RT2547: Tighten perms on generated privkey files (3b061a00) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

CHANGES

+4 −0

Original line number	Original line	Diff line number	Diff line
	@@ -41,6 +41,10 @@
	code and the associated standard is no longer considered fit-for-purpose.		code and the associated standard is no longer considered fit-for-purpose.
	[Matt Caswell]		[Matt Caswell]

			*) RT2547 was closed. When generating a private key, try to make the
			output file readable only by the owner. This behavior change might
			be noticeable when interacting with other software.

	*) Added HTTP GET support to the ocsp command.		*) Added HTTP GET support to the ocsp command.
	[Rich Salz]		[Rich Salz]

apps/apps.c

+0 −1

Original line number	Original line	Diff line number	Diff line
	@@ -124,7 +124,6 @@
	#include <sys/types.h>		#include <sys/types.h>
	#include <ctype.h>		#include <ctype.h>
	#include <errno.h>		#include <errno.h>
	#include <assert.h>
	#include <openssl/err.h>		#include <openssl/err.h>
	#include <openssl/x509.h>		#include <openssl/x509.h>
	#include <openssl/x509v3.h>		#include <openssl/x509v3.h>

apps/apps.h

+2 −0

Original line number	Original line	Diff line number	Diff line
	@@ -113,6 +113,7 @@
	# define HEADER_APPS_H		# define HEADER_APPS_H

	# include "e_os.h"		# include "e_os.h"
			# include <assert.h>

	# include <openssl/bio.h>		# include <openssl/bio.h>
	# include <openssl/x509.h>		# include <openssl/x509.h>
	@@ -153,6 +154,7 @@ extern BIO *bio_out;
	extern BIO *bio_err;		extern BIO *bio_err;
	BIO *dup_bio_in(void);		BIO *dup_bio_in(void);
	BIO *dup_bio_out(void);		BIO *dup_bio_out(void);
			BIO bio_open_owner(const char filename, const char *mode, int private);
	BIO bio_open_default(const char filename, const char *mode);		BIO bio_open_default(const char filename, const char *mode);
	BIO bio_open_default_quiet(const char filename, const char *mode);		BIO bio_open_default_quiet(const char filename, const char *mode);
	CONF app_load_config(const char filename);		CONF app_load_config(const char filename);

apps/dsa.c

+20 −6

Original line number	Original line	Diff line number	Diff line
	@@ -114,6 +114,7 @@ int dsa_main(int argc, char **argv)
	OPTION_CHOICE o;		OPTION_CHOICE o;
	int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;		int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
	int i, modulus = 0, pubin = 0, pubout = 0, pvk_encr = 2, ret = 1;		int i, modulus = 0, pubin = 0, pubout = 0, pvk_encr = 2, ret = 1;
			int private = 0;

	prog = opt_init(argc, argv, dsa_options);		prog = opt_init(argc, argv, dsa_options);
	while ((o = opt_next()) != OPT_EOF) {		while ((o = opt_next()) != OPT_EOF) {
	@@ -192,6 +193,9 @@ int dsa_main(int argc, char **argv)
	}		}
	argc = opt_num_rest();		argc = opt_num_rest();
	argv = opt_rest();		argv = opt_rest();
			private = pubin \|\| pubout ? 0 : 1;
			if (text)
			private = 1;

	if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {		if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
	BIO_printf(bio_err, "Error getting passwords\n");		BIO_printf(bio_err, "Error getting passwords\n");
	@@ -221,16 +225,18 @@ int dsa_main(int argc, char **argv)
	goto end;		goto end;
	}		}

	out = bio_open_default(outfile, "w");		out = bio_open_owner(outfile, "w", private);
	if (out == NULL)		if (out == NULL)
	goto end;		goto end;

	if (text)		if (text) {
			assert(private);
	if (!DSA_print(out, dsa, 0)) {		if (!DSA_print(out, dsa, 0)) {
	perror(outfile);		perror(outfile);
	ERR_print_errors(bio_err);		ERR_print_errors(bio_err);
	goto end;		goto end;
	}		}
			}

