rpms / cryptsetup

Clone
Source Code
GIT

Files

  1.   79c0bda216b4dc8c2ab8f7e6f36d86c224297012
  2.   SOURCES
  3.   cryptsetup-2.4.1-Do-not-load-own-OpenSSL-backend-context-in-FIPS-mode.patch
Blob Blame History Raw 
From f8eb7b225affe8b6b9f02ab6a90fd2e73181a526 Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Mon, 13 Sep 2021 19:45:05 +0200
Subject: [PATCH 03/11] Do not load own OpenSSL backend context in FIPS mode.

In the FIPS mode keep configuration up to the system wide config.
---
 lib/crypto_backend/crypto_backend.h |  2 +-
 lib/crypto_backend/crypto_gcrypt.c  |  2 +-
 lib/crypto_backend/crypto_kernel.c  |  2 +-
 lib/crypto_backend/crypto_nettle.c  |  2 +-
 lib/crypto_backend/crypto_nss.c     |  2 +-
 lib/crypto_backend/crypto_openssl.c | 39 +++++++++++++++++------------
 lib/setup.c                         |  2 +-
 lib/utils_fips.c                    |  8 +++---
 lib/utils_fips.h                    |  4 ++-
 tests/crypto-vectors.c              |  2 +-
 10 files changed, 37 insertions(+), 28 deletions(-)

diff --git a/lib/crypto_backend/crypto_backend.h b/lib/crypto_backend/crypto_backend.h
index 5278c345..88cc2d59 100644
--- a/lib/crypto_backend/crypto_backend.h
+++ b/lib/crypto_backend/crypto_backend.h
@@ -31,7 +31,7 @@ struct crypt_hmac;
 struct crypt_cipher;
 struct crypt_storage;
 
-int crypt_backend_init(void);
+int crypt_backend_init(bool fips);
 void crypt_backend_destroy(void);
 
 #define CRYPT_BACKEND_KERNEL (1 << 0)	/* Crypto uses kernel part, for benchmark */
diff --git a/lib/crypto_backend/crypto_gcrypt.c b/lib/crypto_backend/crypto_gcrypt.c
index 2845382e..67f26067 100644
--- a/lib/crypto_backend/crypto_gcrypt.c
+++ b/lib/crypto_backend/crypto_gcrypt.c
@@ -94,7 +94,7 @@ static void crypt_hash_test_whirlpool_bug(void)
 		crypto_backend_whirlpool_bug = 1;
 }
 
-int crypt_backend_init(void)
+int crypt_backend_init(bool fips __attribute__((unused)))
 {
 	int r;
 
diff --git a/lib/crypto_backend/crypto_kernel.c b/lib/crypto_backend/crypto_kernel.c
index 2e3d65b2..ce84cfac 100644
--- a/lib/crypto_backend/crypto_kernel.c
+++ b/lib/crypto_backend/crypto_kernel.c
@@ -117,7 +117,7 @@ static int crypt_kernel_socket_init(struct sockaddr_alg *sa, int *tfmfd, int *op
 	return 0;
 }
 
-int crypt_backend_init(void)
+int crypt_backend_init(bool fips __attribute__((unused)))
 {
 	struct utsname uts;
 	struct sockaddr_alg sa = {
diff --git a/lib/crypto_backend/crypto_nettle.c b/lib/crypto_backend/crypto_nettle.c
index 0860a52d..c9b9f5f8 100644
--- a/lib/crypto_backend/crypto_nettle.c
+++ b/lib/crypto_backend/crypto_nettle.c
@@ -213,7 +213,7 @@ static struct hash_alg *_get_alg(const char *name)
 	return NULL;
 }
 
-int crypt_backend_init(void)
+int crypt_backend_init(bool fips __attribute__((unused)))
 {
 	return 0;
 }
diff --git a/lib/crypto_backend/crypto_nss.c b/lib/crypto_backend/crypto_nss.c
index ebe9de0e..a84d3d65 100644
--- a/lib/crypto_backend/crypto_nss.c
+++ b/lib/crypto_backend/crypto_nss.c
@@ -75,7 +75,7 @@ static struct hash_alg *_get_alg(const char *name)
 	return NULL;
 }
 
-int crypt_backend_init(void)
+int crypt_backend_init(bool fips __attribute__((unused)))
 {
 	int r;
 
diff --git a/lib/crypto_backend/crypto_openssl.c b/lib/crypto_backend/crypto_openssl.c
index 92eeb33c..2a490ce5 100644
--- a/lib/crypto_backend/crypto_openssl.c
+++ b/lib/crypto_backend/crypto_openssl.c
@@ -88,7 +88,7 @@ struct hash_alg {
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
     (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
 
-static void openssl_backend_init(void)
+static void openssl_backend_init(bool fips __attribute__((unused)))
 {
 	OpenSSL_add_all_algorithms();
 }
@@ -150,7 +150,7 @@ static void openssl_backend_exit(void)
 #endif
 }
 
