On Fri, Aug 3, 2012 at 12:00 PM, Ben Pfaff <b...@nicira.com> wrote:
> Debian bug #683665, Red Hat bug #845350, and CVE-2012-3449 all claim that
> ovs-pki's "incoming" directory is a security vulnerability. I do not think
> that this is the case, but I do not know of any users for this feature, so
> on balance I prefer to remove it and the ovs-pki-cgi program associated
> with it, just to be sure.
>
> CVE-2012-3449.
> Bug-report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683665
> Bug-report: https://bugzilla.redhat.com/show_bug.cgi?id=84535
> Reported-by: Andreas Beckmann <deb...@abeckmann.de>
> Signed-off-by: Ben Pfaff <b...@nicira.com>
> ---
> NEWS | 8 +++-
> utilities/automake.mk | 3 -
> utilities/ovs-pki-cgi.in | 55 -------------------
> utilities/ovs-pki.8.in | 99 ++---------------------------------
> utilities/ovs-pki.in | 132
> +---------------------------------------------
> 5 files changed, 12 insertions(+), 285 deletions(-)
> delete mode 100755 utilities/ovs-pki-cgi.in
>
> diff --git a/NEWS b/NEWS
> index d673b74..54a7114 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -9,9 +9,15 @@ post-v1.8.0
> - OpenFlow:
> - Allow bitwise masking for SHA and THA fields in ARP, SLL and TLL
> fields in IPv6 neighbor discovery messages, and IPv6 flow label.
> - - ovs-dpctl
> + - ovs-dpctl:
> - Support requesting the port number with the "port_no" option in
> the "add-if" command.
> + - ovs-pki: The "online PKI" features have been removed, along with
> + the ovs-pki-cgi program that facilitated it, because of some
> + alarmist insecurity claims. We do not believe that these claims
> + are true, but because we do not know of any users for this
> + feature it seems better on balance to remove it. (The ovs-pki-cgi
> + program was not included in distribution packaging.)
>
>
> v1.8.0 - xx xxx xxxx
> diff --git a/utilities/automake.mk b/utilities/automake.mk
> index 7bb2c6d..fdd26b8 100644
> --- a/utilities/automake.mk
> +++ b/utilities/automake.mk
> @@ -13,7 +13,6 @@ bin_SCRIPTS += \
> utilities/ovs-test \
> utilities/ovs-vlan-test
> endif
> -noinst_SCRIPTS += utilities/ovs-pki-cgi
> scripts_SCRIPTS += \
> utilities/ovs-check-dead-ifs \
> utilities/ovs-ctl \
> @@ -27,7 +26,6 @@ EXTRA_DIST += \
> utilities/ovs-lib.in \
> utilities/ovs-parse-leaks.in \
> utilities/ovs-pcap.in \
> - utilities/ovs-pki-cgi.in \
> utilities/ovs-pki.in \
> utilities/ovs-save \
> utilities/ovs-tcpundump.in \
> @@ -65,7 +63,6 @@ DISTCLEANFILES += \
> utilities/ovs-pcap \
> utilities/ovs-pcap.1 \
> utilities/ovs-pki \
> - utilities/ovs-pki-cgi \
> utilities/ovs-pki.8 \
> utilities/ovs-tcpundump \
> utilities/ovs-tcpundump.1 \
> diff --git a/utilities/ovs-pki-cgi.in b/utilities/ovs-pki-cgi.in
> deleted file mode 100755
> index 3ef900e..0000000
> --- a/utilities/ovs-pki-cgi.in
> +++ /dev/null
> @@ -1,55 +0,0 @@
> -#! @PERL@
> -
> -# Copyright (c) 2008, 2009 Nicira, Inc.
> -#
> -# Licensed under the Apache License, Version 2.0 (the "License");
> -# you may not use this file except in compliance with the License.
> -# You may obtain a copy of the License at:
> -#
> -# http://www.apache.org/licenses/LICENSE-2.0
> -#
> -# Unless required by applicable law or agreed to in writing, software
> -# distributed under the License is distributed on an "AS IS" BASIS,
> -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> -# See the License for the specific language governing permissions and
> -# limitations under the License.
> -
> -use CGI;
> -use Digest::SHA1;
> -use Fcntl;
> -
> -$CGI::POST_MAX = 65536; # Limit POSTs to 64 kB.
