Overview

File 0008-policies-modules-update-AD-SUPPORT-add-AD-SUP.patch of Package crypto-policies.37510

From 3a96e57a9db08ee5ad8994339f50fddcaf364b75 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Oct 2024 13:45:33 +0200
Subject: [PATCH 1/2] FIPS-krb5: Do not allow aes256-cts-hmac-sha1-96 or
 aes128-cts-hmac-sha1-96

These encryption types use the non-certified KRBKDF algorithm from RFC 3961.

Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
 policies/FIPS.pol                          | 2 +-
 tests/outputs/FIPS-krb5.txt                | 2 +-
 tests/outputs/FIPS:ECDHE-ONLY-krb5.txt     | 2 +-
 tests/outputs/FIPS:NO-ENFORCE-EMS-krb5.txt | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/policies/FIPS.pol b/policies/FIPS.pol
index d965612..0cf28e9 100644
--- a/policies/FIPS.pol
+++ b/policies/FIPS.pol
@@ -13,7 +13,7 @@
 # TLS protocols: TLS >= 1.2, DTLS >= 1.2
 
 mac = AEAD HMAC-SHA2-256 HMAC-SHA1 HMAC-SHA2-384 HMAC-SHA2-512
-mac@Kerberos = HMAC-SHA2-384 HMAC-SHA2-256 AEAD HMAC-SHA2-512 HMAC-SHA1
+mac@Kerberos = HMAC-SHA2-384 HMAC-SHA2-256 AEAD HMAC-SHA2-512
 
 group = SECP256R1 SECP521R1 SECP384R1 \
         FFDHE-2048 FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
diff --git a/tests/outputs/FIPS-krb5.txt b/tests/outputs/FIPS-krb5.txt
index 415dcb3..449348d 100644
--- a/tests/outputs/FIPS-krb5.txt
+++ b/tests/outputs/FIPS-krb5.txt
@@ -1,2 +1,2 @@
 [libdefaults]
-permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
diff --git a/tests/outputs/FIPS:ECDHE-ONLY-krb5.txt b/tests/outputs/FIPS:ECDHE-ONLY-krb5.txt
index 415dcb3..449348d 100644
--- a/tests/outputs/FIPS:ECDHE-ONLY-krb5.txt
+++ b/tests/outputs/FIPS:ECDHE-ONLY-krb5.txt
@@ -1,2 +1,2 @@
 [libdefaults]
-permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
diff --git a/tests/outputs/FIPS:NO-ENFORCE-EMS-krb5.txt b/tests/outputs/FIPS:NO-ENFORCE-EMS-krb5.txt
index 415dcb3..449348d 100644
--- a/tests/outputs/FIPS:NO-ENFORCE-EMS-krb5.txt
+++ b/tests/outputs/FIPS:NO-ENFORCE-EMS-krb5.txt
@@ -1,2 +1,2 @@
 [libdefaults]
-permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
-- 
2.46.1


From 7024ebef466ec094b52ae46f89abad49063e94db Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Tue, 22 Feb 2022 19:43:54 +0100
Subject: [PATCH 2/2] RHEL-9: policies/modules: update AD-SUPPORT, add
 AD-SUPPORT-LEGACY

renames AD-SUPPORT to AD-SUPPORT-LEGACY (the RC4 enctype),
updates AD-SUPPORT with much less drastic AD interoperability measures

(cherry picked from commit 92b52f1265ea8b360ac163f61c3867f76f383a75)
---
 policies/modules/AD-SUPPORT-LEGACY.pmod              |  9 +++++++++
 policies/modules/AD-SUPPORT.pmod                     | 12 ++++++------
 .../modules/AD-SUPPORT-LEGACY.pmod                   |  8 ++++++++
 tests/alternative-policies/modules/AD-SUPPORT.pmod   | 12 ++++++------
 tests/outputs/LEGACY:AD-SUPPORT-krb5.txt             |  2 +-
 5 files changed, 30 insertions(+), 13 deletions(-)
 create mode 100644 policies/modules/AD-SUPPORT-LEGACY.pmod
 create mode 100644 tests/alternative-policies/modules/AD-SUPPORT-LEGACY.pmod

