diff options
| author | Michael R Sweet <michael.r.sweet@gmail.com> | 2019-08-01 14:24:58 -0400 |
|---|---|---|
| committer | Michael R Sweet <michael.r.sweet@gmail.com> | 2019-08-01 14:24:58 -0400 |
| commit | 9ec6124c376bc0e12a711997264c886130510eda (patch) | |
| tree | e4a9849d36b99ffcfaf821d5cfb8da96bd15e047 | |
| parent | 8e048e4d39bee9d6b0849d5804a625a064957459 (diff) | |
| download | cups-9ec6124c376bc0e12a711997264c886130510eda.tar.gz | |
GNU TLS FIPS140 support (Issue #5601, Issue #5622)
| -rw-r--r-- | config-scripts/cups-ssl.m4 | 1 | ||||
| -rw-r--r-- | config.h.in | 7 | ||||
| -rwxr-xr-x | configure | 6 | ||||
| -rw-r--r-- | cups/hash.c | 23 | ||||
| -rw-r--r-- | vcnet/config.h | 7 | ||||
| -rw-r--r-- | xcode/config.h | 7 |
6 files changed, 51 insertions, 0 deletions
diff --git a/config-scripts/cups-ssl.m4 b/config-scripts/cups-ssl.m4 index c1648b1c1..4ce926f51 100644 --- a/config-scripts/cups-ssl.m4 +++ b/config-scripts/cups-ssl.m4 @@ -58,6 +58,7 @@ if test x$enable_ssl != xno; then SAVELIBS="$LIBS" LIBS="$LIBS $SSLLIBS" + AC_CHECK_FUNC(gnutls_fips140_set_mode, AC_DEFINE(HAVE_GNUTLS_FIPS140_SET_MODE)) AC_CHECK_FUNC(gnutls_transport_set_pull_timeout_function, AC_DEFINE(HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION)) AC_CHECK_FUNC(gnutls_priority_set_direct, AC_DEFINE(HAVE_GNUTLS_PRIORITY_SET_DIRECT)) LIBS="$SAVELIBS" diff --git a/config.h.in b/config.h.in index 1c2d7a826..5e93a9dac 100644 --- a/config.h.in +++ b/config.h.in @@ -302,6 +302,13 @@ /* + * Do we have the gnutls_fips140_set_mode function? + */ + +#undef HAVE_GNUTLS_FIPS140_SET_MODE + + +/* * Do we have the gnutls_transport_set_pull_timeout_function function? */ @@ -8308,6 +8308,12 @@ fi SAVELIBS="$LIBS" LIBS="$LIBS $SSLLIBS" + ac_fn_c_check_func "$LINENO" "gnutls_fips140_set_mode" "ac_cv_func_gnutls_fips140_set_mode" +if test "x$ac_cv_func_gnutls_fips140_set_mode" = xyes; then : + $as_echo "#define HAVE_GNUTLS_FIPS140_SET_MODE 1" >>confdefs.h + +fi + ac_fn_c_check_func "$LINENO" "gnutls_transport_set_pull_timeout_function" "ac_cv_func_gnutls_transport_set_pull_timeout_function" if test "x$ac_cv_func_gnutls_transport_set_pull_timeout_function" = xyes; then : $as_echo "#define HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION 1" >>confdefs.h diff --git a/cups/hash.c b/cups/hash.c index 061486076..7b3ea818e 100644 --- a/cups/hash.c +++ b/cups/hash.c @@ -185,6 +185,13 @@ cupsHashData(const char *algorithm, /* I - Algorithm name */ unsigned char temp[64]; /* Temporary hash buffer */ size_t tempsize = 0; /* Truncate to this size? */ + +# ifdef HAVE_GNUTLS_FIPS140_SET_MODE + unsigned oldmode = gnutls_fips140_mode_enabled(); + + gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD); +# endif /* HAVE_GNUTLS_FIPS140_SET_MODE */ + if (!strcmp(algorithm, "md5")) alg = GNUTLS_DIG_MD5; else if (!strcmp(algorithm, "sha")) @@ -222,6 +229,10 @@ cupsHashData(const char *algorithm, /* I - Algorithm name */ gnutls_hash_fast(alg, data, datalen, temp); memcpy(hash, temp, tempsize); +# ifdef HAVE_GNUTLS_FIPS140_SET_MODE + gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD); +# endif /* HAVE_GNUTLS_FIPS140_SET_MODE */ + return ((ssize_t)tempsize); } @@ -230,9 +241,17 @@ cupsHashData(const char *algorithm, /* I - Algorithm name */ gnutls_hash_fast(alg, data, datalen, hash); +# ifdef HAVE_GNUTLS_FIPS140_SET_MODE + gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD); +# endif /* HAVE_GNUTLS_FIPS140_SET_MODE */ + return ((ssize_t)gnutls_hash_get_len(alg)); } +# ifdef HAVE_GNUTLS_FIPS140_SET_MODE + gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD); +# endif /* HAVE_GNUTLS_FIPS140_SET_MODE */ + #else /* * No hash support beyond MD5 without CommonCrypto or GNU TLS... @@ -266,6 +285,10 @@ cupsHashData(const char *algorithm, /* I - Algorithm name */ too_small: +#ifdef HAVE_GNUTLS_FIPS140_SET_MODE + gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD); +#endif /* HAVE_GNUTLS_FIPS140_SET_MODE */ + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Hash buffer too small."), 1); return (-1); } diff --git a/vcnet/config.h b/vcnet/config.h index 4c6aa2fbe..ad6919071 100644 --- a/vcnet/config.h +++ b/vcnet/config.h @@ -376,6 +376,13 @@ typedef unsigned long useconds_t; /* + * Do we have the gnutls_fips140_set_mode function? + */ + +/* #undef HAVE_GNUTLS_FIPS140_SET_MODE */ + + +/* * Do we have the gnutls_transport_set_pull_timeout_function function? */ diff --git a/xcode/config.h b/xcode/config.h index b8684d9d5..13198f5bc 100644 --- a/xcode/config.h +++ b/xcode/config.h @@ -306,6 +306,13 @@ /* + * Do we have the gnutls_fips140_set_mode function? + */ + +/* #undef HAVE_GNUTLS_FIPS140_SET_MODE */ + + +/* * Do we have the gnutls_transport_set_pull_timeout_function function? */ |