rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0202-ipa_pwd_extop-do-not-generate-NT-hashes-in-FIPS-mode.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   460745326ba253b5c4924b624dbc2f0714a2af42
  2.   SOURCES
  3.   0202-ipa_pwd_extop-do-not-generate-NT-hashes-in-FIPS-mode.patch
Blob History Raw
ac7d03 
From 84be5dc9e72fbf4c85b6f061da94a4316c90d65e Mon Sep 17 00:00:00 2001
ac7d03 
From: Sumit Bose <sbose@redhat.com>
ac7d03 
Date: Fri, 16 Jun 2017 17:49:44 +0200
ac7d03 
Subject: [PATCH] ipa_pwd_extop: do not generate NT hashes in FIPS mode
ac7d03
ac7d03 
In FIPS mode NT hashes (aka md4) are not allowed. If FIPS more is
ac7d03 
detected we disable NT hashes even is the are allowed by IPA
ac7d03 
configuration.
ac7d03
ac7d03 
Resolves https://pagure.io/freeipa/issue/7026
ac7d03
ac7d03 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ac7d03 
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ac7d03 
---
ac7d03 
 daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 53 ++++++++++++++++++------
ac7d03 
 1 file changed, 40 insertions(+), 13 deletions(-)
ac7d03
ac7d03 
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
ac7d03 
index 761f7a8e3e9ee539f97797c98b8719ad752bdcf1..5efadac5b1fd57e5f91a886224fa2f1ab88305ac 100644
ac7d03 
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
ac7d03 
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
ac7d03 
@@ -46,6 +46,8 @@
ac7d03 
 /* Type of connection for this operation;*/
ac7d03 
 #define LDAP_EXTOP_PASSMOD_CONN_SECURE
ac7d03
ac7d03 
+#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
ac7d03 
+
ac7d03 
 /* Uncomment the following #undef FOR TESTING:
ac7d03 
  * allows non-SSL connections to use the password change extended op */
ac7d03 
 /* #undef LDAP_EXTOP_PASSMOD_CONN_SECURE */
ac7d03 
@@ -62,6 +64,27 @@ static const char *ipapwd_def_encsalts[] = {
ac7d03 
     NULL
ac7d03 
 };
ac7d03
ac7d03 
+static bool fips_enabled(void)
ac7d03 
+{
ac7d03 
+    int fd;
ac7d03 
+    ssize_t len;
ac7d03 
+    char buf[8];
ac7d03 
+
ac7d03 
+    fd = open(PROC_SYS_FIPS, O_RDONLY);
ac7d03 
+    if (fd != -1) {
ac7d03 
+        len = read(fd, buf, sizeof(buf));
ac7d03 
+        close(fd);
ac7d03 
+        /* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value
ac7d03 
+         * similar to the is_fips_enabled() check in
ac7d03 
+         * ipaplatform/redhat/tasks.py */
ac7d03 
+        if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {
ac7d03 
+            return true;
ac7d03 
+        }
ac7d03 
+    }
ac7d03 
+
ac7d03 
+    return false;
ac7d03 
+}
ac7d03 
+
ac7d03 
 static struct ipapwd_krbcfg *ipapwd_getConfig(void)
ac7d03 
 {
ac7d03 
     krb5_error_code krberr;
ac7d03 
@@ -232,23 +255,27 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
ac7d03
ac7d03 
     /* get the ipa etc/ipaConfig entry */
ac7d03 
     config->allow_nt_hash = false;
ac7d03 
-    ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
ac7d03 
-    if (ret != LDAP_SUCCESS) {
ac7d03 
-        LOG_FATAL("No config Entry?\n");
ac7d03 
-        goto free_and_error;
ac7d03 
+    if (fips_enabled()) {
ac7d03 
+        LOG("FIPS mode is enabled, NT hashes are not allowed.\n");
ac7d03 
     } else {
ac7d03 
-        tmparray = slapi_entry_attr_get_charray(config_entry,
ac7d03 
-                                                "ipaConfigString");
ac7d03 
-        for (i = 0; tmparray && tmparray[i]; i++) {
ac7d03 
-            if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
ac7d03 
-                config->allow_nt_hash = true;
ac7d03 
-                continue;
ac7d03 
+        ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
ac7d03 
+        if (ret != LDAP_SUCCESS) {
ac7d03 
+            LOG_FATAL("No config Entry?\n");
ac7d03 
+            goto free_and_error;
ac7d03 
+        } else {
ac7d03 
+            tmparray = slapi_entry_attr_get_charray(config_entry,
ac7d03 
+                                                    "ipaConfigString");
ac7d03 
+            for (i = 0; tmparray && tmparray[i]; i++) {
ac7d03 
+                if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
ac7d03 
+                    config->allow_nt_hash = true;
ac7d03 
+                    continue;
ac7d03 
+                }
ac7d03 
             }
ac7d03 
+            if (tmparray) slapi_ch_array_free(tmparray);
ac7d03 
         }
ac7d03 
-        if (tmparray) slapi_ch_array_free(tmparray);
ac7d03 
-    }
ac7d03
ac7d03 
-    slapi_entry_free(config_entry);
ac7d03 
+        slapi_entry_free(config_entry);
ac7d03 
+    }
ac7d03
ac7d03 
     return config;
ac7d03
ac7d03 
--
ac7d03 
2.9.4
ac7d03

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation