Hi,

This patch is a port of Bug 1131570 (Do not allow IdM server/replica/client installation in FIPS-140 mode): it refuses to install FreeIPA, or to start the server with ipactl, when the host kernel reports FIPS mode as enabled.

https://fedorahosted.org/freeipa/ticket/5761
>From afecbb3d228cf1d6cee59da53bf7a803f030d0b1 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <fren...@redhat.com>
Date: Fri, 24 Jun 2016 16:16:22 +0200
Subject: [PATCH] Do not allow installation in FIPS mode

https://fedorahosted.org/freeipa/ticket/5761
---
 client/ipa-client-install                  | 4 ++++
 install/tools/ipactl                       | 6 ++++++
 ipaserver/install/server/install.py        | 5 +++++
 ipaserver/install/server/replicainstall.py | 5 +++++
 4 files changed, 20 insertions(+)

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 0a601b63118b0a3568066495837121c65e5df04f..f80ff9c469709ea3b63902610b3b8b5c35448904 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -3064,6 +3064,10 @@ def main():
 
     if not os.getegid() == 0:
         sys.exit("\nYou must be root to run ipa-client-install.\n")
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                sys.exit("Cannot install IPA client in FIPS mode")
     tasks.check_selinux_status()
     logging_setup(options)
     root_logger.debug(
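Review bot: The new check runs before `logging_setup(options)` on the following line, so the FIPS refusal goes to stderr only and never reaches the client install log, which is where an admin will look when an unattended install stops; placing it after `logging_setup` (or logging before the `sys.exit`) keeps a record of why the install was aborted. The open-and-compare of `/proc/sys/crypto/fips_enabled` is also inlined verbatim in the three other files of this patch, so the path and the fail-closed `!= '0'` comparison would be better kept in one helper, presumably next to `tasks.check_selinux_status()`, with each caller reduced to `if is_fips_enabled(): sys.exit("Cannot install IPA client in FIPS mode")`. `main()` starts and ends outside the hunk.
```python
def is_fips_enabled():
    """Return True when the kernel reports FIPS mode.

    Anything other than '0' (including an empty read) counts as enabled,
    so the check fails closed; a kernel without the sysctl (no file) is
    treated as non-FIPS, matching the inline checks this replaces.
    """
    if not os.path.exists('/proc/sys/crypto/fips_enabled'):
        return False
    with open('/proc/sys/crypto/fips_enabled', 'r') as f:
        return f.read().strip() != '0'
```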
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 547b21d875dff7231fae8dfc10faf995b0ca230b..9c68fffe73bfdd97789907226f8765c09707d552 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -545,6 +545,12 @@ def main():
     elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
         raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
 
+    if (args[0] in ('start', 'restart') and
+        os.path.exists('/proc/sys/crypto/fips_enabled')):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                raise IpactlError("Cannot start IPA server in FIPS mode")
+
     # check if IPA is configured at all
     try:
         check_IPA_configuration()
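Review bot: `f.read().strip() != '0'` treats any unexpected content, including an empty read, as FIPS enabled; that is the right fail-closed direction, but it reads like an accident next to the equality checks around it, so a one-line comment such as `# anything but '0' (incl. empty) counts as FIPS: fail closed` would keep a later cleanup from turning it into `== '1'`. The existing `IpactlError` on the earlier `Unrecognized action` line passes an explicit exit code while the new one relies on the default; worth confirming that default is non-zero, otherwise `ipactl start` would refuse to start yet report success to whatever invoked it. `main()` starts and ends outside the hunk.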
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..0c0683733ef38444a82d085f771596a9b066ef1d 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -319,6 +319,11 @@ def install_check(installer):
     external_ca_file = installer._external_ca_file
     http_ca_cert = installer._ca_cert
 
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                sys.exit("Cannot install IPA server in FIPS mode")
+
     tasks.check_selinux_status()
 
     if options.master_password:
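Review bot: `sys.exit()` inside `install_check()` terminates the process from a preflight function instead of returning the failure to the installer that called it; if the other checks in this function report failures by raising ScriptError (the hunk does not show them), this one should use the same mechanism, `raise ScriptError("Cannot install IPA server in FIPS mode")`, so the caller's error reporting and any cleanup apply uniformly. The block also deserves a why-comment, since on its own it looks like a stray platform sniff: `# FIPS-140 mode is not supported (ticket 5761): refuse before touching the system`. `install_check` starts and ends outside the hunk.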
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..a2946339c7aeee8529f6ecf8ec4d85c9291fd291 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -485,6 +485,11 @@ def install_check(installer):
     options = installer
     filename = installer.replica_file
 
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                sys.exit("Cannot install IPA server in FIPS mode")
+
     tasks.check_selinux_status()
 
     if is_ipa_configured():
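Review bot: The refusal message on the replica path says "IPA server", so `ipa-replica-install` fails with a message naming a different tool; `sys.exit("Cannot install IPA replica in FIPS mode")` makes the log unambiguous for whoever reads it later. This is the fourth verbatim copy of the `fips_enabled` read in the patch, and the comparison against `'0'` (fail closed on any other content) is the kind of detail that drifts when copied; one shared `is_fips_enabled()` helper beside `tasks.check_selinux_status()` would keep the path and the semantics in a single place. `install_check` starts and ends outside the hunk.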
-- 
2.7.4
