mirror of https://github.com/openvswitch/ovs synced 2025-08-22 01:51:26 +00:00

ovs-pki: Remove "online PKI" features and ovs-pki-cgi.

Debian bug #683665, Red Hat bug #845350, and CVE-2012-3449 all claim that
ovs-pki's "incoming" directory is a security vulnerability.  I do not think
that this is the case, but I do not know of any users for this feature, so
on balance I prefer to remove it and the ovs-pki-cgi program associated
with it, just to be sure.

CVE-2012-3449.
Bug-report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683665
Bug-report: https://bugzilla.redhat.com/show_bug.cgi?id=84535
Reported-by: Andreas Beckmann <debian@abeckmann.de>
Signed-off-by: Ben Pfaff <blp@nicira.com>
This commit is contained in:
Ben Pfaff 2012-08-03 11:56:33 -07:00
parent 79b8c36c58
commit 2562714aa5
5 changed files with 13 additions and 287 deletions

NEWS

@ -9,9 +9,15 @@ post-v1.8.0
- OpenFlow:
- Allow bitwise masking for SHA and THA fields in ARP, SLL and TLL
fields in IPv6 neighbor discovery messages, and IPv6 flow label.
- ovs-dpctl
- ovs-dpctl:
- Support requesting the port number with the "port_no" option in
the "add-if" command.
- ovs-pki: The "online PKI" features have been removed, along with
the ovs-pki-cgi program that facilitated it, because of some
alarmist insecurity claims. We do not believe that these claims
are true, but because we do not know of any users for this
feature it seems better on balance to remove it. (The ovs-pki-cgi
program was not included in distribution packaging.)
v1.8.0 - xx xxx xxxx
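Review bot: The NEWS entry editorializes ("alarmist insecurity claims") where release notes should record the change and its tracking identifier; the commit message cites CVE-2012-3449 and the Debian and Red Hat bugs, but the entry names none of them, so packagers searching NEWS for the CVE will not find this fix. Suggest something like `- ovs-pki: The "online PKI" features and the ovs-pki-cgi program have been removed (CVE-2012-3449).` Also "facilitated it" should read "facilitated them", since it refers to the features, and the `- ovs-dpctl` / `- ovs-dpctl:` pair is an unrelated punctuation fix folded into this commit without mention in the message.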

@ -13,7 +13,6 @@ bin_SCRIPTS += \
utilities/ovs-test \
utilities/ovs-vlan-test
endif
noinst_SCRIPTS += utilities/ovs-pki-cgi
scripts_SCRIPTS += \
utilities/ovs-check-dead-ifs \
utilities/ovs-ctl \
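Review bot: Dropping `noinst_SCRIPTS += utilities/ovs-pki-cgi` is only part of the build-side cleanup: the template `utilities/ovs-pki-cgi.in` leaves EXTRA_DIST and the generated script leaves DISTCLEANFILES in the hunks below, but whatever produces `utilities/ovs-pki-cgi` from the `.in` file is not visible in this diff. If that is a per-file rule or a configure substitution rather than a generic `.in` suffix rule, it needs removing too, otherwise the build will try to generate a script from a template that no longer exists.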
@ -27,7 +26,6 @@ EXTRA_DIST += \
utilities/ovs-lib.in \
utilities/ovs-parse-leaks.in \
utilities/ovs-pcap.in \
utilities/ovs-pki-cgi.in \
utilities/ovs-pki.in \
utilities/ovs-save \
utilities/ovs-tcpundump.in \
@ -65,7 +63,6 @@ DISTCLEANFILES += \
utilities/ovs-pcap \
utilities/ovs-pcap.1 \
utilities/ovs-pki \
utilities/ovs-pki-cgi \
utilities/ovs-pki.8 \
utilities/ovs-tcpundump \
utilities/ovs-tcpundump.1 \

@ -1,55 +0,0 @@
#! @PERL@
# Copyright (c) 2008, 2009 Nicira, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
use CGI;
use Digest::SHA1;
use Fcntl;
$CGI::POST_MAX = 65536; # Limit POSTs to 64 kB.
use strict;
use warnings;
my $pkidir = '@PKIDIR@';
my $q = new CGI;
die unless $q->request_method() eq 'POST';
my $type = $q->param('type');
die unless defined $type;
die unless $type eq 'switch' or $type eq 'controller';
my $req = $q->param('req');
die unless defined $req;
die unless $req =~ /^-----BEGIN CERTIFICATE REQUEST-----$/m;
die unless $req =~ /^-----END CERTIFICATE REQUEST-----$/m;
my $digest = Digest::SHA1::sha1_hex($req);
my $incoming = "$pkidir/${type}ca/incoming";
my $dst = "$incoming/$digest-req.pem";
sysopen(REQUEST, "$dst.tmp", O_RDWR | O_CREAT | O_EXCL, 0600)
or die "sysopen $dst.tmp: $!";
print REQUEST $req;
close(REQUEST) or die "close $dst.tmp: $!";
rename("$dst.tmp", $dst) or die "rename $dst.tmp to $dst: $!";
print $q->header('text/html', '204 No response');
# Local Variables:
# mode: perl
# End:
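Review bot: Removing this script is the right call from a defensive standpoint, and the reason is visible in the code itself: the only controls on an upload are the 64 kB cap in `$CGI::POST_MAX`, the `switch`/`controller` check on `type`, and two regexes that merely confirm the `-----BEGIN CERTIFICATE REQUEST-----` and `-----END CERTIFICATE REQUEST-----` markers appear somewhere in the body. Nothing authenticates the submitter, and the body is never parsed as a CSR before being written to disk. The `O_EXCL` temporary file, the `rename`, and the SHA-1-derived filename do prevent clobbering and path injection, so the exposure is unauthenticated writes of arbitrary content into the PKI tree rather than writes to arbitrary paths. If an upload endpoint is ever reinstated it should require client authentication and validate the request (for example with `openssl req -noout`) before storing it. Minor and moot on deletion: `use strict` and `use warnings` appear after executable statements (`$CGI::POST_MAX = 65536`), so they do not cover the whole file.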

@ -9,9 +9,11 @@
ovs\-pki \- OpenFlow public key infrastructure management utility
.SH SYNOPSIS
Each command takes the form:
.sp
\fBovs\-pki\fR [\fIOPTIONS\fR] \fICOMMAND\fR [\fIARGS\fR]
.sp
Stand\-alone commands with their arguments:
The implemented commands and their arguments are:
.br
\fBovs\-pki\fR \fBinit\fR
.br
@ -27,20 +29,6 @@ Stand\-alone commands with their arguments:
.br
\fBovs\-pki\fR \fBself\-sign\fR \fINAME\fR
.sp
The following additional commands manage an online PKI:
.br
\fBovs\-pki\fR \fBls\fR [\fIPREFIX\fR] [\fITYPE\fR]
.br
\fBovs\-pki\fR \fBflush\fR [\fITYPE\fR]
.br
\fBovs\-pki\fR \fBreject\fR \fIPREFIX\fR [\fITYPE\fR]
.br
\fBovs\-pki\fR \fBapprove\fR \fIPREFIX\fR [\fITYPE\fR]
.br
\fBovs\-pki\fR \fBprompt\fR [\fITYPE\fR]
.br
\fBovs\-pki\fR \fBexpire\fR [\fIAGE\fR]
.sp
Each \fITYPE\fR above is a certificate type, either \fBswitch\fR
(default) or \fBcontroller\fR.
.sp
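Review bot: The sentence `Each \fITYPE\fR above is a certificate type, either \fBswitch\fR (default) or \fBcontroller\fR.` is kept, but every command in this list that carried a \fITYPE\fR argument is deleted in this hunk. Check that one of the remaining commands in the context not shown here (for instance \fBreq+sign\fR or \fBsign\fR) still takes \fITYPE\fR; if none does, the sentence now refers to nothing and should be removed as well.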
@ -195,85 +183,6 @@ been produced with \fBovs\-pki req\fR.
Some controllers accept such self-signed certificates.
.SH "ONLINE COMMANDS"
An OpenFlow PKI can be administered online, in conjunction with
.BR ovs\-pki\-cgi (8)
and a web server such as Apache:
.IP \(bu
The web server exports the contents of the PKI via HTTP. All files in
a PKI hierarchy files may be made public, except for the files
\fBpki/controllerca/private/cakey.pem\fR and
\fBpki/switchca/private/cakey.pem\fR, which must not be exposed.
.IP \(bu
\fBovs\-pki\-cgi\fR allows newly generated certificate requests for
controllers and switches to be uploaded into the
\fBpki/controllerca/incoming\fR and \fBpki/switchca/incoming\fR
directories, respectively. Uploaded certificate requests are stored
in those directories under names of the form
\fIFINGERPRINT\fB\-req.pem\fR, which \fIFINGERPRINT\fR is the SHA\-1
hash of the file.
.IP \(bu
These \fBovs\-pki\fR commands allow incoming certificate requests to
be approved or rejected, in a form are suitable for use by humans or
other software.
.PP
The following \fBovs\-pki\fR commands support online administration:
.TP
\fBovs\-pki\fR \fBls\fR [\fIPREFIX\fR] [\fITYPE\fR]
Lists all of the incoming certificate requests of the given \fITYPE\fR
(either \fBswitch\fR, the default, or \fBcontroller\fR). If
\fIPREFIX\fR, which must be at least 4 characters long, is specified,
it causes the list to be limited to files whose names begin with
\fIPREFIX\fR. This is useful, for example, to avoid typing in an
entire fingerprint when checking that a specific certificate request
has been received.
.TP
\fBovs\-pki\fR \fBflush\fR [\fITYPE\fR]
Deletes all certificate requests of the given \fITYPE\fR.
.TP
\fBovs\-pki\fR \fBreject\fR \fIPREFIX\fR [\fITYPE\fR]
Rejects the certificate request whose name begins with \fIPREFIX\fR,
which must be at least 4 characters long, of the given type (either
\fBswitch\fR, the default, or \fBcontroller\fR). \fIPREFIX\fR must
match exactly one certificate request; its purpose is to allow the
user to type fewer characters, not to match multiple certificate
requests.
.TP
\fBovs\-pki\fR \fBapprove\fR \fIPREFIX\fR [\fITYPE\fR]
Approves the certificate request whose name begins with \fIPREFIX\fR,
which must be at least 4 characters long, of the given \fITYPE\fR
(either \fBswitch\fR, the default, or \fBcontroller\fR). \fIPREFIX\fR
must match exactly one certificate request; its purpose is to allow
the user to type fewer characters, not to match multiple certificate
requests.
The command will output a fingerprint to stdout and request that you
verify that it is correct. (The \fB\-b\fR or \fB\-\^\-batch\fR option
suppresses the verification step.)
.TP
\fBovs\-pki\fR \fBprompt\fR [\fITYPE\fR]
Prompts the user for each incoming certificate request of the given
\fITYPE\fR (either \fBswitch\fR, the default, or \fBcontroller\fR).
Based on the certificate request's fingerprint, the user is given the
option of approving, rejecting, or skipping the certificate request.
.TP
\fBovs\-pki\fR \fBexpire\fR [\fIAGE\fR]
Rejects all the incoming certificate requests, of either type, that is
older than \fIAGE\fR, which must in one of the forms \fIN\fBs\fR,
\fIN\fBmin\fR, \fIN\fBh\fR, \fIN\fBday\fR. The default is \fB1day\fR.
.SH OPTIONS
.IP "\fB\-k\fR \fItype\fR"
.IQ "\fB\-\^\-key=\fItype\fR"
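Review bot: Deleting the "ONLINE COMMANDS" section also deletes the only place the man page told operators which PKI files may be published and which must not (`\fBpki/controllerca/private/cakey.pem\fR` and `\fBpki/switchca/private/cakey.pem\fR`). That guidance does not depend on the CGI upload path and remains useful to anyone serving the certificate tree over HTTP; consider keeping it as a short note in a general section rather than losing it with the online commands. The rest of the removal is consistent with the OPTIONS hunk below, which drops \fBapprove\fR from the \fB\-\^\-batch\fR description.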
@ -306,7 +215,7 @@ The default is \fBdsaparam.pem\fR under the PKI hierarchy.
.IP "\fB\-b\fR"
.IQ "\fB\-\^\-batch\fR"
Suppresses the interactive verification of fingerprints that the
\fBsign\fR and \fBapprove\fR commands by default require.
\fBsign\fR command by default requires.
.IP "\fB\-d\fR \fIdir\fR"
.IQ "\fB\-\^\-dir=\fR\fIdir\fR"
@ -330,5 +239,4 @@ Prints a help usage message and exits.
.SH "SEE ALSO"
.BR ovs\-controller (8),
.BR ovs\-pki\-cgi (8)
.BR ovs\-controller (8).

@ -95,20 +95,6 @@ The valid stand-alone commands and their arguments are:
fingerprint FILE Prints the fingerprint for FILE
self-sign NAME Sign NAME-req.pem with NAME-privkey.pem,
producing self-signed certificate NAME-cert.pem
The following additional commands manage an online PKI:
ls [PREFIX] [TYPE] Lists incoming requests of the given TYPE, optionally
limited to those whose fingerprint begins with PREFIX
flush [TYPE] Rejects all incoming requests of the given TYPE
reject PREFIX [TYPE] Rejects the incoming request(s) whose fingerprint begins
with PREFIX and has the given TYPE
approve PREFIX [TYPE] Approves the incoming request whose fingerprint begins
with PREFIX and has the given TYPE
expire [AGE] Rejects all incoming requests older than AGE, in
one of the forms Ns, Nmin, Nh, Nday (default: 1day)
prompt [TYPE] Interactively prompts to accept or reject each incoming
request of the given TYPE
Each TYPE above is a certificate type: 'switch' (default) or 'controller'.
Options for 'init', 'req', and 'req+sign' only:
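Review bot: The usage line `Each TYPE above is a certificate type: 'switch' (default) or 'controller'.` survives while every command above it that showed a TYPE argument is removed in this hunk. Verify that a remaining stand-alone command in the context not shown (for example `sign` or `req+sign`) still accepts a TYPE argument; if not, drop the sentence so `--help` does not describe an argument no command takes.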
@ -117,7 +103,7 @@ Options for 'init', 'req', and 'req+sign' only:
this has an effect only on 'init'.
-D, --dsaparam=FILE File with DSA parameters (DSA only)
(default: dsaparam.pem within PKI directory)
Options for use with the 'sign' and 'approve' commands:
Options for use with the 'sign' command:
-b, --batch Skip fingerprint verification
Options that apply to any command:
-d, --dir=DIR Directory where the PKI is located
@ -251,7 +237,6 @@ if test "$command" = "init"; then
mkdir -p certs crl newcerts
mkdir -p -m 0700 private
mkdir -p -m 0733 incoming
touch index.txt
test -e crlnumber || echo 01 > crlnumber
test -e serial || echo 01 > serial
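Review bot: This line is the substance of the reported issue: `init` created `incoming` with mode 0733, i.e. writable (though not listable) by every local user, inside the CA directory. Removing the `mkdir` only affects hierarchies created after this change; a PKI initialized by an earlier ovs-pki keeps world-writable `switchca/incoming` and `controllerca/incoming` directories, and nothing in this diff removes them or warns about them. Suggest at least a NEWS sentence advising administrators to delete the two `incoming` directories from existing installations, since the upgrade does not do it for them.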
@ -334,13 +319,6 @@ one_arg() {
fi
}
zero_or_one_args() {
if test -n "$arg2"; then
echo "$0: $command must have zero or one arguments; use --help for help" >&2
exit 1
fi
}
one_or_two_args() {
if test -z "$arg1"; then
echo "$0: $command must have one or two arguments; use --help for help" >&2
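Review bot: Removing `zero_or_one_args` is safe only if no callers remain; the two visible callers, in the `prompt` and `expire` branches, are deleted in the last hunk of this file, and `one_arg` and `one_or_two_args` are left in place, so this is consistent. The surrounding context is too narrow to prove there are no other callers, so a quick `grep zero_or_one_args` over the rest of the script is worth doing before merging.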
@ -355,38 +333,6 @@ must_not_exist() {
fi
}
resolve_prefix() {
test -n "$type" || exit 123 # Forgot to call check_type?
case $1 in
????*)
;;
*)
echo "Prefix $arg1 is too short (less than 4 hex digits)" >&2
exit 0
;;
esac
fingerprint=$(cd "$pkidir/${type}ca/incoming" && echo "$1"*-req.pem | sed 's/-req\.pem$//')
case $fingerprint in
"${1}*")
echo "No certificate requests matching $1" >&2
exit 1
;;
*" "*)
echo "$1 matches more than one certificate request:" >&2
echo $fingerprint | sed 's/ /\
/g' >&2
exit 1
;;
*)
# Nothing to do.
;;
esac
req="$pkidir/${type}ca/incoming/$fingerprint-req.pem"
cert="$pkidir/${type}ca/certs/$fingerprint-cert.pem"
}
make_tmpdir() {
TMP=/tmp/ovs-pki.tmp$$
rm -rf $TMP
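Review bot: Fine to delete, but worth recording for anyone who later revives this logic: `resolve_prefix` exits with status 0 on the "Prefix ... is too short" error path while its other error paths use `exit 1`, so a caller could not distinguish the too-short case from success, and that message prints `$arg1` although the function operates on `$1`. Both defects are moot once the function is gone.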
@ -571,82 +517,6 @@ elif test "$command" = self-sign; then
# Reset the permissions on the certificate to the user's default.
cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"
rm -f "$arg1-cert.pem.tmp"
elif test "$command" = ls; then
check_type "$arg2"
cd "$pkidir/${type}ca/incoming"
for file in $(glob "$arg1*-req.pem"); do
fingerprint $file
done
elif test "$command" = flush; then
check_type "$arg1"
rm -f "$pkidir/${type}ca/incoming/"*
elif test "$command" = reject; then
one_or_two_args
check_type "$arg2"
resolve_prefix "$arg1"
rm -f "$req"
elif test "$command" = approve; then
one_or_two_args
check_type "$arg2"
resolve_prefix "$arg1"
make_tmpdir
cp "$req" "$TMP/$req"
verify_fingerprint "$TMP/$req"
sign_request "$TMP/$req"
rm -f "$req" "$TMP/$req"
elif test "$command" = prompt; then
zero_or_one_args
check_type "$arg1"
make_tmpdir
cd "$pkidir/${type}ca/incoming"
for req in $(glob "*-req.pem"); do
cp "$req" "$TMP/$req"
cert=$(echo "$pkidir/${type}ca/certs/$req" |
sed 's/-req.pem/-cert.pem/')
if test -f $cert; then
echo "Request $req already approved--dropping duplicate request"
rm -f "$req" "$TMP/$req"
continue
fi
echo
echo
fingerprint "$TMP/$req" "$req"
printf "Disposition for this request (skip/approve/reject)? "
read answer
case $answer in
approve)
echo "Approving $req"
sign_request "$TMP/$req" "$cert"
rm -f "$req" "$TMP/$req"
;;
r*)
echo "Rejecting $req"
rm -f "$req" "$TMP/$req"
;;
*)
echo "Skipping $req"
;;
esac
done
elif test "$command" = expire; then
zero_or_one_args
cutoff=$(($(date +%s) - $(parse_age ${arg1-1day})))
for type in switch controller; do
cd "$pkidir/${type}ca/incoming" || exit 1
for file in $(glob "*"); do
time=$(file_mod_epoch "$file")
if test "$time" -lt "$cutoff"; then
rm -f "$file"
fi
done
done
else
echo "$0: $command command unknown; use --help for help" >&2
exit 1
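Review bot: The `elif` chain stays well-formed: the `self-sign` branch now falls straight through to the final `else`, so there is no syntax risk. One latent defect in the removed code is worth noting as a reason not to resurrect it as-is: `resolve_prefix` sets `$req` to an absolute path under `$pkidir/${type}ca/incoming/`, and the `approve` branch then runs `cp "$req" "$TMP/$req"`, which targets a path beneath `$TMP` whose intermediate directories are not created by the visible part of `make_tmpdir`; the `prompt` branch avoids this by `cd`-ing into `incoming` and using bare filenames. Also, `rm -f "$pkidir/${type}ca/incoming/"*` in `flush` and `for file in $(glob "*")` in `expire` act on every file in the drop-box directory, not only `*-req.pem` files.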