From 7c3bc762a9cede20a0193f64ca1a36f507aeeeb3 Mon Sep 17 00:00:00 2001
From: Ken Gaillot
Date: Fri, 20 Apr 2018 13:23:10 -0500
Subject: [PATCH 1/2] Build: libcrmcommon: configure option to specify GnuTLS cipher priorities
Default to current behavior, i.e. "NORMAL". Spec file overrides with "@SYSTEM" on distros that have it. Pacemaker does not use option value as-is; it adds "+ANON-DH" for CIB remote commands and "+DHE-PSK:+PSK" for Pacemaker Remote connections. In the longer term, we could consider moving to certificate-based connections in both cases, but that has backward compatibility issues as well as additional administrative burden.
---
 configure.ac | 9 +++++++++
 lib/common/remote.c | 4 ++--
 pacemaker.spec.in | 4 ++++
 3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index ce02777..a7084e2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -290,6 +290,12 @@ AC_ARG_WITH(cibsecrets,
 [ SUPPORT_CIBSECRETS=no ],
 )
+AC_ARG_WITH(gnutls-priorities,
+ [ --with-gnutls-priorities GnuTLS cipher priorities @<:@NORMAL@:>@ ],
+ [ PCMK_GNUTLS_PRIORITIES="$withval" ],
+ [ PCMK_GNUTLS_PRIORITIES="NORMAL" ],
+)
+
 CSPREFIX=""
 AC_ARG_WITH(ais-prefix,
 [ --with-ais-prefix=DIR Prefix used when Corosync was installed [$prefix]],
@@ -453,6 +459,9 @@ if test x"${BUG_URL}" = x""; then
 fi
 AC_SUBST(BUG_URL)
+AC_DEFINE_UNQUOTED([PCMK_GNUTLS_PRIORITIES], ["$PCMK_GNUTLS_PRIORITIES"],
+ [GnuTLS cipher priorities])
+
 for j in prefix exec_prefix bindir sbindir libexecdir datadir sysconfdir \
 sharedstatedir localstatedir libdir includedir oldincludedir infodir \
 mandir INITDIR docdir CONFIGDIR
diff --git a/lib/common/remote.c b/lib/common/remote.c
index 12d25fa..1e4f8d8 100644
--- a/lib/common/remote.c
+++ b/lib/common/remote.c
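Review bot: The `AC_ARG_WITH(gnutls-priorities, ...)` in the first hunk does not reject the bare forms `--with-gnutls-priorities` and `--without-gnutls-priorities`, which leave `$withval` as `yes` or `no`; that value is then compiled in as the priority base, and a base of `yes` would presumably make every TLS session fail at run time with a priority string GnuTLS cannot parse. The help text should show that a value is required, `[ --with-gnutls-priorities=PRIO GnuTLS cipher priorities @<:@NORMAL@:>@ ],`, and the action should guard the boolean forms, e.g. `AS_CASE([$withval], [yes|no], [AC_MSG_ERROR([--with-gnutls-priorities needs a GnuTLS priority string])], [PCMK_GNUTLS_PRIORITIES="$withval"])`. The second hunk on this line embeds the value unescaped inside a C string literal through `AC_DEFINE_UNQUOTED`, so a value containing a double quote or backslash would break config.h; as this is trusted build input, a one-line comment there, `dnl value is placed inside a C string literal; quotes and backslashes are not escaped`, is enough.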
@@ -244,9 +244,9 @@ pcmk__new_tls_session(int csock, unsigned int conn_type,
 # ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
 if (cred_type == GNUTLS_CRD_ANON) {
 // http://www.manpagez.com/info/gnutls/gnutls-2.10.4/gnutls_81.php#Echo-Server-with-anonymous-authentication
- prio = "NORMAL:+ANON-DH";
+ prio = PCMK_GNUTLS_PRIORITIES ":+ANON-DH";
 } else {
- prio = "NORMAL:+DHE-PSK:+PSK";
+ prio = PCMK_GNUTLS_PRIORITIES ":+DHE-PSK:+PSK";
 }
 # endif
diff --git a/pacemaker.spec.in b/pacemaker.spec.in
index 3a26572..fd0e3c8 100644
--- a/pacemaker.spec.in
+++ b/pacemaker.spec.in
@@ -80,6 +80,9 @@ } || %{?__transaction_systemd_inhibit:1}%{!?__transaction_systemd_inhibit:0}%{nil \
 } || %(test -f /usr/lib/os-release; test $? -ne 0; echo $?))
+%if 0%{?fedora} > 20 || 0%{?rhel} > 7
+%global gnutls_priorities @SYSTEM
+%endif
 # Definitions for backward compatibility with older RPM versions
@@ -403,6 +406,7 @@ export LDFLAGS_HARDENED_LIB="%{?_hardening_ldflags}"
 --without-heartbeat \
 %{!?with_doc: --with-brand=} \
 %{!?with_hardening: --disable-hardening} \
+ %{?gnutls_priorities: --with-gnutls-priorities="%{gnutls_priorities}"} \
 --with-initdir=%{_initrddir} \
 --localstatedir=%{_var} \
 --with-version=%{version}-%{release}
-- 1.8.3.1
From 99a83b172544102ec32585514e5808585f2ce31c Mon Sep 17 00:00:00 2001
From: Ken Gaillot
Date: Mon, 8 Jul 2019 17:39:12 -0500
Subject: [PATCH 2/2] Feature: remote: allow run-time configurable TLS priorities
This also restores compilability with GnuTLS <2.1.7 (not that anyone is still using that ...), unintentionally broken in 5bded36 (1.1.20).
---
 lib/common/remote.c | 34 +++++++++++++++++++++++++++-------
 mcp/pacemaker.sysconfig | 9 +++++++++
 2 files changed, 36 insertions(+), 7 deletions(-)
diff --git a/lib/common/remote.c b/lib/common/remote.c
index 1e4f8d8..ccd0342 100644
--- a/lib/common/remote.c
+++ b/lib/common/remote.c
@@ -237,17 +237,25 @@ pcmk__new_tls_session(int csock, unsigned int conn_type,
 {
 int rc = GNUTLS_E_SUCCESS;
 # ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
- const char *prio = NULL;
+ const char *prio_base = NULL;
+ char *prio = NULL;
 # endif
 gnutls_session_t *session = NULL;
 # ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
- if (cred_type == GNUTLS_CRD_ANON) {
- // http://www.manpagez.com/info/gnutls/gnutls-2.10.4/gnutls_81.php#Echo-Server-with-anonymous-authentication
- prio = PCMK_GNUTLS_PRIORITIES ":+ANON-DH";
- } else {
- prio = PCMK_GNUTLS_PRIORITIES ":+DHE-PSK:+PSK";
+ /* Determine list of acceptable ciphers, etc. Pacemaker always adds the
+ * values required for its functionality.
+ *
+ * For an example of anonymous authentication, see:
+ * http://www.manpagez.com/info/gnutls/gnutls-2.10.4/gnutls_81.php#Echo-Server-with-anonymous-authentication
+ */
+
+ prio_base = getenv("PCMK_tls_priorities");
+ if (prio_base == NULL) {
+ prio_base = PCMK_GNUTLS_PRIORITIES;
 }
+ prio = crm_strdup_printf("%s:%s", prio_base,
+ (cred_type == GNUTLS_CRD_ANON)? "+ANON-DH" : "+DHE-PSK:+PSK");
 # endif
 session = gnutls_malloc(sizeof(gnutls_session_t));
@@ -285,6 +293,9 @@ pcmk__new_tls_session(int csock, unsigned int conn_type,
 if (rc != GNUTLS_E_SUCCESS) {
 goto error;
 }
+# ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
+ free(prio);
+# endif
 return session;
 error:
@@ -292,7 +303,16 @@ error:
 CRM_XS " rc=%d priority='%s'",
 (cred_type == GNUTLS_CRD_ANON)? "anonymous" : "PSK",
 (conn_type == GNUTLS_SERVER)? "server" : "client",
- gnutls_strerror(rc), rc, prio);
+ gnutls_strerror(rc), rc,
+# ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
+ prio
+# else
+ "default"
+# endif
+ );
+# ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
+ free(prio);
+# endif
 if (session != NULL) {
 gnutls_free(session);
 }
diff --git a/mcp/pacemaker.sysconfig b/mcp/pacemaker.sysconfig
index a983011..0da401e 100644
--- a/mcp/pacemaker.sysconfig
+++ b/mcp/pacemaker.sysconfig
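Review bot: In the first hunk `prio_base` is only tested against NULL, so a `PCMK_tls_priorities` that is exported but empty (for instance a sysconfig line `PCMK_tls_priorities=`) gives a base of `""` and a final priority of `:+ANON-DH` or `:+DHE-PSK:+PSK` instead of the compiled-in default; treat empty as unset with `if ((prio_base == NULL) || (prio_base[0] == '\0')) {`. The second and third hunks free `prio` on the success return and after the `error:` log, but the stretch of `pcmk__new_tls_session` between them (presumably the `gnutls_malloc` result check and the priority call) is outside these hunks, so it is worth confirming that every failure there goes through `goto error` rather than returning directly, or `prio` leaks. Because the environment now selects the cipher suites of every process that links libcrmcommon, a short comment above the `getenv`, such as `/* Documented in pacemaker.sysconfig; a value GnuTLS cannot parse is expected to fail session creation, which is logged with the priority string below */`, would help the next reader. Minor style point: the suffix ternary repeats the `cred_type == GNUTLS_CRD_ANON` test already used in the error log, and a named local such as `const char *suite` would read cleaner.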
@@ -101,6 +101,15 @@ # value must be the same on all nodes. The default is "3121".
 # PCMK_remote_port=3121
+# Use these GnuTLS cipher priorities for TLS connections. See:
+#
+# https://gnutls.org/manual/html_node/Priority-Strings.html
+#
+# Pacemaker will append ":+ANON-DH" for remote CIB access (when enabled) and
+# ":+DHE-PSK:+PSK" for Pacemaker Remote connections, as they are required for
+# the respective functionality.
+# PCMK_tls_priorities="NORMAL"
+
 # Set bounds on the bit length of the prime number generated for Diffie-Hellman
 # parameters needed by TLS connections. The default is not to set any bounds.
 #
-- 1.8.3.1