import certmonger-0.79.7-6.el8

This commit is contained in:
CentOS Sources 2020-04-28 04:56:43 -04:00 committed by Andrew Lukoshko
parent 434855d374
commit 09ef8f82dc
8 changed files with 807 additions and 3 deletions

View File

@ -0,0 +1,134 @@
From 9bbb628620d4e586941344e1bdbbc166a885c0a9 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 5 Sep 2019 12:45:52 -0400
Subject: [PATCH] Optimize closing open file descriptors
When forking, the code would close all unused file descriptors up
to maximum number of files. In the default case this is 1024. In
the container case this is 1048576. Huge delays in startup were
seen due to this.
Even in a default 1024 ulimit case this drastically reduces the
number of file descriptors to mark FD_CLOEXEC but in the container
default case this saves another order of magnitude of work.
This patch takes inspiration from systemd[1] and walks /proc/self/fd
if it is available to determine the list of open descriptors. It
falls back to the "close all fds we don't care about up to limit"
method.
https://bugzilla.redhat.com/show_bug.cgi?id=1656519
[1] https://github.com/systemd/systemd/blob/5238e9575906297608ff802a27e2ff9effa3b338/src/basic/fd-util.c#L217
---
src/subproc.c | 71 ++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 62 insertions(+), 9 deletions(-)
diff --git a/src/subproc.c b/src/subproc.c
index e49e3762..8df836ae 100644
--- a/src/subproc.c
+++ b/src/subproc.c
@@ -19,6 +19,7 @@
#include <sys/types.h>
#include <sys/wait.h>
+#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <paths.h>
@@ -436,6 +437,25 @@ cm_subproc_parse_args(void *parent, const char *cmdline, const char **error)
return argv;
}
+/* Based heavily on systemd version */
+static
+int safe_atoi(const char *s, int *ret_i) {
+ char *x = NULL;
+ long l;
+
+ errno = 0;
+ l = strtol(s, &x, 0);
+ if (errno > 0)
+ return -1;
+ if (!x || x == s || *x != 0)
+ return -1;
+ if ((long) (int) l != l)
+ return -1;
+
+ *ret_i = (int) l;
+ return 0;
+}
+
/* Redirect stdio to /dev/null, and mark everything else as close-on-exec,
* except for perhaps one to three of them that are passed in by number. */
void
@@ -443,6 +463,9 @@ cm_subproc_mark_most_cloexec(int fd, int fd2, int fd3)
{
int i;
long l;
+ DIR *dir = NULL;
+ struct dirent *de;
+
if ((fd != STDIN_FILENO) &&
(fd2 != STDIN_FILENO) &&
(fd3 != STDIN_FILENO)) {
@@ -482,17 +505,47 @@ cm_subproc_mark_most_cloexec(int fd, int fd2, int fd3)
close(STDERR_FILENO);
}
}
- for (i = getdtablesize() - 1; i >= 3; i--) {
- if ((i == fd) ||
- (i == fd2) ||
- (i == fd3)) {
- continue;
+ dir = opendir("/proc/self/fd");
+ if (!dir) {
+ /* /proc isn't available, fall back to old way */
+ for (i = getdtablesize() - 1; i >= 3; i--) {
+ if ((i == fd) ||
+ (i == fd2) ||
+ (i == fd3)) {
+ continue;
+ }
+ l = fcntl(i, F_GETFD);
+ if (l != -1) {
+ if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) {
+ cm_log(0, "Potentially leaking FD %d.\n", i);
+ }
+ }
}
- l = fcntl(i, F_GETFD);
- if (l != -1) {
- if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) {
- cm_log(0, "Potentially leaking FD %d.\n", i);
+ } else {
+ while ((de = readdir(dir)) != NULL) {
+ int i = -1;
+
+ if (safe_atoi(de->d_name, &i) < 0) {
+ continue;
+ }
+
+ if ((i == fd) ||
+ (i == fd2) ||
+ (i == fd3)) {
+ continue;
+ }
+
+ if (i == dirfd(dir)) {
+ continue;
+ }
+
+ l = fcntl(i, F_GETFD);
+ if (l != -1) {
+ if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) {
+ cm_log(0, "Potentially leaking FD %d.\n", i);
+ }
}
}
+ closedir(dir);
}
}
--
2.21.0

