puppet 2.6.11 → 2.6.12

data/CHANGELOG

@@ -1,3 +1,36 @@
+2.6.12 (CVE-2011-3872 see http://puppetlabs.com/security/hotfixes/cve-2011-3872/)
+===
+3ed6499 Backport Enumerable#count to Rubies < 1.8.7
+5f44c23 More 1.8.5 compatibility fixes.
+ef1b960 Better 1.8.5 compatible implementation of `lines`.
+246e875 (#2848) Config options require '_', not '-'.
+3bdeb3a Ruby 1.8.5 compatibility changes in tests and code.
+6866d4b Add `lines` alias for `each_line` in Ruby 1.8.5.
+2f9ec3c s/not_to/should_not/ for older versions of RSpec 2.
+56320ea (#2848) Eliminate redundant `master_dns_alt_names`.
+de19861 (#2848) Remove the legacy SSLCertificates code
+cf008a6 (#2848) Rework the xmlrpc CA handler to use the modern SSL code
+32be180 (#2848) Remove unused xmlrpc code
+5f2a44d (#2848) Consistent return values from `subject_alt_names` accessors.
+5e507f2 (#2848) Consistently use `subject_alt_names` as accessor name.
+5ac2417 (#2848) Don't strip the subjectAltName label when listing.
+44cf3a2 (#2848) Don't enable `emailProtection` for server keys.
+d66def9 (#2848) Only mark `subjectAltName` critical if `subject` is empty.
+8174047 (#2848) Migrate `dns-alt-names` back to settings.
+f18df2b Wire up the `setbycli` slot in Puppet settings.
+efa61f2 (#2848) rename subject-alt-name option to dns-alt-names
+f103b20 (#2848) Rename `certdnsnames` to match new behaviour.
+363b47b (#2848) Use `certdnsnames` when bootstrapping a local master.
+49334ff (#2848) CSR subjectAltNames handling while signing.
+5f2af93 (#2848) List subject alt names in output of puppet cert --list
+bb475ec (#7224) Add a helper to Puppet::SSL::Certificate to retrieve alternate names
+bab9310 (#2848) Rewrite SSL Certificate Factory, fixing `subjectAltName` leak.
+fca1ff0 (#2848) Reject unknown (== all) extensions on the CSR.
+443a756 (#2848) extract the subjectAltName value from the CSR.
+66101f1 (#2848) Set `certdnsnames` values into the CSR.
+77b814f (#6928) Don't blow up when the method is undefined...
+5427f1e (#6928) backport Symbol#to_proc for Ruby < 1.8.7
+
 2.6.11
 ===
 e158b26 (#9793) "secure" indirector file backed terminus base class.

data/conf/redhat/puppet.spec

@@ -5,13 +5,13 @@
 %global confdir conf/redhat
 
 Name:           puppet
-Version:        2.6.11
+Version:        2.6.12
 Release:        1%{?dist}
 Summary:        A network tool for managing many disparate systems
 License:        GPLv2
 URL:            http://puppetlabs.com
-Source0:        http://puppetlabs.com/downloads/%{name}/%{name}-%{version}rc1.tar.gz
-#Source1:        http://puppetlabs.com/downloads/%{name}/%{name}-%{version}.tar.gz.asc
+Source0:        http://puppetlabs.com/downloads/%{name}/%{name}-%{version}.tar.gz
+Source1:        http://puppetlabs.com/downloads/%{name}/%{name}-%{version}.tar.gz.asc
 
 Group:          System Environment/Base
 
@@ -65,7 +65,7 @@ Provides the central puppet server daemon which provides manifests to clients.
 The server can also function as a certificate authority and file server.
 
