packages/kanidm: init with support for 389ds PBKDF2_SHA256
parent
dfd5e3306b
commit
29f2c20e64
3 changed files with 35 additions and 0 deletions
|
@ -6,6 +6,7 @@
|
||||||
in {
|
in {
|
||||||
|
|
||||||
inherit (patched)
|
inherit (patched)
|
||||||
|
kanidm
|
||||||
powerdns-admin
|
powerdns-admin
|
||||||
prometheus-jitsi-exporter
|
prometheus-jitsi-exporter
|
||||||
sssd
|
sssd
|
||||||
|
|
|
@ -76,6 +76,8 @@ super: rec {
|
||||||
};
|
};
|
||||||
in jre // { meta = jre.meta // { inherit (super.jdk17_headless.meta) platforms; }; };
|
in jre // { meta = jre.meta // { inherit (super.jdk17_headless.meta) platforms; }; };
|
||||||
|
|
||||||
|
kanidm = patch super.kanidm "patches/base/kanidm";
|
||||||
|
|
||||||
keycloak = super.keycloak.override {
|
keycloak = super.keycloak.override {
|
||||||
jre = jre17_standard;
|
jre = jre17_standard;
|
||||||
};
|
};
|
||||||
|
|
32
patches/base/kanidm/389ds-pbkdf2_sha256.patch
Normal file
32
patches/base/kanidm/389ds-pbkdf2_sha256.patch
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
diff --git a/libs/crypto/src/lib.rs b/libs/crypto/src/lib.rs
|
||||||
|
index 1ca99d5..8edc071 100644
|
||||||
|
--- a/libs/crypto/src/lib.rs
|
||||||
|
+++ b/libs/crypto/src/lib.rs
|
||||||
|
@@ -295,6 +295,27 @@ impl TryFrom<&str> for Password {
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if let Some(ds_pbkdf2_b64) = value.strip_prefix("{PBKDF2_SHA256}") {
|
||||||
|
+ let base64_decoder_config = general_purpose::GeneralPurposeConfig::new()
|
||||||
|
+ .with_decode_allow_trailing_bits(true);
|
||||||
|
+ let base64_decoder =
|
||||||
|
+ GeneralPurpose::new(&alphabet::STANDARD, base64_decoder_config);
|
||||||
|
+ let ds_pbkdf2 = base64_decoder.decode(ds_pbkdf2_b64).map_err(|e| {
|
||||||
|
+ error!(?e, "Invalid base64 in 389ds PBKDF2_SHA256");
|
||||||
|
+ })?;
|
||||||
|
+ let cost = u32::from_be_bytes(ds_pbkdf2[0..4].try_into().unwrap());
|
||||||
|
+ let c: usize = cost.try_into().unwrap();
|
||||||
|
+ let s: Vec<u8> = ds_pbkdf2[4..68].try_into().unwrap();
|
||||||
|
+ let h: Vec<u8> = ds_pbkdf2[68..ds_pbkdf2.len()].try_into().unwrap();
|
||||||
|
+ if h.len() < PBKDF2_MIN_NIST_KEY_LEN {
|
||||||
|
+ warn!("389ds PBKDF2_SHA256: hash length {} too short vs. {}!", h.len(), PBKDF2_MIN_NIST_KEY_LEN);
|
||||||
|
+ return Err(());
|
||||||
|
+ }
|
||||||
|
+ return Ok(Password {
|
||||||
|
+ material: Kdf::PBKDF2(c, s, h)
|
||||||
|
+ })
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
// Test for OpenLDAP formats
|
||||||
|
if value.starts_with("{PBKDF2}")
|
||||||
|
|| value.starts_with("{PBKDF2-SHA1}")
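Review bot: The slices `ds_pbkdf2[0..4]`, `ds_pbkdf2[4..68]` and `ds_pbkdf2[68..ds_pbkdf2.len()]` panic when the base64-decoded value is shorter than 68 bytes, so a truncated or malformed `{PBKDF2_SHA256}` attribute aborts the importing process instead of being rejected the way the base64 error a few lines earlier is. A length guard before the first slice keeps the malformed case on the `Err(())` path this function already uses for the short-hash case. The iteration count is likewise taken from the imported bytes with no lower bound, so an entry whose leading four bytes encode a cost of 0 or 1 would be stored as a valid credential; if this crate defines a minimum iteration count alongside `PBKDF2_MIN_NIST_KEY_LEN`, `c` should be compared against it here the same way `h.len()` is. The 64-byte salt and big-endian count are presumably the 389ds on-disk layout; that is worth confirming against 389ds's PBKDF2 plugin since a byte-order mistake would import counts that never verify. This branch sits inside `TryFrom<&str> for Password`, whose body starts and ends outside the hunk.
```rust
            })?;
            // 389ds layout: 4-byte big-endian iteration count, 64-byte salt, then the derived key.
            if ds_pbkdf2.len() < 68 {
                warn!("389ds PBKDF2_SHA256: decoded value is {} bytes, expected at least 68", ds_pbkdf2.len());
                return Err(());
            }
            let cost = u32::from_be_bytes(ds_pbkdf2[0..4].try_into().unwrap());
            // … unchanged: salt/hash split, key-length check, Ok(Password { .. }) …
```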
|