author | Michael R Sweet <michael.r.sweet@gmail.com> | 2019-08-01 14:25:35 -0400 |
---|---|---|
committer | Michael R Sweet <michael.r.sweet@gmail.com> | 2019-08-01 14:25:35 -0400 |
commit | 2f26c6b713a3fbf24785827cc1b1251ea25c83fb (patch) | |
tree | d373385dbe550a1d7bbb7163f6bba56bbca4acf3 | |
parent | d11af547d16d31d08cdf1c22584ddae4df255f71 (diff) | |
download | cups-2f26c6b713a3fbf24785827cc1b1251ea25c83fb.tar.gz |
GNU TLS FIPS140 support (Issue #5601, Issue #5622)
-rw-r--r-- | config-scripts/cups-ssl.m4 | 1 | ||||
-rw-r--r-- | config.h.in | 7 | ||||
-rwxr-xr-x | configure | 6 | ||||
-rw-r--r-- | cups/hash.c | 23 | ||||
-rw-r--r-- | vcnet/config.h | 7 | ||||
-rw-r--r-- | xcode/config.h | 7 |
6 files changed, 51 insertions, 0 deletions
diff --git a/config-scripts/cups-ssl.m4 b/config-scripts/cups-ssl.m4 index 52f9c39f1..49fe42fe3 100644 --- a/config-scripts/cups-ssl.m4 +++ b/config-scripts/cups-ssl.m4 @@ -80,6 +80,7 @@ if test x$enable_ssl != xno; then SAVELIBS="$LIBS" LIBS="$LIBS $SSLLIBS" + AC_CHECK_FUNC(gnutls_fips140_set_mode, AC_DEFINE(HAVE_GNUTLS_FIPS140_SET_MODE)) AC_CHECK_FUNC(gnutls_transport_set_pull_timeout_function, AC_DEFINE(HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION)) AC_CHECK_FUNC(gnutls_priority_set_direct, AC_DEFINE(HAVE_GNUTLS_PRIORITY_SET_DIRECT)) LIBS="$SAVELIBS" diff --git a/config.h.in b/config.h.in index f3b5e4c7a..d81c59e36 100644 --- a/config.h.in +++ b/config.h.in @@ -304,6 +304,13 @@ /* + * Do we have the gnutls_fips140_set_mode function? + */ + +#undef HAVE_GNUTLS_FIPS140_SET_MODE + + +/* * Do we have the gnutls_transport_set_pull_timeout_function function? */ @@ -8480,6 +8480,12 @@ fi SAVELIBS="$LIBS" LIBS="$LIBS $SSLLIBS" + ac_fn_c_check_func "$LINENO" "gnutls_fips140_set_mode" "ac_cv_func_gnutls_fips140_set_mode" +if test "x$ac_cv_func_gnutls_fips140_set_mode" = xyes; then : + $as_echo "#define HAVE_GNUTLS_FIPS140_SET_MODE 1" >>confdefs.h + +fi + ac_fn_c_check_func "$LINENO" "gnutls_transport_set_pull_timeout_function" "ac_cv_func_gnutls_transport_set_pull_timeout_function" if test "x$ac_cv_func_gnutls_transport_set_pull_timeout_function" = xyes; then : $as_echo "#define HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION 1" >>confdefs.h diff --git a/cups/hash.c b/cups/hash.c index a31372595..621d119d4 100644 --- a/cups/hash.c +++ b/cups/hash.c 
@@ -190,6 +190,13 @@ cupsHashData(const char *algorithm, /* I - Algorithm name */ unsigned char temp[64]; /* Temporary hash buffer */ size_t tempsize = 0; /* Truncate to this size? */ + +# ifdef HAVE_GNUTLS_FIPS140_SET_MODE + unsigned oldmode = gnutls_fips140_mode_enabled(); + + gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD); +# endif /* HAVE_GNUTLS_FIPS140_SET_MODE */ + if (!strcmp(algorithm, "md5")) alg = GNUTLS_DIG_MD5; else if (!strcmp(algorithm, "sha")) @@ -227,6 +234,10 @@ cupsHashData(const char *algorithm, /* I - Algorithm name */ gnutls_hash_fast(alg, data, datalen, temp); memcpy(hash, temp, tempsize); +# ifdef HAVE_GNUTLS_FIPS140_SET_MODE + gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD); +# endif /* HAVE_GNUTLS_FIPS140_SET_MODE */ + return ((ssize_t)tempsize); } @@ -235,9 +246,17 @@ cupsHashData(const char *algorithm, /* I - Algorithm name */ gnutls_hash_fast(alg, data, datalen, hash); +# ifdef HAVE_GNUTLS_FIPS140_SET_MODE + gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD); +# endif /* HAVE_GNUTLS_FIPS140_SET_MODE */ + return ((ssize_t)gnutls_hash_get_len(alg)); } +# ifdef HAVE_GNUTLS_FIPS140_SET_MODE + gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD); +# endif /* HAVE_GNUTLS_FIPS140_SET_MODE */ + #else /* * No hash support beyond MD5 without CommonCrypto or GNU TLS... @@ -271,6 +290,10 @@ cupsHashData(const char *algorithm, /* I - Algorithm name */ too_small: +#ifdef HAVE_GNUTLS_FIPS140_SET_MODE + gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD); +#endif /* HAVE_GNUTLS_FIPS140_SET_MODE */ + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Hash buffer too small."), 1); return (-1); } diff --git a/vcnet/config.h b/vcnet/config.h index cf63021b2..3a6b3fc7b 100644 --- a/vcnet/config.h +++ b/vcnet/config.h 
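Review bot: The call `gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD)` in the `@@ -190,6` hunk runs before `algorithm` is examined, so every digest computed here (`sha` as well as `md5`) is produced with FIPS 140 enforcement relaxed on the calling thread, not only the digest that strict mode rejects. If MD5 is the only case that needs it (inferred from the `md5` branch just below; the linked issues are not visible on this page), the call could move to after `alg` is chosen and be guarded with `if (alg == GNUTLS_DIG_MD5)`. Either way, a comment above the call should say why relaxed mode is acceptable, for example `/* Allow non-approved digests for non-security uses; mode is restored before every return */`. The body of cupsHashData starts and ends outside this hunk.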
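Review bot: `gnutls_hash_fast(alg, data, datalen, temp);` in the `@@ -227,6` hunk is still unchecked on the line before `memcpy(hash, temp, tempsize);`. If GnuTLS refuses the digest (presumably the failure this commit works around, and still possible if the mode switch has no effect), the uninitialized stack buffer `temp` is copied into the caller's buffer and `tempsize` is returned as success. The call should fail closed: test `if (gnutls_hash_fast(alg, data, datalen, temp) < 0)`, restore `oldmode`, report the error through `_cupsSetError` and `return (-1);`. The untruncated call `gnutls_hash_fast(alg, data, datalen, hash);` in the `@@ -235,9` hunk has the same gap.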
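Review bot: The restore under `too_small:` in the `@@ -271,6` hunk is guarded by `#ifdef HAVE_GNUTLS_FIPS140_SET_MODE` alone, while `oldmode` is declared only inside the GNU TLS branch of the `#if` chain (the `#else` comment in the previous hunk mentions a CommonCrypto branch as well). A build that defines the macro but compiles another branch would fail on the undeclared `oldmode`. `#if defined(HAVE_GNUTLS) && defined(HAVE_GNUTLS_FIPS140_SET_MODE)` would tie the guard to the declaration, assuming `HAVE_GNUTLS` is what selects that branch (the `#if` line is outside the hunks). This is also the fourth copy of the restore, and any `return` added later without it would leave the thread in LAX mode for subsequent GnuTLS calls, so a single exit path that restores once would be safer.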
@@ -380,6 +380,13 @@ typedef unsigned long useconds_t; /* + * Do we have the gnutls_fips140_set_mode function? + */ + +/* #undef HAVE_GNUTLS_FIPS140_SET_MODE */ + + +/* * Do we have the gnutls_transport_set_pull_timeout_function function? */ diff --git a/xcode/config.h b/xcode/config.h index 82cba73cc..490b606cd 100644 --- a/xcode/config.h +++ b/xcode/config.h @@ -310,6 +310,13 @@ /* + * Do we have the gnutls_fips140_set_mode function? + */ + +/* #undef HAVE_GNUTLS_FIPS140_SET_MODE */ + + +/* * Do we have the gnutls_transport_set_pull_timeout_function function? */ |