- OpenFlow:
- Allow bitwise masking for SHA and THA fields in ARP, SLL and TLL
fields in IPv6 neighbor discovery messages, and IPv6 flow label.
- - ovs-dpctl
+ - ovs-dpctl:
- Support requesting the port number with the "port_no" option in
the "add-if" command.
+ - ovs-pki: The "online PKI" features have been removed, along with
+ the ovs-pki-cgi program that facilitated it, because of some
+ alarmist insecurity claims. We do not believe that these claims
+ are true, but because we do not know of any users for this
+ feature it seems better on balance to remove it. (The ovs-pki-cgi
+ program was not included in distribution packaging.)
v1.8.0 - xx xxx xxxx
utilities/ovs-test \
utilities/ovs-vlan-test
endif
-noinst_SCRIPTS += utilities/ovs-pki-cgi
scripts_SCRIPTS += \
utilities/ovs-check-dead-ifs \
utilities/ovs-ctl \
utilities/ovs-lib.in \
utilities/ovs-parse-leaks.in \
utilities/ovs-pcap.in \
- utilities/ovs-pki-cgi.in \
utilities/ovs-pki.in \
utilities/ovs-save \
utilities/ovs-tcpundump.in \
utilities/ovs-pcap \
utilities/ovs-pcap.1 \
utilities/ovs-pki \
- utilities/ovs-pki-cgi \
utilities/ovs-pki.8 \
utilities/ovs-tcpundump \
utilities/ovs-tcpundump.1 \
+++ /dev/null
-#! @PERL@
-
-# Copyright (c) 2008, 2009 Nicira, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-use CGI;
-use Digest::SHA1;
-use Fcntl;
-
-$CGI::POST_MAX = 65536; # Limit POSTs to 64 kB.
-
-use strict;
-use warnings;
-
-my $pkidir = '@PKIDIR@';
-my $q = new CGI;
-
-die unless $q->request_method() eq 'POST';
-
-my $type = $q->param('type');
-die unless defined $type;
-die unless $type eq 'switch' or $type eq 'controller';
-
-my $req = $q->param('req');
-die unless defined $req;
-die unless $req =~ /^-----BEGIN CERTIFICATE REQUEST-----$/m;
-die unless $req =~ /^-----END CERTIFICATE REQUEST-----$/m;
-
-my $digest = Digest::SHA1::sha1_hex($req);
-my $incoming = "$pkidir/${type}ca/incoming";
-my $dst = "$incoming/$digest-req.pem";
-
-sysopen(REQUEST, "$dst.tmp", O_RDWR | O_CREAT | O_EXCL, 0600)
- or die "sysopen $dst.tmp: $!";
-print REQUEST $req;
-close(REQUEST) or die "close $dst.tmp: $!";
-
-rename("$dst.tmp", $dst) or die "rename $dst.tmp to $dst: $!";
-
-print $q->header('text/html', '204 No response');
-
-# Local Variables:
-# mode: perl
-# End:
ovs\-pki \- OpenFlow public key infrastructure management utility
.SH SYNOPSIS
+Each command takes the form:
+.sp
\fBovs\-pki\fR [\fIOPTIONS\fR] \fICOMMAND\fR [\fIARGS\fR]
.sp
-Stand\-alone commands with their arguments:
+The implemented commands and their arguments are:
.br
\fBovs\-pki\fR \fBinit\fR
.br
.br
\fBovs\-pki\fR \fBself\-sign\fR \fINAME\fR
.sp
-The following additional commands manage an online PKI:
-.br
-\fBovs\-pki\fR \fBls\fR [\fIPREFIX\fR] [\fITYPE\fR]
-.br
-\fBovs\-pki\fR \fBflush\fR [\fITYPE\fR]
-.br
-\fBovs\-pki\fR \fBreject\fR \fIPREFIX\fR [\fITYPE\fR]
-.br
-\fBovs\-pki\fR \fBapprove\fR \fIPREFIX\fR [\fITYPE\fR]
-.br
-\fBovs\-pki\fR \fBprompt\fR [\fITYPE\fR]
-.br
-\fBovs\-pki\fR \fBexpire\fR [\fIAGE\fR]
-.sp
Each \fITYPE\fR above is a certificate type, either \fBswitch\fR
(default) or \fBcontroller\fR.
.sp
Some controllers accept such self-signed certificates.
-.SH "ONLINE COMMANDS"
-
-An OpenFlow PKI can be administered online, in conjunction with
-.BR ovs\-pki\-cgi (8)
-and a web server such as Apache:
-
-.IP \(bu
-The web server exports the contents of the PKI via HTTP. All files in
-a PKI hierarchy files may be made public, except for the files
-\fBpki/controllerca/private/cakey.pem\fR and
-\fBpki/switchca/private/cakey.pem\fR, which must not be exposed.
