Delegate FIPS mode detection to configured crypto backend.

System FIPS mode check is no longer dependent on /etc/system-fips
file. The change should be compatible with older distributions since
we now depend on crypto backend internal routine.

This commit affects only FIPS enabled systems (with FIPS enabled
builds). In case this causes any regression in current distributions
feel free to drop the patch.

For reference see https://bugzilla.redhat.com/show_bug.cgi?id=2080516

lib/Makemodule.am

@@ -53,8 +53,6 @@ libcryptsetup_la_SOURCES = \
 	lib/utils_loop.h		\
 	lib/utils_devpath.c		\
 	lib/utils_wipe.c		\
-	lib/utils_fips.c		\
-	lib/utils_fips.h		\
 	lib/utils_device.c		\
 	lib/utils_keyring.c		\
 	lib/utils_keyring.h		\

lib/crypto_backend/crypto_backend.h

@@ -152,4 +152,7 @@ static inline void crypt_backend_memzero(void *s, size_t n)
 /* Memcmp helper (memcmp in constant time) */
 int crypt_backend_memeq(const void *m1, const void *m2, size_t n);
 
+/* crypto backend running in FIPS mode */
+bool crypt_fips_mode(void);
+
 #endif /* _CRYPTO_BACKEND_H */

lib/crypto_backend/crypto_gcrypt.c

@@ -555,3 +555,20 @@ int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
 {
 	return crypt_internal_memeq(m1, m2, n);
 }
+
+#if !ENABLE_FIPS
+bool crypt_fips_mode(void) { return false; }
+#else
+bool crypt_fips_mode(void)
+{
+	static bool fips_mode = false, fips_checked = false;
+
+	if (fips_checked)
+		return fips_mode;
+
+	fips_mode = gcry_fips_mode_active();
+	fips_checked = true;
+
+	return fips_mode;
+}
+#endif /* ENABLE FIPS */

lib/crypto_backend/crypto_kernel.c

@@ -421,3 +421,8 @@ int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
 {
 	return crypt_internal_memeq(m1, m2, n);
 }
+
+bool crypt_fips_mode(void)
+{
+	return false;
+}

lib/crypto_backend/crypto_nettle.c

@@ -453,3 +453,8 @@ int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
 	/* The logic is inverse to memcmp... */
 	return !memeql_sec(m1, m2, n);
 }
+
+bool crypt_fips_mode(void)
+{
+	return false;
+}

lib/crypto_backend/crypto_nss.c

@@ -400,3 +400,8 @@ int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
 {
 	return NSS_SecureMemcmp(m1, m2, n);
 }
+
+bool crypt_fips_mode(void)
+{
+	return false;
+}

lib/crypto_backend/crypto_openssl.c

@@ -812,3 +812,29 @@ int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
 {
 	return CRYPTO_memcmp(m1, m2, n);
 }
+
+#if !ENABLE_FIPS
+bool crypt_fips_mode(void) { return false; }
+#else
+static bool openssl_fips_mode(void)
+{
+#if OPENSSL_VERSION_MAJOR >= 3
+	return EVP_default_properties_is_fips_enabled(NULL);
+#else
+	return FIPS_mode();
+#endif
+}
+
+bool crypt_fips_mode(void)
+{
+	static bool fips_mode = false, fips_checked = false;
+
+	if (fips_checked)
+		return fips_mode;
+
+	fips_mode = openssl_fips_mode();
+	fips_checked = true;
+
+	return fips_mode;
+}
+#endif /* ENABLE FIPS */

lib/internal.h

@@ -38,7 +38,6 @@
 #include "utils_crypt.h"
 #include "utils_loop.h"
 #include "utils_dm.h"
-#include "utils_fips.h"
 #include "utils_keyring.h"
 #include "utils_io.h"
 #include "crypto_backend/crypto_backend.h"

lib/utils_fips.c

@@ -1,55 +0,0 @@
-/*
- * FIPS mode utilities
- *
- * Copyright (C) 2011-2022 Red Hat, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include <unistd.h>
-#include <fcntl.h>
-#include <errno.h>
-#include "utils_fips.h"
-
-#if !ENABLE_FIPS
-bool crypt_fips_mode(void) { return false; }
-#else
-static bool fips_checked = false;
-static bool fips_mode = false;
-
-static bool kernel_fips_mode(void)
-{
-	int fd;
-	char buf[1] = "";
-
-	if ((fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY)) >= 0) {
-		while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
-		close(fd);
-	}
-
-	return (buf[0] == '1');
-}
-
-bool crypt_fips_mode(void)
-{
-	if (fips_checked)
-		return fips_mode;
-
-	fips_mode = kernel_fips_mode() && !access("/etc/system-fips", F_OK);
-	fips_checked = true;
-
-	return fips_mode;
-}
-#endif /* ENABLE_FIPS */

lib/utils_fips.h

@@ -1,28 +0,0 @@
-/*
- * FIPS mode utilities
- *
- * Copyright (C) 2011-2022 Red Hat, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#ifndef _UTILS_FIPS_H
-#define _UTILS_FIPS_H
-
-#include <stdbool.h>
-
-bool crypt_fips_mode(void);
-
-#endif /* _UTILS_FIPS_H */

po/POTFILES.in

@@ -6,7 +6,6 @@ lib/volumekey.c
 lib/crypt_plain.c
 lib/utils_crypt.c
 lib/utils_loop.c
-lib/utils_fips.c
 lib/utils_device.c
 lib/utils_devpath.c
 lib/utils_pbkdf.c

src/cryptsetup.h

@@ -44,7 +44,6 @@
 #include "lib/bitops.h"
 #include "lib/utils_crypt.h"
 #include "lib/utils_loop.h"
-#include "lib/utils_fips.h"
 #include "lib/utils_io.h"
 #include "lib/utils_blkid.h"
 #include "lib/libcryptsetup_macros.h"

tests/compat-test

@@ -45,7 +45,7 @@ KEY_MATERIAL5_EXT="S331776-395264"
 TEST_UUID="12345678-1234-1234-1234-123456789abc"
 
 LOOPDEV=$(losetup -f 2>/dev/null)
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 
 function remove_mapping()
 {

tests/compat-test2

@@ -42,7 +42,7 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
 TEST_UUID="12345678-1234-1234-1234-123456789abc"
 
 LOOPDEV=$(losetup -f 2>/dev/null)
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 
 function remove_mapping()
 {

tests/keyring-compat-test

@@ -29,7 +29,7 @@ CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
 CRYPTSETUP_VALGRIND=../.libs/cryptsetup
 CRYPTSETUP_LIB_VALGRIND=../.libs
 
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 
 function remove_mapping()
 {

tests/luks2-reencryption-test

@@ -27,7 +27,7 @@ PWD2="1cND4319812f"
 PWD3="1-9Qu5Ejfnqv"
 DEV_LINK="reenc-test-link"
 
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 
 function dm_crypt_features()
 {