[Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

Florence Blanc-Renaud frenaud at redhat.com
Mon Jun 27 18:14:19 UTC 2016


On 06/27/2016 03:55 PM, Rob Crittenden wrote:
> Petr Spacek wrote:
>> On 27.6.2016 08:38, Florence Blanc-Renaud wrote:
>>> Hi,
>>>
>>> this fix is a port of Bug 1131570 - Do not allow IdM
>>> server/replica/client
>>> installation in a FIPS-140 mode
>>> It prevents installation of FreeIPA if the host is fips-enabled.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5761
>>>
>>> freeipa-frenaud-0008-Do-not-allow-installation-in-FIPS-mode.patch
>>>
>>>
>>> From afecbb3d228cf1d6cee59da53bf7a803f030d0b1 Mon Sep 17 00:00:00 2001
>>> From: Florence Blanc-Renaud <frenaud at redhat.com>
>>> Date: Fri, 24 Jun 2016 16:16:22 +0200
>>> Subject: [PATCH] Do not allow installation in FIPS mode
>>>
>>> https://fedorahosted.org/freeipa/ticket/5761
>>> ---
>>>   client/ipa-client-install                  | 4 ++++
>>>   install/tools/ipactl                       | 6 ++++++
>>>   ipaserver/install/server/install.py        | 5 +++++
>>>   ipaserver/install/server/replicainstall.py | 5 +++++
>>>   4 files changed, 20 insertions(+)
>>>
>>> diff --git a/client/ipa-client-install b/client/ipa-client-install
>>> index
>>> 0a601b63118b0a3568066495837121c65e5df04f..f80ff9c469709ea3b63902610b3b8b5c35448904
>>> 100755
>>> --- a/client/ipa-client-install
>>> +++ b/client/ipa-client-install
>>> @@ -3064,6 +3064,10 @@ def main():
>>>
>>>       if not os.getegid() == 0:
>>>           sys.exit("\nYou must be root to run ipa-client-install.\n")
>>> +    if os.path.exists('/proc/sys/crypto/fips_enabled'):
>>> +        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
>>
>> Usually it is safer to call open() and catch the exception if the file
>> does not exist. The code above has an inherent problem with
>> race conditions between time of check (path.exists) and time of use (open).
>>
>> Of course it is not a problem here because this file is part of the kernel's
>> interface, but in general please use the try: open() except: form.
>>
>>> +            if f.read().strip() != '0':
>>> +                sys.exit("Cannot install IPA client in FIPS mode")
>>
>> Personally I would like to see more informative messages.
>>
>> I would recommend something like "<something> is not supported in FIPS
>> mode".
>>
>> In my eyes it is the difference between "How do I ...? You don't!" vs
>> "How do I ...? Sorry, we do not support that right now."
>
> Given that this code is duplicated 4 times I'd also move it to a
> function in ipapython, is_fips_enabled() or something.
>
> rob
>
>>
>>
>> Sorry for nitpicking! :-)
>>
>> Petr^2 Spacek
>>
>>
>>
>>>       tasks.check_selinux_status()
>>>       logging_setup(options)
>>>       root_logger.debug(
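Review bot: the comparison `f.read().strip() != '0'` in the added check treats any content other than `0`, including an empty read, as FIPS enabled. Failing closed is reasonable for a refusal check, but the intent is not stated; add a short comment saying so, or compare against '1' if only an explicit enable should block the install.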
>>> diff --git a/install/tools/ipactl b/install/tools/ipactl
>>> index
>>> 547b21d875dff7231fae8dfc10faf995b0ca230b..9c68fffe73bfdd97789907226f8765c09707d552
>>> 100755
>>> --- a/install/tools/ipactl
>>> +++ b/install/tools/ipactl
>>> @@ -545,6 +545,12 @@ def main():
>>>       elif args[0] != "start" and args[0] != "stop" and args[0] !=
>>> "restart" and args[0] != "status":
>>>           raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
>>>
>>> +    if (args[0] in ('start', 'restart') and
>>> +        os.path.exists('/proc/sys/crypto/fips_enabled')):
>>> +        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
>>> +            if f.read().strip() != '0':
>>> +                raise IpactlError("Cannot start IPA server in FIPS
>>> mode")
>>> +
>>>       # check if IPA is configured at all
>>>       try:
>>>           check_IPA_configuration()
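Review bot: the new `raise IpactlError("Cannot start IPA server in FIPS mode")` passes no return code, while the "Unrecognized action" error just above it passes 2 explicitly. State the intended exit code here too, so that scripts calling ipactl can tell the FIPS refusal from other failures. The check also sits before the "check if IPA is configured at all" block, so on a FIPS host the FIPS message is raised before the configuration check runs; consider whether it belongs below that check.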
>>> diff --git a/ipaserver/install/server/install.py
>>> b/ipaserver/install/server/install.py
>>> index
>>> 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..0c0683733ef38444a82d085f771596a9b066ef1d
>>> 100644
>>> --- a/ipaserver/install/server/install.py
>>> +++ b/ipaserver/install/server/install.py
>>> @@ -319,6 +319,11 @@ def install_check(installer):
>>>       external_ca_file = installer._external_ca_file
>>>       http_ca_cert = installer._ca_cert
>>>
>>> +    if os.path.exists('/proc/sys/crypto/fips_enabled'):
>>> +        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
>>> +            if f.read().strip() != '0':
>>> +                sys.exit("Cannot install IPA server in FIPS mode")
>>> +
>>>       tasks.check_selinux_status()
>>>
>>>       if options.master_password:
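Review bot: the block added to install_check() calls os.path.exists and sys.exit, but the diffstat lists only these 5 inserted lines for install.py, so the patch adds no import. Confirm that os and sys are already imported at the top of the module; otherwise the check fails with NameError instead of printing the message.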
>>> diff --git a/ipaserver/install/server/replicainstall.py
>>> b/ipaserver/install/server/replicainstall.py
>>> index
>>> 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..a2946339c7aeee8529f6ecf8ec4d85c9291fd291
>>> 100644
>>> --- a/ipaserver/install/server/replicainstall.py
>>> +++ b/ipaserver/install/server/replicainstall.py
>>> @@ -485,6 +485,11 @@ def install_check(installer):
>>>       options = installer
>>>       filename = installer.replica_file
>>>
>>> +    if os.path.exists('/proc/sys/crypto/fips_enabled'):
>>> +        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
>>> +            if f.read().strip() != '0':
>>> +                sys.exit("Cannot install IPA server in FIPS mode")
>>> +
>>>       tasks.check_selinux_status()
>>>
>>>       if is_ipa_configured():
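Review bot: the message in the replicainstall.py check is "Cannot install IPA server in FIPS mode", word for word the same as in install.py, although this code path installs a replica. Name the replica in the text so the user and the logs show which installer refused, or take the message from one shared helper that receives the component name.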
>>> -- 2.7.4
>>
>
Hi all,

thanks for your suggestions. Updated patch attached.
Flo.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-frenaud-0008-2-Do-not-allow-installation-in-FIPS-mode.patch
Type: text/x-patch
Size: 5211 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160627/66637827/attachment.bin>
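The review suggestions in this thread (open() with exception handling instead of path.exists, one shared helper, and a "not supported" message) can be combined as in the following added example. It is not part of the thread and not the content of the attached updated patch; `is_fips_enabled` is the name proposed in the reply above, while `fips_refusal`, `write_sample` and the `path` parameter are hypothetical names introduced for illustration.

```python
import errno
import os
import tempfile

FIPS_PATH = '/proc/sys/crypto/fips_enabled'  # path used in the patch


def is_fips_enabled(path=FIPS_PATH):
    """Return True when the kernel reports FIPS mode.

    open() is called directly and a missing file is handled in the
    except branch, so there is no window between a check and the use.
    """
    try:
        with open(path, 'r') as f:
            # Same comparison as the patch: anything but '0' counts as on.
            return f.read().strip() != '0'
    except IOError as e:
        if e.errno == errno.ENOENT:
            return False  # kernel without the FIPS interface
        raise  # permission or I/O errors are not silently ignored


def fips_refusal(what, path=FIPS_PATH):
    """Return the refusal message for `what`, or None when FIPS is off."""
    if is_fips_enabled(path):
        return "%s is not supported in FIPS mode" % what
    return None


def write_sample(content):
    """Write a constructed stand-in for the /proc file; return its path."""
    fd, name = tempfile.mkstemp()
    with os.fdopen(fd, 'w') as f:
        f.write(content)
    return name


if __name__ == '__main__':
    # Constructed inputs: FIPS off, FIPS on, and a missing file.
    for content in ('0\n', '1\n'):
        sample = write_sample(content)
        print(repr(content), fips_refusal("Installing IPA client", sample))
        os.remove(sample)
    print('missing', fips_refusal("Installing IPA client",
                                  '/nonexistent/fips_enabled'))
```

Each of the four call sites in the patch would then reduce to one call and one exit or raise with the returned message.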

