diff --git a/0019-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch b/0019-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch new file mode 100644 index 0000000..1daf696 --- /dev/null +++ b/0019-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch @@ -0,0 +1,127 @@ +From 163f06cab678d517ab30ab6da59ae339f39ee7cf Mon Sep 17 00:00:00 2001 +From: Francisco Trivino +Date: Fri, 27 May 2022 17:31:40 +0200 +Subject: [PATCH] Vault: add support for RSA-OAEP wrapping algo + +None of the FIPS certified modules in RHEL support PKCS#1 v1.5 as FIPS +approved mechanism. This commit adds support for RSA-OAEP padding as a +fallback. + +Fixes: https://pagure.io/freeipa/issue/9191 + +Signed-off-by: Francisco Trivino +Reviewed-By: Rob Crittenden +(cherry picked from commit b1fb31fd20c900c9ff1d5d28dfe136439f6bf605) +--- + ipaclient/plugins/vault.py | 57 ++++++++++++++++++++++++++++++-------- + 1 file changed, 45 insertions(+), 12 deletions(-) + +diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py +index d4c84eb6b..ed16c73ae 100644 +--- a/ipaclient/plugins/vault.py ++++ b/ipaclient/plugins/vault.py +@@ -119,8 +119,8 @@ def encrypt(data, symmetric_key=None, public_key=None): + return public_key_obj.encrypt( + data, + padding.OAEP( +- mgf=padding.MGF1(algorithm=hashes.SHA1()), +- algorithm=hashes.SHA1(), ++ mgf=padding.MGF1(algorithm=hashes.SHA256()), ++ algorithm=hashes.SHA256(), + label=None + ) + ) +@@ -154,8 +154,8 @@ def decrypt(data, symmetric_key=None, private_key=None): + return private_key_obj.decrypt( + data, + padding.OAEP( +- mgf=padding.MGF1(algorithm=hashes.SHA1()), +- algorithm=hashes.SHA1(), ++ mgf=padding.MGF1(algorithm=hashes.SHA256()), ++ algorithm=hashes.SHA256(), + label=None + ) + ) +@@ -705,14 +705,39 @@ class ModVaultData(Local): + return transport_cert, wrapping_algo + + def _do_internal(self, algo, transport_cert, raise_unexpected, +- *args, **options): ++ use_oaep=False, *args, **options): + public_key = transport_cert.public_key() + + # wrap session key with transport certificate +- wrapped_session_key = public_key.encrypt( +- algo.key, +- padding.PKCS1v15() +- ) ++ # KRA may be configured using either the default PKCS1v15 or RSA-OAEP. ++ # there is no way to query this info using the REST interface. ++ if not use_oaep: ++ # PKCS1v15() causes an OpenSSL exception when FIPS is enabled ++ # if so, we fallback to RSA-OAEP ++ try: ++ wrapped_session_key = public_key.encrypt( ++ algo.key, ++ padding.PKCS1v15() ++ ) ++ except ValueError: ++ wrapped_session_key = public_key.encrypt( ++ algo.key, ++ padding.OAEP( ++ mgf=padding.MGF1(algorithm=hashes.SHA256()), ++ algorithm=hashes.SHA256(), ++ label=None ++ ) ++ ) ++ else: ++ wrapped_session_key = public_key.encrypt( ++ algo.key, ++ padding.OAEP( ++ mgf=padding.MGF1(algorithm=hashes.SHA256()), ++ algorithm=hashes.SHA256(), ++ label=None ++ ) ++ ) ++ + options['session_key'] = wrapped_session_key + + name = self.name + '_internal' +@@ -723,7 +748,7 @@ class ModVaultData(Local): + errors.ExecutionError, + errors.GenericError): + _kra_config_cache.remove(self.api.env.domain) +- if raise_unexpected: ++ if raise_unexpected and use_oaep: + raise + return None + +@@ -733,15 +758,23 @@ class ModVaultData(Local): + """ + # try call with cached transport certificate + result = self._do_internal(algo, transport_cert, False, +- *args, **options) ++ False, *args, **options) + if result is not None: + return result + + # retrieve transport certificate (cached by vaultconfig_show) + transport_cert = self._get_vaultconfig(force_refresh=True)[0] ++ + # call with the retrieved transport certificate ++ result = self._do_internal(algo, transport_cert, True, ++ False, *args, **options) ++ ++ if result is not None: ++ return result ++ ++ # call and use_oaep this time, last attempt + return self._do_internal(algo, transport_cert, True, +- *args, **options) ++ True, *args, **options) + + + @register(no_fail=True) +-- +2.43.0 + diff --git a/0020-Vault-improve-vault-server-archival-retrieval-calls-.patch b/0020-Vault-improve-vault-server-archival-retrieval-calls-.patch new file mode 100644 index 0000000..2fed594 --- /dev/null +++ b/0020-Vault-improve-vault-server-archival-retrieval-calls-.patch @@ -0,0 +1,88 @@ +From 84798137fabf75fe79aebbd97e4b8418de8ab0f2 Mon Sep 17 00:00:00 2001 +From: Francisco Trivino +Date: Fri, 19 Jan 2024 