76847e8 Ticket 50099 - In FIPS mode, the server can select an unsupported password storage scheme

Authored and Committed by tbordaz 5 years ago
    Ticket 50099 - In FIPS mode, the server can select an unsupported password storage scheme
    
    Bug Description:
    	When running in FIPS mode, DS selects SSHA512 as the password storage scheme; otherwise it selects PBKDF2_SHA256.
    	The problem is that in FIPS mode it selects PBKDF2_SHA256, which is currently not supported by NSS.
    	So DS fails to hash the password.
    	The scheme selection is done in the early phase of DS startup (slapd_bootstrap_config).
    	To determine it is in FIPS mode, DS calls PK11_IsFIPS that requires that NSS has been initialized.
    	The problem is that during slapd_bootstrap_config, NSS is not yet initialized and PK11_IsFIPS returns
    	PR_FALSE even in FIPS mode.
    
    Fix Description:
    	The fix consists of checking whether NSS is initialized. If it is initialized, then rely on PK11_IsFIPS.
    	If it is not initialized, then retrieve the FIPS mode from the system, assuming that if the system
    	is in FIPS mode, then NSS will be in FIPS mode as well.
    
    https://pagure.io/389-ds-base/issue/50099
    
    Reviewed by: Mark Reynolds (thanks Mark !)
    
    Platforms tested: F27
    
    Flag Day: no
    
    Doc impact: no
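
The decision order described in the fix, as an added example that is not the 389-ds-base code: the NSS answer is used only once NSS is initialized, and before that the system flag decides. Assumptions: the `nss_state` struct is a hypothetical stand-in for `NSS_IsInitialized()` and `PK11_IsFIPS()` so the block builds without NSS, the function names are invented for illustration, and the system flag is read from the Linux file `/proc/sys/crypto/fips_enabled`.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: Linux exposes the kernel FIPS flag in this file ("1" = enabled). */
#define SYSTEM_FIPS_PATH "/proc/sys/crypto/fips_enabled"

/* Hypothetical stand-in for NSS state so the example builds without NSS.
 * Real code would ask NSS_IsInitialized() and PK11_IsFIPS() instead. */
struct nss_state {
    int initialized; /* has NSS been initialized yet? */
    int fips;        /* what PK11_IsFIPS would report once initialized */
};

/* Read the system flag; an absent or unreadable file counts as "not FIPS". */
int system_is_fips(const char *path)
{
    FILE *f = fopen(path, "r");
    int c;

    if (f == NULL) {
        return 0;
    }
    c = fgetc(f);
    fclose(f);
    return c == '1';
}

/* Trust NSS only once it is initialized; before that, fall back to the system. */
int server_is_fips(const struct nss_state *nss, const char *path)
{
    return nss->initialized ? nss->fips : system_is_fips(path);
}

/* Default scheme as described in the commit message. */
const char *default_pw_scheme(const struct nss_state *nss, const char *path)
{
    return server_is_fips(nss, path) ? "SSHA512" : "PBKDF2_SHA256";
}

int main(void)
{
    /* Bootstrap phase: NSS not initialized, so its answer must not be used. */
    struct nss_state bootstrap = { 0, 0 };

    printf("default scheme: %s\n", default_pw_scheme(&bootstrap, SYSTEM_FIPS_PATH));
    return 0;
}
```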