From 4f89028c6760b69b5f94aaa44523b0913b586ae6 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina
Date: Fri, 20 Jun 2014 15:44:01 +0200
Subject: [PATCH] modify FIPS checks

- we need a way to notify an user about running misconfigured system which will turn to be unusable in real FIPS mode. For more details look at: http://bugzilla.redhat.com/show_bug.cgi?id=1009707#c25
- also fixes invisble verbose log about running in FIPS mode due to its misplacement
---
 lib/utils_fips.c | 5 +++--
 src/cryptsetup.c | 7 ++++---
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/lib/utils_fips.c b/lib/utils_fips.c
index f1fa92e7..9a3caae5 100644
--- a/lib/utils_fips.c
+++ b/lib/utils_fips.c
@@ -37,12 +37,13 @@ int crypt_fips_mode(void)
 
 static void crypt_fips_verify(const char *name, const char *function)
 {
- if (!crypt_fips_mode())
+ if (access(FIPS_MODULE_FILE, F_OK))
 return;
 
 if (!FIPSCHECK_verify(name, function)) {
 fputs(_("FIPS checksum verification failed.\n"), stderr);
- _exit(EXIT_FAILURE);
+ if (FIPSCHECK_kernel_fips_mode())
+ _exit(EXIT_FAILURE);
 }
 }
 
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index 3b63a2b2..a05af425 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -1487,9 +1487,6 @@ int main(int argc, const char **argv)
 bindtextdomain(PACKAGE, LOCALEDIR);
 textdomain(PACKAGE);
 
- if (crypt_fips_mode())
- crypt_log(NULL, CRYPT_LOG_VERBOSE, _("Running in FIPS mode.\n"));
-
 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
 poptSetOtherOptionHelp(popt_context,
 _("[OPTION...] "));
@@ -1531,6 +1528,10 @@ int main(int argc, const char **argv)
 if (r < -1)
 usage(popt_context, EXIT_FAILURE, poptStrerror(r),
 poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
+
+ if (crypt_fips_mode())
+ crypt_log(NULL, CRYPT_LOG_VERBOSE, _("Running in FIPS mode.\n"));
+
 if (opt_version_mode) {
 log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
 poptFreeContext(popt_context);
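Review bot: In crypt_fips_verify, the new guard `if (access(FIPS_MODULE_FILE, F_OK)) return;` skips the checksum on any access() failure, not only when the marker file is absent, and it does so even when the kernel is in FIPS mode, so the later `_exit(EXIT_FAILURE)` cannot be reached in that state. If enforcement is meant to require both conditions (crypt_fips_mode() is defined outside this hunk, so that is not visible here), record it in a comment above the function, e.g. `/* marker file absent: no check; present: warn on mismatch; present and kernel in FIPS mode: mismatch is fatal */`. Otherwise test the kernel flag first so that a missing or unreachable marker cannot silence verification: `if (!FIPSCHECK_kernel_fips_mode() && access(FIPS_MODULE_FILE, F_OK)) return;`.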
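Review bot: The relocated `crypt_fips_mode()` log in the last hunk of src/cryptsetup.c has no comment saying why it must follow option parsing, which according to the commit message is the reason for the move. A one-line comment such as `/* log only after popt parsing; earlier the message was not visible */` above the `if` would keep a later cleanup from moving it back to the top of main(). main() starts and ends outside this hunk, so how the verbosity level is applied is not visible here.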