authorFlorian Dold <florian@dold.me>2021-07-29 13:04:55 +0200
committerFlorian Dold <florian@dold.me>2021-07-29 13:04:55 +0200
commit036d4cb71ac1abe1990c936ee1f3b2cbf15d14c1 (patch)
tree5af2eb2adb5d6a71746b1781920cacc0ed30e5c6
parentdae09f1a43b58778b01f4bb436504ee2fe8f5357 (diff)
secmod: services create their own client dirs with correct permissions
-rw-r--r--src/util/crypto_helper_denom.c27
-rw-r--r--src/util/crypto_helper_esign.c25
-rw-r--r--src/util/taler-exchange-secmod-eddsa.c39
-rw-r--r--src/util/taler-exchange-secmod-eddsa.conf3
-rw-r--r--src/util/taler-exchange-secmod-rsa.c39
-rw-r--r--src/util/taler-exchange-secmod-rsa.conf5
6 files changed, 116 insertions, 22 deletions
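--- a/src/util/crypto_helper_denom.c
+++ b/src/util/crypto_helper_denom.c
@@ -228,29 +228,32 @@ TALER_CRYPTO_helper_denom_connect (
 
 if (GNUNET_OK !=
 GNUNET_CONFIGURATION_get_value_filename (cfg,
-"PATHS",
-"TALER_RUNTIME_DIR",
+"taler-exchange-secmod-rsa",
+"CLIENT_DIR",
 &tmpdir))
 {
-GNUNET_log_config_missing (GNUNET_ERROR_TYPE_WARNING,
-"PATHS",
-"TALER_RUNTIME_DIR");
-tmpdir = GNUNET_strdup ("/tmp");
+GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+"taler-exchange-secmod-rsa",
+"CLIENT_DIR");
+return NULL;
 }
 GNUNET_asprintf (&template,
-"%s/crypto-rsa-client/cli",
+"%s/cli",
 tmpdir);
-GNUNET_free (tmpdir);
+/* We expect the service to create the client directory */
 if (GNUNET_OK !=
-GNUNET_DISK_directory_create_for_file (template))
+GNUNET_DISK_directory_test (tmpdir,
+GNUNET_YES))
 {
-GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR,
-"mkdir",
-template);
+GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+"Unable to read secmod client directory (%s)\n",
+tmpdir);
 GNUNET_free (dh);
 GNUNET_free (template);
+GNUNET_free (tmpdir);
 return NULL;
 }
+GNUNET_free (tmpdir);
 dh->template = template;
 if (strlen (template) >= sizeof (dh->sa.sun_path))
 {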
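Review bot: The missing-config branch in TALER_CRYPTO_helper_denom_connect now ends in a bare `return NULL;` without releasing `dh`, whereas the directory-test failure branch a few lines below and the equivalent branch in crypto_helper_esign.c both free the handle first. The function starts outside this hunk, so the allocation is not visible here, but the later `GNUNET_free (dh);` suggests `dh` is already allocated at this point and is leaked whenever CLIENT_DIR is unset. Add `GNUNET_free (dh);` before that `return NULL;`.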
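--- a/src/util/crypto_helper_esign.c
+++ b/src/util/crypto_helper_esign.c
@@ -229,26 +229,33 @@ TALER_CRYPTO_helper_esign_connect (
 
 if (GNUNET_OK !=
 GNUNET_CONFIGURATION_get_value_filename (cfg,
-"PATHS",
-"TALER_RUNTIME_DIR",
+"taler-exchange-secmod-eddsa",
+"CLIENT_DIR",
 &tmpdir))
 {
-GNUNET_log_config_missing (GNUNET_ERROR_TYPE_WARNING,
-"PATHS",
-"TALER_RUNTIME_DIR");
-tmpdir = GNUNET_strdup ("/tmp");
+GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+"taler-exchange-secmod-eddsa",
+"CLIENT_DIR");
+GNUNET_free (esh);
+return NULL;
 }
 GNUNET_asprintf (&template,
-"%s/crypto-eddsa-client/cli",
+"%s/cli",
 tmpdir);
-GNUNET_free (tmpdir);
+/* We expect the service to create the client directory */
 if (GNUNET_OK !=
-GNUNET_DISK_directory_create_for_file (template))
+GNUNET_DISK_directory_test (tmpdir,
+GNUNET_YES))
 {
+GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+"Unable to read secmod client directory (%s)\n",
+tmpdir);
 GNUNET_free (esh);
 GNUNET_free (template);
+GNUNET_free (tmpdir);
 return NULL;
 }
+GNUNET_free (tmpdir);
 esh->template = template;
 if (strlen (template) >= sizeof (esh->sa.sun_path))
 {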
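Review bot: The new check compares `GNUNET_DISK_directory_test (tmpdir, GNUNET_YES)` against `GNUNET_OK`, but as far as I know that function is documented to answer yes/no/error rather than ok/error, so the comparison only works because the two constants share a value; `GNUNET_YES != GNUNET_DISK_directory_test (...)` would state the intent. The single log line also covers both "directory does not exist" (service not started yet) and "exists but is not readable by this user" (wrong group membership), which are different operator mistakes. A comment above the check such as `/* client must be able to read and search CLIENT_DIR; the secmod service creates it on startup */` would make the expected permission setup explicit. The same pattern is in crypto_helper_denom.c, and the function continues outside this hunk.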
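--- a/src/util/taler-exchange-secmod-eddsa.c
+++ b/src/util/taler-exchange-secmod-eddsa.c
@@ -1522,6 +1522,45 @@ run (void *cls,
 return;
 }
 
+/* Create client directory and set permissions. */
+{
+char *client_dir;
+
+if (GNUNET_OK !=
+GNUNET_CONFIGURATION_get_value_filename (kcfg,
+"taler-exchange-secmod-eddsa",
+"CLIENT_DIR",
+&client_dir))
+{
+GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+"taler-exchange-secmod-eddsa",
+"CLIENT_DIR");
+global_ret = 3;
+return;
+}
+
+if (GNUNET_OK != GNUNET_DISK_directory_create (client_dir))
+{
+GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+"Can't create client directory (%s)\n",
+client_dir);
+global_ret = 3;
+return;
+}
+/* Set sticky group bit, so that clients will be writeable by the current service. */
+if (0 != chmod (client_dir,
+S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_ISGID))
+{
+GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+"Can't set permissions for client directory (%s)\n",
+client_dir);
+global_ret = 3;
+return;
+}
+
+GNUNET_free (client_dir);
+}
+
 if (GNUNET_OK !=
 GNUNET_CONFIGURATION_get_value_filename (kcfg,
 "taler-exchange-secmod-eddsa",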
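Review bot: The comment above the `chmod` call names `S_ISGID` the "sticky group bit", but the mode passed is 02750, which is setgid (the sticky bit is `S_ISVTX`) with no `S_IWGRP`. With that mode a group member running under a different uid can read and search the directory but cannot create an entry in it, which looks at odds with the helpers' `%s/cli` socket template unless clients are expected to share the service's uid. The comment should say which is intended, e.g. `/* setgid: entries created here inherit the directory's group; group may read and search only */`, or `S_IWGRP` should be added if group members must create their sockets here. The mode is also applied only after `GNUNET_DISK_directory_create`, so the directory briefly exists with whatever permissions that call and the umask produce. The identical block is added to taler-exchange-secmod-rsa.c.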
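--- a/src/util/taler-exchange-secmod-eddsa.conf
+++ b/src/util/taler-exchange-secmod-eddsa.conf
@@ -13,6 +13,9 @@ KEY_DIR = ${TALER_DATA_HOME}/crypto-eddsa/
 # Where does the helper listen for requests?
 UNIXPATH = $TALER_RUNTIME_DIR/taler-exchange-secmod-eddsa.sock
 
+# Directory for clients.
+CLIENT_DIR = $TALER_RUNTIME_DIR/secmod-eddsa-client
+
 # Where should the security module store it's private key?
 SM_PRIV_KEY = ${TALER_DATA_HOME}/taler-exchange-secmod-eddsa/.private-key
 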
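--- a/src/util/taler-exchange-secmod-rsa.c
+++ b/src/util/taler-exchange-secmod-rsa.c
@@ -1896,6 +1896,45 @@ run (void *cls,
 return;
 }
 
+/* Create client directory and set permissions. */
+{
+char *client_dir;
+
+if (GNUNET_OK !=
+GNUNET_CONFIGURATION_get_value_filename (kcfg,
+"taler-exchange-secmod-rsa",
+"CLIENT_DIR",
+&client_dir))
+{
+GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+"taler-exchange-secmod-rsa",
+"CLIENT_DIR");
+global_ret = 3;
+return;
+}
+
+if (GNUNET_OK != GNUNET_DISK_directory_create (client_dir))
+{
+GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+"Can't create client directory (%s)\n",
+client_dir);
+global_ret = 3;
+return;
+}
+/* Set sticky group bit, so that clients will be writeable by the current service. */
+if (0 != chmod (client_dir,
+S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_ISGID))
+{
+GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+"Can't set permissions for client directory (%s)\n",
+client_dir);
+global_ret = 3;
+return;
+}
+
+GNUNET_free (client_dir);
+}
+
 if (GNUNET_OK !=
 GNUNET_CONFIGURATION_get_value_filename (kcfg,
 "taler-exchange-secmod-rsa",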
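Review bot: Both failure returns taken after `client_dir` has been obtained (the `GNUNET_DISK_directory_create` branch and the `chmod` branch) leave the string allocated, and the `chmod` message drops errno, so an operator cannot tell a directory owned by another user (EPERM) from a missing one. Consider `GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR, "chmod", client_dir);` followed by `GNUNET_free (client_dir);` before each `return;`. The same applies to the block added in taler-exchange-secmod-eddsa.c. `run` starts and ends outside this hunk.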
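--- a/src/util/taler-exchange-secmod-rsa.conf
+++ b/src/util/taler-exchange-secmod-rsa.conf
@@ -13,8 +13,11 @@ KEY_DIR = ${TALER_DATA_HOME}/crypto-rsa/
 # Where does the helper listen for requests?
 UNIXPATH = $TALER_RUNTIME_DIR/taler-exchange-secmod-rsa.sock
 
+# Directory for clients.
+CLIENT_DIR = $TALER_RUNTIME_DIR/secmod-rsa-client
+
 # Where should the security module store it's private key?
 SM_PRIV_KEY = ${TALER_DATA_HOME}/taler-exchange-secmod-rsa/.private-key
 
 # For how long into the future do we pre-generate keys?
-LOOKAHEAD_SIGN = 1 year
\ No newline at end of file
+LOOKAHEAD_SIGN = 1 year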