Bug 2214297

Summary: PKINIT module initialization fails if a well-known MODP group cannot be loaded [rawhide]
Product: Fedora
Component: krb5
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Reporter: Julien Rische <jrische>
Assignee: Julien Rische <jrische>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abokovoy, antorres, cllang, dbelyavs, fdvorak, ftrivino, hkario, jrische, j, mjurasek, mpolovka, sbose, ssorce
Fixed In Version: krb5-1.21-2.fc38
Doc Type: If docs needed, set a value
Type: Bug
Clone Of: 2187722
Bug Depends On: 2187722
Bug Blocks: 2144442, 2209715
Last Closed: 2023-07-11 01:27:16 UTC

Description Julien Rische 2023-06-12 14:00:38 UTC
+++ This bug was initially created as a clone of Bug #2187722 +++

Description of problem:
PKINIT preauth stopped working (the MIT krb5 KDC does not send a PA-PK-AS-REQ message in KRB5KDC_ERR_PREAUTH_REQUIRED) with openssl-libs-3.0.7-9.el9_2 and newer in FIPS mode on RHEL 9.2.

Version-Release number of selected component (if applicable):
RHEL 9.2
krb5-server-1.20.1-8.el9.x86_64
openssl-libs-3.0.7-12.el9_2.x86_64


How reproducible:
always

Steps to Reproduce:
1. Set up PKINIT and generate certs (the certificates used and the generating script were attached)

kdc.conf (conf file was attached)
- add the pkinit options to kdc.conf
 pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
 pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
- supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal

- create user alice with the "REQUIRES_PRE_AUTH" attribute

krb5.conf (conf file was attached)
- add the pkinit options to krb5.conf
  pkinit_anchors = FILE:/etc/krb5/cacert.pem
  pkinit_identities = FILE:/etc/krb5/alice.pem,/etc/krb5/alicekey.pem

- fips-mode-setup --enable
- update-crypto-policies --set FIPS

Actual results:
# kinit alice
[68340] 1681826975.764972: Matching alice.COM in collection with result: 0/Success
[68340] 1681826975.764973: Getting initial credentials for alice.COM
[68340] 1681826975.764975: Sending unauthenticated request
[68340] 1681826975.764976: Sending request (192 bytes) to TEST.REDHAT.COM
[68340] 1681826975.764977: Resolving hostname xx
[68340] 1681826975.764978: Sending initial UDP request to dgram xx:88
[68340] 1681826975.764979: Received answer (249 bytes) from dgram xx:88
[68340] 1681826975.764980: Sending DNS URI query for _kerberos.TEST.REDHAT.COM.
[68340] 1681826975.764981: No URI records found
[68340] 1681826975.764982: Sending DNS SRV query for _kerberos-master._udp.TEST.REDHAT.COM.
[68340] 1681826975.764983: Sending DNS SRV query for _kerberos-master._tcp.TEST.REDHAT.COM.
[68340] 1681826975.764984: No SRV records found
[68340] 1681826975.764985: Response was not from primary KDC
[68340] 1681826975.764986: Received error from KDC: -1765328359/Additional pre-authentication required
[68340] 1681826975.764989: Preauthenticating using KDC method data
[68340] 1681826975.764990: Processing preauth types: PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
[68340] 1681826975.764991: Selected etype info: etype aes256-sha2, salt "TEST.REDHAT.COMalice", params ""
[68340] 1681826975.764992: Received cookie: MIT
Password for alice.COM:
...

Expected results:
# kinit alice
# klist 
Ticket cache: KCM:0
Default principal: alice.COM

Valid starting     Expires            Service principal
04/18/23 10:10:40  04/19/23 10:10:40  krbtgt/TEST.REDHAT.COM.COM
	renew until 04/18/23 10:10:40

Additional info:
- the same scenario (the same certificates + settings) passed with openssl-libs-3.0.7-6.el9_2.x86_64
- the non-FIPS scenario works

--- Additional comment from Julien Rische on 2023-05-23 16:28:18 UTC ---

This downstream merge request fixes the issue on the OpenSSL side by re-enabling the DHX key type:
https://gitlab.com/redhat/centos-stream/rpms/openssl/-/merge_requests/109

However, it will not be possible to load groups that are not considered well-known by OpenSSL. This is the case for group 2.

I opened a krb5 upstream pull request to allow the PKINIT plugin to be loaded if at least one of groups 2, 14, or 16 is available:
https://github.com/krb5/krb5/pull/1303
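
The reproduction steps from the description as one script, added here as an example; it is not the reporter's attached configuration or generating script. It assumes the realm TEST.REDHAT.COM (taken from the trace), a made-up KDC hostname kdc.test.redhat.com, and the certificate paths given in the steps. The two write_* functions produce the config files and can be run anywhere; reproduce() performs the privileged steps and only makes sense as root on the KDC host.

```shell
#!/bin/sh
# Added example (not the reporter's attached config or script): writes the
# PKINIT settings from the reproduction steps into a kdc.conf and a krb5.conf
# and runs the remaining steps. Assumptions: realm TEST.REDHAT.COM (from the
# trace), KDC host kdc.test.redhat.com (made up), cert paths from the report.

REALM="${REALM:-TEST.REDHAT.COM}"
KDC_HOST="${KDC_HOST:-kdc.test.redhat.com}"

# write_kdc_conf <path>: KDC side. pkinit_identity is the KDC's own cert and
# key (it signs PA-PK-AS-REP with it); pkinit_anchors is the CA that must
# have issued the client certificates. The option is singular here.
write_kdc_conf() {
    cat > "$1" <<EOF
[realms]
    $REALM = {
        supported_enctypes = aes256-cts-hmac-sha384-192:normal aes128-cts-hmac-sha256-128:normal
        pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
        pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdckey.pem
    }
EOF
}

# write_krb5_conf <path>: client side. Note the option is pkinit_identities
# (plural) in krb5.conf; pkinit_anchors here must contain the CA that issued
# the KDC certificate.
write_krb5_conf() {
    cat > "$1" <<EOF
[libdefaults]
    default_realm = $REALM

[realms]
    $REALM = {
        kdc = $KDC_HOST
        admin_server = $KDC_HOST
        pkinit_anchors = FILE:/etc/krb5/cacert.pem
        pkinit_identities = FILE:/etc/krb5/alice.pem,/etc/krb5/alicekey.pem
    }
EOF
}

# reproduce: the remaining steps; run as root on the KDC host only.
reproduce() {
    write_kdc_conf /var/kerberos/krb5kdc/kdc.conf
    write_krb5_conf /etc/krb5.conf
    # sets REQUIRES_PRE_AUTH on alice; kadmin prompts for the password
    kadmin.local -q "add_principal +requires_preauth alice"
    fips-mode-setup --enable
    update-crypto-policies --set FIPS
    echo "reboot for FIPS mode to take effect, then run: KRB5_TRACE=/dev/stderr kinit alice"
}
```

FIPS mode is only active after a reboot, so the kinit check belongs after that; with KRB5_TRACE set, the line "Processing preauth types:" shows whether the KDC offered PKINIT at all.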

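A check for the symptom shown in the "Actual results" trace, added here as an example and not part of the report: the "Processing preauth types:" line lists what the KDC offered in KRB5KDC_ERR_PREAUTH_REQUIRED, and PKINIT can only be used when PA-PK-AS-REQ (pa-type 16) is among them. Both sample traces are constructed: the first copies the broken case from the report, the second is what a KDC with a working PKINIT module is assumed to emit in the same format. Matching is on the type number, so it does not depend on the exact name the trace prints.

```shell
#!/bin/sh
# Added example (not from the bug report): inspect KRB5_TRACE output from
# kinit and tell whether the KDC advertised PKINIT (PA-PK-AS-REQ, pa-type 16)
# in its KRB5KDC_ERR_PREAUTH_REQUIRED hint list.

# Constructed sample: the broken case, copied from the report.
BROKEN_TRACE=$(mktemp)
cat > "$BROKEN_TRACE" <<'EOF'
[68340] 1681826975.764986: Received error from KDC: -1765328359/Additional pre-authentication required
[68340] 1681826975.764989: Preauthenticating using KDC method data
[68340] 1681826975.764990: Processing preauth types: PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
EOF

# Constructed sample: assumed good case, same format with the PKINIT hint present.
OK_TRACE=$(mktemp)
cat > "$OK_TRACE" <<'EOF'
[70001] 1681827000.100001: Received error from KDC: -1765328359/Additional pre-authentication required
[70001] 1681827000.100002: Preauthenticating using KDC method data
[70001] 1681827000.100003: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
EOF

# offered_preauth_types <trace>: print the pa-type numbers the KDC offered,
# one per line, in the order they appear in the trace.
offered_preauth_types() {
    grep 'Processing preauth types:' "$1" \
        | sed 's/.*Processing preauth types: //' \
        | tr ',' '\n' \
        | sed -n 's/.*(\([0-9][0-9]*\)).*/\1/p'
}

# kdc_offers_pkinit <trace>: exit 0 if pa-type 16 was offered, 1 otherwise.
kdc_offers_pkinit() {
    offered_preauth_types "$1" | grep -qx '16'
}

# diagnose <trace>: one-line verdict for an operator.
diagnose() {
    if kdc_offers_pkinit "$1"; then
        echo "PKINIT offered: KDC listed PA-PK-AS-REQ (16)"
    else
        echo "PKINIT not offered: KDC listed only types $(echo $(offered_preauth_types "$1")); kinit will fall back to password preauth"
    fi
}

diagnose "$BROKEN_TRACE"
diagnose "$OK_TRACE"
```

When the verdict is "not offered", the client configuration is not the first place to look: the KDC did not load or initialize its PKINIT module, which is exactly the case this bug describes.
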
Comment 1 Julien Rische 2023-06-12 14:46:15 UTC
Fedora pull request:
https://src.fedoraproject.org/rpms/krb5/pull-request/36

Comment 2 Fedora Update System 2023-06-13 13:41:28 UTC
FEDORA-2023-5cd7789569 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5cd7789569

Comment 3 Fedora Update System 2023-06-13 13:55:34 UTC
FEDORA-2023-5cd7789569 has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 4 Fedora Update System 2023-07-10 08:51:43 UTC
FEDORA-2023-f7841e7a29 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-f7841e7a29

Comment 5 Fedora Update System 2023-07-11 01:27:16 UTC
FEDORA-2023-f7841e7a29 has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.