From ec381c10fc6080b1e2594cbee857725c886566d4 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 21 Oct 2014 14:56:28 +0200
Subject: [PATCH] Do not allow installation in FIPS mode
https://bugzilla.redhat.com/show_bug.cgi?id=1131570
---
install/tools/ipa-replica-install | 5 +++++
install/tools/ipa-server-install | 5 +++++
install/tools/ipactl | 6 ++++++
ipa-client/ipa-install/ipa-client-install | 4 ++++
4 files changed, 20 insertions(+)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index d3b520abf635ccc324b74bca31f241960a33d950..70190b718965518803b9767325d58f9526c32f7c 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -457,6 +457,11 @@ def main():
if os.geteuid() != 0:
sys.exit("\nYou must be root to run this script.\n")
+ if os.path.exists('/proc/sys/crypto/fips_enabled'):
+ with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+ if f.read().strip() != '0':
+ sys.exit("Cannot install IPA server in FIPS mode")
+
standard_logging_setup(log_file_name, debug=options.debug)
root_logger.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
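Review bot: The added FIPS probe is the same five lines copied verbatim into four tools (this file, ipa-server-install, ipactl and ipa-client-install), so the policy for what counts as "FIPS enabled" now lives in four places that can drift. A single helper, e.g. `def is_fips_enabled(): ...` in the platform `tasks` module next to `check_selinux_status()` (which the server and client installers already call), would reduce each call site to `if tasks.is_fips_enabled(): sys.exit("Cannot install IPA server in FIPS mode")`; whether `tasks` is imported in this file is not visible in the hunk, so that would need confirming. Note also that the check runs before `standard_logging_setup(...)`, so the refusal only reaches stderr and is never recorded in the install log; placing it after logging setup and emitting `root_logger.error(...)` before the `sys.exit` would leave a trace for whoever debugs the failed install later. The enclosing `main()` starts and ends outside this hunk.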
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 4fd4d8171ab89b805449a6625e9c5ea2d0921fa5..3b748aaab37fa8806ebc7a4983ed97cc8243a9c4 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -662,6 +662,11 @@ def main():
if os.getegid() != 0:
sys.exit("Must be root to set up server")
+ if os.path.exists('/proc/sys/crypto/fips_enabled'):
+ with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+ if f.read().strip() != '0':
+ sys.exit("Cannot install IPA server in FIPS mode")
+
tasks.check_selinux_status()
signal.signal(signal.SIGTERM, signal_handler)
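Review bot: The new guard gives a reader no hint why FIPS mode is refused, and the reason lives only in the patch subject and the bugzilla URL; a comment above the `os.path.exists(...)` line such as `# IPA's crypto stack is not usable under kernel FIPS mode yet; refuse rather than produce a half-working server (bz 1131570)` would keep that rationale with the code. The comparison `f.read().strip() != '0'` treats any unexpected content (including an empty read) as FIPS enabled, which is the right fail-closed direction, and the comment could state that this is deliberate so a later cleanup does not "fix" it into an equality test against `'1'`. On a kernel without the `fips_enabled` sysctl the check is silently skipped, which is consistent with "not in FIPS mode" but worth a word in the same comment. The enclosing `main()` starts and ends outside this hunk.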
diff --git a/install/tools/ipactl b/install/tools/ipactl
index b1b0b6e26fa97cdc953c86eee22e160782b57379..56d24b0dab1770d23348f4c60db62bab3bd508d4 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -480,6 +480,12 @@ def main():
elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
+ if (args[0] in ('start', 'restart') and
+ os.path.exists('/proc/sys/crypto/fips_enabled')):
+ with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+ if f.read().strip() != '0':
+ raise IpactlError("Cannot start IPA server in FIPS mode")
+
# check if IPA is configured at all
try:
check_IPA_configuration()
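Review bot: The FIPS check is placed before `check_IPA_configuration()`, so on a host that is in FIPS mode but has no IPA configured at all, `ipactl start` reports "Cannot start IPA server in FIPS mode" instead of the more accurate not-configured error; moving the new block to just after the `check_IPA_configuration()` call would keep the diagnostics in the expected order. The sibling raise on the line above passes an explicit exit code, `IpactlError("Unrecognized action [...]", 2)`, while the new `raise IpactlError("Cannot start IPA server in FIPS mode")` relies on the constructor's default, which is not visible here; if the intent is a non-zero, distinguishable status, pass it explicitly. The enclosing `main()` continues beyond this hunk.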
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 75a1711a7e1fdc9359ad02d55ad94d65af51ea93..53d969ee0b607a4392a008daebaf3befc0785084 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2865,6 +2865,10 @@ def main():
if not os.getegid() == 0:
sys.exit("\nYou must be root to run ipa-client-install.\n")
+ if os.path.exists('/proc/sys/crypto/fips_enabled'):
+ with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+ if f.read().strip() != '0':
+ sys.exit("Cannot install IPA client in FIPS mode")
tasks.check_selinux_status()
logging_setup(options)
root_logger.debug(
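Review bot: The client check runs before `logging_setup(options)`, so the refusal goes only to stderr via `sys.exit` and never appears in the client install log; moving the four added lines below `logging_setup(options)` and adding `root_logger.error("Cannot install IPA client in FIPS mode")` ahead of the `sys.exit` would record it. Unlike the other three hunks in this patch, the block here is butted directly against `tasks.check_selinux_status()` with no separating blank line, which is a small consistency slip worth fixing in the same move. The enclosing `main()` starts and ends outside this hunk.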
--
2.1.0