> -
> -use strict;
> -use warnings;
> -
> -my $pkidir = '@PKIDIR@';
> -my $q = new CGI;
> -
> -die unless $q->request_method() eq 'POST';
> -
> -my $type = $q->param('type');
> -die unless defined $type;
> -die unless $type eq 'switch' or $type eq 'controller';
> -
> -my $req = $q->param('req');
> -die unless defined $req;
> -die unless $req =~ /^-----BEGIN CERTIFICATE REQUEST-----$/m;
> -die unless $req =~ /^-----END CERTIFICATE REQUEST-----$/m;
> -
> -my $digest = Digest::SHA1::sha1_hex($req);
> -my $incoming = "$pkidir/${type}ca/incoming";
> -my $dst = "$incoming/$digest-req.pem";
> -
> -sysopen(REQUEST, "$dst.tmp", O_RDWR | O_CREAT | O_EXCL, 0600)
> - or die "sysopen $dst.tmp: $!";
> -print REQUEST $req;
> -close(REQUEST) or die "close $dst.tmp: $!";
> -
> -rename("$dst.tmp", $dst) or die "rename $dst.tmp to $dst: $!";
> -
> -print $q->header('text/html', '204 No response');
> -
> -# Local Variables:
> -# mode: perl
> -# End:
> diff --git a/utilities/ovs-pki.8.in b/utilities/ovs-pki.8.in
> index e40fdee..d63aa0a 100644
> --- a/utilities/ovs-pki.8.in
> +++ b/utilities/ovs-pki.8.in
> @@ -9,9 +9,11 @@
> ovs\-pki \- OpenFlow public key infrastructure management utility
>
> .SH SYNOPSIS
> +Each command takes the form:
> +.sp
> \fBovs\-pki\fR [\fIOPTIONS\fR] \fICOMMAND\fR [\fIARGS\fR]
> .sp
> -Stand\-alone commands with their arguments:
> +The implemented commands and their arguments are:
> .br
> \fBovs\-pki\fR \fBinit\fR
> .br
> @@ -27,20 +29,6 @@ Stand\-alone commands with their arguments:
> .br
> \fBovs\-pki\fR \fBself\-sign\fR \fINAME\fR
> .sp
> -The following additional commands manage an online PKI:
> -.br
> -\fBovs\-pki\fR \fBls\fR [\fIPREFIX\fR] [\fITYPE\fR]
> -.br
> -\fBovs\-pki\fR \fBflush\fR [\fITYPE\fR]
> -.br
> -\fBovs\-pki\fR \fBreject\fR \fIPREFIX\fR [\fITYPE\fR]
> -.br
> -\fBovs\-pki\fR \fBapprove\fR \fIPREFIX\fR [\fITYPE\fR]
> -.br
> -\fBovs\-pki\fR \fBprompt\fR [\fITYPE\fR]
> -.br
> -\fBovs\-pki\fR \fBexpire\fR [\fIAGE\fR]
> -.sp
> Each \fITYPE\fR above is a certificate type, either \fBswitch\fR
> (default) or \fBcontroller\fR.
> .sp
> @@ -195,85 +183,6 @@ been produced with \fBovs\-pki req\fR.
>
> Some controllers accept such self-signed certificates.
>
> -.SH "ONLINE COMMANDS"
> -
> -An OpenFlow PKI can be administered online, in conjunction with
> -.BR ovs\-pki\-cgi (8)
> -and a web server such as Apache:
> -
> -.IP \(bu
> -The web server exports the contents of the PKI via HTTP. All files in
> -a PKI hierarchy files may be made public, except for the files
> -\fBpki/controllerca/private/cakey.pem\fR and
> -\fBpki/switchca/private/cakey.pem\fR, which must not be exposed.
> -
> -.IP \(bu
> -\fBovs\-pki\-cgi\fR allows newly generated certificate requests for
> -controllers and switches to be uploaded into the
> -\fBpki/controllerca/incoming\fR and \fBpki/switchca/incoming\fR
> -directories, respectively. Uploaded certificate requests are stored
> -in those directories under names of the form
> -\fIFINGERPRINT\fB\-req.pem\fR, which \fIFINGERPRINT\fR is the SHA\-1
> -hash of the file.
> -
> -.IP \(bu
> -These \fBovs\-pki\fR commands allow incoming certificate requests to
> -be approved or rejected, in a form are suitable for use by humans or
> -other software.
> -
> -.PP
> -The following \fBovs\-pki\fR commands support online administration:
> -
> -.TP
> -\fBovs\-pki\fR \fBls\fR [\fIPREFIX\fR] [\fITYPE\fR]
> -Lists all of the incoming certificate requests of the given \fITYPE\fR
> -(either \fBswitch\fR, the default, or \fBcontroller\fR). If
> -\fIPREFIX\fR, which must be at least 4 characters long, is specified,
> -it causes the list to be limited to files whose names begin with
> -\fIPREFIX\fR. This is useful, for example, to avoid typing in an
> -entire fingerprint when checking that a specific certificate request
> -has been received.
> -
> -.TP
> -\fBovs\-pki\fR \fBflush\fR [\fITYPE\fR]
> -Deletes all certificate requests of the given \fITYPE\fR.
