Bug 1768959

Summary: [FIPS] Don't add camellia KRB5 encsalttypes in FIPS mode
Product: Red Hat Enterprise Linux 8
Reporter: Rob Crittenden <rcritten>
Component: ipa
Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.0
CC: cheimes, ksiddiqu, myusuf, pasik, pcech, rcritten, tscherf
Target Milestone: rc
Target Release: 8.2
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.8.2-1.module+el8.2.0+4697+7171660c
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-04-28 15:44:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1760850

Description Rob Crittenden 2019-11-05 16:45:08 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/freeipa/issue/8111

``install/share/kerberos.ldif`` does not install camellia encsalttypes in FIPS mode. The lines are disabled with a conditional comment. But ``install/updates/50-krbenctypes.update`` is missing the same conditional. An update may install camellia based algorithms in FIPS mode.

Comment 3 Christian Heimes 2019-11-20 10:38:16 UTC
Fixed in IPA 4.8.2

Comment 6 Rob Crittenden 2020-02-05 14:03:28 UTC
This will only apply to new installations. To verify:

ldapsearch -Y GSSAPI -s base -b cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test krbSupportedEncSaltTypes

Ensure that camellia* are not included.

Specifically:

camellia128-cts-cmac:normal
camellia128-cts-cmac:special
camellia256-cts-cmac:normal
camellia256-cts-cmac:special

Comment 7 Mohammad Rizwan 2020-02-11 12:45:11 UTC
[root@master ~]# cat /proc/sys/crypto/fips_enabled 
1
[root@master ~]# ldapsearch -Y GSSAPI -s base -b cn=IPADOMAIN.COM,cn=kerberos,dc=ipadomain,dc=com krbSupportedEncSaltTypes
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=IPADOMAIN.COM,cn=kerberos,dc=ipadomain,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: krbSupportedEncSaltTypes 
#

# IPADOMAIN.COM, kerberos, ipadomain.com
dn: cn=IPADOMAIN.COM,cn=kerberos,dc=ipadomain,dc=com
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: aes128-sha2:normal
krbSupportedEncSaltTypes: aes128-sha2:special
krbSupportedEncSaltTypes: aes256-sha2:normal
krbSupportedEncSaltTypes: aes256-sha2:special

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1


camellia* is not included in the enctype. Hence marking the bug as verified.

Comment 8 Mohammad Rizwan 2020-02-11 12:45:46 UTC
version: ipa-server-4.8.4-4.module+el8.2.0+5591+1f878b19.x86_64
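
The verification described in comment 6 and performed by hand in comment 7, written up as a scripted check. This is an added example for this page, not FreeIPA's own code or part of the original bug report: it reads ldapsearch LDIF output from stdin, extracts the krbSupportedEncSaltTypes values and fails when any of them names a camellia enctype, so it can be dropped into a post-update FIPS acceptance test. The two sample LDIF blocks are constructed (the FIPS one mirrors the attribute list in comment 7, the non-FIPS one adds the four camellia values listed in comment 6); the realm EXAMPLE.TEST and suffix dc=example,dc=test used as defaults in check_realm are assumptions, as are all function names.

```shell
#!/bin/sh
# Added example (not FreeIPA code): script the check from comments 6 and 7.
# no_camellia_encsalttypes reads ldapsearch LDIF from stdin and returns 1 when
# any krbSupportedEncSaltTypes value names a camellia enctype, 0 otherwise.

# True when the kernel reports FIPS mode, the same check comment 7 runs by hand.
fips_enabled() {
    [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ]
}

# Select only krbSupportedEncSaltTypes attribute lines (LDIF "# ..." comments
# and the search:/result: trailer are skipped by the sed address) and keep the
# camellia values. Prints the offenders to stderr so a reviewer sees them.
no_camellia_encsalttypes() {
    found=$(sed -n 's/^krbSupportedEncSaltTypes:[[:space:]]*//p' \
            | grep -i '^camellia' || true)
    if [ -n "$found" ]; then
        printf 'camellia encsalttype(s) still advertised:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Number of camellia values in the LDIF on stdin (for reporting).
count_camellia() {
    sed -n 's/^krbSupportedEncSaltTypes:[[:space:]]*//p' \
        | grep -ci '^camellia' || true
}

# Live check against a server, the query from comment 6 with -LLL to drop the
# LDIF comment lines. Realm and suffix defaults are assumed values for
# illustration; pass your own. Needs a Kerberos ticket; not run below.
check_realm() {
    realm=${1:-EXAMPLE.TEST}
    suffix=${2:-dc=example,dc=test}
    ldapsearch -LLL -Y GSSAPI -s base \
        -b "cn=$realm,cn=kerberos,$suffix" krbSupportedEncSaltTypes \
        | no_camellia_encsalttypes
}

# Constructed sample (not captured from a server), in the shape of comment 7:
# the AES-only list a FIPS-mode install is expected to show.
FIPS_LDIF='# extended LDIF
dn: cn=IPADOMAIN.COM,cn=kerberos,dc=ipadomain,dc=com
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: aes128-sha2:normal
krbSupportedEncSaltTypes: aes128-sha2:special
krbSupportedEncSaltTypes: aes256-sha2:normal
krbSupportedEncSaltTypes: aes256-sha2:special

# search result
search: 4
result: 0 Success'

# Constructed: the same entry carrying the four camellia types from comment 6,
# i.e. what an unconditional update file could leave behind on a FIPS host.
NONFIPS_LDIF='dn: cn=IPADOMAIN.COM,cn=kerberos,dc=ipadomain,dc=com
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: camellia128-cts-cmac:normal
krbSupportedEncSaltTypes: camellia128-cts-cmac:special
krbSupportedEncSaltTypes: camellia256-cts-cmac:normal
krbSupportedEncSaltTypes: camellia256-cts-cmac:special'

# Offline wrappers so the check can be exercised without a server.
check_sample_fips()    { printf '%s\n' "$FIPS_LDIF"    | no_camellia_encsalttypes; }
check_sample_nonfips() { printf '%s\n' "$NONFIPS_LDIF" | no_camellia_encsalttypes 2>/dev/null; }
```

On a real host, run `fips_enabled && check_realm IPADOMAIN.COM dc=ipadomain,dc=com` after `kinit admin`; a non-zero exit with the camellia values printed means the realm container still advertises enctypes the FIPS policy will refuse, which is exactly the state the fixed update file is meant to prevent.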

Comment 12 errata-xmlrpc 2020-04-28 15:44:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:1640