subject:"\[Freeipa\-devel\] \[PATCH\] 0008 Do not allow installation in FIPS mode"

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

2016-06-29 Thread Martin Basti




On 29.06.2016 13:04, Martin Basti wrote:



On 28.06.2016 16:57, Florence Blanc-Renaud wrote:

On 06/28/2016 11:05 AM, Martin Basti wrote:



On 28.06.2016 10:51, Florence Blanc-Renaud wrote:

On 06/27/2016 10:18 PM, Rob Crittenden wrote:

Florence Blanc-Renaud wrote:

Hi all,

thanks for your suggestions. Updated patch attached.
Flo.



The invocation in ipactl should say server, not client.

Otherwise LGTM (untested).

rob


Hi all,

thanks to Rob for catching the typo.
Patch with updated message is attached,
Flo.




Thank you for the patch I have two comments:

1)
+except Exception:
+# Consider that the host is not fips-enabled if the file does
not exist
+pass

exceptions should be as much specific as possible, otherwise it may 
mask

real issues
please use 'except IOError' if you want catch the case that file does
not exist

2)
in replicainstall.py and install.py please raise exception
(RuntimeError) instead of sys.exit() to keep proper logging, 
cleanup, etc.


Sys.exit() should not be used in modules, it is hard to debug etc. It
can be used only in scripts (ipa-client-install, ipa-replica-manage, 
etc..)


Martin^2


Hi,

hopefully converging with this updated patch :)
Thanks for all the comments, I'm learning tips with each iteration.

Flo.

I propose following changes (in attached patch). If you agree I can 
squash patches and push it.


Martin^2




ACK

pushed to
master:
* 3c40d3aa9e3d431be1e625aa91cdcbeffd0d1271 Do not allow installation in 
FIPS mode


ipa-4-3:
* 4ce0ff61a8e46de4a2f2dfca41610323f9569d8a Do not allow installation in 
FIPS mode
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

2016-06-29 Thread Florence Blanc-Renaud


On 06/29/2016 01:04 PM, Martin Basti wrote:



On 28.06.2016 16:57, Florence Blanc-Renaud wrote:

On 06/28/2016 11:05 AM, Martin Basti wrote:



On 28.06.2016 10:51, Florence Blanc-Renaud wrote:

On 06/27/2016 10:18 PM, Rob Crittenden wrote:

Florence Blanc-Renaud wrote:

Hi all,

thanks for your suggestions. Updated patch attached.
Flo.



The invocation in ipactl should say server, not client.

Otherwise LGTM (untested).

rob


Hi all,

thanks to Rob for catching the typo.
Patch with updated message is attached,
Flo.




Thank you for the patch I have two comments:

1)
+except Exception:
+# Consider that the host is not fips-enabled if the file does
not exist
+pass

exceptions should be as much specific as possible, otherwise it may mask
real issues
please use 'except IOError' if you want catch the case that file does
not exist

2)
in replicainstall.py and install.py please raise exception
(RuntimeError) instead of sys.exit() to keep proper logging, cleanup,
etc.

Sys.exit() should not be used in modules, it is hard to debug etc. It
can be used only in scripts (ipa-client-install, ipa-replica-manage,
etc..)

Martin^2


Hi,

hopefully converging with this updated patch :)
Thanks for all the comments, I'm learning tips with each iteration.

Flo.


I propose following changes (in attached patch). If you agree I can
squash patches and push it.

Martin^2


Hi Martin,

thanks for the proposal, OK for me.
Flo.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

2016-06-29 Thread Martin Basti




On 28.06.2016 16:57, Florence Blanc-Renaud wrote:

On 06/28/2016 11:05 AM, Martin Basti wrote:



On 28.06.2016 10:51, Florence Blanc-Renaud wrote:

On 06/27/2016 10:18 PM, Rob Crittenden wrote:

Florence Blanc-Renaud wrote:

Hi all,

thanks for your suggestions. Updated patch attached.
Flo.



The invocation in ipactl should say server, not client.

Otherwise LGTM (untested).

rob


Hi all,

thanks to Rob for catching the typo.
Patch with updated message is attached,
Flo.




Thank you for the patch I have two comments:

1)
+except Exception:
+# Consider that the host is not fips-enabled if the file does
not exist
+pass

exceptions should be as much specific as possible, otherwise it may mask
real issues
please use 'except IOError' if you want catch the case that file does
not exist

2)
in replicainstall.py and install.py please raise exception
(RuntimeError) instead of sys.exit() to keep proper logging, cleanup, 
etc.


