From d99f08c6b205edbbf5df68a088296b5fe029b049 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 21 Oct 2014 14:56:28 +0200
Subject: [PATCH] Do not allow installation in FIPS mode
https://bugzilla.redhat.com/show_bug.cgi?id=1131570
---
 install/tools/ipa-replica-install         | 5 +++++
 install/tools/ipa-server-install          | 5 +++++
 install/tools/ipactl                      | 6 ++++++
 ipa-client/ipa-install/ipa-client-install | 4 ++++
 4 files changed, 20 insertions(+)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
e3ffab
index d3b520abf635ccc324b74bca31f241960a33d950..70190b718965518803b9767325d58f9526c32f7c 100755
e3ffab
--- a/install/tools/ipa-replica-install
e3ffab
+++ b/install/tools/ipa-replica-install
e3ffab
@@ -457,6 +457,11 @@ def main():
e3ffab
     if os.geteuid() != 0:
e3ffab
         sys.exit("\nYou must be root to run this script.\n")
e3ffab
 
e3ffab
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
e3ffab
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
e3ffab
+            if f.read().strip() != '0':
e3ffab
+                sys.exit("Cannot install IPA server in FIPS mode")
e3ffab
+
e3ffab
     standard_logging_setup(log_file_name, debug=options.debug)
e3ffab
     root_logger.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
e3ffab
     root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
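Review bot: The FIPS probe added after the root check here is copied verbatim into ipa-server-install and ipa-client-install, and with an extra condition into ipactl, so the `/proc/sys/crypto/fips_enabled` path and the `!= '0'` comparison now live in four places that have to be kept in step. A single shared helper would keep the policy in one spot and give it a docstring stating the fail-closed choice: any content other than `0`, including an empty read, is treated as FIPS enabled, while a missing file is treated as disabled. Each call site then shrinks to a two-line guard that keeps its own message. main() starts and ends outside this hunk, and where the helper should live is left to the project's shared install code.

```python
def is_fips_enabled():
    """Return True when the kernel reports FIPS mode as enabled.

    A missing /proc entry means the kernel has no FIPS support (False);
    any content other than '0' is treated as enabled (fail closed).
    """
    path = '/proc/sys/crypto/fips_enabled'
    if not os.path.exists(path):
        return False
    with open(path, 'r') as f:
        return f.read().strip() != '0'

# … unchanged: root check in main() …
    if is_fips_enabled():
        sys.exit("Cannot install IPA server in FIPS mode")
```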
e3ffab
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
e3ffab
index 4fd4d8171ab89b805449a6625e9c5ea2d0921fa5..3b748aaab37fa8806ebc7a4983ed97cc8243a9c4 100755
e3ffab
--- a/install/tools/ipa-server-install
e3ffab
+++ b/install/tools/ipa-server-install
e3ffab
@@ -662,6 +662,11 @@ def main():
e3ffab
     if os.getegid() != 0:
e3ffab
         sys.exit("Must be root to set up server")
e3ffab
 
e3ffab
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
e3ffab
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
e3ffab
+            if f.read().strip() != '0':
e3ffab
+                sys.exit("Cannot install IPA server in FIPS mode")
e3ffab
+
e3ffab
     tasks.check_selinux_status()
e3ffab
 
e3ffab
     signal.signal(signal.SIGTERM, signal_handler)
e3ffab
diff --git a/install/tools/ipactl b/install/tools/ipactl
e3ffab
index b1b0b6e26fa97cdc953c86eee22e160782b57379..56d24b0dab1770d23348f4c60db62bab3bd508d4 100755
e3ffab
--- a/install/tools/ipactl
e3ffab
+++ b/install/tools/ipactl
e3ffab
@@ -480,6 +480,12 @@ def main():
e3ffab
     elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
e3ffab
         raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
e3ffab
 
e3ffab
+    if (args[0] in ('start', 'restart') and
e3ffab
+        os.path.exists('/proc/sys/crypto/fips_enabled')):
e3ffab
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
e3ffab
+            if f.read().strip() != '0':
e3ffab
+                raise IpactlError("Cannot start IPA server in FIPS mode")
e3ffab
+
e3ffab
     # check if IPA is configured at all
e3ffab
     try:
e3ffab
         check_IPA_configuration()
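Review bot: The new `raise IpactlError("Cannot start IPA server in FIPS mode")` passes no return code, while the unrecognized-action raise two lines above passes `2` explicitly; the default is not visible in this hunk, so callers scripting around ipactl cannot tell from here which exit status a FIPS refusal produces. Passing an explicit code, as the neighbouring raise does, would make that contract visible. The guard also covers only `start` and `restart` issued through ipactl, so it presumably does not stop the individual services from being started by other means on a FIPS-enabled host. A short comment such as `# refuse to bring services up on a FIPS-enabled kernel; stop/status stay available` would record why the other actions are exempt. main() continues outside the hunk.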
e3ffab
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
0201d8
index b7b3d05b6b6d1c9635084e0c01aa7443bb559db2..82ac1d4db8bf969ba72113bc2802879fea5dcb01 100755
e3ffab
--- a/ipa-client/ipa-install/ipa-client-install
e3ffab
+++ b/ipa-client/ipa-install/ipa-client-install
0201d8
@@ -2874,6 +2874,10 @@ def main():
e3ffab
 
e3ffab
     if not os.getegid() == 0:
e3ffab
         sys.exit("\nYou must be root to run ipa-client-install.\n")
e3ffab
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
e3ffab
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
e3ffab
+            if f.read().strip() != '0':
e3ffab
+                sys.exit("Cannot install IPA client in FIPS mode")
e3ffab
     tasks.check_selinux_status()
e3ffab
     logging_setup(options)
e3ffab
     root_logger.debug(
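Review bot: The FIPS refusal in this hunk exits before `logging_setup(options)` runs, so it reaches stderr only and, as far as the hunk shows, leaves no entry in the client install log; ipa-replica-install has the same ordering relative to `standard_logging_setup`. For an unattended or kickstart-driven enrolment that makes a FIPS-related failure harder to diagnose afterwards. If the ordering is intentional (matching the root check above it), a comment such as `# checked before logging is configured: the refusal is reported on stderr only` would say so. The added block also runs straight into `tasks.check_selinux_status()` with no blank line, unlike the other three files. main() extends beyond the hunk on both sides.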
-- 
2.1.0