author | Ani Sinha <anisinha@redhat.com> | 2023-05-02 20:35:45 +0530 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-05-02 17:05:45 +0200 |
commit | c53f04aeb2acf9526a2ebf3d3320f149ac46caa6 (patch) | |
tree | 392c5036abfa0c92a0410e305fa521dd7a8922bf /cloudinit | |
parent | 76fe7ddb590f05a650f22fb15a7764320f58a42e (diff) | |
Do not generate dsa and ed25519 key types when crypto FIPS mode is enabled (#2142)
DSA and ED25519 key types are not supported when FIPS is enabled in crypto.
Check if FIPS has been enabled on the system and if so, do not generate those
key types. Presently the check is only available on Linux systems.
LP: 2017761
RHBZ: 2187164
Signed-off-by: Ani Sinha <anisinha@redhat.com>
Diffstat (limited to 'cloudinit')
-rw-r--r-- | cloudinit/config/cc_ssh.py | 21 | ||||
-rw-r--r-- | cloudinit/util.py | 12 |
2 files changed, 32 insertions, 1 deletions
diff --git a/cloudinit/config/cc_ssh.py b/cloudinit/config/cc_ssh.py
index 7c9ae36b..d7b9e704 100644
--- a/cloudinit/config/cc_ssh.py
+++ b/cloudinit/config/cc_ssh.py
@@ -173,6 +173,8 @@ __doc__ = get_meta_doc(meta)
 LOG = logging.getLogger(__name__)
 GENERATE_KEY_NAMES = ["rsa", "dsa", "ecdsa", "ed25519"]
+FIPS_UNSUPPORTED_KEY_NAMES = ["dsa", "ed25519"]
+
 pattern_unsupported_config_keys = re.compile(
     "^(ecdsa-sk|ed25519-sk)_(private|public|certificate)$"
 )
@@ -258,9 +260,26 @@ def handle(name: str, cfg: Config, cloud: Cloud, args: list) -> None:
     genkeys = util.get_cfg_option_list(
         cfg, "ssh_genkeytypes", GENERATE_KEY_NAMES
     )
+    # remove keys that are not supported in fips mode if its enabled
+    key_names = (
+        genkeys
+        if not util.fips_enabled()
+        else [
+            names
+            for names in genkeys
+            if names not in FIPS_UNSUPPORTED_KEY_NAMES
+        ]
+    )
+    skipped_keys = set(genkeys).difference(key_names)
+    if skipped_keys:
+        LOG.debug(
+            "skipping keys that are not supported in fips mode: %s",
+            ",".join(skipped_keys),
+        )
+
     lang_c = os.environ.copy()
     lang_c["LANG"] = "C"
-    for keytype in genkeys:
+    for keytype in key_names:
         keyfile = KEY_FILE_TPL % (keytype)
         if os.path.exists(keyfile):
             continue
diff --git a/cloudinit/util.py b/cloudinit/util.py
index 2eb79d33..b0d2ddb0 100644
--- a/cloudinit/util.py
+++ b/cloudinit/util.py
@@ -1578,6 +1578,18 @@ def get_cmdline():
     return _get_cmdline()
 
 
+def fips_enabled() -> bool:
+    fips_proc = "/proc/sys/crypto/fips_enabled"
+    try:
+        contents = load_file(fips_proc).strip()
+        return contents == "1"
+    except (IOError, OSError):
+        # for BSD systems and Linux systems where the proc entry is not
+        # available, we assume FIPS is disabled to retain the old behavior
+        # for now.
+        return False
+
+
 def pipe_in_out(in_fh, out_fh, chunk_size=1024, chunk_cb=None):
     bytes_piped = 0
     while True: |
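Review bot: In the second cc_ssh.py hunk the skipped names are joined straight from a set, `",".join(skipped_keys)`, so the order in the debug line varies between runs; `",".join(sorted(skipped_keys))` makes the message stable and greppable. A second point: when FIPS is on and an explicitly configured `ssh_genkeytypes` lists only dsa/ed25519, `key_names` ends up empty and no host key is generated at all, with a debug line as the only trace, so `if not key_names: LOG.warning("no ssh host key types remain after removing fips-unsupported types")` would make that visible to an operator. The new comment's `if its enabled` should read `if it is enabled`. handle() starts and ends outside the hunk.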
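Review bot: fips_enabled() in the util.py hunk has no docstring, and since Python 3.3 `IOError` is an alias of `OSError`, so `except (IOError, OSError):` can simply be `except OSError:`. A docstring such as `"""Return True when the kernel reports FIPS mode via /proc/sys/crypto/fips_enabled; False when that file is absent or unreadable (non-Linux, or no FIPS support)."""` would record the fail-open assumption that the inline comment explains. Because a False result means the FIPS-unsupported key types are still generated, callers should read it as "FIPS not detected" rather than "FIPS off", which is worth stating in the docstring as well.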