Friday, October 14, 2016

[389-commits] ldap/servers

ldap/servers/plugins/rever/pbe.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)

New commits:
commit 61c72f966bda17993f483e8f79d97dff20b7cc93
Author: Mark Reynolds <mreynolds@redhat.com>
Date: Fri Oct 14 16:17:46 2016 -0400

Ticket 48909 - Replication stops working in FIPS mode

Bug Description: When FIPS mode is enabled on the security database, the
token name is changed. This prevents the server from
reverse decoding the replication manager's password. Which
prevents replication sessions from getting established.

Fix Description: Instead of getting the key slot from the hard-coded token
name, call slapd_pk11_getInternalKeySlot() which gets the
current slot.

https://fedorahosted.org/389/ticket/48909

Reviewed by: nhosoi(Thanks!)

diff --git a/ldap/servers/plugins/rever/pbe.c b/ldap/servers/plugins/rever/pbe.c
index 5044770..45b1f97 100644
--- a/ldap/servers/plugins/rever/pbe.c
+++ b/ldap/servers/plugins/rever/pbe.c
@@ -50,7 +50,7 @@ struct pk11ContextStore

static int encode_path(char *inPlain, char **outCipher, char *path, int mech);
static int decode_path(char *inCipher, char **outPlain, char *path, int mech, char *algid);
-static SVRCOREError genKey(struct pk11ContextStore **out, const char *token, char *path, int mech, PRArenaPool *arena, char *algid);
+static SVRCOREError genKey(struct pk11ContextStore **out, char *path, int mech, PRArenaPool *arena, char *algid);
static SVRCOREError cryptPassword(struct pk11ContextStore *store, char * clear, unsigned char **out);
static SVRCOREError decryptPassword(struct pk11ContextStore *store, unsigned char *cipher, char **out, int len);
static void freePBE(struct pk11ContextStore *store);
@@ -83,7 +83,7 @@ encode_path(char *inPlain, char **outCipher, char *path, int mech)
*outCipher = NULL;
err = 1;

- if ( genKey(&context, tokPBE, path, mech, arena, NULL) == SVRCORE_Success ){
+ if ( genKey(&context, path, mech, arena, NULL) == SVRCORE_Success ){
/* Try an encryption */
if ( cryptPassword(context, inPlain, &cipher) == SVRCORE_Success ){
base = BTOA_DataToAscii(cipher, context->length);
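Review bot: With the token argument dropped from `genKey(&context, path, mech, arena, NULL)` here and from the matching call in decode_path, `tokPBE` no longer has a reader in the two call sites this commit touches; if its definition is a file-scope constant in pbe.c it is now dead code and will trip -Wunused, so remove it in the same change (keep it only if a header still exports it to other callers). encode_path's body continues outside the hunk.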
@@ -141,7 +141,7 @@ decode_path(char *inCipher, char **outPlain, char *path, int mech, char *algid)
*outPlain = NULL;
err = 1;

- if ( genKey(&context, tokPBE, path, mech, arena, algid) == SVRCORE_Success ){
+ if ( genKey(&context, path, mech, arena, algid) == SVRCORE_Success ){
/* it seems that there is memory leak in that function: bug 400170 */
base = ATOB_AsciiToData(inCipher, (unsigned int*)&len);
if ( base != NULL ){
@@ -177,7 +177,7 @@ freePBE(struct pk11ContextStore *store)
}

static SVRCOREError
-genKey(struct pk11ContextStore **out, const char *token, char *path, int mech, PRArenaPool *arena, char *alg)
+genKey(struct pk11ContextStore **out, char *path, int mech, PRArenaPool *arena, char *alg)
{
SVRCOREError err = SVRCORE_Success;
struct pk11ContextStore *store = NULL;
@@ -204,8 +204,7 @@ genKey(struct pk11ContextStore **out, const char *token, char *path, int mech, P
}
*out = store;

- /* Use the tokenName to find a PKCS11 slot */
- store->slot = slapd_pk11_findSlotByName((char *)token);
+ store->slot = slapd_pk11_getInternalKeySlot();
if (store->slot == NULL){
err = SVRCORE_NoSuchToken_Error;
goto done;
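Review bot: The new lookup `store->slot = slapd_pk11_getInternalKeySlot();` drops the explanatory comment the old line carried, and the reason for preferring the internal key slot over a token name is exactly what the next reader will need; add `/* FIPS mode renames the softoken, so resolve the internal key slot directly rather than by the hard-coded token name. */` above it. The old and new wrappers presumably map to PK11_FindSlotByName and PK11_GetInternalKeySlot, both of which hand back a slot reference the caller owns, so whatever releases `store->slot` in freePBE (outside this hunk) should be unaffected, but that is worth confirming rather than assuming. In FIPS mode the internal key slot normally requires authentication before key operations; if nothing in the server's startup path logs in that slot before cryptPassword/decryptPassword run, this lookup will succeed and the PBE operations will fail later with a less obvious error, so either verify the login happens earlier or check for it here before returning success. genKey's body continues past the end of the hunk.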

