ipa-4.9.8-7
- Resolves: rhbz#2067971 Consequences of FIPS crypto policy tightening in RHEL 9
This commit is contained in:
parent
9b88d4c513
commit
db00e46a5c
108
0027-KRB-instance-make-provision-to-work-with-crypto-poli.patch
Normal file
108
0027-KRB-instance-make-provision-to-work-with-crypto-poli.patch
Normal file
@ -0,0 +1,108 @@
|
||||
From a51900819bd5332bc05ec9d513f062844b3a7763 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Fri, 25 Feb 2022 08:58:24 +0200
|
||||
Subject: [PATCH] KRB instance: make provision to work with crypto policy
|
||||
without SHA-1 HMAC types
|
||||
|
||||
RHEL 9 system-wide crypto policies aim at eventual removal of SHA-1 use.
|
||||
|
||||
Due to bootstrapping process, force explicitly supported encryption
|
||||
types in kdc.conf or we may end up with AES128-SHA1 and AES256-SHA2 only
|
||||
in FIPS mode at bootstrap time which then fails to initialize kadmin
|
||||
principals requiring use of AES256-SHA2 and AES128-SHA2.
|
||||
|
||||
Camellia ciphers must be filtered out in FIPS mode, we do that already
|
||||
in the kerberos.ldif.
|
||||
|
||||
At this point we are not changing the master key encryption type to
|
||||
AES256-SHA2 because upgrading existing deployments is complicated and
|
||||
at the time when a replica configuration is deployed, we don't know what
|
||||
is the encryption type of the master key of the original server as well.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9119
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Julien Rische <jrische@redhat.com>
|
||||
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
|
||||
---
|
||||
install/share/kdc.conf.template | 3 ++-
|
||||
install/share/kerberos.ldif | 2 ++
|
||||
ipaserver/install/krbinstance.py | 21 ++++++++++++++++++++-
|
||||
3 files changed, 24 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
|
||||
index 232fedc445f660c30a88d8844d9f1b6042db41a7..685d42f3b7fb263e86b7a6db98be8bcc53e7bbe6 100644
|
||||
--- a/install/share/kdc.conf.template
|
||||
+++ b/install/share/kdc.conf.template
|
||||
@@ -6,7 +6,8 @@
|
||||
|
||||
[realms]
|
||||
$REALM = {
|
||||
- master_key_type = aes256-cts
|
||||
+ master_key_type = $MASTER_KEY_TYPE
|
||||
+ supported_enctypes = $SUPPORTED_ENCTYPES
|
||||
max_life = 7d
|
||||
max_renewable_life = 14d
|
||||
acl_file = $KRB5KDC_KADM5_ACL
|
||||
diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif
|
||||
index 3b75b445641fd86e2029ceb51e479c6ccb17856c..51e5cf9bca4b0b2cf2e1fe3ec85777deb61b76b0 100644
|
||||
--- a/install/share/kerberos.ldif
|
||||
+++ b/install/share/kerberos.ldif
|
||||
@@ -28,6 +28,8 @@ ${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
|
||||
${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:special
|
||||
krbMaxTicketLife: 86400
|
||||
krbMaxRenewableAge: 604800
|
||||
+krbDefaultEncSaltTypes: aes256-sha2:special
|
||||
+krbDefaultEncSaltTypes: aes128-sha2:special
|
||||
krbDefaultEncSaltTypes: aes256-cts:special
|
||||
krbDefaultEncSaltTypes: aes128-cts:special
|
||||
|
||||
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
|
||||
index 216c1032d8abd9fc119d98d8f9976ce17d246ea4..852edcd9978f4a47d355e206fbb4a513ea699865 100644
|
||||
--- a/ipaserver/install/krbinstance.py
|
||||
+++ b/ipaserver/install/krbinstance.py
|
||||
@@ -51,6 +51,14 @@ logger = logging.getLogger(__name__)
|
||||
|
||||
PKINIT_ENABLED = 'pkinitEnabled'
|
||||
|
||||
+MASTER_KEY_TYPE = 'aes256-sha1'
|
||||
+SUPPORTED_ENCTYPES = ('aes256-sha2:special', 'aes128-sha2:special',
|
||||
+ 'aes256-sha2:normal', 'aes128-sha2:normal',
|
||||
+ 'aes256-cts:special', 'aes128-cts:special',
|
||||
+ 'aes256-cts:normal', 'aes128-cts:normal',
|
||||
+ 'camellia256-cts:special', 'camellia128-cts:special',
|
||||
+ 'camellia256-cts:normal', 'camellia128-cts:normal')
|
||||
+
|
||||
|
||||
def get_pkinit_request_ca():
|
||||
"""
|
||||
@@ -252,6 +260,7 @@ class KrbInstance(service.Service):
|
||||
else:
|
||||
includes = ''
|
||||
|
||||
+ fips_enabled = tasks.is_fips_enabled()
|
||||
self.sub_dict = dict(FQDN=self.fqdn,
|
||||
IP=self.ip,
|
||||
PASSWORD=self.kdc_password,
|
||||
@@ -269,7 +278,17 @@ class KrbInstance(service.Service):
|
||||
KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM,
|
||||
CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM,
|
||||
INCLUDES=includes,
|
||||
- FIPS='#' if tasks.is_fips_enabled() else '')
|
||||
+ FIPS='#' if fips_enabled else '')
|
||||
+
|
||||
+ if fips_enabled:
|
||||
+ supported_enctypes = list(
|
||||
+ filter(lambda e: not e.startswith('camelia'),
|
||||
+ SUPPORTED_ENCTYPES))
|
||||
+ else:
|
||||
+ supported_enctypes = SUPPORTED_ENCTYPES
|
||||
+ self.sub_dict['SUPPORTED_ENCTYPES'] = ' '.join(supported_enctypes)
|
||||
+
|
||||
+ self.sub_dict['MASTER_KEY_TYPE'] = MASTER_KEY_TYPE
|
||||
|
||||
# IPA server/KDC is not a subdomain of default domain
|
||||
# Proper domain-realm mapping needs to be specified
|
||||
--
|
||||
2.34.1
|
||||
|
58
0028-tests-ensure-AD-SUPPORT-subpolicy-is-active.patch
Normal file
58
0028-tests-ensure-AD-SUPPORT-subpolicy-is-active.patch
Normal file
@ -0,0 +1,58 @@
|
||||
From b016683552a58f9cc2a05cf628cc467234eaf599 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Mon, 28 Feb 2022 11:10:49 +0200
|
||||
Subject: [PATCH] tests: ensure AD-SUPPORT subpolicy is active
|
||||
|
||||
Use AD-SUPPORT subpolicy when testing trust to Active Directory in FIPS
|
||||
mode. This is required in FIPS mode due to AD not supporting Kerberos
|
||||
AES-bases encryption types using FIPS-compliant PBKDF2 and KDF, as
|
||||
defined in RFC 8009.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9119
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Julien Rische <jrische@redhat.com>
|
||||
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
|
||||
---
|
||||
ipatests/pytest_ipa/integration/fips.py | 6 ++++++
|
||||
ipatests/pytest_ipa/integration/tasks.py | 3 +++
|
||||
2 files changed, 9 insertions(+)
|
||||
|
||||
