rpms
/
ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

ipa-4.11.0-8 

- Resolves: RHEL-12143 'ipa vault-add is failing with ipa: ERROR: an internal error has occurred in FIPS mode
- Resolves: RHEL-25738 ipa-kdb: Cannot determine if PAC generator is available

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
Florence Blanc-Renaud 2024-02-20 18:59:25 +01:00
parent 7389b56a67
commit a727d75b87
5 changed files with 347 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

126
0056-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch Normal file
View File

@ -0,0 +1,126 @@
From b1390d1ad7e94256148a6b26431ff1e97fb8b7b3 Mon Sep 17 00:00:00 2001
From: Francisco Trivino <ftrivino@redhat.com>
Date: Fri, 27 May 2022 17:31:40 +0200
Subject: [PATCH] Vault: add support for RSA-OAEP wrapping algo
None of the FIPS certified modules in RHEL support PKCS#1 v1.5 as FIPS
approved mechanism. This commit adds support for RSA-OAEP padding as a
fallback.
Fixes: https://pagure.io/freeipa/issue/9191
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaclient/plugins/vault.py | 57 ++++++++++++++++++++++++++++++--------
1 file changed, 45 insertions(+), 12 deletions(-)
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index bdd988ad186c1d773b454608e63c585c332af22a..a29bd6e5f437d9d07f2d995d7bc884e7f2419c27 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -119,8 +119,8 @@ def encrypt(data, symmetric_key=None, public_key=None):
return public_key_obj.encrypt(
data,
padding.OAEP(
- mgf=padding.MGF1(algorithm=hashes.SHA1()),
- algorithm=hashes.SHA1(),
+ mgf=padding.MGF1(algorithm=hashes.SHA256()),
+ algorithm=hashes.SHA256(),
label=None
)
)
@@ -154,8 +154,8 @@ def decrypt(data, symmetric_key=None, private_key=None):
return private_key_obj.decrypt(
data,
padding.OAEP(
- mgf=padding.MGF1(algorithm=hashes.SHA1()),
- algorithm=hashes.SHA1(),
+ mgf=padding.MGF1(algorithm=hashes.SHA256()),
+ algorithm=hashes.SHA256(),
label=None
)
)
@@ -703,14 +703,39 @@ class ModVaultData(Local):
return transport_cert, wrapping_algo
def _do_internal(self, algo, transport_cert, raise_unexpected,
- *args, **options):
+ use_oaep=False, *args, **options):
public_key = transport_cert.public_key()
# wrap session key with transport certificate
- wrapped_session_key = public_key.encrypt(
- algo.key,
- padding.PKCS1v15()
- )
+ # KRA may be configured using either the default PKCS1v15 or RSA-OAEP.
+ # there is no way to query this info using the REST interface.
+ if not use_oaep:
+ # PKCS1v15() causes an OpenSSL exception when FIPS is enabled
+ # if so, we fallback to RSA-OAEP
+ try:
+ wrapped_session_key = public_key.encrypt(
+ algo.key,
+ padding.PKCS1v15()
+ )
+ except ValueError:
+ wrapped_session_key = public_key.encrypt(
+ algo.key,
+ padding.OAEP(
+ mgf=padding.MGF1(algorithm=hashes.SHA256()),
+ algorithm=hashes.SHA256(),
+ label=None
+ )
+ )
+ else:
+ wrapped_session_key = public_key.encrypt(
+ algo.key,
+ padding.OAEP(
+ mgf=padding.MGF1(algorithm=hashes.SHA256()),
+ algorithm=hashes.SHA256(),
+ label=None
+ )
+ )
+
options['session_key'] = wrapped_session_key
name = self.name + '_internal'
@@ -721,7 +746,7 @@ class ModVaultData(Local):
errors.ExecutionError,
errors.GenericError):
_kra_config_cache.remove(self.api.env.domain)
- if raise_unexpected:
+ if raise_unexpected and use_oaep:
raise
return None
@@ -731,15 +756,23 @@ class ModVaultData(Local):
"""
# try call with cached transport certificate
result = self._do_internal(algo, transport_cert, False,
- *args, **options)
+ False, *args, **options)
if result is not None:
return result
# retrieve transport certificate (cached by vaultconfig_show)
transport_cert = self._get_vaultconfig(force_refresh=True)[0]
+
# call with the retrieved transport certificate
+ result = self._do_internal(algo, transport_cert, True,
+ False, *args, **options)
+
+ if result is not None:
+ return result
+
+ # call and use_oaep this time, last attempt
return self._do_internal(algo, transport_cert, True,
- *args, **options)
+ True, *args, **options)
@register(no_fail=True)
--
2.43.0

