*/
#include "includes.h"
+#include "system/filesys.h"
#include "lib/events/events.h"
#include "lib/socket/socket.h"
#include "lib/tls/tls.h"
{
struct tls_params *params;
int ret;
+ struct stat st;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
const char *keyfile = lpcfg_tls_keyfile(tmp_ctx, lp_ctx);
const char *certfile = lpcfg_tls_certfile(tmp_ctx, lp_ctx);
talloc_free(hostname);
}
+ if (file_exist(keyfile) &&
+ !file_check_permissions(keyfile, geteuid(), 0600, &st))
+ {
+ DEBUG(0, ("Invalid permissions on TLS private key file '%s':\n"
+ "owner uid %u should be %u, mode 0%o should be 0%o\n"
+ "This is known as CVE-2013-4476.\n"
+ "Removing all tls .pem files will cause an "
+ "auto-regeneration with the correct permissions.\n",
+ keyfile,
+ (unsigned int)st.st_uid, geteuid(),
+ (unsigned int)(st.st_mode & 0777), 0600));
+ talloc_free(tmp_ctx);
+ return NULL;
+ }
+
ret = gnutls_global_init();
if (ret < 0) goto init_failed;
#include "includes.h"
#include "system/network.h"
+#include "system/filesys.h"
#include "../util/tevent_unix.h"
#include "../lib/tsocket/tsocket.h"
#include "../lib/tsocket/tsocket_internal.h"
struct tstream_tls_params *tlsp;
#if ENABLE_GNUTLS
int ret;
+ struct stat st;
if (!enabled || key_file == NULL || *key_file == 0) {
tlsp = talloc_zero(mem_ctx, struct tstream_tls_params);
key_file, cert_file, ca_file);
}
+ if (file_exist(key_file) &&
+ !file_check_permissions(key_file, geteuid(), 0600, &st))
+ {
+ DEBUG(0, ("Invalid permissions on TLS private key file '%s':\n"
+ "owner uid %u should be %u, mode 0%o should be 0%o\n"
+ "This is known as CVE-2013-4476.\n"
+ "Removing all tls .pem files will cause an "
+ "auto-regeneration with the correct permissions.\n",
+ key_file,
+ (unsigned int)st.st_uid, geteuid(),
+ (unsigned int)(st.st_mode & 0777), 0600));
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
ret = gnutls_certificate_allocate_credentials(&tlsp->x509_cred);
if (ret != GNUTLS_E_SUCCESS) {
DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));