Bug 265800 - net/gemserv: Update to 0.6.6
Summary: net/gemserv: Update to 0.6.6
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
URL: https://git.sr.ht/~int80h/gemserv/tre...
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2022-08-12 17:58 UTC by Evilham
Modified: 2022-08-17 13:41 UTC
2 users

See Also:
bugzilla: maintainer-feedback? (ea)


Attachments
net/gemserv: update to 0.6.6 (40.07 KB, patch)
2022-08-13 13:53 UTC, Evilham
no flags
net/gemserv: update to 0.6.6 (41.81 KB, patch)
2022-08-17 13:41 UTC, Evilham
contact: maintainer-approval?

Description Evilham 2022-08-12 17:58:49 UTC
I'll add the patch within a couple days (compiling as I report this).

This update includes a fix for a security issue without CVE regarding a directory traversal.

See: https://git.sr.ht/~int80h/gemserv/refs
Comment 1 Fernando Apesteguía freebsd_committer 2022-08-12 18:06:23 UTC
^Triage: If there is a changelog or release notes URL available for this version, please add it to the URL field.
Comment 2 Evilham 2022-08-13 13:53:42 UTC
Created attachment 235880
net/gemserv: update to 0.6.6

While at it, use Makefile.crates as in other Rust ports and fix a couple of complaints from portlint -A.

Note that a previous patch needed for powerpc is not necessary due to a newer version of the libc crate being used. I checked that indeed the changes are incorporated, but am unable to test against that arch.
Comment 3 Evaldas Auryla 2022-08-16 14:06:32 UTC
Hi, thanks for the patch, it does build OK; I just tried to build the package in a 13.1 jail. But the server wouldn't start, with this error message:

thread 'main' panicked at 'error loading key: General("The server certificate is not valid for the given name")', src/lib/tls.rs:55:14

although I double-checked, and the generated test cert does have a CN corresponding to the FQDN of the jail's hostname, which also resolves in DNS to the jail's IP. Any clue?
Comment 4 Evilham 2022-08-16 14:25:01 UTC
Thanks for taking a look!

I'm certainly not well versed in rust, but my wild guess is: are you using self-signed certificates?
There might be an issue with gemserv there, basing the guess on this comment in the source code:
https://git.sr.ht/~int80h/gemserv/tree/v0.6.6/item/src/lib/tls.rs#L123
Note the TLS logic has been completely rewritten since the last version we have in the FreeBSD repos.

FWIW I've been running 0.6.6 off my pkg repositories for a few days without issues now.
Comment 5 Evaldas Auryla 2022-08-17 07:27:46 UTC
Hi, thanks for pointing to the comment in the source code, indeed, I was testing with self-signed cert. So I grabbed one of my Letsencrypt issued certs, and got this in /var/log/messages:

Aug 17 07:54:04 gemserv gemserv[81330]: 2022-08-17 05:54:04,555 INFO  [gemserv] Serving 1 vhosts
Aug 17 07:54:04 gemserv gemserv[81330]: thread 'main' panicked at 'removal index (is 0) should be < len (is 0)', src/lib/tls.rs:46:42
Aug 17 07:54:04 gemserv gemserv[81330]: stack backtrace:
Aug 17 07:54:04 gemserv gemserv[81330]:    0:     0x26ac1dff085d - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::hf271a1988635e66b
Aug 17 07:54:04 gemserv gemserv[81330]:    1:     0x26ac1ded30ae - core::fmt::write::h06f611de0d6a5aeb
Aug 17 07:54:04 gemserv gemserv[81330]:    2:     0x26ac1dfcabd4 - std::io::Write::write_fmt::h825a3caddcfda349
Aug 17 07:54:04 gemserv gemserv[81330]:    3:     0x26ac1dfd8ba6 - std::panicking::default_hook::{{closure}}::h48207883971a61ed
Aug 17 07:54:04 gemserv gemserv[81330]:    4:     0x26ac1dfd97bf - std::panicking::rust_panic_with_hook::hb1605447e655ad18
Aug 17 07:54:04 gemserv gemserv[81330]:    5:     0x26ac1dff0c22 - std::panicking::begin_panic_handler::{{closure}}::h72e6f0c380d86540
Aug 17 07:54:04 gemserv gemserv[81330]:    6:     0x26ac1dff0b96 - std::sys_common::backtrace::__rust_end_short_backtrace::h9602d023f6801785
Aug 17 07:54:04 gemserv gemserv[81330]:    7:     0x26ac1dfd9182 - rust_begin_unwind
Aug 17 07:54:04 gemserv gemserv[81330]:    8:     0x26ac1ded5b02 - core::panicking::panic_fmt::h735f12c53d12ea24
Aug 17 07:54:04 gemserv gemserv[81330]:    9:     0x26ac1dec78b1 - alloc::vec::Vec<T,A>::remove::assert_failed::h89829a84e8dde3ab
Aug 17 07:54:04 gemserv gemserv[81330]:   10:     0x26ac1de9e931 - gemserv::lib::tls::tls_acceptor_conf::he7ebc86cebbbbfe9
Aug 17 07:54:04 gemserv gemserv[81330]:   11:     0x26ac1dea2f9e - gemserv::run::{{closure}}::h47eb3bc4db1af29a
Aug 17 07:54:04 gemserv gemserv[81330]:   12:     0x26ac1de837a0 - <core::future::from_generator::GenFuture<T> as core::future::future::Future>::poll::h7096b8765f4e0031
Aug 17 07:54:04 gemserv gemserv[81330]:   13:     0x26ac1deb20a1 - gemserv::main::h1794507196c913e9
Aug 17 07:54:04 gemserv gemserv[81330]:   14:     0x26ac1de520b3 - std::sys_common::backtrace::__rust_begin_short_backtrace::h469d0ba2741643ee
Aug 17 07:54:04 gemserv gemserv[81330]:   15:     0x26ac1de52e9d - std::rt::lang_start::{{closure}}::he3ab2a2e7f3b24d0
Aug 17 07:54:04 gemserv gemserv[81330]:   16:     0x26ac1deb3f6d - main

Tried with "cert.pem", then "fullchain.pem", same error. Which CA certs are you using?
Comment 6 Evilham 2022-08-17 08:00:19 UTC
Hunch: you are using RSA keys that are not in PKCS8 format and we just found a newly introduced bug in gemserv :-).

Can you confirm that your key's PEM headers look like this?

    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----

If that's the case, removing "RSA " (aka leaving only "BEGIN/END PRIVATE KEY") should get you a PKCS8-formatted key that ought to work.

Basing this hunch on:
https://git.sr.ht/~int80h/gemserv/tree/v0.6.6/item/src/lib/tls.rs#L37
And: https://docs.rs/rustls-pemfile/0.2.1/rustls_pemfile/fn.pkcs8_private_keys.html

If this is confirmed, maybe we can use https://docs.rs/rustls-pemfile/0.2.1/rustls_pemfile/fn.rsa_private_keys.html to join that with the PKCS8 ones and publish 0.6.6 in ports with the patch, while submitting it upstream.
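The approach suggested above, as an added example that is not gemserv's code nor the port's patch, in plain Rust without the rustls-pemfile crate: a PEM scanner that accepts both the PKCS#8 label and the OpenSSL RSA label and returns an error rather than indexing into an empty vector, which is the panic seen in comment 5. The PEM labels are the real ones; SAMPLE_PEM and its base64 bodies are constructed placeholders, not real key material.

```rust
/// Key encodings told apart by their PEM label (constructed example, not gemserv code).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum KeyKind {
    Pkcs8,    // "BEGIN PRIVATE KEY", what rustls_pemfile::pkcs8_private_keys returns
    Pkcs1Rsa, // "BEGIN RSA PRIVATE KEY", what rustls_pemfile::rsa_private_keys returns
}

#[derive(Debug, PartialEq, Eq)]
pub struct PemKey {
    pub kind: KeyKind,
    pub base64: String, // body lines concatenated; DER is not decoded here
}

#[derive(Debug, PartialEq, Eq)]
pub enum KeyError {
    NoPrivateKey,
    UnterminatedBlock(&'static str),
}

/// Constructed sample: an OpenSSL-style RSA key following a certificate block (bodies are fake).
pub const SAMPLE_PEM: &str = "-----BEGIN CERTIFICATE-----\nQ0VSVA==\n-----END CERTIFICATE-----\n-----BEGIN RSA PRIVATE KEY-----\nUlNB\nS0VZ\n-----END RSA PRIVATE KEY-----\n";

/// Collect every private key block, accepting both labels (the "join" suggested in comment 6).
pub fn private_keys(pem: &str) -> Result<Vec<PemKey>, KeyError> {
    let mut keys = Vec::new();
    let mut lines = pem.lines().map(str::trim);
    while let Some(line) = lines.next() {
        let (kind, end) = match line {
            "-----BEGIN PRIVATE KEY-----" => (KeyKind::Pkcs8, "-----END PRIVATE KEY-----"),
            "-----BEGIN RSA PRIVATE KEY-----" => (KeyKind::Pkcs1Rsa, "-----END RSA PRIVATE KEY-----"),
            _ => continue, // certificates and unrelated blocks are skipped
        };
        let mut base64 = String::new();
        loop {
            match lines.next() {
                Some(l) if l == end => break,
                Some(l) => base64.push_str(l),
                None => return Err(KeyError::UnterminatedBlock(end)),
            }
        }
        keys.push(PemKey { kind, base64 });
    }
    Ok(keys)
}

/// Safe counterpart of `keys.remove(0)`: an empty result is an error, not a panic.
pub fn first_private_key(pem: &str) -> Result<PemKey, KeyError> {
    private_keys(pem)?.into_iter().next().ok_or(KeyError::NoPrivateKey)
}
```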
Comment 7 Evaldas Auryla 2022-08-17 08:48:56 UTC
Yes, it works after removing "RSA" in key.pem. Not sure what to think of it. Maybe this should be baked into the server code?

Is the requirement to use third-party CA-issued certs coming from Rust? It sounds like it's not lined up with that strong recommendation to use self-signed certs together with some lightweight TOFU as per the Gemini specs.
Comment 8 Evilham 2022-08-17 09:10:46 UTC
Regarding CAs: IDK, that's up to gemserv's developers.

But could it be that your first issue was a mixture of: custom code to handle these cases + non-PKCS8 RSA key? Could you try again with the self-signed cert, making sure that the private key is PKCS8-formatted?
Comment 9 Evaldas Auryla 2022-08-17 09:30:38 UTC
Tried again with a self-signed cert, generated with the same CN; key.pem has no "RSA". This is what goes out in /var/log/messages:

Aug 17 11:25:19 pkg gemserv[87249]: thread 'main' panicked at 'error loading key: General("The server certificate is not valid for the given name")', src/lib/tls.rs:55:14
Comment 10 Evilham 2022-08-17 13:41:29 UTC
Created attachment 235966
net/gemserv: update to 0.6.6

This adds a patch to support reading both PKCS8 and OpenSSL-generated RSA private keys.

The patch has been sent upstream so it gets incorporated or re-implemented in a way they see fit.