From 2562714aa5d065e26a7d03a59c01d76b27cfc1d2 Mon Sep 17 00:00:00 2001 From: Ben Pfaff Date: Fri, 3 Aug 2012 11:56:33 -0700 Subject: [PATCH] ovs-pki: Remove "online PKI" features and ovs-pki-cgi. Debian bug #683665, Red Hat bug #845350, and CVE-2012-3449 all claim that ovs-pki's "incoming" directory is a security vulnerability. I do not think that this is the case, but I do not know of any users for this feature, so on balance I prefer to remove it and the ovs-pki-cgi program associated with it, just to be sure. CVE-2012-3449. Bug-report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683665 Bug-report: https://bugzilla.redhat.com/show_bug.cgi?id=84535 Reported-by: Andreas Beckmann Signed-off-by: Ben Pfaff --- NEWS | 8 ++- utilities/automake.mk | 3 - utilities/ovs-pki-cgi.in | 55 ---------------- utilities/ovs-pki.8.in | 102 ++---------------------------- utilities/ovs-pki.in | 132 +-------------------------------------- 5 files changed, 13 insertions(+), 287 deletions(-) delete mode 100755 utilities/ovs-pki-cgi.in diff --git a/NEWS b/NEWS index d673b748..54a71149 100644 --- a/NEWS +++ b/NEWS @@ -9,9 +9,15 @@ post-v1.8.0 - OpenFlow: - Allow bitwise masking for SHA and THA fields in ARP, SLL and TLL fields in IPv6 neighbor discovery messages, and IPv6 flow label. - - ovs-dpctl + - ovs-dpctl: - Support requesting the port number with the "port_no" option in the "add-if" command. + - ovs-pki: The "online PKI" features have been removed, along with + the ovs-pki-cgi program that facilitated it, because of some + alarmist insecurity claims. We do not believe that these claims + are true, but because we do not know of any users for this + feature it seems better on balance to remove it. (The ovs-pki-cgi + program was not included in distribution packaging.) v1.8.0 - xx xxx xxxx diff --git a/utilities/automake.mk b/utilities/automake.mk index 7bb2c6d6..fdd26b82 100644 --- a/utilities/automake.mk +++ b/utilities/automake.mk 
@@ -13,7 +13,6 @@ bin_SCRIPTS += \
 utilities/ovs-test \
 utilities/ovs-vlan-test
 endif
-noinst_SCRIPTS += utilities/ovs-pki-cgi
 scripts_SCRIPTS += \
 utilities/ovs-check-dead-ifs \
 utilities/ovs-ctl \
@@ -27,7 +26,6 @@ EXTRA_DIST += \
 utilities/ovs-lib.in \
 utilities/ovs-parse-leaks.in \
 utilities/ovs-pcap.in \
- utilities/ovs-pki-cgi.in \
 utilities/ovs-pki.in \
 utilities/ovs-save \
 utilities/ovs-tcpundump.in \
@@ -65,7 +63,6 @@ DISTCLEANFILES += \
 utilities/ovs-pcap \
 utilities/ovs-pcap.1 \
 utilities/ovs-pki \
- utilities/ovs-pki-cgi \
 utilities/ovs-pki.8 \
 utilities/ovs-tcpundump \
 utilities/ovs-tcpundump.1 \
diff --git a/utilities/ovs-pki-cgi.in b/utilities/ovs-pki-cgi.in
deleted file mode 100755
index 3ef900ef..00000000
--- a/utilities/ovs-pki-cgi.in
+++ /dev/null
@@ -1,55 +0,0 @@
-#! @PERL@
-
-# Copyright (c) 2008, 2009 Nicira, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-use CGI;
-use Digest::SHA1;
-use Fcntl;
-
-$CGI::POST_MAX = 65536; # Limit POSTs to 64 kB.
-
-use strict;
-use warnings;
-
-my $pkidir = '@PKIDIR@';
-my $q = new CGI;
-
-die unless $q->request_method() eq 'POST';
-
-my $type = $q->param('type');
-die unless defined $type;
-die unless $type eq 'switch' or $type eq 'controller';
-
-my $req = $q->param('req');
-die unless defined $req;
-die unless $req =~ /^-----BEGIN CERTIFICATE REQUEST-----$/m;
-die unless $req =~ /^-----END CERTIFICATE REQUEST-----$/m;
-
-my $digest = Digest::SHA1::sha1_hex($req);
-my $incoming = "$pkidir/${type}ca/incoming";
-my $dst = "$incoming/$digest-req.pem";
-
-sysopen(REQUEST, "$dst.tmp", O_RDWR | O_CREAT | O_EXCL, 0600)
- or die "sysopen $dst.tmp: $!";
-print REQUEST $req;
-close(REQUEST) or die "close $dst.tmp: $!";
-
-rename("$dst.tmp", $dst) or die "rename $dst.tmp to $dst: $!";
-
-print $q->header('text/html', '204 No response');
-
-# Local Variables:
-# mode: perl
-# End:
diff --git a/utilities/ovs-pki.8.in b/utilities/ovs-pki.8.in
index e40fdeea..f602ac82 100644
--- a/utilities/ovs-pki.8.in
+++ b/utilities/ovs-pki.8.in
@@ -9,9 +9,11 @@ ovs\-pki \- OpenFlow public key infrastructure management utility .SH SYNOPSIS +Each command takes the form: +.sp \fBovs\-pki\fR [\fIOPTIONS\fR] \fICOMMAND\fR [\fIARGS\fR] .sp -Stand\-alone commands with their arguments: +The implemented commands and their arguments are: .br \fBovs\-pki\fR \fBinit\fR .br @@ -27,20 +29,6 @@ Stand\-alone commands with their arguments: .br \fBovs\-pki\fR \fBself\-sign\fR \fINAME\fR .sp -The following additional commands manage an online PKI: -.br -\fBovs\-pki\fR \fBls\fR [\fIPREFIX\fR] [\fITYPE\fR] -.br -\fBovs\-pki\fR \fBflush\fR [\fITYPE\fR] -.br -\fBovs\-pki\fR \fBreject\fR \fIPREFIX\fR [\fITYPE\fR] -.br -\fBovs\-pki\fR \fBapprove\fR \fIPREFIX\fR [\fITYPE\fR] -.br -\fBovs\-pki\fR \fBprompt\fR [\fITYPE\fR] -.br -\fBovs\-pki\fR \fBexpire\fR [\fIAGE\fR] -.sp Each \fITYPE\fR above is a certificate type, either \fBswitch\fR (default) or \fBcontroller\fR. .sp 
@@ -195,85 +183,6 @@ been produced with \fBovs\-pki req\fR. Some controllers accept such self-signed certificates. -.SH "ONLINE COMMANDS" - -An OpenFlow PKI can be administered online, in conjunction with -.BR ovs\-pki\-cgi (8) -and a web server such as Apache: - -.IP \(bu -The web server exports the contents of the PKI via HTTP. All files in -a PKI hierarchy files may be made public, except for the files -\fBpki/controllerca/private/cakey.pem\fR and -\fBpki/switchca/private/cakey.pem\fR, which must not be exposed. - -.IP \(bu -\fBovs\-pki\-cgi\fR allows newly generated certificate requests for -controllers and switches to be uploaded into the -\fBpki/controllerca/incoming\fR and \fBpki/switchca/incoming\fR -directories, respectively. Uploaded certificate requests are stored -in those directories under names of the form -\fIFINGERPRINT\fB\-req.pem\fR, which \fIFINGERPRINT\fR is the SHA\-1 -hash of the file. - -.IP \(bu -These \fBovs\-pki\fR commands allow incoming certificate requests to -be approved or rejected, in a form are suitable for use by humans or -other software. - -.PP -The following \fBovs\-pki\fR commands support online administration: - -.TP -\fBovs\-pki\fR \fBls\fR [\fIPREFIX\fR] [\fITYPE\fR] -Lists all of the incoming certificate requests of the given \fITYPE\fR -(either \fBswitch\fR, the default, or \fBcontroller\fR). If -\fIPREFIX\fR, which must be at least 4 characters long, is specified, -it causes the list to be limited to files whose names begin with -\fIPREFIX\fR. This is useful, for example, to avoid typing in an -entire fingerprint when checking that a specific certificate request -has been received. - -.TP -\fBovs\-pki\fR \fBflush\fR [\fITYPE\fR] -Deletes all certificate requests of the given \fITYPE\fR. 
- -.TP -\fBovs\-pki\fR \fBreject\fR \fIPREFIX\fR [\fITYPE\fR] -Rejects the certificate request whose name begins with \fIPREFIX\fR, -which must be at least 4 characters long, of the given type (either -\fBswitch\fR, the default, or \fBcontroller\fR). \fIPREFIX\fR must -match exactly one certificate request; its purpose is to allow the -user to type fewer characters, not to match multiple certificate -requests. - -.TP -\fBovs\-pki\fR \fBapprove\fR \fIPREFIX\fR [\fITYPE\fR] -Approves the certificate request whose name begins with \fIPREFIX\fR, -which must be at least 4 characters long, of the given \fITYPE\fR -(either \fBswitch\fR, the default, or \fBcontroller\fR). \fIPREFIX\fR -must match exactly one certificate request; its purpose is to allow -the user to type fewer characters, not to match multiple certificate -requests. - -The command will output a fingerprint to stdout and request that you -verify that it is correct. (The \fB\-b\fR or \fB\-\^\-batch\fR option -suppresses the verification step.) - -.TP -\fBovs\-pki\fR \fBprompt\fR [\fITYPE\fR] -Prompts the user for each incoming certificate request of the given -\fITYPE\fR (either \fBswitch\fR, the default, or \fBcontroller\fR). -Based on the certificate request's fingerprint, the user is given the -option of approving, rejecting, or skipping the certificate request. - -.TP -\fBovs\-pki\fR \fBexpire\fR [\fIAGE\fR] - -Rejects all the incoming certificate requests, of either type, that is -older than \fIAGE\fR, which must in one of the forms \fIN\fBs\fR, -\fIN\fBmin\fR, \fIN\fBh\fR, \fIN\fBday\fR. The default is \fB1day\fR. - .SH OPTIONS .IP "\fB\-k\fR \fItype\fR" .IQ "\fB\-\^\-key=\fItype\fR" 
@@ -306,7 +215,7 @@ The default is \fBdsaparam.pem\fR under the PKI hierarchy. .IP "\fB\-b\fR" .IQ "\fB\-\^\-batch\fR" Suppresses the interactive verification of fingerprints that the -\fBsign\fR and \fBapprove\fR commands by default require. +\fBsign\fR command by default requires. .IP "\fB\-d\fR \fIdir\fR" .IQ "\fB\-\^\-dir=\fR\fIdir\fR" @@ -330,5 +239,4 @@ Prints a help usage message and exits. .SH "SEE ALSO" -.BR ovs\-controller (8), -.BR ovs\-pki\-cgi (8) +.BR ovs\-controller (8). diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in index 2dc40603..2a67d538 100755 --- a/utilities/ovs-pki.in +++ b/utilities/ovs-pki.in @@ -95,20 +95,6 @@ The valid stand-alone commands and their arguments are: fingerprint FILE Prints the fingerprint for FILE self-sign NAME Sign NAME-req.pem with NAME-privkey.pem, producing self-signed certificate NAME-cert.pem - -The following additional commands manage an online PKI: - ls [PREFIX] [TYPE] Lists incoming requests of the given TYPE, optionally - limited to those whose fingerprint begins with PREFIX - flush [TYPE] Rejects all incoming requests of the given TYPE - reject PREFIX [TYPE] Rejects the incoming request(s) whose fingerprint begins - with PREFIX and has the given TYPE - approve PREFIX [TYPE] Approves the incoming request whose fingerprint begins - with PREFIX and has the given TYPE - expire [AGE] Rejects all incoming requests older than AGE, in - one of the forms Ns, Nmin, Nh, Nday (default: 1day) - prompt [TYPE] Interactively prompts to accept or reject each incoming - request of the given TYPE - Each TYPE above is a certificate type: 'switch' (default) or 'controller'. Options for 'init', 'req', and 'req+sign' only: 
@@ -117,7 +103,7 @@ Options for 'init', 'req', and 'req+sign' only: this has an effect only on 'init'. -D, --dsaparam=FILE File with DSA parameters (DSA only) (default: dsaparam.pem within PKI directory) -Options for use with the 'sign' and 'approve' commands: +Options for use with the 'sign' command: -b, --batch Skip fingerprint verification Options that apply to any command: -d, --dir=DIR Directory where the PKI is located @@ -251,7 +237,6 @@ if test "$command" = "init"; then mkdir -p certs crl newcerts mkdir -p -m 0700 private - mkdir -p -m 0733 incoming touch index.txt test -e crlnumber || echo 01 > crlnumber test -e serial || echo 01 > serial @@ -334,13 +319,6 @@ one_arg() { fi } -zero_or_one_args() { - if test -n "$arg2"; then - echo "$0: $command must have zero or one arguments; use --help for help" >&2 - exit 1 - fi -} - one_or_two_args() { if test -z "$arg1"; then echo "$0: $command must have one or two arguments; use --help for help" >&2 @@ -355,38 +333,6 @@ must_not_exist() { fi } -resolve_prefix() { - test -n "$type" || exit 123 # Forgot to call check_type? - - case $1 in - ????*) - ;; - *) - echo "Prefix $arg1 is too short (less than 4 hex digits)" >&2 - exit 0 - ;; - esac - - fingerprint=$(cd "$pkidir/${type}ca/incoming" && echo "$1"*-req.pem | sed 's/-req\.pem$//') - case $fingerprint in - "${1}*") - echo "No certificate requests matching $1" >&2 - exit 1 - ;; - *" "*) - echo "$1 matches more than one certificate request:" >&2 - echo $fingerprint | sed 's/ /\ -/g' >&2 - exit 1 - ;; - *) - # Nothing to do. - ;; - esac - req="$pkidir/${type}ca/incoming/$fingerprint-req.pem" - cert="$pkidir/${type}ca/certs/$fingerprint-cert.pem" -} - make_tmpdir() { TMP=/tmp/ovs-pki.tmp$$ rm -rf $TMP 
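Review bot: Dropping `mkdir -p -m 0733 incoming` from the init branch only stops new hierarchies from getting the world-writable directory; a PKI created by an earlier release still has `$pkidir/switchca/incoming` and `$pkidir/controllerca/incoming` with mode 0733 (and any requests already dropped there), which is exactly what the cited bug reports complain about, and neither this patch nor the NEWS entry tells upgraders to remove it. At minimum the NEWS entry or ovs-pki.8 should say something like "After upgrading, remove any existing `incoming` directories under the switchca and controllerca subdirectories of the PKI, since nothing reads them any more"; if `init` refuses to run on an existing directory (I cannot see its guard in this hunk), a cleanup cannot be done there and an explicit upgrade note is the only fix. The enclosing `if test "$command" = "init"` branch starts outside the hunk. Separately, with `resolve_prefix` and the online commands gone, helpers such as `parse_age` and `file_mod_epoch` appear to be called only from the removed `expire` branch as far as this patch shows, so they are probably dead code now and worth removing in the same change.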
@@ -571,82 +517,6 @@ elif test "$command" = self-sign; then
 # Reset the permissions on the certificate to the user's default.
 cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"
 rm -f "$arg1-cert.pem.tmp"
-elif test "$command" = ls; then
- check_type "$arg2"
-
- cd "$pkidir/${type}ca/incoming"
- for file in $(glob "$arg1*-req.pem"); do
- fingerprint $file
- done
-elif test "$command" = flush; then
- check_type "$arg1"
-
- rm -f "$pkidir/${type}ca/incoming/"*
-elif test "$command" = reject; then
- one_or_two_args
- check_type "$arg2"
- resolve_prefix "$arg1"
-
- rm -f "$req"
-elif test "$command" = approve; then
- one_or_two_args
- check_type "$arg2"
- resolve_prefix "$arg1"
-
- make_tmpdir
- cp "$req" "$TMP/$req"
- verify_fingerprint "$TMP/$req"
- sign_request "$TMP/$req"
- rm -f "$req" "$TMP/$req"
-elif test "$command" = prompt; then
- zero_or_one_args
- check_type "$arg1"
-
- make_tmpdir
- cd "$pkidir/${type}ca/incoming"
- for req in $(glob "*-req.pem"); do
- cp "$req" "$TMP/$req"
-
- cert=$(echo "$pkidir/${type}ca/certs/$req" |
- sed 's/-req.pem/-cert.pem/')
- if test -f $cert; then
- echo "Request $req already approved--dropping duplicate request"
- rm -f "$req" "$TMP/$req"
- continue
- fi
-
- echo
- echo
- fingerprint "$TMP/$req" "$req"
- printf "Disposition for this request (skip/approve/reject)? "
- read answer
- case $answer in
- approve)
- echo "Approving $req"
- sign_request "$TMP/$req" "$cert"
- rm -f "$req" "$TMP/$req"
- ;;
- r*)
- echo "Rejecting $req"
- rm -f "$req" "$TMP/$req"
- ;;
- *)
- echo "Skipping $req"
- ;;
- esac
- done
-elif test "$command" = expire; then
- zero_or_one_args
- cutoff=$(($(date +%s) - $(parse_age ${arg1-1day})))
- for type in switch controller; do
- cd "$pkidir/${type}ca/incoming" || exit 1
- for file in $(glob "*"); do
- time=$(file_mod_epoch "$file")
- if test "$time" -lt "$cutoff"; then
- rm -f "$file"
- fi
- done
- done
 else
 echo "$0: $command command unknown; use --help for help" >&2
 exit 1
-- 
2.30.2