January 2019 - 389-commits - Fedora Mailing-Lists

[389-ds-base] branch 389-ds-base-1.3.9 updated: Ticket 50099 - In FIPS mode, the server can select an unsupported password storage scheme

by pagure＠pagure.io

This is an automated email from the git hooks/post-receive script. tbordaz pushed a commit to branch 389-ds-base-1.3.9 in repository 389-ds-base. The following commit(s) were added to refs/heads/389-ds-base-1.3.9 by this push: new baadc1c Ticket 50099 - In FIPS mode, the server can select an unsupported password storage scheme baadc1c is described below commit baadc1c645705c187e5678b8c0efb887fef12ae4 Author: Thierry Bordaz <tbordaz(a)redhat.com> AuthorDate: Fri Dec 14 11:43:30 2018 +0100 Ticket 50099 - In FIPS mode, the server can select an unsupported password storage scheme Bug Description: When running in FIPS mode, DS selects SSHA512 as password storage schema else it selects PBKDF2_SHA256. The problem is that in FIPS mode it selects PBKDF2_SHA256 that is currently not supported by NSS. So DS fails to hash password The scheme selection is done in the early phase of DS startup (slapd_bootstrap_config). To determine it is in FIPS mode, DS calls PK11_IsFIPS that requires that NSS has been initialized. The problem is that during slapd_bootstrap_config, NSS is not yet initialized and PK11_IsFIPS returns PR_FALSE even in FIPS mode Fix Description: The fix consists to check if NSS is initialized. If it is initialize, then rely on PK11_IsFIPS. If it is not initialized then retrieve the FIPS mode from the system, assuming that if system is in FIPS mode, then NSS will be in FIPS mode as well https://pagure.io/389-ds-base/issue/50099 Reviewed by: Mark Reynolds (thanks Mark !) Platforms tested: F27 Flag Day: no Doc impact: no --- ldap/servers/slapd/security_wrappers.c | 51 +++++++++++++++++++++++++++++++++- 1 file changed, 50 insertions(+), 1 deletion(-) diff --git a/ldap/servers/slapd/security_wrappers.c b/ldap/servers/slapd/security_wrappers.c index 41fe036..bdea7f5 100644 --- a/ldap/servers/slapd/security_wrappers.c +++ b/ldap/servers/slapd/security_wrappers.c @@ -226,11 +226,60 @@ slapd_pk11_setSlotPWValues(PK11SlotInfo *slot, int askpw, int timeout) return; } +/* The system FIPS mode can be tested on FIPS_ENABLED + * system FIPS mode is ON => NSS is always ON + * One can imagine to set NSS ON when system FIPS is OFF but it makes no real sense + */ +#define FIPS_ENABLED "/proc/sys/crypto/fips_enabled" +PRBool +slapd_system_isFIPS() +{ + PRBool rc = PR_FALSE; + PRFileDesc *prfd; + char buf[sizeof (PRIu64)]; + int val; + if (PR_SUCCESS != PR_Access(FIPS_ENABLED, PR_ACCESS_READ_OK)) { + slapi_log_err(SLAPI_LOG_ERR, "slapd_system_isFIPS", "Can not read %s\n", FIPS_ENABLED); + goto done; + } + if ((prfd = PR_Open(FIPS_ENABLED, PR_RDONLY, SLAPD_DEFAULT_FILE_MODE)) == NULL) { + slapi_log_err(SLAPI_LOG_ERR, "slapd_system_isFIPS", "Can not open %s\n", FIPS_ENABLED); + goto done; + } + if (PR_Read(prfd, buf, sizeof (buf)) < 0) { + slapi_log_err(SLAPI_LOG_ERR, "slapd_system_isFIPS", "Can not read %s\n", FIPS_ENABLED); + PR_Close(prfd); + goto done; + } + PR_Close(prfd); + val = atoi(buf); + if (val) { + slapi_log_err(SLAPI_LOG_INFO, "slapd_system_isFIPS", "system in FIPS mode\n"); + rc = PR_TRUE; + } +done: + return rc; +} PRBool slapd_pk11_isFIPS() { - return PK11_IsFIPS(); + PRBool rc = PR_FALSE; + + if (slapd_nss_is_initialized()) { + /* It requires that NSS is initialized before calling PK11_IsFIPS. + * Note that it can exist a false positive if NSS in was FIPS mode + * although the system is not in FIPS. Such configuration makes no sense + */ + rc = PK11_IsFIPS(); + } else { + /* NSS being not initialized, we are considering the + * system FIPS mode. + */ + rc = slapd_system_isFIPS(); + } + + return rc; } -- To stop receiving notification emails like this one, please contact the administrator of this repository.

