From 9e5b92965176a4734128c9d1fdb1e54d76be5ff8 Mon Sep 17 00:00:00 2001 From: RH Virt Maint Bot <8309305-rh-virt-maint-bot@users.noreply.gitlab.com> Date: Tue, 16 May 2023 08:29:07 +0000 Subject: [PATCH] * Tue May 16 2023 Camilla Conte - 23.1.1-5 - 0010-Do-not-generate-dsa-and-ed25519-key-types-when-crypt.patch [bz#2187164] - Resolves: bz#2187164 --- 0001-Add-initial-redhat-changes.patch | 2 +- ...CONTROLLED-no-in-generated-interface.patch | 2 +- ...autoconnect-priority-for-network-scr.patch | 3 +- 0004-limit-permissions-on-def_log_file.patch | 2 +- ...e-Network-Manager-and-Netplan-as-def.patch | 4 +- ...d-native-NetworkManager-support-1224.patch | 2 +- ...revious-hostname-file-ends-with-a-ne.patch | 2 +- ...-permissions-of-netrules-target-2076.patch | 2 +- ...-data-sensitive-and-remove-log-permi.patch | 2 +- ...dsa-and-ed25519-key-types-when-crypt.patch | 209 ++++++++++++++++++ cloud-init.spec | 7 +- 11 files changed, 226 insertions(+), 11 deletions(-) create mode 100644 0010-Do-not-generate-dsa-and-ed25519-key-types-when-crypt.patch diff --git a/0001-Add-initial-redhat-changes.patch b/0001-Add-initial-redhat-changes.patch index 86e0581..d6d47ca 100644 --- a/0001-Add-initial-redhat-changes.patch +++ b/0001-Add-initial-redhat-changes.patch @@ -1,7 +1,7 @@ From c4d66915520554adedff9be7396f877cd1a5525c Mon Sep 17 00:00:00 2001 From: Emanuele Giuseppe Esposito Date: Mon, 6 Mar 2023 16:37:20 +0100 -Subject: [PATCH 1/9] Add initial redhat changes +Subject: [PATCH 01/10] Add initial redhat changes Adding minimal set of changes necessary for successful build of the package on RHEL/CentOS 9 Stream koji. diff --git a/0002-Do-not-write-NM_CONTROLLED-no-in-generated-interface.patch b/0002-Do-not-write-NM_CONTROLLED-no-in-generated-interface.patch index bc0ce5e..5429b58 100644 --- a/0002-Do-not-write-NM_CONTROLLED-no-in-generated-interface.patch +++ b/0002-Do-not-write-NM_CONTROLLED-no-in-generated-interface.patch @@ -1,7 +1,7 @@ 
From b3b96bff187e9d0bfcbfefd5fca05c61bd50d368 Mon Sep 17 00:00:00 2001 From: Eduardo Otubo Date: Fri, 7 May 2021 13:36:06 +0200 -Subject: [PATCH 2/9] Do not write NM_CONTROLLED=no in generated interface +Subject: [PATCH 02/10] Do not write NM_CONTROLLED=no in generated interface config files Conflicts 20.3: diff --git a/0003-Setting-highest-autoconnect-priority-for-network-scr.patch b/0003-Setting-highest-autoconnect-priority-for-network-scr.patch index 8f2552e..8d8e8bc 100644 --- a/0003-Setting-highest-autoconnect-priority-for-network-scr.patch +++ b/0003-Setting-highest-autoconnect-priority-for-network-scr.patch @@ -1,7 +1,8 @@ From c589da20eb92231ef08e10c9724e3e6c663e6ce2 Mon Sep 17 00:00:00 2001 From: Eduardo Otubo Date: Thu, 17 Feb 2022 15:32:35 +0100 -Subject: [PATCH 3/9] Setting highest autoconnect priority for network-scripts +Subject: [PATCH 03/10] Setting highest autoconnect priority for + network-scripts RH-Author: Eduardo Otubo RH-MergeRequest: 22: Setting highest autoconnect priority for network-scripts diff --git a/0004-limit-permissions-on-def_log_file.patch b/0004-limit-permissions-on-def_log_file.patch index f55b524..0357daf 100644 --- a/0004-limit-permissions-on-def_log_file.patch +++ b/0004-limit-permissions-on-def_log_file.patch @@ -1,7 +1,7 @@ From dfff374f66904e84fb07ca157ba010fac6b5f1de Mon Sep 17 00:00:00 2001 From: Eduardo Otubo Date: Fri, 7 May 2021 13:36:08 +0200 -Subject: [PATCH 4/9] limit permissions on def_log_file +Subject: [PATCH 04/10] limit permissions on def_log_file This sets a default mode of 0600 on def_log_file, and makes this configurable via the def_log_file_mode option in cloud.cfg. diff --git a/0005-Manual-revert-Use-Network-Manager-and-Netplan-as-def.patch b/0005-Manual-revert-Use-Network-Manager-and-Netplan-as-def.patch index 385ff04..4a7615e 100644 --- a/0005-Manual-revert-Use-Network-Manager-and-Netplan-as-def.patch +++ b/0005-Manual-revert-Use-Network-Manager-and-Netplan-as-def.patch @@ -1,8 +1,8 @@ 
From ecae81f98ce230266eb99671b74534a4ede660f0 Mon Sep 17 00:00:00 2001 From: Emanuele Giuseppe Esposito Date: Fri, 10 Mar 2023 11:51:48 +0100 -Subject: [PATCH 5/9] Manual revert "Use Network-Manager and Netplan as default - renderers for RHEL and Fedora (#1465)" +Subject: [PATCH 05/10] Manual revert "Use Network-Manager and Netplan as + default renderers for RHEL and Fedora (#1465)" This reverts changes done in commit 7703aa98b. Done by hand because the doc file affected by that commit has changed. diff --git a/0006-Revert-Add-native-NetworkManager-support-1224.patch b/0006-Revert-Add-native-NetworkManager-support-1224.patch index 36c192c..88a00da 100644 --- a/0006-Revert-Add-native-NetworkManager-support-1224.patch +++ b/0006-Revert-Add-native-NetworkManager-support-1224.patch @@ -1,7 +1,7 @@ From b1dd14ffafad2d2ca84326c525962b2ca086b292 Mon Sep 17 00:00:00 2001 From: Ani Sinha Date: Wed, 22 Mar 2023 16:31:58 +0530 -Subject: [PATCH 6/9] Revert "Add native NetworkManager support (#1224)" +Subject: [PATCH 06/10] Revert "Add native NetworkManager support (#1224)" This reverts commit feda344e6cf9d37b09bc13cf333a717d1654c26c. diff --git a/0007-rhel-make-sure-previous-hostname-file-ends-with-a-ne.patch b/0007-rhel-make-sure-previous-hostname-file-ends-with-a-ne.patch index cd20488..3800f60 100644 --- a/0007-rhel-make-sure-previous-hostname-file-ends-with-a-ne.patch +++ b/0007-rhel-make-sure-previous-hostname-file-ends-with-a-ne.patch @@ -1,7 +1,7 @@ From ac0cf308318d423162ce3b7be32dcbf88f20ff50 Mon Sep 17 00:00:00 2001 From: Ani Sinha Date: Tue, 4 Apr 2023 19:59:07 +0530 -Subject: [PATCH 7/9] rhel: make sure previous-hostname file ends with a new +Subject: [PATCH 07/10] rhel: make sure previous-hostname file ends with a new line (#2108) cloud-init strips new line from "/etc/hostname" on rhel distro when processing 
diff --git a/0008-Don-t-change-permissions-of-netrules-target-2076.patch b/0008-Don-t-change-permissions-of-netrules-target-2076.patch index 9690604..9e8bd2d 100644 --- a/0008-Don-t-change-permissions-of-netrules-target-2076.patch +++ b/0008-Don-t-change-permissions-of-netrules-target-2076.patch @@ -1,7 +1,7 @@ From 34ef256dc614c7dcf5b04a431d410030e333d82b Mon Sep 17 00:00:00 2001 From: Emanuele Giuseppe Esposito Date: Mon, 17 Apr 2023 10:20:16 +0200 -Subject: [PATCH 8/9] Don't change permissions of netrules target (#2076) +Subject: [PATCH 08/10] Don't change permissions of netrules target (#2076) Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2182948 diff --git a/0009-Make-user-vendor-data-sensitive-and-remove-log-permi.patch b/0009-Make-user-vendor-data-sensitive-and-remove-log-permi.patch index be958ff..f577b9a 100644 --- a/0009-Make-user-vendor-data-sensitive-and-remove-log-permi.patch +++ b/0009-Make-user-vendor-data-sensitive-and-remove-log-permi.patch @@ -1,7 +1,7 @@ From d092efe0f437ad149f6d6e3a9f8b816c0f5c1c2a Mon Sep 17 00:00:00 2001 From: James Falcon Date: Wed, 26 Apr 2023 15:11:55 -0500 -Subject: [PATCH 9/9] Make user/vendor data sensitive and remove log +Subject: [PATCH 09/10] Make user/vendor data sensitive and remove log permissions (#2144) Because user data and vendor data may contain sensitive information, diff --git a/0010-Do-not-generate-dsa-and-ed25519-key-types-when-crypt.patch b/0010-Do-not-generate-dsa-and-ed25519-key-types-when-crypt.patch new file mode 100644 index 0000000..51f7a09 --- /dev/null +++ b/0010-Do-not-generate-dsa-and-ed25519-key-types-when-crypt.patch 
@@ -0,0 +1,209 @@ +From 6bf6ceab79df97eb1c90b4df61f654bc0b2f598c Mon Sep 17 00:00:00 2001 +From: Ani Sinha +Date: Tue, 2 May 2023 20:35:45 +0530 +Subject: [PATCH 10/10] Do not generate dsa and ed25519 key types when crypto + FIPS mode is enabled (#2142) + +DSA and ED25519 key types are not supported when FIPS is enabled in crypto. +Check if FIPS has been enabled on the system and if so, do not generate those +key types. Presently the check is only available on Linux systems. + +LP: 2017761 +RHBZ: 2187164 + +Signed-off-by: Ani Sinha +(cherry picked from commit c53f04aeb2acf9526a2ebf3d3320f149ac46caa6) +--- + cloudinit/config/cc_ssh.py | 21 +++++++++++++++- + cloudinit/util.py | 12 +++++++++ + tests/unittests/config/test_cc_ssh.py | 36 +++++++++++++++++++++------ + tests/unittests/test_util.py | 25 +++++++++++++++++++ + 4 files changed, 85 insertions(+), 9 deletions(-) + +diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py +index 1ec889f3..5578654a 100644 +--- a/cloudinit/config/cc_ssh.py ++++ b/cloudinit/config/cc_ssh.py +@@ -172,6 +172,8 @@ meta: MetaSchema = { + __doc__ = get_meta_doc(meta) + + GENERATE_KEY_NAMES = ["rsa", "dsa", "ecdsa", "ed25519"] ++FIPS_UNSUPPORTED_KEY_NAMES = ["dsa", "ed25519"] ++ + pattern_unsupported_config_keys = re.compile( + "^(ecdsa-sk|ed25519-sk)_(private|public|certificate)$" + ) +@@ -259,9 +261,26 @@ def handle( + genkeys = util.get_cfg_option_list( + cfg, "ssh_genkeytypes", GENERATE_KEY_NAMES + ) ++ # remove keys that are not supported in fips mode if its enabled ++ key_names = ( ++ genkeys ++ if not util.fips_enabled() ++ else [ ++ names ++ for names in genkeys ++ if names not in FIPS_UNSUPPORTED_KEY_NAMES ++ ] ++ ) ++ skipped_keys = set(genkeys).difference(key_names) ++ if skipped_keys: ++ log.debug( ++ "skipping keys that are not supported in fips mode: %s", ++ ",".join(skipped_keys), ++ ) ++ + lang_c = os.environ.copy() + lang_c["LANG"] = "C" +- for keytype in genkeys: ++ for keytype in key_names: + keyfile = 
KEY_FILE_TPL % (keytype) + if os.path.exists(keyfile): + continue +diff --git a/cloudinit/util.py b/cloudinit/util.py +index 8ba3e2b6..4a8e3d3b 100644 +--- a/cloudinit/util.py ++++ b/cloudinit/util.py +@@ -1577,6 +1577,18 @@ def get_cmdline(): + return _get_cmdline() + + ++def fips_enabled() -> bool: ++ fips_proc = "/proc/sys/crypto/fips_enabled" ++ try: ++ contents = load_file(fips_proc).strip() ++ return contents == "1" ++ except (IOError, OSError): ++ # for BSD systems and Linux systems where the proc entry is not ++ # available, we assume FIPS is disabled to retain the old behavior ++ # for now. ++ return False ++ ++ + def pipe_in_out(in_fh, out_fh, chunk_size=1024, chunk_cb=None): + bytes_piped = 0 + while True: +diff --git a/tests/unittests/config/test_cc_ssh.py b/tests/unittests/config/test_cc_ssh.py +index 66368d0f..72941a95 100644 +--- a/tests/unittests/config/test_cc_ssh.py ++++ b/tests/unittests/config/test_cc_ssh.py +@@ -101,11 +101,16 @@ class TestHandleSsh: + expected_calls = [mock.call(set(keys), user)] + expected_calls + assert expected_calls == m_setup_keys.call_args_list + ++ @pytest.mark.parametrize("fips_enabled", (True, False)) + @mock.patch(MODPATH + "glob.glob") + @mock.patch(MODPATH + "ug_util.normalize_users_groups") + @mock.patch(MODPATH + "os.path.exists") +- def test_handle_no_cfg(self, m_path_exists, m_nug, m_glob, m_setup_keys): ++ @mock.patch(MODPATH + "util.fips_enabled") ++ def test_handle_no_cfg( ++ self, m_fips, m_path_exists, m_nug, m_glob, m_setup_keys, fips_enabled ++ ): + """Test handle with no config ignores generating existing keyfiles.""" ++ m_fips.return_value = fips_enabled + cfg = {} + keys = ["key1"] + m_glob.return_value = [] # Return no matching keys to prevent removal +@@ -118,12 +123,22 @@ class TestHandleSsh: + options = ssh_util.DISABLE_USER_OPTS.replace("$USER", "NONE") + options = options.replace("$DISABLE_USER", "root") + m_glob.assert_called_once_with("/etc/ssh/ssh_host_*key*") +- assert [ +- 
mock.call("/etc/ssh/ssh_host_rsa_key"), +- mock.call("/etc/ssh/ssh_host_dsa_key"), +- mock.call("/etc/ssh/ssh_host_ecdsa_key"), +- mock.call("/etc/ssh/ssh_host_ed25519_key"), +- ] in m_path_exists.call_args_list ++ m_fips.assert_called_once() ++ ++ if not m_fips(): ++ expected_calls = [ ++ mock.call("/etc/ssh/ssh_host_rsa_key"), ++ mock.call("/etc/ssh/ssh_host_dsa_key"), ++ mock.call("/etc/ssh/ssh_host_ecdsa_key"), ++ mock.call("/etc/ssh/ssh_host_ed25519_key"), ++ ] ++ else: ++ # Enabled fips doesn't generate dsa or ed25519 ++ expected_calls = [ ++ mock.call("/etc/ssh/ssh_host_rsa_key"), ++ mock.call("/etc/ssh/ssh_host_ecdsa_key"), ++ ] ++ assert expected_calls in m_path_exists.call_args_list + assert [ + mock.call(set(keys), "root", options=options) + ] == m_setup_keys.call_args_list +@@ -131,8 +146,9 @@ class TestHandleSsh: + @mock.patch(MODPATH + "glob.glob") + @mock.patch(MODPATH + "ug_util.normalize_users_groups") + @mock.patch(MODPATH + "os.path.exists") ++ @mock.patch(MODPATH + "util.fips_enabled", return_value=False) + def test_dont_allow_public_ssh_keys( +- self, m_path_exists, m_nug, m_glob, m_setup_keys ++ self, m_fips, m_path_exists, m_nug, m_glob, m_setup_keys + ): + """Test allow_public_ssh_keys=False ignores ssh public keys from + platform. 
+@@ -176,8 +192,10 @@ class TestHandleSsh: + @mock.patch(MODPATH + "glob.glob") + @mock.patch(MODPATH + "ug_util.normalize_users_groups") + @mock.patch(MODPATH + "os.path.exists") ++ @mock.patch(MODPATH + "util.fips_enabled", return_value=False) + def test_handle_default_root( + self, ++ m_fips, + m_path_exists, + m_nug, + m_glob, +@@ -241,8 +259,10 @@ class TestHandleSsh: + @mock.patch(MODPATH + "glob.glob") + @mock.patch(MODPATH + "ug_util.normalize_users_groups") + @mock.patch(MODPATH + "os.path.exists") ++ @mock.patch(MODPATH + "util.fips_enabled", return_value=False) + def test_handle_publish_hostkeys( + self, ++ m_fips, + m_path_exists, + m_nug, + m_glob, +diff --git a/tests/unittests/test_util.py b/tests/unittests/test_util.py +index 07142a86..17182d06 100644 +--- a/tests/unittests/test_util.py ++++ b/tests/unittests/test_util.py +@@ -1945,6 +1945,31 @@ class TestGetCmdline(helpers.TestCase): + self.assertEqual("abcd 123", ret) + + ++class TestFipsEnabled: ++ @pytest.mark.parametrize( ++ "fips_enabled_content,expected", ++ ( ++ pytest.param(None, False, id="false_when_no_fips_enabled_file"), ++ pytest.param("0\n", False, id="false_when_fips_disabled"), ++ pytest.param("1\n", True, id="true_when_fips_enabled"), ++ pytest.param("1", True, id="true_when_fips_enabled_no_newline"), ++ ), ++ ) ++ @mock.patch(M_PATH + "load_file") ++ def test_fips_enabled_based_on_proc_crypto( ++ self, load_file, fips_enabled_content, expected, tmpdir ++ ): ++ def fake_load_file(path): ++ assert path == "/proc/sys/crypto/fips_enabled" ++ if fips_enabled_content is None: ++ raise IOError("No file exists Bob") ++ return fips_enabled_content ++ ++ load_file.side_effect = fake_load_file ++ ++ assert expected is util.fips_enabled() ++ ++ + class TestLoadYaml(helpers.CiTestCase): + mydefault = "7b03a8ebace993d806255121073fed52" + with_logs = True +-- +2.40.0 + diff --git a/cloud-init.spec b/cloud-init.spec index 5670dd6..7fc676d 100644 --- a/cloud-init.spec +++ b/cloud-init.spec 
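Review bot: The `except (IOError, OSError)` branch of the new `fips_enabled()` in cloudinit/util.py returns False silently, so a host where `/proc/sys/crypto/fips_enabled` is masked or unreadable (a restricted container, for example) is indistinguishable in the logs from FIPS simply being off, and dsa/ed25519 generation then proceeds exactly as it did before the patch. Since that fallback is a deliberate fail-open, it should at least be observable: `except OSError:  # IOError is an alias of OSError on Python 3` / `LOG.debug("%s not readable, assuming FIPS mode is disabled", fips_proc)` / `return False`, assuming util.py's module-level `LOG` logger, which this hunk does not show. In cc_ssh.py the skip message joins a set, so the order of the reported key names varies between runs; `",".join(sorted(skipped_keys))` keeps the log line stable for anyone grepping or alerting on it. In test_cc_ssh.py, `if not m_fips():` invokes the mock again right after `m_fips.assert_called_once()`; branching on the `fips_enabled` parameter instead keeps the mock's call record clean. The rest of `handle()` and the patched test class lie outside this hunk.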
@@ -1,6 +1,6 @@ Name: cloud-init Version: 23.1.1 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Cloud instance init scripts License: ASL 2.0 or GPLv3 URL: http://launchpad.net/cloud-init @@ -17,6 +17,7 @@ Patch6: 0006-Revert-Add-native-NetworkManager-support-1224.patch Patch7: 0007-rhel-make-sure-previous-hostname-file-ends-with-a-ne.patch Patch8: 0008-Don-t-change-permissions-of-netrules-target-2076.patch Patch9: 0009-Make-user-vendor-data-sensitive-and-remove-log-permi.patch +Patch10: 0010-Do-not-generate-dsa-and-ed25519-key-types-when-crypt.patch BuildArch: noarch @@ -206,6 +207,10 @@ fi %config(noreplace) %{_sysconfdir}/rsyslog.d/21-cloudinit.conf %changelog +* Tue May 16 2023 Camilla Conte - 23.1.1-5 +- 0010-Do-not-generate-dsa-and-ed25519-key-types-when-crypt.patch [bz#2187164] +- Resolves: bz#2187164 + * Fri May 05 2023 Camilla Conte - 23.1.1-4 - 0009-Make-user-vendor-data-sensitive-and-remove-log-permi.patch [bz#2190083] - Resolves: bz#2190083