From 08ada3f8d7f80067a1b43e6172394d1326e3d178 Mon Sep 17 00:00:00 2001

From: Alexander Bokovoy <abokovoy@redhat.com>

Date: Wed, 8 Aug 2018 12:28:53 +0300

Subject: [PATCH] Move fips_enabled to a common library to share across

 different plugins

Related: https://pagure.io/freeipa/issue/7659

Reviewed-By: Robbie Harwood <rharwood@redhat.com>

---

 .../ipa-slapi-plugins/ipa-pwd-extop/common.c  | 24 +-----------------

 util/ipa_pwd.c                                | 25 +++++++++++++++++++

 util/ipa_pwd.h                                |  2 ++

 3 files changed, 28 insertions(+), 23 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c

index 5efadac5b1fd57e5f91a886224fa2f1ab88305ac..db7183bf2b115dcb0c21f7a6bdb8e55db26224c4 100644

--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c

+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c

@@ -46,7 +46,6 @@

 /* Type of connection for this operation;*/

 #define LDAP_EXTOP_PASSMOD_CONN_SECURE

-#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"

 /* Uncomment the following #undef FOR TESTING:

  * allows non-SSL connections to use the password change extended op */

@@ -64,27 +63,6 @@ static const char *ipapwd_def_encsalts[] = {

     NULL

 };

-static bool fips_enabled(void)

-{

-    int fd;

-    ssize_t len;

-    char buf[8];

-

-    fd = open(PROC_SYS_FIPS, O_RDONLY);

-    if (fd != -1) {

-        len = read(fd, buf, sizeof(buf));

-        close(fd);

-        /* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value

-         * similar to the is_fips_enabled() check in

-         * ipaplatform/redhat/tasks.py */

-        if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {

-            return true;

-        }

-    }

-

-    return false;

-}

-

 static struct ipapwd_krbcfg *ipapwd_getConfig(void)

 {

     krb5_error_code krberr;

@@ -255,7 +233,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)

     /* get the ipa etc/ipaConfig entry */

     config->allow_nt_hash = false;

-    if (fips_enabled()) {

+    if (ipapwd_fips_enabled()) {

         LOG("FIPS mode is enabled, NT hashes are not allowed.\n");

     } else {

         ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);

diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c

index f6564c8021c656031d3f459dd50d830934c7143b..9890c980cacad08302fb5305c3aa9598a81ec681 100644

--- a/util/ipa_pwd.c

+++ b/util/ipa_pwd.c

@@ -27,6 +27,8 @@

 #include <stdio.h>

 #include <time.h>

 #include <ctype.h>

+#include <fcntl.h>

+#include <unistd.h>

 #include <nss.h>

 #include <nssb64.h>

 #include <hasht.h>

@@ -656,3 +658,26 @@ done:

     free(hash);

     return ret;

 }

+

+#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"

+

+bool ipapwd_fips_enabled(void)

+{

+    int fd;

+    ssize_t len;

+    char buf[8];

+

+    fd = open(PROC_SYS_FIPS, O_RDONLY);

+    if (fd != -1) {

+        len = read(fd, buf, sizeof(buf));

+        close(fd);

+        /* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value

+         * similar to the is_fips_enabled() check in

+         * ipaplatform/redhat/tasks.py */

+        if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {

+            return true;

+        }

+    }

+

+    return false;

+}

diff --git a/util/ipa_pwd.h b/util/ipa_pwd.h

index b3ee75063adc4baa93bbd4991161bebe1d233bb8..664c8b1827591e716095d9ef1727e422c7d82680 100644

--- a/util/ipa_pwd.h

+++ b/util/ipa_pwd.h

@@ -77,3 +77,5 @@ int ipapwd_generate_new_history(char *password,

                                 int *new_pwd_hlen);

 int encode_nt_key(char *newPasswd, uint8_t *nt_key);

+

+bool ipapwd_fips_enabled(void);

-- 

2.17.1