log = logging.getLogger(__name__)
+def is_fips():
+ if os.path.exists('/proc/sys/crypto/fips_enabled'):
+ with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+ state = f.readline().strip()
+ if state == '1':
+ return True
+ else:
+ return False
+
+
def run_healthcheck_and_flush_log(topology, instance, searched_code, json, searched_code2=None):
args = FakeArgs()
args.instance = instance.serverid
nsslapd-plugintype: pwdstoragescheme
nsslapd-pluginenabled: on
-dn: cn=PBKDF2,cn=Password Storage Schemes,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-cn: PBKDF2
-nsslapd-pluginpath: libpwdchan-plugin
-nsslapd-plugininitfunc: pwdchan_pbkdf2_plugin_init
-nsslapd-plugintype: pwdstoragescheme
-nsslapd-pluginenabled: on
-nsslapd-pluginId: PBKDF2
-nsslapd-pluginVersion: none
-nsslapd-pluginVendor: 389 Project
-nsslapd-pluginDescription: PBKDF2
-
-dn: cn=PBKDF2-SHA1,cn=Password Storage Schemes,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-cn: PBKDF2-SHA1
-nsslapd-pluginpath: libpwdchan-plugin
-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha1_plugin_init
-nsslapd-plugintype: pwdstoragescheme
-nsslapd-pluginenabled: on
-nsslapd-pluginId: PBKDF2-SHA1
-nsslapd-pluginVersion: none
-nsslapd-pluginVendor: 389 Project
-nsslapd-pluginDescription: PBKDF2-SHA1\
-
-dn: cn=PBKDF2-SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-cn: PBKDF2-SHA256
-nsslapd-pluginpath: libpwdchan-plugin
-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha256_plugin_init
-nsslapd-plugintype: pwdstoragescheme
-nsslapd-pluginenabled: on
-nsslapd-pluginId: PBKDF2-SHA256
-nsslapd-pluginVersion: none
-nsslapd-pluginVendor: 389 Project
-nsslapd-pluginDescription: PBKDF2-SHA256\
-
-dn: cn=PBKDF2-SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-cn: PBKDF2-SHA512
-nsslapd-pluginpath: libpwdchan-plugin
-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha512_plugin_init
-nsslapd-plugintype: pwdstoragescheme
-nsslapd-pluginenabled: on
-nsslapd-pluginId: PBKDF2-SHA512
-nsslapd-pluginVersion: none
-nsslapd-pluginVendor: 389 Project
-nsslapd-pluginDescription: PBKDF2-SHA512
-
dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
nsslapd-plugintype: pwdstoragescheme
nsslapd-pluginenabled: on
-dn: cn=PBKDF2,cn=Password Storage Schemes,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-cn: PBKDF2
-nsslapd-pluginpath: libpwdchan-plugin
-nsslapd-plugininitfunc: pwdchan_pbkdf2_plugin_init
-nsslapd-plugintype: pwdstoragescheme
-nsslapd-pluginenabled: on
-nsslapd-pluginId: PBKDF2
-nsslapd-pluginVersion: none
-nsslapd-pluginVendor: 389 Project
-nsslapd-pluginDescription: PBKDF2
-
-dn: cn=PBKDF2-SHA1,cn=Password Storage Schemes,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-cn: PBKDF2-SHA1
-nsslapd-pluginpath: libpwdchan-plugin
-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha1_plugin_init
-nsslapd-plugintype: pwdstoragescheme
-nsslapd-pluginenabled: on
-nsslapd-pluginId: PBKDF2-SHA1
-nsslapd-pluginVersion: none
-nsslapd-pluginVendor: 389 Project
-nsslapd-pluginDescription: PBKDF2-SHA1\
-
