URL: https://github.com/freeipa/freeipa/pull/879 Author: sumit-bose Title: #879: FIPS mode and NT hashes Action: opened
PR body: """ In FIPS mode NT hashes (aka md4) are not allowed. If FIPS mode is detected we disable NT hashes in the password plugin even if they are allowed by IPA configuration. Since ipa-sam is running as part of smbd it is safe to use the E_md4hash() from Samba. This way ipa-sam does not depend on other crypto libraries which might be subject to other rules such as FIPS mode. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/879/head:pr879 git checkout pr879
From 21e740d2ca6ebdfcf5d30b8468846e0e1c546de8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Fri, 16 Jun 2017 16:26:41 +0200
Subject: [PATCH 1/2] ipa-sam: replace encode_nt_key() with E_md4hash()
Since ipa-sam is running as part of smbd is it safe to use the E_md4hash() from Samba. This way ipa-sam does not depend on other crypto libraries which might depend on other rules like e.g. FIPS mode.
---
 daemons/ipa-sam/ipa_sam.c | 27 ++-------------------------
 1 file changed, 2 insertions(+), 25 deletions(-)
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 6a29e8e10b..59d92f37c9 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -110,6 +110,7 @@ char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so *
 char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */
 bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */
 void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */
+bool E_md4hash(const char *passwd, uint8_t p16[16]); /* available in libcliauth-samba4.so */
 
 #define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs"
 #define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain"
@@ -2836,11 +2837,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 struct dom_sid *g_sid;
 char *name;
 char *trustpw = NULL;
- char *trustpw_utf8 = NULL;
- char *tmp_str = NULL;
- int ret;
 uint8_t nt_key[16];
- size_t converted_size;
 bool res;
 char *sid_str;
 enum idmap_error_code err;
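Review bot: The added `E_md4hash()` prototype is hand-copied rather than pulled from a Samba header, so a later change to that signature in Samba would not be caught at compile time; the neighbouring prototypes follow the same pattern, but this one should at least record its origin, e.g. `/* available in libcliauth-samba4.so; signature copied from Samba, re-check on Samba updates */`. The diffstat shows only ipa_sam.c changing, so nothing here links ipa-sam against libcliauth-samba4; presumably the symbol is resolved from the smbd process that loads the module, which is worth stating in the same comment so a future `--no-undefined` link does not come as a surprise.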
@@ -2899,19 +2896,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 return false;
 }
- if (!push_utf8_talloc(user, &trustpw_utf8, trustpw, &converted_size)) {
- res = false;
- goto done;
- }
-
- tmp_str = talloc_strdup_upper(user, trustpw);
- if (tmp_str == NULL) {
- res = false;
- goto done;
- }
-
- ret = encode_nt_key(trustpw_utf8, nt_key);
- if (ret != 0) {
+ if (!E_md4hash(trustpw, nt_key)) {
 res = false;
 goto done;
 }
@@ -2927,14 +2912,6 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
 memset(trustpw, 0, strlen(trustpw));
 talloc_free(trustpw);
 }
- if (trustpw_utf8 != NULL) {
- memset(trustpw_utf8, 0, strlen(trustpw_utf8));
- talloc_free(trustpw_utf8);
- }
- if (tmp_str != NULL) {
- memset(tmp_str, 0, strlen(tmp_str));
- talloc_free(tmp_str);
- }
 return res;
 }
From fef8e13d0c6c453d2849c2edc3743bf6fc614e1d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Fri, 16 Jun 2017 17:49:44 +0200
Subject: [PATCH 2/2] ipa_pwd_extop: do not generate NT hashes in FIPS mode
In FIPS mode NT hashes (aka md4) are not allowed. If FIPS more is detected we disable NT hashes even is the are allowed by IPA configuration.
---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 53 ++++++++++++++++++------
 1 file changed, 40 insertions(+), 13 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index 761f7a8e3e..5efadac5b1 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -46,6 +46,8 @@
 /* Type of connection for this operation;*/
 #define LDAP_EXTOP_PASSMOD_CONN_SECURE
 
+#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
+
 /* Uncomment the following #undef FOR TESTING:
 * allows non-SSL connections to use the password change extended op */
 /* #undef LDAP_EXTOP_PASSMOD_CONN_SECURE */
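Review bot: `E_md4hash()` now receives `trustpw` exactly as it came from LDAP, without the `push_utf8_talloc()` step the removed lines performed, so the encoding the hash is computed over depends on what Samba's `E_md4hash()` expects from its `passwd` argument (it performs its own conversion to UTF-16 internally, as far as I recall); if `trustpw` can contain non-ASCII characters, the hash of an existing trust password should be compared against the old `encode_nt_key()` result before this is merged. The intermediate wide-character copy now lives inside the Samba call, outside the explicit zeroing this function does for `trustpw` below, which deserves a comment on the new line such as `/* E_md4hash() converts trustpw to UTF-16 itself; only trustpw is ours to wipe */`. On the failure branch the contents of `nt_key` are whatever the library left there, which is fine only because `goto done` skips every later use. The body of init_sam_from_td() begins and ends outside this hunk.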
@@ -62,6 +64,27 @@ static const char *ipapwd_def_encsalts[] = {
 NULL
 };
 
+static bool fips_enabled(void)
+{
+ int fd;
+ ssize_t len;
+ char buf[8];
+
+ fd = open(PROC_SYS_FIPS, O_RDONLY);
+ if (fd != -1) {
+ len = read(fd, buf, sizeof(buf));
+ close(fd);
+ /* Assume FIPS in enabled if PROC_SYS_FIPS contains a non-0 value
+ * similar to the is_fips_enabled() check in
+ * ipaplatform/redhat/tasks.py */
+ if (!(len == 2 && buf[0] == '0' && buf[1] == '\n')) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
 static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 {
 krb5_error_code krberr;
@@ -232,23 +255,27 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 /* get the ipa etc/ipaConfig entry */
 config->allow_nt_hash = false;
- ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
- if (ret != LDAP_SUCCESS) {
- LOG_FATAL("No config Entry?\n");
- goto free_and_error;
+ if (fips_enabled()) {
+ LOG("FIPS mode is enabled, NT hashes are not allowed.\n");
 } else {
- tmparray = slapi_entry_attr_get_charray(config_entry,
- "ipaConfigString");
- for (i = 0; tmparray && tmparray[i]; i++) {
- if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
- config->allow_nt_hash = true;
- continue;
+ ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
+ if (ret != LDAP_SUCCESS) {
+ LOG_FATAL("No config Entry?\n");
+ goto free_and_error;
+ } else {
+ tmparray = slapi_entry_attr_get_charray(config_entry,
+ "ipaConfigString");
+ for (i = 0; tmparray && tmparray[i]; i++) {
+ if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
+ config->allow_nt_hash = true;
+ continue;
+ }
 }
+ if (tmparray) slapi_ch_array_free(tmparray);
 }
- if (tmparray) slapi_ch_array_free(tmparray);
- }
- slapi_entry_free(config_entry);
+ slapi_entry_free(config_entry);
+ }
 return config;
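Review bot: `fips_enabled()` treats every outcome other than an exact `0\n` as FIPS enabled — a `read()` returning -1, a short read, or a kernel that writes `0` without a trailing newline — while a failed `open()` (file absent, /proc not mounted) yields FIPS disabled; both directions may be deliberate, but the comment should state them, and the byte check reads more clearly as `if (len < 1 || buf[0] != '0' || (len > 1 && buf[1] != '\n')) {`. The comment also has a typo: `Assume FIPS in enabled` should read `Assume FIPS is enabled`. The new code uses `open`, `O_RDONLY`, `read`, `close` and `bool` but the patch adds no includes, so `<fcntl.h>`, `<unistd.h>` and `<stdbool.h>` must already be pulled in by common.c, which is not visible here. Since the FIPS flag does not normally change at runtime, the result could be computed once instead of on every ipapwd_getConfig() call, though that is minor.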