On 06/27/2016 10:18 PM, Rob Crittenden wrote:
Florence Blanc-Renaud wrote:
Hi all,

thanks for your suggestions. Updated patch attached.
Flo.


The invocation in ipactl should say server, not client.

Otherwise LGTM (untested).

rob

Hi all,

thanks to Rob for catching the typo.
Patch with updated message is attached,
Flo.
>From efc282fddd2d7ee87bf07e5b1a7fdaa035df7caa Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <fren...@redhat.com>
Date: Mon, 27 Jun 2016 10:23:14 +0200
Subject: [PATCH] Do not allow installation in FIPS mode

https://fedorahosted.org/freeipa/ticket/5761
---
 client/ipa-client-install                  |  5 ++++-
 install/tools/ipactl                       |  6 +++++-
 ipapython/ipautil.py                       | 19 +++++++++++++++++++
 ipaserver/install/server/install.py        |  6 +++++-
 ipaserver/install/server/replicainstall.py |  3 +++
 5 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 0a601b63118b0a3568066495837121c65e5df04f..64d2b3de9b3ea20addd3f6f1a64389680c8288ab 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -45,7 +45,7 @@ try:
     import ipaclient.ntpconf
     from ipapython.ipautil import (
         run, user_input, CalledProcessError, file_exists, dir_exists,
-        realm_to_suffix)
+        realm_to_suffix, is_fips_enabled)
     from ipaplatform.tasks import tasks
     from ipaplatform import services
     from ipaplatform.paths import paths
@@ -3064,6 +3064,9 @@ def main():
 
     if not os.getegid() == 0:
         sys.exit("\nYou must be root to run ipa-client-install.\n")
+    if is_fips_enabled():
+        sys.exit("Installing IPA client in FIPS mode is not supported")
+
     tasks.check_selinux_status()
     logging_setup(options)
     root_logger.debug(
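Review bot: The guard is placed at the very top of main(), before any action is dispatched, so if the uninstall path is served by the same main() further down (not visible here), a client enrolled before FIPS was switched on could no longer be cleanly removed; if so, skip the check when the uninstall option is set, or move it below that dispatch. It also runs before `logging_setup(options)`, so the refusal leaves no trace in the client install log — consistent with the root check just above, but worth knowing when debugging a failed enrollment. main() continues outside the hunk.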
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 547b21d875dff7231fae8dfc10faf995b0ca230b..e6a1b5a2299ea0f6ff91b7536e82ac9872ed88b0 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -31,7 +31,8 @@ from ipaserver.install.dsinstance import config_dirname
 from ipaserver.install.installutils import is_ipa_configured, ScriptError
 from ipalib import api, errors
 from ipapython.ipaldap import IPAdmin
-from ipapython.ipautil import wait_for_open_ports, wait_for_open_socket
+from ipapython.ipautil import (
+    wait_for_open_ports, wait_for_open_socket, is_fips_enabled)
 from ipapython import config
 from ipaplatform.tasks import tasks
 from ipapython.dn import DN
@@ -545,6 +546,9 @@ def main():
     elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
         raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
 
+    if is_fips_enabled():
+        raise IpactlError("Starting IPA server in FIPS mode is not supported")
+
     # check if IPA is configured at all
     try:
         check_IPA_configuration()
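Review bot: The check fires for all four accepted actions, so `ipactl stop` and `ipactl status` are refused too while the message only speaks of starting the server; an operator who enabled FIPS on a host with IPA already running would be unable to stop it through ipactl. Limit the guard to the actions that bring services up, `if args[0] in ("start", "restart") and is_fips_enabled():`, or reword the message to cover every action. The new `IpactlError(...)` is raised without an explicit return code, unlike the line above that passes 2; whether the default is the intended exit status cannot be seen from the hunk. main() continues outside the hunk.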
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 34e05d36698e58aec0fae8ee9679e904709f2379..14fbf7b5156c0ed58634410d944ae6bc225b9b9c 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1428,3 +1428,22 @@ if six.PY2:
                 type(value).__name__))
 else:
     fsdecode = os.fsdecode  #pylint: disable=no-member
+
+
+def is_fips_enabled():
+    """
+    Checks whether this host is FIPS-enabled.
+
+    Returns a boolean indicating if the host is FIPS-enabled, i.e. if the
+    file /proc/sys/crypto/fips_enabled contains a non-0 value. Otherwise,
+    or if the file /proc/sys/crypto/fips_enabled does not exist,
+    the function returns False.
+    """
+    try:
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                return True
+    except Exception:
+        # Consider that the host is not fips-enabled if the file does not exist
+        pass
+    return False
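Review bot: `except Exception: pass` makes the guard fail open: a permission error, an I/O error or any other failure while reading /proc/sys/crypto/fips_enabled is reported as "not FIPS", which is the opposite of what a do-not-install check should do. Catch only the missing-file case and let everything else propagate, e.g. `except IOError as e:` / `if e.errno != errno.ENOENT: raise` (this needs an `errno` import at the top of the file, which is outside the hunk; the file already uses six, so IOError is the right name on both Python versions). The docstring should also say that an empty file counts as enabled, since `'' != '0'` is true, and replace "Otherwise" with the explicit missing-file case so the two sentences do not overlap.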
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..5dfd9fabee19e9b9535782139bbb4d0dc27fd495 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -22,7 +22,8 @@ from ipapython.install.common import step
 from ipapython.install.core import Knob
 from ipapython.ipa_log_manager import root_logger
 from ipapython.ipautil import (
-    decrypt_file, format_netloc, ipa_generate_password, run, user_input)
+    decrypt_file, format_netloc, ipa_generate_password, run, user_input,
+    is_fips_enabled)
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipaplatform.tasks import tasks
@@ -319,6 +320,9 @@ def install_check(installer):
     external_ca_file = installer._external_ca_file
     http_ca_cert = installer._ca_cert
 
+    if is_fips_enabled():
+        sys.exit("Installing IPA server in FIPS mode is not supported")
+
     tasks.check_selinux_status()
 
     if options.master_password:
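Review bot: The same three-line FIPS guard with a near-identical message now appears here, in replicainstall.py's install_check() and in ipa-client-install's main(); a single helper next to the existing root/SELinux checks in installutils would keep the wording and placement consistent and give one place to relax the restriction later. Whether `sys` is imported in this module is not visible from the hunk. install_check() continues outside the hunk.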
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..da1cac02ce187a6467591b77dd37b89fe3c56fbc 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -485,6 +485,9 @@ def install_check(installer):
     options = installer
     filename = installer.replica_file
 
+    if ipautil.is_fips_enabled():
+        sys.exit("Installing IPA server in FIPS mode is not supported")
+
     tasks.check_selinux_status()
 
     if is_ipa_configured():
-- 
2.7.4
