introduce TALER_OS_init() to safely handle static linkage

2021-08-08 16:45:32 +02:00 · 2021-08-08 16:45:32 +02:00 · b58605a79d
commit b58605a79d
parent 7fd4f1d846
18 changed files with 59 additions and 17 deletions
--- a/debian/etc-taler-exchange/taler/conf.d/exchange-business.conf
+++ b/debian/etc-taler-exchange/taler/conf.d/exchange-business.conf
@ -26,6 +26,10 @@ BASE_URL =

 enable_credit = yes
 enable_debit = yes
+
+# Account identifier in the form of an RFC-8905 payto:// URI.
+# For SEPA, looks like payto://sepa/$IBAN?receiver-name=$NAME
+# Make sure to URL-encode spaces in $NAME!
 payto_uri =

 # Credentials to access the account are in a separate
--- a/doc/audit/response-202109.tex
+++ b/doc/audit/response-202109.tex
@ -4,7 +4,7 @@
 %\topmargin=-0.2in

 \usepackage[ansinew]{inputenc}
-\usepackage{makeidx,amsmath,amssymb,exscale,multicol,epsfig,graphics}
+\usepackage{makeidx,amsmath,amssymb,exscale,multicol,epsfig,graphics,url}

 \begin{document}
 \pagestyle{headings}
@ -138,6 +138,12 @@ use callbacks {\em excessively}.  Rewriting the code in another language
 may indeed make this part easier to understand, alas would have other
 disadvantages as pointed out previously.

+{\bf Update:} We introduced additional functions to replace
+variadic calls to functions that cannot be type-checked by
+the compiler (like libjansson's {\tt json\_pack()}) with
+type-safe versions (like the new {\tt GNUNET\_JSON\_PACK()}).
+
+
 \subsection{Initializing structs with memset}

 Using {\tt memset()} first prevents compiler (or valgrind) warnings about
@ -241,6 +247,11 @@ the interaction with offline key signing mechanism.  The remaining disk accesses
 quite fundamental configuration data (which ports to bind to, configuration to
 access the database, etc.), and of course the program logic itself.

+{\bf Update:} We have also restructured the configuration such that only
+the {\tt taler-exchange-transfer} and {\tt taler-exchange-wirewatch} programs
+need to have access to the more sensitive bank account configuration data,
+and so that these processes can run as a separate user.
+

 \subsection{Avoid dlopen}

@ -270,4 +281,11 @@ provided on a best-effort basis.  Fortunately, even a best-effort append-only
 transaction log would serve to limit the financial damage incurred by the
 exchange in an active database compromise scenario.

+{\bf Update:} We have tightened the installation instructions for the
+Taler exchange to guide users towards a more restricted Postgres setup,
+tightening which components of the Exchange need what level of access
+to the exchange database.
+
+
+
 \end{document}
--- a/src/auditor/taler-auditor-dbinit.c
+++ b/src/auditor/taler-auditor-dbinit.c
@ -136,14 +136,14 @@ main (int argc,
  };
  enum GNUNET_GenericReturnValue ret;

-  /* force linker to link against libtalerutil; if we do
-     not do this, the linker may "optimize" libtalerutil
-     away and skip #TALER_OS_init(), which we do need */
-  (void) TALER_project_data_default ();
  if (GNUNET_OK !=
      GNUNET_STRINGS_get_utf8_args (argc, argv,
                                    &argc, &argv))
    return EXIT_INVALIDARGUMENT;
+  /* force linker to link against libtalerutil; if we do
+     not do this, the linker may "optimize" libtalerutil
+     away and skip #TALER_OS_init(), which we do need */
+  TALER_OS_init ();
  ret = GNUNET_PROGRAM_run (
    argc, argv,
    "taler-auditor-dbinit",
--- a/src/auditor/taler-auditor-httpd.c
+++ b/src/auditor/taler-auditor-httpd.c
@ -571,6 +571,7 @@ main (int argc,
  int fh = -1;
  enum TALER_MHD_GlobalOptions go;

