eessppeelllloo/cryptsetup
1
0
Fork 0
mirror of https://gitlab.com/cryptsetup/cryptsetup.git synced 2025-12-17 05:40:13 +01:00
Code Issues Packages Projects Releases Wiki Activity

make FIPS checks compliant with new guidance

Browse Source 
(gmazyland: Simplified this NIST nonsense, should be still exactly
equivalent to former patch)
This commit is contained in:
Ondrej Kozina
2013-11-06 18:04:10 +01:00
committed by Milan Broz
parent e52d5f3d98
commit a21c0503f8
6 changed files with 22 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
configure.ac
View File

@@ -6,6 +6,7 @@ LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)
LIBCRYPTSETUP_VERSION_INFO=9:0:5 LIBCRYPTSETUP_VERSION_INFO=9:0:5
dnl library file name for FIPS selfcheck dnl library file name for FIPS selfcheck
LIBCRYPTSETUP_VERSION_FIPS="libcryptsetup.so.4" LIBCRYPTSETUP_VERSION_FIPS="libcryptsetup.so.4"
FIPS_MODULE_FILE="/etc/system-fips"
AC_CONFIG_SRCDIR(src/cryptsetup.c) AC_CONFIG_SRCDIR(src/cryptsetup.c)
AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_MACRO_DIR([m4])
@@ -84,6 +85,8 @@ if test "x$with_fips" = "xyes"; then
AC_DEFINE(ENABLE_FIPS, 1, [Enable FIPS mode restrictions]) AC_DEFINE(ENABLE_FIPS, 1, [Enable FIPS mode restrictions])
AC_DEFINE_UNQUOTED(LIBCRYPTSETUP_VERSION_FIPS, ["$LIBCRYPTSETUP_VERSION_FIPS"], AC_DEFINE_UNQUOTED(LIBCRYPTSETUP_VERSION_FIPS, ["$LIBCRYPTSETUP_VERSION_FIPS"],
[library file name for FIPS selfcheck]) [library file name for FIPS selfcheck])
AC_DEFINE_UNQUOTED(FIPS_MODULE_FILE, ["$FIPS_MODULE_FILE"],
[file checked to determine if running in FIPS mode])
if test "x$enable_static" = "xyes" -o "x$enable_static_cryptsetup" = "xyes" ; then if test "x$enable_static" = "xyes" -o "x$enable_static_cryptsetup" = "xyes" ; then
AC_MSG_ERROR([Static build is not compatible with FIPS.]) AC_MSG_ERROR([Static build is not compatible with FIPS.])
@@ -347,6 +350,7 @@ AC_SUBST([CRYPTO_STATIC_LIBS])
AC_SUBST([LIBCRYPTSETUP_VERSION]) AC_SUBST([LIBCRYPTSETUP_VERSION])
AC_SUBST([LIBCRYPTSETUP_VERSION_INFO]) AC_SUBST([LIBCRYPTSETUP_VERSION_INFO])
AC_SUBST([LIBCRYPTSETUP_VERSION_FIPS]) AC_SUBST([LIBCRYPTSETUP_VERSION_FIPS])
AC_SUBST([FIPS_MODULE_FILE])
dnl ========================================================================== dnl ==========================================================================
AC_ARG_ENABLE([dev-random], AS_HELP_STRING([--enable-dev-random], AC_ARG_ENABLE([dev-random], AS_HELP_STRING([--enable-dev-random],

7
lib/setup.c
View File

@@ -183,8 +183,6 @@ int init_crypto(struct crypt_device *ctx)
{ {
int r; int r;
crypt_fips_libcryptsetup_check(ctx);
r = crypt_random_init(ctx); r = crypt_random_init(ctx);
if (r < 0) { if (r < 0) {
log_err(ctx, _("Cannot initialize crypto RNG backend.\n")); log_err(ctx, _("Cannot initialize crypto RNG backend.\n"));
@@ -2605,3 +2603,8 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name,
return 0; return 0;
} }
static void __attribute__((constructor)) libcryptsetup_ctor(void)
{
crypt_fips_libcryptsetup_check();
}

