From 0ea5a5970f7661e240b6ff3ebec4ea2414c47837 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Tue, 21 Oct 2014 14:56:28 +0200
Subject: [PATCH] Do not allow installation in FIPS mode

https://bugzilla.redhat.com/show_bug.cgi?id=1131570
---
 install/tools/ipactl                       | 6 ++++++
 ipa-client/ipa-install/ipa-client-install  | 4 ++++
 ipaserver/install/server/install.py        | 5 +++++
 ipaserver/install/server/replicainstall.py | 5 +++++
 4 files changed, 20 insertions(+)

diff --git a/install/tools/ipactl b/install/tools/ipactl
index acad7ff3771561d5dce530317b65aaf117f153a1..cf906ccbbe5c98013a5f640e90e1f3c9052f19cb 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -532,6 +532,12 @@ def main():
     elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
         raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
 
+    if (args[0] in ('start', 'restart') and
+            os.path.exists('/proc/sys/crypto/fips_enabled')):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                raise IpactlError("Cannot start IPA server in FIPS mode")
+
     # check if IPA is configured at all
     try:
         check_IPA_configuration()
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 543c6f027f2312792e7ad33533db8e7c10a3cddb..586b11bdf37cf22f50980d6b84d6dcd12cfd50e7 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -3051,6 +3051,10 @@ def main():
     if not os.getegid() == 0:
         sys.exit("\nYou must be root to run ipa-client-install.\n")
 
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                sys.exit("Cannot install IPA client in FIPS mode")
     tasks.check_selinux_status()
     logging_setup(options)
     root_logger.debug(
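Review bot: The `f.read().strip() != '0'` test in the new start/restart branch refuses on any content other than a literal `0`, which is the right fail-closed choice for a crypto-policy gate, but next to the `os.path.exists()` guard it reads like an accident and invites a later "fix" to `== '1'`; a one-line comment above the `with open(...)` would pin the intent, e.g. `# fail closed: anything but "0" (including unexpected content) counts as FIPS mode`. The same five-line probe is pasted into the three installer hunks of this patch, so a single shared helper would keep the four copies from drifting the next time the path or the comparison changes. `main()` begins before this hunk.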
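Review bot: The FIPS refusal in ipa-client-install runs before `logging_setup(options)`, so when it fires the only trace is the stderr line; nothing about why the install stopped reaches the client install log. If the log is meant to record aborted runs, the four added lines could move to just after `logging_setup(options)`, though `tasks.check_selinux_status()` already exits before logging is configured, so this may be an accepted trade-off. The message style also differs from the root check two lines above, which wraps its text in newlines; `"\nCannot install IPA client in FIPS mode.\n"` would match. `main()` begins before this hunk.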
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index f62874f085ee3ae478fc769465fe375abc4465e6..67af71011fe16d17ce1db857a1c99b2125a3590d 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -303,6 +303,11 @@ def install_check(installer):
     dogtag_constants = dogtag.install_constants
 
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                sys.exit("Cannot install IPA server in FIPS mode")
+
     tasks.check_selinux_status()
 
     if options.master_password:
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 55c58335c5bbc6993999da4c465e58f4ce3225aa..1994316c1ff066f7e7e615c51ea7157f55a75201 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -312,6 +312,11 @@ def install_check(installer):
     options = installer
     filename = installer.replica_file
 
+    if os.path.exists('/proc/sys/crypto/fips_enabled'):
+        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+            if f.read().strip() != '0':
+                sys.exit("Cannot install IPA server in FIPS mode")
+
     tasks.check_selinux_status()
 
     client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
-- 
2.4.3
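Review bot: This is the third verbatim copy of the `/proc/sys/crypto/fips_enabled` probe in this patch (ipactl and ipa-client-install carry the same lines, replicainstall.py a fourth), and the exit message is duplicated as well; four open-coded copies of a security gate are easy to update inconsistently later. A small helper that returns a bool and fails closed lets each call site shrink to a two-line check; the helper belongs in a module all four scripts already import from, which I cannot confirm from the hunk, so the sketch below defines it locally in install.py. `install_check()` begins before this hunk.

```python
def _fips_enabled():
    """Return True when the kernel reports FIPS mode.

    Fails closed: anything other than a literal "0" (including unexpected
    content) is treated as FIPS enabled.
    """
    if not os.path.exists('/proc/sys/crypto/fips_enabled'):
        return False
    with open('/proc/sys/crypto/fips_enabled', 'r') as f:
        return f.read().strip() != '0'

# … unchanged: install_check() up to dogtag_constants …
    if _fips_enabled():
        sys.exit("Cannot install IPA server in FIPS mode")
# … unchanged: tasks.check_selinux_status() onward …
```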
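Review bot: `sys.exit()` from inside `install_check()` of a library module terminates whatever process imported it, leaving no exception type that a caller driving several pre-flight checks could catch and report; if the installer modules already use an error type for pre-flight failures, raising that here would be more consistent, and if the hard exit is deliberate a comment should say so, e.g. `# FIPS mode is unsupported: abort before any state is touched`. The same four lines also appear in install.py, so one shared helper would keep the two server-side copies identical. `install_check()` begins before this hunk.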