From df14e6cc81c296d91e9124cd09f25a83defb522f Mon Sep 17 00:00:00 2001 From: Dimitri Staessens Date: Fri, 12 Jun 2026 21:19:25 +0200 Subject: irmd: Fail OAP config load on read errors load_sec_config_file() treated any fopen() failure as an absent config and silently disabled encryption. file_exists() similarly lumped non-ENOENT stat() errors in with "present". Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders --- include/ouroboros/pthread.h | 6 ++++++ src/irmd/oap/io.c | 8 +++++++- src/lib/crypt.c | 11 ++++++++--- 3 files changed, 21 insertions(+), 4 deletions(-) diff --git a/include/ouroboros/pthread.h b/include/ouroboros/pthread.h index cd500795..3ca79d10 100644 --- a/include/ouroboros/pthread.h +++ b/include/ouroboros/pthread.h @@ -24,6 +24,7 @@ #define OUROBOROS_LIB_PTHREAD_H #include +#include static int __attribute__((unused)) __timedwait(pthread_cond_t * cond, pthread_mutex_t * mtx, @@ -48,4 +49,9 @@ static void __attribute__((unused)) __cleanup_mutex_unlock(void * mutex) pthread_mutex_unlock((pthread_mutex_t *) mutex); } +static void __attribute__((unused)) __cleanup_fclose(void * fp) +{ + fclose((FILE *) fp); +} + #endif /* OUROBOROS_LIB_PTHREAD_H */ diff --git a/src/irmd/oap/io.c b/src/irmd/oap/io.c index 5c560ea5..7b661435 100644 --- a/src/irmd/oap/io.c +++ b/src/irmd/oap/io.c @@ -50,11 +50,17 @@ static bool file_exists(const char * path) { struct stat s; - if (stat(path, &s) < 0 && errno == ENOENT) { + if (stat(path, &s) == 0) + return true; + + if (errno == ENOENT) { log_dbg("File %s does not exist.", path); return false; } + /* Can't stat for another reason; assume present, fail on load */ + log_warn("Failed to stat %s: %s.", path, strerror(errno)); + return true; } diff --git a/src/lib/crypt.c b/src/lib/crypt.c index 73cb0b51..9728ac8c 100644 --- a/src/lib/crypt.c +++ b/src/lib/crypt.c @@ -265,12 +265,17 @@ int load_sec_config_file(struct sec_config * cfg, fp = fopen(path, "r"); if (fp == NULL) { - /* File doesn't exist - disable encryption */ - CLEAR_KEX_ALGO(cfg); - return 0; + /* Absent config disables encryption; other errors fail */ + if (errno == ENOENT) { + CLEAR_KEX_ALGO(cfg); + return 0; + } + return -errno; } + pthread_cleanup_push(__cleanup_fclose, fp); ret = parse_sec_config(cfg, fp); + pthread_cleanup_pop(0); fclose(fp); -- cgit v1.2.3