diff --git a/policies/modules/AD-SUPPORT-LEGACY.pmod b/policies/modules/AD-SUPPORT-LEGACY.pmod
new file mode 100644
index 0000000..4c75852
--- /dev/null
+++ b/policies/modules/AD-SUPPORT-LEGACY.pmod
@@ -0,0 +1,9 @@
+# AD-SUPPORT-LEGACY subpolicy is intended to be used in Active Directory
+# environments where either accounts or trusted domain objects were not yet
+# migrated to AES or future encryption types.
+# This subpolicy enables all AES and RC4 Kerberos encryption types
+# to maximize Active Directory interoperability at the expense of security.
+
+cipher@kerberos = AES-256-CBC+ AES-128-CBC+ RC4-128+
+mac@kerberos = HMAC-SHA2-384+ HMAC-SHA2-256+ HMAC-SHA1+
+hash@kerberos = MD5+
diff --git a/policies/modules/AD-SUPPORT.pmod b/policies/modules/AD-SUPPORT.pmod
index 592fc23..6ba7dd7 100644
--- a/policies/modules/AD-SUPPORT.pmod
+++ b/policies/modules/AD-SUPPORT.pmod
@@ -1,7 +1,7 @@
-# AD-SUPPORT subpolicy is intended to be used in Active Directory
-# environments where either accounts or trusted domain objects were not yet
-# migrated to AES or future encryption types. Active Directory implicitly
-# requires RC4 and MD5 (arcfour-hmac-md5) in Kerberos by default.
+# AD-SUPPORT subpolicy is intended to be used in Active Directory environments.
+# This subpolicy is provided for enabling aes256-cts-hmac-sha1-96,
+# the strongest Kerberos encryption type interoperable with Active Directory.
+
+cipher@kerberos = AES-256-CBC+
+mac@kerberos = HMAC-SHA1+
 
-cipher@kerberos = RC4-128+
-hash@kerberos = MD5+
diff --git a/tests/alternative-policies/modules/AD-SUPPORT-LEGACY.pmod b/tests/alternative-policies/modules/AD-SUPPORT-LEGACY.pmod
new file mode 100644
index 0000000..b506089
--- /dev/null
+++ b/tests/alternative-policies/modules/AD-SUPPORT-LEGACY.pmod
@@ -0,0 +1,8 @@
+# AD-SUPPORT subpolicy is intended to be used in Active Directory
+# environments where either accounts or trusted domain objects were not yet
+# migrated to AES or future encryption types. Active Directory implicitly
+# requires RC4 and MD5 (arcfour-hmac-md5) in Kerberos by default.
+
+cipher@kerberos = *+ -CAMELLIA*
+hash@kerberos = *+
+mac@kerberos = *+
diff --git a/tests/alternative-policies/modules/AD-SUPPORT.pmod b/tests/alternative-policies/modules/AD-SUPPORT.pmod
index 592fc23..b904fce 100644
--- a/tests/alternative-policies/modules/AD-SUPPORT.pmod
+++ b/tests/alternative-policies/modules/AD-SUPPORT.pmod
@@ -1,7 +1,7 @@
-# AD-SUPPORT subpolicy is intended to be used in Active Directory
-# environments where either accounts or trusted domain objects were not yet
-# migrated to AES or future encryption types. Active Directory implicitly
-# requires RC4 and MD5 (arcfour-hmac-md5) in Kerberos by default.
+# AD-SUPPORT subpolicy is intended to be used in Active Directory environments.
+# This subpolicy is meant for enabling aes256-cts-hmac-sha1-96,
+# the strongest Kerberos encryption type interoperable with Active Directory.
+
+cipher@kerberos = AES-256-CBC+
+mac@kerberos = HMAC-SHA1+
 
-cipher@kerberos = RC4-128+
-hash@kerberos = MD5+
diff --git a/tests/outputs/LEGACY:AD-SUPPORT-krb5.txt b/tests/outputs/LEGACY:AD-SUPPORT-krb5.txt
index 277b468..8a92aec 100644
--- a/tests/outputs/LEGACY:AD-SUPPORT-krb5.txt
+++ b/tests/outputs/LEGACY:AD-SUPPORT-krb5.txt
@@ -1,2 +1,2 @@
 [libdefaults]
-permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac arcfour-hmac-md5
+permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
-- 
2.46.1
openSUSE Build Service is sponsored by
Places