ipa-4.9.8-7

- Resolves: rhbz#2067971 Consequences of FIPS crypto policy tightening in RHEL 9
This commit is contained in:
Florence Blanc-Renaud 2022-03-24 08:35:50 +01:00
parent 9b88d4c513
commit db00e46a5c
10 changed files with 1061 additions and 2 deletions

View File

@ -0,0 +1,108 @@
From a51900819bd5332bc05ec9d513f062844b3a7763 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 25 Feb 2022 08:58:24 +0200
Subject: [PATCH] KRB instance: make provision to work with crypto policy
without SHA-1 HMAC types
RHEL 9 system-wide crypto policies aim at eventual removal of SHA-1 use.
Due to bootstrapping process, force explicitly supported encryption
types in kdc.conf or we may end up with AES128-SHA1 and AES256-SHA2 only
in FIPS mode at bootstrap time which then fails to initialize kadmin
principals requiring use of AES256-SHA2 and AES128-SHA2.
Camellia ciphers must be filtered out in FIPS mode, we do that already
in the kerberos.ldif.
At this point we are not changing the master key encryption type to
AES256-SHA2 because upgrading existing deployments is complicated and
at the time when a replica configuration is deployed, we don't know what
is the encryption type of the master key of the original server as well.
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
install/share/kdc.conf.template | 3 ++-
install/share/kerberos.ldif | 2 ++
ipaserver/install/krbinstance.py | 21 ++++++++++++++++++++-
3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 232fedc445f660c30a88d8844d9f1b6042db41a7..685d42f3b7fb263e86b7a6db98be8bcc53e7bbe6 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -6,7 +6,8 @@
[realms]
$REALM = {
- master_key_type = aes256-cts
+ master_key_type = $MASTER_KEY_TYPE
+ supported_enctypes = $SUPPORTED_ENCTYPES
max_life = 7d
max_renewable_life = 14d
acl_file = $KRB5KDC_KADM5_ACL
diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif
index 3b75b445641fd86e2029ceb51e479c6ccb17856c..51e5cf9bca4b0b2cf2e1fe3ec85777deb61b76b0 100644
--- a/install/share/kerberos.ldif
+++ b/install/share/kerberos.ldif
@@ -28,6 +28,8 @@ ${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:special
krbMaxTicketLife: 86400
krbMaxRenewableAge: 604800
+krbDefaultEncSaltTypes: aes256-sha2:special
+krbDefaultEncSaltTypes: aes128-sha2:special
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 216c1032d8abd9fc119d98d8f9976ce17d246ea4..852edcd9978f4a47d355e206fbb4a513ea699865 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -51,6 +51,14 @@ logger = logging.getLogger(__name__)
PKINIT_ENABLED = 'pkinitEnabled'
+MASTER_KEY_TYPE = 'aes256-sha1'
+SUPPORTED_ENCTYPES = ('aes256-sha2:special', 'aes128-sha2:special',
+ 'aes256-sha2:normal', 'aes128-sha2:normal',
+ 'aes256-cts:special', 'aes128-cts:special',
+ 'aes256-cts:normal', 'aes128-cts:normal',
+ 'camellia256-cts:special', 'camellia128-cts:special',
+ 'camellia256-cts:normal', 'camellia128-cts:normal')
+
def get_pkinit_request_ca():
"""
@@ -252,6 +260,7 @@ class KrbInstance(service.Service):
else:
includes = ''
+ fips_enabled = tasks.is_fips_enabled()
self.sub_dict = dict(FQDN=self.fqdn,
IP=self.ip,
PASSWORD=self.kdc_password,
@@ -269,7 +278,17 @@ class KrbInstance(service.Service):
KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM,
CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM,
INCLUDES=includes,
- FIPS='#' if tasks.is_fips_enabled() else '')
+ FIPS='#' if fips_enabled else '')
+
+ if fips_enabled:
+ supported_enctypes = list(
+ filter(lambda e: not e.startswith('camelia'),
+ SUPPORTED_ENCTYPES))
+ else:
+ supported_enctypes = SUPPORTED_ENCTYPES
+ self.sub_dict['SUPPORTED_ENCTYPES'] = ' '.join(supported_enctypes)
+
+ self.sub_dict['MASTER_KEY_TYPE'] = MASTER_KEY_TYPE
# IPA server/KDC is not a subdomain of default domain
# Proper domain-realm mapping needs to be specified
--
2.34.1

