From 75e45462f097a9a75747b3f44d7672f2547e63e9 Mon Sep 17 00:00:00 2001

From: Milan Broz <gmazyland@gmail.com>

Date: Tue, 14 Sep 2021 09:56:05 +0200

Subject: [PATCH 04/11] Cache FIPS mode check.

We do not support switch while the crypto backend is already initialized,

so it does not make sense to check repeatedly for the FIPS mode status.

---

 lib/utils_fips.c | 11 ++++++++++-

 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/lib/utils_fips.c b/lib/utils_fips.c

index 0c2b6434..640ff0e3 100644

--- a/lib/utils_fips.c

+++ b/lib/utils_fips.c

@@ -26,6 +26,9 @@

 #if !ENABLE_FIPS

 bool crypt_fips_mode(void) { return false; }

 #else

+static bool fips_checked = false;

+static bool fips_mode = false;

+

 static bool kernel_fips_mode(void)

 {

 	int fd;

@@ -41,6 +44,12 @@ static bool kernel_fips_mode(void)

 bool crypt_fips_mode(void)

 {

-	return kernel_fips_mode() && !access("/etc/system-fips", F_OK);

+	if (fips_checked)

+		return fips_mode;

+

+	fips_mode = kernel_fips_mode() && !access("/etc/system-fips", F_OK);

+	fips_checked = true;

+

+	return fips_mode;

 }

 #endif /* ENABLE_FIPS */

-- 

2.27.0