diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_backend.h cryptsetup-2.4.3/lib/crypto_backend/crypto_backend.h --- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_backend.h 2022-01-13 10:14:51.000000000 +0100 +++ cryptsetup-2.4.3/lib/crypto_backend/crypto_backend.h 2022-08-10 17:04:13.727162964 +0200 @@ -134,5 +134,8 @@ static inline void crypt_backend_memzero while(n--) *p++ = 0; #endif } + +/* crypto backend running in FIPS mode */ +bool crypt_fips_mode(void); #endif /* _CRYPTO_BACKEND_H */ diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_gcrypt.c cryptsetup-2.4.3/lib/crypto_backend/crypto_gcrypt.c --- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_gcrypt.c 2022-01-13 10:14:51.000000000 +0100 +++ cryptsetup-2.4.3/lib/crypto_backend/crypto_gcrypt.c 2022-08-10 17:06:28.163895662 +0200 @@ -550,3 +550,20 @@ out: return -ENOTSUP; #endif } + +#if !ENABLE_FIPS +bool crypt_fips_mode(void) { return false; } +#else +bool crypt_fips_mode(void) +{ + static bool fips_mode = false, fips_checked = false; + + if (fips_checked) + return fips_mode; + + fips_mode = gcry_fips_mode_active(); + fips_checked = true; + + return fips_mode; +} +#endif /* ENABLE FIPS */ diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_kernel.c cryptsetup-2.4.3/lib/crypto_backend/crypto_kernel.c --- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_kernel.c 2022-01-13 10:14:51.000000000 +0100 +++ cryptsetup-2.4.3/lib/crypto_backend/crypto_kernel.c 2022-08-10 17:07:06.720105794 +0200 
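Review bot: The new crypt_fips_mode() in crypto_gcrypt.c latches the first answer from `gcry_fips_mode_active()` in function-local statics, so a call made before libgcrypt is initialised would pin whatever the library reports at that moment for the rest of the process. Whether that can happen depends on the call order relative to the backend's init routine, which is outside this hunk. Since the query is a single library call, I would drop the cache, or at least document the ordering requirement at the definition, e.g. `/* result is cached on first call; must not be called before crypt_backend_init() */`. The crypto_openssl.c hunk uses the same latch and needs the same treatment. The statics are also written without synchronisation, which looks harmless because the stores are idempotent, but a comment should say so.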
@@ -416,3 +416,8 @@ int crypt_bitlk_decrypt_key(const void * return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length, iv, iv_length, tag, tag_length); } + +bool crypt_fips_mode(void) +{ + return false; +} diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_nettle.c cryptsetup-2.4.3/lib/crypto_backend/crypto_nettle.c --- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_nettle.c 2022-01-13 10:14:51.000000000 +0100 +++ cryptsetup-2.4.3/lib/crypto_backend/crypto_nettle.c 2022-08-10 17:07:18.127167962 +0200 @@ -446,3 +446,8 @@ int crypt_bitlk_decrypt_key(const void * return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length, iv, iv_length, tag, tag_length); } + +bool crypt_fips_mode(void) +{ + return false; +} diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_nss.c cryptsetup-2.4.3/lib/crypto_backend/crypto_nss.c --- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_nss.c 2022-01-13 10:14:51.000000000 +0100 +++ cryptsetup-2.4.3/lib/crypto_backend/crypto_nss.c 2022-08-10 17:07:24.547202954 +0200 @@ -395,3 +395,8 @@ int crypt_bitlk_decrypt_key(const void * return crypt_bitlk_decrypt_key_kernel(key, key_length, in, out, length, iv, iv_length, tag, tag_length); } + +bool crypt_fips_mode(void) +{ + return false; +} diff -rupN cryptsetup-2.4.3.old/lib/crypto_backend/crypto_openssl.c cryptsetup-2.4.3/lib/crypto_backend/crypto_openssl.c --- cryptsetup-2.4.3.old/lib/crypto_backend/crypto_openssl.c 2022-01-13 10:14:51.000000000 +0100 +++ cryptsetup-2.4.3/lib/crypto_backend/crypto_openssl.c 2022-08-10 17:05:51.483695770 +0200 
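Review bot: crypt_fips_mode() in crypto_kernel.c returns false unconditionally, even when the build sets ENABLE_FIPS, whereas the removed lib/utils_fips.c answered from /proc/sys/crypto/fips_enabled and /etc/system-fips regardless of the backend. On a host whose kernel is in FIPS mode, a library built with this backend will therefore report non-FIPS, and any caller that tightens algorithm or PBKDF choices on that flag will silently stop doing so (the callers are not visible in this diff). The crypto_nettle.c and crypto_nss.c hunks add the same stub. If this is intended, state it at the definition, e.g. `/* this backend has no FIPS mode; always false, even when the kernel has fips_enabled=1 */`, and consider rejecting ENABLE_FIPS with these backends at configure time so the downgrade cannot happen unnoticed.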
@@ -809,3 +809,29 @@ out: return -ENOTSUP; #endif } + +#if !ENABLE_FIPS +bool crypt_fips_mode(void) { return false; } +#else +static bool openssl_fips_mode(void) +{ +#if OPENSSL_VERSION_MAJOR >= 3 + return EVP_default_properties_is_fips_enabled(NULL); +#else + return FIPS_mode(); +#endif +} + +bool crypt_fips_mode(void) +{ + static bool fips_mode = false, fips_checked = false; + + if (fips_checked) + return fips_mode; + + fips_mode = openssl_fips_mode(); + fips_checked = true; + + return fips_mode; +} +#endif /* ENABLE FIPS */ diff -rupN cryptsetup-2.4.3.old/lib/internal.h cryptsetup-2.4.3/lib/internal.h --- cryptsetup-2.4.3.old/lib/internal.h 2022-01-13 10:14:51.000000000 +0100 +++ cryptsetup-2.4.3/lib/internal.h 2022-08-10 17:03:00.348765820 +0200 @@ -38,7 +38,6 @@ #include "utils_crypt.h" #include "utils_loop.h" #include "utils_dm.h" -#include "utils_fips.h" #include "utils_keyring.h" #include "utils_io.h" #include "crypto_backend/crypto_backend.h" diff -rupN cryptsetup-2.4.3.old/lib/Makemodule.am cryptsetup-2.4.3/lib/Makemodule.am --- cryptsetup-2.4.3.old/lib/Makemodule.am 2022-01-13 10:14:51.000000000 +0100 +++ cryptsetup-2.4.3/lib/Makemodule.am 2022-08-10 17:03:00.342765787 +0200 @@ -54,8 +54,6 @@ libcryptsetup_la_SOURCES = \ lib/utils_loop.h \ lib/utils_devpath.c \ lib/utils_wipe.c \ - lib/utils_fips.c \ - lib/utils_fips.h \ lib/utils_device.c \ lib/utils_keyring.c \ lib/utils_keyring.h \ diff -rupN cryptsetup-2.4.3.old/lib/utils_fips.c cryptsetup-2.4.3/lib/utils_fips.c --- cryptsetup-2.4.3.old/lib/utils_fips.c 2022-01-13 10:14:51.000000000 +0100 +++ cryptsetup-2.4.3/lib/utils_fips.c 1970-01-01 01:00:00.000000000 +0100 
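Review bot: In openssl_fips_mode(), `EVP_default_properties_is_fips_enabled(NULL)` reports only whether the default library context has `fips=yes` among its default properties. It does not by itself show that a FIPS provider is loaded, and it says nothing about any context other than the default one. If the backend fetches algorithms through its own OSSL_LIB_CTX (not visible in this hunk), the answer can differ from what that context actually uses, so a comment should pin the intent, e.g. `/* FIPS state of the default library context, as set by the OpenSSL configuration */`. Separately, `OPENSSL_VERSION_MAJOR` is not defined by pre-3.0 headers, so the `#if` relies on an undefined macro evaluating to 0; `#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3` gives the same result and stays quiet under -Wundef.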
@@ -1,55 +0,0 @@ -/* - * FIPS mode utilities - * - * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved. - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - */ - -#include -#include -#include -#include "utils_fips.h" - -#if !ENABLE_FIPS -bool crypt_fips_mode(void) { return false; } -#else -static bool fips_checked = false; -static bool fips_mode = false; - -static bool kernel_fips_mode(void) -{ - int fd; - char buf[1] = ""; - - if ((fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY)) >= 0) { - while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR); - close(fd); - } - - return (buf[0] == '1'); -} - -bool crypt_fips_mode(void) -{ - if (fips_checked) - return fips_mode; - - fips_mode = kernel_fips_mode() && !access("/etc/system-fips", F_OK); - fips_checked = true; - - return fips_mode; -} -#endif /* ENABLE_FIPS */ diff -rupN cryptsetup-2.4.3.old/lib/utils_fips.h cryptsetup-2.4.3/lib/utils_fips.h --- cryptsetup-2.4.3.old/lib/utils_fips.h 2022-01-13 10:14:51.000000000 +0100 +++ cryptsetup-2.4.3/lib/utils_fips.h 1970-01-01 01:00:00.000000000 +0100 
@@ -1,28 +0,0 @@ -/* - * FIPS mode utilities - * - * Copyright (C) 2011-2021 Red Hat, Inc. All rights reserved. - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version 2 - * of the License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - */ - -#ifndef _UTILS_FIPS_H -#define _UTILS_FIPS_H - -#include - -bool crypt_fips_mode(void); - -#endif /* _UTILS_FIPS_H */ diff -rupN cryptsetup-2.4.3.old/Makefile.in cryptsetup-2.4.3/Makefile.in --- cryptsetup-2.4.3.old/Makefile.in 2022-01-13 10:24:33.000000000 +0100 +++ cryptsetup-2.4.3/Makefile.in 2022-08-10 17:28:09.508914077 +0200 @@ -281,7 +281,6 @@ am_libcryptsetup_la_OBJECTS = lib/libcry lib/libcryptsetup_la-utils_loop.lo \ lib/libcryptsetup_la-utils_devpath.lo \ lib/libcryptsetup_la-utils_wipe.lo \ - lib/libcryptsetup_la-utils_fips.lo \ lib/libcryptsetup_la-utils_device.lo \ lib/libcryptsetup_la-utils_keyring.lo \ lib/libcryptsetup_la-utils_device_locking.lo \ @@ -547,7 +546,6 @@ am__depfiles_remade = lib/$(DEPDIR)/cryp lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo \ lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo \ lib/$(DEPDIR)/libcryptsetup_la-utils_devpath.Plo \ - lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo \ lib/$(DEPDIR)/libcryptsetup_la-utils_keyring.Plo \ lib/$(DEPDIR)/libcryptsetup_la-utils_loop.Plo \ lib/$(DEPDIR)/libcryptsetup_la-utils_pbkdf.Plo \ 
@@ -1036,8 +1034,6 @@ libcryptsetup_la_SOURCES = \ lib/utils_loop.h \ lib/utils_devpath.c \ lib/utils_wipe.c \ - lib/utils_fips.c \ - lib/utils_fips.h \ lib/utils_device.c \ lib/utils_keyring.c \ lib/utils_keyring.h \ @@ -1551,8 +1547,6 @@ lib/libcryptsetup_la-utils_devpath.lo: l lib/$(DEPDIR)/$(am__dirstamp) lib/libcryptsetup_la-utils_wipe.lo: lib/$(am__dirstamp) \ lib/$(DEPDIR)/$(am__dirstamp) -lib/libcryptsetup_la-utils_fips.lo: lib/$(am__dirstamp) \ - lib/$(DEPDIR)/$(am__dirstamp) lib/libcryptsetup_la-utils_device.lo: lib/$(am__dirstamp) \ lib/$(DEPDIR)/$(am__dirstamp) lib/libcryptsetup_la-utils_keyring.lo: lib/$(am__dirstamp) \ @@ -1811,7 +1805,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_devpath.Plo@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_keyring.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_loop.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@lib/$(DEPDIR)/libcryptsetup_la-utils_pbkdf.Plo@am__quote@ # am--include-marker 
@@ -2105,13 +2098,6 @@ lib/libcryptsetup_la-utils_wipe.lo: lib/ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -c -o lib/libcryptsetup_la-utils_wipe.lo `test -f 'lib/utils_wipe.c' || echo '$(srcdir)/'`lib/utils_wipe.c -lib/libcryptsetup_la-utils_fips.lo: lib/utils_fips.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -MT lib/libcryptsetup_la-utils_fips.lo -MD -MP -MF lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Tpo -c -o lib/libcryptsetup_la-utils_fips.lo `test -f 'lib/utils_fips.c' || echo '$(srcdir)/'`lib/utils_fips.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Tpo lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='lib/utils_fips.c' object='lib/libcryptsetup_la-utils_fips.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) $(libcryptsetup_la_CFLAGS) $(CFLAGS) -c -o lib/libcryptsetup_la-utils_fips.lo `test -f 'lib/utils_fips.c' || echo '$(srcdir)/'`lib/utils_fips.c - lib/libcryptsetup_la-utils_device.lo: lib/utils_device.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcryptsetup_la_CPPFLAGS) $(CPPFLAGS) 
$(libcryptsetup_la_CFLAGS) $(CFLAGS) -MT lib/libcryptsetup_la-utils_device.lo -MD -MP -MF lib/$(DEPDIR)/libcryptsetup_la-utils_device.Tpo -c -o lib/libcryptsetup_la-utils_device.lo `test -f 'lib/utils_device.c' || echo '$(srcdir)/'`lib/utils_device.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) lib/$(DEPDIR)/libcryptsetup_la-utils_device.Tpo lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo @@ -2987,7 +2973,6 @@ distclean: distclean-recursive -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_devpath.Plo - -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_keyring.Plo -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_loop.Plo -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_pbkdf.Plo @@ -3124,7 +3109,6 @@ maintainer-clean: maintainer-clean-recur -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_device.Plo -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_device_locking.Plo -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_devpath.Plo - -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_fips.Plo -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_keyring.Plo -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_loop.Plo -rm -f lib/$(DEPDIR)/libcryptsetup_la-utils_pbkdf.Plo diff -rupN cryptsetup-2.4.3.old/po/POTFILES.in cryptsetup-2.4.3/po/POTFILES.in --- cryptsetup-2.4.3.old/po/POTFILES.in 2022-01-13 10:23:53.000000000 +0100 +++ cryptsetup-2.4.3/po/POTFILES.in 2022-08-10 17:03:30.306926994 +0200 @@ -6,7 +6,6 @@ lib/volumekey.c lib/crypt_plain.c lib/utils_crypt.c lib/utils_loop.c -lib/utils_fips.c lib/utils_device.c lib/utils_devpath.c lib/utils_pbkdf.c diff -rupN cryptsetup-2.4.3.old/src/cryptsetup.h cryptsetup-2.4.3/src/cryptsetup.h --- cryptsetup-2.4.3.old/src/cryptsetup.h 2022-01-13 10:14:51.000000000 +0100 +++ cryptsetup-2.4.3/src/cryptsetup.h 2022-08-10 17:03:30.307926999 +0200 
@@ -44,7 +44,6 @@ #include "lib/bitops.h" #include "lib/utils_crypt.h" #include "lib/utils_loop.h" -#include "lib/utils_fips.h" #include "lib/utils_io.h" #include "lib/utils_blkid.h" #include "lib/libcryptsetup_macros.h" diff -rupN cryptsetup-2.4.3.old/tests/compat-test cryptsetup-2.4.3/tests/compat-test --- cryptsetup-2.4.3.old/tests/compat-test 2022-08-10 16:36:36.593578847 +0200 +++ cryptsetup-2.4.3/tests/compat-test 2022-08-10 17:03:30.308927004 +0200 @@ -44,7 +44,7 @@ KEY_MATERIAL5_EXT="S331776-395264" TEST_UUID="12345678-1234-1234-1234-123456789abc" LOOPDEV=$(losetup -f 2>/dev/null) -[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) +FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) function remove_mapping() { diff -rupN cryptsetup-2.4.3.old/tests/compat-test2 cryptsetup-2.4.3/tests/compat-test2 --- cryptsetup-2.4.3.old/tests/compat-test2 2022-08-10 16:36:57.610677161 +0200 +++ cryptsetup-2.4.3/tests/compat-test2 2022-08-10 17:03:30.308927004 +0200 @@ -42,7 +42,7 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-f TEST_UUID="12345678-1234-1234-1234-123456789abc" LOOPDEV=$(losetup -f 2>/dev/null) -[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) +FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) function remove_mapping() { diff -rupN cryptsetup-2.4.3.old/tests/keyring-compat-test cryptsetup-2.4.3/tests/keyring-compat-test --- cryptsetup-2.4.3.old/tests/keyring-compat-test 2022-08-10 16:36:36.594578852 +0200 +++ cryptsetup-2.4.3/tests/keyring-compat-test 2022-08-10 17:09:55.062022004 +0200 
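Review bot: In tests/compat-test, FIPS_MODE is now taken from /proc/sys/crypto/fips_enabled alone, while the library side of this patch takes its answer from the crypto backend (`gcry_fips_mode_active()`, the OpenSSL default properties, or a constant false for the kernel, nettle and nss backends). The two can disagree: with the kernel flag set and a backend that reports false, the script would follow its FIPS expectations while the binary under test does not apply them, so a failure or a pass could be misread. How FIPS_MODE is consumed later in the script is outside the hunk. At minimum add a comment next to the assignment, e.g. `# kernel flag only; the binary decides FIPS mode from its crypto backend`. The same one-line change is in the compat-test2, keyring-compat-test and luks2-reencryption-test hunks.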
@@ -26,7 +26,7 @@ PWD="aaa" [ -z "$CRYPTSETUP_PATH" ] && CRYPTSETUP_PATH=".." CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup -[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) +FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) function remove_mapping() { diff -rupN cryptsetup-2.4.3.old/tests/luks2-reencryption-test cryptsetup-2.4.3/tests/luks2-reencryption-test --- cryptsetup-2.4.3.old/tests/luks2-reencryption-test 2022-08-10 16:37:14.711757148 +0200 +++ cryptsetup-2.4.3/tests/luks2-reencryption-test 2022-08-10 17:03:30.310927015 +0200 @@ -25,7 +25,7 @@ PWD2="1cND4319812f" PWD3="1-9Qu5Ejfnqv" DEV_LINK="reenc-test-link" -[ -f /etc/system-fips ] && FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) +FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) function dm_crypt_features() {