GNU TLS FIPS140 support (Issue #5601, Issue #5622)
authorMichael R Sweet <michael.r.sweet@gmail.com>
Thu, 1 Aug 2019 18:24:58 +0000 (14:24 -0400)
committerMichael R Sweet <michael.r.sweet@gmail.com>
Thu, 1 Aug 2019 18:24:58 +0000 (14:24 -0400)
config-scripts/cups-ssl.m4
config.h.in
configure
cups/hash.c
vcnet/config.h
xcode/config.h

index c1648b1c10e7439ba5018d2d9b1e22eb5eac4e10..4ce926f517e64bda233941a639756255957910a2 100644 (file)
@@ -58,6 +58,7 @@ if test x$enable_ssl != xno; then
 
            SAVELIBS="$LIBS"
            LIBS="$LIBS $SSLLIBS"
+           AC_CHECK_FUNC(gnutls_fips140_set_mode, AC_DEFINE(HAVE_GNUTLS_FIPS140_SET_MODE))
            AC_CHECK_FUNC(gnutls_transport_set_pull_timeout_function, AC_DEFINE(HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION))
            AC_CHECK_FUNC(gnutls_priority_set_direct, AC_DEFINE(HAVE_GNUTLS_PRIORITY_SET_DIRECT))
            LIBS="$SAVELIBS"
index 1c2d7a826c5711ed4637d3e3bca8d9693a3f51e2..5e93a9dac0211da9a34531933055fed3a9d7a748 100644 (file)
 #undef HAVE_SSL
 
 
+/*
+ * Do we have the gnutls_fips140_set_mode function?
+ */
+
+#undef HAVE_GNUTLS_FIPS140_SET_MODE
+
+
 /*
  * Do we have the gnutls_transport_set_pull_timeout_function function?
  */
index eb848725c982f18cbc92cd955f1bc492ae6c7810..18be3db75577a41ee9f4732bcf886bf2a26acc51 100755 (executable)
--- a/configure
+++ b/configure
@@ -8308,6 +8308,12 @@ fi
 
            SAVELIBS="$LIBS"
            LIBS="$LIBS $SSLLIBS"
+           ac_fn_c_check_func "$LINENO" "gnutls_fips140_set_mode" "ac_cv_func_gnutls_fips140_set_mode"
+if test "x$ac_cv_func_gnutls_fips140_set_mode" = xyes; then :
+  $as_echo "#define HAVE_GNUTLS_FIPS140_SET_MODE 1" >>confdefs.h
+
+fi
+
            ac_fn_c_check_func "$LINENO" "gnutls_transport_set_pull_timeout_function" "ac_cv_func_gnutls_transport_set_pull_timeout_function"
 if test "x$ac_cv_func_gnutls_transport_set_pull_timeout_function" = xyes; then :
   $as_echo "#define HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION 1" >>confdefs.h
index 061486076ca405978b33941838f0d0c40e1088f4..7b3ea818eafefff577111c2aae5cdc9d3f021313 100644 (file)
@@ -185,6 +185,13 @@ cupsHashData(const char    *algorithm,     /* I - Algorithm name */
   unsigned char        temp[64];               /* Temporary hash buffer */
   size_t       tempsize = 0;           /* Truncate to this size? */
 
+
+#  ifdef HAVE_GNUTLS_FIPS140_SET_MODE
+  unsigned oldmode = gnutls_fips140_mode_enabled();
+
+  gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
+#  endif /* HAVE_GNUTLS_FIPS140_SET_MODE */
+
   if (!strcmp(algorithm, "md5"))
     alg = GNUTLS_DIG_MD5;
   else if (!strcmp(algorithm, "sha"))
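Review bot: `gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD)` runs before `algorithm` is inspected, so FIPS140 enforcement is relaxed on this thread for every call, including requests for approved digests that need no relaxation. Moving the switch to after `alg` is resolved, and applying it only for the non-approved digests (MD5 is visible here; the rest of the chain is outside the hunk), would keep the exemption as narrow as possible. The block also carries no comment, and an unexplained policy override is exactly the line a compliance reviewer will stop at; something like `/* Allow non-FIPS digests such as MD5 on this thread only; the previous mode is restored before every return. */` above the call would record the intent. cupsHashData's body starts and ends outside the hunk.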
@@ -222,6 +229,10 @@ cupsHashData(const char    *algorithm,     /* I - Algorithm name */
       gnutls_hash_fast(alg, data, datalen, temp);
       memcpy(hash, temp, tempsize);
 
+#  ifdef HAVE_GNUTLS_FIPS140_SET_MODE
+      gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD);
+#  endif /* HAVE_GNUTLS_FIPS140_SET_MODE */
+
       return ((ssize_t)tempsize);
     }
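Review bot: The restore call `gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD);` is pasted before this return and again in the hunks at -230 and -266 (four copies in total), so any return path added later that omits it leaves the calling thread in lax mode for its subsequent GNU TLS operations. Routing the GNU TLS branch through a single exit point (keep the result in a local, jump to one label that restores the mode, then return) would make the restore hard to skip. If the copies stay, a short comment on each such as `/* Restore the caller's FIPS140 mode */` would make the pairing with the earlier switch explicit. The enclosing function continues outside the hunk.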
 
@@ -230,9 +241,17 @@ cupsHashData(const char    *algorithm,     /* I - Algorithm name */
 
     gnutls_hash_fast(alg, data, datalen, hash);
 
+#  ifdef HAVE_GNUTLS_FIPS140_SET_MODE
+    gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD);
+#  endif /* HAVE_GNUTLS_FIPS140_SET_MODE */
+
     return ((ssize_t)gnutls_hash_get_len(alg));
   }
 
+#  ifdef HAVE_GNUTLS_FIPS140_SET_MODE
+  gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD);
+#  endif /* HAVE_GNUTLS_FIPS140_SET_MODE */
+
 #else
  /*
   * No hash support beyond MD5 without CommonCrypto or GNU TLS...
@@ -266,6 +285,10 @@ cupsHashData(const char    *algorithm,     /* I - Algorithm name */
 
   too_small:
 
+#ifdef HAVE_GNUTLS_FIPS140_SET_MODE
+  gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD);
+#endif /* HAVE_GNUTLS_FIPS140_SET_MODE */
+
   _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Hash buffer too small."), 1);
   return (-1);
 }
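Review bot: This guard tests only `HAVE_GNUTLS_FIPS140_SET_MODE`, but the `too_small:` label sits after the `#else` of the backend selection and so appears to be compiled for every backend, while `oldmode` seems to be declared only in the GNU TLS branch (the `#  ifdef` indentation in the first hash.c hunk suggests a nested conditional). If the macro were ever defined in a build that selects a different hash backend, `oldmode` would be undeclared here and the file would fail to compile. Combining this guard with the same condition that selects the GNU TLS branch, which lies outside the visible hunks, would remove that dependency on how configure happens to set the macro.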
index 4c6aa2fbe6af6b2e17a78a76d73b4e55790ac154..ad6919071fa57ffc8f1c5c78ae566b258b4880d8 100644 (file)
@@ -375,6 +375,13 @@ typedef unsigned long useconds_t;
 #define HAVE_SSL 1
 
 
+/*
+ * Do we have the gnutls_fips140_set_mode function?
+ */
+
+/* #undef HAVE_GNUTLS_FIPS140_SET_MODE */
+
+
 /*
  * Do we have the gnutls_transport_set_pull_timeout_function function?
  */
index b8684d9d528bed10e49787afbacf17eda0a484cf..13198f5bc7aa8fe048d35b3cd9fa1e1ee0a4c6f1 100644 (file)
 #define HAVE_SSL 1
 
 
+/*
+ * Do we have the gnutls_fips140_set_mode function?
+ */
+
+/* #undef HAVE_GNUTLS_FIPS140_SET_MODE */
+
+
 /*
  * Do we have the gnutls_transport_set_pull_timeout_function function?
  */