From fc029043401bb852d2bfe8e8eccb926f50627b3b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Wed, 31 Jul 2024 11:44:57 +0300
Subject: [PATCH] ipalib/constants.py: factor out TripleDES use
Cryptography 43 started to warn that in version 48 it will remove TripleDES support. Change the code to detect missing TripleDES algorithm and do not fail.
Related: https://pagure.io/freeipa/issue/9641
Signed-off-by: Alexander Bokovoy
Reviewed-By: Rob Crittenden
---
 ipalib/constants.py | 7 ++++---
 ipaserver/install/ipa_otptoken_import.py | 15 +++++++++++----
 2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 60b62a21d..cb4889393 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -381,6 +381,7 @@ VAULT_WRAPPING_SUPPORTED_ALGOS = (
 VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_AES128_CBC
 # Add 3DES for backwards compatibility if supported
-if backend.cipher_supported(algorithms.TripleDES(b"\x00" * 8),
- modes.CBC(b"\x00" * 8)):
- VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,)
+if getattr(algorithms, 'TripleDES', None):
+ if backend.cipher_supported(algorithms.TripleDES(
+ b"\x00" * 8), modes.CBC(b"\x00" * 8)):
+ VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,)
diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
index d3f3d3cfa..e8a3a2457 100644
--- a/ipaserver/install/ipa_otptoken_import.py
+++ b/ipaserver/install/ipa_otptoken_import.py
@@ -42,6 +42,7 @@ from cryptography.hazmat.backends import default_backend
 from ipaplatform.paths import paths
 from ipapython import admintool
 from ipalib import api, errors
+from ipalib.constants import VAULT_WRAPPING_SUPPORTED_ALGOS, VAULT_WRAPPING_3DES
 from ipaserver.plugins.ldap2 import AUTOBIND_DISABLED
 if six.PY3:
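Review bot: The new guard `if getattr(algorithms, 'TripleDES', None):` keeps ipalib.constants importable once cryptography 48 drops the attribute, but it still reaches the class through the deprecated `algorithms.TripleDES` location, so on cryptography 43–47 the deprecation warning the commit message reacts to is presumably still emitted at import time (verify by running with DeprecationWarning turned into an error); the same access pattern remains in convertAlgorithm in ipaserver/install/ipa_otptoken_import.py and is not repeated there. cryptography 43 ships the same class as `cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES`, so importing from there first and falling back to the legacy attribute avoids the warning on new releases while keeping older ones working. Because this probe decides which wrapping algorithms the server advertises, the block also deserves a line saying that 3DES is only appended for backwards compatibility and that `VAULT_WRAPPING_DEFAULT_ALGO` (untouched in this hunk) stays AES128-CBC. A rewrite of the guarded block follows.
```python
# Add 3DES for backwards compatibility if supported; the default
# wrapping algorithm above stays AES128-CBC regardless.
# cryptography >= 43 ships TripleDES in the "decrepit" package and warns
# on the legacy algorithms.TripleDES alias, which is removed in 48.
try:
    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
except ImportError:  # cryptography < 43
    TripleDES = getattr(algorithms, 'TripleDES', None)
if TripleDES is not None and backend.cipher_supported(
        TripleDES(b"\x00" * 8), modes.CBC(b"\x00" * 8)):
    VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,)
```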
@@ -144,15 +145,13 @@ def convertHMACType(value):
 def convertAlgorithm(value):
 "Converts encryption URI to (mech, ivlen)."
- return {
+ supported_algs = {
 "http://www.w3.org/2001/04/xmlenc#aes128-cbc": (
 algorithms.AES, modes.CBC, 128),
 "http://www.w3.org/2001/04/xmlenc#aes192-cbc": (
 algorithms.AES, modes.CBC, 192),
 "http://www.w3.org/2001/04/xmlenc#aes256-cbc": (
 algorithms.AES, modes.CBC, 256),
- "http://www.w3.org/2001/04/xmlenc#tripledes-cbc": (
- algorithms.TripleDES, modes.CBC, 64),
 "http://www.w3.org/2001/04/xmldsig-more#camellia128": (
 algorithms.Camellia, modes.CBC, 128),
 "http://www.w3.org/2001/04/xmldsig-more#camellia192": (
@@ -168,7 +167,15 @@ def convertAlgorithm(value):
 # "http://www.w3.org/2001/04/xmldsig-more#kw-camellia128": "kw-camellia128",
 # "http://www.w3.org/2001/04/xmldsig-more#kw-camellia192": "kw-camellia192",
 # "http://www.w3.org/2001/04/xmldsig-more#kw-camellia256": "kw-camellia256",
- }.get(value.lower(), (None, None, None))
+ }
+
+ # We don't deal with VAULT here but if VAULT_WRAPPING_3DES is not present
+ # in the list of the vault wrapping algorithms, we cannot use 3DES anywhere
+ if VAULT_WRAPPING_3DES in VAULT_WRAPPING_SUPPORTED_ALGOS:
+ supported_algs["http://www.w3.org/2001/04/xmlenc#tripledes-cbc"] = (
+ algorithms.TripleDES, modes.CBC, 64)
+
+ return supported_algs.get(value.lower(), (None, None, None))
 def convertEncrypted(value, decryptor=None, pconv=base64.b64decode, econv=lambda x: x):
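Review bot: The docstring of convertAlgorithm still reads `"Converts encryption URI to (mech, ivlen)."` although the function returns a 3-tuple and, after the second hunk, maps the tripledes-cbc URI only when `VAULT_WRAPPING_3DES` is in `VAULT_WRAPPING_SUPPORTED_ALGOS`; a caller receiving `(None, None, None)` cannot tell an unknown URI from 3DES being absent in the installed cryptography. Suggest a docstring along the lines of: returns a tuple of (algorithm class, mode class, size) for a known xmlenc URI, or `(None, None, None)` when the URI is unknown or, for tripledes-cbc, when the cryptography library no longer provides TripleDES — so the import path can report "unsupported algorithm" instead of a generic failure. The added comment already admits that a vault constant is being used as a proxy for library support; if constants.py ever stops advertising 3DES for the vault on policy grounds, PSKC import would silently lose it too, so a direct check on the algorithm class would decouple the two. The function begins in the first hunk of this file section and the camellia entries between the two hunks are not shown here.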