> -
> -.TP
> -\fBovs\-pki\fR \fBreject\fR \fIPREFIX\fR [\fITYPE\fR]
> -Rejects the certificate request whose name begins with \fIPREFIX\fR,
> -which must be at least 4 characters long, of the given type (either
> -\fBswitch\fR, the default, or \fBcontroller\fR). \fIPREFIX\fR must
> -match exactly one certificate request; its purpose is to allow the
> -user to type fewer characters, not to match multiple certificate
> -requests.
> -
> -.TP
> -\fBovs\-pki\fR \fBapprove\fR \fIPREFIX\fR [\fITYPE\fR]
> -Approves the certificate request whose name begins with \fIPREFIX\fR,
> -which must be at least 4 characters long, of the given \fITYPE\fR
> -(either \fBswitch\fR, the default, or \fBcontroller\fR). \fIPREFIX\fR
> -must match exactly one certificate request; its purpose is to allow
> -the user to type fewer characters, not to match multiple certificate
> -requests.
> -
> -The command will output a fingerprint to stdout and request that you
> -verify that it is correct. (The \fB\-b\fR or \fB\-\^\-batch\fR option
> -suppresses the verification step.)
> -
> -.TP
> -\fBovs\-pki\fR \fBprompt\fR [\fITYPE\fR]
> -Prompts the user for each incoming certificate request of the given
> -\fITYPE\fR (either \fBswitch\fR, the default, or \fBcontroller\fR).
> -Based on the certificate request's fingerprint, the user is given the
> -option of approving, rejecting, or skipping the certificate request.
> -
> -.TP
> -\fBovs\-pki\fR \fBexpire\fR [\fIAGE\fR]
> -
> -Rejects all the incoming certificate requests, of either type, that is
> -older than \fIAGE\fR, which must in one of the forms \fIN\fBs\fR,
> -\fIN\fBmin\fR, \fIN\fBh\fR, \fIN\fBday\fR. The default is \fB1day\fR.
> -
> .SH OPTIONS
> .IP "\fB\-k\fR \fItype\fR"
> .IQ "\fB\-\^\-key=\fItype\fR"
> @@ -306,7 +215,7 @@ The default is \fBdsaparam.pem\fR under the PKI
> hierarchy.
> .IP "\fB\-b\fR"
> .IQ "\fB\-\^\-batch\fR"
> Suppresses the interactive verification of fingerprints that the
> -\fBsign\fR and \fBapprove\fR commands by default require.
> +\fBsign\fR command by default requires.
>
> .IP "\fB\-d\fR \fIdir\fR"
> .IQ "\fB\-\^\-dir=\fR\fIdir\fR"
>
At the end of the file:
.SH "SEE ALSO"
.BR ovs\-controller (8),
.BR ovs\-pki\-cgi (8)
Should we remove the reference to ovs-pki-cgi?
Otherwise, looks good to me.
Thanks,
Guru
> diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
> index 2dc4060..2a67d53 100755
> --- a/utilities/ovs-pki.in
> +++ b/utilities/ovs-pki.in
> @@ -95,20 +95,6 @@ The valid stand-alone commands and their arguments are:
> fingerprint FILE Prints the fingerprint for FILE
> self-sign NAME Sign NAME-req.pem with NAME-privkey.pem,
> producing self-signed certificate NAME-cert.pem
> -
> -The following additional commands manage an online PKI:
> - ls [PREFIX] [TYPE] Lists incoming requests of the given TYPE,
> optionally
> - limited to those whose fingerprint begins with
> PREFIX
> - flush [TYPE] Rejects all incoming requests of the given TYPE
> - reject PREFIX [TYPE] Rejects the incoming request(s) whose fingerprint
> begins
> - with PREFIX and has the given TYPE
> - approve PREFIX [TYPE] Approves the incoming request whose fingerprint
> begins
> - with PREFIX and has the given TYPE
> - expire [AGE] Rejects all incoming requests older than AGE, in
> - one of the forms Ns, Nmin, Nh, Nday (default: 1day)
> - prompt [TYPE] Interactively prompts to accept or reject each
> incoming
> - request of the given TYPE
> -
> Each TYPE above is a certificate type: 'switch' (default) or 'controller'.
>
> Options for 'init', 'req', and 'req+sign' only:
> @@ -117,7 +103,7 @@ Options for 'init', 'req', and 'req+sign' only:
> this has an effect only on 'init'.
