From 76847e82a4f70af90b88f2bf5023e8e70be178b4 Mon Sep 17 00:00:00 2001 From: Thierry Bordaz Date: Dec 19 2018 09:58:44 +0000 Subject: Ticket 50099 - In FIPS mode, the server can select an unsupported password storage scheme Bug Description: When running in FIPS mode, DS selects SSHA512 as password storage schema else it selects PBKDF2_SHA256. The problem is that in FIPS mode it selects PBKDF2_SHA256 that is currently not supported by NSS. So DS fails to hash password The scheme selection is done in the early phase of DS startup (slapd_bootstrap_config). To determine it is in FIPS mode, DS calls PK11_IsFIPS that requires that NSS has been initialized. The problem is that during slapd_bootstrap_config, NSS is not yet initialized and PK11_IsFIPS returns PR_FALSE even in FIPS mode Fix Description: The fix consists to check if NSS is initialized. If it is initialize, then rely on PK11_IsFIPS. If it is not initialized then retrieve the FIPS mode from the system, assuming that if system is in FIPS mode, then NSS will be in FIPS mode as well https://pagure.io/389-ds-base/issue/50099 Reviewed by: Mark Reynolds (thanks Mark !) Platforms tested: F27 Flag Day: no Doc impact: no
---
diff --git a/ldap/servers/slapd/security_wrappers.c b/ldap/servers/slapd/security_wrappers.c
index d055889..49b1968 100644
--- a/ldap/servers/slapd/security_wrappers.c
+++ b/ldap/servers/slapd/security_wrappers.c
@@ -226,11 +226,60 @@ slapd_pk11_setSlotPWValues(PK11SlotInfo *slot, int askpw, int timeout)
 return;
 }
+/* The system FIPS mode can be tested on FIPS_ENABLED
+ * system FIPS mode is ON => NSS is always ON
+ * One can imagine to set NSS ON when system FIPS is OFF but it makes no real sense
+ */
+#define FIPS_ENABLED "/proc/sys/crypto/fips_enabled"
+PRBool
+slapd_system_isFIPS()
+{
+ PRBool rc = PR_FALSE;
+ PRFileDesc *prfd;
+ char buf[sizeof (PRIu64)];
+ int val;
+ if (PR_SUCCESS != PR_Access(FIPS_ENABLED, PR_ACCESS_READ_OK)) {
+ slapi_log_err(SLAPI_LOG_ERR, "slapd_system_isFIPS", "Can not read %s\n", FIPS_ENABLED);
+ goto done;
+ }
+ if ((prfd = PR_Open(FIPS_ENABLED, PR_RDONLY, SLAPD_DEFAULT_FILE_MODE)) == NULL) {
+ slapi_log_err(SLAPI_LOG_ERR, "slapd_system_isFIPS", "Can not open %s\n", FIPS_ENABLED);
+ goto done;
+ }
+ if (PR_Read(prfd, buf, sizeof (buf)) < 0) {
+ slapi_log_err(SLAPI_LOG_ERR, "slapd_system_isFIPS", "Can not read %s\n", FIPS_ENABLED);
+ PR_Close(prfd);
+ goto done;
+ }
+ PR_Close(prfd);
+ val = atoi(buf);
+ if (val) {
+ slapi_log_err(SLAPI_LOG_INFO, "slapd_system_isFIPS", "system in FIPS mode\n");
+ rc = PR_TRUE;
+ }
+done:
+ return rc;
+}
 PRBool
 slapd_pk11_isFIPS()
 {
- return PK11_IsFIPS();
+ PRBool rc = PR_FALSE;
+
+ if (slapd_nss_is_initialized()) {
+ /* It requires that NSS is initialized before calling PK11_IsFIPS.
+ * Note that it can exist a false positive if NSS in was FIPS mode
+ * although the system is not in FIPS. Such configuration makes no sense
+ */
+ rc = PK11_IsFIPS();
+ } else {
+ /* NSS being not initialized, we are considering the
+ * system FIPS mode.
+ */
+ rc = slapd_system_isFIPS();
+ }
+
+ return rc;
 }
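Review bot: `char buf[sizeof (PRIu64)]` in slapd_system_isFIPS sizes the buffer from the length of the PRIu64 format-string macro (presumably the <inttypes.h> one, so 3 or 4 bytes) rather than from the expected file contents, and because PR_Read's byte count is discarded and the buffer is never NUL-terminated, `atoi(buf)` reads uninitialised bytes whenever the read is shorter than the buffer (a bare "1" with no newline, or a zero-length read), which is undefined behaviour in the very function that decides whether FIPS-only hashing applies. Give the buffer an explicit size with room for a terminator, keep PR_Read's return value and terminate before parsing, as sketched below. Also note that every failure path (no /proc, unreadable or unopenable file) resolves to PR_FALSE, so on a FIPS host where /proc/sys/crypto/fips_enabled is not visible the caller would still select PBKDF2_SHA256, the case this commit sets out to fix; a comment above `done:` such as `/* unreadable => treated as non-FIPS; the caller then picks a non-FIPS scheme */` would at least make that fail-open choice explicit to the next reader. The two new definitions also use `()` rather than `(void)` in their parameter lists.
```c
    /* "0\n" or "1\n" is expected; one byte is kept spare for the terminator PR_Read does not add */
    char buf[8] = {0};
    PRInt32 n;
    /* … unchanged: PR_Access and PR_Open checks … */
    n = PR_Read(prfd, buf, sizeof(buf) - 1);
    PR_Close(prfd);
    if (n < 0) {
        slapi_log_err(SLAPI_LOG_ERR, "slapd_system_isFIPS", "Can not read %s\n", FIPS_ENABLED);
        goto done;
    }
    buf[n] = '\0';
    val = atoi(buf);
    /* … unchanged: log and set rc = PR_TRUE when val is non-zero … */
```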