From 3c974c157f332bd8f4db48eba52d2b760c0c1e77 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 7 Jul 2015 15:10:28 +0200 Subject: otptoken: use ipapython.nsslib instead of Python's ssl module The otptoken plugin is the only module in FreeIPA that uses Python's ssl module instead of NSS. The patch replaces ssl with NSSConnection. It uses the default NSS database to lookup trust anchors. NSSConnection uses NSS for hostname matching. The package python-backports-ssl_match_hostname is no longer required. https://fedorahosted.org/freeipa/ticket/5068 Reviewed-By: Martin Basti --- freeipa.spec.in | 2 -- ipalib/plugins/otptoken.py | 36 ++++++++---------------------------- 2 files changed, 8 insertions(+), 30 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 928425fdc..649af3c2e 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -95,7 +95,6 @@ BuildRequires: systemd BuildRequires: libunistring-devel BuildRequires: python-lesscpy BuildRequires: python-yubico >= 1.2.3 -BuildRequires: python-backports-ssl_match_hostname BuildRequires: softhsm-devel >= 2.0.0rc1-1 BuildRequires: openssl-devel BuildRequires: p11-kit-devel @@ -272,7 +271,6 @@ Requires: libsss_autofs Requires: autofs Requires: libnfsidmap Requires: nfs-utils -Requires: python-backports-ssl_match_hostname Requires(post): policycoreutils Conflicts: %{alt_name}-client diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py index 294c1c54a..07df0ee3e 100644 --- a/ipalib/plugins/otptoken.py +++ b/ipalib/plugins/otptoken.py @@ -24,8 +24,9 @@ from ipalib.plugable import Registry from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound, ValidationError from ipalib.request import context from ipalib.frontend import Local +from ipaplatform.paths import paths +from ipapython.nsslib import NSSConnection -from backports.ssl_match_hostname import match_hostname import base64 import uuid import urllib @@ -34,7 +35,6 @@ import httplib import urlparse import qrcode import os -import ssl __doc__ = _(""" OTP Tokens @@ -471,28 +471,6 @@ class otptoken_remove_managedby(LDAPRemoveMember): member_attributes = ['managedby'] -class HTTPSConnection(httplib.HTTPConnection): - "Generates an SSL HTTP connection that performs hostname validation." - - ssl_kwargs = ssl.wrap_socket.func_code.co_varnames[1:ssl.wrap_socket.func_code.co_argcount] #pylint: disable=E1101 - default_port = httplib.HTTPS_PORT - - def __init__(self, host, **kwargs): - # Strip out arguments we want to pass to ssl.wrap_socket() - self.__kwargs = {k: v for k, v in kwargs.items() if k in self.ssl_kwargs} - for k in self.__kwargs: - del kwargs[k] - - # Can't use super() because the parent is an old-style class. - httplib.HTTPConnection.__init__(self, host, **kwargs) - - def connect(self): - # Create the raw socket and wrap it in ssl. - httplib.HTTPConnection.connect(self) - self.sock = ssl.wrap_socket(self.sock, **self.__kwargs) - - # Verify the remote hostname. - match_hostname(self.sock.getpeercert(), self.host.split(':', 1)[0]) class HTTPSHandler(urllib2.HTTPSHandler): "Opens SSL HTTPS connections that perform hostname validation." @@ -506,7 +484,9 @@ class HTTPSHandler(urllib2.HTTPSHandler): def __inner(self, host, **kwargs): tmp = self.__kwargs.copy() tmp.update(kwargs) - return HTTPSConnection(host, **tmp) + # NSSConnection doesn't support timeout argument + tmp.pop('timeout', None) + return NSSConnection(host, **tmp) def https_open(self, req): return self.do_open(self.__inner, req) @@ -548,9 +528,9 @@ class otptoken_sync(Local): # Sync the token. # pylint: disable=E1101 - handler = HTTPSHandler(ca_certs=os.path.join(self.api.env.confdir, 'ca.crt'), - cert_reqs=ssl.CERT_REQUIRED, - ssl_version=ssl.PROTOCOL_TLSv1) + handler = HTTPSHandler(dbdir=paths.IPA_NSSDB_DIR, + tls_version_min=api.env.tls_version_min, + tls_version_max=api.env.tls_version_max) rsp = urllib2.build_opener(handler).open(sync_uri, query) if rsp.getcode() == 200: status['result'][self.header] = rsp.info().get(self.header, 'unknown') -- cgit