diff --git a/ipatests/pytest_ipa/integration/fips.py b/ipatests/pytest_ipa/integration/fips.py
|
||||
index 694ec8a9927da917fe99482094f68540a1032c14..b33aa91b14552d6f47191c913db4f974a5a5948c 100644
|
||||
--- a/ipatests/pytest_ipa/integration/fips.py
|
||||
+++ b/ipatests/pytest_ipa/integration/fips.py
|
||||
@@ -68,3 +68,9 @@ def disable_userspace_fips(host):
|
||||
# sanity check
|
||||
assert not is_fips_enabled(host)
|
||||
host.run_command(["openssl", "md5", "/dev/null"])
|
||||
+
|
||||
+
|
||||
+def enable_crypto_subpolicy(host, subpolicy):
|
||||
+ result = host.run_command(["update-crypto-policies", "--show"])
|
||||
+ policy = result.stdin_text.strip() + ":" + subpolicy
|
||||
+ host.run_command(["update-crypto-policies", "--set", policy])
|
||||
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
|
||||
index 7e1b7c24dab00986ff6e75430bf55e55dd1a6b8e..13d84e23fa7dc8a5e562e8498c9142e2bcad696a 100755
|
||||
--- a/ipatests/pytest_ipa/integration/tasks.py
|
||||
+++ b/ipatests/pytest_ipa/integration/tasks.py
|
||||
@@ -66,6 +66,7 @@ from .env_config import env_to_script
|
||||
from .host import Host
|
||||
from .firewall import Firewall
|
||||
from .resolver import ResolvedResolver
|
||||
+from .fips import is_fips_enabled, enable_crypto_subpolicy
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
@@ -362,6 +363,8 @@ def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False,
|
||||
if setup_adtrust:
|
||||
args.append('--setup-adtrust')
|
||||
fw_services.append("freeipa-trust")
|
||||
+ if is_fips_enabled(host):
|
||||
+ enable_crypto_subpolicy(host, "AD-SUPPORT")
|
||||
if external_ca:
|
||||
args.append('--external-ca')
|
||||
|
||||
--
|
||||
2.34.1
|
||||
|
46
0029-ipatests-extend-AES-keyset-to-SHA2-based-ones.patch
Normal file
46
0029-ipatests-extend-AES-keyset-to-SHA2-based-ones.patch
Normal file
@ -0,0 +1,46 @@
|
||||
From 49d9147e38c5b50c52a1ebc7283753c779c2f81f Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Thu, 3 Mar 2022 14:38:57 +0200
|
||||
Subject: [PATCH] ipatests: extend AES keyset to SHA2-based ones
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9119
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Julien Rische <jrische@redhat.com>
|
||||
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
|
||||
---
|
||||
ipaserver/install/plugins/adtrust.py | 3 ++-
|
||||
ipatests/pytest_ipa/integration/tasks.py | 3 ++-
|
||||
2 files changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
|
||||
index 5b87ac47c6919de287b07c9ceef7ae22e1e79398..67e372bdb40a0b1f6815f107fc567f0ae056dad8 100644
|
||||
--- a/ipaserver/install/plugins/adtrust.py
|
||||
+++ b/ipaserver/install/plugins/adtrust.py
|
||||
@@ -754,7 +754,8 @@ class update_host_cifs_keytabs(Updater):
|
||||
"""
|
||||
|
||||
host_princ_template = "host/{master}@{realm}"
|
||||
- valid_etypes = ['aes256-cts-hmac-sha1-96', 'aes128-cts-hmac-sha1-96']
|
||||
+ valid_etypes = ['aes256-cts-hmac-sha384-192', 'aes128-cts-hmac-sha256-128',
|
||||
+ 'aes256-cts-hmac-sha1-96', 'aes128-cts-hmac-sha1-96']
|
||||
|
||||
def extract_key_refs(self, keytab):
|
||||
host_princ = self.host_princ_template.format(
|
||||
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
|
||||
index 13d84e23fa7dc8a5e562e8498c9142e2bcad696a..d06f8eb2cf6c36956ec200a1abb7c488d1dad9aa 100755
|
||||
--- a/ipatests/pytest_ipa/integration/tasks.py
|
||||
+++ b/ipatests/pytest_ipa/integration/tasks.py
|
||||
@@ -2261,7 +2261,8 @@ class KerberosKeyCopier:
|
||||
copier.copy_keys('/etc/krb5.keytab', tmpname, replacement=replacement)
|
||||
"""
|
||||
host_princ_template = "host/{master}@{realm}"
|
||||
- valid_etypes = ['aes256-cts-hmac-sha1-96', 'aes128-cts-hmac-sha1-96']
|
||||
+ valid_etypes = ['aes256-cts-hmac-sha384-192', 'aes128-cts-hmac-sha256-128',
|
||||
+ 'aes256-cts-hmac-sha1-96', 'aes128-cts-hmac-sha1-96']
|
||||
|
||||
def __init__(self, host):
|
||||
self.host = host
|
||||
--
|
||||
2.34.1
|
||||
|
@ -0,0 +1,35 @@
|
||||
From ee39de46a1c1ea96bbe524f159ae435319b2d072 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Thu, 3 Mar 2022 14:43:11 +0200
|
||||
Subject: [PATCH] freeipa.spec: bump crypto-policies dependency for CentOS 9
|
||||
Stream
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9119
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Julien Rische <jrische@redhat.com>
|
||||
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
|
||||
---
|
||||
freeipa.spec.in | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||
index 0b24febc0baff6f60fd2b4cb254971bd3e3aa3b8..c1d81605068c6fc3e6c765ad01c4967fa9f03c95 100755
|
||||
--- a/freeipa.spec.in
|
||||
+++ b/freeipa.spec.in
|
||||
@@ -695,6 +695,12 @@ Provides: %{name}-admintools = %{version}-%{release}
|
||||
Conflicts: crypto-policies < 20200629-1
|
||||
%endif
|
||||
|
||||
+%if 0%{?rhel} == 9
|
||||
+# Conflict with crypto-policies < 20220223-1 to get upgraded AD-SUPPORT and
|
||||
+# AD-SUPPORT-LEGACY policy modules
|
||||
+Conflicts: crypto-policies < 20220223-1
|
||||
+%endif
|
||||
+
|
||||
%description client
|
||||
IPA is an integrated solution to provide centrally managed Identity (users,
|
||||
hosts, services), Authentication (SSO, 2FA), and Authorization
|
||||
--
|
||||
2.34.1
|
||||
|
@ -0,0 +1,56 @@
|
||||
From 3e54c4362490b4da1b6cb3e141bb6e08fecc58c0 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Mon, 14 Mar 2022 13:23:04 +0200
|
||||
Subject: [PATCH] Kerberos instance: default to AES256-SHA2 for master key
|
||||
encryption
|
||||
|
||||
KDC configuration in /var/kerberos/krb5kdc/kdc.conf is generated from
|
||||
the template in install/share/kdc.conf.template. Master key encryption
|
||||
type specified there is used to bootstrap the master key in LDAP
|
||||
database. Once it is done, actual deployment does not rely on the
|
||||
master_key_type value anymore. The actual master key(s) get loaded from
|
||||
LDAP database where they stored in a BER-encoded format, preserving all
|
||||
parameters, including encryption type.
