refresh pkcs11-openssl-for-bind.diff

Timo Aaltonen
2020-09-28 11:42:37 +03:00
parent e8987b4be7
commit b47b82b9df


@@ -1,8 +1,6 @@
diff --git a/daemons/dnssec/ipa-dnskeysync-replica.in b/daemons/dnssec/ipa-dnskeysync-replica.in
index 6783e30ea..c5364a497 100644
--- a/daemons/dnssec/ipa-dnskeysync-replica.in
+++ b/daemons/dnssec/ipa-dnskeysync-replica.in
@@ -145,7 +145,7 @@ def ldap2replica_zone_keys_sync(ldapkeydb, localhsm):
@@ -145,7 +145,7 @@ def ldap2replica_zone_keys_sync(ldapkeyd
# IPA framework initialization
@@ -11,11 +9,9 @@ index 6783e30ea..c5364a497 100644
ipalib.api.bootstrap(context='dns', confdir=paths.ETC_IPA, in_server=True)
ipalib.api.finalize()
diff --git a/daemons/dnssec/ipa-dnskeysyncd.in b/daemons/dnssec/ipa-dnskeysyncd.in
index 418bf73e2..13e6ac7f2 100644
--- a/daemons/dnssec/ipa-dnskeysyncd.in
+++ b/daemons/dnssec/ipa-dnskeysyncd.in
@@ -23,12 +23,9 @@ logger = logging.getLogger(os.path.basename(__file__))
@@ -23,12 +23,9 @@ logger = logging.getLogger(os.path.basen
# IPA framework initialization
@@ -29,8 +25,6 @@ index 418bf73e2..13e6ac7f2 100644
# Global state
watcher_running = True
diff --git a/daemons/dnssec/ipa-ods-exporter.in b/daemons/dnssec/ipa-ods-exporter.in
index dd8606221..0349b9224 100644
--- a/daemons/dnssec/ipa-ods-exporter.in
+++ b/daemons/dnssec/ipa-ods-exporter.in
@@ -29,12 +29,12 @@ import dns.dnssec
@@ -47,7 +41,7 @@ index dd8606221..0349b9224 100644
from ipapython import ipaldap
from ipaplatform.paths import paths
from ipaserver.dnssec.abshsm import sync_pkcs11_metadata, wrappingmech_name2id
@@ -650,20 +650,8 @@ def cleanup_ldap_zone(ldap, dns_dn, zone_name):
@@ -650,20 +650,8 @@ def cleanup_ldap_zone(ldap, dns_dn, zone
ldap.delete_entry(ldap_key)
@@ -69,11 +63,9 @@ index dd8606221..0349b9224 100644
ipalib.api.bootstrap(context='dns', confdir=paths.ETC_IPA, in_server=True)
ipalib.api.finalize()
diff --git a/freeipa.spec.in b/freeipa.spec.in
index b4e1aaad8..2d4a96d90 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -111,6 +111,15 @@
@@ -99,6 +99,15 @@
%global httpd_version 2.4.41-6.1
%endif
@@ -89,7 +81,7 @@ index b4e1aaad8..2d4a96d90 100755
# Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet.
