websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Debian patch 4.7.2-3

Browse Source
This commit is contained in:
Timo Aaltonen
2019-05-06 08:43:34 +03:00
committed by Mario Fetka
parent 27edeba051
commit 8bc559c5a1
917 changed files with 1068993 additions and 1184676 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
daemons/ipa-slapi-plugins/libotp/Makefile.am
View File

@@ -4,15 +4,15 @@ PLUGIN_COMMON_DIR = $(srcdir)/../common
AM_CPPFLAGS = \
-I$(PLUGIN_COMMON_DIR) \
$(DIRSRV_CFLAGS) \
$(CRYPTO_CFLAGS) \
$(NSPR_CFLAGS) \
$(NSS_CFLAGS) \
$(NULL)
noinst_LTLIBRARIES = libhotp.la libotp.la
libhotp_la_SOURCES = hotp.c hotp.h
libotp_la_SOURCES = otp_config.c otp_config.h otp_token.c otp_token.h
libotp_la_LIBADD = libhotp.la $(CRYPTO_LIBS)
libotp_la_LIBADD = libhotp.la
check_PROGRAMS = t_hotp
TESTS = $(check_PROGRAMS)
t_hotp_LDADD = libhotp.la $(CRYPTO_LIBS)
t_hotp_LDADD = libhotp.la $(NSPR_LIBS) $(NSS_LIBS)

26
daemons/ipa-slapi-plugins/libotp/Makefile.in
View File

@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.16.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -115,13 +115,14 @@ AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
am__v_lt_1 =
am__DEPENDENCIES_1 =
libotp_la_DEPENDENCIES = libhotp.la $(am__DEPENDENCIES_1)
libotp_la_DEPENDENCIES = libhotp.la
am_libotp_la_OBJECTS = otp_config.lo otp_token.lo
libotp_la_OBJECTS = $(am_libotp_la_OBJECTS)
t_hotp_SOURCES = t_hotp.c
t_hotp_OBJECTS = t_hotp.$(OBJEXT)
t_hotp_DEPENDENCIES = libhotp.la $(am__DEPENDENCIES_1)
am__DEPENDENCIES_1 =
t_hotp_DEPENDENCIES = libhotp.la $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1)
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
@@ -448,8 +449,6 @@ JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -492,10 +491,11 @@ NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_GROUP = @ODS_GROUP@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -516,6 +516,8 @@ POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -603,9 +605,7 @@ program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
runstatedir = @runstatedir@
sbindir = @sbindir@
selinux_makefile = @selinux_makefile@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
@@ -621,16 +621,16 @@ PLUGIN_COMMON_DIR = $(srcdir)/../common
AM_CPPFLAGS = \
-I$(PLUGIN_COMMON_DIR) \
$(DIRSRV_CFLAGS) \
$(CRYPTO_CFLAGS) \
$(NSPR_CFLAGS) \
$(NSS_CFLAGS) \
$(NULL)
noinst_LTLIBRARIES = libhotp.la libotp.la
libhotp_la_SOURCES = hotp.c hotp.h
libotp_la_SOURCES = otp_config.c otp_config.h otp_token.c otp_token.h
libotp_la_LIBADD = libhotp.la $(CRYPTO_LIBS)
libotp_la_LIBADD = libhotp.la
TESTS = $(check_PROGRAMS)
t_hotp_LDADD = libhotp.la $(CRYPTO_LIBS)
t_hotp_LDADD = libhotp.la $(NSPR_LIBS) $(NSS_LIBS)
all: all-am
.SUFFIXES:

