From 4a45817827bd657e94ff483d35f572b0c0c33a17 Mon Sep 17 00:00:00 2001

From: Mark Reynolds <mreynolds@redhat.com>

Date: Fri, 14 Oct 2016 16:17:46 -0400

Subject: [PATCH 52/55] Ticket 48909 - Replication stops working in FIPS mode

Bug Description:  When FIPS mode is enabled on the security database, the

                  token name is changed.  This prevents the server from

                  reverse decoding the replication manager's password.  Which

                  prevents replication sessions from getting established.

Fix Description:  Instead of getting the key slot from the harded coded token

                  name, call slapd_pk11_getInternalKeySlot() which gets the

                  current slot.

https://fedorahosted.org/389/ticket/48909

Reviewed by: nhosoi(Thanks!)

(cherry picked from commit 61c72f966bda17993f483e8f79d97dff20b7cc93)

(cherry picked from commit 9982033b7cd888bd30400001e10158a9bbf9b863)

---

 ldap/servers/plugins/rever/pbe.c | 11 +++++------

 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/ldap/servers/plugins/rever/pbe.c b/ldap/servers/plugins/rever/pbe.c

index 0588c73..4034ac5 100644

--- a/ldap/servers/plugins/rever/pbe.c

+++ b/ldap/servers/plugins/rever/pbe.c

@@ -69,7 +69,7 @@ struct pk11ContextStore

 static int encode_path(char *inPlain, char **outCipher, char *path, int mech);

 static int decode_path(char *inCipher, char **outPlain, char *path, int mech, char *algid);

-static SVRCOREError genKey(struct pk11ContextStore **out, const char *token, char *path, int mech, PRArenaPool *arena, char *algid);

+static SVRCOREError genKey(struct pk11ContextStore **out, char *path, int mech, PRArenaPool *arena, char *algid);

 static SVRCOREError cryptPassword(struct pk11ContextStore *store, char * clear, unsigned char **out);

 static SVRCOREError decryptPassword(struct pk11ContextStore *store, unsigned char *cipher, char **out, int len);

 static void freePBE(struct pk11ContextStore *store);

@@ -102,7 +102,7 @@ encode_path(char *inPlain, char **outCipher, char *path, int mech)

     *outCipher = NULL;

     err = 1;

-    if ( genKey(&context, tokPBE, path, mech, arena, NULL) == SVRCORE_Success ){

+    if ( genKey(&context, path, mech, arena, NULL) == SVRCORE_Success ){

         /* Try an encryption */

         if ( cryptPassword(context, inPlain, &cipher) == SVRCORE_Success ){

             base = BTOA_DataToAscii(cipher, context->length);

@@ -160,7 +160,7 @@ decode_path(char *inCipher, char **outPlain, char *path, int mech, char *algid)

     *outPlain = NULL;

     err = 1;

-    if ( genKey(&context, tokPBE, path, mech, arena, algid) == SVRCORE_Success ){

+    if ( genKey(&context, path, mech, arena, algid) == SVRCORE_Success ){

         /* it seems that there is memory leak in that function: bug 400170 */

         base = ATOB_AsciiToData(inCipher, (unsigned int*)&len;;

         if ( base != NULL ){

@@ -196,7 +196,7 @@ freePBE(struct pk11ContextStore *store)

 }

 static SVRCOREError

-genKey(struct pk11ContextStore **out, const char *token, char *path, int mech, PRArenaPool *arena, char *alg)

+genKey(struct pk11ContextStore **out, char *path, int mech, PRArenaPool *arena, char *alg)

 {

     SVRCOREError err = SVRCORE_Success;

     struct pk11ContextStore *store = NULL;

@@ -223,8 +223,7 @@ genKey(struct pk11ContextStore **out, const char *token, char *path, int mech, P

     }

     *out = store;

-    /* Use the tokenName to find a PKCS11 slot */

-    store->slot = slapd_pk11_findSlotByName((char *)token);

+    store->slot = slapd_pk11_getInternalKeySlot();

     if (store->slot == NULL){

         err = SVRCORE_NoSuchToken_Error;

         goto done;

-- 

2.4.11