px5g-wolfssl: Fix permission of private key

Store the private key with read and write permission for the user only
and not with read permissions for everyone. This converts the
write_file() function from fopen() to open() because open allows to
specify the permission mask of the newly created file. It also adds and
fixes some existing error handling.

OpenSSL does this in the same way already.

With this change it looks like this:
root@OpenWrt:/# ls -al /etc/uhttpd.*
-rw-r--r--    1 root     root           749 Nov  6 23:14 /etc/uhttpd.crt
-rw-------    1 root     root           121 Nov  6 23:14 /etc/uhttpd.key

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This commit is contained in:
Hauke Mehrtens 2023-11-07 00:33:38 +01:00
parent 929c9a58c9
commit 6aad5ab099
2 changed files with 30 additions and 17 deletions

View File

@ -5,7 +5,7 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=px5g-wolfssl PKG_NAME:=px5g-wolfssl
PKG_RELEASE:=8.2 PKG_RELEASE:=9
PKG_LICENSE:=GPL-2.0-or-later PKG_LICENSE:=GPL-2.0-or-later
PKG_BUILD_FLAGS:=no-mips16 PKG_BUILD_FLAGS:=no-mips16

View File

@ -7,6 +7,8 @@
#include <stdint.h> #include <stdint.h>
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <wolfssl/options.h> #include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/asn.h> #include <wolfssl/wolfcrypt/asn.h>
#include <wolfssl/wolfcrypt/asn_public.h> #include <wolfssl/wolfcrypt/asn_public.h>
@ -24,27 +26,38 @@ enum {
RSA_KEY_TYPE = 1, RSA_KEY_TYPE = 1,
}; };
int write_file(byte *buf, int bufSz, char *path) { int write_file(byte *buf, int bufSz, char *path, bool cert) {
int ret; mode_t mode = S_IRUSR | S_IWUSR;
FILE *file; ssize_t written;
int err;
int fd;
if (cert)
mode |= S_IRGRP | S_IROTH;
if (path) { if (path) {
file = fopen(path, "wb"); fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
if (file == NULL) { if (fd < 0) {
perror("Error opening file"); perror("Error opening file");
exit(1); exit(1);
} }
} else { } else {
file = stdout; fd = STDERR_FILENO;
}
written = write(fd, buf, bufSz);
if (written != bufSz) {
perror("Error write file");
exit(1);
}
err = fsync(fd);
if (err < 0) {
perror("Error fsync file");
exit(1);
} }
ret = (int)fwrite(buf, 1, bufSz, file);
if (path) { if (path) {
fclose(file); close(fd);
} }
if (ret > 0) { return 0;
/* ret > 0 indicates a successful file write, set to zero for return */
ret = 0;
}
return ret;
} }
int write_key(ecc_key *ecKey, RsaKey *rsaKey, int type, int keySz, char *fName, int write_key(ecc_key *ecKey, RsaKey *rsaKey, int type, int keySz, char *fName,
@ -73,9 +86,9 @@ int write_key(ecc_key *ecKey, RsaKey *rsaKey, int type, int keySz, char *fName,
fprintf(stderr, "DER to PEM failed: %d\n", ret); fprintf(stderr, "DER to PEM failed: %d\n", ret);
} }
pemSz = ret; pemSz = ret;
ret = write_file(pem, pemSz, fName); ret = write_file(pem, pemSz, fName, false);
} else { } else {
ret = write_file(der, derSz, fName); ret = write_file(der, derSz, fName, false);
} }
return ret; return ret;
} }
@ -281,7 +294,7 @@ int selfsigned(WC_RNG *rng, char **arg) {
} }
pemSz = ret; pemSz = ret;
ret = write_file(pemBuf, pemSz, certpath); ret = write_file(pemBuf, pemSz, certpath, true);
if (ret != 0) { if (ret != 0) {
fprintf(stderr, "Write Cert failed: %d\n", ret); fprintf(stderr, "Write Cert failed: %d\n", ret);
return ret; return ret;