From 3c40d3aa9e3d431be1e625aa91cdcbeffd0d1271 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Mon, 27 Jun 2016 10:23:14 +0200
Subject: Do not allow installation in FIPS mode
https://fedorahosted.org/freeipa/ticket/5761
Reviewed-By: Martin Basti
Reviewed-By: Rob Crittenden
---
ipapython/ipautil.py | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
(limited to 'ipapython/ipautil.py')
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 34e05d366..c7e20c510 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1428,3 +1428,22 @@ if six.PY2:
 type(value).__name__))
 else:
 fsdecode = os.fsdecode #pylint: disable=no-member
+
+
+def is_fips_enabled():
+ """
+ Checks whether this host is FIPS-enabled.
+
+ Returns a boolean indicating if the host is FIPS-enabled, i.e. if the
+ file /proc/sys/crypto/fips_enabled contains a non-0 value. Otherwise,
+ or if the file /proc/sys/crypto/fips_enabled does not exist,
+ the function returns False.
+ """
+ try:
+ with open(paths.PROC_FIPS_ENABLED, 'r') as f:
+ if f.read().strip() != '0':
+ return True
+ except IOError:
+ # Consider that the host is not fips-enabled if the file does not exist
+ pass
+ return False
-- cgit
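Review bot: The `except IOError: pass` in `is_fips_enabled()` treats every read failure as "not FIPS-enabled", although the comment and docstring only justify that for a missing file. A permission or other I/O error on `paths.PROC_FIPS_ENABLED` would therefore let the caller proceed on a host whose FIPS state is unknown, which is the fail-open direction for a check meant to block installation. Narrow the handler to the missing-file case with `except IOError as e:` followed by `if e.errno != errno.ENOENT: raise`; this needs `errno` in scope, and the file's imports are outside the hunk, so confirm it is imported. The function is fully contained in this hunk.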