Sys.exit() should not be used in modules, it is hard to debug etc. It
can be used only in scripts (ipa-client-install, ipa-replica-manage, 
etc..)


Martin^2


Hi,

hopefully converging with this updated patch :)
Thanks for all the comments, I'm learning tips with each iteration.

Flo.

I propose following changes (in attached patch). If you agree I can 
squash patches and push it.


Martin^2
From a3e91642a83877f45708094f391104fbcb894fd4 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 29 Jun 2016 13:02:59 +0200
Subject: [PATCH] FIPS: reviewer proposed changes

---
 ipaplatform/base/paths.py | 1 +
 ipapython/ipautil.py  | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index dddefea0b558010ac24334d041201a80a05587be..d6fbe32f6839a5db40148777132ba1454cbc3382 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -134,6 +134,7 @@ class BasePathNamespace(object):
 SYSTEMD_PKI_TOMCAT_SERVICE = "/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service"
 DNSSEC_TRUSTED_KEY = "/etc/trusted-key.key"
 HOME_DIR = "/home"
+PROC_FIPS_ENABLED = "/proc/sys/crypto/fips_enabled"
 ROOT_IPA_CACHE = "/root/.ipa_cache"
 ROOT_PKI = "/root/.pki"
 DOGTAG_ADMIN_P12 = "/root/ca-agent.p12"
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 4ef9770e92c3ba86ffa5c6523268475a026705d0..c7e20c5102efaa006c10d4c3af849bc259da43e7 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1440,7 +1440,7 @@ def is_fips_enabled():
 the function returns False.
 """
 try:
-with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+with open(paths.PROC_FIPS_ENABLED, 'r') as f:
 if f.read().strip() != '0':
 return True
 except IOError:
-- 
2.5.5

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

2016-06-28 Thread Florence Blanc-Renaud


On 06/28/2016 11:05 AM, Martin Basti wrote:



On 28.06.2016 10:51, Florence Blanc-Renaud wrote:

On 06/27/2016 10:18 PM, Rob Crittenden wrote:

Florence Blanc-Renaud wrote:

Hi all,

thanks for your suggestions. Updated patch attached.
Flo.



The invocation in ipactl should say server, not client.

Otherwise LGTM (untested).

rob


Hi all,

thanks to Rob for catching the typo.
Patch with updated message is attached,
Flo.




Thank you for the patch I have two comments:

1)
+except Exception:
+# Consider that the host is not fips-enabled if the file does
not exist
+pass

exceptions should be as much specific as possible, otherwise it may mask
real issues
please use 'except IOError' if you want catch the case that file does
not exist

2)
in replicainstall.py and install.py please raise exception
(RuntimeError) instead of sys.exit() to keep proper logging, cleanup, etc.

Sys.exit() should not be used in modules, it is hard to debug etc. It
can be used only in scripts (ipa-client-install, ipa-replica-manage, etc..)

Martin^2


Hi,

hopefully converging with this updated patch :)
Thanks for all the comments, I'm learning tips with each iteration.

Flo.

>From 09f028c0342da5fee5e300dbdd193b7f2a1d1140 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Mon, 27 Jun 2016 10:23:14 +0200
Subject: [PATCH] Do not allow installation in FIPS mode

https://fedorahosted.org/freeipa/ticket/5761
---
 client/ipa-client-install  |  5 -
 install/tools/ipactl   |  6 +-
 ipapython/ipautil.py   | 19 +++
 ipaserver/install/server/install.py|  7 ++-
 ipaserver/install/server/replicainstall.py |  4 
 5 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 0a601b63118b0a3568066495837121c65e5df04f..64d2b3de9b3ea20addd3f6f1a64389680c8288ab 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -45,7 +45,7 @@ try:
 import ipaclient.ntpconf
 from ipapython.ipautil import (
 run, user_input, CalledProcessError, file_exists, dir_exists,
-realm_to_suffix)
+realm_to_suffix, is_fips_enabled)
 from ipaplatform.tasks import tasks
 from ipaplatform import services
 from ipaplatform.paths import paths
@@ -3064,6 +3064,9 @@ def main():
 
