From 08ada3f8d7f80067a1b43e6172394d1326e3d178 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 8 Aug 2018 12:28:53 +0300
Subject: [PATCH] Move fips_enabled to a common library to share across
 different plugins

Related: https://pagure.io/freeipa/issue/7659
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
---
 .../ipa-slapi-plugins/ipa-pwd-extop/common.c  | 24 +-----------------
 util/ipa_pwd.c                                | 25 +++++++++++++++++++
 util/ipa_pwd.h                                |  2 ++
 3 files changed, 28 insertions(+), 23 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 5efadac5b1fd57e5f91a886224fa2f1ab88305ac..db7183bf2b115dcb0c21f7a6bdb8e55db26224c4 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -46,7 +46,6 @@
 /* Type of connection for this operation;*/
 #define LDAP_EXTOP_PASSMOD_CONN_SECURE
 
-#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
 
 /* Uncomment the following #undef FOR TESTING:
  * allows non-SSL connections to use the password change extended op */
@@ -64,27 +63,6 @@ static const char *ipapwd_def_encsalts[] = {
     NULL
 };
 
-static bool fips_enabled(void)
-{
-    int fd;
-    ssize_t len;
-    char buf[8];
-
-    fd = open(PROC_SYS_FIPS, O_RDONLY);
-    if (fd != -1) {
-        len = read(fd, buf, sizeof(buf));
-        close(fd);
-        /* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value
-         * similar to the is_fips_enabled() check in
-         * ipaplatform/redhat/tasks.py */
-        if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {
-            return true;
-        }
-    }
-
-    return false;
-}
-
 static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 {
     krb5_error_code krberr;
@@ -255,7 +233,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 
     /* get the ipa etc/ipaConfig entry */
     config->allow_nt_hash = false;
-    if (fips_enabled()) {
+    if (ipapwd_fips_enabled()) {
         LOG("FIPS mode is enabled, NT hashes are not allowed.\n");
     } else {
         ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c
index f6564c8021c656031d3f459dd50d830934c7143b..9890c980cacad08302fb5305c3aa9598a81ec681 100644
--- a/util/ipa_pwd.c
+++ b/util/ipa_pwd.c
@@ -27,6 +27,8 @@
 #include <stdio.h>
 #include <time.h>
 #include <ctype.h>
+#include <fcntl.h>
+#include <unistd.h>
 #include <nss.h>
 #include <nssb64.h>
 #include <hasht.h>
@@ -656,3 +658,26 @@ done:
     free(hash);
     return ret;
 }
+
+#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
+
+bool ipapwd_fips_enabled(void)
+{
+    int fd;
+    ssize_t len;
+    char buf[8];
+
+    fd = open(PROC_SYS_FIPS, O_RDONLY);
+    if (fd != -1) {
+        len = read(fd, buf, sizeof(buf));
+        close(fd);
+        /* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value
+         * similar to the is_fips_enabled() check in
+         * ipaplatform/redhat/tasks.py */
+        if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {
+            return true;
+        }
+    }
+
+    return false;
+}
diff --git a/util/ipa_pwd.h b/util/ipa_pwd.h
index b3ee75063adc4baa93bbd4991161bebe1d233bb8..664c8b1827591e716095d9ef1727e422c7d82680 100644
--- a/util/ipa_pwd.h
+++ b/util/ipa_pwd.h
@@ -77,3 +77,5 @@ int ipapwd_generate_new_history(char *password,
                                 int *new_pwd_hlen);
 
 int encode_nt_key(char *newPasswd, uint8_t *nt_key);
+
+bool ipapwd_fips_enabled(void);
-- 
2.17.1