void) SSL_load_error_strings(); if ((method = TLS_server_method()) == NULL) { - sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, - "creation of SSL_METHOD failed: %s", - ERR_error_string(ERR_get_error(), NULL)); + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("unable to get TLS server method: %s"), errstr); goto bad; } if ((ctx = SSL_CTX_new(method)) == NULL) { - sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, - "creation of new SSL_CTX object failed: %s", - ERR_error_string(ERR_get_error(), NULL)); + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("unable to create TLS context: %s"), errstr); goto bad; } if (SSL_CTX_use_certificate_chain_file(ctx, tls_config->cert_path) <= 0) { - sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, - "unable to load cert %s: %s", tls_config->cert_path, - ERR_error_string(ERR_get_error(), NULL)); + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("%s: %s"), tls_config->cert_path, errstr); + sudo_warnx(U_("unable to load certificate %s"), tls_config->cert_path); goto bad; } @@ -1154,30 +1158,28 @@ init_tls_server_context(void) if (tls_config->cacert_path != NULL) { STACK_OF(X509_NAME) *cacerts = SSL_load_client_CA_file(tls_config->cacert_path); - if (cacerts == NULL) { - sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, - "calling SSL_load_client_CA_file() failed: %s", - ERR_error_string(ERR_get_error(), NULL)); - goto bad; - } else { - SSL_CTX_set_client_CA_list(ctx, cacerts); - /* set the location of the CA bundle file for verification */ - if (SSL_CTX_load_verify_locations(ctx, tls_config->cacert_path, NULL) <= 0) { - sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, - "calling SSL_CTX_load_verify_locations() failed: %s", - ERR_error_string(ERR_get_error(), NULL)); - goto bad; - } + if (cacerts == NULL) { + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("%s: %s"), tls_config->cacert_path, errstr); + sudo_warnx(U_("unable to load certificate authority bundle %s"), + tls_config->cacert_path); + goto bad; + } + SSL_CTX_set_client_CA_list(ctx, cacerts); + + /* set the location of the CA bundle file for verification */ + if (SSL_CTX_load_verify_locations(ctx, tls_config->cacert_path, NULL) <= 0) { + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx("SSL_CTX_load_verify_locations: %s", errstr); + goto bad; } } /* only verify server cert if it is set in the configuration */ if (tls_config->verify) { - - if (!verify_server_cert(ctx, tls_config)) { + if (!verify_server_cert(ctx, tls_config)) goto bad; - } } else { sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, "skipping server cert check"); @@ -1195,16 +1197,11 @@ init_tls_server_context(void) /* if private key file was not set, assume that the cert file contains the private key */ char* pkey = (tls_config->pkey_path == NULL ? tls_config->cert_path : tls_config->pkey_path); - if (!SSL_CTX_use_PrivateKey_file(ctx, pkey, SSL_FILETYPE_PEM)) { - sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, - "unable to load key file %s: %s", pkey, - ERR_error_string(ERR_get_error(), NULL)); - goto bad; - } - if (!SSL_CTX_check_private_key(ctx)) { - sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, - "unable to verify key file %s: %s", pkey, - ERR_error_string(ERR_get_error(), NULL)); + if (!SSL_CTX_use_PrivateKey_file(ctx, pkey, SSL_FILETYPE_PEM) || + !SSL_CTX_check_private_key(ctx)) { + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("%s: %s"), pkey, errstr); + sudo_warnx(U_("unable to load private key %s"), pkey); goto bad; } @@ -1217,20 +1214,21 @@ init_tls_server_context(void) if (tls_config->dhparams_path != NULL) dhparam_file = fopen(tls_config->dhparams_path, "r"); if (dhparam_file != NULL) { - DH* dhparams; - if ((dhparams = PEM_read_DHparams(dhparam_file, NULL, NULL, NULL)) != NULL) { + DH *dhparams = PEM_read_DHparams(dhparam_file, NULL, NULL, NULL); + if (dhparams != NULL) { if (!SSL_CTX_set_tmp_dh(ctx, dhparams)) { - sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, - "unable to set dh parameters: %s", - ERR_error_string(ERR_get_error(), NULL)); + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("unable to set diffie-hellman parameters: %s"), + errstr); + DH_free(dhparams); } else { sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, "diffie-hellman parameters are loaded"); } } else { - sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, - "dhparam file can't be loaded: %s", - ERR_error_string(ERR_get_error(), NULL)); + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("unable to set diffie-hellman parameters: %s"), + errstr); } fclose(dhparam_file); } else { @@ -1238,12 +1236,12 @@ init_tls_server_context(void) "dhparam file not found, will use default parameters"); } - /* audit server supports TLS ver1.2 or higher */ + /* audit server supports TLS version 1.2 or higher */ #ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) { - sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, - "unable to restrict min. protocol version: %s", - ERR_error_string(ERR_get_error(), NULL)); + errstr = ERR_reason_error_string(ERR_get_error()); + sudo_warnx(U_("unable to set minimum protocol version to TLS 1.2: %s"), + errstr); goto bad; } #else @@ -1600,7 +1598,7 @@ server_setup(struct sudo_event_base *base) struct listen_address *addr; struct listener *l; int nlisteners = 0; - bool config_tls = false; + bool ret, config_tls = false; debug_decl(server_setup, SUDO_DEBUG_UTIL); /* Free old listeners (if any) and register new ones. */ @@ -1615,15 +1613,16 @@ server_setup(struct sudo_event_base *base) if (addr->tls) config_tls = true; } + ret = nlisteners > 0; - if (config_tls) { + if (ret && config_tls) { #if defined(HAVE_OPENSSL) if (!init_tls_server_context()) - sudo_fatal(NULL); + ret = false; #endif } - debug_return_bool(nlisteners > 0); + debug_return_bool(ret); } /* diff --git a/plugins/sudoers/iolog_client.c b/plugins/sudoers/iolog_client.c index a88372df7..bd45678c6 100644 --- a/plugins/sudoers/iolog_client.c +++ b/plugins/sudoers/iolog_client.c @@ -216,8 +216,10 @@ tls_init(struct client_closure *closure) if (SSL_CTX_load_verify_locations(closure->ssl_ctx, closure->log_details->ca_bundle, NULL) <= 0) { errstr = ERR_reason_error_string(ERR_get_error()); - sudo_warnx(U_("Calling SSL_CTX_load_verify_locations() failed: %s"), - errstr); + sudo_warnx(U_("%s: %s"), closure->log_details->ca_bundle, + errstr); + sudo_warnx(U_("unable to load certificate authority bundle %s"), + closure->log_details->ca_bundle); goto bad; } } @@ -229,8 +231,9 @@ tls_init(struct client_closure *closure) if (!SSL_CTX_use_certificate_chain_file(closure->ssl_ctx, closure->log_details->cert_file)) { errstr = ERR_reason_error_string(ERR_get_error()); - sudo_warnx(U_("Unable to load cert into the ssl context: %s"), - errstr); + sudo_warnx(U_("%s: %s"), closure->log_details->cert_file, errstr); + sudo_warnx(U_("unable to load certificate %s"), + closure->log_details->cert_file); goto bad; } if (closure->log_details->key_file == NULL) { @@ -238,10 +241,12 @@ tls_init(struct client_closure *closure) closure->log_details->key_file = closure->log_details->cert_file; } if (!SSL_CTX_use_PrivateKey_file(closure->ssl_ctx, - closure->log_details->key_file, X509_FILETYPE_PEM)) { + closure->log_details->key_file, SSL_FILETYPE_PEM) || + !SSL_CTX_check_private_key(closure->ssl_ctx)) { errstr = ERR_reason_error_string(ERR_get_error()); - sudo_warnx(U_("Unable to load private key into the ssl context: %s"), - errstr); + sudo_warnx(U_("%s: %s"), closure->log_details->key_file, errstr); + sudo_warnx(U_("unable to load private key %s"), + closure->log_details->key_file); goto bad; } }