Hello,

The patch removes the dependency on Python's ssl module and on
python-backports-ssl_match_hostname.

https://fedorahosted.org/freeipa/ticket/5068

Open question
-------------
Is paths.IPA_NSSDB_DIR the correct NSSDB?

Christian
From 976427e5c448093131a99bdf77fc9d23c2d87883 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Tue, 7 Jul 2015 15:10:28 +0200
Subject: [PATCH] otptoken: use ipapython.nsslib instead of Python's ssl module

The otptoken plugin is the only module in FreeIPA that uses Python's ssl
module instead of NSS. The patch replaces ssl with NSSConnection. It
uses the default NSS database to look up trust anchors. NSSConnection
uses NSS for hostname matching. The package
python-backports-ssl_match_hostname is no longer required.

https://fedorahosted.org/freeipa/ticket/5068
---
 freeipa.spec.in            |  2 --
 ipalib/plugins/otptoken.py | 36 ++++++++----------------------------
 2 files changed, 8 insertions(+), 30 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 52af50dd0cac1902759d6d58061d73c7f80b3a0e..c419164410e33f0bc26762bed295f8c704f205fc 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -92,7 +92,6 @@ BuildRequires:  systemd
 BuildRequires:  libunistring-devel
 BuildRequires:  python-lesscpy
 BuildRequires:  python-yubico >= 1.2.3
-BuildRequires:  python-backports-ssl_match_hostname
 BuildRequires:  softhsm-devel >= 2.0.0rc1-1
 BuildRequires:  openssl-devel
 BuildRequires:  p11-kit-devel
@@ -252,7 +251,6 @@ Requires: libsss_autofs
 Requires: autofs
 Requires: libnfsidmap
 Requires: nfs-utils
-Requires: python-backports-ssl_match_hostname
 Requires(post): policycoreutils
 
 Conflicts: %{alt_name}-client
diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index 294c1c54afdfa6a13d37766d6851affa44ece60c..07df0ee3ee29032aaee35f1afc4d0b882d67ea75 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -24,8 +24,9 @@ from ipalib.plugable import Registry
 from ipalib.errors import PasswordMismatch, ConversionError, LastMemberError, NotFound, ValidationError
 from ipalib.request import context
 from ipalib.frontend import Local
+from ipaplatform.paths import paths
+from ipapython.nsslib import NSSConnection
 
-from backports.ssl_match_hostname import match_hostname
 import base64
 import uuid
 import urllib
@@ -34,7 +35,6 @@ import httplib
 import urlparse
 import qrcode
 import os
-import ssl
 
 __doc__ = _("""
 OTP Tokens
@@ -471,28 +471,6 @@ class otptoken_remove_managedby(LDAPRemoveMember):
 
     member_attributes = ['managedby']
 
-class HTTPSConnection(httplib.HTTPConnection):
-    "Generates an SSL HTTP connection that performs hostname validation."
-
-    ssl_kwargs = ssl.wrap_socket.func_code.co_varnames[1:ssl.wrap_socket.func_code.co_argcount] #pylint: disable=E1101
-    default_port = httplib.HTTPS_PORT
-
-    def __init__(self, host, **kwargs):
-        # Strip out arguments we want to pass to ssl.wrap_socket()
-        self.__kwargs = {k: v for k, v in kwargs.items() if k in self.ssl_kwargs}
-        for k in self.__kwargs:
-            del kwargs[k]
-
-        # Can't use super() because the parent is an old-style class.
-        httplib.HTTPConnection.__init__(self, host, **kwargs)
-
-    def connect(self):
-        # Create the raw socket and wrap it in ssl.
-        httplib.HTTPConnection.connect(self)
-        self.sock = ssl.wrap_socket(self.sock, **self.__kwargs)
-
-        # Verify the remote hostname.
-        match_hostname(self.sock.getpeercert(), self.host.split(':', 1)[0])
 
 class HTTPSHandler(urllib2.HTTPSHandler):
     "Opens SSL HTTPS connections that perform hostname validation."
@@ -506,7 +484,9 @@ class HTTPSHandler(urllib2.HTTPSHandler):
     def __inner(self, host, **kwargs):
         tmp = self.__kwargs.copy()
         tmp.update(kwargs)
-        return HTTPSConnection(host, **tmp)
+        # NSSConnection doesn't support timeout argument
+        tmp.pop('timeout', None)
+        return NSSConnection(host, **tmp)
 
     def https_open(self, req):
         return self.do_open(self.__inner, req)
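Review bot: `tmp.pop('timeout', None)` silently discards the timeout that urllib2's do_open passes in as `req.timeout`; the removed HTTPSConnection forwarded that keyword on to httplib.HTTPConnection, so after this hunk the sync request has no socket timeout and the otptoken_sync command can block indefinitely on an unresponsive server. If NSSConnection exposes its socket after connect, applying the popped value there would restore the old behaviour; failing that, the comment should at least record the regression rather than only the API limitation, e.g. `# NSSConnection doesn't support timeout argument; dropping it leaves the sync request without a socket timeout (TODO: enforce one once NSSConnection supports it)`. The enclosing HTTPSHandler class and the `self.__kwargs` it copies here are defined outside the hunk.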
@@ -548,9 +528,9 @@ class otptoken_sync(Local):
 
         # Sync the token.
         # pylint: disable=E1101
-        handler = HTTPSHandler(ca_certs=os.path.join(self.api.env.confdir, 'ca.crt'),
-                               cert_reqs=ssl.CERT_REQUIRED,
-                               ssl_version=ssl.PROTOCOL_TLSv1)
+        handler = HTTPSHandler(dbdir=paths.IPA_NSSDB_DIR,
+                               tls_version_min=api.env.tls_version_min,
+                               tls_version_max=api.env.tls_version_max)
         rsp = urllib2.build_opener(handler).open(sync_uri, query)
         if rsp.getcode() == 200:
             status['result'][self.header] = rsp.info().get(self.header, 'unknown')
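Review bot: The new handler accepts any issuer present in the NSS database at `paths.IPA_NSSDB_DIR`, whereas the lines it replaces pinned the sync endpoint to the single CA in `confdir/ca.crt` with `cert_reqs=ssl.CERT_REQUIRED`; that widening of trust is exactly the open question in the cover note, and whichever way it is resolved the `dbdir=` line deserves a comment such as `# trust anchors come from the NSS DB, not the lone IPA CA in confdir/ca.crt`. Separately, the added lines read `api.env.tls_version_min` while the line they replace used `self.api.env.confdir`; writing `tls_version_min=self.api.env.tls_version_min` and `tls_version_max=self.api.env.tls_version_max` keeps the method consistent and avoids depending on a module-level `api` name that is not visible in this hunk. The otptoken_sync method body begins outside the hunk.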
-- 
2.4.3

