From ba962632cd008edd057f61e7e6fadbf464ff94f2 Mon Sep 17 00:00:00 2001

From: Francisco Trivino <ftrivino@redhat.com>

Date: Tue, 4 Oct 2022 17:26:51 +0200

Subject: [PATCH] Vault: fix interoperability issues with older RHEL systems

AES-128-CBC was recently enabled as default wrapping algorithm for transport of secrets.

This change was done in favor of FIPS as crypto-policies disabled 3DES in RHEL9, but

setting AES as default ended-up breaking backwards compatibility with older RHEL systems.

This commit is tuning some defaults so that interoperability with older RHEL systems

works again. The new logic reflects:

- when an old client is calling a new server, it doesn't send any value for wrapping_algo

  and the old value is used (3DES), so that the client can decrypt using 3DES.

- when a new client is calling a new server, it sends wrapping_algo = AES128_CBC

- when a new client is calling an old server, it doesn't send any value and the default is

  to use 3DES.

Finally, as this logic is able to handle overlapping wrapping algorithm between server and

client, the Option "--wrapping-algo" is hidden from "ipa vault-archive --help" and "ipa

vault-retrieve --help" commands.

Fixes: https://pagure.io/freeipa/issue/9259

Signed-off-by: Francisco Trivino <ftrivino@redhat.com>

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 API.txt                    | 4 ++--

 VERSION.m4                 | 4 ++--

 ipaclient/plugins/vault.py | 7 ++++---

 ipaserver/plugins/vault.py | 4 ++--

 4 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/API.txt b/API.txt

index 814124f600111e46c117a0c925e33a27a19b38e0..062a6c756babea6b091c5aaec7d0eaa908b41911 100644

--- a/API.txt

+++ b/API.txt

@@ -6667,7 +6667,7 @@ option: Flag('shared?', autofill=True, default=False)

 option: Str('username?', cli_name='user')

 option: Bytes('vault_data')

 option: Str('version?')

-option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])

+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])

 output: Entry('result')

 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])

 output: PrimaryKey('value')

@@ -6767,7 +6767,7 @@ option: Bytes('session_key')

 option: Flag('shared?', autofill=True, default=False)

 option: Str('username?', cli_name='user')

 option: Str('version?')

-option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])

+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])

 output: Entry('result')

 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])

 output: PrimaryKey('value')

diff --git a/VERSION.m4 b/VERSION.m4

index 0f02d48979e4af3ad737e377545c4951d5dece02..d628c69a09a43b01aad4ac1bd3a6912bef27a7fe 100644

--- a/VERSION.m4

+++ b/VERSION.m4

@@ -86,8 +86,8 @@ define(IPA_DATA_VERSION, 20100614120000)

 #                                                      #

 ########################################################

 define(IPA_API_VERSION_MAJOR, 2)

-# Last change: add Random Serial Numbers v3

-define(IPA_API_VERSION_MINOR, 249)

+# Last change: fix vault interoperability issues.

+define(IPA_API_VERSION_MINOR, 251)

 ########################################################

 # Following values are auto-generated from values above

diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py

index 115171c7768d44251c17d0bcdac9c37b3a25db99..d4c84eb6bfb4cc119c599d494171b0a2417ce0ba 100644

--- a/ipaclient/plugins/vault.py

+++ b/ipaclient/plugins/vault.py

@@ -687,7 +687,7 @@ class ModVaultData(Local):

         default_algo = config.get('wrapping_default_algorithm')

         if default_algo is None:

             # old server

-            wrapping_algo = constants.VAULT_WRAPPING_AES128_CBC

+            wrapping_algo = constants.VAULT_WRAPPING_3DES

         elif default_algo in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:

             # try to use server default

             wrapping_algo = default_algo

@@ -801,7 +801,8 @@ class vault_archive(ModVaultData):

             if option.name not in ('nonce',

                                    'session_key',

                                    'vault_data',

-                                   'version'):

+                                   'version',

+                                   'wrapping_algo'):

                 yield option

         for option in super(vault_archive, self).get_options():

             yield option

@@ -1053,7 +1054,7 @@ class vault_retrieve(ModVaultData):

     def get_options(self):

         for option in self.api.Command.vault_retrieve_internal.options():

-            if option.name not in ('session_key', 'version'):

+            if option.name not in ('session_key', 'version', 'wrapping_algo'):

                 yield option

         for option in super(vault_retrieve, self).get_options():

             yield option

diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py

index 4d40f66c6a793a831e91c5fe25c8b5277cbd1972..574c83a9aaa64b6a4774400ea7af25343b445c03 100644

--- a/ipaserver/plugins/vault.py

+++ b/ipaserver/plugins/vault.py

@@ -1051,7 +1051,7 @@ class vault_archive_internal(PKQuery):

             'wrapping_algo?',

             doc=_('Key wrapping algorithm'),

             values=VAULT_WRAPPING_SUPPORTED_ALGOS,

-            default=VAULT_WRAPPING_DEFAULT_ALGO,

+            default=VAULT_WRAPPING_3DES,

             autofill=True,

         ),

     )

@@ -1130,7 +1130,7 @@ class vault_retrieve_internal(PKQuery):

             'wrapping_algo?',

             doc=_('Key wrapping algorithm'),

             values=VAULT_WRAPPING_SUPPORTED_ALGOS,

-            default=VAULT_WRAPPING_DEFAULT_ALGO,

+            default=VAULT_WRAPPING_3DES,

             autofill=True,

         ),

     )

-- 

2.38.1