From 08ada3f8d7f80067a1b43e6172394d1326e3d178 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Wed, 8 Aug 2018 12:28:53 +0300
Subject: [PATCH] Move fips_enabled to a common library to share across different plugins

Related: https://pagure.io/freeipa/issue/7659

Reviewed-By: Robbie Harwood
---
 .../ipa-slapi-plugins/ipa-pwd-extop/common.c | 24 +-----------------
 util/ipa_pwd.c | 25 +++++++++++++++++++
 util/ipa_pwd.h | 2 ++
 3 files changed, 28 insertions(+), 23 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 5efadac5b1fd57e5f91a886224fa2f1ab88305ac..db7183bf2b115dcb0c21f7a6bdb8e55db26224c4 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -46,7 +46,6 @@
 /* Type of connection for this operation;*/
 #define LDAP_EXTOP_PASSMOD_CONN_SECURE
-#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
 
 /* Uncomment the following #undef FOR TESTING:
  * allows non-SSL connections to use the password change extended op
  */
@@ -64,27 +63,6 @@ static const char *ipapwd_def_encsalts[] = {
 NULL
 };
 
-static bool fips_enabled(void)
-{
- int fd;
- ssize_t len;
- char buf[8];
-
- fd = open(PROC_SYS_FIPS, O_RDONLY);
- if (fd != -1) {
- len = read(fd, buf, sizeof(buf));
- close(fd);
- /* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value
- * similar to the is_fips_enabled() check in
- * ipaplatform/redhat/tasks.py */
- if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {
- return true;
- }
- }
-
- return false;
-}
-
 static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 {
 krb5_error_code krberr;
@@ -255,7 +233,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 
 /* get the ipa etc/ipaConfig entry */
 config->allow_nt_hash = false;
- if (fips_enabled()) {
+ if (ipapwd_fips_enabled()) {
 LOG("FIPS mode is enabled, NT hashes are not allowed.\n");
 } else {
 ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
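Review bot: In the third hunk the call site now reaches a shared helper, but every ipapwd_getConfig() invocation still costs an open/read/close of /proc/sys/crypto/fips_enabled to decide allow_nt_hash, for a value that, as far as I recall, the kernel does not allow to change after boot. If ipapwd_getConfig() runs per password operation (its body starts and ends outside the hunk, so I cannot confirm), that is a syscall round-trip per request that could be done once; since the plugin presumably runs in a multithreaded server, any cache should be filled through a one-time initializer rather than a bare static. At minimum a comment at the call site would make the cost visible: `/* reads /proc on every config load; the FIPS flag itself does not change at runtime */`.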
diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c
index f6564c8021c656031d3f459dd50d830934c7143b..9890c980cacad08302fb5305c3aa9598a81ec681 100644
--- a/util/ipa_pwd.c
+++ b/util/ipa_pwd.c
@@ -27,6 +27,8 @@
 #include
 #include
 #include
+#include
+#include
 #include
 #include
 #include
@@ -656,3 +658,26 @@ done:
 free(hash);
 return ret;
 }
+
+#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
+
+bool ipapwd_fips_enabled(void)
+{
+ int fd;
+ ssize_t len;
+ char buf[8];
+
+ fd = open(PROC_SYS_FIPS, O_RDONLY);
+ if (fd != -1) {
+ len = read(fd, buf, sizeof(buf));
+ close(fd);
+ /* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value
+ * similar to the is_fips_enabled() check in
+ * ipaplatform/redhat/tasks.py */
+ if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {
+ return true;
+ }
+ }
+
+ return false;
+}
diff --git a/util/ipa_pwd.h b/util/ipa_pwd.h
index b3ee75063adc4baa93bbd4991161bebe1d233bb8..664c8b1827591e716095d9ef1727e422c7d82680 100644
--- a/util/ipa_pwd.h
+++ b/util/ipa_pwd.h
@@ -77,3 +77,5 @@ int ipapwd_generate_new_history(char *password,
 int *new_pwd_hlen);
 
 int encode_nt_key(char *newPasswd, uint8_t *nt_key);
+
+bool ipapwd_fips_enabled(void);
-- 
2.17.1
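Review bot: ipapwd_fips_enabled() handles its two failure modes in opposite directions: a failed open() yields false (FIPS off, so NT hashes may be enabled), while a failed read() (len == -1, e.g. EINTR) or any length other than exactly 2 with "0\n" yields true, because the check only whitelists that one content. The asymmetry is inherited from the common.c copy, but now that the helper is exported from util for several plugins its contract should be spelled out above the definition, roughly: returns true unless /proc/sys/crypto/fips_enabled reads exactly "0\n"; an unopenable file is treated as FIPS off (fail-open), a read error as FIPS on (fail-closed). While moving it, the comment typo "Assume FIPS in enabled" should become "Assume FIPS is enabled". The two added #include lines have lost their header names in this rendering, so I cannot confirm which headers were added for open()/read()/close() and bool.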
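Review bot: The new prototype `bool ipapwd_fips_enabled(void);` is the only use of `bool` visible in this header hunk, and the header's include list is outside the hunk; if ipa_pwd.h does not already include <stdbool.h>, any consumer that includes it before <stdbool.h> will fail to compile, so either confirm it is there or add `#include <stdbool.h>` to the header. The declaration also carries no description of its contract, which callers in other plugins will now rely on; suggest `/* True when the kernel reports FIPS mode in /proc/sys/crypto/fips_enabled; false if that file cannot be opened. */` above it.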