From 0ea5a5970f7661e240b6ff3ebec4ea2414c47837 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 21 Oct 2014 14:56:28 +0200
Subject: [PATCH] Do not allow installation in FIPS mode
https://bugzilla.redhat.com/show_bug.cgi?id=1131570
---
install/tools/ipactl | 6 ++++++
ipa-client/ipa-install/ipa-client-install | 4 ++++
ipaserver/install/server/install.py | 5 +++++
ipaserver/install/server/replicainstall.py | 5 +++++
4 files changed, 20 insertions(+)
diff --git a/install/tools/ipactl b/install/tools/ipactl
index acad7ff3771561d5dce530317b65aaf117f153a1..cf906ccbbe5c98013a5f640e90e1f3c9052f19cb 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -532,6 +532,12 @@ def main():
elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
+ if (args[0] in ('start', 'restart') and
+ os.path.exists('/proc/sys/crypto/fips_enabled')):
+ with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+ if f.read().strip() != '0':
+ raise IpactlError("Cannot start IPA server in FIPS mode")
+
# check if IPA is configured at all
try:
check_IPA_configuration()
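Review bot: The four-line probe of `/proc/sys/crypto/fips_enabled` added before the configuration check here is repeated verbatim in the ipa-client-install, install.py and replicainstall.py hunks; a single helper beside the `tasks.check_selinux_status()` call those three sites already make (for example a new `tasks.is_fips_enabled()` returning a bool, each caller keeping its own message) would stop the four copies drifting apart. The comparison `!= '0'` treats any value other than a literal 0, including an empty read, as FIPS enabled, which is the right fail-closed direction but deserves a comment such as `# anything but '0' counts as FIPS on (fail closed)` so it is not later narrowed to `== '1'`. The new raise passes no second argument while the raise two lines above passes `2`; if IpactlError gives that argument no default, this path will fail with a TypeError instead of the intended message. main() starts and ends outside the hunk.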
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 543c6f027f2312792e7ad33533db8e7c10a3cddb..586b11bdf37cf22f50980d6b84d6dcd12cfd50e7 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -3051,6 +3051,10 @@ def main():
if not os.getegid() == 0:
sys.exit("\nYou must be root to run ipa-client-install.\n")
+ if os.path.exists('/proc/sys/crypto/fips_enabled'):
+ with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+ if f.read().strip() != '0':
+ sys.exit("Cannot install IPA client in FIPS mode")
tasks.check_selinux_status()
logging_setup(options)
root_logger.debug(
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index f62874f085ee3ae478fc769465fe375abc4465e6..67af71011fe16d17ce1db857a1c99b2125a3590d 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -303,6 +303,11 @@ def install_check(installer):
dogtag_constants = dogtag.install_constants
+ if os.path.exists('/proc/sys/crypto/fips_enabled'):
+ with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+ if f.read().strip() != '0':
+ sys.exit("Cannot install IPA server in FIPS mode")
+
tasks.check_selinux_status()
if options.master_password:
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 55c58335c5bbc6993999da4c465e58f4ce3225aa..1994316c1ff066f7e7e615c51ea7157f55a75201 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -312,6 +312,11 @@ def install_check(installer):
options = installer
filename = installer.replica_file
+ if os.path.exists('/proc/sys/crypto/fips_enabled'):
+ with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+ if f.read().strip() != '0':
+ sys.exit("Cannot install IPA server in FIPS mode")
+
tasks.check_selinux_status()
client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
--
2.4.3