From 7c3bc762a9cede20a0193f64ca1a36f507aeeeb3 Mon Sep 17 00:00:00 2001
|
|
|
9ccf84 |
From: Ken Gaillot <kgaillot@redhat.com>
|
|
|
9ccf84 |
Date: Fri, 20 Apr 2018 13:23:10 -0500
|
|
|
9ccf84 |
Subject: [PATCH 1/2] Build: libcrmcommon: configure option to specify GnuTLS
|
|
|
9ccf84 |
cipher priorities
|
|
|
9ccf84 |
|
|
|
9ccf84 |
Default to current behavior, i.e. "NORMAL". Spec file overrides with "@SYSTEM"
|
|
|
9ccf84 |
on distros that have it.
|
|
|
9ccf84 |
|
|
|
9ccf84 |
Pacemaker does not use the option value as-is; it appends "+ANON-DH" for CIB remote
|
|
|
9ccf84 |
commands and "+DHE-PSK:+PSK" for Pacemaker Remote connections. In the longer
|
|
|
9ccf84 |
term, we could consider moving to certificate-based connections in both cases,
|
|
|
9ccf84 |
but that has backward compatibility issues as well as additional administrative
|
|
|
9ccf84 |
burden.
|
|
|
9ccf84 |
---
|
|
|
9ccf84 |
configure.ac | 9 +++++++++
|
|
|
9ccf84 |
lib/common/remote.c | 4 ++--
|
|
|
9ccf84 |
pacemaker.spec.in | 4 ++++
|
|
|
9ccf84 |
3 files changed, 15 insertions(+), 2 deletions(-)
|
|
|
9ccf84 |
|
|
|
9ccf84 |
diff --git a/configure.ac b/configure.ac
|
|
|
9ccf84 |
index ce02777..a7084e2 100644
|
|
|
9ccf84 |
--- a/configure.ac
|
|
|
9ccf84 |
+++ b/configure.ac
|
|
|
9ccf84 |
@@ -290,6 +290,12 @@ AC_ARG_WITH(cibsecrets,
|
|
|
9ccf84 |
[ SUPPORT_CIBSECRETS=no ],
|
|
|
9ccf84 |
)
|
|
|
9ccf84 |
|
|
|
9ccf84 |
+AC_ARG_WITH(gnutls-priorities,
|
|
|
9ccf84 |
+ [ --with-gnutls-priorities GnuTLS cipher priorities @<:@NORMAL@:>@ ],
|
|
|
9ccf84 |
+ [ PCMK_GNUTLS_PRIORITIES="$withval" ],
|
|
|
9ccf84 |
+ [ PCMK_GNUTLS_PRIORITIES="NORMAL" ],
|
|
|
9ccf84 |
+)
|
|
|
9ccf84 |
+
|
|
|
9ccf84 |
CSPREFIX=""
|
|
|
9ccf84 |
AC_ARG_WITH(ais-prefix,
|
|
|
9ccf84 |
[ --with-ais-prefix=DIR Prefix used when Corosync was installed [$prefix]],
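Review bot: `--with-gnutls-priorities` given without `=value`, or `--without-gnutls-priorities`, sets PCMK_GNUTLS_PRIORITIES to the literal "yes" or "no", which is not a GnuTLS priority string and will only surface as a failed priority setup at run time rather than at configure time. The help text also omits the argument placeholder, so nothing tells the user that the option takes a value. Change the help line to `[ --with-gnutls-priorities=PRIORITIES  GnuTLS cipher priorities @<:@NORMAL@:>@ ],` and add after the macro `AS_CASE([$PCMK_GNUTLS_PRIORITIES], [yes|no|""], [PCMK_GNUTLS_PRIORITIES="NORMAL"])` (or a plain shell `case`) so those values fall back to the default, or turn them into an AC_MSG_ERROR if you would rather fail the build.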
|
|
|
9ccf84 |
@@ -453,6 +459,9 @@ if test x"${BUG_URL}" = x""; then
|
|
|
9ccf84 |
fi
|
|
|
9ccf84 |
AC_SUBST(BUG_URL)
|
|
|
9ccf84 |
|
|
|
9ccf84 |
+AC_DEFINE_UNQUOTED([PCMK_GNUTLS_PRIORITIES], ["$PCMK_GNUTLS_PRIORITIES"],
|
|
|
9ccf84 |
+ [GnuTLS cipher priorities])
|
|
|
9ccf84 |
+
|
|
|
9ccf84 |
for j in prefix exec_prefix bindir sbindir libexecdir datadir sysconfdir \
|
|
|
9ccf84 |
sharedstatedir localstatedir libdir includedir oldincludedir infodir \
|
|
|
9ccf84 |
mandir INITDIR docdir CONFIGDIR
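Review bot: The configure value is pasted verbatim into a C string literal here, so a `"` or `\` in --with-gnutls-priorities would yield a config.h that does not compile, with no hint as to why. GnuTLS priority strings never legitimately contain those characters, so it is cheaper to reject them at configure time than to let the build break later, e.g. `case "$PCMK_GNUTLS_PRIORITIES" in *[[\"\\]]*) AC_MSG_ERROR([--with-gnutls-priorities must not contain quotes or backslashes]) ;; esac` placed before the AC_DEFINE_UNQUOTED. A short `dnl` comment saying the value is used as a C string literal would also explain the restriction to the next editor.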
|
|
|
9ccf84 |
diff --git a/lib/common/remote.c b/lib/common/remote.c
|
|
|
9ccf84 |
index 12d25fa..1e4f8d8 100644
|
|
|
9ccf84 |
--- a/lib/common/remote.c
|
|
|
9ccf84 |
+++ b/lib/common/remote.c
|
|
|
9ccf84 |
@@ -244,9 +244,9 @@ pcmk__new_tls_session(int csock, unsigned int conn_type,
|
|
|
9ccf84 |
# ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
|
|
|
9ccf84 |
if (cred_type == GNUTLS_CRD_ANON) {
|
|
|
9ccf84 |
// http://www.manpagez.com/info/gnutls/gnutls-2.10.4/gnutls_81.php#Echo-Server-with-anonymous-authentication
|
|
|
9ccf84 |
- prio = "NORMAL:+ANON-DH";
|
|
|
9ccf84 |
+ prio = PCMK_GNUTLS_PRIORITIES ":+ANON-DH";
|
|
|
9ccf84 |
} else {
|
|
|
9ccf84 |
- prio = "NORMAL:+DHE-PSK:+PSK";
|
|
|
9ccf84 |
+ prio = PCMK_GNUTLS_PRIORITIES ":+DHE-PSK:+PSK";
|
|
|
9ccf84 |
}
|
|
|
9ccf84 |
# endif
|
|
|
9ccf84 |
|
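Review bot: The `":+ANON-DH"` and `":+DHE-PSK:+PSK"` suffixes are applied after the base string, and as far as I know GnuTLS applies priority keywords in order, so they re-enable those key exchanges even when the configured base (for example a distro `@SYSTEM` policy) disables them; a hardened `--with-gnutls-priorities` therefore restricts the cipher, MAC and protocol selection but never the anonymous-DH or PSK authentication modes Pacemaker negotiates. The commit message acknowledges this, but the code no longer says it, and the old manpagez link does not explain where `NORMAL` went. Replace the link comment with something like `// Base priorities come from --with-gnutls-priorities (PCMK_GNUTLS_PRIORITIES); the suffix re-adds the key exchange each connection type requires, so the base cannot disable anonymous DH or PSK`. pcmk__new_tls_session() starts and ends outside this hunk.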
|
|
9ccf84 |
diff --git a/pacemaker.spec.in b/pacemaker.spec.in
|
|
|
9ccf84 |
index 3a26572..fd0e3c8 100644
|
|
|
9ccf84 |
--- a/pacemaker.spec.in
|
|
|
9ccf84 |
+++ b/pacemaker.spec.in
|
|
|
9ccf84 |
@@ -80,6 +80,9 @@
|
|
|
9ccf84 |
} || %{?__transaction_systemd_inhibit:1}%{!?__transaction_systemd_inhibit:0}%{nil \
|
|
|
9ccf84 |
} || %(test -f /usr/lib/os-release; test $? -ne 0; echo $?))
|
|
|
9ccf84 |
|
|
|
9ccf84 |
+%if 0%{?fedora} > 20 || 0%{?rhel} > 7
|
|
|
9ccf84 |
+%global gnutls_priorities @SYSTEM
|
|
|
9ccf84 |
+%endif
|
|
|
9ccf84 |
|
|
|
9ccf84 |
# Definitions for backward compatibility with older RPM versions
|
|
|
9ccf84 |
|
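Review bot: `%global gnutls_priorities @SYSTEM` inside the `%if` unconditionally overrides anything a packager passes with `rpmbuild --define 'gnutls_priorities ...'`, so the build-time base cannot be tuned per build without editing the spec. The usual idiom is to set it only when undefined: `%{!?gnutls_priorities:%global gnutls_priorities @SYSTEM}`. A one-line comment above it noting that `@SYSTEM` defers to the distribution's system-wide crypto policy, which is why the block is limited to Fedora > 20 and RHEL > 7, would save the next reader a lookup.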
|
|
9ccf84 |
@@ -403,6 +406,7 @@ export LDFLAGS_HARDENED_LIB="%{?_hardening_ldflags}"
|
|
|
9ccf84 |
--without-heartbeat \
|
|
|
9ccf84 |
%{!?with_doc: --with-brand=} \
|
|
|
9ccf84 |
%{!?with_hardening: --disable-hardening} \
|
|
|
9ccf84 |
+ %{?gnutls_priorities: --with-gnutls-priorities="%{gnutls_priorities}"} \
|
|
|
9ccf84 |
--with-initdir=%{_initrddir} \
|
|
|
9ccf84 |
--localstatedir=%{_var} \
|
|
|
9ccf84 |
--with-version=%{version}-%{release}
|
|
|
9ccf84 |
--
|
|
|
9ccf84 |
1.8.3.1
|
|
|
9ccf84 |
|
|
|
9ccf84 |
|
|
|
9ccf84 |
From 99a83b172544102ec32585514e5808585f2ce31c Mon Sep 17 00:00:00 2001
|
|
|
9ccf84 |
From: Ken Gaillot <kgaillot@redhat.com>
|
|
|
9ccf84 |
Date: Mon, 8 Jul 2019 17:39:12 -0500
|
|
|
9ccf84 |
Subject: [PATCH 2/2] Feature: remote: allow run-time configurable TLS
|
|
|
9ccf84 |
priorities
|
|
|
9ccf84 |
|
|
|
9ccf84 |
This also restores compilability with GnuTLS <2.1.7 (not that anyone is still
|
|
|
9ccf84 |
using that ...), unintentionally broken in 5bded36 (1.1.20).
|
|
|
9ccf84 |
---
|
|
|
9ccf84 |
lib/common/remote.c | 34 +++++++++++++++++++++++++++-------
|
|
|
9ccf84 |
mcp/pacemaker.sysconfig | 9 +++++++++
|
|
|
9ccf84 |
2 files changed, 36 insertions(+), 7 deletions(-)
|
|
|
9ccf84 |
|
|
|
9ccf84 |
diff --git a/lib/common/remote.c b/lib/common/remote.c
|
|
|
9ccf84 |
index 1e4f8d8..ccd0342 100644
|
|
|
9ccf84 |
--- a/lib/common/remote.c
|
|
|
9ccf84 |
+++ b/lib/common/remote.c
|
|
|
9ccf84 |
@@ -237,17 +237,25 @@ pcmk__new_tls_session(int csock, unsigned int conn_type,
|
|
|
9ccf84 |
{
|
|
|
9ccf84 |
int rc = GNUTLS_E_SUCCESS;
|
|
|
9ccf84 |
# ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
|
|
|
9ccf84 |
- const char *prio = NULL;
|
|
|
9ccf84 |
+ const char *prio_base = NULL;
|
|
|
9ccf84 |
+ char *prio = NULL;
|
|
|
9ccf84 |
# endif
|
|
|
9ccf84 |
gnutls_session_t *session = NULL;
|
|
|
9ccf84 |
|
|
|
9ccf84 |
# ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
|
|
|
9ccf84 |
- if (cred_type == GNUTLS_CRD_ANON) {
|
|
|
9ccf84 |
- // http://www.manpagez.com/info/gnutls/gnutls-2.10.4/gnutls_81.php#Echo-Server-with-anonymous-authentication
|
|
|
9ccf84 |
- prio = PCMK_GNUTLS_PRIORITIES ":+ANON-DH";
|
|
|
9ccf84 |
- } else {
|
|
|
9ccf84 |
- prio = PCMK_GNUTLS_PRIORITIES ":+DHE-PSK:+PSK";
|
|
|
9ccf84 |
+ /* Determine list of acceptable ciphers, etc. Pacemaker always adds the
|
|
|
9ccf84 |
+ * values required for its functionality.
|
|
|
9ccf84 |
+ *
|
|
|
9ccf84 |
+ * For an example of anonymous authentication, see:
|
|
|
9ccf84 |
+ * http://www.manpagez.com/info/gnutls/gnutls-2.10.4/gnutls_81.php#Echo-Server-with-anonymous-authentication
|
|
|
9ccf84 |
+ */
|
|
|
9ccf84 |
+
|
|
|
9ccf84 |
+ prio_base = getenv("PCMK_tls_priorities");
|
|
|
9ccf84 |
+ if (prio_base == NULL) {
|
|
|
9ccf84 |
+ prio_base = PCMK_GNUTLS_PRIORITIES;
|
|
|
9ccf84 |
}
|
|
|
9ccf84 |
+ prio = crm_strdup_printf("%s:%s", prio_base,
|
|
|
9ccf84 |
+ (cred_type == GNUTLS_CRD_ANON)? "+ANON-DH" : "+DHE-PSK:+PSK");
|
|
|
9ccf84 |
# endif
|
|
|
9ccf84 |
|
|
|
9ccf84 |
session = gnutls_malloc(sizeof(gnutls_session_t));
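Review bot: An empty `PCMK_tls_priorities` (e.g. `PCMK_tls_priorities=` left in the sysconfig file) is accepted as the base, producing a priority string of just `:+DHE-PSK:+PSK` or `:+ANON-DH`, which GnuTLS will presumably reject, so every TLS session on that node then fails instead of falling back to the build-time default. Treat empty as unset: `if (prio_base == NULL || *prio_base == '\0') {`. Beyond that the environment value is passed to GnuTLS unvalidated, which is acceptable since only the daemon's own environment is read, but the comment block should say that an unparsable string makes session creation fail (closed) rather than degrade. pcmk__new_tls_session() continues past the end of this hunk.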
|
|
|
9ccf84 |
@@ -285,6 +293,9 @@ pcmk__new_tls_session(int csock, unsigned int conn_type,
|
|
|
9ccf84 |
if (rc != GNUTLS_E_SUCCESS) {
|
|
|
9ccf84 |
goto error;
|
|
|
9ccf84 |
}
|
|
|
9ccf84 |
+# ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
|
|
|
9ccf84 |
+ free(prio);
|
|
|
9ccf84 |
+# endif
|
|
|
9ccf84 |
return session;
|
|
|
9ccf84 |
|
|
|
9ccf84 |
error:
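Review bot: `prio` is released here on the success path and again under the error label, each inside its own `# ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT`; any other early exit between the allocation and this point (outside the hunk, if one exists) would leak it. Since free(NULL) is a no-op, declaring `char *prio = NULL;` unconditionally rather than under the ifdef lets both guards go and leaves a single unconditional `free(prio);` before `return session;` and another in the error path, which is easier to keep correct as exits are added. The enclosing function begins before this hunk.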
|
|
|
9ccf84 |
@@ -292,7 +303,16 @@ error:
|
|
|
9ccf84 |
CRM_XS " rc=%d priority='%s'",
|
|
|
9ccf84 |
(cred_type == GNUTLS_CRD_ANON)? "anonymous" : "PSK",
|
|
|
9ccf84 |
(conn_type == GNUTLS_SERVER)? "server" : "client",
|
|
|
9ccf84 |
- gnutls_strerror(rc), rc, prio);
|
|
|
9ccf84 |
+ gnutls_strerror(rc), rc,
|
|
|
9ccf84 |
+# ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
|
|
|
9ccf84 |
+ prio
|
|
|
9ccf84 |
+# else
|
|
|
9ccf84 |
+ "default"
|
|
|
9ccf84 |
+# endif
|
|
|
9ccf84 |
+ );
|
|
|
9ccf84 |
+# ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
|
|
|
9ccf84 |
+ free(prio);
|
|
|
9ccf84 |
+# endif
|
|
|
9ccf84 |
if (session != NULL) {
|
|
|
9ccf84 |
gnutls_free(session);
|
|
|
9ccf84 |
}
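Review bot: Splicing `# ifdef` / `# else` / `# endif` into the middle of a function-call argument list (the `prio` versus `"default"` alternatives) is hard to read and easy to break the next time the log call is edited. Compute the value once before the call instead: `const char *prio_desc = "default";` at the top of the error label, `prio_desc = prio;` under `HAVE_GNUTLS_PRIORITY_SET_DIRECT`, and pass `prio_desc` as the last argument. The log call whose arguments these are begins on a line outside this hunk.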
|
|
|
9ccf84 |
diff --git a/mcp/pacemaker.sysconfig b/mcp/pacemaker.sysconfig
|
|
|
9ccf84 |
index a983011..0da401e 100644
|
|
|
9ccf84 |
--- a/mcp/pacemaker.sysconfig
|
|
|
9ccf84 |
+++ b/mcp/pacemaker.sysconfig
|
|
|
9ccf84 |
@@ -101,6 +101,15 @@
|
|
|
9ccf84 |
# value must be the same on all nodes. The default is "3121".
|
|
|
9ccf84 |
# PCMK_remote_port=3121
|
|
|
9ccf84 |
|
|
|
9ccf84 |
+# Use these GnuTLS cipher priorities for TLS connections. See:
|
|
|
9ccf84 |
+#
|
|
|
9ccf84 |
+# https://gnutls.org/manual/html_node/Priority-Strings.html
|
|
|
9ccf84 |
+#
|
|
|
9ccf84 |
+# Pacemaker will append ":+ANON-DH" for remote CIB access (when enabled) and
|
|
|
9ccf84 |
+# ":+DHE-PSK:+PSK" for Pacemaker Remote connections, as they are required for
|
|
|
9ccf84 |
+# the respective functionality.
|
|
|
9ccf84 |
+# PCMK_tls_priorities="NORMAL"
|
|
|
9ccf84 |
+
|
|
|
9ccf84 |
# Set bounds on the bit length of the prime number generated for Diffie-Hellman
|
|
|
9ccf84 |
# parameters needed by TLS connections. The default is not to set any bounds.
|
|
|
9ccf84 |
#
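Review bot: Unlike its neighbours (e.g. `PCMK_remote_port`, which states "The default is "3121""), the new entry never says what the default is, and the commented example `PCMK_tls_priorities="NORMAL"` reads as if NORMAL were always the default, while the base can be changed at build time with --with-gnutls-priorities. Add after the append sentence: `# The default is the value chosen at build time ("NORMAL" unless the package was configured otherwise, e.g. "@SYSTEM" on distributions with a system-wide crypto policy).` It would also help to say that the appended key-exchange entries cannot be disabled by this setting, since they are required for the respective connections.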
|
|
|
9ccf84 |
--
|
|
|
9ccf84 |
1.8.3.1
|
|
|