|
 |
c2be30f |
From 341974aae7d0755fc32a0b7e2b34d8e1ef60d195 Mon Sep 17 00:00:00 2001
|
|
|
c2be30f |
From: Sumit Bose <sbose@redhat.com>
|
|
|
c2be30f |
Date: Thu, 20 Dec 2018 21:05:35 +0100
|
|
|
c2be30f |
Subject: [PATCH] adenroll: make sure only allowed enctypes are used in FIPS
|
|
|
c2be30f |
mode
|
|
|
c2be30f |
|
|
|
c2be30f |
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1717355
|
|
|
c2be30f |
---
|
|
|
c2be30f |
library/adenroll.c | 36 +++++++++++++++++++++++++++++++++++-
|
|
|
c2be30f |
1 file changed, 35 insertions(+), 1 deletion(-)
|
|
|
c2be30f |
|
|
|
c2be30f |
diff --git a/library/adenroll.c b/library/adenroll.c
|
|
|
c2be30f |
index 52aa8a8..f617f28 100644
|
|
|
c2be30f |
--- a/library/adenroll.c
|
|
|
c2be30f |
+++ b/library/adenroll.c
|
|
|
c2be30f |
@@ -41,11 +41,19 @@
|
|
|
c2be30f |
#include <netdb.h>
|
|
|
c2be30f |
#include <stdio.h>
|
|
|
c2be30f |
#include <unistd.h>
|
|
|
c2be30f |
+#include <sys/stat.h>
|
|
|
c2be30f |
+#include <fcntl.h>
|
|
|
c2be30f |
|
|
|
c2be30f |
#ifndef SAMBA_DATA_TOOL
|
|
|
c2be30f |
#define SAMBA_DATA_TOOL "/usr/bin/net"
|
|
|
c2be30f |
#endif
|
|
|
c2be30f |
|
|
|
c2be30f |
+static krb5_enctype v60_later_enctypes_fips[] = {
|
|
|
c2be30f |
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
|
|
|
c2be30f |
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
|
|
|
c2be30f |
+ 0
|
|
|
c2be30f |
+};
|
|
|
c2be30f |
+
|
|
|
c2be30f |
static krb5_enctype v60_later_enctypes[] = {
|
|
|
c2be30f |
ENCTYPE_AES256_CTS_HMAC_SHA1_96,
|
|
|
c2be30f |
ENCTYPE_AES128_CTS_HMAC_SHA1_96,
|
|
|
c2be30f |
@@ -2594,6 +2602,28 @@ adcli_enroll_set_keytab_name (adcli_enroll *enroll,
|
|
|
c2be30f |
enroll->keytab_name_is_krb5 = 0;
|
|
|
c2be30f |
}
|
|
|
c2be30f |
|
|
|
c2be30f |
+#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
|
|
|
c2be30f |
+
|
|
|
c2be30f |
+static bool adcli_fips_enabled (void)
|
|
|
c2be30f |
+{
|
|
|
c2be30f |
+ int fd;
|
|
|
c2be30f |
+ ssize_t len;
|
|
|
c2be30f |
+ char buf[8];
|
|
|
c2be30f |
+
|
|
|
c2be30f |
+ fd = open (PROC_SYS_FIPS, O_RDONLY);
|
|
|
c2be30f |
+ if (fd != -1) {
|
|
|
c2be30f |
+ len = read (fd, buf, sizeof (buf));
|
|
|
c2be30f |
+ close (fd);
|
|
|
c2be30f |
+ /* Assume FIPS in enabled if PROC_SYS_FIPS contains a
|
|
|
c2be30f |
+ * non-0 value. */
|
|
|
c2be30f |
+ if ( ! (len == 2 && buf[0] == '0' && buf[1] == '\n')) {
|
|
|
c2be30f |
+ return true;
|
|
|
c2be30f |
+ }
|
|
|
c2be30f |
+ }
|
|
|
c2be30f |
+
|
|
|
c2be30f |
+ return false;
|
|
|
c2be30f |
+}
|
|
|
c2be30f |
+
|
|
|
c2be30f |
krb5_enctype *
|
|
|
c2be30f |
adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)
|
|
|
c2be30f |
{
|
|
|
c2be30f |
@@ -2602,7 +2632,11 @@ adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)
|
|
|
c2be30f |
return enroll->keytab_enctypes;
|
|
|
c2be30f |
|
|
|
c2be30f |
if (adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID))
|
|
|
c2be30f |
- return v60_later_enctypes;
|
|
|
c2be30f |
+ if (adcli_fips_enabled ()) {
|
|
|
c2be30f |
+ return v60_later_enctypes_fips;
|
|
|
c2be30f |
+ } else {
|
|
|
c2be30f |
+ return v60_later_enctypes;
|
|
|
c2be30f |
+ }
|
|
|
c2be30f |
else
|
|
|
c2be30f |
return v51_earlier_enctypes;
|
|
|
c2be30f |
}
|
|
|
c2be30f |
--
|
|
|
c2be30f |
2.20.1
|
|
|
c2be30f |
|