Add fips_mode check for kernel.

Akso add a separate function so we can detect that kernel and crypto lib is in different FIPS state (only for testing).
2025-12-05 16:00:05 +01:00 · 2025-11-13 21:56:05 +01:00
parent 7fba92260a
commit ccc0c69cd7
3 changed files with 24 additions and 1 deletions
--- a/lib/crypto_backend/cipher_generic.c
+++ b/lib/crypto_backend/cipher_generic.c
@@ -8,6 +8,8 @@

 #include <errno.h>
 #include <strings.h>
+#include <unistd.h>
+#include <fcntl.h>
 #include "crypto_backend.h"

 struct cipher_alg {
@@ -77,3 +79,21 @@ int crypt_cipher_wrapped_key(const char *name, const char *mode)

 	return ca ? (int)ca->wrapped_key : 0;
 }
+
+bool crypt_fips_mode_kernel(void)
+{
+	int fd;
+	char buf = 0;
+
+	fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
+
+	if (fd < 0)
+		return false;
+
+	if (read(fd, &buf, 1) != 1)
+		buf = '0';
+
+	close(fd);
+
+	return (buf == '1');
+}