317 lines
10 KiB
Diff
317 lines
10 KiB
Diff
From 5b001b7962744b1bdaeb60b7c8cb9c682f907e03 Mon Sep 17 00:00:00 2001
|
|
From: Ondrej Kozina <okozina@redhat.com>
|
|
Date: Tue, 28 Jun 2022 16:23:34 +0200
|
|
Subject: [PATCH] Delegate FIPS mode detection to configured crypto backend.
|
|
|
|
System FIPS mode check is no longer dependent on /etc/system-fips
|
|
file. The change should be compatible with older distributions since
|
|
we now depend on crypto backend internal routine.
|
|
|
|
This commit affects only FIPS enabled systems (with FIPS enabled
|
|
builds). In case this causes any regression in current distributions
|
|
feel free to drop the patch.
|
|
|
|
For reference see https://bugzilla.redhat.com/show_bug.cgi?id=2080516
|
|
---
|
|
lib/crypto_backend/crypto_backend.h | 3 ++
|
|
lib/crypto_backend/crypto_gcrypt.c | 17 +++++++++
|
|
lib/crypto_backend/crypto_kernel.c | 5 +++
|
|
lib/crypto_backend/crypto_nettle.c | 5 +++
|
|
lib/crypto_backend/crypto_nss.c | 5 +++
|
|
lib/crypto_backend/crypto_openssl.c | 26 ++++++++++++++
|
|
lib/internal.h | 1 -
|
|
lib/utils_fips.c | 55 -----------------------------
|
|
lib/utils_fips.h | 28 ---------------
|
|
po/POTFILES.in | 1 -
|
|
src/cryptsetup.h | 1 -
|
|
tests/compat-test | 2 +-
|
|
tests/compat-test2 | 2 +-
|
|
tests/keyring-compat-test | 2 +-
|
|
tests/luks2-reencryption-test | 2 +-
|
|
16 files changed, 65 insertions(+), 92 deletions(-)
|
|
delete mode 100644 lib/utils_fips.c
|
|
delete mode 100644 lib/utils_fips.h
|
|
|
|
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_backend.h
|
|
===================================================================
|
|
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_backend.h
|
|
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_backend.h
|
|
@@ -135,4 +135,7 @@ static inline void crypt_backend_memzero
|
|
#endif
|
|
}
|
|
|
|
+/* crypto backend running in FIPS mode */
|
|
+bool crypt_fips_mode(void);
|
|
+
|
|
#endif /* _CRYPTO_BACKEND_H */
|
|
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_gcrypt.c
|
|
===================================================================
|
|
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_gcrypt.c
|
|
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_gcrypt.c
|
|
@@ -550,3 +550,20 @@ out:
|
|
return -ENOTSUP;
|
|
#endif
|
|
}
|
|
+
|
|
+#if !ENABLE_FIPS
|
|
+bool crypt_fips_mode(void) { return false; }
|
|
+#else
|
|
+bool crypt_fips_mode(void)
|
|
+{
|
|
+ static bool fips_mode = false, fips_checked = false;
|
|
+
|
|
+ if (fips_checked)
|
|
+ return fips_mode;
|
|
+
|
|
+ fips_mode = gcry_fips_mode_active();
|
|
+ fips_checked = true;
|
|
+
|
|
+ return fips_mode;
|
|
+}
|
|
+#endif /* ENABLE FIPS */
|
|
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_kernel.c
|
|
===================================================================
|
|
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_kernel.c
|
|
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_kernel.c
|
|
@@ -416,3 +416,8 @@ int crypt_bitlk_decrypt_key(const void *
|
|
return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
|
|
iv, iv_length, tag, tag_length);
|
|
}
|
|
+
|
|
+bool crypt_fips_mode(void)
|
|
+{
|
|
+ return false;
|
|
+}
|
|
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_nettle.c
|
|
===================================================================
|
|
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_nettle.c
|
|
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_nettle.c
|
|
@@ -442,3 +442,8 @@ int crypt_bitlk_decrypt_key(const void *
|
|
return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
|
|
iv, iv_length, tag, tag_length);
|
|
}
|
|
+
|
|
+bool crypt_fips_mode(void)
|
|
+{
|
|
+ return false;
|
|
+}
|
|
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_nss.c
