diff --git a/.corosync.metadata b/.corosync.metadata
index aaec8c5..123abd6 100644
--- a/.corosync.metadata
+++ b/.corosync.metadata
@@ -1,2 +1,2 @@
 761fe353b2cbead7a8572bfb6b84fe5d2fc8d9d6 SOURCES/corosync-3.1.0.tar.gz
-a04dcd386274951894c32f5a5a92a0483e3c1fe1 SOURCES/spausedd-20201110.tar.gz
+63e882d0bebed3f75436da0606fe7acbeabf1b25 SOURCES/spausedd-20201112.tar.gz
diff --git a/.gitignore b/.gitignore
index 303f637..a64a5a1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/corosync-3.1.0.tar.gz
-SOURCES/spausedd-20201110.tar.gz
+SOURCES/spausedd-20201112.tar.gz
diff --git a/SOURCES/bz1896493-1-totemknet-Check-both-cipher-and-hash-for-crypto.patch b/SOURCES/bz1896493-1-totemknet-Check-both-cipher-and-hash-for-crypto.patch
new file mode 100644
index 0000000..99da8ff
--- /dev/null
+++ b/SOURCES/bz1896493-1-totemknet-Check-both-cipher-and-hash-for-crypto.patch
@@ -0,0 +1,88 @@
+From 4a2f48b17b06638d3d3adcae683aff1639351434 Mon Sep 17 00:00:00 2001
+From: Jan Friesse
+Date: Tue, 10 Nov 2020 18:10:17 +0100
+Subject: [PATCH] totemknet: Check both cipher and hash for crypto
+
+Previously only crypto cipher was used as a way to find out if crypto is
+enabled or disabled.
+
+This usually works ok until cipher is set to none and hash to some other
+value (like sha1). Such config is perfectly valid and it was not
+supported correctly.
+
+As a solution, check both cipher and hash.
+
+Signed-off-by: Jan Friesse
+Reviewed-by: Fabio M. Di Nitto
+Reviewed-by: Christine Caulfield
+---
+ exec/totemknet.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/exec/totemknet.c b/exec/totemknet.c
+index c6a1649d..0834e8e4 100644
+--- a/exec/totemknet.c
++++ b/exec/totemknet.c
+@@ -905,6 +905,14 @@ static void totemknet_add_config_notifications(struct totemknet_instance *instan
+ LEAVE();
+ }
+
++static int totemknet_is_crypto_enabled(const struct totemknet_instance *instance)
++{
++
++ return (!(strcmp(instance->totem_config->crypto_cipher_type, "none") == 0 &&
++ strcmp(instance->totem_config->crypto_hash_type, "none") == 0));
++
++}
++
+ static int totemknet_set_knet_crypto(struct totemknet_instance *instance)
+ {
+ struct knet_handle_crypto_cfg crypto_cfg;
+@@ -927,7 +935,7 @@ static int totemknet_set_knet_crypto(struct totemknet_instance *instance)
+ );
+
+ /* If crypto is being disabled we need to explicitly allow cleartext traffic in knet */
+- if (strcmp(instance->totem_config->crypto_cipher_type, "none") == 0) {
++ if (!totemknet_is_crypto_enabled(instance)) {
+ res = knet_handle_crypto_rx_clear_traffic(instance->knet_handle, KNET_CRYPTO_RX_ALLOW_CLEAR_TRAFFIC);
+ if (res) {
+ knet_log_printf(LOGSYS_LEVEL_ERROR, "knet_handle_crypto_rx_clear_traffic(ALLOW) failed %s", strerror(errno));
+@@ -1108,7 +1116,7 @@ int totemknet_initialize (
+
+ /* Enable crypto if requested */
+ #ifdef HAVE_KNET_CRYPTO_RECONF
+- if (strcmp(instance->totem_config->crypto_cipher_type, "none") != 0) {
++ if (totemknet_is_crypto_enabled(instance)) {
+ res = totemknet_set_knet_crypto(instance);
+ if (res == 0) {
+ res = knet_handle_crypto_use_config(instance->knet_handle, totem_config->crypto_index);
+@@ -1134,7 +1142,7 @@ int totemknet_initialize (
+ }
+ }
+ #else
+- if (strcmp(instance->totem_config->crypto_cipher_type, "none") != 0) {
++ if (totemknet_is_crypto_enabled(instance)) {
+ res = totemknet_set_knet_crypto(instance);
+ if (res) {
+ knet_log_printf(LOG_DEBUG, "Failed to set up knet crypto");
+@@ -1616,7 +1624,7 @@ int totemknet_crypto_reconfigure_phase (
+ switch (phase) {
+ case CRYPTO_RECONFIG_PHASE_ACTIVATE:
+ config_to_use = totem_config->crypto_index;
+- if (strcmp(instance->totem_config->crypto_cipher_type, "none") == 0) {
++ if (!totemknet_is_crypto_enabled(instance)) {
+ config_to_use = 0; /* we are clearing it */
+ }
+
+@@ -1647,7 +1655,7 @@ int totemknet_crypto_reconfigure_phase (
+ }
+
+ /* If crypto is enabled then disable all cleartext reception */
+- if (strcmp(instance->totem_config->crypto_cipher_type, "none") != 0) {
++ if (totemknet_is_crypto_enabled(instance)) {
+ res = knet_handle_crypto_rx_clear_traffic(instance->knet_handle, KNET_CRYPTO_RX_DISALLOW_CLEAR_TRAFFIC);
+ if (res) {
+ knet_log_printf(LOGSYS_LEVEL_ERROR, "knet_handle_crypto_rx_clear_traffic(DISALLOW) failed %s", strerror(errno));
+--
+2.18.2
+
diff --git a/SPECS/corosync.spec b/SPECS/corosync.spec
index f4905e9..46115ea 100644
--- a/SPECS/corosync.spec
+++ b/SPECS/corosync.spec
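Review bot: `totemknet_is_crypto_enabled()` is now the single predicate that decides whether knet is told to accept cleartext (`KNET_CRYPTO_RX_ALLOW_CLEAR_TRAFFIC`) or refuse it, yet it has no comment and is written as a negated conjunction with stray blank lines inside the body. I would state the contract above it, e.g. `/* Crypto is enabled when either cipher or hash is not "none"; a hash-only (authenticated, unencrypted) config must still reject cleartext. */`, and write the return in positive form: `return (strcmp(instance->totem_config->crypto_cipher_type, "none") != 0 || strcmp(instance->totem_config->crypto_hash_type, "none") != 0);`. Separately, in the `#else` branch of `totemknet_initialize` the context line reports a failed `totemknet_set_knet_crypto()` only at `LOG_DEBUG`. The rest of that branch lies outside the hunk, so whether startup then continues without crypto cannot be seen here, but with hash-only configs now reaching this path the failure probably deserves an error-level message.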
@@ -17,17 +17,19 @@ %global gittarver %{?numcomm:.%{numcomm}}%{?alphatag:-%{alphatag}}%{?dirty:-%{dirty}} %if %{with spausedd} -%global spausedd_version 20201110 +%global spausedd_version 20201112 %endif Name: corosync Summary: The Corosync Cluster Engine and Application Programming Interfaces Version: 3.1.0 -Release: 2%{?gitver}%{?dist} +Release: 3%{?gitver}%{?dist} License: BSD URL: http://corosync.github.io/corosync/ Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?gittarver}.tar.gz +Patch0: bz1896493-1-totemknet-Check-both-cipher-and-hash-for-crypto.patch + %if %{with spausedd} Source1: https://github.com/jfriesse/spausedd/releases/download/%{spausedd_version}/spausedd-%{spausedd_version}.tar.gz # VMGuestLib exists only for x86_64 architecture @@ -91,6 +93,8 @@ BuildRequires: pkgconfig(vmguestlib) %setup -q -n %{name}-%{version}%{?gittarver} %endif +%patch0 -p1 -b .bz1896493-1 + %build %if %{with runautogen} ./autogen.sh @@ -389,6 +393,13 @@ fi %endif %changelog +* Thu Nov 12 2020 Jan Friesse 3.1.0-3 +- Resolves: rhbz#1897085 +- Resolves: rhbz#1896493 + +- spausedd: Add ability to move process into root cgroup (rhbz#1897085) +- totemknet: Check both cipher and hash for crypto (rhbz#1896493) + * Tue Nov 10 2020 Jan Friesse 3.1.0-2 - Resolves: rhbz#1896309