View File

@ -0,0 +1,58 @@
From b016683552a58f9cc2a05cf628cc467234eaf599 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 28 Feb 2022 11:10:49 +0200
Subject: [PATCH] tests: ensure AD-SUPPORT subpolicy is active
Use AD-SUPPORT subpolicy when testing trust to Active Directory in FIPS
mode. This is required in FIPS mode due to AD not supporting Kerberos
AES-bases encryption types using FIPS-compliant PBKDF2 and KDF, as
defined in RFC 8009.
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
ipatests/pytest_ipa/integration/fips.py | 6 ++++++
ipatests/pytest_ipa/integration/tasks.py | 3 +++
2 files changed, 9 insertions(+)
diff --git a/ipatests/pytest_ipa/integration/fips.py b/ipatests/pytest_ipa/integration/fips.py
index 694ec8a9927da917fe99482094f68540a1032c14..b33aa91b14552d6f47191c913db4f974a5a5948c 100644
--- a/ipatests/pytest_ipa/integration/fips.py
+++ b/ipatests/pytest_ipa/integration/fips.py
@@ -68,3 +68,9 @@ def disable_userspace_fips(host):
# sanity check
assert not is_fips_enabled(host)
host.run_command(["openssl", "md5", "/dev/null"])
+
+
+def enable_crypto_subpolicy(host, subpolicy):
+ result = host.run_command(["update-crypto-policies", "--show"])
+ policy = result.stdin_text.strip() + ":" + subpolicy
+ host.run_command(["update-crypto-policies", "--set", policy])
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 7e1b7c24dab00986ff6e75430bf55e55dd1a6b8e..13d84e23fa7dc8a5e562e8498c9142e2bcad696a 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -66,6 +66,7 @@ from .env_config import env_to_script
from .host import Host
from .firewall import Firewall
from .resolver import ResolvedResolver
+from .fips import is_fips_enabled, enable_crypto_subpolicy
logger = logging.getLogger(__name__)
@@ -362,6 +363,8 @@ def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False,
if setup_adtrust:
args.append('--setup-adtrust')
fw_services.append("freeipa-trust")
+ if is_fips_enabled(host):
+ enable_crypto_subpolicy(host, "AD-SUPPORT")
if external_ca:
args.append('--external-ca')
--
2.34.1

View File

@ -0,0 +1,46 @@
From 49d9147e38c5b50c52a1ebc7283753c779c2f81f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 3 Mar 2022 14:38:57 +0200
Subject: [PATCH] ipatests: extend AES keyset to SHA2-based ones
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
ipaserver/install/plugins/adtrust.py | 3 ++-
ipatests/pytest_ipa/integration/tasks.py | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index 5b87ac47c6919de287b07c9ceef7ae22e1e79398..67e372bdb40a0b1f6815f107fc567f0ae056dad8 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -754,7 +754,8 @@ class update_host_cifs_keytabs(Updater):
"""
host_princ_template = "host/{master}@{realm}"
- valid_etypes = ['aes256-cts-hmac-sha1-96', 'aes128-cts-hmac-sha1-96']
+ valid_etypes = ['aes256-cts-hmac-sha384-192', 'aes128-cts-hmac-sha256-128',
+ 'aes256-cts-hmac-sha1-96', 'aes128-cts-hmac-sha1-96']
def extract_key_refs(self, keytab):
host_princ = self.host_princ_template.format(
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 13d84e23fa7dc8a5e562e8498c9142e2bcad696a..d06f8eb2cf6c36956ec200a1abb7c488d1dad9aa 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -2261,7 +2261,8 @@ class KerberosKeyCopier:
copier.copy_keys('/etc/krb5.keytab', tmpname, replacement=replacement)
"""
host_princ_template = "host/{master}@{realm}"
- valid_etypes = ['aes256-cts-hmac-sha1-96', 'aes128-cts-hmac-sha1-96']
+ valid_etypes = ['aes256-cts-hmac-sha384-192', 'aes128-cts-hmac-sha256-128',
+ 'aes256-cts-hmac-sha1-96', 'aes128-cts-hmac-sha1-96']
def __init__(self, host):
self.host = host
--
2.34.1

View File

@ -0,0 +1,35 @@
From ee39de46a1c1ea96bbe524f159ae435319b2d072 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 3 Mar 2022 14:43:11 +0200
Subject: [PATCH] freeipa.spec: bump crypto-policies dependency for CentOS 9
Stream
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
freeipa.spec.in | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 0b24febc0baff6f60fd2b4cb254971bd3e3aa3b8..c1d81605068c6fc3e6c765ad01c4967fa9f03c95 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -695,6 +695,12 @@ Provides: %{name}-admintools = %{version}-%{release}
Conflicts: crypto-policies < 20200629-1
%endif
+%if 0%{?rhel} == 9
+# Conflict with crypto-policies < 20220223-1 to get upgraded AD-SUPPORT and
+# AD-SUPPORT-LEGACY policy modules
+Conflicts: crypto-policies < 20220223-1
+%endif
+
%description client
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
--
2.34.1

