diff --git a/lib/crypto_backend/crypto_backend.h b/lib/crypto_backend/crypto_backend.h index 5278c345..88cc2d59 100644 --- a/lib/crypto_backend/crypto_backend.h +++ b/lib/crypto_backend/crypto_backend.h @@ -31,7 +31,7 @@ struct crypt_hmac; struct crypt_cipher; struct crypt_storage; -int crypt_backend_init(void); +int crypt_backend_init(bool fips); void crypt_backend_destroy(void); #define CRYPT_BACKEND_KERNEL (1 << 0) /* Crypto uses kernel part, for benchmark */ diff --git a/lib/crypto_backend/crypto_gcrypt.c b/lib/crypto_backend/crypto_gcrypt.c index 2845382e..67f26067 100644 --- a/lib/crypto_backend/crypto_gcrypt.c +++ b/lib/crypto_backend/crypto_gcrypt.c @@ -94,7 +94,7 @@ static void crypt_hash_test_whirlpool_bug(void) crypto_backend_whirlpool_bug = 1; } -int crypt_backend_init(void) +int crypt_backend_init(bool fips __attribute__((unused))) { int r; diff --git a/lib/crypto_backend/crypto_kernel.c b/lib/crypto_backend/crypto_kernel.c index 2e3d65b2..ce84cfac 100644 --- a/lib/crypto_backend/crypto_kernel.c +++ b/lib/crypto_backend/crypto_kernel.c @@ -117,7 +117,7 @@ static int crypt_kernel_socket_init(struct sockaddr_alg *sa, int *tfmfd, int *op return 0; } -int crypt_backend_init(void) +int crypt_backend_init(bool fips __attribute__((unused))) { struct utsname uts; struct sockaddr_alg sa = { diff --git a/lib/crypto_backend/crypto_nettle.c b/lib/crypto_backend/crypto_nettle.c index 0860a52d..c9b9f5f8 100644 --- a/lib/crypto_backend/crypto_nettle.c +++ b/lib/crypto_backend/crypto_nettle.c @@ -213,7 +213,7 @@ static struct hash_alg *_get_alg(const char *name) return NULL; } -int crypt_backend_init(void) +int crypt_backend_init(bool fips __attribute__((unused))) { return 0; } diff --git a/lib/crypto_backend/crypto_nss.c b/lib/crypto_backend/crypto_nss.c index ebe9de0e..a84d3d65 100644 --- a/lib/crypto_backend/crypto_nss.c +++ b/lib/crypto_backend/crypto_nss.c @@ -75,7 +75,7 @@ static struct hash_alg *_get_alg(const char *name) return NULL; } -int crypt_backend_init(void) +int crypt_backend_init(bool fips __attribute__((unused))) { int r; diff --git a/lib/crypto_backend/crypto_openssl.c b/lib/crypto_backend/crypto_openssl.c index 92eeb33c..2a490ce5 100644 --- a/lib/crypto_backend/crypto_openssl.c +++ b/lib/crypto_backend/crypto_openssl.c @@ -88,7 +88,7 @@ struct hash_alg { #if OPENSSL_VERSION_NUMBER < 0x10100000L || \ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL) -static void openssl_backend_init(void) +static void openssl_backend_init(bool fips __attribute__((unused))) { OpenSSL_add_all_algorithms(); } @@ -150,7 +150,7 @@ static void openssl_backend_exit(void) #endif } -static int openssl_backend_init(void) +static int openssl_backend_init(bool fips) { /* * OpenSSL >= 3.0.0 provides some algorithms in legacy provider @@ -158,23 +158,30 @@ static int openssl_backend_init(void) #if OPENSSL_VERSION_MAJOR >= 3 int r; - ossl_ctx = OSSL_LIB_CTX_new(); - if (!ossl_ctx) - return -EINVAL; + /* + * In FIPS mode we