From be18d6c15a2557e8f45e41efc81f1c005958c690 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Tue, 7 Nov 2017 14:42:12 +0100
Subject: [PATCH] Don't allow OTP or RADIUS in FIPS mode

RADIUS, which is also internally used in the process of OTP
authentication by ipa-otpd, requires MD5 checksums which
makes it impossible to be used in FIPS mode. Don't allow users
setting OTP or RADIUS authentication if in FIPS mode.

https://pagure.io/freeipa/issue/7168

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/plugins/baseuser.py |  3 +++
 ipaserver/plugins/config.py   | 16 ++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index bf24dbf542d3b481671dfe4e8cee14a2edcc26e0..bb8a73ded0fed135d5829ec0b0829a936f2196fb 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -32,6 +32,7 @@ from .baseldap import (
     add_missing_object_class)
 from ipaserver.plugins.service import (
    validate_certificate, validate_realm, normalize_principal)
+from ipaserver.plugins.config import check_fips_auth_opts
 from ipalib.request import context
 from ipalib import _
 from ipalib.constants import PATTERN_GROUPUSER_NAME
@@ -477,6 +478,7 @@ class baseuser_add(LDAPCreate):
                             **options):
         assert isinstance(dn, DN)
         set_krbcanonicalname(entry_attrs)
+        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
         self.obj.convert_usercertificate_pre(entry_attrs)
 
     def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -600,6 +602,7 @@ class baseuser_mod(LDAPUpdate):
         assert isinstance(dn, DN)
         add_sshpubkey_to_attrs_pre(self.context, attrs_list)
 
+        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
         self.check_namelength(ldap, **options)
 
         self.check_mail(entry_attrs)
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
index ce15e6096f5b84dc45ee21d5aecc73ecf86eba07..c9033fa8e7a2a0bfe77464fa4f9c62278bd814f6 100644
--- a/ipaserver/plugins/config.py
+++ b/ipaserver/plugins/config.py
@@ -85,6 +85,20 @@ EXAMPLES:
 
 register = Registry()
 
+
+def check_fips_auth_opts(fips_mode, **options):
+    """
+    OTP and RADIUS are not allowed in FIPS mode since they use MD5
+    checksums (OTP uses our RADIUS responder daemon ipa-otpd).
+    """
+    if 'ipauserauthtype' in options and fips_mode:
+        if ('otp' in options['ipauserauthtype'] or
+                'radius' in options['ipauserauthtype']):
+            raise errors.InvocationError(
+                'OTP and RADIUS authentication in FIPS is '
+                'not yet supported')
+
+
 @register()
 class config(LDAPObject):
     """
@@ -398,6 +412,8 @@ class config_mod(LDAPUpdate):
 
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         assert isinstance(dn, DN)
+        check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
+
         if 'ipadefaultprimarygroup' in entry_attrs:
             group=entry_attrs['ipadefaultprimarygroup']
             try:
-- 
2.13.6