+  TALER_OS_init ();
  {
    int ret;

--- a/src/auditor/taler-auditor-sync.c
+++ b/src/auditor/taler-auditor-sync.c
@ -593,6 +593,7 @@ main (int argc,
    GNUNET_GETOPT_OPTION_END
  };

+  TALER_OS_init ();
  TALER_gcrypt_init (); /* must trigger initialization manually at this point! */
  {
    int ret;
--- a/src/bank-lib/bank_api_admin.c
+++ b/src/bank-lib/bank_api_admin.c
@ -129,6 +129,11 @@ handle_admin_add_incoming_finished (void *cls,
       We should pass the JSON reply to the application */
    ec = TALER_JSON_get_error_code (j);
    break;
+  case MHD_HTTP_CONFLICT:
+    /* Nothign to verify, we used the same wire subject
+       twice? */
+    ec = TALER_JSON_get_error_code (j);
+    break;
  case MHD_HTTP_INTERNAL_SERVER_ERROR:
    /* Server had an internal issue; we should retry, but this API
       leaves this to the application */
--- a/src/bank-lib/fakebank.c
+++ b/src/bank-lib/fakebank.c
@ -824,7 +824,7 @@ make_admin_transfer (
  if (NULL != t)
  {
    /* duplicate reserve public key not allowed */
-    GNUNET_break (0);
+    GNUNET_break_op (0);
    return GNUNET_NO;
  }

@ -1074,7 +1074,7 @@ handle_admin_add_incoming (struct TALER_FAKEBANK_Handle *h,
    GNUNET_free (debit);
    if (GNUNET_OK != ret)
    {
-      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+      GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
                  "Reserve public key not unique\n");
      return TALER_MHD_reply_with_error (
        connection,
--- a/src/exchange-tools/taler-auditor-offline.c
+++ b/src/exchange-tools/taler-auditor-offline.c
@ -1454,14 +1454,14 @@ main (int argc,
  };
  enum GNUNET_GenericReturnValue ret;

-  /* force linker to link against libtalerutil; if we do
-     not do this, the linker may "optimize" libtalerutil
-     away and skip #TALER_OS_init(), which we do need */
-  (void) TALER_project_data_default ();
  if (GNUNET_OK !=
      GNUNET_STRINGS_get_utf8_args (argc, argv,
                                    &argc, &argv))
    return EXIT_INVALIDARGUMENT;
+  /* force linker to link against libtalerutil; if we do
+     not do this, the linker may "optimize" libtalerutil
+     away and skip #TALER_OS_init(), which we do need */
+  TALER_OS_init ();
  ret = GNUNET_PROGRAM_run (
    argc, argv,
    "taler-auditor-offline",
--- a/src/exchange-tools/taler-exchange-dbinit.c
+++ b/src/exchange-tools/taler-exchange-dbinit.c
@ -120,14 +120,14 @@ main (int argc,
  };
  enum GNUNET_GenericReturnValue ret;

