import ipa-4.9.6-12.module+el8.5.0+14525+2137cc8f

This commit is contained in:
CentOS Sources 2022-04-26 09:53:50 -04:00 committed by Stepan Oksanichenko
parent c07c360d7e
commit 646ea186ee
3 changed files with 152 additions and 1 deletions

View File

@ -0,0 +1,45 @@
From 653a7fe02880c168755984133ee143567cc7bb4e Mon Sep 17 00:00:00 2001
From: Francisco Trivino <ftrivino@redhat.com>
Date: Feb 01 2022 07:57:24 +0000
Subject: Custodia: use a stronger encryption algo when exporting keys
The Custodia key export handler is using the default's OpenSSL encryption
scheme for PKCS#12.
This represents an issue when performing a migration from CentOS Stream 8 (C8S)
to CentOS Steam 9 (C9S) where the Custodia client running in the new C9S
replica talks to the Custodia server on C8S source server. The later creates an
encrypted PKCS#12 file that contains the cert and the key using the OpenSSL's
default encryption scheme, which is no longer supported on C9S.
This commit enforces a stronger encryption algorigthm by adding following
arguments to the Custodia server handler:
-keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha384
The new arguments enforce stronger PBEv2 instead of the insecure PBEv1.
Fixes: https://pagure.io/freeipa/issue/9101
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py
index 4e8eff0..ad36bd0 100644
--- a/ipaserver/secrets/handlers/pemfile.py
+++ b/ipaserver/secrets/handlers/pemfile.py
@@ -31,6 +31,9 @@ def export_key(args, tmpdir):
'-out', pk12file,
'-inkey', args.keyfile,
'-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
+ '-keypbe', 'AES-256-CBC',
+ '-certpbe', 'AES-256-CBC',
+ '-macalg', 'sha384',
])
with open(pk12file, 'rb') as f:

View File

@ -0,0 +1,95 @@
From 6302769b83af75f267c76fe6f854d5b42b6b80f5 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Oct 21 2021 19:58:19 +0000
Subject: ipa-server-install uninstall: remove tdb files
ipa-server-install uninstaller must remove samba *.tdb files
in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
The current code calls rm on the relative path filename
instead of building an absolute path filename,
resulting in failure to remove the tdb files.
Related: https://pagure.io/freeipa/issue/8687
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 24e90f3..e034fab 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -918,11 +918,18 @@ class ADTRUSTInstance(service.Service):
ipautil.remove_file(self.smb_conf)
# Remove samba's persistent and temporary tdb files
- if os.path.isdir(paths.SAMBA_DIR):
- tdb_files = [tdb_file for tdb_file in os.listdir(paths.SAMBA_DIR)
- if tdb_file.endswith(".tdb")]
- for tdb_file in tdb_files:
- ipautil.remove_file(tdb_file)
+ # in /var/lib/samba and /var/lib/samba/private
+ for smbpath in (paths.SAMBA_DIR,
+ os.path.join(paths.SAMBA_DIR, "private"),
+ os.path.join(paths.SAMBA_DIR, "lock")):
+ if os.path.isdir(smbpath):
+ tdb_files = [
+ os.path.join(smbpath, tdb_file)
+ for tdb_file in os.listdir(smbpath)
+ if tdb_file.endswith(".tdb")
+ ]
+ for tdb_file in tdb_files:
+ ipautil.remove_file(tdb_file)
# Remove our keys from samba's keytab
self.clean_samba_keytab()
From 82eaa2eac454aed75a498d2c6ccd9e921f9c8a89 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Oct 21 2021 19:58:19 +0000
Subject: ipa-client-samba uninstall: remove tdb files
ipa-client-samba uninstaller must remove samba *.tdb files
in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
The current code calls rm on the relative path filename
instead of building an absolute path filename,
resulting in failure to remove the tdb files.
Fixes: https://pagure.io/freeipa/issue/8687
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
diff --git a/ipaclient/install/ipa_client_samba.py b/ipaclient/install/ipa_client_samba.py
index fd89e59..222ff31 100755
--- a/ipaclient/install/ipa_client_samba.py
+++ b/ipaclient/install/ipa_client_samba.py
@@ -446,13 +446,17 @@ def uninstall(fstore, statestore, options):
fstore.restore_file(paths.SMB_CONF)
# Remove samba's persistent and temporary tdb files
- tdb_files = [
- tdb_file
- for tdb_file in os.listdir(paths.SAMBA_DIR)
- if tdb_file.endswith(".tdb")
- ]
- for tdb_file in tdb_files:
- ipautil.remove_file(tdb_file)
+ # in /var/lib/samba and /var/lib/samba/private
+ for smbpath in (paths.SAMBA_DIR,
+ os.path.join(paths.SAMBA_DIR, "private"),
+ os.path.join(paths.SAMBA_DIR, "lock")):
+ tdb_files = [
+ os.path.join(smbpath, tdb_file)
+ for tdb_file in os.listdir(smbpath)
+ if tdb_file.endswith(".tdb")
+ ]
+ for tdb_file in tdb_files:
+ ipautil.remove_file(tdb_file)
# Remove our keys from samba's keytab
if os.path.exists(paths.SAMBA_KEYTAB):

View File

@ -191,7 +191,7 @@
Name: %{package_name} Name: %{package_name}
Version: %{IPA_VERSION} Version: %{IPA_VERSION}
Release: 10%{?rc_version:.%rc_version}%{?dist} Release: 12%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system Summary: The Identity, Policy and Audit system
License: GPLv3+ License: GPLv3+
@ -224,6 +224,8 @@ Patch0010: 0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.pa
Patch0011: 0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch Patch0011: 0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch
Patch0012: 0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch Patch0012: 0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch
Patch0013: 0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch Patch0013: 0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch
Patch0014: 0014-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2062404.patch
Patch0015: 0015-uninstall-remove-tdb-files_rhbz#2065719.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif %endif
%endif %endif
@ -1717,6 +1719,15 @@ fi
%changelog %changelog
* Fri Mar 18 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-12
- ipa-server-install uninstall: remove tdb files
- ipa-client-samba uninstall: remove tdb files
Resolves: RHBZ#2065719
* Tue Mar 15 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-11
- Custodia use a stronger encryption algo when exporting keys
Resolves: RHBZ#2062404
* Thu Nov 30 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-10 * Thu Nov 30 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-10
- Bump realease version due to build issue. - Bump realease version due to build issue.
Related: RHBZ#2021489 Related: RHBZ#2021489