rpms / ipa

Clone
Source Code
GIT

Files

  1.   35e84f4e05b37a9f2eb6472a44416cbcc05ba072
  2.   SOURCES
  3.   1009-Do-not-allow-installation-in-FIPS-mode.patch
Blob Blame History Raw 
From 0ea5a5970f7661e240b6ff3ebec4ea2414c47837 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 21 Oct 2014 14:56:28 +0200
Subject: [PATCH] Do not allow installation in FIPS mode

https://bugzilla.redhat.com/show_bug.cgi?id=1131570
---
 install/tools/ipactl                       | 6 ++++++
 ipa-client/ipa-install/ipa-client-install  | 4 ++++
 ipaserver/install/server/install.py        | 5 +++++
 ipaserver/install/server/replicainstall.py | 5 +++++
 4 files changed, 20 insertions(+)

diff --git a/install/tools/ipactl b/install/tools/ipactl
index acad7ff3771561d5dce530317b65aaf117f153a1..cf906ccbbe5c98013a5f640e90e1f3c9052f19cb 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -532,6 +532,12 @@ def main():
     elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
         raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
 
+    if (args[0] in ('start', 'restart') and
+        os.path.exists('/proc/sys/crypto/fips_enabled')):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                raise IpactlError("Cannot start IPA server in FIPS mode")
+
     # check if IPA is configured at all
     try:
         check_IPA_configuration()
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 543c6f027f2312792e7ad33533db8e7c10a3cddb..586b11bdf37cf22f50980d6b84d6dcd12cfd50e7 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -3051,6 +3051,10 @@ def main():
 
     if not os.getegid() == 0:
         sys.exit("\nYou must be root to run ipa-client-install.\n")
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                sys.exit("Cannot install IPA client in FIPS mode")
     tasks.check_selinux_status()
     logging_setup(options)
     root_logger.debug(
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index f62874f085ee3ae478fc769465fe375abc4465e6..67af71011fe16d17ce1db857a1c99b2125a3590d 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -303,6 +303,11 @@ def install_check(installer):
 
     dogtag_constants = dogtag.install_constants
 
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                sys.exit("Cannot install IPA server in FIPS mode")
+
     tasks.check_selinux_status()
 
     if options.master_password:
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 55c58335c5bbc6993999da4c465e58f4ce3225aa..1994316c1ff066f7e7e615c51ea7157f55a75201 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -312,6 +312,11 @@ def install_check(installer):
     options = installer
     filename = installer.replica_file
 
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                sys.exit("Cannot install IPA server in FIPS mode")
+
     tasks.check_selinux_status()
 
     client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
-- 
2.4.3

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation