[Freeipa-devel] [freeipa PR#884][opened] ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace
URL: https://github.com/freeipa/freeipa/pull/884 Author: npmccallum Title: #884: ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace Action: opened PR body: """ For some unknown reason, when I wrote the ipa-otptoken-import script I used bad input data which had the PBKDF2 parameters in the wrong XML namespace. I have corrected this input data to match RFC 6030. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/884/head:pr884 git checkout pr884 From 0d083d23eb9fb5b85dec5fc53aaa9ab223981f30 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallumDate: Tue, 20 Jun 2017 10:31:15 -0400 Subject: [PATCH] ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace For some unknown reason, when I wrote the ipa-otptoken-import script I used bad input data which had the PBKDF2 parameters in the wrong XML namespace. I have corrected this input data to match RFC 6030. --- ipaserver/install/ipa_otptoken_import.py | 11 ++- ipatests/test_ipaserver/data/pskc-figure7.xml | 16 2 files changed, 14 insertions(+), 13 deletions(-) diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py index 2580e2cfc9..b97803b648 100644 --- a/ipaserver/install/ipa_otptoken_import.py +++ b/ipaserver/install/ipa_otptoken_import.py @@ -52,6 +52,7 @@ class ValidationError(Exception): def fetchAll(element, xpath, conv=lambda x: x): return [conv(e) for e in element.xpath(xpath, namespaces={ +"pkcs5": "http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#;, "pskc": "urn:ietf:params:xml:ns:keyprov:pskc", "xenc11": "http://www.w3.org/2009/xmlenc11#;, "xenc": "http://www.w3.org/2001/04/xmlenc#;, 
@@ -175,18 +176,18 @@ def derive(self, masterkey): class PBKDF2KeyDerivation(XMLKeyDerivation): def __init__(self, enckey): -params = fetch(enckey, "./xenc11:DerivedKey/xenc11:KeyDerivationMethod/xenc11:PBKDF2-params") +params = fetch(enckey, "./xenc11:DerivedKey/xenc11:KeyDerivationMethod/pkcs5:PBKDF2-params") if params is None: raise ValueError("XML file is missing PBKDF2 parameters!") salt = fetch( -params, "./xenc11:Salt/xenc11:Specified/text()", base64.b64decode) +params, "./pkcs5:Salt/pkcs5:Specified/text()", base64.b64decode) itrs = fetch( -params, "./xenc11:IterationCount/text()", int) +params, "./pkcs5:IterationCount/text()", int) klen = fetch( -params, "./xenc11:KeyLength/text()", int) +params, "./pkcs5:KeyLength/text()", int) hmod = fetch( -params, "./xenc11:PRF/@Algorithm", convertHMACType, hashes.SHA1) +params, "./pkcs5:PRF/@Algorithm", convertHMACType, hashes.SHA1) if salt is None: raise ValueError("XML file is missing PBKDF2 salt!") diff --git a/ipatests/test_ipaserver/data/pskc-figure7.xml b/ipatests/test_ipaserver/data/pskc-figure7.xml index 1fb04fc319..808e272a54 100644 --- a/ipatests/test_ipaserver/data/pskc-figure7.xml +++ b/ipatests/test_ipaserver/data/pskc-figure7.xml @@ -8,14 +8,14 @@ http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#pbkdf2;> - - -Ej7/PEpyEpw= - - 1000 - 16 - - + + +Ej7/PEpyEpw= + + 1000 + 16 + + ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
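Review bot: the pkcs5 prefix is registered only in the namespaces dict inside fetchAll(), while the changed XPaths in PBKDF2KeyDerivation go through fetch(); that is fine only if fetch() delegates to fetchAll(), otherwise lxml raises an XPath evaluation error for an unknown prefix in "./pkcs5:Salt/pkcs5:Specified/text()" instead of the ValueError the code expects. Worth confirming, or moving the namespace map into one shared constant used by both helpers.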
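Review bot: the PBKDF2 parameter XPaths now accept only the pkcs5 namespace, so a PSKC file laid out the way the old fixture was (PBKDF2-params, Salt, IterationCount, KeyLength and PRF under xenc11) now fails with "XML file is missing PBKDF2 parameters!". The commit message states the old layout was bad input rather than RFC 6030, so the added strictness is intended, but either the message or the error text should say which namespace is expected so that a user whose previously accepted file stops importing can tell why.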
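Review bot: the pskc-figure7.xml hunk keeps the parameter values (salt Ej7/PEpyEpw=, 1000 iterations, 16-byte key) and only moves the elements into the pkcs5 namespace, so a test that runs PBKDF2KeyDerivation over this fixture and checks the derived key is what ties the fixture to the XPath change in ipa_otptoken_import.py; if no such test exists yet, this PR is the place to add it, since a parser/fixture namespace mismatch otherwise only surfaces as the missing-parameters ValueError.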
[Freeipa-devel] [freeipa PR#876][closed] python-netifaces: update to reflect upstream changes
URL: https://github.com/freeipa/freeipa/pull/876
Author: MartinBasti
Title: #876: python-netifaces: update to reflect upstream changes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/876/head:pr876
git checkout pr876
[Freeipa-devel] Github notifications reduced
Hello all,

GitHub notifications sent on the list have been reduced to only "PR opened", "PR closed", "PR reopened". In case you want to receive more notifications, please set it up on GitHub with your email.

thanks

--
Martin Bašti
Software Engineer
Red Hat Czech
[Freeipa-devel] [freeipa PR#875][comment] Fix ip address checks
URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks

MartinBasti commented:
"""
Rebased in #881
"""

See the full comment at https://github.com/freeipa/freeipa/pull/875#issuecomment-309712146
[Freeipa-devel] [freeipa PR#439][-WIP] Testing both py2/py3 in travis
URL: https://github.com/freeipa/freeipa/pull/439
Title: #439: Testing both py2/py3 in travis
Label: -WIP
[Freeipa-devel] [freeipa PR#881][opened] [4.5] fix ip address checks
URL: https://github.com/freeipa/freeipa/pull/881 Author: MartinBasti Title: #881: [4.5] fix ip address checks Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/881/head:pr881 git checkout pr881 From 110b8c09454da75043948952cb0cc48f4756d360 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Tue, 13 Jun 2017 17:03:30 +0200 Subject: [PATCH 1/7] Fix local IP address validation Previously bf9886a84393d1d1546db7e49b102e08a16a83e7 match_local has undesirable side effect that CheckedIPAddress object has set self._net from local interface. However with the recent changes, match_local is usually set to False, thus this side effect stops happening and default mask per address class is used. This causes validation error because mask on interface and mask used for provided IP addresses differ (reporducible only with classless masks). FreeIPA should compare only IP addresses with local addresses without masks https://pagure.io/freeipa/issue/4317 --- ipapython/ipautil.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index a277ed8747..647ee833ae 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -216,10 +216,10 @@ def get_matching_interface(self): addr=ifaddr, netmask=ifdata['netmask'] )) -if ifnet == self._net or ( -self._net is None and ifnet.ip == self): -self._net = ifnet + +if ifnet.ip == self: iface = interface +self._net = ifnet break return iface From 3eb681b61cf51ab707db42f8ed99bfe34a0320c4 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 14 Jun 2017 14:45:03 +0200 Subject: [PATCH 2/7] ipa-dns-install: remove check for local ip address This check was forgotten and will be removed now. https://pagure.io/freeipa/issue/4317 --- install/tools/ipa-dns-install | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index 5bd0ba6d77..cb6c5d887f 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -47,7 +47,9 @@ def parse_options(): default=False, help="print debugging information") parser.add_option("--ip-address", dest="ip_addresses", metavar="IP_ADDRESS", default=[], action="append", - type="ip", ip_local=True, help="Master Server IP Address. This option can be used multiple times") + type="ip", + help="Master Server IP Address. This option can be used " + "multiple times") parser.add_option("--forwarder", dest="forwarders", action="append", type="ip", help="Add a DNS forwarder. This option can be used multiple times") parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true", From e07e6664308a198064f0e16c1c8c135c3e9caa4f Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 14 Jun 2017 14:47:23 +0200 Subject: [PATCH 3/7] refactor CheckedIPAddress class Make methods without side effects (setting mask) https://pagure.io/freeipa/issue/4317 --- ipapython/ipautil.py | 29 ++--- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 647ee833ae..2c020e3ecb 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -62,6 +62,12 @@ socket.SOCK_DGRAM: 'udp' } +InterfaceDetails = collections.namedtuple( +'InterfaceDetails', [ +'name', # interface name +'ifnet' # network details of interface +]) + class UnsafeIPAddress(netaddr.IPAddress): """Any valid IP address with or without netmask.""" 
@@ -161,9 +167,12 @@ def __init__(self, addr, match_local=False, parse_netmask=True, raise ValueError("cannot use multicast IP address {}".format(addr)) if match_local: -if not self.get_matching_interface(): +intf_details = self.get_matching_interface() +if not intf_details: raise ValueError('no network interface matches the IP address ' 'and netmask {}'.format(addr)) +else: +self.set_ip_net(intf_details.ifnet) if self._net is None: if self.version == 4: @@ -193,7 +202,8 @@ def is_broadcast_addr(self): def get_matching_interface(self): """Find matching local interface for address -:return: Interface name or None if no interface has this address +:return: InterfaceDetails named tuple or None if no interface has +this address """ if
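Review bot: the commit message for 1/7 calls setting self._net from the matched interface an undesirable side effect, but the ipautil.py hunk keeps it: after `if ifnet.ip == self:` the new code still does `self._net = ifnet` before `break`. Patch 3/7 removes the assignment once get_matching_interface() returns InterfaceDetails, so either fold that removal into 1/7 or say in 1/7's message that the side effect is addressed in the follow-up refactor; as written, 1/7 on its own still overrides the caller's netmask whenever match_local is set.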
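Review bot: dropping `ip_local=True` from the --ip-address option in ipa-dns-install removes the only local-address validation visible in that hunk, while the commit summary says "remove check for local ip address"; if the intent is that a later installer step outside this diff performs the check, the message should name it, otherwise a non-local IP is now accepted at option parsing time and any error surfaces later, if at all.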
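Review bot: the new InterfaceDetails namedtuple in ipautil.py uses collections.namedtuple, but the hunk adds no `import collections`; confirm the module already imports it, since otherwise ipautil.py fails at import time rather than when the class is used.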
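Review bot: in the match_local branch the `else:` after `raise ValueError(...)` is redundant, since the raise already leaves the block, so `self.set_ip_net(intf_details.ifnet)` can sit directly after the if; a style point only.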
[Freeipa-devel] [freeipa PR#875][comment] Fix ip address checks
URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks

dkupka commented:
"""
@MartinBasti please rebase for ipa-4-5
"""

See the full comment at https://github.com/freeipa/freeipa/pull/875#issuecomment-309698530
[Freeipa-devel] [freeipa PR#875][closed] Fix ip address checks
URL: https://github.com/freeipa/freeipa/pull/875
Author: MartinBasti
Title: #875: Fix ip address checks
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/875/head:pr875
git checkout pr875
[Freeipa-devel] [freeipa PR#875][-pushed] Fix ip address checks
URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks
Label: -pushed
[Freeipa-devel] [freeipa PR#875][comment] Fix ip address checks
URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks

dkupka commented:
"""
master:
* 82ad586f6cbf6e707add3c866ed4e37ade69b045 Fix local IP address validation
* cb48a49c80f4a11d2d16511e0f1366867320f153 ipa-dns-install: remove check for local ip address
* 0b69e44f16fbba6ab7ddef5a3e55bdabcfd6a8a6 refactor CheckedIPAddress class
* 6024165101677c844dc3bbb337e290df2e66eaf1 CheckedIPAddress: remove match_local param
* f9cba7d161f788c32336b66ff7c641f4a1ed2754 Remove ip_netmask from option parser
* 1b8dc1131c9ca7218efb8fe16dcce97f9f960be9 replica install: add missing check for non-local IP address
* f3537297bee2890c6b839750bb7a0a2cf904cdf9 Remove network and broadcast address warnings
"""

See the full comment at https://github.com/freeipa/freeipa/pull/875#issuecomment-309698183
[Freeipa-devel] [freeipa PR#875][+pushed] Fix ip address checks
URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks
Label: +pushed
[Freeipa-devel] [freeipa PR#875][+ack] Fix ip address checks
URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks
Label: +ack
[Freeipa-devel] [freeipa PR#879][comment] FIPS mode and NT hashes
URL: https://github.com/freeipa/freeipa/pull/879
Title: #879: FIPS mode and NT hashes

sumit-bose commented:
"""
I just pushed a new version which includes the upstream ticket reference in the commit message; there are no changes to the code.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/879#issuecomment-309683850
[Freeipa-devel] [freeipa PR#879][synchronized] FIPS mode and NT hashes
URL: https://github.com/freeipa/freeipa/pull/879 Author: sumit-bose Title: #879: FIPS mode and NT hashes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/879/head:pr879 git checkout pr879 From 4d7f9b07832da3a4caa1f7d34b2e1cbab2e5a195 Mon Sep 17 00:00:00 2001 From: Sumit BoseDate: Fri, 16 Jun 2017 16:26:41 +0200 Subject: [PATCH 1/2] ipa-sam: replace encode_nt_key() with E_md4hash() Since ipa-sam is running as part of smbd is it safe to use the E_md4hash() from Samba. This way ipa-sam does not depend on other crypto libraries which might depend on other rules like e.g. FIPS mode. Resolves https://pagure.io/freeipa/issue/7026 --- daemons/ipa-sam/ipa_sam.c | 27 ++- 1 file changed, 2 insertions(+), 25 deletions(-) diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c index 6a29e8e10b..59d92f37c9 100644 --- a/daemons/ipa-sam/ipa_sam.c +++ b/daemons/ipa-sam/ipa_sam.c @@ -110,6 +110,7 @@ char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so * char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */ bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */ +bool E_md4hash(const char *passwd, uint8_t p16[16]); /* available in libcliauth-samba4.so */ #define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs" #define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain" @@ -2836,11 +2837,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, struct dom_sid *g_sid; char *name; char *trustpw = NULL; - char *trustpw_utf8 = NULL; - char *tmp_str = NULL; - int ret; uint8_t nt_key[16]; - size_t converted_size; bool res; char *sid_str; enum idmap_error_code err; 
@@ -2899,19 +2896,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, return false; } - if (!push_utf8_talloc(user, _utf8, trustpw, _size)) { - res = false; - goto done; - } - - tmp_str = talloc_strdup_upper(user, trustpw); - if (tmp_str == NULL) { - res = false; - goto done; - } - - ret = encode_nt_key(trustpw_utf8, nt_key); - if (ret != 0) { + if (!E_md4hash(trustpw, nt_key)) { res = false; goto done; } @@ -2927,14 +2912,6 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, memset(trustpw, 0, strlen(trustpw)); talloc_free(trustpw); } - if (trustpw_utf8 != NULL) { - memset(trustpw_utf8, 0, strlen(trustpw_utf8)); - talloc_free(trustpw_utf8); - } - if (tmp_str != NULL) { - memset(tmp_str, 0, strlen(tmp_str)); - talloc_free(tmp_str); - } return res; } From f5ca91d8dc5528f7f0f2f7edbb9a07cc01de8bfd Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 16 Jun 2017 17:49:44 +0200 Subject: [PATCH 2/2] ipa_pwd_extop: do not generate NT hashes in FIPS mode In FIPS mode NT hashes (aka md4) are not allowed. If FIPS more is detected we disable NT hashes even is the are allowed by IPA configuration. Resolves https://pagure.io/freeipa/issue/7026 --- daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 53 ++-- 1 file changed, 40 insertions(+), 13 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c index 761f7a8e3e..5efadac5b1 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c @@ -46,6 +46,8 @@ /* Type of connection for this operation;*/ #define LDAP_EXTOP_PASSMOD_CONN_SECURE +#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled" + /* Uncomment the following #undef FOR TESTING: * allows non-SSL connections to use the password change extended op */ /* #undef LDAP_EXTOP_PASSMOD_CONN_SECURE */ 
@@ -62,6 +64,27 @@ static const char *ipapwd_def_encsalts[] = { NULL }; +static bool fips_enabled(void) +{ +int fd; +ssize_t len; +char buf[8]; + +fd = open(PROC_SYS_FIPS, O_RDONLY); +if (fd != -1) { +len = read(fd, buf, sizeof(buf)); +close(fd); +/* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value + * similar to the is_fips_enabled() check in + * ipaplatform/redhat/tasks.py */ +if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) { +return true; +} +} + +return false; +} + static struct ipapwd_krbcfg *ipapwd_getConfig(void) { krb5_error_code krberr; @@ -232,23 +255,27 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void) /* get the ipa etc/ipaConfig entry */ config->allow_nt_hash = false; -ret = ipapwd_getEntry(ipa_etc_config_dn, _entry, NULL); -if (ret != LDAP_SUCCESS) { -LOG_FATAL("No config Entry?\n"); -goto free_and_error; +if (fips_enabled()) { +
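Review bot: the added prototype `bool E_md4hash(const char *passwd, uint8_t p16[16]); /* available in libcliauth-samba4.so */` names a library that none of the surrounding hand-declared prototypes reference (they point at libsmbconf.so and libpdb.so), so the ipa-sam link flags need to pick up libcliauth-samba4 as well; that change is not in this diff and should be included or at least mentioned in the commit message.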
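Review bot: in the init_sam_from_td hunk the replaced block converted trustpw with push_utf8_talloc() and built an upper-cased copy in tmp_str that encode_nt_key() never used (it was passed trustpw_utf8), so dropping tmp_str is pure dead-code removal; the one functional difference is that the NT hash now depends on E_md4hash() performing the charset-to-UTF-16LE conversion internally, which the commit message should state so the change is not read as a no-op refactor.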
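Review bot: the cleanup hunk still zeroes and frees trustpw, but with trustpw_utf8 and tmp_str gone, nt_key (the 16-byte stack buffer holding the NT hash) is the only copy of the secret left on this frame; if it is not needed after being stored into the samu, a `memset(nt_key, 0, sizeof(nt_key));` before `return res;` would match the care taken with the plaintext.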
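Review bot: fips_enabled() treats every read() outcome other than exactly "0\n" as FIPS on, including a read() error (len == -1) and a file holding "0" without a trailing newline, so the check fails closed; that is a sensible default for disabling NT hashes, but the comment should say so, and it has a typo ("FIPS in enabled" for "FIPS is enabled"). A missing /proc/sys/crypto/fips_enabled (open() fails) is the one case that yields false. The function also needs <fcntl.h> and <unistd.h> for open/read/close, and the hunk does not show them being included.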
[Freeipa-devel] [freeipa PR#439][comment] Testing both py2/py3 in travis
URL: https://github.com/freeipa/freeipa/pull/439
Title: #439: Testing both py2/py3 in travis

stlaz commented:
"""
Otherwise LGTM
"""

See the full comment at https://github.com/freeipa/freeipa/pull/439#issuecomment-309678418
[Freeipa-devel] [freeipa PR#875][comment] Fix ip address checks
URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks

MartinBasti commented:
"""
@dkupka it is not the aim of this PR to fix what you mentioned.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/875#issuecomment-309666594
[Freeipa-devel] [freeipa PR#875][comment] Fix ip address checks
URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks

dkupka commented:
"""
Changes look good to me. But it uncovers another unwanted behaviour: with --setup-dns the installer adds IP and FQDN into /etc/hosts. This results in all traffic from the local system towards its FQDN being routed over the external IP. I believe this is not a good idea but don't have a strong opinion about fixing it in this PR or a separate one. It's time to stop touching /etc/hosts.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/875#issuecomment-309665085