Use soname instead of file name in fipshmac sections

Using fipshmac program with an argument, for example:
fipshmac /usr/lib64/libgnutls.so.30.28.1
would create a section [libgnutls.so.30.28.1]
and the internal comparison with soname would fail.

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>

1 files changed, 144 insertions, 83 deletions

diff --git a/lib/fips.c b/lib/fips.c
index e8a6c19465..c8277e50b1 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -23,9 +23,11 @@
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
 #include <unistd.h>
+#include "dirname.h"
 #include "errors.h"
 #include "file.h"
 #include "inih/ini.h"
+#include "str.h"
 #include <fips.h>
 #include <gnutls/self-test.h>
 #include <stdio.h>
@@ -34,6 +36,10 @@
 
 #include "gthreads.h"
 
+#ifdef HAVE_DL_ITERATE_PHDR
+#include <link.h>
+#endif
+
 unsigned int _gnutls_lib_state = LIB_STATE_POWERON;
 
 struct gnutls_fips140_context_st {
@@ -161,51 +167,32 @@ struct hmac_entry
 	uint8_t hmac[HMAC_SIZE];
 };
 
-typedef struct
+struct hmac_file
 {
 	int version;
 	struct hmac_entry gnutls;
 	struct hmac_entry nettle;
 	struct hmac_entry hogweed;
 	struct hmac_entry gmp;
-} hmac_file;
+};
 
-static int get_library_path(const char* lib, const char* symbol, char* path, size_t path_size)
+struct lib_paths
 {
-	int ret;
-	void *dl, *sym;
-	Dl_info info;
-
-	dl = dlopen(lib, RTLD_LAZY);
-	if (dl == NULL)
-		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
-
-	sym = dlsym(dl, symbol);
-	if (sym == NULL) {
-		ret = gnutls_assert_val(GNUTLS_E_FILE_ERROR);
-		goto cleanup;
-	}
-
-	ret = dladdr(sym, &info);
-	if (ret == 0) {
-		ret = gnutls_assert_val(GNUTLS_E_FILE_ERROR);
-		goto cleanup;
-	}
-
-	ret = snprintf(path, path_size, "%s", info.dli_fname);
-	if ((size_t)ret >= path_size) {
-		ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
-		goto cleanup;
-	}
-
-	ret = 0;
-cleanup:
-	dlclose(dl);
-	return ret;
-}
+	char gnutls[GNUTLS_PATH_MAX];
+	char nettle[GNUTLS_PATH_MAX];
+	char hogweed[GNUTLS_PATH_MAX];
+	char gmp[GNUTLS_PATH_MAX];
+};
 
-/* Parses hmac data and copies hex value into dest.
+/*
+ * get_hmac:
+ * @dest: buffer for the hex value
+ * @value: hmac value
+ *
+ * Parses hmac data and copies hex value into dest.
  * dest must point to at least HMAC_SIZE amount of memory
+ *
+ * Returns: 0 on success, a negative error code otherwise
  */
 static int get_hmac(uint8_t *dest, const char *value)
 {
@@ -244,7 +231,7 @@ lib_handler(struct hmac_entry *entry,
 
 static int handler(void *user, const char *section, const char *name, const char *value)
 {
-	hmac_file *p = (hmac_file *)user;
+	struct hmac_file *p = (struct hmac_file *)user;
 
 	if (!strcmp(section, "global")) {
 		if (!strcmp(name, "format-version")) {
@@ -266,26 +253,29 @@ static int handler(void *user, const char *section, const char *name, const char
 	return 1;
 }
 
-static int get_hmac_path(char *mac_file, size_t mac_file_size)
+/*
+ * get_hmac_path:
+ * @mac_file: buffer where the hmac file path will be written to
+ * @mac_file_size: size of the mac_file buffer
+ * @gnutls_path: path to the gnutls library, used to deduce hmac file path
+ * 
+ * Deduces hmac file path from the gnutls library path.
+ *
+ * Returns: 0 on success, a negative error code otherwise
+ */
+static int get_hmac_path(char *mac_file, size_t mac_file_size, const char *gnutls_path)
 {
 	int ret;
 	char *p;
-	char file[GNUTLS_PATH_MAX];
 
