I'll add the patch within a couple days (compiling as I report this). This update includes a fix for a security issue without CVE regarding a directory traversal. See: https://git.sr.ht/~int80h/gemserv/refs
^Triage: If there is a changelog or release notes URL available for this version, please add it to the URL field.
Created attachment 235880 [details] net/gemserv: update to 0.6.6 While at it, use Makefile.crates as in other rust ports and fix a couple of complaints from portlint -A. Note that a previous patch needed for powerpc is not necessary due to a newer version of the libc crate being used. I checked that indeed the changes are incorporated, but am unable to test against that arch.
Hi, thanks for the patch, it does build ok, just tried to build the package in a 13.1 jail. But the server wouldn't start, with this error message: thread 'main' panicked at 'error loading key: General("The server certificate is not valid for the given name")', src/lib/tls.rs:55:14 although I double checked and the generated test cert does have a CN corresponding to the FQDN of the jail's hostname, which also resolves in DNS to the jail's IP. Any clue?
Thanks for taking a look! I'm certainly not well versed in rust, but my wild guess is: are you using self-signed certificates? There might be an issue with gemserv there, basing the guess on this comment in the source code: https://git.sr.ht/~int80h/gemserv/tree/v0.6.6/item/src/lib/tls.rs#L123 Note the TLS logic has been completely rewritten since last version we have on FreeBSD repos. FWIW I've been running 0.6.6 off my pkg repositories for a few days without issues now.
Hi, thanks for pointing to the comment in the source code, indeed, I was testing with a self-signed cert. So I grabbed one of my Letsencrypt issued certs, and got this in /var/log/messages:
Aug 17 07:54:04 gemserv gemserv[81330]: 2022-08-17 05:54:04,555 INFO [gemserv] Serving 1 vhosts
Aug 17 07:54:04 gemserv gemserv[81330]: thread 'main' panicked at 'removal index (is 0) should be < len (is 0)', src/lib/tls.rs:46:42
Aug 17 07:54:04 gemserv gemserv[81330]: stack backtrace:
Aug 17 07:54:04 gemserv gemserv[81330]: 0: 0x26ac1dff085d - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::hf271a1988635e66b
Aug 17 07:54:04 gemserv gemserv[81330]: 1: 0x26ac1ded30ae - core::fmt::write::h06f611de0d6a5aeb
Aug 17 07:54:04 gemserv gemserv[81330]: 2: 0x26ac1dfcabd4 - std::io::Write::write_fmt::h825a3caddcfda349
Aug 17 07:54:04 gemserv gemserv[81330]: 3: 0x26ac1dfd8ba6 - std::panicking::default_hook::{{closure}}::h48207883971a61ed
Aug 17 07:54:04 gemserv gemserv[81330]: 4: 0x26ac1dfd97bf - std::panicking::rust_panic_with_hook::hb1605447e655ad18
Aug 17 07:54:04 gemserv gemserv[81330]: 5: 0x26ac1dff0c22 - std::panicking::begin_panic_handler::{{closure}}::h72e6f0c380d86540
Aug 17 07:54:04 gemserv gemserv[81330]: 6: 0x26ac1dff0b96 - std::sys_common::backtrace::__rust_end_short_backtrace::h9602d023f6801785
Aug 17 07:54:04 gemserv gemserv[81330]: 7: 0x26ac1dfd9182 - rust_begin_unwind
Aug 17 07:54:04 gemserv gemserv[81330]: 8: 0x26ac1ded5b02 - core::panicking::panic_fmt::h735f12c53d12ea24
Aug 17 07:54:04 gemserv gemserv[81330]: 9: 0x26ac1dec78b1 - alloc::vec::Vec<T,A>::remove::assert_failed::h89829a84e8dde3ab
Aug 17 07:54:04 gemserv gemserv[81330]: 10: 0x26ac1de9e931 - gemserv::lib::tls::tls_acceptor_conf::he7ebc86cebbbbfe9
Aug 17 07:54:04 gemserv gemserv[81330]: 11: 0x26ac1dea2f9e - gemserv::run::{{closure}}::h47eb3bc4db1af29a
Aug 17 07:54:04 gemserv gemserv[81330]: 12: 0x26ac1de837a0 - <core::future::from_generator::GenFuture<T> as core::future::future::Future>::poll::h7096b8765f4e0031
Aug 17 07:54:04 gemserv gemserv[81330]: 13: 0x26ac1deb20a1 - gemserv::main::h1794507196c913e9
Aug 17 07:54:04 gemserv gemserv[81330]: 14: 0x26ac1de520b3 - std::sys_common::backtrace::__rust_begin_short_backtrace::h469d0ba2741643ee
Aug 17 07:54:04 gemserv gemserv[81330]: 15: 0x26ac1de52e9d - std::rt::lang_start::{{closure}}::he3ab2a2e7f3b24d0
Aug 17 07:54:04 gemserv gemserv[81330]: 16: 0x26ac1deb3f6d - main
Tried with "cert.pem", then "fullchain.pem", same error. Which CA certs are you using?
Hunch: you are using RSA keys that are not in PKCS8 format and we just found a newly introduced bug in gemserv :-). Can you confirm that your key's PEM headers look like this? -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY----- If that's the case, removing "RSA " (aka, leaving only "BEGIN/END PRIVATE KEY") should get you a PKCS8 formatted key that ought to work. Basing this hunch on: https://git.sr.ht/~int80h/gemserv/tree/v0.6.6/item/src/lib/tls.rs#L37 And: https://docs.rs/rustls-pemfile/0.2.1/rustls_pemfile/fn.pkcs8_private_keys.html If this is confirmed maybe we can use: https://docs.rs/rustls-pemfile/0.2.1/rustls_pemfile/fn.rsa_private_keys.html to join that with the PKCS8 ones and publish 0.6.6 in ports with the patch, while submitting it upstream.
Yes, works after removing "RSA" in key.pem. Not sure what to think of it. Maybe this should be baked into the server code? The requirement to use third-party CA issued certs, is it coming from Rust? Sounds like it's not lined up with that strong recommendation to use self-signed certs together with some lightweight TOFU as per the gemini specs.
Regarding CAs: IDK, that's up to gemserv's developers. But could it be that your first issue was a mixture of: custom code to handle these cases + non-PKCS8 RSA key? Could you try again with the self-signed cert, making sure that the private key is PKCS8-formatted?
Tried again with self-signed cert, generated with same CN, key.pem has no "RSA", this is what goes out in /var/log/messages: Aug 17 11:25:19 pkg gemserv[87249]: thread 'main' panicked at 'error loading key: General("The server certificate is not valid for the given name")', src/lib/tls.rs:55:14
Created attachment 235966 [details] net/gemserv: update to 0.6.6 This adds a patch to support reading both PKCS8 and OpenSSL-generated RSA private keys. The patch has been sent upstream so it gets incorporated or re-implemented in a way they see fit.
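The thread above turns on the difference between a PEM file tagged "RSA PRIVATE KEY" (a bare PKCS#1 RSAPrivateKey structure, which is what openssl genrsa writes) and one tagged "PRIVATE KEY" (PKCS#8 PrivateKeyInfo, which wraps that same structure in an AlgorithmIdentifier). Renaming the header, as suggested earlier, changes the label but not the DER inside. The following is an added example, not gemserv's code nor the attached patch: it classifies a PEM key by its header so a deployment check can flag a PKCS#1 key before the server panics, and performs the real PKCS#1 to PKCS#8 conversion by DER-wrapping the key. The RSA parameters are a constructed textbook sample (p=61, q=53) that is far too small for any real use; every function name here is the example's own.

```python
import base64
import re

# Constructed textbook RSA key (p=61, q=53, n=3233, e=17, d=2753). Useless for
# security, but a structurally valid RSAPrivateKey for exercising the encoder.
SAMPLE_RSA = dict(n=3233, e=17, d=2753, p=61, q=53, dp=53, dq=49, qinv=38)

# OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption), already DER-encoded.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# PEM label -> key container format. "PRIVATE KEY" is the PKCS#8 form rustls-pemfile's
# pkcs8_private_keys() accepts; "RSA PRIVATE KEY" is the PKCS#1 form OpenSSL emits.
LABELS = {
    "PRIVATE KEY": "pkcs8",
    "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",
    "RSA PRIVATE KEY": "pkcs1-rsa",
    "EC PRIVATE KEY": "sec1-ec",
}


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_int(value):
    # Non-negative INTEGER; an extra 0x00 is prepended when the high bit is set.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return der_tlv(0x02, body)


def der_read(buf, pos):
    """Read one TLV at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def pkcs1_rsa_private_key_der(k):
    """RSAPrivateKey ::= SEQUENCE { version 0, n, e, d, p, q, dP, dQ, qInv }."""
    fields = [0, k["n"], k["e"], k["d"], k["p"], k["q"], k["dp"], k["dq"], k["qinv"]]
    return der_tlv(0x30, b"".join(der_int(v) for v in fields))


def wrap_pkcs8(pkcs1_der):
    """PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier, OCTET STRING key }."""
    alg = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption, NULL params
    return der_tlv(0x30, der_int(0) + alg + der_tlv(0x04, pkcs1_der))


def unwrap_pkcs8(pkcs8_der):
    """Return (AlgorithmIdentifier content, inner key DER) from a PrivateKeyInfo."""
    tag, body, _ = der_read(pkcs8_der, 0)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    _, _, pos = der_read(body, 0)            # version
    _, alg, pos = der_read(body, pos)        # AlgorithmIdentifier
    tag, key, _ = der_read(body, pos)        # privateKey OCTET STRING
    if tag != 0x04:
        raise ValueError("privateKey must be an OCTET STRING")
    return alg, key


def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(pem):
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode(m.group(2))


def classify_pem_key(pem):
    """Deployment check: what container format does this key file actually use?"""
    m = PEM_RE.search(pem)
    if not m:
        return "not-a-pem-key"
    return LABELS.get(m.group(1), "unknown:" + m.group(1))


def convert_pkcs1_pem_to_pkcs8_pem(pem):
    """The proper conversion: wrap the PKCS#1 DER, rather than just renaming the header."""
    if classify_pem_key(pem) != "pkcs1-rsa":
        raise ValueError("expected an RSA PRIVATE KEY block")
    return to_pem("PRIVATE KEY", wrap_pkcs8(pem_to_der(pem)))


if __name__ == "__main__":
    pkcs1_pem = to_pem("RSA PRIVATE KEY", pkcs1_rsa_private_key_der(SAMPLE_RSA))
    print(classify_pem_key(pkcs1_pem))
    print(convert_pkcs1_pem_to_pkcs8_pem(pkcs1_pem))
```

Run against a real key file, classify_pem_key tells you in advance which of the two rustls-pemfile loaders will find it; a server built to call only pkcs8_private_keys() will report zero keys for a pkcs1-rsa file, which is the empty-Vec removal panic seen in the log above.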
The last patch is not approved by maintainer. What's the status of this PR?
(In reply to Fernando Apesteguía from comment #11) I'd guess maintainer timeout, upstream hasn't incorporated or replied to the patch either :-(. FWIW it's been deployed in multiple servers without issues since first posted here.
Committed, Thanks!
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=740042a4126b6461d79eae867b50abb7a693938c
commit 740042a4126b6461d79eae867b50abb7a693938c
Author: Evilham <contact@evilham.com>
AuthorDate: 2023-01-26 17:53:00 +0000
Commit: Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-01-26 18:14:06 +0000
net/gemserv: Update to 0.6.6
ChangeLog: https://git.sr.ht/~int80h/gemserv/tree/v0.6.6/item/README#L79
This update fixes a security issue for which there is no CVE assigned: https://git.sr.ht/~int80h/gemserv/refs
PR: 265800
Reported by: contact@evilham.com
Approved by: ea@uoga.net (maintainer)
net/gemserv/Makefile | 80 +-----
net/gemserv/Makefile.crates (new) | 103 ++++++++
net/gemserv/distinfo | 366 +++++++++++++++------------
net/gemserv/files/config.toml.sample.in | 38 ++-
net/gemserv/files/gemserv.in | 2 +
net/gemserv/files/patch-powerpc (gone) | 62 -----
net/gemserv/files/patch-src_lib_tls.rs (new) | 35 +++
net/gemserv/pkg-message | 12 +-
8 files changed, 391 insertions(+), 307 deletions(-)