-dn: cn=PBKDF2-SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-cn: PBKDF2-SHA256
-nsslapd-pluginpath: libpwdchan-plugin
-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha256_plugin_init
-nsslapd-plugintype: pwdstoragescheme
-nsslapd-pluginenabled: on
-nsslapd-pluginId: PBKDF2-SHA256
-nsslapd-pluginVersion: none
-nsslapd-pluginVendor: 389 Project
-nsslapd-pluginDescription: PBKDF2-SHA256\
-
-dn: cn=PBKDF2-SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
-objectclass: top
-objectclass: nsSlapdPlugin
-cn: PBKDF2-SHA512
-nsslapd-pluginpath: libpwdchan-plugin
-nsslapd-plugininitfunc: pwdchan_pbkdf2_sha512_plugin_init
-nsslapd-plugintype: pwdstoragescheme
-nsslapd-pluginenabled: on
-nsslapd-pluginId: PBKDF2-SHA512
-nsslapd-pluginVersion: none
-nsslapd-pluginVendor: 389 Project
-nsslapd-pluginDescription: PBKDF2-SHA512
-
dn: cn=AES,cn=Password Storage Schemes,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
SECStatus
pbkdf2_sha256_hash(char *hash_out, size_t hash_out_len, SECItem *pwd, SECItem *salt, uint32_t iterations)
{
+ SECItem *result = NULL;
SECAlgorithmID *algid = NULL;
PK11SlotInfo *slot = NULL;
PK11SymKey *symkey = NULL;
- SECItem *wrapKeyData = NULL;
- SECStatus rv = SECFailure;
/* We assume that NSS is already started. */
algid = PK11_CreatePBEV2AlgorithmID(SEC_OID_PKCS5_PBKDF2, SEC_OID_HMAC_SHA256, SEC_OID_HMAC_SHA256, hash_out_len, iterations, salt);
slot = PK11_GetBestSlotMultiple(mechanism_array, 2, NULL);
if (slot != NULL) {
symkey = PK11_PBEKeyGen(slot, algid, pwd, PR_FALSE, NULL);
+ PK11_FreeSlot(slot);
if (symkey == NULL) {
/* We try to get the Error here but NSS has two or more error interfaces, and sometimes it uses none of them. */
int32_t status = PORT_GetError();
return SECFailure;
}
- /*
- * First, we need to generate a wrapped key for PK11_Decrypt call:
- * slot is the same slot we used in PK11_PBEKeyGen()
- * 256 bits / 8 bit per byte
- */
- PK11SymKey *wrapKey = PK11_KeyGen(slot, CKM_AES_ECB, NULL, 256/8, NULL);
- PK11_FreeSlot(slot);
- if (wrapKey == NULL) {
- slapi_log_err(SLAPI_LOG_ERR, "pbkdf2_sha256_hash", "Unable to generate a wrapped key.\n");
- return SECFailure;
- }
-
- wrapKeyData = (SECItem *)PORT_Alloc(sizeof(SECItem));
- /* Align the wrapped key with 32 bytes. */
- wrapKeyData->len = (PK11_GetKeyLength(symkey) + 31) & ~31;
- /* Allocate the aligned space for pkc5PBE key plus AESKey block */
- wrapKeyData->data = (unsigned char *)slapi_ch_calloc(wrapKeyData->len, sizeof(unsigned char));
-
- /* Get symkey wrapped with wrapKey - required for PK11_Decrypt call */
- rv = PK11_WrapSymKey(CKM_AES_ECB, NULL, wrapKey, symkey, wrapKeyData);
- if (rv != SECSuccess) {
- PK11_FreeSymKey(symkey);
- PK11_FreeSymKey(wrapKey);
- SECITEM_FreeItem(wrapKeyData, PR_TRUE);
- slapi_log_err(SLAPI_LOG_ERR, "pbkdf2_sha256_hash", "Unable to wrap the symkey. (%d)\n", rv);
- return SECFailure;
- }
-
- /* Allocate the space for our result */
- void *result = (char *)slapi_ch_calloc(wrapKeyData->len, sizeof(char));
- unsigned int result_len = 0;
-
- /* User wrapKey to decrypt the wrapped contents.