# Some packages don't provide new dist aliases.
# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
@@ -481,8 +490,13 @@ Requires: %{name}-server = %{version}-%{release}
@@ -463,8 +472,13 @@ Requires: %{name}-server = %{version}-%{
Requires: bind-dyndb-ldap >= 11.0-2
Requires: bind >= 9.11.0-6.P2
Requires: bind-utils >= 9.11.0-6.P2
@@ -103,8 +95,6 @@ index b4e1aaad8..2d4a96d90 100755
%if 0%{?fedora} >= 32
# See https://bugzilla.redhat.com/show_bug.cgi?id=1825812
Requires: opendnssec >= 2.1.6-5
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index ae09afdc4..026d83035 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -48,6 +48,8 @@ dist_app_DATA = \
@@ -116,9 +106,6 @@ index ae09afdc4..026d83035 100644
certmap.conf.template \
kdc.conf.template \
kdc_extensions.template \
diff --git a/install/share/bind.openssl.cnf.template b/install/share/bind.openssl.cnf.template
new file mode 100644
index 000000000..b43b46fef
--- /dev/null
+++ b/install/share/bind.openssl.cnf.template
@@ -0,0 +1,14 @@
@@ -136,9 +123,6 @@ index 000000000..b43b46fef
+engine_id = $OPENSSL_ENGINE
+MODULE_PATH = $SOFTHSM_MODULE
+init=0
diff --git a/install/share/bind.openssl.cryptopolicy.cnf.template b/install/share/bind.openssl.cryptopolicy.cnf.template
new file mode 100644
index 000000000..3fa5c492c
--- /dev/null
+++ b/install/share/bind.openssl.cryptopolicy.cnf.template
@@ -0,0 +1,21 @@
@@ -163,8 +147,6 @@ index 000000000..3fa5c492c
+engine_id = $OPENSSL_ENGINE
+MODULE_PATH = $SOFTHSM_MODULE
+init=0
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index eac60cac3..08b34708a 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -23,6 +23,8 @@ class BaseConstantsNamespace:
@@ -176,8 +158,6 @@ index eac60cac3..08b34708a 100644
NAMED_ZONE_COMMENT = ""
PKI_USER = 'pkiuser'
PKI_GROUP = 'pkiuser'
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 55999ee6a..631086945 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -26,6 +26,7 @@ import os
@@ -188,7 +168,7 @@ index 55999ee6a..631086945 100644
ECHO = "/bin/echo"
FIPS_MODE_SETUP = "/usr/bin/fips-mode-setup"
GZIP = "/bin/gzip"
@@ -68,6 +69,7 @@ class BasePathNamespace:
@@ -69,6 +70,7 @@ class BasePathNamespace:
IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab"
IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab"
@@ -196,7 +176,7 @@ index 55999ee6a..631086945 100644
DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf"
DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so"
IPA_NSSDB_DIR = "/etc/ipa/nssdb"
@@ -256,8 +258,6 @@ class BasePathNamespace:
@@ -253,8 +255,6 @@ class BasePathNamespace:
IPA_REPLICA_CONNCHECK = "/usr/sbin/ipa-replica-conncheck"
IPA_RMKEYTAB = "/usr/sbin/ipa-rmkeytab"
IPACTL = "/usr/sbin/ipactl"
@@ -205,22 +185,18 @@ index 55999ee6a..631086945 100644
CHRONYC = "/usr/bin/chronyc"
CHRONYD = "/usr/sbin/chronyd"
PKIDESTROY = "/usr/sbin/pkidestroy"
diff --git a/ipaplatform/fedora/constants.py b/ipaplatform/fedora/constants.py
index 7efa6e204..34ba0ce19 100644
--- a/ipaplatform/fedora/constants.py
+++ b/ipaplatform/fedora/constants.py
@@ -27,4 +27,6 @@ class FedoraConstantsNamespace(RedHatConstantsNamespace):
@@ -27,4 +27,6 @@ class FedoraConstantsNamespace(RedHatCon
if HAS_NFS_CONF:
SECURE_NFS_VAR = None
+ NAMED_OPENSSL_ENGINE = "pkcs11"
+
constants = FedoraConstantsNamespace()
diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
index 4e993c063..19cbb0e1d 100644
--- a/ipaplatform/fedora/paths.py
+++ b/ipaplatform/fedora/paths.py
@@ -36,6 +36,8 @@ class FedoraPathNamespace(RedHatPathNamespace):
@@ -36,6 +36,8 @@ class FedoraPathNamespace(RedHatPathName
NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
if HAS_NFS_CONF:
SYSCONFIG_NFS = '/etc/nfs.conf'
@@ -229,11 +205,9 @@ index 4e993c063..19cbb0e1d 100644
paths = FedoraPathNamespace()