	if (modulus) {		if (modulus) {
	BIO_printf(out, "Public Key=");		BIO_printf(out, "Public Key=");
	@@ -246,25 +252,33 @@ int dsa_main(int argc, char **argv)
	if (outformat == FORMAT_ASN1) {		if (outformat == FORMAT_ASN1) {
	if (pubin \|\| pubout)		if (pubin \|\| pubout)
	i = i2d_DSA_PUBKEY_bio(out, dsa);		i = i2d_DSA_PUBKEY_bio(out, dsa);
	else		else {
			assert(private);
	i = i2d_DSAPrivateKey_bio(out, dsa);		i = i2d_DSAPrivateKey_bio(out, dsa);
			}
	} else if (outformat == FORMAT_PEM) {		} else if (outformat == FORMAT_PEM) {
	if (pubin \|\| pubout)		if (pubin \|\| pubout)
	i = PEM_write_bio_DSA_PUBKEY(out, dsa);		i = PEM_write_bio_DSA_PUBKEY(out, dsa);
	else		else {
			assert(private);
	i = PEM_write_bio_DSAPrivateKey(out, dsa, enc,		i = PEM_write_bio_DSAPrivateKey(out, dsa, enc,
	NULL, 0, NULL, passout);		NULL, 0, NULL, passout);
			}
	# if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_RC4)		# if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_RC4)
	} else if (outformat == FORMAT_MSBLOB \|\| outformat == FORMAT_PVK) {		} else if (outformat == FORMAT_MSBLOB \|\| outformat == FORMAT_PVK) {
	EVP_PKEY *pk;		EVP_PKEY *pk;
	pk = EVP_PKEY_new();		pk = EVP_PKEY_new();
	EVP_PKEY_set1_DSA(pk, dsa);		EVP_PKEY_set1_DSA(pk, dsa);
	if (outformat == FORMAT_PVK)		if (outformat == FORMAT_PVK) {
			assert(private);
	i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);		i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
			}
	else if (pubin \|\| pubout)		else if (pubin \|\| pubout)
	i = i2b_PublicKey_bio(out, pk);		i = i2b_PublicKey_bio(out, pk);
	else		else {
			assert(private);
	i = i2b_PrivateKey_bio(out, pk);		i = i2b_PrivateKey_bio(out, pk);
			}
	EVP_PKEY_free(pk);		EVP_PKEY_free(pk);
	# endif		# endif
	} else {		} else {

apps/dsaparam.c

+5 −5

Original line number	Original line	Diff line number	Diff line
	@@ -58,7 +58,6 @@
	#include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */		#include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */

	#ifndef OPENSSL_NO_DSA		#ifndef OPENSSL_NO_DSA
	# include <assert.h>
	# include <stdio.h>		# include <stdio.h>
	# include <stdlib.h>		# include <stdlib.h>
	# include <time.h>		# include <time.h>
	@@ -118,9 +117,8 @@ int dsaparam_main(int argc, char **argv)
	BIO in = NULL, out = NULL;		BIO in = NULL, out = NULL;
	BN_GENCB *cb = NULL;		BN_GENCB *cb = NULL;
	int numbits = -1, num = 0, genkey = 0, need_rand = 0, non_fips_allow = 0;		int numbits = -1, num = 0, genkey = 0, need_rand = 0, non_fips_allow = 0;
	int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0, ret =		int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0;
	1;		int ret = 1, i, text = 0, private = 0;
	int i, text = 0;
	# ifdef GENCB_TEST		# ifdef GENCB_TEST
	int timebomb = 0;		int timebomb = 0;
	# endif		# endif
	@@ -195,11 +193,12 @@ int dsaparam_main(int argc, char **argv)
	numbits = num;		numbits = num;
	need_rand = 1;		need_rand = 1;
	}		}
			private = genkey ? 1 : 0;

	in = bio_open_default(infile, "r");		in = bio_open_default(infile, "r");
	if (in == NULL)		if (in == NULL)
	goto end;		goto end;
	out = bio_open_default(outfile, "w");		out = bio_open_owner(outfile, "w", private);
	if (out == NULL)		if (out == NULL)
	goto end;		goto end;

	@@ -320,6 +319,7 @@ int dsaparam_main(int argc, char **argv)
	DSA_free(dsakey);		DSA_free(dsakey);
	goto end;		goto end;
	}		}
			assert(private);
	if (outformat == FORMAT_ASN1)		if (outformat == FORMAT_ASN1)
	i = i2d_DSAPrivateKey_bio(out, dsakey);		i = i2d_DSAPrivateKey_bio(out, dsakey);
	else		else

Admin message