On Fri, Aug 3, 2012 at 12:00 PM, Ben Pfaff <b...@nicira.com> wrote: > Debian bug #683665, Red Hat bug #845350, and CVE-2012-3449 all claim that > ovs-pki's "incoming" directory is a security vulnerability. I do not think > that this is the case, but I do not know of any users for this feature, so > on balance I prefer to remove it and the ovs-pki-cgi program associated > with it, just to be sure. > > CVE-2012-3449. > Bug-report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683665 > Bug-report: https://bugzilla.redhat.com/show_bug.cgi?id=84535 > Reported-by: Andreas Beckmann <deb...@abeckmann.de> > Signed-off-by: Ben Pfaff <b...@nicira.com> > --- > NEWS | 8 +++- > utilities/automake.mk | 3 - > utilities/ovs-pki-cgi.in | 55 ------------------- > utilities/ovs-pki.8.in | 99 ++--------------------------------- > utilities/ovs-pki.in | 132 > +--------------------------------------------- > 5 files changed, 12 insertions(+), 285 deletions(-) > delete mode 100755 utilities/ovs-pki-cgi.in > > diff --git a/NEWS b/NEWS > index d673b74..54a7114 100644 > --- a/NEWS > +++ b/NEWS > @@ -9,9 +9,15 @@ post-v1.8.0 > - OpenFlow: > - Allow bitwise masking for SHA and THA fields in ARP, SLL and TLL > fields in IPv6 neighbor discovery messages, and IPv6 flow label. > - - ovs-dpctl > + - ovs-dpctl: > - Support requesting the port number with the "port_no" option in > the "add-if" command. > + - ovs-pki: The "online PKI" features have been removed, along with > + the ovs-pki-cgi program that facilitated it, because of some > + alarmist insecurity claims. We do not believe that these claims > + are true, but because we do not know of any users for this > + feature it seems better on balance to remove it. (The ovs-pki-cgi > + program was not included in distribution packaging.) > > > v1.8.0 - xx xxx xxxx > diff --git a/utilities/automake.mk b/utilities/automake.mk > index 7bb2c6d..fdd26b8 100644 > --- a/utilities/automake.mk > +++ b/utilities/automake.mk 
> @@ -13,7 +13,6 @@ bin_SCRIPTS += \ > utilities/ovs-test \ > utilities/ovs-vlan-test > endif > -noinst_SCRIPTS += utilities/ovs-pki-cgi > scripts_SCRIPTS += \ > utilities/ovs-check-dead-ifs \ > utilities/ovs-ctl \ > @@ -27,7 +26,6 @@ EXTRA_DIST += \ > utilities/ovs-lib.in \ > utilities/ovs-parse-leaks.in \ > utilities/ovs-pcap.in \ > - utilities/ovs-pki-cgi.in \ > utilities/ovs-pki.in \ > utilities/ovs-save \ > utilities/ovs-tcpundump.in \ > @@ -65,7 +63,6 @@ DISTCLEANFILES += \ > utilities/ovs-pcap \ > utilities/ovs-pcap.1 \ > utilities/ovs-pki \ > - utilities/ovs-pki-cgi \ > utilities/ovs-pki.8 \ > utilities/ovs-tcpundump \ > utilities/ovs-tcpundump.1 \ > diff --git a/utilities/ovs-pki-cgi.in b/utilities/ovs-pki-cgi.in > deleted file mode 100755 > index 3ef900e..0000000 > --- a/utilities/ovs-pki-cgi.in > +++ /dev/null 
> @@ -1,55 +0,0 @@
> -#! @PERL@
> -
> -# Copyright (c) 2008, 2009 Nicira, Inc.
> -#
> -# Licensed under the Apache License, Version 2.0 (the "License");
> -# you may not use this file except in compliance with the License.
> -# You may obtain a copy of the License at:
> -#
> -# http://www.apache.org/licenses/LICENSE-2.0
> -#
> -# Unless required by applicable law or agreed to in writing, software
> -# distributed under the License is distributed on an "AS IS" BASIS,
> -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> -# See the License for the specific language governing permissions and
> -# limitations under the License.
> -
> -use CGI;
> -use Digest::SHA1;
> -use Fcntl;
> -
> -$CGI::POST_MAX = 65536; # Limit POSTs to 64 kB.
> -
> -use strict;
> -use warnings;
> -
> -my $pkidir = '@PKIDIR@';
> -my $q = new CGI;
> -
> -die unless $q->request_method() eq 'POST';
> -
> -my $type = $q->param('type');
> -die unless defined $type;
> -die unless $type eq 'switch' or $type eq 'controller';
> -
> -my $req = $q->param('req');
> -die unless defined $req;
> -die unless $req =~ /^-----BEGIN CERTIFICATE REQUEST-----$/m;
> -die unless $req =~ /^-----END CERTIFICATE REQUEST-----$/m;
> -
> -my $digest = Digest::SHA1::sha1_hex($req);
> -my $incoming = "$pkidir/${type}ca/incoming";
> -my $dst = "$incoming/$digest-req.pem";
> -
> -sysopen(REQUEST, "$dst.tmp", O_RDWR | O_CREAT | O_EXCL, 0600)
> - or die "sysopen $dst.tmp: $!";
> -print REQUEST $req;
> -close(REQUEST) or die "close $dst.tmp: $!";
> -
> -rename("$dst.tmp", $dst) or die "rename $dst.tmp to $dst: $!";
> -
> -print $q->header('text/html', '204 No response');
> -
> -# Local Variables:
> -# mode: perl
> -# End:
> diff --git a/utilities/ovs-pki.8.in b/utilities/ovs-pki.8.in
> index e40fdee..d63aa0a 100644
> --- a/utilities/ovs-pki.8.in
> +++ b/utilities/ovs-pki.8.in
> @@ -9,9 +9,11 @@ > ovs\-pki \- OpenFlow public key infrastructure management utility > > .SH SYNOPSIS > +Each command takes the form: > +.sp > \fBovs\-pki\fR [\fIOPTIONS\fR] \fICOMMAND\fR [\fIARGS\fR] > .sp > -Stand\-alone commands with their arguments: > +The implemented commands and their arguments are: > .br > \fBovs\-pki\fR \fBinit\fR > .br > @@ -27,20 +29,6 @@ Stand\-alone commands with their arguments: > .br > \fBovs\-pki\fR \fBself\-sign\fR \fINAME\fR > .sp > -The following additional commands manage an online PKI: > -.br > -\fBovs\-pki\fR \fBls\fR [\fIPREFIX\fR] [\fITYPE\fR] > -.br > -\fBovs\-pki\fR \fBflush\fR [\fITYPE\fR] > -.br > -\fBovs\-pki\fR \fBreject\fR \fIPREFIX\fR [\fITYPE\fR] > -.br > -\fBovs\-pki\fR \fBapprove\fR \fIPREFIX\fR [\fITYPE\fR] > -.br > -\fBovs\-pki\fR \fBprompt\fR [\fITYPE\fR] > -.br > -\fBovs\-pki\fR \fBexpire\fR [\fIAGE\fR] > -.sp > Each \fITYPE\fR above is a certificate type, either \fBswitch\fR > (default) or \fBcontroller\fR. > .sp 
> @@ -195,85 +183,6 @@ been produced with \fBovs\-pki req\fR. > > Some controllers accept such self-signed certificates. > > -.SH "ONLINE COMMANDS" > - > -An OpenFlow PKI can be administered online, in conjunction with > -.BR ovs\-pki\-cgi (8) > -and a web server such as Apache: > - > -.IP \(bu > -The web server exports the contents of the PKI via HTTP. All files in > -a PKI hierarchy files may be made public, except for the files > -\fBpki/controllerca/private/cakey.pem\fR and > -\fBpki/switchca/private/cakey.pem\fR, which must not be exposed. > - > -.IP \(bu > -\fBovs\-pki\-cgi\fR allows newly generated certificate requests for > -controllers and switches to be uploaded into the > -\fBpki/controllerca/incoming\fR and \fBpki/switchca/incoming\fR > -directories, respectively. Uploaded certificate requests are stored > -in those directories under names of the form > -\fIFINGERPRINT\fB\-req.pem\fR, which \fIFINGERPRINT\fR is the SHA\-1 > -hash of the file. > - > -.IP \(bu > -These \fBovs\-pki\fR commands allow incoming certificate requests to > -be approved or rejected, in a form are suitable for use by humans or > -other software. > - > -.PP > -The following \fBovs\-pki\fR commands support online administration: > - > -.TP > -\fBovs\-pki\fR \fBls\fR [\fIPREFIX\fR] [\fITYPE\fR] > -Lists all of the incoming certificate requests of the given \fITYPE\fR > -(either \fBswitch\fR, the default, or \fBcontroller\fR). If > -\fIPREFIX\fR, which must be at least 4 characters long, is specified, > -it causes the list to be limited to files whose names begin with > -\fIPREFIX\fR. This is useful, for example, to avoid typing in an > -entire fingerprint when checking that a specific certificate request > -has been received. > - > -.TP > -\fBovs\-pki\fR \fBflush\fR [\fITYPE\fR] > -Deletes all certificate requests of the given \fITYPE\fR. 
> - > -.TP > -\fBovs\-pki\fR \fBreject\fR \fIPREFIX\fR [\fITYPE\fR] > -Rejects the certificate request whose name begins with \fIPREFIX\fR, > -which must be at least 4 characters long, of the given type (either > -\fBswitch\fR, the default, or \fBcontroller\fR). \fIPREFIX\fR must > -match exactly one certificate request; its purpose is to allow the > -user to type fewer characters, not to match multiple certificate > -requests. > - > -.TP > -\fBovs\-pki\fR \fBapprove\fR \fIPREFIX\fR [\fITYPE\fR] > -Approves the certificate request whose name begins with \fIPREFIX\fR, > -which must be at least 4 characters long, of the given \fITYPE\fR > -(either \fBswitch\fR, the default, or \fBcontroller\fR). \fIPREFIX\fR > -must match exactly one certificate request; its purpose is to allow > -the user to type fewer characters, not to match multiple certificate > -requests. > - > -The command will output a fingerprint to stdout and request that you > -verify that it is correct. (The \fB\-b\fR or \fB\-\^\-batch\fR option > -suppresses the verification step.) > - > -.TP > -\fBovs\-pki\fR \fBprompt\fR [\fITYPE\fR] > -Prompts the user for each incoming certificate request of the given > -\fITYPE\fR (either \fBswitch\fR, the default, or \fBcontroller\fR). > -Based on the certificate request's fingerprint, the user is given the > -option of approving, rejecting, or skipping the certificate request. > - > -.TP > -\fBovs\-pki\fR \fBexpire\fR [\fIAGE\fR] > - > -Rejects all the incoming certificate requests, of either type, that is > -older than \fIAGE\fR, which must in one of the forms \fIN\fBs\fR, > -\fIN\fBmin\fR, \fIN\fBh\fR, \fIN\fBday\fR. The default is \fB1day\fR. > - > .SH OPTIONS > .IP "\fB\-k\fR \fItype\fR" > .IQ "\fB\-\^\-key=\fItype\fR" 
> @@ -306,7 +215,7 @@ The default is \fBdsaparam.pem\fR under the PKI > hierarchy. > .IP "\fB\-b\fR" > .IQ "\fB\-\^\-batch\fR" > Suppresses the interactive verification of fingerprints that the > -\fBsign\fR and \fBapprove\fR commands by default require. > +\fBsign\fR command by default requires. > > .IP "\fB\-d\fR \fIdir\fR" > .IQ "\fB\-\^\-dir=\fR\fIdir\fR" > At the end of the file: .SH "SEE ALSO"
.BR ovs\-controller (8), .BR ovs\-pki\-cgi (8) Should we remove the reference to ovs-pki-cgi? Otherwise, looks good to me. Thanks, Guru > diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in > index 2dc4060..2a67d53 100755 > --- a/utilities/ovs-pki.in > +++ b/utilities/ovs-pki.in > @@ -95,20 +95,6 @@ The valid stand-alone commands and their arguments are: > fingerprint FILE Prints the fingerprint for FILE > self-sign NAME Sign NAME-req.pem with NAME-privkey.pem, > producing self-signed certificate NAME-cert.pem > - > -The following additional commands manage an online PKI: > - ls [PREFIX] [TYPE] Lists incoming requests of the given TYPE, > optionally > - limited to those whose fingerprint begins with > PREFIX > - flush [TYPE] Rejects all incoming requests of the given TYPE > - reject PREFIX [TYPE] Rejects the incoming request(s) whose fingerprint > begins > - with PREFIX and has the given TYPE > - approve PREFIX [TYPE] Approves the incoming request whose fingerprint > begins > - with PREFIX and has the given TYPE > - expire [AGE] Rejects all incoming requests older than AGE, in > - one of the forms Ns, Nmin, Nh, Nday (default: 1day) > - prompt [TYPE] Interactively prompts to accept or reject each > incoming > - request of the given TYPE > - > Each TYPE above is a certificate type: 'switch' (default) or 'controller'. > > Options for 'init', 'req', and 'req+sign' only: > @@ -117,7 +103,7 @@ Options for 'init', 'req', and 'req+sign' only: > this has an effect only on 'init'. > -D, --dsaparam=FILE File with DSA parameters (DSA only) > (default: dsaparam.pem within PKI directory) > -Options for use with the 'sign' and 'approve' commands: > +Options for use with the 'sign' command: > -b, --batch Skip fingerprint verification > Options that apply to any command: > -d, --dir=DIR Directory where the PKI is located 
> @@ -251,7 +237,6 @@ if test "$command" = "init"; then > > mkdir -p certs crl newcerts > mkdir -p -m 0700 private > - mkdir -p -m 0733 incoming > touch index.txt > test -e crlnumber || echo 01 > crlnumber > test -e serial || echo 01 > serial > @@ -334,13 +319,6 @@ one_arg() { > fi > } > > -zero_or_one_args() { > - if test -n "$arg2"; then > - echo "$0: $command must have zero or one arguments; use --help > for help" >&2 > - exit 1 > - fi > -} > - > one_or_two_args() { > if test -z "$arg1"; then > echo "$0: $command must have one or two arguments; use --help for > help" >&2 > @@ -355,38 +333,6 @@ must_not_exist() { > fi > } > > -resolve_prefix() { > - test -n "$type" || exit 123 # Forgot to call check_type? > - > - case $1 in > - ????*) > - ;; > - *) > - echo "Prefix $arg1 is too short (less than 4 hex digits)" >&2 > - exit 0 > - ;; > - esac > - > - fingerprint=$(cd "$pkidir/${type}ca/incoming" && echo "$1"*-req.pem | > sed 's/-req\.pem$//') > - case $fingerprint in > - "${1}*") > - echo "No certificate requests matching $1" >&2 > - exit 1 > - ;; > - *" "*) > - echo "$1 matches more than one certificate request:" >&2 > - echo $fingerprint | sed 's/ /\ > -/g' >&2 > - exit 1 > - ;; > - *) > - # Nothing to do. > - ;; > - esac > - req="$pkidir/${type}ca/incoming/$fingerprint-req.pem" > - cert="$pkidir/${type}ca/certs/$fingerprint-cert.pem" > -} > - > make_tmpdir() { > TMP=/tmp/ovs-pki.tmp$$ > rm -rf $TMP 
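Review bot: Removing `mkdir -p -m 0733 incoming` from the `init` branch only changes newly initialized hierarchies; a PKI tree created by an earlier release still carries a world-writable `incoming` directory under what appears to be each per-CA directory, and nothing in this change removes or re-permissions it, even though that directory is exactly what the referenced bug reports object to. Since `init` is already written with `mkdir -p` and so tolerates an existing tree, it could tighten a leftover directory in passing, for example `test -d incoming && chmod 0700 incoming`, or the NEWS entry could tell administrators to remove stale `incoming` directories by hand. The `if test "$command" = "init"` branch starts before this hunk and continues after it.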
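Review bot: The retained `make_tmpdir` at the end of this hunk still derives its scratch directory from a predictable name, `TMP=/tmp/ovs-pki.tmp$$`, and then runs `rm -rf $TMP` on it, which is the same shared-directory class of problem as the `incoming` directory this commit removes: a path in `/tmp` that another local user can create first is not a safe place to unlink recursively or to copy a request into. The rest of `make_tmpdir` lies outside the hunk, so I cannot see whether the later creation step uses a restrictive mode or rejects a pre-existing directory. If no command still calls `make_tmpdir` once `approve` and `prompt` are gone, the function can simply be deleted; otherwise replacing the two visible lines with `TMP=$(mktemp -d "${TMPDIR:-/tmp}/ovs-pki.XXXXXX") || exit 1` gives a private directory without the race.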
> @@ -571,82 +517,6 @@ elif test "$command" = self-sign; then > # Reset the permissions on the certificate to the user's default. > cat "$arg1-cert.pem.tmp" > "$arg1-cert.pem" > rm -f "$arg1-cert.pem.tmp" > -elif test "$command" = ls; then > - check_type "$arg2" > - > - cd "$pkidir/${type}ca/incoming" > - for file in $(glob "$arg1*-req.pem"); do > - fingerprint $file > - done > -elif test "$command" = flush; then > - check_type "$arg1" > - > - rm -f "$pkidir/${type}ca/incoming/"* > -elif test "$command" = reject; then > - one_or_two_args > - check_type "$arg2" > - resolve_prefix "$arg1" > - > - rm -f "$req" > -elif test "$command" = approve; then > - one_or_two_args > - check_type "$arg2" > - resolve_prefix "$arg1" > - > - make_tmpdir > - cp "$req" "$TMP/$req" > - verify_fingerprint "$TMP/$req" > - sign_request "$TMP/$req" > - rm -f "$req" "$TMP/$req" > -elif test "$command" = prompt; then > - zero_or_one_args > - check_type "$arg1" > - > - make_tmpdir > - cd "$pkidir/${type}ca/incoming" > - for req in $(glob "*-req.pem"); do > - cp "$req" "$TMP/$req" > - > - cert=$(echo "$pkidir/${type}ca/certs/$req" | > - sed 's/-req.pem/-cert.pem/') > - if test -f $cert; then > - echo "Request $req already approved--dropping duplicate > request" > - rm -f "$req" "$TMP/$req" > - continue > - fi > - > - echo > - echo > - fingerprint "$TMP/$req" "$req" > - printf "Disposition for this request (skip/approve/reject)? 
" > - read answer > - case $answer in > - approve) > - echo "Approving $req" > - sign_request "$TMP/$req" "$cert" > - rm -f "$req" "$TMP/$req" > - ;; > - r*) > - echo "Rejecting $req" > - rm -f "$req" "$TMP/$req" > - ;; > - *) > - echo "Skipping $req" > - ;; > - esac > - done > -elif test "$command" = expire; then > - zero_or_one_args > - cutoff=$(($(date +%s) - $(parse_age ${arg1-1day}))) > - for type in switch controller; do > - cd "$pkidir/${type}ca/incoming" || exit 1 > - for file in $(glob "*"); do > - time=$(file_mod_epoch "$file") > - if test "$time" -lt "$cutoff"; then > - rm -f "$file" > - fi > - done > - done > else > echo "$0: $command command unknown; use --help for help" >&2 > exit 1 > -- > 1.7.2.5 > > > _______________________________________________ > dev mailing list > dev@openvswitch.org > http://openvswitch.org/mailman/listinfo/dev >