-	ret = get_library_path(GNUTLS_LIBRARY_NAME, "gnutls_global_init",
-			       file, sizeof(file));
-	if (ret < 0)
-		return ret;
+	p = strrchr(gnutls_path, '/');
 
-	p = strrchr(file, '/');
-
-	if (p == NULL) {
-		ret = snprintf(mac_file, mac_file_size, ".%s.hmac",
-			       file);
-	} else {
+	if (p == NULL)
+		ret = snprintf(mac_file, mac_file_size, ".%s.hmac", gnutls_path);
+	else
 		ret = snprintf(mac_file, mac_file_size, "%.*s/.%s.hmac",
-			       (int)(p - file), file, p + 1);
-	}
+			       (int)(p - gnutls_path), gnutls_path, p + 1);
+
 	if ((size_t)ret >= mac_file_size)
 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 
@@ -293,13 +283,12 @@ static int get_hmac_path(char *mac_file, size_t mac_file_size)
 	if (ret == 0)
 		return GNUTLS_E_SUCCESS;
 
-	if (p == NULL) {
-		ret = snprintf(mac_file, mac_file_size, "fipscheck/.%s.hmac",
-			       file);
-	} else {
+	if (p == NULL)
+		ret = snprintf(mac_file, mac_file_size, "fipscheck/.%s.hmac", gnutls_path);
+	else
 		ret = snprintf(mac_file, mac_file_size, "%.*s/fipscheck/.%s.hmac",
-			       (int)(p - file), file, p + 1);
-	}
+			       (int)(p - gnutls_path), gnutls_path, p + 1);
+
 	if ((size_t)ret >= mac_file_size)
 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 
@@ -310,51 +299,52 @@ static int get_hmac_path(char *mac_file, size_t mac_file_size)
 	return GNUTLS_E_FILE_ERROR;
 }
 
-static int load_hmac_file(hmac_file *p)
+/*
+ * load_hmac_file:
+ * @hmac_file: hmac file structure
+ * @hmac_path: path to the hmac file
+ *
+ * Loads the hmac file into the hmac file structure.
+ *
+ * Returns: 0 on success, a negative error code otherwise
+ */
+static int load_hmac_file(struct hmac_file *hmac_file, const char *hmac_path)
 {
 	int ret;
 	FILE *stream;
-	char hmac_path[GNUTLS_PATH_MAX];
-
-	ret = get_hmac_path(hmac_path, sizeof(hmac_path));
-	if (ret < 0)
-		return gnutls_assert_val(ret);
 
 	stream = fopen(hmac_path, "r");
 	if (stream == NULL)
 		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
 
-	gnutls_memset(p, 0, sizeof(*p));
-	ret = ini_parse_file(stream, handler, p);
+	gnutls_memset(hmac_file, 0, sizeof(*hmac_file));
+	ret = ini_parse_file(stream, handler, hmac_file);
 	fclose(stream);
 	if (ret < 0)
 		return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
 
-	if (p->version != HMAC_FORMAT_VERSION)
+	if (hmac_file->version != HMAC_FORMAT_VERSION)
 		return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
 
 	return 0;
 }
 
-/* Run an HMAC using the key above on the library binary data.
- * Returns 0 on success and negative value on error.
+/*
+ * check_lib_hmac:
+ * @entry: hmac file entry
+ * @path: path to the library which hmac should be compared
+ *
+ * Verify that HMAC from hmac file entry matches HMAC of given library.
+ *
+ * Returns: 0 on successful HMAC verification, a negative error code otherwise
  */
-static int check_lib_hmac(struct hmac_entry *entry,
-			  const char *lib, const char *sym)
+static int check_lib_hmac(struct hmac_entry *entry, const char *path)
 {
 	int ret;
 	unsigned prev;
-	char path[GNUTLS_PATH_MAX];
 	uint8_t hmac[HMAC_SIZE];
 	gnutls_datum_t data;
 
