import openwsman-2.6.8-22.el9

0753261e · Rocky Automation · 0753261e · 0753261e · 0753261e · 0753261e
Commit 0753261e authored 2 years ago by Rocky Automation
--- a/.gitignore
+++ b/.gitignore
+SOURCES/openwsmand.8.gz
+SOURCES/v2.6.8.tar.gz
--- a/.openwsman.metadata
+++ b/.openwsman.metadata
+a6a8bbbfa71ce04bedae55f2f06ce97089b6c5e1 SOURCES/openwsmand.8.gz
+e061a41b3d5f5fa4ee284726d283e15f4a0e8c46 SOURCES/v2.6.8.tar.gz
--- a/SOURCES/openwsman-2.4.0-pamsetup.patch
+++ b/SOURCES/openwsman-2.4.0-pamsetup.patch
+diff -up openwsman-2.6.8/etc/pam/openwsman.orig openwsman-2.6.8/etc/pam/openwsman
+--- openwsman-2.6.8/etc/pam/openwsman.orig	2018-11-21 13:51:52.776325243 +0100
+++ openwsman-2.6.8/etc/pam/openwsman	2018-11-21 13:54:17.066351134 +0100
+@@ -2,6 +2,6 @@
+ auth       required	pam_unix.so	nullok
+ auth       required	pam_nologin.so
+ account    required	pam_unix.so
+-password   required	pam_cracklib.so	nullok
+-password   required	pam_unix.so	nullok use_first_pass use_authtok nis shadow
+-session    required	pam_unix.so	none
+password   required	pam_pwquality.so
+password   required	pam_unix.so	nullok use_first_pass use_authtok
+session    required	pam_unix.so
--- a/SOURCES/openwsman-2.4.12-ruby-binding-build.patch
+++ b/SOURCES/openwsman-2.4.12-ruby-binding-build.patch
+diff -up openwsman-2.4.12/bindings/ruby/extconf.rb.orig openwsman-2.4.12/bindings/ruby/extconf.rb
+--- openwsman-2.4.12/bindings/ruby/extconf.rb.orig	2015-02-09 09:28:58.232581263 +0100
+++ openwsman-2.4.12/bindings/ruby/extconf.rb	2015-02-09 09:38:22.836772879 +0100
+@@ -32,7 +32,7 @@ swig = find_executable("swig")
+ raise "SWIG not found" unless swig
+ 
+ major, minor, path = RUBY_VERSION.split(".")
+-raise "SWIG failed to run" unless system("#{swig} -ruby -autorename -DRUBY_VERSION=#{major}#{minor} -I. -I/usr/include/openwsman -o openwsman_wrap.c openwsman.i")
+raise "SWIG failed to run" unless system("#{swig} -ruby -autorename -DRUBY_VERSION=#{major}#{minor} -I. -I/usr/include/openwsman -I/builddir/build/BUILD/openwsman-2.6.8/include/ -o openwsman_wrap.c openwsman.i")
+ 
+ $CPPFLAGS = "-I/usr/include/openwsman -I.."