155
daemons/ipa-slapi-plugins/libotp/hotp.c
View File

@@ -43,48 +43,139 @@
*/
#include "hotp.h"
#include <endian.h>
#include <string.h>
#include <syslog.h>
#include <time.h>
#include <openssl/hmac.h>
#include <nss.h>
#include <blapit.h>
#include <pk11pub.h>
#include <hasht.h>
#include <prerror.h>
#include <prnetdb.h>
#include <syslog.h>
struct digest_buffer {
unsigned char buf[EVP_MAX_MD_SIZE];
uint8_t buf[SHA512_LENGTH];
unsigned int len;
};
static const struct {
const char *algo;
const char *sn_mech;
CK_MECHANISM_TYPE mech;
} algo2mech[] = {
{ "sha1", SN_sha1 },
{ "sha256", SN_sha256 },
{ "sha384", SN_sha384 },
{ "sha512", SN_sha512 },
{ "sha1", CKM_SHA_1_HMAC },
{ "sha256", CKM_SHA256_HMAC },
{ "sha384", CKM_SHA384_HMAC },
{ "sha512", CKM_SHA512_HMAC },
{ }
};
static bool hmac(const struct hotp_token_key *key, const char *sn_mech,
uint64_t counter, struct digest_buffer *out)
static PK11SymKey *
import_key(PK11SlotInfo *slot, CK_MECHANISM_TYPE mech, SECItem *key)
{
unsigned char in[sizeof(uint64_t)];
const EVP_MD *evp;
unsigned char *result;
uint8_t ct[(key->len / AES_BLOCK_SIZE + 1) * AES_BLOCK_SIZE];
uint8_t iv[AES_BLOCK_SIZE] = {};
SECItem ivitem = { .data = iv, .len = sizeof(iv), .type = siBuffer };
SECItem ctitem = { .data = ct, .len = sizeof(ct), .type = siBuffer };
PK11SymKey *ekey = NULL;
PK11SymKey *skey = NULL;
memcpy(in, &counter, sizeof(uint64_t));
/* Try to import the key directly. */
skey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap,
CKA_SIGN, key, NULL);
if (skey)
return skey;
evp = EVP_get_digestbyname(sn_mech);
if (evp == NULL) {
return false;
/* If we get here, we are probably in FIPS mode. Let's encrypt the key so
* that we can unseal it instead of loading it directly. */
/* Generate an ephemeral key. */
ekey = PK11_TokenKeyGenWithFlags(slot, CKM_AES_CBC_PAD, NULL,
AES_128_KEY_LENGTH, NULL,
CKF_ENCRYPT | CKF_UNWRAP,
PK11_ATTR_SESSION |
PK11_ATTR_PRIVATE |
PK11_ATTR_SENSITIVE, NULL);
if (!ekey) {
syslog(LOG_ERR, "libotp: in FIPS, PK11_TokenKeyGenWithFlags failed: %d",
PR_GetError());
goto egress;
}
if (!HMAC(evp, (void *)key->bytes, key->len, in, sizeof(in),
out->buf, &out->len)) {
return false;
/* Encrypt the input key. */
if (PK11_Encrypt(ekey, CKM_AES_CBC_PAD, &ivitem, ctitem.data, &ctitem.len,
ctitem.len, key->data, key->len) != SECSuccess) {
syslog(LOG_ERR, "libotp: in FIPS, PK11_Encrypt failed: %d",
PR_GetError());
goto egress;
}
return true;
/* Unwrap the input key. */
skey = PK11_UnwrapSymKey(ekey, CKM_AES_CBC_PAD, &ivitem,
&ctitem, mech, CKA_SIGN, key->len);
if (!skey) {
syslog(LOG_ERR, "libotp: in FIPS, PK11_UnwrapSymKey failed: %d",
PR_GetError());
}
egress:
PK11_FreeSymKey(ekey);
return skey;
}
/*
* This code is mostly cargo-cult taken from here:
* http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn5.html
*
* It should implement HMAC with the given mechanism (SHA: 1, 256, 384, 512).
*/
static bool hmac(SECItem *key, CK_MECHANISM_TYPE mech, const SECItem *in,
struct digest_buffer *out)
{
SECItem param = { siBuffer, NULL, 0 };
PK11SlotInfo *slot = NULL;
PK11SymKey *symkey = NULL;
PK11Context *ctx = NULL;
bool ret = false;
SECStatus s;
slot = PK11_GetBestSlot(mech, NULL);
if (slot == NULL) {
slot = PK11_GetInternalKeySlot();
if (slot == NULL) {
goto done;
}
}
symkey = import_key(slot, mech, key);
if (symkey == NULL)
goto done;
ctx = PK11_CreateContextBySymKey(mech, CKA_SIGN, symkey, &param);
if (ctx == NULL)
goto done;
s = PK11_DigestBegin(ctx);
if (s != SECSuccess)
goto done;
s = PK11_DigestOp(ctx, in->data, in->len);
if (s != SECSuccess)
goto done;
s = PK11_DigestFinal(ctx, out->buf, &out->len, sizeof(out->buf));
if (s != SECSuccess)
goto done;
ret = true;
done:
if (ctx != NULL)
PK11_DestroyContext(ctx, PR_TRUE);
if (symkey != NULL)
PK11_FreeSymKey(symkey);
if (slot != NULL)
PK11_FreeSlot(slot);
return ret;
}
/*
@@ -92,34 +183,32 @@ static bool hmac(const struct hotp_token_key *key, const char *sn_mech,
*/
bool hotp(const struct hotp_token *token, uint64_t counter, uint32_t *out)
{
const char *mech = SN_sha1;
const SECItem cntr = { siBuffer, (uint8_t *) &counter, sizeof(counter) };
SECItem keyitm = { siBuffer, token->key.bytes, token->key.len };
CK_MECHANISM_TYPE mech = CKM_SHA_1_HMAC;
PRUint64 offset, binary, div;
struct digest_buffer digest;
unsigned char counter_buf[sizeof(uint64_t)];
const EVP_MD *evp;
int digits = token->digits;
int i;
uint64_t div, offset, binary;
/* Convert counter to network byte order. */
counter = htobe64(counter);
/* Copy counter to buffer */
memcpy(counter_buf, &counter, sizeof(uint64_t));
counter = PR_htonll(counter);
/* Find the mech. */
for (i = 0; algo2mech[i].algo; i++) {
if (strcasecmp(algo2mech[i].algo, token->algo) == 0) {
mech = algo2mech[i].sn_mech;
mech = algo2mech[i].mech;
break;
}
}
/* Create the digits divisor. */
for (div = 1; digits > 0; digits--) {
div *= 10;
}
/* Do the digest. */
if (!hmac(&(token->key), mech, counter, &digest)) {
if (!hmac(&keyitm, mech, &cntr, &digest)) {
return false;
}

