eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-13 20:00:08 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add --enable-fips for linking with fipscheck library.

Browse Source 
Initialize binary and library selfcheck if running in FIPS mode.

(Actually available only on Fedora/Red Hat distros.)
This commit is contained in:
Milan Broz
2012-05-21 01:26:08 +02:00
parent 0f4431d0bb
commit 45e0942755
11 changed files with 120 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog
View File

@@ -1,3 +1,7 @@
2012-05-21 Milan Broz <gmazyland@gmail.com>
* Add --enable-fips for linking with fipscheck library.
* Initialize binary and library selfcheck if running in FIPS mode.
2012-05-09 Milan Broz <gmazyland@gmail.com> 2012-05-09 Milan Broz <gmazyland@gmail.com>
* Fix keyslot removal (wipe keyslot) for device with 4k hw block (1.4.0). * Fix keyslot removal (wipe keyslot) for device with 4k hw block (1.4.0).
* Allow empty cipher (cipher_null) for testing. * Allow empty cipher (cipher_null) for testing.

10
configure.in
View File

@@ -69,6 +69,16 @@ AC_ARG_ENABLE([fips], AS_HELP_STRING([--enable-fips],[enable FIPS mode restricti
if test "x$with_fips" = "xyes"; then if test "x$with_fips" = "xyes"; then
AC_DEFINE(ENABLE_FIPS, 1, [Enable FIPS mode restrictions]) AC_DEFINE(ENABLE_FIPS, 1, [Enable FIPS mode restrictions])
if test "x$enable_static" = "xyes" -o "x$enable_static_cryptsetup" = "xyes" ; then
AC_MSG_ERROR([Static build is not compatible with FIPS.])
fi
saved_LIBS=$LIBS
AC_CHECK_LIB(fipscheck, FIPSCHECK_verify, ,[AC_MSG_ERROR([You need the fipscheck library.])])
AC_SUBST(FIPSCHECK_LIBS, $LIBS)
LIBS=$saved_LIBS
fi fi
AC_DEFUN([NO_FIPS], [ AC_DEFUN([NO_FIPS], [

3
lib/Makefile.am
View File

@@ -38,6 +38,7 @@ libcryptsetup_la_LIBADD = \
@UUID_LIBS@ \ @UUID_LIBS@ \
@DEVMAPPER_LIBS@ \ @DEVMAPPER_LIBS@ \
@CRYPTO_LIBS@ \ @CRYPTO_LIBS@ \
@FIPSCHECK_LIBS@ \
$(common_ldadd) $(common_ldadd)
@@ -54,6 +55,8 @@ libcryptsetup_la_SOURCES = \
utils_loop.h \ utils_loop.h \
utils_devpath.c \ utils_devpath.c \
utils_wipe.c \ utils_wipe.c \
utils_fips.c \
utils_fips.h \
libdevmapper.c \ libdevmapper.c \
utils_dm.h \ utils_dm.h \
volumekey.c \ volumekey.c \

3
lib/crypto_backend/crypto_gcrypt.c
View File

@@ -37,12 +37,13 @@ struct crypt_hmac {
int hash_len; int hash_len;
}; };
int crypt_backend_init(struct crypt_device *ctx __attribute__((unused))) int crypt_backend_init(struct crypt_device *ctx)
{ {
if (crypto_backend_initialised) if (crypto_backend_initialised)
return 0; return 0;
log_dbg("Initialising gcrypt crypto backend."); log_dbg("Initialising gcrypt crypto backend.");
crypt_fips_libcryptsetup_check(ctx);
if (!gcry_control (GCRYCTL_INITIALIZATION_FINISHED_P)) { if (!gcry_control (GCRYCTL_INITIALIZATION_FINISHED_P)) {
if (!gcry_check_version (GCRYPT_REQ_VERSION)) { if (!gcry_check_version (GCRYPT_REQ_VERSION)) {
return -ENOSYS; return -ENOSYS;

1
lib/internal.h
View File

@@ -35,6 +35,7 @@
#include "utils_crypt.h" #include "utils_crypt.h"
#include "utils_loop.h" #include "utils_loop.h"
#include "utils_dm.h" #include "utils_dm.h"
#include "utils_fips.h"
/* to silent gcc -Wcast-qual for const cast */ /* to silent gcc -Wcast-qual for const cast */
#define CONST_CAST(x) (x)(uintptr_t) #define CONST_CAST(x) (x)(uintptr_t)