-  /* force linker to link against libtalerutil; if we do
-     not do this, the linker may "optimize" libtalerutil
-     away and skip #TALER_OS_init(), which we do need */
-  (void) TALER_project_data_default ();
  if (GNUNET_OK !=
      GNUNET_STRINGS_get_utf8_args (argc, argv,
                                    &argc, &argv))
    return EXIT_INVALIDARGUMENT;
+  /* force linker to link against libtalerutil; if we do
+     not do this, the linker may "optimize" libtalerutil
+     away and skip #TALER_OS_init(), which we do need */
+  TALER_OS_init ();
  ret = GNUNET_PROGRAM_run (
    argc, argv,
    "taler-exchange-dbinit",
--- a/src/exchange-tools/taler-exchange-offline.c
+++ b/src/exchange-tools/taler-exchange-offline.c
@ -3456,6 +3456,7 @@ main (int argc,
      GNUNET_STRINGS_get_utf8_args (argc, argv,
                                    &argc, &argv))
    return EXIT_INVALIDARGUMENT;
+  TALER_OS_init ();
  ret = GNUNET_PROGRAM_run (
    argc, argv,
    "taler-exchange-offline",
--- a/src/exchange/taler-exchange-aggregator.c
+++ b/src/exchange/taler-exchange-aggregator.c
@ -1013,6 +1013,7 @@ main (int argc,
      GNUNET_STRINGS_get_utf8_args (argc, argv,
                                    &argc, &argv))
    return EXIT_INVALIDARGUMENT;
+  TALER_OS_init ();
  ret = GNUNET_PROGRAM_run (
    argc, argv,
    "taler-exchange-aggregator",
--- a/src/exchange/taler-exchange-closer.c
+++ b/src/exchange/taler-exchange-closer.c
@ -547,6 +547,7 @@ main (int argc,
      GNUNET_STRINGS_get_utf8_args (argc, argv,
                                    &argc, &argv))
    return EXIT_INVALIDARGUMENT;
+  TALER_OS_init ();
  ret = GNUNET_PROGRAM_run (
    argc, argv,
    "taler-exchange-closer",
--- a/src/exchange/taler-exchange-httpd.c
+++ b/src/exchange/taler-exchange-httpd.c
@ -1669,6 +1669,7 @@ main (int argc,
  int fh = -1;
  enum TALER_MHD_GlobalOptions go;

+  TALER_OS_init ();
  ret = GNUNET_GETOPT_run ("taler-exchange-httpd",
                           options,
                           argc, argv);
--- a/src/exchange/taler-exchange-transfer.c
+++ b/src/exchange/taler-exchange-transfer.c
@ -559,6 +559,7 @@ main (int argc,
      GNUNET_STRINGS_get_utf8_args (argc, argv,
                                    &argc, &argv))
    return EXIT_INVALIDARGUMENT;
+  TALER_OS_init ();
  ret = GNUNET_PROGRAM_run (
    argc, argv,
    "taler-exchange-transfer",
--- a/src/exchange/taler-exchange-wirewatch.c
+++ b/src/exchange/taler-exchange-wirewatch.c
@ -768,6 +768,7 @@ main (int argc,
      GNUNET_STRINGS_get_utf8_args (argc, argv,
                                    &argc, &argv))
    return EXIT_INVALIDARGUMENT;
+  TALER_OS_init ();
  ret = GNUNET_PROGRAM_run (
    argc, argv,
    "taler-exchange-wirewatch",
--- a/src/include/taler_util.h
+++ b/src/include/taler_util.h
@ -174,6 +174,13 @@ const struct GNUNET_OS_ProjectData *
 TALER_project_data_default (void);


+/**
+ * Initialize libtalerutil.
+ */
+void
+TALER_OS_init (void);
+
+
 /**
 * URL-encode a string according to rfc3986.
 *
--- a/src/util/taler-exchange-secmod-eddsa.c
+++ b/src/util/taler-exchange-secmod-eddsa.c
@ -1680,7 +1680,7 @@ main (int argc,
  /* force linker to link against libtalerutil; if we do
   not do this, the linker may "optimize" libtalerutil
   away and skip #TALER_OS_init(), which we do need */
-  GNUNET_OS_init (TALER_project_data_default ());
+  TALER_OS_init ();
  now = now_tmp = GNUNET_TIME_absolute_get ();
  ret = GNUNET_PROGRAM_run (argc, argv,
                            "taler-exchange-secmod-eddsa",
--- a/src/util/taler-exchange-secmod-rsa.c
+++ b/src/util/taler-exchange-secmod-rsa.c
@ -2081,7 +2081,7 @@ main (int argc,
  /* force linker to link against libtalerutil; if we do
   not do this, the linker may "optimize" libtalerutil
   away and skip #TALER_OS_init(), which we do need */
-  GNUNET_OS_init (TALER_project_data_default ());
+  TALER_OS_init ();
  now = now_tmp = GNUNET_TIME_absolute_get ();
  ret = GNUNET_PROGRAM_run (argc, argv,
                            "taler-exchange-secmod-rsa",