|
|
058656 |
From b1dfe53aaf7cb0260286423b9abf7d71f8edd421 Mon Sep 17 00:00:00 2001
|
|
|
058656 |
From: Mark Reynolds <mreynolds@redhat.com>
|
|
|
058656 |
Date: Wed, 15 Nov 2017 13:27:58 -0500
|
|
|
058656 |
Subject: [PATCH] Ticket 49454 - SSL Client Authentication breaks in FIPS mode
|
|
|
058656 |
|
|
|
058656 |
Bug Description: Replication using SSL Client Auth breaks when FIPS
|
|
|
058656 |
is enabled. This is because FIPS mode changes the
|
|
|
058656 |
internal certificate token name.
|
|
|
058656 |
|
|
|
058656 |
Fix Description: If FIPS is enabled grab the token name from the internal
|
|
|
058656 |
slot instead of using the default hardcoded internal
|
|
|
058656 |
token name.
|
|
|
058656 |
|
|
|
058656 |
https://pagure.io/389-ds-base/issue/49454
|
|
|
058656 |
|
|
|
058656 |
Reviewed by: firstyear(Thanks!)
|
|
|
058656 |
|
|
|
058656 |
(cherry picked from commit 6e794a8eff213d49c933f781006e234984160db2)
|
|
|
058656 |
---
|
|
|
058656 |
ldap/servers/slapd/proto-slap.h | 1 +
|
|
|
058656 |
ldap/servers/slapd/security_wrappers.c | 6 ++++++
|
|
|
058656 |
ldap/servers/slapd/ssl.c | 24 +++++++++++++++++-------
|
|
|
058656 |
3 files changed, 24 insertions(+), 7 deletions(-)
|
|
|
058656 |
|
|
|
058656 |
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
|
|
|
058656 |
index 4a30def8b..3b7ab53b2 100644
|
|
|
058656 |
--- a/ldap/servers/slapd/proto-slap.h
|
|
|
058656 |
+++ b/ldap/servers/slapd/proto-slap.h
|
|
|
058656 |
@@ -1130,6 +1130,7 @@ PRBool slapd_pk11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
|
|
|
058656 |
PK11SymKey *slapd_pk11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey, SECItem *wrappedKey, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags, PRBool isPerm);
|
|
|
058656 |
PK11SymKey *slapd_pk11_TokenKeyGenWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param, int keySize, SECItem *keyid, CK_FLAGS opFlags, PK11AttrFlags attrFlags, void *wincx);
|
|
|
058656 |
CK_MECHANISM_TYPE slapd_PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **params, SECItem *pwitem);
|
|
|
058656 |
+char *slapd_PK11_GetTokenName(PK11SlotInfo *slot);
|
|
|
058656 |
|
|
|
058656 |
/*
|
|
|
058656 |
* start_tls_extop.c
|
|
|
058656 |
diff --git a/ldap/servers/slapd/security_wrappers.c b/ldap/servers/slapd/security_wrappers.c
|
|
|
058656 |
index bec28d2f3..41fe03608 100644
|
|
|
058656 |
--- a/ldap/servers/slapd/security_wrappers.c
|
|
|
058656 |
+++ b/ldap/servers/slapd/security_wrappers.c
|
|
|
058656 |
@@ -401,3 +401,9 @@ slapd_PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **params, SECIte
|
|
|
058656 |
{
|
|
|
058656 |
return PK11_GetPBECryptoMechanism(algid, params, pwitem);
|
|
|
058656 |
}
|
|
|
058656 |
+
|
|
|
058656 |
+char *
|
|
|
058656 |
+slapd_PK11_GetTokenName(PK11SlotInfo *slot)
|
|
|
058656 |
+{
|
|
|
058656 |
+ return PK11_GetTokenName(slot);
|
|
|
058656 |
+}
|
|
|
058656 |
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
|
|
|
058656 |
index efe32d5d0..52ac7ea9f 100644
|
|
|
058656 |
--- a/ldap/servers/slapd/ssl.c
|
|
|
058656 |
+++ b/ldap/servers/slapd/ssl.c
|
|
|
058656 |
@@ -2365,13 +2365,23 @@ slapd_SSL_client_auth(LDAP *ld)
|
|
|
058656 |
ssltoken = slapi_entry_attr_get_charptr(entry, "nsssltoken");
|
|
|
058656 |
if (ssltoken && personality) {
|
|
|
058656 |
if (!PL_strcasecmp(ssltoken, "internal") ||
|
|
|
058656 |
- !PL_strcasecmp(ssltoken, "internal (software)")) {
|
|
|
058656 |
-
|
|
|
058656 |
- /* Translate config internal name to more
|
|
|
058656 |
- * readable form. Certificate name is just
|
|
|
058656 |
- * the personality for internal tokens.
|
|
|
058656 |
- */
|
|
|
058656 |
- token = slapi_ch_strdup(internalTokenName);
|
|
|
058656 |
+ !PL_strcasecmp(ssltoken, "internal (software)"))
|
|
|
058656 |
+ {
|
|
|
058656 |
+ if ( slapd_pk11_isFIPS() ) {
|
|
|
058656 |
+ /*
|
|
|
058656 |
+ * FIPS mode changes the internal token name, so we need to
|
|
|
058656 |
+ * grab the new token name from the internal slot.
|
|
|
058656 |
+ */
|
|
|
058656 |
+ PK11SlotInfo *slot = slapd_pk11_getInternalSlot();
|
|
|
058656 |
+ token = slapi_ch_strdup(slapd_PK11_GetTokenName(slot));
|
|
|
058656 |
+ PK11_FreeSlot(slot);
|
|
|
058656 |
+ } else {
|
|
|
058656 |
+ /*
|
|
|
058656 |
+ * Translate config internal name to more readable form.
|
|
|
058656 |
+ * Certificate name is just the personality for internal tokens.
|
|
|
058656 |
+ */
|
|
|
058656 |
+ token = slapi_ch_strdup(internalTokenName);
|
|
|
058656 |
+ }
|
|
|
058656 |
#if defined(USE_OPENLDAP)
|
|
|
058656 |
/* openldap needs tokenname:certnick */
|
|
|
058656 |
PR_snprintf(cert_name, sizeof(cert_name), "%s:%s", token, personality);
|
|
|
058656 |
--
|
|
|
058656 |
2.13.6
|
|
|
058656 |
|