authorAni Sinha <anisinha@redhat.com>2023-05-02 20:35:45 +0530
committerGitHub <noreply@github.com>2023-05-02 17:05:45 +0200
commitc53f04aeb2acf9526a2ebf3d3320f149ac46caa6 (patch)
tree392c5036abfa0c92a0410e305fa521dd7a8922bf /cloudinit/util.py
parent76fe7ddb590f05a650f22fb15a7764320f58a42e (diff)
downloadcloud-init-git-c53f04aeb2acf9526a2ebf3d3320f149ac46caa6.tar.gz
Do not generate dsa and ed25519 key types when crypto FIPS mode is enabled (#2142)
DSA and ED25519 key types are not supported when FIPS is enabled in crypto. Check if FIPS has been enabled on the system and if so, do not generate those key types. Presently the check is only available on Linux systems. LP: 2017761 RHBZ: 2187164 Signed-off-by: Ani Sinha <anisinha@redhat.com>
Diffstat (limited to 'cloudinit/util.py')
-rw-r--r--cloudinit/util.py12
1 files changed, 12 insertions, 0 deletions
diff --git a/cloudinit/util.py b/cloudinit/util.py
index 2eb79d33..b0d2ddb0 100644
--- a/cloudinit/util.py
+++ b/cloudinit/util.py
@@ -1578,6 +1578,18 @@ def get_cmdline():
return _get_cmdline()
+def fips_enabled() -> bool:
+ fips_proc = "/proc/sys/crypto/fips_enabled"
+ try:
+ contents = load_file(fips_proc).strip()
+ return contents == "1"
+ except (IOError, OSError):
+ # for BSD systems and Linux systems where the proc entry is not
+ # available, we assume FIPS is disabled to retain the old behavior
+ # for now.
+ return False
+
+
def pipe_in_out(in_fh, out_fh, chunk_size=1024, chunk_cb=None):
bytes_piped = 0
while True:
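Review bot: The `except (IOError, OSError)` branch in `fips_enabled()` fails open without leaving any trace. Every read error, not only a missing proc entry, is returned as "FIPS disabled", so on a FIPS host where the file cannot be read the caller would, per the commit description, still generate the DSA and ED25519 key types. Consider limiting the silent default to the absent-file case with `except FileNotFoundError: return False`, and logging any other `OSError` before returning, so a skipped check is visible in the cloud-init log. `IOError` is an alias of `OSError` in Python 3, so the tuple can be reduced to `OSError`. A docstring such as `"""Return True if the kernel reports FIPS mode in /proc/sys/crypto/fips_enabled."""` would also record the Linux-only scope and the fail-open default for callers.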