From b016683552a58f9cc2a05cf628cc467234eaf599 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Mon, 28 Feb 2022 11:10:49 +0200
Subject: [PATCH] tests: ensure AD-SUPPORT subpolicy is active
Use AD-SUPPORT subpolicy when testing trust to Active Directory in FIPS mode. This is required in FIPS mode due to AD not supporting Kerberos AES-bases encryption types using FIPS-compliant PBKDF2 and KDF, as defined in RFC 8009.
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy
Reviewed-By: Julien Rische
Reviewed-By: Francisco Trivino
---
 ipatests/pytest_ipa/integration/fips.py | 6 ++++++
 ipatests/pytest_ipa/integration/tasks.py | 3 +++
 2 files changed, 9 insertions(+)
diff --git a/ipatests/pytest_ipa/integration/fips.py b/ipatests/pytest_ipa/integration/fips.py
index 694ec8a9927da917fe99482094f68540a1032c14..b33aa91b14552d6f47191c913db4f974a5a5948c 100644
--- a/ipatests/pytest_ipa/integration/fips.py
+++ b/ipatests/pytest_ipa/integration/fips.py
@@ -68,3 +68,9 @@ def disable_userspace_fips(host):
 # sanity check
 assert not is_fips_enabled(host)
 host.run_command(["openssl", "md5", "/dev/null"])
+
+
+def enable_crypto_subpolicy(host, subpolicy):
+ result = host.run_command(["update-crypto-policies", "--show"])
+ policy = result.stdin_text.strip() + ":" + subpolicy
+ host.run_command(["update-crypto-policies", "--set", policy])
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 7e1b7c24dab00986ff6e75430bf55e55dd1a6b8e..13d84e23fa7dc8a5e562e8498c9142e2bcad696a 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -66,6 +66,7 @@ from .env_config import env_to_script
 from .host import Host
 from .firewall import Firewall
 from .resolver import ResolvedResolver
+from .fips import is_fips_enabled, enable_crypto_subpolicy
 logger = logging.getLogger(__name__)
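Review bot: `result.stdin_text` on the line that builds `policy` in the new `enable_crypto_subpolicy` is, going by its name, the text fed to the command's standard input rather than its output, so the active policy that `update-crypto-policies --show` prints on stdout (e.g. `FIPS`) is never read; depending on the result object this either raises AttributeError before `--set` runs or sets the host to a bogus `:AD-SUPPORT`. The line should read `policy = result.stdout_text.strip() + ":" + subpolicy`. The helper is also not idempotent: a second call for the same subpolicy produces `FIPS:AD-SUPPORT:AD-SUPPORT`, so an early `return` when `subpolicy in current.split(":")` would make repeated installs on one host safe. A one-line docstring such as `"""Append *subpolicy* (e.g. AD-SUPPORT) to the host's active system-wide crypto policy."""` would document the new public helper.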
@@ -362,6 +363,8 @@ def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False,
 if setup_adtrust:
 args.append('--setup-adtrust')
 fw_services.append("freeipa-trust")
+ if is_fips_enabled(host):
+ enable_crypto_subpolicy(host, "AD-SUPPORT")
 if external_ca:
 args.append('--external-ca')
-- 
2.34.1
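Review bot: The crypto-policy change made by the new `if is_fips_enabled(host):` branch (presumably nested under `if setup_adtrust:`) is persistent and nothing in this change reverts it, so after the first FIPS trust test the host keeps the relaxed Kerberos enctype set that the commit message says AD needs for every later test on that host, including ones meant to exercise strict FIPS behaviour; restoring the policy (e.g. the value `--show` returned, or `update-crypto-policies --set FIPS`) in the uninstall path would keep test runs independent, though that path is outside this hunk. It is also not visible whether `install_replica` has a parallel `setup_adtrust` branch; a replica set up for trust in FIPS mode would hit the same enctype problem and should get the same call. A why-comment above the new `if`, e.g. `# FIPS policy disables the SHA-1-based AES enctypes, the only AES types AD offers; AD-SUPPORT re-enables them (issue 9119)`, would spare the next reader a trip to the commit log. install_master's body continues outside the hunk.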