+ 
--- a/SOURCES/openwsman-2.6.2-openssl-1.1-fix.patch
+++ b/SOURCES/openwsman-2.6.2-openssl-1.1-fix.patch
+diff -up openwsman-2.6.8/src/server/shttpd/compat_unix.h.orig openwsman-2.6.8/src/server/shttpd/compat_unix.h
+--- openwsman-2.6.8/src/server/shttpd/compat_unix.h.orig	2018-10-12 12:06:26.000000000 +0200
+++ openwsman-2.6.8/src/server/shttpd/compat_unix.h	2018-11-22 13:30:10.756423510 +0100
+@@ -27,10 +27,6 @@
+ 	pthread_create(&tid, NULL, (void *(*)(void *))a, c); } while (0)
+ #endif /* !NO_THREADS */
+ 
+-#ifndef SSL_LIB
+-#define	SSL_LIB				"libssl.so"
+-#endif
+-
+ #define	DIRSEP				'/'
+ #define	IS_DIRSEP_CHAR(c)		((c) == '/')
+ #define	O_BINARY			0
+diff -up openwsman-2.6.8/src/server/shttpd/io_ssl.c.orig openwsman-2.6.8/src/server/shttpd/io_ssl.c
+--- openwsman-2.6.8/src/server/shttpd/io_ssl.c.orig	2018-10-12 12:06:26.000000000 +0200
+++ openwsman-2.6.8/src/server/shttpd/io_ssl.c	2018-11-22 13:30:10.757423510 +0100
+@@ -11,23 +11,6 @@
+ #include "defs.h"
+ 
+ #if !defined(NO_SSL)
+-struct ssl_func	ssl_sw[] = {
+-	{"SSL_free",			{0}},
+-	{"SSL_accept",			{0}},
+-	{"SSL_connect",			{0}},
+-	{"SSL_read",			{0}},
+-	{"SSL_write",			{0}},
+-	{"SSL_get_error",		{0}},
+-	{"SSL_set_fd",			{0}},
+-	{"SSL_new",			{0}},
+-	{"SSL_CTX_new",			{0}},
+-	{"SSLv23_server_method",	{0}},
+-	{"SSL_library_init",		{0}},
+-	{"SSL_CTX_use_PrivateKey_file",	{0}},
+-	{"SSL_CTX_use_certificate_file",{0}},
+-	{NULL,				{0}}
+-};
+-
+ void
+ _shttpd_ssl_handshake(struct stream *stream)
+ {
+diff -up openwsman-2.6.8/src/server/shttpd/shttpd.c.orig openwsman-2.6.8/src/server/shttpd/shttpd.c
+--- openwsman-2.6.8/src/server/shttpd/shttpd.c.orig	2018-10-12 12:06:26.000000000 +0200
+++ openwsman-2.6.8/src/server/shttpd/shttpd.c	2018-11-22 13:30:41.314416695 +0100
+@@ -1476,20 +1476,14 @@ set_ssl(struct shttpd_ctx *ctx, const ch
+ 	int		retval = FALSE;
+ 	EC_KEY*		key;
+ 
+-	/* Load SSL library dynamically */
+-	if ((lib = dlopen(SSL_LIB, RTLD_LAZY)) == NULL) {
+-		_shttpd_elog(E_LOG, NULL, "set_ssl: cannot load %s", SSL_LIB);
+-		return (FALSE);
+-	}
+-
+-	for (fp = ssl_sw; fp->name != NULL; fp++)
+-		if ((fp->ptr.v_void = dlsym(lib, fp->name)) == NULL) {
+-			_shttpd_elog(E_LOG, NULL,"set_ssl: cannot find %s", fp->name);
+-			return (FALSE);
+-		}
+-
+ 	/* Initialize SSL crap */
+	debug("Initialize SSL");
+	SSL_load_error_strings();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	OPENSSL_init_ssl(0, NULL);
+#else
+ 	SSL_library_init();
+#endif
+ 
+ 	if ((CTX = SSL_CTX_new(SSLv23_server_method())) == NULL)
+ 		_shttpd_elog(E_LOG, NULL, "SSL_CTX_new error");
+diff -up openwsman-2.6.8/src/server/shttpd/ssl.h.orig openwsman-2.6.8/src/server/shttpd/ssl.h
+--- openwsman-2.6.8/src/server/shttpd/ssl.h.orig	2018-10-12 12:06:26.000000000 +0200
+++ openwsman-2.6.8/src/server/shttpd/ssl.h	2018-11-22 13:30:10.757423510 +0100
+@@ -12,52 +12,4 @@
+ 
+ #include <openssl/ssl.h>
+ 
+-#else
+-
+-/*
+- * Snatched from OpenSSL includes. I put the prototypes here to be independent
+- * from the OpenSSL source installation. Having this, shttpd + SSL can be
+- * built on any system with binary SSL libraries installed.
