Bug 2162461

Summary: Creating a user principal fails with "Cryptosystem internal error" when aes256-cts is used (FIPS)
Product: Red Hat Enterprise Linux 9
Reporter: Filip Dvorak <fdvorak>
Component: krb5
Assignee: Julien Rische <jrische>
Status: CLOSED ERRATA
QA Contact: Michal Polovka <mpolovka>
Severity: medium
Priority: unspecified
Version: 9.2
CC: amore, fdvorak, mpolovka
Target Milestone: rc
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: krb5-1.20.1-5.el9
Doc Type: If docs needed, set a value
Last Closed: 2023-05-09 08:25:24 UTC
Type: Bug
Bug Blocks: 2144442

Description Filip Dvorak 2023-01-19 16:21:43 UTC
Description of problem:
Creating a user principal failed with "Cryptosystem internal error while creating "bob"" when the aes128-cts or aes256-cts enctypes were used (these enctypes use SHA1) in FIPS mode.

Version-Release number of selected component (if applicable):
RHEL-9.2.0-20230115.7
krb5-server-1.20.1-3.el9.x86_64
crypto-policies-20221215-1.git9a18988.el9.noarch

How reproducible:


Steps to Reproduce:
1.fips-mode-setup --enable
2.update-crypto-policies --set FIPS:AD-SUPPORT
3. Set up krb5.conf:

   hostnamectl set-hostname kerberos.example.com
   echo $(hostname -I) kerberos.example.com >> /etc/hosts
   sed -i "s/\[libdefaults\]/[libdefaults]\n default_realm = EXAMPLE.COM/" /etc/krb5.conf
   sed -i "s/\[realms\]/[realms]\n EXAMPLE.COM = {\n  kdc = $KDC_HostName\n  admin_server = $KDC_HostName\n }/" /etc/krb5.conf
   sed -i "s/\[domain_realm\]/[domain_realm]\n .$KDC_DomainName = EXAMPLE.COM\n $KDC_DomainName = EXAMPLE.COM/" /etc/krb5.conf

kdc.conf
master_key_type = aes256-cts-hmac-sha384-192
supported_enctypes = aes256-cts:normal aes128-cts:normal aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal

4. kdb5_util create -s -P <passwd> -r EXAMPLE.COM

Actual results:
# kadmin.local -q "ank -pw bob bob"
Authenticating as principal root/admin with password.
[1929] 1674145082.705861: Retrieving K/M from FILE:/var/kerberos/krb5kdc/.k5.EXAMPLE.COM (vno 0, enctype 0) with result: 0/Success
No policy specified for bob; defaulting to no policy
add_principal: Cryptosystem internal error while creating "bob"

Expected results:
The user principal should be created with aes128/256-cts keys.

Additional info:
https://gitlab.com/redhat/centos-stream/rpms/krb5/-/commit/d5c38cc27b356822c57e317a03bfd047f60ba43a

Comment 1 Julien Rische 2023-01-30 16:10:06 UTC
*** Bug 2165529 has been marked as a duplicate of this bug. ***

Comment 2 Michal Polovka 2023-02-08 17:20:56 UTC
Pre-verified manually using a RHEL 9.2 machine with krb5-server-1.20.1-5.el9.x86_64

1. fips-mode-setup --enable
2. reboot
3. update-crypto-policies --set FIPS:AD-SUPPORT
4. reboot
5. install krb5-server-1.20.1-5.el9.x86_64
6. export KDC_HostName=127.0.0.1; export KDC_DomainName=kerberos.example.com
7. hostnamectl set-hostname kerberos.example.com
8. echo $(hostname -I) kerberos.example.com >> /etc/hosts
9. sed -i "s/\[libdefaults\]/[libdefaults]\n default_realm = EXAMPLE.COM/" /etc/krb5.conf
10. sed -i "s/\[realms\]/[realms]\n EXAMPLE.COM = {\n  kdc = $KDC_HostName\n  admin_server = $KDC_HostName\n }/" /etc/krb5.conf
11. sed -i "s/\[domain_realm\]/[domain_realm]\n .$KDC_DomainName = EXAMPLE.COM\n $KDC_DomainName = EXAMPLE.COM/" /etc/krb5.conf
12. edit /var/kerberos/krb5kdc/kdc.conf to contain:
master_key_type = aes256-cts-hmac-sha384-192
supported_enctypes = aes256-cts:normal aes128-cts:normal aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal
13. kdb5_util create -s -P Secret123 -r EXAMPLE.COM
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M'
14. kadmin.local -q "ank -pw bob bob"
Authenticating as principal root/admin with password.
No policy specified for bob; defaulting to no policy
Principal "bob" created.


Issue fixed, marking as pre-verified: tested.

Comment 5 Michal Polovka 2023-02-10 10:10:57 UTC
Verified manually using a RHEL 9.2 machine and krb5-server-1.20.1-5.el9.x86_64

1. fips-mode-setup --enable
2. reboot
3. update-crypto-policies --set FIPS:AD-SUPPORT
4. reboot
5. dnf install krb5-server
Installed:
  krb5-pkinit-1.20.1-5.el9.x86_64                   krb5-server-1.20.1-5.el9.x86_64                   libkadm5-1.20.1-5.el9.x86_64                   words-3.0-39.el9.noarch
6. export KDC_HostName=127.0.0.1; export KDC_DomainName=kerberos.example.com
7. hostnamectl set-hostname kerberos.example.com
8. echo $(hostname -I) kerberos.example.com >> /etc/hosts
9. sed -i "s/\[libdefaults\]/[libdefaults]\n default_realm = EXAMPLE.COM/" /etc/krb5.conf
10. sed -i "s/\[realms\]/[realms]\n EXAMPLE.COM = {\n  kdc = $KDC_HostName\n  admin_server = $KDC_HostName\n }/" /etc/krb5.conf
11. sed -i "s/\[domain_realm\]/[domain_realm]\n .$KDC_DomainName = EXAMPLE.COM\n $KDC_DomainName = EXAMPLE.COM/" /etc/krb5.conf
12. edit /var/kerberos/krb5kdc/kdc.conf to contain:
master_key_type = aes256-cts-hmac-sha384-192
supported_enctypes = aes256-cts:normal aes128-cts:normal aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal
13. kdb5_util create -s -P Secret123 -r EXAMPLE.COM
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M'
14. kadmin.local -q "ank -pw bob bob"
Authenticating as principal root/admin with password.
No policy specified for bob; defaulting to no policy
Principal "bob" created.

Note: the pre-verification comment contains some duplication in shell commands. This is the result of a terminal glitch; the commands were executed as seen in this comment.
Principal created, marking as verified.
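The reproduction steps in the Description and the verification steps in Comments 2 and 5 end at "Principal "bob" created.", which only shows that add_principal no longer aborts. The script below is an added example (not part of the bug report, the errata, or the krb5 project) that checks the outcome more tightly: it classifies the kadmin.local output, and then parses `getprinc` to confirm the principal actually received a key for each enctype in supported_enctypes, including the two SHA-1-based ones (aes256-cts and aes128-cts are krb5's aliases for aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96) that failed under FIPS before krb5-1.20.1-5.el9. The principal name "bob", the realm EXAMPLE.COM, the four-enctype list, and all sample kadmin output are assumptions or constructed data taken from the report's configuration, not captured from a real system; the live check runs only when invoked with --live on a host that has kadmin.local.

```shell
#!/usr/bin/env bash
# Added example, not from the bug report or the krb5 project. Verifies the
# result of the "ank" step and that every configured enctype produced a key.
# Assumptions (not from the report): principal "bob", realm EXAMPLE.COM, the
# four enctypes from the report's kdc.conf supported_enctypes line.
set -u

# Enctype names as kadmin prints them. aes256-cts / aes128-cts in kdc.conf are
# aliases for the two *-hmac-sha1-96 types whose key derivation failed in FIPS mode.
EXPECTED_ENCTYPES='aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128'

# Classify `kadmin.local -q "ank ..."` output:
#   0 = "Principal ... created.", 1 = the FIPS "Cryptosystem internal error"
#   from this bug, 2 = anything else.
classify_add_principal() {
  local out="$1"
  if printf '%s\n' "$out" | grep -q 'Cryptosystem internal error'; then
    return 1
  fi
  if printf '%s\n' "$out" | grep -q '^Principal ".*" created\.'; then
    return 0
  fi
  return 2
}

# Print the enctype from each "Key: vno N, <enctype>[:salttype]" line of
# `kadmin.local -q "getprinc <princ>"` output, one per line.
key_enctypes() {
  printf '%s\n' "$1" | sed -n 's/^Key: vno [0-9][0-9]*, \([^ ,:]*\).*/\1/p'
}

# Return 0 if the getprinc output has a key for every enctype in $2 (space
# separated); otherwise name each missing enctype on stderr and return 1.
check_expected_keys() {
  local getprinc_out="$1" expected="$2" have e rc=0
  have=$(key_enctypes "$getprinc_out")
  for e in $expected; do
    if ! printf '%s\n' "$have" | grep -qx "$e"; then
      echo "missing key for enctype $e" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Live check on a KDC (root, krb5-server installed). Uses -randkey so no
# password appears in the process list; getprinc then shows the derived keys.
live_check() {
  local princ="${1:-bob}" out
  command -v kadmin.local >/dev/null 2>&1 || { echo "kadmin.local not found; skipping live check"; return 0; }
  echo "fips_enabled=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo unknown) policy=$(update-crypto-policies --show 2>/dev/null || echo unknown)"
  rpm -q krb5-server 2>/dev/null || true
  out=$(kadmin.local -q "ank -randkey $princ" 2>&1)
  classify_add_principal "$out" || { echo "add_principal failed:"; printf '%s\n' "$out"; return 1; }
  check_expected_keys "$(kadmin.local -q "getprinc $princ" 2>&1)" "$EXPECTED_ENCTYPES"
}

# Constructed sample output (modelled on the report, not captured) so the
# checks can be exercised without a KDC.
SAMPLE_BROKEN='Authenticating as principal root/admin with password.
No policy specified for bob; defaulting to no policy
add_principal: Cryptosystem internal error while creating "bob"'

SAMPLE_FIXED='Authenticating as principal root/admin with password.
No policy specified for bob; defaulting to no policy
Principal "bob" created.'

SAMPLE_GETPRINC='Principal: bob@EXAMPLE.COM
Number of keys: 4
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Key: vno 1, aes256-cts-hmac-sha384-192
Key: vno 1, aes128-cts-hmac-sha256-128'

if [ "${1:-}" = "--live" ]; then
  live_check bob
else
  rc=0; classify_add_principal "$SAMPLE_BROKEN" || rc=$?
  echo "broken sample: rc=$rc (1 = Cryptosystem internal error)"
  rc=0; classify_add_principal "$SAMPLE_FIXED" || rc=$?
  echo "fixed sample: rc=$rc (0 = principal created)"
  if check_expected_keys "$SAMPLE_GETPRINC" "$EXPECTED_ENCTYPES"; then
    echo "all expected enctypes present in getprinc output"
  fi
fi
```

Without arguments the script runs only against the constructed samples; `./check-krb5-fips.sh --live` on the KDC after the steps above performs the real ank/getprinc round trip. A missing `aes256-cts-hmac-sha1-96` or `aes128-cts-hmac-sha1-96` key in the live output, with FIPS:AD-SUPPORT active, is the symptom to look for if an older krb5 build is still installed.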

Comment 7 errata-xmlrpc 2023-05-09 08:25:24 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: krb5 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2570