From b1dfe53aaf7cb0260286423b9abf7d71f8edd421 Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Wed, 15 Nov 2017 13:27:58 -0500
Subject: [PATCH] Ticket 49454 - SSL Client Authentication breaks in FIPS mode
Bug Description: Replication using SSL Client Auth breaks when FIPS is enabled. This is because FIPS mode changes the internal certificate token name.
Fix Description: If FIPS is enabled grab the token name from the internal slot instead of using the default hardcoded internal token name.
https://pagure.io/389-ds-base/issue/49454
Reviewed by: firstyear(Thanks!)
(cherry picked from commit 6e794a8eff213d49c933f781006e234984160db2)
---
 ldap/servers/slapd/proto-slap.h | 1 +
 ldap/servers/slapd/security_wrappers.c | 6 ++++++
 ldap/servers/slapd/ssl.c | 24 +++++++++++++++++-------
 3 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 4a30def8b..3b7ab53b2 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -1130,6 +1130,7 @@ PRBool slapd_pk11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
 PK11SymKey *slapd_pk11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey, SECItem *wrappedKey, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags, PRBool isPerm);
 PK11SymKey *slapd_pk11_TokenKeyGenWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param, int keySize, SECItem *keyid, CK_FLAGS opFlags, PK11AttrFlags attrFlags, void *wincx);
 CK_MECHANISM_TYPE slapd_PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **params, SECItem *pwitem);
+char *slapd_PK11_GetTokenName(PK11SlotInfo *slot);

 /*
 * start_tls_extop.c
diff --git a/ldap/servers/slapd/security_wrappers.c b/ldap/servers/slapd/security_wrappers.c
index bec28d2f3..41fe03608 100644
--- a/ldap/servers/slapd/security_wrappers.c
+++ b/ldap/servers/slapd/security_wrappers.c
@@ -401,3 +401,9 @@ slapd_PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **params, SECIte
 {
 return PK11_GetPBECryptoMechanism(algid, params, pwitem);
 }
+
+char *
+slapd_PK11_GetTokenName(PK11SlotInfo *slot)
+{
+ return PK11_GetTokenName(slot);
+}
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index efe32d5d0..52ac7ea9f 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -2365,13 +2365,23 @@ slapd_SSL_client_auth(LDAP *ld)
 ssltoken = slapi_entry_attr_get_charptr(entry, "nsssltoken");
 if (ssltoken && personality) {
 if (!PL_strcasecmp(ssltoken, "internal") ||
- !PL_strcasecmp(ssltoken, "internal (software)")) {
-
- /* Translate config internal name to more
- * readable form. Certificate name is just
- * the personality for internal tokens.
- */
- token = slapi_ch_strdup(internalTokenName);
+ !PL_strcasecmp(ssltoken, "internal (software)"))
+ {
+ if ( slapd_pk11_isFIPS() ) {
+ /*
+ * FIPS mode changes the internal token name, so we need to
+ * grab the new token name from the internal slot.
+ */
+ PK11SlotInfo *slot = slapd_pk11_getInternalSlot();
+ token = slapi_ch_strdup(slapd_PK11_GetTokenName(slot));
+ PK11_FreeSlot(slot);
+ } else {
+ /*
+ * Translate config internal name to more readable form.
+ * Certificate name is just the personality for internal tokens.
+ */
+ token = slapi_ch_strdup(internalTokenName);
+ }
 #if defined(USE_OPENLDAP)
 /* openldap needs tokenname:certnick */
 PR_snprintf(cert_name, sizeof(cert_name), "%s:%s", token, personality);
--
2.13.6
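Review bot: slapd_PK11_GetTokenName() in security_wrappers.c carries no comment saying who owns the returned string, and the caller added to ssl.c in this same commit depends on that. As far as I know NSS's PK11_GetTokenName() hands back a pointer into the slot object rather than a fresh allocation, so the result has to be copied before the slot reference is released and must never be freed by the caller. I would add above the function: `/* Returns the token name held by the slot; the string belongs to the slot, so copy it before freeing the slot and never free it. */`. The wrapper also forwards a NULL slot unchanged, which is worth stating in the same comment so callers know the check is theirs.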
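Review bot: In the FIPS branch of slapd_SSL_client_auth() in ssl.c, the result of `slapd_pk11_getInternalSlot()` goes straight into `slapd_PK11_GetTokenName(slot)` and `PK11_FreeSlot(slot)` with no NULL check. If the internal slot cannot be obtained, both calls would presumably dereference a null pointer, so the server would crash while setting up a client-auth connection instead of failing that one bind cleanly. I would guard it with `if (slot == NULL) { /* log the failure and abort client auth */ }` and leave through the function's existing error path, which lies outside this hunk. Separately, `PK11_FreeSlot(slot)` is called directly while the neighbouring lines go through slapd_ wrappers; if a wrapper for it exists, using it would keep the branch consistent.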