+- */
+-
+-typedef struct ssl_st SSL;
+-typedef struct ssl_method_st SSL_METHOD;
+-typedef struct ssl_ctx_st SSL_CTX;
+-
+-#define	SSL_ERROR_WANT_READ	2
+-#define	SSL_ERROR_WANT_WRITE	3
+-#define	SSL_ERROR_SYSCALL	5
+-#define	SSL_FILETYPE_PEM	1
+-
+-#endif
+-
+-/*
+- * Dynamically loaded SSL functionality
+- */
+-struct ssl_func {
+-	const char	*name;		/* SSL function name	*/
+-	union variant	ptr;		/* Function pointer	*/
+-};
+-
+-extern struct ssl_func	ssl_sw[];
+-
+-#define	FUNC(x)	ssl_sw[x].ptr.v_func
+-
+-#define	SSL_free(x)	(* (void (*)(SSL *)) FUNC(0))(x)
+-#define	SSL_accept(x)	(* (int (*)(SSL *)) FUNC(1))(x)
+-#define	SSL_connect(x)	(* (int (*)(SSL *)) FUNC(2))(x)
+-#define	SSL_read(x,y,z)	(* (int (*)(SSL *, void *, int)) FUNC(3))((x),(y),(z))
+-#define	SSL_write(x,y,z) \
+-	(* (int (*)(SSL *, const void *,int)) FUNC(4))((x), (y), (z))
+-#define	SSL_get_error(x,y)(* (int (*)(SSL *, int)) FUNC(5))((x), (y))
+-#define	SSL_set_fd(x,y)	(* (int (*)(SSL *, int)) FUNC(6))((x), (y))
+-#define	SSL_new(x)	(* (SSL * (*)(SSL_CTX *)) FUNC(7))(x)
+-#define	SSL_CTX_new(x)	(* (SSL_CTX * (*)(const SSL_METHOD *)) FUNC(8))(x)
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+-#define	SSLv23_server_method()	(* (SSL_METHOD * (*)(void)) FUNC(9))()
+-#define	SSL_library_init() (* (int (*)(void)) FUNC(10))()
+ #endif
+-#define	SSL_CTX_use_PrivateKey_file(x,y,z)	(* (int (*)(SSL_CTX *, \
+-		const char *, int)) FUNC(11))((x), (y), (z))
+-#define	SSL_CTX_use_certificate_file(x,y,z)	(* (int (*)(SSL_CTX *, \
+-		const char *, int)) FUNC(12))((x), (y), (z))
--- a/SOURCES/openwsman-2.6.5-http-status-line.patch
+++ b/SOURCES/openwsman-2.6.5-http-status-line.patch
+diff -up openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/wsmand-listener.c.orig openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/wsmand-listener.c
+--- openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/wsmand-listener.c.orig	2016-07-27 16:03:55.000000000 +0200
+++ openwsman-4391e5c68d99c6239e1672d1c8a5a16d7d8c4c2b/src/server/wsmand-listener.c	2018-01-22 13:05:04.478923300 +0100
+@@ -344,6 +344,35 @@ DONE:
+ 	if (fault_reason == NULL) {
+ 		// this is a way to segfault, investigate
+ 		//fault_reason = shttpd_reason_phrase(status);
+		// ugly workaround follows...
+		switch (status) {
+			case 200:
+				fault_reason = "OK";
+				break;
+			case 400:
+				fault_reason = "Bad request";
+				break;
+			case 401:
+				fault_reason = "Unauthorized";
+				break;
+			case 403:
+				fault_reason = "Forbidden";
+				break;
+			case 404:
+				fault_reason = "Not found";
+				break;
+			case 500:
+				fault_reason = "Internal Error";
+				break;
+			case 501:
+				fault_reason = "Not implemented";
+				break;
+			case 415:
+				fault_reason = "Unsupported Media Type";
+				break;
+			default:
+				fault_reason = "";
+		}
+ 	}
+ 	debug("Response status=%d (%s)", status, fault_reason);
+ 
--- a/SOURCES/openwsman-2.6.5-libcurl-error-codes-update.patch
+++ b/SOURCES/openwsman-2.6.5-libcurl-error-codes-update.patch
