2
0
mirror of https://github.com/xcat2/confluent.git synced 2024-11-26 19:40:12 +00:00
Commit Graph

16 Commits

Author SHA1 Message Date
Jarrod Johnson
c09e8448c2 Change to POSIX compliant range
POSIX allows ., but does not allow +.  This was a problem with EL 8.4 libxcrypt,
though is not a problem otherwise.
2023-01-19 14:53:35 -05:00
Jarrod Johnson
2d5a016ad4 Tweak various issues for static analysis.
For autocons, though it's copying from a static source, use strncpy anyway,
despite the length being hardcoded already.  This makes static analysis happier.

Terminate the buff with a NULL.  This is superfluous as the strcpies that preceed
are guaranteed to null terminate, or exit the program.

In clortho, free(tmps), which is a valid leak, though clortho isn't long running.
Also, explicitly return 0, which is ultimately returned by main().

Static analysis could not figure out that padneeded implies that keylen is short of
chunk size, so change the check to be expressly the scenario that static analysis
was worried about directly, rather than indirectly.

Hint to static analysis that we don't care about the time as a time value by masking the
lower 32 bit explicitly.  This was already happening, but static analysis was afraid
that we wanted this as time instead of just some mutating value.
2022-12-06 15:35:49 -05:00
Jarrod Johnson
301ed7a798 Fix mistake in b64e invocation 2022-03-10 09:15:26 -05:00
Jarrod Johnson
b42e2e4932 Change to b64 output for hmac
base64 utility is not always available, so natively
use base64 format for hmac output.
2022-03-10 09:00:54 -05:00
Jarrod Johnson
61d037ae31 Combine genpasshmac with clortho
This permits saving on addons size by using the same
binary for both networked api grant and hmac api
grant.
2022-03-09 13:36:47 -05:00
Jarrod Johnson
0abe978bd9 Implement hmac of apikey
For routed deployment, we have to preshare some information.

Additionally, the API arm mechanism gets too open ended.

Add support for using a shared secret over another
channel to do HMAC of a key to authenticate peer,
which has an alternate api arming mechanism
that is hardened.
2022-03-08 14:46:00 -05:00
Jarrod Johnson
b463a53146 Cleanup per coverity
Fix a number of concerns that coverity reports
2022-02-17 17:05:00 -05:00
Jarrod Johnson
1645d47b73 Fix clortho
The suggested correection for clortho was in fact
incorrect.  Revert back and cast it.
2021-06-04 17:19:19 -04:00
Jarrod Johnson
e0c59cc341 Fixup c utilities and add start_root
The diskless will use start_root to boot the 'main' OS as a container.
2021-06-03 17:06:10 -04:00
Jarrod Johnson
917a51a406 Error if bind to privileged port fails 2021-04-28 08:37:23 -04:00
Jarrod Johnson
1ecef6f251 Be a bit paranoid about string boundary 2020-11-06 13:57:35 -05:00
Jarrod Johnson
31c2c5f6f7 Fix errors in the TPM2 support 2020-11-06 13:38:37 -05:00
Jarrod Johnson
f7e7d05729 Add TPM2 support to node api key handling
This is an optional capability that image payloads may use
to use the TPM2 to protect an apikey as an alternative to
arming a weak authentication invocation
2020-11-06 10:00:36 -05:00
Jarrod Johnson
785d8a7c1c Fix a couple of problems
In RHV, tmux was unable to attach because of TMUX variable.
Unset it to allow tmux to work normally.

Clortho didn't specify family, which worked in linux but not
in ESXi.
2020-06-19 10:24:51 -04:00
Jarrod Johnson
e4a4bdf317 Fix clortho mistake
In attempting to correct clortho,
a mistake was made in the printf
formats.
2020-05-04 17:27:22 -04:00
Jarrod Johnson
efe936a93d Further build process for confluent_osdeploy 2020-05-04 15:45:35 -04:00