 if not os.getegid() == 0:
 sys.exit("\nYou must be root to run ipa-client-install.\n")
+if is_fips_enabled():
+sys.exit("Installing IPA client in FIPS mode is not supported")
+
 tasks.check_selinux_status()
 logging_setup(options)
 root_logger.debug(
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 547b21d875dff7231fae8dfc10faf995b0ca230b..e6a1b5a2299ea0f6ff91b7536e82ac9872ed88b0 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -31,7 +31,8 @@ from ipaserver.install.dsinstance import config_dirname
 from ipaserver.install.installutils import is_ipa_configured, ScriptError
 from ipalib import api, errors
 from ipapython.ipaldap import IPAdmin
-from ipapython.ipautil import wait_for_open_ports, wait_for_open_socket
+from ipapython.ipautil import (
+wait_for_open_ports, wait_for_open_socket, is_fips_enabled)
 from ipapython import config
 from ipaplatform.tasks import tasks
 from ipapython.dn import DN
@@ -545,6 +546,9 @@ def main():
 elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
 raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
 
+if is_fips_enabled():
+raise IpactlError("Starting IPA server in FIPS mode is not supported")
+
 # check if IPA is configured at all
 try:
 check_IPA_configuration()
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 34e05d36698e58aec0fae8ee9679e904709f2379..4ef9770e92c3ba86ffa5c6523268475a026705d0 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1428,3 +1428,22 @@ if six.PY2:
 type(value).__name__))
 else:
 fsdecode = os.fsdecode  #pylint: disable=no-member
+
+
+def is_fips_enabled():
+"""
+Checks whether this host is FIPS-enabled.
+
+Returns a boolean indicating if the host is FIPS-enabled, i.e. if the
+file /proc/sys/crypto/fips_enabled contains a non-0 value. Otherwise,
+or if the file /proc/sys/crypto/fips_enabled does not exist,
+the function returns False.
+"""
+try:
+with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+if f.read().strip() != '0':
+return True
+except IOError:
+# Consider that the host is not fips-enabled if the file does not exist
+pass
+return False
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..f0e89ae484b3106afaf325eef1020ec97f313438 100644
--- a/ipaserver/install/server/install.py
+++

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

2016-06-28 Thread Martin Basti




On 28.06.2016 10:51, Florence Blanc-Renaud wrote:

On 06/27/2016 10:18 PM, Rob Crittenden wrote:

Florence Blanc-Renaud wrote:

Hi all,

thanks for your suggestions. Updated patch attached.
Flo.



The invocation in ipactl should say server, not client.

Otherwise LGTM (untested).

rob


Hi all,

thanks to Rob for catching the typo.
Patch with updated message is attached,
Flo.




Thank you for the patch I have two comments:

1)
+except Exception:
+# Consider that the host is not fips-enabled if the file does 
not exist

+pass

exceptions should be as much specific as possible, otherwise it may mask 
real issues
please use 'except IOError' if you want catch the case that file does 
not exist


2)
in replicainstall.py and install.py please raise exception 
(RuntimeError) instead of sys.exit() to keep proper logging, cleanup, etc.


Sys.exit() should not be used in modules, it is hard to debug etc. It 
can be used only in scripts (ipa-client-install, ipa-replica-manage, etc..)


Martin^2
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

2016-06-28 Thread Florence Blanc-Renaud


On 06/27/2016 10:18 PM, Rob Crittenden wrote:

Florence Blanc-Renaud wrote:

Hi all,

thanks for your suggestions. Updated patch attached.
Flo.



The invocation in ipactl should say server, not client.

Otherwise LGTM (untested).

rob


Hi all,

thanks to Rob for catching the typo.
Patch with updated message is attached,
Flo.
>From efc282fddd2d7ee87bf07e5b1a7fdaa035df7caa Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Mon, 27 Jun 2016 10:23:14 +0200
Subject: [PATCH] Do not allow installation in FIPS mode

https://fedorahosted.org/freeipa/ticket/5761
---
 client/ipa-client-install  |  5 -
 install/tools/ipactl   |  6 +-
 ipapython/ipautil.py   | 19 +++
 ipaserver/install/server/install.py|  6 +-
 ipaserver/install/server/replicainstall.py |  3 +++
 5 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 0a601b63118b0a3568066495837121c65e5df04f..64d2b3de9b3ea20addd3f6f1a64389680c8288ab 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -45,7 +45,7 @@ try:
 import ipaclient.ntpconf
 from ipapython.ipautil import (
 run, user_input, CalledProcessError, file_exists, dir_exists,
-realm_to_suffix)
+realm_to_suffix, is_fips_enabled)
 from ipaplatform.tasks import tasks
 from ipaplatform import services
 from ipaplatform.paths import paths
@@ -3064,6 +3064,9 @@ def main():
 
 if not os.getegid() == 0:
 sys.exit("\nYou must be root to run ipa-client-install.\n")
+if is_fips_enabled():
+sys.exit("Installing IPA client in FIPS mode is not supported")
+
 tasks.check_selinux_status()
 logging_setup(options)
 root_logger.debug(
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 547b21d875dff7231fae8dfc10faf995b0ca230b..e6a1b5a2299ea0f6ff91b7536e82ac9872ed88b0 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -31,7 +31,8 @@ from ipaserver.install.dsinstance import config_dirname
 from ipaserver.install.installutils import is_ipa_configured, ScriptError
 from ipalib import api, errors
 from ipapython.ipaldap import IPAdmin
-from ipapython.ipautil import wait_for_open_ports, wait_for_open_socket
+from ipapython.ipautil import (
+wait_for_open_ports, wait_for_open_socket, is_fips_enabled)
 from ipapython import config
 from ipaplatform.tasks import tasks
 from ipapython.dn import DN
@@ -545,6 +546,9 @@ def main():
 elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
 raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
 
+if is_fips_enabled():
+raise IpactlError("Starting IPA server in FIPS mode is not supported")
+
 # check if IPA is configured at all
 try:
 check_IPA_configuration()
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 34e05d36698e58aec0fae8ee9679e904709f2379..14fbf7b5156c0ed58634410d944ae6bc225b9b9c 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1428,3 +1428,22 @@ if six.PY2:
 type(value).__name__))
 else:
 fsdecode = os.fsdecode  #pylint: disable=no-member
+
+
+def is_fips_enabled():
+"""
+Checks whether this host is FIPS-enabled.
+
+Returns a boolean indicating if the host is FIPS-enabled, i.e. if the
+file /proc/sys/crypto/fips_enabled contains a non-0 value. Otherwise,
+or if the file /proc/sys/crypto/fips_enabled does not exist,
+the function returns False.
+"""
+try:
+with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+if f.read().strip() != '0':
+return True
+except Exception:
+# Consider that the host is not fips-enabled if the file does not exist
+pass
+return False
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..5dfd9fabee19e9b9535782139bbb4d0dc27fd495 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -22,7 +22,8 @@ from ipapython.install.common import step
 from ipapython.install.core import Knob
 from ipapython.ipa_log_manager import root_logger
 from ipapython.ipautil import (
-decrypt_file, format_netloc, ipa_generate_password, run, user_input)
+decrypt_file, format_netloc, ipa_generate_password, run, user_input,
+is_fips_enabled)
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipaplatform.tasks import tasks
@@ -319,6 +320,9 @@ def install_check(installer):
 external_ca_file = installer._external_ca_file
 http_ca_cert = installer._ca_cert
 
+if is_fips_enabled():
+sys.exit("Installing IPA server in FIPS mode is not supported")
+
 tasks.check_selinux_status()
 
 if options.master_password:
diff --git

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

2016-06-27 Thread Rob Crittenden


Florence Blanc-Renaud wrote:

Hi all,

thanks for your suggestions. Updated patch attached.
Flo.



The invocation in ipactl should say server, not client.

Otherwise LGTM (untested).

rob

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

2016-06-27 Thread Florence Blanc-Renaud


On 06/27/2016 03:55 PM, Rob Crittenden wrote:

Petr Spacek wrote:

On 27.6.2016 08:38, Florence Blanc-Renaud wrote:

Hi,

this fix is a port of Bug 1131570 - Do not allow IdM
server/replica/client
installation in a FIPS-140 mode
It prevents installation of FreeIPA if the host is fips-enabled.

https://fedorahosted.org/freeipa/ticket/5761

freeipa-frenaud-0008-Do-not-allow-installation-in-FIPS-mode.patch


>From afecbb3d228cf1d6cee59da53bf7a803f030d0b1 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Fri, 24 Jun 2016 16:16:22 +0200
Subject: [PATCH] Do not allow installation in FIPS mode

https://fedorahosted.org/freeipa/ticket/5761
---
  client/ipa-client-install  | 4 
  install/tools/ipactl   | 6 ++
  ipaserver/install/server/install.py| 5 +
  ipaserver/install/server/replicainstall.py | 5 +
  4 files changed, 20 insertions(+)

diff --git a/client/ipa-client-install b/client/ipa-client-install
index
0a601b63118b0a3568066495837121c65e5df04f..f80ff9c469709ea3b63902610b3b8b5c35448904
100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -3064,6 +3064,10 @@ def main():

  if not os.getegid() == 0:
  sys.exit("\nYou must be root to run ipa-client-install.\n")
+if os.path.exists('/proc/sys/crypto/fips_enabled'):
+with open('/proc/sys/crypto/fips_enabled', 'r') as f:


Usually it is safer to call open() and catch exception if the file
does not
exist. The code above has inherent problem with race-conditions
between time
of check (path.exists) and time of use (open).

Of course it is not a problem here because this file is part of kernel's
interface but in general please use the try: open() except: form.


+if f.read().strip() != '0':
+sys.exit("Cannot install IPA client in FIPS mode")


Personally I would like to see more informative messages.

I would recommend something like " is not supported in FIPS
mode".

In my eyes it is difference between "How do I ...? You dont!" vs "How
do I
...? Sorry, we do not support that right now."


Given that this code is duplicated 4 times I'd also move it to a
function in ipapython, is_fips_enabled() or something .

rob




Sorry for nitpicking! :-)

Petr^2 Spacek




  tasks.check_selinux_status()
  logging_setup(options)
  root_logger.debug(
diff --git a/install/tools/ipactl b/install/tools/ipactl
index
547b21d875dff7231fae8dfc10faf995b0ca230b..9c68fffe73bfdd97789907226f8765c09707d552
100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -545,6 +545,12 @@ def main():
  elif args[0] != "start" and args[0] != "stop" and args[0] !=
"restart" and args[0] != "status":
  raise IpactlError("Unrecognized action [" + args[0] + "]", 2)

+if (args[0] in ('start', 'restart') and
+os.path.exists('/proc/sys/crypto/fips_enabled')):
+with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+if f.read().strip() != '0':
+raise IpactlError("Cannot start IPA server in FIPS
mode")
+
  # check if IPA is configured at all
  try:
  check_IPA_configuration()
diff --git a/ipaserver/install/server/install.py
b/ipaserver/install/server/install.py
index
930cca7b31ca06c04ab92deff49b6a4f198c2b6e..0c0683733ef38444a82d085f771596a9b066ef1d
100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -319,6 +319,11 @@ def install_check(installer):
  external_ca_file = installer._external_ca_file
  http_ca_cert = installer._ca_cert

+if os.path.exists('/proc/sys/crypto/fips_enabled'):
+with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+if f.read().strip() != '0':
+sys.exit("Cannot install IPA server in FIPS mode")
+
  tasks.check_selinux_status()

  if options.master_password:
diff --git a/ipaserver/install/server/replicainstall.py
b/ipaserver/install/server/replicainstall.py
index
52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..a2946339c7aeee8529f6ecf8ec4d85c9291fd291
100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -485,6 +485,11 @@ def install_check(installer):
  options = installer
  filename = installer.replica_file

+if os.path.exists('/proc/sys/crypto/fips_enabled'):
+with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+if f.read().strip() != '0':
+sys.exit("Cannot install IPA server in FIPS mode")
+
  tasks.check_selinux_status()

  if is_ipa_configured():
-- 2.7.4





Hi all,

thanks for your suggestions. Updated patch attached.
Flo.

>From 26d77345490711934cf7a63bb0cef670b3e5c85c Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Mon, 27 Jun 2016 10:23:14 +0200
Subject: [PATCH] Do not allow installation in FIPS mode

https://fedorahosted.org/freeipa/ticket/5761
---
 client/ipa-client-install  |  5

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

2016-06-27 Thread Rob Crittenden


Gabe Alford wrote:

On Mon, Jun 27, 2016 at 12:38 AM, Florence Blanc-Renaud
> wrote:

Hi,

this fix is a port of Bug 1131570 - Do not allow IdM
server/replica/client installation in a FIPS-140 mode
It prevents installation of FreeIPA if the host is fips-enabled.

https://fedorahosted.org/freeipa/ticket/5761


Shouldn't this be about fixing FreeIPA to allow installation/operation
in FIPS mode rather than disabling it? There are many environments where
FIPS is required, and FreeIPA should support it.


This is a stop-gap measure to provide users with reasonable feedback on 
the current state of things.


Getting FIPS working, particularly in the server, is a somewhat 
non-trivial task.


rob

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

2016-06-27 Thread Rob Crittenden


Petr Spacek wrote:

On 27.6.2016 08:38, Florence Blanc-Renaud wrote:

Hi,

this fix is a port of Bug 1131570 - Do not allow IdM server/replica/client
installation in a FIPS-140 mode
It prevents installation of FreeIPA if the host is fips-enabled.

https://fedorahosted.org/freeipa/ticket/5761

freeipa-frenaud-0008-Do-not-allow-installation-in-FIPS-mode.patch


>From afecbb3d228cf1d6cee59da53bf7a803f030d0b1 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Fri, 24 Jun 2016 16:16:22 +0200
Subject: [PATCH] Do not allow installation in FIPS mode

https://fedorahosted.org/freeipa/ticket/5761
---
  client/ipa-client-install  | 4 
  install/tools/ipactl   | 6 ++
  ipaserver/install/server/install.py| 5 +
  ipaserver/install/server/replicainstall.py | 5 +
  4 files changed, 20 insertions(+)

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 
0a601b63118b0a3568066495837121c65e5df04f..f80ff9c469709ea3b63902610b3b8b5c35448904
 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -3064,6 +3064,10 @@ def main():

  if not os.getegid() == 0:
  sys.exit("\nYou must be root to run ipa-client-install.\n")
+if os.path.exists('/proc/sys/crypto/fips_enabled'):
+with open('/proc/sys/crypto/fips_enabled', 'r') as f:


Usually it is safer to call open() and catch exception if the file does not
exist. The code above has inherent problem with race-conditions between time
of check (path.exists) and time of use (open).

Of course it is not a problem here because this file is part of kernel's
interface but in general please use the try: open() except: form.


+if f.read().strip() != '0':
+sys.exit("Cannot install IPA client in FIPS mode")


Personally I would like to see more informative messages.

I would recommend something like " is not supported in FIPS mode".

In my eyes it is difference between "How do I ...? You dont!" vs "How do I
...? Sorry, we do not support that right now."


Given that this code is duplicated 4 times I'd also move it to a 
function in ipapython, is_fips_enabled() or something .


rob




Sorry for nitpicking! :-)

Petr^2 Spacek




  tasks.check_selinux_status()
  logging_setup(options)
  root_logger.debug(
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 
547b21d875dff7231fae8dfc10faf995b0ca230b..9c68fffe73bfdd97789907226f8765c09707d552
 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -545,6 +545,12 @@ def main():
  elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] 
!= "status":
  raise IpactlError("Unrecognized action [" + args[0] + "]", 2)

+if (args[0] in ('start', 'restart') and
+os.path.exists('/proc/sys/crypto/fips_enabled')):
+with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+if f.read().strip() != '0':
+raise IpactlError("Cannot start IPA server in FIPS mode")
+
  # check if IPA is configured at all
  try:
  check_IPA_configuration()
diff --git a/ipaserver/install/server/install.py 
b/ipaserver/install/server/install.py
index 
930cca7b31ca06c04ab92deff49b6a4f198c2b6e..0c0683733ef38444a82d085f771596a9b066ef1d
 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -319,6 +319,11 @@ def install_check(installer):
  external_ca_file = installer._external_ca_file
  http_ca_cert = installer._ca_cert

+if os.path.exists('/proc/sys/crypto/fips_enabled'):
+with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+if f.read().strip() != '0':
+sys.exit("Cannot install IPA server in FIPS mode")
+
  tasks.check_selinux_status()

  if options.master_password:
diff --git a/ipaserver/install/server/replicainstall.py 
b/ipaserver/install/server/replicainstall.py
index 
52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..a2946339c7aeee8529f6ecf8ec4d85c9291fd291
 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -485,6 +485,11 @@ def install_check(installer):
  options = installer
  filename = installer.replica_file