 %prep
-%setup -q -n %{name}-%{version}rc1
+%setup -q -n %{name}-%{version}
 patch -s -p1 < conf/redhat/rundir-perms.patch
 
 
@@ -253,6 +253,9 @@ fi
 rm -rf %{buildroot}
 
 %changelog
+* Fri Oct 21 2011 Michael Stahnke <stahnma@puppetlabs.com> - 2.6.12-1
+- CVE-2011-3872 fixes
+
 * Fri Sep 30 2011 Michael Stahnke <stahnma@puppetlabs.com> - 2.6.11-1
 - CVE-2011-3869, 3870, 3871
 

data/lib/puppet.rb

@@ -24,7 +24,7 @@ require 'puppet/util/run_mode'
 # it's also a place to find top-level commands like 'debug'
 
 module Puppet
-  PUPPETVERSION = '2.6.11'
+  PUPPETVERSION = '2.6.12'
 
   def Puppet.version
     PUPPETVERSION

data/lib/puppet/application/cert.rb

@@ -10,6 +10,7 @@ class Puppet::Application::Cert < Puppet::Application
   def subcommand
     @subcommand
   end
+
   def subcommand=(name)
     # Handle the nasty, legacy mapping of "clean" to "destroy".
     sub = name.to_sym
@@ -38,11 +39,15 @@ class Puppet::Application::Cert < Puppet::Application
 
   require 'puppet/ssl/certificate_authority/interface'
   Puppet::SSL::CertificateAuthority::Interface::INTERFACE_METHODS.reject {|m| m == :destroy }.each do |method|
-    option("--#{method}", "-#{method.to_s[0,1]}") do
+    option("--#{method.to_s.gsub('_','-')}", "-#{method.to_s[0,1]}") do
       self.subcommand = method
     end
   end
 
+  option("--[no-]allow-dns-alt-names") do |value|
+    options[:allow_dns_alt_names] = value
+  end
+
   option("--verbose", "-v") do
     Puppet::Util::Log.level = :info
   end
@@ -56,8 +61,8 @@ class Puppet::Application::Cert < Puppet::Application
       hosts = command_line.args.collect { |h| h.downcase }
     end
     begin
-      @ca.apply(:revoke, :to => hosts) if subcommand == :destroy
-      @ca.apply(subcommand, :to => hosts, :digest => @digest)
+      @ca.apply(:revoke, options.merge(:to => hosts)) if subcommand == :destroy
+      @ca.apply(subcommand, options.merge(:to => hosts, :digest => @digest))
     rescue => detail
       puts detail.backtrace if Puppet[:trace]
       puts detail.to_s
@@ -77,6 +82,15 @@ class Puppet::Application::Cert < Puppet::Application
       Puppet::SSL::Host.ca_location = :only
     end
 
+    # If we are generating, and the option came from the CLI, it gets added to
+    # the data.  This will do the right thing for non-local certificates, in
+    # that the command line but *NOT* the config file option will apply.
+    if subcommand == :generate
+      if Puppet.settings.setting(:dns_alt_names).setbycli
+        options[:dns_alt_names] = Puppet[:dns_alt_names]
+      end
+    end
+
     begin
       @ca = Puppet::SSL::CertificateAuthority.new
     rescue => detail

data/lib/puppet/application/kick.rb

@@ -48,8 +48,6 @@ class Puppet::Application::Kick < Puppet::Application
   end
 
   def main
-    require 'puppet/network/client'
-
     Puppet.warning "Failed to load ruby LDAP library. LDAP functionality will not be available" unless Puppet.features.ldap?
     require 'puppet/util/ldap/connection'
 