diff --git a/ipaplatform/fedora/services.py b/ipaplatform/fedora/services.py
index 0778f624c..0669f4d20 100644
--- a/ipaplatform/fedora/services.py
+++ b/ipaplatform/fedora/services.py
@@ -29,6 +29,8 @@ from ipaplatform.redhat import services as redhat_services
@@ -29,6 +29,8 @@ from ipaplatform.redhat import services
# Mappings from service names as FreeIPA code references to these services
# to their actual systemd service names
fedora_system_units = redhat_services.redhat_system_units.copy()
@@ -242,7 +216,7 @@ index 0778f624c..0669f4d20 100644
# Service classes that implement Fedora-specific behaviour
@@ -41,6 +43,8 @@ class FedoraService(redhat_services.RedHatService):
@@ -41,6 +43,8 @@ class FedoraService(redhat_services.RedH
# of specified name
def fedora_service_class_factory(name, api=None):
@@ -251,11 +225,9 @@ index 0778f624c..0669f4d20 100644
return redhat_services.redhat_service_class_factory(name, api)
diff --git a/ipaplatform/redhat/paths.py b/ipaplatform/redhat/paths.py
index 15bdef60f..eb4033a05 100644
--- a/ipaplatform/redhat/paths.py
+++ b/ipaplatform/redhat/paths.py
@@ -31,6 +31,9 @@ from ipaplatform.base.paths import BasePathNamespace
@@ -31,6 +31,9 @@ from ipaplatform.base.paths import BaseP
class RedHatPathNamespace(BasePathNamespace):
@@ -265,11 +237,9 @@ index 15bdef60f..eb4033a05 100644
# https://docs.python.org/2/library/platform.html#cross-platform
if sys.maxsize > 2**32:
LIBSOFTHSM2_SO = BasePathNamespace.LIBSOFTHSM2_SO_64
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 042431849..3cc8a71b8 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -68,6 +68,7 @@ redhat_system_units['ipa-dnskeysyncd'] = 'ipa-dnskeysyncd.service'
@@ -68,6 +68,7 @@ redhat_system_units['ipa-dnskeysyncd'] =
redhat_system_units['named-regular'] = 'named.service'
redhat_system_units['named-pkcs11'] = 'named-pkcs11.service'
redhat_system_units['named'] = redhat_system_units['named-pkcs11']
@@ -277,8 +247,6 @@ index 042431849..3cc8a71b8 100644
redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
redhat_system_units['ods-signerd'] = 'ods-signerd.service'
diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py
index c2f9c5a04..4f7cad893 100644
--- a/ipaserver/dnssec/bindmgr.py
+++ b/ipaserver/dnssec/bindmgr.py
@@ -16,11 +16,14 @@ import stat
@@ -308,11 +276,9 @@ index c2f9c5a04..4f7cad893 100644
# keys has to be readable by ODS & named
result = ipautil.run(cmd, capture_output=True)
basename = result.output.strip()
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 90cc9b38b..b27548144 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -657,7 +657,7 @@ class BindInstance(service.Service):
@@ -663,7 +663,7 @@ class BindInstance(service.Service):
self.no_dnssec_validation = False
self.sub_dict = None
self.reverse_zones = ()
@@ -321,16 +287,16 @@ index 90cc9b38b..b27548144 100644
suffix = ipautil.dn_attribute_property('_suffix')
@@ -764,7 +764,7 @@ class BindInstance(service.Service):
@@ -770,7 +770,7 @@ class BindInstance(service.Service):
# named has to be started after softhsm initialization
# self.step("restarting named", self.__start)
- self.step("configuring named to start on boot", self.__enable)
+ self.step("configuring named to start on boot", self.switch_service)
self.step("changing resolv.conf to point to ourselves", self.__setup_resolv_conf)
self.start_creation()
@@ -774,19 +774,16 @@ class BindInstance(service.Service):
self.step(
"changing resolv.conf to point to ourselves",
self.setup_resolv_conf
@@ -783,19 +783,16 @@ class BindInstance(service.Service):
def __start(self):
try:
@@ -354,7 +320,7 @@ index 90cc9b38b..b27548144 100644
# We do not let the system start IPA components on its own,
# Instead we reply on the IPA init script to start only enabled
# components as found in our LDAP configuration tree
@@ -797,20 +794,19 @@ class BindInstance(service.Service):
