Move fips_enabled to a common library to share across different plugins

Related: https://pagure.io/freeipa/issue/7659
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Alexander Bokovoy 2018-08-08 12:28:53 +03:00 committed by Tibor Dudlák
parent c2e1cdf8a3
commit de8f969f2d
3 changed files with 28 additions and 23 deletions


@ -46,7 +46,6 @@
/* Type of connection for this operation;*/ /* Type of connection for this operation;*/
#define LDAP_EXTOP_PASSMOD_CONN_SECURE #define LDAP_EXTOP_PASSMOD_CONN_SECURE
#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
/* Uncomment the following #undef FOR TESTING: /* Uncomment the following #undef FOR TESTING:
* allows non-SSL connections to use the password change extended op */ * allows non-SSL connections to use the password change extended op */
@ -64,27 +63,6 @@ static const char *ipapwd_def_encsalts[] = {
NULL NULL
}; };
static bool fips_enabled(void)
{
int fd;
ssize_t len;
char buf[8];
fd = open(PROC_SYS_FIPS, O_RDONLY);
if (fd != -1) {
len = read(fd, buf, sizeof(buf));
close(fd);
/* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value
* similar to the is_fips_enabled() check in
* ipaplatform/redhat/tasks.py */
if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {
return true;
}
}
return false;
}
static struct ipapwd_krbcfg *ipapwd_getConfig(void) static struct ipapwd_krbcfg *ipapwd_getConfig(void)
{ {
krb5_error_code krberr; krb5_error_code krberr;
@ -255,7 +233,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
/* get the ipa etc/ipaConfig entry */ /* get the ipa etc/ipaConfig entry */
config->allow_nt_hash = false; config->allow_nt_hash = false;
if (fips_enabled()) { if (ipapwd_fips_enabled()) {
LOG("FIPS mode is enabled, NT hashes are not allowed.\n"); LOG("FIPS mode is enabled, NT hashes are not allowed.\n");
} else { } else {
ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL); ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);


@ -27,6 +27,8 @@
#include <stdio.h> #include <stdio.h>
#include <time.h> #include <time.h>
#include <ctype.h> #include <ctype.h>
#include <fcntl.h>
#include <unistd.h>
#include <nss.h> #include <nss.h>
#include <nssb64.h> #include <nssb64.h>
#include <hasht.h> #include <hasht.h>
@ -656,3 +658,26 @@ done:
free(hash); free(hash);
return ret; return ret;
} }
#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
bool ipapwd_fips_enabled(void)
{
int fd;
ssize_t len;
char buf[8];
fd = open(PROC_SYS_FIPS, O_RDONLY);
if (fd != -1) {
len = read(fd, buf, sizeof(buf));
close(fd);
/* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value
* similar to the is_fips_enabled() check in
* ipaplatform/redhat/tasks.py */
if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {
return true;
}
}
return false;
}
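Review bot: In `ipapwd_fips_enabled()` every `open()` failure is reported as "FIPS disabled", while a failed or short `read()` is reported as "FIPS enabled", so the two error paths fail in opposite directions. A missing file is a reasonable sign that the kernel has no FIPS mode, but an error such as EACCES or EMFILE on a FIPS host would return false, and the caller in `ipapwd_getConfig()` then appears to consult the NT-hash configuration instead of disallowing NT hashes outright. Consider treating only a missing file as "not FIPS", e.g. `if (fd == -1) return errno != ENOENT;` (this needs `<errno.h>`, whose inclusion is not visible in the hunk), and logging the unexpected case. The comment also has a typo: `FIPS in enabled` should read `FIPS is enabled`.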


@ -77,3 +77,5 @@ int ipapwd_generate_new_history(char *password,
int *new_pwd_hlen); int *new_pwd_hlen);
int encode_nt_key(char *newPasswd, uint8_t *nt_key); int encode_nt_key(char *newPasswd, uint8_t *nt_key);
bool ipapwd_fips_enabled(void);
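Review bot: The new `ipapwd_fips_enabled()` prototype has no comment stating its contract, even though callers use the result for a policy decision (whether NT hashes are allowed). I would add above it: `/* Returns true unless /proc/sys/crypto/fips_enabled reads exactly "0\n"; returns false if the file cannot be opened. */`. The header's include of `<stdbool.h>` for `bool` is not visible in this hunk and is worth confirming.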