Re: [pcp] Second Secure Connection via pmproxy Fails

To:	Nathan Scott <nathans@xxxxxxxxxx>
Subject:	Re: [pcp] Second Secure Connection via pmproxy Fails
From:	Dave Brolley <brolley@xxxxxxxxxx>
Date:	Wed, 17 Sep 2014 16:36:17 -0400
Cc:	PCP Mailing List <pcp@xxxxxxxxxxx>
Delivered-to:	pcp@xxxxxxxxxxx
In-reply-to:	<933459561.50688823.1410915282806.JavaMail.zimbra@xxxxxxxxxx>
References:	<54185F54.30704@xxxxxxxxxx> <933459561.50688823.1410915282806.JavaMail.zimbra@xxxxxxxxxx>
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.7.0

On 09/16/2014 08:54 PM, Nathan Scott wrote:

Hi Dave,

----- Original Message -----

While testing the implementation of delayed initialization of
NSPR/NSS/SASL within libpcp, I ran across a bug in which the first
secure connection of a client via pmproxy would succeed, but a second
secure connection (and all subsequent secure connection attempts) would
fail. I spent a bit of time trying to figure out how my code was causing
the apparent regression with no success. I then, in an act of
desperation, tried the scenario with the previous version of the code
and experienced the same results.

To quote Bart Simpson - "I can't help but feel partially responsible". :|
So sorry - did I not have a test case for this?  (qa/713?  hmm, that does
not go far enough does it?)

No worries --- I wasn't tying to lay blame, just giving some backgroundon how I found the bug.

For an insecure connection, things still succeed, because the
credentials pdu gets passed on to pmcd, which VerifyClient() would have
done anyway. My concern is that pmproxy's call to __pmDecodeCreds(),
which happens in VerifyClient() is skipped. Is there any potential
security problem exposed by this?

I can't immediately think of one, but I'll ponder further too.  IIRC we
were looking inside the Creds PDU in pmproxy so that we could establish
a secure connection "all the way" - so, both between client and proxy,
and between pmproxy and pmcd ... is that still happening with the fix?
(I think so, from my reading of the patch)

Yes, the credentials pdu now gets passed on to pmcd during the secondand subsequent connection attempts and the secure handshake is performedbetween client<-->pmproxy and pmproxy<--> pmcd.

The one line fix has been pushed to brolley/dev in pcpfans.

Nice and simple!  Could you make an extension to test qa/713 to expose
the bug and verify the fix also please?  (else, toss over the fence to
me & I'll do so)  AIUI, a second pminfo connection should trigger it?

Done

commit 4f88f5fb28944c76ccfe7ada0006dc6aa8d782a9
Author: Dave Brolley <brolley@xxxxxxxxxx>
Date:   Wed Sep 17 16:30:49 2014 -0400

    Qa test 713 -- check that a second secure connection attempt succeeds.

<Prev in Thread]	Current Thread	[Next in Thread>
Second Secure Connection via pmproxy Fails, Dave Brolley Re: [pcp] Second Secure Connection via pmproxy Fails, Nathan Scott Re: [pcp] Second Secure Connection via pmproxy Fails, Dave Brolley <= Re: [pcp] Second Secure Connection via pmproxy Fails, Nathan Scott

Previous by Date:	Re: systemd pmda problem, Frank Ch. Eigler
Next by Date:	Re: qa/652 - systemd pmda, Frank Ch. Eigler
Previous by Thread:	Re: [pcp] Second Secure Connection via pmproxy Fails, Nathan Scott
Next by Thread:	Re: [pcp] Second Secure Connection via pmproxy Fails, Nathan Scott
Indexes:	[Date] [Thread] [Top] [All Lists]