+if os.path.exists('/proc/sys/crypto/fips_enabled'):
+with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+if f.read().strip() != '0':
+sys.exit("Cannot install IPA server in FIPS mode")
+
  tasks.check_selinux_status()

  if is_ipa_configured():
-- 2.7.4




--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

2016-06-27 Thread Gabe Alford

On Mon, Jun 27, 2016 at 12:38 AM, Florence Blanc-Renaud 
wrote:

> Hi,
>
> this fix is a port of Bug 1131570 - Do not allow IdM server/replica/client
> installation in a FIPS-140 mode
> It prevents installation of FreeIPA if the host is fips-enabled.
>
> https://fedorahosted.org/freeipa/ticket/5761
>

Shouldn't this be about fixing FreeIPA to allow installation/operation in
FIPS mode rather than disabling it? There are many environments where FIPS
is required, and FreeIPA should support it.

Gabe
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

2016-06-27 Thread Petr Spacek

On 27.6.2016 08:38, Florence Blanc-Renaud wrote:
> Hi,
> 
> this fix is a port of Bug 1131570 - Do not allow IdM server/replica/client
> installation in a FIPS-140 mode
> It prevents installation of FreeIPA if the host is fips-enabled.
> 
> https://fedorahosted.org/freeipa/ticket/5761
> 
> freeipa-frenaud-0008-Do-not-allow-installation-in-FIPS-mode.patch
> 
> 
>>From afecbb3d228cf1d6cee59da53bf7a803f030d0b1 Mon Sep 17 00:00:00 2001
> From: Florence Blanc-Renaud 
> Date: Fri, 24 Jun 2016 16:16:22 +0200
> Subject: [PATCH] Do not allow installation in FIPS mode
> 
> https://fedorahosted.org/freeipa/ticket/5761
> ---
>  client/ipa-client-install  | 4 
>  install/tools/ipactl   | 6 ++
>  ipaserver/install/server/install.py| 5 +
>  ipaserver/install/server/replicainstall.py | 5 +
>  4 files changed, 20 insertions(+)
> 
> diff --git a/client/ipa-client-install b/client/ipa-client-install
> index 
> 0a601b63118b0a3568066495837121c65e5df04f..f80ff9c469709ea3b63902610b3b8b5c35448904
>  100755
> --- a/client/ipa-client-install
> +++ b/client/ipa-client-install
> @@ -3064,6 +3064,10 @@ def main():
>  
>  if not os.getegid() == 0:
>  sys.exit("\nYou must be root to run ipa-client-install.\n")
> +if os.path.exists('/proc/sys/crypto/fips_enabled'):
> +with open('/proc/sys/crypto/fips_enabled', 'r') as f:

Usually it is safer to call open() and catch exception if the file does not
exist. The code above has inherent problem with race-conditions between time
of check (path.exists) and time of use (open).

Of course it is not a problem here because this file is part of kernel's
interface but in general please use the try: open() except: form.

> +if f.read().strip() != '0':
> +sys.exit("Cannot install IPA client in FIPS mode")

Personally I would like to see more informative messages.

I would recommend something like " is not supported in FIPS mode".

In my eyes it is difference between "How do I ...? You dont!" vs "How do I
...? Sorry, we do not support that right now."


Sorry for nitpicking! :-)

Petr^2 Spacek



>  tasks.check_selinux_status()
>  logging_setup(options)
>  root_logger.debug(
> diff --git a/install/tools/ipactl b/install/tools/ipactl
> index 
> 547b21d875dff7231fae8dfc10faf995b0ca230b..9c68fffe73bfdd97789907226f8765c09707d552
>  100755
> --- a/install/tools/ipactl
> +++ b/install/tools/ipactl
> @@ -545,6 +545,12 @@ def main():
>  elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" 
> and args[0] != "status":
>  raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
>  
> +if (args[0] in ('start', 'restart') and
> +os.path.exists('/proc/sys/crypto/fips_enabled')):
> +with open('/proc/sys/crypto/fips_enabled', 'r') as f:
> +if f.read().strip() != '0':
> +raise IpactlError("Cannot start IPA server in FIPS mode")
> +
>  # check if IPA is configured at all
>  try:
>  check_IPA_configuration()
> diff --git a/ipaserver/install/server/install.py 
> b/ipaserver/install/server/install.py
> index 
> 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..0c0683733ef38444a82d085f771596a9b066ef1d
>  100644
> --- a/ipaserver/install/server/install.py
> +++ b/ipaserver/install/server/install.py
> @@ -319,6 +319,11 @@ def install_check(installer):
>  external_ca_file = installer._external_ca_file
>  http_ca_cert = installer._ca_cert
>  
> +if os.path.exists('/proc/sys/crypto/fips_enabled'):
> +with open('/proc/sys/crypto/fips_enabled', 'r') as f:
> +if f.read().strip() != '0':
> +sys.exit("Cannot install IPA server in FIPS mode")
> +
>  tasks.check_selinux_status()
>  
>  if options.master_password:
> diff --git a/ipaserver/install/server/replicainstall.py 
> b/ipaserver/install/server/replicainstall.py
> index 
> 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..a2946339c7aeee8529f6ecf8ec4d85c9291fd291
>  100644
> --- a/ipaserver/install/server/replicainstall.py
> +++ b/ipaserver/install/server/replicainstall.py
> @@ -485,6 +485,11 @@ def install_check(installer):
>  options = installer
>  filename = installer.replica_file
>  
> +if os.path.exists('/proc/sys/crypto/fips_enabled'):
> +with open('/proc/sys/crypto/fips_enabled', 'r') as f:
> +if f.read().strip() != '0':
> +sys.exit("Cannot install IPA server in FIPS mode")
> +
>  tasks.check_selinux_status()
>  
>  if is_ipa_configured():
> -- 2.7.4

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

2016-06-27 Thread Florence Blanc-Renaud


Hi,

this fix is a port of Bug 1131570 - Do not allow IdM 
server/replica/client installation in a FIPS-140 mode

It prevents installation of FreeIPA if the host is fips-enabled.

https://fedorahosted.org/freeipa/ticket/5761
>From afecbb3d228cf1d6cee59da53bf7a803f030d0b1 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Fri, 24 Jun 2016 16:16:22 +0200
Subject: [PATCH] Do not allow installation in FIPS mode

https://fedorahosted.org/freeipa/ticket/5761
---
 client/ipa-client-install  | 4 
 install/tools/ipactl   | 6 ++
 ipaserver/install/server/install.py| 5 +
 ipaserver/install/server/replicainstall.py | 5 +
 4 files changed, 20 insertions(+)

diff --git a/client/ipa-client-install b/client/ipa-client-install
index 0a601b63118b0a3568066495837121c65e5df04f..f80ff9c469709ea3b63902610b3b8b5c35448904 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -3064,6 +3064,10 @@ def main():
 
 if not os.getegid() == 0:
 sys.exit("\nYou must be root to run ipa-client-install.\n")
+if os.path.exists('/proc/sys/crypto/fips_enabled'):
+with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+if f.read().strip() != '0':
+sys.exit("Cannot install IPA client in FIPS mode")
 tasks.check_selinux_status()
 logging_setup(options)
 root_logger.debug(
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 547b21d875dff7231fae8dfc10faf995b0ca230b..9c68fffe73bfdd97789907226f8765c09707d552 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -545,6 +545,12 @@ def main():
 elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
 raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
 
+if (args[0] in ('start', 'restart') and
+os.path.exists('/proc/sys/crypto/fips_enabled')):
+with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+if f.read().strip() != '0':
+raise IpactlError("Cannot start IPA server in FIPS mode")
+
 # check if IPA is configured at all
 try:
 check_IPA_configuration()
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..0c0683733ef38444a82d085f771596a9b066ef1d 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -319,6 +319,11 @@ def install_check(installer):
 external_ca_file = installer._external_ca_file
 http_ca_cert = installer._ca_cert
 
+if os.path.exists('/proc/sys/crypto/fips_enabled'):
+with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+if f.read().strip() != '0':
+sys.exit("Cannot install IPA server in FIPS mode")
+
 tasks.check_selinux_status()
 
 if options.master_password:
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..a2946339c7aeee8529f6ecf8ec4d85c9291fd291 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -485,6 +485,11 @@ def install_check(installer):
 options = installer
 filename = installer.replica_file
 
+if os.path.exists('/proc/sys/crypto/fips_enabled'):
+with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+if f.read().strip() != '0':
+sys.exit("Cannot install IPA server in FIPS mode")
+
 tasks.check_selinux_status()
 
 if is_ipa_configured():
-- 
2.7.4

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

[Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

13 matches

Site Navigation

Mail list logo

Footer information