fips: replace fipshmac usage with internal program

This introduces a non-installed program "fipshmac" and uses it for
generating HMAC files required in FIPS 140-2.  The generated files are
installed along with the main library.

Resolves issues #1101.

Signed-off-by: Ondrej Moris <omoris@redhat.com>
Co-authored-by: Daiki Ueno <dueno@redhat.com>

4 files changed, 108 insertions, 0 deletions

diff --git a/.gitignore b/.gitignore
index 6981a7bf78..07937c33b2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -219,6 +219,7 @@ libdane/gnutls-dane.pc
 libdane/libgnutls-dane.la
 lib/ext/libgnutls_ext.la
 lib/extras/libgnutls_extras.la
+lib/fipshmac
 lib/gcrypt/libcrypto.la
 lib/gnutls-api.texi
 lib/gnutls.pc
diff --git a/configure.ac b/configure.ac
index 05985bd72d..d46c255778 100644
--- a/configure.ac
+++ b/configure.ac
@@ -741,6 +741,7 @@ LIBS=$save_LIBS
 
 gnutls_so=libgnutls.so.`expr "$LT_CURRENT" - "$LT_AGE"`
 AC_DEFINE_UNQUOTED([GNUTLS_LIBRARY_SONAME], ["$gnutls_so"], [The soname of gnutls library])
+AC_SUBST([gnutls_so])
 
 AC_MSG_CHECKING([whether to build libdane])
 AC_ARG_ENABLE(libdane,
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 02504d8d10..6eb175bf6f 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -183,6 +183,30 @@ endif
 
 if ENABLE_FIPS140
 thirdparty_libadd += $(FIPS140_LIBS) $(LTLIBDL)
+
+noinst_PROGRAMS = fipshmac
+fipshmac_SOURCES = fipshmac.c
+fipshmac_LDADD = libgnutls.la
+
+hmac_files = .libs/.$(gnutls_so).hmac
+
+all-local: $(hmac_files)
+
+.libs/.$(gnutls_so).hmac: libgnutls.la fipshmac
+	$(AM_V_GEN) $(builddir)/fipshmac .libs/$(gnutls_so) > $@-t && mv $@-t $@
+
+CLEANFILES = $(hmac_files)
+
+install-exec-hook: $(hmac_files)
+	for file in $(hmac_files); do \
+		$(INSTALL_DATA) $$file $(DESTDIR)$(libdir); \
+	done
+
+uninstall-hook:
+	for file in $(hmac_files); do \
+		basename=$$(expr $$file : '.*/\(.*\)'); \
+		$(DESTDIR)$(libdir)/$$basename; \
+	done
 endif
 
 if ENABLE_TROUSERS
diff --git a/lib/fipshmac.c b/lib/fipshmac.c
new file mode 100644
index 0000000000..001417ff59
--- /dev/null
+++ b/lib/fipshmac.c
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) 2020 Red Hat
+ *
+ * Author: Ondrej Moris
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>
+ *
+ */
+
+#include "config.h"
+
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#define HMAC_SIZE 32
+#define HMAC_ALGO GNUTLS_MAC_SHA256
+
+int main(int argc, char *argv[]) {
+	gnutls_datum_t data = { NULL, 0 };
+	gnutls_datum_t hex = { NULL, 0 };
+	uint8_t buffer[HMAC_SIZE];
+	gnutls_datum_t hmac = { buffer, sizeof(buffer) };
+	int status = EXIT_FAILURE;
+	int ret;
+
+	if (argc != 2) {
+		fprintf(stderr, "Usage: %s <file>\n", argv[0]);
+		goto error;
+	}
+
+	ret = gnutls_load_file(argv[1], &data);
+	if (ret < 0) {
+		fprintf(stderr, "Could not load %s: %s\n", argv[1],
+			gnutls_strerror(ret));
+		goto error;
+	}
+
+	GNUTLS_FIPS140_SET_LAX_MODE();
+
+	ret = gnutls_hmac_fast(HMAC_ALGO, FIPS_KEY, sizeof(FIPS_KEY)-1,
+			       data.data, data.size, buffer);
+	if (ret < 0) {
+		fprintf(stderr, "Could not calculate MAC on %s: %s\n", argv[1],
+			gnutls_strerror(ret));
+		goto error;
+	}
+
+	GNUTLS_FIPS140_SET_STRICT_MODE();
+
+	ret = gnutls_hex_encode2(&hmac, &hex);
+	if (ret < 0) {
+		fprintf(stderr, "Could not encode MAC value: %s\n",
+			gnutls_strerror(ret));
+		goto error;
+	}
+
+	printf("%s\n", hex.data);
+
+	status = EXIT_SUCCESS;
+
+ error:
+	gnutls_free(data.data);
+	gnutls_free(hex.data);
+
+	return status;
+}