From 01b2be2b72bc5509e8155982b9dae0bc5914b6c9 Mon Sep 17 00:00:00 2001

From: Ondrej Kozina <okozina@redhat.com>

Date: Thu, 30 Oct 2014 15:21:31 +0100

Subject: [PATCH 1/2] libcryptsetup: drop FIPS power on self test

- cryptsetup library is not required to be FIPS certified anymore

  due to fact gcrypt PBKDF2 algorithm can be used instead of

  cryptsetup internal one.

- check in library constructor is no longer needed and therefore

  removed.

- all other checks regarding MK extraction or random generator

  restrictions remain the same

---

 lib/setup.c      |  5 -----

 lib/utils_fips.c | 23 +----------------------

 lib/utils_fips.h |  5 +----

 3 files changed, 2 insertions(+), 31 deletions(-)

diff --git a/lib/setup.c b/lib/setup.c

index 8261445..0ca9e11 100644

--- a/lib/setup.c

+++ b/lib/setup.c

@@ -2690,8 +2690,3 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name,

 	return 0;

 }

-

-static void __attribute__((constructor)) libcryptsetup_ctor(void)

-{

-	crypt_fips_libcryptsetup_check();

-}

diff --git a/lib/utils_fips.c b/lib/utils_fips.c

index 9a3caae..1e284f6 100644

--- a/lib/utils_fips.c

+++ b/lib/utils_fips.c

@@ -1,7 +1,7 @@

 /*

  * FIPS mode utilities

  *

- * Copyright (C) 2011-2013, Red Hat, Inc. All rights reserved.

+ * Copyright (C) 2011-2014, Red Hat, Inc. All rights reserved.

  *

  * This program is free software; you can redistribute it and/or

  * modify it under the terms of the GNU General Public License

@@ -18,15 +18,11 @@

  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

  */

-#include <stdlib.h>

-#include <stdio.h>

 #include <unistd.h>

-#include "nls.h"

 #include "utils_fips.h"

 #if !ENABLE_FIPS

 int crypt_fips_mode(void) { return 0; }

-void crypt_fips_libcryptsetup_check(void) {}

 #else

 #include <fipscheck.h>

@@ -34,21 +30,4 @@ int crypt_fips_mode(void)

 {

 	return FIPSCHECK_kernel_fips_mode() && !access(FIPS_MODULE_FILE, F_OK);

 }

-

-static void crypt_fips_verify(const char *name, const char *function)

-{

-	if (access(FIPS_MODULE_FILE, F_OK))

-		return;

-

-	if (!FIPSCHECK_verify(name, function)) {

-		fputs(_("FIPS checksum verification failed.\n"), stderr);

-		if (FIPSCHECK_kernel_fips_mode())

-			_exit(EXIT_FAILURE);

-	}

-}

-

-void crypt_fips_libcryptsetup_check(void)

-{

-	crypt_fips_verify(LIBCRYPTSETUP_VERSION_FIPS, "crypt_init");

-}

 #endif /* ENABLE_FIPS */

diff --git a/lib/utils_fips.h b/lib/utils_fips.h

index 59f2339..fc430bd 100644

--- a/lib/utils_fips.h

+++ b/lib/utils_fips.h

@@ -1,7 +1,7 @@

 /*

  * FIPS mode utilities

  *

- * Copyright (C) 2011-2013, Red Hat, Inc. All rights reserved.

+ * Copyright (C) 2011-2014, Red Hat, Inc. All rights reserved.

  *

  * This program is free software; you can redistribute it and/or

  * modify it under the terms of the GNU General Public License

@@ -21,9 +21,6 @@

 #ifndef _UTILS_FIPS_H

 #define _UTILS_FIPS_H

-struct crypt_device;

-

 int crypt_fips_mode(void);

-void crypt_fips_libcryptsetup_check(void);

 #endif /* _UTILS_FIPS_H */

-- 

1.9.3