From 08ada3f8d7f80067a1b43e6172394d1326e3d178 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 8 Aug 2018 12:28:53 +0300
Subject: [PATCH] Move fips_enabled to a common library to share across
different plugins
Related: https://pagure.io/freeipa/issue/7659
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
---
.../ipa-slapi-plugins/ipa-pwd-extop/common.c | 24 +-----------------
util/ipa_pwd.c | 25 +++++++++++++++++++
util/ipa_pwd.h | 2 ++
3 files changed, 28 insertions(+), 23 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 5efadac5b1fd57e5f91a886224fa2f1ab88305ac..db7183bf2b115dcb0c21f7a6bdb8e55db26224c4 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -46,7 +46,6 @@
/* Type of connection for this operation;*/
#define LDAP_EXTOP_PASSMOD_CONN_SECURE
-#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
/* Uncomment the following #undef FOR TESTING:
* allows non-SSL connections to use the password change extended op */
@@ -64,27 +63,6 @@ static const char *ipapwd_def_encsalts[] = {
NULL
};
-static bool fips_enabled(void)
-{
- int fd;
- ssize_t len;
- char buf[8];
-
- fd = open(PROC_SYS_FIPS, O_RDONLY);
- if (fd != -1) {
- len = read(fd, buf, sizeof(buf));
- close(fd);
- /* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value
- * similar to the is_fips_enabled() check in
- * ipaplatform/redhat/tasks.py */
- if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {
- return true;
- }
- }
-
- return false;
-}
-
static struct ipapwd_krbcfg *ipapwd_getConfig(void)
{
krb5_error_code krberr;
@@ -255,7 +233,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
/* get the ipa etc/ipaConfig entry */
config->allow_nt_hash = false;
- if (fips_enabled()) {
+ if (ipapwd_fips_enabled()) {
LOG("FIPS mode is enabled, NT hashes are not allowed.\n");
} else {
ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c
index f6564c8021c656031d3f459dd50d830934c7143b..9890c980cacad08302fb5305c3aa9598a81ec681 100644
--- a/util/ipa_pwd.c
+++ b/util/ipa_pwd.c
@@ -27,6 +27,8 @@
#include <stdio.h>
#include <time.h>
#include <ctype.h>
+#include <fcntl.h>
+#include <unistd.h>
#include <nss.h>
#include <nssb64.h>
#include <hasht.h>
@@ -656,3 +658,26 @@ done:
free(hash);
return ret;
}
+
+#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
+
+bool ipapwd_fips_enabled(void)
+{
+ int fd;
+ ssize_t len;
+ char buf[8];
+
+ fd = open(PROC_SYS_FIPS, O_RDONLY);
+ if (fd != -1) {
+ len = read(fd, buf, sizeof(buf));
+ close(fd);
+ /* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value
+ * similar to the is_fips_enabled() check in
+ * ipaplatform/redhat/tasks.py */
+ if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {
+ return true;
+ }
+ }
+
+ return false;
+}
diff --git a/util/ipa_pwd.h b/util/ipa_pwd.h
index b3ee75063adc4baa93bbd4991161bebe1d233bb8..664c8b1827591e716095d9ef1727e422c7d82680 100644
--- a/util/ipa_pwd.h
+++ b/util/ipa_pwd.h
@@ -77,3 +77,5 @@ int ipapwd_generate_new_history(char *password,
int *new_pwd_hlen);
int encode_nt_key(char *newPasswd, uint8_t *nt_key);
+
+bool ipapwd_fips_enabled(void);
--
2.17.1