On 06/28/2016 11:05 AM, Martin Basti wrote:



On 28.06.2016 10:51, Florence Blanc-Renaud wrote:
On 06/27/2016 10:18 PM, Rob Crittenden wrote:
Florence Blanc-Renaud wrote:
Hi all,

thanks for your suggestions. Updated patch attached.
Flo.


The invocation in ipactl should say server, not client.

Otherwise LGTM (untested).

rob

Hi all,

thanks to Rob for catching the typo.
Patch with updated message is attached,
Flo.



Thank you for the patch I have two comments:

1)
+    except Exception:
+        # Consider that the host is not fips-enabled if the file does
not exist
+        pass

except clauses should be as specific as possible; otherwise they may mask
real issues.
Please use 'except IOError' if you want to catch the case where the file does
not exist.

2)
in replicainstall.py and install.py please raise exception
(RuntimeError) instead of sys.exit() to keep proper logging, cleanup, etc.

Sys.exit() should not be used in modules, it is hard to debug etc. It
can be used only in scripts (ipa-client-install, ipa-replica-manage, etc..)

Martin^2

Hi,

hopefully converging with this updated patch :)
Thanks for all the comments, I'm learning tips with each iteration.

Flo.

>From 09f028c0342da5fee5e300dbdd193b7f2a1d1140 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <fren...@redhat.com>
Date: Mon, 27 Jun 2016 10:23:14 +0200
Subject: [PATCH] Do not allow installation in FIPS mode

https://fedorahosted.org/freeipa/ticket/5761
---
 client/ipa-client-install                  |  5 ++++-
 install/tools/ipactl                       |  6 +++++-
 ipapython/ipautil.py                       | 19 +++++++++++++++++++
 ipaserver/install/server/install.py        |  7 ++++++-
 ipaserver/install/server/replicainstall.py |  4 ++++
 5 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 0a601b63118b0a3568066495837121c65e5df04f..64d2b3de9b3ea20addd3f6f1a64389680c8288ab 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -45,7 +45,7 @@ try:
     import ipaclient.ntpconf
     from ipapython.ipautil import (
         run, user_input, CalledProcessError, file_exists, dir_exists,
-        realm_to_suffix)
+        realm_to_suffix, is_fips_enabled)
     from ipaplatform.tasks import tasks
     from ipaplatform import services
     from ipaplatform.paths import paths
@@ -3064,6 +3064,9 @@ def main():
 
     if not os.getegid() == 0:
         sys.exit("\nYou must be root to run ipa-client-install.\n")
+    if is_fips_enabled():
+        sys.exit("Installing IPA client in FIPS mode is not supported")
+
     tasks.check_selinux_status()
     logging_setup(options)
     root_logger.debug(
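Review bot: The new check refuses every invocation of the script, not only enrollment, because it runs unconditionally right after the root check; if main() also dispatches the uninstall path (its body continues outside the hunk), a client that was enrolled before FIPS mode was switched on can no longer be un-enrolled, and the message "Installing IPA client in FIPS mode is not supported" would then be misleading. Gating the refusal on the install path, e.g. `if is_fips_enabled() and not options.uninstall:` (attribute name to be confirmed against the option parser), or moving it to where enrollment actually begins, keeps cleanup possible. The check also runs before `logging_setup(options)`, so the refusal leaves no trace in the client install log; running it after logging is set up, or logging before exiting, helps when diagnosing a failed deployment. For consistency with the root check just above, the message could use the same newline framing, `sys.exit("\nInstalling IPA client in FIPS mode is not supported.\n")`.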
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 547b21d875dff7231fae8dfc10faf995b0ca230b..e6a1b5a2299ea0f6ff91b7536e82ac9872ed88b0 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -31,7 +31,8 @@ from ipaserver.install.dsinstance import config_dirname
 from ipaserver.install.installutils import is_ipa_configured, ScriptError
 from ipalib import api, errors
 from ipapython.ipaldap import IPAdmin
-from ipapython.ipautil import wait_for_open_ports, wait_for_open_socket
+from ipapython.ipautil import (
+    wait_for_open_ports, wait_for_open_socket, is_fips_enabled)
 from ipapython import config
 from ipaplatform.tasks import tasks
 from ipapython.dn import DN
@@ -545,6 +546,9 @@ def main():
     elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
         raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
 
+    if is_fips_enabled():
+        raise IpactlError("Starting IPA server in FIPS mode is not supported")
+
     # check if IPA is configured at all
     try:
         check_IPA_configuration()
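Review bot: The FIPS refusal applies to every action, yet the action list validated just above includes `stop` and `status`, so on a server where FIPS mode was turned on after installation `ipactl stop` can no longer shut the services down cleanly and `ipactl status` cannot even report on them; the message, which only talks about starting, does not match that behaviour. Restricting the check to the actions that bring services up, `if args[0] in ("start", "restart") and is_fips_enabled():`, keeps stop and status usable for recovery. The other IpactlError raised in this function passes an explicit exit code (`2`, on the line above the insertion); the new raise relies on the default, which is worth making explicit if scripts inspect the exit status. main() begins before this hunk.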
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 34e05d36698e58aec0fae8ee9679e904709f2379..4ef9770e92c3ba86ffa5c6523268475a026705d0 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1428,3 +1428,22 @@ if six.PY2:
                 type(value).__name__))
 else:
     fsdecode = os.fsdecode  #pylint: disable=no-member
+
+
+def is_fips_enabled():
+    """
+    Checks whether this host is FIPS-enabled.
+
+    Returns a boolean indicating if the host is FIPS-enabled, i.e. if the
+    file /proc/sys/crypto/fips_enabled contains a non-0 value. Otherwise,
+    or if the file /proc/sys/crypto/fips_enabled does not exist,
+    the function returns False.
+    """
+    try:
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                return True
+    except IOError:
+        # Consider that the host is not fips-enabled if the file does not exist
+        pass
+    return False
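Review bot: is_fips_enabled() fails open: any IOError while reading /proc/sys/crypto/fips_enabled — not only the missing-file case the comment describes, but also a permission error or a /proc that is not mounted in a container or chroot — is reported as "not FIPS", which is the permissive answer for a check whose purpose is to refuse unsupported installs. Narrowing the handler to the documented case keeps the fail-closed intent: `except IOError as e:` / `    if e.errno != errno.ENOENT:` / `        raise` (with `import errno` at module level). The comparison `!= '0'` treats empty or unexpected file content as enabled, which is the safe direction but is not stated; the docstring could add `Any content other than "0" (including an empty file) is treated as enabled.`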
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..f0e89ae484b3106afaf325eef1020ec97f313438 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -22,7 +22,8 @@ from ipapython.install.common import step
 from ipapython.install.core import Knob
 from ipapython.ipa_log_manager import root_logger
 from ipapython.ipautil import (
-    decrypt_file, format_netloc, ipa_generate_password, run, user_input)
+    decrypt_file, format_netloc, ipa_generate_password, run, user_input,
+    is_fips_enabled)
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipaplatform.tasks import tasks
@@ -319,6 +320,10 @@ def install_check(installer):
     external_ca_file = installer._external_ca_file
     http_ca_cert = installer._ca_cert
 
+    if is_fips_enabled():
+        raise RuntimeError(
+            "Installing IPA server in FIPS mode is not supported")
+
     tasks.check_selinux_status()
 
     if options.master_password:
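Review bot: The new check raises a bare RuntimeError from install_check(), whereas the installer tooling has its own ScriptError (imported from installutils in the ipactl hunk of this same patch); whether the install framework turns a RuntimeError into a clean, logged message rather than a traceback is not visible here, so it is worth confirming, and using ScriptError if it does not. Placing the check before `tasks.check_selinux_status()` is right for a hard prerequisite, but the same three lines are repeated verbatim in replicainstall.py; a single helper in installutils, e.g. `def check_fips_mode(): if is_fips_enabled(): raise ScriptError("Installing IPA server in FIPS mode is not supported")`, keeps the message and exception type aligned across both installers. install_check() starts before this hunk and continues after it.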
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..f7dbce5c056d01482f4481333c91a807034019e2 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -485,6 +485,10 @@ def install_check(installer):
     options = installer
     filename = installer.replica_file
 
+    if ipautil.is_fips_enabled():
+        raise RuntimeError(
+            "Installing IPA server in FIPS mode is not supported")
+
     tasks.check_selinux_status()
 
     if is_ipa_configured():
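Review bot: The refusal message is identical to the one added in install.py ("Installing IPA server in FIPS mode is not supported"), so a log line cannot tell a failed replica install from a failed first-master install; `"Installing IPA replica in FIPS mode is not supported"` would disambiguate without changing behaviour. The check sits before `tasks.check_selinux_status()` and before `filename` (the replica file) is used, which is the right order: nothing from the replica file is consumed before refusing. install_check() starts before this hunk and continues after it.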
-- 
2.7.4

