[389-ds-base] branch 389-ds-base-1.3.9 updated: Ticket 50099 - In FIPS mode, the server can select an unsupported password storage scheme
by pagure@pagure.io
This is an automated email from the git hooks/post-receive script.
tbordaz pushed a commit to branch 389-ds-base-1.3.9
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.3.9 by this push:
new baadc1c Ticket 50099 - In FIPS mode, the server can select an unsupported password storage scheme
baadc1c is described below
commit baadc1c645705c187e5678b8c0efb887fef12ae4
Author: Thierry Bordaz <tbordaz(a)redhat.com>
AuthorDate: Fri Dec 14 11:43:30 2018 +0100
Ticket 50099 - In FIPS mode, the server can select an unsupported password storage scheme
Bug Description:
When running in FIPS mode, DS selects SSHA512 as the password storage scheme; otherwise it selects PBKDF2_SHA256.
The problem is that in FIPS mode it selects PBKDF2_SHA256, which is currently not supported by NSS.
So DS fails to hash the password.
The scheme selection is done in the early phase of DS startup (slapd_bootstrap_config).
To determine whether it is in FIPS mode, DS calls PK11_IsFIPS, which requires that NSS has been initialized.
The problem is that during slapd_bootstrap_config, NSS is not yet initialized and PK11_IsFIPS returns
PR_FALSE even in FIPS mode.
Fix Description:
The fix consists of checking whether NSS is initialized. If it is initialized, then rely on PK11_IsFIPS.
If it is not initialized, then retrieve the FIPS mode from the system, assuming that if the system
is in FIPS mode, then NSS will be in FIPS mode as well.
https://pagure.io/389-ds-base/issue/50099
Reviewed by: Mark Reynolds (thanks Mark !)
Platforms tested: F27
Flag Day: no
Doc impact: no
---
ldap/servers/slapd/security_wrappers.c | 51 +++++++++++++++++++++++++++++++++-
1 file changed, 50 insertions(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/security_wrappers.c b/ldap/servers/slapd/security_wrappers.c
index 41fe036..bdea7f5 100644
--- a/ldap/servers/slapd/security_wrappers.c
+++ b/ldap/servers/slapd/security_wrappers.c
@@ -226,11 +226,60 @@ slapd_pk11_setSlotPWValues(PK11SlotInfo *slot, int askpw, int timeout)
return;
}
+/* The system FIPS mode can be tested on FIPS_ENABLED
+ * system FIPS mode is ON => NSS is always ON
+ * One can imagine to set NSS ON when system FIPS is OFF but it makes no real sense
+ */
+#define FIPS_ENABLED "/proc/sys/crypto/fips_enabled"
+PRBool
+slapd_system_isFIPS()
+{
+ PRBool rc = PR_FALSE;
+ PRFileDesc *prfd;
+ char buf[sizeof (PRIu64)];
+ int val;
+ if (PR_SUCCESS != PR_Access(FIPS_ENABLED, PR_ACCESS_READ_OK)) {
+ slapi_log_err(SLAPI_LOG_ERR, "slapd_system_isFIPS", "Can not read %s\n", FIPS_ENABLED);
+ goto done;
+ }
+ if ((prfd = PR_Open(FIPS_ENABLED, PR_RDONLY, SLAPD_DEFAULT_FILE_MODE)) == NULL) {
+ slapi_log_err(SLAPI_LOG_ERR, "slapd_system_isFIPS", "Can not open %s\n", FIPS_ENABLED);
+ goto done;
+ }
+ if (PR_Read(prfd, buf, sizeof (buf)) < 0) {
+ slapi_log_err(SLAPI_LOG_ERR, "slapd_system_isFIPS", "Can not read %s\n", FIPS_ENABLED);
+ PR_Close(prfd);
+ goto done;
+ }
+ PR_Close(prfd);
+ val = atoi(buf);
+ if (val) {
+ slapi_log_err(SLAPI_LOG_INFO, "slapd_system_isFIPS", "system in FIPS mode\n");
+ rc = PR_TRUE;
+ }
+done:
+ return rc;
+}
PRBool
slapd_pk11_isFIPS()
{
- return PK11_IsFIPS();
+ PRBool rc = PR_FALSE;
+
+ if (slapd_nss_is_initialized()) {
+ /* It requires that NSS is initialized before calling PK11_IsFIPS.
+ * Note that it can exist a false positive if NSS in was FIPS mode
+ * although the system is not in FIPS. Such configuration makes no sense
+ */
+ rc = PK11_IsFIPS();
+ } else {
+ /* NSS being not initialized, we are considering the
+ * system FIPS mode.
+ */
+ rc = slapd_system_isFIPS();
+ }
+
+ return rc;
}
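Review bot: In slapd_system_isFIPS(), `atoi(buf)` parses a buffer that is never NUL-terminated: `buf` is uninitialized, the byte count returned by `PR_Read` is discarded, and `PR_Read(prfd, buf, sizeof (buf))` is allowed to fill the whole array, so atoi can run past the bytes that were actually read. Keep the return value in a variable, read at most `sizeof (buf) - 1` bytes and set `buf[n] = '\0'` before parsing. The array size is also accidental: `PRIu64` is a printf format macro, so `sizeof (PRIu64)` is the size of a short string literal rather than a width chosen for this file, and a small explicit constant would be clearer. Separately, every error path returns PR_FALSE, so an unreadable FIPS_ENABLED is reported as "not FIPS", which is the outcome the commit message describes as selecting the unsupported scheme; the comment above the function should say whether that default is intended.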
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
[389-ds-base] branch 389-ds-base-1.3.9 updated: Ticket 50134 - fixup-memberof.pl does not respect protocol requested
by pagure@pagure.io
mhonek pushed a commit to branch 389-ds-base-1.3.9
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.3.9 by this push:
new 826682e Ticket 50134 - fixup-memberof.pl does not respect protocol requested
826682e is described below
commit 826682eb60b747b4acf8783419e7aeb06ec53f50
Author: Matúš Honěk <mhonek(a)redhat.com>
AuthorDate: Mon Jan 7 13:25:14 2019 +0100
Ticket 50134 - fixup-memberof.pl does not respect protocol requested
Bug Description:
fixup-memberof.pl tries with StartTLS even though LDAP was specified.
Fix Description:
Fix protocol assignment to $info, probably missed during a previous code porting.
https://pagure.io/389-ds-base/issue/50134
Author: mhonek
Review by: mreynolds, firstyear (thanks!)
---
ldap/admin/src/scripts/fixup-memberof.pl.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/admin/src/scripts/fixup-memberof.pl.in b/ldap/admin/src/scripts/fixup-memberof.pl.in
index 167ed7f..2e67450 100644
--- a/ldap/admin/src/scripts/fixup-memberof.pl.in
+++ b/ldap/admin/src/scripts/fixup-memberof.pl.in
@@ -77,7 +77,7 @@ while ($i <= $#ARGV)
($servid, $confdir) = DSUtil::get_server_id($servid, "@initconfigdir@");
%info = DSUtil::get_info($confdir, $host, $port, $rootdn);
$info{rootdnpw} = DSUtil::get_password_from_file($passwd, $passwdfile);
-$info[9] = $protocol;
+$info{protocol} = $protocol;
if ($verbose == 1){
$info{args} = "-v -a";
} else {
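Review bot: Nothing in the visible context around `$info{protocol} = $protocol;` checks that `$protocol` holds a value the script understands, and the removed line `$info[9] = $protocol;` shows how quietly this can go wrong: it assigned to an array `@info` while every neighbouring line uses the hash `%info`, so the requested protocol was dropped without any error. Since the protocol decides whether StartTLS is attempted, I would validate `$protocol` before this assignment and, if the script does not already run under `use strict`, enable it so that a stray `$info[9]` fails at compile time. The commit message says the line was probably missed during porting, so the sibling scripts that fill `%info` the same way deserve the same check, and a test that requests plain LDAP would keep this from regressing.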
--
[389-ds-base] branch master updated (3a1628f -> ff00b07)
by git repository hosting
tbordaz pushed a change to branch master
in repository 389-ds-base.
from 3a1628f Ticket 49999 - rpm.mk dist-bz2 should clean cockpit_dist first
add ff00b07 Ticket 50117 - after certain failed import operation, impossible to replay an import operation
No new revisions were added by this update.
Summary of changes:
ldap/servers/slapd/back-ldbm/ldif2ldbm.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--
[389-ds-base] branch master updated: Ticket 49999 - rpm.mk dist-bz2 should clean cockpit_dist first
by git repository hosting
mreynolds pushed a commit to branch master
in repository 389-ds-base.
The following commit(s) were added to refs/heads/master by this push:
new 3a1628f Ticket 49999 - rpm.mk dist-bz2 should clean cockpit_dist first
3a1628f is described below
commit 3a1628f6b94bdce38bb502a56482d194fc88c1a6
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Fri Jan 4 11:42:52 2019 -0500
Ticket 49999 - rpm.mk dist-bz2 should clean cockpit_dist first
Description: make -f rpm.mk dist-bz2 should always generate this directory
from scratch:
src/cockpit/389-console/cockpit_dist
https://pagure.io/389-ds-base/issue/49999
Reviewed by: spichugi & mreynolds
---
rpm.mk | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rpm.mk b/rpm.mk
index 0b2b3a0..4945229 100644
--- a/rpm.mk
+++ b/rpm.mk
@@ -40,8 +40,10 @@ $(NODE_MODULES_TEST):
$(WEBPACK_TEST): $(NODE_MODULES_TEST)
cd src/cockpit/389-console; make -f node_modules.mk build-cockpit-plugin
-dist-bz2: $(WEBPACK_TEST)
+dist-bz2: $(NODE_MODULES_TEST)
cd src/cockpit/389-console; \
+ rm -rf cockpit_dist; \
+ make -f node_modules.mk build-cockpit-plugin; \
mv node_modules node_modules.release; \
touch cockpit_dist/*
mkdir -p $(NODE_MODULES_TEST)
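Review bot: The commands added to the `dist-bz2` recipe are chained with `;`, so a failing `cd src/cockpit/389-console` does not stop `rm -rf cockpit_dist` from running in whatever directory the shell is left in, and a failing `make -f node_modules.mk build-cockpit-plugin` is still followed by the `mv` and the `touch`. Chain the steps with `&&` (or start the recipe with `set -e;`) so the target stops at the first failing command and reports that error, instead of surfacing later as a `touch cockpit_dist/*` failure after `node_modules` has already been renamed.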
--
[389-ds-base] branch master updated (01df5d5 -> a3d35b9)
by git repository hosting
vashirov pushed a change to branch master
in repository 389-ds-base.
from 01df5d5 Issue 49938 - lib389 - Clean up CLI logging
add a3d35b9 Issue 48064 - Fix various issues in disk monitoring test suite
No new revisions were added by this update.
Summary of changes:
.../suites/disk_monitoring/disk_monitoring_test.py | 60 +++++++++++++---------
1 file changed, 36 insertions(+), 24 deletions(-)
--
[389-ds-base] branch master updated (4bb89f1 -> 01df5d5)
by git repository hosting
spichugi pushed a change to branch master
in repository 389-ds-base.
from 4bb89f1 Issue: 49761
add 01df5d5 Issue 49938 - lib389 - Clean up CLI logging
No new revisions were added by this update.
Summary of changes:
src/lib389/lib389/__init__.py | 67 ++++++++++++++++---------------------
src/lib389/lib389/instance/setup.py | 32 ++++++------------
src/lib389/lib389/ldclt.py | 21 +++++-------
src/lib389/lib389/replica.py | 14 ++++----
4 files changed, 56 insertions(+), 78 deletions(-)
--
[389-ds-base] branch master updated (ad1b78e -> 4bb89f1)
by git repository hosting
spichugi pushed a change to branch master
in repository 389-ds-base.
from ad1b78e Ticket 50056 - Fix UI bugs (part 2)
add 4bb89f1 Issue: 49761
No new revisions were added by this update.
Summary of changes:
...gression_nsslapd_plugin_binddn_tracking_test.py | 114 +++++++++++++++++++++
dirsrvtests/tests/suites/vlv/regression_test.py | 107 +++++++++++++++++++
2 files changed, 221 insertions(+)
create mode 100644 dirsrvtests/tests/suites/replication/regression_nsslapd_plugin_binddn_tracking_test.py
create mode 100644 dirsrvtests/tests/suites/vlv/regression_test.py
--