25
lib/utils_fips.c
View File

@@ -1,7 +1,7 @@
/* /*
* FIPS mode utilities * FIPS mode utilities
* *
* Copyright (C) 2011-2012, Red Hat, Inc. All rights reserved. * Copyright (C) 2011-2013, Red Hat, Inc. All rights reserved.
* *
* This program is free software; you can redistribute it and/or * This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License * modify it under the terms of the GNU General Public License
@@ -19,44 +19,35 @@
*/ */
#include <stdlib.h> #include <stdlib.h>
#include <stdio.h>
#include <unistd.h> #include <unistd.h>
#include "libcryptsetup.h"
#include "nls.h" #include "nls.h"
#include "utils_fips.h" #include "utils_fips.h"
#if !ENABLE_FIPS #if !ENABLE_FIPS
int crypt_fips_mode(void) { return 0; } int crypt_fips_mode(void) { return 0; }
void crypt_fips_libcryptsetup_check(struct crypt_device *cd) {} void crypt_fips_libcryptsetup_check(void) {}
void crypt_fips_self_check(struct crypt_device *cd) {}
#else #else
#include <fipscheck.h> #include <fipscheck.h>
int crypt_fips_mode(void) int crypt_fips_mode(void)
{ {
return FIPSCHECK_kernel_fips_mode(); return FIPSCHECK_kernel_fips_mode() && !access(FIPS_MODULE_FILE, F_OK);
} }
static void crypt_fips_verify(struct crypt_device *cd, static void crypt_fips_verify(const char *name, const char *function)
const char *name, const char *function)
{ {
if (!crypt_fips_mode()) if (!crypt_fips_mode())
return; return;
if (!FIPSCHECK_verify(name, function)) { if (!FIPSCHECK_verify(name, function)) {
crypt_log(cd, CRYPT_LOG_ERROR, _("FIPS checksum verification failed.\n")); fputs(_("FIPS checksum verification failed.\n"), stderr);
_exit(EXIT_FAILURE); _exit(EXIT_FAILURE);
} }
crypt_log(cd, CRYPT_LOG_VERBOSE, _("Running in FIPS mode.\n"));
} }
void crypt_fips_libcryptsetup_check(struct crypt_device *cd) void crypt_fips_libcryptsetup_check(void)
{ {
crypt_fips_verify(cd, LIBCRYPTSETUP_VERSION_FIPS, "crypt_init"); crypt_fips_verify(LIBCRYPTSETUP_VERSION_FIPS, "crypt_init");
}
void crypt_fips_self_check(struct crypt_device *cd)
{
crypt_fips_verify(cd, NULL, NULL);
} }
#endif /* ENABLE_FIPS */ #endif /* ENABLE_FIPS */

5
lib/utils_fips.h
View File

@@ -1,7 +1,7 @@
/* /*
* FIPS mode utilities * FIPS mode utilities
* *
* Copyright (C) 2011-2012, Red Hat, Inc. All rights reserved. * Copyright (C) 2011-2013, Red Hat, Inc. All rights reserved.
* *
* This program is free software; you can redistribute it and/or * This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License * modify it under the terms of the GNU General Public License
@@ -24,7 +24,6 @@
struct crypt_device; struct crypt_device;
int crypt_fips_mode(void); int crypt_fips_mode(void);
void crypt_fips_libcryptsetup_check(struct crypt_device *cd); void crypt_fips_libcryptsetup_check(void);
void crypt_fips_self_check(struct crypt_device *cd);
#endif /* _UTILS_FIPS_H */ #endif /* _UTILS_FIPS_H */

3
src/cryptsetup.c
View File

@@ -1413,7 +1413,8 @@ int main(int argc, const char **argv)
bindtextdomain(PACKAGE, LOCALEDIR); bindtextdomain(PACKAGE, LOCALEDIR);
textdomain(PACKAGE); textdomain(PACKAGE);
crypt_fips_self_check(NULL); if (crypt_fips_mode())
crypt_log(NULL, CRYPT_LOG_VERBOSE, _("Running in FIPS mode.\n"));
popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0); popt_context = poptGetContext(PACKAGE, argc, argv, popt_options, 0);
poptSetOtherOptionHelp(popt_context, poptSetOtherOptionHelp(popt_context,

2
tests/compat-test
View File

@@ -39,7 +39,7 @@ KEY_MATERIAL5_EXT="S331776-395264"
TEST_UUID="12345678-1234-1234-1234-123456789abc" TEST_UUID="12345678-1234-1234-1234-123456789abc"
LOOPDEV=$(losetup -f 2>/dev/null) LOOPDEV=$(losetup -f 2>/dev/null)
FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) [ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
function remove_mapping() function remove_mapping()
{ {