diff options
author | Ondrej Moris <omoris@redhat.com> | 2020-10-30 20:43:56 +0100 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2021-02-17 12:02:48 +0100 |
commit | fe3f9e2111bc5e4c2c0a7678077eca42ee97405a (patch) | |
tree | cbcff0104d160309bdafd00e17cb7cdba0afce0c | |
parent | 7e44152fd4076afb0b64ed311fd092669e71fa1e (diff) | |
download | gnutls-fe3f9e2111bc5e4c2c0a7678077eca42ee97405a.tar.gz |
fips: replace fipshmac usage with internal program
This introduces a non-installed program "fipshmac" and uses it for
generating HMAC files required in FIPS 140-2. The generated files are
installed along with the main library.
Resolves issues #1101.
Signed-off-by: Ondrej Moris <omoris@redhat.com>
Co-authored-by: Daiki Ueno <dueno@redhat.com>
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | configure.ac | 1 | ||||
-rw-r--r-- | lib/Makefile.am | 24 | ||||
-rw-r--r-- | lib/fipshmac.c | 82 |
4 files changed, 108 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore index 6981a7bf78..07937c33b2 100644 --- a/.gitignore +++ b/.gitignore @@ -219,6 +219,7 @@ libdane/gnutls-dane.pc libdane/libgnutls-dane.la lib/ext/libgnutls_ext.la lib/extras/libgnutls_extras.la +lib/fipshmac lib/gcrypt/libcrypto.la lib/gnutls-api.texi lib/gnutls.pc diff --git a/configure.ac b/configure.ac index 05985bd72d..d46c255778 100644 --- a/configure.ac +++ b/configure.ac @@ -741,6 +741,7 @@ LIBS=$save_LIBS gnutls_so=libgnutls.so.`expr "$LT_CURRENT" - "$LT_AGE"` AC_DEFINE_UNQUOTED([GNUTLS_LIBRARY_SONAME], ["$gnutls_so"], [The soname of gnutls library]) +AC_SUBST([gnutls_so]) AC_MSG_CHECKING([whether to build libdane]) AC_ARG_ENABLE(libdane, diff --git a/lib/Makefile.am b/lib/Makefile.am index 02504d8d10..6eb175bf6f 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -183,6 +183,30 @@ endif if ENABLE_FIPS140 thirdparty_libadd += $(FIPS140_LIBS) $(LTLIBDL) + +noinst_PROGRAMS = fipshmac +fipshmac_SOURCES = fipshmac.c +fipshmac_LDADD = libgnutls.la + +hmac_files = .libs/.$(gnutls_so).hmac + +all-local: $(hmac_files) + +.libs/.$(gnutls_so).hmac: libgnutls.la fipshmac + $(AM_V_GEN) $(builddir)/fipshmac .libs/$(gnutls_so) > $@-t && mv $@-t $@ + +CLEANFILES = $(hmac_files) + +install-exec-hook: $(hmac_files) + for file in $(hmac_files); do \ + $(INSTALL_DATA) $$file $(DESTDIR)$(libdir); \ + done + +uninstall-hook: + for file in $(hmac_files); do \ + basename=$$(expr $$file : '.*/\(.*\)'); \ + $(DESTDIR)$(libdir)/$$basename; \ + done endif if ENABLE_TROUSERS diff --git a/lib/fipshmac.c b/lib/fipshmac.c new file mode 100644 index 0000000000..001417ff59 --- /dev/null +++ b/lib/fipshmac.c @@ -0,0 +1,82 @@ +/* + * Copyright (C) 2020 Red Hat + * + * Author: Ondrej Moris + * + * This file is part of GnuTLS. + * + * The GnuTLS is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public License + * as published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/> + * + */ + +#include "config.h" + +#include <gnutls/gnutls.h> +#include <gnutls/crypto.h> +#include <stdint.h> +#include <stdio.h> +#include <stdlib.h> + +#define HMAC_SIZE 32 +#define HMAC_ALGO GNUTLS_MAC_SHA256 + +int main(int argc, char *argv[]) { + gnutls_datum_t data = { NULL, 0 }; + gnutls_datum_t hex = { NULL, 0 }; + uint8_t buffer[HMAC_SIZE]; + gnutls_datum_t hmac = { buffer, sizeof(buffer) }; + int status = EXIT_FAILURE; + int ret; + + if (argc != 2) { + fprintf(stderr, "Usage: %s <file>\n", argv[0]); + goto error; + } + + ret = gnutls_load_file(argv[1], &data); + if (ret < 0) { + fprintf(stderr, "Could not load %s: %s\n", argv[1], + gnutls_strerror(ret)); + goto error; + } + + GNUTLS_FIPS140_SET_LAX_MODE(); + + ret = gnutls_hmac_fast(HMAC_ALGO, FIPS_KEY, sizeof(FIPS_KEY)-1, + data.data, data.size, buffer); + if (ret < 0) { + fprintf(stderr, "Could not calculate MAC on %s: %s\n", argv[1], + gnutls_strerror(ret)); + goto error; + } + + GNUTLS_FIPS140_SET_STRICT_MODE(); + + ret = gnutls_hex_encode2(&hmac, &hex); + if (ret < 0) { + fprintf(stderr, "Could not encode MAC value: %s\n", + gnutls_strerror(ret)); + goto error; + } + + printf("%s\n", hex.data); + + status = EXIT_SUCCESS; + + error: + gnutls_free(data.data); + gnutls_free(hex.data); + + return status; +} |