@@ -806,20 +803,19 @@ class BindInstance(service.Service):
# don't crash, just report error
logger.error("DNS service already exists")
@@ -383,7 +349,7 @@ index 90cc9b38b..b27548144 100644
def _get_dnssec_validation(self):
"""get dnssec-validation value
@@ -1307,11 +1303,6 @@ class BindInstance(service.Service):
@@ -1318,11 +1314,6 @@ class BindInstance(service.Service):
if self.is_configured():
self.print_msg("Unconfiguring %s" % self.service_name)
@@ -395,7 +361,7 @@ index 90cc9b38b..b27548144 100644
self.dns_backup.clear_records(self.api.Backend.ldap2.isconnected())
try:
@@ -1326,23 +1317,10 @@ class BindInstance(service.Service):
@@ -1337,23 +1328,10 @@ class BindInstance(service.Service):
ipautil.rmtree(paths.BIND_LDAP_DNS_IPA_WORKDIR)
@@ -422,8 +388,6 @@ index 90cc9b38b..b27548144 100644
ipautil.remove_file(paths.NAMED_CONF_BAK)
ipautil.remove_file(paths.NAMED_CUSTOM_CONF)
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 0cc5cd0c4..3d0d48a52 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -4,11 +4,12 @@
@@ -441,7 +405,7 @@ index 0cc5cd0c4..3d0d48a52 100644
import shutil
import stat
@@ -56,10 +57,10 @@ class DNSKeySyncInstance(service.Service):
@@ -56,10 +57,10 @@ class DNSKeySyncInstance(service.Service
keytab=paths.IPA_DNSKEYSYNCD_KEYTAB
)
self.extra_config = [u'dnssecVersion 1', ] # DNSSEC enabled
@@ -456,7 +420,7 @@ index 0cc5cd0c4..3d0d48a52 100644
suffix = ipautil.dn_attribute_property('_suffix')
@@ -67,12 +68,6 @@ class DNSKeySyncInstance(service.Service):
@@ -67,12 +68,6 @@ class DNSKeySyncInstance(service.Service
"""
Setting up correct permissions to allow write/read access for daemons
"""
@@ -469,7 +433,7 @@ index 0cc5cd0c4..3d0d48a52 100644
if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR):
os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0o770)
# dnssec daemons require to have access into the directory
@@ -133,20 +128,19 @@ class DNSKeySyncInstance(service.Service):
@@ -133,20 +128,19 @@ class DNSKeySyncInstance(service.Service
except KeyError:
raise RuntimeError("Named GID not found")
@@ -495,7 +459,7 @@ index 0cc5cd0c4..3d0d48a52 100644
if not dns_container_exists(self.suffix):
raise RuntimeError("DNS container does not exist")
@@ -164,10 +158,94 @@ class DNSKeySyncInstance(service.Service):
@@ -164,10 +158,94 @@ class DNSKeySyncInstance(service.Service
self._ldap_mod("dnssec.ldif", {'SUFFIX': self.suffix, })
@@ -504,7 +468,7 @@ index 0cc5cd0c4..3d0d48a52 100644
- assert self.named_gid is not None
+ def _are_named_options_configured(self, options):
+ """Check whether the sysconfig of named is patched
+
+ Additional command line options for named are passed
+ via OPTIONS env variable. Since custom options can be
+ supplied by a vendor, at least, the base parsing of such
@@ -588,12 +552,12 @@ index 0cc5cd0c4..3d0d48a52 100644
+ sysconfig,
+ 'OPENSSL_CONF', paths.DNSSEC_OPENSSL_CONF,
+ quotes=False, separator='=')
+
+ def __setup_softhsm(self):
token_dir_exists = os.path.exists(paths.DNSSEC_TOKENS_DIR)
# create dnssec directory
@@ -186,23 +264,15 @@ class DNSKeySyncInstance(service.Service):
@@ -186,23 +264,15 @@ class DNSKeySyncInstance(service.Service
'tokens_dir': paths.DNSSEC_TOKENS_DIR
}
logger.debug("Creating new softhsm config file")
@@ -626,7 +590,7 @@ index 0cc5cd0c4..3d0d48a52 100644
if (token_dir_exists and os.path.exists(paths.DNSSEC_SOFTHSM_PIN) and
os.path.exists(paths.DNSSEC_SOFTHSM_PIN_SO)):
@@ -231,23 +301,17 @@ class DNSKeySyncInstance(service.Service):
@@ -231,23 +301,17 @@ class DNSKeySyncInstance(service.Service
entropy_bits=0, special=None, min_len=pin_length)
logger.debug("Saving user PIN to %s", paths.DNSSEC_SOFTHSM_PIN)
@@ -659,7 +623,7 @@ index 0cc5cd0c4..3d0d48a52 100644
