commit f60846e025ff5492e8c05ccf525fe8df1b59bba6
Author: Jack Magne <jmagne@localhost.localdomain>
Date: Tue Aug 11 18:26:04 2015 -0700
setpin utility doesn't set the pin for users.
There were some things wrong with the setpin utility.
1. There were some syntax violations that had to be dealt with or a DS with syntax checking
would not be pleased.
2. The back end is expecting a byte of hash data at the beginning of the pin.
In our case we are sending NO hash so we want this code at the beginning '-'
3. We also need to prepend the dn in front of the pin so the back end can verify the set pin.
Tested to work during both steps of the setpin process: 1) Creating the schema, 2) creating the pin.
Tested to work with actual PinBased Enrollment.
4. The fix now supports only the SHA256 hashing method, with sha256 as the default hash.
The no hash option is supported but puts the pin in the clear.
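--- a/base/native-tools/src/setpin/setpin.c
+++ b/base/native-tools/src/setpin/setpin.c
@@ -87,7 +87,7 @@ void testpingen();
 void do_setup();
 
 
-char *sha1_pw_enc( char *pwd );
+char *sha256_pw_enc( char *pwd );
 
 int errcode=0;
 
@@ -375,7 +375,7 @@ void do_setup() {
 doLDAPBind();
 
 if (o_schemachange) {
- sprintf(x_values[0],"( %s-oid NAME '%s' DESC 'User Defined Attribute' SYNTAX '1.3.6.1.4.1.1466.115.121.1.5' SINGLE-VALUE )",
+ sprintf(x_values[0],"( %s-oid NAME '%s' DESC 'User Defined Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'custom for setpin' )",
 o_attribute,
 o_attribute);
 
@@ -398,8 +398,8 @@ void do_setup() {
 }
 }
 
- sprintf(x_values[0],"( %s-oid NAME '%s' DESC 'User Defined ObjectClass' SUP 'top' MUST ( objectclass ) MAY ( aci $ %s )",
- o_objectclass,o_objectclass,
+ sprintf(x_values[0],"( 2.16.840.1.117370.999.1.2.10 NAME '%s' DESC 'User Defined ObjectClass' SUP top MAY ( aci $ %s ) )",
+ o_objectclass,
 o_attribute);
 
 fprintf(stderr,"Adding objectclass: %s\n",x_values[0]);
@@ -433,7 +433,7 @@ void do_setup() {
 exitError("missing basedn argument");
 }
 
- password = sha1_pw_enc( o_pinmanagerpwd );
+ password = sha256_pw_enc( o_pinmanagerpwd );
 
 fprintf(stderr,"Adding user: %s\n",o_pinmanager);
 
@@ -533,23 +533,23 @@ int ldif_base64_encode(
 /*
 * Number of bytes each hash algorithm produces
 */
-#define SHA1_LENGTH 20
-
+#define SHA256_LENGTH 32
 
 char *
-sha1_pw_enc( char *pwd )
+sha256_pw_enc( char *pwd )
 {
- unsigned char hash[ SHA1_LENGTH ];
+
+ unsigned char hash[ SHA256_LENGTH ];
 char *enc;
 
- /* SHA1 hash the user's key */
- PK11_HashBuf(SEC_OID_SHA1,hash,pwd,strlen(pwd));
+ /* SHA246 hash the user's key */
+ PK11_HashBuf(SEC_OID_SHA256,hash,pwd,strlen(pwd));
 enc = malloc(256);
 
- sprintf( enc, "{SHA}");
+ sprintf( enc, "{SHA256}");
 
 (void)ldif_base64_encode( hash, enc + 5,
- SHA1_LENGTH, -1 );
+ SHA256_LENGTH, -1 );
 
 return( enc );
 }
@@ -871,24 +871,17 @@ void processSearchResults(LDAPMessage *r) {
 
 #define SENTINEL_SHA1 0
 #define SENTINEL_MD5 1
+#define SENTINEL_SHA256 2
 #define SENTINEL_NONE '-'
 
- if ((!strcmp(o_hash,"SHA1")) || (!strcmp(o_hash,"sha1")) ) {
- status = PK11_HashBuf(SEC_OID_SHA1,
- (unsigned char *)hashbuf_dest+1,
- (unsigned char *)hashbuf_source,
- strlen(hashbuf_source)
- );
- hashbuf_dest[0] = SENTINEL_SHA1;
- pindatasize = SHA1_LENGTH + 1;
- } else if ((!strcmp(o_hash,"MD5")) || (!strcmp(o_hash,"md5")) ) {
- status = PK11_HashBuf(SEC_OID_MD5,
+ if ((!strcmp(o_hash,"SHA256")) || (!strcmp(o_hash,"sha256")) ) {
+ status = PK11_HashBuf(SEC_OID_SHA256,
 (unsigned char *)hashbuf_dest+1,
 (unsigned char *)hashbuf_source,
 strlen(hashbuf_source)
 );
- hashbuf_dest[0] = SENTINEL_MD5;
- pindatasize = MD5_LENGTH + 1;
+ hashbuf_dest[0] = SENTINEL_SHA256;
+ pindatasize = SHA256_LENGTH + 1;
 } else if ((!strcmp(o_hash,"NONE")) || (!strcmp(o_hash,"none")) ) {
 hashbuf_dest[0] = SENTINEL_NONE;
 status = SECSuccess;
@@ -897,7 +890,7 @@ void processSearchResults(LDAPMessage *r) {
 strlen(hashbuf_source)
 );
 } else {
- sprintf(errbuf,"Unsupported hash type '%s'. Must be one of 'sha1', 'md5' or 'none",o_hash);
+ sprintf(errbuf,"Unsupported hash type '%s'. Must be one of 'sha256', or 'none",o_hash);
 errcode = 7;
 exitError(errbuf);
 }
@@ -907,16 +900,20 @@ void processSearchResults(LDAPMessage *r) {
 errcode = 9;
 exitError(errbuf);
 }
-
- pindata = hashbuf_dest;
+ pindata = hashbuf_dest;
 
 if (hashbuf_source != NULL) {
 free(hashbuf_source);
 hashbuf_source = NULL;
 }
 } else {
- pindata = generatedPassword;
- pindatasize = strlen(generatedPassword);
+ /* Do last resort no hash version */
+ hashbuf_dest[0] = SENTINEL_NONE;
+ memcpy(hashbuf_dest + 1, dn, strlen(dn));
+ memcpy(hashbuf_dest + 1 + strlen(dn) ,generatedPassword, strlen(generatedPassword));
+
+ pindata = hashbuf_dest;
+ pindatasize = strlen(generatedPassword) + 1 + strlen(dn);
 }
 
 bval.bv_len = pindatasize;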
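Review bot: In sha256_pw_enc the base64 digest is still written at `enc + 5`, an offset that matched the old 5-byte `{SHA}` prefix; the new `{SHA256}` prefix is 8 bytes, so the encoder overwrites `56}` and the stored pin-manager password no longer carries the scheme tag the directory expects. Change the call to `(void)ldif_base64_encode( hash, enc + strlen(enc),` so the digest follows the full tag regardless of its length. In the last hunk the two `memcpy` calls into `hashbuf_dest` copy `strlen(dn)` plus `strlen(generatedPassword)` bytes with no check against the buffer's capacity, which is allocated outside the hunk, so a long DN can overrun it; guard the copies with a length check against that capacity before writing. Two small text fixes: the comment `/* SHA246 hash the user's key */` should read `SHA256`, and the new error string is missing its closing quote, `"Unsupported hash type '%s'. Must be one of 'sha256' or 'none'"`. processSearchResults starts and ends outside these hunks.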
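--- a/base/native-tools/src/setpin/setpin_options.c
+++ b/base/native-tools/src/setpin/setpin_options.c
@@ -51,7 +51,7 @@ char *valid_args[] = {
 "case", "Restrict case of pins 'case=upperonly'",
 "objectclass", "Objectclass of LDAP entry to operate on (default pinPerson)",
 "attribute","Which LDAP attribute to write to (default pin)",
- "hash", "Hash algorithm used to store pin: 'none', 'md5' or 'sha1' (default)",
+ "hash", "Hash algorithm used to store pin: 'none', or 'sha256' (default) warning: 'none' is in the clear",
 "saltattribute", "Which attribute to use for salt (default: dn)",
 "input", "File to use for restricting DN's, or providing your own pins",
 "output", "Redirect stdout to a file",
@@ -96,7 +96,7 @@ void setDefaultOptions() {
 o_gen= "RNG-alphanum";
 o_case= NULL;
 o_attribute="pin";
- o_hash= "sha1";
+ o_hash= "sha256";
 o_objectclass="pinPerson";
 o_output= NULL;
 o_retry= "5";
@@ -270,8 +270,7 @@ void validateOptions() {
 }
 
 if (!
- (equals(o_hash,"sha1") ||
- equals(o_hash,"md5") ||
+ (equals(o_hash,"sha256") ||
 equals(o_hash,"none"))
 ) {
 snprintf(errbuf, ERR_BUF_LENGTH, "invalid hash: %s",o_hash);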
diff --git a/base/server/cms/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java
index 82331da..6caa9a1 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java
@@ -75,6 +75,7 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication
protected static final byte SENTINEL_SHA = 0;
protected static final byte SENTINEL_MD5 = 1;
+ protected static final byte SENTINEL_SHA256 = 2;
protected static final byte SENTINEL_NONE = 0x2d;
/* Holds configuration parameters accepted by this implementation.
@@ -132,6 +133,7 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication
protected String mPinAttr = DEF_PIN_ATTR;
protected MessageDigest mSHADigest = null;
protected MessageDigest mMD5Digest = null;
+ protected MessageDigest mSHA256Digest = null;
private ILdapConnFactory removePinLdapFactory = null;
private LDAPConnection removePinLdapConnection = null;
@@ -165,6 +167,7 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication
try {
mSHADigest = MessageDigest.getInstance("SHA1");
mMD5Digest = MessageDigest.getInstance("MD5");
+ mSHA256Digest = MessageDigest.getInstance("SHA256");
} catch (NoSuchAlgorithmException e) {
throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.getMessage()));
}
@@ -336,6 +339,8 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication
pinDigest = mSHADigest.digest(toBeDigested.getBytes());
} else if (hashtype == SENTINEL_MD5) {
pinDigest = mMD5Digest.digest(toBeDigested.getBytes());
+ } else if (hashtype == SENTINEL_SHA256) {
+ pinDigest = mSHA256Digest.digest(toBeDigested.getBytes());
} else if (hashtype == SENTINEL_NONE) {
pinDigest = toBeDigested.getBytes();
} else {