View File

@ -0,0 +1,56 @@
From 3e54c4362490b4da1b6cb3e141bb6e08fecc58c0 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 14 Mar 2022 13:23:04 +0200
Subject: [PATCH] Kerberos instance: default to AES256-SHA2 for master key
encryption
KDC configuration in /var/kerberos/krb5kdc/kdc.conf is generated from
the template in install/share/kdc.conf.template. Master key encryption
type specified there is used to bootstrap the master key in LDAP
database. Once it is done, actual deployment does not rely on the
master_key_type value anymore. The actual master key(s) get loaded from
LDAP database where they stored in a BER-encoded format, preserving all
parameters, including encryption type.
This means we can safely migrate to AES256-SHA2 as the default master
key encryption type for new installations. Replicas will get their
master key encryption type details from the server they were provisioned
from.
MIT Kerberos supports AES256-SHA2 since 1.15 (2015), meaning RHEL 7.4 is
the earliest supported version as it provides krb5 1.15.1. Current
supported RHEL 7 version is RHEL 7.9. Since RHEL 6 already cannot be
used as a replica to IPA 4.5+ due to a domain level 1 upgrade, this
change does not affect old releases.
Migration from the previously deployed master key encryption type is
described by MIT Kerberos upstream in
http://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html#the-database-master-key
One would need to use '-x ipa-setup-override-restrictions' to allow
the `kdb5_util` utility to modify the data over IPA KDB driver.
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
ipaserver/install/krbinstance.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 01b3309d50c0e8025e3381eac577225b1ef0be9d..a5eaa7b17133498f08e84d01c90764236e8ebe84 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -51,7 +51,7 @@ logger = logging.getLogger(__name__)
PKINIT_ENABLED = 'pkinitEnabled'
-MASTER_KEY_TYPE = 'aes256-sha1'
+MASTER_KEY_TYPE = 'aes256-sha2'
SUPPORTED_ENCTYPES = ('aes256-sha2:special', 'aes128-sha2:special',
'aes256-sha2:normal', 'aes128-sha2:normal',
'aes256-cts:special', 'aes128-cts:special',
--
2.34.1

View File

@ -0,0 +1,44 @@
From 3baae8d1bd0a0c4c707314524289e86e6ecbc0df Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 14 Mar 2022 21:09:36 +0200
Subject: [PATCH] test_otp: do not use paramiko unless it is really needed
paramiko cannot be used in FIPS mode. We have few tests that import
generic methods from test_otp (add_token/del_token) and those tests fail
in FIPS mode due to unconditional 'import paramiko'.
Instead, move 'import paramiko' to the ssh_2f() helper which is not used
in FIPS mode (the whole SSH 2FA test is skipped then).
Related: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
ipatests/test_integration/test_otp.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
index bec76d205bf37699483b65ebbc5613cbbb466bb4..04bef4626077e727654898b07a76acab4f1d5971 100644
--- a/ipatests/test_integration/test_otp.py
+++ b/ipatests/test_integration/test_otp.py
@@ -5,7 +5,6 @@
"""
import base64
import logging
-import paramiko
import pytest
import re
import time
@@ -102,6 +101,8 @@ def ssh_2f(hostname, username, answers_dict, port=22):
logger.info(
"Answer to ssh prompt is: '%s'", answers_dict[prmpt_str])
return resp
+
+ import paramiko
trans = paramiko.Transport((hostname, port))
trans.connect()
trans.auth_interactive(username, answer_handler)
--
2.34.1

View File

@ -0,0 +1,44 @@
From 2e70535f74e7d9dd76e728eca1119ce522fd138a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 15 Mar 2022 11:39:46 +0200
Subject: [PATCH] test_krbtpolicy: skip SPAKE-related tests in FIPS mode
SPAKE is based on the crypto primitives which are not FIPS compliant
yet. This means that in FIPS mode use of 'hardened' authentication
indicator is not possible. Skip corresponding tests in FIPS mode.
Related: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
ipatests/test_integration/test_krbtpolicy.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
index 9489fbc97b7836aecf491b57627f254d4849eb56..eae16247bdfb195c1d91209cf2d11eac4c25018f 100644
--- a/ipatests/test_integration/test_krbtpolicy.py
+++ b/ipatests/test_integration/test_krbtpolicy.py
@@ -105,6 +105,9 @@ class TestPWPolicy(IntegrationTest):
def test_krbtpolicy_password_and_hardended(self):
"""Test a pwd and hardened kerberos ticket policy with 10min tickets"""
+ if self.master.is_fips_mode:
+ pytest.skip("SPAKE pre-auth is not compatible with FIPS mode")
+
master = self.master
master.run_command(['ipa', 'user-mod', USER1,
'--user-auth-type', 'password',
@@ -133,6 +136,9 @@ class TestPWPolicy(IntegrationTest):
def test_krbtpolicy_hardended(self):
"""Test a hardened kerberos ticket policy with 30min tickets"""
+ if self.master.is_fips_mode:
+ pytest.skip("SPAKE pre-auth is not compatible with FIPS mode")
+
master = self.master
master.run_command(['ipa', 'user-mod', USER1,
'--user-auth-type', 'hardened'])
--
2.34.1

