commit a065ee49d9a6aa6e1798b970f010a744f7b83762 from: rsadowski date: Thu Mar 5 07:27:01 2026 UTC Fix relayd reload race crash Instead of terminating with fatalx() when a private key hash cannot be found, log a warning and send an error back to the relay worker. This prevents a race condition during "reload" where a request might reach the CA process while keys are being repopulated. Reported by Nick Owens; thanks! OK tb@ commit - 802f4c96216ce8ba445b0fa0a1be479daa94db54 commit + a065ee49d9a6aa6e1798b970f010a744f7b83762 blob - 0a34c5ca7bc64acf232d92b59114b83318ac3d17 blob + c4f527fa96f5b64a702d682f9d59ef92cf46d9d4 --- ca.c +++ ca.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ca.c,v 1.49 2026/03/05 05:30:09 tb Exp $ */ +/* $OpenBSD: ca.c,v 1.50 2026/03/05 07:27:01 rsadowski Exp $ */ /* * Copyright (c) 2014 Reyk Floeter @@ -235,9 +235,21 @@ ca_dispatch_relay(int fd, struct privsep_proc *p, stru fatalx("%s: invalid relay proc", __func__); if (IMSG_DATA_SIZE(imsg) != (sizeof(cko) + cko.cko_flen)) fatalx("%s: invalid key operation", __func__); - if ((pkey = pkey_find(env, cko.cko_hash)) == NULL) - fatalx("%s: invalid relay hash '%s'", + + if ((pkey = pkey_find(env, cko.cko_hash)) == NULL) { + log_warnx("%s: invalid relay hash '%s'", __func__, cko.cko_hash); + /* Signal failure to the waiting relay worker. */ + cko.cko_tlen = -1; + iov[c].iov_base = &cko; + iov[c++].iov_len = sizeof(cko); + if (proc_composev_imsg(env->sc_ps, PROC_RELAY, + cko.cko_proc, imsg->hdr.type, -1, -1, iov, + c) == -1) + log_warn("%s: proc_composev_imsg", __func__); + break; + } + if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL) fatalx("%s: invalid relay key", __func__); @@ -393,7 +405,11 @@ rsae_send_imsg(int flen, const u_char *from, u_char *t fatalx("invalid response"); ret = cko.cko_tlen; - if (ret > 0) { + if (ret == -1) { + log_warnx("%s: priv%s failed for key %s", + __func__, cmd == IMSG_CA_PRIVENC ? + "enc" : "dec", cko.cko_hash); + } else if (ret > 0) { if (IMSG_DATA_SIZE(&imsg) != (sizeof(cko) + ret)) fatalx("data size");