5 years, 3 months

1
0
0 / 0

[389-ds-base] branch 389-ds-base-1.3.9 updated: Ticket 50134 - fixup-memberof.pl does not respect protocol requested

by pagure＠pagure.io

This is an automated email from the git hooks/post-receive script. mhonek pushed a commit to branch 389-ds-base-1.3.9 in repository 389-ds-base. The following commit(s) were added to refs/heads/389-ds-base-1.3.9 by this push: new 826682e Ticket 50134 - fixup-memberof.pl does not respect protocol requested 826682e is described below commit 826682eb60b747b4acf8783419e7aeb06ec53f50 Author: Matúš Honěk <mhonek(a)redhat.com> AuthorDate: Mon Jan 7 13:25:14 2019 +0100 Ticket 50134 - fixup-memberof.pl does not respect protocol requested Bug Description: fixup-memberof.pl tries with StartTLS even though LDAP was specified. Fix Description: Fix protocol assignment to $info, probably missed during a previous code porting. https://pagure.io/389-ds-base/issue/50134 Author: mhonek Review by: mreynolds, firstyear (thanks!) --- ldap/admin/src/scripts/fixup-memberof.pl.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ldap/admin/src/scripts/fixup-memberof.pl.in b/ldap/admin/src/scripts/fixup-memberof.pl.in index 167ed7f..2e67450 100644 --- a/ldap/admin/src/scripts/fixup-memberof.pl.in +++ b/ldap/admin/src/scripts/fixup-memberof.pl.in @@ -77,7 +77,7 @@ while ($i <= $#ARGV) ($servid, $confdir) = DSUtil::get_server_id($servid, "@initconfigdir@"); %info = DSUtil::get_info($confdir, $host, $port, $rootdn); $info{rootdnpw} = DSUtil::get_password_from_file($passwd, $passwdfile); -$info[9] = $protocol; +$info{protocol} = $protocol; if ($verbose == 1){ $info{args} = "-v -a"; } else { -- To stop receiving notification emails like this one, please contact the administrator of this repository.

5 years, 3 months

1
0
0 / 0

[389-ds-base] branch master updated (3a1628f -> ff00b07)

by git repository hosting

This is an automated email from the git hooks/post-receive script. tbordaz pushed a change to branch master in repository 389-ds-base. from 3a1628f Ticket 49999 - rpm.mk dist-bz2 should clean cockpit_dist first add ff00b07 Ticket 50117 - after certain failed import operation, impossible to replay an import operation No new revisions were added by this update. Summary of changes: ldap/servers/slapd/back-ldbm/ldif2ldbm.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) -- To stop receiving notification emails like this one, please contact the administrator of this repository.

