Move fips_enabled to a common library to share across different plugins

Related: https://pagure.io/freeipa/issue/7659 Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2025-02-25 18:55:28 -06:00 · 2018-08-08 12:28:53 +03:00 · 2018-08-08 12:28:53 +03:00 · de8f969f2d
commit de8f969f2d
parent c2e1cdf8a3
3 changed files with 28 additions and 23 deletions
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@ -46,7 +46,6 @@
 /* Type of connection for this operation;*/
 #define LDAP_EXTOP_PASSMOD_CONN_SECURE

-#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"

 /* Uncomment the following #undef FOR TESTING:
 * allows non-SSL connections to use the password change extended op */
@ -64,27 +63,6 @@ static const char *ipapwd_def_encsalts[] = {
    NULL
 };

-static bool fips_enabled(void)
-{
-    int fd;
-    ssize_t len;
-    char buf[8];
-
-    fd = open(PROC_SYS_FIPS, O_RDONLY);
-    if (fd != -1) {
-        len = read(fd, buf, sizeof(buf));
-        close(fd);
-        /* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value
-         * similar to the is_fips_enabled() check in
-         * ipaplatform/redhat/tasks.py */
-        if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {
-            return true;
-        }
-    }
-
-    return false;
-}
-
 static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 {
    krb5_error_code krberr;
@ -255,7 +233,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)

    /* get the ipa etc/ipaConfig entry */
    config->allow_nt_hash = false;
-    if (fips_enabled()) {
+    if (ipapwd_fips_enabled()) {
        LOG("FIPS mode is enabled, NT hashes are not allowed.\n");
    } else {
        ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
--- a/util/ipa_pwd.c
+++ b/util/ipa_pwd.c
@ -27,6 +27,8 @@
 #include <stdio.h>
 #include <time.h>
 #include <ctype.h>
+#include <fcntl.h>
+#include <unistd.h>
 #include <nss.h>
 #include <nssb64.h>
 #include <hasht.h>
@ -656,3 +658,26 @@ done:
    free(hash);
    return ret;
 }
+
+#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
+
+bool ipapwd_fips_enabled(void)
+{
+    int fd;
+    ssize_t len;
+    char buf[8];
+
+    fd = open(PROC_SYS_FIPS, O_RDONLY);
+    if (fd != -1) {
+        len = read(fd, buf, sizeof(buf));
+        close(fd);
+        /* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value
+         * similar to the is_fips_enabled() check in
+         * ipaplatform/redhat/tasks.py */
+        if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {
+            return true;
+        }
+    }
+
+    return false;
+}
--- a/util/ipa_pwd.h
+++ b/util/ipa_pwd.h
@ -77,3 +77,5 @@ int ipapwd_generate_new_history(char *password,
                                int *new_pwd_hlen);

 int encode_nt_key(char *newPasswd, uint8_t *nt_key);
+
+bool ipapwd_fips_enabled(void);