Myproxy ipv6 #183
Clean up code before doing changes. This commit does not change the code. (git diff --ignore-all-space shows nothing.)
Use BIO_new_ssl and attach the socket to it, instead of using BIO_new_ssl_connect which creates a new connection. The old code sometimes failed if, e.g. we have created an IPv6 socket and the connect BIO tries to create an IPv4 socket and the server doesn't accept IPv4 connections. The OpenSSL version in RHEL/CentOS 7 can use an existing IPv6 socket if it is attached, but its connect BIO is IPv4 only and can not create new IPv6 sockets.
9ab1809 to a54556c
$ myproxy-store -V
myproxy-init version MYPROXYv2 (v6.2 Aug 2021 PAM SASL KRB5 LDAP VOMS OCSP)
server uses the write to file then rename the file scheme to ensure that the file buffers are written to disk. However, when writing the modified credential to disk after a request to change its passphrase this is not done. This commit implements the scheme for this case too.
private key without using a passphrase, let a failure be an indication that the private key is encrypted regardless of what error code is returned. The current code checks the error code against a set of error codes that are considered as an indication that the private key is encrypted and treats an error code not in the set as an error. However, when trying to read an encrypted private key without using a passphrase, the parsing can fail in a variety of ways resulting in different error codes. At least the following errors not in the current set have been seen: ASN1_R_WRONG_TAG, ASN1_R_HEADER_TOO_LONG and ASN1_R_TOO_LONG. But just adding these three to the set is not a guarantee that the set will be complete. Better not try to check the error code, and treat any failure as an indication that the private key is encrypted.
@fscheiner: I added two more commits to this PR because they are for myproxy too, and if I made a second PR it would conflict with this one since they would both add to the myproxy changelogs in the packaging directory.
integers, and its presence cancels the '0' modifier.
$ perl -e 'print sprintf "%010.d\n", 5'
5
$ perl -e 'print sprintf "%010d\n", 5'
0000000005
32590cf to 66f629b
{ | ||
free(tmpfilename); | ||
} | ||
|
||
return return_status; | ||
} | ||
|
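Review bot: in the cleanup that ends with free(tmpfilename) just before return return_status, the visible lines release the name buffer but show no unlink(tmpfilename). If this path can be reached after the temporary file was created and before the rename succeeded, remove the file there as well, so that a partially written credential is not left beside the real one.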
Good catch! Here I mean the originally different behavior for writing credentials to disk.
Looks fine to me, let's merge this.
This is a fix for the trust root retrieval feature in the myproxy client.
The PR has three commits. The first has no actual code changes (white space changes only). The second smaller one has the actual changes. The third just fixes a cut and paste error.
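The write-to-file-then-rename scheme that one of the commit messages above extends to the passphrase-change path, sketched as an added example (not MyProxy's own code). The function name `write_cred_atomic` is hypothetical, and the example assumes a POSIX system where the temporary file can be created in the same directory as the target.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not MyProxy code): replace `path` with `len` bytes of
 * `data` via temp file + fsync + rename. Returns 0 on success, -1 on failure;
 * on failure the previous file at `path` is left untouched. */
int write_cred_atomic(const char *path, const void *data, size_t len)
{
    const char *p = data;
    int rc = -1, fd = -1, created = 0;
    size_t n = strlen(path) + sizeof(".XXXXXX");
    char *tmpfilename = malloc(n);

    if (tmpfilename == NULL)
        return -1;
    snprintf(tmpfilename, n, "%s.XXXXXX", path); /* same dir => same filesystem */
    fd = mkstemp(tmpfilename);                   /* created with mode 0600 */
    if (fd < 0)
        goto done;
    created = 1;
    while (len > 0) {                            /* handle short writes */
        ssize_t w = write(fd, p, len);
        if (w < 0 && errno == EINTR)
            continue;
        if (w < 0)
            goto done;
        p += w;
        len -= (size_t)w;
    }
    if (fsync(fd) != 0)                          /* data on disk before rename */
        goto done;
    if (rename(tmpfilename, path) == 0) {        /* atomic replace on POSIX */
        created = 0;                             /* temp name no longer exists */
        rc = 0;
    }
done:
    if (fd >= 0)
        close(fd);
    if (created)
        unlink(tmpfilename);                     /* never leave a partial file */
    free(tmpfilename);
    return rc;
}
```

A reader of the target path sees either the complete old credential or the complete new one, never a truncated file, which is the property a direct in-place rewrite cannot give.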