Vault: fix interoperability issues with older RHEL systems

AES-128-CBC was recently enabled as the default wrapping algorithm for transport of secrets.
This change was made in favor of FIPS, since crypto-policies disabled 3DES in RHEL9, but
setting AES as the default ended up breaking backward compatibility with older RHEL systems.

This commit is tuning some defaults so that interoperability with older RHEL systems
works again. The new logic reflects:

- when an old client is calling a new server, it doesn't send any value for wrapping_algo
  and the old value is used (3DES), so that the client can decrypt using 3DES.

- when a new client is calling a new server, it sends wrapping_algo = AES128_CBC

- when a new client is calling an old server, it doesn't send any value and the default is
  to use 3DES.

Finally, as this logic is able to handle overlapping wrapping algorithm between server and
client, the Option "--wrapping-algo" is hidden from "ipa vault-archive --help" and "ipa
vault-retrieve --help" commands.

Fixes: https://pagure.io/freeipa/issue/9259
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Francisco Trivino 2022-10-04 17:26:51 +02:00 committed by Rob Crittenden
parent d9ecb12d57
commit 93548f2569
4 changed files with 10 additions and 9 deletions


@ -6667,7 +6667,7 @@ option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
option: Bytes('vault_data')
option: Str('version?')
option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
@ -6767,7 +6767,7 @@ option: Bytes('session_key')
option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
option: Str('version?')
option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')


@ -86,8 +86,8 @@ define(IPA_DATA_VERSION, 20100614120000)
# #
########################################################
define(IPA_API_VERSION_MAJOR, 2)
# Last change: deprecate idnssoaserial in dnszone.
define(IPA_API_VERSION_MINOR, 250)
# Last change: fix vault interoperability issues.
define(IPA_API_VERSION_MINOR, 251)
########################################################
# Following values are auto-generated from values above


@ -687,7 +687,7 @@ class ModVaultData(Local):
default_algo = config.get('wrapping_default_algorithm')
if default_algo is None:
# old server
wrapping_algo = constants.VAULT_WRAPPING_AES128_CBC
wrapping_algo = constants.VAULT_WRAPPING_3DES
elif default_algo in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
# try to use server default
wrapping_algo = default_algo
@ -801,7 +801,8 @@ class vault_archive(ModVaultData):
if option.name not in ('nonce',
'session_key',
'vault_data',
'version'):
'version',
'wrapping_algo'):
yield option
for option in super(vault_archive, self).get_options():
yield option
@ -1053,7 +1054,7 @@ class vault_retrieve(ModVaultData):
def get_options(self):
for option in self.api.Command.vault_retrieve_internal.options():
if option.name not in ('session_key', 'version'):
if option.name not in ('session_key', 'version', 'wrapping_algo'):
yield option
for option in super(vault_retrieve, self).get_options():
yield option
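Review bot: The `# old server` branch now selects `constants.VAULT_WRAPPING_3DES`, which the commit message itself says crypto-policies disable on RHEL9, so a client under such a policy that talks to an old server will still fail, only later when the secret is actually wrapped rather than at this branch; the comment should say so, e.g. `# old server: only 3DES is understood; wrapping will fail on a client whose crypto-policy disables 3DES`. The enclosing ModVaultData method starts before the hunk and its remaining branches follow it, so I cannot tell from here whether that failure surfaces as a clear error. In the two get_options hunks, filtering 'wrapping_algo' out of the yielded options appears to remove the option from the client command altogether rather than only hiding it from --help as the description says, which is fine if intended but worth stating in the commit message.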


@ -1051,7 +1051,7 @@ class vault_archive_internal(PKQuery):
'wrapping_algo?',
doc=_('Key wrapping algorithm'),
values=VAULT_WRAPPING_SUPPORTED_ALGOS,
default=VAULT_WRAPPING_DEFAULT_ALGO,
default=VAULT_WRAPPING_3DES,
autofill=True,
),
)
@ -1130,7 +1130,7 @@ class vault_retrieve_internal(PKQuery):
'wrapping_algo?',
doc=_('Key wrapping algorithm'),
values=VAULT_WRAPPING_SUPPORTED_ALGOS,
default=VAULT_WRAPPING_DEFAULT_ALGO,
default=VAULT_WRAPPING_3DES,
autofill=True,
),
)
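Review bot: The server-side default for 'wrapping_algo?' is now `VAULT_WRAPPING_3DES` on both vault_archive_internal and vault_retrieve_internal, so any caller that omits the option gets 3DES wrapping even when both sides support AES; only the explicit value a new client sends keeps AES in use. Nothing at the definition explains why this default differs from `VAULT_WRAPPING_DEFAULT_ALGO`, so add a comment above `default=VAULT_WRAPPING_3DES,`: `# 3DES rather than VAULT_WRAPPING_DEFAULT_ALGO: clients predating wrapping_algo never send it and can only unwrap 3DES; new clients request AES explicitly.` The same comment belongs in the vault_retrieve_internal hunk. Both takes_options tuples start and end outside their hunks.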