[4.5] Manual rebase of OTP FIPS mode fixes #1678

Closed
wants to merge 3 commits into from

Conversation

rcritten
Contributor

@rcritten rcritten commented Mar 13, 2018

Manual rebase of PR #1621 to the ipa-4-5 branch

NSS doesn't allow keys to be loaded directly in FIPS mode. To work around
this, we encrypt the input key using an ephemeral key and then unwrap the
encrypted key.

https://pagure.io/freeipa/issue/7168

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

The previous default token key size would fail in FIPS mode for the sha384
and sha512 algorithms. With the updated key size, the default will work in
all cases.

https://pagure.io/freeipa/issue/7168

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

This reverts commit 16a952a.

OTP now works in FIPS mode. RADIUS can be made to be compliant by wrapping
traffic in a VPN.

https://pagure.io/freeipa/issue/7168
https://pagure.io/freeipa/issue/7243

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
@stlaz changed the title from "Manual rebase of OTP FIPS mode fixes" to "[4.5] Manual rebase of OTP FIPS mode fixes" Mar 14, 2018
@tiran added the "ack" (Pull Request approved, can be merged) and "pushed" (Pull Request has already been pushed) labels Mar 14, 2018
@tiran
Member

tiran commented Mar 14, 2018

ipa-4-5:

  • 52c5998 Fix OTP validation in FIPS mode
  • c7d383c Increase the default token key size
  • 98efe7c Revert "Don't allow OTP or RADIUS in FIPS mode"

@tiran tiran closed this Mar 14, 2018