From ec381c10fc6080b1e2594cbee857725c886566d4 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 21 Oct 2014 14:56:28 +0200
Subject: [PATCH] Do not allow installation in FIPS mode

https://bugzilla.redhat.com/show_bug.cgi?id=1131570
---
 install/tools/ipa-replica-install         | 5 +++++
 install/tools/ipa-server-install          | 5 +++++
 install/tools/ipactl                      | 6 ++++++
 ipa-client/ipa-install/ipa-client-install | 4 ++++
 4 files changed, 20 insertions(+)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index d3b520abf635ccc324b74bca31f241960a33d950..70190b718965518803b9767325d58f9526c32f7c 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -457,6 +457,11 @@ def main():
     if os.geteuid() != 0:
         sys.exit("\nYou must be root to run this script.\n")
 
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                sys.exit("Cannot install IPA server in FIPS mode")
+
     standard_logging_setup(log_file_name, debug=options.debug)
     root_logger.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
     root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
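Review bot: The FIPS probe added here is pasted verbatim into four entry points (this hunk and the ipa-server-install, ipactl and ipa-client-install hunks below), so the sysfs path, the `strip() != '0'` comparison and any future refinement have to be kept in sync by hand in four places. Moving it into one helper in a module the scripts already share (they appear to share `root_logger` and `tasks`, so such a module likely exists) would reduce each site to `if is_fips_enabled(): sys.exit("Cannot install IPA server in FIPS mode")`. The helper also deserves the one comment none of the copies carries, explaining the comparison: `# the kernel reports '1' when FIPS mode is enforced; anything other than '0' is treated as enabled`. As a minor point, the ipa-client-install copy is the only one not separated from its neighbours by blank lines. main() starts and ends outside this hunk.

```python
def is_fips_enabled():
    """Return True when the running kernel reports FIPS mode as enforced."""
    fips_path = '/proc/sys/crypto/fips_enabled'
    if not os.path.exists(fips_path):
        return False
    with open(fips_path, 'r') as f:
        # the kernel reports '1' when FIPS mode is enforced; anything
        # other than '0' is treated as enabled
        return f.read().strip() != '0'
```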
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 4fd4d8171ab89b805449a6625e9c5ea2d0921fa5..3b748aaab37fa8806ebc7a4983ed97cc8243a9c4 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -662,6 +662,11 @@ def main():
     if os.getegid() != 0:
         sys.exit("Must be root to set up server")
 
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                sys.exit("Cannot install IPA server in FIPS mode")
+
     tasks.check_selinux_status()
 
     signal.signal(signal.SIGTERM, signal_handler)
diff --git a/install/tools/ipactl b/install/tools/ipactl
index b1b0b6e26fa97cdc953c86eee22e160782b57379..56d24b0dab1770d23348f4c60db62bab3bd508d4 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -480,6 +480,12 @@ def main():
     elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
         raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
 
+    if (args[0] in ('start', 'restart') and
+        os.path.exists('/proc/sys/crypto/fips_enabled')):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                raise IpactlError("Cannot start IPA server in FIPS mode")
+
     # check if IPA is configured at all
     try:
         check_IPA_configuration()
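Review bot: The new `raise IpactlError("Cannot start IPA server in FIPS mode")` omits the return-code argument that the neighbouring `raise IpactlError("Unrecognized action [" + args[0] + "]", 2)` passes, so unless IpactlError supplies a default, `ipactl start` under FIPS exits with whatever the bare constructor yields rather than a deliberate status. Passing the code explicitly, in the same form as the existing call, keeps the exit status consistent with the other argument-validation failures in this block. main() starts and ends outside this hunk.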
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 75a1711a7e1fdc9359ad02d55ad94d65af51ea93..53d969ee0b607a4392a008daebaf3befc0785084 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2865,6 +2865,10 @@ def main():
 
     if not os.getegid() == 0:
         sys.exit("\nYou must be root to run ipa-client-install.\n")
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                sys.exit("Cannot install IPA client in FIPS mode")
     tasks.check_selinux_status()
     logging_setup(options)
     root_logger.debug(
-- 
2.1.0