fips: replace fipshmac usage with internal program

This introduces a non-installed program "fipshmac" and uses it for
generating HMAC files required in FIPS 140-2.  The generated files are
installed along with the main library.

Resolves issues #1101.

Signed-off-by: Ondrej Moris <omoris@redhat.com>
Co-authored-by: Daiki Ueno <dueno@redhat.com>

diff --git a/.gitignore b/.gitignore
index 6981a7bf788664e1841f4a3e1780e90dcd3c5128..07937c33b2f65fbb3ed21a1217cf9fa81cb2871e 100644 (file)
--- a/.gitignore
+++ b/.gitignore
@@ -219,6 +219,7 @@ libdane/gnutls-dane.pc
 libdane/libgnutls-dane.la
 lib/ext/libgnutls_ext.la
 lib/extras/libgnutls_extras.la
+lib/fipshmac
 lib/gcrypt/libcrypto.la
 lib/gnutls-api.texi
 lib/gnutls.pc

diff --git a/configure.ac b/configure.ac
index 05985bd72d95f19eba1f7fa3d2299f018fc125bf..d46c25577817d460cec1394d57e6f74b865a8cf1 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -741,6 +741,7 @@ LIBS=$save_LIBS
 
 gnutls_so=libgnutls.so.`expr "$LT_CURRENT" - "$LT_AGE"`
 AC_DEFINE_UNQUOTED([GNUTLS_LIBRARY_SONAME], ["$gnutls_so"], [The soname of gnutls library])
+AC_SUBST([gnutls_so])
 
 AC_MSG_CHECKING([whether to build libdane])
 AC_ARG_ENABLE(libdane,

diff --git a/lib/Makefile.am b/lib/Makefile.am
index 02504d8d10940221216f4329d5de1200603952e9..6eb175bf6f632edea0f4d55b40df3243baf43092 100644 (file)
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -183,6 +183,30 @@ endif
 
 if ENABLE_FIPS140
 thirdparty_libadd += $(FIPS140_LIBS) $(LTLIBDL)
+
+noinst_PROGRAMS = fipshmac
+fipshmac_SOURCES = fipshmac.c
+fipshmac_LDADD = libgnutls.la
+
+hmac_files = .libs/.$(gnutls_so).hmac
+
+all-local: $(hmac_files)
+
+.libs/.$(gnutls_so).hmac: libgnutls.la fipshmac
+       $(AM_V_GEN) $(builddir)/fipshmac .libs/$(gnutls_so) > $@-t && mv $@-t $@
+
+CLEANFILES = $(hmac_files)
+
+install-exec-hook: $(hmac_files)
+       for file in $(hmac_files); do \
+               $(INSTALL_DATA) $$file $(DESTDIR)$(libdir); \
+       done
+
+uninstall-hook:
+       for file in $(hmac_files); do \
+               basename=$$(expr $$file : '.*/\(.*\)'); \
+               $(DESTDIR)$(libdir)/$$basename; \
+       done
 endif
 
 if ENABLE_TROUSERS

diff --git a/lib/fipshmac.c b/lib/fipshmac.c
new file mode 100644 (file)
index 0000000..001417f
--- /dev/null
+++ b/lib/fipshmac.c
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) 2020 Red Hat
+ *
+ * Author: Ondrej Moris
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>
+ *
+ */
+
+#include "config.h"
+
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#define HMAC_SIZE 32
+#define HMAC_ALGO GNUTLS_MAC_SHA256
+
+int main(int argc, char *argv[]) {
+       gnutls_datum_t data = { NULL, 0 };
+       gnutls_datum_t hex = { NULL, 0 };
+       uint8_t buffer[HMAC_SIZE];
+       gnutls_datum_t hmac = { buffer, sizeof(buffer) };
+       int status = EXIT_FAILURE;
+       int ret;
+
+       if (argc != 2) {
+               fprintf(stderr, "Usage: %s <file>\n", argv[0]);
+               goto error;
+       }
+
+       ret = gnutls_load_file(argv[1], &data);
+       if (ret < 0) {
+               fprintf(stderr, "Could not load %s: %s\n", argv[1],
+                       gnutls_strerror(ret));
+               goto error;
+       }
+
+       GNUTLS_FIPS140_SET_LAX_MODE();
+
+       ret = gnutls_hmac_fast(HMAC_ALGO, FIPS_KEY, sizeof(FIPS_KEY)-1,
+                              data.data, data.size, buffer);
+       if (ret < 0) {
+               fprintf(stderr, "Could not calculate MAC on %s: %s\n", argv[1],
+                       gnutls_strerror(ret));
+               goto error;
+       }
+
+       GNUTLS_FIPS140_SET_STRICT_MODE();
+
+       ret = gnutls_hex_encode2(&hmac, &hex);
+       if (ret < 0) {
+               fprintf(stderr, "Could not encode MAC value: %s\n",
+                       gnutls_strerror(ret));
+               goto error;
+       }
+
+       printf("%s\n", hex.data);
+
+       status = EXIT_SUCCESS;
+
+ error:
+       gnutls_free(data.data);
+       gnutls_free(hex.data);
+
+       return status;
+}