-	ret = get_library_path(lib, sym, path, sizeof(path));
-	if (ret < 0) {
-		_gnutls_debug_log("Could not get lib path for %s: %s\n",
-				  lib, gnutls_strerror(ret));
-		return gnutls_assert_val(ret);
-	}
-
 	_gnutls_debug_log("Loading: %s\n", path);
 	ret = gnutls_load_file(path, &data);
 	if (ret < 0) {
@@ -385,28 +375,99 @@ static int check_lib_hmac(struct hmac_entry *entry,
 	return 0;
 }
 
+#ifdef HAVE_DL_ITERATE_PHDR
+
+static int callback(struct dl_phdr_info *info, size_t size, void *data)
+{
+	const char *path = info->dlpi_name;
+	const char *soname = last_component(path);
+	struct lib_paths *paths = (struct lib_paths *)data;
+
+	if (!strcmp(soname, GNUTLS_LIBRARY_SONAME))
+		_gnutls_str_cpy(paths->gnutls, GNUTLS_PATH_MAX, path);
+	else if (!strcmp(soname, NETTLE_LIBRARY_SONAME))
+		_gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path);
+	else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
+		_gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path);
+	else if (!strcmp(soname, GMP_LIBRARY_SONAME))
+		_gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path);
+	return 0;
+}
+
+static int load_lib_paths(struct lib_paths *paths)
+{
+	memset(paths, 0, sizeof(*paths));
+	dl_iterate_phdr(callback, paths);
+	
+	if (paths->gnutls[0] == '\0') {
+		_gnutls_debug_log("Gnutls library path was not found\n");
+		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+	}
+	if (paths->nettle[0] == '\0') {
+		_gnutls_debug_log("Nettle library path was not found\n");
+		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+	}
+	if (paths->hogweed[0] == '\0') {
+		_gnutls_debug_log("Hogweed library path was not found\n");
+		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+	}
+	if (paths->gmp[0] == '\0') {
+		_gnutls_debug_log("Gmp library path was not found\n");
+		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+	}
+
+	return GNUTLS_E_SUCCESS;
+}
+
+#else
+
+static int load_lib_paths(struct lib_paths *paths)
+{
+	(void)paths;
+	_gnutls_debug_log("Function dl_iterate_phdr is missing\n");
+	return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+}
+
+#endif /* HAVE_DL_ITERATE_PHDR */
+
 static int check_binary_integrity(void)
 {
 	int ret;
-	hmac_file file;
+	struct lib_paths paths;
+	struct hmac_file hmac;
+	char hmac_path[GNUTLS_PATH_MAX];
+
+	ret = load_lib_paths(&paths);
+	if (ret < 0) {
+		_gnutls_debug_log("Could not load library paths: %s\n",
+				  gnutls_strerror(ret));
+		return ret;
+	}
+
+	ret = get_hmac_path(hmac_path, sizeof(hmac_path), paths.gnutls);
+	if (ret < 0) {
+		_gnutls_debug_log("Could not get hmac file path: %s\n",
+				  gnutls_strerror(ret));
+		return ret;
+	}
 
-	ret = load_hmac_file(&file);
+	ret = load_hmac_file(&hmac, hmac_path);
 	if (ret < 0) {
 		_gnutls_debug_log("Could not load hmac file: %s\n",
 				  gnutls_strerror(ret));
 		return ret;
 	}
 
-	ret = check_lib_hmac(&file.gnutls, GNUTLS_LIBRARY_NAME, "gnutls_global_init");
+	ret = check_lib_hmac(&hmac.gnutls, paths.gnutls);
 	if (ret < 0)
 		return ret;
-	ret = check_lib_hmac(&file.nettle, NETTLE_LIBRARY_NAME, "nettle_aes_set_encrypt_key");
+	ret = check_lib_hmac(&hmac.nettle, paths.nettle);
 	if (ret < 0)
 		return ret;
-	ret = check_lib_hmac(&file.hogweed, HOGWEED_LIBRARY_NAME, "nettle_mpz_sizeinbase_256_u");
+	ret = check_lib_hmac(&hmac.hogweed, paths.hogweed);
 	if (ret < 0)
 		return ret;
-	ret = check_lib_hmac(&file.gmp, GMP_LIBRARY_NAME, "__gmpz_init");
+	ret = check_lib_hmac(&hmac.gmp, paths.gmp);
 	if (ret < 0)
 		return ret;