Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode
On 29.06.2016 13:04, Martin Basti wrote:
> On 28.06.2016 16:57, Florence Blanc-Renaud wrote:
>> On 06/28/2016 11:05 AM, Martin Basti wrote:
>>> On 28.06.2016 10:51, Florence Blanc-Renaud wrote:
>>>> On 06/27/2016 10:18 PM, Rob Crittenden wrote:
>>>>> Florence Blanc-Renaud wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> thanks for your suggestions. Updated patch attached.
>>>>>>
>>>>>> Flo.
>>>>>
>>>>> The invocation in ipactl should say server, not client. Otherwise LGTM (untested).
>>>>>
>>>>> rob
>>>>
>>>> Hi all,
>>>>
>>>> thanks to Rob for catching the typo. Patch with updated message is attached,
>>>>
>>>> Flo.
>>>
>>> Thank you for the patch, I have two comments:
>>>
>>> 1)
>>> +except Exception:
>>> +# Consider that the host is not fips-enabled if the file does not exist
>>> +pass
>>>
>>> exceptions should be as specific as possible, otherwise it may mask real issues.
>>> please use 'except IOError' if you want to catch the case that file does not exist
>>>
>>> 2)
>>> in replicainstall.py and install.py please raise exception (RuntimeError) instead of sys.exit() to keep proper logging, cleanup, etc.
>>> Sys.exit() should not be used in modules, it is hard to debug etc. It can be used only in scripts (ipa-client-install, ipa-replica-manage, etc..)
>>>
>>> Martin^2
>>
>> Hi,
>>
>> hopefully converging with this updated patch :)
>> Thanks for all the comments, I'm learning tips with each iteration.
>>
>> Flo.
>
> I propose the following changes (in attached patch).
> If you agree I can squash patches and push it.
>
> Martin^2

ACK

pushed to master:
* 3c40d3aa9e3d431be1e625aa91cdcbeffd0d1271 Do not allow installation in FIPS mode

ipa-4-3:
* 4ce0ff61a8e46de4a2f2dfca41610323f9569d8a Do not allow installation in FIPS mode

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode
On 06/29/2016 01:04 PM, Martin Basti wrote:
> On 28.06.2016 16:57, Florence Blanc-Renaud wrote:
>> On 06/28/2016 11:05 AM, Martin Basti wrote:
>>> On 28.06.2016 10:51, Florence Blanc-Renaud wrote:
>>>> On 06/27/2016 10:18 PM, Rob Crittenden wrote:
>>>>> Florence Blanc-Renaud wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> thanks for your suggestions. Updated patch attached.
>>>>>>
>>>>>> Flo.
>>>>>
>>>>> The invocation in ipactl should say server, not client. Otherwise LGTM (untested).
>>>>>
>>>>> rob
>>>>
>>>> Hi all,
>>>>
>>>> thanks to Rob for catching the typo. Patch with updated message is attached,
>>>>
>>>> Flo.
>>>
>>> Thank you for the patch, I have two comments:
>>>
>>> 1)
>>> +except Exception:
>>> +# Consider that the host is not fips-enabled if the file does not exist
>>> +pass
>>>
>>> exceptions should be as specific as possible, otherwise it may mask real issues.
>>> please use 'except IOError' if you want to catch the case that file does not exist
>>>
>>> 2)
>>> in replicainstall.py and install.py please raise exception (RuntimeError) instead of sys.exit() to keep proper logging, cleanup, etc.
>>> Sys.exit() should not be used in modules, it is hard to debug etc. It can be used only in scripts (ipa-client-install, ipa-replica-manage, etc..)
>>>
>>> Martin^2
>>
>> Hi,
>>
>> hopefully converging with this updated patch :)
>> Thanks for all the comments, I'm learning tips with each iteration.
>>
>> Flo.
>
> I propose the following changes (in attached patch).
> If you agree I can squash patches and push it.
>
> Martin^2

Hi Martin,

thanks for the proposal, OK for me.

Flo.
Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode
On 28.06.2016 16:57, Florence Blanc-Renaud wrote: On 06/28/2016 11:05 AM, Martin Basti wrote: On 28.06.2016 10:51, Florence Blanc-Renaud wrote: On 06/27/2016 10:18 PM, Rob Crittenden wrote: Florence Blanc-Renaud wrote: Hi all, thanks for your suggestions. Updated patch attached. Flo. The invocation in ipactl should say server, not client. Otherwise LGTM (untested). rob Hi all, thanks to Rob for catching the typo. Patch with updated message is attached, Flo. Thank you for the patch I have two comments: 1) +except Exception: +# Consider that the host is not fips-enabled if the file does not exist +pass exceptions should be as much specific as possible, otherwise it may mask real issues please use 'except IOError' if you want catch the case that file does not exist 2) in replicainstall.py and install.py please raise exception (RuntimeError) instead of sys.exit() to keep proper logging, cleanup, etc. Sys.exit() should not be used in modules, it is hard to debug etc. It can be used only in scripts (ipa-client-install, ipa-replica-manage, etc..) Martin^2 Hi, hopefully converging with this updated patch :) Thanks for all the comments, I'm learning tips with each iteration. Flo. I propose following changes (in attached patch). If you agree I can squash patches and push it. Martin^2 From a3e91642a83877f45708094f391104fbcb894fd4 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 29 Jun 2016 13:02:59 +0200 Subject: [PATCH] FIPS: reviewer proposed changes --- ipaplatform/base/paths.py | 1 + ipapython/ipautil.py | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index dddefea0b558010ac24334d041201a80a05587be..d6fbe32f6839a5db40148777132ba1454cbc3382 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py 
@@ -134,6 +134,7 @@ class BasePathNamespace(object): SYSTEMD_PKI_TOMCAT_SERVICE = "/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service" DNSSEC_TRUSTED_KEY = "/etc/trusted-key.key" HOME_DIR = "/home" +PROC_FIPS_ENABLED = "/proc/sys/crypto/fips_enabled" ROOT_IPA_CACHE = "/root/.ipa_cache" ROOT_PKI = "/root/.pki" DOGTAG_ADMIN_P12 = "/root/ca-agent.p12" diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 4ef9770e92c3ba86ffa5c6523268475a026705d0..c7e20c5102efaa006c10d4c3af849bc259da43e7 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -1440,7 +1440,7 @@ def is_fips_enabled(): the function returns False. """ try: -with open('/proc/sys/crypto/fips_enabled', 'r') as f: +with open(paths.PROC_FIPS_ENABLED, 'r') as f: if f.read().strip() != '0': return True except IOError: -- 2.5.5 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
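Review bot: the ipautil.py hunk now reads `paths.PROC_FIPS_ENABLED`, but no import of `paths` appears anywhere in this diff; unless ipapython/ipautil.py already has `from ipaplatform.paths import paths`, the first call raises NameError, and the surrounding `except IOError:` does not catch that. Please confirm the import is present before squashing. Minor: the docstring context lines still spell out /proc/sys/crypto/fips_enabled literally, so the text now duplicates the constant the hunk just introduced; naming `paths.PROC_FIPS_ENABLED` in the docstring keeps the two from drifting apart.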
Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode
On 06/28/2016 11:05 AM, Martin Basti wrote: On 28.06.2016 10:51, Florence Blanc-Renaud wrote: On 06/27/2016 10:18 PM, Rob Crittenden wrote: Florence Blanc-Renaud wrote: Hi all, thanks for your suggestions. Updated patch attached. Flo. The invocation in ipactl should say server, not client. Otherwise LGTM (untested). rob Hi all, thanks to Rob for catching the typo. Patch with updated message is attached, Flo. Thank you for the patch I have two comments: 1) +except Exception: +# Consider that the host is not fips-enabled if the file does not exist +pass exceptions should be as much specific as possible, otherwise it may mask real issues please use 'except IOError' if you want catch the case that file does not exist 2) in replicainstall.py and install.py please raise exception (RuntimeError) instead of sys.exit() to keep proper logging, cleanup, etc. Sys.exit() should not be used in modules, it is hard to debug etc. It can be used only in scripts (ipa-client-install, ipa-replica-manage, etc..) Martin^2 Hi, hopefully converging with this updated patch :) Thanks for all the comments, I'm learning tips with each iteration. Flo. >From 09f028c0342da5fee5e300dbdd193b7f2a1d1140 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Mon, 27 Jun 2016 10:23:14 +0200 Subject: [PATCH] Do not allow installation in FIPS mode https://fedorahosted.org/freeipa/ticket/5761 --- client/ipa-client-install | 5 - install/tools/ipactl | 6 +- ipapython/ipautil.py | 19 +++ ipaserver/install/server/install.py| 7 ++- ipaserver/install/server/replicainstall.py | 4 5 files changed, 38 insertions(+), 3 deletions(-) diff --git a/client/ipa-client-install b/client/ipa-client-install index 0a601b63118b0a3568066495837121c65e5df04f..64d2b3de9b3ea20addd3f6f1a64389680c8288ab 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install 
@@ -45,7 +45,7 @@ try: import ipaclient.ntpconf from ipapython.ipautil import ( run, user_input, CalledProcessError, file_exists, dir_exists, -realm_to_suffix) +realm_to_suffix, is_fips_enabled) from ipaplatform.tasks import tasks from ipaplatform import services from ipaplatform.paths import paths @@ -3064,6 +3064,9 @@ def main(): if not os.getegid() == 0: sys.exit("\nYou must be root to run ipa-client-install.\n") +if is_fips_enabled(): +sys.exit("Installing IPA client in FIPS mode is not supported") + tasks.check_selinux_status() logging_setup(options) root_logger.debug( diff --git a/install/tools/ipactl b/install/tools/ipactl index 547b21d875dff7231fae8dfc10faf995b0ca230b..e6a1b5a2299ea0f6ff91b7536e82ac9872ed88b0 100755 --- a/install/tools/ipactl +++ b/install/tools/ipactl @@ -31,7 +31,8 @@ from ipaserver.install.dsinstance import config_dirname from ipaserver.install.installutils import is_ipa_configured, ScriptError from ipalib import api, errors from ipapython.ipaldap import IPAdmin -from ipapython.ipautil import wait_for_open_ports, wait_for_open_socket +from ipapython.ipautil import ( +wait_for_open_ports, wait_for_open_socket, is_fips_enabled) from ipapython import config from ipaplatform.tasks import tasks from ipapython.dn import DN @@ -545,6 +546,9 @@ def main(): elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status": raise IpactlError("Unrecognized action [" + args[0] + "]", 2) +if is_fips_enabled(): +raise IpactlError("Starting IPA server in FIPS mode is not supported") + # check if IPA is configured at all try: check_IPA_configuration() diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 34e05d36698e58aec0fae8ee9679e904709f2379..4ef9770e92c3ba86ffa5c6523268475a026705d0 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py 
@@ -1428,3 +1428,22 @@ if six.PY2: type(value).__name__)) else: fsdecode = os.fsdecode #pylint: disable=no-member + + +def is_fips_enabled(): +""" +Checks whether this host is FIPS-enabled. + +Returns a boolean indicating if the host is FIPS-enabled, i.e. if the +file /proc/sys/crypto/fips_enabled contains a non-0 value. Otherwise, +or if the file /proc/sys/crypto/fips_enabled does not exist, +the function returns False. +""" +try: +with open('/proc/sys/crypto/fips_enabled', 'r') as f: +if f.read().strip() != '0': +return True +except IOError: +# Consider that the host is not fips-enabled if the file does not exist +pass +return False diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..f0e89ae484b3106afaf325eef1020ec97f313438 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/ins
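Review bot: the ipactl hunk still calls `is_fips_enabled()` unconditionally, so `ipactl stop` and `ipactl status` raise IpactlError just like `start` and `restart`, and they do so before `check_IPA_configuration()` is reached; unless refusing to stop the services on a host that had FIPS switched on after installation is intended, restore the action guard the first revision carried (`args[0] in ('start', 'restart')`). Also consider passing an explicit exit code, as the `"Unrecognized action"` raise directly above does with `2`, so callers can tell the two failures apart.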
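Review bot: `except IOError:` in `is_fips_enabled()` still treats every I/O failure as the "file does not exist" case its comment describes and returns False; an unreadable fips_enabled (EACCES) or a read error is then reported as "FIPS off", which is the wrong direction for a check whose purpose is to refuse installation. Inspect the error in the handler (`if e.errno == errno.ENOENT: return False` and re-raise otherwise). Separately, the docstring promises a "non-0 value", but `f.read().strip() != '0'` is also true for an empty read; the kernel writes only 0 or 1 here, so comparing against '1' states the intent exactly.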
Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode
On 28.06.2016 10:51, Florence Blanc-Renaud wrote:
> On 06/27/2016 10:18 PM, Rob Crittenden wrote:
>> Florence Blanc-Renaud wrote:
>>> Hi all,
>>>
>>> thanks for your suggestions. Updated patch attached.
>>>
>>> Flo.
>>
>> The invocation in ipactl should say server, not client. Otherwise LGTM (untested).
>>
>> rob
>
> Hi all,
>
> thanks to Rob for catching the typo. Patch with updated message is attached,
>
> Flo.

Thank you for the patch, I have two comments:

1)
+except Exception:
+# Consider that the host is not fips-enabled if the file does not exist
+pass

exceptions should be as specific as possible, otherwise it may mask real issues.
please use 'except IOError' if you want to catch the case that file does not exist

2)
in replicainstall.py and install.py please raise exception (RuntimeError) instead of sys.exit() to keep proper logging, cleanup, etc.
Sys.exit() should not be used in modules, it is hard to debug etc. It can be used only in scripts (ipa-client-install, ipa-replica-manage, etc..)

Martin^2
Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode
On 06/27/2016 10:18 PM, Rob Crittenden wrote: Florence Blanc-Renaud wrote: Hi all, thanks for your suggestions. Updated patch attached. Flo. The invocation in ipactl should say server, not client. Otherwise LGTM (untested). rob Hi all, thanks to Rob for catching the typo. Patch with updated message is attached, Flo. >From efc282fddd2d7ee87bf07e5b1a7fdaa035df7caa Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Mon, 27 Jun 2016 10:23:14 +0200 Subject: [PATCH] Do not allow installation in FIPS mode https://fedorahosted.org/freeipa/ticket/5761 --- client/ipa-client-install | 5 - install/tools/ipactl | 6 +- ipapython/ipautil.py | 19 +++ ipaserver/install/server/install.py| 6 +- ipaserver/install/server/replicainstall.py | 3 +++ 5 files changed, 36 insertions(+), 3 deletions(-) diff --git a/client/ipa-client-install b/client/ipa-client-install index 0a601b63118b0a3568066495837121c65e5df04f..64d2b3de9b3ea20addd3f6f1a64389680c8288ab 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install @@ -45,7 +45,7 @@ try: import ipaclient.ntpconf from ipapython.ipautil import ( run, user_input, CalledProcessError, file_exists, dir_exists, -realm_to_suffix) +realm_to_suffix, is_fips_enabled) from ipaplatform.tasks import tasks from ipaplatform import services from ipaplatform.paths import paths @@ -3064,6 +3064,9 @@ def main(): if not os.getegid() == 0: sys.exit("\nYou must be root to run ipa-client-install.\n") +if is_fips_enabled(): +sys.exit("Installing IPA client in FIPS mode is not supported") + tasks.check_selinux_status() logging_setup(options) root_logger.debug( diff --git a/install/tools/ipactl b/install/tools/ipactl index 547b21d875dff7231fae8dfc10faf995b0ca230b..e6a1b5a2299ea0f6ff91b7536e82ac9872ed88b0 100755 --- a/install/tools/ipactl +++ b/install/tools/ipactl 
@@ -31,7 +31,8 @@ from ipaserver.install.dsinstance import config_dirname from ipaserver.install.installutils import is_ipa_configured, ScriptError from ipalib import api, errors from ipapython.ipaldap import IPAdmin -from ipapython.ipautil import wait_for_open_ports, wait_for_open_socket +from ipapython.ipautil import ( +wait_for_open_ports, wait_for_open_socket, is_fips_enabled) from ipapython import config from ipaplatform.tasks import tasks from ipapython.dn import DN @@ -545,6 +546,9 @@ def main(): elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status": raise IpactlError("Unrecognized action [" + args[0] + "]", 2) +if is_fips_enabled(): +raise IpactlError("Starting IPA server in FIPS mode is not supported") + # check if IPA is configured at all try: check_IPA_configuration() diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 34e05d36698e58aec0fae8ee9679e904709f2379..14fbf7b5156c0ed58634410d944ae6bc225b9b9c 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -1428,3 +1428,22 @@ if six.PY2: type(value).__name__)) else: fsdecode = os.fsdecode #pylint: disable=no-member + + +def is_fips_enabled(): +""" +Checks whether this host is FIPS-enabled. + +Returns a boolean indicating if the host is FIPS-enabled, i.e. if the +file /proc/sys/crypto/fips_enabled contains a non-0 value. Otherwise, +or if the file /proc/sys/crypto/fips_enabled does not exist, +the function returns False. +""" +try: +with open('/proc/sys/crypto/fips_enabled', 'r') as f: +if f.read().strip() != '0': +return True +except Exception: +# Consider that the host is not fips-enabled if the file does not exist +pass +return False diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..5dfd9fabee19e9b9535782139bbb4d0dc27fd495 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py 
@@ -22,7 +22,8 @@ from ipapython.install.common import step from ipapython.install.core import Knob from ipapython.ipa_log_manager import root_logger from ipapython.ipautil import ( -decrypt_file, format_netloc, ipa_generate_password, run, user_input) +decrypt_file, format_netloc, ipa_generate_password, run, user_input, +is_fips_enabled) from ipaplatform import services from ipaplatform.paths import paths from ipaplatform.tasks import tasks @@ -319,6 +320,9 @@ def install_check(installer): external_ca_file = installer._external_ca_file http_ca_cert = installer._ca_cert +if is_fips_enabled(): +sys.exit("Installing IPA server in FIPS mode is not supported") + tasks.check_selinux_status() if options.master_password: diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install
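Review bot: the ipactl hunk drops the `args[0] in ('start', 'restart')` guard that the first version of this patch had, so `if is_fips_enabled(): raise IpactlError(...)` now fires for `stop` and `status` as well, ahead of `check_IPA_configuration()`; an administrator who enables FIPS after installation can then no longer stop the services through ipactl. Suggest `if args[0] in ('start', 'restart') and is_fips_enabled():` to keep the original scope.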
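Review bot: `except Exception:` in the new `is_fips_enabled()` catches far more than the missing-file case its comment describes: a permission error, a read error or a plain bug in the block all become `return False`, i.e. "FIPS off", which is the unsafe default for a check meant to refuse installation. Narrow the handler to the I/O error of a missing file (`except IOError`, ideally only when `errno == ENOENT`) and let everything else propagate.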
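Review bot: `sys.exit("Installing IPA server in FIPS mode is not supported")` inside `install_check()` in ipaserver/install/server/install.py terminates the process from a library module, which skips the installer's logging and cleanup paths; raise an exception instead (a `RuntimeError`, or the `ScriptError` that ipactl already imports from ipaserver.install.installutils) and let the entry-point script turn it into an exit status. The ipa-client-install hunk is a script, so `sys.exit` is fine there.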
Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode
Florence Blanc-Renaud wrote:
> Hi all,
>
> thanks for your suggestions. Updated patch attached.
>
> Flo.

The invocation in ipactl should say server, not client. Otherwise LGTM (untested).

rob
Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode
On 06/27/2016 03:55 PM, Rob Crittenden wrote: Petr Spacek wrote: On 27.6.2016 08:38, Florence Blanc-Renaud wrote: Hi, this fix is a port of Bug 1131570 - Do not allow IdM server/replica/client installation in a FIPS-140 mode It prevents installation of FreeIPA if the host is fips-enabled. https://fedorahosted.org/freeipa/ticket/5761 freeipa-frenaud-0008-Do-not-allow-installation-in-FIPS-mode.patch >From afecbb3d228cf1d6cee59da53bf7a803f030d0b1 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Fri, 24 Jun 2016 16:16:22 +0200 Subject: [PATCH] Do not allow installation in FIPS mode https://fedorahosted.org/freeipa/ticket/5761 --- client/ipa-client-install | 4 install/tools/ipactl | 6 ++ ipaserver/install/server/install.py| 5 + ipaserver/install/server/replicainstall.py | 5 + 4 files changed, 20 insertions(+) diff --git a/client/ipa-client-install b/client/ipa-client-install index 0a601b63118b0a3568066495837121c65e5df04f..f80ff9c469709ea3b63902610b3b8b5c35448904 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install 
@@ -3064,6 +3064,10 @@ def main(): if not os.getegid() == 0: sys.exit("\nYou must be root to run ipa-client-install.\n") +if os.path.exists('/proc/sys/crypto/fips_enabled'): +with open('/proc/sys/crypto/fips_enabled', 'r') as f: Usually it is safer to call open() and catch exception if the file does not exist. The code above has inherent problem with race-conditions between time of check (path.exists) and time of use (open). Of course it is not a problem here because this file is part of kernel's interface but in general please use the try: open() except: form. +if f.read().strip() != '0': +sys.exit("Cannot install IPA client in FIPS mode") Personally I would like to see more informative messages. I would recommend something like " is not supported in FIPS mode". In my eyes it is difference between "How do I ...? You dont!" vs "How do I ...? Sorry, we do not support that right now." Given that this code is duplicated 4 times I'd also move it to a function in ipapython, is_fips_enabled() or something . rob Sorry for nitpicking! :-) Petr^2 Spacek tasks.check_selinux_status() logging_setup(options) root_logger.debug( diff --git a/install/tools/ipactl b/install/tools/ipactl index 547b21d875dff7231fae8dfc10faf995b0ca230b..9c68fffe73bfdd97789907226f8765c09707d552 100755 --- a/install/tools/ipactl +++ b/install/tools/ipactl @@ -545,6 +545,12 @@ def main(): elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status": raise IpactlError("Unrecognized action [" + args[0] + "]", 2) +if (args[0] in ('start', 'restart') and +os.path.exists('/proc/sys/crypto/fips_enabled')): +with open('/proc/sys/crypto/fips_enabled', 'r') as f: +if f.read().strip() != '0': +raise IpactlError("Cannot start IPA server in FIPS mode") + # check if IPA is configured at all try: check_IPA_configuration() 
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..0c0683733ef38444a82d085f771596a9b066ef1d 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -319,6 +319,11 @@ def install_check(installer): external_ca_file = installer._external_ca_file http_ca_cert = installer._ca_cert +if os.path.exists('/proc/sys/crypto/fips_enabled'): +with open('/proc/sys/crypto/fips_enabled', 'r') as f: +if f.read().strip() != '0': +sys.exit("Cannot install IPA server in FIPS mode") + tasks.check_selinux_status() if options.master_password: diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..a2946339c7aeee8529f6ecf8ec4d85c9291fd291 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -485,6 +485,11 @@ def install_check(installer): options = installer filename = installer.replica_file +if os.path.exists('/proc/sys/crypto/fips_enabled'): +with open('/proc/sys/crypto/fips_enabled', 'r') as f: +if f.read().strip() != '0': +sys.exit("Cannot install IPA server in FIPS mode") + tasks.check_selinux_status() if is_ipa_configured(): -- 2.7.4 Hi all, thanks for your suggestions. Updated patch attached. Flo. >From 26d77345490711934cf7a63bb0cef670b3e5c85c Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Mon, 27 Jun 2016 10:23:14 +0200 Subject: [PATCH] Do not allow installation in FIPS mode https://fedorahosted.org/freeipa/ticket/5761 --- client/ipa-client-install | 5 - install/tools/ipactl
Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode
Gabe Alford wrote:
> On Mon, Jun 27, 2016 at 12:38 AM, Florence Blanc-Renaud <fren...@redhat.com> wrote:
>> Hi,
>>
>> this fix is a port of Bug 1131570 - Do not allow IdM server/replica/client
>> installation in a FIPS-140 mode
>> It prevents installation of FreeIPA if the host is fips-enabled.
>>
>> https://fedorahosted.org/freeipa/ticket/5761
>
> Shouldn't this be about fixing FreeIPA to allow installation/operation in FIPS mode rather than disabling it? There are many environments where FIPS is required, and FreeIPA should support it.

This is a stop-gap measure to provide users with reasonable feedback on the current state of things. Getting FIPS working, particularly in the server, is a somewhat non-trivial task.

rob
Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode
Petr Spacek wrote: On 27.6.2016 08:38, Florence Blanc-Renaud wrote: Hi, this fix is a port of Bug 1131570 - Do not allow IdM server/replica/client installation in a FIPS-140 mode It prevents installation of FreeIPA if the host is fips-enabled. https://fedorahosted.org/freeipa/ticket/5761 freeipa-frenaud-0008-Do-not-allow-installation-in-FIPS-mode.patch >From afecbb3d228cf1d6cee59da53bf7a803f030d0b1 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Fri, 24 Jun 2016 16:16:22 +0200 Subject: [PATCH] Do not allow installation in FIPS mode https://fedorahosted.org/freeipa/ticket/5761 --- client/ipa-client-install | 4 install/tools/ipactl | 6 ++ ipaserver/install/server/install.py| 5 + ipaserver/install/server/replicainstall.py | 5 + 4 files changed, 20 insertions(+) diff --git a/client/ipa-client-install b/client/ipa-client-install index 0a601b63118b0a3568066495837121c65e5df04f..f80ff9c469709ea3b63902610b3b8b5c35448904 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install 
@@ -3064,6 +3064,10 @@ def main(): if not os.getegid() == 0: sys.exit("\nYou must be root to run ipa-client-install.\n") +if os.path.exists('/proc/sys/crypto/fips_enabled'): +with open('/proc/sys/crypto/fips_enabled', 'r') as f: Usually it is safer to call open() and catch exception if the file does not exist. The code above has inherent problem with race-conditions between time of check (path.exists) and time of use (open). Of course it is not a problem here because this file is part of kernel's interface but in general please use the try: open() except: form. +if f.read().strip() != '0': +sys.exit("Cannot install IPA client in FIPS mode") Personally I would like to see more informative messages. I would recommend something like " is not supported in FIPS mode". In my eyes it is difference between "How do I ...? You dont!" vs "How do I ...? Sorry, we do not support that right now." Given that this code is duplicated 4 times I'd also move it to a function in ipapython, is_fips_enabled() or something . rob Sorry for nitpicking! :-) Petr^2 Spacek tasks.check_selinux_status() logging_setup(options) root_logger.debug( diff --git a/install/tools/ipactl b/install/tools/ipactl index 547b21d875dff7231fae8dfc10faf995b0ca230b..9c68fffe73bfdd97789907226f8765c09707d552 100755 --- a/install/tools/ipactl +++ b/install/tools/ipactl @@ -545,6 +545,12 @@ def main(): elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status": raise IpactlError("Unrecognized action [" + args[0] + "]", 2) +if (args[0] in ('start', 'restart') and +os.path.exists('/proc/sys/crypto/fips_enabled')): +with open('/proc/sys/crypto/fips_enabled', 'r') as f: +if f.read().strip() != '0': +raise IpactlError("Cannot start IPA server in FIPS mode") + # check if IPA is configured at all try: check_IPA_configuration() 
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..0c0683733ef38444a82d085f771596a9b066ef1d 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -319,6 +319,11 @@ def install_check(installer): external_ca_file = installer._external_ca_file http_ca_cert = installer._ca_cert +if os.path.exists('/proc/sys/crypto/fips_enabled'): +with open('/proc/sys/crypto/fips_enabled', 'r') as f: +if f.read().strip() != '0': +sys.exit("Cannot install IPA server in FIPS mode") + tasks.check_selinux_status() if options.master_password: diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..a2946339c7aeee8529f6ecf8ec4d85c9291fd291 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -485,6 +485,11 @@ def install_check(installer): options = installer filename = installer.replica_file +if os.path.exists('/proc/sys/crypto/fips_enabled'): +with open('/proc/sys/crypto/fips_enabled', 'r') as f: +if f.read().strip() != '0': +sys.exit("Cannot install IPA server in FIPS mode") + tasks.check_selinux_status() if is_ipa_configured(): -- 2.7.4 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode
On Mon, Jun 27, 2016 at 12:38 AM, Florence Blanc-Renaud wrote:
> Hi,
>
> this fix is a port of Bug 1131570 - Do not allow IdM server/replica/client
> installation in a FIPS-140 mode
> It prevents installation of FreeIPA if the host is fips-enabled.
>
> https://fedorahosted.org/freeipa/ticket/5761
>

Shouldn't this be about fixing FreeIPA to allow installation/operation in FIPS mode rather than disabling it? There are many environments where FIPS is required, and FreeIPA should support it.

Gabe
Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode
On 27.6.2016 08:38, Florence Blanc-Renaud wrote: > Hi, > > this fix is a port of Bug 1131570 - Do not allow IdM server/replica/client > installation in a FIPS-140 mode > It prevents installation of FreeIPA if the host is fips-enabled. > > https://fedorahosted.org/freeipa/ticket/5761 > > freeipa-frenaud-0008-Do-not-allow-installation-in-FIPS-mode.patch > > >>From afecbb3d228cf1d6cee59da53bf7a803f030d0b1 Mon Sep 17 00:00:00 2001 > From: Florence Blanc-Renaud > Date: Fri, 24 Jun 2016 16:16:22 +0200 > Subject: [PATCH] Do not allow installation in FIPS mode > > https://fedorahosted.org/freeipa/ticket/5761 > --- > client/ipa-client-install | 4 > install/tools/ipactl | 6 ++ > ipaserver/install/server/install.py| 5 + > ipaserver/install/server/replicainstall.py | 5 + > 4 files changed, 20 insertions(+) > > diff --git a/client/ipa-client-install b/client/ipa-client-install > index > 0a601b63118b0a3568066495837121c65e5df04f..f80ff9c469709ea3b63902610b3b8b5c35448904 > 100755 > --- a/client/ipa-client-install > +++ b/client/ipa-client-install 
> @@ -3064,6 +3064,10 @@ def main(): > > if not os.getegid() == 0: > sys.exit("\nYou must be root to run ipa-client-install.\n") > +if os.path.exists('/proc/sys/crypto/fips_enabled'): > +with open('/proc/sys/crypto/fips_enabled', 'r') as f: Usually it is safer to call open() and catch exception if the file does not exist. The code above has inherent problem with race-conditions between time of check (path.exists) and time of use (open). Of course it is not a problem here because this file is part of kernel's interface but in general please use the try: open() except: form. > +if f.read().strip() != '0': > +sys.exit("Cannot install IPA client in FIPS mode") Personally I would like to see more informative messages. I would recommend something like " is not supported in FIPS mode". In my eyes it is difference between "How do I ...? You dont!" vs "How do I ...? Sorry, we do not support that right now." Sorry for nitpicking! :-) Petr^2 Spacek > tasks.check_selinux_status() > logging_setup(options) > root_logger.debug( > diff --git a/install/tools/ipactl b/install/tools/ipactl > index > 547b21d875dff7231fae8dfc10faf995b0ca230b..9c68fffe73bfdd97789907226f8765c09707d552 > 100755 > --- a/install/tools/ipactl > +++ b/install/tools/ipactl > @@ -545,6 +545,12 @@ def main(): > elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" > and args[0] != "status": > raise IpactlError("Unrecognized action [" + args[0] + "]", 2) > > +if (args[0] in ('start', 'restart') and > +os.path.exists('/proc/sys/crypto/fips_enabled')): > +with open('/proc/sys/crypto/fips_enabled', 'r') as f: > +if f.read().strip() != '0': > +raise IpactlError("Cannot start IPA server in FIPS mode") > + > # check if IPA is configured at all > try: > check_IPA_configuration() > diff --git a/ipaserver/install/server/install.py > b/ipaserver/install/server/install.py > index > 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..0c0683733ef38444a82d085f771596a9b066ef1d > 100644 
> --- a/ipaserver/install/server/install.py > +++ b/ipaserver/install/server/install.py > @@ -319,6 +319,11 @@ def install_check(installer): > external_ca_file = installer._external_ca_file > http_ca_cert = installer._ca_cert > > +if os.path.exists('/proc/sys/crypto/fips_enabled'): > +with open('/proc/sys/crypto/fips_enabled', 'r') as f: > +if f.read().strip() != '0': > +sys.exit("Cannot install IPA server in FIPS mode") > + > tasks.check_selinux_status() > > if options.master_password: > diff --git a/ipaserver/install/server/replicainstall.py > b/ipaserver/install/server/replicainstall.py > index > 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..a2946339c7aeee8529f6ecf8ec4d85c9291fd291 > 100644 > --- a/ipaserver/install/server/replicainstall.py > +++ b/ipaserver/install/server/replicainstall.py > @@ -485,6 +485,11 @@ def install_check(installer): > options = installer > filename = installer.replica_file > > +if os.path.exists('/proc/sys/crypto/fips_enabled'): > +with open('/proc/sys/crypto/fips_enabled', 'r') as f: > +if f.read().strip() != '0': > +sys.exit("Cannot install IPA server in FIPS mode") > + > tasks.check_selinux_status() > > if is_ipa_configured(): > -- 2.7.4 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
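Petr's point above (call open() and handle the failure, rather than os.path.exists() followed by open()) and Martin's later point in this thread (catch a specific exception, not `Exception`) carried into one helper, as an added example; this is not FreeIPA's code and not any revision of the patch under review. `fips_flag_from_text`, `is_fips_enabled_broad` and `probe_constructed_samples` are names chosen here, the files the probe runs against are constructed in a scratch directory, and only `/proc/sys/crypto/fips_enabled` is the real kernel interface the patch reads.

```python
"""Added example (not FreeIPA code): a FIPS-mode probe written the way the
review asks for it: open() first and handle the failure second, and swallow
only the 'file does not exist' error. Sample files are constructed below;
the real /proc interface is only read when run as a script."""
import errno
import os
import tempfile

FIPS_ENABLED_PATH = "/proc/sys/crypto/fips_enabled"  # kernel sysctl, 0 or 1


def fips_flag_from_text(text):
    """Interpret the content of fips_enabled: '0' -> False, '1' -> True.
    Anything else is returned as None so the caller decides, instead of a
    bare `!= '0'` quietly turning an empty or garbled read into 'enabled'."""
    value = text.strip()
    if value == "0":
        return False
    if value == "1":
        return True
    return None


def is_fips_enabled(path=FIPS_ENABLED_PATH):
    """Open first, handle the failure second: no check-then-use window, and
    only ENOENT means 'not FIPS'. EACCES, EISDIR and the like propagate, so
    a broken or unreadable interface is not mistaken for 'FIPS off'.
    (IOError is an alias of OSError on Python 3; both are listed for clarity.)"""
    try:
        with open(path, "r") as f:
            text = f.read()
    except (IOError, OSError) as e:
        if e.errno == errno.ENOENT:
            return False
        raise
    flag = fips_flag_from_text(text)
    if flag is None:
        raise ValueError("unexpected content in %s: %r" % (path, text))
    return flag


def is_fips_enabled_broad(path=FIPS_ENABLED_PATH):
    """The shape the review objected to: `except Exception` reports False for
    every failure, so nothing distinguishes 'no such file' from 'cannot read'."""
    try:
        with open(path, "r") as f:
            if f.read().strip() != "0":
                return True
    except Exception:
        pass
    return False


def probe_constructed_samples():
    """Run both probes against constructed files in a scratch directory
    (stand-ins for /proc, which this never touches) and collect the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        def write(name, content):
            p = os.path.join(scratch, name)
            with open(p, "w") as f:
                f.write(content)
            return p

        results["on"] = is_fips_enabled(write("on", "1\n"))
        results["off"] = is_fips_enabled(write("off", "0\n"))
        results["missing"] = is_fips_enabled(os.path.join(scratch, "absent"))
        # A directory where the file should be: the narrow handler lets the
        # error surface, the broad one hides it behind a misleading 'FIPS off'.
        try:
            is_fips_enabled(scratch)
            results["dir_narrow"] = "no error"
        except OSError:
            results["dir_narrow"] = "error surfaced"
        results["dir_broad"] = is_fips_enabled_broad(scratch)
        # Garbled content is reported instead of guessed at.
        try:
            is_fips_enabled(write("garbled", "maybe\n"))
            results["garbled"] = "no error"
        except ValueError:
            results["garbled"] = "ValueError"
    return results


if __name__ == "__main__":
    print(probe_constructed_samples())
    print("this host:", is_fips_enabled())
```

Run as a script it prints the outcomes for the constructed samples and then probes the host it runs on. The case that matters is the directory one: the narrow handler lets the error surface, while the `except Exception` form answers "FIPS off" for it, which is exactly how a misconfigured interface would let an unsupported installation proceed.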
[Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode
Hi, this fix is a port of Bug 1131570 - Do not allow IdM server/replica/client installation in a FIPS-140 mode It prevents installation of FreeIPA if the host is fips-enabled. https://fedorahosted.org/freeipa/ticket/5761 >From afecbb3d228cf1d6cee59da53bf7a803f030d0b1 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Fri, 24 Jun 2016 16:16:22 +0200 Subject: [PATCH] Do not allow installation in FIPS mode https://fedorahosted.org/freeipa/ticket/5761 --- client/ipa-client-install | 4 install/tools/ipactl | 6 ++ ipaserver/install/server/install.py| 5 + ipaserver/install/server/replicainstall.py | 5 + 4 files changed, 20 insertions(+) diff --git a/client/ipa-client-install b/client/ipa-client-install index 0a601b63118b0a3568066495837121c65e5df04f..f80ff9c469709ea3b63902610b3b8b5c35448904 100755 --- a/client/ipa-client-install +++ b/client/ipa-client-install @@ -3064,6 +3064,10 @@ def main(): if not os.getegid() == 0: sys.exit("\nYou must be root to run ipa-client-install.\n") +if os.path.exists('/proc/sys/crypto/fips_enabled'): +with open('/proc/sys/crypto/fips_enabled', 'r') as f: +if f.read().strip() != '0': +sys.exit("Cannot install IPA client in FIPS mode") tasks.check_selinux_status() logging_setup(options) root_logger.debug( diff --git a/install/tools/ipactl b/install/tools/ipactl index 547b21d875dff7231fae8dfc10faf995b0ca230b..9c68fffe73bfdd97789907226f8765c09707d552 100755 --- a/install/tools/ipactl +++ b/install/tools/ipactl @@ -545,6 +545,12 @@ def main(): elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status": raise IpactlError("Unrecognized action [" + args[0] + "]", 2) +if (args[0] in ('start', 'restart') and +os.path.exists('/proc/sys/crypto/fips_enabled')): +with open('/proc/sys/crypto/fips_enabled', 'r') as f: +if f.read().strip() != '0': +raise IpactlError("Cannot start IPA server in FIPS mode") + # check if IPA is configured at all try: check_IPA_configuration() 
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..0c0683733ef38444a82d085f771596a9b066ef1d 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -319,6 +319,11 @@ def install_check(installer): external_ca_file = installer._external_ca_file http_ca_cert = installer._ca_cert +if os.path.exists('/proc/sys/crypto/fips_enabled'): +with open('/proc/sys/crypto/fips_enabled', 'r') as f: +if f.read().strip() != '0': +sys.exit("Cannot install IPA server in FIPS mode") + tasks.check_selinux_status() if options.master_password: diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..a2946339c7aeee8529f6ecf8ec4d85c9291fd291 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -485,6 +485,11 @@ def install_check(installer): options = installer filename = installer.replica_file +if os.path.exists('/proc/sys/crypto/fips_enabled'): +with open('/proc/sys/crypto/fips_enabled', 'r') as f: +if f.read().strip() != '0': +sys.exit("Cannot install IPA server in FIPS mode") + tasks.check_selinux_status() if is_ipa_configured(): -- 2.7.4 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
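Review bot: the ipa-client-install hunk places `sys.exit(...)` directly above `tasks.check_selinux_status()` with no separating blank line, whereas the ipactl, install.py and replicainstall.py hunks each add one (`+` followed by an empty line); keep the four insertions consistent. Since the same four-line probe is pasted into all four files, one helper returning a bool would also keep the file access and the message wording in a single place.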
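Review bot: in the ipactl hunk, `raise IpactlError("Cannot start IPA server in FIPS mode")` omits the exit code that the adjacent `raise IpactlError("Unrecognized action [" + args[0] + "]", 2)` passes explicitly, so a caller checking ipactl's return status cannot tell the two failures apart; pass an explicit code. Limiting the check to `start`/`restart` is the right scope here: `stop` and `status` should keep working on a host where FIPS was enabled after installation.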
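Review bot: `sys.exit("Cannot install IPA server in FIPS mode")` in `install_check()` of ipaserver/install/server/install.py exits the process from a library module, bypassing the installer's logging and cleanup; raise an exception instead (for instance the `ScriptError` that ipactl imports from ipaserver.install.installutils, or a `RuntimeError`) and let the entry-point script map it to an exit status. The replicainstall.py hunk below has the same `sys.exit` and needs the same change.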