From: Oliver Kurth <okurth@vmware.com>
Date: Fri, 15 Sep 2017 18:23:52 +0000 (-0700)
Subject: Re-gen rabbitproxy key if its perms are bad
X-Git-Tag: stable-10.2.0~86
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7e5f9a8025926b56e77d63f11cff70b606dfd0be;p=thirdparty%2Fopen-vm-tools.git

Re-gen rabbitproxy key if its perms are bad

Make sure nothing has played with our keyfile permissions.
The old (9.10) VB script that generated the key left it world-readable,
and it's also possible someone could mess up the perms.
This change checks the perms, and if they're wrong, regenerates
the cert & key.
---

diff --git a/open-vm-tools/guestproxycerttool/cert_key.h b/open-vm-tools/guestproxycerttool/cert_key.h
index 8b70bdea8..771a9457c 100644
--- a/open-vm-tools/guestproxycerttool/cert_key.h
+++ b/open-vm-tools/guestproxycerttool/cert_key.h
@@ -1,5 +1,5 @@
 /*********************************************************
- * Copyright (C) 2014-2016 VMware, Inc. All rights reserved.
+ * Copyright (C) 2014-2017 VMware, Inc. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Lesser General Public License as published
@@ -44,4 +44,9 @@ WritePemFile(EVP_PKEY *pkey,                     // IN
 
 gchar *
 GetSSLError(gchar **errorStr);                   // OUT
+
+#ifdef _WIN32
+gboolean
+CheckKeyFile(const gchar *keyFile);
+#endif
 #endif // #ifndef _CERT_KEY_H_
diff --git a/open-vm-tools/guestproxycerttool/cert_tool.c b/open-vm-tools/guestproxycerttool/cert_tool.c
index a50783922..a09894cd3 100644
--- a/open-vm-tools/guestproxycerttool/cert_tool.c
+++ b/open-vm-tools/guestproxycerttool/cert_tool.c
@@ -1,5 +1,5 @@
 /*********************************************************
- * Copyright (C) 2014-2016 VMware, Inc. All rights reserved.
+ * Copyright (C) 2014-2017 VMware, Inc. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU Lesser General Public License as published
@@ -640,6 +640,26 @@ main(int argc, char **argv)
 
    InitProxyPaths(CertUtil_GetToolDir());
 
+#ifdef _WIN32
+   /*
+    * The old VB script created the key with bad perms; regenerate if we
+    * find it looks bad.
+    */
+   {
+      gchar *keyFilename = g_build_filename(guestProxyServerDir,
+                                            "key.pem", NULL);
+
+      if (g_file_test(keyFilename, G_FILE_TEST_EXISTS)) {
+         if (!CheckKeyFile(keyFilename)) {
+            printf("Warning!  Insecure keyfile (%s) found,"
+                  " regenerating key and cert.\n", keyFilename);
+            options.force = TRUE;
+         }
+      }
+      g_free(keyFilename);
+   }
+#endif
+
    if ((options.generateCert && !CreateKeyCert(options.force)) ||
        (options.displayCert && !DisplayServerCert(options.outputCert)) ||
        (options.addCert && !AddTrustCert(options.addCert)) ||