#50100 Ticket 50099 - In FIPS mode, the server can select an unsupported password storage scheme
Closed 3 years ago by spichugi. Opened 5 years ago by tbordaz.
tbordaz/389-ds-base ticket_50099  into  master

@@ -226,11 +226,60 @@ 

      return;

  }

  

+ /* The system FIPS mode can be tested on FIPS_ENABLED

+  * system FIPS mode is ON => NSS is always ON

+  * One can imagine to set NSS ON when system FIPS is OFF but it makes no real sense

+  */

+ #define FIPS_ENABLED "/proc/sys/crypto/fips_enabled"

+ PRBool

+ slapd_system_isFIPS()

+ {

+     PRBool rc = PR_FALSE;

+     PRFileDesc *prfd;

+     char buf[sizeof (PRIu64)];

+     int val;

+     if (PR_SUCCESS != PR_Access(FIPS_ENABLED, PR_ACCESS_READ_OK)) {

+         slapi_log_err(SLAPI_LOG_ERR, "slapd_system_isFIPS", "Can not read %s\n", FIPS_ENABLED);

+         goto done;

+     }

+     if ((prfd = PR_Open(FIPS_ENABLED, PR_RDONLY, SLAPD_DEFAULT_FILE_MODE)) == NULL) {

+         slapi_log_err(SLAPI_LOG_ERR, "slapd_system_isFIPS", "Can not open %s\n", FIPS_ENABLED);

+         goto done;

+     }

+     if (PR_Read(prfd, buf, sizeof (buf)) < 0) {

+         slapi_log_err(SLAPI_LOG_ERR, "slapd_system_isFIPS", "Can not read %s\n", FIPS_ENABLED);

+         PR_Close(prfd);

+         goto done;

+     }

+     PR_Close(prfd);

+     val = atoi(buf);

+     if (val) {

+         slapi_log_err(SLAPI_LOG_INFO, "slapd_system_isFIPS", "system in FIPS mode\n");

+         rc = PR_TRUE;

+     }

+ done:

+     return rc;

+ }

  

  PRBool

  slapd_pk11_isFIPS()

  {

-     return PK11_IsFIPS();

+     PRBool rc = PR_FALSE;

+ 

+     if (slapd_nss_is_initialized()) {

+         /* It requires that NSS is initialized before calling PK11_IsFIPS.

+          * Note that it can exist a false positive if NSS in was FIPS mode

+          * although the system is not in FIPS. Such configuration makes no sense

+          */

+         rc = PK11_IsFIPS();

+     } else {

+         /* NSS being not initialized, we are considering the

+          * system FIPS mode.

+          */

+         rc = slapd_system_isFIPS();

+     }

+ 

+     return rc;

  }

  

  

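Review bot: `char buf[sizeof (PRIu64)]` in slapd_system_isFIPS() is mis-sized and the buffer is never NUL-terminated. PRIu64 expands to a printf conversion string such as "lu" or "llu", so sizeof gives 3 or 4 bytes, not the width of a 64-bit value, and PR_Read() does not terminate what it reads, so atoi(buf) scans into unset stack bytes whenever the read fills the buffer. Size the buffer explicitly, read at most sizeof(buf) - 1, and terminate with the count actually returned, treating 0 (empty file) as a failure as well, e.g. `char buf[16] = {0};` then `PRInt32 n = PR_Read(prfd, buf, sizeof(buf) - 1);` and `if (n <= 0) { ... PR_Close(prfd); goto done; } buf[n] = '\0';`. Since every failure path falls back to PR_FALSE, the three error messages should say so ("assuming the system is not in FIPS mode") instead of repeating "Can not read %s" for both the PR_Access() and PR_Read() failures, and the PR_Access() pre-check adds nothing that the PR_Open() failure does not already report.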
Bug Description:
When running in FIPS mode, DS selects SSHA512 as the password storage scheme; otherwise it selects PBKDF2_SHA256.
The problem is that in FIPS mode it selects PBKDF2_SHA256, which is currently not supported by NSS.
So DS fails to hash passwords.
The scheme selection is done in the early phase of DS startup (slapd_bootstrap_config).
To determine whether it is in FIPS mode, DS calls PK11_IsFIPS, which requires that NSS has been initialized.
The problem is that during slapd_bootstrap_config, NSS is not yet initialized and PK11_IsFIPS returns
PR_FALSE even in FIPS mode.

Fix Description:
The fix consists of checking whether NSS is initialized. If it is initialized, then rely on PK11_IsFIPS.
If it is not initialized, then retrieve the FIPS mode from the system, assuming that if the system
is in FIPS mode, then NSS will be in FIPS mode as well.

https://pagure.io/389-ds-base/issue/50099

Reviewed by: ?

Platforms tested: <plat>

Flag Day: no

Doc impact: no

Can you change this:
slapi_log_err(SLAPI_LOG_INFO, "slapd_system_isFIPS", "system in FIPS mode\n");

rebased onto c393b284a79d0a003eb4a8a992d006ad48f76bd2

5 years ago

rebased onto 76847e8

5 years ago

Pull-Request has been merged by tbordaz

5 years ago

Sorry, I am late with my comment, but I have a question.

In slapd_system_isFIPS() you have a sequence of access, open, read checks on FIPS_ENABLED, and if any fails it returns false. But if e.g. access and open succeed and read fails, does this indicate false, or an incorrect FIPS configuration, or another problem?

If it fails to read, it is certainly an indication of another problem external to DS. Except for logging the failure, I do not know if we can do more (like testing in another way whether we are in FIPS or not).

I had the impression that in that case we are in a third mode, "PR_UNDEFINED", and I am unsure if it makes sense to continue at all.

Offline discussions: it is enough to change the error messages. In case of failure (access/open/read) DS logs it and assumes the system is not in FIPS mode.
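The FIPS-detection fallback described in the Fix Description, together with the read-failure case raised in the comments above, as an added example that is not 389-ds-base code and not the patch under review: a stand-alone reader of /proc/sys/crypto/fips_enabled that NUL-terminates exactly what it reads, distinguishes an unreadable or garbage file from a plain "0", and on any failure logs and assumes the system is not in FIPS mode, wired to the SSHA512 / PBKDF2_SHA256 decision from the Bug Description. The function names, the 32-byte buffer, the /tmp sample files and the nss_initialized / nss_fips parameters (stand-ins for slapd_nss_is_initialized() and PK11_IsFIPS()) are this example's own assumptions.

```c
/* Added example, not 389-ds-base code: robust reading of the system FIPS
 * flag plus the password-scheme decision that depends on it. Function
 * names, buffer size and the nss_* parameters are this example's choices. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"

/* Interpret the file content ("0\n" or "1\n" on Linux).
 * Returns 1 for FIPS on, 0 for FIPS off, -1 for unparsable content, so the
 * caller can log something different from a genuine "0". */
int parse_fips_flag(const char *buf, size_t len)
{
    char *end;
    long v;

    while (len > 0 && isspace((unsigned char)buf[len - 1])) {
        len--;                      /* strip the trailing newline */
    }
    if (len == 0) {
        return -1;                  /* empty file */
    }
    errno = 0;
    v = strtol(buf, &end, 10);
    if (errno != 0 || end != buf + len) {
        return -1;                  /* not a whole number: "abc", "1x", ... */
    }
    return v != 0 ? 1 : 0;
}

/* Read the flag from PATH. The buffer is explicitly sized and terminated
 * with the byte count actually read. Every failure (open, read, empty,
 * unparsable) is logged and yields 0: "assume not FIPS", as agreed above. */
int system_is_fips_from(const char *path)
{
    char buf[32];
    size_t n;
    int failed, flag;
    FILE *f = fopen(path, "r");

    if (f == NULL) {
        fprintf(stderr, "system_is_fips: cannot open %s (%s); assuming not FIPS\n",
                path, strerror(errno));
        return 0;
    }
    n = fread(buf, 1, sizeof(buf) - 1, f);
    failed = ferror(f);
    fclose(f);
    if (failed || n == 0) {
        fprintf(stderr, "system_is_fips: cannot read %s; assuming not FIPS\n", path);
        return 0;
    }
    buf[n] = '\0';                  /* terminate with the real byte count */
    flag = parse_fips_flag(buf, n);
    if (flag < 0) {
        fprintf(stderr, "system_is_fips: unexpected content in %s; assuming not FIPS\n", path);
        return 0;
    }
    return flag;
}

int system_is_fips(void)
{
    return system_is_fips_from(FIPS_ENABLED_PATH);
}

/* The decision from the Bug Description: SSHA512 under FIPS, PBKDF2_SHA256
 * otherwise. nss_initialized / nss_fips stand in for slapd_nss_is_initialized()
 * and PK11_IsFIPS(); before NSS is up, only the system flag is meaningful. */
const char *select_default_pw_scheme(int nss_initialized, int nss_fips, const char *fips_path)
{
    int fips = nss_initialized ? nss_fips : system_is_fips_from(fips_path);
    return fips ? "SSHA512" : "PBKDF2_SHA256";
}

/* Helper for stand-alone runs: write a constructed flag file. 0 on success. */
int write_flag_file(const char *path, const char *content)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) {
        return -1;
    }
    fputs(content, f);
    return fclose(f) == 0 ? 0 : -1;
}

int main(void)
{
    /* Constructed sample files standing in for /proc/sys/crypto/fips_enabled. */
    write_flag_file("/tmp/fips_example_on", "1\n");
    write_flag_file("/tmp/fips_example_off", "0\n");
    printf("bootstrap, NSS not initialized, system FIPS on  -> %s\n",
           select_default_pw_scheme(0, 0, "/tmp/fips_example_on"));
    printf("bootstrap, NSS not initialized, system FIPS off -> %s\n",
           select_default_pw_scheme(0, 0, "/tmp/fips_example_off"));
    printf("NSS initialized and in FIPS mode               -> %s\n",
           select_default_pw_scheme(1, 1, "/nonexistent/fips_enabled"));
    printf("this host: system_is_fips() = %d\n", system_is_fips());
    return 0;
}
```

Build with `cc -Wall -o fips_example fips_example.c` and run it; the last line reports the real host flag, which is 0 with a logged message on a host where the /proc file does not exist, exactly the fallback the thread settled on.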

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This pull request has been cloned to Github as issue and is available here:
- https://github.com/389ds/389-ds-base/issues/3159

If you want to continue to work on the PR, please navigate to the github issue,
download the patch from the attachments and file a new pull request.

Thank you for understanding. We apologize for all inconvenience.

Pull-Request has been closed by spichugi

3 years ago