data/lib/puppet/defaults.rb

@@ -205,9 +205,58 @@ module Puppet
       to the fully qualified domain name.",
       :call_on_define => true, # Call our hook with the default value, so we're always downcased
       :hook => proc { |value| raise(ArgumentError, "Certificate names must be lower case; see #1168") unless value == value.downcase }},
-    :certdnsnames => ['', "The DNS names on the Server certificate as a colon-separated list.
-      If it's anything other than an empty string, it will be used as an alias in the created
-      certificate.  By default, only the server gets an alias set up, and only for 'puppet'."],
+    :certdnsnames => {
+      :default => '',
+      :hook    => proc do |value|
+        unless value.nil? or value == '' then
+          Puppet.warning <<WARN
+The `certdnsnames` setting is no longer functional,
+after CVE-2011-3872. We ignore the value completely.
+
+For your own certificate request you can set `dns_alt_names` in the
+configuration and it will apply locally.  There is no configuration option to
+set DNS alt names, or any other `subjectAltName` value, for another nodes
+certificate.
+
+Alternately you can use the `--dns_alt_names` command line option to set the
+labels added while generating your own CSR.
+WARN
+        end
+      end,
+      :desc    => <<EOT
+The `certdnsnames` setting is no longer functional,
+after CVE-2011-3872. We ignore the value completely.
+
+For your own certificate request you can set `dns_alt_names` in the
+configuration and it will apply locally.  There is no configuration option to
+set DNS alt names, or any other `subjectAltName` value, for another nodes
+certificate.
+
+Alternately you can use the `--dns_alt_names` command line option to set the
+labels added while generating your own CSR.
+EOT
+    },
+    :dns_alt_names => {
+      :default => '',
+      :desc    => <<EOT,
+The comma-separated list of alternative DNS names to use for the local host.
+
+When the node generates a CSR for itself, these are added to the request
+as the desired `subjectAltName` in the certificate: additional DNS labels
+that the certificate is also valid answering as.
+
+This is generally required if you use a non-hostname `certname`, or if you
+want to use `puppet kick` or `puppet resource -H` and the primary certname
+does not match the DNS name you use to communicate with the host.
+
+This is unnecessary for agents, unless you intend to use them as a server for
+`puppet kick` or remote `puppet resource` management.
+
+It is rarely necessary for servers; it is usually helpful only if you need to
+have a pool of multiple load balanced masters, or for the same master to
+respond on two physically separate networks under different names.
+EOT
+    },
     :certdir => {
       :default => "$ssldir/certs",
       :owner => "service",

data/lib/puppet/network/handler/ca.rb

@@ -1,10 +1,7 @@
 require 'openssl'
 require 'puppet'
-require 'puppet/sslcertificates'
 require 'xmlrpc/server'
-
-# Much of this was taken from QuickCert:
-#   http://segment7.net/projects/ruby/QuickCert/
+require 'puppet/network/handler'
 
 class Puppet::Network::Handler
   class CA < Handler
@@ -18,73 +15,17 @@ class Puppet::Network::Handler
       iface.add_method("array getcert(csr)")
     }
 
-    def autosign
-      if defined?(@autosign)
-        @autosign
-      else
-        Puppet[:autosign]
-      end
-    end
-
-    # FIXME autosign? should probably accept both hostnames and IP addresses
-    def autosign?(hostname)
-      # simple values are easy
-      if autosign == true or autosign == false
-        return autosign
-      end
-
-      # we only otherwise know how to handle files
-      unless autosign =~ /^\//
-        raise Puppet::Error, "Invalid autosign value #{autosign.inspect}"
-      end
-
-      unless FileTest.exists?(autosign)
-        unless defined?(@@warnedonautosign)
-          @@warnedonautosign = true
-          Puppet.info "Autosign is enabled but #{autosign} is missing"
-        end
-        return false
-      end
-      auth = Puppet::Network::AuthStore.new
-      File.open(autosign) { |f|
-        f.each { |line|
-          next if line =~ /^\s*#/
-          next if line =~ /^\s*$/
-          auth.allow(line.chomp)
-        }
-      }
-
-      # for now, just cheat and pass a fake IP address to allowed?
-      auth.allowed?(hostname, "127.1.1.1")
-    end
-
     def initialize(hash = {})
       Puppet.settings.use(:main, :ssl, :ca)
-      @autosign = hash[:autosign] if hash.include? :autosign
 
-      @ca = Puppet::SSLCertificates::CA.new(hash)
+      @ca = Puppet::SSL::CertificateAuthority.instance
     end
 
