Vault: Migrate to RSA-OAEP #6959

Closed
wants to merge 3 commits into from

f-trivino
Contributor

PKCS#1 v1.5 padding support has been removed as it will not be allowed in FIPS mode after 2023.
None of the FIPS certified modules in RHEL will support it as a FIPS approved mechanism.

This commit migrates PKCS#1 v1.5 padding to RSA-OAEP. New installations of KRA will use RSA-OAEP
as default key wrapping algorithm.

Fixes: https://pagure.io/freeipa/issue/9191

@f-trivino f-trivino added needs review Pull Request is waiting for a review ipa-4-9 Mark for backport to ipa 4.9 ipa-4-10 Mark for backport to ipa 4.10 labels Aug 16, 2023
Contributor

@flo-renaud flo-renaud left a comment

Hi @f-trivino
The patch is missing an upgrade part. If IPA 4.10.2 is installed on a FIPS server, and then upgraded with the patch, /etc/pki/pki-tomcat/kra/CS.cfg does not contain keyWrap.useOAEP=true and the vault commands executed on the server are still failing.

The second issue is the support of older clients. If I install a RHEL8 client + RHEL9 server with the patch, the RHEL8 client is unable to access the vault on the server. It fails with

# ipa vault-retrieve vault1 --out /dev/stdout
ipa: ERROR: an internal error has occurred

It means the patch would be needed on all client versions.

@f-trivino f-trivino removed the needs review Pull Request is waiting for a review label Aug 17, 2023
@f-trivino f-trivino changed the title Vault: Migrate to RSA-OAEP WIP: Vault: Migrate to RSA-OAEP Aug 17, 2023
@freeipa-pr-ci freeipa-pr-ci added the needs rebase Pull Request cannot be automatically merged - needs to be rebased label Dec 4, 2023
@f-trivino f-trivino added the ipa-4-11 Mark for backport to ipa 4.11 label Dec 20, 2023
@f-trivino f-trivino changed the title WIP: Vault: Migrate to RSA-OAEP Vault: Migrate to RSA-OAEP Dec 20, 2023
@f-trivino
Contributor Author

f-trivino commented Dec 20, 2023

Hi @f-trivino The patch is missing an upgrade part. If IPA 4.10.2 is installed on a FIPS server, and then upgraded with the patch, /etc/pki/pki-tomcat/kra/CS.cfg does not contain keyWrap.useOAEP=true and the vault commands executed on the server are still failing.

The second issue is the support of older clients. If I install a RHEL8 client + RHEL9 server with the patch, the RHEL8 client is unable to access the vault on the server. It fails with

# ipa vault-retrieve vault1 --out /dev/stdout
ipa: ERROR: an internal error has occurred

It means the patch would be needed on all client versions.

Hi @flo-renaud ,

I implemented the missing parts:

  1. upgrade part

  2. older client support: fall back into PKCS1v15() if OAEP doesn't work.

I tested the patch in a RHEL7.9-Client and RHEL9.3-Server:

Server with KRA using PKCS1v15 wrap padding (it will try OAEP and will fallback into PKCS):

[root@master tmp]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 9.3 (Plow)

[root@master tmp]# ipa vault-add vault --type standard
-------------------
Added vault "vault"
-------------------
  Vault name: vault
  Type: standard
  Owner users: admin
  Vault user: admin

Client (it will try OAEP and will fallback into PKCS):

[root@client cloud-user]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.9 (Maipo)

[root@client cloud-user]# ipa vault-retrieve vault
---------------------------------
Retrieved data from vault "vault"
---------------------------------
  Data: 

Switch KRA Server to use OAEP:

Added "keyWrap.useOAEP=true" to /etc/pki/pki-tomcat/kra/CS.cfg
[root@master tmp]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@master tmp]# ipa vault-add vaultOAEP --type standard
-----------------------
Added vault "vaultOAEP"
-----------------------
  Vault name: vaultOAEP
  Type: standard
  Owner users: admin
  Vault user: admin

Client will try OAEP at a first attempt and will succeed:

[root@client cloud-user]# ipa vault-retrieve vaultOAEP
-------------------------------------
Retrieved data from vault "vaultOAEP"
-------------------------------------
  Data: 

Added ipa-* as we will need to backport this implementation to all rhel versions.

I'm removing also temp_commit, this is the link of the vault gating tests passing:
http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/7ee868b0-9f1d-11ee-a3af-fa163e3caa6f/report.html

RSN vault:
http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/9a025ab6-9f1d-11ee-a466-fa163e33b8c8/report.html

test install:
http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/54378790-9f1d-11ee-8799-fa163e172501/report.html

@f-trivino f-trivino added needs review Pull Request is waiting for a review and removed needs rebase Pull Request cannot be automatically merged - needs to be rebased labels Dec 20, 2023
@rcritten
Contributor

rcritten commented Jan 3, 2024

One of my test systems still has F37 and it's failing with OAEP trying to unwrap the response. Both the client and server are using this patch.

ipa vault-archive test --data Zm9vCg==
Password:
ipa: ERROR: non-public: ValueError: Invalid padding bytes.
Traceback (most recent call last):
File "/usr/lib/python3.11/site-packages/ipalib/backend.py", line 141, in execute
return self.Command[_name](*args, **options)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/ipalib/frontend.py", line 471, in call
return self.__do_call(*args, **options)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/ipalib/frontend.py", line 499, in __do_call
ret = self.run(*args, **options)
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/ipalib/frontend.py", line 1224, in run
return self.forward(*args, **options)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/ipaclient/plugins/vault.py", line 944, in forward
self.api.Command.vault_retrieve(*args, **opts)
File "/usr/lib/python3.11/site-packages/ipalib/frontend.py", line 471, in call
return self.__do_call(*args, **options)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/ipalib/frontend.py", line 499, in __do_call
ret = self.run(*args, **options)
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/ipalib/frontend.py", line 1224, in run
return self.forward(*args, **options)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/ipaclient/plugins/vault.py", line 1141, in forward
vault_data = self._unwrap_response(
^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/ipaclient/plugins/vault.py", line 1092, in _unwrap_response
json_vault_data += unpadder.finalize()
^^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.11/site-packages/cryptography/hazmat/primitives/padding.py", line 159, in finalize
result = _byte_unpadding_check(
^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.11/site-packages/cryptography/hazmat/primitives/padding.py", line 101, in _byte_unpadding_check
raise ValueError("Invalid padding bytes.")
ValueError: Invalid padding bytes.
ipa: ERROR: an internal error has occurred

@f-trivino
Contributor Author

One of my test systems still has F37 and it's failing with OAEP trying to unwrap the response. Both the client and server are using this patch.


@rcritten thanks for testing it.

I think the issue might be that your F37 test system is running with a KRA without the 'keyWrap.useOAEP=true' option enabled. This could occur if you applied the patch without performing an upgrade. The upgrade function will enable 'useOAEP' in the KRA. Another possibility could be that dogtag-pki-kra-11.2.0-2.fc37.noarch doesn't implement support for OAEP.

@rcritten
Contributor

I re-tested on F39 and it works. I tested a RHEL 7.9 client against it and it fails:

PKIException: Cannot encrypt passphrase: org.mozilla.jss.crypto.TokenException: Failed to unwrap key: (-8190) security library: received bad data.

I assume because a client-side patch is needed as well. I wonder if we should catch this on the server and raise a new exception telling the client what to do (update to provide OAEP support).

I double-checked my new F-37 install and indeed it is missing the useOAEP setting. I re-installed and confirmed it is simply not being set. Manually running ipa-server-upgrade adds it.

I think that a call to enable_oaep_wrap_algo should be made during the kra install and not rely on the upgrade scripts alone to set the value.

@f-trivino
Contributor Author

I re-tested on F39 and it works. I tested a RHEL 7.9 client against it and it fails:

PKIException: Cannot encrypt passphrase: org.mozilla.jss.crypto.TokenException: Failed to unwrap key: (-8190) security library: received bad data.

I assume because a client-side patch is needed as well. I wonder if we should catch this on the server and raise a new exception telling the client what to do (update to provide OAEP support).

I double-checked my new F-37 install and indeed it is missing the useOAEP setting. I re-installed and confirmed it is simply not being set. Manually running ipa-server-upgrade adds it.

I think that a call to enable_oaep_wrap_algo should be made during the kra install and not rely on the upgrade scripts alone to set the value.

Hi @rcritten ,

The patch adds the new default "pki_use_oaep_rsa_keywrap=True" to the "install/share/ipaca_default.ini" file. This covers new installations; it works for me (F38 and RHEL). Should I remove this setting and call enable_oaep_wrap_algo()? I didn't want to introduce new restarts of the pki service.

Concerning old clients, yes, we need to backport this patch to older RHEL systems. The reason is that there is no way for an old client to switch to OAEP padding if a server is running in FIPS mode, where the use of an old padding, PKCS1v15, is forbidden in the server. The good point is that OAEP is supported in RHEL7.

@f-trivino f-trivino added the ipa-4-6 Mark for backport to ipa 4.6 label Jan 16, 2024
@rcritten
Contributor

F39 server has the patch, vault operations on the server:

  • confirmed useOAEP=True in KRA CS.cfg
  • vault-add
  • vault-archive
  • vault-retrieve
  • vault-del

F39 client with the patch, against F39 server with the patch:

  • vault-add
  • vault-archive
  • vault-retrieve
  • vault-del

F39 server with the patch, F39 client without the patch:

  • vault-add fail
  • vault-archive fail
  • vault-retrieve fail
  • vault-del

The vault-add failure doesn't roll back removing the vault. It remains and as near as I can tell, it's usable. On an add failure it might be nice to roll things back but I don't think this is a new issue so it can wait if you'd prefer.

The client-side behavior isn't very nice, with an InternalError. I'd propose catching the error and raising it as an IPA error. I used NotFound here for demonstration but something more specific would be better. Perhaps EncodingError (it's really for text encoding but meh). Note that we may want to do the kra logout when raising the exception. I was just banging on this until it worked.

diff -u /tmp/vault.py /usr/lib/python3.12/site-packages/ipaserver/plugins/vault.py 
--- /tmp/vault.py       2024-01-16 14:44:11.395141053 -0500
+++ /usr/lib/python3.12/site-packages/ipaserver/plugins/vault.py        2024-01-16 14:47:40.924141053 -0500
@@ -45,6 +45,7 @@
     import pki.key
     from pki.crypto import DES_EDE3_CBC_OID
     from pki.crypto import AES_128_CBC_OID
+    from pki import PKIException
 
 if six.PY3:
     unicode = str
@@ -1096,14 +1097,17 @@
                     pki.key.KeyClient.KEY_STATUS_INACTIVE)
 
             # forward wrapped data to KRA
-            kra_client.keys.archive_encrypted_data(
-                client_key_id,
-                pki.key.KeyClient.PASS_PHRASE_TYPE,
-                wrapped_vault_data,
-                wrapped_session_key,
-                algorithm_oid=algorithm_oid,
-                nonce_iv=nonce,
-            )
+            try:
+                kra_client.keys.archive_encrypted_data(
+                    client_key_id,
+                    pki.key.KeyClient.PASS_PHRASE_TYPE,
+                    wrapped_vault_data,
+                    wrapped_session_key,
+                    algorithm_oid=algorithm_oid,
+                    nonce_iv=nonce,
+                )
+            except PKIException as e:
+                raise errors.NotFound(reason=_(str(e)))
 
             kra_account.logout()
 
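
Review bot: the `raise errors.NotFound(...)` added in the `except PKIException` branch leaves the function before the `kra_account.logout()` line that follows the call, so a rejected archival keeps the KRA account session logged in. Put the logout in a `finally` block, or call it before raising. `_(str(e))` also hands a runtime exception string to the translation function, which has no catalog entry for it; pass `str(e)` directly, and use a more specific error class than NotFound so callers can tell a wrapping failure from a missing vault.
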
@@ -1176,9 +1180,12 @@
             kra_client.keys.encrypt_alg_oid = algorithm_oid
 
             # retrieve encrypted data from KRA
-            key = kra_client.keys.retrieve_key(
-                key_info.get_key_id(),
-                wrapped_session_key)
+            try:
+                key = kra_client.keys.retrieve_key(
+                    key_info.get_key_id(),
+                    wrapped_session_key)
+            except PKIException as e:
+                raise errors.NotFound(reason=_(str(e)))
 
             kra_account.logout()
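
Review bot: `except PKIException` around `retrieve_key` maps every KRA-side failure to NotFound, so a session key wrapped with a padding the KRA rejects looks the same to the client as a key that does not exist. A dedicated error for the unwrap failure would let the client decide whether a retry with the other padding makes sense and would give the user an actionable message. As in the archival hunk, the raise bypasses the `kra_account.logout()` below it.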

F39 server without the patch, F39 client with the patch:

  • confirmed useOAEP not present in KRA CS.cfg
  • vault-add
  • vault-archive fails: ValueError: Invalid padding bytes.
  • vault-retrieve fails: ValueError: Invalid padding bytes.
  • vault-del

The fallback isn't working: it doesn't fall back at all in my testing. It fails when unwrapping with the OAEP session key. If I force it to use PKCS1v15 then it succeeds (obviously b/c the code is then the same between client and server).

This change works for me. It moves the wrapping try/except a level higher:

diff -u /tmp/vault.py /usr/lib/python3.12/site-packages/ipaclient/plugins/vault.py 
--- /tmp/vault.py       2024-01-16 15:42:42.002250068 -0500
+++ /usr/lib/python3.12/site-packages/ipaclient/plugins/vault.py        2024-01-16 16:10:01.020250068 -0500
@@ -704,40 +704,9 @@
 
     def _do_internal(self, algo, transport_cert, raise_unexpected,
                      *args, **options):
-        public_key = transport_cert.public_key()
-
-        # wrap session key with transport certificate using OAEP padding
-        wrapped_session_key = public_key.encrypt(
-            algo.key,
-            padding.OAEP(
-                mgf=padding.MGF1(algorithm=hashes.SHA256()),
-                algorithm=hashes.SHA256(),
-                label=None
-            )
-        )
-        options['session_key'] = wrapped_session_key
 
         name = self.name + '_internal'
-        try:
-            # ipalib.errors.NotFound exception can be propagated
-            # Try OAEP padding
-            return self.api.Command[name](*args, **options)
-        except (errors.InternalError,
-                errors.ExecutionError,
-                errors.GenericError):
-            # If the OAEP attempt fails, fall back to PKCS1v15 padding
-            try:
-                wrapped_session_key = public_key.encrypt(
-                    algo.key,
-                    padding.PKCS1v15()
-                )
-                options['session_key'] = wrapped_session_key
-                return self.api.Command[name](*args, **options)
-            except Exception as e:
-                _kra_config_cache.remove(self.api.env.domain)
-                if raise_unexpected:
-                    raise e
-        return None
+        return self.api.Command[name](*args, **options)
 
     def internal(self, algo, transport_cert, *args, **options):
         """
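
Review bot: after this hunk `_do_internal` still takes `algo`, `transport_cert` and `raise_unexpected`, but the visible body uses none of them, and the removed path that dropped the `_kra_config_cache` entry and returned None when `raise_unexpected` was false is gone. If `internal()` relies on that None to refetch the transport certificate, a stale cached certificate now surfaces as an exception on the first call. Either keep the cache invalidation here or drop the unused parameters and update the callers.
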
@@ -1135,14 +1104,48 @@
 
         # generate session key
         algo = self._generate_session_key(wrapping_algo)
+        public_key = transport_cert.public_key()
         # send retrieval request to server
-        response = self.internal(algo, transport_cert, *args, **options)
-        # unwrap data with session key
-        vault_data = self._unwrap_response(
-            algo,
-            response['result']['nonce'],
-            response['result']['vault_data']
-        )
+        try:
+            # ipalib.errors.NotFound exception can be propagated
+            # Try OAEP padding
+            wrapped_session_key = public_key.encrypt(
+                algo.key,
+                padding.OAEP(
+                    mgf=padding.MGF1(algorithm=hashes.SHA256()),
+                    algorithm=hashes.SHA256(),
+                    label=None
+                )
+            )
+            options['session_key'] = wrapped_session_key
+            response = self.internal(algo, transport_cert, *args, **options)
+            # unwrap data with session key
+            vault_data = self._unwrap_response(
+                algo,
+                response['result']['nonce'],
+                response['result']['vault_data']
+            )
+        except (errors.InternalError,
+                errors.ExecutionError,
+                errors.GenericError,
+                ValueError):
+            # If the OAEP attempt fails, fall back to PKCS1v15 padding
+            try:
+                wrapped_session_key = public_key.encrypt(
+                    algo.key,
+                    padding.PKCS1v15()
+                )
+                options['session_key'] = wrapped_session_key
+                response = self.internal(algo, transport_cert, *args, **options)
+                # unwrap data with session key
+                vault_data = self._unwrap_response(
+                    algo,
+                    response['result']['nonce'],
+                    response['result']['vault_data']
+                )
+            except Exception as e:
+                _kra_config_cache.remove(self.api.env.domain)
+                raise e
         del algo
 
         data = base64.b64decode(vault_data[u'data'].encode('utf-8'))
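
Review bot: the outer `except` now lists `ValueError` and covers the OAEP wrap, the request and `_unwrap_response`, so any ValueError from those three steps, including one caused by damaged vault data, triggers a second request with PKCS1v15 and the first error is discarded. Narrow the `try` to the steps that can fail on a padding mismatch and log when the fallback is taken, so the switch to PKCS1v15 is visible to the operator. The request-and-unwrap sequence is duplicated in both branches; a helper that takes the padding as an argument removes the copy. `raise e` can be a bare `raise`, and `del algo` is skipped whenever the fallback raises.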

@f-trivino f-trivino added the re-run Trigger a new run of PR-CI label Jan 20, 2024
@f-trivino f-trivino force-pushed the padding-take4 branch 3 times, most recently from eadabe2 to 32ad674 Compare January 20, 2024 20:05
@f-trivino
Contributor Author

Thanks @rcritten for the review and testing.

After reconsideration, I believe that enabling RSA-OAEP as the default option will cause numerous issues in existing deployments, as it would require all RHEL systems to upgrade. Therefore, the transition to the new padding should be considered as part of a major release, and we can make the switch at that point in time. However, PKCS1v15 is not usable at all in FIPS mode. Consequently, the code now detects if a system is in FIPS mode (at install/upgrade time) and picks the appropriate algo, ensuring compatibility.

Regarding the fallback, you are correct; it was not working properly. I had to enhance the fallback code because PKCS1v15() triggers an exception in FIPS mode:

  File "/usr/lib64/python3.12/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 163, in _enc_dec_rsa_pkey_ctx
    raise ValueError("Encryption/decryption failed.")
ValueError: Encryption/decryption failed.

This explains why the fallback was failing. I believe the new code now handles this situation properly. I have tested all these scenarios:

F39 server/client with the patches in FIPS mode (KRA uses RSA-OAEP):

  • keyWrap.useOAEP=true is set in the CS.cfg as the server is in FIPS mode.
  • vault-add works from the server
  • vault-archive works from the server
  • vault-retrieve works from the server
  • vault-add works from the client
  • vault-archive works from the client
  • vault-retrieve works from the client

F39 server/client with the patches in normal mode (KRA uses PKCS1v15):

  • keyWrap.useOAEP is not in the CS.cfg file
  • vault-add works from the server
  • vault-archive works from the server
  • vault-retrieve works from the server
  • vault-del works from the server
  • vault-add works from the client
  • vault-archive works from the client
  • vault-retrieve works from the client
  • vault-del works from the client

I manually added UseOAEP in the KRA, and restarted pki-tomcatd@pki-tomcat.service, then:

  • vault-add works from the server
  • vault-archive works from the server
  • vault-retrieve works from the server
  • vault-del works from the server
  • vault-add works from the client
  • vault-archive works from the client
  • vault-retrieve works from the client
  • vault-del works from the client

The fallback is a bit tricky because of the absence of a REST call to query the KRA padding status (DRM using the REST interface). With the proper call returning such status, we would be able to handle all use cases more easily.

Btw, I haven't addressed the rollback of the vault if something fails. It is not straightforward, as when the issue happens (keyArchival of an empty vault from vault-add), the LDAP container for the vault is already created. I would prefer to address this issue as a separate PR.
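
The combinations tested in this thread (FIPS mode on or off, `keyWrap.useOAEP` present or absent in the KRA `CS.cfg`) can be checked on a server with a short audit script. This is an added example, not code from the pull request or from FreeIPA; the function names, the case-insensitive value match, the last-occurrence-wins rule for repeated keys and the constructed sample configs are assumptions.

```python
from pathlib import Path

CS_CFG = "/etc/pki/pki-tomcat/kra/CS.cfg"    # KRA config path quoted in this thread
FIPS_FLAG = "/proc/sys/crypto/fips_enabled"  # Linux kernel FIPS indicator
OAEP_KEY = "keyWrap.useOAEP"                 # setting discussed in this thread

# Constructed samples; "example.*" keys are placeholders, not real CS.cfg settings.
SAMPLE_WITHOUT_OAEP = """\
# constructed sample
example.placeholder.one=value
#keyWrap.useOAEP=true
"""
SAMPLE_WITH_OAEP = """\
example.placeholder.one=value
keyWrap.useOAEP=True
"""


def parse_cs_cfg(text):
    """Parse name=value lines, skipping blanks and '#' comments.

    Assumption: when a key is repeated, the last occurrence wins.
    """
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def oaep_enabled(params):
    """True when keyWrap.useOAEP is set to 'true' (assumed case-insensitive)."""
    return params.get(OAEP_KEY, "").lower() == "true"


def host_fips_enabled(flag_path=FIPS_FLAG):
    """Read the kernel FIPS flag; a missing file is treated as FIPS off."""
    try:
        return Path(flag_path).read_text().strip() == "1"
    except OSError:
        return False


def assess(cfg_text, fips_enabled):
    """Return (level, message) for one combination reported in the thread."""
    oaep = oaep_enabled(parse_cs_cfg(cfg_text))
    if fips_enabled and not oaep:
        return ("FAIL", "FIPS is on but %s=true is missing: vault commands fail; "
                        "ipa-server-upgrade was reported to add it" % OAEP_KEY)
    if fips_enabled:
        return ("OK", "FIPS is on and the KRA wraps with RSA-OAEP")
    if oaep:
        return ("WARN", "RSA-OAEP is on outside FIPS mode: clients without the "
                        "patch fail vault-add/archive/retrieve")
    return ("INFO", "KRA uses PKCS1v15 (default outside FIPS mode)")


def main():
    level, message = assess(Path(CS_CFG).read_text(), host_fips_enabled())
    print("%s: %s" % (level, message))


if __name__ == "__main__":
    main()
```
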

@f-trivino f-trivino removed the re-run Trigger a new run of PR-CI label Jan 22, 2024

None of the FIPS certified modules in RHEL support PKCS#1 v1.5 as FIPS
approved mechanism. This commit adds support for RSA-OAEP padding as a
fallback.

Fixes: https://pagure.io/freeipa/issue/9191

Signed-off-by: Francisco Trivino <ftrivino@redhat.com>

If a vault operation fails, the error message just says "InternalError". This commit
improves error handling of key archival and retrieval calls by catching the PKIException
error and raising it as an IPA error.

Related: https://pagure.io/freeipa/issue/9191

Signed-off-by: Francisco Trivino <ftrivino@redhat.com>

Vault uses PKCS1v15 as default padding wrapping algo, which is not an approved
FIPS algorithm. This commit ensures that KRA is installed with RSA-OAEP if FIPS
is enabled. It also handles upgrade path.

Fixes: https://pagure.io/freeipa/issue/9191

Signed-off-by: Francisco Trivino <ftrivino@redhat.com>

@rcritten
Contributor

This is working well in all my previous test cases. I just noticed one thing during the fallback. I set the KRA to use OAEP and I see two failures prior to the prompt for the password when trying to retrieve data. I added a print before each wrapped_session_key creation and on InternalError print the exception.

It functions ok, I just don't know if this double PKCS1v15 failure is expected. It happens

 # ipa vault-retrieve test
PKCS1v15 vault_retrieve
Cannot encrypt passphrase: org.mozilla.jss.crypto.TokenException: Failed to unwrap key: (-8190) security library: received bad data.
PKCS1v15 vault_retrieve
Cannot encrypt passphrase: org.mozilla.jss.crypto.TokenException: Failed to unwrap key: (-8190) security library: received bad data.
use OAEP vault_retrieve
Password: 
--------------------------------
Retrieved data from vault "test"
--------------------------------
  Data: Zm9vCg==

It is even more when trying to add a new vault

 # ipa vault-add test2
New password: 
Enter New password again to verify: 
PKCS1v15 vault_retrieve
No archived data.
PKCS1v15 vault_retrieve
No archived data.
use OAEP vault_retrieve
No archived data.
PKCS1v15 vault_archive
Unable to decrypt passphrase: Failed to unwrap key: (-8190) security library: received bad data.
PKCS1v15 vault_archive
Unable to decrypt passphrase: Failed to unwrap key: (-8190) security library: received bad data.
use OAEP vault_archive
-------------------
Added vault "test2"
-------------------
  Vault name: test2
  Type: symmetric
  Salt: mQWntGMlQZqdxIOLEhbpiQ==
  Owner users: admin
  Vault user: admin

Maybe this is the trade-off we have to accept for now.

@f-trivino
Contributor Author

f-trivino commented Jan 24, 2024

This is working well in all my previous test cases. I just noticed one thing during the fallback. I set the KRA to use OAEP and I see two failures prior to the prompt for the password when trying to retrieve data. I added a print before each wrapped_session_key creation and on InternalError print the exception.

It functions ok, I just don't know if this double PKCS1v15 failure is expected. It happens

 # ipa vault-retrieve test
PKCS1v15 vault_retrieve
Cannot encrypt passphrase: org.mozilla.jss.crypto.TokenException: Failed to unwrap key: (-8190) security library: received bad data.
PKCS1v15 vault_retrieve
Cannot encrypt passphrase: org.mozilla.jss.crypto.TokenException: Failed to unwrap key: (-8190) security library: received bad data.
use OAEP vault_retrieve
Password: 
--------------------------------
Retrieved data from vault "test"
--------------------------------
  Data: Zm9vCg==

It is even more when trying to add a new vault

 # ipa vault-add test2
New password: 
Enter New password again to verify: 
PKCS1v15 vault_retrieve
No archived data.
PKCS1v15 vault_retrieve
No archived data.
use OAEP vault_retrieve
No archived data.
PKCS1v15 vault_archive
Unable to decrypt passphrase: Failed to unwrap key: (-8190) security library: received bad data.
PKCS1v15 vault_archive
Unable to decrypt passphrase: Failed to unwrap key: (-8190) security library: received bad data.
use OAEP vault_archive
-------------------
Added vault "test2"
-------------------
  Vault name: test2
  Type: symmetric
  Salt: mQWntGMlQZqdxIOLEhbpiQ==
  Owner users: admin
  Vault user: admin

Maybe this is the trade-off we have to accept for now.

This occurs when the transport certificate is not cached. The reason is that internal() attempts to call _do_internal() with the cached transport certificate on the first attempt. Since the transport certificate is not cached the first time, there is a second call where _get_vaultconfig() retrieves the transport certificate.

@rcritten
Contributor

Alright this is working for me. ack.

@rcritten rcritten added ack Pull Request approved, can be merged pushed Pull Request has already been pushed and removed needs review Pull Request is waiting for a review labels Jan 25, 2024
@rcritten
Contributor

master:

  • 2d0a088 Vault: add support for RSA-OAEP wrapping algo
  • 4cc6b9c Vault: improve vault server archival/retrieval calls error handling
  • 305fcc2 kra: set RSA-OAEP as default wrapping algo when FIPS is enabled

@rcritten
Contributor

manual backport required for ipa-4-6 branch
