590d18
From e5e637ffe268e7a8d6fe893baac181bf1f74ee86 Mon Sep 17 00:00:00 2001
e3ffab
From: Jan Cholasta <jcholast@redhat.com>
e3ffab
Date: Tue, 21 Oct 2014 14:56:28 +0200
e3ffab
Subject: [PATCH] Do not allow installation in FIPS mode
e3ffab
e3ffab
https://bugzilla.redhat.com/show_bug.cgi?id=1131570
e3ffab
---
590d18
 install/tools/ipactl                       | 6 ++++++
590d18
 ipa-client/ipa-install/ipa-client-install  | 4 ++++
590d18
 ipaserver/install/server/install.py        | 5 +++++
590d18
 ipaserver/install/server/replicainstall.py | 5 +++++
e3ffab
 4 files changed, 20 insertions(+)
e3ffab
e3ffab
diff --git a/install/tools/ipactl b/install/tools/ipactl
590d18
index acad7ff3771561d5dce530317b65aaf117f153a1..cf906ccbbe5c98013a5f640e90e1f3c9052f19cb 100755
e3ffab
--- a/install/tools/ipactl
e3ffab
+++ b/install/tools/ipactl
590d18
@@ -532,6 +532,12 @@ def main():
e3ffab
     elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
e3ffab
         raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
e3ffab
 
e3ffab
+    if (args[0] in ('start', 'restart') and
e3ffab
+        os.path.exists('/proc/sys/crypto/fips_enabled')):
e3ffab
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
e3ffab
+            if f.read().strip() != '0':
e3ffab
+                raise IpactlError("Cannot start IPA server in FIPS mode")
e3ffab
+
e3ffab
     # check if IPA is configured at all
e3ffab
     try:
e3ffab
         check_IPA_configuration()
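Review bot: The FIPS probe added here is copy-pasted verbatim into ipa-client-install, install.py and replicainstall.py (the three later hunks), so the flag path, the `!= '0'` parsing and any future correction live in four places; move it into one helper alongside `tasks.check_selinux_status()` (which three of the four call sites already use) and have each site call that. The new `raise IpactlError("Cannot start IPA server in FIPS mode")` also passes no exit status, while the `Unrecognized action` raise just above it passes 2; unless IpactlError supplies a default, pass one explicitly so `ipactl start` fails with a defined code in FIPS mode. Keep in mind that `os.path.exists()` followed by `open()` is not atomic and `open()` can still raise (e.g. on EACCES); if the helper catches that, narrow it to ENOENT rather than returning False broadly, since a silent False would let startup or installation proceed on a FIPS host. main() begins and ends outside this hunk.
```python
def is_fips_enabled():
    """Return True when the kernel reports FIPS mode.

    Mirrors the inline checks: a missing flag file means "not FIPS".
    Lives next to check_selinux_status() so all installers share one probe.
    """
    if not os.path.exists('/proc/sys/crypto/fips_enabled'):
        return False
    with open('/proc/sys/crypto/fips_enabled', 'r') as f:
        return f.read().strip() != '0'


# … unchanged: action validation in ipactl main() …
    if args[0] in ('start', 'restart') and tasks.is_fips_enabled():
        raise IpactlError("Cannot start IPA server in FIPS mode", 2)
```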
e3ffab
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
590d18
index 793de4fc950ad73b1d88f9ab4bd5178afc8b813d..37b1547b815cbf08b2e32c6266d073e1635a1c84 100755
e3ffab
--- a/ipa-client/ipa-install/ipa-client-install
e3ffab
+++ b/ipa-client/ipa-install/ipa-client-install
590d18
@@ -3047,6 +3047,10 @@ def main():
e3ffab
 
e3ffab
     if not os.getegid() == 0:
e3ffab
         sys.exit("\nYou must be root to run ipa-client-install.\n")
e3ffab
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
e3ffab
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
e3ffab
+            if f.read().strip() != '0':
e3ffab
+                sys.exit("Cannot install IPA client in FIPS mode")
e3ffab
     tasks.check_selinux_status()
e3ffab
     logging_setup(options)
e3ffab
     root_logger.debug(
590d18
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
590d18
index f62874f085ee3ae478fc769465fe375abc4465e6..67af71011fe16d17ce1db857a1c99b2125a3590d 100644
590d18
--- a/ipaserver/install/server/install.py
590d18
+++ b/ipaserver/install/server/install.py
590d18
@@ -303,6 +303,11 @@ def install_check(installer):
590d18
 
590d18
     dogtag_constants = dogtag.install_constants
590d18
 
590d18
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
590d18
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
590d18
+            if f.read().strip() != '0':
590d18
+                sys.exit("Cannot install IPA server in FIPS mode")
590d18
+
590d18
     tasks.check_selinux_status()
590d18
 
590d18
     if options.master_password:
590d18
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
590d18
index 55c58335c5bbc6993999da4c465e58f4ce3225aa..1994316c1ff066f7e7e615c51ea7157f55a75201 100644
590d18
--- a/ipaserver/install/server/replicainstall.py
590d18
+++ b/ipaserver/install/server/replicainstall.py
590d18
@@ -312,6 +312,11 @@ def install_check(installer):
590d18
     options = installer
590d18
     filename = installer.replica_file
590d18
 
590d18
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
590d18
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
590d18
+            if f.read().strip() != '0':
590d18
+                sys.exit("Cannot install IPA server in FIPS mode")
590d18
+
590d18
     tasks.check_selinux_status()
590d18
 
590d18
     client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
e3ffab
-- 
590d18
2.5.1
e3ffab