# initialize SoftHSM
@@ -377,7 +441,7 @@ class DNSKeySyncInstance(service.Service):
@@ -377,7 +441,7 @@ class DNSKeySyncInstance(service.Service
os.chown(dir_path, self.ods_uid, self.named_gid)
for filename in files:
file_path = os.path.join(root, filename)
@@ -668,7 +632,7 @@ index 0cc5cd0c4..3d0d48a52 100644
# chown to ods:named
os.chown(file_path, self.ods_uid, self.named_gid)
@@ -389,7 +453,6 @@ class DNSKeySyncInstance(service.Service):
@@ -389,7 +453,6 @@ class DNSKeySyncInstance(service.Service
logger.error("DNSKeySync service already exists")
def __setup_principal(self):
@@ -676,8 +640,6 @@ index 0cc5cd0c4..3d0d48a52 100644
ipautil.remove_keytab(self.keytab)
installutils.kadmin_addprinc(self.principal)
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index d4b7b4377..64806db4c 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -185,6 +185,7 @@ class Backup(admintool.AdminTool):
@@ -688,11 +650,9 @@ index d4b7b4377..64806db4c 100644
paths.DNSSEC_SOFTHSM2_CONF,
paths.DNSSEC_SOFTHSM_PIN_SO,
paths.IPA_ODS_EXPORTER_KEYTAB,
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index 746c534dc..c7a097b58 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -106,9 +106,9 @@ def install(api, replica_config, options, custodia):
@@ -106,9 +106,9 @@ def install(api, replica_config, options
# Restart apache for new proxy config file
services.knownservices.httpd.restart(capture_output=True)
@@ -704,11 +664,9 @@ index 746c534dc..c7a097b58 100644
if named.is_running():
named.restart(capture_output=True)
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 95029fd5e..044db794b 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -269,7 +269,7 @@ class OpenDNSSECInstance(service.Service):
@@ -269,7 +269,7 @@ class OpenDNSSECInstance(service.Service
os.chown(dir_path, self.ods_uid, self.named_gid) # chown to ods:named
for filename in files:
file_path = os.path.join(root, filename)
@@ -717,11 +675,9 @@ index 95029fd5e..044db794b 100644
os.chown(file_path, self.ods_uid, self.named_gid) # chown to ods:named
finally:
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index d532a1c0f..afd8bce5c 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -527,6 +527,24 @@ def ca_initialize_hsm_state(ca):
@@ -509,6 +509,24 @@ def ca_initialize_hsm_state(ca):
ca.set_hsm_state(config)
@@ -746,7 +702,7 @@ index d532a1c0f..afd8bce5c 100644
def certificate_renewal_update(ca, kra, ds, http):
"""
@@ -1425,7 +1443,10 @@ def upgrade_bind(fstore):
@@ -1395,7 +1413,10 @@ def upgrade_bind(fstore):
logger.info("DNS service is not configured")
return False
@@ -757,8 +713,8 @@ index d532a1c0f..afd8bce5c 100644
+ bind_old_states(bind)
bind_old_upgrade_states()
if bind.is_configured() and not bind.is_running():
@@ -1451,6 +1472,38 @@ def upgrade_bind(fstore):
# only upgrade with drop-in is missing and /etc/resolv.conf is a link to
@@ -1428,6 +1449,38 @@ def upgrade_bind(fstore):
return changed
@@ -797,7 +753,7 @@ index d532a1c0f..afd8bce5c 100644
def bind_old_upgrade_states():
"""Remove old upgrade states
"""
@@ -1696,6 +1749,9 @@ def upgrade_configuration():
@@ -1673,6 +1726,9 @@ def upgrade_configuration():
if not dnskeysyncd.is_configured():
dnskeysyncd.create_instance(fqdn, api.env.realm)
dnskeysyncd.start_dnskeysyncd()
@@ -807,8 +763,6 @@ index d532a1c0f..afd8bce5c 100644
cleanup_kdc(fstore)
cleanup_adtrust(fstore)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 3706bdd86..2123a17de 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -533,6 +533,9 @@ class Service:
@@ -829,8 +783,6 @@ index 3706bdd86..2123a17de 100644
self.disable()
set_service_entry_config(
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index fa6abd81e..e3c9f54a9 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -989,7 +989,7 @@ class TestIPACommand(IntegrationTest):