import certmonger-0.79.7-6.el8
This commit is contained in:
parent
434855d374
commit
09ef8f82dc
134
SOURCES/0026-Optimize-closing-open-file-descriptors.patch
Normal file
134
SOURCES/0026-Optimize-closing-open-file-descriptors.patch
Normal file
@ -0,0 +1,134 @@
|
||||
From 9bbb628620d4e586941344e1bdbbc166a885c0a9 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 5 Sep 2019 12:45:52 -0400
|
||||
Subject: [PATCH] Optimize closing open file descriptors
|
||||
|
||||
When forking, the code would close all unused file descriptors up
|
||||
to maximum number of files. In the default case this is 1024. In
|
||||
the container case this is 1048576. Huge delays in startup were
|
||||
seen due to this.
|
||||
|
||||
Even in a default 1024 ulimit case this drastically reduces the
|
||||
number of file descriptors to mark FD_CLOEXEC but in the container
|
||||
default case this saves another order of magnitude of work.
|
||||
|
||||
This patch takes inspiration from systemd[1] and walks /proc/self/fd
|
||||
if it is available to determine the list of open descriptors. It
|
||||
falls back to the "close all fds we don't care about up to limit"
|
||||
method.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1656519
|
||||
|
||||
[1] https://github.com/systemd/systemd/blob/5238e9575906297608ff802a27e2ff9effa3b338/src/basic/fd-util.c#L217
|
||||
---
|
||||
src/subproc.c | 71 ++++++++++++++++++++++++++++++++++++++++++++-------
|
||||
1 file changed, 62 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/subproc.c b/src/subproc.c
|
||||
index e49e3762..8df836ae 100644
|
||||
--- a/src/subproc.c
|
||||
+++ b/src/subproc.c
|
||||
@@ -19,6 +19,7 @@
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/wait.h>
|
||||
+#include <dirent.h>
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <paths.h>
|
||||
@@ -436,6 +437,25 @@ cm_subproc_parse_args(void *parent, const char *cmdline, const char **error)
|
||||
return argv;
|
||||
}
|
||||
|
||||
+/* Based heavily on systemd version */
|
||||
+static
|
||||
+int safe_atoi(const char *s, int *ret_i) {
|
||||
+ char *x = NULL;
|
||||
+ long l;
|
||||
+
|
||||
+ errno = 0;
|
||||
+ l = strtol(s, &x, 0);
|
||||
+ if (errno > 0)
|
||||
+ return -1;
|
||||
+ if (!x || x == s || *x != 0)
|
||||
+ return -1;
|
||||
+ if ((long) (int) l != l)
|
||||
+ return -1;
|
||||
+
|
||||
+ *ret_i = (int) l;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
/* Redirect stdio to /dev/null, and mark everything else as close-on-exec,
|
||||
* except for perhaps one to three of them that are passed in by number. */
|
||||
void
|
||||
@@ -443,6 +463,9 @@ cm_subproc_mark_most_cloexec(int fd, int fd2, int fd3)
|
||||
{
|
||||
int i;
|
||||
long l;
|
||||
+ DIR *dir = NULL;
|
||||
+ struct dirent *de;
|
||||
+
|
||||
if ((fd != STDIN_FILENO) &&
|
||||
(fd2 != STDIN_FILENO) &&
|
||||
(fd3 != STDIN_FILENO)) {
|
||||
@@ -482,17 +505,47 @@ cm_subproc_mark_most_cloexec(int fd, int fd2, int fd3)
|
||||
close(STDERR_FILENO);
|
||||
}
|
||||
}
|
||||
- for (i = getdtablesize() - 1; i >= 3; i--) {
|
||||
- if ((i == fd) ||
|
||||
- (i == fd2) ||
|
||||
- (i == fd3)) {
|
||||
- continue;
|
||||
+ dir = opendir("/proc/self/fd");
|
||||
+ if (!dir) {
|
||||
+ /* /proc isn't available, fall back to old way */
|
||||
+ for (i = getdtablesize() - 1; i >= 3; i--) {
|
||||
+ if ((i == fd) ||
|
||||
+ (i == fd2) ||
|
||||
+ (i == fd3)) {
|
||||
+ continue;
|
||||
+ }
|
||||
+ l = fcntl(i, F_GETFD);
|
||||
+ if (l != -1) {
|
||||
+ if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) {
|
||||
+ cm_log(0, "Potentially leaking FD %d.\n", i);
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
- l = fcntl(i, F_GETFD);
|
||||
- if (l != -1) {
|
||||
- if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) {
|
||||
- cm_log(0, "Potentially leaking FD %d.\n", i);
|
||||
+ } else {
|
||||
+ while ((de = readdir(dir)) != NULL) {
|
||||
+ int i = -1;
|
||||
+
|
||||
+ if (safe_atoi(de->d_name, &i) < 0) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ if ((i == fd) ||
|
||||
+ (i == fd2) ||
|
||||
+ (i == fd3)) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ if (i == dirfd(dir)) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ l = fcntl(i, F_GETFD);
|
||||
+ if (l != -1) {
|
||||
+ if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) {
|
||||
+ cm_log(0, "Potentially leaking FD %d.\n", i);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
+ closedir(dir);
|
||||
}
|
||||
}
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,33 @@
|
||||
From b7bcb1b3b953c2052e2d89cb2b3e9d9ccd1b3864 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 10 Oct 2019 16:28:18 -0400
|
||||
Subject: [PATCH] Don't close STDOUT when calling the CA fetch_roots function
|
||||
|
||||
cm_subproc_mark_most_cloexec() now closes all open file
|
||||
descriptors except for up to three requested for stdin, stdout
|
||||
and stderr. Before the optimization those three were always
|
||||
left open.
|
||||
|
||||
This was causing errors in the IPA helper ipa-server-guard
|
||||
because it tries to display the contents of stderr which was
|
||||
always being closed, causing ipa-server-guard to blow up.
|
||||
---
|
||||
src/cadata.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/cadata.c b/src/cadata.c
|
||||
index eb87eb76..3e916c96 100644
|
||||
--- a/src/cadata.c
|
||||
+++ b/src/cadata.c
|
||||
@@ -109,7 +109,7 @@ fetch(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, void *data)
|
||||
}
|
||||
return -1;
|
||||
}
|
||||
- cm_subproc_mark_most_cloexec(STDOUT_FILENO, -1, -1);
|
||||
+ cm_subproc_mark_most_cloexec(STDOUT_FILENO, STDERR_FILENO, -1);
|
||||
cm_log(1, "Running enrollment/cadata helper \"%s\".\n", argv[0]);
|
||||
execvp(argv[0], argv);
|
||||
u = errno;
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,35 @@
|
||||
From 205775f73f7eef7b207acccac6b853562adf604b Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Fri, 25 Oct 2019 20:25:36 +0000
|
||||
Subject: [PATCH] Don't close STDERR when submitting request
|
||||
|
||||
cm_subproc_mark_most_cloexec() now closes all open file
|
||||
descriptors except for up to three requested for stdin, stdout
|
||||
and stderr. Before the optimization those three were always
|
||||
left open.
|
||||
|
||||
This was causing errors in the IPA helper ipa-server-guard
|
||||
because it tries to display the contents of stderr which was
|
||||
always being closed, causing ipa-server-guard to blow up.
|
||||
---
|
||||
src/submit-e.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/submit-e.c b/src/submit-e.c
|
||||
index d6158d7a..69b4f8e2 100644
|
||||
--- a/src/submit-e.c
|
||||
+++ b/src/submit-e.c
|
||||
@@ -941,8 +941,8 @@ cm_submit_e_helper_main(int fd, struct cm_store_ca *ca,
|
||||
}
|
||||
return -1;
|
||||
}
|
||||
- cm_log(2, "Redirecting stdin and stderr to /dev/null, leaving stdout open for child \"%s\".\n", argv[0]);
|
||||
- cm_subproc_mark_most_cloexec(STDOUT_FILENO, -1, -1);
|
||||
+ cm_log(2, "Redirecting stdin to /dev/null, leaving stdout and stderr open for child \"%s\".\n", argv[0]);
|
||||
+ cm_subproc_mark_most_cloexec(STDOUT_FILENO, STDERR_FILENO, -1);
|
||||
cm_log(1, "Running enrollment helper \"%s\".\n", argv[0]);
|
||||
execvp(argv[0], argv);
|
||||
u = errno;
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,259 @@
|
||||
From 34c120f0259750ff2228def2955de9ad985340e6 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Mon, 26 Aug 2019 22:01:35 +0000
|
||||
Subject: [PATCH] Remove NOMODDB flag flag from context init, look for full
|
||||
tokens
|
||||
|
||||
The NSS databases were almost universally initialized with the
|
||||
NOMODDB flag. I'm not sure if something changed in NSS but the
|
||||
PKCS#11 modules were not being initialized. Adding this back after
|
||||
permission checks are done results in tokens working again.
|
||||
|
||||
When looking for certs and keys try the full token:nickname string
|
||||
as well as just nickname when comparing values.
|
||||
|
||||
https://pagure.io/certmonger/issue/125
|
||||
---
|
||||
src/casave.c | 3 +--
|
||||
src/certread-n.c | 33 ++++++++++++++++-----------------
|
||||
src/certsave-n.c | 5 +++++
|
||||
src/dogtag.c | 3 +--
|
||||
src/keygen-n.c | 5 +++++
|
||||
src/keyiread-n.c | 11 ++++++++++-
|
||||
src/scepgen-n.c | 5 +++++
|
||||
src/submit-n.c | 5 +++++
|
||||
src/toklist.c | 2 +-
|
||||
9 files changed, 49 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/src/casave.c b/src/casave.c
|
||||
index bde63f99..1cf5a406 100644
|
||||
--- a/src/casave.c
|
||||
+++ b/src/casave.c
|
||||
@@ -111,8 +111,7 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e,
|
||||
break;
|
||||
default:
|
||||
flags = NSS_INIT_READONLY |
|
||||
- NSS_INIT_NOROOTINIT |
|
||||
- NSS_INIT_NOMODDB;
|
||||
+ NSS_INIT_NOROOTINIT;
|
||||
/* Sigh. Not a lot of detail. Check
|
||||
* if we succeed in read-only mode,
|
||||
* which we'll interpret as lack of
|
||||
diff --git a/src/certread-n.c b/src/certread-n.c
|
||||
index d535030b..bb61b61b 100644
|
||||
--- a/src/certread-n.c
|
||||
+++ b/src/certread-n.c
|
||||
@@ -157,27 +157,22 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
cm_log(1, "Unable to open NSS database.\n");
|
||||
_exit(status);
|
||||
}
|
||||
+ /* Re-open the database with modules enabled */
|
||||
+ NSS_ShutdownContext(ctx);
|
||||
+ ctx = NSS_InitContext(entry->cm_cert_storage_location,
|
||||
+ NULL, NULL, NULL, NULL,
|
||||
+ (readwrite ? 0 : NSS_INIT_READONLY) |
|
||||
+ NSS_INIT_NOROOTINIT);
|
||||
es = util_n_fips_hook();
|
||||
if (es != NULL) {
|
||||
cm_log(1, "Error putting NSS into FIPS mode: %s\n", es);
|
||||
_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
|
||||
}
|
||||
- /* Allocate a memory pool. */
|
||||
- arena = PORT_NewArena(sizeof(double));
|
||||
- if (arena == NULL) {
|
||||
- cm_log(1, "Error opening database '%s'.\n",
|
||||
- entry->cm_cert_storage_location);
|
||||
- if (NSS_ShutdownContext(ctx) != SECSuccess) {
|
||||
- cm_log(1, "Error shutting down NSS.\n");
|
||||
- }
|
||||
- _exit(ENOMEM);
|
||||
- }
|
||||
/* Find the tokens that we might use for cert storage. */
|
||||
mech = CKM_RSA_X_509;
|
||||
slotlist = PK11_GetAllTokens(mech, PR_FALSE, PR_FALSE, NULL);
|
||||
if (slotlist == NULL) {
|
||||
cm_log(1, "Error getting list of tokens.\n");
|
||||
- PORT_FreeArena(arena, PR_TRUE);
|
||||
if (NSS_ShutdownContext(ctx) != SECSuccess) {
|
||||
cm_log(1, "Error shutting down NSS.\n");
|
||||
}
|
||||
@@ -249,6 +244,7 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
}
|
||||
/* If we need to log in in order to read certificates, do so. */
|
||||
if (PK11_NeedLogin(sle->slot)) {
|
||||
+ cm_log(3, "Need login to token %s\n", PK11_GetTokenName(sle->slot));
|
||||
if (cm_pin_read_for_cert(entry, &pin) != 0) {
|
||||
cm_log(1, "Error reading PIN for cert db, "
|
||||
"skipping.\n");
|
||||
@@ -272,13 +268,19 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
/* Walk the list of certificates in the slot, looking for one
|
||||
* which matches the specified nickname. */
|
||||
certs = PK11_ListCertsInSlot(sle->slot);
|
||||
+ cm_log(3, "Looking for %s\n", entry->cm_cert_nickname);
|
||||
if (certs != NULL) {
|
||||
for (node = CERT_LIST_HEAD(certs);
|
||||
!CERT_LIST_EMPTY(certs) &&
|
||||
!CERT_LIST_END(node, certs);
|
||||
node = CERT_LIST_NEXT(node)) {
|
||||
- if (strcmp(node->cert->nickname,
|
||||
- entry->cm_cert_nickname) == 0) {
|
||||
+ cm_log(3, "certread-n: Slot nickname %s\n",
|
||||
+ node->cert->nickname);
|
||||
+ es = talloc_asprintf(entry, "%s:%s",
|
||||
+ entry->cm_cert_token, entry->cm_cert_nickname);
|
||||
+ if ((strcmp(node->cert->nickname,
|
||||
+ entry->cm_cert_nickname) == 0) ||
|
||||
+ (strcmp(node->cert->nickname, es) == 0)) {
|
||||
cm_log(3, "Located the certificate "
|
||||
"\"%s\".\n",
|
||||
entry->cm_cert_nickname);
|
||||
@@ -321,7 +323,6 @@ next_slot:
|
||||
if (cert == NULL) {
|
||||
cm_log(1, "Error locating certificate.\n");
|
||||
PK11_FreeSlotList(slotlist);
|
||||
- PORT_FreeArena(arena, PR_TRUE);
|
||||
if (NSS_ShutdownContext(ctx) != SECSuccess) {
|
||||
cm_log(1, "Error shutting down NSS.\n");
|
||||
}
|
||||
@@ -332,7 +333,6 @@ next_slot:
|
||||
fclose(fp);
|
||||
CERT_DestroyCertificate(cert);
|
||||
PK11_FreeSlotList(slotlist);
|
||||
- PORT_FreeArena(arena, PR_TRUE);
|
||||
if (NSS_ShutdownContext(ctx) != SECSuccess) {
|
||||
cm_log(1, "Error shutting down NSS.\n");
|
||||
}
|
||||
@@ -358,8 +358,7 @@ cm_certread_n_parse(struct cm_store_entry *entry,
|
||||
NULL, NULL, NULL, NULL,
|
||||
NSS_INIT_NOCERTDB |
|
||||
NSS_INIT_READONLY |
|
||||
- NSS_INIT_NOROOTINIT |
|
||||
- NSS_INIT_NOMODDB);
|
||||
+ NSS_INIT_NOROOTINIT);
|
||||
if (ctx == NULL) {
|
||||
cm_log(1, "Unable to initialize NSS.\n");
|
||||
_exit(1);
|
||||
diff --git a/src/certsave-n.c b/src/certsave-n.c
|
||||
index 972a1dfa..eda03b34 100644
|
||||
--- a/src/certsave-n.c
|
||||
+++ b/src/certsave-n.c
|
||||
@@ -186,6 +186,11 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
} else {
|
||||
/* We don't try to force FIPS mode here, as it seems to get in
|
||||
* the way of saving the certificate. */
|
||||
+ NSS_ShutdownContext(ctx);
|
||||
+ ctx = NSS_InitContext(entry->cm_cert_storage_location,
|
||||
+ NULL, NULL, NULL, NULL,
|
||||
+ (readwrite ? 0 : NSS_INIT_READONLY) |
|
||||
+ NSS_INIT_NOROOTINIT);
|
||||
|
||||
/* Allocate a memory pool. */
|
||||
arena = PORT_NewArena(sizeof(double));
|
||||
diff --git a/src/dogtag.c b/src/dogtag.c
|
||||
index 55607f3d..c43664ef 100644
|
||||
--- a/src/dogtag.c
|
||||
+++ b/src/dogtag.c
|
||||
@@ -306,8 +306,7 @@ main(int argc, const char **argv)
|
||||
NULL, NULL, NULL, NULL,
|
||||
NSS_INIT_NOCERTDB |
|
||||
NSS_INIT_READONLY |
|
||||
- NSS_INIT_NOROOTINIT |
|
||||
- NSS_INIT_NOMODDB);
|
||||
+ NSS_INIT_NOROOTINIT);
|
||||
if (nctx == NULL) {
|
||||
cm_log(1, "Unable to initialize NSS.\n");
|
||||
_exit(1);
|
||||
diff --git a/src/keygen-n.c b/src/keygen-n.c
|
||||
index 061bd2af..e921d7ec 100644
|
||||
--- a/src/keygen-n.c
|
||||
+++ b/src/keygen-n.c
|
||||
@@ -226,6 +226,11 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
break;
|
||||
}
|
||||
}
|
||||
+ NSS_ShutdownContext(ctx);
|
||||
+ ctx = NSS_InitContext(entry->cm_key_storage_location,
|
||||
+ NULL, NULL, NULL, NULL,
|
||||
+ (readwrite ? 0 : NSS_INIT_READONLY) |
|
||||
+ NSS_INIT_NOROOTINIT);
|
||||
reason = util_n_fips_hook();
|
||||
if (reason != NULL) {
|
||||
cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
|
||||
diff --git a/src/keyiread-n.c b/src/keyiread-n.c
|
||||
index 91b1be41..dc1c6092 100644
|
||||
--- a/src/keyiread-n.c
|
||||
+++ b/src/keyiread-n.c
|
||||
@@ -115,6 +115,11 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
|
||||
break;
|
||||
}
|
||||
}
|
||||
+ NSS_ShutdownContext(ctx);
|
||||
+ ctx = NSS_InitContext(entry->cm_key_storage_location,
|
||||
+ NULL, NULL, NULL, NULL,
|
||||
+ (readwrite ? 0 : NSS_INIT_READONLY) |
|
||||
+ NSS_INIT_NOROOTINIT);
|
||||
reason = util_n_fips_hook();
|
||||
if (reason != NULL) {
|
||||
cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
|
||||
@@ -340,8 +345,12 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
|
||||
cnode = CERT_LIST_NEXT(cnode)) {
|
||||
nickname = entry->cm_key_nickname;
|
||||
cert = cnode->cert;
|
||||
+ es = talloc_asprintf(entry, "%s:%s",
|
||||
+ entry->cm_cert_token,
|
||||
+ entry->cm_cert_nickname);
|
||||
if ((nickname != NULL) &&
|
||||
- (strcmp(cert->nickname, nickname) == 0)) {
|
||||
+ ((strcmp(cert->nickname, nickname) == 0) ||
|
||||
+ (strcmp(cert->nickname, es) == 0))) {
|
||||
cm_log(3, "Located a certificate with "
|
||||
"the key's nickname (\"%s\").\n",
|
||||
nickname);
|
||||
diff --git a/src/scepgen-n.c b/src/scepgen-n.c
|
||||
index d6735aa7..8c67b122 100644
|
||||
--- a/src/scepgen-n.c
|
||||
+++ b/src/scepgen-n.c
|
||||
@@ -183,6 +183,11 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
|
||||
break;
|
||||
}
|
||||
}
|
||||
+ NSS_ShutdownContext(ctx);
|
||||
+ ctx = NSS_InitContext(entry->cm_key_storage_location,
|
||||
+ NULL, NULL, NULL, NULL,
|
||||
+ NSS_INIT_READONLY |
|
||||
+ NSS_INIT_NOROOTINIT);
|
||||
reason = util_n_fips_hook();
|
||||
if (reason != NULL) {
|
||||
cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
|
||||
diff --git a/src/submit-n.c b/src/submit-n.c
|
||||
index b07ea23a..f27b9c7f 100644
|
||||
--- a/src/submit-n.c
|
||||
+++ b/src/submit-n.c
|
||||
@@ -317,6 +317,11 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
|
||||
}
|
||||
goto done;
|
||||
}
|
||||
+ NSS_ShutdownContext(ctx);
|
||||
+ ctx = NSS_InitContext(args->entry->cm_key_storage_location,
|
||||
+ NULL, NULL, NULL, NULL,
|
||||
+ NSS_INIT_READONLY |
|
||||
+ NSS_INIT_NOROOTINIT);
|
||||
reason = util_n_fips_hook();
|
||||
if (reason != NULL) {
|
||||
cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
|
||||
diff --git a/src/toklist.c b/src/toklist.c
|
||||
index a4328218..ac166722 100644
|
||||
--- a/src/toklist.c
|
||||
+++ b/src/toklist.c
|
||||
@@ -79,7 +79,7 @@ main(int argc, const char **argv)
|
||||
|
||||
/* Open the database. */
|
||||
ctx = NSS_InitContext(dbdir, NULL, NULL, NULL, NULL,
|
||||
- NSS_INIT_NOROOTINIT | NSS_INIT_NOMODDB);
|
||||
+ NSS_INIT_NOROOTINIT);
|
||||
if (ctx == NULL) {
|
||||
printf("Unable to open NSS database '%s'.\n", dbdir);
|
||||
_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
|
||||
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,233 @@
|
||||
From 59df833ca5fb80c596df621a24dc461a550dba71 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Tue, 27 Aug 2019 18:01:02 +0000
|
||||
Subject: [PATCH] Update tests to include the security module DB in expected
|
||||
output
|
||||
|
||||
certmonger was previously always initializing the databases with
|
||||
the flag NSS_INIT_NOMODDB but in at elast NSS 3.44 this doesn't
|
||||
seem to initialize external modules (tested with SoftHSM2).
