From a51900819bd5332bc05ec9d513f062844b3a7763 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 25 Feb 2022 08:58:24 +0200
Subject: [PATCH] KRB instance: make provision to work with crypto policy
 without SHA-1 HMAC types
RHEL 9 system-wide crypto policies aim at eventual removal of SHA-1 use.
Due to the bootstrapping process, explicitly force the supported encryption
types in kdc.conf or we may end up with AES128-SHA1 and AES256-SHA2 only
in FIPS mode at bootstrap time which then fails to initialize kadmin
principals requiring use of AES256-SHA2 and AES128-SHA2.
Camellia ciphers must be filtered out in FIPS mode, we do that already
in the kerberos.ldif.
At this point we are not changing the master key encryption type to
AES256-SHA2 because upgrading existing deployments is complicated and
at the time when a replica configuration is deployed, we don't know what
is the encryption type of the master key of the original server as well.
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
 install/share/kdc.conf.template  |  3 ++-
 install/share/kerberos.ldif      |  2 ++
 ipaserver/install/krbinstance.py | 21 ++++++++++++++++++++-
 3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 232fedc445f660c30a88d8844d9f1b6042db41a7..685d42f3b7fb263e86b7a6db98be8bcc53e7bbe6 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -6,7 +6,8 @@
 
 [realms]
  $REALM = {
-  master_key_type = aes256-cts
+  master_key_type = $MASTER_KEY_TYPE
+  supported_enctypes = $SUPPORTED_ENCTYPES
   max_life = 7d
   max_renewable_life = 14d
   acl_file = $KRB5KDC_KADM5_ACL
diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif
index 3b75b445641fd86e2029ceb51e479c6ccb17856c..51e5cf9bca4b0b2cf2e1fe3ec85777deb61b76b0 100644
--- a/install/share/kerberos.ldif
+++ b/install/share/kerberos.ldif
@@ -28,6 +28,8 @@ ${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
 ${FIPS}krbSupportedEncSaltTypes: camellia256-cts-cmac:special
 krbMaxTicketLife: 86400
 krbMaxRenewableAge: 604800
+krbDefaultEncSaltTypes: aes256-sha2:special
+krbDefaultEncSaltTypes: aes128-sha2:special
 krbDefaultEncSaltTypes: aes256-cts:special
 krbDefaultEncSaltTypes: aes128-cts:special
 
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 216c1032d8abd9fc119d98d8f9976ce17d246ea4..852edcd9978f4a47d355e206fbb4a513ea699865 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -51,6 +51,14 @@ logger = logging.getLogger(__name__)
 
 PKINIT_ENABLED = 'pkinitEnabled'
 
+MASTER_KEY_TYPE = 'aes256-sha1'
+SUPPORTED_ENCTYPES = ('aes256-sha2:special', 'aes128-sha2:special',
+                      'aes256-sha2:normal', 'aes128-sha2:normal',
+                      'aes256-cts:special', 'aes128-cts:special',
+                      'aes256-cts:normal', 'aes128-cts:normal',
+                      'camellia256-cts:special', 'camellia128-cts:special',
+                      'camellia256-cts:normal', 'camellia128-cts:normal')
+
 
 def get_pkinit_request_ca():
     """
@@ -252,6 +260,7 @@ class KrbInstance(service.Service):
         else:
             includes = ''
 
+        fips_enabled = tasks.is_fips_enabled()
         self.sub_dict = dict(FQDN=self.fqdn,
                              IP=self.ip,
                              PASSWORD=self.kdc_password,
@@ -269,7 +278,17 @@ class KrbInstance(service.Service):
                              KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM,
                              CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM,
                              INCLUDES=includes,
-                             FIPS='#' if tasks.is_fips_enabled() else '')
+                             FIPS='#' if fips_enabled else '')
+
+        if fips_enabled:
+            supported_enctypes = list(
+                filter(lambda e: not e.startswith('camelia'),
+                       SUPPORTED_ENCTYPES))
+        else:
+            supported_enctypes = SUPPORTED_ENCTYPES
+        self.sub_dict['SUPPORTED_ENCTYPES'] = ' '.join(supported_enctypes)
+
+        self.sub_dict['MASTER_KEY_TYPE'] = MASTER_KEY_TYPE
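Review bot: The FIPS filter `not e.startswith('camelia')` never matches, because every Camellia entry in SUPPORTED_ENCTYPES is spelled `camellia256-cts…` / `camellia128-cts…` (double "l"), so in FIPS mode the full list, Camellia included, is still written into kdc.conf's supported_enctypes — the opposite of what the commit description states. The fix is the spelling, `filter(lambda e: not e.startswith('camellia'), SUPPORTED_ENCTYPES))`, and a comprehension reads more directly: `supported_enctypes = [e for e in SUPPORTED_ENCTYPES if not e.startswith('camellia')]`. A unit test asserting that no entry of `self.sub_dict['SUPPORTED_ENCTYPES']` starts with `camellia` when FIPS is enabled would have caught this and will guard the prefix against future renames. The enclosing method starts and ends outside the hunk.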
 
         # IPA server/KDC is not a subdomain of default domain
         # Proper domain-realm mapping needs to be specified
-- 
2.34.1