[Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

Rob Crittenden rcritten at redhat.com
Mon Jun 27 13:55:20 UTC 2016 

Petr Spacek wrote:
> On 27.6.2016 08:38, Florence Blanc-Renaud wrote:
>> Hi,
>>
>> this fix is a port of Bug 1131570 - Do not allow IdM server/replica/client
>> installation in a FIPS-140 mode
>> It prevents installation of FreeIPA if the host is fips-enabled.
>>
>> https://fedorahosted.org/freeipa/ticket/5761
>>
>> freeipa-frenaud-0008-Do-not-allow-installation-in-FIPS-mode.patch
>>
>>
>> >From afecbb3d228cf1d6cee59da53bf7a803f030d0b1 Mon Sep 17 00:00:00 2001
>> From: Florence Blanc-Renaud <frenaud at redhat.com>
>> Date: Fri, 24 Jun 2016 16:16:22 +0200
>> Subject: [PATCH] Do not allow installation in FIPS mode
>>
>> https://fedorahosted.org/freeipa/ticket/5761
>> ---
>>   client/ipa-client-install                  | 4 ++++
>>   install/tools/ipactl                       | 6 ++++++
>>   ipaserver/install/server/install.py        | 5 +++++
>>   ipaserver/install/server/replicainstall.py | 5 +++++
>>   4 files changed, 20 insertions(+)
>>
>> diff --git a/client/ipa-client-install b/client/ipa-client-install
>> index 0a601b63118b0a3568066495837121c65e5df04f..f80ff9c469709ea3b63902610b3b8b5c35448904 100755
>> --- a/client/ipa-client-install
>> +++ b/client/ipa-client-install
>> @@ -3064,6 +3064,10 @@ def main():
>>
>>       if not os.getegid() == 0:
>>           sys.exit("\nYou must be root to run ipa-client-install.\n")
>> +    if os.path.exists('/proc/sys/crypto/fips_enabled'):
>> +        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
>
> Usually it is safer to call open() and catch exception if the file does not
> exist. The code above has inherent problem with race-conditions between time
> of check (path.exists) and time of use (open).
>
> Of course it is not a problem here because this file is part of kernel's
> interface but in general please use the try: open() except: form.
>
>> +            if f.read().strip() != '0':
>> +                sys.exit("Cannot install IPA client in FIPS mode")
>
> Personally I would like to see more informative messages.
>
> I would recommend something like "<something> is not supported in FIPS mode".
>
> In my eyes it is difference between "How do I ...? You dont!" vs "How do I
> ...? Sorry, we do not support that right now."

Given that this code is duplicated 4 times I'd also move it to a 
function in ipapython, is_fips_enabled() or something .

rob

>
>
> Sorry for nitpicking! :-)
>
> Petr^2 Spacek
>
>
>
>>       tasks.check_selinux_status()
>>       logging_setup(options)
>>       root_logger.debug(
>> diff --git a/install/tools/ipactl b/install/tools/ipactl
>> index 547b21d875dff7231fae8dfc10faf995b0ca230b..9c68fffe73bfdd97789907226f8765c09707d552 100755
>> --- a/install/tools/ipactl
>> +++ b/install/tools/ipactl
>> @@ -545,6 +545,12 @@ def main():
>>       elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
>>           raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
>>
>> +    if (args[0] in ('start', 'restart') and
>> +        os.path.exists('/proc/sys/crypto/fips_enabled')):
>> +        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
>> +            if f.read().strip() != '0':
>> +                raise IpactlError("Cannot start IPA server in FIPS mode")
>> +
>>       # check if IPA is configured at all
>>       try:
>>           check_IPA_configuration()
>> diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
>> index 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..0c0683733ef38444a82d085f771596a9b066ef1d 100644
>> --- a/ipaserver/install/server/install.py
>> +++ b/ipaserver/install/server/install.py
>> @@ -319,6 +319,11 @@ def install_check(installer):
>>       external_ca_file = installer._external_ca_file
>>       http_ca_cert = installer._ca_cert
>>
>> +    if os.path.exists('/proc/sys/crypto/fips_enabled'):
>> +        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
>> +            if f.read().strip() != '0':
>> +                sys.exit("Cannot install IPA server in FIPS mode")
>> +
>>       tasks.check_selinux_status()
>>
>>       if options.master_password:
>> diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
>> index 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..a2946339c7aeee8529f6ecf8ec4d85c9291fd291 100644
>> --- a/ipaserver/install/server/replicainstall.py
>> +++ b/ipaserver/install/server/replicainstall.py
>> @@ -485,6 +485,11 @@ def install_check(installer):
>>       options = installer
>>       filename = installer.replica_file
>>
>> +    if os.path.exists('/proc/sys/crypto/fips_enabled'):
>> +        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
>> +            if f.read().strip() != '0':
>> +                sys.exit("Cannot install IPA server in FIPS mode")
>> +
>>       tasks.check_selinux_status()
>>
>>       if is_ipa_configured():
>> -- 2.7.4
>

More information about the Freeipa-devel mailing list