View File

@ -0,0 +1,555 @@
From 895e99b6843c2fa2274acab824607c33c1a560a4 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 7 Oct 2019 14:13:03 +0200
Subject: [PATCH] Support AES for KRA archival wrapping
The vault plugin has used TripleDES (des-ede3-cbc) as default wrapping
algorithm since the plugin was introduced. Allow use of AES-128-CBC as
alternative wrapping algorithm for transport of secrets.
Fixes: https://pagure.io/freeipa/issue/6524
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
API.txt | 7 +-
VERSION.m4 | 5 +-
ipaclient/plugins/vault.py | 155 +++++++++++++++++++++++++------------
ipalib/capabilities.py | 4 +
ipalib/constants.py | 12 +++
ipaserver/plugins/vault.py | 61 ++++++++++++---
6 files changed, 180 insertions(+), 64 deletions(-)
diff --git a/API.txt b/API.txt
index 576fa7c51e31886b257ccf176aaf232c0f2ea5ee..f95f2c8457e39f2268386a8a2336952d3285e008 100644
--- a/API.txt
+++ b/API.txt
@@ -6548,7 +6548,7 @@ output: Output('completed', type=[<type 'int'>])
output: Output('failed', type=[<type 'dict'>])
output: Entry('result')
command: vault_archive_internal/1
-args: 1,9,3
+args: 1,10,3
arg: Str('cn', cli_name='name')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Bytes('nonce')
@@ -6559,6 +6559,7 @@ option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
option: Bytes('vault_data')
option: Str('version?')
+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
@@ -6649,7 +6650,7 @@ output: Output('completed', type=[<type 'int'>])
output: Output('failed', type=[<type 'dict'>])
output: Entry('result')
command: vault_retrieve_internal/1
-args: 1,7,3
+args: 1,8,3
arg: Str('cn', cli_name='name')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
@@ -6658,6 +6659,7 @@ option: Bytes('session_key')
option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
option: Str('version?')
+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
@@ -7327,6 +7329,7 @@ default: vaultcontainer_del/1
default: vaultcontainer_remove_owner/1
default: vaultcontainer_show/1
default: whoami/1
+capability: vault_aes_keywrap 2.246
capability: messages 2.52
capability: optional_uid_params 2.54
capability: permissions2 2.69
diff --git a/VERSION.m4 b/VERSION.m4
index 70aaff4c9b9514a5937eae60074376e1a592464e..997ac35e74fa6f2a96da027ed3ce93cf809b62a7 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -86,9 +86,8 @@ define(IPA_DATA_VERSION, 20100614120000)
# #
########################################################
define(IPA_API_VERSION_MAJOR, 2)
-# Last change: add enable_sid to config
-define(IPA_API_VERSION_MINOR, 245)
-
+# Last change: Add wrapping algorithm to vault archive/retrieve
+define(IPA_API_VERSION_MINOR, 246)
########################################################
# Following values are auto-generated from values above
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index d3a1d370efaccc7e5b0088bd3df341d76884d509..115171c7768d44251c17d0bcdac9c37b3a25db99 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -25,11 +25,12 @@ import io
import json
import logging
import os
+import ssl
import tempfile
from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
@@ -39,7 +40,7 @@ from cryptography.hazmat.primitives.serialization import (
from ipaclient.frontend import MethodOverride
from ipalib import x509
-from ipalib.constants import USER_CACHE_PATH
+from ipalib import constants
from ipalib.frontend import Local, Method, Object
from ipalib.util import classproperty
from ipalib import api, errors
@@ -546,42 +547,49 @@ class vault_mod(Local):
return response
-class _TransportCertCache:
+class _KraConfigCache:
+ """The KRA config cache stores vaultconfig-show result.
+ """
def __init__(self):
self._dirname = os.path.join(
- USER_CACHE_PATH, 'ipa', 'kra-transport-certs'
+ constants.USER_CACHE_PATH, 'ipa', 'kra-config'
)
def _get_filename(self, domain):
- basename = DNSName(domain).ToASCII() + '.pem'
+ basename = DNSName(domain).ToASCII() + '.json'
return os.path.join(self._dirname, basename)
- def load_cert(self, domain):
- """Load cert from cache
+ def load(self, domain):
+ """Load config from cache
:param domain: IPA domain
- :return: cryptography.x509.Certificate or None
+ :return: dict or None
"""
