From: Michael R Sweet Date: Thu, 1 Aug 2019 18:25:35 +0000 (-0400) Subject: GNU TLS FIPS140 support (Issue #5601, Issue #5622) X-Git-Tag: v2.2.12~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f26c6b713a3fbf24785827cc1b1251ea25c83fb;p=thirdparty%2Fcups.git GNU TLS FIPS140 support (Issue #5601, Issue #5622) --- diff --git a/config-scripts/cups-ssl.m4 b/config-scripts/cups-ssl.m4 index 52f9c39f1c..49fe42fe3a 100644 --- a/config-scripts/cups-ssl.m4 +++ b/config-scripts/cups-ssl.m4 @@ -80,6 +80,7 @@ if test x$enable_ssl != xno; then SAVELIBS="$LIBS" LIBS="$LIBS $SSLLIBS" + AC_CHECK_FUNC(gnutls_fips140_set_mode, AC_DEFINE(HAVE_GNUTLS_FIPS140_SET_MODE)) AC_CHECK_FUNC(gnutls_transport_set_pull_timeout_function, AC_DEFINE(HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION)) AC_CHECK_FUNC(gnutls_priority_set_direct, AC_DEFINE(HAVE_GNUTLS_PRIORITY_SET_DIRECT)) LIBS="$SAVELIBS" diff --git a/config.h.in b/config.h.in index f3b5e4c7a4..d81c59e361 100644 --- a/config.h.in +++ b/config.h.in @@ -303,6 +303,13 @@ #undef HAVE_SSL +/* + * Do we have the gnutls_fips140_set_mode function? + */ + +#undef HAVE_GNUTLS_FIPS140_SET_MODE + + /* * Do we have the gnutls_transport_set_pull_timeout_function function? */ diff --git a/configure b/configure index 629fdddbaa..0392af142f 100755 --- a/configure +++ b/configure @@ -8480,6 +8480,12 @@ fi SAVELIBS="$LIBS" LIBS="$LIBS $SSLLIBS" + ac_fn_c_check_func "$LINENO" "gnutls_fips140_set_mode" "ac_cv_func_gnutls_fips140_set_mode" +if test "x$ac_cv_func_gnutls_fips140_set_mode" = xyes; then : + $as_echo "#define HAVE_GNUTLS_FIPS140_SET_MODE 1" >>confdefs.h + +fi + ac_fn_c_check_func "$LINENO" "gnutls_transport_set_pull_timeout_function" "ac_cv_func_gnutls_transport_set_pull_timeout_function" if test "x$ac_cv_func_gnutls_transport_set_pull_timeout_function" = xyes; then : $as_echo "#define HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION 1" >>confdefs.h 
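Review bot: The new AC_CHECK_FUNC probes only gnutls_fips140_set_mode, while the code compiled under HAVE_GNUTLS_FIPS140_SET_MODE in cups/hash.c also calls gnutls_fips140_mode_enabled() and relies on the GNUTLS_FIPS140_LAX and GNUTLS_FIPS140_SET_MODE_THREAD constants. To my knowledge every GnuTLS that exports gnutls_fips140_set_mode also provides those, so the single check is sufficient, but the assumption is invisible to the next person editing this file; a one-line note above the check would record it, e.g. `dnl gnutls_fips140_set_mode implies gnutls_fips140_mode_enabled and the GNUTLS_FIPS140_* constants used in cups/hash.c`. The enclosing `if test x$enable_ssl != xno` block starts before this hunk.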
diff --git a/cups/hash.c b/cups/hash.c index a313725958..621d119d44 100644 --- a/cups/hash.c +++ b/cups/hash.c @@ -190,6 +190,13 @@ cupsHashData(const char *algorithm, /* I - Algorithm name */ unsigned char temp[64]; /* Temporary hash buffer */ size_t tempsize = 0; /* Truncate to this size? */ + +# ifdef HAVE_GNUTLS_FIPS140_SET_MODE + unsigned oldmode = gnutls_fips140_mode_enabled(); + + gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD); +# endif /* HAVE_GNUTLS_FIPS140_SET_MODE */ + if (!strcmp(algorithm, "md5")) alg = GNUTLS_DIG_MD5; else if (!strcmp(algorithm, "sha")) @@ -227,6 +234,10 @@ cupsHashData(const char *algorithm, /* I - Algorithm name */ gnutls_hash_fast(alg, data, datalen, temp); memcpy(hash, temp, tempsize); +# ifdef HAVE_GNUTLS_FIPS140_SET_MODE + gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD); +# endif /* HAVE_GNUTLS_FIPS140_SET_MODE */ + return ((ssize_t)tempsize); } @@ -235,9 +246,17 @@ cupsHashData(const char *algorithm, /* I - Algorithm name */ gnutls_hash_fast(alg, data, datalen, hash); +# ifdef HAVE_GNUTLS_FIPS140_SET_MODE + gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD); +# endif /* HAVE_GNUTLS_FIPS140_SET_MODE */ + return ((ssize_t)gnutls_hash_get_len(alg)); } +# ifdef HAVE_GNUTLS_FIPS140_SET_MODE + gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD); +# endif /* HAVE_GNUTLS_FIPS140_SET_MODE */ + #else /* * No hash support beyond MD5 without CommonCrypto or GNU TLS... @@ -271,6 +290,10 @@ cupsHashData(const char *algorithm, /* I - Algorithm name */ too_small: +#ifdef HAVE_GNUTLS_FIPS140_SET_MODE + gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD); +#endif /* HAVE_GNUTLS_FIPS140_SET_MODE */ + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Hash buffer too small."), 1); return (-1); } diff --git a/vcnet/config.h b/vcnet/config.h index cf63021b26..3a6b3fc7b4 100644 --- a/vcnet/config.h +++ b/vcnet/config.h 
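Review bot: The switch to GNUTLS_FIPS140_LAX at the top of the GnuTLS branch carries no comment saying why enforcement is relaxed or that every exit path below must undo it; add one above the set_mode call, e.g. `/* Allow non-FIPS digests (md5) on this thread only; oldmode is restored before every return below */`, and since the flag is GNUTLS_FIPS140_SET_MODE_THREAD it is worth stating there that other threads keep the process-wide mode. The restore is then duplicated in the hunks at -227, -235 (twice) and -271, so any future early return added to cupsHashData that forgets it would presumably leave the calling thread in LAX mode indefinitely; routing every exit through one label that restores oldmode and returns a saved result would remove that hazard. If md5 is the only non-approved digest the callers need, narrowing the switch to that case would also keep FIPS enforcement in place for the sha2 paths. cupsHashData begins before this hunk and the callers that motivate the change are not visible here, so the exact wording should be confirmed against them.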
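Review bot: The restore at the too_small label is guarded by `#ifdef HAVE_GNUTLS_FIPS140_SET_MODE` alone, yet `oldmode` is declared only inside the GnuTLS branch earlier in cupsHashData (the indented `# ifdef` form and the trailing `#else` in the -235 hunk show that nesting), so this is the one place the macro is used outside that branch. The configure check runs against SSLLIBS, so in practice the macro is only defined for GnuTLS builds, but a build with another backend that somehow defined it would fail to compile here on the undeclared `oldmode`; `#if defined(HAVE_GNUTLS) && defined(HAVE_GNUTLS_FIPS140_SET_MODE)` makes the dependency explicit. The too_small label is shared by all backends and the function's tail continues outside the hunk.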
@@ -379,6 +379,13 @@ typedef unsigned long useconds_t; #define HAVE_SSL 1 +/* + * Do we have the gnutls_fips140_set_mode function? + */ + +/* #undef HAVE_GNUTLS_FIPS140_SET_MODE */ + + /* * Do we have the gnutls_transport_set_pull_timeout_function function? */ diff --git a/xcode/config.h b/xcode/config.h index 82cba73cc5..490b606cd5 100644 --- a/xcode/config.h +++ b/xcode/config.h @@ -309,6 +309,13 @@ #define HAVE_SSL 1 +/* + * Do we have the gnutls_fips140_set_mode function? + */ + +/* #undef HAVE_GNUTLS_FIPS140_SET_MODE */ + + /* * Do we have the gnutls_transport_set_pull_timeout_function function? */