Commit 5fad5fd0 authored by HardenedBSD Sync Service's avatar HardenedBSD Sync Service

Merge branch 'freebsd/current/main' into hardened/current/master

parents 5c4f0c87 b387a075
......@@ -261,6 +261,13 @@ _pam_exec(pam_handle_t *pamh,
/* don't prompt, only expose existing token */
rc = pam_get_item(pamh, PAM_AUTHTOK, &item);
authtok = item;
if (authtok == NULL && rc == PAM_SUCCESS) {
openpam_log(PAM_LOG_ERROR,
"%s: pam_get_authtok(): %s",
func, "authentication token not available");
OUT(PAM_SYSTEM_ERR);
}
} else {
rc = pam_get_authtok(pamh, PAM_AUTHTOK, &authtok, NULL);
}
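Review bot: The message logged at the new `openpam_log()` call names `pam_get_authtok()`, but the call that actually ran on this path is `pam_get_item(pamh, PAM_AUTHTOK, &item)` a few lines above, so an operator reading the log under `expose_authtok` without prompting is pointed at the wrong function; `"%s: pam_get_item(): %s",` would match the code. The new guard only fires for `rc == PAM_SUCCESS` with a NULL token; a non-success `rc` presumably reaches an existing check further down, which is outside this hunk, and it is worth confirming it does since `authtok` is NULL in that case as well. _pam_exec() begins and ends outside the hunk.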
......
......@@ -26,7 +26,7 @@
.\" $FreeBSD$
.\"
.\" Modified from gssd.8 for rpc.tlsclntd.8 by Rick Macklem.
.Dd February 17, 2021
.Dd May 22, 2022
.Dt RPC.TLSCLNTD 8
.Os
.Sh NAME
......@@ -34,7 +34,8 @@
.Nd "Sun RPC over TLS Client Daemon"
.Sh SYNOPSIS
.Nm
.Op Fl C Ar preferred_ciphers
.Op Fl 2
.Op Fl C Ar available_ciphers
.Op Fl D Ar certdir
.Op Fl d
.Op Fl l Ar CAfile
......@@ -92,15 +93,33 @@ option has been specified.
.Pp
The options are as follows:
.Bl -tag -width indent
.It Fl C Ar preferred_ciphers , Fl Fl ciphers= Ns Ar preferred_ciphers
Specify what preferred ciphers are to be used.
.It Fl 2 , Fl Fl usetls1_2
Specify the use of TLS version 1.2.
By default, the client will
use TLS version 1.3, as required by the RFC.
However, early
.Fx
.Pq 13.0 and 13.1
servers require
this option, since they only support TLS version 1.2.
.It Fl C Ar available_ciphers , Fl Fl ciphers= Ns Ar available_ciphers
Specify which ciphers are available during TLS handshake.
If this option is specified,
.Dq SSL_CTX_set_cipher_list()
.Dq SSL_CTX_set_ciphersuites()
will be called with
.Dq preferred_ciphers
.Dq available_ciphers
as the argument.
If this option is not specified, the cipher will be chosen by
.Xr ssl 7 .
.Xr ssl 7 ,
which should be adequate for most cases.
The format for the available ciphers is a simple
.So
:
.Sc
separated list, in order of preference.
The command
.Dq openssl ciphers -s -tls1_3
lists available ciphers.
.It Fl D Ar certdir , Fl Fl certdir= Ns Ar certdir
Use
.Dq certdir
......
......@@ -188,7 +188,8 @@ main(int argc, char **argv)
break;
default:
fprintf(stderr, "usage: %s "
"[-C/--ciphers preferred_ciphers] "
"[-2/--usetls1_2] "
"[-C/--ciphers available_ciphers] "
"[-D/--certdir certdir] [-d/--debuglevel] "
"[-l/--verifylocs CAfile] [-m/--mutualverf] "
"[-p/--verifydir CApath] [-r/--crl CRLfile] "
......@@ -486,13 +487,13 @@ rpctls_setupcl_ssl(void)
if (rpctls_ciphers != NULL) {
/*
* Set preferred ciphers, since KERN_TLS only supports a
* Set available ciphers, since KERN_TLS only supports a
* few of them.
*/
ret = SSL_CTX_set_cipher_list(ctx, rpctls_ciphers);
ret = SSL_CTX_set_ciphersuites(ctx, rpctls_ciphers);
if (ret == 0) {
rpctls_verbose_out("rpctls_setupcl_ssl: "
"SSL_CTX_set_cipher_list failed: %s\n",
"SSL_CTX_set_ciphersuites failed: %s\n",
rpctls_ciphers);
SSL_CTX_free(ctx);
return (NULL);
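Review bot: `SSL_CTX_set_ciphersuites()` configures only the TLS 1.3 ciphersuite list, so once the `-2` option added by this commit permits TLS 1.2 sessions, a `-C` list no longer constrains the ciphers a TLS 1.2 connection negotiates; those fall back to the library's default cipher list, which is exactly the case the surviving comment "since KERN_TLS only supports a few of them" says the option exists to avoid. The same switch is made in rpctls_setup_ssl() in the rpc.tlsservd hunk at line 572, and the point applies there too. At minimum the comment should record the limitation, e.g. `* Note: this only restricts TLS 1.3 suites; TLS 1.2 sessions allowed by -2 use the library's default cipher list.`, and if TLS 1.2 ciphers are meant to be restricted as well, a separate `SSL_CTX_set_cipher_list()` call with its own list is needed alongside this one. How `-2` is applied to the context is outside this hunk, and rpctls_setupcl_ssl() begins and ends outside it.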
......
......@@ -26,7 +26,7 @@
.\" $FreeBSD$
.\"
.\" Modified from gssd.8 for rpc.tlsservd.8 by Rick Macklem.
.Dd May 17, 2022
.Dd May 22, 2022
.Dt RPC.TLSSERVD 8
.Os
.Sh NAME
......@@ -34,6 +34,7 @@
.Nd "Sun RPC over TLS Server Daemon"
.Sh SYNOPSIS
.Nm
.Op Fl 2
.Op Fl C Ar available_ciphers
.Op Fl D Ar certdir
.Op Fl d
......@@ -141,6 +142,15 @@ option has been specified.
.Pp
The options are as follows:
.Bl -tag -width indent
.It Fl 2 , Fl Fl allowtls1_2
Permit clients to mount using TLS version 1.2.
By default, the daemon will only allow mounts
using TLS version 1.3, as required by the RFC.
However, early
.Fx
.Pq 13.0 and 13.1
clients require
this option, since they use TLS version 1.2.
.It Fl C Ar available_ciphers , Fl Fl ciphers= Ns Ar available_ciphers
Specify which ciphers are available during TLS handshake.
If this option is specified,
......
......@@ -237,6 +237,8 @@ main(int argc, char **argv)
break;
default:
fprintf(stderr, "usage: %s "
"[-2/--allowtls1_2] "
"[-C/--ciphers available_ciphers] "
"[-D/--certdir certdir] [-d/--debuglevel] "
"[-h/--checkhost] "
"[-l/--verifylocs CAfile] [-m/--mutualverf] "
......@@ -570,14 +572,14 @@ rpctls_setup_ssl(const char *certdir)
if (rpctls_ciphers != NULL) {
/*
* Set preferred ciphers, since KERN_TLS only supports a
* Set available ciphers, since KERN_TLS only supports a
* few of them. Normally, not doing this should be ok,
* since the library defaults will work.
*/
ret = SSL_CTX_set_cipher_list(ctx, rpctls_ciphers);
ret = SSL_CTX_set_ciphersuites(ctx, rpctls_ciphers);
if (ret == 0) {
rpctls_verbose_out("rpctls_setup_ssl: "
"SSL_CTX_set_cipher_list failed: %s\n",
"SSL_CTX_set_ciphersuites failed: %s\n",
rpctls_ciphers);
SSL_CTX_free(ctx);
return (NULL);
......