filename = self._get_filename(domain)
try:
try:
- return x509.load_certificate_from_file(filename)
- except EnvironmentError as e:
+ with open(filename) as f:
+ return json.load(f)
+ except OSError as e:
if e.errno != errno.ENOENT:
raise
except Exception:
logger.warning("Failed to load %s", filename, exc_info=True)
return None
- def store_cert(self, domain, transport_cert):
- """Store a new cert or override existing cert
+ def store(self, domain, response):
+ """Store config in cache
:param domain: IPA domain
- :param transport_cert: cryptography.x509.Certificate
- :return: True if cert was stored successfully
+ :param config: ipa vaultconfig-show response
+ :return: True if config was stored successfully
"""
+ config = response['result'].copy()
+ # store certificate as PEM-encoded ASCII
+ config['transport_cert'] = ssl.DER_cert_to_PEM_cert(
+ config['transport_cert']
+ )
filename = self._get_filename(domain)
- pem = transport_cert.public_bytes(serialization.Encoding.PEM)
try:
try:
os.makedirs(self._dirname)
@@ -589,9 +597,9 @@ class _TransportCertCache:
if e.errno != errno.EEXIST:
raise
with tempfile.NamedTemporaryFile(dir=self._dirname, delete=False,
- mode='wb') as f:
+ mode='w') as f:
try:
- f.write(pem)
+ json.dump(config, f)
ipautil.flush_sync(f)
f.close()
os.rename(f.name, filename)
@@ -604,8 +612,8 @@ class _TransportCertCache:
else:
return True
- def remove_cert(self, domain):
- """Remove a cert from cache, ignores errors
+ def remove(self, domain):
+ """Remove a config from cache, ignores errors
:param domain: IPA domain
:return: True if cert was found and removed
@@ -621,7 +629,7 @@ class _TransportCertCache:
return True
-_transport_cert_cache = _TransportCertCache()
+_kra_config_cache = _KraConfigCache()
@register(override=True, no_fail=True)
@@ -636,13 +644,8 @@ class vaultconfig_show(MethodOverride):
response = super(vaultconfig_show, self).forward(*args, **options)
- # cache transport certificate
- transport_cert = x509.load_der_x509_certificate(
- response['result']['transport_cert'])
-
- _transport_cert_cache.store_cert(
- self.api.env.domain, transport_cert
- )
+ # cache config
+ _kra_config_cache.store(self.api.env.domain, response)
if file:
with open(file, 'wb') as f:
@@ -652,10 +655,54 @@ class vaultconfig_show(MethodOverride):
class ModVaultData(Local):
- def _generate_session_key(self):
- key_length = max(algorithms.TripleDES.key_sizes)
- algo = algorithms.TripleDES(os.urandom(key_length // 8))
- return algo
+ def _generate_session_key(self, name):
+ if name not in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
+ msg = _("{algo} is not a supported vault wrapping algorithm")
+ raise errors.ValidationError(msg.format(algo=repr(name)))
+ if name == constants.VAULT_WRAPPING_AES128_CBC:
+ return algorithms.AES(os.urandom(128 // 8))
+ elif name == constants.VAULT_WRAPPING_3DES:
+ return algorithms.TripleDES(os.urandom(196 // 8))
+ else:
+ # unreachable
+ raise ValueError(name)
+
+ def _get_vaultconfig(self, force_refresh=False):
+ config = None
+ if not force_refresh:
+ config = _kra_config_cache.load(self.api.env.domain)
+ if config is None:
+ # vaultconfig_show also caches data
+ response = self.api.Command.vaultconfig_show()
+ config = response['result']
+ transport_cert = x509.load_der_x509_certificate(
+ config['transport_cert']
+ )
+ else:
+ # cached JSON uses PEM-encoded ASCII string
+ transport_cert = x509.load_pem_x509_certificate(
+ config['transport_cert'].encode('ascii')
+ )
+
+ default_algo = config.get('wrapping_default_algorithm')
+ if default_algo is None:
+ # old server
+ wrapping_algo = constants.VAULT_WRAPPING_AES128_CBC
+ elif default_algo in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
+ # try to use server default
+ wrapping_algo = default_algo
+ else:
+ # prefer server's sorting order
+ for algo in config['wrapping_supported_algorithms']:
+ if algo in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
+ wrapping_algo = algo
+ break
+ else:
+ raise errors.ValidationError(
+ "No overlapping wrapping algorithm between server and "
+ "client."
+ )
+ return transport_cert, wrapping_algo
def _do_internal(self, algo, transport_cert, raise_unexpected,
*args, **options):
