URL: https://github.com/freeipa/freeipa/pull/879 Author: sumit-bose Title: #879: FIPS mode and NT hashes Action: synchronized
From 4d7f9b07832da3a4caa1f7d34b2e1cbab2e5a195 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Fri, 16 Jun 2017 16:26:41 +0200
Subject: [PATCH 1/2] ipa-sam: replace encode_nt_key() with E_md4hash()
Since ipa-sam is running as part of smbd is it safe to use the E_md4hash() from Samba. This way ipa-sam does not depend on other crypto libraries which might depend on other rules like e.g. FIPS mode.
Resolves https://pagure.io/freeipa/issue/7026
---
 daemons/ipa-sam/ipa_sam.c | 27 ++-------------------------
 1 file changed, 2 insertions(+), 25 deletions(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 6a29e8e10b..59d92f37c9 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -110,6 +110,7 @@ char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so *
 char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */
 bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */
 void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */
+bool E_md4hash(const char *passwd, uint8_t p16[16]); /* available in libcliauth-samba4.so */
 #define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs"
 #define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain"
@@ -2836,11 +2837,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 struct dom_sid *g_sid;
 char *name;
 char *trustpw = NULL;
- char *trustpw_utf8 = NULL;
- char *tmp_str = NULL;
- int ret;
 uint8_t nt_key[16];
- size_t converted_size;
 bool res;
 char *sid_str;
 enum idmap_error_code err;
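Review bot: The new prototype for E_md4hash in the first hunk is transcribed by hand, as the file already does for the neighbouring Samba symbols, so a future change to the Samba signature would surface as a runtime mismatch rather than a compile error. libcliauth-samba4.so appears to be one of Samba's private libraries, so the comment should say that the ABI is not guaranteed and that the module must be linked against it explicitly, for example `/* available in libcliauth-samba4.so (private Samba library, no ABI guarantee) */`. If a Samba header declaring E_md4hash() is available on the build platform, including it instead of redeclaring would let the compiler check the call. The second hunk only drops the now-unused locals and needs no further change.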
@@ -2899,19 +2896,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 return false;
 }
- if (!push_utf8_talloc(user, &trustpw_utf8, trustpw, &converted_size)) {
- res = false;
- goto done;
- }
-
- tmp_str = talloc_strdup_upper(user, trustpw);
- if (tmp_str == NULL) {
- res = false;
- goto done;
- }
-
- ret = encode_nt_key(trustpw_utf8, nt_key);
- if (ret != 0) {
+ if (!E_md4hash(trustpw, nt_key)) {
 res = false;
 goto done;
 }
@@ -2927,14 +2912,6 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 memset(trustpw, 0, strlen(trustpw));
 talloc_free(trustpw);
 }
- if (trustpw_utf8 != NULL) {
- memset(trustpw_utf8, 0, strlen(trustpw_utf8));
- talloc_free(trustpw_utf8);
- }
- if (tmp_str != NULL) {
- memset(tmp_str, 0, strlen(tmp_str));
- talloc_free(tmp_str);
- }
 return res;
 }
From f5ca91d8dc5528f7f0f2f7edbb9a07cc01de8bfd Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Fri, 16 Jun 2017 17:49:44 +0200
Subject: [PATCH 2/2] ipa_pwd_extop: do not generate NT hashes in FIPS mode
In FIPS mode NT hashes (aka md4) are not allowed. If FIPS more is detected we disable NT hashes even is the are allowed by IPA configuration.
Resolves https://pagure.io/freeipa/issue/7026
---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 53 ++++++++++++++++++------
 1 file changed, 40 insertions(+), 13 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 761f7a8e3e..5efadac5b1 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -46,6 +46,8 @@
 /* Type of connection for this operation;*/
 #define LDAP_EXTOP_PASSMOD_CONN_SECURE
+#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
+
 /* Uncomment the following #undef FOR TESTING:
 * allows non-SSL connections to use the password change extended op */
 /* #undef LDAP_EXTOP_PASSMOD_CONN_SECURE */
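Review bot: The new `if (!E_md4hash(trustpw, nt_key))` folds two distinct failures, an allocation failure and a trust password that cannot be converted to UTF-16LE, into a silent `res = false`; the replaced encode_nt_key() path was equally quiet, but now that this is the single remaining failure point before the key is stored, a log line before `goto done`, using whatever logging macro the file uses elsewhere, would make a trust that stops working diagnosable. The removed push_utf8_talloc() step is genuinely unnecessary because E_md4hash() converts from the configured unix charset to UTF-16LE itself before hashing, and a one-line comment at the call would keep a later reader from re-adding it: `/* E_md4hash() converts to UTF-16LE itself: NT hash = MD4(UTF-16LE(password)) */`. The deleted talloc_strdup_upper() result was never used, so dropping it is a pure clean-up. In the following hunk the surviving `memset(trustpw, 0, strlen(trustpw))` before talloc_free() is pre-existing, but a plain memset on a buffer that is freed immediately afterwards may be elided by the compiler; with two such wipes being removed here, switching the remaining one to a non-elidable wipe (explicit_bzero() or an equivalent Samba helper) would be a cheap follow-up. init_sam_from_td begins and ends outside these hunks.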
@@ -62,6 +64,27 @@ static const char *ipapwd_def_encsalts[] = {
 NULL
 };
+static bool fips_enabled(void)
+{
+ int fd;
+ ssize_t len;
+ char buf[8];
+
+ fd = open(PROC_SYS_FIPS, O_RDONLY);
+ if (fd != -1) {
+ len = read(fd, buf, sizeof(buf));
+ close(fd);
+ /* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value
+ * similar to the is_fips_enabled() check in
+ * ipaplatform/redhat/tasks.py */
+ if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
 static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 {
 krb5_error_code krberr;
@@ -232,23 +255,27 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 /* get the ipa etc/ipaConfig entry */
 config->allow_nt_hash = false;
- ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
- if (ret != LDAP_SUCCESS) {
- LOG_FATAL("No config Entry?\n");
- goto free_and_error;
+ if (fips_enabled()) {
+ LOG("FIPS mode is enabled, NT hashes are not allowed.\n");
 } else {
- tmparray = slapi_entry_attr_get_charray(config_entry,
- "ipaConfigString");
- for (i = 0; tmparray && tmparray[i]; i++) {
- if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
- config->allow_nt_hash = true;
- continue;
+ ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
+ if (ret != LDAP_SUCCESS) {
+ LOG_FATAL("No config Entry?\n");
+ goto free_and_error;
+ } else {
+ tmparray = slapi_entry_attr_get_charray(config_entry,
+ "ipaConfigString");
+ for (i = 0; tmparray && tmparray[i]; i++) {
+ if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
+ config->allow_nt_hash = true;
+ continue;
+ }
 }
+ if (tmparray) slapi_ch_array_free(tmparray);
 }
- if (tmparray) slapi_ch_array_free(tmparray);
- }
- slapi_entry_free(config_entry);
+ slapi_entry_free(config_entry);
+ }
 return config;
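Review bot: In fips_enabled() the test `if (!(len == 2 && buf[0] == '0' && buf[1] == '\n'))` reports FIPS mode for anything other than the exact two bytes "0\n", so a failed read() (len is -1, e.g. on EINTR) or a short read is silently treated as FIPS enabled, while the comment above it describes the check as "contains a non-0 value". Failing closed is the right default for disabling NT hashes, but the intent should be stated in the code and the unreadable case logged, so an operator whose NT hashes disappear can find out why; parsing the value instead of matching bytes also removes the dependence on the trailing newline. The comment also has a typo, "FIPS in enabled" should read "FIPS is enabled". The sketch below keeps the signature and the fail-closed behaviour; it adds a strtol() call, so <stdlib.h> must be included if common.c does not already pull it in, and the open()/read()/close() calls already require <fcntl.h> and <unistd.h>, neither of which is visible in this hunk.

```c
static bool fips_enabled(void)
{
    int fd;
    ssize_t len;
    char buf[8];

    fd = open(PROC_SYS_FIPS, O_RDONLY);
    if (fd == -1) {
        /* No FIPS knob in /proc (older kernel, /proc not mounted): not FIPS. */
        return false;
    }

    len = read(fd, buf, sizeof(buf) - 1);
    close(fd);
    if (len <= 0) {
        /* Fail closed: the knob exists but cannot be read, keep NT hashes off. */
        LOG("Cannot read " PROC_SYS_FIPS ", assuming FIPS mode is enabled.\n");
        return true;
    }
    buf[len] = '\0';

    /* Any non-zero value means FIPS is enabled, as in ipaplatform/redhat/tasks.py. */
    return strtol(buf, NULL, 10) != 0;
}
```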
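Review bot: The FIPS branch in ipapwd_getConfig() emits `LOG("FIPS mode is enabled, NT hashes are not allowed.\n")` on every call, and the kernel FIPS flag is fixed for the lifetime of a boot, so if the configuration is reloaded per operation (how often it is called is outside this hunk) the same line will repeat indefinitely; logging it once, for instance guarded by a static flag set on the first call, keeps the signal without the noise. The rewrite also nests the whole ipaConfig lookup one level deeper inside an `else` that follows `goto free_and_error`, and that `else` is redundant because the goto already leaves the block, so dropping it and dedenting the lookup would reduce the hunk to the two added FIPS lines plus the brace change. Whether every site that generates an NT hash honours `config->allow_nt_hash` is outside this hunk, but since this is the only place the FIPS decision is recorded it is worth confirming before merge. ipapwd_getConfig begins outside this hunk.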