diff --git a/cryptsetup-2.6.0-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch b/cryptsetup-2.6.0-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch
new file mode 100644
index 0000000..350a863
--- /dev/null
+++ b/cryptsetup-2.6.0-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch
@@ -0,0 +1,316 @@
+From 5b001b7962744b1bdaeb60b7c8cb9c682f907e03 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina
+Date: Tue, 28 Jun 2022 16:23:34 +0200
+Subject: [PATCH] Delegate FIPS mode detection to configured crypto backend.
+
+System FIPS mode check is no longer dependent on /etc/system-fips
+file. The change should be compatible with older distributions since
+we now depend on crypto backend internal routine.
+
+This commit affects only FIPS enabled systems (with FIPS enabled
+builds). In case this causes any regression in current distributions
+feel free to drop the patch.
+
+For reference see https://bugzilla.redhat.com/show_bug.cgi?id=2080516
+---
+ lib/crypto_backend/crypto_backend.h | 3 ++
+ lib/crypto_backend/crypto_gcrypt.c | 17 +++++++++
+ lib/crypto_backend/crypto_kernel.c | 5 +++
+ lib/crypto_backend/crypto_nettle.c | 5 +++
+ lib/crypto_backend/crypto_nss.c | 5 +++
+ lib/crypto_backend/crypto_openssl.c | 26 ++++++++++++++
+ lib/internal.h | 1 -
+ lib/utils_fips.c | 55 -----------------------------
+ lib/utils_fips.h | 28 ---------------
+ po/POTFILES.in | 1 -
+ src/cryptsetup.h | 1 -
+ tests/compat-test | 2 +-
+ tests/compat-test2 | 2 +-
+ tests/keyring-compat-test | 2 +-
+ tests/luks2-reencryption-test | 2 +-
+ 16 files changed, 65 insertions(+), 92 deletions(-)
+ delete mode 100644 lib/utils_fips.c
+ delete mode 100644 lib/utils_fips.h
+
+Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_backend.h
+===================================================================
+--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_backend.h
++++ cryptsetup-2.3.7/lib/crypto_backend/crypto_backend.h
+@@ -135,4 +135,7 @@ static inline void crypt_backend_memzero
+ #endif
+ }
+
++/* crypto backend running in FIPS mode */
++bool crypt_fips_mode(void);
++
+ #endif /* _CRYPTO_BACKEND_H */
+Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_gcrypt.c
+===================================================================
+--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_gcrypt.c
++++ cryptsetup-2.3.7/lib/crypto_backend/crypto_gcrypt.c
+@@ -550,3 +550,20 @@ out:
+ return -ENOTSUP;
+ #endif
+ }
++
++#if !ENABLE_FIPS
++bool crypt_fips_mode(void) { return false; }
++#else
++bool crypt_fips_mode(void)
++{
++ static bool fips_mode = false, fips_checked = false;
++
++ if (fips_checked)
++ return fips_mode;
++
++ fips_mode = gcry_fips_mode_active();
++ fips_checked = true;
++
++ return fips_mode;
++}
++#endif /* ENABLE FIPS */
+Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_kernel.c
+===================================================================
+--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_kernel.c
++++ cryptsetup-2.3.7/lib/crypto_backend/crypto_kernel.c
+@@ -416,3 +416,8 @@ int crypt_bitlk_decrypt_key(const void *
+ return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
+ iv, iv_length, tag, tag_length);
+ }
++
++bool crypt_fips_mode(void)
++{
++ return false;
++}
+Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_nettle.c
+===================================================================
+--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_nettle.c
++++ cryptsetup-2.3.7/lib/crypto_backend/crypto_nettle.c
+@@ -442,3 +442,8 @@ int crypt_bitlk_decrypt_key(const void *
+ return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
+ iv, iv_length, tag, tag_length);
+ }
++
++bool crypt_fips_mode(void)
++{
++ return false;
++}
+Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_nss.c
+===================================================================
+--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_nss.c
++++ cryptsetup-2.3.7/lib/crypto_backend/crypto_nss.c
+@@ -395,3 +395,8 @@ int crypt_bitlk_decrypt_key(const void *
+ return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
+ iv, iv_length, tag, tag_length);
+ }
++
++bool crypt_fips_mode(void)
++{
++ return false;
++}
+Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_openssl.c
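Review bot: The gcrypt `crypt_fips_mode()` freezes `gcry_fips_mode_active()` into a static on the first call, so whatever the library reports at that moment is returned for the rest of the process; I cannot see from this patch where the first call happens, and if it can precede `crypt_backend_init()` (which is where a gcrypt backend normally initialises the library) the cached answer may not reflect the mode the backend later runs in. `gcry_fips_mode_active()` is a cheap `gcry_control` query, so the cache buys little; either drop it, `bool crypt_fips_mode(void) { return gcry_fips_mode_active(); }`, or document the ordering assumption above the function, e.g. `/* Result is cached on first call; callers must not query before crypt_backend_init() */`. Note also the closing comment reads `ENABLE FIPS` where the guard is `ENABLE_FIPS`.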
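Review bot: The kernel backend's `crypt_fips_mode()` returns `false` unconditionally, with no `ENABLE_FIPS` branch, so a FIPS-enabled build using the kernel crypto API silently reports non-FIPS and loses the `/proc/sys/crypto/fips_enabled` check that the deleted `lib/utils_fips.c` performed; for this backend the kernel flag is the only meaningful authority, since the kernel is the crypto provider. I would keep the sysctl read under `ENABLE_FIPS` as below (it needs the `fcntl.h`, `unistd.h` and `errno.h` includes the removed file had, if this unit does not already include them). The nettle and nss stubs have the same shape; for NSS, if the build exposes `PK11_IsFIPS()`, that would be the analogous backend-native query rather than a hard-coded `false`.

```c
bool crypt_fips_mode(void)
{
#if ENABLE_FIPS
	/* Kernel crypto API is the provider here, so the kernel flag is authoritative. */
	int fd;
	char buf[1] = "";

	if ((fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY)) >= 0) {
		while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
		close(fd);
	}

	return buf[0] == '1';
#else
	return false;
#endif
}
```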
+===================================================================
+--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_openssl.c
++++ cryptsetup-2.3.7/lib/crypto_backend/crypto_openssl.c
+@@ -574,3 +574,29 @@ out:
+ return -ENOTSUP;
+ #endif
+ }
++
++#if !ENABLE_FIPS
++bool crypt_fips_mode(void) { return false; }
++#else
++static bool openssl_fips_mode(void)
++{
++#if OPENSSL_VERSION_MAJOR >= 3
++ return EVP_default_properties_is_fips_enabled(NULL);
++#else
++ return FIPS_mode();
++#endif
++}
++
++bool crypt_fips_mode(void)
++{
++ static bool fips_mode = false, fips_checked = false;
++
++ if (fips_checked)
++ return fips_mode;
++
++ fips_mode = openssl_fips_mode();
++ fips_checked = true;
++
++ return fips_mode;
++}
++#endif /* ENABLE FIPS */
+Index: cryptsetup-2.3.7/lib/internal.h
+===================================================================
+--- cryptsetup-2.3.7.orig/lib/internal.h
++++ cryptsetup-2.3.7/lib/internal.h
+@@ -38,7 +38,6 @@
+ #include "utils_crypt.h"
+ #include "utils_loop.h"
+ #include "utils_dm.h"
+-#include "utils_fips.h"
+ #include "utils_keyring.h"
+ #include "utils_io.h"
+ #include "crypto_backend.h"
+Index: cryptsetup-2.3.7/po/POTFILES.in
+===================================================================
+--- cryptsetup-2.3.7.orig/po/POTFILES.in
++++ cryptsetup-2.3.7/po/POTFILES.in
+@@ -6,7 +6,6 @@ lib/volumekey.c
+ lib/crypt_plain.c
+ lib/utils_crypt.c
+ lib/utils_loop.c
+-lib/utils_fips.c
+ lib/utils_device.c
+ lib/utils_devpath.c
+ lib/utils_pbkdf.c
+Index: cryptsetup-2.3.7/src/cryptsetup.h
+===================================================================
+--- cryptsetup-2.3.7.orig/src/cryptsetup.h
++++ cryptsetup-2.3.7/src/cryptsetup.h
+@@ -43,7 +43,6 @@
+ #include "lib/nls.h"
+ #include "lib/utils_crypt.h"
+ #include "lib/utils_loop.h"
+-#include "lib/utils_fips.h"
+ #include "lib/utils_io.h"
+ #include "lib/utils_blkid.h"
+
+Index: cryptsetup-2.3.7/tests/compat-test
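Review bot: On OpenSSL 3 the new `openssl_fips_mode()` answers with `EVP_default_properties_is_fips_enabled(NULL)`, which only says whether the global default property query currently carries `fips=yes`; it does not confirm that a FIPS provider is loaded or usable, and it says nothing about the kernel's `/proc/sys/crypto/fips_enabled`, which the deleted `utils_fips.c` used to consult and which still governs the dm-crypt data path. Because `crypt_fips_mode()` then caches that answer in function-local statics, an embedding application that calls `EVP_default_properties_enable_fips()` after the first query is never seen, and a host whose kernel is in FIPS mode but whose OpenSSL configuration does not set `fips=yes` is reported as non-FIPS. If the backend fetches its algorithms through a library context of its own rather than the default one, the `NULL` query may also not describe the context actually in use; I cannot see that from this hunk. At minimum I would state the new semantics above the function, e.g. `/* Reports the crypto library's FIPS state (default property query on OpenSSL 3), not the kernel flag; the result is cached on first call. */`, and the trailing comment should read `ENABLE_FIPS` to match the guard.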
+===================================================================
+--- cryptsetup-2.3.7.orig/tests/compat-test
++++ cryptsetup-2.3.7/tests/compat-test
+@@ -44,7 +44,7 @@ KEY_MATERIAL5_EXT="S331776-395264"
+ TEST_UUID="12345678-1234-1234-1234-123456789abc"
+
+ LOOPDEV=$(losetup -f 2>/dev/null)
+-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
++FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+
+ function remove_mapping()
+ {
+Index: cryptsetup-2.3.7/tests/compat-test2
+===================================================================
+--- cryptsetup-2.3.7.orig/tests/compat-test2
++++ cryptsetup-2.3.7/tests/compat-test2
+@@ -42,7 +42,7 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-f
+ TEST_UUID="12345678-1234-1234-1234-123456789abc"
+
+ LOOPDEV=$(losetup -f 2>/dev/null)
+-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
++FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+
+ function remove_mapping()
+ {
+Index: cryptsetup-2.3.7/tests/keyring-compat-test
+===================================================================
+--- cryptsetup-2.3.7.orig/tests/keyring-compat-test
++++ cryptsetup-2.3.7/tests/keyring-compat-test
+@@ -26,7 +26,7 @@ PWD="aaa"
+ [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
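Review bot: The test now derives `FIPS_MODE` solely from the kernel sysctl, while the library it exercises now decides FIPS mode by asking its crypto backend (see the `crypt_fips_mode()` changes in this same patch); on a host with `fips_enabled=1` but a backend not configured for FIPS, or a build without `ENABLE_FIPS`, the test will expect FIPS-restricted behaviour that the binary no longer applies. The old `[ -f /etc/system-fips ]` guard at least tied the expectation to the distribution's userspace FIPS switch; dropping it widens the window for such mismatches. I would document the assumption next to the assignment, e.g. `# FIPS_MODE follows the kernel flag; libcryptsetup decides via its crypto backend, and these tests assume the two agree`, or make the expectation conditional on the binary actually reporting FIPS mode if it exposes that. The same line is changed identically in compat-test2 below.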
+ CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
+
+-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
++FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+
+ function remove_mapping()
+ {
+Index: cryptsetup-2.3.7/tests/luks2-reencryption-test
+===================================================================
+--- cryptsetup-2.3.7.orig/tests/luks2-reencryption-test
++++ cryptsetup-2.3.7/tests/luks2-reencryption-test
+@@ -24,7 +24,7 @@ PWD1="93R4P4pIqAH8"
+ PWD2="1cND4319812f"
+ PWD3="1-9Qu5Ejfnqv"
+
+-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
++FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+
+ function dm_crypt_features()
+ {
+Index: cryptsetup-2.3.7/lib/utils_fips.c
+===================================================================
+--- cryptsetup-2.3.7.orig/lib/utils_fips.c
++++ cryptsetup-2.3.7/lib/utils_fips.c
+@@ -1,46 +1 @@
+-/*
+- * FIPS mode utilities
+- *
+- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
+- *
+- * This program is free software; you can redistribute it and/or
+- * modify it under the terms of the GNU General Public License
+- * as published by the Free Software Foundation; either version 2
+- * of the License, or (at your option) any later version.
+- *
+- * This program is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+- * GNU General Public License for more details.
+- *
+- * You should have received a copy of the GNU General Public License
+- * along with this program; if not, write to the Free Software
+- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+- */
+-
+-#include
+-#include
+-#include
+-#include "utils_fips.h"
+-
+-#if !ENABLE_FIPS
+-int crypt_fips_mode(void) { return 0; }
+-#else
+-static int kernel_fips_mode(void)
+-{
+- int fd;
+- char buf[1] = "";
+-
+- if ((fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY)) >= 0) {
+- while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
+- close(fd);
+- }
+-
+- return (buf[0] == '1') ? 1 : 0;
+-}
+-
+-int crypt_fips_mode(void)
+-{
+- return kernel_fips_mode() && !access("/etc/system-fips", F_OK);
+-}
+-#endif /* ENABLE_FIPS */
++/* keep an empty file to avoid running autogen.sh */
+Index: cryptsetup-2.3.7/lib/utils_fips.h
+===================================================================
+--- cryptsetup-2.3.7.orig/lib/utils_fips.h
++++ cryptsetup-2.3.7/lib/utils_fips.h
+@@ -1,26 +1 @@
+-/*
+- * FIPS mode utilities
+- *
+- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
+- *
+- * This program is free software; you can redistribute it and/or
+- * modify it under the terms of the GNU General Public License
+- * as published by the Free Software Foundation; either version 2
+- * of the License, or (at your option) any later version.
+- *
+- * This program is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+- * GNU General Public License for more details.
+- *
+- * You should have received a copy of the GNU General Public License
+- * along with this program; if not, write to the Free Software
+- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+- */
+-
+-#ifndef _UTILS_FIPS_H
+-#define _UTILS_FIPS_H
+-
+-int crypt_fips_mode(void);
+-
+-#endif /* _UTILS_FIPS_H */
++/* keep an empty file to avoid running autogen.sh */
diff --git a/cryptsetup.spec b/cryptsetup.spec
index 1f790e7..3d7dda7 100644
--- a/cryptsetup.spec
+++ b/cryptsetup.spec
@@ -34,7 +34,8 @@ Patch9: %{name}-2.6.0-Move-cipher_dm2c-to-crypto-utilities.patch Patch10: %{name}-2.6.0-Code-cleanup.patch Patch11: %{name}-2.6.0-Copy-also-integrity-string-in-legacy-mode.patch Patch12: %{name}-2.6.0-Fix-internal-crypt-segment-compare-routine.patch -Patch13: %{name}-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch +Patch13: %{name}-2.6.0-Delegate-FIPS-mode-detection-to-configured-crypto-ba.patch +Patch14: %{name}-2.6.1-Abort-encryption-when-header-and-data-devices-are-sa.patch %description The cryptsetup package contains a utility for setting up @@ -103,6 +104,7 @@ can be used for offline reencryption of disk in situ. %patch11 -p1 %patch12 -p1 %patch13 -p1 +%patch14 -p1 %patch0 -p1 chmod -x misc/dracut_90reencrypt/*