@@ -675,29 +722,23 @@ class ModVaultData(Local):
except (errors.InternalError,
errors.ExecutionError,
errors.GenericError):
- _transport_cert_cache.remove_cert(self.api.env.domain)
+ _kra_config_cache.remove(self.api.env.domain)
if raise_unexpected:
raise
return None
- def internal(self, algo, *args, **options):
+ def internal(self, algo, transport_cert, *args, **options):
"""
Calls the internal counterpart of the command.
"""
- domain = self.api.env.domain
-
# try call with cached transport certificate
- transport_cert = _transport_cert_cache.load_cert(domain)
- if transport_cert is not None:
- result = self._do_internal(algo, transport_cert, False,
+ result = self._do_internal(algo, transport_cert, False,
*args, **options)
- if result is not None:
- return result
+ if result is not None:
+ return result
# retrieve transport certificate (cached by vaultconfig_show)
- response = self.api.Command.vaultconfig_show()
- transport_cert = x509.load_der_x509_certificate(
- response['result']['transport_cert'])
+ transport_cert = self._get_vaultconfig(force_refresh=True)[0]
# call with the retrieved transport certificate
return self._do_internal(algo, transport_cert, True,
*args, **options)
@@ -777,7 +818,7 @@ class vault_archive(ModVaultData):
def _wrap_data(self, algo, json_vault_data):
"""Encrypt data with wrapped session key and transport cert
- :param bytes algo: wrapping algorithm instance
+ :param algo: wrapping algorithm instance
:param bytes json_vault_data: dumped vault data
:return:
"""
@@ -929,15 +970,24 @@ class vault_archive(ModVaultData):
json_vault_data = json.dumps(vault_data).encode('utf-8')
+ # get config
+ transport_cert, wrapping_algo = self._get_vaultconfig()
+ # let options override wrapping algo
+ # For backwards compatibility do not send old legacy wrapping algo
+ # to server. Only send the option when non-3DES is used.
+ wrapping_algo = options.pop('wrapping_algo', wrapping_algo)
+ if wrapping_algo != constants.VAULT_WRAPPING_3DES:
+ options['wrapping_algo'] = wrapping_algo
+
# generate session key
- algo = self._generate_session_key()
+ algo = self._generate_session_key(wrapping_algo)
# wrap vault data
nonce, wrapped_vault_data = self._wrap_data(algo, json_vault_data)
options.update(
nonce=nonce,
vault_data=wrapped_vault_data
)
- return self.internal(algo, *args, **options)
+ return self.internal(algo, transport_cert, *args, **options)
@register(no_fail=True)
@@ -1061,10 +1111,19 @@ class vault_retrieve(ModVaultData):
vault = self.api.Command.vault_show(*args, **options)['result']
vault_type = vault['ipavaulttype'][0]
+ # get config
+ transport_cert, wrapping_algo = self._get_vaultconfig()
+ # let options override wrapping algo
+ # For backwards compatibility do not send old legacy wrapping algo
+ # to server. Only send the option when non-3DES is used.
+ wrapping_algo = options.pop('wrapping_algo', wrapping_algo)
+ if wrapping_algo != constants.VAULT_WRAPPING_3DES:
+ options['wrapping_algo'] = wrapping_algo
+
# generate session key
- algo = self._generate_session_key()
+ algo = self._generate_session_key(wrapping_algo)
# send retrieval request to server
- response = self.internal(algo, *args, **options)
+ response = self.internal(algo, transport_cert, *args, **options)
# unwrap data with session key
vault_data = self._unwrap_response(
algo,
diff --git a/ipalib/capabilities.py b/ipalib/capabilities.py
index 55b84aa6bc73d583e7bd5d03d2f4f1cc5c8e7c0b..4d8ae408bf67c280d27ce494baa9db9aaff0cd69 100644
--- a/ipalib/capabilities.py
+++ b/ipalib/capabilities.py
@@ -54,6 +54,10 @@ capabilities = dict(
# dns_name_values: dnsnames as objects
dns_name_values=u'2.88',
+
+ # vault supports aes key wrapping
+ vault_aes_keywrap='2.246'
+
)
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 9f19b0f9941ba5068f1e6c218092e3b76fdc7599..11171b2e8aeb6f7306299b2bd7db3a3f39d29d4a 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -374,3 +374,15 @@ KRA_TRACKING_REQS = {
}
ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits + '-'
+
+# vault data wrapping algorithms
+VAULT_WRAPPING_3DES = 'des-ede3-cbc'
+VAULT_WRAPPING_AES128_CBC = 'aes-128-cbc'
+VAULT_WRAPPING_SUPPORTED_ALGOS = (
+ # old default was 3DES
+ VAULT_WRAPPING_3DES,
