[Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base][master-next] Revert a commit that makes dscreate to fail.
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Wed Dec 15 21:01:59 GMT 2021
Timo Aaltonen pushed to branch master-next at FreeIPA packaging / 389-ds-base
Commits:
b6fc1afc by Timo Aaltonen at 2021-12-15T23:01:42+02:00
Revert a commit that makes dscreate fail.
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/0001-Revert-Issue-3584-Fix-PBKDF2_SHA256-hashing-in-FIPS-.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,9 @@
+389-ds-base (2.0.11-2) UNRELEASED; urgency=medium
+
+ * Revert a commit that makes dscreate to fail.
+
+ -- Timo Aaltonen <tjaalton at debian.org> Wed, 15 Dec 2021 21:42:08 +0200
+
389-ds-base (2.0.11-1) unstable; urgency=medium
* New upstream release.
=====================================
debian/patches/0001-Revert-Issue-3584-Fix-PBKDF2_SHA256-hashing-in-FIPS-.patch
=====================================
@@ -0,0 +1,348 @@
+From 85d06aba6cb874958e9583d84bbd83ffe8bc40f6 Mon Sep 17 00:00:00 2001
+From: Timo Aaltonen <tjaalton at debian.org>
+Date: Wed, 15 Dec 2021 21:40:38 +0200
+Subject: [PATCH] Revert "Issue 3584 - Fix PBKDF2_SHA256 hashing in FIPS mode
+ (#4949)"
+
+This reverts commit b0d06615e1117799ec156d51489cd49c92635cca.
+---
+ .../healthcheck/health_security_test.py | 10 +++
+ ldap/ldif/template-dse-minimal.ldif.in | 52 ----------------
+ ldap/ldif/template-dse.ldif.in | 52 ----------------
+ ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c | 62 +++----------------
+ ldap/servers/slapd/main.c | 12 ----
+ src/lib389/lib389/__init__.py | 4 --
+ src/lib389/lib389/topologies.py | 6 +-
+ src/lib389/lib389/utils.py | 13 ----
+ 8 files changed, 21 insertions(+), 190 deletions(-)
+
+diff --git a/dirsrvtests/tests/suites/healthcheck/health_security_test.py b/dirsrvtests/tests/suites/healthcheck/health_security_test.py
+index fa3c28615..a07371e0e 100644
+--- a/dirsrvtests/tests/suites/healthcheck/health_security_test.py
++++ b/dirsrvtests/tests/suites/healthcheck/health_security_test.py
+@@ -31,6 +31,16 @@ libfaketime.reexec_if_needed()
+ log = logging.getLogger(__name__)
+
+
++def is_fips():
++ if os.path.exists('/proc/sys/crypto/fips_enabled'):
++ with open('/proc/sys/crypto/fips_enabled', 'r') as f:
++ state = f.readline().strip()
++ if state == '1':
++ return True
++ else:
++ return False
++
++
+ def run_healthcheck_and_flush_log(topology, instance, searched_code, json, searched_code2=None):
+ args = FakeArgs()
+ args.instance = instance.serverid
+diff --git a/ldap/ldif/template-dse-minimal.ldif.in b/ldap/ldif/template-dse-minimal.ldif.in
+index a1700a2da..5d424fbf5 100644
+--- a/ldap/ldif/template-dse-minimal.ldif.in
++++ b/ldap/ldif/template-dse-minimal.ldif.in
+@@ -185,58 +185,6 @@ nsslapd-plugininitfunc: pbkdf2_sha256_pwd_storage_scheme_init
+ nsslapd-plugintype: pwdstoragescheme
+ nsslapd-pluginenabled: on
+
+-dn: cn=PBKDF2,cn=Password Storage Schemes,cn=plugins,cn=config
+-objectclass: top
+-objectclass: nsSlapdPlugin
+-cn: PBKDF2
+-nsslapd-pluginpath: libpwdchan-plugin
+-nsslapd-plugininitfunc: pwdchan_pbkdf2_plugin_init
+-nsslapd-plugintype: pwdstoragescheme
+-nsslapd-pluginenabled: on
+-nsslapd-pluginId: PBKDF2
+-nsslapd-pluginVersion: none
+-nsslapd-pluginVendor: 389 Project
+-nsslapd-pluginDescription: PBKDF2
+-
+-dn: cn=PBKDF2-SHA1,cn=Password Storage Schemes,cn=plugins,cn=config
+-objectclass: top
+-objectclass: nsSlapdPlugin
+-cn: PBKDF2-SHA1
+-nsslapd-pluginpath: libpwdchan-plugin
+-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha1_plugin_init
+-nsslapd-plugintype: pwdstoragescheme
+-nsslapd-pluginenabled: on
+-nsslapd-pluginId: PBKDF2-SHA1
+-nsslapd-pluginVersion: none
+-nsslapd-pluginVendor: 389 Project
+-nsslapd-pluginDescription: PBKDF2-SHA1\
+-
+-dn: cn=PBKDF2-SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
+-objectclass: top
+-objectclass: nsSlapdPlugin
+-cn: PBKDF2-SHA256
+-nsslapd-pluginpath: libpwdchan-plugin
+-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha256_plugin_init
+-nsslapd-plugintype: pwdstoragescheme
+-nsslapd-pluginenabled: on
+-nsslapd-pluginId: PBKDF2-SHA256
+-nsslapd-pluginVersion: none
+-nsslapd-pluginVendor: 389 Project
+-nsslapd-pluginDescription: PBKDF2-SHA256\
+-
+-dn: cn=PBKDF2-SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
+-objectclass: top
+-objectclass: nsSlapdPlugin
+-cn: PBKDF2-SHA512
+-nsslapd-pluginpath: libpwdchan-plugin
+-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha512_plugin_init
+-nsslapd-plugintype: pwdstoragescheme
+-nsslapd-pluginenabled: on
+-nsslapd-pluginId: PBKDF2-SHA512
+-nsslapd-pluginVersion: none
+-nsslapd-pluginVendor: 389 Project
+-nsslapd-pluginDescription: PBKDF2-SHA512
+-
+ dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
+ objectclass: top
+ objectclass: nsSlapdPlugin
+diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
+index 1456761e5..892f62c6b 100644
+--- a/ldap/ldif/template-dse.ldif.in
++++ b/ldap/ldif/template-dse.ldif.in
+@@ -232,58 +232,6 @@ nsslapd-plugininitfunc: pbkdf2_sha256_pwd_storage_scheme_init
+ nsslapd-plugintype: pwdstoragescheme
+ nsslapd-pluginenabled: on
+
+-dn: cn=PBKDF2,cn=Password Storage Schemes,cn=plugins,cn=config
+-objectclass: top
+-objectclass: nsSlapdPlugin
+-cn: PBKDF2
+-nsslapd-pluginpath: libpwdchan-plugin
+-nsslapd-plugininitfunc: pwdchan_pbkdf2_plugin_init
+-nsslapd-plugintype: pwdstoragescheme
+-nsslapd-pluginenabled: on
+-nsslapd-pluginId: PBKDF2
+-nsslapd-pluginVersion: none
+-nsslapd-pluginVendor: 389 Project
+-nsslapd-pluginDescription: PBKDF2
+-
+-dn: cn=PBKDF2-SHA1,cn=Password Storage Schemes,cn=plugins,cn=config
+-objectclass: top
+-objectclass: nsSlapdPlugin
+-cn: PBKDF2-SHA1
+-nsslapd-pluginpath: libpwdchan-plugin
+-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha1_plugin_init
+-nsslapd-plugintype: pwdstoragescheme
+-nsslapd-pluginenabled: on
+-nsslapd-pluginId: PBKDF2-SHA1
+-nsslapd-pluginVersion: none
+-nsslapd-pluginVendor: 389 Project
+-nsslapd-pluginDescription: PBKDF2-SHA1\
+-
+-dn: cn=PBKDF2-SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
+-objectclass: top
+-objectclass: nsSlapdPlugin
+-cn: PBKDF2-SHA256
+-nsslapd-pluginpath: libpwdchan-plugin
+-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha256_plugin_init
+-nsslapd-plugintype: pwdstoragescheme
+-nsslapd-pluginenabled: on
+-nsslapd-pluginId: PBKDF2-SHA256
+-nsslapd-pluginVersion: none
+-nsslapd-pluginVendor: 389 Project
+-nsslapd-pluginDescription: PBKDF2-SHA256\
+-
+-dn: cn=PBKDF2-SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
+-objectclass: top
+-objectclass: nsSlapdPlugin
+-cn: PBKDF2-SHA512
+-nsslapd-pluginpath: libpwdchan-plugin
+-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha512_plugin_init
+-nsslapd-plugintype: pwdstoragescheme
+-nsslapd-pluginenabled: on
+-nsslapd-pluginId: PBKDF2-SHA512
+-nsslapd-pluginVersion: none
+-nsslapd-pluginVendor: 389 Project
+-nsslapd-pluginDescription: PBKDF2-SHA512
+-
+ dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
+ objectclass: top
+ objectclass: nsSlapdPlugin
+diff --git a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
+index dcac4fcdd..d310dc792 100644
+--- a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
++++ b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
+@@ -91,11 +91,10 @@ pbkdf2_sha256_extract(char *hash_in, SECItem *salt, uint32_t *iterations)
+ SECStatus
+ pbkdf2_sha256_hash(char *hash_out, size_t hash_out_len, SECItem *pwd, SECItem *salt, uint32_t iterations)
+ {
++ SECItem *result = NULL;
+ SECAlgorithmID *algid = NULL;
+ PK11SlotInfo *slot = NULL;
+ PK11SymKey *symkey = NULL;
+- SECItem *wrapKeyData = NULL;
+- SECStatus rv = SECFailure;
+
+ /* We assume that NSS is already started. */
+ algid = PK11_CreatePBEV2AlgorithmID(SEC_OID_PKCS5_PBKDF2, SEC_OID_HMAC_SHA256, SEC_OID_HMAC_SHA256, hash_out_len, iterations, salt);
+@@ -105,6 +104,7 @@ pbkdf2_sha256_hash(char *hash_out, size_t hash_out_len, SECItem *pwd, SECItem *s
+ slot = PK11_GetBestSlotMultiple(mechanism_array, 2, NULL);
+ if (slot != NULL) {
+ symkey = PK11_PBEKeyGen(slot, algid, pwd, PR_FALSE, NULL);
++ PK11_FreeSlot(slot);
+ if (symkey == NULL) {
+ /* We try to get the Error here but NSS has two or more error interfaces, and sometimes it uses none of them. */
+ int32_t status = PORT_GetError();
+@@ -123,60 +123,18 @@ pbkdf2_sha256_hash(char *hash_out, size_t hash_out_len, SECItem *pwd, SECItem *s
+ return SECFailure;
+ }
+
+- /*
+- * First, we need to generate a wrapped key for PK11_Decrypt call:
+- * slot is the same slot we used in PK11_PBEKeyGen()
+- * 256 bits / 8 bit per byte
+- */
+- PK11SymKey *wrapKey = PK11_KeyGen(slot, CKM_AES_ECB, NULL, 256/8, NULL);
+- PK11_FreeSlot(slot);
+- if (wrapKey == NULL) {
+- slapi_log_err(SLAPI_LOG_ERR, "pbkdf2_sha256_hash", "Unable to generate a wrapped key.\n");
+- return SECFailure;
+- }
+-
+- wrapKeyData = (SECItem *)PORT_Alloc(sizeof(SECItem));
+- /* Align the wrapped key with 32 bytes. */
+- wrapKeyData->len = (PK11_GetKeyLength(symkey) + 31) & ~31;
+- /* Allocate the aligned space for pkc5PBE key plus AESKey block */
+- wrapKeyData->data = (unsigned char *)slapi_ch_calloc(wrapKeyData->len, sizeof(unsigned char));
+-
+- /* Get symkey wrapped with wrapKey - required for PK11_Decrypt call */
+- rv = PK11_WrapSymKey(CKM_AES_ECB, NULL, wrapKey, symkey, wrapKeyData);
+- if (rv != SECSuccess) {
+- PK11_FreeSymKey(symkey);
+- PK11_FreeSymKey(wrapKey);
+- SECITEM_FreeItem(wrapKeyData, PR_TRUE);
+- slapi_log_err(SLAPI_LOG_ERR, "pbkdf2_sha256_hash", "Unable to wrap the symkey. (%d)\n", rv);
+- return SECFailure;
+- }
+-
+- /* Allocate the space for our result */
+- void *result = (char *)slapi_ch_calloc(wrapKeyData->len, sizeof(char));
+- unsigned int result_len = 0;
+-
+- /* User wrapKey to decrypt the wrapped contents.
+- * result is the hash that we need;
+- * result_len is the actual lengh of the data;
+- * has_out_len is the maximum (the space we allocted for hash_out)
+- */
+- rv = PK11_Decrypt(wrapKey, CKM_AES_ECB, NULL, result, &result_len, hash_out_len, wrapKeyData->data, wrapKeyData->len);
+- PK11_FreeSymKey(symkey);
+- PK11_FreeSymKey(wrapKey);
+- SECITEM_FreeItem(wrapKeyData, PR_TRUE);
+-
+- if (rv == SECSuccess) {
+- if (result != NULL && result_len <= hash_out_len) {
+- memcpy(hash_out, result, result_len);
+- slapi_ch_free((void **)&result);
++ if (PK11_ExtractKeyValue(symkey) == SECSuccess) {
++ result = PK11_GetKeyData(symkey);
++ if (result != NULL && result->len <= hash_out_len) {
++ memcpy(hash_out, result->data, result->len);
++ PK11_FreeSymKey(symkey);
+ } else {
+- slapi_log_err(SLAPI_LOG_ERR, "pbkdf2_sha256_hash", "Unable to retrieve (get) hash output.\n");
+- slapi_ch_free((void **)&result);
++ PK11_FreeSymKey(symkey);
++ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to retrieve (get) hash output.\n");
+ return SECFailure;
+ }
+ } else {
+- slapi_log_err(SLAPI_LOG_ERR, "pbkdf2_sha256_hash", "Unable to extract hash output. (%d)\n", rv);
+- slapi_ch_free((void **)&result);
++ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to extract hash output.\n");
+ return SECFailure;
+ }
+
+diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
+index 7b3dc848f..9f99f6154 100644
+--- a/ldap/servers/slapd/main.c
++++ b/ldap/servers/slapd/main.c
+@@ -2931,21 +2931,9 @@ slapd_do_all_nss_ssl_init(int slapd_exemode, int importexport_encrypt, int s_por
+ * is enabled or not. We use NSS for random number generation and
+ * other things even if we are not going to accept SSL connections.
+ * We also need NSS for attribute encryption/decryption on import and export.
+- *
+- * It's important to remember that while in FIPS mode the administrator should always enable
+- * the security, otherwise we don't call slapd_pk11_authenticate which is a requirement for FIPS mode
+ */
+- PRBool isFIPS = slapd_pk11_isFIPS();
+ int init_ssl = config_get_security();
+
+- if (isFIPS && !init_ssl) {
+- slapi_log_err(SLAPI_LOG_WARNING, "slapd_do_all_nss_ssl_init",
+- "ERROR: TLS is not enabled, and the machine is in FIPS mode. "
+- "Some functionality won't work correctly (for example, "
+- "users with PBKDF2_SHA256 password scheme won't be able to log in). "
+- "It's highly advisable to enable TLS on this instance.\n");
+- }
+-
+ if (slapd_exemode == SLAPD_EXEMODE_SLAPD) {
+ init_ssl = init_ssl && (0 != s_port) && (s_port <= LDAP_PORT_MAX);
+ } else {
+diff --git a/src/lib389/lib389/__init__.py b/src/lib389/lib389/__init__.py
+index 15ac50b7d..d4473dfd1 100644
+--- a/src/lib389/lib389/__init__.py
++++ b/src/lib389/lib389/__init__.py
+@@ -1533,10 +1533,6 @@ class DirSrv(SimpleLDAPObject, object):
+ :param post_open: Open the server connection after restart.
+ :type post_open: bool
+ """
+- if self.config.get_attr_val_utf8_l("nsslapd-security") == 'on':
+- self.restart(post_open=post_open)
+- return
+-
+ # If it doesn't exist, create a cadb.
+ ssca = NssSsl(dbpath=self.get_ssca_dir())
+ if not ssca._db_exists():
+diff --git a/src/lib389/lib389/topologies.py b/src/lib389/lib389/topologies.py
+index 569818fc1..db505535f 100644
+--- a/src/lib389/lib389/topologies.py
++++ b/src/lib389/lib389/topologies.py
+@@ -11,7 +11,7 @@ import logging
+ import socket # For hostname detection for GSSAPI tests
+ import pytest
+ from lib389 import DirSrv
+-from lib389.utils import generate_ds_params, is_fips
++from lib389.utils import generate_ds_params
+ from lib389.mit_krb5 import MitKrb5
+ from lib389.saslmap import SaslMappings
+ from lib389.replica import ReplicationManager, Replicas
+@@ -103,10 +103,6 @@ def _create_instances(topo_dict, suffix):
+ if role == ReplicaRole.HUB:
+ hs[instance.serverid] = instance
+ instances.update(hs)
+- # We should always enable TLS while in FIPS mode because otherwise NSS database won't be
+- # configured in a FIPS compliant way
+- if is_fips():
+- instance.enable_tls()
+ if DEBUGGING:
+ instance.config.set('nsslapd-errorlog-level','8192')
+ instance.config.set('nsslapd-accesslog-level','260')
+diff --git a/src/lib389/lib389/utils.py b/src/lib389/lib389/utils.py
+index 5445aa7b0..37eeda273 100644
+--- a/src/lib389/lib389/utils.py
++++ b/src/lib389/lib389/utils.py
+@@ -1434,16 +1434,3 @@ def is_valid_hostname(hostname):
+ hostname = hostname[:-1] # strip exactly one dot from the right, if present
+ allowed = re.compile("(?!-)[A-Z\d-]{1,63}(?<!-)$", re.IGNORECASE)
+ return all(allowed.match(x) for x in hostname.split("."))
+-
+-
+-def is_fips():
+- if os.path.exists('/proc/sys/crypto/fips_enabled'):
+- with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+- state = f.readline().strip()
+- if state == '1':
+- return True
+- else:
+- return False
+- else:
+- return False
+-
+--
+2.32.0
+
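Review bot: Reverting all of upstream b0d06615 puts `PK11_ExtractKeyValue(symkey)` / `PK11_GetKeyData(symkey)` back into pbkdf2_sha256_hash (the `+` lines at the end of the pbkdf2_pwd.c hunk), which is the raw key-extraction path the reverted fix had replaced with a wrap-and-decrypt sequence for FIPS mode, and it also drops the slapd startup warning whose own text says that under FIPS "users with PBKDF2_SHA256 password scheme won't be able to log in" — so the package silently reacquires that authentication failure with no diagnostic left to point at it. The restored error path additionally leaks the key: the `else` branch after `PK11_ExtractKeyValue` logs and returns SECFailure without `PK11_FreeSymKey(symkey);`, whereas the code being removed freed symkey before every return; pbkdf2_sha256_hash continues past the end of its hunk. If dscreate is failing because of the new `cn=PBKDF2*,cn=Password Storage Schemes` entries that point at `libpwdchan-plugin` (plausibly a plugin this build does not ship — not verifiable from here), a narrower patch dropping only the template-dse*.ldif and lib389 parts would keep the C-side FIPS fix and the warning. Either way the changelog entry should name the actual failure so the revert can be dropped once it is fixed, and the patch header should carry a note such as `PBKDF2_SHA256 hashing is expected to fail in FIPS mode while this revert is applied` so the regression is not rediscovered in production.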
=====================================
debian/patches/series
=====================================
@@ -1 +1,2 @@
fix-saslpath.diff
+0001-Revert-Issue-3584-Fix-PBKDF2_SHA256-hashing-in-FIPS-.patch