18:15:28 +0100 +Subject: [PATCH] Vault: improve vault server archival/retrieval calls + error handling + +If a vault operation fails, the error message just says "InternalError". This commit +improves error handling of key archival and retrieval calls by catching the PKIException +error and raising it as an IPA error. + +Related: https://pagure.io/freeipa/issue/9191 + +Signed-off-by: Francisco Trivino +Reviewed-By: Rob Crittenden +(cherry picked from commit dc1ab53f0aa0398d493f7440b5ec4d70d9c7d663) +--- + ipaserver/plugins/vault.py | 40 +++++++++++++++++++++++++------------- + 1 file changed, 26 insertions(+), 14 deletions(-) + +diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py +index 574c83a9a..13c4fac9a 100644 +--- a/ipaserver/plugins/vault.py ++++ b/ipaserver/plugins/vault.py +@@ -45,6 +45,7 @@ if api.env.in_server: + import pki.key + from pki.crypto import DES_EDE3_CBC_OID + from pki.crypto import AES_128_CBC_OID ++ from pki import PKIException + + if six.PY3: + unicode = str +@@ -1094,16 +1095,21 @@ class vault_archive_internal(PKQuery): + pki.key.KeyClient.KEY_STATUS_INACTIVE) + + # forward wrapped data to KRA +- kra_client.keys.archive_encrypted_data( +- client_key_id, +- pki.key.KeyClient.PASS_PHRASE_TYPE, +- wrapped_vault_data, +- wrapped_session_key, +- algorithm_oid=algorithm_oid, +- nonce_iv=nonce, +- ) +- +- kra_account.logout() ++ try: ++ kra_client.keys.archive_encrypted_data( ++ client_key_id, ++ pki.key.KeyClient.PASS_PHRASE_TYPE, ++ wrapped_vault_data, ++ wrapped_session_key, ++ algorithm_oid=algorithm_oid, ++ nonce_iv=nonce, ++ ) ++ except PKIException as e: ++ kra_account.logout() ++ raise errors.EncodingError( ++ message=_("Unable to archive key: %s") % e) ++ finally: ++ kra_account.logout() + + response = { + 'value': args[-1], +@@ -1174,11 +1180,17 @@ class vault_retrieve_internal(PKQuery): + kra_client.keys.encrypt_alg_oid = algorithm_oid + + # retrieve encrypted data from KRA +- key = kra_client.keys.retrieve_key( +- key_info.get_key_id(), +- wrapped_session_key) ++ try: + +- kra_account.logout() ++ key = kra_client.keys.retrieve_key( ++ key_info.get_key_id(), ++ wrapped_session_key) ++ except PKIException as e: ++ kra_account.logout() ++ raise errors.EncodingError( ++ message=_("Unable to retrieve key: %s") % e) ++ finally: ++ kra_account.logout() + + response = { + 'value': args[-1], +-- +2.43.0 + diff --git a/0021-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch b/0021-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch new file mode 100644 index 0000000..42cc639 --- /dev/null +++ b/0021-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch @@ -0,0 +1,98 @@ +From a406fd9aec7d053c044e73f16b05489bebd84bc8 Mon Sep 17 00:00:00 2001 +From: Francisco Trivino +Date: Fri, 19 Jan 2024 17:12:07 +0100 +Subject: [PATCH] kra: set RSA-OAEP as default wrapping algo when FIPS is + enabled + +Vault uses PKCS1v15 as default padding wrapping algo, which is not an approved +FIPS algorithm. This commit ensures that KRA is installed with RSA-OAEP if FIPS +is enabled. It also handles upgrade path. + +Fixes: https://pagure.io/freeipa/issue/9191 + +Signed-off-by: Francisco Trivino +Reviewed-By: Rob Crittenden +(cherry picked from commit f2eec9eb208e62f923375b9eaf34fcc491046a0d) +--- + install/share/ipaca_default.ini | 3 +++ + ipaserver/install/dogtaginstance.py | 4 +++- + ipaserver/install/krainstance.py | 12 ++++++++++++ + ipaserver/install/server/upgrade.py | 12 ++++++++++++ + 4 files changed, 30 insertions(+), 1 deletion(-) + +diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini +index 082f507b2..691f1e1b7 100644 +--- a/install/share/ipaca_default.ini ++++ b/install/share/ipaca_default.ini +@@ -166,3 +166,6 @@ pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s + # We will use the dbuser created for the CA. + pki_share_db=True + pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca ++ ++# KRA padding, set RSA-OAEP in FIPS mode ++pki_use_oaep_rsa_keywrap=%(fips_use_oaep_rsa_keywrap)s +\ No newline at end of file +diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py +index c2c6b3f49..c3c726f68 100644 +--- a/ipaserver/install/dogtaginstance.py ++++ b/ipaserver/install/dogtaginstance.py +@@ -1020,7 +1020,9 @@ class PKIIniLoader: + # for softhsm2 testing + softhsm2_so=paths.LIBSOFTHSM2_SO, + # Configure a more secure AJP password