Use FIPS-safe algorithms for cluster discover/join handshake

The peer discover/join handshake hardcoded the default PKCS1v15-SHA1
signing and OAEP-SHA1 encryption, which OpenSSL refuses under FIPS,
causing master startup to fail with UnsupportedAlgorithm during
discover_peers().

Sign sites now read self.opts["publish_signing_algorithm"] (already
set to PKCS1v15-SHA224 by FIPS test fixtures). Encrypt/decrypt sites
read a new master opt cluster_encryption_algorithm (default OAEP-SHA1,
overridden to OAEP-SHA224 in FIPS conftest), validated against
VALID_ENCRYPTION_ALGORITHMS. The two pre-existing OAEP-SHA224
hardcodes in send_aes_key_event/handle_pool_publish are folded into
the same opt for consistency.

Verified by running test_cluster_key_rotation in a Photon 5 container
with openssl-fips-provider installed; previously errored at master
startup, now passes in 67s.

Author: dwoz

salt/channel/server.py

@@ -2427,7 +2427,7 @@ def discover_peers(self):
                 }
             )
             key = salt.crypt.PrivateKeyString(self.private_key())
-            sig = key.sign(tosign)
+            sig = key.sign(tosign, algorithm=self.opts["publish_signing_algorithm"])
             data = {
                 "sig": sig,
                 "payload": tosign,
@@ -2457,7 +2457,9 @@ def send_aes_key_event(self):
                     hashlib.sha256(aes).hexdigest()
                 )
                 data["peers"][peer] = {
-                    "aes": pub.encrypt(aes, algorithm="OAEP-SHA224"),
+                    "aes": pub.encrypt(
+                        aes, algorithm=self.opts["cluster_encryption_algorithm"]
+                    ),
                     "sig": self.master_key.master_key.encrypt(digest),
                 }
             else:
@@ -2891,14 +2893,21 @@ async def handle_pool_publish(self, payload):
                     log.warning("Cluster join, token does not not match")
                     return
                 pubk = salt.crypt.PublicKeyString(payload["pub"])
-                if not pubk.verify(data["payload"], data["sig"]):
+                if not pubk.verify(
+                    data["payload"],
+                    data["sig"],
+                    algorithm=self.opts["publish_signing_algorithm"],
+                ):
                     log.warning("Cluster join signature invalid.")
                     return
 
                 log.info("Cluster join from %s", payload["peer_id"])
                 salted_secret = (
                     salt.crypt.PrivateKey.from_file(self.master_key.master_rsa_path)
-                    .decrypt(payload["secret"])
+                    .decrypt(
+                        payload["secret"],
+                        algorithm=self.opts["cluster_encryption_algorithm"],
+                    )
                     .decode()
                 )
 
@@ -2911,7 +2920,10 @@ async def handle_pool_publish(self, payload):
                 log.info("Peer %s joined cluster", payload["peer_id"])
                 salted_aes = (
                     salt.crypt.PrivateKey.from_file(self.master_key.master_rsa_path)
-                    .decrypt(payload["key"])
+                    .decrypt(
+                        payload["key"],
+                        algorithm=self.opts["cluster_encryption_algorithm"],
+                    )
                     .decode()
                 )
 
@@ -3025,13 +3037,20 @@ async def handle_pool_publish(self, payload):
                     cluster_pem_pem.encode()
                 )
                 wrapped_session = joiner_pub.encrypt(
-                    token_bytes + cluster_key_session.encode()
+                    token_bytes + cluster_key_session.encode(),
+                    algorithm=self.opts["cluster_encryption_algorithm"],
                 )
                 inner_payload = {
                     "return_token": payload["token"],
                     "peer_id": self.opts["id"],
-                    "aes": joiner_pub.encrypt(token_bytes + aes_secret),
-                    "cluster_aes": joiner_pub.encrypt(token_bytes + cluster_aes_secret),
+                    "aes": joiner_pub.encrypt(
+                        token_bytes + aes_secret,
+                        algorithm=self.opts["cluster_encryption_algorithm"],
+                    ),
+                    "cluster_aes": joiner_pub.encrypt(
+                        token_bytes + cluster_aes_secret,
+                        algorithm=self.opts["cluster_encryption_algorithm"],
+                    ),
                     "cluster_key_session": wrapped_session,
                     "cluster_pem": cluster_pem_ciphertext,
                     "cluster_pub": cluster_pub_pem,
@@ -3051,7 +3070,9 @@ async def handle_pool_publish(self, payload):
                     state_sync_session_id = new_session_id()
                     inner_payload["state_sync_session"] = state_sync_session_id
                 tosign = salt.payload.package(inner_payload)
-                sig = salt.crypt.PrivateKeyString(self.private_key()).sign(tosign)
+                sig = salt.crypt.PrivateKeyString(self.private_key()).sign(
+                    tosign, algorithm=self.opts["publish_signing_algorithm"]
+                )
                 event_data = salt.utils.event.SaltEvent.pack(
                     salt.utils.event.tagify("join-reply", "peer", "cluster"),
                     {
@@ -3080,7 +3101,11 @@ async def handle_pool_publish(self, payload):
                     return
 
                 cluster_pub = salt.crypt.PublicKeyString(payload["cluster_pub"])
-                if not cluster_pub.verify(data["payload"], data["sig"]):
+                if not cluster_pub.verify(
+                    data["payload"],
+                    data["sig"],
+                    algorithm=self.opts["publish_signing_algorithm"],
+                ):
                     log.warning("Invalid signature of cluster discover payload")
                     return
 
@@ -3101,16 +3126,20 @@ async def handle_pool_publish(self, payload):
                         "peer_id": self.opts["id"],
                         "secret": key.encrypt(
                             payload["token"].encode()
-                            + (self.opts.get("cluster_secret") or "").encode()
+                            + (self.opts.get("cluster_secret") or "").encode(),
+                            algorithm=self.opts["cluster_encryption_algorithm"],
                         ),
                         "key": key.encrypt(
                             payload["token"].encode()
-                            + salt.master.SMaster.secrets["aes"]["secret"].value
+                            + salt.master.SMaster.secrets["aes"]["secret"].value,
+                            algorithm=self.opts["cluster_encryption_algorithm"],
                         ),
                         "pub": self.public_key(),
                     }
                 )
-                sig = salt.crypt.PrivateKeyString(self.private_key()).sign(tosign)
+                sig = salt.crypt.PrivateKeyString(self.private_key()).sign(
+                    tosign, algorithm=self.opts["publish_signing_algorithm"]
+                )
                 self.cluster_peers.append(payload["peer_id"])
                 event_data = salt.utils.event.SaltEvent.pack(
                     salt.utils.event.tagify("join", "peer", "cluster"),
@@ -3150,7 +3179,11 @@ async def handle_pool_publish(self, payload):
             elif tag.startswith("cluster/peer/discover"):
                 payload = salt.payload.loads(data["payload"])
                 peer_key = salt.crypt.PublicKeyString(payload["pub"])
-                if not peer_key.verify(data["payload"], data["sig"]):
+                if not peer_key.verify(
+                    data["payload"],
+                    data["sig"],
+                    algorithm=self.opts["publish_signing_algorithm"],
+                ):
                     log.warning("Invalid signature of cluster discover payload")
                     return
                 log.info("Cluster discovery from %s", payload["peer_id"])
@@ -3168,7 +3201,7 @@ async def handle_pool_publish(self, payload):
                     }
                 )
                 key = salt.crypt.PrivateKeyString(self.cluster_key())
-                sig = key.sign(tosign)
+                sig = key.sign(tosign, algorithm=self.opts["publish_signing_algorithm"])
                 _ = salt.payload.package(
                     {
                         "sig": sig,
@@ -3188,7 +3221,7 @@ async def handle_pool_publish(self, payload):
                 aes = data["peers"][self.opts["id"]]["aes"]
                 sig = data["peers"][self.opts["id"]]["sig"]
                 key_str = self.master_key.master_key.decrypt(
-                    aes, algorithm="OAEP-SHA224"
+                    aes, algorithm=self.opts["cluster_encryption_algorithm"]
                 )
                 digest = salt.utils.stringutils.to_bytes(
                     hashlib.sha256(key_str).hexdigest()

salt/config/__init__.py

@@ -1059,6 +1059,8 @@ def _gather_buffer_space():
         "signing_algorithm": str,
         # Master publish channel signing
         "publish_signing_algorithm": str,
+        # RSA encryption used for cluster peer-to-peer messages
+        "cluster_encryption_algorithm": str,
         # the cache driver to be used to manage keys for both minion and master
         "keys.cache_driver": (type(None), str),
         "request_server_ttl": int,
@@ -1773,6 +1775,7 @@ def _gather_buffer_space():
         "cluster_isolated_filesystem": False,
         "features": {},
         "publish_signing_algorithm": "PKCS1v15-SHA1",
+        "cluster_encryption_algorithm": "OAEP-SHA1",
         "keys.cache_driver": "localfs_key",
         "request_server_aes_session": 0,
         "request_server_ttl": 0,
@@ -4355,6 +4358,15 @@ def apply_master_config(overrides=None, defaults=None):
             f"Please specify one of {','.join(salt.crypt.VALID_SIGNING_ALGORITHMS)}."
         )
 
+    if (
+        opts["cluster_encryption_algorithm"]
+        not in salt.crypt.VALID_ENCRYPTION_ALGORITHMS
+    ):
+        raise salt.exceptions.SaltConfigurationError(
+            f"The cluster encryption algorithm '{opts['cluster_encryption_algorithm']}' is not valid. "
+            f"Please specify one of {','.join(salt.crypt.VALID_ENCRYPTION_ALGORITHMS)}."
+        )
+
     salt.features.setup_features(opts)
     return opts
 

tests/pytests/integration/cluster/conftest.py

@@ -181,6 +181,9 @@ def cluster_master_1(request, salt_factories, cluster_pki_path, cluster_cache_pa
         "publish_signing_algorithm": (
             "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1"
         ),
+        "cluster_encryption_algorithm": (
+            "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1"
+        ),
     }
     factory = salt_factories.salt_master_daemon(
         "127.0.0.1",
@@ -220,6 +223,9 @@ def cluster_master_2(salt_factories, cluster_master_1):
         "publish_signing_algorithm": (
             "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1"
         ),
+        "cluster_encryption_algorithm": (
+            "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1"
+        ),
     }
 
     # Use the same ports for both masters, they are binding to different interfaces
@@ -266,6 +272,9 @@ def cluster_master_3(salt_factories, cluster_master_1):
         "publish_signing_algorithm": (
             "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1"
         ),
+        "cluster_encryption_algorithm": (
+            "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1"
+        ),
     }
 
     # Use the same ports for both masters, they are binding to different interfaces
@@ -324,6 +333,9 @@ def cluster_master_4(
         "publish_signing_algorithm": (
             "PKCS1v15-SHA224" if FIPS_TESTRUN else "PKCS1v15-SHA1"
         ),
+        "cluster_encryption_algorithm": (
+            "OAEP-SHA224" if FIPS_TESTRUN else "OAEP-SHA1"
+        ),
     }
 
     # Use the same ports across the cluster; masters bind to different