authorDaiki Ueno <ueno@gnu.org>2022-01-17 17:53:32 +0000
committerDaiki Ueno <ueno@gnu.org>2022-01-17 17:53:32 +0000
commit34c6c97bd77975b96597e1e4c03e4d0465dda22a (patch)
tree666f64e885bb22dd43a89ed9e583680eb6f8c6ce
parent0a673a028506c6bff961c41992fb25baa1a11509 (diff)
parente256951eab4cc44367f8cc7bd2a51eeaacc10f7d (diff)
downloadgnutls-34c6c97bd77975b96597e1e4c03e4d0465dda22a.tar.gz
Merge branch 'wip/dueno/fips-module-version' into 'master'
fips: add mechanism to embed FIPS module name in the library See merge request gnutls/gnutls!1508
-rw-r--r--configure.ac84
-rw-r--r--devel/libgnutls.abignore3
-rw-r--r--devel/symbols.last1
-rw-r--r--doc/Makefile.am2
-rw-r--r--doc/manpages/Makefile.am1
-rw-r--r--lib/global.c48
-rw-r--r--lib/includes/gnutls/gnutls.h.in7
-rw-r--r--lib/libgnutls.map1
-rw-r--r--src/cli.c9
-rw-r--r--src/gnutls-cli-options.json7
10 files changed, 161 insertions, 2 deletions
diff --git a/configure.ac b/configure.ac
index a4f8c183ae..895f845872 100644
--- a/configure.ac
+++ b/configure.ac
@@ -594,6 +594,24 @@ if [ test "$enable_fips" = "yes" ];then
fips_key="orboDeJITITejsirpADONivirpUkvarP")
AC_DEFINE_UNQUOTED([FIPS_KEY], ["$fips_key"], [The FIPS140-2 integrity key])
+
+ AC_ARG_WITH(fips140-module-name, AS_HELP_STRING([--with-fips140-module-name],
+ [specify the FIPS140 module name]),
+ fips_module_name="$withval",
+ fips_module_name=none)
+
+ if test "x$fips_module_name" != xnone; then
+ AC_DEFINE_UNQUOTED([FIPS_MODULE_NAME], ["$fips_module_name"], [The FIPS140 module name])
+ fi
+
+ AC_ARG_WITH(fips140-module-version, AS_HELP_STRING([--with-fips140-module-version],
+ [specify the FIPS140 module version]),
+ fips_module_version="$withval",
+ fips_module_version=none)
+
+ if test "x$fips_module_version" != xnone; then
+ AC_DEFINE_UNQUOTED([FIPS_MODULE_VERSION], ["$fips_module_version"], [The FIPS140 module version])
+ fi
else
enable_fips=no
AC_MSG_WARN([[
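Review bot: `--with-fips140-module-name` passed without a value leaves `$withval` as `yes`, so the `if test "x$fips_module_name" != xnone` guard passes and FIPS_MODULE_NAME is embedded as the literal string "yes"; `--with-fips140-module-version` has the same hole, and the `none` sentinel also makes a module that is literally named `none` unreportable. AC_DEFINE_UNQUOTED interpolates the value unescaped into a C string literal, so a name containing a double quote or backslash would additionally yield an invalid config.h. I would default the variables to empty, reject `yes` and quote/backslash characters with AC_MSG_ERROR, and document the argument in the help string as `--with-fips140-module-name=NAME`; the version option gets the same treatment. The enclosing `if test "$enable_fips" = "yes"` block starts before this hunk.
```m4
  AC_ARG_WITH(fips140-module-name, AS_HELP_STRING([--with-fips140-module-name=NAME],
                 [specify the FIPS140 module name]),
                 fips_module_name="$withval",
                 fips_module_name=)

  case $fips_module_name in
    ''|no) ;;
    yes) AC_MSG_ERROR([--with-fips140-module-name requires a value]) ;;
    *\"*|*\\*) AC_MSG_ERROR([the FIPS140 module name must not contain quotes or backslashes]) ;;
    *) AC_DEFINE_UNQUOTED([FIPS_MODULE_NAME], ["$fips_module_name"], [The FIPS140 module name]) ;;
  esac

  dnl … unchanged apart from the analogous case statement for fips_module_version …
```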
@@ -864,7 +882,7 @@ AM_CONDITIONAL(P11KIT_0_23_11_API, $PKG_CONFIG --atleast-version=0.23.11 p11-kit
AM_CONDITIONAL(ENABLE_PKCS11, test "$with_p11_kit" != "no")
-AC_ARG_WITH(tpm,
+AC_ARG_WITH(tpm2,
AS_HELP_STRING([--without-tpm2],
[Disable TPM2 support.]),
[with_tpm2=$withval], [with_tpm2=auto])
@@ -1142,6 +1160,70 @@ AM_CONDITIONAL(NEEDS_LIBRT, test "$gnutls_needs_librt" = "yes")
AC_DEFINE([GNUTLS_INTERNAL_BUILD], 1, [We allow temporarily usage of deprecated functions - until they are removed.])
+hw_features=
+if test "$enable_cryptodev" = yes; then
+ hw_features="$hw_features cryptodev"
+fi
+if test "$enable_afalg" = yes; then
+ hw_features="$hw_features afalg"
+fi
+if test "$use_padlock" = yes; then
+ hw_features="$hw_features padlock"
+fi
+if test "$with_p11_kit" = yes; then
+ hw_features="$hw_features pkcs11"
+fi
+if test "$with_tpm" = yes; then
+ hw_features="$hw_features tpm"
+fi
+if test "$have_tpm2" = yes; then
+ hw_features="$hw_features tpm2"
+fi
+if test "$enable_ktls" = yes; then
+ hw_features="$hw_features ktls"
+fi
+hw_features=`eval 'expr "$hw_features" : " \(.*\)"'`
+AC_DEFINE_UNQUOTED([HW_FEATURES], ["$hw_features"],
+ [The enabled hardware features])
+
+tls_features=
+if test "$ac_enable_ssl3" = yes; then
+ tls_features="$tls_features ssl3"
+fi
+if test "$ac_enable_ssl2" = yes; then
+ tls_features="$tls_features ssl2-compat"
+fi
+if test "$ac_enable_srtp" = yes; then
+ tls_features="$tls_features srtp"
+fi
+if test "$ac_enable_alpn" = yes; then
+ tls_features="$tls_features alpn"
+fi
+if test "$ac_enable_ocsp" = yes; then
+ tls_features="$tls_features ocsp"
+fi
+if test "$ac_enable_srp" = yes; then
+ tls_features="$tls_features srp"
+fi
+if test "$ac_enable_psk" = yes; then
+ tls_features="$tls_features psk"
+fi
+if test "$ac_enable_dhe" = yes; then
+ tls_features="$tls_features dhe"
+fi
+if test "$ac_enable_ecdhe" = yes; then
+ tls_features="$tls_features ecdhe"
+fi
+if test "$ac_enable_anon" = yes; then
+ tls_features="$tls_features auth-anon"
+fi
+if test "$ac_enable_heartbeat" = yes; then
+ tls_features="$tls_features heartbeat"
+fi
+tls_features=`eval 'expr "$tls_features" : " \(.*\)"'`
+AC_DEFINE_UNQUOTED([TLS_FEATURES], ["$tls_features"],
+ [The enabled TLS features])
+
AC_DEFINE([fread_file], [_gnutls_fread_file], [static lib rename])
AC_DEFINE([read_file], [_gnutls_read_file], [static lib rename])
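Review bot: The `pkcs11` entry is gated on `test "$with_p11_kit" = yes`, whereas ENABLE_PKCS11 in the earlier hunk's context is driven by `test "$with_p11_kit" != "no"`; if `with_p11_kit` can still hold a value such as `auto` at this point (the way `with_tpm2` defaults to `auto` above), the library would be built with PKCS#11 support but `hardware-features` would not report it. Using the same predicate in both places removes the possibility of divergence: `if test "$with_p11_kit" != no; then`. The `expr "$hw_features" : " \(.*\)"` strip is also worth a one-line comment, since with nothing enabled `expr` prints an empty line and exits 1, which is harmless here only because the status is never checked: `# strip the leading separator; expr exits 1 on an empty list, which is fine`.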
diff --git a/devel/libgnutls.abignore b/devel/libgnutls.abignore
index afa9168b79..8c7e7f2abe 100644
--- a/devel/libgnutls.abignore
+++ b/devel/libgnutls.abignore
@@ -123,3 +123,6 @@ name = gnutls_fips140_get_operation_state
[suppress_type]
name = gnutls_fips140_operation_state_t
+
+[suppress_function]
+name = gnutls_get_library_config
diff --git a/devel/symbols.last b/devel/symbols.last
index d10b12d3ed..7535696f83 100644
--- a/devel/symbols.last
+++ b/devel/symbols.last
@@ -258,6 +258,7 @@ gnutls_fips140_pop_context@GNUTLS_3_7_3
gnutls_fips140_push_context@GNUTLS_3_7_3
gnutls_fips140_set_mode@GNUTLS_3_6_3
gnutls_free@GNUTLS_3_4
+gnutls_get_library_config@GNUTLS_3_7_3
gnutls_get_system_config_file@GNUTLS_3_6_9
gnutls_global_deinit@GNUTLS_3_4
gnutls_global_init@GNUTLS_3_4
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 833c75ef6e..9d54110ac9 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -1072,6 +1072,8 @@ FUNCS += functions/gnutls_fips140_push_context
FUNCS += functions/gnutls_fips140_push_context.short
FUNCS += functions/gnutls_fips140_set_mode
FUNCS += functions/gnutls_fips140_set_mode.short
+FUNCS += functions/gnutls_get_library_config
+FUNCS += functions/gnutls_get_library_config.short
FUNCS += functions/gnutls_get_system_config_file
FUNCS += functions/gnutls_get_system_config_file.short
FUNCS += functions/gnutls_global_deinit
diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
index 8e1e25d06e..2037bf91a9 100644
--- a/doc/manpages/Makefile.am
+++ b/doc/manpages/Makefile.am
@@ -376,6 +376,7 @@ APIMANS += gnutls_fips140_mode_enabled.3
APIMANS += gnutls_fips140_pop_context.3
APIMANS += gnutls_fips140_push_context.3
APIMANS += gnutls_fips140_set_mode.3
+APIMANS += gnutls_get_library_config.3
APIMANS += gnutls_get_system_config_file.3
APIMANS += gnutls_global_deinit.3
APIMANS += gnutls_global_init.3
diff --git a/lib/global.c b/lib/global.c
index 77039d9ded..65c0b81709 100644
--- a/lib/global.c
+++ b/lib/global.c
@@ -531,3 +531,51 @@ static void _DESTRUCTOR lib_deinit(void)
_gnutls_global_deinit(1);
}
+
+static const struct gnutls_library_config_st _gnutls_library_config[] = {
+#ifdef FIPS_MODULE_NAME
+ { "fips-module-name", FIPS_MODULE_NAME },
+#endif
+#ifdef FIPS_MODULE_VERSION
+ { "fips-module-version", FIPS_MODULE_VERSION },
+#endif
+ { "libgnutls-soname", GNUTLS_LIBRARY_SONAME },
+ { "libnettle-soname", NETTLE_LIBRARY_SONAME },
+ { "libhogweed-soname", HOGWEED_LIBRARY_SONAME },
+ { "libgmp-soname", GMP_LIBRARY_SONAME },
+ { "hardware-features", HW_FEATURES },
+ { "tls-features", TLS_FEATURES },
+ { NULL, NULL }
+};
+
+/**
+ * gnutls_get_library_config:
+ *
+ * Returns the library configuration as key value pairs.
+ * Currently defined keys are:
+ *
+ * - fips-module-name: the name of the FIPS140 module
+ *
+ * - fips-module-version: the version of the FIPS140 module
+ *
+ * - libgnutls-soname: the SONAME of the library itself
+ *
+ * - libnettle-soname: the library SONAME of linked libnettle
+ *
+ * - libhogweed-soname: the library SONAME of linked libhogweed
+ *
+ * - libgmp-soname: the library SONAME of linked libgmp
+ *
+ * - hardware-features: enabled hardware support features
+ *
+ * - tls-features: enabled TLS protocol features
+ *
+ * Returns: a NUL-terminated %gnutls_library_config_st array
+ *
+ * Since: 3.7.3
+ */
+const gnutls_library_config_st *
+gnutls_get_library_config(void)
+{
+ return _gnutls_library_config;
+}
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 0e96be81e8..6359a0edb6 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -1232,6 +1232,11 @@ typedef struct {
unsigned int size;
} gnutls_datum_t;
+typedef struct gnutls_library_config_st {
+ const char *name;
+ const char *value;
+} gnutls_library_config_st;
+
typedef struct gnutls_params_st {
gnutls_params_type_t type;
@@ -2284,6 +2289,8 @@ int gnutls_certificate_set_rawpk_key_file(gnutls_certificate_credentials_t cred,
int gnutls_global_init(void);
void gnutls_global_deinit(void);
+const gnutls_library_config_st *gnutls_get_library_config(void);
+
/**
* gnutls_time_func:
* @t: where to store time.
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 40a3984cbf..30e96abafe 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1375,6 +1375,7 @@ GNUTLS_3_7_3
gnutls_fips140_get_operation_state;
gnutls_fips140_push_context;
gnutls_fips140_pop_context;
+ gnutls_get_library_config;
local:
*;
} GNUTLS_3_7_2;
diff --git a/src/cli.c b/src/cli.c
index 09f7efc2c3..5378b72256 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -1640,6 +1640,15 @@ static void cmd_parser(int argc, char **argv)
exit(1);
}
+ if (HAVE_OPT(LIST_CONFIG)) {
+ const gnutls_library_config_st *p;
+
+ for (p = gnutls_get_library_config(); p->name; p++) {
+ log_msg(stdout, "%s: %s\n", p->name, p->value);
+ }
+ exit(0);
+ }
+
if (HAVE_OPT(BENCHMARK_CIPHERS)) {
benchmark_cipher(OPT_VALUE_DEBUG);
exit(0);
diff --git a/src/gnutls-cli-options.json b/src/gnutls-cli-options.json
index 0777e6b198..bffa18e365 100644
--- a/src/gnutls-cli-options.json
+++ b/src/gnutls-cli-options.json
@@ -387,6 +387,11 @@
"desc": "Reports the status of the FIPS140-2 mode in gnutls library"
},
{
+ "detail": "",
+ "long-option": "list-config",
+ "desc": "Reports the configuration of the library"
+ },
+ {
"desc": "Redirect informational messages to a specific file.",
"arg-type": "string",
"long-option": "logfile",
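Review bot: The new `list-config` entry carries an empty `"detail": ""` key, while the neighbouring `fips140-mode` entry simply omits the key; an empty detail adds nothing to the generated help text and is inconsistent with its sibling. Drop the line so the entry reads `{ "long-option": "list-config", "desc": "Reports the configuration of the library" }`, or fill it in with a sentence saying the output is the build-time configuration rather than runtime state.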
@@ -418,4 +423,4 @@
}
]
}
-] \ No newline at end of file
+]