From 08ada3f8d7f80067a1b43e6172394d1326e3d178 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 8 Aug 2018 12:28:53 +0300
Subject: [PATCH] Move fips_enabled to a common library to share across
different plugins
Related: https://pagure.io/freeipa/issue/7659
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
---
.../ipa-slapi-plugins/ipa-pwd-extop/common.c | 24 +-----------------
util/ipa_pwd.c | 25 +++++++++++++++++++
util/ipa_pwd.h | 2 ++
3 files changed, 28 insertions(+), 23 deletions(-)
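--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -46,7 +46,6 @@
 /* Type of connection for this operation;*/
 #define LDAP_EXTOP_PASSMOD_CONN_SECURE
 
-#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
 
 /* Uncomment the following #undef FOR TESTING:
 * allows non-SSL connections to use the password change extended op */
@@ -64,27 +63,6 @@ static const char *ipapwd_def_encsalts[] = {
 NULL
 };
 
-static bool fips_enabled(void)
-{
- int fd;
- ssize_t len;
- char buf[8];
-
- fd = open(PROC_SYS_FIPS, O_RDONLY);
- if (fd != -1) {
- len = read(fd, buf, sizeof(buf));
- close(fd);
- /* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value
- * similar to the is_fips_enabled() check in
- * ipaplatform/redhat/tasks.py */
- if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {
- return true;
- }
- }
-
- return false;
-}
-
 static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 {
 krb5_error_code krberr;
@@ -255,7 +233,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 
 /* get the ipa etc/ipaConfig entry */
 config->allow_nt_hash = false;
- if (fips_enabled()) {
+ if (ipapwd_fips_enabled()) {
 LOG("FIPS mode is enabled, NT hashes are not allowed.\n");
 } else {
 ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);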
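--- a/util/ipa_pwd.c
+++ b/util/ipa_pwd.c
@@ -27,6 +27,8 @@
 #include <stdio.h>
 #include <time.h>
 #include <ctype.h>
+#include <fcntl.h>
+#include <unistd.h>
 #include <nss.h>
 #include <nssb64.h>
 #include <hasht.h>
@@ -656,3 +658,26 @@ done:
 free(hash);
 return ret;
 }
+
+#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
+
+bool ipapwd_fips_enabled(void)
+{
+ int fd;
+ ssize_t len;
+ char buf[8];
+
+ fd = open(PROC_SYS_FIPS, O_RDONLY);
+ if (fd != -1) {
+ len = read(fd, buf, sizeof(buf));
+ close(fd);
+ /* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value
+ * similar to the is_fips_enabled() check in
+ * ipaplatform/redhat/tasks.py */
+ if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {
+ return true;
+ }
+ }
+
+ return false;
+}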
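--- a/util/ipa_pwd.h
+++ b/util/ipa_pwd.h
@@ -77,3 +77,5 @@ int ipapwd_generate_new_history(char *password,
 int *new_pwd_hlen);
 
 int encode_nt_key(char *newPasswd, uint8_t *nt_key);
+
+bool ipapwd_fips_enabled(void);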
--
2.17.1