
From 4a45817827bd657e94ff483d35f572b0c0c33a17 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Fri, 14 Oct 2016 16:17:46 -0400
Subject: [PATCH 52/55] Ticket 48909 - Replication stops working in FIPS mode
Bug Description:  When FIPS mode is enabled on the security database, the
                  token name is changed.  This prevents the server from
                  reverse decoding the replication manager's password.  Which
                  prevents replication sessions from getting established.
Fix Description:  Instead of getting the key slot from the hard-coded token
                  name, call slapd_pk11_getInternalKeySlot() which gets the
                  current slot.
https://fedorahosted.org/389/ticket/48909
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit 61c72f966bda17993f483e8f79d97dff20b7cc93)
(cherry picked from commit 9982033b7cd888bd30400001e10158a9bbf9b863)
---
 ldap/servers/plugins/rever/pbe.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/ldap/servers/plugins/rever/pbe.c b/ldap/servers/plugins/rever/pbe.c
index 0588c73..4034ac5 100644
--- a/ldap/servers/plugins/rever/pbe.c
+++ b/ldap/servers/plugins/rever/pbe.c
@@ -69,7 +69,7 @@ struct pk11ContextStore
 
 static int encode_path(char *inPlain, char **outCipher, char *path, int mech);
 static int decode_path(char *inCipher, char **outPlain, char *path, int mech, char *algid);
-static SVRCOREError genKey(struct pk11ContextStore **out, const char *token, char *path, int mech, PRArenaPool *arena, char *algid);
+static SVRCOREError genKey(struct pk11ContextStore **out, char *path, int mech, PRArenaPool *arena, char *algid);
 static SVRCOREError cryptPassword(struct pk11ContextStore *store, char * clear, unsigned char **out);
 static SVRCOREError decryptPassword(struct pk11ContextStore *store, unsigned char *cipher, char **out, int len);
 static void freePBE(struct pk11ContextStore *store);
@@ -102,7 +102,7 @@ encode_path(char *inPlain, char **outCipher, char *path, int mech)
     *outCipher = NULL;
     err = 1;
 
-    if ( genKey(&context, tokPBE, path, mech, arena, NULL) == SVRCORE_Success ){
+    if ( genKey(&context, path, mech, arena, NULL) == SVRCORE_Success ){
         /* Try an encryption */
         if ( cryptPassword(context, inPlain, &cipher) == SVRCORE_Success ){
             base = BTOA_DataToAscii(cipher, context->length);
@@ -160,7 +160,7 @@ decode_path(char *inCipher, char **outPlain, char *path, int mech, char *algid)
     *outPlain = NULL;
     err = 1;
 
-    if ( genKey(&context, tokPBE, path, mech, arena, algid) == SVRCORE_Success ){
+    if ( genKey(&context, path, mech, arena, algid) == SVRCORE_Success ){
         /* it seems that there is memory leak in that function: bug 400170 */
         base = ATOB_AsciiToData(inCipher, (unsigned int*)&len;;
         if ( base != NULL ){
@@ -196,7 +196,7 @@ freePBE(struct pk11ContextStore *store)
 }
 
 static SVRCOREError
-genKey(struct pk11ContextStore **out, const char *token, char *path, int mech, PRArenaPool *arena, char *alg)
+genKey(struct pk11ContextStore **out, char *path, int mech, PRArenaPool *arena, char *alg)
 {
     SVRCOREError err = SVRCORE_Success;
     struct pk11ContextStore *store = NULL;
@@ -223,8 +223,7 @@ genKey(struct pk11ContextStore **out, const char *token, char *path, int mech, P
     }
     *out = store;
 
-    /* Use the tokenName to find a PKCS11 slot */
-    store->slot = slapd_pk11_findSlotByName((char *)token);
+    store->slot = slapd_pk11_getInternalKeySlot();
     if (store->slot == NULL){
         err = SVRCORE_NoSuchToken_Error;
         goto done;
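Review bot: The comment the hunk removes is not replaced, so the reason for taking the internal key slot rather than a named token is lost at the call site; I would put `/* The internal key slot's token name differs between FIPS and non-FIPS mode, so fetch the slot directly instead of looking it up by name (ticket 48909). */` above the `slapd_pk11_getInternalKeySlot()` call. The error path still maps a NULL slot to `SVRCORE_NoSuchToken_Error`, which now describes a failure to obtain the internal key slot rather than a missing named token; logging the underlying NSS error at that point would make a FIPS-related failure far easier to diagnose than the generic code alone. This change, together with the encode_path and decode_path hunks above, drops the last visible use of `tokPBE`; if that constant is still defined elsewhere in the file it is presumably now dead and may draw an unused-variable warning. Whether freePBE releases the slot reference that the new call returns is not visible here, and genKey continues past the end of the hunk.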
-- 
2.4.11