4c20458190
- Resolves: RHEL-70760 Fix typo in ipa-migrate log file i.e 'Privledges' to 'Privileges' - Resolves: RHEL-70481 ipa-server-upgrade fails after established trust with ad - Resolves: RHEL-69927 add support for python cryptography 44.0.0 - Resolves: RHEL-69908 All user groups are not being included during HSM token validation - Resolves: RHEL-69900 Upgrade to ipa-server-4.12.2-1.el9 OTP-based bind to LDAP without enforceldapotp is broken Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
From 8dfec28647f7c17e47fbfc96a1720dcde1592386 Mon Sep 17 00:00:00 2001
|
|
From: Stanislav Levin <slev@altlinux.org>
|
|
Date: Mon, 2 Dec 2024 15:04:30 +0300
|
|
Subject: [PATCH] pyca: adapt import paths for TripleDES cipher
|
|
|
|
https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.TripleDES
|
|
|
|
> This algorithm has been deprecated and moved to the Decrepit
|
|
cryptography module. If you need to continue using it then update your
|
|
code to use the new module path. It will be removed from this namespace
|
|
in 48.0.0.
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/9708
|
|
Signed-off-by: Stanislav Levin <slev@altlinux.org>
|
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
---
|
|
ipaclient/plugins/vault.py | 8 +++++++-
|
|
ipalib/constants.py | 24 +++++++++++-------------
|
|
ipaserver/install/ipa_otptoken_import.py | 8 +++++++-
|
|
3 files changed, 25 insertions(+), 15 deletions(-)
|
|
|
|
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
|
|
index 75415c03a57242ae674636fa31a72db2fa56d6ea..6af7297936924dfb80e7f79924b570421da65c97 100644
|
|
--- a/ipaclient/plugins/vault.py
|
|
+++ b/ipaclient/plugins/vault.py
|
|
@@ -34,6 +34,12 @@ from cryptography.hazmat.primitives import hashes
|
|
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
|
|
from cryptography.hazmat.primitives.asymmetric import padding
|
|
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
|
|
+try:
|
|
+ # cryptography>=43.0.0
|
|
+ from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
|
|
+except ImportError:
|
|
+ # will be removed from this module in cryptography 48.0.0
|
|
+ from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
|
|
from cryptography.hazmat.primitives.padding import PKCS7
|
|
from cryptography.hazmat.primitives.serialization import (
|
|
load_pem_public_key, load_pem_private_key)
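Review bot: The five-line `try`/`except ImportError` shim added here is repeated verbatim in ipalib/constants.py and ipaserver/install/ipa_otptoken_import.py, so dropping the pre-43 fallback later means editing three files in step. Resolving `TripleDES` once in a shared module and importing that name in the other two would keep the compatibility logic in one place. A short comment next to the import, for example `# 3DES is retained only for backwards-compatible vault wrapping; do not use it for new data`, would also explain why a cipher the library has moved to its decrepit namespace is still imported.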
|
|
@@ -661,7 +667,7 @@ class ModVaultData(Local):
|
|
if name == constants.VAULT_WRAPPING_AES128_CBC:
|
|
return algorithms.AES(os.urandom(128 // 8))
|
|
elif name == constants.VAULT_WRAPPING_3DES:
|
|
- return algorithms.TripleDES(os.urandom(196 // 8))
|
|
+ return TripleDES(os.urandom(196 // 8))
|
|
else:
|
|
# unreachable
|
|
raise ValueError(name)
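Review bot: The rewritten 3DES line still sizes the key as `196 // 8`, which gives the intended 24 bytes only because floor division discards the remainder; a three-key 3DES key is 192 bits. `return TripleDES(os.urandom(192 // 8))` states the size correctly and leaves behaviour unchanged. The enclosing method begins outside this hunk, so how the returned algorithm object is used is not visible here.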
|
|
diff --git a/ipalib/constants.py b/ipalib/constants.py
|
|
index b657e5a9065d115d0eff2dbfffff49e992006536..c90caa22149ec3d93d45fcb5480f7401e4555799 100644
|
|
--- a/ipalib/constants.py
|
|
+++ b/ipalib/constants.py
|
|
@@ -25,20 +25,19 @@ All constants centralised in one file.
|
|
import os
|
|
import string
|
|
import uuid
|
|
-import warnings
|
|
-
|
|
-warnings.filterwarnings(
|
|
- "ignore",
|
|
- "TripleDES has been moved to "
|
|
- "cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES and "
|
|
- "will be removed from this module in 48.0.0",
|
|
- category=UserWarning)
|
|
|
|
from ipaplatform.constants import constants as _constants
|
|
from ipapython.dn import DN
|
|
from ipapython.fqdn import gethostfqdn
|
|
from ipapython.version import VERSION, API_VERSION
|
|
-from cryptography.hazmat.primitives.ciphers import algorithms, modes
|
|
+from cryptography.hazmat.primitives.ciphers import modes
|
|
+try:
|
|
+ # cryptography>=43.0.0
|
|
+ from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
|
|
+except ImportError:
|
|
+ # will be removed from this module in cryptography 48.0.0
|
|
+ from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
|
|
+
|
|
from cryptography.hazmat.backends.openssl.backend import backend
|
|
|
|
|
|
@@ -389,7 +388,6 @@ VAULT_WRAPPING_SUPPORTED_ALGOS = (
|
|
VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_AES128_CBC
|
|
|
|
# Add 3DES for backwards compatibility if supported
|
|
-if getattr(algorithms, 'TripleDES', None):
|
|
- if backend.cipher_supported(algorithms.TripleDES(
|
|
- b"\x00" * 8), modes.CBC(b"\x00" * 8)):
|
|
- VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,)
|
|
+if backend.cipher_supported(TripleDES(
|
|
+ b"\x00" * 8), modes.CBC(b"\x00" * 8)):
|
|
+ VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,)
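Review bot: With the `getattr(algorithms, 'TripleDES', None)` guard removed, this block relies on the import added in the earlier hunk of this file always succeeding. If a cryptography build provides `TripleDES` under neither path, `ipalib.constants` would fail at import time instead of simply leaving 3DES out of `VAULT_WRAPPING_SUPPORTED_ALGOS`. Whether such a build exists cannot be told from the patch, but keeping the cipher optional is cheap. Give the fallback import its own `except ImportError:` that sets `TripleDES = None`, and test `if TripleDES is not None and backend.cipher_supported(` here. The unconditional imports in ipaclient/plugins/vault.py and ipaserver/install/ipa_otptoken_import.py would need the same handling for this to be effective.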
|
|
diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
|
|
index 279a7502d2f305309252b3b291e32b772a51a1d3..17457f6c5b81ab70a0ecee13bf744e242ec88ff0 100644
|
|
--- a/ipaserver/install/ipa_otptoken_import.py
|
|
+++ b/ipaserver/install/ipa_otptoken_import.py
|
|
@@ -37,6 +37,12 @@ from cryptography.hazmat.primitives import hashes, hmac
|
|
from cryptography.hazmat.primitives.padding import PKCS7
|
|
from cryptography.hazmat.primitives.kdf import pbkdf2
|
|
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
|
|
+try:
|
|
+ # cryptography>=43.0.0
|
|
+ from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
|
|
+except ImportError:
|
|
+ # will be removed from this module in cryptography 48.0.0
|
|
+ from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
|
|
from cryptography.hazmat.backends import default_backend
|
|
|
|
from ipaplatform.paths import paths
|
|
@@ -169,7 +175,7 @@ def convertAlgorithm(value):
|
|
# in the list of the vault wrapping algorithms, we cannot use 3DES anywhere
|
|
if VAULT_WRAPPING_3DES in VAULT_WRAPPING_SUPPORTED_ALGOS:
|
|
supported_algs["http://www.w3.org/2001/04/xmlenc#tripledes-cbc"] = (
|
|
- algorithms.TripleDES, modes.CBC, 64)
|
|
+ TripleDES, modes.CBC, 64)
|
|
|
|
return supported_algs.get(value.lower(), (None, None, None))
|
|
|
|
--
|
|
2.47.1
|
|
|