[ovs-dev] [PATCH 1/3] ovs-pki: Remove "online PKI" features and ovs-pki-cgi.

Gurucharan Shetty gshetty at nicira.com
Mon Aug 6 16:21:07 UTC 2012


On Fri, Aug 3, 2012 at 12:00 PM, Ben Pfaff <blp at nicira.com> wrote:

> Debian bug #683665, Red Hat bug #845350, and CVE-2012-3449 all claim that
> ovs-pki's "incoming" directory is a security vulnerability.  I do not think
> that this is the case, but I do not know of any users for this feature, so
> on balance I prefer to remove it and the ovs-pki-cgi program associated
> with it, just to be sure.
>
> CVE-2012-3449.
> Bug-report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683665
> Bug-report: https://bugzilla.redhat.com/show_bug.cgi?id=84535
> Reported-by: Andreas Beckmann <debian at abeckmann.de>
> Signed-off-by: Ben Pfaff <blp at nicira.com>
> ---
>  NEWS                     |    8 +++-
>  utilities/automake.mk    |    3 -
>  utilities/ovs-pki-cgi.in |   55 -------------------
>  utilities/ovs-pki.8.in   |   99 ++---------------------------------
>  utilities/ovs-pki.in     |  132
> +---------------------------------------------
>  5 files changed, 12 insertions(+), 285 deletions(-)
>  delete mode 100755 utilities/ovs-pki-cgi.in
>
> diff --git a/NEWS b/NEWS
> index d673b74..54a7114 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -9,9 +9,15 @@ post-v1.8.0
>      - OpenFlow:
>        - Allow bitwise masking for SHA and THA fields in ARP, SLL and TLL
>          fields in IPv6 neighbor discovery messages, and IPv6 flow label.
> -    - ovs-dpctl
> +    - ovs-dpctl:
>        - Support requesting the port number with the "port_no" option in
>          the "add-if" command.
> +    - ovs-pki: The "online PKI" features have been removed, along with
> +      the ovs-pki-cgi program that facilitated it, because of some
> +      alarmist insecurity claims.  We do not believe that these claims
> +      are true, but because we do not know of any users for this
> +      feature it seems better on balance to remove it.  (The ovs-pki-cgi
> +      program was not included in distribution packaging.)
>
>
>  v1.8.0 - xx xxx xxxx
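
Review bot: the new ovs-pki NEWS paragraph never names CVE-2012-3449, although the commit message cites it; anyone grepping the changelog for the CVE will miss this entry, so consider appending the identifier, e.g. "because of some alarmist insecurity claims (CVE-2012-3449)". In the same paragraph "the ovs-pki-cgi program that facilitated it" refers back to the plural "features", so "facilitated them". Unrelated to the hunk itself but worth fixing before this is applied: the Red Hat Bug-report URL in the commit message ends in "show_bug.cgi?id=84535" while the prose says "Red Hat bug #845350"; one of the two is missing a digit.
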
> diff --git a/utilities/automake.mk b/utilities/automake.mk
> index 7bb2c6d..fdd26b8 100644
> --- a/utilities/automake.mk
> +++ b/utilities/automake.mk
> @@ -13,7 +13,6 @@ bin_SCRIPTS += \
>         utilities/ovs-test \
>         utilities/ovs-vlan-test
>  endif
> -noinst_SCRIPTS += utilities/ovs-pki-cgi
>  scripts_SCRIPTS += \
>         utilities/ovs-check-dead-ifs \
>         utilities/ovs-ctl \
> @@ -27,7 +26,6 @@ EXTRA_DIST += \
>         utilities/ovs-lib.in \
>         utilities/ovs-parse-leaks.in \
>         utilities/ovs-pcap.in \
> -       utilities/ovs-pki-cgi.in \
>         utilities/ovs-pki.in \
>         utilities/ovs-save \
>         utilities/ovs-tcpundump.in \
> @@ -65,7 +63,6 @@ DISTCLEANFILES += \
>         utilities/ovs-pcap \
>         utilities/ovs-pcap.1 \
>         utilities/ovs-pki \
> -       utilities/ovs-pki-cgi \
>         utilities/ovs-pki.8 \
>         utilities/ovs-tcpundump \
>         utilities/ovs-tcpundump.1 \
> diff --git a/utilities/ovs-pki-cgi.in b/utilities/ovs-pki-cgi.in
> deleted file mode 100755
> index 3ef900e..0000000
> --- a/utilities/ovs-pki-cgi.in
> +++ /dev/null
> @@ -1,55 +0,0 @@
> -#! @PERL@
> -
> -# Copyright (c) 2008, 2009 Nicira, Inc.
> -#
> -# Licensed under the Apache License, Version 2.0 (the "License");
> -# you may not use this file except in compliance with the License.
> -# You may obtain a copy of the License at:
> -#
> -#     http://www.apache.org/licenses/LICENSE-2.0
> -#
> -# Unless required by applicable law or agreed to in writing, software
> -# distributed under the License is distributed on an "AS IS" BASIS,
> -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> -# See the License for the specific language governing permissions and
> -# limitations under the License.
> -
> -use CGI;
> -use Digest::SHA1;
> -use Fcntl;
> -
> -$CGI::POST_MAX = 65536;    # Limit POSTs to 64 kB.
> -
> -use strict;
> -use warnings;
> -
> -my $pkidir = '@PKIDIR@';
> -my $q = new CGI;
> -
> -die unless $q->request_method() eq 'POST';
> -
> -my $type = $q->param('type');
> -die unless defined $type;
> -die unless $type eq 'switch' or $type eq 'controller';
> -
> -my $req = $q->param('req');
> -die unless defined $req;
> -die unless $req =~ /^-----BEGIN CERTIFICATE REQUEST-----$/m;
> -die unless $req =~ /^-----END CERTIFICATE REQUEST-----$/m;
> -
> -my $digest = Digest::SHA1::sha1_hex($req);
> -my $incoming = "$pkidir/${type}ca/incoming";
> -my $dst = "$incoming/$digest-req.pem";
> -
> -sysopen(REQUEST, "$dst.tmp", O_RDWR | O_CREAT | O_EXCL, 0600)
> -  or die "sysopen $dst.tmp: $!";
> -print REQUEST $req;
> -close(REQUEST) or die "close $dst.tmp: $!";
> -
> -rename("$dst.tmp", $dst) or die "rename $dst.tmp to $dst: $!";
> -
> -print $q->header('text/html', '204 No response');
> -
> -# Local Variables:
> -# mode: perl
> -# End:
> diff --git a/utilities/ovs-pki.8.in b/utilities/ovs-pki.8.in
> index e40fdee..d63aa0a 100644
> --- a/utilities/ovs-pki.8.in
> +++ b/utilities/ovs-pki.8.in
> @@ -9,9 +9,11 @@
>  ovs\-pki \- OpenFlow public key infrastructure management utility
>
>  .SH SYNOPSIS
> +Each command takes the form:
> +.sp
>  \fBovs\-pki\fR [\fIOPTIONS\fR] \fICOMMAND\fR [\fIARGS\fR]
>  .sp
> -Stand\-alone commands with their arguments:
> +The implemented commands and their arguments are:
>  .br
>  \fBovs\-pki\fR \fBinit\fR
>  .br
> @@ -27,20 +29,6 @@ Stand\-alone commands with their arguments:
>  .br
>  \fBovs\-pki\fR \fBself\-sign\fR \fINAME\fR
>  .sp
> -The following additional commands manage an online PKI:
> -.br
> -\fBovs\-pki\fR \fBls\fR [\fIPREFIX\fR] [\fITYPE\fR]
> -.br
> -\fBovs\-pki\fR \fBflush\fR [\fITYPE\fR]
> -.br
> -\fBovs\-pki\fR \fBreject\fR \fIPREFIX\fR [\fITYPE\fR]
> -.br
> -\fBovs\-pki\fR \fBapprove\fR \fIPREFIX\fR [\fITYPE\fR]
> -.br
> -\fBovs\-pki\fR \fBprompt\fR [\fITYPE\fR]
> -.br
> -\fBovs\-pki\fR \fBexpire\fR [\fIAGE\fR]
> -.sp
>  Each \fITYPE\fR above is a certificate type, either \fBswitch\fR
>  (default) or \fBcontroller\fR.
>  .sp
> @@ -195,85 +183,6 @@ been produced with \fBovs\-pki req\fR.
>
>  Some controllers accept such self-signed certificates.
>
> -.SH "ONLINE COMMANDS"
> -
> -An OpenFlow PKI can be administered online, in conjunction with
> -.BR ovs\-pki\-cgi (8)
> -and a web server such as Apache:
> -
> -.IP \(bu
> -The web server exports the contents of the PKI via HTTP.  All files in
> -a PKI hierarchy files may be made public, except for the files
> -\fBpki/controllerca/private/cakey.pem\fR and
> -\fBpki/switchca/private/cakey.pem\fR, which must not be exposed.
> -
> -.IP \(bu
> -\fBovs\-pki\-cgi\fR allows newly generated certificate requests for
> -controllers and switches to be uploaded into the
> -\fBpki/controllerca/incoming\fR and \fBpki/switchca/incoming\fR
> -directories, respectively.  Uploaded certificate requests are stored
> -in those directories under names of the form
> -\fIFINGERPRINT\fB\-req.pem\fR, which \fIFINGERPRINT\fR is the SHA\-1
> -hash of the file.
> -
> -.IP \(bu
> -These \fBovs\-pki\fR commands allow incoming certificate requests to
> -be approved or rejected, in a form are suitable for use by humans or
> -other software.
> -
> -.PP
> -The following \fBovs\-pki\fR commands support online administration:
> -
> -.TP
> -\fBovs\-pki\fR \fBls\fR [\fIPREFIX\fR] [\fITYPE\fR]
> -Lists all of the incoming certificate requests of the given \fITYPE\fR
> -(either \fBswitch\fR, the default, or \fBcontroller\fR).  If
> -\fIPREFIX\fR, which must be at least 4 characters long, is specified,
> -it causes the list to be limited to files whose names begin with
> -\fIPREFIX\fR.  This is useful, for example, to avoid typing in an
> -entire fingerprint when checking that a specific certificate request
> -has been received.
> -
> -.TP
> -\fBovs\-pki\fR \fBflush\fR [\fITYPE\fR]
> -Deletes all certificate requests of the given \fITYPE\fR.
> -
> -.TP
> -\fBovs\-pki\fR \fBreject\fR \fIPREFIX\fR [\fITYPE\fR]
> -Rejects the certificate request whose name begins with \fIPREFIX\fR,
> -which must be at least 4 characters long, of the given type (either
> -\fBswitch\fR, the default, or \fBcontroller\fR).  \fIPREFIX\fR must
> -match exactly one certificate request; its purpose is to allow the
> -user to type fewer characters, not to match multiple certificate
> -requests.
> -
> -.TP
> -\fBovs\-pki\fR \fBapprove\fR \fIPREFIX\fR [\fITYPE\fR]
> -Approves the certificate request whose name begins with \fIPREFIX\fR,
> -which must be at least 4 characters long, of the given \fITYPE\fR
> -(either \fBswitch\fR, the default, or \fBcontroller\fR).  \fIPREFIX\fR
> -must match exactly one certificate request; its purpose is to allow
> -the user to type fewer characters, not to match multiple certificate
> -requests.
> -
> -The command will output a fingerprint to stdout and request that you
> -verify that it is correct.  (The \fB\-b\fR or \fB\-\^\-batch\fR option
> -suppresses the verification step.)
> -
> -.TP
> -\fBovs\-pki\fR \fBprompt\fR [\fITYPE\fR]
> -Prompts the user for each incoming certificate request of the given
> -\fITYPE\fR (either \fBswitch\fR, the default, or \fBcontroller\fR).
> -Based on the certificate request's fingerprint, the user is given the
> -option of approving, rejecting, or skipping the certificate request.
> -
> -.TP
> -\fBovs\-pki\fR \fBexpire\fR [\fIAGE\fR]
> -
> -Rejects all the incoming certificate requests, of either type, that is
> -older than \fIAGE\fR, which must in one of the forms \fIN\fBs\fR,
> -\fIN\fBmin\fR, \fIN\fBh\fR, \fIN\fBday\fR.  The default is \fB1day\fR.
> -
>  .SH OPTIONS
>  .IP "\fB\-k\fR \fItype\fR"
>  .IQ "\fB\-\^\-key=\fItype\fR"
> @@ -306,7 +215,7 @@ The default is \fBdsaparam.pem\fR under the PKI
> hierarchy.
>  .IP "\fB\-b\fR"
>  .IQ "\fB\-\^\-batch\fR"
>  Suppresses the interactive verification of fingerprints that the
> -\fBsign\fR and \fBapprove\fR commands by default require.
> +\fBsign\fR command by default requires.
>
>  .IP "\fB\-d\fR \fIdir\fR"
>  .IQ "\fB\-\^\-dir=\fR\fIdir\fR"
>
At the end of the file:
.SH "SEE ALSO"

.BR ovs\-controller (8),
.BR ovs\-pki\-cgi (8)

Should we remove the reference to ovs-pki-cgi?
Otherwise, looks good to me.

Thanks,
Guru


> diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
> index 2dc4060..2a67d53 100755
> --- a/utilities/ovs-pki.in
> +++ b/utilities/ovs-pki.in
> @@ -95,20 +95,6 @@ The valid stand-alone commands and their arguments are:
>    fingerprint FILE     Prints the fingerprint for FILE
>    self-sign NAME       Sign NAME-req.pem with NAME-privkey.pem,
>                         producing self-signed certificate NAME-cert.pem
> -
> -The following additional commands manage an online PKI:
> -  ls [PREFIX] [TYPE]   Lists incoming requests of the given TYPE,
> optionally
> -                       limited to those whose fingerprint begins with
> PREFIX
> -  flush [TYPE]         Rejects all incoming requests of the given TYPE
> -  reject PREFIX [TYPE] Rejects the incoming request(s) whose fingerprint
> begins
> -                       with PREFIX and has the given TYPE
> -  approve PREFIX [TYPE] Approves the incoming request whose fingerprint
> begins
> -                       with PREFIX and has the given TYPE
> -  expire [AGE]         Rejects all incoming requests older than AGE, in
> -                       one of the forms Ns, Nmin, Nh, Nday (default: 1day)
> -  prompt [TYPE]        Interactively prompts to accept or reject each
> incoming
> -                       request of the given TYPE
> -
>  Each TYPE above is a certificate type: 'switch' (default) or 'controller'.
>
>  Options for 'init', 'req', and 'req+sign' only:
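
Review bot: the retained heading in this hunk's context, "The valid stand-alone commands and their arguments are:", keeps the "stand-alone" qualifier that only made sense in contrast to the online commands being deleted here; the manpage hunk already rewords the equivalent line to "The implemented commands and their arguments are:", so the --help text should be changed to match.
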
> @@ -117,7 +103,7 @@ Options for 'init', 'req', and 'req+sign' only:
>                           this has an effect only on 'init'.
>    -D, --dsaparam=FILE  File with DSA parameters (DSA only)
>                           (default: dsaparam.pem within PKI directory)
> -Options for use with the 'sign' and 'approve' commands:
> +Options for use with the 'sign' command:
>    -b, --batch          Skip fingerprint verification
>  Options that apply to any command:
>    -d, --dir=DIR        Directory where the PKI is located
> @@ -251,7 +237,6 @@ if test "$command" = "init"; then
>
>          mkdir -p certs crl newcerts
>          mkdir -p -m 0700 private
> -        mkdir -p -m 0733 incoming
>          touch index.txt
>          test -e crlnumber || echo 01 > crlnumber
>          test -e serial || echo 01 > serial
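
Review bot: dropping "mkdir -p -m 0733 incoming" only stops new hierarchies from getting the directory; PKIs created by earlier releases keep their existing $pkidir/switchca/incoming and $pkidir/controllerca/incoming with mode 0733, and nothing in this patch removes or tightens them. Either have "init" clean up a pre-existing incoming directory or add a sentence to NEWS telling administrators to remove the two directories by hand after upgrading.
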
> @@ -334,13 +319,6 @@ one_arg() {
>      fi
>  }
>
> -zero_or_one_args() {
> -    if test -n "$arg2"; then
> -        echo "$0: $command must have zero or one arguments; use --help
> for help" >&2
> -        exit 1
> -    fi
> -}
> -
>  one_or_two_args() {
>      if test -z "$arg1"; then
>          echo "$0: $command must have one or two arguments; use --help for
> help" >&2
> @@ -355,38 +333,6 @@ must_not_exist() {
>      fi
>  }
>
> -resolve_prefix() {
> -    test -n "$type" || exit 123 # Forgot to call check_type?
> -
> -    case $1 in
> -        ????*)
> -            ;;
> -        *)
> -            echo "Prefix $arg1 is too short (less than 4 hex digits)" >&2
> -            exit 0
> -            ;;
> -    esac
> -
> -    fingerprint=$(cd "$pkidir/${type}ca/incoming" && echo "$1"*-req.pem |
> sed 's/-req\.pem$//')
> -    case $fingerprint in
> -        "${1}*")
> -            echo "No certificate requests matching $1" >&2
> -            exit 1
> -            ;;
> -        *" "*)
> -            echo "$1 matches more than one certificate request:" >&2
> -            echo $fingerprint | sed 's/ /\
> -/g' >&2
> -            exit 1
> -            ;;
> -        *)
> -            # Nothing to do.
> -            ;;
> -    esac
> -    req="$pkidir/${type}ca/incoming/$fingerprint-req.pem"
> -    cert="$pkidir/${type}ca/certs/$fingerprint-cert.pem"
> -}
> -
>  make_tmpdir() {
>      TMP=/tmp/ovs-pki.tmp$$
>      rm -rf $TMP
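
Review bot: outside the scope of this patch but visible in the trailing context, make_tmpdir uses the predictable path /tmp/ovs-pki.tmp$$ and runs "rm -rf $TMP" on it before use, which is the classic shared-/tmp race pattern; a follow-up could switch it to "mktemp -d" (or a directory under $pkidir) so that a local user cannot pre-create the path. Removing resolve_prefix itself looks correct: its only callers, reject and approve, go away in the last hunk.
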
> @@ -571,82 +517,6 @@ elif test "$command" = self-sign; then
>      # Reset the permissions on the certificate to the user's default.
>      cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"
>      rm -f "$arg1-cert.pem.tmp"
> -elif test "$command" = ls; then
> -    check_type "$arg2"
> -
> -    cd "$pkidir/${type}ca/incoming"
> -    for file in $(glob "$arg1*-req.pem"); do
> -        fingerprint $file
> -    done
> -elif test "$command" = flush; then
> -    check_type "$arg1"
> -
> -    rm -f "$pkidir/${type}ca/incoming/"*
> -elif test "$command" = reject; then
> -    one_or_two_args
> -    check_type "$arg2"
> -    resolve_prefix "$arg1"
> -
> -    rm -f "$req"
> -elif test "$command" = approve; then
> -    one_or_two_args
> -    check_type "$arg2"
> -    resolve_prefix "$arg1"
> -
> -    make_tmpdir
> -    cp "$req" "$TMP/$req"
> -    verify_fingerprint "$TMP/$req"
> -    sign_request "$TMP/$req"
> -    rm -f "$req" "$TMP/$req"
> -elif test "$command" = prompt; then
> -    zero_or_one_args
> -    check_type "$arg1"
> -
> -    make_tmpdir
> -    cd "$pkidir/${type}ca/incoming"
> -    for req in $(glob "*-req.pem"); do
> -        cp "$req" "$TMP/$req"
> -
> -        cert=$(echo "$pkidir/${type}ca/certs/$req" |
> -               sed 's/-req.pem/-cert.pem/')
> -        if test -f $cert; then
> -            echo "Request $req already approved--dropping duplicate
> request"
> -            rm -f "$req" "$TMP/$req"
> -            continue
> -        fi
> -
> -        echo
> -        echo
> -        fingerprint "$TMP/$req" "$req"
> -        printf "Disposition for this request (skip/approve/reject)? "
> -        read answer
> -        case $answer in
> -            approve)
> -                echo "Approving $req"
> -                sign_request "$TMP/$req" "$cert"
> -                rm -f "$req" "$TMP/$req"
> -                ;;
> -            r*)
> -                echo "Rejecting $req"
> -                rm -f "$req" "$TMP/$req"
> -                ;;
> -            *)
> -                echo "Skipping $req"
> -                ;;
> -        esac
> -    done
> -elif test "$command" = expire; then
> -    zero_or_one_args
> -    cutoff=$(($(date +%s) - $(parse_age ${arg1-1day})))
> -    for type in switch controller; do
> -        cd "$pkidir/${type}ca/incoming" || exit 1
> -        for file in $(glob "*"); do
> -            time=$(file_mod_epoch "$file")
> -            if test "$time" -lt "$cutoff"; then
> -                rm -f "$file"
> -            fi
> -        done
> -    done
>  else
>      echo "$0: $command command unknown; use --help for help" >&2
>      exit 1
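
Review bot: the deleted expire branch was the user of parse_age and file_mod_epoch, and ls, prompt and expire were users of glob, yet no hunk in this patch removes those helpers; if they have no remaining callers they become dead code and should be dropped in the same commit (or in a follow-up), and a quick grep for "incoming" over the finished script is worth doing to confirm nothing else still references $pkidir/${type}ca/incoming.
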
> --
> 1.7.2.5
>