From 8db5b277a079fdfe5efbd7d49311f14489cee0e8 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Jan 06 2017 08:26:56 +0000
Subject: Unify password generation across FreeIPA


Also had to recalculate entropy of the passwords as originally,
probability of generating each character was 1/256, however the
default probability of each character in the ipa_generate_password
is 1/95 (1/94 for first and last character).

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>

---

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 02b03d4..414a716 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -25,7 +25,6 @@ import shutil
 import xml.dom.minidom
 import pwd
 import base64
-from hashlib import sha1
 import fcntl
 import time
 import datetime
@@ -159,9 +158,6 @@ class CertDB(object):
             perms |= stat.S_IWUSR
         os.chmod(fname, perms)
 
-    def gen_password(self):
-        return sha1(ipautil.ipa_generate_password()).hexdigest()
-
     def run_certutil(self, args, stdin=None, **kwargs):
         return self.nssdb.run_certutil(args, stdin, **kwargs)
 
@@ -177,7 +173,7 @@ class CertDB(object):
         if ipautil.file_exists(self.noise_fname):
             os.remove(self.noise_fname)
         f = open(self.noise_fname, "w")
-        f.write(self.gen_password())
+        f.write(ipautil.ipa_generate_password(pwd_len=25))
         self.set_perms(self.noise_fname)
 
     def create_passwd_file(self, passwd=None):
@@ -186,7 +182,7 @@ class CertDB(object):
         if passwd is not None:
             f.write("%s\n" % passwd)
         else:
-            f.write(self.gen_password())
+            f.write(ipautil.ipa_generate_password(pwd_len=25))
         f.close()
         self.set_perms(self.passwd_fname)
 
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index f4856c7..dc4b5b0 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -18,7 +18,6 @@
 #
 
 import base64
-import binascii
 import ldap
 import os
 import shutil
@@ -428,7 +427,7 @@ class DogtagInstance(service.Service):
 
     def setup_admin(self):
         self.admin_user = "admin-%s" % self.fqdn
-        self.admin_password = binascii.hexlify(os.urandom(16))
+        self.admin_password = ipautil.ipa_generate_password(pwd_len=20)
         self.admin_dn = DN(('uid', self.admin_user),
                            ('ou', 'people'), ('o', 'ipaca'))
 
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index a0fdc4a..89315b6 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -508,7 +508,7 @@ class DsInstance(service.Service):
             idrange_size = None
         self.sub_dict = dict(FQDN=self.fqdn, SERVERID=self.serverid,
                              PASSWORD=self.dm_password,
-                             RANDOM_PASSWORD=self.generate_random(),
+                             RANDOM_PASSWORD=ipautil.ipa_generate_password(),
                              SUFFIX=self.suffix,
                              REALM=self.realm, USER=DS_USER,
                              SERVER_ROOT=server_root, DOMAIN=self.domain,
@@ -775,9 +775,6 @@ class DsInstance(service.Service):
     def __add_enrollment_module(self):
         self._ldap_mod("enrollment-conf.ldif", self.sub_dict)
 
-    def generate_random(self):
-        return ipautil.ipa_generate_password()
-
     def __enable_ssl(self):
         dirname = config_dirname(self.serverid)
         dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index b7ce857..e8c706e 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -19,7 +19,6 @@
 
 from __future__ import print_function
 
-import binascii
 import os
 import os.path
 import pwd
@@ -314,9 +313,9 @@ class HTTPInstance(service.Service):
             ipautil.backup_file(nss_path)
 
         # Create the password file for this db
-        hex_str = binascii.hexlify(os.urandom(10))
+        password = ipautil.ipa_generate_password(pwd_len=15)
         f = os.open(pwd_file, os.O_CREAT | os.O_RDWR)
-        os.write(f, hex_str)
+        os.write(f, password)
         os.close(f)
 
         ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"])
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 6e986f7..2126169 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -45,7 +45,6 @@ from ipaserver.install.replication import (
     ReplicationManager, replica_conn_check)
 import SSSDConfig
 from subprocess import CalledProcessError
-from binascii import hexlify
 
 if six.PY3:
     unicode = str
@@ -1303,7 +1302,7 @@ def install(installer):
                 if conn.isconnected():
                     conn.disconnect()
                 os.environ['KRB5CCNAME'] = ccache
-        config.dirman_password = hexlify(ipautil.ipa_generate_password())
+        config.dirman_password = ipautil.ipa_generate_password()
 
         # FIXME: allow to use passed in certs instead
         if ca_enabled:
diff --git a/ipaserver/secrets/store.py b/ipaserver/secrets/store.py
index 1df7191..1c369d8 100644
--- a/ipaserver/secrets/store.py
+++ b/ipaserver/secrets/store.py
@@ -122,7 +122,7 @@ class NSSCertDB(DBMAPHandler):
             with open(nsspwfile, 'w+') as f:
                 f.write(self.nssdb_password)
             pk12pwfile = os.path.join(tdir, 'pk12pwfile')
-            password = b64encode(os.urandom(16))
+            password = ipautil.ipa_generate_password(pwd_len=20)
             with open(pk12pwfile, 'w+') as f:
                 f.write(password)
             pk12file = os.path.join(tdir, 'pk12file')