|
||||
|
||||
This means we can safely migrate to AES256-SHA2 as the default master
|
||||
key encryption type for new installations. Replicas will get their
|
||||
master key encryption type details from the server they were provisioned
|
||||
from.
|
||||
|
||||
MIT Kerberos supports AES256-SHA2 since 1.15 (2015), meaning RHEL 7.4 is
|
||||
the earliest supported version as it provides krb5 1.15.1. Current
|
||||
supported RHEL 7 version is RHEL 7.9. Since RHEL 6 already cannot be
|
||||
used as a replica to IPA 4.5+ due to a domain level 1 upgrade, this
|
||||
change does not affect old releases.
|
||||
|
||||
Migration from the previously deployed master key encryption type is
|
||||
described by MIT Kerberos upstream in
|
||||
http://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html#the-database-master-key
|
||||
|
||||
One would need to use '-x ipa-setup-override-restrictions' to allow
|
||||
the `kdb5_util` utility to modify the data over IPA KDB driver.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9119
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
|
||||
---
|
||||
ipaserver/install/krbinstance.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
|
||||
index 01b3309d50c0e8025e3381eac577225b1ef0be9d..a5eaa7b17133498f08e84d01c90764236e8ebe84 100644
|
||||
--- a/ipaserver/install/krbinstance.py
|
||||
+++ b/ipaserver/install/krbinstance.py
|
||||
@@ -51,7 +51,7 @@ logger = logging.getLogger(__name__)
|
||||
|
||||
PKINIT_ENABLED = 'pkinitEnabled'
|
||||
|
||||
-MASTER_KEY_TYPE = 'aes256-sha1'
|
||||
+MASTER_KEY_TYPE = 'aes256-sha2'
|
||||
SUPPORTED_ENCTYPES = ('aes256-sha2:special', 'aes128-sha2:special',
|
||||
'aes256-sha2:normal', 'aes128-sha2:normal',
|
||||
'aes256-cts:special', 'aes128-cts:special',
|
||||
--
|
||||
2.34.1
|
||||
|
@ -0,0 +1,44 @@
|
||||
From 3baae8d1bd0a0c4c707314524289e86e6ecbc0df Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Mon, 14 Mar 2022 21:09:36 +0200
|
||||
Subject: [PATCH] test_otp: do not use paramiko unless it is really needed
|
||||
|
||||
paramiko cannot be used in FIPS mode. We have few tests that import
|
||||
generic methods from test_otp (add_token/del_token) and those tests fail
|
||||
in FIPS mode due to unconditional 'import paramiko'.
|
||||
|
||||
Instead, move 'import paramiko' to the ssh_2f() helper which is not used
|
||||
in FIPS mode (the whole SSH 2FA test is skipped then).
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9119
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_otp.py | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
|
||||
index bec76d205bf37699483b65ebbc5613cbbb466bb4..04bef4626077e727654898b07a76acab4f1d5971 100644
|
||||
--- a/ipatests/test_integration/test_otp.py
|
||||
+++ b/ipatests/test_integration/test_otp.py
|
||||
@@ -5,7 +5,6 @@
|
||||
"""
|
||||
import base64
|
||||
import logging
|
||||
-import paramiko
|
||||
import pytest
|
||||
import re
|
||||
import time
|
||||
@@ -102,6 +101,8 @@ def ssh_2f(hostname, username, answers_dict, port=22):
|
||||
logger.info(
|
||||
"Answer to ssh prompt is: '%s'", answers_dict[prmpt_str])
|
||||
return resp
|
||||
+
|
||||
+ import paramiko
|
||||
trans = paramiko.Transport((hostname, port))
|
||||
trans.connect()
|
||||
trans.auth_interactive(username, answer_handler)
|
||||
--
|
||||
2.34.1
|
||||
|
@ -0,0 +1,44 @@
|
||||
From 2e70535f74e7d9dd76e728eca1119ce522fd138a Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Tue, 15 Mar 2022 11:39:46 +0200
|
||||
Subject: [PATCH] test_krbtpolicy: skip SPAKE-related tests in FIPS mode
|
||||
|
||||
SPAKE is based on the crypto primitives which are not FIPS compliant
|
||||
yet. This means that in FIPS mode use of 'hardened' authentication
|
||||
indicator is not possible. Skip corresponding tests in FIPS mode.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9119
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_krbtpolicy.py | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
|
||||
index 9489fbc97b7836aecf491b57627f254d4849eb56..eae16247bdfb195c1d91209cf2d11eac4c25018f 100644
|
||||
--- a/ipatests/test_integration/test_krbtpolicy.py
|
||||
+++ b/ipatests/test_integration/test_krbtpolicy.py
|
||||
@@ -105,6 +105,9 @@ class TestPWPolicy(IntegrationTest):
|
||||
|
||||
def test_krbtpolicy_password_and_hardended(self):
|
||||
"""Test a pwd and hardened kerberos ticket policy with 10min tickets"""
|
||||
+ if self.master.is_fips_mode:
|
||||
+ pytest.skip("SPAKE pre-auth is not compatible with FIPS mode")
|
||||
+
|
||||
master = self.master
|
||||
master.run_command(['ipa', 'user-mod', USER1,
|
||||
'--user-auth-type', 'password',
|
||||
@@ -133,6 +136,9 @@ class TestPWPolicy(IntegrationTest):
|
||||
|
||||
def test_krbtpolicy_hardended(self):
|
||||
"""Test a hardened kerberos ticket policy with 30min tickets"""
|
||||
+ if self.master.is_fips_mode:
|
||||
+ pytest.skip("SPAKE pre-auth is not compatible with FIPS mode")
|
||||
+
|
||||
master = self.master
|
||||
master.run_command(['ipa', 'user-mod', USER1,
|
||||
'--user-auth-type', 'hardened'])
|
||||
--
|
||||
2.34.1
|
||||
|
555
0034-Support-AES-for-KRA-archival-wrapping.patch
Normal file
555
0034-Support-AES-for-KRA-archival-wrapping.patch
Normal file
@ -0,0 +1,555 @@
|
||||
From 895e99b6843c2fa2274acab824607c33c1a560a4 Mon Sep 17 00:00:00 2001
|
||||
From: Christian Heimes <cheimes@redhat.com>
|
||||
Date: Mon, 7 Oct 2019 14:13:03 +0200
|
||||
Subject: [PATCH] Support AES for KRA archival wrapping
|
||||
|
||||
The vault plugin has used TripleDES (des-ede3-cbc) as default wrapping
|
||||
algorithm since the plugin was introduced. Allow use of AES-128-CBC as
|
||||
alternative wrapping algorithm for transport of secrets.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/6524
|
||||
|
||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
API.txt | 7 +-
|
||||
VERSION.m4 | 5 +-
|
||||
ipaclient/plugins/vault.py | 155 +++++++++++++++++++++++++------------
|
||||
ipalib/capabilities.py | 4 +
|
||||
ipalib/constants.py | 12 +++
|
||||
ipaserver/plugins/vault.py | 61 ++++++++++++---
|
||||
6 files changed, 180 insertions(+), 64 deletions(-)
|
||||
|
||||
diff --git a/API.txt b/API.txt
|
||||
index 576fa7c51e31886b257ccf176aaf232c0f2ea5ee..f95f2c8457e39f2268386a8a2336952d3285e008 100644
|
||||
--- a/API.txt
|
||||
+++ b/API.txt
|
||||
@@ -6548,7 +6548,7 @@ output: Output('completed', type=[<type 'int'>])
|
||||
output: Output('failed', type=[<type 'dict'>])
|
||||
output: Entry('result')
|
||||
command: vault_archive_internal/1
|
||||
-args: 1,9,3
|
||||
+args: 1,10,3
|
||||
arg: Str('cn', cli_name='name')
|
||||
option: Flag('all', autofill=True, cli_name='all', default=False)
|
||||
option: Bytes('nonce')
|
||||
@@ -6559,6 +6559,7 @@ option: Flag('shared?', autofill=True, default=False)
|
||||
option: Str('username?', cli_name='user')
|
||||
option: Bytes('vault_data')
|
||||
option: Str('version?')