by default +- ipa_ajp_secret=ipautil.ipa_generate_password(special=None) ++ ipa_ajp_secret=ipautil.ipa_generate_password(special=None), ++ # in FIPS mode use RSA-OAEP wrapping padding algo as default ++ fips_use_oaep_rsa_keywrap=tasks.is_fips_enabled() + ) + + @classmethod +diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py +index 13cb2dcaa..0e04840a1 100644 +--- a/ipaserver/install/krainstance.py ++++ b/ipaserver/install/krainstance.py +@@ -277,6 +277,18 @@ class KRAInstance(DogtagInstance): + + # A restart is required + ++ def enable_oaep_wrap_algo(self): ++ """ ++ Enable KRA OAEP key wrap algorithm ++ """ ++ with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'): ++ directivesetter.set_directive( ++ self.config, ++ 'keyWrap.useOAEP', ++ 'true', quotes=False, separator='=') ++ ++ # A restart is required ++ + def update_cert_config(self, nickname, cert): + """ + When renewing a KRA subsystem certificate the configuration file +diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py +index e4dc7ae73..c84516b56 100644 +--- a/ipaserver/install/server/upgrade.py ++++ b/ipaserver/install/server/upgrade.py +@@ -1780,6 +1780,18 @@ def upgrade_configuration(): + else: + logger.info('ephemeralRequest is already enabled') + ++ if tasks.is_fips_enabled(): ++ logger.info('[Ensuring KRA OAEP wrap algo is enabled in FIPS]') ++ value = directivesetter.get_directive( ++ paths.KRA_CS_CFG_PATH, ++ 'keyWrap.useOAEP', ++ separator='=') ++ if value is None or value.lower() != 'true': ++ logger.info('Use the OAEP key wrap algo') ++ kra.enable_oaep_wrap_algo() ++ else: ++ logger.info('OAEP key wrap algo is already enabled') ++ + # several upgrade steps require running CA. If CA is configured, + # always run ca.start() because we need to wait until CA is really ready + # by checking status using http +-- +2.43.0 + diff --git a/0022-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch b/0022-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch new file mode 100644 index 0000000..5745101 --- /dev/null +++ b/0022-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch @@ -0,0 +1,29 @@ +From a8e433f7c8d844d9f337a34db09b0197f2dbc5af Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Tue, 20 Feb 2024 15:14:24 +0100 +Subject: [PATCH] ipa-kdb: Fix double free in ipadb_reinit_mspac() + +Fixes: https://pagure.io/freeipa/issue/9535 + +Signed-off-by: Julien Rische +Reviewed-By: Florence Blanc-Renaud +(cherry picked from commit dd27d225524aa81c038a970961a4f878cf742e2a) +--- + daemons/ipa-kdb/ipa_kdb_mspac.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index deed513b9..0964d112a 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -3084,6 +3084,7 @@ ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit, + } + + free(resstr); ++ resstr = NULL; + + flat_server_name = get_server_netbios_name(ipactx); + if (!flat_server_name) { +-- +2.43.0 + diff --git a/ipa.spec b/ipa.spec index 8b7e68f..ce97973 100644 --- a/ipa.spec +++ b/ipa.spec @@ -189,7 +189,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 6%{?rc_version:.%rc_version}%{?dist} +Release: 7%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -226,6 +226,10 @@ Patch0015: 0015-hbactest-was-not-collecting-or-returning-messages_rhel#1278 Patch0016: 0016-ipatests-wait-for-replica-update-in-test_dns_locatio.patch Patch0017: 0017-ipa-kdb-Rework-ipadb_reinit_mspac.patch Patch0018: 0018-ipatests-fix-tasks-wait_for_replication-method_rhel#25708.patch +Patch0019: 0019-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch +Patch0020: 0020-Vault-improve-vault-server-archival-retrieval-calls-.patch +Patch0021: 0021-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch +Patch0022: 0022-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch %if 0%{?rhel} >= 8 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch @@ -1741,6 +1745,16 @@ fi %endif %changelog +* Tue Feb 20 2024 Julien Rische - 4.9.13-7 +- ipa-kdb: Fix double free in ipadb_reinit_mspac() + Resolves: RHEL-25742 +- kra: set RSA-OAEP as default wrapping algo when FIPS is enabled + Resolves: RHEL-12153 +- Vault: improve vault server archival/retrieval calls error handling + Resolves: RHEL-12153 +- Vault: add support for RSA-OAEP wrapping algo + Resolves: RHEL-12153 + * Fri Feb 16 2024 Julien Rische - 4.9.13-6 - ipa-kdb: Rework ipadb_reinit_mspac() Resolves: RHEL-25742