Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

Petr Spacek Mon, 27 Jun 2016 00:17:04 -0700

On 27.6.2016 08:38, Florence Blanc-Renaud wrote:
> Hi,
> 
> this fix is a port of Bug 1131570 - Do not allow IdM server/replica/client
> installation in a FIPS-140 mode
> It prevents installation of FreeIPA if the host is fips-enabled.
> 
> https://fedorahosted.org/freeipa/ticket/5761
> 
> freeipa-frenaud-0008-Do-not-allow-installation-in-FIPS-mode.patch
> 
> 
>>From afecbb3d228cf1d6cee59da53bf7a803f030d0b1 Mon Sep 17 00:00:00 2001
> From: Florence Blanc-Renaud <fren...@redhat.com>
> Date: Fri, 24 Jun 2016 16:16:22 +0200
> Subject: [PATCH] Do not allow installation in FIPS mode
> 
> https://fedorahosted.org/freeipa/ticket/5761
> ---
>  client/ipa-client-install                  | 4 ++++
>  install/tools/ipactl                       | 6 ++++++
>  ipaserver/install/server/install.py        | 5 +++++
>  ipaserver/install/server/replicainstall.py | 5 +++++
>  4 files changed, 20 insertions(+)
> 
> diff --git a/client/ipa-client-install b/client/ipa-client-install
> index 
> 0a601b63118b0a3568066495837121c65e5df04f..f80ff9c469709ea3b63902610b3b8b5c35448904
>  100755
> --- a/client/ipa-client-install
> +++ b/client/ipa-client-install
> @@ -3064,6 +3064,10 @@ def main():
>  
>      if not os.getegid() == 0:
>          sys.exit("\nYou must be root to run ipa-client-install.\n")
> +    if os.path.exists('/proc/sys/crypto/fips_enabled'):
> +        with open('/proc/sys/crypto/fips_enabled', 'r') as f:


Usually it is safer to call open() and catch exception if the file does not
exist. The code above has inherent problem with race-conditions between time
of check (path.exists) and time of use (open).

Of course it is not a problem here because this file is part of kernel's
interface but in general please use the try: open() except: form.

> +            if f.read().strip() != '0':
> +                sys.exit("Cannot install IPA client in FIPS mode")

Personally I would like to see more informative messages.

I would recommend something like "<something> is not supported in FIPS mode".

In my eyes it is difference between "How do I ...? You dont!" vs "How do I
...? Sorry, we do not support that right now."


Sorry for nitpicking! :-)

Petr^2 Spacek



>      tasks.check_selinux_status()
>      logging_setup(options)
>      root_logger.debug(
> diff --git a/install/tools/ipactl b/install/tools/ipactl
> index 
> 547b21d875dff7231fae8dfc10faf995b0ca230b..9c68fffe73bfdd97789907226f8765c09707d552
>  100755
> --- a/install/tools/ipactl
> +++ b/install/tools/ipactl
> @@ -545,6 +545,12 @@ def main():
>      elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" 
> and args[0] != "status":
>          raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
>  
> +    if (args[0] in ('start', 'restart') and
> +        os.path.exists('/proc/sys/crypto/fips_enabled')):
> +        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
> +            if f.read().strip() != '0':
> +                raise IpactlError("Cannot start IPA server in FIPS mode")
> +
>      # check if IPA is configured at all
>      try:
>          check_IPA_configuration()
> diff --git a/ipaserver/install/server/install.py 
> b/ipaserver/install/server/install.py
> index 
> 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..0c0683733ef38444a82d085f771596a9b066ef1d
>  100644
> --- a/ipaserver/install/server/install.py
> +++ b/ipaserver/install/server/install.py
> @@ -319,6 +319,11 @@ def install_check(installer):
>      external_ca_file = installer._external_ca_file
>      http_ca_cert = installer._ca_cert
>  
> +    if os.path.exists('/proc/sys/crypto/fips_enabled'):
> +        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
> +            if f.read().strip() != '0':
> +                sys.exit("Cannot install IPA server in FIPS mode")
> +
>      tasks.check_selinux_status()
>  
>      if options.master_password:
> diff --git a/ipaserver/install/server/replicainstall.py 
> b/ipaserver/install/server/replicainstall.py
> index 
> 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..a2946339c7aeee8529f6ecf8ec4d85c9291fd291
>  100644
> --- a/ipaserver/install/server/replicainstall.py
> +++ b/ipaserver/install/server/replicainstall.py
> @@ -485,6 +485,11 @@ def install_check(installer):
>      options = installer
>      filename = installer.replica_file
>  
> +    if os.path.exists('/proc/sys/crypto/fips_enabled'):
> +        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
> +            if f.read().strip() != '0':
> +                sys.exit("Cannot install IPA server in FIPS mode")
> +
>      tasks.check_selinux_status()
>  
>      if is_ipa_configured():
> -- 2.7.4

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

Reply via email to