From fb90a9492150d668003984345dcac874c4e26e61 Mon Sep 17 00:00:00 2001
From: Julien Rische
Date: Wed, 12 Mar 2025 13:49:47 +0100
Subject: [PATCH] Use ipaplatform tasks for krb5 enctypes

Provide the master key encryption type and the list of supported encryption types as ipaplatform..tasks methods. This allows to generate the list at runtime based on the environment (e.g. FIPS) and override the list depending of the platform.

3DES HMAC-SHA1 encryption type is now removed from supported encryption types if it is present.

Reviewed-By: Rob Crittenden
---
 install/share/kerberos.ldif | 18 +-----------------
 install/updates/50-krbenctypes.update | 11 +----------
 ipaplatform/base/tasks.py | 25 +++++++++++++++++++++++++
 ipaplatform/redhat/tasks.py | 8 ++++++++
 ipaserver/install/krbinstance.py | 27 +++++++++++----------------
 ipaserver/install/ldapupdate.py | 17 ++++++++++++++++-
 6 files changed, 62 insertions(+), 44 deletions(-)

diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif
index 3a5c30ec8533b6d60c614f276090bf2f4cfcd075..78c29923b166594c0c977304f4eed30823e69afb 100644
--- a/install/share/kerberos.ldif
+++ b/install/share/kerberos.ldif
@@ -14,25 +14,9 @@ objectClass: krbrealmcontainer
 objectClass: krbticketpolicyaux
 krbSubTrees: $SUFFIX
 krbSearchScope: 2
-krbSupportedEncSaltTypes: aes256-cts:normal
-krbSupportedEncSaltTypes: aes256-cts:special
-krbSupportedEncSaltTypes: aes128-cts:normal
-krbSupportedEncSaltTypes: aes128-cts:special
-krbSupportedEncSaltTypes: aes128-sha2:normal
-krbSupportedEncSaltTypes: aes128-sha2:special
-krbSupportedEncSaltTypes: aes256-sha2:normal
-krbSupportedEncSaltTypes: aes256-sha2:special
-${FIPS}krbSupportedEncSaltTypes: camellia128-cts-cmac:normal
-${FIPS}krbSupportedEncSaltTypes: camellia128-cts-cmac:special
-${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
-${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:special
 krbMaxTicketLife: 86400
 krbMaxRenewableAge: 604800
-krbDefaultEncSaltTypes: aes256-sha2:special
-krbDefaultEncSaltTypes: aes128-sha2:special
-krbDefaultEncSaltTypes: aes256-cts:special
-krbDefaultEncSaltTypes: aes128-cts:special
-
+${LDIF_SUPPORTED_ENCTYPES}${LDIF_DEFAULT_ENCTYPES}
 # Default password Policy
 dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
 changetype: add
diff --git a/install/updates/50-krbenctypes.update b/install/updates/50-krbenctypes.update
index 1bf2bf33a6566586639767771dff501d91a03508..3061b98c94b255dd99d77ed32e155f0447c45413 100644
--- a/install/updates/50-krbenctypes.update
+++ b/install/updates/50-krbenctypes.update
@@ -1,11 +1,2 @@
 dn: cn=$REALM,cn=kerberos,$SUFFIX
-${FIPS}add: krbSupportedEncSaltTypes: camellia128-cts-cmac:normal
-${FIPS}add: krbSupportedEncSaltTypes: camellia128-cts-cmac:special
-${FIPS}add: krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
-${FIPS}add: krbSupportedEncSaltTypes: camellia256-cts-cmac:special
-add: krbSupportedEncSaltTypes: aes128-sha2:normal
-add: krbSupportedEncSaltTypes: aes128-sha2:special
-add: krbSupportedEncSaltTypes: aes256-sha2:normal
-add: krbSupportedEncSaltTypes: aes256-sha2:special
-remove: krbDefaultEncSaltTypes: des3-hmac-sha1:special
-remove: krbDefaultEncSaltTypes: arcfour-hmac:special
+${ADD_SUPPORTED_ENCTYPES}${ADD_DEFAULT_ENCTYPES}${REMOVE_SUPPORTED_ENCTYPES}${REMOVE_DEFAULT_ENCTYPES}
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index 4108a7ced240c3fa98a2bd58d21f655227d95a55..9e221d872e7ca9ac0607ff29e1b51dedcf688d75 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
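Review bot: The removed `add:` lines spell the Camellia types `camellia128-cts-cmac`/`camellia256-cts-cmac`, while the values that `${ADD_SUPPORTED_ENCTYPES}` now receives from `tasks.get_supported_enctypes()` (see the base tasks hunk) are spelled `camellia128-cts`/`camellia256-cts`, and nothing in `${REMOVE_SUPPORTED_ENCTYPES}` removes the long spelling. On an already-installed realm the updater will therefore most likely add the short spelling next to the existing long one rather than recognise it as the same value; whether the KDC treats the two strings as aliases is outside this diff, so this may only be cosmetic duplication, but it is worth checking on an upgraded instance. Note also that Camellia is no longer gated on FIPS in this template at all; that now depends entirely on what the platform's `get_supported_enctypes()` filters out.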
@@ -540,4 +540,29 @@ class BaseTaskNamespace: 'ipa-client-automount-nsswitch', 'previous-automount' ) + def get_masterkey_enctype(self): + return 'aes256-sha2' + + # Encryption types allowed for Kerberos keys + def get_supported_enctypes(self): + return ('aes256-sha2:special', 'aes128-sha2:special', + 'aes256-sha2:normal', 'aes128-sha2:normal', + 'aes256-cts:special', 'aes128-cts:special', + 'aes256-cts:normal', 'aes128-cts:normal', + 'camellia256-cts:special', 'camellia128-cts:special', + 'camellia256-cts:normal', 'camellia128-cts:normal') + + # Encryption types used in the past, not supported anymore + def get_removed_supported_enctypes(self): + return ('des3-hmac-sha1:special') + + # Encryption types used by default when generating Kerberos keys + def get_default_enctypes(self): + return ('aes256-sha2:special', 'aes128-sha2:special', + 'aes256-cts:special', 'aes128-cts:special') + + # Encryption types no longer used by default when generating keys + def get_removed_default_enctypes(self): + return ('des3-hmac-sha1:special', 'arcfour-hmac:special') + tasks = BaseTaskNamespace() diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py index 18203bf0e25838ef529d4da998a84bdfbb715ce6..4953dc78ab0437b4c0041c1194f06b30d8628228 100644 --- a/ipaplatform/redhat/tasks.py +++ b/ipaplatform/redhat/tasks.py @@ -751,5 +751,13 @@ class RedHatTaskNamespace(BaseTaskNamespace): logger.info("It may happen if the configuration was done " "using authconfig instead of authselect") + def get_supported_enctypes(self): + enctypes = super().get_supported_enctypes() + + if not self.is_fips_enabled(): + return enctypes + + return tuple(e for e in enctypes if not e.startswith('camellia')) + tasks = RedHatTaskNamespace() diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 9f0eea56301d66391b6ba87a7a2a4b7ed4e9eaa5..fb1a2884226a45e3c76f32432fe9b0831eebb888 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py 
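Review bot: `get_removed_supported_enctypes` returns `('des3-hmac-sha1:special')`, which is a plain string — parentheses without a trailing comma do not build a tuple — unlike the tuple returned by its sibling `get_removed_default_enctypes`. Every consumer that iterates the result, in particular `ldif_mod` in ipaserver/install/ldapupdate.py with its `for v in values`, will see one element per character and emit a `remove: krbSupportedEncSaltTypes: d` style line for each of the 22 characters instead of a single removal of the 3DES type, so the update never does what the commit message says. The fix is `return ('des3-hmac-sha1:special',)`. The `#` comments above the four new methods would serve better as docstrings, e.g. `"""Return the enctype:salttype pairs accepted for Kerberos keys."""`, so the contract is visible on the Red Hat override and in help(). The class BaseTaskNamespace starts outside the hunk.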
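Review bot: The FIPS filtering of the Camellia types now exists only in the Red Hat override of `get_supported_enctypes`, whereas the code this commit removes from ipaserver/install/krbinstance.py (and the `${FIPS}` prefixes removed from the two templates) applied it on every platform through `tasks.is_fips_enabled()`. Any other platform namespace that inherits the base implementation keeps Camellia in its supported list even when its own `is_fips_enabled()` reports FIPS; I cannot see the other platform modules here, but the filter would be safer in the base method, e.g. `if self.is_fips_enabled(): enctypes = tuple(e for e in enctypes if not e.startswith('camellia'))`, which would also make this override unnecessary. The override lacks a docstring; `"""Supported enctypes, minus the Camellia ones when FIPS mode is enabled."""` would state the behaviour. The same concern applies to the krbinstance.py hunk that now relies on `tasks.get_supported_enctypes()` for the kdc.conf value. RedHatTaskNamespace starts outside the hunk.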
@@ -55,14 +55,6 @@ from ipaplatform.paths import paths logger = logging.getLogger(__name__) -MASTER_KEY_TYPE = 'aes256-sha2' -SUPPORTED_ENCTYPES = ('aes256-sha2:special', 'aes128-sha2:special', - 'aes256-sha2:normal', 'aes128-sha2:normal', - 'aes256-cts:special', 'aes128-cts:special', - 'aes256-cts:normal', 'aes128-cts:normal', - 'camellia256-cts:special', 'camellia128-cts:special', - 'camellia256-cts:normal', 'camellia128-cts:normal') - def get_pkinit_request_ca(): """ @@ -299,15 +291,18 @@ class KrbInstance(service.Service): INCLUDES=includes, FIPS='#' if fips_enabled else '') - if fips_enabled: - supported_enctypes = list( - filter(lambda e: not e.startswith('camellia'), - SUPPORTED_ENCTYPES)) - else: - supported_enctypes = SUPPORTED_ENCTYPES - self.sub_dict['SUPPORTED_ENCTYPES'] = ' '.join(supported_enctypes) + supported_enctypes = tasks.get_supported_enctypes() + str_supported_enctypes = ' '.join(supported_enctypes) + ldif_supported_enctypes = ''.join(f'krbSupportedEncSaltTypes: {e}\n' + for e in supported_enctypes) + ldif_default_enctypes = ''.join(f'krbDefaultEncSaltTypes: {e}\n' + for e in tasks.get_default_enctypes()) + + self.sub_dict['SUPPORTED_ENCTYPES'] = str_supported_enctypes + self.sub_dict['LDIF_SUPPORTED_ENCTYPES'] = ldif_supported_enctypes + self.sub_dict['LDIF_DEFAULT_ENCTYPES'] = ldif_default_enctypes - self.sub_dict['MASTER_KEY_TYPE'] = MASTER_KEY_TYPE + self.sub_dict['MASTER_KEY_TYPE'] = tasks.get_masterkey_enctype() # IPA server/KDC is not a subdomain of default domain # Proper domain-realm mapping needs to be specified diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py index c3b59732ae8991b2e9ff203caab00da72e093781..9a1a1167ee168e5fea45517e01199baaeb29645b 100644 --- a/ipaserver/install/ldapupdate.py +++ b/ipaserver/install/ldapupdate.py 
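Review bot: The LDIF line builders added in the second hunk, `''.join(f'krbSupportedEncSaltTypes: {e}\n' for e in supported_enctypes)` and its `krbDefaultEncSaltTypes` twin, duplicate the `ldif_mod` helper this same commit adds to ipaserver/install/ldapupdate.py, minus the `op:` prefix; one shared formatter (or an optional prefix argument on `ldif_mod`) would keep the two renderings of the same attribute lines from drifting apart. The first hunk deletes the module-level names `MASTER_KEY_TYPE` and `SUPPORTED_ENCTYPES`; anything elsewhere in the tree that still imports them from krbinstance would now fail at import time, which cannot be verified from this diff. The `fips_enabled` local is still consumed by the `FIPS=` context line, so the second hunk is otherwise self-consistent. The method enclosing the second hunk starts and ends outside it.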
@@ -54,6 +54,9 @@ UPDATES_DIR=paths.UPDATES_DIR UPDATE_SEARCH_TIME_LIMIT = 30 # seconds +def ldif_mod(op, attr, values): + return ''.join(f'{op}: {attr}: {v}\n' for v in values) + def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None): """LDAP template substitution dict for installer and updater """ @@ -73,6 +76,15 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None): named_uid = None named_gid = None + add_supported_enctypes = ldif_mod('add', 'krbSupportedEncSaltTypes', + tasks.get_supported_enctypes()) + add_default_enctypes = ldif_mod('add', 'krbDefaultEncSaltTypes', + tasks.get_default_enctypes()) + rm_supported_enctypes = ldif_mod('remove', 'krbSupportedEncSaltTypes', + tasks.get_removed_supported_enctypes()) + rm_default_enctypes = ldif_mod('remove', 'krbDefaultEncSaltTypes', + tasks.get_removed_default_enctypes()) + return dict( REALM=realm, DOMAIN=domain, @@ -82,7 +94,10 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None): HOST=fqdn, LIBARCH=paths.LIBARCH, TIME=int(time.time()), - FIPS="#" if tasks.is_fips_enabled() else "", + ADD_SUPPORTED_ENCTYPES=add_supported_enctypes, + ADD_DEFAULT_ENCTYPES=add_default_enctypes, + REMOVE_SUPPORTED_ENCTYPES=rm_supported_enctypes, + REMOVE_DEFAULT_ENCTYPES=rm_default_enctypes, # idstart, idmax, and idrange_size may be None IDSTART=idstart, IDMAX=idmax, -- 2.50.0
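Review bot: `ldif_mod` has no docstring and accepts any iterable for `values`, including a `str`, which it would happily iterate character by character; since one of the producers wired to it in the second hunk (`tasks.get_removed_supported_enctypes()`) is a one-element sequence that is easy to write as a bare parenthesised string, a guard would turn that mistake into a loud failure instead of garbage `remove:` lines. I would add `"""Return one '<op>: <attr>: <value>' LDIF line per element of *values*."""` and `if isinstance(values, str): raise TypeError('values must be an iterable of str, not a str')` at the top of the function. The helper also lacks a type hint that would document the expected shape, e.g. `values: Iterable[str]`, if the module already imports `Iterable`.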
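Review bot: The third hunk drops the `FIPS` key from the substitution dict returned by `get_sub_dict`, so any .update template that still contains `${FIPS}` would be left with the literal placeholder rather than a comment marker; 50-krbenctypes.update is converted in this commit, but the rest of the updates directory is not visible here and should be grepped before merging (krbinstance.py keeps its own `FIPS` key for kerberos.ldif, so that path is unaffected). The four new `ldif_mod` calls in the second hunk are evaluated unconditionally on every call of `get_sub_dict`, which is fine as long as the `tasks.get_*_enctypes()` accessors stay cheap and side-effect free; a one-line comment saying so would help the next person who adds a platform override. get_sub_dict starts before the second hunk and ends after the third.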