Re-gen rabbitproxy key if its perms are bad

Make sure nothing has played with our keyfile permissions.
The old (9.10) VB script that generated the key left it world-readable,
and it's also possible someone could mess up the perms.
This change checks the perms, and if they're wrong, regenerates
the cert & key.

diff --git a/open-vm-tools/guestproxycerttool/cert_key.h b/open-vm-tools/guestproxycerttool/cert_key.h
index 8b70bdea8c254c6d71e514e4dfebeb3eaa51dda9..771a9457c7df9f6cc6d03c58a032e59ca384f576 100644 (file)
--- a/open-vm-tools/guestproxycerttool/cert_key.h
+++ b/open-vm-tools/guestproxycerttool/cert_key.h
@@ -1,5 +1,5 @@
 /*********************************************************
- * Copyright (C) 2014-2016 VMware, Inc. All rights reserved.
+ * Copyright (C) 2014-2017 VMware, Inc. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Lesser General Public License as published
@@ -44,4 +44,9 @@ WritePemFile(EVP_PKEY *pkey,                     // IN
 
 gchar *
 GetSSLError(gchar **errorStr);                   // OUT
+
+#ifdef _WIN32
+gboolean
+CheckKeyFile(const gchar *keyFile);
+#endif
 #endif // #ifndef _CERT_KEY_H_

diff --git a/open-vm-tools/guestproxycerttool/cert_tool.c b/open-vm-tools/guestproxycerttool/cert_tool.c
index a50783922f3cd0d29123db8869443c4118a4ce20..a09894cd37ea51fa81d98ea253f2ee969d19e59b 100644 (file)
--- a/open-vm-tools/guestproxycerttool/cert_tool.c
+++ b/open-vm-tools/guestproxycerttool/cert_tool.c
@@ -1,5 +1,5 @@
 /*********************************************************
- * Copyright (C) 2014-2016 VMware, Inc. All rights reserved.
+ * Copyright (C) 2014-2017 VMware, Inc. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Lesser General Public License as published
@@ -640,6 +640,26 @@ main(int argc, char **argv)
 
    InitProxyPaths(CertUtil_GetToolDir());
 
+#ifdef _WIN32
+   /*
+    * The old VB script created the key with bad perms; regenerate if we
+    * find it looks bad.
+    */
+   {
+      gchar *keyFilename = g_build_filename(guestProxyServerDir,
+                                            "key.pem", NULL);
+
+      if (g_file_test(keyFilename, G_FILE_TEST_EXISTS)) {
+         if (!CheckKeyFile(keyFilename)) {
+            printf("Warning!  Insecure keyfile (%s) found,"
+                  " regenerating key and cert.\n", keyFilename);
+            options.force = TRUE;
+         }
+      }
+      g_free(keyFilename);
+   }
+#endif
+
    if ((options.generateCert && !CreateKeyCert(options.force)) ||
        (options.displayCert && !DisplayServerCert(options.outputCert)) ||
        (options.addCert && !AddTrustCert(options.addCert)) ||