|
||||
+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
|
||||
output: Entry('result')
|
||||
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
|
||||
output: PrimaryKey('value')
|
||||
@@ -6649,7 +6650,7 @@ output: Output('completed', type=[<type 'int'>])
|
||||
output: Output('failed', type=[<type 'dict'>])
|
||||
output: Entry('result')
|
||||
command: vault_retrieve_internal/1
|
||||
-args: 1,7,3
|
||||
+args: 1,8,3
|
||||
arg: Str('cn', cli_name='name')
|
||||
option: Flag('all', autofill=True, cli_name='all', default=False)
|
||||
option: Flag('raw', autofill=True, cli_name='raw', default=False)
|
||||
@@ -6658,6 +6659,7 @@ option: Bytes('session_key')
|
||||
option: Flag('shared?', autofill=True, default=False)
|
||||
option: Str('username?', cli_name='user')
|
||||
option: Str('version?')
|
||||
+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
|
||||
output: Entry('result')
|
||||
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
|
||||
output: PrimaryKey('value')
|
||||
@@ -7327,6 +7329,7 @@ default: vaultcontainer_del/1
|
||||
default: vaultcontainer_remove_owner/1
|
||||
default: vaultcontainer_show/1
|
||||
default: whoami/1
|
||||
+capability: vault_aes_keywrap 2.246
|
||||
capability: messages 2.52
|
||||
capability: optional_uid_params 2.54
|
||||
capability: permissions2 2.69
|
||||
diff --git a/VERSION.m4 b/VERSION.m4
|
||||
index 70aaff4c9b9514a5937eae60074376e1a592464e..997ac35e74fa6f2a96da027ed3ce93cf809b62a7 100644
|
||||
--- a/VERSION.m4
|
||||
+++ b/VERSION.m4
|
||||
@@ -86,9 +86,8 @@ define(IPA_DATA_VERSION, 20100614120000)
|
||||
# #
|
||||
########################################################
|
||||
define(IPA_API_VERSION_MAJOR, 2)
|
||||
-# Last change: add enable_sid to config
|
||||
-define(IPA_API_VERSION_MINOR, 245)
|
||||
-
|
||||
+# Last change: Add wrapping algorithm to vault archive/retrieve
|
||||
+define(IPA_API_VERSION_MINOR, 246)
|
||||
|
||||
########################################################
|
||||
# Following values are auto-generated from values above
|
||||
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
|
||||
index d3a1d370efaccc7e5b0088bd3df341d76884d509..115171c7768d44251c17d0bcdac9c37b3a25db99 100644
|
||||
--- a/ipaclient/plugins/vault.py
|
||||
+++ b/ipaclient/plugins/vault.py
|
||||
@@ -25,11 +25,12 @@ import io
|
||||
import json
|
||||
import logging
|
||||
import os
|
||||
+import ssl
|
||||
import tempfile
|
||||
|
||||
from cryptography.fernet import Fernet, InvalidToken
|
||||
from cryptography.hazmat.backends import default_backend
|
||||
-from cryptography.hazmat.primitives import hashes, serialization
|
||||
+from cryptography.hazmat.primitives import hashes
|
||||
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
|
||||
from cryptography.hazmat.primitives.asymmetric import padding
|
||||
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
|
||||
@@ -39,7 +40,7 @@ from cryptography.hazmat.primitives.serialization import (
|
||||
|
||||
from ipaclient.frontend import MethodOverride
|
||||
from ipalib import x509
|
||||
-from ipalib.constants import USER_CACHE_PATH
|
||||
+from ipalib import constants
|
||||
from ipalib.frontend import Local, Method, Object
|
||||
from ipalib.util import classproperty
|
||||
from ipalib import api, errors
|
||||
@@ -546,42 +547,49 @@ class vault_mod(Local):
|
||||
return response
|
||||
|
||||
|
||||
-class _TransportCertCache:
|
||||
+class _KraConfigCache:
|
||||
+ """The KRA config cache stores vaultconfig-show result.
|
||||
+ """
|
||||
def __init__(self):
|
||||
self._dirname = os.path.join(
|
||||
- USER_CACHE_PATH, 'ipa', 'kra-transport-certs'
|
||||
+ constants.USER_CACHE_PATH, 'ipa', 'kra-config'
|
||||
)
|
||||
|
||||
def _get_filename(self, domain):
|
||||
- basename = DNSName(domain).ToASCII() + '.pem'
|
||||
+ basename = DNSName(domain).ToASCII() + '.json'
|
||||
return os.path.join(self._dirname, basename)
|
||||
|
||||
- def load_cert(self, domain):
|
||||
- """Load cert from cache
|
||||
+ def load(self, domain):
|
||||
+ """Load config from cache
|
||||
|
||||
:param domain: IPA domain
|
||||
- :return: cryptography.x509.Certificate or None
|
||||
+ :return: dict or None
|
||||
"""
|
||||
filename = self._get_filename(domain)
|
||||
try:
|
||||
try:
|
||||
- return x509.load_certificate_from_file(filename)
|
||||
- except EnvironmentError as e:
|
||||
+ with open(filename) as f:
|
||||
+ return json.load(f)
|
||||
+ except OSError as e:
|
||||
if e.errno != errno.ENOENT:
|
||||
raise
|
||||
except Exception:
|
||||
logger.warning("Failed to load %s", filename, exc_info=True)
|
||||
return None
|
||||
|
||||
- def store_cert(self, domain, transport_cert):
|
||||
- """Store a new cert or override existing cert
|
||||
+ def store(self, domain, response):
|
||||
+ """Store config in cache
|
||||
|
||||
:param domain: IPA domain
|
||||
- :param transport_cert: cryptography.x509.Certificate
|
||||
- :return: True if cert was stored successfully
|
||||
+ :param config: ipa vaultconfig-show response
|
||||
+ :return: True if config was stored successfully
|
||||
"""
|
||||
+ config = response['result'].copy()
|
||||
+ # store certificate as PEM-encoded ASCII
|
||||
+ config['transport_cert'] = ssl.DER_cert_to_PEM_cert(
|
||||
+ config['transport_cert']
|
||||
+ )
|
||||
filename = self._get_filename(domain)
|
||||
- pem = transport_cert.public_bytes(serialization.Encoding.PEM)
|
||||
try:
|
||||
try:
|
||||
os.makedirs(self._dirname)
|
||||
@@ -589,9 +597,9 @@ class _TransportCertCache:
|
||||
if e.errno != errno.EEXIST:
|
||||
raise
|
||||
with tempfile.NamedTemporaryFile(dir=self._dirname, delete=False,
|
||||
- mode='wb') as f:
|
||||
+ mode='w') as f:
|
||||
try:
|
||||
- f.write(pem)
|
||||
+ json.dump(config, f)
|
||||
ipautil.flush_sync(f)
|
||||
f.close()
|
||||
os.rename(f.name, filename)
|
||||
@@ -604,8 +612,8 @@ class _TransportCertCache:
|
||||
else:
|
||||
return True
|
||||
|
||||
- def remove_cert(self, domain):
|
||||
- """Remove a cert from cache, ignores errors
|
||||
+ def remove(self, domain):
|
||||
+ """Remove a config from cache, ignores errors
|
||||
|
||||
:param domain: IPA domain
|
||||
:return: True if cert was found and removed
|
||||
@@ -621,7 +629,7 @@ class _TransportCertCache:
|
||||
return True
|
||||
|
||||
|
||||
-_transport_cert_cache = _TransportCertCache()
|
||||
+_kra_config_cache = _KraConfigCache()
|
||||
|
||||
|
||||
@register(override=True, no_fail=True)
|
||||
@@ -636,13 +644,8 @@ class vaultconfig_show(MethodOverride):
|
||||
|
||||
response = super(vaultconfig_show, self).forward(*args, **options)
|
||||
|
||||
- # cache transport certificate
|
||||
- transport_cert = x509.load_der_x509_certificate(
|
||||
- response['result']['transport_cert'])
|
||||
-
|
||||
- _transport_cert_cache.store_cert(
|
||||
- self.api.env.domain, transport_cert
|
||||
- )
|
||||
+ # cache config
|
||||
+ _kra_config_cache.store(self.api.env.domain, response)
|
||||
|
||||
if file:
|
||||
with open(file, 'wb') as f:
|
||||
@@ -652,10 +655,54 @@ class vaultconfig_show(MethodOverride):
|
||||
|
||||
|
||||
class ModVaultData(Local):
|
||||
- def _generate_session_key(self):
|
||||
- key_length = max(algorithms.TripleDES.key_sizes)
|
||||
- algo = algorithms.TripleDES(os.urandom(key_length // 8))
|
||||
- return algo
|
||||
+ def _generate_session_key(self, name):
|
||||
+ if name not in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
|
||||
+ msg = _("{algo} is not a supported vault wrapping algorithm")
|
||||
+ raise errors.ValidationError(msg.format(algo=repr(name)))
|
||||
+ if name == constants.VAULT_WRAPPING_AES128_CBC:
|
||||
+ return algorithms.AES(os.urandom(128 // 8))
|
||||
+ elif name == constants.VAULT_WRAPPING_3DES:
|
||||
+ return algorithms.TripleDES(os.urandom(196 // 8))
|
||||
+ else:
|
||||
+ # unreachable
|
||||
+ raise ValueError(name)
|
||||
+
|
||||
+ def _get_vaultconfig(self, force_refresh=False):
|
||||
+ config = None
|
||||
+ if not force_refresh:
|
||||
+ config = _kra_config_cache.load(self.api.env.domain)
|
||||
+ if config is None:
|
||||
+ # vaultconfig_show also caches data
|
||||
+ response = self.api.Command.vaultconfig_show()
|
||||
+ config = response['result']
|
||||
+ transport_cert = x509.load_der_x509_certificate(
|
||||
+ config['transport_cert']
|
||||
+ )
|
||||
+ else:
|
||||
+ # cached JSON uses PEM-encoded ASCII string
|
||||
+ transport_cert = x509.load_pem_x509_certificate(
|
||||
+ config['transport_cert'].encode('ascii')
|
||||
+ )
|
||||
+
|
||||
+ default_algo = config.get('wrapping_default_algorithm')
|
||||
+ if default_algo is None:
|
||||
+ # old server
|
||||
+ wrapping_algo = constants.VAULT_WRAPPING_AES128_CBC
|
||||
+ elif default_algo in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
|
||||
+ # try to use server default
|
||||
+ wrapping_algo = default_algo
|
||||
+ else:
|
||||
+ # prefer server's sorting order
|
||||
+ for algo in config['wrapping_supported_algorithms']:
|
||||
+ if algo in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
|
||||
+ wrapping_algo = algo
|
||||
+ break
|
||||
+ else:
|
||||
+ raise errors.ValidationError(
|
||||
+ "No overlapping wrapping algorithm between server and "
|
||||
+ "client."
|
||||
+ )
|
||||
+ return transport_cert, wrapping_algo
|
||||
|
||||
def _do_internal(self, algo, transport_cert, raise_unexpected,
|
||||
*args, **options):
|
||||
@@ -675,29 +722,23 @@ class ModVaultData(Local):
|
||||
except (errors.InternalError,
|
||||
errors.ExecutionError,
|
||||
errors.GenericError):
|
||||
- _transport_cert_cache.remove_cert(self.api.env.domain)
|
||||
+ _kra_config_cache.remove(self.api.env.domain)
|
||||
if raise_unexpected:
|
||||
raise
|
||||
return None
|
||||
|
||||
- def internal(self, algo, *args, **options):
|
||||
+ def internal(self, algo, transport_cert, *args, **options):
|
||||
"""
|
||||
Calls the internal counterpart of the command.