-
-.IP \(bu
-\fBovs\-pki\-cgi\fR allows newly generated certificate requests for
-controllers and switches to be uploaded into the
-\fBpki/controllerca/incoming\fR and \fBpki/switchca/incoming\fR
-directories, respectively. Uploaded certificate requests are stored
-in those directories under names of the form
-\fIFINGERPRINT\fB\-req.pem\fR, which \fIFINGERPRINT\fR is the SHA\-1
-hash of the file.
-
-.IP \(bu
-These \fBovs\-pki\fR commands allow incoming certificate requests to
-be approved or rejected, in a form are suitable for use by humans or
-other software.
-
-.PP
-The following \fBovs\-pki\fR commands support online administration:
-
-.TP
-\fBovs\-pki\fR \fBls\fR [\fIPREFIX\fR] [\fITYPE\fR]
-Lists all of the incoming certificate requests of the given \fITYPE\fR
-(either \fBswitch\fR, the default, or \fBcontroller\fR). If
-\fIPREFIX\fR, which must be at least 4 characters long, is specified,
-it causes the list to be limited to files whose names begin with
-\fIPREFIX\fR. This is useful, for example, to avoid typing in an
-entire fingerprint when checking that a specific certificate request
-has been received.
-
-.TP
-\fBovs\-pki\fR \fBflush\fR [\fITYPE\fR]
-Deletes all certificate requests of the given \fITYPE\fR.
-
-.TP
-\fBovs\-pki\fR \fBreject\fR \fIPREFIX\fR [\fITYPE\fR]
-Rejects the certificate request whose name begins with \fIPREFIX\fR,
-which must be at least 4 characters long, of the given type (either
-\fBswitch\fR, the default, or \fBcontroller\fR). \fIPREFIX\fR must
-match exactly one certificate request; its purpose is to allow the
-user to type fewer characters, not to match multiple certificate
-requests.
-
-.TP
-\fBovs\-pki\fR \fBapprove\fR \fIPREFIX\fR [\fITYPE\fR]
-Approves the certificate request whose name begins with \fIPREFIX\fR,
-which must be at least 4 characters long, of the given \fITYPE\fR
-(either \fBswitch\fR, the default, or \fBcontroller\fR). \fIPREFIX\fR
-must match exactly one certificate request; its purpose is to allow
-the user to type fewer characters, not to match multiple certificate
-requests.
-
-The command will output a fingerprint to stdout and request that you
-verify that it is correct. (The \fB\-b\fR or \fB\-\^\-batch\fR option
-suppresses the verification step.)
-
-.TP
-\fBovs\-pki\fR \fBprompt\fR [\fITYPE\fR]
-Prompts the user for each incoming certificate request of the given
-\fITYPE\fR (either \fBswitch\fR, the default, or \fBcontroller\fR).
-Based on the certificate request's fingerprint, the user is given the
-option of approving, rejecting, or skipping the certificate request.
-
-.TP
-\fBovs\-pki\fR \fBexpire\fR [\fIAGE\fR]
-
-Rejects all the incoming certificate requests, of either type, that is
-older than \fIAGE\fR, which must in one of the forms \fIN\fBs\fR,
-\fIN\fBmin\fR, \fIN\fBh\fR, \fIN\fBday\fR. The default is \fB1day\fR.
-
.SH OPTIONS
.IP "\fB\-k\fR \fItype\fR"
.IQ "\fB\-\^\-key=\fItype\fR"
.IP "\fB\-b\fR"
.IQ "\fB\-\^\-batch\fR"
Suppresses the interactive verification of fingerprints that the
-\fBsign\fR and \fBapprove\fR commands by default require.
+\fBsign\fR command by default requires.
.IP "\fB\-d\fR \fIdir\fR"
.IQ "\fB\-\^\-dir=\fR\fIdir\fR"
.SH "SEE ALSO"
-.BR ovs\-controller (8),
-.BR ovs\-pki\-cgi (8)
+.BR ovs\-controller (8).
fingerprint FILE Prints the fingerprint for FILE
self-sign NAME Sign NAME-req.pem with NAME-privkey.pem,
producing self-signed certificate NAME-cert.pem
-
-The following additional commands manage an online PKI:
- ls [PREFIX] [TYPE] Lists incoming requests of the given TYPE, optionally
- limited to those whose fingerprint begins with PREFIX
- flush [TYPE] Rejects all incoming requests of the given TYPE
- reject PREFIX [TYPE] Rejects the incoming request(s) whose fingerprint begins
- with PREFIX and has the given TYPE
- approve PREFIX [TYPE] Approves the incoming request whose fingerprint begins
- with PREFIX and has the given TYPE
- expire [AGE] Rejects all incoming requests older than AGE, in
- one of the forms Ns, Nmin, Nh, Nday (default: 1day)
- prompt [TYPE] Interactively prompts to accept or reject each incoming
- request of the given TYPE
-
Each TYPE above is a certificate type: 'switch' (default) or 'controller'.