+diff -up openwsman-2.6.5/src/lib/wsman-curl-client-transport.c.orig openwsman-2.6.5/src/lib/wsman-curl-client-transport.c
+--- openwsman-2.6.5/src/lib/wsman-curl-client-transport.c.orig	2018-11-14 13:53:27.442138557 +0100
+++ openwsman-2.6.5/src/lib/wsman-curl-client-transport.c	2018-11-14 14:11:28.508714204 +0100
+@@ -186,16 +186,23 @@ convert_to_last_error(CURLcode r)
+ 		return WS_LASTERR_SSL_CONNECT_ERROR;
+         case CURLE_BAD_FUNCTION_ARGUMENT:
+                 return WS_LASTERR_CURL_BAD_FUNCTION_ARG;
+#if LIBCURL_VERSION_NUM < 0x073E00
+ 	case CURLE_SSL_PEER_CERTIFICATE:
+ 		return WS_LASTERR_SSL_PEER_CERTIFICATE;
+#endif
+ 	case CURLE_SSL_ENGINE_NOTFOUND:
+ 		return WS_LASTERR_SSL_ENGINE_NOTFOUND;
+ 	case CURLE_SSL_ENGINE_SETFAILED:
+ 		return WS_LASTERR_SSL_ENGINE_SETFAILED;
+ 	case CURLE_SSL_CERTPROBLEM:
+ 		return WS_LASTERR_SSL_CERTPROBLEM;
+#if LIBCURL_VERSION_NUM < 0x073E00
+ 	case CURLE_SSL_CACERT:
+ 		return WS_LASTERR_SSL_CACERT;
+#else
+	case CURLE_PEER_FAILED_VERIFICATION:
+		return WS_LASTERR_SSL_PEER_CERTIFICATE;
+#endif
+ #if LIBCURL_VERSION_NUM > 0x70C01
+ 	case CURLE_SSL_ENGINE_INITFAILED:
+ 		return WS_LASTERR_SSL_ENGINE_INITFAILED;
--- a/SOURCES/openwsman-2.6.8-CVE-2019-3816.patch
+++ b/SOURCES/openwsman-2.6.8-CVE-2019-3816.patch
+diff -up openwsman-2.6.8/src/server/shttpd/shttpd.c.orig openwsman-2.6.8/src/server/shttpd/shttpd.c
+--- openwsman-2.6.8/src/server/shttpd/shttpd.c.orig	2019-03-13 08:52:06.112090942 +0100
+++ openwsman-2.6.8/src/server/shttpd/shttpd.c	2019-03-13 09:01:15.496156789 +0100
+@@ -336,10 +336,12 @@ date_to_epoch(const char *s)
+ }
+ 
+ static void
+-remove_double_dots(char *s)
+remove_all_leading_dots(char *s)
+ {
+ 	char	*p = s;
+ 
+	while (*s != '\0' && *s == '.') s++;
+
+ 	while (*s != '\0') {
+ 		*p++ = *s++;
+ 		if (s[-1] == '/' || s[-1] == '\\')
+@@ -546,7 +548,7 @@ decide_what_to_do(struct conn *c)
+ 		*c->query++ = '\0';
+ 
+ 	_shttpd_url_decode(c->uri, strlen(c->uri), c->uri, strlen(c->uri) + 1);
+-	remove_double_dots(c->uri);
+	remove_all_leading_dots(c->uri);
+ 
+ 	root = c->ctx->options[OPT_ROOT];
+ 	if (strlen(c->uri) + strlen(root) >= sizeof(path)) {
+@@ -556,6 +558,7 @@ decide_what_to_do(struct conn *c)
+ 
+ 	(void) _shttpd_snprintf(path, sizeof(path), "%s%s", root, c->uri);
+ 
+	DBG(("decide_what_to_do -> processed path: [%s]", path));
+ 	/* User may use the aliases - check URI for mount point */
+ 	if (is_alias(c->ctx, c->uri, &alias_uri, &alias_path) != NULL) {
+ 		(void) _shttpd_snprintf(path, sizeof(path), "%.*s%s",
+@@ -572,7 +575,10 @@ decide_what_to_do(struct conn *c)
+ 	if ((ruri = _shttpd_is_registered_uri(c->ctx, c->uri)) != NULL) {
+ 		_shttpd_setup_embedded_stream(c,
+ 		    ruri->callback, ruri->callback_data);
+-	} else
+	} else {
+		_shttpd_send_server_error(c, 403, "Forbidden");
+	}
+#if 0
+ 	if (strstr(path, HTPASSWD)) {
+ 		/* Do not allow to view passwords files */
+ 		_shttpd_send_server_error(c, 403, "Forbidden");
+@@ -656,6 +662,7 @@ decide_what_to_do(struct conn *c)
+ 	} else {