|
||||
"""
|
||||
- domain = self.api.env.domain
|
||||
-
|
||||
# try call with cached transport certificate
|
||||
- transport_cert = _transport_cert_cache.load_cert(domain)
|
||||
- if transport_cert is not None:
|
||||
- result = self._do_internal(algo, transport_cert, False,
|
||||
+ result = self._do_internal(algo, transport_cert, False,
|
||||
*args, **options)
|
||||
- if result is not None:
|
||||
- return result
|
||||
+ if result is not None:
|
||||
+ return result
|
||||
|
||||
# retrieve transport certificate (cached by vaultconfig_show)
|
||||
- response = self.api.Command.vaultconfig_show()
|
||||
- transport_cert = x509.load_der_x509_certificate(
|
||||
- response['result']['transport_cert'])
|
||||
+ transport_cert = self._get_vaultconfig(force_refresh=True)[0]
|
||||
# call with the retrieved transport certificate
|
||||
return self._do_internal(algo, transport_cert, True,
|
||||
*args, **options)
|
||||
@@ -777,7 +818,7 @@ class vault_archive(ModVaultData):
|
||||
def _wrap_data(self, algo, json_vault_data):
|
||||
"""Encrypt data with wrapped session key and transport cert
|
||||
|
||||
- :param bytes algo: wrapping algorithm instance
|
||||
+ :param algo: wrapping algorithm instance
|
||||
:param bytes json_vault_data: dumped vault data
|
||||
:return:
|
||||
"""
|
||||
@@ -929,15 +970,24 @@ class vault_archive(ModVaultData):
|
||||
|
||||
json_vault_data = json.dumps(vault_data).encode('utf-8')
|
||||
|
||||
+ # get config
|
||||
+ transport_cert, wrapping_algo = self._get_vaultconfig()
|
||||
+ # let options override wrapping algo
|
||||
+ # For backwards compatibility do not send old legacy wrapping algo
|
||||
+ # to server. Only send the option when non-3DES is used.
|
||||
+ wrapping_algo = options.pop('wrapping_algo', wrapping_algo)
|
||||
+ if wrapping_algo != constants.VAULT_WRAPPING_3DES:
|
||||
+ options['wrapping_algo'] = wrapping_algo
|
||||
+
|
||||
# generate session key
|
||||
- algo = self._generate_session_key()
|
||||
+ algo = self._generate_session_key(wrapping_algo)
|
||||
# wrap vault data
|
||||
nonce, wrapped_vault_data = self._wrap_data(algo, json_vault_data)
|
||||
options.update(
|
||||
nonce=nonce,
|
||||
vault_data=wrapped_vault_data
|
||||
)
|
||||
- return self.internal(algo, *args, **options)
|
||||
+ return self.internal(algo, transport_cert, *args, **options)
|
||||
|
||||
|
||||
@register(no_fail=True)
|
||||
@@ -1061,10 +1111,19 @@ class vault_retrieve(ModVaultData):
|
||||
vault = self.api.Command.vault_show(*args, **options)['result']
|
||||
vault_type = vault['ipavaulttype'][0]
|
||||
|
||||
+ # get config
|
||||
+ transport_cert, wrapping_algo = self._get_vaultconfig()
|
||||
+ # let options override wrapping algo
|
||||
+ # For backwards compatibility do not send old legacy wrapping algo
|
||||
+ # to server. Only send the option when non-3DES is used.
|
||||
+ wrapping_algo = options.pop('wrapping_algo', wrapping_algo)
|
||||
+ if wrapping_algo != constants.VAULT_WRAPPING_3DES:
|
||||
+ options['wrapping_algo'] = wrapping_algo
|
||||
+
|
||||
# generate session key
|
||||
- algo = self._generate_session_key()
|
||||
+ algo = self._generate_session_key(wrapping_algo)
|
||||
# send retrieval request to server
|
||||
- response = self.internal(algo, *args, **options)
|
||||
+ response = self.internal(algo, transport_cert, *args, **options)
|
||||
# unwrap data with session key
|
||||
vault_data = self._unwrap_response(
|
||||
algo,
|
||||
diff --git a/ipalib/capabilities.py b/ipalib/capabilities.py
|
||||
index 55b84aa6bc73d583e7bd5d03d2f4f1cc5c8e7c0b..4d8ae408bf67c280d27ce494baa9db9aaff0cd69 100644
|
||||
--- a/ipalib/capabilities.py
|
||||
+++ b/ipalib/capabilities.py
|
||||
@@ -54,6 +54,10 @@ capabilities = dict(
|
||||
|
||||
# dns_name_values: dnsnames as objects
|
||||
dns_name_values=u'2.88',
|
||||
+
|
||||
+ # vault supports aes key wrapping
|
||||
+ vault_aes_keywrap='2.246'
|
||||
+
|
||||
)
|
||||
|
||||
|
||||
diff --git a/ipalib/constants.py b/ipalib/constants.py
|
||||
index 9f19b0f9941ba5068f1e6c218092e3b76fdc7599..11171b2e8aeb6f7306299b2bd7db3a3f39d29d4a 100644
|
||||
--- a/ipalib/constants.py
|
||||
+++ b/ipalib/constants.py
|
||||
@@ -374,3 +374,15 @@ KRA_TRACKING_REQS = {
|
||||
}
|
||||
|
||||
ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits + '-'
|
||||
+
|
||||
+# vault data wrapping algorithms
|
||||
+VAULT_WRAPPING_3DES = 'des-ede3-cbc'
|
||||
+VAULT_WRAPPING_AES128_CBC = 'aes-128-cbc'
|
||||
+VAULT_WRAPPING_SUPPORTED_ALGOS = (
|
||||
+ # old default was 3DES
|
||||
+ VAULT_WRAPPING_3DES,
|
||||
+ # supported since pki-kra >= 10.4
|
||||
+ VAULT_WRAPPING_AES128_CBC,
|
||||
+)
|
||||
+# 3DES for backwards compatibility
|
||||
+VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_3DES
|
||||
diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py
|
||||
index aebac7dff7bb9d183c6012cc685577d476e18c4e..4d40f66c6a793a831e91c5fe25c8b5277cbd1972 100644
|
||||
--- a/ipaserver/plugins/vault.py
|
||||
+++ b/ipaserver/plugins/vault.py
|
||||
@@ -23,6 +23,10 @@ from ipalib.frontend import Command, Object
|
||||
from ipalib import api, errors
|
||||
from ipalib import Bytes, Flag, Str, StrEnum
|
||||
from ipalib import output
|
||||
+from ipalib.constants import (
|
||||
+ VAULT_WRAPPING_SUPPORTED_ALGOS, VAULT_WRAPPING_DEFAULT_ALGO,
|
||||
+ VAULT_WRAPPING_3DES, VAULT_WRAPPING_AES128_CBC,
|
||||
+)
|
||||
from ipalib.crud import PKQuery, Retrieve
|
||||
from ipalib.parameters import Principal
|
||||
from ipalib.plugable import Registry
|
||||
@@ -39,14 +43,8 @@ from ipaserver.masters import is_service_enabled
|
||||
if api.env.in_server:
|
||||
import pki.account
|
||||
import pki.key
|
||||
- # pylint: disable=no-member
|
||||
- try:
|
||||
- # pki >= 10.4.0
|
||||
- from pki.crypto import DES_EDE3_CBC_OID
|
||||
- except ImportError:
|
||||
- DES_EDE3_CBC_OID = pki.key.KeyClient.DES_EDE3_CBC_OID
|
||||
- # pylint: enable=no-member
|
||||
-
|
||||
+ from pki.crypto import DES_EDE3_CBC_OID
|
||||
+ from pki.crypto import AES_128_CBC_OID
|
||||
|
||||
if six.PY3:
|
||||
unicode = str
|
||||
@@ -652,6 +652,20 @@ class vault(LDAPObject):
|
||||
),
|
||||
)
|
||||
|
||||
+ def _translate_algorithm(self, name):
|
||||
+ if name is None:
|
||||
+ name = VAULT_WRAPPING_DEFAULT_ALGO
|
||||
+ if name not in VAULT_WRAPPING_SUPPORTED_ALGOS:
|
||||
+ msg = _("{algo} is not a supported vault wrapping algorithm")
|
||||
+ raise errors.ValidationError(msg.format(algo=name))
|
||||
+ if name == VAULT_WRAPPING_3DES:
|
||||
+ return DES_EDE3_CBC_OID
|
||||
+ elif name == VAULT_WRAPPING_AES128_CBC:
|
||||
+ return AES_128_CBC_OID
|
||||
+ else:
|
||||
+ # unreachable
|
||||
+ raise ValueError(name)
|
||||
+
|
||||
def get_dn(self, *keys, **options):
|
||||
"""
|
||||
Generates vault DN from parameters.