     # our client sends us a csr, and we either store it for later signing,
     # or we sign it right away
     def getcert(csrtext, client = nil, clientip = nil)
-      csr = OpenSSL::X509::Request.new(csrtext)
-
-      # Use the hostname from the CSR, not from the network.
-      subject = csr.subject
-
-      nameary = subject.to_a.find { |ary|
-        ary[0] == "CN"
-      }
-
-      if nameary.nil?
-        Puppet.err(
-          "Invalid certificate request: could not retrieve server name"
-        )
-        return "invalid"
-      end
-
-      hostname = nameary[1]
+      csr = Puppet::SSL::CertificateRequest.from_s(csrtext)
+      hostname = csr.name
 
       unless @ca
         Puppet.notice "Host #{hostname} asked for signing from non-CA master"
@@ -93,57 +34,26 @@ class Puppet::Network::Handler
 
       # We used to save the public key, but it's basically unnecessary
       # and it mucks with the permissions requirements.
-      # save_pk(hostname, csr.public_key)
-
-      certfile = File.join(Puppet[:certdir], [hostname, "pem"].join("."))
 
       # first check to see if we already have a signed cert for the host
-      cert, cacert = ca.getclientcert(hostname)
-      if cert and cacert
+      cert = Puppet::SSL::Certificate.find(hostname)
+      cacert = Puppet::SSL::Certificate.find(@ca.host.name)
+
+      if cert
         Puppet.info "Retrieving existing certificate for #{hostname}"
-        unless csr.public_key.to_s == cert.public_key.to_s
+        unless csr.content.public_key.to_s == cert.content.public_key.to_s
           raise Puppet::Error, "Certificate request does not match existing certificate; run 'puppetca --clean #{hostname}'."
         end
-        return [cert.to_pem, cacert.to_pem]
-      elsif @ca
-        if self.autosign?(hostname) or client.nil?
-          Puppet.info "Signing certificate for CA server" if client.nil?
-          # okay, we don't have a signed cert
-          # if we're a CA and autosign is turned on, then go ahead and sign
-          # the csr and return the results
-          Puppet.info "Signing certificate for #{hostname}"
-          cert, cacert = @ca.sign(csr)
-          #Puppet.info "Cert: #{cert.class}; Cacert: #{cacert.class}"
-          return [cert.to_pem, cacert.to_pem]
-        else # just write out the csr for later signing
-          if @ca.getclientcsr(hostname)
-            Puppet.info "Not replacing existing request from #{hostname}"
-          else
-            Puppet.notice "Host #{hostname} has a waiting certificate request"
-            @ca.storeclientcsr(csr)
-          end
-          return ["", ""]
-        end
+        [cert.to_s, cacert.to_s]
       else
-        raise "huh?"
-      end
-    end
+        csr.save
 
-    private
-
-    # Save the public key.
-    def save_pk(hostname, public_key)
-      pkeyfile = File.join(Puppet[:publickeydir], [hostname, "pem"].join('.'))
-
-      if FileTest.exists?(pkeyfile)
-        currentkey = File.open(pkeyfile) { |k| k.read }
-        unless currentkey == public_key.to_s
-          raise Puppet::Error, "public keys for #{hostname} differ"
+        # We determine whether we signed the csr by checking if there's a certificate for it
+        if cert = Puppet::SSL::Certificate.find(hostname)
+          [cert.to_s, cacert.to_s]
+        else
+          nil
         end
-      else
-        File.open(pkeyfile, "w", 0644) { |f|
-          f.print public_key.to_s
-        }
       end
     end
   end

data/lib/puppet/network/handler/master.rb

@@ -1,6 +1,5 @@
 require 'openssl'
 require 'puppet'
-require 'puppet/sslcertificates'
 require 'xmlrpc/server'
 require 'yaml'
 
