From 84be5dc9e72fbf4c85b6f061da94a4316c90d65e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 16 Jun 2017 17:49:44 +0200
Subject: [PATCH] ipa_pwd_extop: do not generate NT hashes in FIPS mode

In FIPS mode NT hashes (aka md4) are not allowed. If FIPS mode is
detected we disable NT hashes even if they are allowed by IPA
configuration.

Resolves https://pagure.io/freeipa/issue/7026

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 53 ++++++++++++++++++------
 1 file changed, 40 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 761f7a8e3e9ee539f97797c98b8719ad752bdcf1..5efadac5b1fd57e5f91a886224fa2f1ab88305ac 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -46,6 +46,8 @@
 /* Type of connection for this operation;*/
 #define LDAP_EXTOP_PASSMOD_CONN_SECURE
 
+#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
+
 /* Uncomment the following #undef FOR TESTING:
  * allows non-SSL connections to use the password change extended op */
 /* #undef LDAP_EXTOP_PASSMOD_CONN_SECURE */
@@ -62,6 +64,27 @@ static const char *ipapwd_def_encsalts[] = {
     NULL
 };
 
+static bool fips_enabled(void)
+{
+    int fd;
+    ssize_t len;
+    char buf[8];
+
+    fd = open(PROC_SYS_FIPS, O_RDONLY);
+    if (fd != -1) {
+        len = read(fd, buf, sizeof(buf));
+        close(fd);
+        /* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value
+         * similar to the is_fips_enabled() check in
+         * ipaplatform/redhat/tasks.py */
+        if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {
+            return true;
+        }
+    }
+
+    return false;
+}
+
 static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 {
     krb5_error_code krberr;
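Review bot: The condition at `if (!(len == 2 && buf[0] == '0' && buf[1] == '\n'))` reports FIPS as enabled for anything other than an exact "0\n", which includes a failed or short read() (len of -1 or 1) and a file holding "0" without a trailing newline; that is a fail-closed choice, but the comment above it only describes the non-zero case, so a reader may take the error path as an oversight. I would extend the comment to state it, e.g. `/* Anything other than an exact "0\n" -- including a read error -- is treated as FIPS enabled (fail closed). */`, and fix the typo "FIPS in enabled" to "FIPS is enabled". Note also that a missing file (open() fails) yields false while a read error yields true; if that asymmetry is intended it is worth a sentence too. The function relies on open/read/close and bool, so I assume <fcntl.h>, <unistd.h> and <stdbool.h> are already included further up, which this hunk does not show. fips_enabled() is complete within the hunk; the trailing lines belong to ipapwd_getConfig, which continues past it.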
@@ -232,23 +255,27 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 
     /* get the ipa etc/ipaConfig entry */
     config->allow_nt_hash = false;
-    ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
-    if (ret != LDAP_SUCCESS) {
-        LOG_FATAL("No config Entry?\n");
-        goto free_and_error;
+    if (fips_enabled()) {
+        LOG("FIPS mode is enabled, NT hashes are not allowed.\n");
     } else {
-        tmparray = slapi_entry_attr_get_charray(config_entry,
-                                                "ipaConfigString");
-        for (i = 0; tmparray && tmparray[i]; i++) {
-            if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
-                config->allow_nt_hash = true;
-                continue;
+        ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
+        if (ret != LDAP_SUCCESS) {
+            LOG_FATAL("No config Entry?\n");
+            goto free_and_error;
+        } else {
+            tmparray = slapi_entry_attr_get_charray(config_entry,
+                                                    "ipaConfigString");
+            for (i = 0; tmparray && tmparray[i]; i++) {
+                if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
+                    config->allow_nt_hash = true;
+                    continue;
+                }
             }
+            if (tmparray) slapi_ch_array_free(tmparray);
         }
-        if (tmparray) slapi_ch_array_free(tmparray);
-    }
 
-    slapi_entry_free(config_entry);
+        slapi_entry_free(config_entry);
+    }
 
     return config;
 
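Review bot: The `} else {` following `goto free_and_error;` is redundant, because the if branch never falls through, and keeping it adds an extra indentation level to the whole ipaConfigString loop that makes this hunk larger than the logic change warrants; dropping the `else` and dedenting the loop, the `slapi_ch_array_free` call and its closing brace leaves behaviour identical and the diff mostly a two-line wrap. The pre-existing `continue;` at the end of the loop body is likewise a no-op and could go in the same pass. Behaviour of the new FIPS branch looks right as far as the hunk shows: `config_entry` is neither fetched nor freed there, and `allow_nt_hash` keeps the `false` set just above. ipapwd_getConfig begins and ends outside this hunk, so I cannot see whether `config_entry` is initialised to NULL at declaration, which the `free_and_error` path presumably depends on.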
-- 
2.9.4