|
||||
@@ -992,14 +1006,18 @@ class vaultconfig_show(Retrieve):
|
||||
)
|
||||
|
||||
def execute(self, *args, **options):
|
||||
-
|
||||
if not self.api.Command.kra_is_enabled()['result']:
|
||||
raise errors.InvocationError(
|
||||
format=_('KRA service is not enabled'))
|
||||
|
||||
+ config = dict(
|
||||
+ wrapping_supported_algorithms=VAULT_WRAPPING_SUPPORTED_ALGOS,
|
||||
+ wrapping_default_algorithm=VAULT_WRAPPING_DEFAULT_ALGO,
|
||||
+ )
|
||||
+
|
||||
with self.api.Backend.kra.get_client() as kra_client:
|
||||
transport_cert = kra_client.system_certs.get_transport_cert()
|
||||
- config = {'transport_cert': transport_cert.binary}
|
||||
+ config['transport_cert'] = transport_cert.binary
|
||||
|
||||
self.api.Object.config.show_servroles_attributes(
|
||||
config, "KRA server", **options)
|
||||
@@ -1029,6 +1047,13 @@ class vault_archive_internal(PKQuery):
|
||||
'nonce',
|
||||
doc=_('Nonce'),
|
||||
),
|
||||
+ StrEnum(
|
||||
+ 'wrapping_algo?',
|
||||
+ doc=_('Key wrapping algorithm'),
|
||||
+ values=VAULT_WRAPPING_SUPPORTED_ALGOS,
|
||||
+ default=VAULT_WRAPPING_DEFAULT_ALGO,
|
||||
+ autofill=True,
|
||||
+ ),
|
||||
)
|
||||
|
||||
has_output = output.standard_entry
|
||||
@@ -1045,6 +1070,9 @@ class vault_archive_internal(PKQuery):
|
||||
nonce = options.pop('nonce')
|
||||
wrapped_session_key = options.pop('session_key')
|
||||
|
||||
+ wrapping_algo = options.pop('wrapping_algo', None)
|
||||
+ algorithm_oid = self.obj._translate_algorithm(wrapping_algo)
|
||||
+
|
||||
# retrieve vault info
|
||||
vault = self.api.Command.vault_show(*args, **options)['result']
|
||||
|
||||
@@ -1071,7 +1099,7 @@ class vault_archive_internal(PKQuery):
|
||||
pki.key.KeyClient.PASS_PHRASE_TYPE,
|
||||
wrapped_vault_data,
|
||||
wrapped_session_key,
|
||||
- algorithm_oid=DES_EDE3_CBC_OID,
|
||||
+ algorithm_oid=algorithm_oid,
|
||||
nonce_iv=nonce,
|
||||
)
|
||||
|
||||
@@ -1098,6 +1126,13 @@ class vault_retrieve_internal(PKQuery):
|
||||
'session_key',
|
||||
doc=_('Session key wrapped with transport certificate'),
|
||||
),
|
||||
+ StrEnum(
|
||||
+ 'wrapping_algo?',
|
||||
+ doc=_('Key wrapping algorithm'),
|
||||
+ values=VAULT_WRAPPING_SUPPORTED_ALGOS,
|
||||
+ default=VAULT_WRAPPING_DEFAULT_ALGO,
|
||||
+ autofill=True,
|
||||
+ ),
|
||||
)
|
||||
|
||||
has_output = output.standard_entry
|
||||
@@ -1112,6 +1147,9 @@ class vault_retrieve_internal(PKQuery):
|
||||
|
||||
wrapped_session_key = options.pop('session_key')
|
||||
|
||||
+ wrapping_algo = options.pop('wrapping_algo', None)
|
||||
+ algorithm_oid = self.obj._translate_algorithm(wrapping_algo)
|
||||
+
|
||||
# retrieve vault info
|
||||
vault = self.api.Command.vault_show(*args, **options)['result']
|
||||
|
||||
@@ -1132,6 +1170,9 @@ class vault_retrieve_internal(PKQuery):
|
||||
|
||||
key_info = response.key_infos[0]
|
||||
|
||||
+ # XXX hack
|
||||
+ kra_client.keys.encrypt_alg_oid = algorithm_oid
|
||||
+
|
||||
# retrieve encrypted data from KRA
|
||||
key = kra_client.keys.retrieve_key(
|
||||
key_info.get_key_id(),
|
||||
--
|
||||
2.34.1
|
||||
|
86
0035-Set-AES-as-default-for-KRA-archival-wrapping.patch
Normal file
86
0035-Set-AES-as-default-for-KRA-archival-wrapping.patch
Normal file
@ -0,0 +1,86 @@
|
||||
From 984190eea01ac42cd1f97567a67dd9446e5b0bf9 Mon Sep 17 00:00:00 2001
|
||||
From: Francisco Trivino <ftrivino@redhat.com>
|
||||
Date: Fri, 11 Mar 2022 17:47:38 +0100
|
||||
Subject: [PATCH] Set AES as default for KRA archival wrapping
|
||||
|
||||
This commit sets AES-128-CBC as default wrapping algorithm as
|
||||
TripleDES (des-ede3-cbc) is not supported anymore in C9S.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/6524
|
||||
|
||||
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
API.txt | 6 +++---
|
||||
ipalib/constants.py | 14 +++++++++-----
|
||||
2 files changed, 12 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/API.txt b/API.txt
|
||||
index f95f2c8457e39f2268386a8a2336952d3285e008..1f27dcc616a6395c56ef91f3453e7620625c7645 100644
|
||||
--- a/API.txt
|
||||
+++ b/API.txt
|
||||
@@ -6559,7 +6559,7 @@ option: Flag('shared?', autofill=True, default=False)
|
||||
option: Str('username?', cli_name='user')
|
||||
option: Bytes('vault_data')
|
||||
option: Str('version?')
|
||||
-option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
|
||||
+option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
|
||||
output: Entry('result')
|
||||
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
|
||||
output: PrimaryKey('value')
|
||||
@@ -6659,7 +6659,7 @@ option: Bytes('session_key')
|
||||
option: Flag('shared?', autofill=True, default=False)
|
||||
option: Str('username?', cli_name='user')
|
||||
option: Str('version?')
|
||||
-option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
|
||||
+option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
|
||||
output: Entry('result')
|
||||
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
|
||||
output: PrimaryKey('value')
|
||||
@@ -7329,10 +7329,10 @@ default: vaultcontainer_del/1
|
||||
default: vaultcontainer_remove_owner/1
|
||||
default: vaultcontainer_show/1
|
||||
default: whoami/1
|
||||
-capability: vault_aes_keywrap 2.246
|
||||
capability: messages 2.52
|
||||
capability: optional_uid_params 2.54
|
||||
capability: permissions2 2.69
|
||||
capability: primary_key_types 2.83
|
||||
capability: datetime_values 2.84
|
||||
capability: dns_name_values 2.88
|
||||
+capability: vault_aes_keywrap 2.246
|
||||
diff --git a/ipalib/constants.py b/ipalib/constants.py
|
||||
index 11171b2e8aeb6f7306299b2bd7db3a3f39d29d4a..68178004181bebcc8c093dac55e18d5afe0251e5 100644
|
||||
--- a/ipalib/constants.py
|
||||
+++ b/ipalib/constants.py
|
||||
@@ -29,6 +29,8 @@ from ipaplatform.constants import constants as _constants
|
||||
from ipapython.dn import DN
|
||||
from ipapython.fqdn import gethostfqdn
|
||||
from ipapython.version import VERSION, API_VERSION
|
||||
+from cryptography.hazmat.primitives.ciphers import algorithms, modes
|
||||
+from cryptography.hazmat.backends.openssl.backend import backend
|
||||
|
||||
|
||||
FQDN = gethostfqdn()
|
||||
@@ -379,10 +381,12 @@ ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits + '-'
|
||||
VAULT_WRAPPING_3DES = 'des-ede3-cbc'
|
||||
VAULT_WRAPPING_AES128_CBC = 'aes-128-cbc'
|
||||
VAULT_WRAPPING_SUPPORTED_ALGOS = (
|
||||
- # old default was 3DES
|
||||
- VAULT_WRAPPING_3DES,
|
||||
- # supported since pki-kra >= 10.4
|
||||
+ # new default and supported since pki-kra >= 10.4
|
||||
VAULT_WRAPPING_AES128_CBC,
|
||||
)
|
||||
-# 3DES for backwards compatibility
|
||||
-VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_3DES
|
||||
+VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_AES128_CBC
|
||||
+
|
||||
+# Add 3DES for backwards compatibility if supported
|
||||
+if backend.cipher_supported(algorithms.TripleDES(b"\x00" * 8),
|
||||
+ modes.CBC(b"\x00" * 8)):
|
||||
+ VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,)
|
||||
--
|
||||
2.34.1
|
||||
|
31
freeipa.spec
31
freeipa.spec
@ -66,7 +66,7 @@
|
||||
%if 0%{?rhel}
|
||||
%global package_name ipa
|
||||
%global alt_name freeipa
|
||||
%global krb5_version 1.18.2-2
|
||||
%global krb5_version 1.19.1-15
|
||||
%global krb5_kdb_version 8.0
|
||||
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
|
||||
%global python_netaddr_version 0.7.19
|
||||
@ -198,7 +198,7 @@
|
||||
|
||||
Name: %{package_name}
|
||||
Version: %{IPA_VERSION}
|
||||
Release: 6%{?rc_version:.%rc_version}%{?dist}
|
||||
Release: 7%{?rc_version:.%rc_version}%{?dist}
|
||||
Summary: The Identity, Policy and Audit system
|
||||
|
||||
License: GPLv3+
|
||||
@ -244,6 +244,15 @@ Patch0023: 0023-ipatests-fix-TestOTPToken-rhbz#2053025.patch
|
||||
Patch0024: 0024-ipatests-Tests-for-Autoprivate-group.patch
|
||||
Patch0025: 0025-mark-xfail-for-test_idoverride_with_auto_private_gro.patch
|
||||
Patch0026: 0026-Mark-xfail-test_gidnumber_not_corresponding_existing.patch
|
||||
Patch0027: 0027-KRB-instance-make-provision-to-work-with-crypto-poli.patch
|
||||
Patch0028: 0028-tests-ensure-AD-SUPPORT-subpolicy-is-active.patch
|
||||
Patch0029: 0029-ipatests-extend-AES-keyset-to-SHA2-based-ones.patch
|
||||
Patch0030: 0030-freeipa.spec-bump-crypto-policies-dependency-for-Cen.patch
|
||||
Patch0031: 0031-Kerberos-instance-default-to-AES256-SHA2-for-master-.patch
|
||||
Patch0032: 0032-test_otp-do-not-use-paramiko-unless-it-is-really-nee.patch
|
||||
Patch0033: 0033-test_krbtpolicy-skip-SPAKE-related-tests-in-FIPS-mod.patch
|
||||
Patch0034: 0034-Support-AES-for-KRA-archival-wrapping.patch
|
||||
Patch0035: 0035-Set-AES-as-default-for-KRA-archival-wrapping.patch
|
||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||
%endif
|
||||
%endif
|
||||
@ -716,6 +725,12 @@ Provides: %{name}-admintools = %{version}-%{release}
|
||||
Conflicts: crypto-policies < 20200629-1
|
||||
%endif
|
||||
|
||||
%if 0%{?rhel} == 9
|
||||
# Conflict with crypto-policies < 20220223-1 to get upgraded AD-SUPPORT and
|
||||
# AD-SUPPORT-LEGACY policy modules
|
||||
Conflicts: crypto-policies < 20220223-1
|
||||
%endif
|
||||
|
||||
%description client
|
||||
IPA is an integrated solution to provide centrally managed Identity (users,
|
||||
hosts, services), Authentication (SSO, 2FA), and Authorization
|
||||
@ -1735,6 +1750,18 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Mar 24 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-7
|
||||
- Resolves: rhbz#2067971 Consequences of FIPS crypto policy tightening in RHEL 9
|
||||
- KRB instance: make provision to work with crypto policy without SHA-1 HMAC types
|
||||
- tests: ensure AD-SUPPORT subpolicy is active
|
||||
- ipatests: extend AES keyset to SHA2-based ones
|
||||
- freeipa.spec: bump crypto-policies dependency for CentOS 9 Stream
|
||||
- Kerberos instance: default to AES256-SHA2 for master key encryption
|
||||
- test_otp: do not use paramiko unless it is really needed
|
||||
- test_krbtpolicy: skip SPAKE-related tests in FIPS mode
|
||||
- Support AES for KRA archival wrapping
|
||||
- Set AES as default for KRA archival wrapping
|
||||
|
||||
* Thu Feb 24 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-6
|
||||
- Resolves: rhbz#2057467 Backport latest test fixes in python3-ipatests
|
||||
- ipatests: Tests for Autoprivate group.
|
||||
|
Loading…
Reference in New Issue
Block a user