|
|
===================================================================
|
|
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_nss.c
|
|
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_nss.c
|
|
@@ -395,3 +395,8 @@ int crypt_bitlk_decrypt_key(const void *
|
|
return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
|
|
iv, iv_length, tag, tag_length);
|
|
}
|
|
+
|
|
+bool crypt_fips_mode(void)
|
|
+{
|
|
+ return false;
|
|
+}
|
|
Index: cryptsetup-2.3.7/lib/crypto_backend/crypto_openssl.c
|
|
===================================================================
|
|
--- cryptsetup-2.3.7.orig/lib/crypto_backend/crypto_openssl.c
|
|
+++ cryptsetup-2.3.7/lib/crypto_backend/crypto_openssl.c
|
|
@@ -574,3 +574,29 @@ out:
|
|
return -ENOTSUP;
|
|
#endif
|
|
}
|
|
+
|
|
+#if !ENABLE_FIPS
|
|
+bool crypt_fips_mode(void) { return false; }
|
|
+#else
|
|
+static bool openssl_fips_mode(void)
|
|
+{
|
|
+#if OPENSSL_VERSION_MAJOR >= 3
|
|
+ return EVP_default_properties_is_fips_enabled(NULL);
|
|
+#else
|
|
+ return FIPS_mode();
|
|
+#endif
|
|
+}
|
|
+
|
|
+bool crypt_fips_mode(void)
|
|
+{
|
|
+ static bool fips_mode = false, fips_checked = false;
|
|
+
|
|
+ if (fips_checked)
|
|
+ return fips_mode;
|
|
+
|
|
+ fips_mode = openssl_fips_mode();
|
|
+ fips_checked = true;
|
|
+
|
|
+ return fips_mode;
|
|
+}
|
|
+#endif /* ENABLE FIPS */
|
|
Index: cryptsetup-2.3.7/lib/internal.h
|
|
===================================================================
|
|
--- cryptsetup-2.3.7.orig/lib/internal.h
|
|
+++ cryptsetup-2.3.7/lib/internal.h
|
|
@@ -38,7 +38,6 @@
|
|
#include "utils_crypt.h"
|
|
#include "utils_loop.h"
|
|
#include "utils_dm.h"
|
|
-#include "utils_fips.h"
|
|
#include "utils_keyring.h"
|
|
#include "utils_io.h"
|
|
#include "crypto_backend.h"
|
|
Index: cryptsetup-2.3.7/po/POTFILES.in
|
|
===================================================================
|
|
--- cryptsetup-2.3.7.orig/po/POTFILES.in
|
|
+++ cryptsetup-2.3.7/po/POTFILES.in
|
|
@@ -6,7 +6,6 @@ lib/volumekey.c
|
|
lib/crypt_plain.c
|
|
lib/utils_crypt.c
|
|
lib/utils_loop.c
|
|
-lib/utils_fips.c
|
|
lib/utils_device.c
|
|
lib/utils_devpath.c
|
|
lib/utils_pbkdf.c
|
|
Index: cryptsetup-2.3.7/src/cryptsetup.h
|
|
===================================================================
|
|
--- cryptsetup-2.3.7.orig/src/cryptsetup.h
|
|
+++ cryptsetup-2.3.7/src/cryptsetup.h
|
|
@@ -43,7 +43,6 @@
|
|
#include "lib/nls.h"
|
|
#include "lib/utils_crypt.h"
|
|
#include "lib/utils_loop.h"
|
|
-#include "lib/utils_fips.h"
|
|
#include "lib/utils_io.h"
|
|
#include "lib/utils_blkid.h"
|
|
|
|
Index: cryptsetup-2.3.7/tests/compat-test
|
|
===================================================================
|
|
--- cryptsetup-2.3.7.orig/tests/compat-test
|
|
+++ cryptsetup-2.3.7/tests/compat-test
|
|
@@ -44,7 +44,7 @@ KEY_MATERIAL5_EXT="S331776-395264"
|
|
TEST_UUID="12345678-1234-1234-1234-123456789abc"
|
|
|
|
LOOPDEV=$(losetup -f 2>/dev/null)
|
|
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
|
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
|
|
|
function remove_mapping()
|
|
{
|
|
Index: cryptsetup-2.3.7/tests/compat-test2
|
|
===================================================================
|
|
--- cryptsetup-2.3.7.orig/tests/compat-test2
|
|
+++ cryptsetup-2.3.7/tests/compat-test2
|
|
@@ -42,7 +42,7 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-f
|
|
TEST_UUID="12345678-1234-1234-1234-123456789abc"
|
|
|
|
LOOPDEV=$(losetup -f 2>/dev/null)
|
|
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
|
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
|
|
|
function remove_mapping()
|
|
{
|
|
Index: cryptsetup-2.3.7/tests/keyring-compat-test
|
|
===================================================================
|
|
