git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
tang
1
0
Fork 0
Files
Tree: d2826dace1
Branches Tags
tang
/
debian
/
patches
/
bookworm
/
1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch

1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch 2.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566 
  1. Subject: Fix race condition when creating/rotating keys (#123)
    2. 

  2. Origin: v13-3-g8dbbed1 <https://github.com/latchset/tang/commit/v13-3-g8dbbed1>
    3. 

  3. Upstream-Author: Sergio Correia <scorreia@redhat.com>
    4. 

  4. Date: Wed Jun 14 10:53:20 2023 -0300
    5. 

  5. 

  6.     When we create/rotate keys using either the tangd-keygen and
    7. 

  7.     tangd-rotate-keys helpers, there is a small window between the
    8. 

  8.     keys being created and then the proper ownership permissions being
    9. 

  9.     set. This also happens when there are no keys and tang creates a
    10. 

  10.     pair of keys itself.
    11. 

  11. 

  12.     In certain situations, such as the keys directory having wide open
    13. 

  13.     permissions, a user with local access could exploit this race
    14. 

  14.     condition and read the keys before they are set to more restrictive
    15. 

  15.     permissions.
    16. 

  16. 

  17.     To prevent this issue, we now set the default umask to 0337 before
    18. 

  18.     creating the files, so that they are already created with restrictive
    19. 

  19.     permissions; afterwards, we set the proper ownership as usual.
    20. 

  20. 

  21.     Issue reported by Brian McDermott of CENSUS labs.
    22. 

  22. 

  23.     Fixes CVE-2023-1672
    24. 

  24. 

  25. 

  26.     Reviewed-by: Sergio Arroutbi <sarroutb@redhat.com>
    27. 

  27.     Signed-off-by: Sergio Correia <scorreia@redhat.com>
    28. 

  28. 

  29. --- a/src/keys.c
    30. 

  30. +++ b/src/keys.c
    31. 

  31. @@ -307,6 +307,9 @@
    32. 

  32.  {
    33. 

  33.      const char* alg[] = {"ES512", "ECMR", NULL};
    34. 

  34.      char path[PATH_MAX];
    35. 

  35. +
    36. 

  36. +    /* Set default umask for file creation. */
    37. 

  37. +    umask(0337);
    38. 

  38.      for (int i = 0; alg[i] != NULL; i++) {
    39. 

  39.          json_auto_t* jwk = jwk_generate(alg[i]);
    40. 

  40.          if (!jwk) {
    41. 

  41. --- a/src/tangd-keygen.in
    42. 

  42. +++ b/src/tangd-keygen.in
    43. 

  43. @@ -38,6 +38,10 @@
    44. 

  44.  [ $# -eq 3 ] && sig=$2 && exc=$3
    45. 

  45.  
    46. 

  46.  THP_DEFAULT_HASH=S256     # SHA-256.
    47. 

  47. +
    48. 

  48. +# Set default umask for file creation.
    49. 

  49. +umask 0337
    50. 

  50. +
    51. 

  51.  jwe=$(jose jwk gen -i '{"alg":"ES512"}')
    52. 

  52.  [ -z "$sig" ] && sig=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
    53. 

  53.  echo "$jwe" > "$1/$sig.jwk"
    54. 

  54. --- a/src/tangd-rotate-keys.in
    55. 

  55. +++ b/src/tangd-rotate-keys.in
    56. 

  56. @@ -79,6 +79,10 @@
    57. 

  57.  
    58. 

  58.      # Create a new set of keys.
    59. 

  59.      DEFAULT_THP_HASH="S256"
    60. 

  60. +
    61. 

  61. +    # Set default umask for file creation.
    62. 

  62. +    umask 0337
    63. 

  63. +
    64. 

  64.      for alg in "ES512" "ECMR"; do
    65. 

  65.          json="$(printf '{"alg": "%s"}' "${alg}")"
    66. 

  66.          jwe="$(jose jwk gen --input "${json}")"
    67.