keep default OpenSSL context & global config + */ + if (!fips) { + ossl_ctx = OSSL_LIB_CTX_new(); + if (!ossl_ctx) + return -EINVAL; - ossl_default = OSSL_PROVIDER_try_load(ossl_ctx, "default", 0); - if (!ossl_default) { - OSSL_LIB_CTX_free(ossl_ctx); - return -EINVAL; + ossl_default = OSSL_PROVIDER_try_load(ossl_ctx, "default", 0); + if (!ossl_default) { + OSSL_LIB_CTX_free(ossl_ctx); + return -EINVAL; + } + + /* Optional */ + ossl_legacy = OSSL_PROVIDER_try_load(ossl_ctx, "legacy", 0); } - /* Optional */ - ossl_legacy = OSSL_PROVIDER_try_load(ossl_ctx, "legacy", 0); - - r = snprintf(backend_version, sizeof(backend_version), "%s %s%s", + r = snprintf(backend_version, sizeof(backend_version), "%s %s%s%s", OpenSSL_version(OPENSSL_VERSION), ossl_default ? "[default]" : "", - ossl_legacy ? "[legacy]" : ""); + ossl_legacy ? "[legacy]" : "", + fips ? "[fips]" : ""); + if (r < 0 || (size_t)r >= sizeof(backend_version)) { openssl_backend_exit(); return -EINVAL; @@ -193,12 +200,12 @@ static const char *openssl_backend_version(void) } #endif -int crypt_backend_init(void) +int crypt_backend_init(bool fips) { if (crypto_backend_initialised) return 0; - if (openssl_backend_init()) + if (openssl_backend_init(fips)) return -EINVAL; crypto_backend_initialised = 1; diff --git a/lib/setup.c b/lib/setup.c index dc5459f5..a5dfd843 100644 --- a/lib/setup.c +++ b/lib/setup.c @@ -227,7 +227,7 @@ int init_crypto(struct crypt_device *ctx) return r; } - r = crypt_backend_init(); + r = crypt_backend_init(crypt_fips_mode()); if (r < 0) log_err(ctx, _("Cannot initialize crypto backend.")); diff --git a/lib/utils_fips.c b/lib/utils_fips.c index 4fa22fb9..0c2b6434 100644 --- a/lib/utils_fips.c +++ b/lib/utils_fips.c @@ -24,9 +24,9 @@ #include "utils_fips.h" #if !ENABLE_FIPS -int crypt_fips_mode(void) { return 0; } +bool crypt_fips_mode(void) { return false; } #else -static int kernel_fips_mode(void) +static bool kernel_fips_mode(void) { int fd; char buf[1] = ""; @@ -36,10 +36,10 @@ static int kernel_fips_mode(void) close(fd); } - return (buf[0] == '1') ? 1 : 0; + return (buf[0] == '1'); } -int crypt_fips_mode(void) +bool crypt_fips_mode(void) { return kernel_fips_mode() && !access("/etc/system-fips", F_OK); } diff --git a/lib/utils_fips.h b/lib/utils_fips.h index 51b110b5..13cfc9fb 100644 --- a/lib/utils_fips.h +++ b/lib/utils_fips.h @@ -21,6 +21,8 @@ #ifndef _UTILS_FIPS_H #define _UTILS_FIPS_H -int crypt_fips_mode(void); +#include + +bool crypt_fips_mode(void); #endif /* _UTILS_FIPS_H */ diff --git a/tests/crypto-vectors.c b/tests/crypto-vectors.c index 025585de..6484e97a 100644 --- a/tests/crypto-vectors.c +++ b/tests/crypto-vectors.c @@ -1301,7 +1301,7 @@ int main(__attribute__ ((unused)) int argc, __attribute__ ((unused))char *argv[] exit(77); } - if (crypt_backend_init()) + if (crypt_backend_init(fips_mode())) exit_test("Crypto backend init error.", EXIT_FAILURE); printf("Test vectors using %s crypto backend.\n", crypt_backend_version());