named: Include crypto policy in openssl config

On platforms which have system-wide crypto policy the latter has to be included in openssl config. Fixes: https://pagure.io/freeipa/issue/8094 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-08-13 13:54:40 +03:00
parent ecfaf897b9
commit e2030b8cad
6 changed files with 36 additions and 4 deletions
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -49,6 +49,7 @@ dist_app_DATA =				\
 	bind.ipa-options-ext.conf.template	\
 	bind.named.conf.template	\
 	bind.openssl.cnf.template	\
+	bind.openssl.cryptopolicy.cnf.template	\
 	certmap.conf.template		\
 	kdc.conf.template		\
 	kdc_extensions.template		\
--- a/install/share/bind.openssl.cryptopolicy.cnf.template
+++ b/install/share/bind.openssl.cryptopolicy.cnf.template
@@ -0,0 +1,21 @@
+# OpenSSL configuration file
+# File generated by IPA instalation
+openssl_conf = openssl_init
+
+[openssl_init]
+ssl_conf = ssl_configuration
+engines = engine_section
+
+[ssl_configuration]
+system_default = crypto_policy
+
+[crypto_policy]
+.include $CRYPTO_POLICY_FILE
+
+[engine_section]
+$OPENSSL_ENGINE = ${OPENSSL_ENGINE}_section
+
+[${OPENSSL_ENGINE}_section]
+engine_id = $OPENSSL_ENGINE
+MODULE_PATH = $SOFTHSM_MODULE
+init=0
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -26,6 +26,7 @@ import os

 class BasePathNamespace:
    BIN_HOSTNAMECTL = "/bin/hostnamectl"
+    CRYPTO_POLICY_OPENSSLCNF_FILE = None
    ECHO = "/bin/echo"
    FIPS_MODE_SETUP = "/usr/bin/fips-mode-setup"
    GZIP = "/bin/gzip"
--- a/ipaplatform/redhat/paths.py
+++ b/ipaplatform/redhat/paths.py
@@ -31,6 +31,9 @@ from ipaplatform.base.paths import BasePathNamespace


 class RedHatPathNamespace(BasePathNamespace):
+    CRYPTO_POLICY_OPENSSLCNF_FILE = (
+        '/etc/crypto-policies/back-ends/opensslcnf.config'
+    )
    # https://docs.python.org/2/library/platform.html#cross-platform
    if sys.maxsize > 2**32:
        LIBSOFTHSM2_SO = BasePathNamespace.LIBSOFTHSM2_SO_64
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -186,11 +186,17 @@ class DNSKeySyncInstance(service.Service):
            conf_file_dict = {
                'OPENSSL_ENGINE': constants.NAMED_OPENSSL_ENGINE,
                'SOFTHSM_MODULE': paths.LIBSOFTHSM2_SO,
+                'CRYPTO_POLICY_FILE': paths.CRYPTO_POLICY_OPENSSLCNF_FILE,
            }
+            if paths.CRYPTO_POLICY_OPENSSLCNF_FILE is None:
+                opensslcnf_tmpl = "bind.openssl.cnf.template"
+            else:
+                opensslcnf_tmpl = "bind.openssl.cryptopolicy.cnf.template"
+
            named_openssl_txt = ipautil.template_file(
-                os.path.join(paths.USR_SHARE_IPA_DIR,
-                             "bind.openssl.cnf.template"),
-                conf_file_dict)
+                os.path.join(paths.USR_SHARE_IPA_DIR, opensslcnf_tmpl),
+                conf_file_dict
+            )
            with open(paths.DNSSEC_OPENSSL_CONF, 'w') as f:
                os.fchmod(f.fileno(), 0o640)
                os.fchown(f.fileno(), 0, self.named_gid)
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -989,7 +989,7 @@ class TestIPACommand(IntegrationTest):

        # get minimum version from current crypto-policy
        openssl_cnf = self.master.get_file_contents(
-            "/etc/crypto-policies/back-ends/opensslcnf.config",
+            paths.CRYPTO_POLICY_OPENSSLCNF_FILE,
            encoding="utf-8"
        )
        mo = re.search(r"MinProtocol\s*=\s*(TLSv[0-9.]+)", openssl_cnf)