From 561fa3870f0eb10710962d57c7cdfb69446db5b9 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Sep 10 2019 10:34:52 +0000
Subject: import pcs-0.10.1-4.el8_0.4
---
diff --git a/SOURCES/bz1746565-01-set-authkey-length-to-256-bytes.patch b/SOURCES/bz1746565-01-set-authkey-length-to-256-bytes.patch
new file mode 100644
index 0000000..56d8c33
--- /dev/null
+++ b/SOURCES/bz1746565-01-set-authkey-length-to-256-bytes.patch
@@ -0,0 +1,79 @@ +From 3a1439a74eb64b3473cb5ce84914cdd533563573 Mon Sep 17 00:00:00 2001 +From: Tomas Jelinek +Date: Tue, 13 Aug 2019 10:06:29 +0200 +Subject: [PATCH] set authkey length to 256 bytes + +--- + pcs/lib/commands/test/remote_node/test_node_add_guest.py | 4 ++-- + pcs/lib/commands/test/remote_node/test_node_add_remote.py | 4 ++-- + pcs/settings_default.py | 7 +++++-- + 3 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/pcs/lib/commands/test/remote_node/test_node_add_guest.py b/pcs/lib/commands/test/remote_node/test_node_add_guest.py +index cb385150..d013b255 100644 +--- a/pcs/lib/commands/test/remote_node/test_node_add_guest.py ++++ b/pcs/lib/commands/test/remote_node/test_node_add_guest.py +@@ -154,7 +154,7 @@ class AddGuest(TestCase): + .local.push_cib() + ) + node_add_guest(self.env_assist.get_env()) +- generate_binary_key.assert_called_once_with(random_bytes_count=384) ++ generate_binary_key.assert_called_once_with(random_bytes_count=256) + self.env_assist.assert_reports( + REPORTS + .adapt( +@@ -523,7 +523,7 @@ class AddGuest(TestCase): + .local.push_cib() + ) + node_add_guest(self.env_assist.get_env(), skip_offline_nodes=True) +- generate_binary_key.assert_called_once_with(random_bytes_count=384) ++ generate_binary_key.assert_called_once_with(random_bytes_count=256) + self.env_assist.assert_reports( + fixture_reports_new_node_unreachable(NODE_NAME) + + [ +diff --git a/pcs/lib/commands/test/remote_node/test_node_add_remote.py b/pcs/lib/commands/test/remote_node/test_node_add_remote.py +index 46f82587..b0b3d6d3 100644 +--- a/pcs/lib/commands/test/remote_node/test_node_add_remote.py ++++ b/pcs/lib/commands/test/remote_node/test_node_add_remote.py +@@ -212,7 +212,7 @@ class AddRemote(TestCase): + .env.push_cib(resources=FIXTURE_RESOURCES) + ) + node_add_remote(self.env_assist.get_env()) +- generate_binary_key.assert_called_once_with(random_bytes_count=384) ++ generate_binary_key.assert_called_once_with(random_bytes_count=256) + 
self.env_assist.assert_reports( + REPORTS + .adapt( +@@ -507,7 +507,7 @@ class AddRemote(TestCase): + .env.push_cib(resources=FIXTURE_RESOURCES) + ) + node_add_remote(self.env_assist.get_env(), skip_offline_nodes=True) +- generate_binary_key.assert_called_once_with(random_bytes_count=384) ++ generate_binary_key.assert_called_once_with(random_bytes_count=256) + self.env_assist.assert_reports( + fixture_reports_new_node_unreachable(NODE_NAME) + + [ +diff --git a/pcs/settings_default.py b/pcs/settings_default.py +index e3a55b58..0d025b85 100644 +--- a/pcs/settings_default.py ++++ b/pcs/settings_default.py +@@ -21,11 +21,14 @@ corosync_qdevice_net_client_certs_dir = os.path.join( + ) + corosync_qdevice_net_client_ca_file_name = "qnetd-cacert.crt" + corosync_authkey_file = os.path.join(corosync_conf_dir, "authkey") +-corosync_authkey_bytes = 384 ++# Must be set to 256 for corosync to work in FIPS environment. ++corosync_authkey_bytes = 256 + corosync_log_file = "/var/log/cluster/corosync.log" + pacemaker_authkey_file = "/etc/pacemaker/authkey" +-pacemaker_authkey_bytes = 384 ++# Using the same value as for corosync. Higher values MAY work in FIPS. ++pacemaker_authkey_bytes = 256 + booth_authkey_file_mode = 0o600 ++# Booth does not support keys longer than 64 bytes. + booth_authkey_bytes = 64 + cluster_conf_file = "/etc/cluster/cluster.conf" + fence_agent_binaries = "/usr/sbin/" +-- +2.21.0 + diff --git a/SPECS/pcs.spec b/SPECS/pcs.spec index 97d7428..d62adbc 100644 --- a/SPECS/pcs.spec +++ b/SPECS/pcs.spec @@ -1,6 +1,6 @@ Name: pcs Version: 0.10.1 -Release: 4%{?dist}.3 +Release: 4%{?dist}.4 # https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses # GPLv2: pcs # ASL 2.0: tornado 
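Review bot: The new comment on `corosync_authkey_bytes` in the pcs/settings_default.py hunk of the added patch says 256 is required for FIPS, but not that the setting only governs keys pcs generates from now on. Nothing in this patch touches an authkey already on disk, so a cluster created with the old 384-byte default presumably still needs its key regenerated before corosync can run in a FIPS environment. I would make that explicit, e.g. `# Length in bytes of newly generated keys. Must be 256 for corosync to work in a FIPS environment; existing authkey files are not changed.` The four test hunks also hard-code `random_bytes_count=256`; if the tests can import the settings module, asserting against `settings.pacemaker_authkey_bytes` would keep them in step with the default. Which setting node_add_guest and node_add_remote actually read is not visible here, so confirm that before changing the assertions.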
@@ -10,7 +10,7 @@ URL: https://github.com/ClusterLabs/pcs Group: System Environment/Base Summary: Pacemaker Configuration System #building only for architectures with pacemaker and corosync available -ExclusiveArch: i686 x86_64 s390x ppc64le aarch64 %{arm} +ExclusiveArch: i686 x86_64 s390x ppc64le aarch64 %global pcs_snmp_pkg_name pcs-snmp @@ -90,6 +90,7 @@ Patch102: bz1690290-GUI-cannot-create-a-cluster-if-k.patch Patch103: bz1690304-GUI-submitting-of-create-cluster.patch Patch104: fix-web-UI-dashboard-data-loading-timeout.patch Patch105: fix-communication-over-IPv6.patch +Patch106: bz1746565-01-set-authkey-length-to-256-bytes.patch # git for patches BuildRequires: git @@ -240,6 +241,7 @@ update_times_patch %{PATCH2} update_times_patch %{PATCH3} update_times_patch %{PATCH4} update_times_patch %{PATCH105} +update_times_patch %{PATCH106} cp -f %SOURCE1 pcsd/public/images @@ -466,7 +468,11 @@ run_all_tests %license pyagentx_LICENSE.txt %changelog -* Fri May 24 2019 Ivan Devat - 0.10.1-4.el8_0.2 +* Thu Aug 29 2019 Ivan Devat - 0.10.1-4.el8_0.4 +- Generate 256 bytes long corosync authkey, longer keys are not supported when FIPS is enabled +- Resolves: rhbz#1746565 + +* Fri May 24 2019 Ivan Devat - 0.10.1-4.el8_0.3 - Fixed communication over IPv6 - Resolves: rhbz#1710067