- * result is the hash that we need;
- * result_len is the actual lengh of the data;
- * has_out_len is the maximum (the space we allocted for hash_out)
- */
- rv = PK11_Decrypt(wrapKey, CKM_AES_ECB, NULL, result, &result_len, hash_out_len, wrapKeyData->data, wrapKeyData->len);
- PK11_FreeSymKey(symkey);
- PK11_FreeSymKey(wrapKey);
- SECITEM_FreeItem(wrapKeyData, PR_TRUE);
-
- if (rv == SECSuccess) {
- if (result != NULL && result_len <= hash_out_len) {
- memcpy(hash_out, result, result_len);
- slapi_ch_free((void **)&result);
+ if (PK11_ExtractKeyValue(symkey) == SECSuccess) {
+ result = PK11_GetKeyData(symkey);
+ if (result != NULL && result->len <= hash_out_len) {
+ memcpy(hash_out, result->data, result->len);
+ PK11_FreeSymKey(symkey);
} else {
- slapi_log_err(SLAPI_LOG_ERR, "pbkdf2_sha256_hash", "Unable to retrieve (get) hash output.\n");
- slapi_ch_free((void **)&result);
+ PK11_FreeSymKey(symkey);
+ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to retrieve (get) hash output.\n");
return SECFailure;
}
} else {
- slapi_log_err(SLAPI_LOG_ERR, "pbkdf2_sha256_hash", "Unable to extract hash output. (%d)\n", rv);
- slapi_ch_free((void **)&result);
+ slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to extract hash output.\n");
return SECFailure;
}
* is enabled or not. We use NSS for random number generation and
* other things even if we are not going to accept SSL connections.
* We also need NSS for attribute encryption/decryption on import and export.
- *
- * It's important to remember that while in FIPS mode the administrator should always enable
- * the security, otherwise we don't call slapd_pk11_authenticate which is a requirement for FIPS mode
*/
- PRBool isFIPS = slapd_pk11_isFIPS();
int init_ssl = config_get_security();
- if (isFIPS && !init_ssl) {
- slapi_log_err(SLAPI_LOG_WARNING, "slapd_do_all_nss_ssl_init",
- "ERROR: TLS is not enabled, and the machine is in FIPS mode. "
- "Some functionality won't work correctly (for example, "
- "users with PBKDF2_SHA256 password scheme won't be able to log in). "
- "It's highly advisable to enable TLS on this instance.\n");
- }
-
if (slapd_exemode == SLAPD_EXEMODE_SLAPD) {
init_ssl = init_ssl && (0 != s_port) && (s_port <= LDAP_PORT_MAX);
} else {
:param post_open: Open the server connection after restart.
:type post_open: bool
"""
- if self.config.get_attr_val_utf8_l("nsslapd-security") == 'on':
- self.restart(post_open=post_open)
- return
-
# If it doesn't exist, create a cadb.
ssca = NssSsl(dbpath=self.get_ssca_dir())
if not ssca._db_exists():
import socket # For hostname detection for GSSAPI tests
import pytest
from lib389 import DirSrv
-from lib389.utils import generate_ds_params, is_fips
+from lib389.utils import generate_ds_params
from lib389.mit_krb5 import MitKrb5
from lib389.saslmap import SaslMappings
from lib389.replica import ReplicationManager, Replicas
if role == ReplicaRole.HUB:
hs[instance.serverid] = instance
instances.update(hs)
- # We should always enable TLS while in FIPS mode because otherwise NSS database won't be
- # configured in a FIPS compliant way
- if is_fips():
- instance.enable_tls()
if DEBUGGING:
instance.config.set('nsslapd-errorlog-level','8192')
instance.config.set('nsslapd-accesslog-level','260')
hostname = hostname[:-1] # strip exactly one dot from the right, if present
allowed = re.compile("(?!-)[A-Z\d-]{1,63}(?<!-)$", re.IGNORECASE)
return all(allowed.match(x) for x in hostname.split("."))
-
-
-def is_fips():
- if os.path.exists('/proc/sys/crypto/fips_enabled'):
- with open('/proc/sys/crypto/fips_enabled', 'r') as f:
- state = f.readline().strip()
- if state == '1':
- return True
- else:
- return False
- else:
- return False
-
projects / 389-ds-base.git / commitdiff