swtpm: Implement fips_mode_enabled()
Implement fips_mode_enabled() to check whether FIPS is enabled and
use the new function to check for FIPS mode enablement before
trying to disable it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
diff --git a/src/swtpm/fips.c b/src/swtpm/fips.c
index 0ae2845..de149b3 100644
--- a/src/swtpm/fips.c
+++ b/src/swtpm/fips.c
@@ -54,6 +54,16 @@
#include <openssl/err.h>
+bool fips_mode_enabled(void)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ int mode = EVP_default_properties_is_fips_enabled(NULL);
+#else
+ int mode = FIPS_mode();
+#endif
+ return mode != 0;
+}
+
/*
* disable_fips_mode: If possible, disable FIPS mode to avoid libtpms failures
*
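Review bot: fips_mode_enabled() is compiled unconditionally, whereas fips_mode_disable() in the next hunk stays behind `#if defined(HAVE_OPENSSL_FIPS_H) || defined(HAVE_OPENSSL_FIPS_MODE_SET_API)`; on a pre-3.0 build where that guard is false the new function still references FIPS_mode(), which is presumably what the guard exists to avoid, so it likely needs the same guard with a stub returning false in the `#else` branch. It is also worth documenting that on OpenSSL 3 `EVP_default_properties_is_fips_enabled(NULL)` only inspects the default library context's property query for fips=yes; it does not confirm that a FIPS provider is actually loaded, nor does it see a non-default libctx. Suggested header comment: `/* Report whether OpenSSL currently enforces FIPS mode (default-libctx property query on 3.x, FIPS_mode() on 1.x). Does not verify that a FIPS provider is loaded. */`.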
@@ -65,29 +75,22 @@
#if defined(HAVE_OPENSSL_FIPS_H) || defined(HAVE_OPENSSL_FIPS_MODE_SET_API)
int fips_mode_disable(void)
{
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- int mode = EVP_default_properties_is_fips_enabled(NULL);
-#else
- int mode = FIPS_mode();
-#endif
int ret = 0;
- if (mode != 0) {
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- int rc = EVP_default_properties_enable_fips(NULL, 0);
+ int rc = EVP_default_properties_enable_fips(NULL, 0);
#else
- int rc = FIPS_mode_set(0);
+ int rc = FIPS_mode_set(0);
#endif
- if (rc == 1) {
- logprintf(STDOUT_FILENO,
- "Warning: Disabled OpenSSL FIPS mode\n");
- } else {
- unsigned long err = ERR_get_error();
- logprintf(STDERR_FILENO,
- "Failed to disable OpenSSL FIPS mode: %s\n",
- ERR_error_string(err, NULL));
- ret = -1;
- }
+ if (rc == 1) {
+ logprintf(STDOUT_FILENO,
+ "Warning: Disabled OpenSSL FIPS mode\n");
+ } else {
+ unsigned long err = ERR_get_error();
+ logprintf(STDERR_FILENO,
+ "Failed to disable OpenSSL FIPS mode: %s\n",
+ ERR_error_string(err, NULL));
+ ret = -1;
}
return ret;
}
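Review bot: With the `mode != 0` check removed, fips_mode_disable() now calls FIPS_mode_set(0) / EVP_default_properties_enable_fips(NULL, 0) and prints "Warning: Disabled OpenSSL FIPS mode" even when FIPS was never on, so correct behaviour now depends on every caller checking fips_mode_enabled() first. That precondition should be stated in the function's header comment, which begins in the previous hunk: `* Caller must check fips_mode_enabled() first: this unconditionally clears FIPS mode and logs a warning on success.` Separately, and pre-existing, `ERR_get_error()` pops the oldest queued error, which may predate this call; clearing the queue before the set call or draining it after would make the logged reason trustworthy.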
diff --git a/src/swtpm/fips.h b/src/swtpm/fips.h
index 40cda4d..1761def 100644
--- a/src/swtpm/fips.h
+++ b/src/swtpm/fips.h
@@ -38,6 +38,9 @@
#ifndef _SWTPM_FIPS_H_
#define _SWTPM_FIPS_H_
+#include <stdbool.h>
+
+bool fips_mode_enabled(void);
int fips_mode_disable(void);
#endif /* _SWTPM_FIPS_H_ */
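Review bot: The new prototype `bool fips_mode_enabled(void);` carries no comment, and the header is where callers will look for the contract between the two functions. Suggested: `/* True if OpenSSL reports FIPS mode enabled; call before fips_mode_disable(), which is unconditional. */`.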
diff --git a/src/swtpm/tpmlib.c b/src/swtpm/tpmlib.c
index fa1a3f6..4771995 100644
--- a/src/swtpm/tpmlib.c
+++ b/src/swtpm/tpmlib.c
@@ -132,7 +132,7 @@
}
}
- if (fips_mode_disable() < 0)
+ if (fips_mode_enabled() && fips_mode_disable() < 0)
goto error_terminate;
return TPM_SUCCESS;
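Review bot: The pre-check in `fips_mode_enabled() && fips_mode_disable() < 0` is correct but its purpose is not visible at the call site, because fips_mode_disable() in this commit no longer checks the mode itself and would otherwise log "Warning: Disabled OpenSSL FIPS mode" on every start. A one-line comment would help: `/* fips_mode_disable() is unconditional and logs; only call it when FIPS is actually on. */`. The enclosing function starts before the hunk and the error_terminate cleanup is not visible here.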