|
||||
|
||||
https://pagure.io/certmonger/issue/125
|
||||
---
|
||||
tests/034-perms-dbm/expected.out | 16 ++++++++++++++++
|
||||
tests/034-perms-sql/expected.out | 16 ++++++++++++++++
|
||||
tests/034-perms/expected.out | 16 ++++++++++++++++
|
||||
3 files changed, 48 insertions(+)
|
||||
|
||||
diff --git a/tests/034-perms-dbm/expected.out b/tests/034-perms-dbm/expected.out
|
||||
index c062d409..7bf23a37 100644
|
||||
--- a/tests/034-perms-dbm/expected.out
|
||||
+++ b/tests/034-perms-dbm/expected.out
|
||||
@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
|
||||
[dbm:keygen]
|
||||
$owner:$group|0600|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0600|secmod.db
|
||||
[dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[dbm:csrgen]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[dbm:submit]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[dbm:save]
|
||||
$owner:$group|0662|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0662|secmod.db
|
||||
[rekey:dbm:start]
|
||||
[rekey:dbm:keygen]
|
||||
$owner:$group|0600|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0600|secmod.db
|
||||
[rekey:dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:keygen]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:csrgen]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:submit]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:save]
|
||||
$owner:$group|0662|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0662|secmod.db
|
||||
OK
|
||||
diff --git a/tests/034-perms-sql/expected.out b/tests/034-perms-sql/expected.out
|
||||
index 2808e02c..c5914e02 100644
|
||||
--- a/tests/034-perms-sql/expected.out
|
||||
+++ b/tests/034-perms-sql/expected.out
|
||||
@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
|
||||
[sql:keygen]
|
||||
$owner:$group|0600|cert9.db
|
||||
$owner:$group|0620|key4.db
|
||||
+$owner:$group|0600|pkcs11.txt
|
||||
[sql:reset]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0755|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[sql:csrgen]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0620|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[sql:reset]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0755|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[sql:submit]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0755|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[sql:reset]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0755|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[sql:save]
|
||||
$owner:$group|0662|cert9.db
|
||||
$owner:$group|0620|key4.db
|
||||
+$owner:$group|0662|pkcs11.txt
|
||||
[rekey:sql:start]
|
||||
[rekey:sql:keygen]
|
||||
$owner:$group|0600|cert9.db
|
||||
$owner:$group|0620|key4.db
|
||||
+$owner:$group|0600|pkcs11.txt
|
||||
[rekey:sql:reset]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0755|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[rekey:sql:keygen]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0620|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[rekey:sql:reset]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0755|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[rekey:sql:csrgen]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0620|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[rekey:sql:reset]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0755|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[rekey:sql:submit]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0755|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[rekey:sql:reset]
|
||||
$owner:$group|0755|cert9.db
|
||||
$owner:$group|0755|key4.db
|
||||
+$owner:$group|0755|pkcs11.txt
|
||||
[rekey:sql:save]
|
||||
$owner:$group|0662|cert9.db
|
||||
$owner:$group|0620|key4.db
|
||||
+$owner:$group|0662|pkcs11.txt
|
||||
OK
|
||||
diff --git a/tests/034-perms/expected.out b/tests/034-perms/expected.out
|
||||
index c062d409..7bf23a37 100644
|
||||
