Merge branch 'freebsd/current/main' into hardened/current/master

5fad5fd0 · HardenedBSD Sync Service · 5c4f0c87 · b387a075 · 5fad5fd0 · 5fad5fd0
Commit 5fad5fd0 authored May 22, 2022 by HardenedBSD Sync Service
--- a/lib/libpam/modules/pam_exec/pam_exec.c
+++ b/lib/libpam/modules/pam_exec/pam_exec.c
@@ -261,6 +261,13 @@ _pam_exec(pam_handle_t *pamh,
 			/* don't prompt, only expose existing token */
 			rc = pam_get_item(pamh, PAM_AUTHTOK, &item);
 			authtok = item;
+			if (authtok == NULL && rc == PAM_SUCCESS) {
+				openpam_log(PAM_LOG_ERROR, 
+				    "%s: pam_get_authtok(): %s",
+				    func, "authentication token not available");
+				OUT(PAM_SYSTEM_ERR);
+			}
+
 		} else {
 			rc = pam_get_authtok(pamh, PAM_AUTHTOK, &authtok, NULL);
 		}

--- a/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.8
+++ b/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.8
@@ -26,7 +26,7 @@
 .\" $FreeBSD$
 .\"
 .\" Modified from gssd.8 for rpc.tlsclntd.8 by Rick Macklem.
-.Dd February 17, 2021
+.Dd May 22, 2022
 .Dt RPC.TLSCLNTD 8
 .Os
 .Sh NAME
@@ -34,7 +34,8 @@
 .Nd "Sun RPC over TLS Client Daemon"
 .Sh SYNOPSIS
 .Nm
-.Op Fl C Ar preferred_ciphers
+.Op Fl 2
+.Op Fl C Ar available_ciphers
 .Op Fl D Ar certdir
 .Op Fl d
 .Op Fl l Ar CAfile
@@ -92,15 +93,33 @@ option has been specified.
 .Pp
 The options are as follows:
 .Bl -tag -width indent
-.It Fl C Ar preferred_ciphers , Fl Fl ciphers= Ns Ar preferred_ciphers
-Specify what preferred ciphers are to be used.
+.It Fl 2 , Fl Fl usetls1_2
+Specify the use of TLS version 1.2.
+By default, the client will
+use TLS version 1.3, as required by the RFC.
+However, early
+.Fx
+.Pq 13.0 and 13.1
+servers require
+this option, since they only support TLS version 1.2.
+.It Fl C Ar available_ciphers , Fl Fl ciphers= Ns Ar available_ciphers
+Specify which ciphers are available during TLS handshake.
 If this option is specified,
-.Dq SSL_CTX_set_cipher_list()
+.Dq SSL_CTX_set_ciphersuites()
 will be called with
-.Dq preferred_ciphers
+.Dq available_ciphers
 as the argument.
 If this option is not specified, the cipher will be chosen by
-.Xr ssl 7 .
+.Xr ssl 7 ,
+which should be adequate for most cases.
+The format for the available ciphers is a simple
+.So
+:
+.Sc
+separated list, in order of preference.
+The command
+.Dq openssl ciphers -s -tls1_3
+lists available ciphers.
 .It Fl D Ar certdir , Fl Fl certdir= Ns Ar certdir
 Use
 .Dq certdir

--- a/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c
+++ b/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c
@@ -188,7 +188,8 @@ main(int argc, char **argv)
 			break;
 		default:
 			fprintf(stderr, "usage: %s "
-			    "[-C/--ciphers preferred_ciphers] "
+			    "[-2/--usetls1_2] "
+			    "[-C/--ciphers available_ciphers] "
 			    "[-D/--certdir certdir] [-d/--debuglevel] "
 			    "[-l/--verifylocs CAfile] [-m/--mutualverf] "
 			    "[-p/--verifydir CApath] [-r/--crl CRLfile] "
@@ -486,13 +487,13 @@ rpctls_setupcl_ssl(void)

 	if (rpctls_ciphers != NULL) {
 		/*
-		 * Set preferred ciphers, since KERN_TLS only supports a
+		 * Set available ciphers, since KERN_TLS only supports a
 		 * few of them.
 		 */
-		ret = SSL_CTX_set_cipher_list(ctx, rpctls_ciphers);
+		ret = SSL_CTX_set_ciphersuites(ctx, rpctls_ciphers);
 		if (ret == 0) {
 			rpctls_verbose_out("rpctls_setupcl_ssl: "
-			    "SSL_CTX_set_cipher_list failed: %s\n",
+			    "SSL_CTX_set_ciphersuites failed: %s\n",
 			    rpctls_ciphers);
 			SSL_CTX_free(ctx);
 			return (NULL);

--- a/usr.sbin/rpc.tlsservd/rpc.tlsservd.8
+++ b/usr.sbin/rpc.tlsservd/rpc.tlsservd.8
@@ -26,7 +26,7 @@
 .\" $FreeBSD$
 .\"
 .\" Modified from gssd.8 for rpc.tlsservd.8 by Rick Macklem.
-.Dd May 17, 2022
+.Dd May 22, 2022
 .Dt RPC.TLSSERVD 8
 .Os
 .Sh NAME
@@ -34,6 +34,7 @@
 .Nd "Sun RPC over TLS Server Daemon"
 .Sh SYNOPSIS
 .Nm
+.Op Fl 2
 .Op Fl C Ar available_ciphers
 .Op Fl D Ar certdir
 .Op Fl d
@@ -141,6 +142,15 @@ option has been specified.
 .Pp
 The options are as follows:
 .Bl -tag -width indent
+.It Fl 2 , Fl Fl allowtls1_2
+Permit clients to mount using TLS version 1.2.
+By default, the daemon will only allow mounts
+using TLS version 1.3, as required by the RFC.
+However, early
+.Fx
+.Pq 13.0 and 13.1
+clients require
+this option, since they use TLS version 1.2.
 .It Fl C Ar available_ciphers , Fl Fl ciphers= Ns Ar available_ciphers
 Specify which ciphers are available during TLS handshake.
 If this option is specified,

--- a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
+++ b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
@@ -237,6 +237,8 @@ main(int argc, char **argv)
 			break;
 		default:
 			fprintf(stderr, "usage: %s "
+			    "[-2/--allowtls1_2] "
+			    "[-C/--ciphers available_ciphers] "
 			    "[-D/--certdir certdir] [-d/--debuglevel] "
 			    "[-h/--checkhost] "
 			    "[-l/--verifylocs CAfile] [-m/--mutualverf] "
@@ -570,14 +572,14 @@ rpctls_setup_ssl(const char *certdir)

 	if (rpctls_ciphers != NULL) {
 		/*
-		 * Set preferred ciphers, since KERN_TLS only supports a
+		 * Set available ciphers, since KERN_TLS only supports a
 		 * few of them.  Normally, not doing this should be ok,
 		 * since the library defaults will work.
 		 */
-		ret = SSL_CTX_set_cipher_list(ctx, rpctls_ciphers);
+		ret = SSL_CTX_set_ciphersuites(ctx, rpctls_ciphers);
 		if (ret == 0) {
 			rpctls_verbose_out("rpctls_setup_ssl: "
-			    "SSL_CTX_set_cipher_list failed: %s\n",
+			    "SSL_CTX_set_ciphersuites failed: %s\n",
 			    rpctls_ciphers);
 			SSL_CTX_free(ctx);
 			return (NULL);