View File

@ -0,0 +1,33 @@
From b7bcb1b3b953c2052e2d89cb2b3e9d9ccd1b3864 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 10 Oct 2019 16:28:18 -0400
Subject: [PATCH] Don't close STDOUT when calling the CA fetch_roots function
cm_subproc_mark_most_cloexec() now closes all open file
descriptors except for up to three requested for stdin, stdout
and stderr. Before the optimization those three were always
left open.
This was causing errors in the IPA helper ipa-server-guard
because it tries to display the contents of stderr which was
always being closed, causing ipa-server-guard to blow up.
---
src/cadata.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cadata.c b/src/cadata.c
index eb87eb76..3e916c96 100644
--- a/src/cadata.c
+++ b/src/cadata.c
@@ -109,7 +109,7 @@ fetch(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, void *data)
}
return -1;
}
- cm_subproc_mark_most_cloexec(STDOUT_FILENO, -1, -1);
+ cm_subproc_mark_most_cloexec(STDOUT_FILENO, STDERR_FILENO, -1);
cm_log(1, "Running enrollment/cadata helper \"%s\".\n", argv[0]);
execvp(argv[0], argv);
u = errno;
--
2.21.0

View File

@ -0,0 +1,35 @@
From 205775f73f7eef7b207acccac6b853562adf604b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 25 Oct 2019 20:25:36 +0000
Subject: [PATCH] Don't close STDERR when submitting request
cm_subproc_mark_most_cloexec() now closes all open file
descriptors except for up to three requested for stdin, stdout
and stderr. Before the optimization those three were always
left open.
This was causing errors in the IPA helper ipa-server-guard
because it tries to display the contents of stderr which was
always being closed, causing ipa-server-guard to blow up.
---
src/submit-e.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/submit-e.c b/src/submit-e.c
index d6158d7a..69b4f8e2 100644
--- a/src/submit-e.c
+++ b/src/submit-e.c
@@ -941,8 +941,8 @@ cm_submit_e_helper_main(int fd, struct cm_store_ca *ca,
}
return -1;
}
- cm_log(2, "Redirecting stdin and stderr to /dev/null, leaving stdout open for child \"%s\".\n", argv[0]);
- cm_subproc_mark_most_cloexec(STDOUT_FILENO, -1, -1);
+ cm_log(2, "Redirecting stdin to /dev/null, leaving stdout and stderr open for child \"%s\".\n", argv[0]);
+ cm_subproc_mark_most_cloexec(STDOUT_FILENO, STDERR_FILENO, -1);
cm_log(1, "Running enrollment helper \"%s\".\n", argv[0]);
execvp(argv[0], argv);
u = errno;
--
2.21.0