--- cryptsetup-2.3.7.orig/tests/keyring-compat-test
|
|
+++ cryptsetup-2.3.7/tests/keyring-compat-test
|
|
@@ -26,7 +26,7 @@ PWD="aaa"
|
|
[ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
|
|
CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
|
|
|
|
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
|
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
|
|
|
function remove_mapping()
|
|
{
|
|
Index: cryptsetup-2.3.7/tests/luks2-reencryption-test
|
|
===================================================================
|
|
--- cryptsetup-2.3.7.orig/tests/luks2-reencryption-test
|
|
+++ cryptsetup-2.3.7/tests/luks2-reencryption-test
|
|
@@ -24,7 +24,7 @@ PWD1="93R4P4pIqAH8"
|
|
PWD2="1cND4319812f"
|
|
PWD3="1-9Qu5Ejfnqv"
|
|
|
|
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
|
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
|
|
|
|
function dm_crypt_features()
|
|
{
|
|
Index: cryptsetup-2.3.7/lib/utils_fips.c
|
|
===================================================================
|
|
--- cryptsetup-2.3.7.orig/lib/utils_fips.c
|
|
+++ cryptsetup-2.3.7/lib/utils_fips.c
|
|
@@ -1,46 +1 @@
|
|
-/*
|
|
- * FIPS mode utilities
|
|
- *
|
|
- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
|
|
- *
|
|
- * This program is free software; you can redistribute it and/or
|
|
- * modify it under the terms of the GNU General Public License
|
|
- * as published by the Free Software Foundation; either version 2
|
|
- * of the License, or (at your option) any later version.
|
|
- *
|
|
- * This program is distributed in the hope that it will be useful,
|
|
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
- * GNU General Public License for more details.
|
|
- *
|
|
- * You should have received a copy of the GNU General Public License
|
|
- * along with this program; if not, write to the Free Software
|
|
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
- */
|
|
-
|
|
-#include <unistd.h>
|
|
-#include <fcntl.h>
|
|
-#include <errno.h>
|
|
-#include "utils_fips.h"
|
|
-
|
|
-#if !ENABLE_FIPS
|
|
-int crypt_fips_mode(void) { return 0; }
|
|
-#else
|
|
-static int kernel_fips_mode(void)
|
|
-{
|
|
- int fd;
|
|
- char buf[1] = "";
|
|
-
|
|
- if ((fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY)) >= 0) {
|
|
- while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
|
|
- close(fd);
|
|
- }
|
|
-
|
|
- return (buf[0] == '1') ? 1 : 0;
|
|
-}
|
|
-
|
|
-int crypt_fips_mode(void)
|
|
-{
|
|
- return kernel_fips_mode() && !access("/etc/system-fips", F_OK);
|
|
-}
|
|
-#endif /* ENABLE_FIPS */
|
|
+/* keep an empty file to avoid running autogen.sh */
|
|
Index: cryptsetup-2.3.7/lib/utils_fips.h
|
|
===================================================================
|
|
--- cryptsetup-2.3.7.orig/lib/utils_fips.h
|
|
+++ cryptsetup-2.3.7/lib/utils_fips.h
|
|
@@ -1,26 +1 @@
|
|
-/*
|
|
- * FIPS mode utilities
|
|
- *
|
|
- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
|
|
- *
|
|
- * This program is free software; you can redistribute it and/or
|
|
- * modify it under the terms of the GNU General Public License
|
|
- * as published by the Free Software Foundation; either version 2
|
|
- * of the License, or (at your option) any later version.
|
|
- *
|
|
- * This program is distributed in the hope that it will be useful,
|
|
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
- * GNU General Public License for more details.
|
|
- *
|
|
- * You should have received a copy of the GNU General Public License
|
|
- * along with this program; if not, write to the Free Software
|
|
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
- */
|
|
-
|
|
-#ifndef _UTILS_FIPS_H
|
|
-#define _UTILS_FIPS_H
|
|
-
|
|
-int crypt_fips_mode(void);
|
|
-
|
|
-#endif /* _UTILS_FIPS_H */
|
|
+/* keep an empty file to avoid running autogen.sh */
|