[Pkg-freeipa-devel] [Git][freeipa-team/certmonger][upstream] 53 commits: If calling a CA helper fails, call cm_casave_done to reap

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Sun Oct 10 17:39:34 BST 2021



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / certmonger


Commits:
08dab29d by Rob Crittenden at 2021-01-12T10:44:26-05:00
If calling a CA helper fails, call cm_casave_done to reap

CA helper calls to certmaster when the certmaster helper wasn't
installed was causing 8 zombie processes (one for each query).

It is due to waitpid() not being called on them.

https://pagure.io/certmonger/issue/185

- - - - -
33948eda by Weblate at 2021-02-16T13:19:04-05:00
Update translation files

Updated by "Update ALL_LINGUAS variable in the "configure" file" hook in Weblate.

Co-authored-by: Weblate <noreply at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/
Translation: certmonger/master

- - - - -
4a532089 by Yuri Chornoivan at 2021-02-16T13:19:04-05:00
Translated using Weblate (Ukrainian)

Currently translated at 100.0% (473 of 473 strings)

Translated using Weblate (Ukrainian)

Currently translated at 87.7% (415 of 473 strings)

Co-authored-by: Yuri Chornoivan <yurchor at ukr.net>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/uk/
Translation: certmonger/master

- - - - -
c3e3e982 by Geert Warrink at 2021-02-16T13:19:04-05:00
Translated using Weblate (Dutch)

Currently translated at 100.0% (473 of 473 strings)

Translated using Weblate (Dutch)

Currently translated at 75.2% (356 of 473 strings)

Co-authored-by: Geert Warrink <geert.warrink at onsnet.nu>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/nl/
Translation: certmonger/master

- - - - -
02a331ff by Piotr Drąg at 2021-02-16T13:19:04-05:00
Translated using Weblate (Polish)

Currently translated at 100.0% (473 of 473 strings)

Co-authored-by: Piotr Drąg <piotrdrag at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/pl/
Translation: certmonger/master

- - - - -
329025ac by Luna Jernberg at 2021-02-16T13:19:04-05:00
Translated using Weblate (Swedish)

Currently translated at 90.2% (427 of 473 strings)

Co-authored-by: Luna Jernberg <bittin at reimu.nl>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/sv/
Translation: certmonger/master

- - - - -
12b57406 by Oğuz Ersen at 2021-02-16T13:19:04-05:00
Translated using Weblate (Turkish)

Currently translated at 34.0% (161 of 473 strings)

Co-authored-by: Oğuz Ersen <oguzersen at protonmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/tr/
Translation: certmonger/master

- - - - -
effa25f7 by Göran Uddeborg at 2021-02-16T13:19:04-05:00
Translated using Weblate (Swedish)

Currently translated at 100.0% (473 of 473 strings)

Translated using Weblate (Swedish)

Currently translated at 100.0% (473 of 473 strings)

Co-authored-by: Göran Uddeborg <goeran at uddeborg.se>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/sv/
Translation: certmonger/master

- - - - -
4b5c9e38 by Mustafa Çalışkan at 2021-02-16T13:19:04-05:00
Translated using Weblate (Turkish)

Currently translated at 34.0% (161 of 473 strings)

Co-authored-by: Mustafa Çalışkan <musfay at protonmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/tr/
Translation: certmonger/master

- - - - -
f3d86dc8 by Oğuz Ersen at 2021-02-16T13:19:04-05:00
Translated using Weblate (Turkish)

Currently translated at 42.4% (201 of 473 strings)

Co-authored-by: Oğuz Ersen <oguzersen at protonmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/tr/
Translation: certmonger/master

- - - - -
62a66348 by Ade Lee at 2021-04-14T16:16:44-04:00
Fix local CA to work under FIPS

The PKCS12 file used for the local CA fails to be created because
it uses default OpenSSL encryption algorithms that are disallowed
under FIPS.  This patch simply updates the PKCS12_create() command
to use allowed encryption algorithms.

- - - - -
6802bec4 by Fábio Rodrigues Ribeiro at 2021-04-15T20:45:00+02:00
Translated using Weblate (Portuguese (Brazil))

Currently translated at 50.1% (237 of 473 strings)

Co-authored-by: Fábio Rodrigues Ribeiro <farribeiro at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/pt_BR/
Translation: certmonger/master

- - - - -
b8ab1bf6 by Hela Basa at 2021-04-15T20:45:00+02:00
Added translation using Weblate (Sinhala)

Co-authored-by: Hela Basa <r45xveza at pm.me>

- - - - -
7335176c by simmon at 2021-04-15T20:45:00+02:00
Translated using Weblate (Korean)

Currently translated at 100.0% (473 of 473 strings)

Translated using Weblate (Korean)