87
0057-Vault-improve-vault-server-archival-retrieval-calls-.patch Normal file
View File

@ -0,0 +1,87 @@
From c6f79e0453c9d417173ca7ecfbd5e233c6a89a9f Mon Sep 17 00:00:00 2001
From: Francisco Trivino <ftrivino@redhat.com>
Date: Fri, 19 Jan 2024 18:15:28 +0100
Subject: [PATCH] Vault: improve vault server archival/retrieval calls error
handling
If a vault operation fails, the error message just says "InternalError". This commit
improves error handling of key archival and retrieval calls by catching the PKIException
error and raising it as an IPA error.
Related: https://pagure.io/freeipa/issue/9191
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/plugins/vault.py | 40 +++++++++++++++++++++++++-------------
1 file changed, 26 insertions(+), 14 deletions(-)
diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py
index a47cf7bd306154b24fd6dc0223718faf55440489..0bcc2a1ce4bb5f61b3a69fd0cc8d2b4516e20b63 100644
--- a/ipaserver/plugins/vault.py
+++ b/ipaserver/plugins/vault.py
@@ -45,6 +45,7 @@ if api.env.in_server:
import pki.key
from pki.crypto import DES_EDE3_CBC_OID
from pki.crypto import AES_128_CBC_OID
+ from pki import PKIException
if six.PY3:
unicode = str
@@ -1096,16 +1097,21 @@ class vault_archive_internal(PKQuery):
pki.key.KeyClient.KEY_STATUS_INACTIVE)
# forward wrapped data to KRA
- kra_client.keys.archive_encrypted_data(
- client_key_id,
- pki.key.KeyClient.PASS_PHRASE_TYPE,
- wrapped_vault_data,
- wrapped_session_key,
- algorithm_oid=algorithm_oid,
- nonce_iv=nonce,
- )
-
- kra_account.logout()
+ try:
+ kra_client.keys.archive_encrypted_data(
+ client_key_id,
+ pki.key.KeyClient.PASS_PHRASE_TYPE,
+ wrapped_vault_data,
+ wrapped_session_key,
+ algorithm_oid=algorithm_oid,
+ nonce_iv=nonce,
+ )
+ except PKIException as e:
+ kra_account.logout()
+ raise errors.EncodingError(
+ message=_("Unable to archive key: %s") % e)
+ finally:
+ kra_account.logout()
response = {
'value': args[-1],
@@ -1176,11 +1182,17 @@ class vault_retrieve_internal(PKQuery):
kra_client.keys.encrypt_alg_oid = algorithm_oid
# retrieve encrypted data from KRA
- key = kra_client.keys.retrieve_key(
- key_info.get_key_id(),
- wrapped_session_key)
+ try:
- kra_account.logout()
+ key = kra_client.keys.retrieve_key(
+ key_info.get_key_id(),
+ wrapped_session_key)
+ except PKIException as e:
+ kra_account.logout()
+ raise errors.EncodingError(
+ message=_("Unable to retrieve key: %s") % e)
+ finally:
+ kra_account.logout()
response = {
'value': args[-1],
--
2.43.0

97
0058-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch Normal file
View File