--- a/tests/034-perms/expected.out
|
||||
+++ b/tests/034-perms/expected.out
|
||||
@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
|
||||
[dbm:keygen]
|
||||
$owner:$group|0600|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0600|secmod.db
|
||||
[dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[dbm:csrgen]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[dbm:submit]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[dbm:save]
|
||||
$owner:$group|0662|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0662|secmod.db
|
||||
[rekey:dbm:start]
|
||||
[rekey:dbm:keygen]
|
||||
$owner:$group|0600|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0600|secmod.db
|
||||
[rekey:dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:keygen]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:csrgen]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:submit]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:reset]
|
||||
$owner:$group|0755|cert8.db
|
||||
$owner:$group|0755|key3.db
|
||||
+$owner:$group|0755|secmod.db
|
||||
[rekey:dbm:save]
|
||||
$owner:$group|0662|cert8.db
|
||||
$owner:$group|0620|key3.db
|
||||
+$owner:$group|0662|secmod.db
|
||||
OK
|
||||
--
|
||||
2.21.0
|
||||
|
50
SOURCES/0031-Try-to-pull-the-entire-CA-chain-from-IPA.patch
Normal file
50
SOURCES/0031-Try-to-pull-the-entire-CA-chain-from-IPA.patch
Normal file
@ -0,0 +1,50 @@
|
||||
From 64702b25951ce996532afea7d627612d6bba7451 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 10 Oct 2019 18:24:32 +0000
|
||||
Subject: [PATCH] Try to pull the entire CA chain from IPA
|
||||
|
||||
IPA originally stored a single cert in cn=cacert which is
|
||||
what certmonger has always retrieved in fetch_roots. It was
|
||||
replaced to store cn=certificates as separate entries in order
|
||||
to more easily support chains and to include additional
|
||||
metadata about certificates.
|
||||
|
||||
Try to pull the chain from that location first and fall back
|
||||
to cn=cacert if no entries are found.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1710632
|
||||
---
|
||||
src/ipa.c | 10 +++++++++-
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/ipa.c b/src/ipa.c
|
||||
index acd1a4e2..40a4b52c 100644
|
||||
--- a/src/ipa.c
|
||||
+++ b/src/ipa.c
|
||||
@@ -508,7 +508,8 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
|
||||
LDAP *ld = NULL;
|
||||
LDAPMessage *lresult = NULL, *lmsg = NULL;
|
||||
char *lattrs[2] = {"caCertificate;binary", NULL};
|
||||
- const char *relativedn = "cn=cacert,cn=ipa,cn=etc";
|
||||
+ const char *relativedn = "cn=certificates,cn=ipa,cn=etc";
|
||||
+ const char *relativecompatdn = "cn=cacert,cn=ipa,cn=etc";
|
||||
char ldn[LINE_MAX], lfilter[LINE_MAX], uri[LINE_MAX] = "", *kerr = NULL;
|
||||
struct berval **lbvalues, *lbv;
|
||||
unsigned char *bv_val;
|
||||
@@ -543,6 +544,13 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
|
||||
rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
|
||||
lfilter, lattrs, 0, NULL, NULL, NULL,
|
||||
LDAP_NO_LIMIT, &lresult);
|
||||
+ if (rc == LDAP_SUCCESS && ldap_count_entries(ld, lresult) == 0) {
|
||||
+ /* Fall back to the old location */
|
||||
+ snprintf(ldn, sizeof(ldn), "%s,%s", relativecompatdn, basedn);
|
||||
+ rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
|
||||
+ lfilter, lattrs, 0, NULL, NULL, NULL,
|
||||
+ LDAP_NO_LIMIT, &lresult);
|
||||
+ }
|
||||
if (rc != LDAP_SUCCESS) {
|
||||
fprintf(stderr, "Error searching '%s': %s.\n",
|
||||
ldn, ldap_err2string(rc));
|
||||
--
|
||||
2.21.0
|
||||
|
34
SOURCES/0032-Fix-use-after-free-issue.patch
Normal file
34
SOURCES/0032-Fix-use-after-free-issue.patch
Normal file
@ -0,0 +1,34 @@
|
||||
From c6f2737747cbb70adfdd1a77412b669838f9c419 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Mon, 2 Dec 2019 15:08:54 -0500
|
||||
Subject: [PATCH] Fix use-after-free issue
|
||||
|
||||
The basedn value was freed after the first search but a second
|
||||
one could be initiated.
|
||||
---
|
||||
src/ipa.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/ipa.c b/src/ipa.c
|
||||
index 40a4b52c..41ca9081 100644
|
||||
--- a/src/ipa.c
|
||||
+++ b/src/ipa.c
|
||||
@@ -540,7 +540,6 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
|
||||
/* Now look up the root certificates for the domain. */
|
||||
snprintf(lfilter, sizeof(lfilter), "(%s=*)", lattrs[0]);
|
||||
snprintf(ldn, sizeof(ldn), "%s,%s", relativedn, basedn);
|
||||
- free(basedn);
|
||||
rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
|
||||
lfilter, lattrs, 0, NULL, NULL, NULL,
|
||||
LDAP_NO_LIMIT, &lresult);
|
||||
@@ -551,6 +550,7 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
|
||||
lfilter, lattrs, 0, NULL, NULL, NULL,
|
||||
LDAP_NO_LIMIT, &lresult);
|
||||
}
|
||||
+ free(basedn);
|
||||
if (rc != LDAP_SUCCESS) {
|
||||
fprintf(stderr, "Error searching '%s': %s.\n",
|
||||
ldn, ldap_err2string(rc));
|
||||
--
|
||||
2.21.0
|
||||
|
@ -9,7 +9,7 @@
|
||||
|
||||
Name: certmonger
|
||||
Version: 0.79.7
|
||||
Release: 3%{?dist}
|
||||
Release: 6%{?dist}
|
||||
Summary: Certificate status monitor and PKI enrollment client
|
||||
|
||||
Group: System Environment/Daemons
|
||||
@ -80,8 +80,8 @@ Requires(post): /sbin/chkconfig, /sbin/service
|
||||
Requires(preun): /sbin/chkconfig, /sbin/service, dbus, sed
|
||||
%endif
|
||||
|
||||
Patch1: 0001-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch
|
||||
Patch2: 0002-Convert-tests-to-use-python3.patch
|
||||
Patch1: 0001-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch
|
||||
Patch2: 0002-Convert-tests-to-use-python3.patch
|
||||
Patch18: 0018-clang-more-Dead-assignment.patch
|
||||
Patch19: 0019-clang-more-Memory-leaks.patch
|
||||
Patch20: 0020-clang-Avoid-buffer-overflow.patch
|
||||
@ -90,6 +90,14 @@ Patch22: 0022-Uninitialized-variable.patch
|
||||
Patch23: 0023-merge-into-clang-more-Memory-leaks.patch
|
||||
Patch24: 0024-Add-missing-return-type-declaration.patch
|
||||
Patch25: 0025-Discards-const-qualifier.patch
|
||||
Patch26: 0026-Optimize-closing-open-file-descriptors.patch
|
||||
Patch27: 0027-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch
|
||||
Patch28: 0028-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch
|
||||
Patch29: 0029-Remove-NOMODDB-flag-flag-from-context-init-look-for-.patch
|
||||
Patch30: 0030-Update-tests-to-include-the-security-module-DB-in-ex.patch
|
||||
Patch31: 0031-Try-to-pull-the-entire-CA-chain-from-IPA.patch
|
||||
Patch32: 0032-Fix-use-after-free-issue.patch
|
||||
|
||||
|
||||
%description
|
||||
Certmonger is a service which is primarily concerned with getting your
|
||||
@ -107,6 +115,13 @@ system enrolled with a certificate authority (CA) and keeping it enrolled.
|
||||
%patch23 -p1
|
||||
%patch24 -p1
|
||||
%patch25 -p1
|
||||
%patch26 -p1
|
||||
%patch27 -p1
|
||||
%patch28 -p1
|
||||
%patch29 -p1
|
||||
%patch30 -p1
|
||||
%patch31 -p1
|
||||
%patch32 -p1
|
||||
|
||||
%build
|
||||
autoreconf -i -f
|
||||
@ -233,6 +248,17 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Dec 16 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-6
|
||||
- Rebuild
|
||||
|
||||
* Mon Dec 2 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-5
|
||||
- Fix use-after-free issue when retrieving CA chain (#1710632)
|
||||
|
||||
* Mon Dec 2 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-4
|
||||
- Optimize closing of file descriptors on fork (#1763745)
|
||||
- Remove NOMODDB flag flag from context init, look for full tokens (#1746543)
|
||||
- Retrieve full IPA CA chain (#1710632)
|
||||
|
||||
* Tue May 14 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-3
|
||||
- Rebuild for new annobin (#1708095)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user