changeset 5321:0d8bd7d3764e

5053475 certlib_load() error messages need improving. 6614180 file permissions on public keys and CRLs should be more open. 6614741 keying material with insecure permissions should not be trusted.
author pwernau
date Wed, 24 Oct 2007 13:59:51 -0700
parents 43bde2b01a59
children 010e79fdab36
files usr/src/cmd/cmd-inet/usr.sbin/ipsecutils/ipseckey.c usr/src/lib/libipsecutil/common/ipsec_util.h usr/src/pkgdefs/SUNWcnetr/postinstall usr/src/tools/scripts/bfu.sh
diffstat 4 files changed, 57 insertions(+), 1 deletions(-) [+]
--- a/usr/src/cmd/cmd-inet/usr.sbin/ipsecutils/ipseckey.c	Wed Oct 24 13:53:20 2007 -0700
+++ b/usr/src/cmd/cmd-inet/usr.sbin/ipsecutils/ipseckey.c	Wed Oct 24 13:59:51 2007 -0700
@@ -33,7 +33,6 @@
 
 #pragma ident	"%Z%%M%	%I%	%E% SMI"
 
-
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/socket.h>
@@ -3178,6 +3177,7 @@
 	FILE *infile = stdin, *savefile;
 	boolean_t dosave = B_FALSE, readfile = B_FALSE;
 	char *configfile = NULL;
+	struct stat sbuf;
 
 	(void) setlocale(LC_ALL, "");
 #if !defined(TEXT_DOMAIN)
@@ -3220,6 +3220,28 @@
 				EXIT_BADCONFIG2("Unable to open configuration "
 				    "file: %s\n", optarg);
 			}
+			/*
+			 * Check file permissions/ownership and warn or
+			 * fail depending on state of SMF control.
+			 */
+			if (fstat(fileno(infile), &sbuf) == -1) {
+				(void) fclose(infile);
+				EXIT_BADCONFIG2("Unable to stat configuration "
+				    "file: %s\n", optarg);
+			}
+			if (INSECURE_PERMS(sbuf)) {
+				if (my_fmri != NULL) {
+					(void) fclose(infile);
+					EXIT_BADCONFIG2("Config file "
+					    "%s has insecure permissions.",
+					    optarg);
+				} else 	{
+					(void) fprintf(stderr, "%s %s\n",
+					    optarg, gettext(
+					    "has insecure permissions, will be "
+					    "rejected in permanent config."));
+				}
+			}
 			configfile = strdup(optarg);
 			readfile = B_TRUE;
 			break;
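Review bot: The new `EXIT_BADCONFIG2("Config file " "%s has insecure permissions.", optarg)` message has no trailing newline, while the sibling messages in this switch arm (`"Unable to open configuration file: %s\n"`, `"Unable to stat configuration file: %s\n"`) all end in `\n`, so the SMF-mode failure text will presumably run into whatever is printed next unless the macro supplies one. The message also does not say what is required of the file; `"Config file %s has insecure permissions (must be owned by root and not group/world accessible)\n"` states the policy INSECURE_PERMS actually enforces, which is what bug 5053475 asks for. The `} else 	{` line carries a stray tab before the brace. The enclosing function (apparently main(), given the setlocale() call) starts and ends outside this hunk.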
--- a/usr/src/lib/libipsecutil/common/ipsec_util.h	Wed Oct 24 13:53:20 2007 -0700
+++ b/usr/src/lib/libipsecutil/common/ipsec_util.h	Wed Oct 24 13:59:51 2007 -0700
@@ -79,6 +79,11 @@
 #define	TBUF_SIZE	50
 #define	TIME_MAX	LONG_MAX
 
+#ifndef INSECURE_PERMS
+#define	INSECURE_PERMS(sbuf)	(((sbuf).st_uid != 0) || \
+	((sbuf).st_mode & S_IRWXG) || ((sbuf).st_mode & S_IRWXO))
+#endif
+
 /* For keyword-lookup tables */
 typedef struct keywdtab {
 	uint_t	kw_tag;
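Review bot: The `#ifndef INSECURE_PERMS` guard around the macro means any translation unit that defines INSECURE_PERMS before including ipsec_util.h silently replaces the ownership/mode policy that ipseckey.c now relies on; a security predicate should be defined unconditionally, or the guard replaced by an `#error` on redefinition. The expansion uses S_IRWXG/S_IRWXO, so it only compiles where `<sys/stat.h>` is already in scope — this header's own includes are outside the hunk, so I cannot confirm it pulls that in itself. The test also looks at mode bits only; whether an extended ACL can widen access beyond what st_mode shows on the filesystems in use is worth confirming, and the macro deserves a comment either way: `/* True if not root-owned or group/world accessible by mode bits; ACLs are not examined. */`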
--- a/usr/src/pkgdefs/SUNWcnetr/postinstall	Wed Oct 24 13:53:20 2007 -0700
+++ b/usr/src/pkgdefs/SUNWcnetr/postinstall	Wed Oct 24 13:59:51 2007 -0700
@@ -32,3 +32,17 @@
 	removef $PKGINST /etc/aggregation.conf > /dev/null
 	removef -f $PKGINST > /dev/null 2>&1
 fi
+
+#
+# Change permissions of public IKE certificates and CRLs
+# that may have been incorrectly created as private
+# PKCS#11 hints files must be left root-only readable.
+# Make sure this files starts with "30 82"
+#
+for file in `ls ${PKG_INSTALL_ROOT}/etc/inet/ike/crls/* \
+    ${PKG_INSTALL_ROOT}/etc/inet/ike/publickeys/* 2>/dev/null`; do
+	if /bin/od -tx1 -N3 < $file | grep '30 82' >/dev/null 2>&1
+	then
+	    chmod 644 $file
+	fi
+done
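Review bot: The `grep '30 82'` test on the `od -tx1 -N3` output is unanchored, so a file whose first three bytes are, say, `a0 30 82` prints `0000000 a0 30 82`, matches, and is made world-readable even though it does not start with the DER `30 82` header the comment describes; anchoring on the offset column, `if /bin/od -tx1 -N2 < "$file" | grep '^0000000 30 82' >/dev/null 2>&1`, tests exactly the first two bytes. The `` for file in `ls ...` `` form word-splits any filename containing whitespace, and `$file` is unquoted at `chmod 644 $file`; iterating the two globs directly with `"$file"` quoted avoids both. A PEM-encoded certificate (starting `-----BEGIN`) is not matched and stays root-only, which may be intended but should be stated in the comment, and `this files` should read `these files`.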
--- a/usr/src/tools/scripts/bfu.sh	Wed Oct 24 13:53:20 2007 -0700
+++ b/usr/src/tools/scripts/bfu.sh	Wed Oct 24 13:59:51 2007 -0700
@@ -7124,6 +7124,21 @@
 	fi
 
 	echo
+
+	#
+	# Change permissions of public IKE certificates and CRLs
+	# that may have been incorrectly created as private
+	# PKCS#11 hints files must be left root-only readable.
+	# Make sure this files starts with "30 82"
+	#
+	for file in `ls $rootprefix/etc/inet/ike/crls/* \
+	    $rootprefix/etc/inet/ike/publickeys/* 2>/dev/null`; do
+		if /bin/od -tx1 -N3 < $file | grep '30 82' >/dev/null 2>&1
+		then
+			chmod 644 $file
+		fi
+	done
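Review bot: The `grep '30 82'` match on the `od -tx1 -N3` output is unanchored, so a file whose first three bytes are `xx 30 82` is also switched to 0644; with `-N2` and `grep '^0000000 30 82'` only a leading DER header as described in the comment qualifies. This loop is a verbatim copy of the one added to SUNWcnetr/postinstall in the same changeset, so the same unquoted `$file` word-splitting applies and any fix must be made in both places. The enclosing indented block starts and ends outside this hunk.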
+
 	# Simulate installation of SUNWcry* - these are in the bfu archives.
 	if [ -f $rootprefix/etc/crypto/kcf.conf -a \
 	    -f $rootprefix/etc/crypto/pkcs11.conf ]; then