From c6b9b76307faa001670bc990fbe88aeb23bad403 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Wed, 26 Apr 2017 18:15:40 +0200
Subject: [PATCH] Vault: Explicitly default to 3DES CBC
|
The server-side plugin for IPA Vault relied on the fact that the default
OID for the encryption algorithm is 3DES in CBC mode (DES-EDE3-CBC). Dogtag
10.4 has changed the default from 3DES to AES. Pass the correct
algorithm OID to KeyClient.archive_encrypted_data().
|
Closes: https://pagure.io/freeipa/issue/6899
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
---
ipaserver/plugins/vault.py | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
|
diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py
index 57e1ed7800063822f87da5a71f0f3a0df4d8dd33..d46aca821d2ec94a38dd7cc930f26038d5d80a90 100644
--- a/ipaserver/plugins/vault.py
+++ b/ipaserver/plugins/vault.py
@@ -38,6 +38,14 @@ from ipapython.dn import DN
if api.env.in_server:
import pki.account
import pki.key
+ # pylint: disable=no-member
+ try:
+ # pki >= 10.4.0
+ from pki.crypto import DES_EDE3_CBC_OID
+ except ImportError:
+ DES_EDE3_CBC_OID = pki.key.KeyClient.DES_EDE3_CBC_OID
+ # pylint: enable=no-member
+
|
if six.PY3:
unicode = str
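Review bot: The `except ImportError` fallback on the added lines assumes every pre-10.4 pki exposes `pki.key.KeyClient.DES_EDE3_CBC_OID`; if that attribute is also absent, the plugin module fails to import with an AttributeError rather than a clear message. Worth stating the compatibility contract in the comment so the next maintainer knows which pki versions each branch covers, e.g. `# pki < 10.4.0: the OID constant lived on KeyClient (presumably the same DES-EDE3-CBC value)`. The try/except sits inside the `if api.env.in_server:` block, which begins before the hunk.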
@@ -1059,8 +1067,8 @@ class vault_archive_internal(PKQuery):
pki.key.KeyClient.PASS_PHRASE_TYPE,
wrapped_vault_data,
wrapped_session_key,
- None,
- nonce,
+ algorithm_oid=DES_EDE3_CBC_OID,
+ nonce_iv=nonce,
)
|
kra_account.logout()
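Review bot: The call now pins the archive algorithm to DES-EDE3-CBC, a legacy 64-bit-block cipher; the pin is right for compatibility with the client-side wrapping the commit message describes, but nothing at the call site says so, and a later reader may "upgrade" it without realizing the client must change in lockstep. Suggest a comment above `algorithm_oid=DES_EDE3_CBC_OID,`: `# Must match the cipher the vault client used to wrap the data; Dogtag 10.4 changed the default to AES, so pass the OID explicitly.` Tracking a coordinated move of both client and server to an AES wrapping algorithm would be the longer-term mitigation. The enclosing method of vault_archive_internal begins before the hunk.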
--
2.12.2