From: Nikos Mavrogiannopoulos Date: Wed, 3 Sep 2014 14:52:54 +0000 (+0200) Subject: fips140: check the integrity of GMP X-Git-Tag: gnutls_3_4_0~995 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e24fcd89673af5c72dd2570aafbcabac1f35a753;p=thirdparty%2Fgnutls.git fips140: check the integrity of GMP --- diff --git a/lib/fips.c b/lib/fips.c index e97835cde1..dd68ba0d39 100644 --- a/lib/fips.c +++ b/lib/fips.c @@ -95,6 +95,7 @@ const char *p; #define GNUTLS_LIBRARY_NAME "libgnutls.so.28" #define NETTLE_LIBRARY_NAME "libnettle.so.4" #define HOGWEED_LIBRARY_NAME "libhogweed.so.2" +#define GMP_LIBRARY_NAME "libgmp.so.10" static const char fips_key[] = "I'd rather be skiing"; @@ -137,15 +138,25 @@ static void get_hmac_file(char *mac_file, size_t mac_file_size, const char* orig char* p; p = strrchr(orig, '/'); - if (p==NULL) { snprintf(mac_file, mac_file_size, ".%s"HMAC_SUFFIX, orig); return; } - snprintf(mac_file, mac_file_size, "%.*s/.%s"HMAC_SUFFIX, (int)(p-orig), orig, p+1); } +static void get_hmac_file2(char *mac_file, size_t mac_file_size, const char* orig) +{ +char* p; + + p = strrchr(orig, '/'); + if (p==NULL) { + snprintf(mac_file, mac_file_size, "fipscheck/%s"HMAC_SUFFIX, orig); + return; + } + snprintf(mac_file, mac_file_size, "%.*s/fipscheck/%s"HMAC_SUFFIX, (int)(p-orig), orig, p+1); +} + /* Run an HMAC using the key above on the library binary data. * Returns true on success and false on error. */ 
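Review bot: Both `snprintf` calls in the new `get_hmac_file2` ignore their return value, so a library path that does not fit in `mac_file` yields a silently truncated name, which the caller then tries to load as the integrity reference. Because the function returns void, the caller cannot detect this; consider returning the `snprintf` result and treating `ret < 0 || (size_t)ret >= mac_file_size` as a failure in the caller. The existing `get_hmac_file`, shown as context, has the same unchecked pattern, and the new function copies it with only the format strings changed, so one helper taking the format would cover both. As a style point, `char* p;` is declared at column 0 and drops the const of `orig`; `const char *p;` indented like the rest of the body would be consistent.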
@@ -186,11 +197,16 @@ static unsigned check_binary_integrity(const char* libname, const char* symbol) /* now open the .hmac file and compare */ get_hmac_file(mac_file, sizeof(mac_file), file); - + ret = gnutls_load_file(mac_file, &data); if (ret < 0) { - _gnutls_debug_log("Could not open %s"HMAC_SUFFIX" for MAC testing: %s\n", file, gnutls_strerror(ret)); - return gnutls_assert_val(0); + _gnutls_debug_log("Could not open %s for MAC testing: %s\n", mac_file, gnutls_strerror(ret)); + get_hmac_file2(mac_file, sizeof(mac_file), file); + ret = gnutls_load_file(mac_file, &data); + if (ret < 0) { + _gnutls_debug_log("Could not open %s for MAC testing: %s\n", mac_file, gnutls_strerror(ret)); + return gnutls_assert_val(0); + } } hmac_size = sizeof(hmac); @@ -344,6 +360,12 @@ int _gnutls_fips_perform_self_checks2(void) gnutls_assert(); goto error; } + + ret = check_binary_integrity(GMP_LIBRARY_NAME, "__gmpz_init"); + if (ret == 0) { + gnutls_assert(); + goto error; + } return 0;
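Review bot: The fallback to `get_hmac_file2` is taken on any negative return from `gnutls_load_file`, so a primary HMAC file that exists but cannot be read is treated the same as a missing one, and the check quietly moves to the `fipscheck/` copy. Both locations are now trusted references for the integrity check and need the same file protections as the library itself. A comment above the first call, such as `/* try <dir>/.<name>HMAC_SUFFIX first, then <dir>/fipscheck/<name>HMAC_SUFFIX */`, would make the lookup order explicit. The first debug message will also fire on every system that ships only the `fipscheck/` layout, so wording it as a fallback notice would keep the logs from looking like a failure. `check_binary_integrity` starts and ends outside this hunk.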
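Review bot: The new GMP check in `_gnutls_fips_perform_self_checks2` has no comment explaining why the symbol is `__gmpz_init` rather than `mpz_init`, or what the symbol is used for. gmp.h maps `mpz_init` to `__gmpz_init`, and the symbol is presumably only used to locate the loaded library file; a comment such as `/* mpz_init is exported as __gmpz_init; used to find the loaded libgmp */` above the call would record that. The check also ties the self-test to the exact soname `libgmp.so.10`, so a build linked against a different GMP soname, or a GMP package installed without an HMAC file, would presumably fail the FIPS self-checks; that deployment requirement is worth stating in the documentation. The function continues outside the hunk.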