Blame SOURCES/0001-adenroll-make-sure-only-allowed-enctypes-are-used-in.patch

59dcbd
From 341974aae7d0755fc32a0b7e2b34d8e1ef60d195 Mon Sep 17 00:00:00 2001
59dcbd
From: Sumit Bose <sbose@redhat.com>
59dcbd
Date: Thu, 20 Dec 2018 21:05:35 +0100
59dcbd
Subject: [PATCH 1/4] adenroll: make sure only allowed enctypes are used in
59dcbd
 FIPS mode
59dcbd
59dcbd
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1717355
59dcbd
---
59dcbd
 library/adenroll.c | 36 +++++++++++++++++++++++++++++++++++-
59dcbd
 1 file changed, 35 insertions(+), 1 deletion(-)
59dcbd
59dcbd
diff --git a/library/adenroll.c b/library/adenroll.c
59dcbd
index 52aa8a8..f617f28 100644
59dcbd
--- a/library/adenroll.c
59dcbd
+++ b/library/adenroll.c
59dcbd
@@ -41,11 +41,19 @@
59dcbd
 #include <netdb.h>
59dcbd
 #include <stdio.h>
59dcbd
 #include <unistd.h>
59dcbd
+#include <sys/stat.h>
59dcbd
+#include <fcntl.h>
59dcbd
 
59dcbd
 #ifndef SAMBA_DATA_TOOL
59dcbd
 #define SAMBA_DATA_TOOL "/usr/bin/net"
59dcbd
 #endif
59dcbd
 
59dcbd
+static krb5_enctype v60_later_enctypes_fips[] = {
59dcbd
+	ENCTYPE_AES256_CTS_HMAC_SHA1_96,
59dcbd
+	ENCTYPE_AES128_CTS_HMAC_SHA1_96,
59dcbd
+	0
59dcbd
+};
59dcbd
+
59dcbd
 static krb5_enctype v60_later_enctypes[] = {
59dcbd
 	ENCTYPE_AES256_CTS_HMAC_SHA1_96,
59dcbd
 	ENCTYPE_AES128_CTS_HMAC_SHA1_96,
59dcbd
@@ -2594,6 +2602,28 @@ adcli_enroll_set_keytab_name (adcli_enroll *enroll,
59dcbd
 	enroll->keytab_name_is_krb5 = 0;
59dcbd
 }
59dcbd
 
59dcbd
+#define PROC_SYS_FIPS "/proc/sys/crypto/fips_enabled"
59dcbd
+
59dcbd
+static bool adcli_fips_enabled (void)
59dcbd
+{
59dcbd
+	int fd;
59dcbd
+	ssize_t len;
59dcbd
+	char buf[8];
59dcbd
+
59dcbd
+	fd = open (PROC_SYS_FIPS, O_RDONLY);
59dcbd
+	if (fd != -1) {
59dcbd
+		len = read (fd, buf, sizeof (buf));
59dcbd
+		close (fd);
59dcbd
+		/* Assume FIPS in enabled if PROC_SYS_FIPS contains a
59dcbd
+		 * non-0 value. */
59dcbd
+		if ( ! (len == 2 && buf[0] == '0' && buf[1] == '\n')) {
59dcbd
+			return true;
59dcbd
+		}
59dcbd
+	}
59dcbd
+
59dcbd
+	return false;
59dcbd
+}
59dcbd
+
59dcbd
 krb5_enctype *
59dcbd
 adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)
59dcbd
 {
59dcbd
@@ -2602,7 +2632,11 @@ adcli_enroll_get_keytab_enctypes (adcli_enroll *enroll)
59dcbd
 		return enroll->keytab_enctypes;
59dcbd
 
59dcbd
 	if (adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID))
59dcbd
-		return v60_later_enctypes;
59dcbd
+		if (adcli_fips_enabled ()) {
59dcbd
+			return v60_later_enctypes_fips;
59dcbd
+		} else {
59dcbd
+			return v60_later_enctypes;
59dcbd
+		}
59dcbd
 	else
59dcbd
 		return v51_earlier_enctypes;
59dcbd
 }
59dcbd
-- 
59dcbd
2.21.0
59dcbd