+ # supported since pki-kra >= 10.4
+ VAULT_WRAPPING_AES128_CBC,
+)
+# 3DES for backwards compatibility
+VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_3DES
diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py
index aebac7dff7bb9d183c6012cc685577d476e18c4e..4d40f66c6a793a831e91c5fe25c8b5277cbd1972 100644
--- a/ipaserver/plugins/vault.py
+++ b/ipaserver/plugins/vault.py
@@ -23,6 +23,10 @@ from ipalib.frontend import Command, Object
from ipalib import api, errors
from ipalib import Bytes, Flag, Str, StrEnum
from ipalib import output
+from ipalib.constants import (
+ VAULT_WRAPPING_SUPPORTED_ALGOS, VAULT_WRAPPING_DEFAULT_ALGO,
+ VAULT_WRAPPING_3DES, VAULT_WRAPPING_AES128_CBC,
+)
from ipalib.crud import PKQuery, Retrieve
from ipalib.parameters import Principal
from ipalib.plugable import Registry
@@ -39,14 +43,8 @@ from ipaserver.masters import is_service_enabled
if api.env.in_server:
import pki.account
import pki.key
- # pylint: disable=no-member
- try:
- # pki >= 10.4.0
- from pki.crypto import DES_EDE3_CBC_OID
- except ImportError:
- DES_EDE3_CBC_OID = pki.key.KeyClient.DES_EDE3_CBC_OID
- # pylint: enable=no-member
-
+ from pki.crypto import DES_EDE3_CBC_OID
+ from pki.crypto import AES_128_CBC_OID
if six.PY3:
unicode = str
@@ -652,6 +652,20 @@ class vault(LDAPObject):
),
)
+ def _translate_algorithm(self, name):
+ if name is None:
+ name = VAULT_WRAPPING_DEFAULT_ALGO
+ if name not in VAULT_WRAPPING_SUPPORTED_ALGOS:
+ msg = _("{algo} is not a supported vault wrapping algorithm")
+ raise errors.ValidationError(msg.format(algo=name))
+ if name == VAULT_WRAPPING_3DES:
+ return DES_EDE3_CBC_OID
+ elif name == VAULT_WRAPPING_AES128_CBC:
+ return AES_128_CBC_OID
+ else:
+ # unreachable
+ raise ValueError(name)
+
def get_dn(self, *keys, **options):
"""
Generates vault DN from parameters.
@@ -992,14 +1006,18 @@ class vaultconfig_show(Retrieve):
)
def execute(self, *args, **options):
-
if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
+ config = dict(
+ wrapping_supported_algorithms=VAULT_WRAPPING_SUPPORTED_ALGOS,
+ wrapping_default_algorithm=VAULT_WRAPPING_DEFAULT_ALGO,
+ )
+
with self.api.Backend.kra.get_client() as kra_client:
transport_cert = kra_client.system_certs.get_transport_cert()
- config = {'transport_cert': transport_cert.binary}
+ config['transport_cert'] = transport_cert.binary
self.api.Object.config.show_servroles_attributes(
config, "KRA server", **options)
@@ -1029,6 +1047,13 @@ class vault_archive_internal(PKQuery):
'nonce',
doc=_('Nonce'),
),
+ StrEnum(
+ 'wrapping_algo?',
+ doc=_('Key wrapping algorithm'),
+ values=VAULT_WRAPPING_SUPPORTED_ALGOS,
+ default=VAULT_WRAPPING_DEFAULT_ALGO,
+ autofill=True,
+ ),
)
has_output = output.standard_entry
@@ -1045,6 +1070,9 @@ class vault_archive_internal(PKQuery):
nonce = options.pop('nonce')
wrapped_session_key = options.pop('session_key')
+ wrapping_algo = options.pop('wrapping_algo', None)
+ algorithm_oid = self.obj._translate_algorithm(wrapping_algo)
+
# retrieve vault info
vault = self.api.Command.vault_show(*args, **options)['result']
@@ -1071,7 +1099,7 @@ class vault_archive_internal(PKQuery):
pki.key.KeyClient.PASS_PHRASE_TYPE,
wrapped_vault_data,
wrapped_session_key,
- algorithm_oid=DES_EDE3_CBC_OID,
+ algorithm_oid=algorithm_oid,
nonce_iv=nonce,
)
@@ -1098,6 +1126,13 @@ class vault_retrieve_internal(PKQuery):
'session_key',
doc=_('Session key wrapped with transport certificate'),
),
+ StrEnum(
+ 'wrapping_algo?',
+ doc=_('Key wrapping algorithm'),
+ values=VAULT_WRAPPING_SUPPORTED_ALGOS,
+ default=VAULT_WRAPPING_DEFAULT_ALGO,
+ autofill=True,
+ ),
)
has_output = output.standard_entry
@@ -1112,6 +1147,9 @@ class vault_retrieve_internal(PKQuery):
wrapped_session_key = options.pop('session_key')
+ wrapping_algo = options.pop('wrapping_algo', None)
+ algorithm_oid = self.obj._translate_algorithm(wrapping_algo)
+
# retrieve vault info
vault = self.api.Command.vault_show(*args, **options)['result']
@@ -1132,6 +1170,9 @@ class vault_retrieve_internal(PKQuery):
key_info = response.key_infos[0]
+ # XXX hack
+ kra_client.keys.encrypt_alg_oid = algorithm_oid
+
# retrieve encrypted data from KRA
key = kra_client.keys.retrieve_key(
key_info.get_key_id(),
--
2.34.1

