From ab4b7f7ca4a3a477df1cf61418f2d63755652dcc Mon Sep 17 00:00:00 2001
From: Johnny Hughes <johnny@centos.org>
Date: Mon, 14 May 2018 14:34:43 +0000
Subject: [PATCH] set ipaplatform to rhel for compatibilty for updates

---
 SOURCES/0039-Fix-OTP-validation-in-FIPS-mode.patch |   93 ++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 93 insertions(+), 0 deletions(-)

diff --git a/SOURCES/0039-Fix-OTP-validation-in-FIPS-mode.patch b/SOURCES/0039-Fix-OTP-validation-in-FIPS-mode.patch
new file mode 100644
index 0000000..0c0e1b7
--- /dev/null
+++ b/SOURCES/0039-Fix-OTP-validation-in-FIPS-mode.patch
@@ -0,0 +1,93 @@
+From 20ab0c731eea95327c8c2dc296461b612c6e98ae Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum <npmccallum@redhat.com>
+Date: Wed, 21 Feb 2018 23:39:55 -0500
+Subject: [PATCH] Fix OTP validation in FIPS mode
+
+NSS doesn't allow keys to be loaded directly in FIPS mode. To work around
+this, we encrypt the input key using an ephemeral key and then unwrap the
+encrypted key.
+
+https://pagure.io/freeipa/issue/7168
+
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ daemons/ipa-slapi-plugins/libotp/hotp.c | 47 +++++++++++++++++++++++++++++++--
+ 1 file changed, 45 insertions(+), 2 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/libotp/hotp.c b/daemons/ipa-slapi-plugins/libotp/hotp.c
+index 619bc63ab1bee99d71c2f0fb887809762107c94c..0c9de96d37183e597867b736d6324db60fa1b3bb 100644
+--- a/daemons/ipa-slapi-plugins/libotp/hotp.c
++++ b/daemons/ipa-slapi-plugins/libotp/hotp.c
+@@ -46,6 +46,7 @@
+ #include <time.h>
+ 
+ #include <nss.h>
++#include <blapit.h>
+ #include <pk11pub.h>
+ #include <hasht.h>
+ #include <prnetdb.h>
+@@ -66,6 +67,49 @@ static const struct {
+     { }
+ };
+ 
++static PK11SymKey *
++import_key(PK11SlotInfo *slot, CK_MECHANISM_TYPE mech, SECItem *key)
++{
++    uint8_t ct[(key->len / AES_BLOCK_SIZE + 1) * AES_BLOCK_SIZE];
++    uint8_t iv[AES_BLOCK_SIZE] = {};
++    SECItem ivitem = { .data = iv, .len = sizeof(iv), .type = siBuffer };
++    SECItem ctitem = { .data = ct, .len = sizeof(ct), .type = siBuffer };
++    PK11SymKey *ekey = NULL;
++    PK11SymKey *skey = NULL;
++
++    /* Try to import the key directly. */
++    skey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap,
++                             CKA_SIGN, key, NULL);
++    if (skey)
++        return skey;
++
++    /* If we get here, we are probably in FIPS mode. Let's encrypt the key so
++     * that we can unseal it instead of loading it directly. */
++
++    /* Generate an ephemeral key. */
++    ekey = PK11_TokenKeyGenWithFlags(slot, CKM_AES_CBC_PAD, NULL,
++                                     AES_128_KEY_LENGTH, NULL,
++                                     CKF_ENCRYPT | CKF_UNWRAP,
++                                     PK11_ATTR_SESSION |
++                                     PK11_ATTR_PRIVATE |
++                                     PK11_ATTR_SENSITIVE, NULL);
++    if (!ekey)
++        goto egress;
++
++    /* Encrypt the input key. */
++    if (PK11_Encrypt(ekey, CKM_AES_CBC_PAD, &ivitem, ctitem.data, &ctitem.len,
++                     ctitem.len, key->data, key->len) != SECSuccess)
++        goto egress;
++
++    /* Unwrap the input key. */
++    skey = PK11_UnwrapSymKey(ekey, CKM_AES_CBC_PAD, &ivitem,
++                             &ctitem, mech, CKA_SIGN, key->len);
++
++egress:
++    PK11_FreeSymKey(ekey);
++    return skey;
++}
++
+ /*
+  * This code is mostly cargo-cult taken from here:
+  *   http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn5.html
+@@ -90,8 +134,7 @@ static bool hmac(SECItem *key, CK_MECHANISM_TYPE mech, const SECItem *in,
+         }
+     }
+ 
+-    symkey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap,
+-                               CKA_SIGN, key, NULL);
++    symkey = import_key(slot, mech, key);
+     if (symkey == NULL)
+         goto done;
+ 
+-- 
+2.14.3
+
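Review bot: The `goto egress` taken when `PK11_TokenKeyGenWithFlags` returns NULL in import_key hands that NULL to `PK11_FreeSymKey(ekey)`, and as far as I can tell that NSS routine decrements `symKey->refCount` without a NULL check, so a failed ephemeral-key generation in FIPS mode would likely crash the slapd plugin rather than fail the OTP check; guard it with `if (ekey) PK11_FreeSymKey(ekey);` or return NULL directly before the label. The `ct` buffer is a VLA sized from `key->len`, which is the stored token secret, so an unusually large secret grows the stack frame without bound — an explicit upper bound on `key->len` before the declaration (or a heap buffer) would make the worst case fixed. The all-zero IV is sound only because `ekey` is generated per call and encrypts exactly one message; a comment such as `/* Zero IV is acceptable: ekey is ephemeral and used for a single wrap. */` would record that invariant for the next maintainer. The empty initializer `uint8_t iv[AES_BLOCK_SIZE] = {};` is a GNU extension in C11 and only becomes standard in C23, so `= {0}` is the portable spelling.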
