From 2298d3964f1ce32d35bb7585e4fa224c5bf2c8d4 Mon Sep 17 00:00:00 2001
From: Ingo Franzki
Date: Wed, 26 Jul 2023 15:19:55 +0200
Subject: [PATCH] provider: Default debug directory to /tmp but make it configurable
The IBMCA provider debug logs were written to the /var/log/ibmca/ directory, but this required that directory to be world-writable, because we don't know under which user an application runs that uses the provider. A world-writable directory under /var has security implications and should be avoided. Change the default log directory to /tmp which is world-writable anyway. Additionally the log directory can now be configured via the 'debug-path' option in the IBMCA provider section of the OpenSSL config file, or via environment variable 'IBMCA_DEBUG_PATH'.
Closes: https://github.com/opencryptoki/openssl-ibmca/issues/107
Signed-off-by: Ingo Franzki
---
configure.ac | 2 +-
src/provider/Makefile.am | 4 ---
src/provider/doc/ibmca-provider.man | 38 +++++++++++++++++++++++------
src/provider/p_ibmca.c | 25 ++++++++++++++++++-
src/provider/p_ibmca.h | 3 +++
test/provider/openssl-test.cnf | 1 +
6 files changed, 59 insertions(+), 14 deletions(-)
diff --git a/configure.ac b/configure.ac
index cea8ce8f..57b32050 100644
--- a/configure.ac
+++ b/configure.ac
@@ -10,7 +10,7 @@ AM_INIT_AUTOMAKE([foreign])
AC_PATH_PROG([CHMOD], [chmod], [/bin/chmod])
-logdir=$localstatedir/log/ibmca
+logdir=/tmp
AC_SUBST(logdir)
# Cmdline arguments.
diff --git a/src/provider/Makefile.am b/src/provider/Makefile.am
index da45a52e..f2d1d50b 100644
--- a/src/provider/Makefile.am
+++ b/src/provider/Makefile.am
@@ -25,7 +25,3 @@ ACLOCAL_AMFLAGS = -I m4
SUBDIRS = doc
noinst_SCRIPTS = ibmca-provider-opensslconfig
-
-install-data-hook:
- $(MKDIR_P) $(DESTDIR)$(logdir)
- $(CHMOD) 0777 $(DESTDIR)$(logdir)
diff --git a/src/provider/doc/ibmca-provider.man b/src/provider/doc/ibmca-provider.man
index 52350e47..846d6070 100644
--- a/src/provider/doc/ibmca-provider.man
+++ b/src/provider/doc/ibmca-provider.man
@@ -94,13 +94,25 @@ provider if you are on an IBM z15 or later. This would actually make it slower.
.IP "debug = yes | no | stderr"
.RS
Enables debug output for the IBMCA provider. If this option is not specified,
-no debuging output is produced. If \fBdebug = stderr\fP is specified,
+no debugging output is produced. If \fBdebug = stderr\fP is specified,
debugging messages are printed to stderr. Otherwise the debug output is written
-into a trace file in \fB[/usr/local]/var/log/ibmca/trace-.\fP,
-where is the name of the IBMCA provider from the identity
-option, and is the process ID of the current process. You can also
-enable debugging by setting the environment variable \fBIBMCA_DEBUG\fP to
-\fBon\fP or \fBstderr\fP.
+into a trace file in \fB/trace-.\fP,
+where is the path name of a directory to where the debug files are
+written (default: \fB/tmp\fP), is the name of the IBMCA provider
+from the identity option, and is the process ID of the current process.
+You can also enable debugging by setting the environment variable
+\fBIBMCA_DEBUG\fP to \fBon\fP or \fBstderr\fP.
+.RE
+.PP
+.IP "debug-path = /dir/to/debug/directory"
+.RS
+Sets the directory path to where debug files are written when debug is enabled
+via \fBdebug = yes\fP or via environment variable \fBIBMCA_DEBUG=on\fP.
+You can also set the debug path by setting the environment variable
+\fBIBMCA_DEBUG_PATH\fP to the directory path. It must be ensured that the user
+under which the application that uses the IBMCA provider runs has write access
+to that directory. If this option is not specified, the default debug path is
+\fB/tmp\fP.
.RE
.PP
.IP "fips = yes | no"
@@ -153,8 +165,18 @@ If
.B $IBMCA_DEBUG
is set to \fBstderr\fP debug output to stderr for the IBMCA provider is enabled. If it is set to \fBon\fP the debug output is written into a trace file in
-\fB[/usr/local]/var/log/ibmca/trace-.\fP, where is
-the process ID of the current process.
+\fB/trace-.\fP, where is the path
+name of a directory to where the debug files are written (default: \fB/tmp\fP),
+ is the name of the IBMCA provider from the identity option,
+and is the process ID of the current process.
+.PP
+.TP
+.BR IBMCA_DEBUG_PATH
+Sets the directory path to where debug files are written when debug is enabled
+via \fBdebug = yes\fP configuration option or via environment variable
+\fBIBMCA_DEBUG=on\fP. It must be ensured that the user under which the
+application that uses the IBMCA provider runs has write access to that
+directory.
.PP
.SH SEE ALSO
.B provider(1)
diff --git a/src/provider/p_ibmca.c b/src/provider/p_ibmca.c
index 80f03685..ffb9b5dd 100644
--- a/src/provider/p_ibmca.c
+++ b/src/provider/p_ibmca.c
@@ -19,6 +19,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -58,6 +59,8 @@ struct ibmca_config_item {
static int ibmca_config_debug(struct ibmca_prov_ctx *provctx,
const char *key, const char *value);
+static int ibmca_config_debug_path(struct ibmca_prov_ctx *provctx,
+ const char *key, const char *value);
static int ibmca_config_fips(struct ibmca_prov_ctx *provctx,
const char *key, const char *value);
static int ibmca_config_algorithms(struct ibmca_prov_ctx *provctx,
@@ -70,6 +73,7 @@ static int ibmca_config_openssl_version(struct ibmca_prov_ctx *provctx,
const char *key, const char *value);
static const struct ibmca_config_item config_items[] = {
+ { IBMCA_CONF_DEBUG_PATH, ibmca_config_debug_path },
{ IBMCA_CONF_DEBUG, ibmca_config_debug },
{ IBMCA_CONF_FIPS, ibmca_config_fips },
{ IBMCA_CONF_ALGORITHMS, ibmca_config_algorithms },
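Review bot: The new `{ IBMCA_CONF_DEBUG_PATH, ibmca_config_debug_path }` entry is placed ahead of `IBMCA_CONF_DEBUG` in config_items[], which only guarantees the directory is known before ibmca_config_debug builds the trace-file name if the table order, rather than the order of keys in the config file, drives parsing; the parsing loop is outside the hunk. If the config-file order governs, a `debug = yes` line that precedes `debug-path` would format the file name with IBMCA_LOGDIR and the configured path would be silently ignored. Either way the ordering constraint deserves a comment on the table, e.g. `/* debug-path must be handled before debug: ibmca_config_debug builds the trace file name */`, and if order does matter the man page should say that debug-path has to come first.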
@@ -881,7 +885,9 @@ static int ibmca_config_debug(struct ibmca_prov_ctx *provctx,
*p = '_';
if (snprintf(debug_file, sizeof(debug_file), "%s/trace-%s.%d",
- IBMCA_LOGDIR, prov_name, provctx->debug_pid)
+ provctx->debug_path != NULL ? provctx->debug_path :
+ IBMCA_LOGDIR,
+ prov_name, provctx->debug_pid)
>= (int)sizeof(debug_file)) {
put_error_ctx(provctx, IBMCA_ERR_INTERNAL_ERROR,
"IBMCA_LOGDIR too long: '%s'", IBMCA_LOGDIR);
@@ -904,6 +910,20 @@ static int ibmca_config_debug(struct ibmca_prov_ctx *provctx,
return 1;
}
+static int ibmca_config_debug_path(struct ibmca_prov_ctx *provctx,
+ const char *key, const char *value)
+{
+ /*
+ * If the debug path is already set (e.g. due to IBMCA_DEBUG_PATH
+ * environment variable) do not override the setting.
+ */
+ if (provctx->debug_path != NULL)
+ return 1;
+
+ return ibmca_config_const_string(provctx, key, value,
+ &provctx->debug_path);
+}
+
static int ibmca_config_fips(struct ibmca_prov_ctx *provctx,
const char *key, const char *value)
{
@@ -1302,6 +1322,9 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
ctx->c_free = c_free;
ctx->ica_adapter = DRIVER_NOT_LOADED;
+ val = secure_getenv(IBMCA_DEBUG_PATH_ENVVAR);
+ if (val != NULL)
+ ibmca_config_debug_path(ctx, IBMCA_CONF_DEBUG_PATH, val);
val = getenv(IBMCA_DEBUG_ENVVAR);
if (val != NULL)
ibmca_config_debug(ctx, IBMCA_CONF_DEBUG, val);
diff --git a/src/provider/p_ibmca.h b/src/provider/p_ibmca.h
index 3b3d4f04..c47a6aa9 100644
--- a/src/provider/p_ibmca.h
+++ b/src/provider/p_ibmca.h
@@ -27,9 +27,11 @@
/* Environment variable name to enable debug */
#define IBMCA_DEBUG_ENVVAR "IBMCA_DEBUG"
+#define IBMCA_DEBUG_PATH_ENVVAR "IBMCA_DEBUG_PATH"
/* IBMCA provider configuration key words */
#define IBMCA_CONF_DEBUG "debug"
+#define IBMCA_CONF_DEBUG_PATH "debug-path"
#define IBMCA_CONF_ALGORITHMS "algorithms"
#define IBMCA_CONF_FIPS "fips"
#define IBMCA_CONF_FALLBACK_PROPS "fallback-properties"
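Review bot: The overflow error on the last two lines of the hunk still reports `IBMCA_LOGDIR`, but the directory that was actually formatted is `provctx->debug_path` whenever it is set, so the message names the wrong macro and prints a path that was not used; ibmca_config_debug starts and ends outside the hunk. Hoist the choice into a local and use it in both places: `const char *dir = provctx->debug_path != NULL ? provctx->debug_path : IBMCA_LOGDIR;`, then `dir, prov_name, provctx->debug_pid)` in the snprintf and `"debug path too long: '%s'", dir);` in put_error_ctx. debug_path arrives from the config file or IBMCA_DEBUG_PATH with no check that it is non-empty or names an existing directory, so a bad value only surfaces when the open fails, and that open is outside the hunk. Because the default directory is now the shared /tmp and the file name is predictable (trace-name.pid), it is worth confirming that the open uses O_CREAT|O_EXCL|O_NOFOLLOW (or an equivalent) rather than a plain fopen in "w" mode, so that a pre-existing entry of that name is rejected instead of followed or truncated.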
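Review bot: Nothing in the diff frees the string that `ibmca_config_debug_path` stores into the new `provctx->debug_path` through `ibmca_config_const_string`, and the provider teardown is not part of the change; if that helper duplicates the value, the release path needs a matching free, and if it only keeps the pointer (which I cannot tell from here), the comment should state that the value must outlive the context. The early `return 1` when the path is already set implements the env-over-config precedence the commit describes, but it also silently swallows a second `debug-path` key; a debug-level message there would make a misconfigured file easier to diagnose. A short header comment would help, e.g. `/* "debug-path" config option: directory the trace file is written to. IBMCA_DEBUG_PATH, read in OSSL_provider_init, takes precedence. */`.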
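Review bot: The comment `/* Environment variable name to enable debug */` above the env-var defines now only describes the first of them; the new `IBMCA_DEBUG_PATH_ENVVAR` has no comment, and its semantics (a directory that the process must be able to write to, taking precedence over the config option) live only in the man page. Suggest `/* Environment variable name for the directory the trace file is written to; takes precedence over the "debug-path" config option */` above `IBMCA_DEBUG_PATH_ENVVAR`, and a matching one-line comment on `IBMCA_CONF_DEBUG_PATH` in the keyword block below it.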
@@ -64,6 +66,7 @@ struct ibmca_prov_ctx {
OSSL_FUNC_CRYPTO_secure_clear_free_fn *c_secure_clear_free;
OSSL_FUNC_OPENSSL_cleanse_fn *c_cleanse;
bool debug;
+ const char *debug_path;
FILE *debug_file;
pid_t debug_pid;
pthread_mutex_t debug_mutex;
diff --git a/test/provider/openssl-test.cnf b/test/provider/openssl-test.cnf
index 7866f4e9..e8132a6b 100644
--- a/test/provider/openssl-test.cnf
+++ b/test/provider/openssl-test.cnf
@@ -16,6 +16,7 @@ identity = ibmca
module = ibmca-provider.so
activate = 1
#debug = yes
+#debug-path = /dir/to/debug/directory
#fips=yes
#algorithms = RSA,EC,DH
algorithms = ALL
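Review bot: The new `debug_path` member is undocumented, and neither its default nor its ownership is visible from the struct: NULL means the compile-time IBMCA_LOGDIR is used (per the snprintf in ibmca_config_debug), and who frees the string is not settled anywhere in this diff. Suggest `const char *debug_path;   /* "debug-path" option or IBMCA_DEBUG_PATH; NULL selects IBMCA_LOGDIR */` and, once the lifetime is decided, a word on whether the context owns the string.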