5
lib/setup.c
View File

@@ -1832,6 +1832,11 @@ int crypt_volume_key_get(struct crypt_device *cd,
unsigned key_len; unsigned key_len;
int r = -EINVAL; int r = -EINVAL;
if (crypt_fips_mode()) {
log_err(cd, "Function not available in FIPS mode.\n");
return -EACCES;
}
key_len = crypt_get_volume_key_size(cd); key_len = crypt_get_volume_key_size(cd);
if (key_len > *volume_key_size) { if (key_len > *volume_key_size) {
log_err(cd, _("Volume key buffer too small.\n")); log_err(cd, _("Volume key buffer too small.\n"));

60
lib/utils_fips.c Normal file
View File

@@ -0,0 +1,60 @@
/*
* FIPS mode utilities
*
* Copyright (C) 2011-2012, Red Hat, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* version 2 as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#include <stdlib.h>
#include "libcryptsetup.h"
#include "utils_fips.h"
#include "config.h"
#if !ENABLE_FIPS
int crypt_fips_mode(void) { return 0; }
void crypt_fips_libcryptsetup_check(struct crypt_device *cd) {}
void crypt_fips_self_check(struct crypt_device *cd) {}
#else
#include <fipscheck.h>
int crypt_fips_mode(void)
{
return FIPSCHECK_kernel_fips_mode();
}
static void crypt_fips_verify(struct crypt_device *cd,
const char *name, const char *function)
{
if (!crypt_fips_mode())
return;
if (!FIPSCHECK_verify(name, function)) {
crypt_log(cd, CRYPT_LOG_ERROR, "FIPS checksum verification failed.\n");
exit(EXIT_FAILURE);
}
crypt_log(cd, CRYPT_LOG_VERBOSE, "Running in FIPS mode.\n");
}
void crypt_fips_libcryptsetup_check(struct crypt_device *cd)
{
crypt_fips_verify(cd, "libcryptsetup.so", "crypt_init");
}
void crypt_fips_self_check(struct crypt_device *cd)
{
crypt_fips_verify(cd, NULL, NULL);
}
#endif /* ENABLE_FIPS */

29
lib/utils_fips.h Normal file
View File

@@ -0,0 +1,29 @@
/*
* FIPS mode utilities
*
* Copyright (C) 2011-2012, Red Hat, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* version 2 as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifndef _UTILS_FIPS_H
#define _UTILS_FIPS_H
struct crypt_device;
int crypt_fips_mode(void);
void crypt_fips_libcryptsetup_check(struct crypt_device *cd);
void crypt_fips_self_check(struct crypt_device *cd);
#endif /* _UTILS_FIPS_H */

4
src/Makefile.am
View File

@@ -12,12 +12,14 @@ INCLUDES = \
cryptsetup_SOURCES = \ cryptsetup_SOURCES = \
$(top_builddir)/lib/utils_crypt.c \ $(top_builddir)/lib/utils_crypt.c \
$(top_builddir)/lib/utils_loop.c \ $(top_builddir)/lib/utils_loop.c \
$(top_builddir)/lib/utils_fips.c \
cryptsetup.c \ cryptsetup.c \
cryptsetup.h cryptsetup.h
cryptsetup_LDADD = \ cryptsetup_LDADD = \
$(top_builddir)/lib/libcryptsetup.la \ $(top_builddir)/lib/libcryptsetup.la \
@POPT_LIBS@ @POPT_LIBS@ \
@FIPSCHECK_LIBS@
cryptsetup_CFLAGS = -Wall cryptsetup_CFLAGS = -Wall

2
src/cryptsetup.c
View File

@@ -1317,6 +1317,8 @@ int main(int argc, const char **argv)
bindtextdomain(PACKAGE, LOCALEDIR); bindtextdomain(PACKAGE, LOCALEDIR);
textdomain(PACKAGE); textdomain(PACKAGE);
crypt_fips_self_check(NULL);
popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0); popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
poptSetOtherOptionHelp(popt_context, poptSetOtherOptionHelp(popt_context,
N_("[OPTION...] <action> <action-specific>]")); N_("[OPTION...] <action> <action-specific>]"));

1
src/cryptsetup.h
View File

@@ -27,6 +27,7 @@
#include "lib/nls.h" #include "lib/nls.h"
#include "lib/utils_crypt.h" #include "lib/utils_crypt.h"
#include "lib/utils_loop.h" #include "lib/utils_loop.h"
#include "lib/utils_fips.h"
#define DEFAULT_CIPHER(type) (DEFAULT_##type##_CIPHER "-" DEFAULT_##type##_MODE) #define DEFAULT_CIPHER(type) (DEFAULT_##type##_CIPHER "-" DEFAULT_##type##_MODE)