@@ -33,8 +32,6 @@ class Puppet::Network::Handler
 
       args[:Local] = true
 
-      @ca = (hash.include?(:CA) and hash[:CA]) ? Puppet::SSLCertificates::CA.new : nil
-
       # This is only used by the cfengine module, or if --loadclasses was
       # specified in +puppet+.
       args[:Classes] = hash[:Classes] if hash.include?(:Classes)

data/lib/puppet/network/handler/runner.rb

@@ -1,4 +1,5 @@
 require 'puppet/run'
+require 'puppet/network/handler'
 
 class Puppet::Network::Handler
   class MissingMasterError < RuntimeError; end # Cannot find the master client

data/lib/puppet/ssl/certificate.rb

@@ -27,6 +27,12 @@ class Puppet::SSL::Certificate < Puppet::SSL::Base
     [:s]
   end
 
+  def subject_alt_names
+    alts = content.extensions.find{|ext| ext.oid == "subjectAltName"}
+    return [] unless alts
+    alts.value.split(/\s*,\s*/)
+  end
+
   def expiration
     return nil unless content
     content.not_after

data/lib/puppet/ssl/certificate_authority.rb

@@ -11,6 +11,15 @@ require 'puppet/util/cacher'
 # it can also be seen as a general interface into all of the
 # SSL stuff.
 class Puppet::SSL::CertificateAuthority
+  # We will only sign extensions on this whitelist, ever.  Any CSR with a
+  # requested extension that we don't recognize is rejected, against the risk
+  # that it will introduce some security issue through our ignorance of it.
+  #
+  # Adding an extension to this whitelist simply means we will consider it
+  # further, not that we will always accept a certificate with an extension
+  # requested on this list.
+  RequestExtensionWhitelist = %w{subjectAltName}
+
   require 'puppet/ssl/certificate_factory'
   require 'puppet/ssl/inventory'
   require 'puppet/ssl/certificate_revocation_list'
@@ -25,6 +34,14 @@ class Puppet::SSL::CertificateAuthority
     end
   end
 
+  class CertificateSigningError < RuntimeError
+    attr_accessor :host
+
+    def initialize(host)
+      @host = host
+    end
+  end
+
   class << self
     include Puppet::Util::Cacher
 
@@ -52,7 +69,6 @@ class Puppet::SSL::CertificateAuthority
   def apply(method, options)
     raise ArgumentError, "You must specify the hosts to apply to; valid values are an array or the symbol :all" unless options[:to]
     applier = Interface.new(method, options)
-
     applier.apply(self)
   end
 
@@ -108,13 +124,15 @@ class Puppet::SSL::CertificateAuthority
   end
 
   # Generate a new certificate.
-  def generate(name)
+  def generate(name, options = {})
     raise ArgumentError, "A Certificate already exists for #{name}" if Puppet::SSL::Certificate.find(name)
-    host = Puppet::SSL::Host.new(name)
 
-    host.generate_certificate_request
+    # Pass on any requested subjectAltName field.
+    san = options[:dns_alt_names]
 
-    sign(name)
+    host = Puppet::SSL::Host.new(name)
+    host.generate_certificate_request(:dns_alt_names => san)
+    sign(name, !!san)
   end
 
   # Generate our CA certificate.
@@ -123,14 +141,16 @@ class Puppet::SSL::CertificateAuthority
 
     host.generate_key unless host.key
 
-    # Create a new cert request.  We do this
-    # specially, because we don't want to actually
-    # save the request anywhere.
+    # Create a new cert request.  We do this specially, because we don't want
+    # to actually save the request anywhere.
     request = Puppet::SSL::CertificateRequest.new(host.name)
+
+    # We deliberately do not put any subjectAltName in here: the CA
+    # certificate absolutely does not need them. --daniel 2011-10-13
     request.generate(host.key)
 
     # Create a self-signed certificate.
-    @certificate = sign(host.name, :ca, request)
+    @certificate = sign(host.name, false, request)
 