Currently translated at 100.0% (473 of 473 strings)

Translated using Weblate (Korean)

Currently translated at 100.0% (473 of 473 strings)

Translated using Weblate (Korean)

Currently translated at 100.0% (473 of 473 strings)

Translated using Weblate (Korean)

Currently translated at 100.0% (473 of 473 strings)

Translated using Weblate (Korean)

Currently translated at 25.7% (122 of 473 strings)

Translated using Weblate (Korean)

Currently translated at 18.6% (88 of 473 strings)

Translated using Weblate (Korean)

Currently translated at 16.9% (80 of 473 strings)

Translated using Weblate (Korean)

Currently translated at 13.7% (65 of 473 strings)

Translated using Weblate (Korean)

Currently translated at 13.3% (63 of 473 strings)

Translated using Weblate (Korean)

Currently translated at 12.0% (57 of 473 strings)

Added translation using Weblate (Korean)

Co-authored-by: simmon <simmon at nplob.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/ko/
Translation: certmonger/master

- - - - -
f269602b by Oğuz Ersen at 2021-04-15T20:45:00+02:00
Translated using Weblate (Turkish)

Currently translated at 100.0% (473 of 473 strings)

Co-authored-by: Oğuz Ersen <oguzersen at protonmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/tr/
Translation: certmonger/master

- - - - -
0302d410 by Rafael Fontenelle at 2021-04-15T20:45:00+02:00
Translated using Weblate (Portuguese (Brazil))

Currently translated at 50.3% (238 of 473 strings)

Co-authored-by: Rafael Fontenelle <rafaelff at gnome.org>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/pt_BR/
Translation: certmonger/master

- - - - -
ab5d0f60 by Rob Crittenden at 2021-04-29T14:40:59-04:00
Revert three Korean translations because they change the order

The order of the formatting was changed so the wrong values/types
would be displayed.

- - - - -
a5f9b624 by Rob Crittenden at 2021-05-14T14:04:48-04:00
Update cadata test to reflect non-NULL returned by helper

NULL was returned when a helper was non-executable which led to
it becoming a zombie process.

- - - - -
50cec1d8 by Rob Crittenden at 2021-05-14T14:04:48-04:00
Drop hardcoded values for Apache NSS db for IPA < v4

These were used with IPAv3 when the IPA RA certificate
was stored in the Apache NSS database and references
by nickname. The RA certificate was moved to a set of
PEM files starting in IPA v4.

The hardcoded values were not particulary distribution
friendly.

This change isn't explicitly dropping support for IPAv3
but changes would be necessary there to pass in the
options for the NSS database directory and nickname.
A newer certmonger is not likely to be used with such an
old IPA release.

https://pagure.io/certmonger/issue/97

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
0eec70b9 by Rob Crittenden at 2021-05-14T14:20:36-04:00
Add NULL checks before string compares when analyzing a cert

A user reported a segfault which was due to a broken request.
How it got broken I have no idea but it was effectively empty.

It had everything as defaults: 0, -1, UNSPECIFIED or not
present at all.

So when trying to analyze the request it did a NULL compare.

https://pagure.io/certmonger/issue/191

- - - - -
881a1af1 by Rob Crittenden at 2021-05-14T14:42:12-04:00
Pass /etc/ipa/ca.crt if it exists to libcurl, else rely on system

Don't pass a non-existant file to libcurl because it overrides the
system-wide trust and the connection will fail since there is no
chain.

https://pagure.io/certmonger/issue/132

- - - - -
c69e64cb by Rob Crittenden at 2021-05-14T14:53:02-04:00
Close file in casave on NSS database login error

Discovered by Coverity

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
45d94600 by Rob Crittenden at 2021-05-14T14:53:02-04:00
Remove remaining reference to token variable in certread-n

I had switched to using PK11_GetTokenName(slot) except in one
spot which could lead to use of an uninitialized pointer in
an error message. Change this and drop the token variable.

Discovered by Coverity

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
baa10a98 by Rob Crittenden at 2021-05-14T14:53:02-04:00
Free the thumbprint variable before returning

This is probably a false-positive because if we know that the
length of t is 0 then there is nothing to free, but it doesn't
hurt anything and quiets the static analyzers.

Discovered by Coverity

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
08b9baee by Rob Crittenden at 2021-05-14T14:53:02-04:00
Free the error message when returning

Since the submit label may be called multiple times free
error_message before returning.

Discovered by Coverity

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
a13b7ed1 by Rob Crittenden at 2021-05-14T14:53:02-04:00
Fix compiler warnings

These range from:
 - unused variables
 - missing switch options
 - missing default in switch
 - logging with known NULL variables
 - non-void function with no return

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
af3264e7 by Rob Crittenden at 2021-05-14T14:53:02-04:00
clang: Unused variable assignment

kret is assigned but unused.

