From a21c0503f83d24d19acf2b128c0cfcb2142d9805 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina
Date: Wed, 6 Nov 2013 18:04:10 +0100
Subject: [PATCH] make FIPS checks compliant with new guidance (gmazyland: Simplified this NIST nonsense, should be still exactly equivalent to former patch)
---
 configure.ac | 4 ++++
 lib/setup.c | 7 +++++--
 lib/utils_fips.c | 25 ++++++++-----------------
 lib/utils_fips.h | 5 ++---
 src/cryptsetup.c | 3 ++-
 tests/compat-test | 2 +-
 6 files changed, 22 insertions(+), 24 deletions(-)
diff --git a/configure.ac b/configure.ac
index f600ee70..1c456be1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -6,6 +6,7 @@ LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)
 LIBCRYPTSETUP_VERSION_INFO=9:0:5
 dnl library file name for FIPS selfcheck
 LIBCRYPTSETUP_VERSION_FIPS="libcryptsetup.so.4"
+FIPS_MODULE_FILE="/etc/system-fips"
 AC_CONFIG_SRCDIR(src/cryptsetup.c)
 AC_CONFIG_MACRO_DIR([m4])
@@ -84,6 +85,8 @@ if test "x$with_fips" = "xyes"; then
 AC_DEFINE(ENABLE_FIPS, 1, [Enable FIPS mode restrictions])
 AC_DEFINE_UNQUOTED(LIBCRYPTSETUP_VERSION_FIPS, ["$LIBCRYPTSETUP_VERSION_FIPS"], [library file name for FIPS selfcheck])
+ AC_DEFINE_UNQUOTED(FIPS_MODULE_FILE, ["$FIPS_MODULE_FILE"],
+ [file checked to determine if running in FIPS mode])
 if test "x$enable_static" = "xyes" -o "x$enable_static_cryptsetup" = "xyes" ; then
 AC_MSG_ERROR([Static build is not compatible with FIPS.])
@@ -347,6 +350,7 @@ AC_SUBST([CRYPTO_STATIC_LIBS])
 AC_SUBST([LIBCRYPTSETUP_VERSION])
 AC_SUBST([LIBCRYPTSETUP_VERSION_INFO])
 AC_SUBST([LIBCRYPTSETUP_VERSION_FIPS])
+AC_SUBST([FIPS_MODULE_FILE])
 dnl ==========================================================================
 AC_ARG_ENABLE([dev-random], AS_HELP_STRING([--enable-dev-random],
diff --git a/lib/setup.c b/lib/setup.c
index 1d720749..33640522 100644
--- a/lib/setup.c
+++ b/lib/setup.c
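Review bot: `FIPS_MODULE_FILE` in the first configure.ac hunk is assigned without the kind of `dnl` comment that its neighbour `LIBCRYPTSETUP_VERSION_FIPS` carries, and the path is fixed at `/etc/system-fips` with no configure-time override. Per the lib/utils_fips.c change in this patch, a missing marker file makes `crypt_fips_mode()` return 0, so packagers should be told what the file controls; I would add `dnl marker file that must exist, in addition to the kernel flag, for FIPS mode to be assumed` above the assignment. If other distributions keep the marker elsewhere, an `AC_ARG_WITH` option would avoid patching the script; that part is a suggestion rather than a defect.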
@@ -183,8 +183,6 @@ int init_crypto(struct crypt_device *ctx)
 {
 int r;
- crypt_fips_libcryptsetup_check(ctx);
-
 r = crypt_random_init(ctx);
 if (r < 0) {
 log_err(ctx, _("Cannot initialize crypto RNG backend.\n"));
@@ -2605,3 +2603,8 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name,
 return 0;
 }
+
+static void __attribute__((constructor)) libcryptsetup_ctor(void)
+{
+ crypt_fips_libcryptsetup_check();
+}
diff --git a/lib/utils_fips.c b/lib/utils_fips.c
index 0391d61d..f1fa92e7 100644
--- a/lib/utils_fips.c
+++ b/lib/utils_fips.c
@@ -1,7 +1,7 @@
 /*
 * FIPS mode utilities
 *
- * Copyright (C) 2011-2012, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2013, Red Hat, Inc. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
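Review bot: The new `libcryptsetup_ctor` at the end of lib/setup.c has no comment saying that it can terminate the host process. Per the lib/utils_fips.c change in this patch, a failed `FIPSCHECK_verify` writes to `stderr` and calls `_exit(EXIT_FAILURE)`, and from a constructor that happens while the library is being loaded, before the application can install a log callback or set a locale. I would add `/* FIPS integrity check at load time; in FIPS mode a checksum mismatch terminates the process. */` above the function. Because the message bypasses the log callback, a program that loads the library with descriptor 2 closed or reused will have the text written to whatever holds that descriptor, which is worth noting in the library documentation.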
@@ -19,44 +19,35 @@
 */
 #include
+#include
 #include
-#include "libcryptsetup.h"
 #include "nls.h"
 #include "utils_fips.h"
 #if !ENABLE_FIPS
 int crypt_fips_mode(void) { return 0; }
-void crypt_fips_libcryptsetup_check(struct crypt_device *cd) {}
-void crypt_fips_self_check(struct crypt_device *cd) {}
+void crypt_fips_libcryptsetup_check(void) {}
 #else
 #include
 int crypt_fips_mode(void)
 {
- return FIPSCHECK_kernel_fips_mode();
+ return FIPSCHECK_kernel_fips_mode() && !access(FIPS_MODULE_FILE, F_OK);
 }
-static void crypt_fips_verify(struct crypt_device *cd,
- const char *name, const char *function)
+static void crypt_fips_verify(const char *name, const char *function)
 {
 if (!crypt_fips_mode()) return;
 if (!FIPSCHECK_verify(name, function)) {
- crypt_log(cd, CRYPT_LOG_ERROR, _("FIPS checksum verification failed.\n"));
+ fputs(_("FIPS checksum verification failed.\n"), stderr);
 _exit(EXIT_FAILURE);
 }
-
- crypt_log(cd, CRYPT_LOG_VERBOSE, _("Running in FIPS mode.\n"));
 }
-void crypt_fips_libcryptsetup_check(struct crypt_device *cd)
+void crypt_fips_libcryptsetup_check(void)
 {
- crypt_fips_verify(cd, LIBCRYPTSETUP_VERSION_FIPS, "crypt_init");
-}
-
-void crypt_fips_self_check(struct crypt_device *cd)
-{
- crypt_fips_verify(cd, NULL, NULL);
+ crypt_fips_verify(LIBCRYPTSETUP_VERSION_FIPS, "crypt_init");
 }
 #endif /* ENABLE_FIPS */
diff --git a/lib/utils_fips.h b/lib/utils_fips.h
index d4d22396..59f23399 100644
--- a/lib/utils_fips.h
+++ b/lib/utils_fips.h
@@ -1,7 +1,7 @@
 /*
 * FIPS mode utilities
 *
- * Copyright (C) 2011-2012, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2011-2013, Red Hat, Inc. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
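Review bot: `crypt_fips_mode()` in lib/utils_fips.c now fails open, because any `access()` failure on `FIPS_MODULE_FILE`, not only a missing file, makes it return 0, and `crypt_fips_verify()` then returns before `FIPSCHECK_verify` runs. On a kernel that reports FIPS mode, an error such as `EACCES` or `EIO` on the marker file would therefore skip the library integrity check without any message. Treating only `ENOENT` as "not in FIPS mode" closes that gap, e.g. `return FIPSCHECK_kernel_fips_mode() && (!access(FIPS_MODULE_FILE, F_OK) || errno != ENOENT);` with `<errno.h>` included. `access()` also resolves the path with the real rather than the effective user ID, which may matter if the library is ever loaded by a set-user-ID program.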
@@ -24,7 +24,6 @@ struct crypt_device;
 int crypt_fips_mode(void);
-void crypt_fips_libcryptsetup_check(struct crypt_device *cd);
-void crypt_fips_self_check(struct crypt_device *cd);
+void crypt_fips_libcryptsetup_check(void);
 #endif /* _UTILS_FIPS_H */
diff --git a/src/cryptsetup.c b/src/cryptsetup.c
index b8941ab6..85fd11f3 100644
--- a/src/cryptsetup.c
+++ b/src/cryptsetup.c
@@ -1413,7 +1413,8 @@ int main(int argc, const char **argv)
 bindtextdomain(PACKAGE, LOCALEDIR);
 textdomain(PACKAGE);
- crypt_fips_self_check(NULL);
+ if (crypt_fips_mode())
+ crypt_log(NULL, CRYPT_LOG_VERBOSE, _("Running in FIPS mode.\n"));
 popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
 poptSetOtherOptionHelp(popt_context,
diff --git a/tests/compat-test b/tests/compat-test
index ab3ade5d..80606728 100755
--- a/tests/compat-test
+++ b/tests/compat-test
@@ -39,7 +39,7 @@ KEY_MATERIAL5_EXT="S331776-395264"
 TEST_UUID="12345678-1234-1234-1234-123456789abc"
 LOOPDEV=$(losetup -f 2>/dev/null)
-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 function remove_mapping() {
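Review bot: The forward declaration `struct crypt_device;` shown with this lib/utils_fips.h hunk looks unused after the change, because neither remaining prototype takes a `struct crypt_device *`. If nothing outside the lines shown relies on it, drop the line so the header no longer suggests that the FIPS helpers need a device context.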
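Review bot: With `crypt_fips_self_check(NULL)` removed from `main()` in src/cryptsetup.c, nothing visible in the patch verifies the cryptsetup executable itself any more; the removed helper called `FIPSCHECK_verify(NULL, NULL)`, which presumably covered the running binary, and only the library is now checked by its constructor. If that narrowing is what the new guidance intends, record it here with a comment such as `/* libcryptsetup verifies its own integrity at load time; the binary is not checksummed. */`. Separately, the verbose message is emitted before `poptGetContext()` runs, so a verbosity option on the command line presumably cannot enable it yet; `main()` continues outside the hunk, so that needs confirming there.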
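Review bot: `FIPS_MODE` in tests/compat-test is now assigned only when `/etc/system-fips` exists, so on any other system it keeps whatever value the caller's environment exported and the FIPS-specific test paths could be selected by accident. Initialise it on the line before, e.g. `FIPS_MODE=""`, which matches the empty value the old code produced when the proc file could not be read. The marker path is also written out literally here while configure.ac defines and substitutes `FIPS_MODULE_FILE`, so the two can drift apart; a comment pointing at the configure variable would help.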