commit f60846e025ff5492e8c05ccf525fe8df1b59bba6
Author: Jack Magne <jmagne@localhost.localdomain>
Date:   Tue Aug 11 18:26:04 2015 -0700
    setpin utility doesn't set the pin for users.
    
    There were some things wrong with the setpin utility.
    
    1. There were some syntax violations that had to be dealt with or a DS with syntax checking
    would not be pleased.
    
    2. The back end is expecting a byte of hash data at the beginning of the pin.
    In our case we are sending NO hash so we want this code at the beginning '-'
    
    3. We also need to prepend the dn in front of the pin so the back end can verify the set pin.
    
    Tested to work during both steps of the setpin process: 1) Creating the schema, 2) creating the pin.
    Tested to work with actual PinBased Enrollment.
    
    4. The fix now supports only the SHA256 hashing method, with sha256 as the default hash.
    The no hash option is supported but puts the pin in the clear.
diff --git a/base/native-tools/src/setpin/setpin.c b/base/native-tools/src/setpin/setpin.c
index f1bf6a8..a164719 100644
--- a/base/native-tools/src/setpin/setpin.c
+++ b/base/native-tools/src/setpin/setpin.c
@@ -87,7 +87,7 @@ void testpingen();
 void do_setup();
 
 
-char *sha1_pw_enc( char *pwd );
+char *sha256_pw_enc( char *pwd );
 
 int errcode=0;
 
@@ -375,7 +375,7 @@ void do_setup() {
     doLDAPBind();
     
     if (o_schemachange) {   
-        sprintf(x_values[0],"( %s-oid NAME '%s' DESC 'User Defined Attribute' SYNTAX '1.3.6.1.4.1.1466.115.121.1.5' SINGLE-VALUE )",
+        sprintf(x_values[0],"( %s-oid NAME '%s' DESC 'User Defined Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'custom for setpin' )",
             o_attribute,
             o_attribute);
 
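Review bot: The attribute definition on the `+` line is still formatted with an unbounded `sprintf` into `x_values[0]` from the user-supplied `o_attribute` (used twice), and the objectclass definition in the next hunk does the same with `o_objectclass` and `o_attribute`; `x_values[0]` is set up outside this hunk, so if it is a fixed-size buffer an over-long attribute or objectclass name overruns it. The `setpin_options.c` part of this same commit already uses `snprintf(errbuf, ERR_BUF_LENGTH, ...)`; the same bounded form with the real capacity of `x_values[0]`, checking the return value for truncation before the string is sent to the directory, would be consistent here. do_setup() starts and ends outside this hunk.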
@@ -398,8 +398,8 @@ void do_setup() {
             }
         }
 
-        sprintf(x_values[0],"( %s-oid NAME '%s' DESC 'User Defined ObjectClass' SUP 'top' MUST ( objectclass ) MAY ( aci $ %s )",
-           o_objectclass,o_objectclass,
+        sprintf(x_values[0],"( 2.16.840.1.117370.999.1.2.10 NAME '%s' DESC 'User Defined ObjectClass' SUP top MAY ( aci $ %s ) )",
+           o_objectclass,
            o_attribute);
 
         fprintf(stderr,"Adding objectclass: %s\n",x_values[0]);
@@ -433,7 +433,7 @@ void do_setup() {
             exitError("missing basedn argument");
         }
             
-        password = sha1_pw_enc( o_pinmanagerpwd );
+        password = sha256_pw_enc( o_pinmanagerpwd );
         
         fprintf(stderr,"Adding user: %s\n",o_pinmanager);
 
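Review bot: `password = sha256_pw_enc( o_pinmanagerpwd );` takes ownership of a `malloc(256)` buffer created inside sha256_pw_enc(), and nothing in this hunk frees it; if it is not released later in do_setup() (outside the hunk) that is only a small leak in a one-shot tool, but the ownership should be stated on the prototype, e.g. `/* Returns a malloc()ed "{SHA256}<base64>" string; the caller owns and frees it. */`. The stored value is an unsalted digest of the pin manager password; the directory also understands the salted {SSHA256} scheme, which would be the stronger choice for a follow-up change. do_setup() starts and ends outside this hunk.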
@@ -533,23 +533,23 @@ int ldif_base64_encode(
 /*
  * Number of bytes each hash algorithm produces
  */
-#define SHA1_LENGTH     20
-
+#define SHA256_LENGTH   32
 
 char *
-sha1_pw_enc( char *pwd )
+sha256_pw_enc( char *pwd )
 {
-    unsigned char   hash[ SHA1_LENGTH ];
+
+    unsigned char   hash[ SHA256_LENGTH ];
     char        *enc;
 
-    /* SHA1 hash the user's key */
-    PK11_HashBuf(SEC_OID_SHA1,hash,pwd,strlen(pwd));
+    /* SHA246 hash the user's key */
+    PK11_HashBuf(SEC_OID_SHA256,hash,pwd,strlen(pwd));
     enc = malloc(256);
 
-    sprintf( enc, "{SHA}");
+    sprintf( enc, "{SHA256}");
 
     (void)ldif_base64_encode( hash, enc + 5,
-        SHA1_LENGTH, -1 );
+        SHA256_LENGTH, -1 );
 
     return( enc );
 }
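Review bot: The base64 output is still written at `enc + 5`, but the prefix written on the line above is now `"{SHA256}"`, which is 8 bytes, so the encoding overwrites `56}` and the stored value starts with `{SHA2...` instead of `{SHA256}...`, which the directory will not recognise as the SHA256 scheme; the offset should follow the prefix, e.g. `(void)ldif_base64_encode( hash, enc + strlen("{SHA256}"),`. The `malloc(256)` result is also used unchecked; a guard such as `if (enc == NULL) exitError("out of memory");` before the `sprintf` would match the file's existing exitError() error path (256 bytes is ample: 8 prefix bytes plus 44 base64 characters plus the terminator). The comment above the hash call reads `SHA246` and should read `SHA256`.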
@@ -871,24 +871,17 @@ void processSearchResults(LDAPMessage *r) {
 
 #define SENTINEL_SHA1 0
 #define SENTINEL_MD5  1
+#define SENTINEL_SHA256 2
 #define SENTINEL_NONE '-' 
 
-            if ((!strcmp(o_hash,"SHA1")) || (!strcmp(o_hash,"sha1")) ) {
-                status = PK11_HashBuf(SEC_OID_SHA1,
-                                  (unsigned char *)hashbuf_dest+1,
-                                  (unsigned char *)hashbuf_source,
-                                  strlen(hashbuf_source)
-                                  );
-                hashbuf_dest[0] = SENTINEL_SHA1;
-                pindatasize = SHA1_LENGTH + 1;
-            } else if ((!strcmp(o_hash,"MD5")) || (!strcmp(o_hash,"md5")) ) {
-                status = PK11_HashBuf(SEC_OID_MD5,
+            if ((!strcmp(o_hash,"SHA256")) || (!strcmp(o_hash,"sha256")) ) {
+                status = PK11_HashBuf(SEC_OID_SHA256,
                                   (unsigned char *)hashbuf_dest+1,
                                   (unsigned char *)hashbuf_source,
                                   strlen(hashbuf_source)
                                   );
-                hashbuf_dest[0] = SENTINEL_MD5;
-                pindatasize = MD5_LENGTH + 1;
+                hashbuf_dest[0] = SENTINEL_SHA256;
+                pindatasize = SHA256_LENGTH + 1;
             } else if ((!strcmp(o_hash,"NONE")) || (!strcmp(o_hash,"none")) ) {
                 hashbuf_dest[0] = SENTINEL_NONE;
                 status = SECSuccess;
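Review bot: `hashbuf_dest[0] = SENTINEL_SHA256` plus the digest written at `hashbuf_dest+1` need at least `SHA256_LENGTH + 1` (33) bytes in `hashbuf_dest`, which is allocated outside this hunk; if that allocation was sized for the previous 20-byte SHA1 or 16-byte MD5 output it now needs enlarging, and the allocation should be expressed in terms of `SHA256_LENGTH` so the two stay in step. `SENTINEL_SHA1` and `SENTINEL_MD5` are no longer used in this file; a comment such as `/* SHA1/MD5 sentinels are kept for the wire format: the server still accepts pins stored with them */` would explain why they remain rather than inviting their deletion. processSearchResults() starts and ends outside this hunk.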
@@ -897,7 +890,7 @@ void processSearchResults(LDAPMessage *r) {
                        strlen(hashbuf_source)
                       );
             } else {
-                sprintf(errbuf,"Unsupported hash type '%s'. Must be one of 'sha1', 'md5' or 'none",o_hash);
+                sprintf(errbuf,"Unsupported hash type '%s'. Must be one of 'sha256', or 'none",o_hash);
                 errcode = 7;
                 exitError(errbuf);
             }
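Review bot: The new message `Must be one of 'sha256', or 'none` has a stray comma and no closing quote after `none`; suggest `sprintf(errbuf,"Unsupported hash type '%s'. Must be one of 'sha256' or 'none'",o_hash);`. It is also an unbounded `sprintf` of `o_hash` into `errbuf`, where `setpin_options.c` in the same commit uses `snprintf(errbuf, ERR_BUF_LENGTH, ...)`; validateOptions() already rejects any other value, so the branch is probably unreachable in practice, but the bounded form costs nothing. processSearchResults() starts and ends outside this hunk.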
@@ -907,16 +900,20 @@ void processSearchResults(LDAPMessage *r) {
                 errcode = 9;
                 exitError(errbuf);
             }
-      
-            pindata = hashbuf_dest;
+      pindata = hashbuf_dest;
 
             if (hashbuf_source != NULL) {
                 free(hashbuf_source);
                 hashbuf_source = NULL;
             }
         } else {
-            pindata = generatedPassword;
-            pindatasize = strlen(generatedPassword);
+            /* Do last resort no hash version */
+            hashbuf_dest[0] = SENTINEL_NONE;
+            memcpy(hashbuf_dest + 1, dn, strlen(dn));
+            memcpy(hashbuf_dest + 1 + strlen(dn) ,generatedPassword, strlen(generatedPassword));
+
+            pindata = hashbuf_dest;
+            pindatasize = strlen(generatedPassword) + 1 + strlen(dn);
         }
     
         bval.bv_len = pindatasize;
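Review bot: The two `memcpy` calls in the new else branch write `1 + strlen(dn) + strlen(generatedPassword)` bytes into `hashbuf_dest` with no bound, and `dn` comes from the directory search result rather than from the operator; `hashbuf_dest` is allocated outside this hunk, so unless it is sized from those lengths at the allocation, a long DN overruns it. A length check before the copies, failing through the file's existing exitError() path, closes that; the lengths are also worth computing once instead of calling `strlen` four times. The dedented `pindata = hashbuf_dest;` earlier in the hunk should sit at the same indent as the surrounding statements. processSearchResults() starts and ends outside this hunk, and if the file is built as C89 the two declarations below belong at the top of the enclosing block.
```c
            /* Do last resort no hash version */
            size_t dnlen = strlen(dn);
            size_t pwlen = strlen(generatedPassword);
            /* HASHBUF_DEST_CAPACITY is a placeholder for the real capacity of hashbuf_dest (allocated outside this hunk) */
            if (dnlen + pwlen + 1 > HASHBUF_DEST_CAPACITY) {
                exitError("dn and pin do not fit in the pin buffer");
            }
            hashbuf_dest[0] = SENTINEL_NONE;
            memcpy(hashbuf_dest + 1, dn, dnlen);
            memcpy(hashbuf_dest + 1 + dnlen, generatedPassword, pwlen);
            pindata = hashbuf_dest;
            pindatasize = 1 + dnlen + pwlen;
```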
diff --git a/base/native-tools/src/setpin/setpin_options.c b/base/native-tools/src/setpin/setpin_options.c
index d8ee83a..d2fb54d 100644
--- a/base/native-tools/src/setpin/setpin_options.c
+++ b/base/native-tools/src/setpin/setpin_options.c
@@ -51,7 +51,7 @@ char *valid_args[] = {
   "case",     "Restrict case of pins 'case=upperonly'",
   "objectclass", "Objectclass of LDAP entry to operate on    (default pinPerson)",
   "attribute","Which LDAP attribute to write to           (default pin)",
-  "hash",     "Hash algorithm used to store pin: 'none', 'md5' or 'sha1' (default)",
+  "hash",     "Hash algorithm used to store pin: 'none',  or 'sha256' (default) warning: 'none' is in the clear",
   "saltattribute", "Which attribute to use for salt            (default: dn)",
   "input",    "File to use for restricting DN's, or providing your own pins",
   "output",   "Redirect stdout to a file",
@@ -96,7 +96,7 @@ void setDefaultOptions() {
  o_gen=      "RNG-alphanum";
  o_case=     NULL;
  o_attribute="pin";
- o_hash=     "sha1";
+ o_hash=     "sha256";
  o_objectclass="pinPerson";
  o_output=   NULL;
  o_retry=    "5";
@@ -270,8 +270,7 @@ void validateOptions() {
   }
 
   if (!
-      (equals(o_hash,"sha1") ||
-       equals(o_hash,"md5") ||
+      (equals(o_hash,"sha256") ||
        equals(o_hash,"none"))
       ) {
     snprintf(errbuf, ERR_BUF_LENGTH, "invalid hash: %s",o_hash);
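Review bot: validateOptions() now accepts `equals(o_hash,"sha256")`, while processSearchResults() in setpin.c compares `o_hash` against both `"SHA256"` and `"sha256"` with strcmp; unless equals() is case-insensitive (its definition is not in the diff), the upper-case spelling is rejected here before that code runs and the `"SHA256"` branch there is unreachable. Either behaviour is fine, but the two files should agree, and a comment here such as `/* must accept the same spellings as the o_hash checks in setpin.c processSearchResults() */` would keep them in step. validateOptions() starts and ends outside this hunk.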
diff --git a/base/server/cms/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java
index 82331da..6caa9a1 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java
@@ -75,6 +75,7 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication
 
     protected static final byte SENTINEL_SHA = 0;
     protected static final byte SENTINEL_MD5 = 1;
+    protected static final byte SENTINEL_SHA256 = 2;
     protected static final byte SENTINEL_NONE = 0x2d;
 
     /* Holds configuration parameters accepted by this implementation.
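Review bot: `SENTINEL_SHA256 = 2` is a wire-format value that must match `#define SENTINEL_SHA256 2` in base/native-tools/src/setpin/setpin.c, but nothing on either side says so; a comment on the constant block such as `// Sentinel byte stored in front of the pin; values must match SENTINEL_* in base/native-tools/src/setpin/setpin.c` would stop the two sides drifting apart.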
@@ -132,6 +133,7 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication
     protected String mPinAttr = DEF_PIN_ATTR;
     protected MessageDigest mSHADigest = null;
     protected MessageDigest mMD5Digest = null;
+    protected MessageDigest mSHA256Digest = null;
 
     private ILdapConnFactory removePinLdapFactory = null;
     private LDAPConnection removePinLdapConnection = null;
@@ -165,6 +167,7 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication
         try {
             mSHADigest = MessageDigest.getInstance("SHA1");
             mMD5Digest = MessageDigest.getInstance("MD5");
+            mSHA256Digest = MessageDigest.getInstance("SHA256");
         } catch (NoSuchAlgorithmException e) {
             throw new EAuthException(CMS.getUserMessage("CMS_AUTHENTICATION_INTERNAL_ERROR", e.getMessage()));
         }
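Review bot: `MessageDigest.getInstance("SHA256")` uses a provider alias rather than the JCA standard algorithm name `"SHA-256"`; the usual providers register the alias, but where the configured provider does not, the NoSuchAlgorithmException caught below disables the whole authenticator, including the SHA1 and MD5 paths that worked before this change. `mSHA256Digest = MessageDigest.getInstance("SHA-256");` removes the dependency on the alias. The enclosing method starts and ends outside this hunk.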
@@ -336,6 +339,8 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication
             pinDigest = mSHADigest.digest(toBeDigested.getBytes());
         } else if (hashtype == SENTINEL_MD5) {
             pinDigest = mMD5Digest.digest(toBeDigested.getBytes());
+        } else if (hashtype == SENTINEL_SHA256) {
+            pinDigest = mSHA256Digest.digest(toBeDigested.getBytes());
         } else if (hashtype == SENTINEL_NONE) {
             pinDigest = toBeDigested.getBytes();
         } else {
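Review bot: The new SHA256 branch digests `toBeDigested.getBytes()` with the JVM default charset, as the SHA1 and MD5 branches already do; the C side in this commit appears to hash the raw bytes of dn+pin as read from the directory, so for a DN or pin containing non-ASCII characters the two sides agree only when the JVM default happens to be that same encoding. Passing an explicit charset on the new line, `pinDigest = mSHA256Digest.digest(toBeDigested.getBytes(StandardCharsets.UTF_8));` (with the `java.nio.charset.StandardCharsets` import), removes that dependency, and the older branches could follow in a separate change. The enclosing method and the later comparison of pinDigest are outside this hunk.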