Use system-wide crypto-policies on Fedora

HTTPS connections from IPA framework and bind named instance now use system-wide crypto-policies on Fedora. For HTTPS the 'DEFAULT' crypto policy also includes unnecessary ciphers for PSK, SRP, aDSS and 3DES. Since these ciphers are not used by freeIPA, they are explicitly excluded. See: https://bugzilla.redhat.com/show_bug.cgi?id=1179925 See: https://bugzilla.redhat.com/show_bug.cgi?id=1179220 Fixes: https://pagure.io/freeipa/issue/4853 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2024-12-23 07:33:27 -06:00 · 2018-02-09 11:50:32 +01:00 · 2018-02-09 11:50:32 +01:00 · 90a75f0d43
commit 90a75f0d43
parent db2222fee4
8 changed files with 28 additions and 8 deletions
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@ -21,6 +21,9 @@ options {
 	bindkeys-file "$BINDKEYS_FILE";

 	managed-keys-directory "$MANAGED_KEYS_DIR";
+
+	/* crypto policy snippet on platforms with system-wide policy. */
+	$INCLUDE_CRYPTO_POLICY
 };

 /* If you want to enable debugging, eg. using the 'rndc trace' command,
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@ -304,9 +304,7 @@ TLS_VERSIONS = [
    "tls1.2"
 ]
 TLS_VERSION_MINIMAL = "tls1.0"
-# high ciphers without RC4, MD5, TripleDES, pre-shared key
-# and secure remote password
-TLS_HIGH_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP"
+

 # Use cache path
 USER_CACHE_PATH = (
--- a/ipalib/util.py
+++ b/ipalib/util.py
@ -56,9 +56,10 @@ except ImportError:
 from ipalib import errors, messages
 from ipalib.constants import (
    DOMAIN_LEVEL_0,
-    TLS_VERSIONS, TLS_VERSION_MINIMAL, TLS_HIGH_CIPHERS
+    TLS_VERSIONS, TLS_VERSION_MINIMAL
 )
 from ipalib.text import _
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipapython.ssh import SSHPublicKey
 from ipapython.dn import DN, RDN
@ -335,9 +336,9 @@ def create_https_connection(
        ssl.OP_SINGLE_ECDH_USE
    )

-    # high ciphers without RC4, MD5, TripleDES, pre-shared key
-    # and secure remote password
-    ctx.set_ciphers(TLS_HIGH_CIPHERS)
+    # high ciphers without RC4, MD5, TripleDES, pre-shared key and secure
+    # remote password. Uses system crypto policies on some platforms.
+    ctx.set_ciphers(constants.TLS_HIGH_CIPHERS)

    # pylint: enable=no-member
    # set up the correct TLS version flags for the SSL context
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@ -42,6 +42,9 @@ class BaseConstantsNamespace(object):
    # WSGI module override, only used on Fedora
    MOD_WSGI_PYTHON2 = None
    MOD_WSGI_PYTHON3 = None
+    # high ciphers without RC4, MD5, TripleDES, pre-shared key, secure
+    # remote password, and DSA cert authentication.
+    TLS_HIGH_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP:!aDSS"


 constants = BaseConstantsNamespace()
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@ -81,6 +81,7 @@ class BasePathNamespace(object):
    NAMED_ROOT_KEY = "/etc/named.root.key"
    NAMED_BINDKEYS_FILE = "/etc/named.iscdlv.key"
    NAMED_MANAGED_KEYS_DIR = "/var/named/dynamic"
+    NAMED_CRYPTO_POLICY_FILE = None
    NSLCD_CONF = "/etc/nslcd.conf"
    NSS_LDAP_CONF = "/etc/nss_ldap.conf"
    NSSWITCH_CONF = "/etc/nsswitch.conf"
--- a/ipaplatform/fedora/constants.py
+++ b/ipaplatform/fedora/constants.py
@ -16,5 +16,10 @@ class FedoraConstantsNamespace(RedHatConstantsNamespace):
    MOD_WSGI_PYTHON2 = "modules/mod_wsgi.so"
    MOD_WSGI_PYTHON3 = "modules/mod_wsgi_python3.so"

+    # System-wide crypto policy, but without TripleDES, pre-shared key,
+    # secure remote password, and DSA cert authentication.
+    # see https://fedoraproject.org/wiki/Changes/CryptoPolicy
+    TLS_HIGH_CIPHERS = "PROFILE=SYSTEM:!3DES:!PSK:!SRP:!aDSS"
+

 constants = FedoraConstantsNamespace()
--- a/ipaplatform/fedora/paths.py
+++ b/ipaplatform/fedora/paths.py
@ -30,6 +30,7 @@ class FedoraPathNamespace(RedHatPathNamespace):
    HTTPD_IPA_WSGI_MODULES_CONF = (
        "/etc/httpd/conf.modules.d/02-ipa-wsgi.conf"
    )
+    NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"


 paths = FedoraPathNamespace()
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@ -768,6 +768,13 @@ class BindInstance(service.Service):
            logger.debug("Unable to mask named (%s)", e)

    def __setup_sub_dict(self):
+        if paths.NAMED_CRYPTO_POLICY_FILE is not None:
+            crypto_policy = 'include "{}";'.format(
+                paths.NAMED_CRYPTO_POLICY_FILE
+            )
+        else:
+            crypto_policy = "// not available"
+
        self.sub_dict = dict(
            FQDN=self.fqdn,
            SERVER_ID=installutils.realm_to_serverid(self.realm),
@ -780,7 +787,8 @@ class BindInstance(service.Service):
            NAMED_PID=paths.NAMED_PID,
            NAMED_VAR_DIR=paths.NAMED_VAR_DIR,
            BIND_LDAP_SO=paths.BIND_LDAP_SO,
-            )
+            INCLUDE_CRYPTO_POLICY=crypto_policy,
+        )

    def __setup_dns_container(self):
        self._ldap_mod("dns.ldif", self.sub_dict)