View File

@ -0,0 +1,259 @@
From 34c120f0259750ff2228def2955de9ad985340e6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 26 Aug 2019 22:01:35 +0000
Subject: [PATCH] Remove NOMODDB flag flag from context init, look for full
tokens
The NSS databases were almost universally initialized with the
NOMODDB flag. I'm not sure if something changed in NSS but the
PKCS#11 modules were not being initialized. Adding this back after
permission checks are done results in tokens working again.
When looking for certs and keys try the full token:nickname string
as well as just nickname when comparing values.
https://pagure.io/certmonger/issue/125
---
src/casave.c | 3 +--
src/certread-n.c | 33 ++++++++++++++++-----------------
src/certsave-n.c | 5 +++++
src/dogtag.c | 3 +--
src/keygen-n.c | 5 +++++
src/keyiread-n.c | 11 ++++++++++-
src/scepgen-n.c | 5 +++++
src/submit-n.c | 5 +++++
src/toklist.c | 2 +-
9 files changed, 49 insertions(+), 23 deletions(-)
diff --git a/src/casave.c b/src/casave.c
index bde63f99..1cf5a406 100644
--- a/src/casave.c
+++ b/src/casave.c
@@ -111,8 +111,7 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e,
break;
default:
flags = NSS_INIT_READONLY |
- NSS_INIT_NOROOTINIT |
- NSS_INIT_NOMODDB;
+ NSS_INIT_NOROOTINIT;
/* Sigh. Not a lot of detail. Check
* if we succeed in read-only mode,
* which we'll interpret as lack of
diff --git a/src/certread-n.c b/src/certread-n.c
index d535030b..bb61b61b 100644
--- a/src/certread-n.c
+++ b/src/certread-n.c
@@ -157,27 +157,22 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
cm_log(1, "Unable to open NSS database.\n");
_exit(status);
}
+ /* Re-open the database with modules enabled */
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(entry->cm_cert_storage_location,
+ NULL, NULL, NULL, NULL,
+ (readwrite ? 0 : NSS_INIT_READONLY) |
+ NSS_INIT_NOROOTINIT);
es = util_n_fips_hook();
if (es != NULL) {
cm_log(1, "Error putting NSS into FIPS mode: %s\n", es);
_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
}
- /* Allocate a memory pool. */
- arena = PORT_NewArena(sizeof(double));
- if (arena == NULL) {
- cm_log(1, "Error opening database '%s'.\n",
- entry->cm_cert_storage_location);
- if (NSS_ShutdownContext(ctx) != SECSuccess) {
- cm_log(1, "Error shutting down NSS.\n");
- }
- _exit(ENOMEM);
- }
/* Find the tokens that we might use for cert storage. */
mech = CKM_RSA_X_509;
slotlist = PK11_GetAllTokens(mech, PR_FALSE, PR_FALSE, NULL);
if (slotlist == NULL) {
cm_log(1, "Error getting list of tokens.\n");
- PORT_FreeArena(arena, PR_TRUE);
if (NSS_ShutdownContext(ctx) != SECSuccess) {
cm_log(1, "Error shutting down NSS.\n");
}
@@ -249,6 +244,7 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
/* If we need to log in in order to read certificates, do so. */
if (PK11_NeedLogin(sle->slot)) {
+ cm_log(3, "Need login to token %s\n", PK11_GetTokenName(sle->slot));
if (cm_pin_read_for_cert(entry, &pin) != 0) {
cm_log(1, "Error reading PIN for cert db, "
"skipping.\n");
@@ -272,13 +268,19 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
/* Walk the list of certificates in the slot, looking for one
* which matches the specified nickname. */
certs = PK11_ListCertsInSlot(sle->slot);
+ cm_log(3, "Looking for %s\n", entry->cm_cert_nickname);
if (certs != NULL) {
for (node = CERT_LIST_HEAD(certs);
!CERT_LIST_EMPTY(certs) &&
!CERT_LIST_END(node, certs);
node = CERT_LIST_NEXT(node)) {
- if (strcmp(node->cert->nickname,
- entry->cm_cert_nickname) == 0) {
+ cm_log(3, "certread-n: Slot nickname %s\n",
+ node->cert->nickname);
+ es = talloc_asprintf(entry, "%s:%s",
+ entry->cm_cert_token, entry->cm_cert_nickname);
+ if ((strcmp(node->cert->nickname,
+ entry->cm_cert_nickname) == 0) ||
+ (strcmp(node->cert->nickname, es) == 0)) {
cm_log(3, "Located the certificate "
"\"%s\".\n",
entry->cm_cert_nickname);
@@ -321,7 +323,6 @@ next_slot:
if (cert == NULL) {
cm_log(1, "Error locating certificate.\n");
PK11_FreeSlotList(slotlist);
- PORT_FreeArena(arena, PR_TRUE);
if (NSS_ShutdownContext(ctx) != SECSuccess) {
cm_log(1, "Error shutting down NSS.\n");
}
@@ -332,7 +333,6 @@ next_slot:
fclose(fp);
CERT_DestroyCertificate(cert);
PK11_FreeSlotList(slotlist);
