From c643e56e4c45b7cb61aa53989657143627c23e04 Mon Sep 17 00:00:00 2001

From: Francisco Trivino <ftrivino@redhat.com>

Date: Nov 22 2022 06:56:00 +0000

Subject: Vault: fix interoperability issues with older RHEL systems

AES-128-CBC was recently enabled as default wrapping algorithm for transport of secrets.

This change was done in favor of FIPS as crypto-policies disabled 3DES in RHEL9, but

setting AES as default ended-up breaking backwards compatibility with older RHEL systems.

This commit is tuning some defaults so that interoperability with older RHEL systems

works again. The new logic reflects:

- when an old client is calling a new server, it doesn't send any value for wrapping_algo

  and the old value is used (3DES), so that the client can decrypt using 3DES.

- when a new client is calling a new server, it sends wrapping_algo = AES128_CBC

- when a new client is calling an old server, it doesn't send any value and the default is

  to use 3DES.

Finally, as this logic is able to handle overlapping wrapping algorithm between server and

client, the Option "--wrapping-algo" is hidden from "ipa vault-archive --help" and "ipa

vault-retrieve --help" commands.

Fixes: https://pagure.io/freeipa/issue/9259

Signed-off-by: Francisco Trivino <ftrivino@redhat.com>

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

diff --git a/API.txt b/API.txt

index 9892211..2bd1cc2 100644

--- a/API.txt

+++ b/API.txt

@@ -6666,7 +6666,7 @@ option: Flag('shared?', autofill=True, default=False)

 option: Str('username?', cli_name='user')

 option: Bytes('vault_data')

 option: Str('version?')

-option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])

+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])

 output: Entry('result')

 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])

 output: PrimaryKey('value')

@@ -6766,7 +6766,7 @@ option: Bytes('session_key')

 option: Flag('shared?', autofill=True, default=False)

 option: Str('username?', cli_name='user')

 option: Str('version?')

-option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])

+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])

 output: Entry('result')

 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])

 output: PrimaryKey('value')

diff --git a/VERSION.m4 b/VERSION.m4

index 7d60b01..b4b1774 100644

--- a/VERSION.m4

+++ b/VERSION.m4

@@ -86,8 +86,8 @@ define(IPA_DATA_VERSION, 20100614120000)

 #                                                      #

 ########################################################

 define(IPA_API_VERSION_MAJOR, 2)

-# Last change: add graceperiodlimit

-define(IPA_API_VERSION_MINOR, 248)

+# Last change: fix vault interoperability issues.

+define(IPA_API_VERSION_MINOR, 251)

 ########################################################

 # Following values are auto-generated from values above

diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py

index 115171c..d4c84eb 100644

--- a/ipaclient/plugins/vault.py

+++ b/ipaclient/plugins/vault.py

@@ -687,7 +687,7 @@ class ModVaultData(Local):

         default_algo = config.get('wrapping_default_algorithm')

         if default_algo is None:

             # old server

-            wrapping_algo = constants.VAULT_WRAPPING_AES128_CBC

+            wrapping_algo = constants.VAULT_WRAPPING_3DES

         elif default_algo in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:

             # try to use server default

             wrapping_algo = default_algo

@@ -801,7 +801,8 @@ class vault_archive(ModVaultData):

             if option.name not in ('nonce',

                                    'session_key',

                                    'vault_data',

-                                   'version'):

+                                   'version',

+                                   'wrapping_algo'):

                 yield option

         for option in super(vault_archive, self).get_options():

             yield option

@@ -1053,7 +1054,7 @@ class vault_retrieve(ModVaultData):

     def get_options(self):

         for option in self.api.Command.vault_retrieve_internal.options():

-            if option.name not in ('session_key', 'version'):

+            if option.name not in ('session_key', 'version', 'wrapping_algo'):

                 yield option

         for option in super(vault_retrieve, self).get_options():

             yield option

diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py

index 4d40f66..574c83a 100644

--- a/ipaserver/plugins/vault.py

+++ b/ipaserver/plugins/vault.py

@@ -1051,7 +1051,7 @@ class vault_archive_internal(PKQuery):

             'wrapping_algo?',

             doc=_('Key wrapping algorithm'),

             values=VAULT_WRAPPING_SUPPORTED_ALGOS,

-            default=VAULT_WRAPPING_DEFAULT_ALGO,

+            default=VAULT_WRAPPING_3DES,

             autofill=True,

         ),

     )

@@ -1130,7 +1130,7 @@ class vault_retrieve_internal(PKQuery):

             'wrapping_algo?',

             doc=_('Key wrapping algorithm'),

             values=VAULT_WRAPPING_SUPPORTED_ALGOS,

-            default=VAULT_WRAPPING_DEFAULT_ALGO,

+            default=VAULT_WRAPPING_3DES,

             autofill=True,

         ),

     )