- - - - -
0bf6d91f by Rob Crittenden at 2021-05-14T14:53:02-04:00
clang: Remove memory leak on failure

At this point a number of objects have been allocated. On error
be sure to release them.

- - - - -
4ae497e9 by Rob Crittenden at 2021-05-14T14:53:02-04:00
clang: free error_message when finding the realm

The error message can come from either krb5_get_error_message(),
error_message() or a static string.

If krb5_get_error_message() is used then krb5_free_error_message()
needs to be called to free it.

We already strdup'd error_message() but there were some static
strings as well.

So unify around strdup'ing these strings so we can free() it
when the function exits.

- - - - -
84d575da by Rob Crittenden at 2021-05-14T15:12:07-04:00
Display not_before in getcert output

Including not_before can help with troubleshooting
renewal problems and if time needs to be reversed
helping identify the maximum one can go back.

https://bugzilla.redhat.com/show_bug.cgi?id=1940261

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
5e276766 by Rob Crittenden at 2021-06-03T17:36:15-04:00
Revert "Revert three Korean translations because they change the order"

This reverts commit ab5d0f6068fa4f79de7966337a218a1b38aa66e9.

This was corrected in Weblate.

- - - - -
694f4d2e by simmon at 2021-06-03T23:38:13+02:00
Translated using Weblate (Korean)

Currently translated at 100.0% (473 of 473 strings)

Translation: certmonger/master
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/ko/

- - - - -
f8d6652c by Semyon Apoykov at 2021-06-03T23:38:13+02:00
Translated using Weblate (Russian)

Currently translated at 67.4% (319 of 473 strings)

Translation: certmonger/master
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/ru/

- - - - -
f8246249 by Rob Crittenden at 2021-06-04T09:06:51-04:00
Fix list of sub-commands in the getcert man page

There was a typo (refresh-cas) and a number of sub-commands were
missing in the top-level summary.

https://pagure.io/certmonger/issue/203

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
977dca30 by Rob Crittenden at 2021-06-04T14:29:09-04:00
Use the system env and not the session env for the local CA

The session env caused the local CA to try to use
/run/certmonger/.config/certmonger/certmonger.conf for its
configuration file which is both temporary and not exactly ideal.

Use the system environment as well so that
/etc/certmonger/certmonger.conf is the configuration file.

The problem was that users didn't know how to manage this file
and it didn't persist. The local CA is designed just for
developers but this wasn't discoverable at all and the
shipped certmonger.conf has a [local] section so confusion
abounded.

https://pagure.io/certmonger/issue/101

- - - - -
2cb0420b by Rob Crittenden at 2021-06-08T17:06:38-04:00
Add autoreconf to in-tree rpm spec file

This is to allow CI automation using copr

- - - - -
9cd9bbc5 by simmon at 2021-06-15T08:04:15+02:00
Translated using Weblate (Korean)

Currently translated at 100.0% (473 of 473 strings)

Co-authored-by: simmon <simmon at nplob.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/ko/
Translation: certmonger/master

- - - - -
10064de9 by Rob Crittenden at 2021-06-15T15:07:50-04:00
Tag 0.79.14

- - - - -
9ac80d80 by Rob Crittenden at 2021-08-06T10:02:55-04:00
If an existing cert exists, use it to decrypt the PKCS#7 envelope

>From the PKCS7_decrypt man page:

 Although the recipients certificate is not needed to decrypt the data
 it is needed to locate the appropriate (of possible several) recipients
 in the PKCS#7 structure.

Based heavily on patch contributed by Romain Bezut

https://pagure.io/certmonger/issue/202

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
fa54cbf4 by Rob Crittenden at 2021-08-06T10:13:44-04:00
Increase minimum allowed RSA key size to 1024

Better late than never.

https://pagure.io/certmonger/issue/211

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
c50fa860 by Rob Crittenden at 2021-08-06T10:13:44-04:00
Make the default RSA key size configurable

There is still a compiled-in default (currently 2048)
but this can be overridden in certmonger.conf with the
rsa_key_size setting in the default section. This will
allow users to increase the minimum size without changing
the default behavior for others.

https://pagure.io/certmonger/issue/211

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
2eb0793c by simmon at 2021-08-06T10:37:12-04:00
Translated using Weblate (Korean)

Currently translated at 100.0% (473 of 473 strings)

Co-authored-by: simmon <simmon at nplob.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/ko/
Translation: certmonger/master

- - - - -
f0b6f42e by Anders Jonsson at 2021-08-06T10:37:12-04:00
Translated using Weblate (Swedish)

Currently translated at 100.0% (473 of 473 strings)

Co-authored-by: Anders Jonsson <anders.jonsson at norsjovallen.se>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/sv/
Translation: certmonger/master

- - - - -
b38981c6 by Your Name at 2021-08-06T10:51:21-04:00
Add SCEP config option to treat the challenge password as an OTP

SCEP RFC 8894 specifies that a challenge password SHOULD be
removed from subsequent requests but that it MAY be included.