- PORT_FreeArena(arena, PR_TRUE);
if (NSS_ShutdownContext(ctx) != SECSuccess) {
cm_log(1, "Error shutting down NSS.\n");
}
@@ -358,8 +358,7 @@ cm_certread_n_parse(struct cm_store_entry *entry,
NULL, NULL, NULL, NULL,
NSS_INIT_NOCERTDB |
NSS_INIT_READONLY |
- NSS_INIT_NOROOTINIT |
- NSS_INIT_NOMODDB);
+ NSS_INIT_NOROOTINIT);
if (ctx == NULL) {
cm_log(1, "Unable to initialize NSS.\n");
_exit(1);
diff --git a/src/certsave-n.c b/src/certsave-n.c
index 972a1dfa..eda03b34 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -186,6 +186,11 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
} else {
/* We don't try to force FIPS mode here, as it seems to get in
* the way of saving the certificate. */
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(entry->cm_cert_storage_location,
+ NULL, NULL, NULL, NULL,
+ (readwrite ? 0 : NSS_INIT_READONLY) |
+ NSS_INIT_NOROOTINIT);
/* Allocate a memory pool. */
arena = PORT_NewArena(sizeof(double));
diff --git a/src/dogtag.c b/src/dogtag.c
index 55607f3d..c43664ef 100644
--- a/src/dogtag.c
+++ b/src/dogtag.c
@@ -306,8 +306,7 @@ main(int argc, const char **argv)
NULL, NULL, NULL, NULL,
NSS_INIT_NOCERTDB |
NSS_INIT_READONLY |
- NSS_INIT_NOROOTINIT |
- NSS_INIT_NOMODDB);
+ NSS_INIT_NOROOTINIT);
if (nctx == NULL) {
cm_log(1, "Unable to initialize NSS.\n");
_exit(1);
diff --git a/src/keygen-n.c b/src/keygen-n.c
index 061bd2af..e921d7ec 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -226,6 +226,11 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
break;
}
}
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(entry->cm_key_storage_location,
+ NULL, NULL, NULL, NULL,
+ (readwrite ? 0 : NSS_INIT_READONLY) |
+ NSS_INIT_NOROOTINIT);
reason = util_n_fips_hook();
if (reason != NULL) {
cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
diff --git a/src/keyiread-n.c b/src/keyiread-n.c
index 91b1be41..dc1c6092 100644
--- a/src/keyiread-n.c
+++ b/src/keyiread-n.c
@@ -115,6 +115,11 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
break;
}
}
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(entry->cm_key_storage_location,
+ NULL, NULL, NULL, NULL,
+ (readwrite ? 0 : NSS_INIT_READONLY) |
+ NSS_INIT_NOROOTINIT);
reason = util_n_fips_hook();
if (reason != NULL) {
cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
@@ -340,8 +345,12 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
cnode = CERT_LIST_NEXT(cnode)) {
nickname = entry->cm_key_nickname;
cert = cnode->cert;
+ es = talloc_asprintf(entry, "%s:%s",
+ entry->cm_cert_token,
+ entry->cm_cert_nickname);
if ((nickname != NULL) &&
- (strcmp(cert->nickname, nickname) == 0)) {
+ ((strcmp(cert->nickname, nickname) == 0) ||
+ (strcmp(cert->nickname, es) == 0))) {
cm_log(3, "Located a certificate with "
"the key's nickname (\"%s\").\n",
nickname);
diff --git a/src/scepgen-n.c b/src/scepgen-n.c
index d6735aa7..8c67b122 100644
--- a/src/scepgen-n.c
+++ b/src/scepgen-n.c
@@ -183,6 +183,11 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
break;
}
}
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(entry->cm_key_storage_location,
+ NULL, NULL, NULL, NULL,
+ NSS_INIT_READONLY |
+ NSS_INIT_NOROOTINIT);
reason = util_n_fips_hook();
if (reason != NULL) {
cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
diff --git a/src/submit-n.c b/src/submit-n.c
index b07ea23a..f27b9c7f 100644
--- a/src/submit-n.c
+++ b/src/submit-n.c
@@ -317,6 +317,11 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
}
goto done;
}
+ NSS_ShutdownContext(ctx);
+ ctx = NSS_InitContext(args->entry->cm_key_storage_location,
+ NULL, NULL, NULL, NULL,
+ NSS_INIT_READONLY |
+ NSS_INIT_NOROOTINIT);
reason = util_n_fips_hook();
if (reason != NULL) {
cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
diff --git a/src/toklist.c b/src/toklist.c
index a4328218..ac166722 100644
--- a/src/toklist.c
+++ b/src/toklist.c
@@ -79,7 +79,7 @@ main(int argc, const char **argv)
/* Open the database. */
ctx = NSS_InitContext(dbdir, NULL, NULL, NULL, NULL,
- NSS_INIT_NOROOTINIT | NSS_INIT_NOMODDB);
+ NSS_INIT_NOROOTINIT);
if (ctx == NULL) {
printf("Unable to open NSS database '%s'.\n", dbdir);
_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
--
2.21.0

