GNU TLS FIPS140 support (Issue #5601, Issue #5622)
authorMichael R Sweet <michael.r.sweet@gmail.com>
Thu, 1 Aug 2019 18:25:35 +0000 (14:25 -0400)
committerMichael R Sweet <michael.r.sweet@gmail.com>
Thu, 1 Aug 2019 18:25:35 +0000 (14:25 -0400)
config-scripts/cups-ssl.m4
config.h.in
configure
cups/hash.c
vcnet/config.h
xcode/config.h

index 52f9c39f1cc4f50f9c8f7cd80c8aff6a1dd6831a..49fe42fe3a80d04982b95e00d819e9c7c62e910a 100644 (file)
@@ -80,6 +80,7 @@ if test x$enable_ssl != xno; then
 
            SAVELIBS="$LIBS"
            LIBS="$LIBS $SSLLIBS"
+           AC_CHECK_FUNC(gnutls_fips140_set_mode, AC_DEFINE(HAVE_GNUTLS_FIPS140_SET_MODE))
            AC_CHECK_FUNC(gnutls_transport_set_pull_timeout_function, AC_DEFINE(HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION))
            AC_CHECK_FUNC(gnutls_priority_set_direct, AC_DEFINE(HAVE_GNUTLS_PRIORITY_SET_DIRECT))
            LIBS="$SAVELIBS"
index f3b5e4c7a417fddad6f7b0a09d180d2f6103206a..d81c59e3616e9e3755fb794d8acffc177c5939b2 100644 (file)
 #undef HAVE_SSL
 
 
+/*
+ * Do we have the gnutls_fips140_set_mode function?
+ */
+
+#undef HAVE_GNUTLS_FIPS140_SET_MODE
+
+
 /*
  * Do we have the gnutls_transport_set_pull_timeout_function function?
  */
index 629fdddbaa87c5c53294ed85e5831b449794af30..0392af142f5ffe42f6da75a5c68bd1ef069fbd0e 100755 (executable)
--- a/configure
+++ b/configure
@@ -8480,6 +8480,12 @@ fi
 
            SAVELIBS="$LIBS"
            LIBS="$LIBS $SSLLIBS"
+           ac_fn_c_check_func "$LINENO" "gnutls_fips140_set_mode" "ac_cv_func_gnutls_fips140_set_mode"
+if test "x$ac_cv_func_gnutls_fips140_set_mode" = xyes; then :
+  $as_echo "#define HAVE_GNUTLS_FIPS140_SET_MODE 1" >>confdefs.h
+
+fi
+
            ac_fn_c_check_func "$LINENO" "gnutls_transport_set_pull_timeout_function" "ac_cv_func_gnutls_transport_set_pull_timeout_function"
 if test "x$ac_cv_func_gnutls_transport_set_pull_timeout_function" = xyes; then :
   $as_echo "#define HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION 1" >>confdefs.h
index a313725958eaf5c49b38ff00c8609f03485a43fb..621d119d44903cd41502ebd7a9031b13bc9a3ccc 100644 (file)
@@ -190,6 +190,13 @@ cupsHashData(const char    *algorithm,     /* I - Algorithm name */
   unsigned char        temp[64];               /* Temporary hash buffer */
   size_t       tempsize = 0;           /* Truncate to this size? */
 
+
+#  ifdef HAVE_GNUTLS_FIPS140_SET_MODE
+  unsigned oldmode = gnutls_fips140_mode_enabled();
+
+  gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
+#  endif /* HAVE_GNUTLS_FIPS140_SET_MODE */
+
   if (!strcmp(algorithm, "md5"))
     alg = GNUTLS_DIG_MD5;
   else if (!strcmp(algorithm, "sha"))
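Review bot: The switch to `GNUTLS_FIPS140_LAX` happens before the algorithm name is examined, so every call to cupsHashData relaxes the thread's FIPS 140 policy, including calls for digests that presumably would succeed in strict mode, and no comment says why the relaxation is needed. Which digests actually require it cannot be told from the hunk (MD5 is the likely one), but limiting the call to those narrows the time the thread spends outside the configured policy, for example `if (alg == GNUTLS_DIG_MD5) gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);` placed after the name-to-`alg` chain. I would also add a comment such as `/* Not FIPS-approved: relax the mode for this thread only and restore it before returning */`. The function's documentation should say that such digests are computed outside FIPS enforcement, so callers can decide whether the result is acceptable for their use. The algorithm chain and the rest of the function body continue outside this hunk.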
@@ -227,6 +234,10 @@ cupsHashData(const char    *algorithm,     /* I - Algorithm name */
       gnutls_hash_fast(alg, data, datalen, temp);
       memcpy(hash, temp, tempsize);
 
+#  ifdef HAVE_GNUTLS_FIPS140_SET_MODE
+      gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD);
+#  endif /* HAVE_GNUTLS_FIPS140_SET_MODE */
+
       return ((ssize_t)tempsize);
     }
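Review bot: The restore of `oldmode` is written out separately before each exit (here, and again in the hunk at -235 for the plain hash return, at the end of the GnuTLS branch, and under `too_small:`). Any return path added later, or one that lies between the hunks and is not shown, would leave the calling thread in `GNUTLS_FIPS140_LAX` for all later GnuTLS use on that thread. A single exit keeps the relax/restore pair together: store the result, e.g. `ret = (ssize_t)tempsize; goto done;`, and have one `done:` label that calls `gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD);` before `return (ret);`. The enclosing function starts and ends outside this hunk.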
 
@@ -235,9 +246,17 @@ cupsHashData(const char    *algorithm,     /* I - Algorithm name */
 
     gnutls_hash_fast(alg, data, datalen, hash);
 
+#  ifdef HAVE_GNUTLS_FIPS140_SET_MODE
+    gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD);
+#  endif /* HAVE_GNUTLS_FIPS140_SET_MODE */
+
     return ((ssize_t)gnutls_hash_get_len(alg));
   }
 
+#  ifdef HAVE_GNUTLS_FIPS140_SET_MODE
+  gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD);
+#  endif /* HAVE_GNUTLS_FIPS140_SET_MODE */
+
 #else
  /*
   * No hash support beyond MD5 without CommonCrypto or GNU TLS...
@@ -271,6 +290,10 @@ cupsHashData(const char    *algorithm,     /* I - Algorithm name */
 
   too_small:
 
+#ifdef HAVE_GNUTLS_FIPS140_SET_MODE
+  gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD);
+#endif /* HAVE_GNUTLS_FIPS140_SET_MODE */
+
   _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Hash buffer too small."), 1);
   return (-1);
 }
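Review bot: The guard added under `too_small:` is written `#ifdef` at the outer preprocessor level, while `oldmode` is declared under `#  ifdef`, which by this file's indentation convention suggests it is nested inside the GnuTLS branch of the function. If `HAVE_GNUTLS_FIPS140_SET_MODE` were ever defined in a build that takes one of the other branches, this line would refer to an undeclared `oldmode` and the file would not compile. The configure check appears to sit with the other GnuTLS checks, so this looks latent rather than live. Guarding the restore with the same condition that selects the GnuTLS branch (that condition is outside the hunk) in addition to `HAVE_GNUTLS_FIPS140_SET_MODE` would make the declaration and its use share one scope.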
index cf63021b26bae1eedce61b934153c4cc85655030..3a6b3fc7b4be6521d78506b5cf4121f72eac6752 100644 (file)
@@ -379,6 +379,13 @@ typedef unsigned long useconds_t;
 #define HAVE_SSL 1
 
 
+/*
+ * Do we have the gnutls_fips140_set_mode function?
+ */
+
+/* #undef HAVE_GNUTLS_FIPS140_SET_MODE */
+
+
 /*
  * Do we have the gnutls_transport_set_pull_timeout_function function?
  */
index 82cba73cc5fb183de34ec7c08490deeaee86c6e4..490b606cd5c3ca41bc917c41b560e55614b76c4b 100644 (file)
 #define HAVE_SSL 1
 
 
+/*
+ * Do we have the gnutls_fips140_set_mode function?
+ */
+
+/* #undef HAVE_GNUTLS_FIPS140_SET_MODE */
+
+
 /*
  * Do we have the gnutls_transport_set_pull_timeout_function function?
  */