Simpler checking of permissions on private RSA key and other fixes.

[tinc] / src / net_setup.c
diff --git a/src/net_setup.c b/src/net_setup.c

index 6f7f70a..c7c1250 100644 (file)
--- a/src/net_setup.c
+++ b/src/net_setup.c
@@ -17,7 +17,7 @@
      along with this program; if not, write to the Free Software
      Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  
-    $Id: net_setup.c,v 1.1.2.39 2003/07/23 22:17:31 guus Exp $
+    $Id: net_setup.c,v 1.1.2.42 2003/08/08 22:11:54 guus Exp $
  */
  
  #include "system.h"
@@ -149,6 +149,7 @@ bool read_rsa_private_key(void)
  {
         FILE *fp;
         char *fname, *key;
+       struct stat s;
  
         cp();
  
@@ -164,32 +165,39 @@ bool read_rsa_private_key(void)
         if(!get_config_string(lookup_config(config_tree, "PrivateKeyFile"), &fname))
                 asprintf(&fname, "%s/rsa_key.priv", confbase);
  
-       if(is_safe_path(fname)) {
-               fp = fopen(fname, "r");
+       fp = fopen(fname, "r");
  
-               if(!fp) {
-                       logger(LOG_ERR, _("Error reading RSA private key file `%s': %s"),
-                                  fname, strerror(errno));
-                       free(fname);
-                       return false;
-               }
+       if(!fp) {
+               logger(LOG_ERR, _("Error reading RSA private key file `%s': %s"),
+                          fname, strerror(errno));
+               free(fname);
+               return false;
+       }
  
+#if !defined(HAVE_MINGW) && !defined(HAVE_CYGWIN)
+       if(fstat(fileno(fp), &s)) {
+               logger(LOG_ERR, _("Could not stat RSA private key file `%s': %s'"),
+                               fname, strerror(errno));
                 free(fname);
-               myself->connection->rsa_key =
-                       PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
-               fclose(fp);
+               return false;
+       }
  
-               if(!myself->connection->rsa_key) {
-                       logger(LOG_ERR, _("Reading RSA private key file `%s' failed: %s"),
-                                  fname, strerror(errno));
-                       return false;
-               }
+       if(s.st_mode & ~0700)
+               logger(LOG_WARNING, _("Warning: insecure file permissions for RSA private key file `%s'!"), fname);
+#endif
  
-               return true;
+       myself->connection->rsa_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
+       fclose(fp);
+
+       if(!myself->connection->rsa_key) {
+               logger(LOG_ERR, _("Reading RSA private key file `%s' failed: %s"),
+                          fname, strerror(errno));
+               free(fname);
+               return false;
         }
  
         free(fname);
-       return false;
+       return true;
  }
  
  /*
@@ -202,7 +210,7 @@ bool setup_myself(void)
         char *name, *hostname, *mode, *afname, *cipher, *digest;
         char *address = NULL;
         char *envp[5];
-       struct addrinfo hint, *ai, *aip;
+       struct addrinfo *ai, *aip, hint = {0};
         bool choice;
         int i, err;
  
@@ -444,8 +452,6 @@ bool setup_myself(void)
  
         /* Open sockets */
  
-       memset(&hint, 0, sizeof(hint));
-
         get_config_string(lookup_config(config_tree, "BindToAddress"), &address);
  
         hint.ai_family = addressfamily;