import ipa-4.9.6-12.module+el8.5.0+14525+2137cc8f
This commit is contained in:
parent
c07c360d7e
commit
646ea186ee
@ -0,0 +1,45 @@
From 653a7fe02880c168755984133ee143567cc7bb4e Mon Sep 17 00:00:00 2001
From: Francisco Trivino <ftrivino@redhat.com>
Date: Feb 01 2022 07:57:24 +0000
Subject: Custodia: use a stronger encryption algo when exporting keys
The Custodia key export handler is using the default's OpenSSL encryption
scheme for PKCS#12.
This represents an issue when performing a migration from CentOS Stream 8 (C8S)
to CentOS Steam 9 (C9S) where the Custodia client running in the new C9S
replica talks to the Custodia server on C8S source server. The later creates an
encrypted PKCS#12 file that contains the cert and the key using the OpenSSL's
default encryption scheme, which is no longer supported on C9S.
This commit enforces a stronger encryption algorigthm by adding following
arguments to the Custodia server handler:
-keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha384
The new arguments enforce stronger PBEv2 instead of the insecure PBEv1.
Fixes: https://pagure.io/freeipa/issue/9101
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py
index 4e8eff0..ad36bd0 100644
--- a/ipaserver/secrets/handlers/pemfile.py
+++ b/ipaserver/secrets/handlers/pemfile.py
@@ -31,6 +31,9 @@ def export_key(args, tmpdir):
'-out', pk12file,
'-inkey', args.keyfile,
'-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
+ '-keypbe', 'AES-256-CBC',
+ '-certpbe', 'AES-256-CBC',
+ '-macalg', 'sha384',
])
with open(pk12file, 'rb') as f:
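--- /dev/null
+++ b/SOURCES/0015-uninstall-remove-tdb-files_rhbz#2065719.patch
@@ -0,0 +1,95 @@
+From 6302769b83af75f267c76fe6f854d5b42b6b80f5 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Oct 21 2021 19:58:19 +0000
+Subject: ipa-server-install uninstall: remove tdb files
+
+
+ipa-server-install uninstaller must remove samba *.tdb files
+in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
+The current code calls rm on the relative path filename
+instead of building an absolute path filename,
+resulting in failure to remove the tdb files.
+
+Related: https://pagure.io/freeipa/issue/8687
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+
+---
+
+diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
+index 24e90f3..e034fab 100644
+--- a/ipaserver/install/adtrustinstance.py
++++ b/ipaserver/install/adtrustinstance.py
+@@ -918,11 +918,18 @@ class ADTRUSTInstance(service.Service):
+ipautil.remove_file(self.smb_conf)
+
+# Remove samba's persistent and temporary tdb files
+- if os.path.isdir(paths.SAMBA_DIR):
+- tdb_files = [tdb_file for tdb_file in os.listdir(paths.SAMBA_DIR)
+- if tdb_file.endswith(".tdb")]
+- for tdb_file in tdb_files:
+- ipautil.remove_file(tdb_file)
++ # in /var/lib/samba and /var/lib/samba/private
++ for smbpath in (paths.SAMBA_DIR,
++ os.path.join(paths.SAMBA_DIR, "private"),
++ os.path.join(paths.SAMBA_DIR, "lock")):
++ if os.path.isdir(smbpath):
++ tdb_files = [
++ os.path.join(smbpath, tdb_file)
++ for tdb_file in os.listdir(smbpath)
++ if tdb_file.endswith(".tdb")
++ ]
++ for tdb_file in tdb_files:
++ ipautil.remove_file(tdb_file)
+
+# Remove our keys from samba's keytab
+self.clean_samba_keytab()
+
+From 82eaa2eac454aed75a498d2c6ccd9e921f9c8a89 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Oct 21 2021 19:58:19 +0000
+Subject: ipa-client-samba uninstall: remove tdb files
+
+
+ipa-client-samba uninstaller must remove samba *.tdb files
+in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
+The current code calls rm on the relative path filename
+instead of building an absolute path filename,
+resulting in failure to remove the tdb files.
+
+Fixes: https://pagure.io/freeipa/issue/8687
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+
+---
+
+diff --git a/ipaclient/install/ipa_client_samba.py b/ipaclient/install/ipa_client_samba.py
+index fd89e59..222ff31 100755
+--- a/ipaclient/install/ipa_client_samba.py
++++ b/ipaclient/install/ipa_client_samba.py
+@@ -446,13 +446,17 @@ def uninstall(fstore, statestore, options):
+fstore.restore_file(paths.SMB_CONF)
+
+# Remove samba's persistent and temporary tdb files
+- tdb_files = [
+- tdb_file
+- for tdb_file in os.listdir(paths.SAMBA_DIR)
+- if tdb_file.endswith(".tdb")
+- ]
+- for tdb_file in tdb_files:
+- ipautil.remove_file(tdb_file)
++ # in /var/lib/samba and /var/lib/samba/private
++ for smbpath in (paths.SAMBA_DIR,
++ os.path.join(paths.SAMBA_DIR, "private"),
++ os.path.join(paths.SAMBA_DIR, "lock")):
++ tdb_files = [
++ os.path.join(smbpath, tdb_file)
++ for tdb_file in os.listdir(smbpath)
++ if tdb_file.endswith(".tdb")
++ ]
++ for tdb_file in tdb_files:
++ ipautil.remove_file(tdb_file)
+
+# Remove our keys from samba's keytab
+if os.path.exists(paths.SAMBA_KEYTAB):
+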
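Review bot: In the ipa_client_samba.py hunk the new loop calls `os.listdir(smbpath)` for the `private` and `lock` subdirectories without the `os.path.isdir(smbpath)` guard that the adtrustinstance.py hunk in the same patch keeps, so the client uninstall raises FileNotFoundError on a host where one of those directories does not exist, whereas the removed code only ever listed `paths.SAMBA_DIR`. A guard at the top of the loop body, `if not os.path.isdir(smbpath):` followed by `continue`, makes the two backports behave the same and keeps uninstall best-effort. In both hunks the new comment `# in /var/lib/samba and /var/lib/samba/private` omits the `lock` directory that the tuple also visits; `# in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock` matches the code and the commit message. The `uninstall` function continues past the end of the hunk.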
@ -191,7 +191,7 @@
Name: %{package_name}
Name: %{package_name}
Version: %{IPA_VERSION}
Version: %{IPA_VERSION}
Release: 10%{?rc_version:.%rc_version}%{?dist}
Release: 12%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
Summary: The Identity, Policy and Audit system
License: GPLv3+
License: GPLv3+
@ -224,6 +224,8 @@ Patch0010: 0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.pa
Patch0011: 0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch
Patch0011: 0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch
Patch0012: 0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch
Patch0012: 0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch
Patch0013: 0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch
Patch0013: 0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch
Patch0014: 0014-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2062404.patch
Patch0015: 0015-uninstall-remove-tdb-files_rhbz#2065719.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
%endif
%endif
@ -1717,6 +1719,15 @@ fi
%changelog
%changelog
* Fri Mar 18 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-12
- ipa-server-install uninstall: remove tdb files
- ipa-client-samba uninstall: remove tdb files
Resolves: RHBZ#2065719
* Tue Mar 15 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-11
- Custodia use a stronger encryption algo when exporting keys
Resolves: RHBZ#2062404
* Thu Nov 30 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-10
* Thu Nov 30 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-10
- Bump realease version due to build issue.
- Bump realease version due to build issue.
Related: RHBZ#2021489
Related: RHBZ#2021489