     # And make sure we initialize our CRL.
     crl
@@ -223,20 +243,34 @@ class Puppet::SSL::CertificateAuthority
   end
 
   # Sign a given certificate request.
-  def sign(hostname, cert_type = :server, self_signing_csr = nil)
+  def sign(hostname, allow_dns_alt_names = false, self_signing_csr = nil)
     # This is a self-signed certificate
     if self_signing_csr
+      # # This is a self-signed certificate, which is for the CA.  Since this
+      # # forces the certificate to be self-signed, anyone who manages to trick
+      # # the system into going through this path gets a certificate they could
+      # # generate anyway.  There should be no security risk from that.
       csr = self_signing_csr
+      cert_type = :ca
       issuer = csr.content
     else
+      allow_dns_alt_names = true if hostname == Puppet[:certname].downcase
       unless csr = Puppet::SSL::CertificateRequest.find(hostname)
         raise ArgumentError, "Could not find certificate request for #{hostname}"
       end
+
+      cert_type = :server
       issuer = host.certificate.content
+
+      # Make sure that the CSR conforms to our internal signing policies.
+      # This will raise if the CSR doesn't conform, but just in case...
+      check_internal_signing_policies(hostname, csr, allow_dns_alt_names) or
+        raise CertificateSigningError.new(hostname), "CSR had an unknown failure checking internal signing policies, will not sign!"
     end
 
     cert = Puppet::SSL::Certificate.new(hostname)
-    cert.content = Puppet::SSL::CertificateFactory.new(cert_type, csr.content, issuer, next_serial).result
+    cert.content = Puppet::SSL::CertificateFactory.
+      build(cert_type, csr, issuer, next_serial)
     cert.content.sign(host.key.content, OpenSSL::Digest::SHA1.new)
 
     Puppet.notice "Signed certificate request for #{hostname}"
@@ -256,6 +290,47 @@ class Puppet::SSL::CertificateAuthority
     cert
   end
 
+  def check_internal_signing_policies(hostname, csr, allow_dns_alt_names)
+    # Reject unknown request extensions.
+    unknown_req = csr.request_extensions.
+      reject {|x| RequestExtensionWhitelist.include? x["oid"] }
+
+    if unknown_req and not unknown_req.empty?
+      names = unknown_req.map {|x| x["oid"] }.sort.uniq.join(", ")
+      raise CertificateSigningError.new(hostname), "CSR has request extensions that are not permitted: #{names}"
+    end
+
+    # Wildcards: we don't allow 'em at any point.
+    #
+    # The stringification here makes the content visible, and saves us having
+    # to scrobble through the content of the CSR subject field to make sure it
+    # is what we expect where we expect it.
+    if csr.content.subject.to_s.include? '*'
+      raise CertificateSigningError.new(hostname), "CSR subject contains a wildcard, which is not allowed: #{csr.content.subject.to_s}"
+    end
+
+    unless csr.subject_alt_names.empty?
+      # If you alt names are allowed, they are required. Otherwise they are
+      # disallowed. Self-signed certs are implicitly trusted, however.
+      unless allow_dns_alt_names
+        raise CertificateSigningError.new(hostname), "CSR '#{csr.name}' contains subject alternative names (#{csr.subject_alt_names.join(', ')}), which are disallowed. Use `puppet cert --allow-dns-alt-names sign #{csr.name}` to sign this request."
+      end
+
+      # If subjectAltNames are present, validate that they are only for DNS
+      # labels, not any other kind.
+      unless csr.subject_alt_names.all? {|x| x =~ /^DNS:/ }
+        raise CertificateSigningError.new(hostname), "CSR '#{csr.name}' contains a subjectAltName outside the DNS label space: #{csr.subject_alt_names.join(', ')}.  To continue, this CSR needs to be cleaned."
+      end
+
+      # Check for wildcards in the subjectAltName fields too.
+      if csr.subject_alt_names.any? {|x| x.include? '*' }
+        raise CertificateSigningError.new(hostname), "CSR '#{csr.name}' subjectAltName contains a wildcard, which is not allowed: #{csr.subject_alt_names.join(', ')}  To continue, this CSR needs to be cleaned."
+      end
+    end
+
+    return true                 # good enough for us!
+  end
+
   # Verify a given host's certificate.
   def verify(name)
     unless cert = Puppet::SSL::Certificate.find(name)