authorFlorence Blanc-Renaud <frenaud@redhat.com>2016-06-27 10:23:14 +0200
committerMartin Basti <mbasti@redhat.com>2016-06-29 16:17:27 +0200
commit3c40d3aa9e3d431be1e625aa91cdcbeffd0d1271 (patch)
tree0c01a8d4c49a40aa8643ebef05423653cd6901f2
parentd7898ac2eb3b9d7b0e24579c9d8ea2f541f55268 (diff)
Do not allow installation in FIPS mode
https://fedorahosted.org/freeipa/ticket/5761 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-rwxr-xr-xclient/ipa-client-install5
-rwxr-xr-xinstall/tools/ipactl6
-rw-r--r--ipaplatform/base/paths.py1
-rw-r--r--ipapython/ipautil.py19
-rw-r--r--ipaserver/install/server/install.py7
-rw-r--r--ipaserver/install/server/replicainstall.py4
6 files changed, 39 insertions, 3 deletions
diff --git a/client/ipa-client-install b/client/ipa-client-install
index 1cdaf7b3e..cee202f89 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -45,7 +45,7 @@ try:
import ipaclient.ntpconf
from ipapython.ipautil import (
run, user_input, CalledProcessError, file_exists, dir_exists,
- realm_to_suffix)
+ realm_to_suffix, is_fips_enabled)
from ipaplatform.tasks import tasks
from ipaplatform import services
from ipaplatform.paths import paths
@@ -3076,6 +3076,9 @@ def main():
if not os.getegid() == 0:
sys.exit("\nYou must be root to run ipa-client-install.\n")
+ if is_fips_enabled():
+ sys.exit("Installing IPA client in FIPS mode is not supported")
+
tasks.check_selinux_status()
logging_setup(options)
root_logger.debug(
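Review bot: The FIPS guard sits at the very top of main() before any option is inspected, so if this script's uninstall path is also dispatched from main() (its body continues past the hunk), a client enrolled before FIPS was switched on could no longer be cleanly removed; applying the check only on the install path, e.g. `if not <uninstall option> and is_fips_enabled():` with whatever name the script's options object uses, would avoid that. The message also drops the leading and trailing newline used by the preceding root check, `sys.exit("\nYou must be root to run ipa-client-install.\n")`; `sys.exit("\nInstalling IPA client in FIPS mode is not supported\n")` would match that style. A one-line comment explaining why the check deliberately precedes logging_setup(options) would help the next reader.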
diff --git a/install/tools/ipactl b/install/tools/ipactl
index 547b21d87..e6a1b5a22 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -31,7 +31,8 @@ from ipaserver.install.dsinstance import config_dirname
from ipaserver.install.installutils import is_ipa_configured, ScriptError
from ipalib import api, errors
from ipapython.ipaldap import IPAdmin
-from ipapython.ipautil import wait_for_open_ports, wait_for_open_socket
+from ipapython.ipautil import (
+ wait_for_open_ports, wait_for_open_socket, is_fips_enabled)
from ipapython import config
from ipaplatform.tasks import tasks
from ipapython.dn import DN
@@ -545,6 +546,9 @@ def main():
elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
+ if is_fips_enabled():
+ raise IpactlError("Starting IPA server in FIPS mode is not supported")
+
# check if IPA is configured at all
try:
check_IPA_configuration()
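Review bot: The new guard fires for every accepted action, including `stop` and `status`, because it follows the action validation without looking at args[0]; on a host switched to FIPS after installation, `ipactl stop` would then refuse to shut the services down, and the message "Starting IPA server ..." would be misleading for those actions. Restricting it to the actions that bring services up, `if args[0] in ("start", "restart") and is_fips_enabled():`, keeps stop and status usable. The IpactlError raised just above passes an explicit exit code, `IpactlError("Unrecognized action [...]", 2)`, while the new raise relies on the class default; if that is intended, a short comment saying so would avoid the question on the next review. main() continues outside the hunk.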
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index dddefea0b..d6fbe32f6 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -134,6 +134,7 @@ class BasePathNamespace(object):
SYSTEMD_PKI_TOMCAT_SERVICE = "/etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service"
DNSSEC_TRUSTED_KEY = "/etc/trusted-key.key"
HOME_DIR = "/home"
+ PROC_FIPS_ENABLED = "/proc/sys/crypto/fips_enabled"
ROOT_IPA_CACHE = "/root/.ipa_cache"
ROOT_PKI = "/root/.pki"
DOGTAG_ADMIN_P12 = "/root/ca-agent.p12"
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 34e05d366..c7e20c510 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1428,3 +1428,22 @@ if six.PY2:
type(value).__name__))
else:
fsdecode = os.fsdecode #pylint: disable=no-member
+
+
+def is_fips_enabled():
+ """
+ Checks whether this host is FIPS-enabled.
+
+ Returns a boolean indicating if the host is FIPS-enabled, i.e. if the
+ file /proc/sys/crypto/fips_enabled contains a non-0 value. Otherwise,
+ or if the file /proc/sys/crypto/fips_enabled does not exist,
+ the function returns False.
+ """
+ try:
+ with open(paths.PROC_FIPS_ENABLED, 'r') as f:
+ if f.read().strip() != '0':
+ return True
+ except IOError:
+ # Consider that the host is not fips-enabled if the file does not exist
+ pass
+ return False
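Review bot: The except clause treats every IOError as "file does not exist" and returns False, so a permission or read error on the fips_enabled file silently reports a non-FIPS host even though the comment only justifies the missing-file case; narrowing it to `except IOError as e:` followed by `if e.errno != errno.ENOENT: raise` (errno from the stdlib) keeps the documented fail-open behaviour for the missing file only. The comparison `f.read().strip() != '0'` also counts empty or unexpected content as FIPS-enabled, which is the conservative direction but differs from the docstring's "contains a non-0 value"; a comment such as `# anything other than a literal "0" (including empty content) is treated as FIPS-enabled` would make the intent explicit. The docstring spells out /proc/sys/crypto/fips_enabled while the code reads `paths.PROC_FIPS_ENABLED`; referring to the constant in the docstring avoids the two drifting, and `paths` must already be imported in ipautil.py for this to work, which is not visible in the hunk.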
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index c28c095fb..c0c676b87 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -22,7 +22,8 @@ from ipapython.install.common import step
from ipapython.install.core import Knob
from ipapython.ipa_log_manager import root_logger
from ipapython.ipautil import (
- decrypt_file, format_netloc, ipa_generate_password, run, user_input)
+ decrypt_file, format_netloc, ipa_generate_password, run, user_input,
+ is_fips_enabled)
from ipaplatform import services
from ipaplatform.paths import paths
from ipaplatform.tasks import tasks
@@ -319,6 +320,10 @@ def install_check(installer):
external_ca_file = installer._external_ca_file
http_ca_cert = installer._ca_cert
+ if is_fips_enabled():
+ raise RuntimeError(
+ "Installing IPA server in FIPS mode is not supported")
+
tasks.check_selinux_status()
if options.master_password:
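Review bot: The guard raises a bare RuntimeError, which the installer will surface as a traceback unless a caller converts it; if install_check (its body continues on both sides of this hunk) reports its other precondition failures through ScriptError from ipaserver.install.installutils, as ipactl imports it, raising that here, `raise ScriptError("Installing IPA server in FIPS mode is not supported")`, would give the same clean exit, and the same applies to the identical check in ipaserver/install/server/replicainstall.py. The message string is duplicated verbatim between the two server files and differs only in wording from the client and ipactl variants; a single constant or small helper next to is_fips_enabled in ipautil would keep them aligned. replicainstall.py also calls the function as `ipautil.is_fips_enabled()` while install.py imports the name directly, which is harmless but worth making consistent.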
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 0277d324a..9e5bc0aa8 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -483,6 +483,10 @@ def install_check(installer):
options = installer
filename = installer.replica_file
+ if ipautil.is_fips_enabled():
+ raise RuntimeError(
+ "Installing IPA server in FIPS mode is not supported")
+
tasks.check_selinux_status()
if is_ipa_configured():