On 06/27/2016 03:55 PM, Rob Crittenden wrote:
Petr Spacek wrote:
On 27.6.2016 08:38, Florence Blanc-Renaud wrote:
Hi,

this fix is a port of Bug 1131570 - Do not allow IdM
server/replica/client
installation in a FIPS-140 mode
It prevents installation of FreeIPA if the host is fips-enabled.

https://fedorahosted.org/freeipa/ticket/5761

freeipa-frenaud-0008-Do-not-allow-installation-in-FIPS-mode.patch


>From afecbb3d228cf1d6cee59da53bf7a803f030d0b1 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <fren...@redhat.com>
Date: Fri, 24 Jun 2016 16:16:22 +0200
Subject: [PATCH] Do not allow installation in FIPS mode

https://fedorahosted.org/freeipa/ticket/5761
---
  client/ipa-client-install                  | 4 ++++
  install/tools/ipactl                       | 6 ++++++
  ipaserver/install/server/install.py        | 5 +++++
  ipaserver/install/server/replicainstall.py | 5 +++++
  4 files changed, 20 insertions(+)

diff --git a/client/ipa-client-install b/client/ipa-client-install
index
0a601b63118b0a3568066495837121c65e5df04f..f80ff9c469709ea3b63902610b3b8b5c35448904
100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -3064,6 +3064,10 @@ def main():

      if not os.getegid() == 0:
          sys.exit("\nYou must be root to run ipa-client-install.\n")
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:

Usually it is safer to call open() and catch the exception if the file
does not
exist. The code above has an inherent problem with race conditions
between time
of check (path.exists) and time of use (open).

Of course it is not a problem here because this file is part of kernel's
interface but in general please use the try: open() except: form.

+            if f.read().strip() != '0':
+                sys.exit("Cannot install IPA client in FIPS mode")

Personally I would like to see more informative messages.

I would recommend something like "<something> is not supported in FIPS
mode".

In my eyes it is difference between "How do I ...? You dont!" vs "How
do I
...? Sorry, we do not support that right now."

Given that this code is duplicated 4 times I'd also move it to a
function in ipapython, is_fips_enabled() or something.

rob



Sorry for nitpicking! :-)

Petr^2 Spacek



      tasks.check_selinux_status()
      logging_setup(options)
      root_logger.debug(
diff --git a/install/tools/ipactl b/install/tools/ipactl
index
547b21d875dff7231fae8dfc10faf995b0ca230b..9c68fffe73bfdd97789907226f8765c09707d552
100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -545,6 +545,12 @@ def main():
      elif args[0] != "start" and args[0] != "stop" and args[0] !=
"restart" and args[0] != "status":
          raise IpactlError("Unrecognized action [" + args[0] + "]", 2)

+    if (args[0] in ('start', 'restart') and
+        os.path.exists('/proc/sys/crypto/fips_enabled')):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                raise IpactlError("Cannot start IPA server in FIPS
mode")
+
      # check if IPA is configured at all
      try:
          check_IPA_configuration()
diff --git a/ipaserver/install/server/install.py
b/ipaserver/install/server/install.py
index
930cca7b31ca06c04ab92deff49b6a4f198c2b6e..0c0683733ef38444a82d085f771596a9b066ef1d
100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -319,6 +319,11 @@ def install_check(installer):
      external_ca_file = installer._external_ca_file
      http_ca_cert = installer._ca_cert

+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                sys.exit("Cannot install IPA server in FIPS mode")
+
      tasks.check_selinux_status()

      if options.master_password:
diff --git a/ipaserver/install/server/replicainstall.py
b/ipaserver/install/server/replicainstall.py
index
52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..a2946339c7aeee8529f6ecf8ec4d85c9291fd291
100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -485,6 +485,11 @@ def install_check(installer):
      options = installer
      filename = installer.replica_file

+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                sys.exit("Cannot install IPA server in FIPS mode")
+
      tasks.check_selinux_status()

      if is_ipa_configured():
-- 2.7.4


Hi all,

thanks for your suggestions. Updated patch attached.
Flo.

>From 26d77345490711934cf7a63bb0cef670b3e5c85c Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <fren...@redhat.com>
Date: Mon, 27 Jun 2016 10:23:14 +0200
Subject: [PATCH] Do not allow installation in FIPS mode

https://fedorahosted.org/freeipa/ticket/5761
---
 client/ipa-client-install                  |  5 ++++-
 install/tools/ipactl                       |  6 +++++-
 ipapython/ipautil.py                       | 19 +++++++++++++++++++
 ipaserver/install/server/install.py        |  6 +++++-
 ipaserver/install/server/replicainstall.py |  3 +++
 5 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 0a601b63118b0a3568066495837121c65e5df04f..64d2b3de9b3ea20addd3f6f1a64389680c8288ab 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -45,7 +45,7 @@ try:
     import ipaclient.ntpconf
     from ipapython.ipautil import (
         run, user_input, CalledProcessError, file_exists, dir_exists,
-        realm_to_suffix)
+        realm_to_suffix, is_fips_enabled)
     from ipaplatform.tasks import tasks
     from ipaplatform import services
     from ipaplatform.paths import paths
@@ -3064,6 +3064,9 @@ def main():
 
     if not os.getegid() == 0:
         sys.exit("\nYou must be root to run ipa-client-install.\n")
+    if is_fips_enabled():
+        sys.exit("Installing IPA client in FIPS mode is not supported")
+
     tasks.check_selinux_status()
     logging_setup(options)
     root_logger.debug(
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 547b21d875dff7231fae8dfc10faf995b0ca230b..908ac12363d58334bb554fc7ed6bd6c4a9ce1235 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -31,7 +31,8 @@ from ipaserver.install.dsinstance import config_dirname
 from ipaserver.install.installutils import is_ipa_configured, ScriptError
 from ipalib import api, errors
 from ipapython.ipaldap import IPAdmin
-from ipapython.ipautil import wait_for_open_ports, wait_for_open_socket
+from ipapython.ipautil import (
+    wait_for_open_ports, wait_for_open_socket, is_fips_enabled)
 from ipapython import config
 from ipaplatform.tasks import tasks
 from ipapython.dn import DN
@@ -545,6 +546,9 @@ def main():
     elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
         raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
 
+    if is_fips_enabled():
+        raise IpactlError("Starting IPA client in FIPS mode is not supported")
+
     # check if IPA is configured at all
     try:
         check_IPA_configuration()
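Review bot: The new guard at `if is_fips_enabled():` runs for every ipactl action, whereas the first version of the patch refused only start and restart; as written, `ipactl stop` and `ipactl status` also raise on a FIPS host, which blocks even shutting down services that are already running. Restoring the action filter, `if args[0] in ('start', 'restart') and is_fips_enabled():`, keeps the refusal to the operations that actually bring the server up. The message also says "IPA client" although ipactl manages the server services; `raise IpactlError("Starting IPA server in FIPS mode is not supported")` matches the wording of the earlier version and of the server installers. main() continues outside the hunk.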
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 34e05d36698e58aec0fae8ee9679e904709f2379..14fbf7b5156c0ed58634410d944ae6bc225b9b9c 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1428,3 +1428,22 @@ if six.PY2:
                 type(value).__name__))
 else:
     fsdecode = os.fsdecode  #pylint: disable=no-member
+
+
+def is_fips_enabled():
+    """
+    Checks whether this host is FIPS-enabled.
+
+    Returns a boolean indicating if the host is FIPS-enabled, i.e. if the
+    file /proc/sys/crypto/fips_enabled contains a non-0 value. Otherwise,
+    or if the file /proc/sys/crypto/fips_enabled does not exist,
+    the function returns False.
+    """
+    try:
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                return True
+    except Exception:
+        # Consider that the host is not fips-enabled if the file does not exist
+        pass
+    return False
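Review bot: `except Exception:` in is_fips_enabled catches far more than the missing-file case its comment describes — a permission or read error on /proc/sys/crypto/fips_enabled is silently reported as "not FIPS-enabled", so the guard fails open on exactly the hosts where the check matters. Narrow the handler to the documented case with `except IOError as e:` followed by `if e.errno != errno.ENOENT: raise` (adding `import errno` at the top of ipautil.py if it is not already there), and keep `return False` for the not-found path. The docstring could also state explicitly that any content other than '0', including an empty file, is treated as enabled, since that is what `f.read().strip() != '0'` does.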
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..5dfd9fabee19e9b9535782139bbb4d0dc27fd495 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -22,7 +22,8 @@ from ipapython.install.common import step
 from ipapython.install.core import Knob
 from ipapython.ipa_log_manager import root_logger
 from ipapython.ipautil import (
-    decrypt_file, format_netloc, ipa_generate_password, run, user_input)
+    decrypt_file, format_netloc, ipa_generate_password, run, user_input,
+    is_fips_enabled)
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipaplatform.tasks import tasks
@@ -319,6 +320,9 @@ def install_check(installer):
     external_ca_file = installer._external_ca_file
     http_ca_cert = installer._ca_cert
 
+    if is_fips_enabled():
+        sys.exit("Installing IPA server in FIPS mode is not supported")
+
     tasks.check_selinux_status()
 
     if options.master_password:
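Review bot: `sys.exit(...)` inside install_check is a hard process exit from a check routine, and the same call appears in the replicainstall.py hunk; neither hunk's visible context shows `sys` being imported in these two modules (the first patch version used it there as well, so it is presumably present — confirm). If the installer wraps install_check and reports ScriptError, `raise ScriptError("Installing IPA server in FIPS mode is not supported")` would route the refusal through that reporting path instead of terminating mid-check. Separately, install.py imports `is_fips_enabled` by name while replicainstall.py calls `ipautil.is_fips_enabled()`; either works, but using one form keeps the two guards identical. install_check continues outside the hunk in both files.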
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..da1cac02ce187a6467591b77dd37b89fe3c56fbc 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -485,6 +485,9 @@ def install_check(installer):
     options = installer
     filename = installer.replica_file
 
+    if ipautil.is_fips_enabled():
+        sys.exit("Installing IPA server in FIPS mode is not supported")
+
     tasks.check_selinux_status()
 
     if is_ipa_configured():
-- 
2.7.4

