[Freeipa-devel] [freeipa PR#884][opened] ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace

2017-06-20 Thread npmccallum via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/884
Author: npmccallum
 Title: #884: ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace
Action: opened

PR body:
"""
For some unknown reason, when I wrote the ipa-otptoken-import script
I used bad input data which had the PBKDF2 parameters in the wrong
XML namespace. I have corrected this input data to match RFC 6030.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/884/head:pr884
git checkout pr884
From 0d083d23eb9fb5b85dec5fc53aaa9ab223981f30 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum 
Date: Tue, 20 Jun 2017 10:31:15 -0400
Subject: [PATCH] ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace

For some unknown reason, when I wrote the ipa-otptoken-import script
I used bad input data which had the PBKDF2 parameters in the wrong
XML namespace. I have corrected this input data to match RFC 6030.
---
 ipaserver/install/ipa_otptoken_import.py  | 11 ++-
 ipatests/test_ipaserver/data/pskc-figure7.xml | 16 
 2 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
index 2580e2cfc9..b97803b648 100644
--- a/ipaserver/install/ipa_otptoken_import.py
+++ b/ipaserver/install/ipa_otptoken_import.py
@@ -52,6 +52,7 @@ class ValidationError(Exception):
 
 def fetchAll(element, xpath, conv=lambda x: x):
 return [conv(e) for e in element.xpath(xpath, namespaces={
+"pkcs5": "http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#;,
 "pskc": "urn:ietf:params:xml:ns:keyprov:pskc",
 "xenc11": "http://www.w3.org/2009/xmlenc11#;,
 "xenc": "http://www.w3.org/2001/04/xmlenc#;,
@@ -175,18 +176,18 @@ def derive(self, masterkey):
 
 class PBKDF2KeyDerivation(XMLKeyDerivation):
 def __init__(self, enckey):
-params = fetch(enckey, "./xenc11:DerivedKey/xenc11:KeyDerivationMethod/xenc11:PBKDF2-params")
+params = fetch(enckey, "./xenc11:DerivedKey/xenc11:KeyDerivationMethod/pkcs5:PBKDF2-params")
 if params is None:
 raise ValueError("XML file is missing PBKDF2 parameters!")
 
 salt = fetch(
-params, "./xenc11:Salt/xenc11:Specified/text()", base64.b64decode)
+params, "./pkcs5:Salt/pkcs5:Specified/text()", base64.b64decode)
 itrs = fetch(
-params, "./xenc11:IterationCount/text()", int)
+params, "./pkcs5:IterationCount/text()", int)
 klen = fetch(
-params, "./xenc11:KeyLength/text()", int)
+params, "./pkcs5:KeyLength/text()", int)
 hmod = fetch(
-params, "./xenc11:PRF/@Algorithm", convertHMACType, hashes.SHA1)
+params, "./pkcs5:PRF/@Algorithm", convertHMACType, hashes.SHA1)
 
 if salt is None:
 raise ValueError("XML file is missing PBKDF2 salt!")
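Review bot: the five lookups in PBKDF2KeyDerivation.__init__ now match only pkcs5:-qualified elements, with no fallback to the xenc11: paths they replace, so a PSKC file laid out like the old test data will now fail with "XML file is missing PBKDF2 parameters!". If such files may exist outside the test suite, either try both namespaces or say in the commit message that they are no longer accepted.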
diff --git a/ipatests/test_ipaserver/data/pskc-figure7.xml b/ipatests/test_ipaserver/data/pskc-figure7.xml
index 1fb04fc319..808e272a54 100644
--- a/ipatests/test_ipaserver/data/pskc-figure7.xml
+++ b/ipatests/test_ipaserver/data/pskc-figure7.xml
@@ -8,14 +8,14 @@
 
   http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#pbkdf2;>
-
-  
-Ej7/PEpyEpw=
-  
-  1000
-  16
-  
-
+
+  
+Ej7/PEpyEpw=
+  
+  1000
+  16
+  
+
   
   
 
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#876][closed] python-netifaces: update to reflect upstream changes

2017-06-20 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/876
Author: MartinBasti
 Title: #876: python-netifaces: update to reflect upstream changes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/876/head:pr876
git checkout pr876


[Freeipa-devel] Github notifications reduced

2017-06-20 Thread Martin Bašti via FreeIPA-devel

Hello all,

github notifications sent on the list have been reduced to only "PR 
opened", "PR closed", "PR reopened".


In case you want to receive more notifications, please set it up on 
Github with your email.


thanks

--
Martin Bašti
Software Engineer
Red Hat Czech


[Freeipa-devel] [freeipa PR#875][comment] Fix ip address checks

2017-06-20 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks

MartinBasti commented:
"""
Rebased in #881 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/875#issuecomment-309712146


[Freeipa-devel] [freeipa PR#439][-WIP] Testing both py2/py3 in travis

2017-06-20 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/439
Title: #439: Testing both py2/py3 in travis

Label: -WIP


[Freeipa-devel] [freeipa PR#881][opened] [4.5] fix ip address checks

2017-06-20 Thread MartinBasti via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/881
Author: MartinBasti
 Title: #881: [4.5] fix ip address checks
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/881/head:pr881
git checkout pr881
From 110b8c09454da75043948952cb0cc48f4756d360 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 13 Jun 2017 17:03:30 +0200
Subject: [PATCH 1/7] Fix local IP address validation

Previously bf9886a84393d1d1546db7e49b102e08a16a83e7 match_local has
undesirable side effect that CheckedIPAddress object has set self._net
from local interface.

However with the recent changes, match_local is usually set to False,
thus this side effect stops happening and default mask per address class
is used. This causes validation error because mask on interface and mask
used for provided IP addresses differ (reproducible only with classless
masks).

FreeIPA should compare only IP addresses with local addresses without masks

https://pagure.io/freeipa/issue/4317
---
 ipapython/ipautil.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index a277ed8747..647ee833ae 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -216,10 +216,10 @@ def get_matching_interface(self):
 addr=ifaddr,
 netmask=ifdata['netmask']
 ))
-if ifnet == self._net or (
-self._net is None and ifnet.ip == self):
-self._net = ifnet
+
+if ifnet.ip == self:
 iface = interface
+self._net = ifnet
 break
 
 return iface
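Review bot: in get_matching_interface the match is now `ifnet.ip == self` alone, and `self._net = ifnet` then runs on every match, so a netmask the caller supplied with the address is silently replaced by the interface's netmask. Before this change self._net was only assigned when it was None or already equal to ifnet. If the override is intended, say so in the docstring; otherwise keep the caller's mask and only fill in self._net when it is None.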

From 3eb681b61cf51ab707db42f8ed99bfe34a0320c4 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 14 Jun 2017 14:45:03 +0200
Subject: [PATCH 2/7] ipa-dns-install: remove check for local ip address

This check was forgotten and will be removed now.

https://pagure.io/freeipa/issue/4317
---
 install/tools/ipa-dns-install | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 5bd0ba6d77..cb6c5d887f 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -47,7 +47,9 @@ def parse_options():
   default=False, help="print debugging information")
 parser.add_option("--ip-address", dest="ip_addresses", metavar="IP_ADDRESS",
   default=[], action="append",
-  type="ip", ip_local=True, help="Master Server IP Address. This option can be used multiple times")
+  type="ip",
+  help="Master Server IP Address. This option can be used "
+   "multiple times")
 parser.add_option("--forwarder", dest="forwarders", action="append",
   type="ip", help="Add a DNS forwarder. This option can be used multiple times")
 parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
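Review bot: dropping ip_local=True from --ip-address means the option parser no longer ties the value to a local interface, and neither the hunk nor the commit message ("This check was forgotten") says where, if anywhere, that is checked afterwards. Please name in the commit message the later validation step that covers it, or state that no local-address check is wanted for ipa-dns-install.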

From e07e6664308a198064f0e16c1c8c135c3e9caa4f Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 14 Jun 2017 14:47:23 +0200
Subject: [PATCH 3/7] refactor CheckedIPAddress class

Make methods without side effects (setting mask)

https://pagure.io/freeipa/issue/4317
---
 ipapython/ipautil.py | 29 ++---
 1 file changed, 22 insertions(+), 7 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 647ee833ae..2c020e3ecb 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -62,6 +62,12 @@
 socket.SOCK_DGRAM: 'udp'
 }
 
+InterfaceDetails = collections.namedtuple(
+'InterfaceDetails', [
+'name',  # interface name
+'ifnet'  # network details of interface
+])
+
 
 class UnsafeIPAddress(netaddr.IPAddress):
 """Any valid IP address with or without netmask."""
@@ -161,9 +167,12 @@ def __init__(self, addr, match_local=False, parse_netmask=True,
 raise ValueError("cannot use multicast IP address {}".format(addr))
 
 if match_local:
-if not self.get_matching_interface():
+intf_details = self.get_matching_interface()
+if not intf_details:
 raise ValueError('no network interface matches the IP address '
  'and netmask {}'.format(addr))
+else:
+self.set_ip_net(intf_details.ifnet)
 
 if self._net is None:
 if self.version == 4:
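Review bot: the `else:` added after the `raise ValueError(...)` branch in __init__ is redundant, since the raise already leaves the block; calling self.set_ip_net(intf_details.ifnet) at the `if match_local:` level reads more plainly. The docstring change further down shows get_matching_interface now returning an InterfaceDetails tuple rather than a name, so any other caller that uses the result as a string needs updating in the same patch.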
@@ -193,7 +202,8 @@ def is_broadcast_addr(self):
 
 def get_matching_interface(self):
 """Find matching local interface for address
-:return: Interface name or None if no interface has this address
+:return: InterfaceDetails named tuple or None if no interface has
+this address
 """
 if 

[Freeipa-devel] [freeipa PR#875][comment] Fix ip address checks

2017-06-20 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks

dkupka commented:
"""
@MartinBasti please rebase for ipa-4-5
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/875#issuecomment-309698530


[Freeipa-devel] [freeipa PR#875][closed] Fix ip address checks

2017-06-20 Thread dkupka via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/875
Author: MartinBasti
 Title: #875: Fix ip address checks
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/875/head:pr875
git checkout pr875


[Freeipa-devel] [freeipa PR#875][-pushed] Fix ip address checks

2017-06-20 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks

Label: -pushed


[Freeipa-devel] [freeipa PR#875][comment] Fix ip address checks

2017-06-20 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks

dkupka commented:
"""
master:

* 82ad586f6cbf6e707add3c866ed4e37ade69b045 Fix local IP address validation
* cb48a49c80f4a11d2d16511e0f1366867320f153 ipa-dns-install: remove check for local ip address
* 0b69e44f16fbba6ab7ddef5a3e55bdabcfd6a8a6 refactor CheckedIPAddress class
* 6024165101677c844dc3bbb337e290df2e66eaf1 CheckedIPAddress: remove match_local param
* f9cba7d161f788c32336b66ff7c641f4a1ed2754 Remove ip_netmask from option parser
* 1b8dc1131c9ca7218efb8fe16dcce97f9f960be9 replica install: add missing check for non-local IP address
* f3537297bee2890c6b839750bb7a0a2cf904cdf9 Remove network and broadcast address warnings
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/875#issuecomment-309698183


[Freeipa-devel] [freeipa PR#875][+pushed] Fix ip address checks

2017-06-20 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks

Label: +pushed


[Freeipa-devel] [freeipa PR#875][+ack] Fix ip address checks

2017-06-20 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks

Label: +ack


[Freeipa-devel] [freeipa PR#879][comment] FIPS mode and NT hashes

2017-06-20 Thread sumit-bose via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/879
Title: #879: FIPS mode and NT hashes

sumit-bose commented:
"""
I just pushed a new version which includes the upstream ticket reference in the 
commit message, there are no changes to the code.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/879#issuecomment-309683850


[Freeipa-devel] [freeipa PR#879][synchronized] FIPS mode and NT hashes

2017-06-20 Thread sumit-bose via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/879
Author: sumit-bose
 Title: #879: FIPS mode and NT hashes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/879/head:pr879
git checkout pr879
From 4d7f9b07832da3a4caa1f7d34b2e1cbab2e5a195 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 16 Jun 2017 16:26:41 +0200
Subject: [PATCH 1/2] ipa-sam: replace encode_nt_key() with E_md4hash()

Since ipa-sam is running as part of smbd it is safe to use the
E_md4hash() from Samba. This way ipa-sam does not depend on other crypto
libraries which might depend on other rules like e.g. FIPS mode.

Resolves https://pagure.io/freeipa/issue/7026
---
 daemons/ipa-sam/ipa_sam.c | 27 ++-
 1 file changed, 2 insertions(+), 25 deletions(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 6a29e8e10b..59d92f37c9 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -110,6 +110,7 @@ char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so *
 char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */
 bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */
 void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */
+bool E_md4hash(const char *passwd, uint8_t p16[16]); /* available in libcliauth-samba4.so */
 
 #define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs"
 #define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain"
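Review bot: the E_md4hash prototype is declared by hand with a comment naming libcliauth-samba4.so, but the diffstat lists only ipa_sam.c, so nothing visible here adds that library to the link line. Please confirm ipasam already links against it, and note that a hand-copied prototype will not catch a signature change on the Samba side at compile time.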
@@ -2836,11 +2837,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 	struct dom_sid *g_sid;
 	char *name;
 	char *trustpw = NULL;
-	char *trustpw_utf8 = NULL;
-	char *tmp_str = NULL;
-	int ret;
 	uint8_t nt_key[16];
-	size_t converted_size;
 	bool res;
 	char *sid_str;
 	enum idmap_error_code err;
@@ -2899,19 +2896,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 		return false;
 	}
 
-	if (!push_utf8_talloc(user, _utf8, trustpw, _size)) {
-		res = false;
-		goto done;
-	}
-
-	tmp_str = talloc_strdup_upper(user, trustpw);
-	if (tmp_str == NULL) {
-		res = false;
-		goto done;
-	}
-
-	ret = encode_nt_key(trustpw_utf8, nt_key);
-	if (ret != 0) {
+	if (!E_md4hash(trustpw, nt_key)) {
 		res = false;
 		goto done;
 	}
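Review bot: E_md4hash(trustpw, nt_key) is passed trustpw directly, whereas the removed code first converted it with push_utf8_talloc and hashed trustpw_utf8. Please state in the commit message (or in a comment at the call) which encoding E_md4hash expects and that trustpw is already in it, so the resulting NT key is unchanged for non-ASCII trust passwords.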
@@ -2927,14 +2912,6 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 		memset(trustpw, 0, strlen(trustpw));
 		talloc_free(trustpw);
 	}
-	if (trustpw_utf8 != NULL) {
-		memset(trustpw_utf8, 0, strlen(trustpw_utf8));
-		talloc_free(trustpw_utf8);
-	}
-	if (tmp_str != NULL) {
-		memset(tmp_str, 0, strlen(tmp_str));
-		talloc_free(tmp_str);
-	}
 
 	return res;
 }

From f5ca91d8dc5528f7f0f2f7edbb9a07cc01de8bfd Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 16 Jun 2017 17:49:44 +0200
Subject: [PATCH 2/2] ipa_pwd_extop: do not generate NT hashes in FIPS mode

In FIPS mode NT hashes (aka md4) are not allowed. If FIPS mode is
detected we disable NT hashes even if they are allowed by IPA
configuration.

Resolves https://pagure.io/freeipa/issue/7026
---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 53 ++--
 1 file changed, 40 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 761f7a8e3e..5efadac5b1 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -46,6 +46,8 @@
 /* Type of connection for this operation;*/
 #define LDAP_EXTOP_PASSMOD_CONN_SECURE
 
+#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
+
 /* Uncomment the following #undef FOR TESTING:
  * allows non-SSL connections to use the password change extended op */
 /* #undef LDAP_EXTOP_PASSMOD_CONN_SECURE */
@@ -62,6 +64,27 @@ static const char *ipapwd_def_encsalts[] = {
 NULL
 };
 
+static bool fips_enabled(void)
+{
+int fd;
+ssize_t len;
+char buf[8];
+
+fd = open(PROC_SYS_FIPS, O_RDONLY);
+if (fd != -1) {
+len = read(fd, buf, sizeof(buf));
+close(fd);
+/* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value
+ * similar to the is_fips_enabled() check in
+ * ipaplatform/redhat/tasks.py */
+if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {
+return true;
+}
+}
+
+return false;
+}
+
 static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 {
 krb5_error_code krberr;
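Review bot: fips_enabled() treats its two failure paths in opposite ways: if open() fails it falls through to return false, but if read() fails len is -1, the `len == 2` test is false and it returns true. Pick one policy and make it explicit, for example treat only a missing file as "not FIPS" and log any other open or read error. The comment in the function also has a typo ("FIPS in enabled").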
@@ -232,23 +255,27 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 
 /* get the ipa etc/ipaConfig entry */
 config->allow_nt_hash = false;
-ret = ipapwd_getEntry(ipa_etc_config_dn, _entry, NULL);
-if (ret != LDAP_SUCCESS) {
-LOG_FATAL("No config Entry?\n");
-goto free_and_error;
+if (fips_enabled()) {
+   

[Freeipa-devel] [freeipa PR#439][comment] Testing both py2/py3 in travis

2017-06-20 Thread stlaz via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/439
Title: #439: Testing both py2/py3 in travis

stlaz commented:
"""
Otherwise LGTM
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/439#issuecomment-309678418


[Freeipa-devel] [freeipa PR#875][comment] Fix ip address checks

2017-06-20 Thread MartinBasti via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks

MartinBasti commented:
"""
@dkupka it is not the aim of this PR to fix what you mentioned.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/875#issuecomment-309666594


[Freeipa-devel] [freeipa PR#875][comment] Fix ip address checks

2017-06-20 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks

dkupka commented:
"""
Changes look good to me. But it uncovers another unwanted behaviour: With 
--setup-dns the installer adds IP and FQDN into /etc/hosts. This results in all 
traffic from local system towards its FQDN being routed over the external IP.
I believe this is not a good idea but don't have strong opinion about fixing it 
in this PR or separate one. It's time to stop touching /etc/hosts.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/875#issuecomment-309665085