
Ticket 48909 - Replication stops working in FIPS mode

Bug Description:  When FIPS mode is enabled on the security database, the
                  token name is changed.  This prevents the server from
                  reverse decoding the replication manager's password.  Which
                  prevents replication sessions from getting established.

Fix Description:  Instead of getting the key slot from the hard-coded token
                  name, call slapd_pk11_getInternalKeySlot(), which gets the
                  current slot.

https://fedorahosted.org/389/ticket/48909

Reviewed by: nhosoi(Thanks!)
Mark Reynolds 9 years ago
parent
commit
61c72f966b
1 changed files with 5 additions and 6 deletions
  1. 5 6
      ldap/servers/plugins/rever/pbe.c

+ 5 - 6
ldap/servers/plugins/rever/pbe.c

@@ -50,7 +50,7 @@ struct pk11ContextStore
 
 static int encode_path(char *inPlain, char **outCipher, char *path, int mech);
 static int decode_path(char *inCipher, char **outPlain, char *path, int mech, char *algid);
-static SVRCOREError genKey(struct pk11ContextStore **out, const char *token, char *path, int mech, PRArenaPool *arena, char *algid);
+static SVRCOREError genKey(struct pk11ContextStore **out, char *path, int mech, PRArenaPool *arena, char *algid);
 static SVRCOREError cryptPassword(struct pk11ContextStore *store, char * clear, unsigned char **out);
 static SVRCOREError decryptPassword(struct pk11ContextStore *store, unsigned char *cipher, char **out, int len);
 static void freePBE(struct pk11ContextStore *store);
@@ -83,7 +83,7 @@ encode_path(char *inPlain, char **outCipher, char *path, int mech)
     *outCipher = NULL;
     err = 1;
 
-    if ( genKey(&context, tokPBE, path, mech, arena, NULL) == SVRCORE_Success ){
+    if ( genKey(&context, path, mech, arena, NULL) == SVRCORE_Success ){
         /* Try an encryption */
         if ( cryptPassword(context, inPlain, &cipher) == SVRCORE_Success ){
             base = BTOA_DataToAscii(cipher, context->length);
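Review bot: With the `tokPBE` argument dropped from this genKey() call and from the matching call in decode_path (the next hunk), the `tokPBE` token-name constant may no longer have any reader in pbe.c; its definition is outside these hunks, so I cannot confirm that, but if it is now unused it should be removed rather than left as a stale hint that the token name still matters. encode_path's body starts and ends outside the hunk.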
@@ -141,7 +141,7 @@ decode_path(char *inCipher, char **outPlain, char *path, int mech, char *algid)
     *outPlain = NULL;
     err = 1;
 
-    if ( genKey(&context, tokPBE, path, mech, arena, algid) == SVRCORE_Success ){
+    if ( genKey(&context, path, mech, arena, algid) == SVRCORE_Success ){
         /* it seems that there is memory leak in that function: bug 400170 */
         base = ATOB_AsciiToData(inCipher, (unsigned int*)&len);
         if ( base != NULL ){
@@ -177,7 +177,7 @@ freePBE(struct pk11ContextStore *store)
 }
 
 static SVRCOREError
-genKey(struct pk11ContextStore **out, const char *token, char *path, int mech, PRArenaPool *arena, char *alg)
+genKey(struct pk11ContextStore **out, char *path, int mech, PRArenaPool *arena, char *alg)
 {
     SVRCOREError err = SVRCORE_Success;
     struct pk11ContextStore *store = NULL;
@@ -204,8 +204,7 @@ genKey(struct pk11ContextStore **out, const char *token, char *path, int mech, P
     }
     *out = store;
 
-    /* Use the tokenName to find a PKCS11 slot */
-    store->slot = slapd_pk11_findSlotByName((char *)token);
+    store->slot = slapd_pk11_getInternalKeySlot();
     if (store->slot == NULL){
         err = SVRCORE_NoSuchToken_Error;
         goto done;
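Review bot: The removed comment on the old findSlotByName line is not replaced, so the reason for taking the internal key slot (the FIPS token rename described in the commit message) is lost at the point where it matters; suggest `/* Use the internal key slot rather than a slot looked up by token name: enabling FIPS renames the token, which broke the by-name lookup (ticket 48909). */` above `store->slot = slapd_pk11_getInternalKeySlot();`. The error code on the following line, `SVRCORE_NoSuchToken_Error`, now reports a missing internal slot rather than an unknown token name, which is acceptable but worth a short comment so callers reading the error are not misled. Whether the slot reference obtained here is released in freePBE cannot be seen from this hunk; if the old code released the by-name slot there, the same release should still apply to the internal key slot. genKey's body continues outside the hunk.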