View File

@ -0,0 +1,233 @@
From 59df833ca5fb80c596df621a24dc461a550dba71 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 27 Aug 2019 18:01:02 +0000
Subject: [PATCH] Update tests to include the security module DB in expected
output
certmonger was previously always initializing the databases with
the flag NSS_INIT_NOMODDB but in at elast NSS 3.44 this doesn't
seem to initialize external modules (tested with SoftHSM2).
https://pagure.io/certmonger/issue/125
---
tests/034-perms-dbm/expected.out | 16 ++++++++++++++++
tests/034-perms-sql/expected.out | 16 ++++++++++++++++
tests/034-perms/expected.out | 16 ++++++++++++++++
3 files changed, 48 insertions(+)
diff --git a/tests/034-perms-dbm/expected.out b/tests/034-perms-dbm/expected.out
index c062d409..7bf23a37 100644
--- a/tests/034-perms-dbm/expected.out
+++ b/tests/034-perms-dbm/expected.out
@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
[dbm:keygen]
$owner:$group|0600|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0600|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:csrgen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:submit]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:save]
$owner:$group|0662|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0662|secmod.db
[rekey:dbm:start]
[rekey:dbm:keygen]
$owner:$group|0600|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0600|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:keygen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:csrgen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:submit]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:save]
$owner:$group|0662|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0662|secmod.db
OK
diff --git a/tests/034-perms-sql/expected.out b/tests/034-perms-sql/expected.out
index 2808e02c..c5914e02 100644
--- a/tests/034-perms-sql/expected.out
+++ b/tests/034-perms-sql/expected.out
@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
[sql:keygen]
$owner:$group|0600|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0600|pkcs11.txt
[sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[sql:csrgen]
$owner:$group|0755|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0755|pkcs11.txt
[sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[sql:submit]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[sql:save]
$owner:$group|0662|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0662|pkcs11.txt
[rekey:sql:start]
[rekey:sql:keygen]
$owner:$group|0600|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0600|pkcs11.txt
[rekey:sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:keygen]
$owner:$group|0755|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:csrgen]
$owner:$group|0755|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:submit]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:reset]
$owner:$group|0755|cert9.db
$owner:$group|0755|key4.db
+$owner:$group|0755|pkcs11.txt
[rekey:sql:save]
$owner:$group|0662|cert9.db
$owner:$group|0620|key4.db
+$owner:$group|0662|pkcs11.txt
OK
diff --git a/tests/034-perms/expected.out b/tests/034-perms/expected.out
index c062d409..7bf23a37 100644
--- a/tests/034-perms/expected.out
+++ b/tests/034-perms/expected.out
@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
[dbm:keygen]
$owner:$group|0600|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0600|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:csrgen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:submit]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[dbm:save]
$owner:$group|0662|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0662|secmod.db
[rekey:dbm:start]
[rekey:dbm:keygen]
$owner:$group|0600|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0600|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:keygen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:csrgen]
$owner:$group|0755|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:submit]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:reset]
$owner:$group|0755|cert8.db
$owner:$group|0755|key3.db
+$owner:$group|0755|secmod.db
[rekey:dbm:save]
$owner:$group|0662|cert8.db
$owner:$group|0620|key3.db
+$owner:$group|0662|secmod.db
OK
--
2.21.0

View File

@ -0,0 +1,50 @@
From 64702b25951ce996532afea7d627612d6bba7451 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 10 Oct 2019 18:24:32 +0000
Subject: [PATCH] Try to pull the entire CA chain from IPA
IPA originally stored a single cert in cn=cacert which is
what certmonger has always retrieved in fetch_roots. It was
replaced to store cn=certificates as separate entries in order
to more easily support chains and to include additional
metadata about certificates.
Try to pull the chain from that location first and fall back
to cn=cacert if no entries are found.
https://bugzilla.redhat.com/show_bug.cgi?id=1710632
---
src/ipa.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/ipa.c b/src/ipa.c
index acd1a4e2..40a4b52c 100644
--- a/src/ipa.c
+++ b/src/ipa.c
@@ -508,7 +508,8 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
LDAP *ld = NULL;
LDAPMessage *lresult = NULL, *lmsg = NULL;
char *lattrs[2] = {"caCertificate;binary", NULL};
- const char *relativedn = "cn=cacert,cn=ipa,cn=etc";
+ const char *relativedn = "cn=certificates,cn=ipa,cn=etc";
+ const char *relativecompatdn = "cn=cacert,cn=ipa,cn=etc";
char ldn[LINE_MAX], lfilter[LINE_MAX], uri[LINE_MAX] = "", *kerr = NULL;
struct berval **lbvalues, *lbv;
unsigned char *bv_val;
@@ -543,6 +544,13 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
lfilter, lattrs, 0, NULL, NULL, NULL,
LDAP_NO_LIMIT, &lresult);
+ if (rc == LDAP_SUCCESS && ldap_count_entries(ld, lresult) == 0) {
+ /* Fall back to the old location */
+ snprintf(ldn, sizeof(ldn), "%s,%s", relativecompatdn, basedn);
+ rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
+ lfilter, lattrs, 0, NULL, NULL, NULL,
+ LDAP_NO_LIMIT, &lresult);
+ }
if (rc != LDAP_SUCCESS) {
fprintf(stderr, "Error searching '%s': %s.\n",
ldn, ldap_err2string(rc));
--
2.21.0

