From 2fea87e997b86bf03417b38f1041596bfc002779 Mon Sep 17 00:00:00 2001
From: Tobias Brick <39196763+tobiasb-ms@users.noreply.github.com>
Date: Fri, 9 May 2025 13:35:17 -0700
Subject: [PATCH] SymCrypt-OpenSSL -- Update mechanism for creating keysinuse logging directory. (#13735)

(cherry picked from commit e45ad9e69c848810478437e1f0deb10c17c14c58)
---
 SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec | 26 ++++++++++++--------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec b/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec
index 3d0f421faef..e55aae5709d 100644
--- a/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec
+++ b/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec
@@ -1,7 +1,7 @@
 Summary: The SymCrypt engine for OpenSSL (SCOSSL) allows the use of OpenSSL with SymCrypt as the provider for core cryptographic operations
 Name: SymCrypt-OpenSSL
 Version: 1.8.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -49,6 +49,7 @@ mkdir -p %{buildroot}%{_libdir}/engines-3/
 mkdir -p %{buildroot}%{_libdir}/ossl-modules/
 mkdir -p %{buildroot}%{_includedir}
 mkdir -p %{buildroot}%{_sysconfdir}/pki/tls/
+mkdir -p %{buildroot}%{_localstatedir}/log/keysinuse/
 
 # We still install the engine for backwards compatibility with legacy applications. Callers must
 # explicitly load the engine to use it. It will be removed in a future release.
@@ -57,15 +58,6 @@ install bin/SymCryptProvider/symcryptprovider.so %{buildroot}%{_libdir}/ossl-mod
 install SymCryptEngine/inc/e_scossl.h %{buildroot}%{_includedir}/e_scossl.h
 install SymCryptProvider/symcrypt_prov.cnf %{buildroot}%{_sysconfdir}/pki/tls/symcrypt_prov.cnf
 
-%post
-mkdir -p -m 1733 /var/log/keysinuse
-
-%preun
-# Remove the logging directory on uninstall, leaving it there on upgrade.
-if [ "${1}" = "0" ]; then
- rm -rf /var/log/keysinuse
-fi
-
 %check
 ./bin/SslPlay/SslPlay
 
@@ -76,7 +68,21 @@ fi
 %{_includedir}/e_scossl.h
 %{_sysconfdir}/pki/tls/symcrypt_prov.cnf
 
+# The log directory for certsinuse logging has permissions set to 1733.
+# These permissions are a result of a security review to mitigate potential risks:
+# - Group and others are denied read access to prevent user-level code from inferring
+# details about other running applications and their certsinuse usage.
+# - All users have write and execute permissions to create new log files and to
+# check file attributes (e.g., to ensure a log file hasn't been tampered with or
+# replaced by a symlink).
+# - The sticky bit is set to prevent malicious users from deleting the log files
+# and interfering with certsinuse alerting mechanisms.
+%dir %attr(1733, root, root) %{_localstatedir}/log/keysinuse/
+
 %changelog
+* Thu May 08 2025 Tobias Brick - 1.8.0-2
+- Update mechanism for creating keysinuse logging directory.
+
 * Thu Mar 27 2025 Maxwell Moyer-McKee - 1.8.0-1
 - Upgrade to SymCrypt-OpenSSL 1.8.0 with PBKDF2 and minor bugfixes
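Review bot: The comment block added above the `%dir` line calls the feature "certsinuse" three times while the directory path, the changelog entry and the commit subject all say keysinuse, so the permission rationale reads as if it documented a different log directory. The three lines should read `# The log directory for keysinuse logging has permissions set to 1733.`, `# details about other running applications and their keysinuse usage.` and `# and interfering with keysinuse alerting mechanisms.`. Separately, the previous hunk removes the `%preun` that ran `rm -rf /var/log/keysinuse` on uninstall, and with the directory now owned via `%dir` rpm will leave it and any log files in place when it is non-empty; if keeping logs after uninstall is intended, the changelog entry should say so, since it is a visible behaviour change for a world-writable directory, and if not, the removal needs a replacement. The hunk's trailing context line appears to be cut off at the end of the page.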