@ -0,0 +1,97 @@
From 601de6985ce0efdd701bfd8361cea72c4b87f39b Mon Sep 17 00:00:00 2001
From: Francisco Trivino <ftrivino@redhat.com>
Date: Fri, 19 Jan 2024 17:12:07 +0100
Subject: [PATCH] kra: set RSA-OAEP as default wrapping algo when FIPS is
enabled
Vault uses PKCS1v15 as default padding wrapping algo, which is not an approved
FIPS algorithm. This commit ensures that KRA is installed with RSA-OAEP if FIPS
is enabled. It also handles upgrade path.
Fixes: https://pagure.io/freeipa/issue/9191
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
install/share/ipaca_default.ini | 3 +++
ipaserver/install/dogtaginstance.py | 4 +++-
ipaserver/install/krainstance.py | 12 ++++++++++++
ipaserver/install/server/upgrade.py | 12 ++++++++++++
4 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini
index 62e0729d1b6332fce142cd1d85ccc461539d06ae..44cda15920176c9eebb9a3d16f089210ff17dcdd 100644
--- a/install/share/ipaca_default.ini
+++ b/install/share/ipaca_default.ini
@@ -166,3 +166,6 @@ pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s
# We will use the dbuser created for the CA.
pki_share_db=True
pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca
+
+# KRA padding, set RSA-OAEP in FIPS mode
+pki_use_oaep_rsa_keywrap=%(fips_use_oaep_rsa_keywrap)s
\ No newline at end of file
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 7fdf2e0ed0f3ed99a6672f527d38dda0ce5ef8bb..e0aa129ad3b0114afc4d1eae7f1ed76bb41276ae 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -1020,7 +1020,9 @@ class PKIIniLoader:
# for softhsm2 testing
softhsm2_so=paths.LIBSOFTHSM2_SO,
# Configure a more secure AJP password by default
- ipa_ajp_secret=ipautil.ipa_generate_password(special=None)
+ ipa_ajp_secret=ipautil.ipa_generate_password(special=None),
+ # in FIPS mode use RSA-OAEP wrapping padding algo as default
+ fips_use_oaep_rsa_keywrap=tasks.is_fips_enabled()
)
@classmethod
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index d0636a56c3d2c09a5c83c08cc1fc12768212ac3e..0fd148697dadd59ad87eb401528761010a1555de 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -284,6 +284,18 @@ class KRAInstance(DogtagInstance):
# A restart is required
+ def enable_oaep_wrap_algo(self):
+ """
+ Enable KRA OAEP key wrap algorithm
+ """
+ with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'):
+ directivesetter.set_directive(
+ self.config,
+ 'keyWrap.useOAEP',
+ 'true', quotes=False, separator='=')
+
+ # A restart is required
+
def update_cert_config(self, nickname, cert):
"""
When renewing a KRA subsystem certificate the configuration file
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index f42faea049c720c931ce7ea865e3c35acbc08b5d..31d4f8398cfb0251cc59ada909eb55635b83e960 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1794,6 +1794,18 @@ def upgrade_configuration():
else:
logger.info('ephemeralRequest is already enabled')
+ if tasks.is_fips_enabled():
+ logger.info('[Ensuring KRA OAEP wrap algo is enabled in FIPS]')
+ value = directivesetter.get_directive(
+ paths.KRA_CS_CFG_PATH,
+ 'keyWrap.useOAEP',
+ separator='=')
+ if value is None or value.lower() != 'true':
+ logger.info('Use the OAEP key wrap algo')
+ kra.enable_oaep_wrap_algo()
+ else:
+ logger.info('OAEP key wrap algo is already enabled')
+
# several upgrade steps require running CA. If CA is configured,
# always run ca.start() because we need to wait until CA is really ready
# by checking status using http
--
2.43.0

28
0059-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch Normal file
View File

@ -0,0 +1,28 @@
From ac44c3d0a69aa2b3f8230c3ab13dca5ab5a78dd0 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Tue, 20 Feb 2024 15:14:24 +0100
Subject: [PATCH] ipa-kdb: Fix double free in ipadb_reinit_mspac()
Fixes: https://pagure.io/freeipa/issue/9535
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index b0eb3324bf4b7d8eeb7b332c39de4023784f6337..9723103d8a77294ed7457d9b48bfc0d98b9ccef1 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -3087,6 +3087,7 @@ ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit,
}
free(resstr);
+ resstr = NULL;
flat_server_name = get_server_netbios_name(ipactx);
if (!flat_server_name) {
--
2.43.0

10
freeipa.spec
View File

@ -223,7 +223,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 7%{?rc_version:.%rc_version}%{?dist}
Release: 8%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later
@ -302,6 +302,10 @@ Patch0052: 0052-ipatests-remove-xfail-thanks-to-sssd-2.9.4.patch
Patch0053: 0053-ipatests-add-xfail-for-autoprivate-group-test-with-o.patch
Patch0054: 0054-ipatests-fix-tasks.wait_for_replication-method.patch
Patch0055: 0055-ipa-kdb-Rework-ipadb_reinit_mspac.patch
Patch0056: 0056-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch
Patch0057: 0057-Vault-improve-vault-server-archival-retrieval-calls-.patch
Patch0058: 0058-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch
Patch0059: 0059-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -1794,6 +1798,10 @@ fi
%endif
%changelog
* Tue Feb 20 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-8
- Resolves: RHEL-12143 'ipa vault-add is failing with ipa: ERROR: an internal error has occurred in FIPS mode
- Resolves: RHEL-25738 ipa-kdb: Cannot determine if PAC generator is available
* Fri Feb 16 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.11.0-7
- Resolves: RHEL-25260 tier-1-upstream-dns-locations failed on RHEL8.8 gating
- Resolves: RHEL-25738 ipa-kdb: Cannot determine if PAC generator is available