From d99f08c6b205edbbf5df68a088296b5fe029b049 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Tue, 21 Oct 2014 14:56:28 +0200
Subject: [PATCH] Do not allow installation in FIPS mode

https://bugzilla.redhat.com/show_bug.cgi?id=1131570
---
 install/tools/ipa-replica-install | 5 +++++
 install/tools/ipa-server-install | 5 +++++
 install/tools/ipactl | 6 ++++++
 ipa-client/ipa-install/ipa-client-install | 4 ++++
 4 files changed, 20 insertions(+)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index d3b520abf635ccc324b74bca31f241960a33d950..70190b718965518803b9767325d58f9526c32f7c 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -457,6 +457,11 @@ def main():
     if os.geteuid() != 0:
         sys.exit("\nYou must be root to run this script.\n")
 
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                sys.exit("Cannot install IPA server in FIPS mode")
+
     standard_logging_setup(log_file_name, debug=options.debug)
     root_logger.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
     root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 4fd4d8171ab89b805449a6625e9c5ea2d0921fa5..3b748aaab37fa8806ebc7a4983ed97cc8243a9c4 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -662,6 +662,11 @@ def main():
     if os.getegid() != 0:
         sys.exit("Must be root to set up server")
 
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                sys.exit("Cannot install IPA server in FIPS mode")
+
     tasks.check_selinux_status()
 
     signal.signal(signal.SIGTERM, signal_handler)
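Review bot: The FIPS probe added after the root check in ipa-replica-install is copied verbatim into the ipa-server-install hunk below and into the ipactl and ipa-client-install hunks, so four call sites now own the sysctl path and the `!= '0'` rule and will drift independently. A single helper next to the platform checks these scripts already call (`tasks.check_selinux_status()` appears in the server and client hunks) keeps the gate in one place, and each call site collapses to `if is_fips_enabled(): sys.exit("Cannot install IPA server in FIPS mode")`. The helper deserves a docstring stating that a missing sysctl is treated as FIPS off while any content other than `'0'` — including unexpected content — fails closed, which is the behaviour the inline checks already have but nowhere state. main() continues outside the hunk.
```python
def is_fips_enabled():
    """Return True when the kernel reports FIPS mode.

    A missing /proc/sys/crypto/fips_enabled means the kernel has no FIPS
    support and is treated as 'off'; any content other than '0' (including
    unexpected content) counts as enabled so the gate fails closed.
    """
    if not os.path.exists('/proc/sys/crypto/fips_enabled'):
        return False
    with open('/proc/sys/crypto/fips_enabled', 'r') as f:
        return f.read().strip() != '0'

# … unchanged: root check in main() …
    if is_fips_enabled():
        sys.exit("Cannot install IPA server in FIPS mode")
```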
diff --git a/install/tools/ipactl b/install/tools/ipactl
index b1b0b6e26fa97cdc953c86eee22e160782b57379..56d24b0dab1770d23348f4c60db62bab3bd508d4 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -480,6 +480,12 @@ def main():
     elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
         raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
 
+    if (args[0] in ('start', 'restart') and
+        os.path.exists('/proc/sys/crypto/fips_enabled')):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                raise IpactlError("Cannot start IPA server in FIPS mode")
+
     # check if IPA is configured at all
     try:
         check_IPA_configuration()
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index b7b3d05b6b6d1c9635084e0c01aa7443bb559db2..82ac1d4db8bf969ba72113bc2802879fea5dcb01 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2874,6 +2874,10 @@ def main():
     if not os.getegid() == 0:
         sys.exit("\nYou must be root to run ipa-client-install.\n")
 
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                sys.exit("Cannot install IPA client in FIPS mode")
     tasks.check_selinux_status()
     logging_setup(options)
     root_logger.debug(
--
2.1.0
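Review bot: The `raise IpactlError("Cannot start IPA server in FIPS mode")` in the new ipactl block passes no return value, while the neighbouring `raise IpactlError("Unrecognized action [" + args[0] + "]", 2)` sets one explicitly, so the exit status of a FIPS refusal depends on IpactlError's default, which is not visible here. If a service unit or wrapper is expected to tell a FIPS refusal from a generic failure, pass the status explicitly as the second argument the way the line above does. The guard also runs only for `start` and `restart`, so `stop` and `status` keep working on a host switched to FIPS after installation; that looks intentional and would be clearer with a comment above the `if`, e.g. `# Refuse to start under kernel FIPS mode; stop/status must keep working so the admin can recover`. main() continues outside the hunk.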
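Review bot: The new block in ipa-client-install is not followed by a blank line, so `tasks.check_selinux_status()` runs straight on from the FIPS guard, unlike the three other hunks in this commit, which each end the guard with an added blank line; adding that blank `+` line keeps the four sites uniform (the diffstat shows this file as the only 4-line addition for that reason). The refusal also happens before `logging_setup(options)`, so, like the root check just above it, the reason goes to stderr only and presumably never reaches the client install log — acceptable if intended, but worth one line such as `# Refuse before logging is configured: the reason is reported on stderr only`. main() continues outside the hunk.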