@@ -0,0 +1,73 @@
|
|
|
+Subject: Fix race condition when creating/rotating keys (#123)
|
|
|
+Origin: v13-3-g8dbbed1 <https://github.com/latchset/tang/commit/v13-3-g8dbbed1>
|
|
|
+Upstream-Author: Sergio Correia <scorreia@redhat.com>
|
|
|
+Date: Wed Jun 14 10:53:20 2023 -0300
|
|
|
+
|
|
|
+ When we create/rotate keys using either the tangd-keygen and
|
|
|
+ tangd-rotate-keys helpers, there is a small window between the
|
|
|
+ keys being created and then the proper ownership permissions being
|
|
|
+ set. This also happens when there are no keys and tang creates a
|
|
|
+ pair of keys itself.
|
|
|
+
|
|
|
+ In certain situations, such as the keys directory having wide open
|
|
|
+ permissions, a user with local access could exploit this race
|
|
|
+ condition and read the keys before they are set to more restrictive
|
|
|
+ permissions.
|
|
|
+
|
|
|
+ To prevent this issue, we now set the default umask to 0337 before
|
|
|
+ creating the files, so that they are already created with restrictive
|
|
|
+ permissions; afterwards, we set the proper ownership as usual.
|
|
|
+
|
|
|
+ Issue reported by Brian McDermott of CENSUS labs.
|
|
|
+
|
|
|
+ Fixes CVE-2023-1672
|
|
|
+
|
|
|
+
|
|
|
+ Reviewed-by: Sergio Arroutbi <sarroutb@redhat.com>
|
|
|
+ Signed-off-by: Sergio Correia <scorreia@redhat.com>
|
|
|
+
|
|
|
+--- a/src/keys.c
|
|
|
++++ b/src/keys.c
|
|
|
+@@ -17,6 +17,7 @@
|
|
|
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
+ */
|
|
|
+
|
|
|
++#include <sys/stat.h>
|
|
|
+ #include <stdlib.h>
|
|
|
+ #include <string.h>
|
|
|
+ #include <dirent.h>
|
|
|
+@@ -304,6 +305,9 @@
|
|
|
+ const char** hashes = supported_hashes();
|
|
|
+ const char* alg[] = {"ES512", "ECMR", NULL};
|
|
|
+ char path[PATH_MAX];
|
|
|
++
|
|
|
++ /* Set default umask for file creation. */
|
|
|
++ umask(0337);
|
|
|
+ for (int i = 0; alg[i] != NULL; i++) {
|
|
|
+ json_auto_t* jwk = jwk_generate(alg[i]);
|
|
|
+ if (!jwk) {
|
|
|
+--- a/src/tangd-keygen
|
|
|
++++ b/src/tangd-keygen
|
|
|
+@@ -27,6 +27,9 @@
|
|
|
+
|
|
|
+ [ $# -eq 3 ] && sig=$2 && exc=$3
|
|
|
+
|
|
|
++# Set default umask for file creation.
|
|
|
++umask 0337
|
|
|
++
|
|
|
+ jwe=`jose jwk gen -i '{"alg":"ES512"}'`
|
|
|
+ [ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-`
|
|
|
+ echo "$jwe" > $1/$sig.jwk
|
|
|
+--- a/src/tangd-rotate-keys
|
|
|
++++ b/src/tangd-rotate-keys
|
|
|
+@@ -72,6 +72,10 @@
|
|
|
+
|
|
|
+ # Create a new set of keys.
|
|
|
+ DEFAULT_THP_HASH="S256"
|
|
|
++
|
|
|
++ # Set default umask for file creation.
|
|
|
++ umask 0337
|
|
|
++
|
|
|
+ for alg in "ES512" "ECMR"; do
|
|
|
+ json="$(printf '{"alg": "%s"}' "${alg}")"
|
|
|
+ jwe="$(jose jwk gen --input "${json}")"
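Review bot: `umask(0337)` in the src/keys.c hunk discards the mask it replaces and never restores it, so the restrictive mask stays in effect for the whole process for every later file or directory creation (a directory created under it gets 0440, i.e. no search bit); the enclosing function starts and ends outside the hunk, so whether anything else is created afterwards cannot be seen here. Capturing and restoring it keeps the fix local to the key files: `mode_t saved_umask = umask(0337);` before the loop and `umask(saved_umask);` once the key files have been written. The same pattern applies to the `umask 0337` lines added in tangd-keygen and tangd-rotate-keys, though in a short-lived helper script the process-wide effect matters less. The comment would also be more useful if it recorded the resulting mode rather than restating the call, e.g. `/* 0337: key files are created 0440 at most, so there is no window before ownership/permissions are fixed up. */`.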