author | Florian Dold <florian@dold.me> | 2021-07-29 13:04:55 +0200 |
---|---|---|
committer | Florian Dold <florian@dold.me> | 2021-07-29 13:04:55 +0200 |
commit | 036d4cb71ac1abe1990c936ee1f3b2cbf15d14c1 (patch) | |
tree | 5af2eb2adb5d6a71746b1781920cacc0ed30e5c6 | |
parent | dae09f1a43b58778b01f4bb436504ee2fe8f5357 (diff) | |
secmod: services create their own client dirs with correct permissions
-rw-r--r-- | src/util/crypto_helper_denom.c | 27 | ||||
-rw-r--r-- | src/util/crypto_helper_esign.c | 25 | ||||
-rw-r--r-- | src/util/taler-exchange-secmod-eddsa.c | 39 | ||||
-rw-r--r-- | src/util/taler-exchange-secmod-eddsa.conf | 3 | ||||
-rw-r--r-- | src/util/taler-exchange-secmod-rsa.c | 39 | ||||
-rw-r--r-- | src/util/taler-exchange-secmod-rsa.conf | 5 |
6 files changed, 116 insertions, 22 deletions
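--- a/src/util/crypto_helper_denom.c
+++ b/src/util/crypto_helper_denom.c
@@ -228,29 +228,32 @@ TALER_CRYPTO_helper_denom_connect (
 
 if (GNUNET_OK !=
 GNUNET_CONFIGURATION_get_value_filename (cfg,
-"PATHS",
-"TALER_RUNTIME_DIR",
+"taler-exchange-secmod-rsa",
+"CLIENT_DIR",
 &tmpdir))
 {
-GNUNET_log_config_missing (GNUNET_ERROR_TYPE_WARNING,
-"PATHS",
-"TALER_RUNTIME_DIR");
-tmpdir = GNUNET_strdup ("/tmp");
+GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+"taler-exchange-secmod-rsa",
+"CLIENT_DIR");
+return NULL;
 }
 GNUNET_asprintf (&template,
-"%s/crypto-rsa-client/cli",
+"%s/cli",
 tmpdir);
-GNUNET_free (tmpdir);
+/* We expect the service to create the client directory */
 if (GNUNET_OK !=
-GNUNET_DISK_directory_create_for_file (template))
+GNUNET_DISK_directory_test (tmpdir,
+GNUNET_YES))
 {
-GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR,
-"mkdir",
-template);
+GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+"Unable to read secmod client directory (%s)\n",
+tmpdir);
 GNUNET_free (dh);
 GNUNET_free (template);
+GNUNET_free (tmpdir);
 return NULL;
 }
+GNUNET_free (tmpdir);
 dh->template = template;
 if (strlen (template) >= sizeof (dh->sa.sun_path))
 {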
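Review bot: The new missing-configuration branch ends in a bare `return NULL;`, while the directory-test failure branch a few lines below frees `dh` and the parallel branch in crypto_helper_esign.c frees `esh` first, so this path appears to leak the handle. If `dh` is already allocated at this point (its allocation is above the hunk), add `GNUNET_free (dh);` before the return. The function continues past the end of the hunk.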
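--- a/src/util/crypto_helper_esign.c
+++ b/src/util/crypto_helper_esign.c
@@ -229,26 +229,33 @@ TALER_CRYPTO_helper_esign_connect (
 
 if (GNUNET_OK !=
 GNUNET_CONFIGURATION_get_value_filename (cfg,
-"PATHS",
-"TALER_RUNTIME_DIR",
+"taler-exchange-secmod-eddsa",
+"CLIENT_DIR",
 &tmpdir))
 {
-GNUNET_log_config_missing (GNUNET_ERROR_TYPE_WARNING,
-"PATHS",
-"TALER_RUNTIME_DIR");
-tmpdir = GNUNET_strdup ("/tmp");
+GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+"taler-exchange-secmod-eddsa",
+"CLIENT_DIR");
+GNUNET_free (esh);
+return NULL;
 }
 GNUNET_asprintf (&template,
-"%s/crypto-eddsa-client/cli",
+"%s/cli",
 tmpdir);
-GNUNET_free (tmpdir);
+/* We expect the service to create the client directory */
 if (GNUNET_OK !=
-GNUNET_DISK_directory_create_for_file (template))
+GNUNET_DISK_directory_test (tmpdir,
+GNUNET_YES))
 {
+GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+"Unable to read secmod client directory (%s)\n",
+tmpdir);
 GNUNET_free (esh);
 GNUNET_free (template);
+GNUNET_free (tmpdir);
 return NULL;
 }
+GNUNET_free (tmpdir);
 esh->template = template;
 if (strlen (template) >= sizeof (esh->sa.sun_path))
 {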
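Review bot: `GNUNET_DISK_directory_test (tmpdir, GNUNET_YES)` only establishes that the client directory exists and is readable, but the `%s/cli` path built from it ends up in `esh->sa.sun_path`, which suggests the client creates a socket there and needs write and search permission instead. A directory that passes this test can therefore still fail later with a less specific error; a check such as `0 != access (tmpdir, W_OK | X_OK)` would match what the client needs, with the log text changed to "Unable to write to secmod client directory". The same test was added in crypto_helper_denom.c. The function body continues outside the hunk.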
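--- a/src/util/taler-exchange-secmod-eddsa.c
+++ b/src/util/taler-exchange-secmod-eddsa.c
@@ -1522,6 +1522,45 @@ run (void *cls,
 return;
 }
 
+/* Create client directory and set permissions. */
+{
+char *client_dir;
+
+if (GNUNET_OK !=
+GNUNET_CONFIGURATION_get_value_filename (kcfg,
+"taler-exchange-secmod-eddsa",
+"CLIENT_DIR",
+&client_dir))
+{
+GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+"taler-exchange-secmod-eddsa",
+"CLIENT_DIR");
+global_ret = 3;
+return;
+}
+
+if (GNUNET_OK != GNUNET_DISK_directory_create (client_dir))
+{
+GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+"Can't create client directory (%s)\n",
+client_dir);
+global_ret = 3;
+return;
+}
+/* Set sticky group bit, so that clients will be writeable by the current service. */
+if (0 != chmod (client_dir,
+S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_ISGID))
+{
+GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+"Can't set permissions for client directory (%s)\n",
+client_dir);
+global_ret = 3;
+return;
+}
+
+GNUNET_free (client_dir);
+}
+
 if (GNUNET_OK !=
 GNUNET_CONFIGURATION_get_value_filename (kcfg,
 "taler-exchange-secmod-eddsa",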
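Review bot: The mode passed to `chmod` gives the group only `S_IRGRP | S_IXGRP`, so a client that reaches the directory through group membership can list it but cannot create its socket file in it; the set-group-ID bit only affects the group of files that do get created. If the exchange is meant to run under a different user than the secmod, the mask needs `S_IWGRP` as well; if both run as the same user, the comment should say so. The comment also calls `S_ISGID` the "sticky group bit", which is the set-group-ID bit (the sticky bit is `S_ISVTX`); `/* Set the set-group-ID bit so that client sockets inherit the directory's group. */` would be accurate. The identical block in taler-exchange-secmod-rsa.c has the same mask and comment.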
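--- a/src/util/taler-exchange-secmod-eddsa.conf
+++ b/src/util/taler-exchange-secmod-eddsa.conf
@@ -13,6 +13,9 @@ KEY_DIR = ${TALER_DATA_HOME}/crypto-eddsa/
 # Where does the helper listen for requests?
 UNIXPATH = $TALER_RUNTIME_DIR/taler-exchange-secmod-eddsa.sock
 
+# Directory for clients.
+CLIENT_DIR = $TALER_RUNTIME_DIR/secmod-eddsa-client
+
 # Where should the security module store it's private key?
 SM_PRIV_KEY = ${TALER_DATA_HOME}/taler-exchange-secmod-eddsa/.private-key
 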
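Review bot: The comment `# Directory for clients.` does not tell an operator who creates the directory or with which permissions, although the secmod now creates it at startup and changes its mode. Something like `# Directory in which clients of this secmod create their sockets. Created by the secmod at startup (owner rwx, group r-x, setgid).` would document that; the same applies to CLIENT_DIR in taler-exchange-secmod-rsa.conf.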
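--- a/src/util/taler-exchange-secmod-rsa.c
+++ b/src/util/taler-exchange-secmod-rsa.c
@@ -1896,6 +1896,45 @@ run (void *cls,
 return;
 }
 
+/* Create client directory and set permissions. */
+{
+char *client_dir;
+
+if (GNUNET_OK !=
+GNUNET_CONFIGURATION_get_value_filename (kcfg,
+"taler-exchange-secmod-rsa",
+"CLIENT_DIR",
+&client_dir))
+{
+GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+"taler-exchange-secmod-rsa",
+"CLIENT_DIR");
+global_ret = 3;
+return;
+}
+
+if (GNUNET_OK != GNUNET_DISK_directory_create (client_dir))
+{
+GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+"Can't create client directory (%s)\n",
+client_dir);
+global_ret = 3;
+return;
+}
+/* Set sticky group bit, so that clients will be writeable by the current service. */
+if (0 != chmod (client_dir,
+S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_ISGID))
+{
+GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+"Can't set permissions for client directory (%s)\n",
+client_dir);
+global_ret = 3;
+return;
+}
+
+GNUNET_free (client_dir);
+}
+
 if (GNUNET_OK !=
 GNUNET_CONFIGURATION_get_value_filename (kcfg,
 "taler-exchange-secmod-rsa",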
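Review bot: The `chmod` is applied to whatever already exists at CLIENT_DIR: `GNUNET_DISK_directory_create` presumably reports success for a directory that is already there, and `chmod` follows symbolic links, so nothing establishes that the service owns the directory it is about to rely on. A check before the `chmod`, for example `if ((0 != lstat (client_dir, &st)) || (! S_ISDIR (st.st_mode)) || (st.st_uid != geteuid ()))` with the same error handling, would make the service refuse a directory it did not create. The two error returns after the directory name was obtained also leave `client_dir` unfreed and log no `errno`. The block in taler-exchange-secmod-eddsa.c is identical, and `run` continues outside the hunk.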
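--- a/src/util/taler-exchange-secmod-rsa.conf
+++ b/src/util/taler-exchange-secmod-rsa.conf
@@ -13,8 +13,11 @@ KEY_DIR = ${TALER_DATA_HOME}/crypto-rsa/
 # Where does the helper listen for requests?
 UNIXPATH = $TALER_RUNTIME_DIR/taler-exchange-secmod-rsa.sock
 
+# Directory for clients.
+CLIENT_DIR = $TALER_RUNTIME_DIR/secmod-rsa-client
+
 # Where should the security module store it's private key?
 SM_PRIV_KEY = ${TALER_DATA_HOME}/taler-exchange-secmod-rsa/.private-key
 
 # For how long into the future do we pre-generate keys?
-LOOKAHEAD_SIGN = 1 year
\ No newline at end of file
+LOOKAHEAD_SIGN = 1 year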