commit 5e03ed6c322ff59ecc5cc621729a2442863599a1
author Stefan Berger <stefanb@linux.ibm.com> Sat Jul 23 02:32:44 2022 -0400
committer Stefan Berger <stefanb@us.ibm.com> Mon Aug 15 12:56:43 2022 -0400
tree 3fb938b0030f18d6eb26535b9e32e4c0b04fb7ba
parent 412a9067fdaa3b4c7969d74bc311a31c2bf63126

swtpm: Implement fips_mode_enabled()

Implement fips_mode_enabeld() to check whether FIPS is enabledand
use the new function to check for FIPS mode enablement before
trying to disable it.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

src/swtpm/fips.c

diff --git a/src/swtpm/fips.c b/src/swtpm/fips.c
index 0ae2845..de149b3 100644
--- a/src/swtpm/fips.c
+++ b/src/swtpm/fips.c
@@ -54,6 +54,16 @@
 
 #include <openssl/err.h>
 
+bool fips_mode_enabled(void)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+    int mode = EVP_default_properties_is_fips_enabled(NULL);
+#else
+    int mode = FIPS_mode();
+#endif
+    return mode != 0;
+}
+
 /*
  * disable_fips_mode: If possible, disable FIPS mode to avoid libtpms failures
  *
@@ -65,29 +75,22 @@
 #if defined(HAVE_OPENSSL_FIPS_H) || defined(HAVE_OPENSSL_FIPS_MODE_SET_API)
 int fips_mode_disable(void)
 {
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-    int mode = EVP_default_properties_is_fips_enabled(NULL);
-#else
-    int mode = FIPS_mode();
-#endif
     int ret = 0;
 
-    if (mode != 0) {
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
-        int rc = EVP_default_properties_enable_fips(NULL, 0);
+    int rc = EVP_default_properties_enable_fips(NULL, 0);
 #else
-        int rc = FIPS_mode_set(0);
+    int rc = FIPS_mode_set(0);
 #endif
-        if (rc == 1) {
-            logprintf(STDOUT_FILENO,
-                      "Warning: Disabled OpenSSL FIPS mode\n");
-        } else {
-            unsigned long err = ERR_get_error();
-            logprintf(STDERR_FILENO,
-                      "Failed to disable OpenSSL FIPS mode: %s\n",
-                      ERR_error_string(err, NULL));
-            ret = -1;
-        }
+    if (rc == 1) {
+        logprintf(STDOUT_FILENO,
+                  "Warning: Disabled OpenSSL FIPS mode\n");
+    } else {
+        unsigned long err = ERR_get_error();
+        logprintf(STDERR_FILENO,
+                  "Failed to disable OpenSSL FIPS mode: %s\n",
+                  ERR_error_string(err, NULL));
+        ret = -1;
     }
     return ret;
 }

src/swtpm/fips.h

diff --git a/src/swtpm/fips.h b/src/swtpm/fips.h
index 40cda4d..1761def 100644
--- a/src/swtpm/fips.h
+++ b/src/swtpm/fips.h
@@ -38,6 +38,9 @@
 #ifndef _SWTPM_FIPS_H_
 #define _SWTPM_FIPS_H_
 
+#include <stdbool.h>
+
+bool fips_mode_enabled(void);
 int fips_mode_disable(void);
 
 #endif /* _SWTPM_FIPS_H_ */

src/swtpm/tpmlib.c

diff --git a/src/swtpm/tpmlib.c b/src/swtpm/tpmlib.c
index fa1a3f6..4771995 100644
--- a/src/swtpm/tpmlib.c
+++ b/src/swtpm/tpmlib.c
@@ -132,7 +132,7 @@
         }
     }
 
-    if (fips_mode_disable() < 0)
+    if (fips_mode_enabled() && fips_mode_disable() < 0)
         goto error_terminate;
 
     return TPM_SUCCESS;