diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_backend.h cryptsetup-2.4.3/lib/crypto_backend/crypto_backend.h
--- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_backend.h	2022-01-13 10:14:51.000000000 +0100
+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_backend.h	2022-08-10 17:04:13.727162964 +0200
@@ -134,5 +134,8 @@ static inline void crypt_backend_memzero
 	while(n--) *p++ = 0;
 #endif
 }
+ 
+/* crypto backend running in FIPS mode */
+bool crypt_fips_mode(void);
 
 #endif /* _CRYPTO_BACKEND_H */
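Review bot: The comment on the new `crypt_fips_mode()` declaration does not say whose FIPS state is reported. That matters because the implementation deleted later in this patch (lib/utils_fips.c) answered from the kernel flag and /etc/system-fips, while the replacements ask the crypto library. I would spell it out, e.g. `/* true if the linked crypto library reports FIPS mode; cached after the first call; backends without FIPS support return false */`. The declaration also needs `bool` to be visible in this header; the removed utils_fips.h included `<stdbool.h>` itself, and whether crypto_backend.h does is not visible in this hunk.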
diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_gcrypt.c cryptsetup-2.4.3/lib/crypto_backend/crypto_gcrypt.c
--- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_gcrypt.c	2022-01-13 10:14:51.000000000 +0100
+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_gcrypt.c	2022-08-10 17:06:28.163895662 +0200
@@ -550,3 +550,20 @@ out:
 	return -ENOTSUP;
 #endif
 }
+
+#if !ENABLE_FIPS
+bool crypt_fips_mode(void) { return false; }
+#else
+bool crypt_fips_mode(void)
+{
+	static bool fips_mode = false, fips_checked = false;
+
+	if (fips_checked)
+		return fips_mode;
+
+	fips_mode = gcry_fips_mode_active();
+	fips_checked = true;
+
+	return fips_mode;
+}
+#endif /* ENABLE FIPS */
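Review bot: The first call to `crypt_fips_mode()` freezes the answer in `fips_mode`/`fips_checked` for the life of the process, so a call made before the backend is initialised would cache whatever libgcrypt reports at that moment; the crypto_openssl.c hunk repeats the same pattern. Nothing in the hunk shows the call order, so it is worth confirming against the callers, and a comment such as `/* call only after the backend is initialised; result is cached */` would record the assumption. The two function-local statics are also written without synchronisation, which is formally a data race if the library is used from several threads, even though every writer stores the same value. Minor: the closing comment reads `ENABLE FIPS` where the macro is `ENABLE_FIPS`.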
diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_kernel.c cryptsetup-2.4.3/lib/crypto_backend/crypto_kernel.c
--- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_kernel.c	2022-01-13 10:14:51.000000000 +0100
+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_kernel.c	2022-08-10 17:07:06.720105794 +0200
@@ -416,3 +416,8 @@ int crypt_bitlk_decrypt_key(const void *
 	return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
 					      iv, iv_length, tag, tag_length);
 }
+
+bool crypt_fips_mode(void)
+{
+	return false;
+}
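Review bot: The `crypt_fips_mode()` added here returns `false` unconditionally, without the `#if !ENABLE_FIPS` split used in the gcrypt and OpenSSL hunks, and the crypto_nettle.c and crypto_nss.c hunks do the same. The deleted lib/utils_fips.c returned the kernel's fips_enabled state (together with /etc/system-fips) whenever ENABLE_FIPS was set, whatever the backend. A build with ENABLE_FIPS and one of these three backends would therefore now report non-FIPS on a FIPS-enabled host and skip whatever the callers gate on this function. Whether configure allows that combination is not visible here; if it does not, a compile-time guard keeps the stub from hiding it: `#if ENABLE_FIPS` / `#error "FIPS mode detection is not implemented for this backend"` / `#endif`.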
diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_nettle.c cryptsetup-2.4.3/lib/crypto_backend/crypto_nettle.c
--- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_nettle.c	2022-01-13 10:14:51.000000000 +0100
+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_nettle.c	2022-08-10 17:07:18.127167962 +0200
@@ -446,3 +446,8 @@ int crypt_bitlk_decrypt_key(const void *
 	return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
 					      iv, iv_length, tag, tag_length);
 }
+
+bool crypt_fips_mode(void)
+{
+	return false;
+}
diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_nss.c cryptsetup-2.4.3/lib/crypto_backend/crypto_nss.c
--- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_nss.c	2022-01-13 10:14:51.000000000 +0100
+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_nss.c	2022-08-10 17:07:24.547202954 +0200
@@ -395,3 +395,8 @@ int crypt_bitlk_decrypt_key(const void *
 	return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length,
 					      iv, iv_length, tag, tag_length);
 }
+
+bool crypt_fips_mode(void)
+{
+	return false;
+}
diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_openssl.c cryptsetup-2.4.3/lib/crypto_backend/crypto_openssl.c
--- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_openssl.c	2022-01-13 10:14:51.000000000 +0100
+++ cryptsetup-2.4.3/lib/crypto_backend/crypto_openssl.c	2022-08-10 17:05:51.483695770 +0200
@@ -809,3 +809,29 @@ out:
 	return -ENOTSUP;
 #endif
 }
+
+#if !ENABLE_FIPS
+bool crypt_fips_mode(void) { return false; }
+#else
+static bool openssl_fips_mode(void)
+{
+#if OPENSSL_VERSION_MAJOR >= 3
+	return EVP_default_properties_is_fips_enabled(NULL);
+#else
+	return FIPS_mode();
+#endif
+}
+
+bool crypt_fips_mode(void)
+{
+	static bool fips_mode = false, fips_checked = false;
+
+	if (fips_checked)
+		return fips_mode;
+
+	fips_mode = openssl_fips_mode();
+	fips_checked = true;
+
+	return fips_mode;
+}
+#endif /* ENABLE FIPS */
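Review bot: `openssl_fips_mode()` has no comment saying what is actually being asked of OpenSSL. On the 3.x branch `EVP_default_properties_is_fips_enabled(NULL)` reports whether the default properties of the default library context enable fips, which is narrower than "the FIPS provider is loaded"; the hunk does not show which context the rest of the backend uses. A short comment above the helper, e.g. `/* OpenSSL 3: fips enabled in the default properties of the default libctx; older: FIPS_mode() */`, would tell the next reader what a `true` result does and does not guarantee.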
diff -rupN cryptsetup-2.4.3.old/lib/internal.h cryptsetup-2.4.3/lib/internal.h
--- cryptsetup-2.4.3.old/lib/internal.h	2022-01-13 10:14:51.000000000 +0100
+++ cryptsetup-2.4.3/lib/internal.h	2022-08-10 17:03:00.348765820 +0200
@@ -38,7 +38,6 @@
 #include "utils_crypt.h"
 #include "utils_loop.h"
 #include "utils_dm.h"
-#include "utils_fips.h"
 #include "utils_keyring.h"
 #include "utils_io.h"
 #include "crypto_backend/crypto_backend.h"
diff -rupN cryptsetup-2.4.3.old/lib/Makemodule.am cryptsetup-2.4.3/lib/Makemodule.am
--- cryptsetup-2.4.3.old/lib/Makemodule.am	2022-01-13 10:14:51.000000000 +0100
+++ cryptsetup-2.4.3/lib/Makemodule.am	2022-08-10 17:03:00.342765787 +0200
@@ -54,8 +54,6 @@ libcryptsetup_la_SOURCES = \
 	lib/utils_loop.h		\
 	lib/utils_devpath.c		\
 	lib/utils_wipe.c		\
-	lib/utils_fips.c		\
-	lib/utils_fips.h		\
 	lib/utils_device.c		\
 	lib/utils_keyring.c		\
 	lib/utils_keyring.h		\
diff -rupN cryptsetup-2.4.3.old/lib/utils_fips.c cryptsetup-2.4.3/lib/utils_fips.c
--- cryptsetup-2.4.3.old/lib/utils_fips.c	2022-01-13 10:14:51.000000000 +0100
+++ cryptsetup-2.4.3/lib/utils_fips.c	1970-01-01 01:00:00.000000000 +0100
@@ -1,55 +0,0 @@
-/*
- * FIPS mode utilities
- *
- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include <unistd.h>
-#include <fcntl.h>
-#include <errno.h>
-#include "utils_fips.h"
-
-#if !ENABLE_FIPS
-bool crypt_fips_mode(void) { return false; }
-#else
-static bool fips_checked = false;
-static bool fips_mode = false;
-
-static bool kernel_fips_mode(void)
-{
-	int fd;
-	char buf[1] = "";
-
-	if ((fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY)) >= 0) {
-		while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
-		close(fd);
-	}
-
-	return (buf[0] == '1');
-}
-
-bool crypt_fips_mode(void)
-{
-	if (fips_checked)
-		return fips_mode;
-
-	fips_mode = kernel_fips_mode() && !access("/etc/system-fips", F_OK);
-	fips_checked = true;
-
-	return fips_mode;
-}
-#endif /* ENABLE_FIPS */
diff -rupN cryptsetup-2.4.3.old/lib/utils_fips.h cryptsetup-2.4.3/lib/utils_fips.h
--- cryptsetup-2.4.3.old/lib/utils_fips.h	2022-01-13 10:14:51.000000000 +0100
+++ cryptsetup-2.4.3/lib/utils_fips.h	1970-01-01 01:00:00.000000000 +0100
@@ -1,28 +0,0 @@
-/*
- * FIPS mode utilities
- *
- * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#ifndef _UTILS_FIPS_H
-#define _UTILS_FIPS_H
-
-#include <stdbool.h>
-
-bool crypt_fips_mode(void);
-
-#endif /* _UTILS_FIPS_H */
diff -rupN cryptsetup-2.4.3.old/Makefile.in cryptsetup-2.4.3/Makefile.in
--- cryptsetup-2.4.3.old/Makefile.in	2022-01-13 10:24:33.000000000 +0100
+++ cryptsetup-2.4.3/Makefile.in	2022-08-10 17:28:09.508914077 +0200
@@ -281,7 +281,6 @@ am_libcryptsetup_la_OBJECTS = lib/libcry
 	lib/libcryptsetup_la-utils_loop.lo \
 	lib/libcryptsetup_la-utils_devpath.lo \
 	lib/libcryptsetup_la-utils_wipe.lo \
-	lib/libcryptsetup_la-utils_fips.lo \
 	lib/libcryptsetup_la-utils_device.lo \
 	lib/libcryptsetup_la-utils_keyring.lo \
 	lib/libcryptsetup_la-utils_device_locking.lo \
@@ -547,7 +546,6 @@ am__depfiles_remade = lib/$(DEPDIR)/cryp
 	lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo \
 	lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo \
 	lib/$(DEPDIR)/libcryptsetup_la-utils_devpath.Plo \
-	lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo \
 	lib/$(DEPDIR)/libcryptsetup_la-utils_keyring.Plo \
 	lib/$(DEPDIR)/libcryptsetup_la-utils_loop.Plo \
 	lib/$(DEPDIR)/libcryptsetup_la-utils_pbkdf.Plo \
@@ -1036,8 +1034,6 @@ libcryptsetup_la_SOURCES = \
 	lib/utils_loop.h		\
 	lib/utils_devpath.c		\
 	lib/utils_wipe.c		\
-	lib/utils_fips.c		\
-	lib/utils_fips.h		\
 	lib/utils_device.c		\
 	lib/utils_keyring.c		\
 	lib/utils_keyring.h		\
@@ -1551,8 +1547,6 @@ lib/libcryptsetup_la-utils_devpath.lo: l
 	lib/$(DEPDIR)/$(am__dirstamp)
 lib/libcryptsetup_la-utils_wipe.lo: lib/$(am__dirstamp) \
 	lib/$(DEPDIR)/$(am__dirstamp)
-lib/libcryptsetup_la-utils_fips.lo: lib/$(am__dirstamp) \
-	lib/$(DEPDIR)/$(am__dirstamp)
 lib/libcryptsetup_la-utils_device.lo: lib/$(am__dirstamp) \
 	lib/$(DEPDIR)/$(am__dirstamp)
 lib/libcryptsetup_la-utils_keyring.lo: lib/$(am__dirstamp) \
@@ -1811,7 +1805,6 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_devpath.Plo@am__quote@ # am--include-marker
-@AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_keyring.Plo@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_loop.Plo@am__quote@ # am--include-marker
 @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_pbkdf.Plo@am__quote@ # am--include-marker
@@ -2105,13 +2098,6 @@ lib/libcryptsetup_la-utils_wipe.lo: lib/
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -c -o lib/libcryptsetup_la-utils_wipe.lo `test -f 'lib/utils_wipe.c' || echo '$(srcdir)/'`lib/utils_wipe.c
 
-lib/libcryptsetup_la-utils_fips.lo: lib/utils_fips.c
-@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -MT lib/libcryptsetup_la-utils_fips.lo -MD -MP -MF lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Tpo -c -o lib/libcryptsetup_la-utils_fips.lo `test -f 'lib/utils_fips.c' || echo '$(srcdir)/'`lib/utils_fips.c
-@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Tpo lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='lib/utils_fips.c' object='lib/libcryptsetup_la-utils_fips.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -c -o lib/libcryptsetup_la-utils_fips.lo `test -f 'lib/utils_fips.c' || echo '$(srcdir)/'`lib/utils_fips.c
-
 lib/libcryptsetup_la-utils_device.lo: lib/utils_device.c
 @am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -MT lib/libcryptsetup_la-utils_device.lo -MD -MP -MF lib/$(DEPDIR)/libcryptsetup_la-utils_device.Tpo -c -o lib/libcryptsetup_la-utils_device.lo `test -f 'lib/utils_device.c' || echo '$(srcdir)/'`lib/utils_device.c
 @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) lib/$(DEPDIR)/libcryptsetup_la-utils_device.Tpo lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo
@@ -2987,7 +2973,6 @@ distclean: distclean-recursive
 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo
 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo
 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_devpath.Plo
-	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo
 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_keyring.Plo
 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_loop.Plo
 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_pbkdf.Plo
@@ -3124,7 +3109,6 @@ maintainer-clean: maintainer-clean-recur
 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo
 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo
 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_devpath.Plo
-	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo
 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_keyring.Plo
 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_loop.Plo
 	-rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_pbkdf.Plo
diff -rupN cryptsetup-2.4.3.old/po/POTFILES.in cryptsetup-2.4.3/po/POTFILES.in
--- cryptsetup-2.4.3.old/po/POTFILES.in	2022-01-13 10:23:53.000000000 +0100
+++ cryptsetup-2.4.3/po/POTFILES.in	2022-08-10 17:03:30.306926994 +0200
@@ -6,7 +6,6 @@ lib/volumekey.c
 lib/crypt_plain.c
 lib/utils_crypt.c
 lib/utils_loop.c
-lib/utils_fips.c
 lib/utils_device.c
 lib/utils_devpath.c
 lib/utils_pbkdf.c
diff -rupN cryptsetup-2.4.3.old/src/cryptsetup.h cryptsetup-2.4.3/src/cryptsetup.h
--- cryptsetup-2.4.3.old/src/cryptsetup.h	2022-01-13 10:14:51.000000000 +0100
+++ cryptsetup-2.4.3/src/cryptsetup.h	2022-08-10 17:03:30.307926999 +0200
@@ -44,7 +44,6 @@
 #include "lib/bitops.h"
 #include "lib/utils_crypt.h"
 #include "lib/utils_loop.h"
-#include "lib/utils_fips.h"
 #include "lib/utils_io.h"
 #include "lib/utils_blkid.h"
 #include "lib/libcryptsetup_macros.h"
diff -rupN cryptsetup-2.4.3.old/tests/compat-test cryptsetup-2.4.3/tests/compat-test
--- cryptsetup-2.4.3.old/tests/compat-test	2022-08-10 16:36:36.593578847 +0200
+++ cryptsetup-2.4.3/tests/compat-test	2022-08-10 17:03:30.308927004 +0200
@@ -44,7 +44,7 @@ KEY_MATERIAL5_EXT="S331776-395264"
 TEST_UUID="12345678-1234-1234-1234-123456789abc"
 
 LOOPDEV=$(losetup -f 2>/dev/null)
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 
 function remove_mapping()
 {
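Review bot: `FIPS_MODE` is now taken from /proc/sys/crypto/fips_enabled alone, while the library side of this patch takes its answer from the crypto backend, so the two can disagree; the same one-line change is made in compat-test2, keyring-compat-test and luks2-reencryption-test. On a host with the kernel flag set but a build without ENABLE_FIPS, or with a backend whose `crypt_fips_mode()` always returns false, the scripts would take their FIPS branches while cryptsetup behaves as non-FIPS. A comment such as `# kernel flag only; may differ from what the crypto backend reports` would at least record the mismatch. How the later tests use the variable is outside this hunk.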
diff -rupN cryptsetup-2.4.3.old/tests/compat-test2 cryptsetup-2.4.3/tests/compat-test2
--- cryptsetup-2.4.3.old/tests/compat-test2	2022-08-10 16:36:57.610677161 +0200
+++ cryptsetup-2.4.3/tests/compat-test2	2022-08-10 17:03:30.308927004 +0200
@@ -42,7 +42,7 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-f
 TEST_UUID="12345678-1234-1234-1234-123456789abc"
 
 LOOPDEV=$(losetup -f 2>/dev/null)
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 
 function remove_mapping()
 {
diff -rupN cryptsetup-2.4.3.old/tests/keyring-compat-test cryptsetup-2.4.3/tests/keyring-compat-test
--- cryptsetup-2.4.3.old/tests/keyring-compat-test	2022-08-10 16:36:36.594578852 +0200
+++ cryptsetup-2.4.3/tests/keyring-compat-test	2022-08-10 17:09:55.062022004 +0200
@@ -26,7 +26,7 @@ PWD="aaa"
 [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".."
 CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
 
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 
 function remove_mapping()
 {
diff -rupN cryptsetup-2.4.3.old/tests/luks2-reencryption-test cryptsetup-2.4.3/tests/luks2-reencryption-test
--- cryptsetup-2.4.3.old/tests/luks2-reencryption-test	2022-08-10 16:37:14.711757148 +0200
+++ cryptsetup-2.4.3/tests/luks2-reencryption-test	2022-08-10 17:03:30.310927015 +0200
@@ -25,7 +25,7 @@ PWD2="1cND4319812f"
 PWD3="1-9Qu5Ejfnqv"
 DEV_LINK="reenc-test-link"
 
-[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 
 function dm_crypt_features()
 {