ipa_pwd_extop: do not generate NT hashes in FIPS mode

In FIPS mode NT hashes (aka md4) are not allowed. If FIPS more is detected we disable NT hashes even is the are allowed by IPA configuration. Resolves https://pagure.io/freeipa/issue/7026 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-06-16 17:49:44 +02:00
parent f169481b55
commit 1f0ca6aafd
1 changed files with 40 additions and 13 deletions
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -46,6 +46,8 @@
 /* Type of connection for this operation;*/
 #define LDAP_EXTOP_PASSMOD_CONN_SECURE

+#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
+
 /* Uncomment the following #undef FOR TESTING:
 * allows non-SSL connections to use the password change extended op */
 /* #undef LDAP_EXTOP_PASSMOD_CONN_SECURE */
@@ -62,6 +64,27 @@ static const char *ipapwd_def_encsalts[] = {
    NULL
 };

+static bool fips_enabled(void)
+{
+    int fd;
+    ssize_t len;
+    char buf[8];
+
+    fd = open(PROC_SYS_FIPS, O_RDONLY);
+    if (fd != -1) {
+        len = read(fd, buf, sizeof(buf));
+        close(fd);
+        /* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value
+         * similar to the is_fips_enabled() check in
+         * ipaplatform/redhat/tasks.py */
+        if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {
+            return true;
+        }
+    }
+
+    return false;
+}
+
 static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 {
    krb5_error_code krberr;
@@ -232,23 +255,27 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)

    /* get the ipa etc/ipaConfig entry */
    config->allow_nt_hash = false;
-    ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
-    if (ret != LDAP_SUCCESS) {
-        LOG_FATAL("No config Entry?\n");
-        goto free_and_error;
+    if (fips_enabled()) {
+        LOG("FIPS mode is enabled, NT hashes are not allowed.\n");
    } else {
-        tmparray = slapi_entry_attr_get_charray(config_entry,
-                                                "ipaConfigString");
-        for (i = 0; tmparray && tmparray[i]; i++) {
-            if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
-                config->allow_nt_hash = true;
-                continue;
+        ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
+        if (ret != LDAP_SUCCESS) {
+            LOG_FATAL("No config Entry?\n");
+            goto free_and_error;
+        } else {
+            tmparray = slapi_entry_attr_get_charray(config_entry,
+                                                    "ipaConfigString");
+            for (i = 0; tmparray && tmparray[i]; i++) {
+                if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
+                    config->allow_nt_hash = true;
+                    continue;
+                }
            }
+            if (tmparray) slapi_ch_array_free(tmparray);
        }
-        if (tmparray) slapi_ch_array_free(tmparray);
-    }

-    slapi_entry_free(config_entry);
+        slapi_entry_free(config_entry);
+    }

    return config;