View File

@ -0,0 +1,34 @@
From c6f2737747cbb70adfdd1a77412b669838f9c419 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 2 Dec 2019 15:08:54 -0500
Subject: [PATCH] Fix use-after-free issue
The basedn value was freed after the first search but a second
one could be initiated.
---
src/ipa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ipa.c b/src/ipa.c
index 40a4b52c..41ca9081 100644
--- a/src/ipa.c
+++ b/src/ipa.c
@@ -540,7 +540,6 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
/* Now look up the root certificates for the domain. */
snprintf(lfilter, sizeof(lfilter), "(%s=*)", lattrs[0]);
snprintf(ldn, sizeof(ldn), "%s,%s", relativedn, basedn);
- free(basedn);
rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
lfilter, lattrs, 0, NULL, NULL, NULL,
LDAP_NO_LIMIT, &lresult);
@@ -551,6 +550,7 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
lfilter, lattrs, 0, NULL, NULL, NULL,
LDAP_NO_LIMIT, &lresult);
}
+ free(basedn);
if (rc != LDAP_SUCCESS) {
fprintf(stderr, "Error searching '%s': %s.\n",
ldn, ldap_err2string(rc));
--
2.21.0

View File

@ -9,7 +9,7 @@
Name: certmonger
Version: 0.79.7
Release: 3%{?dist}
Release: 6%{?dist}
Summary: Certificate status monitor and PKI enrollment client
Group: System Environment/Daemons
@ -80,8 +80,8 @@ Requires(post): /sbin/chkconfig, /sbin/service
Requires(preun): /sbin/chkconfig, /sbin/service, dbus, sed
%endif
Patch1: 0001-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch
Patch2: 0002-Convert-tests-to-use-python3.patch
Patch1: 0001-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch
Patch2: 0002-Convert-tests-to-use-python3.patch
Patch18: 0018-clang-more-Dead-assignment.patch
Patch19: 0019-clang-more-Memory-leaks.patch
Patch20: 0020-clang-Avoid-buffer-overflow.patch
@ -90,6 +90,14 @@ Patch22: 0022-Uninitialized-variable.patch
Patch23: 0023-merge-into-clang-more-Memory-leaks.patch
Patch24: 0024-Add-missing-return-type-declaration.patch
Patch25: 0025-Discards-const-qualifier.patch
Patch26: 0026-Optimize-closing-open-file-descriptors.patch
Patch27: 0027-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch
Patch28: 0028-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch
Patch29: 0029-Remove-NOMODDB-flag-flag-from-context-init-look-for-.patch
Patch30: 0030-Update-tests-to-include-the-security-module-DB-in-ex.patch
Patch31: 0031-Try-to-pull-the-entire-CA-chain-from-IPA.patch
Patch32: 0032-Fix-use-after-free-issue.patch
%description
Certmonger is a service which is primarily concerned with getting your
@ -107,6 +115,13 @@ system enrolled with a certificate authority (CA) and keeping it enrolled.
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%build
autoreconf -i -f
@ -233,6 +248,17 @@ exit 0
%endif
%changelog
* Mon Dec 16 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-6
- Rebuild
* Mon Dec 2 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-5
- Fix use-after-free issue when retrieving CA chain (#1710632)
* Mon Dec 2 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-4
- Optimize closing of file descriptors on fork (#1763745)
- Remove NOMODDB flag flag from context init, look for full tokens (#1746543)
- Retrieve full IPA CA chain (#1710632)
* Tue May 14 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-3
- Rebuild for new annobin (#1708095)