From 01b2be2b72bc5509e8155982b9dae0bc5914b6c9 Mon Sep 17 00:00:00 2001 From: Ondrej Kozina Date: Thu, 30 Oct 2014 15:21:31 +0100 Subject: [PATCH 1/2] libcryptsetup: drop FIPS power on self test - cryptsetup library is not required to be FIPS certified anymore due to fact gcrypt PBKDF2 algorithm can be used instead of cryptsetup internal one. - check in library constructor is no longer needed and therefore removed. - all other checks regarding MK extraction or random generator restrictions remain the same --- lib/setup.c | 5 ----- lib/utils_fips.c | 23 +---------------------- lib/utils_fips.h | 5 +---- 3 files changed, 2 insertions(+), 31 deletions(-) diff --git a/lib/setup.c b/lib/setup.c index 8261445..0ca9e11 100644 --- a/lib/setup.c +++ b/lib/setup.c @@ -2690,8 +2690,3 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name, return 0; } - -static void __attribute__((constructor)) libcryptsetup_ctor(void) -{ - crypt_fips_libcryptsetup_check(); -} diff --git a/lib/utils_fips.c b/lib/utils_fips.c index 9a3caae..1e284f6 100644 --- a/lib/utils_fips.c +++ b/lib/utils_fips.c @@ -1,7 +1,7 @@ /* * FIPS mode utilities * - * Copyright (C) 2011-2013, Red Hat, Inc. All rights reserved. + * Copyright (C) 2011-2014, Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -18,15 +18,11 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include -#include #include -#include "nls.h" #include "utils_fips.h" #if !ENABLE_FIPS int crypt_fips_mode(void) { return 0; } -void crypt_fips_libcryptsetup_check(void) {} #else #include @@ -34,21 +30,4 @@ int crypt_fips_mode(void) { return FIPSCHECK_kernel_fips_mode() && !access(FIPS_MODULE_FILE, F_OK); } - -static void crypt_fips_verify(const char *name, const char *function) -{ - if (access(FIPS_MODULE_FILE, F_OK)) - return; - - if (!FIPSCHECK_verify(name, function)) { - fputs(_("FIPS checksum verification failed.\n"), stderr); - if (FIPSCHECK_kernel_fips_mode()) - _exit(EXIT_FAILURE); - } -} - -void crypt_fips_libcryptsetup_check(void) -{ - crypt_fips_verify(LIBCRYPTSETUP_VERSION_FIPS, "crypt_init"); -} #endif /* ENABLE_FIPS */ diff --git a/lib/utils_fips.h b/lib/utils_fips.h index 59f2339..fc430bd 100644 --- a/lib/utils_fips.h +++ b/lib/utils_fips.h @@ -1,7 +1,7 @@ /* * FIPS mode utilities * - * Copyright (C) 2011-2013, Red Hat, Inc. All rights reserved. + * Copyright (C) 2011-2014, Red Hat, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License @@ -21,9 +21,6 @@ #ifndef _UTILS_FIPS_H #define _UTILS_FIPS_H -struct crypt_device; - int crypt_fips_mode(void); -void crypt_fips_libcryptsetup_check(void); #endif /* _UTILS_FIPS_H */ -- 1.9.3