5 years, 3 months

1
0
0 / 0

[389-ds-base] branch master updated: Ticket 49999 - rpm.mk dist-bz2 should clean cockpit_dist first

by git repository hosting

This is an automated email from the git hooks/post-receive script. mreynolds pushed a commit to branch master in repository 389-ds-base. The following commit(s) were added to refs/heads/master by this push: new 3a1628f Ticket 49999 - rpm.mk dist-bz2 should clean cockpit_dist first 3a1628f is described below commit 3a1628f6b94bdce38bb502a56482d194fc88c1a6 Author: Mark Reynolds <mreynolds(a)redhat.com> AuthorDate: Fri Jan 4 11:42:52 2019 -0500 Ticket 49999 - rpm.mk dist-bz2 should clean cockpit_dist first Description: make -f rpm.mk dist-bz2 should always generate this directory from scratch: src/cockpit/389-console/cockpit_dist https://pagure.io/389-ds-base/issue/49999 Reviewed by: spichugi & mreynolds --- rpm.mk | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rpm.mk b/rpm.mk index 0b2b3a0..4945229 100644 --- a/rpm.mk +++ b/rpm.mk @@ -40,8 +40,10 @@ $(NODE_MODULES_TEST): $(WEBPACK_TEST): $(NODE_MODULES_TEST) cd src/cockpit/389-console; make -f node_modules.mk build-cockpit-plugin -dist-bz2: $(WEBPACK_TEST) +dist-bz2: $(NODE_MODULES_TEST) cd src/cockpit/389-console; \ + rm -rf cockpit_dist; \ + make -f node_modules.mk build-cockpit-plugin; \ mv node_modules node_modules.release; \ touch cockpit_dist/* mkdir -p $(NODE_MODULES_TEST) -- To stop receiving notification emails like this one, please contact the administrator of this repository.

5 years, 3 months

1
0
0 / 0

[389-ds-base] branch master updated (01df5d5 -> a3d35b9)

by git repository hosting

This is an automated email from the git hooks/post-receive script. vashirov pushed a change to branch master in repository 389-ds-base. from 01df5d5 Issue 49938 - lib389 - Clean up CLI logging add a3d35b9 Issue 48064 - Fix various issues in disk monitoring test suite No new revisions were added by this update. Summary of changes: .../suites/disk_monitoring/disk_monitoring_test.py | 60 +++++++++++++--------- 1 file changed, 36 insertions(+), 24 deletions(-) -- To stop receiving notification emails like this one, please contact the administrator of this repository.

5 years, 3 months

1
0
0 / 0

[389-ds-base] branch master updated (4bb89f1 -> 01df5d5)

by git repository hosting

This is an automated email from the git hooks/post-receive script. spichugi pushed a change to branch master in repository 389-ds-base. from 4bb89f1 Issue: 49761 add 01df5d5 Issue 49938 - lib389 - Clean up CLI logging No new revisions were added by this update. Summary of changes: src/lib389/lib389/__init__.py | 67 ++++++++++++++++--------------------- src/lib389/lib389/instance/setup.py | 32 ++++++------------ src/lib389/lib389/ldclt.py | 21 +++++------- src/lib389/lib389/replica.py | 14 ++++---- 4 files changed, 56 insertions(+), 78 deletions(-) -- To stop receiving notification emails like this one, please contact the administrator of this repository.

5 years, 3 months

1
0
0 / 0

[389-ds-base] branch master updated (ad1b78e -> 4bb89f1)

by git repository hosting

This is an automated email from the git hooks/post-receive script. spichugi pushed a change to branch master in repository 389-ds-base. from ad1b78e Ticket 50056 - Fix UI bugs (part 2) add 4bb89f1 Issue: 49761 No new revisions were added by this update. Summary of changes: ...gression_nsslapd_plugin_binddn_tracking_test.py | 114 +++++++++++++++++++++ dirsrvtests/tests/suites/vlv/regression_test.py | 107 +++++++++++++++++++ 2 files changed, 221 insertions(+) create mode 100644 dirsrvtests/tests/suites/replication/regression_nsslapd_plugin_binddn_tracking_test.py create mode 100644 dirsrvtests/tests/suites/vlv/regression_test.py -- To stop receiving notification emails like this one, please contact the administrator of this repository.

5 years, 3 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-commits January 2019