Options for 'init', 'req', and 'req+sign' only:
this has an effect only on 'init'.
-D, --dsaparam=FILE File with DSA parameters (DSA only)
(default: dsaparam.pem within PKI directory)
-Options for use with the 'sign' and 'approve' commands:
+Options for use with the 'sign' command:
-b, --batch Skip fingerprint verification
Options that apply to any command:
-d, --dir=DIR Directory where the PKI is located
mkdir -p certs crl newcerts
mkdir -p -m 0700 private
- mkdir -p -m 0733 incoming
touch index.txt
test -e crlnumber || echo 01 > crlnumber
test -e serial || echo 01 > serial
fi
}
-zero_or_one_args() {
- if test -n "$arg2"; then
- echo "$0: $command must have zero or one arguments; use --help for help" >&2
- exit 1
- fi
-}
-
one_or_two_args() {
if test -z "$arg1"; then
echo "$0: $command must have one or two arguments; use --help for help" >&2
fi
}
-resolve_prefix() {
- test -n "$type" || exit 123 # Forgot to call check_type?
-
- case $1 in
- ????*)
- ;;
- *)
- echo "Prefix $arg1 is too short (less than 4 hex digits)" >&2
- exit 0
- ;;
- esac
-
- fingerprint=$(cd "$pkidir/${type}ca/incoming" && echo "$1"*-req.pem | sed 's/-req\.pem$//')
- case $fingerprint in
- "${1}*")
- echo "No certificate requests matching $1" >&2
- exit 1
- ;;
- *" "*)
- echo "$1 matches more than one certificate request:" >&2
- echo $fingerprint | sed 's/ /\
-/g' >&2
- exit 1
- ;;
- *)
- # Nothing to do.
- ;;
- esac
- req="$pkidir/${type}ca/incoming/$fingerprint-req.pem"
- cert="$pkidir/${type}ca/certs/$fingerprint-cert.pem"
-}
-
make_tmpdir() {
TMP=/tmp/ovs-pki.tmp$$
rm -rf $TMP
# Reset the permissions on the certificate to the user's default.
cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"
rm -f "$arg1-cert.pem.tmp"
-elif test "$command" = ls; then
- check_type "$arg2"
-
- cd "$pkidir/${type}ca/incoming"
- for file in $(glob "$arg1*-req.pem"); do
- fingerprint $file
- done
-elif test "$command" = flush; then
- check_type "$arg1"
-
- rm -f "$pkidir/${type}ca/incoming/"*
-elif test "$command" = reject; then
- one_or_two_args
- check_type "$arg2"
- resolve_prefix "$arg1"
-
- rm -f "$req"
-elif test "$command" = approve; then
- one_or_two_args
- check_type "$arg2"
- resolve_prefix "$arg1"
-
- make_tmpdir
- cp "$req" "$TMP/$req"
- verify_fingerprint "$TMP/$req"
- sign_request "$TMP/$req"
- rm -f "$req" "$TMP/$req"
-elif test "$command" = prompt; then
- zero_or_one_args
- check_type "$arg1"
-
- make_tmpdir
- cd "$pkidir/${type}ca/incoming"
- for req in $(glob "*-req.pem"); do
- cp "$req" "$TMP/$req"
-
- cert=$(echo "$pkidir/${type}ca/certs/$req" |
- sed 's/-req.pem/-cert.pem/')
- if test -f $cert; then
- echo "Request $req already approved--dropping duplicate request"
- rm -f "$req" "$TMP/$req"
- continue
- fi
-
- echo
- echo
- fingerprint "$TMP/$req" "$req"
- printf "Disposition for this request (skip/approve/reject)? "
- read answer
- case $answer in
- approve)
- echo "Approving $req"
- sign_request "$TMP/$req" "$cert"
- rm -f "$req" "$TMP/$req"
- ;;
- r*)
- echo "Rejecting $req"
- rm -f "$req" "$TMP/$req"
- ;;
- *)
- echo "Skipping $req"
- ;;
- esac
- done
-elif test "$command" = expire; then
- zero_or_one_args
- cutoff=$(($(date +%s) - $(parse_age ${arg1-1day})))
- for type in switch controller; do
- cd "$pkidir/${type}ca/incoming" || exit 1
- for file in $(glob "*"); do
- time=$(file_mod_epoch "$file")
- if test "$time" -lt "$cutoff"; then
- rm -f "$file"
- fi
- done
- done
else
echo "$0: $command command unknown; use --help for help" >&2
exit 1