> -D, --dsaparam=FILE File with DSA parameters (DSA only)
> (default: dsaparam.pem within PKI directory)
> -Options for use with the 'sign' and 'approve' commands:
> +Options for use with the 'sign' command:
> -b, --batch Skip fingerprint verification
> Options that apply to any command:
> -d, --dir=DIR Directory where the PKI is located
> @@ -251,7 +237,6 @@ if test "$command" = "init"; then
>
> mkdir -p certs crl newcerts
> mkdir -p -m 0700 private
> - mkdir -p -m 0733 incoming
> touch index.txt
> test -e crlnumber || echo 01 > crlnumber
> test -e serial || echo 01 > serial
> @@ -334,13 +319,6 @@ one_arg() {
> fi
> }
>
> -zero_or_one_args() {
> - if test -n "$arg2"; then
> - echo "$0: $command must have zero or one arguments; use --help
> for help" >&2
> - exit 1
> - fi
> -}
> -
> one_or_two_args() {
> if test -z "$arg1"; then
> echo "$0: $command must have one or two arguments; use --help for
> help" >&2
> @@ -355,38 +333,6 @@ must_not_exist() {
> fi
> }
>
> -resolve_prefix() {
> - test -n "$type" || exit 123 # Forgot to call check_type?
> -
> - case $1 in
> - ????*)
> - ;;
> - *)
> - echo "Prefix $arg1 is too short (less than 4 hex digits)" >&2
> - exit 0
> - ;;
> - esac
> -
> - fingerprint=$(cd "$pkidir/${type}ca/incoming" && echo "$1"*-req.pem |
> sed 's/-req\.pem$//')
> - case $fingerprint in
> - "${1}*")
> - echo "No certificate requests matching $1" >&2
> - exit 1
> - ;;
> - *" "*)
> - echo "$1 matches more than one certificate request:" >&2
> - echo $fingerprint | sed 's/ /\
> -/g' >&2
> - exit 1
> - ;;
> - *)
> - # Nothing to do.
> - ;;
> - esac
> - req="$pkidir/${type}ca/incoming/$fingerprint-req.pem"
> - cert="$pkidir/${type}ca/certs/$fingerprint-cert.pem"
> -}
> -
> make_tmpdir() {
> TMP=/tmp/ovs-pki.tmp$$
> rm -rf $TMP
> @@ -571,82 +517,6 @@ elif test "$command" = self-sign; then
> # Reset the permissions on the certificate to the user's default.
> cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem"
> rm -f "$arg1-cert.pem.tmp"
> -elif test "$command" = ls; then
> - check_type "$arg2"
> -
> - cd "$pkidir/${type}ca/incoming"
> - for file in $(glob "$arg1*-req.pem"); do
> - fingerprint $file
> - done
> -elif test "$command" = flush; then
> - check_type "$arg1"
> -
> - rm -f "$pkidir/${type}ca/incoming/"*
> -elif test "$command" = reject; then
> - one_or_two_args
> - check_type "$arg2"
> - resolve_prefix "$arg1"
> -
> - rm -f "$req"
> -elif test "$command" = approve; then
> - one_or_two_args
> - check_type "$arg2"
> - resolve_prefix "$arg1"
> -
> - make_tmpdir
> - cp "$req" "$TMP/$req"
> - verify_fingerprint "$TMP/$req"
> - sign_request "$TMP/$req"
> - rm -f "$req" "$TMP/$req"
> -elif test "$command" = prompt; then
> - zero_or_one_args
> - check_type "$arg1"
> -
> - make_tmpdir
> - cd "$pkidir/${type}ca/incoming"
> - for req in $(glob "*-req.pem"); do
> - cp "$req" "$TMP/$req"
> -
> - cert=$(echo "$pkidir/${type}ca/certs/$req" |
> - sed 's/-req.pem/-cert.pem/')
> - if test -f $cert; then
> - echo "Request $req already approved--dropping duplicate
> request"
> - rm -f "$req" "$TMP/$req"
> - continue
> - fi
> -
> - echo
> - echo
> - fingerprint "$TMP/$req" "$req"
> - printf "Disposition for this request (skip/approve/reject)? "
> - read answer
> - case $answer in
> - approve)
> - echo "Approving $req"
> - sign_request "$TMP/$req" "$cert"
> - rm -f "$req" "$TMP/$req"
> - ;;
> - r*)
> - echo "Rejecting $req"
> - rm -f "$req" "$TMP/$req"
> - ;;
> - *)
> - echo "Skipping $req"
> - ;;
> - esac
> - done
> -elif test "$command" = expire; then
> - zero_or_one_args
> - cutoff=$(($(date +%s) - $(parse_age ${arg1-1day})))
> - for type in switch controller; do
> - cd "$pkidir/${type}ca/incoming" || exit 1
> - for file in $(glob "*"); do
> - time=$(file_mod_epoch "$file")
> - if test "$time" -lt "$cutoff"; then
> - rm -f "$file"
> - fi
> - done
> - done
> else
> echo "$0: $command command unknown; use --help for help" >&2
> exit 1
> --
> 1.7.2.5
>
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev
>
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