View File

@ -0,0 +1,86 @@
From 984190eea01ac42cd1f97567a67dd9446e5b0bf9 Mon Sep 17 00:00:00 2001
From: Francisco Trivino <ftrivino@redhat.com>
Date: Fri, 11 Mar 2022 17:47:38 +0100
Subject: [PATCH] Set AES as default for KRA archival wrapping
This commit sets AES-128-CBC as default wrapping algorithm as
TripleDES (des-ede3-cbc) is not supported anymore in C9S.
Fixes: https://pagure.io/freeipa/issue/6524
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
API.txt | 6 +++---
ipalib/constants.py | 14 +++++++++-----
2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/API.txt b/API.txt
index f95f2c8457e39f2268386a8a2336952d3285e008..1f27dcc616a6395c56ef91f3453e7620625c7645 100644
--- a/API.txt
+++ b/API.txt
@@ -6559,7 +6559,7 @@ option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
option: Bytes('vault_data')
option: Str('version?')
-option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
+option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
@@ -6659,7 +6659,7 @@ option: Bytes('session_key')
option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
option: Str('version?')
-option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
+option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
@@ -7329,10 +7329,10 @@ default: vaultcontainer_del/1
default: vaultcontainer_remove_owner/1
default: vaultcontainer_show/1
default: whoami/1
-capability: vault_aes_keywrap 2.246
capability: messages 2.52
capability: optional_uid_params 2.54
capability: permissions2 2.69
capability: primary_key_types 2.83
capability: datetime_values 2.84
capability: dns_name_values 2.88
+capability: vault_aes_keywrap 2.246
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 11171b2e8aeb6f7306299b2bd7db3a3f39d29d4a..68178004181bebcc8c093dac55e18d5afe0251e5 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -29,6 +29,8 @@ from ipaplatform.constants import constants as _constants
from ipapython.dn import DN
from ipapython.fqdn import gethostfqdn
from ipapython.version import VERSION, API_VERSION
+from cryptography.hazmat.primitives.ciphers import algorithms, modes
+from cryptography.hazmat.backends.openssl.backend import backend
FQDN = gethostfqdn()
@@ -379,10 +381,12 @@ ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits + '-'
VAULT_WRAPPING_3DES = 'des-ede3-cbc'
VAULT_WRAPPING_AES128_CBC = 'aes-128-cbc'
VAULT_WRAPPING_SUPPORTED_ALGOS = (
- # old default was 3DES
- VAULT_WRAPPING_3DES,
- # supported since pki-kra >= 10.4
+ # new default and supported since pki-kra >= 10.4
VAULT_WRAPPING_AES128_CBC,
)
-# 3DES for backwards compatibility
-VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_3DES
+VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_AES128_CBC
+
+# Add 3DES for backwards compatibility if supported
+if backend.cipher_supported(algorithms.TripleDES(b"\x00" * 8),
+ modes.CBC(b"\x00" * 8)):
+ VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,)
--
2.34.1

View File

@ -66,7 +66,7 @@
%if 0%{?rhel}
%global package_name ipa
%global alt_name freeipa
%global krb5_version 1.18.2-2
%global krb5_version 1.19.1-15
%global krb5_kdb_version 8.0
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.19
@ -198,7 +198,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 6%{?rc_version:.%rc_version}%{?dist}
Release: 7%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -244,6 +244,15 @@ Patch0023: 0023-ipatests-fix-TestOTPToken-rhbz#2053025.patch
Patch0024: 0024-ipatests-Tests-for-Autoprivate-group.patch
Patch0025: 0025-mark-xfail-for-test_idoverride_with_auto_private_gro.patch
Patch0026: 0026-Mark-xfail-test_gidnumber_not_corresponding_existing.patch
Patch0027: 0027-KRB-instance-make-provision-to-work-with-crypto-poli.patch
Patch0028: 0028-tests-ensure-AD-SUPPORT-subpolicy-is-active.patch
Patch0029: 0029-ipatests-extend-AES-keyset-to-SHA2-based-ones.patch
Patch0030: 0030-freeipa.spec-bump-crypto-policies-dependency-for-Cen.patch
Patch0031: 0031-Kerberos-instance-default-to-AES256-SHA2-for-master-.patch
Patch0032: 0032-test_otp-do-not-use-paramiko-unless-it-is-really-nee.patch
Patch0033: 0033-test_krbtpolicy-skip-SPAKE-related-tests-in-FIPS-mod.patch
Patch0034: 0034-Support-AES-for-KRA-archival-wrapping.patch
Patch0035: 0035-Set-AES-as-default-for-KRA-archival-wrapping.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -716,6 +725,12 @@ Provides: %{name}-admintools = %{version}-%{release}
Conflicts: crypto-policies < 20200629-1
%endif
%if 0%{?rhel} == 9
# Conflict with crypto-policies < 20220223-1 to get upgraded AD-SUPPORT and
# AD-SUPPORT-LEGACY policy modules
Conflicts: crypto-policies < 20220223-1
%endif
%description client
IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
@ -1735,6 +1750,18 @@ fi
%endif
%changelog
* Thu Mar 24 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-7
- Resolves: rhbz#2067971 Consequences of FIPS crypto policy tightening in RHEL 9
- KRB instance: make provision to work with crypto policy without SHA-1 HMAC types
- tests: ensure AD-SUPPORT subpolicy is active
- ipatests: extend AES keyset to SHA2-based ones
- freeipa.spec: bump crypto-policies dependency for CentOS 9 Stream
- Kerberos instance: default to AES256-SHA2 for master key encryption
- test_otp: do not use paramiko unless it is really needed
- test_krbtpolicy: skip SPAKE-related tests in FIPS mode
- Support AES for KRA archival wrapping
- Set AES as default for KRA archival wrapping
* Thu Feb 24 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-6
- Resolves: rhbz#2057467 Backport latest test fixes in python3-ipatests
- ipatests: Tests for Autoprivate group.