4
daemons/ipa-slapi-plugins/libotp/otp_config.c
View File

@@ -217,7 +217,7 @@ struct otp_config *otp_config_init(Slapi_ComponentId *plugin_id)
void *node = NULL;
int search_result = 0;
cfg = (struct otp_config *) slapi_ch_calloc(1, sizeof(*cfg));
cfg = (typeof(cfg)) slapi_ch_calloc(1, sizeof(*cfg));
cfg->plugin_id = plugin_id;
/* Build the config table. */
@@ -229,7 +229,7 @@ struct otp_config *otp_config_init(Slapi_ComponentId *plugin_id)
struct record *rec;
/* Create the config entry. */
rec = (struct record *) slapi_ch_calloc(1, sizeof(*rec));
rec = (typeof(rec)) slapi_ch_calloc(1, sizeof(*rec));
rec->spec = specs[i];
rec->sdn = make_sdn(rec->spec->prefix, sfx);

4
daemons/ipa-slapi-plugins/libotp/t_hotp.c
View File

@@ -43,6 +43,7 @@
#include <stddef.h>
#include <time.h>
#include <string.h>
#include <nss.h>
#define KEY(s) { (uint8_t *) s, sizeof(s) - 1 }
@@ -103,6 +104,8 @@ main(int argc, const char *argv[])
uint32_t otp;
int i;
NSS_NoDB_Init(".");
for (i = 0; i < sizeof(hotp_answers) / sizeof(*hotp_answers); i++) {
assert(hotp(&hotp_token, i, &otp));
assert(otp == hotp_answers[i]);
@@ -113,5 +116,6 @@ main(int argc, const char *argv[])
assert(otp == totp_tests[i].answer);
}
NSS_Shutdown();
return 0;
}