diff --git a/tests/00modules-test b/tests/00modules-test
index 20d4b7e2..90c96c9f 100755
--- a/tests/00modules-test
+++ b/tests/00modules-test
@@ -17,6 +17,9 @@ if [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ] ; then
 echo "Kernel running in FIPS mode."
 fi
+./crypto-check fips_mode && echo "Crypto backend running in FIPS mode."
+./crypto-check fips_mode_kernel && echo "Kernel running in FIPS mode."
+
 if [ -f /etc/os-release ] ; then
 source /etc/os-release
 echo "$PRETTY_NAME ($NAME) $VERSION"
diff --git a/tests/align-test b/tests/align-test
index aa7d79a2..11d73329 100755
--- a/tests/align-test
+++ b/tests/align-test
@@ -10,8 +10,6 @@ PWD1="93R4P4pIqAH8"
 PWD2="mymJeD8ivEhE"
 FAST_PBKDF="--pbkdf-force-iterations 1000"
-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-
 if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then
 CRYPTSETUP_VALGRIND=$CRYPTSETUP
 else
@@ -22,7 +20,7 @@ fi
 fips_mode()
 {
- [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+ ./crypto-check fips_mode
 }
 cleanup() {
diff --git a/tests/api-test.c b/tests/api-test.c
index 66fec006..5fd07aea 100644
--- a/tests/api-test.c
+++ b/tests/api-test.c
@@ -64,6 +64,7 @@
 #define LUKS_PHDR_SIZE_B 1024
 static int _fips_mode = 0;
+static int _fips_mode_kernel = 0;
 static char *DEVICE_1 = NULL;
 static char *DEVICE_2 = NULL;
@@ -293,8 +294,9 @@ static int _setup(void)
 return 1;
 _fips_mode = fips_mode();
+ _fips_mode_kernel = fips_mode_kernel();
 if (_debug)
- printf("FIPS MODE: %d\n", _fips_mode);
+ printf("FIPS MODE: LIB %d, KERNEL %d\n", _fips_mode, _fips_mode_kernel);
 /* Use default log callback */
 crypt_set_log_callback(NULL, &global_log_callback, NULL);
@@ -1833,7 +1835,7 @@ static void TcryptTest(void)
 CRYPT_FREE(cd);
 // Following test uses non-FIPS algorithms in the cipher chain
- if(_fips_mode)
+ if(_fips_mode || _fips_mode_kernel)
 return;
 OK_(crypt_init(&cd, tcrypt_dev2));
diff --git a/tests/api_test.h b/tests/api_test.h
index ec6abd46..e317967d 100644
--- a/tests/api_test.h
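Review bot: On a FIPS kernel the banner now prints "Kernel running in FIPS mode." twice, because the retained `/proc/sys/crypto/fips_enabled` check directly above the added lines emits the same text as the new `./crypto-check fips_mode_kernel` line. Either drop the older block or name the probe in the message, e.g. `./crypto-check fips_mode_kernel && echo "Kernel running in FIPS mode (crypto-check)."`, so a disagreement between the two probes shows up in the test log. If `./crypto-check` cannot be executed, both new lines print nothing, which reads the same as "FIPS off".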
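Review bot: `fips_mode()` in align-test now returns whatever `./crypto-check` exits with, so a helper that is missing, not built, or looked up from a different working directory (shell status 126/127) reads as "not in FIPS mode" and the FIPS-specific branches are silently not taken. The previous `/proc` read had no such dependency; a guard before first use, e.g. `[ -x ./crypto-check ] || { echo "crypto-check helper not found" >&2; exit 1; }`, would turn that case into a visible failure. The same one-line wrapper is introduced in compat-test, compat-test-opal, compat-test2, keyring-compat-test (`fips_mode_kernel`), luks2-reencryption-test and reencryption-compat-test. Each call also spawns a process where the old code tested a cached `$FIPS_MODE`; storing the result once at script start would keep the earlier behaviour.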
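Review bot: `_fips_mode` changes meaning with this commit, since it is now filled from the crypto library probe (the debug line labels it `LIB`) rather than the kernel flag, yet only the guard in `TcryptTest` is widened to `_fips_mode || _fips_mode_kernel`. Any other `if (_fips_mode)` checks in api-test.c that protect kernel-side operations are not visible in this diff and would now trigger only for library FIPS, so they are worth auditing. A comment at the declarations, e.g. `/* _fips_mode: crypto library backend; _fips_mode_kernel: kernel crypto API */`, would make the distinction explicit for future guards. The bodies of `_setup` and `TcryptTest` continue outside the hunks shown.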
+++ b/tests/api_test.h
@@ -31,6 +31,7 @@ int t_dm_capi_string_supported(void);
 int t_set_readahead(const char *device, unsigned value);
 int fips_mode(void);
+int fips_mode_kernel(void);
 int create_dmdevice_over_device(const char *dm_name, const char *device, uint64_t size, uint64_t offset);
diff --git a/tests/compat-test b/tests/compat-test
index 1a956b56..069580d2 100755
--- a/tests/compat-test
+++ b/tests/compat-test
@@ -50,7 +50,6 @@ KEY_MATERIAL5_EXT="S331776-395264"
 TEST_UUID="12345678-1234-1234-1234-123456789abc"
 LOOPDEV=$(losetup -f 2>/dev/null)
-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 remove_mapping()
 {
@@ -83,7 +82,7 @@ trap _sigchld CHLD
 fips_mode()
 {
- [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+ ./crypto-check fips_mode
 }
 can_fail_fips()
diff --git a/tests/compat-test-opal b/tests/compat-test-opal
index 2422cc75..de44addb 100755
--- a/tests/compat-test-opal
+++ b/tests/compat-test-opal
@@ -42,8 +42,6 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
 TEST_UUID="12345678-1234-1234-1234-123456789abc"
-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-
 remove_mapping()
 {
 [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
@@ -73,7 +71,7 @@ trap _sigchld CHLD
 fips_mode()
 {
- [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+ ./crypto-check fips_mode
 }
 can_fail_fips()
diff --git a/tests/compat-test2 b/tests/compat-test2
index ec4eb156..c8e41feb 100755
--- a/tests/compat-test2
+++ b/tests/compat-test2
@@ -48,7 +48,6 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
 TEST_UUID="12345678-1234-1234-1234-123456789abc"
 LOOPDEV=$(losetup -f 2>/dev/null)
-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 remove_mapping()
 {
@@ -88,7 +87,7 @@ trap _sigchld CHLD
 fips_mode()
 {
- [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+ ./crypto-check fips_mode
 }
 can_fail_fips()
diff --git a/tests/crypto-vectors.c b/tests/crypto-vectors.c
index 6e94fbf0..e06722f4 100644
--- a/tests/crypto-vectors.c
+++ b/tests/crypto-vectors.c
@@ -18,8 +18,6 @@
 # define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
 #endif
-static bool fips_active = false;
-
 static void printhex(const char *s, const char *buf, size_t len)
 {
 size_t i;
@@ -31,24 +29,6 @@ static void printhex(const char *s, const char *buf, size_t len)
 fflush(stdout);
 }
-static bool fips_mode(void)
-{
- int fd;
- char buf = 0;
-
- fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
-
- if (fd < 0)
- return false;
-
- if (read(fd, &buf, 1) != 1)
- buf = '0';
-
- close(fd);
-
- return (buf == '1');
-}
-
 /*
 * KDF tests
 */
@@ -1043,7 +1023,7 @@ static int pbkdf_test_vectors(void)
 vec->salt, vec->salt_length, result, vec->output_length, vec->iterations, vec->memory, vec->parallelism) < 0) {
- if (vec->can_fail_fips && fips_mode()) {
+ if (vec->can_fail_fips && crypt_fips_mode()) {
 printf("[API FAILED, IGNORED (FIPS mode)]\n");
 continue;
 }
@@ -1552,7 +1532,7 @@ static int kernel_capi_check_test(void)
 if (!r)
 printf("[OK]\n");
 else if (r == -ENOENT || r == -ENOTSUP ||
- (fips_active && !capi_test_vectors[i].fips))
+ (crypt_fips_mode_kernel() && !capi_test_vectors[i].fips))
 printf("[N/A]\n");
 else
 return EXIT_FAILURE;
@@ -1580,8 +1560,6 @@ int main(__attribute__ ((unused)) int argc, __attribute__ ((unused))char *argv[]
 }
 #endif
- fips_active = fips_mode();
-
 if (crypt_backend_init())
 exit_test("Crypto backend init error.", EXIT_FAILURE);
@@ -1615,7 +1593,7 @@ int main(__attribute__ ((unused)) int argc, __attribute__ ((unused))char *argv[]
 exit_test("Kernel CAPI test failed.", EXIT_FAILURE);
 if (default_alg_test()) {
- if (fips_mode())
+ if (crypt_fips_mode())
 printf("\nDefault compiled-in algorithms test ignored (FIPS mode on).\n");
 else
 exit_test("\nDefault compiled-in algorithms test failed.", EXIT_FAILURE);
diff --git a/tests/keyring-compat-test b/tests/keyring-compat-test
index 36658fc9..26f0e103 100755
--- a/tests/keyring-compat-test
+++ b/tests/keyring-compat-test
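Review bot: The FIPS exemption in `pbkdf_test_vectors` still accepts every negative return once `vec->can_fail_fips && crypt_fips_mode()` holds, so with a FIPS-enabled backend an unrelated failure in such a vector (allocation error, bad parameter handling) is logged as "[API FAILED, IGNORED (FIPS mode)]" and the run stays green. If the backend reports a distinguishable code for a disallowed algorithm, which this hunk does not show, comparing against it would narrow the exemption. Otherwise a comment such as `/* any error is tolerated here: backend may reject non-approved KDFs in FIPS mode */` would at least document the intent. The `default_alg_test()` branch in `main` has the same shape, and both function bodies extend outside the hunks shown.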
@@ -33,8 +33,6 @@ else
 CRYPTSETUP_LIB_VALGRIND=../.libs
 fi
-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-
 remove_mapping()
 {
 [ -b /dev/mapper/$NAME ] && dmsetup remove --retry $NAME
@@ -115,9 +113,9 @@ test_and_prepare_keyring() {
 load_key "$HEXKEY_16" user test_key "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
 }
-fips_mode()
+fips_mode_kernel()
 {
- [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+ ./crypto-check fips_mode_kernel
 }
 add_device() {
@@ -205,7 +203,7 @@ diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corrupti
 echo "OK"
 #test serpent cipher, cbc mode, tcw IV
-fips_mode || {
+fips_mode_kernel || {
 echo -n "Testing $CIPHER_CBC_TCW..."
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
 sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
index 11823ee9..58288e5d 100755
--- a/tests/luks2-reencryption-test
+++ b/tests/luks2-reencryption-test
@@ -54,8 +54,6 @@ HAVE_KEYRING=0
 JSON_MSIZE=16384
 IMG_JSON=luks2-digest-1.json
-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-
 dm_crypt_features()
 {
 VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
@@ -163,7 +161,7 @@ skip()
 fips_mode()
 {
- [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+ ./crypto-check fips_mode || ./crypto-check fips_mode_kernel
 }
 add_scsi_device() {
diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test
index b3386e29..45a0b290 100755
--- a/tests/reencryption-compat-test
+++ b/tests/reencryption-compat-test
@@ -30,11 +30,10 @@ LUKS1_DECRYPT="LUKS-$LUKS1_DECRYPT_UUID"
 MNT_DIR=./mnt_luks
 START_DIR=$(pwd)
-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 fips_mode()
 {
- [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+ ./crypto-check fips_mode || ./crypto-check fips_mode_kernel
 }
 del_scsi_device()
diff --git a/tests/test_utils.c b/tests/test_utils.c
index 44d5a5db..56aebb7e 100644
--- a/tests/test_utils.c
+++ b/tests/test_utils.c
@@ -165,20 +165,12 @@ int t_set_readahead(const char *device, unsigned value)
 int fips_mode(void)
 {
- int fd;
- char buf = 0;
+ return _system("./crypto-check fips_mode", 1) == 0;
+}
- fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
-
- if (fd < 0)
- return 0;
-
- if (read(fd, &buf, 1) != 1)
- buf = '0';
-
- close(fd);
-
- return (buf == '1');
+int fips_mode_kernel(void)
+{
+ return _system("./crypto-check fips_mode_kernel", 1) == 0;
 }
 /*
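Review bot: Both helpers collapse `_system(...) == 0` into a boolean, so a failure to run `./crypto-check` at all (binary absent, or a different working directory) is indistinguishable from "FIPS off", and `_setup()` in api-test.c would record 0 for both flags with no diagnostic. `_system` is defined outside this hunk and its return convention should be confirmed. Separating the helper's "no" exit status from an execution failure and logging the latter would keep FIPS-gated tests from running under a wrong assumption. The relative `./crypto-check` path ties the result to the current directory, where the removed `/proc/sys/crypto/fips_enabled` read had no such dependency. A one-line comment on each function saying which layer it probes, e.g. `/* FIPS state of the crypto library backend */` and `/* FIPS state of the kernel crypto API */`, is also missing.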