This adds a new configuration option to treat the challenge password
as a one-time password (OTP) so that it will not be sent on
subsequent requests, like renewals, by removing it completely
from the tracking request.

This allows certmonger to be able to renew AD-issued SCEP certificates
if the AD registry entry DisableRenewalSubjectNameMatch is set to 1.

https://bugzilla.redhat.com/show_bug.cgi?id=1577570

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
027556dd by Hela Basa at 2021-08-18T21:05:41+02:00
Translated using Weblate (Sinhala)

Currently translated at 0.6% (3 of 473 strings)

Co-authored-by: Hela Basa <r45xveza at pm.me>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/si/
Translation: certmonger/master

- - - - -
b4c090d2 by Rob Crittenden at 2021-09-03T13:18:49-04:00
Fix file descriptor leak when executing CA helpers

cm_cadata_start_generic() creates a pipe. One half is passed
to fetch(), the function that does all helper calls,
via the cm_cadata_state variable ret. The other half is the
reader and is used to detect execution errors. There is a pair
of write/read on this descriptor which on error would be the
errno.

This second half wasn't being closed after reading to test for
errors.

https://bugzilla.redhat.com/show_bug.cgi?id=1992439

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
40a702fc by Natacha Rault at 2021-09-13T02:04:51+02:00
Translated using Weblate (French)

Currently translated at 48.4% (229 of 473 strings)

Co-authored-by: Natacha Rault <n.rault at me.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/fr/
Translation: certmonger/master

- - - - -
729c2fbc by Andika Triwidada at 2021-09-13T02:04:52+02:00
Translated using Weblate (Indonesian)

Currently translated at 4.8% (23 of 473 strings)

Co-authored-by: Andika Triwidada <andika at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/id/
Translation: certmonger/master

- - - - -
5be5279c by Didik Supriadi at 2021-09-13T02:04:52+02:00
Translated using Weblate (Indonesian)

Currently translated at 4.8% (23 of 473 strings)

Co-authored-by: Didik Supriadi <didiksupriadi41 at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/id/
Translation: certmonger/master

- - - - -
aab56206 by Rob Crittenden at 2021-09-28T10:37:49-04:00
Add compile check for EVP_PKEY_get_id along with EVP_PKEY_id

EVP_PKEY_id is no longer available as a function, only as a preprocessor
macro, so AC_CHECK_FUNCS cannot recognize it.

This was changed in OpenSSL 3.0.0-beta2

https://bugzilla.redhat.com/show_bug.cgi?id=2008451

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
9312d189 by Christian Heimes at 2021-10-04T17:35:44+02:00
Use extensions template from NSS

Drop certmonger's custom extension template and use the sequence of X509v3
extensions template from NSS.

The certmonger template had a bug that caused certmonger to create CSRs
with invalid DER. It was encoding extension's critical element even for
default value FALSE.

Fixes: https://pagure.io/certmonger/issue/223
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
e3e46796 by Christian Heimes at 2021-10-05T09:37:33+02:00
Use implicit, empty FALSE for extensions

Cemplate had a bug that caused certmonger to create CSRs with invalid DER..
It was encoding extension's critical element even for default value FALSE.

Fixes: https://pagure.io/certmonger/issue/223
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
46cd5a7d by Rob Crittenden at 2021-10-05T11:55:57-04:00
Update csrgen test to understand OpenSSL 3.0.0 output

OpenSSL 3.0.0 change a lot of output messages. When verifying
a certificate instead of printing just "verify OK" it prints
"Certificate request self-signature verify OK"

Modify the check to match both OpenSSL 1.x and 3.x

Related: https://pagure.io/certmonger/issue/223

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -


7 changed files:

- certmonger.spec
- configure.ac
- doc/selinux.txt
- po/fr.po
- po/id.po
- + po/ko.po
- po/nl.po


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/certmonger/-/compare/3514c6d7a9d61a48f09f4f7affe06fa508a494ee...46cd5a7d9434ed104093152bdf0a55404e6a1c6b

-- 
View it on GitLab: https://salsa.debian.org/freeipa-team/certmonger/-/compare/3514c6d7a9d61a48f09f4f7affe06fa508a494ee...46cd5a7d9434ed104093152bdf0a55404e6a1c6b
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20211010/a9b51775/attachment-0001.htm>


More information about the Pkg-freeipa-devel mailing list