modify FIPS checks

- we need a way to notify an user about running misconfigured system which will turn to be unusable in real FIPS mode. For more details look at: http://bugzilla.redhat.com/show_bug.cgi?id=1009707#c25 - also fixes invisble verbose log about running in FIPS mode due to its misplacement
2025-12-17 05:40:13 +01:00 · 2014-06-20 15:44:01 +02:00
parent 6b4c33d3a5
commit 4f89028c67
2 changed files with 7 additions and 5 deletions
--- a/lib/utils_fips.c
+++ b/lib/utils_fips.c
@@ -37,12 +37,13 @@ int crypt_fips_mode(void)

 static void crypt_fips_verify(const char *name, const char *function)
 {
-	if (!crypt_fips_mode())
+	if (access(FIPS_MODULE_FILE, F_OK))
 		return;

 	if (!FIPSCHECK_verify(name, function)) {
 		fputs(_("FIPS checksum verification failed.\n"), stderr);
-		_exit(EXIT_FAILURE);
+		if (FIPSCHECK_kernel_fips_mode())
+			_exit(EXIT_FAILURE);
 	}
 }

--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -1487,9 +1487,6 @@ int main(int argc, const char **argv)
 	bindtextdomain(PACKAGE, LOCALEDIR);
 	textdomain(PACKAGE);

-	if (crypt_fips_mode())
-		crypt_log(NULL, CRYPT_LOG_VERBOSE, _("Running in FIPS mode.\n"));
-
 	popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
 	poptSetOtherOptionHelp(popt_context,
 	                       _("[OPTION...] <action> <action-specific>"));
@@ -1531,6 +1528,10 @@ int main(int argc, const char **argv)
 	if (r < -1)
 		usage(popt_context, EXIT_FAILURE, poptStrerror(r),
 		      poptBadOption(popt_context, POPT_BADOPTION_NOALIAS));
+
+	if (crypt_fips_mode())
+		crypt_log(NULL, CRYPT_LOG_VERBOSE, _("Running in FIPS mode.\n"));
+
 	if (opt_version_mode) {
 		log_std("%s %s\n", PACKAGE_NAME, PACKAGE_VERSION);
 		poptFreeContext(popt_context);