Blame SOURCES/0029-Ticket-49454-SSL-Client-Authentication-breaks-in-FIP.patch

b045b9
From b1dfe53aaf7cb0260286423b9abf7d71f8edd421 Mon Sep 17 00:00:00 2001
b045b9
From: Mark Reynolds <mreynolds@redhat.com>
b045b9
Date: Wed, 15 Nov 2017 13:27:58 -0500
b045b9
Subject: [PATCH] Ticket 49454 - SSL Client Authentication breaks in FIPS mode
b045b9
b045b9
Bug Description:  Replication using SSL Client Auth breaks when FIPS
b045b9
                  is enabled.  This is because FIPS mode changes the
b045b9
                  internal certificate token name.
b045b9
b045b9
Fix Description:  If FIPS is enabled grab the token name from the internal
b045b9
                  slot instead of using the default hardcoded internal
b045b9
                  token name.
b045b9
b045b9
https://pagure.io/389-ds-base/issue/49454
b045b9
b045b9
Reviewed by: firstyear(Thanks!)
b045b9
b045b9
(cherry picked from commit 6e794a8eff213d49c933f781006e234984160db2)
b045b9
---
b045b9
 ldap/servers/slapd/proto-slap.h        |  1 +
b045b9
 ldap/servers/slapd/security_wrappers.c |  6 ++++++
b045b9
 ldap/servers/slapd/ssl.c               | 24 +++++++++++++++++-------
b045b9
 3 files changed, 24 insertions(+), 7 deletions(-)
b045b9
b045b9
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
b045b9
index 4a30def8b..3b7ab53b2 100644
b045b9
--- a/ldap/servers/slapd/proto-slap.h
b045b9
+++ b/ldap/servers/slapd/proto-slap.h
b045b9
@@ -1130,6 +1130,7 @@ PRBool slapd_pk11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
b045b9
 PK11SymKey *slapd_pk11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey, SECItem *wrappedKey, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags, PRBool isPerm);
b045b9
 PK11SymKey *slapd_pk11_TokenKeyGenWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param, int keySize, SECItem *keyid, CK_FLAGS opFlags, PK11AttrFlags attrFlags, void *wincx);
b045b9
 CK_MECHANISM_TYPE slapd_PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **params, SECItem *pwitem);
b045b9
+char *slapd_PK11_GetTokenName(PK11SlotInfo *slot);
b045b9
 
b045b9
 /*
b045b9
  * start_tls_extop.c
b045b9
diff --git a/ldap/servers/slapd/security_wrappers.c b/ldap/servers/slapd/security_wrappers.c
b045b9
index bec28d2f3..41fe03608 100644
b045b9
--- a/ldap/servers/slapd/security_wrappers.c
b045b9
+++ b/ldap/servers/slapd/security_wrappers.c
b045b9
@@ -401,3 +401,9 @@ slapd_PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **params, SECIte
b045b9
 {
b045b9
     return PK11_GetPBECryptoMechanism(algid, params, pwitem);
b045b9
 }
b045b9
+
b045b9
+char *
b045b9
+slapd_PK11_GetTokenName(PK11SlotInfo *slot)
b045b9
+{
b045b9
+    return PK11_GetTokenName(slot);
b045b9
+}
b045b9
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
b045b9
index efe32d5d0..52ac7ea9f 100644
b045b9
--- a/ldap/servers/slapd/ssl.c
b045b9
+++ b/ldap/servers/slapd/ssl.c
b045b9
@@ -2365,13 +2365,23 @@ slapd_SSL_client_auth(LDAP *ld)
b045b9
                 ssltoken = slapi_entry_attr_get_charptr(entry, "nsssltoken");
b045b9
                 if (ssltoken && personality) {
b045b9
                     if (!PL_strcasecmp(ssltoken, "internal") ||
b045b9
-                        !PL_strcasecmp(ssltoken, "internal (software)")) {
b045b9
-
b045b9
-                        /* Translate config internal name to more
b045b9
-                          * readable form.  Certificate name is just
b045b9
-                          * the personality for internal tokens.
b045b9
-                          */
b045b9
-                        token = slapi_ch_strdup(internalTokenName);
b045b9
+                        !PL_strcasecmp(ssltoken, "internal (software)"))
b045b9
+                    {
b045b9
+                        if ( slapd_pk11_isFIPS() ) {
b045b9
+                            /*
b045b9
+                             * FIPS mode changes the internal token name, so we need to
b045b9
+                             * grab the new token name from the internal slot.
b045b9
+                             */
b045b9
+                            PK11SlotInfo *slot = slapd_pk11_getInternalSlot();
b045b9
+                            token = slapi_ch_strdup(slapd_PK11_GetTokenName(slot));
b045b9
+                            PK11_FreeSlot(slot);
b045b9
+                        } else {
b045b9
+                            /*
b045b9
+                             * Translate config internal name to more readable form.
b045b9
+                             * Certificate name is just the personality for internal tokens.
b045b9
+                             */
b045b9
+                            token = slapi_ch_strdup(internalTokenName);
b045b9
+                        }
b045b9
 #if defined(USE_OPENLDAP)
b045b9
                         /* openldap needs tokenname:certnick */
b045b9
                         PR_snprintf(cert_name, sizeof(cert_name), "%s:%s", token, personality);
b045b9
-- 
b045b9
2.13.6
b045b9