This is an automated email from the git hooks/post-receive script.
tbordaz pushed a commit to branch 389-ds-base-1.3.9
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.3.9 by this push:
new baadc1c Ticket 50099 - In FIPS mode, the server can select an unsupported password storage scheme
baadc1c is described below
commit baadc1c645705c187e5678b8c0efb887fef12ae4
Author: Thierry Bordaz <tbordaz(a)redhat.com>
AuthorDate: Fri Dec 14 11:43:30 2018 +0100
Ticket 50099 - In FIPS mode, the server can select an unsupported password storage scheme
Bug Description:
When running in FIPS mode, DS selects SSHA512 as the password storage scheme; otherwise it selects PBKDF2_SHA256.
The problem is that in FIPS mode it selects PBKDF2_SHA256, which is currently not supported by NSS.
So DS fails to hash passwords.
The scheme selection is done in the early phase of DS startup (slapd_bootstrap_config).
To determine whether it is in FIPS mode, DS calls PK11_IsFIPS, which requires that NSS has been initialized.
The problem is that during slapd_bootstrap_config, NSS is not yet initialized and PK11_IsFIPS returns PR_FALSE even in FIPS mode.
Fix Description:
The fix consists of checking whether NSS is initialized. If it is initialized, then rely on PK11_IsFIPS.
If it is not initialized, then retrieve the FIPS mode from the system, assuming that if the system is in FIPS mode, then NSS will be in FIPS mode as well.
https://pagure.io/389-ds-base/issue/50099
Reviewed by: Mark Reynolds (thanks Mark !)
Platforms tested: F27
Flag Day: no
Doc impact: no
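The fallback the commit describes (read the kernel's fips_enabled flag when NSS cannot yet be asked) is small, but the detail that matters for a startup-time security decision is reading that file robustly. The following is an added example, not 389-ds-base code and not the patch itself: it uses plain POSIX calls instead of NSPR, keeps a zero-filled buffer with a reserved NUL byte, parses with strtol rather than atoi on unterminated data, and adds a hypothetical helper `check_fips_text()` that feeds constructed file contents through the same reader so the edge cases (empty file, missing file, garbage) can be exercised offline.

```c
/* Added example (not 389-ds-base code): a hardened reader for the Linux
 * fips_enabled sysctl, mirroring the fallback the commit introduces.
 * Assumed names: parse_fips_flag, system_is_fips_at, check_fips_text. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"

/* Interpret the text of the sysctl. The kernel writes "0\n" or "1\n";
 * like the patch, any non-zero value counts as FIPS. Empty, NULL or
 * non-numeric input is treated as "not FIPS". buf must be NUL-terminated. */
int parse_fips_flag(const char *buf)
{
    char *end = NULL;
    long v;

    if (buf == NULL || *buf == '\0') {
        return 0;
    }
    errno = 0;
    v = strtol(buf, &end, 10);
    if (end == buf || errno != 0) {
        return 0; /* no digits at all, or out of range */
    }
    return v != 0;
}

/* Read `path` into a small zero-filled buffer, always leaving the final
 * byte as NUL so the parser never runs past the data. Returns 1 for FIPS,
 * 0 otherwise; an unreadable file yields 0, matching the patch's PR_FALSE. */
int system_is_fips_at(const char *path)
{
    char buf[16] = {0};
    ssize_t n;
    int fd = open(path, O_RDONLY);

    if (fd < 0) {
        return 0;
    }
    n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0) {
        return 0;
    }
    buf[n] = '\0';
    return parse_fips_flag(buf);
}

/* Hypothetical test helper: write constructed `content` to a temporary
 * file, evaluate it with the reader above, and clean up.
 * Returns the reader's verdict, or -1 if the temp file could not be made. */
int check_fips_text(const char *content)
{
    char tmpl[] = "/tmp/fips_exampleXXXXXX";
    int fd = mkstemp(tmpl);
    int rc;

    if (fd < 0) {
        return -1;
    }
    if (write(fd, content, strlen(content)) < 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    close(fd);
    rc = system_is_fips_at(tmpl);
    unlink(tmpl);
    return rc;
}

int main(void)
{
    /* On a real host this consults the kernel; on non-Linux it prints 0. */
    printf("system FIPS mode: %d\n", system_is_fips_at(FIPS_ENABLED_PATH));
    printf("constructed \"1\\n\" -> %d\n", check_fips_text("1\n"));
    return 0;
}
```

The reserved NUL byte and the explicit `n <= 0` check are what distinguish this from a naive read: a detection routine that runs before the crypto library is up should fail closed on malformed input rather than interpret uninitialised stack bytes.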
---
ldap/servers/slapd/security_wrappers.c | 51 +++++++++++++++++++++++++++++++++-
1 file changed, 50 insertions(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/security_wrappers.c
b/ldap/servers/slapd/security_wrappers.c
index 41fe036..bdea7f5 100644
--- a/ldap/servers/slapd/security_wrappers.c
+++ b/ldap/servers/slapd/security_wrappers.c
@@ -226,11 +226,60 @@ slapd_pk11_setSlotPWValues(PK11SlotInfo *slot, int askpw, int
timeout)
return;
}
+/* The system FIPS mode can be tested on FIPS_ENABLED
+ * system FIPS mode is ON => NSS is always ON
+ * One can imagine to set NSS ON when system FIPS is OFF but it makes no real sense
+ */
+#define FIPS_ENABLED "/proc/sys/crypto/fips_enabled"
+PRBool
+slapd_system_isFIPS()
+{
+ PRBool rc = PR_FALSE;
+ PRFileDesc *prfd;
+ char buf[sizeof (PRIu64)];
+ int val;
+ if (PR_SUCCESS != PR_Access(FIPS_ENABLED, PR_ACCESS_READ_OK)) {
+ slapi_log_err(SLAPI_LOG_ERR, "slapd_system_isFIPS", "Can not read
%s\n", FIPS_ENABLED);
+ goto done;
+ }
+ if ((prfd = PR_Open(FIPS_ENABLED, PR_RDONLY, SLAPD_DEFAULT_FILE_MODE)) == NULL) {
+ slapi_log_err(SLAPI_LOG_ERR, "slapd_system_isFIPS", "Can not open
%s\n", FIPS_ENABLED);
+ goto done;
+ }
+ if (PR_Read(prfd, buf, sizeof (buf)) < 0) {
+ slapi_log_err(SLAPI_LOG_ERR, "slapd_system_isFIPS", "Can not read
%s\n", FIPS_ENABLED);
+ PR_Close(prfd);
+ goto done;
+ }
+ PR_Close(prfd);
+ val = atoi(buf);
+ if (val) {
+ slapi_log_err(SLAPI_LOG_INFO, "slapd_system_isFIPS", "system in
FIPS mode\n");
+ rc = PR_TRUE;
+ }
+done:
+ return rc;
+}
PRBool
slapd_pk11_isFIPS()
{
- return PK11_IsFIPS();
+ PRBool rc = PR_FALSE;
+
+ if (slapd_nss_is_initialized()) {
+ /* It requires that NSS is initialized before calling PK11_IsFIPS.
+ * Note that it can exist a false positive if NSS in was FIPS mode
+ * although the system is not in FIPS. Such configuration makes no sense
+ */
+ rc = PK11_IsFIPS();
+ } else {
+ /* NSS being not initialized, we are considering the
+ * system FIPS mode.
+ */
+ rc = slapd_system_isFIPS();
+ }
+
+ return rc;
}
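Review bot: in slapd_system_isFIPS, `char buf[sizeof (PRIu64)]` sizes the buffer from a printf format-string macro (PRIu64 expands to something like "lu", so sizeof gives 3 or 4), not from a 64-bit integer, and PR_Read does not NUL-terminate what it reads, so `atoi(buf)` can scan past the bytes actually read. Suggest a zero-initialised buffer that reads one byte less than its size and terminates explicitly, e.g. `char buf[16] = {0};`, `PR_Read(prfd, buf, sizeof(buf) - 1)`, then `buf[n] = '\0'` using the returned count; the PR_Read result should also be checked for 0 (empty file), not only `< 0`. Minor: the PR_Access failure logs "Can not read %s", the same text as the PR_Read failure, which makes the two cases indistinguishable in the error log.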