+ 		_shttpd_send_server_error(c, 500, "Internal Error");
+ 	}
+#endif
+ }
+ 
+ static int
+diff -up openwsman-2.6.8/src/server/wsmand.c.orig openwsman-2.6.8/src/server/wsmand.c
+--- openwsman-2.6.8/src/server/wsmand.c.orig	2018-10-12 12:06:26.000000000 +0200
+++ openwsman-2.6.8/src/server/wsmand.c	2019-03-13 09:03:25.919181279 +0100
+@@ -198,6 +198,10 @@ static void daemonize(void)
+ 	int fd;
+ 	char *pid;
+ 
+	/* Change our CWD to / */
+	i = chdir("/");
+	assert(i == 0);
+
+ 	if (wsmand_options_get_foreground_debug() > 0) {
+ 		return;
+ 	}
+@@ -214,10 +218,6 @@ static void daemonize(void)
+ 	log_pid = 0;
+ 	setsid();
+ 
+-	/* Change our CWD to / */
+-	i=chdir("/");
+-        assert(i == 0);
+-
+ 	/* Close all file descriptors. */
+ 	for (i = getdtablesize(); i >= 0; --i)
+ 		close(i);
--- a/SOURCES/openwsman-2.6.8-CVE-2019-3833.patch
+++ b/SOURCES/openwsman-2.6.8-CVE-2019-3833.patch
+diff -up openwsman-2.6.8/src/server/shttpd/shttpd.c.orig openwsman-2.6.8/src/server/shttpd/shttpd.c
+--- openwsman-2.6.8/src/server/shttpd/shttpd.c.orig	2019-03-13 09:32:32.417633057 +0100
+++ openwsman-2.6.8/src/server/shttpd/shttpd.c	2019-03-13 09:58:04.482486589 +0100
+@@ -705,11 +705,11 @@ parse_http_request(struct conn *c)
+ 		_shttpd_send_server_error(c, 500, "Cannot allocate request");
+ 	}
+ 
+	io_inc_tail(&c->rem.io, req_len);
+
+ 	if (c->loc.flags & FLAG_CLOSED)
+ 		return;
+ 
+-	io_inc_tail(&c->rem.io, req_len);
+-
+ 	DBG(("Conn %d: parsing request: [%.*s]", c->rem.chan.sock, req_len, s));
+ 	c->rem.flags |= FLAG_HEADERS_PARSED;
+ 
+@@ -975,7 +975,7 @@ write_stream(struct stream *from, struct
+ }
+ 
+ 
+-static void
+static int
+ connection_desctructor(struct llhead *lp)
+ {
+ 	struct conn		*c = LL_ENTRY(lp, struct conn, link);
+@@ -999,7 +999,8 @@ connection_desctructor(struct llhead *lp
+ 	 * Check the "Connection: " header before we free c->request
+ 	 * If it its 'keep-alive', then do not close the connection
+ 	 */
+-	do_close = (c->ch.connection.v_vec.len >= vec.len &&
+	do_close = c->rem.flags & FLAG_CLOSED ||
+	    (c->ch.connection.v_vec.len >= vec.len &&
+ 	    !_shttpd_strncasecmp(vec.ptr,c->ch.connection.v_vec.ptr,vec.len)) ||
+ 	    (c->major_version < 1 ||
+ 	    (c->major_version >= 1 && c->minor_version < 1));
+@@ -1021,7 +1022,7 @@ connection_desctructor(struct llhead *lp
+ 		io_clear(&c->loc.io);
+ 		c->birth_time = _shttpd_current_time;
+ 		if (io_data_len(&c->rem.io) > 0)
+-			process_connection(c, 0, 0);
+			return 1;
+ 	} else {
+ 		if (c->rem.io_class != NULL)
+ 			c->rem.io_class->close(&c->rem);
+@@ -1032,6 +1033,8 @@ connection_desctructor(struct llhead *lp
+ 
+ 		free(c);
+ 	}
+
+	return 0;
+ }
+ 
+ static void
+@@ -1039,7 +1042,7 @@ worker_destructor(struct llhead *lp)
+ {
+ 	struct worker	*worker = LL_ENTRY(lp, struct worker, link);
+ 
+-	free_list(&worker->connections, connection_desctructor);
+	free_list(&worker->connections, (void (*)(struct llhead *))connection_desctructor);
+ 	free(worker);
+ }
+ 
+@@ -1072,6 +1075,8 @@ add_to_set(int fd, fd_set *set, int *max