-static int openssl_backend_init(void)
+static int openssl_backend_init(bool fips)
 {
 /*
  * OpenSSL >= 3.0.0 provides some algorithms in legacy provider
@@ -158,23 +158,30 @@ static int openssl_backend_init(void)
 #if OPENSSL_VERSION_MAJOR >= 3
 	int r;
 
-	ossl_ctx = OSSL_LIB_CTX_new();
-	if (!ossl_ctx)
-		return -EINVAL;
+	/*
+	 * In FIPS mode we keep default OpenSSL context & global config
+	 */
+	if (!fips) {
+		ossl_ctx = OSSL_LIB_CTX_new();
+		if (!ossl_ctx)
+			return -EINVAL;
 
-	ossl_default = OSSL_PROVIDER_try_load(ossl_ctx, "default", 0);
-	if (!ossl_default) {
-		OSSL_LIB_CTX_free(ossl_ctx);
-		return -EINVAL;
-	}
+		ossl_default = OSSL_PROVIDER_try_load(ossl_ctx, "default", 0);
+		if (!ossl_default) {
+			OSSL_LIB_CTX_free(ossl_ctx);
+			return -EINVAL;
+		}
 
-	/* Optional */
-	ossl_legacy = OSSL_PROVIDER_try_load(ossl_ctx, "legacy", 0);
+		/* Optional */
+		ossl_legacy = OSSL_PROVIDER_try_load(ossl_ctx, "legacy", 0);
+	}
 
-	r = snprintf(backend_version, sizeof(backend_version), "%s %s%s",
+	r = snprintf(backend_version, sizeof(backend_version), "%s %s%s%s",
 		OpenSSL_version(OPENSSL_VERSION),
 		ossl_default ? "[default]" : "",
-		ossl_legacy  ? "[legacy]" : "");
+		ossl_legacy  ? "[legacy]" : "",
+		fips  ? "[fips]" : "");
+
 	if (r < 0 || (size_t)r >= sizeof(backend_version)) {
 		openssl_backend_exit();
 		return -EINVAL;
@@ -193,12 +200,12 @@ static const char *openssl_backend_version(void)
 }
 #endif
 
-int crypt_backend_init(void)
+int crypt_backend_init(bool fips)
 {
 	if (crypto_backend_initialised)
 		return 0;
 
-	if (openssl_backend_init())
+	if (openssl_backend_init(fips))
 		return -EINVAL;
 
 	crypto_backend_initialised = 1;
diff --git a/lib/setup.c b/lib/setup.c
index dc5459f5..a5dfd843 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -227,7 +227,7 @@ int init_crypto(struct crypt_device *ctx)
 		return r;
 	}
 
-	r = crypt_backend_init();
+	r = crypt_backend_init(crypt_fips_mode());
 	if (r < 0)
 		log_err(ctx, _("Cannot initialize crypto backend."));
 
diff --git a/lib/utils_fips.c b/lib/utils_fips.c
index 4fa22fb9..0c2b6434 100644
--- a/lib/utils_fips.c
+++ b/lib/utils_fips.c
@@ -24,9 +24,9 @@
 #include "utils_fips.h"
 
 #if !ENABLE_FIPS
-int crypt_fips_mode(void) { return 0; }
+bool crypt_fips_mode(void) { return false; }
 #else
-static int kernel_fips_mode(void)
+static bool kernel_fips_mode(void)
 {
 	int fd;
 	char buf[1] = "";
@@ -36,10 +36,10 @@ static int kernel_fips_mode(void)
 		close(fd);
 	}
 
-	return (buf[0] == '1') ? 1 : 0;
+	return (buf[0] == '1');
 }
 
-int crypt_fips_mode(void)
+bool crypt_fips_mode(void)
 {
 	return kernel_fips_mode() && !access("/etc/system-fips", F_OK);
 }
diff --git a/lib/utils_fips.h b/lib/utils_fips.h
index 51b110b5..13cfc9fb 100644
--- a/lib/utils_fips.h
+++ b/lib/utils_fips.h
@@ -21,6 +21,8 @@
 #ifndef _UTILS_FIPS_H
 #define _UTILS_FIPS_H
 
-int crypt_fips_mode(void);
+#include <stdbool.h>
+
+bool crypt_fips_mode(void);
 
 #endif /* _UTILS_FIPS_H */
diff --git a/tests/crypto-vectors.c b/tests/crypto-vectors.c
index 025585de..6484e97a 100644
--- a/tests/crypto-vectors.c
+++ b/tests/crypto-vectors.c
@@ -1301,7 +1301,7 @@ int main(__attribute__ ((unused)) int argc, __attribute__ ((unused))char *argv[]
 		exit(77);
 	}
 
-	if (crypt_backend_init())
+	if (crypt_backend_init(fips_mode()))
 		exit_test("Crypto backend init error.", EXIT_FAILURE);
 
 	printf("Test vectors using %s crypto backend.\n", crypt_backend_version());
-- 
2.27.0

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation