diff --git a/0056-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch b/0056-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch new file mode 100644 index 0000000..992df1f --- /dev/null +++ b/0056-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch @@ -0,0 +1,126 @@ +From b1390d1ad7e94256148a6b26431ff1e97fb8b7b3 Mon Sep 17 00:00:00 2001 +From: Francisco Trivino +Date: Fri, 27 May 2022 17:31:40 +0200 +Subject: [PATCH] Vault: add support for RSA-OAEP wrapping algo + +None of the FIPS certified modules in RHEL support PKCS#1 v1.5 as FIPS +approved mechanism. This commit adds support for RSA-OAEP padding as a +fallback. + +Fixes: https://pagure.io/freeipa/issue/9191 + +Signed-off-by: Francisco Trivino +Reviewed-By: Rob Crittenden +--- + ipaclient/plugins/vault.py | 57 ++++++++++++++++++++++++++++++-------- + 1 file changed, 45 insertions(+), 12 deletions(-) + +diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py +index bdd988ad186c1d773b454608e63c585c332af22a..a29bd6e5f437d9d07f2d995d7bc884e7f2419c27 100644 +--- a/ipaclient/plugins/vault.py ++++ b/ipaclient/plugins/vault.py +@@ -119,8 +119,8 @@ def encrypt(data, symmetric_key=None, public_key=None): + return public_key_obj.encrypt( + data, + padding.OAEP( +- mgf=padding.MGF1(algorithm=hashes.SHA1()), +- algorithm=hashes.SHA1(), ++ mgf=padding.MGF1(algorithm=hashes.SHA256()), ++ algorithm=hashes.SHA256(), + label=None + ) + ) +@@ -154,8 +154,8 @@ def decrypt(data, symmetric_key=None, private_key=None): + return private_key_obj.decrypt( + data, + padding.OAEP( +- mgf=padding.MGF1(algorithm=hashes.SHA1()), +- algorithm=hashes.SHA1(), ++ mgf=padding.MGF1(algorithm=hashes.SHA256()), ++ algorithm=hashes.SHA256(), + label=None + ) + ) +@@ -703,14 +703,39 @@ class ModVaultData(Local): + return transport_cert, wrapping_algo + + def _do_internal(self, algo, transport_cert, raise_unexpected, +- *args, **options): ++ use_oaep=False, *args, **options): + public_key = transport_cert.public_key() + + # wrap session key with transport certificate +- wrapped_session_key = public_key.encrypt( +- algo.key, +- padding.PKCS1v15() +- ) ++ # KRA may be configured using either the default PKCS1v15 or RSA-OAEP. ++ # there is no way to query this info using the REST interface. ++ if not use_oaep: ++ # PKCS1v15() causes an OpenSSL exception when FIPS is enabled ++ # if so, we fallback to RSA-OAEP ++ try: ++ wrapped_session_key = public_key.encrypt( ++ algo.key, ++ padding.PKCS1v15() ++ ) ++ except ValueError: ++ wrapped_session_key = public_key.encrypt( ++ algo.key, ++ padding.OAEP( ++ mgf=padding.MGF1(algorithm=hashes.SHA256()), ++ algorithm=hashes.SHA256(), ++ label=None ++ ) ++ ) ++ else: ++ wrapped_session_key = public_key.encrypt( ++ algo.key, ++ padding.OAEP( ++ mgf=padding.MGF1(algorithm=hashes.SHA256()), ++ algorithm=hashes.SHA256(), ++ label=None ++ ) ++ ) ++ + options['session_key'] = wrapped_session_key + + name = self.name + '_internal' +@@ -721,7 +746,7 @@ class ModVaultData(Local): + errors.ExecutionError, + errors.GenericError): + _kra_config_cache.remove(self.api.env.domain) +- if raise_unexpected: ++ if raise_unexpected and use_oaep: + raise + return None + +@@ -731,15 +756,23 @@ class ModVaultData(Local): + """ + # try call with cached transport certificate + result = self._do_internal(algo, transport_cert, False, +- *args, **options) ++ False, *args, **options) + if result is not None: + return result + + # retrieve transport certificate (cached by vaultconfig_show) + transport_cert = self._get_vaultconfig(force_refresh=True)[0] ++ + # call with the retrieved transport certificate ++ result = self._do_internal(algo, transport_cert, True, ++ False, *args, **options) ++ ++ if result is not None: ++ return result ++ ++ # call and use_oaep this time, last attempt + return self._do_internal(algo, transport_cert, True, +- *args, **options) ++ True, *args, **options) + + + @register(no_fail=True) +-- +2.43.0 + diff --git a/0057-Vault-improve-vault-server-archival-retrieval-calls-.patch b/0057-Vault-improve-vault-server-archival-retrieval-calls-.patch new file mode 100644 index 0000000..a5bd8af --- /dev/null +++ b/0057-Vault-improve-vault-server-archival-retrieval-calls-.patch @@ -0,0 +1,87 @@ +From c6f79e0453c9d417173ca7ecfbd5e233c6a89a9f Mon Sep 17 00:00:00 2001 +From: Francisco Trivino +Date: Fri, 19 Jan 2024 18:15:28 +0100 +Subject: [PATCH] Vault: improve vault server archival/retrieval calls error + handling + +If a vault operation fails, the error message just says "InternalError". This commit +improves error handling of key archival and retrieval calls by catching the PKIException +error and raising it as an IPA error. + +Related: https://pagure.io/freeipa/issue/9191 + +Signed-off-by: Francisco Trivino +Reviewed-By: Rob Crittenden +--- + ipaserver/plugins/vault.py | 40 +++++++++++++++++++++++++------------- + 1 file changed, 26 insertions(+), 14 deletions(-) + +diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py +index a47cf7bd306154b24fd6dc0223718faf55440489..0bcc2a1ce4bb5f61b3a69fd0cc8d2b4516e20b63 100644 +--- a/ipaserver/plugins/vault.py ++++ b/ipaserver/plugins/vault.py +@@ -45,6 +45,7 @@ if api.env.in_server: + import pki.key + from pki.crypto import DES_EDE3_CBC_OID + from pki.crypto import AES_128_CBC_OID ++ from pki import PKIException + + if six.PY3: + unicode = str +@@ -1096,16 +1097,21 @@ class vault_archive_internal(PKQuery): + pki.key.KeyClient.KEY_STATUS_INACTIVE) + + # forward wrapped data to KRA +- kra_client.keys.archive_encrypted_data( +- client_key_id, +- pki.key.KeyClient.PASS_PHRASE_TYPE, +- wrapped_vault_data, +- wrapped_session_key, +- algorithm_oid=algorithm_oid, +- nonce_iv=nonce, +- ) +- +- kra_account.logout() ++ try: ++ kra_client.keys.archive_encrypted_data( ++ client_key_id, ++ pki.key.KeyClient.PASS_PHRASE_TYPE, ++ wrapped_vault_data, ++ wrapped_session_key, ++ algorithm_oid=algorithm_oid, ++ nonce_iv=nonce, ++ ) ++ except PKIException as e: ++ kra_account.logout() ++ raise errors.EncodingError( ++ message=_("Unable to archive key: %s") % e) ++ finally: ++ kra_account.logout() + + response = { + 'value': args[-1], +@@ -1176,11 +1182,17 @@ class vault_retrieve_internal(PKQuery): + kra_client.keys.encrypt_alg_oid = algorithm_oid + + # retrieve encrypted data from KRA +- key = kra_client.keys.retrieve_key( +- key_info.get_key_id(), +- wrapped_session_key) ++ try: + +- kra_account.logout() ++ key = kra_client.keys.retrieve_key( ++ key_info.get_key_id(), ++ wrapped_session_key) ++ except PKIException as e: ++ kra_account.logout() ++ raise errors.EncodingError( ++ message=_("Unable to retrieve key: %s") % e) ++ finally: ++ kra_account.logout() + + response = { + 'value': args[-1], +-- +2.43.0 + diff --git a/0058-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch b/0058-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch new file mode 100644 index 0000000..85515f8 --- /dev/null +++ b/0058-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch @@ -0,0 +1,97 @@ +From 601de6985ce0efdd701bfd8361cea72c4b87f39b Mon Sep 17 00:00:00 2001 +From: Francisco Trivino +Date: Fri, 19 Jan 2024 17:12:07 +0100 +Subject: [PATCH] kra: set RSA-OAEP as default wrapping algo when FIPS is + enabled + +Vault uses PKCS1v15 as default padding wrapping algo, which is not an approved +FIPS algorithm. This commit ensures that KRA is installed with RSA-OAEP if FIPS +is enabled. It also handles upgrade path. + +Fixes: https://pagure.io/freeipa/issue/9191 + +Signed-off-by: Francisco Trivino +Reviewed-By: Rob Crittenden +--- + install/share/ipaca_default.ini | 3 +++ + ipaserver/install/dogtaginstance.py | 4 +++- + ipaserver/install/krainstance.py | 12 ++++++++++++ + ipaserver/install/server/upgrade.py | 12 ++++++++++++ + 4 files changed, 30 insertions(+), 1 deletion(-) + +diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini +index 62e0729d1b6332fce142cd1d85ccc461539d06ae..44cda15920176c9eebb9a3d16f089210ff17dcdd 100644 +--- a/install/share/ipaca_default.ini ++++ b/install/share/ipaca_default.ini +@@ -166,3 +166,6 @@ pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s + # We will use the dbuser created for the CA. + pki_share_db=True + pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca ++ ++# KRA padding, set RSA-OAEP in FIPS mode ++pki_use_oaep_rsa_keywrap=%(fips_use_oaep_rsa_keywrap)s +\ No newline at end of file +diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py +index 7fdf2e0ed0f3ed99a6672f527d38dda0ce5ef8bb..e0aa129ad3b0114afc4d1eae7f1ed76bb41276ae 100644 +--- a/ipaserver/install/dogtaginstance.py ++++ b/ipaserver/install/dogtaginstance.py +@@ -1020,7 +1020,9 @@ class PKIIniLoader: + # for softhsm2 testing + softhsm2_so=paths.LIBSOFTHSM2_SO, + # Configure a more secure AJP password by default +- ipa_ajp_secret=ipautil.ipa_generate_password(special=None) ++ ipa_ajp_secret=ipautil.ipa_generate_password(special=None), ++ # in FIPS mode use RSA-OAEP wrapping padding algo as default ++ fips_use_oaep_rsa_keywrap=tasks.is_fips_enabled() + ) + + @classmethod +diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py +index d0636a56c3d2c09a5c83c08cc1fc12768212ac3e..0fd148697dadd59ad87eb401528761010a1555de 100644 +--- a/ipaserver/install/krainstance.py ++++ b/ipaserver/install/krainstance.py +@@ -284,6 +284,18 @@ class KRAInstance(DogtagInstance): + + # A restart is required + ++ def enable_oaep_wrap_algo(self): ++ """ ++ Enable KRA OAEP key wrap algorithm ++ """ ++ with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'): ++ directivesetter.set_directive( ++ self.config, ++ 'keyWrap.useOAEP', ++ 'true', quotes=False, separator='=') ++ ++ # A restart is required ++ + def update_cert_config(self, nickname, cert): + """ + When renewing a KRA subsystem certificate the configuration file +diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py +index f42faea049c720c931ce7ea865e3c35acbc08b5d..31d4f8398cfb0251cc59ada909eb55635b83e960 100644 +--- a/ipaserver/install/server/upgrade.py ++++ b/ipaserver/install/server/upgrade.py +@@ -1794,6 +1794,18 @@ def upgrade_configuration(): + else: + logger.info('ephemeralRequest is already enabled') + ++ if tasks.is_fips_enabled(): ++ logger.info('[Ensuring KRA OAEP wrap algo is enabled in FIPS]') ++ value = directivesetter.get_directive( ++ paths.KRA_CS_CFG_PATH, ++ 'keyWrap.useOAEP', ++ separator='=') ++ if value is None or value.lower() != 'true': ++ logger.info('Use the OAEP key wrap algo') ++ kra.enable_oaep_wrap_algo() ++ else: ++ logger.info('OAEP key wrap algo is already enabled') ++ + # several upgrade steps require running CA. If CA is configured, + # always run ca.start() because we need to wait until CA is really ready + # by checking status using http +-- +2.43.0 + diff --git a/0059-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch b/0059-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch new file mode 100644 index 0000000..91131ed --- /dev/null +++ b/0059-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch @@ -0,0 +1,28 @@ +From ac44c3d0a69aa2b3f8230c3ab13dca5ab5a78dd0 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Tue, 20 Feb 2024 15:14:24 +0100 +Subject: [PATCH] ipa-kdb: Fix double free in ipadb_reinit_mspac() + +Fixes: https://pagure.io/freeipa/issue/9535 + +Signed-off-by: Julien Rische +Reviewed-By: Florence Blanc-Renaud +--- + daemons/ipa-kdb/ipa_kdb_mspac.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index b0eb3324bf4b7d8eeb7b332c39de4023784f6337..9723103d8a77294ed7457d9b48bfc0d98b9ccef1 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -3087,6 +3087,7 @@ ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit, + } + + free(resstr); ++ resstr = NULL; + + flat_server_name = get_server_netbios_name(ipactx); + if (!flat_server_name) { +-- +2.43.0 + diff --git a/freeipa.spec b/freeipa.spec index 5278b8a..078c72d 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -223,7 +223,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 7%{?rc_version:.%rc_version}%{?dist} +Release: 8%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPL-3.0-or-later @@ -302,6 +302,10 @@ Patch0052: 0052-ipatests-remove-xfail-thanks-to-sssd-2.9.4.patch Patch0053: 0053-ipatests-add-xfail-for-autoprivate-group-test-with-o.patch Patch0054: 0054-ipatests-fix-tasks.wait_for_replication-method.patch Patch0055: 0055-ipa-kdb-Rework-ipadb_reinit_mspac.patch +Patch0056: 0056-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch +Patch0057: 0057-Vault-improve-vault-server-archival-retrieval-calls-.patch +Patch0058: 0058-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch +Patch0059: 0059-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif %endif @@ -1794,6 +1798,10 @@ fi %endif %changelog +* Tue Feb 20 2024 Florence Blanc-Renaud - 4.11.0-8 +- Resolves: RHEL-12143 'ipa vault-add is failing with ipa: ERROR: an internal error has occurred in FIPS mode +- Resolves: RHEL-25738 ipa-kdb: Cannot determine if PAC generator is available + * Fri Feb 16 2024 Florence Blanc-Renaud - 4.11.0-7 - Resolves: RHEL-25260 tier-1-upstream-dns-locations failed on RHEL8.8 gating - Resolves: RHEL-25738 ipa-kdb: Cannot determine if PAC generator is available