Commit dc40b91c authored by Ondrej Kozina's avatar Ondrej Kozina Committed by Milan Broz

libcryptsetup: drop FIPS power on self test

- cryptsetup library is not required to be FIPS certified anymore
  due to the fact that the gcrypt PBKDF2 algorithm can be used instead of
  the cryptsetup internal one.

- check in library constructor is no longer needed and therefore
  removed.

- all other checks regarding MK extraction or random generator
  restrictions remain the same
parent eccf3475
......@@ -5,7 +5,6 @@ dnl library version from <major>.<minor>.<release>[-<suffix>]
LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-)
LIBCRYPTSETUP_VERSION_INFO=10:0:6
dnl library file name for FIPS selfcheck
LIBCRYPTSETUP_VERSION_FIPS="libcryptsetup.so.4"
FIPS_MODULE_FILE="/etc/system-fips"
AC_CONFIG_SRCDIR(src/cryptsetup.c)
......@@ -78,15 +77,13 @@ AC_SUBST(POPT_LIBS, $LIBS)
LIBS=$saved_LIBS
dnl ==========================================================================
dnl FIPS extensions
dnl FIPS extensions (only for RHEL)
AC_ARG_ENABLE([fips], AS_HELP_STRING([--enable-fips],[enable FIPS mode restrictions]),
[with_fips=$enableval],
[with_fips=no])
if test "x$with_fips" = "xyes"; then
AC_DEFINE(ENABLE_FIPS, 1, [Enable FIPS mode restrictions])
AC_DEFINE_UNQUOTED(LIBCRYPTSETUP_VERSION_FIPS, ["$LIBCRYPTSETUP_VERSION_FIPS"],
[library file name for FIPS selfcheck])
AC_DEFINE_UNQUOTED(FIPS_MODULE_FILE, ["$FIPS_MODULE_FILE"],
[file checked to determine if running in FIPS mode])
......@@ -141,6 +138,14 @@ AC_DEFUN([CONFIGURE_GCRYPT], [
[AM_PATH_LIBGCRYPT([1.6.1], [use_internal_pbkdf2=0], [use_internal_pbkdf2=1])])
AM_PATH_LIBGCRYPT($GCRYPT_REQ_VERSION,,[AC_MSG_ERROR([You need the gcrypt library.])])
AC_MSG_CHECKING([internal gcrypt PBKDF2 implementation])
if test $use_internal_pbkdf2 = 0; then
AC_MSG_RESULT([yes])
else
AC_MSG_RESULT([no])
NO_FIPS([])
fi
if test x$enable_static_cryptsetup = xyes; then
saved_LIBS=$LIBS
LIBS="$saved_LIBS $LIBGCRYPT_LIBS -static"
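Review bot: `NO_FIPS([])` on the else branch runs inside CONFIGURE_GCRYPT, i.e. after the `--enable-fips` handling earlier in this file has already emitted `AC_DEFINE(ENABLE_FIPS, 1, ...)`, so if NO_FIPS merely clears with_fips instead of failing with AC_MSG_ERROR, a build against an old gcrypt (falling back to the cryptsetup internal PBKDF2) would still compile with ENABLE_FIPS set — the macro's definition is not in view, so it is worth confirming that it aborts. The new test `if test $use_internal_pbkdf2 = 0; then` is unquoted, unlike `"x$with_fips" = "xyes"` above; `if test "x$use_internal_pbkdf2" = "x0"; then` avoids a shell syntax error on any path that leaves the variable unset (the AM_PATH_LIBGCRYPT call that sets it starts outside this hunk). The checking message also reads backwards — "internal gcrypt PBKDF2 implementation: yes" means gcrypt's PBKDF2 is used rather than cryptsetup's internal one; `AC_MSG_CHECKING([for gcrypt PBKDF2 implementation])` would be clearer.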
......
......@@ -2690,8 +2690,3 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name,
return 0;
}
static void __attribute__((constructor)) libcryptsetup_ctor(void)
{
crypt_fips_libcryptsetup_check();
}
/*
* FIPS mode utilities
*
* Copyright (C) 2011-2013, Red Hat, Inc. All rights reserved.
* Copyright (C) 2011-2015, Red Hat, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
......@@ -18,15 +18,11 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include "nls.h"
#include "utils_fips.h"
#if !ENABLE_FIPS
int crypt_fips_mode(void) { return 0; }
void crypt_fips_libcryptsetup_check(void) {}
#else
#include <fipscheck.h>
......@@ -34,21 +30,4 @@ int crypt_fips_mode(void)
{
return FIPSCHECK_kernel_fips_mode() && !access(FIPS_MODULE_FILE, F_OK);
}
static void crypt_fips_verify(const char *name, const char *function)
{
if (access(FIPS_MODULE_FILE, F_OK))
return;
if (!FIPSCHECK_verify(name, function)) {
fputs(_("FIPS checksum verification failed.\n"), stderr);
if (FIPSCHECK_kernel_fips_mode())
_exit(EXIT_FAILURE);
}
}
void crypt_fips_libcryptsetup_check(void)
{
crypt_fips_verify(LIBCRYPTSETUP_VERSION_FIPS, "crypt_init");
}
#endif /* ENABLE_FIPS */
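Review bot: crypt_fips_mode() at the top of the hunk is now the only reason libfipscheck is still linked, since FIPSCHECK_verify() left together with crypt_fips_verify(); it deserves a comment stating what its two conditions mean and that the integrity self-test is intentionally gone, e.g. `/* FIPS mode is on only if the kernel reports it AND the distro marker FIPS_MODULE_FILE exists; the library integrity self-test (FIPSCHECK_verify) was dropped, see commit message. */`. If FIPSCHECK_kernel_fips_mode() does nothing beyond reading the kernel's fips flag, the <fipscheck.h> dependency could presumably be dropped in a follow-up, but that is not visible here. Note also that the !ENABLE_FIPS stub returns 0 unconditionally, so any remaining MK-extraction or RNG restrictions that gate on crypt_fips_mode() presumably apply only to --enable-fips builds, which the commit message does not spell out.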
/*
* FIPS mode utilities
*
* Copyright (C) 2011-2013, Red Hat, Inc. All rights reserved.
* Copyright (C) 2011-2015, Red Hat, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
......@@ -21,9 +21,6 @@
#ifndef _UTILS_FIPS_H
#define _UTILS_FIPS_H
struct crypt_device;
int crypt_fips_mode(void);
void crypt_fips_libcryptsetup_check(void);
#endif /* _UTILS_FIPS_H */