From c643e56e4c45b7cb61aa53989657143627c23e04 Mon Sep 17 00:00:00 2001 From: Francisco Trivino Date: Nov 22 2022 06:56:00 +0000 Subject: Vault: fix interoperability issues with older RHEL systems AES-128-CBC was recently enabled as default wrapping algorithm for transport of secrets. This change was done in favor of FIPS as crypto-policies disabled 3DES in RHEL9, but setting AES as default ended-up breaking backwards compatibility with older RHEL systems. This commit is tuning some defaults so that interoperability with older RHEL systems works again. The new logic reflects: - when an old client is calling a new server, it doesn't send any value for wrapping_algo and the old value is used (3DES), so that the client can decrypt using 3DES. - when a new client is calling a new server, it sends wrapping_algo = AES128_CBC - when a new client is calling an old server, it doesn't send any value and the default is to use 3DES. Finally, as this logic is able to handle overlapping wrapping algorithm between server and client, the Option "--wrapping-algo" is hidden from "ipa vault-archive --help" and "ipa vault-retrieve --help" commands. Fixes: https://pagure.io/freeipa/issue/9259 Signed-off-by: Francisco Trivino Reviewed-By: Florence Blanc-Renaud Reviewed-By: Rob Crittenden
---
diff --git a/API.txt b/API.txt
index 9892211..2bd1cc2 100644
--- a/API.txt
+++ b/API.txt
@@ -6666,7 +6666,7 @@ option: Flag('shared?', autofill=True, default=False)
 option: Str('username?', cli_name='user')
 option: Bytes('vault_data')
 option: Str('version?')
-option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
 output: Entry('result')
 output: Output('summary', type=[, ])
 output: PrimaryKey('value')
@@ -6766,7 +6766,7 @@ option: Bytes('session_key')
 option: Flag('shared?', autofill=True, default=False)
 option: Str('username?', cli_name='user')
 option: Str('version?')
-option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
 output: Entry('result')
 output: Output('summary', type=[, ])
 output: PrimaryKey('value')
diff --git a/VERSION.m4 b/VERSION.m4
index 7d60b01..b4b1774 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -86,8 +86,8 @@ define(IPA_DATA_VERSION, 20100614120000) # #
 ########################################################
 define(IPA_API_VERSION_MAJOR, 2)
-# Last change: add graceperiodlimit
-define(IPA_API_VERSION_MINOR, 248)
+# Last change: fix vault interoperability issues.
+define(IPA_API_VERSION_MINOR, 251)
 ########################################################
 # Following values are auto-generated from values above
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index 115171c..d4c84eb 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -687,7 +687,7 @@ class ModVaultData(Local):
 default_algo = config.get('wrapping_default_algorithm')
 if default_algo is None:
 # old server
- wrapping_algo = constants.VAULT_WRAPPING_AES128_CBC
+ wrapping_algo = constants.VAULT_WRAPPING_3DES
 elif default_algo in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
 # try to use server default
 wrapping_algo = default_algo
@@ -801,7 +801,8 @@ class vault_archive(ModVaultData):
 if option.name not in ('nonce',
 'session_key',
 'vault_data',
- 'version'):
+ 'version',
+ 'wrapping_algo'):
 yield option
 for option in super(vault_archive, self).get_options():
 yield option
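Review bot: The `# old server` branch now silently selects 3DES whenever `wrapping_default_algorithm` is absent from the server config, and on a client whose crypto policy has 3DES disabled (the FIPS/RHEL 9 case the commit message describes) that choice will only surface later, at wrap time, with nothing tying the failure to this compatibility fallback. The one-word comment should carry the intent so the next cleanup does not restore AES here: `# old server (no wrapping_default_algorithm in config): a pre-AES server can only unwrap 3DES, so use it even on clients whose crypto policy may reject it`. A debug-level log of which algorithm was chosen and which branch chose it would also make the three-way negotiation from the commit message visible in diagnostics. The enclosing ModVaultData method starts and ends outside the hunk.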
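Review bot: Adding `'wrapping_algo'` to the exclusion tuple in vault_archive.get_options removes the user's only way to override the negotiated algorithm, yet nothing in the hunk records why, so a reader will assume the option is merely unimplemented on the client. Add a comment above the tuple: `# 'wrapping_algo' is negotiated in ModVaultData from the server's wrapping_default_algorithm; it is hidden here so callers cannot force an algorithm the peer cannot unwrap`. The vault_retrieve.get_options hunk at `@@ -1053,7 +1054,7 @@` makes the same change and needs the same comment. The body of get_options begins before this hunk.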
@@ -1053,7 +1054,7 @@ class vault_retrieve(ModVaultData):
 def get_options(self):
 for option in self.api.Command.vault_retrieve_internal.options():
- if option.name not in ('session_key', 'version'):
+ if option.name not in ('session_key', 'version', 'wrapping_algo'):
 yield option
 for option in super(vault_retrieve, self).get_options():
 yield option
diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py
index 4d40f66..574c83a 100644
--- a/ipaserver/plugins/vault.py
+++ b/ipaserver/plugins/vault.py
@@ -1051,7 +1051,7 @@ class vault_archive_internal(PKQuery):
 'wrapping_algo?',
 doc=_('Key wrapping algorithm'),
 values=VAULT_WRAPPING_SUPPORTED_ALGOS,
- default=VAULT_WRAPPING_DEFAULT_ALGO,
+ default=VAULT_WRAPPING_3DES,
 autofill=True,
 ),
 )
@@ -1130,7 +1130,7 @@ class vault_retrieve_internal(PKQuery):
 'wrapping_algo?',
 doc=_('Key wrapping algorithm'),
 values=VAULT_WRAPPING_SUPPORTED_ALGOS,
- default=VAULT_WRAPPING_DEFAULT_ALGO,
+ default=VAULT_WRAPPING_3DES,
 autofill=True,
 ),
 )
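Review bot: `default=VAULT_WRAPPING_3DES` in vault_archive_internal now sits next to `values=VAULT_WRAPPING_SUPPORTED_ALGOS` with nothing explaining why the default is the weaker of the two algorithms, or that `VAULT_WRAPPING_DEFAULT_ALGO` (presumably still what the server advertises as `wrapping_default_algorithm`) is deliberately not used here, so a later cleanup is likely to "fix" it back. Add a comment on the default line: `# 3DES rather than VAULT_WRAPPING_DEFAULT_ALGO: only pre-AES clients omit this option and they can unwrap nothing else; current clients always send it explicitly`. The vault_retrieve_internal hunk at `@@ -1130,7 +1130,7 @@` needs the same comment. Worth confirming, outside this hunk, that a server whose crypto policy disables 3DES rejects this legacy path with an explicit error rather than an opaque backend exception.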