+ static void
+ process_connection(struct conn *c, int remote_ready, int local_ready)
+ {
+again:
+
+ 	/* Read from remote end if it is ready */
+ 	if (remote_ready && io_space_len(&c->rem.io))
+ 		read_stream(&c->rem);
+@@ -1100,7 +1105,11 @@ process_connection(struct conn *c, int r
+ 	if ((_shttpd_current_time > c->expire_time) ||
+ 	    (c->rem.flags & FLAG_CLOSED) ||
+ 	    ((c->loc.flags & FLAG_CLOSED) && !io_data_len(&c->loc.io)))
+-		connection_desctructor(&c->link);
+		if (connection_desctructor(&c->link)) {
+			remote_ready = 0;
+			local_ready = 0;
+			goto again;
+		}
+ }
+ 
+ static int
+@@ -1642,7 +1651,7 @@ worker_function(void *param)
+ 	while (worker->exit_flag == 0)
+ 		poll_worker(worker, 1000 * 10);
+ 
+-	free_list(&worker->connections, connection_desctructor);
+	free_list(&worker->connections, (void (*)(struct llhead *))connection_desctructor);
+ 	free(worker);
+ }
+ 
--- a/SOURCES/openwsman-2.6.8-update-ssleay-conf.patch
+++ b/SOURCES/openwsman-2.6.8-update-ssleay-conf.patch
+diff -up openwsman-2.6.8/etc/ssleay.cnf.orig openwsman-2.6.8/etc/ssleay.cnf
+--- openwsman-2.6.8/etc/ssleay.cnf.orig	2018-10-12 12:06:26.000000000 +0200
+++ openwsman-2.6.8/etc/ssleay.cnf	2020-09-22 14:27:56.216306882 +0200
+@@ -2,10 +2,8 @@
+ # SSLeay example configuration file.
+ #
+ 
+-RANDFILE                = /dev/random
+-
+ [ req ]
+-default_bits            = 1024
+default_bits            = 2048
+ default_keyfile         = privkey.pem
+ distinguished_name      = req_distinguished_name
+ 
--- a/SOURCES/openwsmand.service
+++ b/SOURCES/openwsmand.service
+[Unit]
+Description=Openwsman WS-Management Service
+After=syslog.target
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/openwsmand -S
+ExecStartPre=/etc/openwsman/owsmantestcert.sh
+PIDFile=/var/run/wsmand.pid
+
+[Install]
+WantedBy=multi-user.target
--- a/SOURCES/owsmantestcert.sh
+++ b/SOURCES/owsmantestcert.sh
+#!/bin/bash
+
+if [ ! -f "/etc/openwsman/serverkey.pem" ]; then
+  if [ -f "/etc/ssl/servercerts/servercert.pem" \
+       -a -f "/etc/ssl/servercerts/serverkey.pem" ]; then
+    echo "Using common server certificate /etc/ssl/servercerts/servercert.pem"
+    ln -s /etc/ssl/servercerts/server{cert,key}.pem /etc/openwsman
+    exit 0
+  else
+    echo "FAILED: Starting openwsman server"
+    echo "There is no ssl server key available for openwsman server to use."
+    echo -e "Please generate one with the following script and start the openwsman service again:\n"
+    echo "##################################"
+    echo "/etc/openwsman/owsmangencert.sh"
+    echo "================================="
+    
+    echo "NOTE: The script uses /dev/random device for generating some random bits while generating the server key."
+    echo "      If this takes too long, you can replace the value of \"RANDFILE\" in /etc/openwsman/ssleay.cnf with /dev/urandom. Please understand the implications of replacing the RNADFILE."
+    exit 1
+  fi
+fi
--- a/SPECS/openwsman.spec
+++ b/SPECS/openwsman.spec