From ba962632cd008edd057f61e7e6fadbf464ff94f2 Mon Sep 17 00:00:00 2001
|
|
From: Francisco Trivino <ftrivino@redhat.com>
|
|
Date: Tue, 4 Oct 2022 17:26:51 +0200
|
|
Subject: [PATCH] Vault: fix interoperability issues with older RHEL systems
|
|
|
|
AES-128-CBC was recently enabled as default wrapping algorithm for transport of secrets.
|
|
This change was done in favor of FIPS, as crypto-policies disabled 3DES in RHEL 9, but
setting AES as the default ended up breaking backwards compatibility with older RHEL systems.
|
|
|
|
This commit is tuning some defaults so that interoperability with older RHEL systems
|
|
works again. The new logic reflects:
|
|
|
|
- when an old client is calling a new server, it doesn't send any value for wrapping_algo
|
|
and the old value is used (3DES), so that the client can decrypt using 3DES.
|
|
|
|
- when a new client is calling a new server, it sends wrapping_algo = AES128_CBC
|
|
|
|
- when a new client is calling an old server, it doesn't send any value and the default is
|
|
to use 3DES.
|
|
|
|
Finally, as this logic is able to handle overlapping wrapping algorithm between server and
|
|
client, the Option "--wrapping-algo" is hidden from "ipa vault-archive --help" and "ipa
|
|
vault-retrieve --help" commands.
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/9259
|
|
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
|
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
---
|
|
API.txt | 4 ++--
|
|
VERSION.m4 | 4 ++--
|
|
ipaclient/plugins/vault.py | 7 ++++---
|
|
ipaserver/plugins/vault.py | 4 ++--
|
|
4 files changed, 10 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/API.txt b/API.txt
|
|
index 814124f600111e46c117a0c925e33a27a19b38e0..062a6c756babea6b091c5aaec7d0eaa908b41911 100644
|
|
--- a/API.txt
|
|
+++ b/API.txt
|
|
@@ -6667,7 +6667,7 @@ option: Flag('shared?', autofill=True, default=False)
|
|
option: Str('username?', cli_name='user')
|
|
option: Bytes('vault_data')
|
|
option: Str('version?')
|
|
-option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
|
|
+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
|
|
output: Entry('result')
|
|
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
|
|
output: PrimaryKey('value')
|
|
@@ -6767,7 +6767,7 @@ option: Bytes('session_key')
|
|
option: Flag('shared?', autofill=True, default=False)
|
|
option: Str('username?', cli_name='user')
|
|
option: Str('version?')
|
|
-option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
|
|
+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
|
|
output: Entry('result')
|
|
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
|
|
output: PrimaryKey('value')
|
|
diff --git a/VERSION.m4 b/VERSION.m4
|
|
index 0f02d48979e4af3ad737e377545c4951d5dece02..d628c69a09a43b01aad4ac1bd3a6912bef27a7fe 100644
|
|
--- a/VERSION.m4
|
|
+++ b/VERSION.m4
|
|
@@ -86,8 +86,8 @@ define(IPA_DATA_VERSION, 20100614120000)
|
|
# #
|
|
########################################################
|
|
define(IPA_API_VERSION_MAJOR, 2)
|
|
-# Last change: add Random Serial Numbers v3
|
|
-define(IPA_API_VERSION_MINOR, 249)
|
|
+# Last change: fix vault interoperability issues.
|
|
+define(IPA_API_VERSION_MINOR, 251)
|
|
|
|
########################################################
|
|
# Following values are auto-generated from values above
|
|
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
|
|
index 115171c7768d44251c17d0bcdac9c37b3a25db99..d4c84eb6bfb4cc119c599d494171b0a2417ce0ba 100644
|
|
--- a/ipaclient/plugins/vault.py
|
|
+++ b/ipaclient/plugins/vault.py
|
|
@@ -687,7 +687,7 @@ class ModVaultData(Local):
|
|
default_algo = config.get('wrapping_default_algorithm')
|
|
if default_algo is None:
|
|
# old server
|
|
- wrapping_algo = constants.VAULT_WRAPPING_AES128_CBC
|
|
+ wrapping_algo = constants.VAULT_WRAPPING_3DES
|
|
elif default_algo in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
|
|
# try to use server default
|
|
wrapping_algo = default_algo
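Review bot: The `# old server` comment on the new 3DES fallback does not say why a deprecated cipher is being chosen or what happens when the local crypto policy forbids it, and the commit message itself states that RHEL 9 crypto-policies disable 3DES, so a new FIPS-mode client talking to a pre-AES server will select 3DES here and presumably fail later at wrap time with whatever the crypto backend raises. I would expand the comment to `# old server: does not advertise wrapping_default_algorithm and only knows 3DES; deprecated, and may be rejected by local crypto-policy/FIPS` so the next reader knows this is a compatibility shim rather than a recommendation. If a logger is available in this module, a one-line warning when this branch is taken would also make the eventual failure diagnosable. The enclosing method starts before this hunk and its `else` branch continues after it.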
|
|
@@ -801,7 +801,8 @@ class vault_archive(ModVaultData):
|
|
if option.name not in ('nonce',
|
|
'session_key',
|
|
'vault_data',
|
|
- 'version'):
|
|
+ 'version',
|
|
+ 'wrapping_algo'):
|
|
yield option
|
|
for option in super(vault_archive, self).get_options():
|
|
yield option
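Review bot: Adding `'wrapping_algo'` to the exclusion tuple in `vault_archive.get_options` removes the option from the public `vault_archive` command altogether, not just from `--help` as the commit message says, since the same filter is what keeps `nonce`, `session_key` and `vault_data` out of the public interface. Any script that previously passed `wrapping_algo=` or `--wrapping-algo` to `vault_archive` will now get an unknown-option error rather than silently using the negotiated default. If genuine hiding was intended and the plugin framework supports a hidden option flag, that would preserve those callers; otherwise the commit message and a short comment such as `# wrapping_algo is negotiated with the server, never user-selectable` should state that the option was removed on purpose. The rest of `get_options` is visible, so this is the whole change to the method.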
|
|
@@ -1053,7 +1054,7 @@ class vault_retrieve(ModVaultData):
|
|
|
|
def get_options(self):
|
|
for option in self.api.Command.vault_retrieve_internal.options():
|
|
- if option.name not in ('session_key', 'version'):
|
|
+ if option.name not in ('session_key', 'version', 'wrapping_algo'):
|
|
yield option
|
|
for option in super(vault_retrieve, self).get_options():
|
|
yield option
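Review bot: The exclusion tuple in `vault_retrieve.get_options` now silently drops a fourth name with no indication of why these particular options are withheld from the public command, and `wrapping_algo` is the only one of them a user could plausibly have set before this patch. A brief comment above the `if`, e.g. `# internal transport parameters; wrapping_algo is chosen by ModVaultData from the server's advertised default`, would document the contract for both this method and its twin in `vault_archive`. As with the archive side, this is a removal of the option from the client command rather than a help-text change, and the commit message should reflect that.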
|
|
diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py
|
|
index 4d40f66c6a793a831e91c5fe25c8b5277cbd1972..574c83a9aaa64b6a4774400ea7af25343b445c03 100644
|
|
--- a/ipaserver/plugins/vault.py
|
|
+++ b/ipaserver/plugins/vault.py
|
|
@@ -1051,7 +1051,7 @@ class vault_archive_internal(PKQuery):
|
|
'wrapping_algo?',
|
|
doc=_('Key wrapping algorithm'),
|
|
values=VAULT_WRAPPING_SUPPORTED_ALGOS,
|
|
- default=VAULT_WRAPPING_DEFAULT_ALGO,
|
|
+ default=VAULT_WRAPPING_3DES,
|
|
autofill=True,
|
|
),
|
|
)
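Review bot: The server-side `default=VAULT_WRAPPING_3DES` in `vault_archive_internal` is applied whenever a caller omits `wrapping_algo`, so on a RHEL 9 server whose crypto-policy disables 3DES (as the commit message describes) an old client's archive will now select a disabled cipher with no explicit check, and the error the user sees will be whatever the underlying wrap raises rather than a clear interoperability message. I would at least mark the intent inline with `# 3DES default kept only for clients that predate AES wrapping; not a recommendation` next to the `default=` line, and consider validating in the command body that the chosen algorithm is usable under the server's policy so the failure is explicit. Since `VAULT_WRAPPING_DEFAULT_ALGO` is no longer referenced here, it is worth confirming that constant still has a user elsewhere or retiring it to avoid two notions of "default". The `Param` definition is fully visible but the enclosing class continues outside the hunk.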
|
|
@@ -1130,7 +1130,7 @@ class vault_retrieve_internal(PKQuery):
|
|
'wrapping_algo?',
|
|
doc=_('Key wrapping algorithm'),
|
|
values=VAULT_WRAPPING_SUPPORTED_ALGOS,
|
|
- default=VAULT_WRAPPING_DEFAULT_ALGO,
|
|
+ default=VAULT_WRAPPING_3DES,
|
|
autofill=True,
|
|
),
|
|
)
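Review bot: On the retrieve side the server now wraps the returned secret with 3DES by default and, because both algorithms stay in `values=`, continues to accept an explicit 3DES request from any client, with no server-side knob to refuse it once pre-AES clients are out of the fleet. The client hunk shows the server already publishes `wrapping_default_algorithm` in its config, so if the plugin framework allows a runtime default it would be cleaner for this fallback to follow that setting than to hard-code `VAULT_WRAPPING_3DES` in a second place. Failing that, a comment such as `# must stay in sync with vault_archive_internal and the legacy-client fallback in ipaclient/plugins/vault.py` on the `default=` line would keep the two hard-coded defaults from drifting. The enclosing `vault_retrieve_internal` class extends beyond this hunk.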
|
|
--
|
|
2.38.1
|
|
|