|
|
4f8adc |
From 01b2be2b72bc5509e8155982b9dae0bc5914b6c9 Mon Sep 17 00:00:00 2001
|
|
|
4f8adc |
From: Ondrej Kozina <okozina@redhat.com>
|
|
|
4f8adc |
Date: Thu, 30 Oct 2014 15:21:31 +0100
|
|
|
4f8adc |
Subject: [PATCH 1/2] libcryptsetup: drop FIPS power on self test
|
|
|
4f8adc |
|
|
|
4f8adc |
- cryptsetup library is not required to be FIPS certified anymore
|
|
|
4f8adc |
due to fact gcrypt PBKDF2 algorithm can be used instead of
|
|
|
4f8adc |
cryptsetup internal one.
|
|
|
4f8adc |
|
|
|
4f8adc |
- check in library constructor is no longer needed and therefore
|
|
|
4f8adc |
removed.
|
|
|
4f8adc |
|
|
|
4f8adc |
- all other checks regarding MK extraction or random generator
|
|
|
4f8adc |
restrictions remain the same
|
|
|
4f8adc |
---
|
|
|
4f8adc |
lib/setup.c | 5 -----
|
|
|
4f8adc |
lib/utils_fips.c | 23 +----------------------
|
|
|
4f8adc |
lib/utils_fips.h | 5 +----
|
|
|
4f8adc |
3 files changed, 2 insertions(+), 31 deletions(-)
|
|
|
4f8adc |
|
|
|
4f8adc |
diff --git a/lib/setup.c b/lib/setup.c
|
|
|
4f8adc |
index 8261445..0ca9e11 100644
|
|
|
4f8adc |
--- a/lib/setup.c
|
|
|
4f8adc |
+++ b/lib/setup.c
|
|
|
4f8adc |
@@ -2690,8 +2690,3 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name,
|
|
|
4f8adc |
|
|
|
4f8adc |
return 0;
|
|
|
4f8adc |
}
|
|
|
4f8adc |
-
|
|
|
4f8adc |
-static void __attribute__((constructor)) libcryptsetup_ctor(void)
|
|
|
4f8adc |
-{
|
|
|
4f8adc |
- crypt_fips_libcryptsetup_check();
|
|
|
4f8adc |
-}
|
|
|
4f8adc |
diff --git a/lib/utils_fips.c b/lib/utils_fips.c
|
|
|
4f8adc |
index 9a3caae..1e284f6 100644
|
|
|
4f8adc |
--- a/lib/utils_fips.c
|
|
|
4f8adc |
+++ b/lib/utils_fips.c
|
|
|
4f8adc |
@@ -1,7 +1,7 @@
|
|
|
4f8adc |
/*
|
|
|
4f8adc |
* FIPS mode utilities
|
|
|
4f8adc |
*
|
|
|
4f8adc |
- * Copyright (C) 2011-2013, Red Hat, Inc. All rights reserved.
|
|
|
4f8adc |
+ * Copyright (C) 2011-2014, Red Hat, Inc. All rights reserved.
|
|
|
4f8adc |
*
|
|
|
4f8adc |
* This program is free software; you can redistribute it and/or
|
|
|
4f8adc |
* modify it under the terms of the GNU General Public License
|
|
|
4f8adc |
@@ -18,15 +18,11 @@
|
|
|
4f8adc |
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
|
4f8adc |
*/
|
|
|
4f8adc |
|
|
|
4f8adc |
-#include <stdlib.h>
|
|
|
4f8adc |
-#include <stdio.h>
|
|
|
4f8adc |
#include <unistd.h>
|
|
|
4f8adc |
-#include "nls.h"
|
|
|
4f8adc |
#include "utils_fips.h"
|
|
|
4f8adc |
|
|
|
4f8adc |
#if !ENABLE_FIPS
|
|
|
4f8adc |
int crypt_fips_mode(void) { return 0; }
|
|
|
4f8adc |
-void crypt_fips_libcryptsetup_check(void) {}
|
|
|
4f8adc |
#else
|
|
|
4f8adc |
#include <fipscheck.h>
|
|
|
4f8adc |
|
|
|
4f8adc |
@@ -34,21 +30,4 @@ int crypt_fips_mode(void)
|
|
|
4f8adc |
{
|
|
|
4f8adc |
return FIPSCHECK_kernel_fips_mode() && !access(FIPS_MODULE_FILE, F_OK);
|
|
|
4f8adc |
}
|
|
|
4f8adc |
-
|
|
|
4f8adc |
-static void crypt_fips_verify(const char *name, const char *function)
|
|
|
4f8adc |
-{
|
|
|
4f8adc |
- if (access(FIPS_MODULE_FILE, F_OK))
|
|
|
4f8adc |
- return;
|
|
|
4f8adc |
-
|
|
|
4f8adc |
- if (!FIPSCHECK_verify(name, function)) {
|
|
|
4f8adc |
- fputs(_("FIPS checksum verification failed.\n"), stderr);
|
|
|
4f8adc |
- if (FIPSCHECK_kernel_fips_mode())
|
|
|
4f8adc |
- _exit(EXIT_FAILURE);
|
|
|
4f8adc |
- }
|
|
|
4f8adc |
-}
|
|
|
4f8adc |
-
|
|
|
4f8adc |
-void crypt_fips_libcryptsetup_check(void)
|
|
|
4f8adc |
-{
|
|
|
4f8adc |
- crypt_fips_verify(LIBCRYPTSETUP_VERSION_FIPS, "crypt_init");
|
|
|
4f8adc |
-}
|
|
|
4f8adc |
#endif /* ENABLE_FIPS */
|
|
|
4f8adc |
diff --git a/lib/utils_fips.h b/lib/utils_fips.h
|
|
|
4f8adc |
index 59f2339..fc430bd 100644
|
|
|
4f8adc |
--- a/lib/utils_fips.h
|
|
|
4f8adc |
+++ b/lib/utils_fips.h
|
|
|
4f8adc |
@@ -1,7 +1,7 @@
|
|
|
4f8adc |
/*
|
|
|
4f8adc |
* FIPS mode utilities
|
|
|
4f8adc |
*
|
|
|
4f8adc |
- * Copyright (C) 2011-2013, Red Hat, Inc. All rights reserved.
|
|
|
4f8adc |
+ * Copyright (C) 2011-2014, Red Hat, Inc. All rights reserved.
|
|
|
4f8adc |
*
|
|
|
4f8adc |
* This program is free software; you can redistribute it and/or
|
|
|
4f8adc |
* modify it under the terms of the GNU General Public License
|
|
|
4f8adc |
@@ -21,9 +21,6 @@
|
|
|
4f8adc |
#ifndef _UTILS_FIPS_H
|
|
|
4f8adc |
#define _UTILS_FIPS_H
|
|
|
4f8adc |
|
|
|
4f8adc |
-struct crypt_device;
|
|
|
4f8adc |
-
|
|
|
4f8adc |
int crypt_fips_mode(void);
|
|
|
4f8adc |
-void crypt_fips_libcryptsetup_check(void);
|
|
|
4f8adc |
|
|
|
4f8adc |
#endif /* _UTILS_FIPS_H */
|
|
|
4f8adc |
--
|
|
|
4f8adc |
1.9.3
|
|
|
4f8adc |
|