Index: gnutls-3.8.8/lib/fips.c =================================================================== --- gnutls-3.8.8.orig/lib/fips.c +++ gnutls-3.8.8/lib/fips.c @@ -349,11 +349,90 @@ static int load_hmac_file(struct hmac_fi } /* + * check_dep_lib_hmac: + * @path: path to the library which hmac should be compared + * + * Verify that HMAC of a given library matches the hmac in the file + * provided by the library, named: ..so..hmac. + * + * Returns: 0 on successful HMAC verification, a negative error code otherwise + */ +static int check_dep_lib_hmac(const char *path) +{ + int ret; + unsigned prev; + uint8_t hmac[HMAC_SIZE]; + gnutls_datum_t data; + char hmac_path[GNUTLS_PATH_MAX]; + uint8_t lib_hmac[HMAC_SIZE]; + size_t lib_hmac_size; + + _gnutls_debug_log("Loading: %s\n", path); + ret = gnutls_load_file(path, &data); + if (ret < 0) { + _gnutls_debug_log("Could not load %s: %s\n", path, + gnutls_strerror(ret)); + return gnutls_assert_val(ret); + } + + prev = _gnutls_get_lib_state(); + _gnutls_switch_lib_state(LIB_STATE_OPERATIONAL); + ret = gnutls_hmac_fast(HMAC_ALGO, FIPS_KEY, sizeof(FIPS_KEY) - 1, + data.data, data.size, hmac); + _gnutls_switch_lib_state(prev); + + gnutls_free(data.data); + if (ret < 0) { + _gnutls_debug_log("Could not calculate HMAC for %s: %s\n", path, + gnutls_strerror(ret)); + return gnutls_assert_val(ret); + } + + /* Check now the integrity of the hmac provided by the library */ + ret = get_hmac_path(hmac_path, sizeof(hmac_path), path); + if (ret < 0) { + _gnutls_debug_log("Could not get hmac file path: %s\n", + gnutls_strerror(ret)); + return ret; + } + _gnutls_debug_log("Loading: %s\n", hmac_path); + ret = gnutls_load_file(hmac_path, &data); + if (ret < 0) { + _gnutls_debug_log("Could not load %s: %s\n", hmac_path, + gnutls_strerror(ret)); + return gnutls_assert_val(ret); + } + lib_hmac_size = hex_data_size(data.size); + /* trim eventual newlines from the end of the data read from file */ + while ((data.size > 0) && (data.data[data.size - 1] == '\n')) { + data.data[data.size - 1] = 0; + data.size--; + } + ret = gnutls_hex_decode(&data, lib_hmac, &lib_hmac_size); + gnutls_free(data.data); + if (ret < 0) { + _gnutls_debug_log("Could not hex decode hmac\n"); + return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); + } + ret = gnutls_memcmp(lib_hmac, hmac, HMAC_SIZE); + if (ret){ + _gnutls_debug_log("Calculated MAC for %s does not match\n", + path); + gnutls_memset(hmac, 0, HMAC_SIZE); + gnutls_memset(lib_hmac, 0, HMAC_SIZE); + return gnutls_assert_val(GNUTLS_E_PARSING_ERROR); + } + _gnutls_debug_log("Successfully verified MAC for %s\n", path); + gnutls_memset(hmac, 0, HMAC_SIZE); + return 0; +} + +/* * check_lib_hmac: * @entry: hmac file entry * @path: path to the library which hmac should be compared * - * Verify that HMAC from hmac file entry matches HMAC of given library. + * Verify that HMAC from hmac file entry matches HMAC of gnutls library. * * Returns: 0 on successful HMAC verification, a negative error code otherwise */ @@ -496,17 +575,20 @@ static int check_binary_integrity(void) if (ret < 0) return ret; #ifdef NETTLE_LIBRARY_SONAME - ret = check_lib_hmac(&hmac.nettle, paths.nettle); + //ret = check_lib_hmac(&hmac.nettle, paths.nettle); + ret = check_dep_lib_hmac(paths.nettle); if (ret < 0) return ret; #endif #ifdef HOGWEED_LIBRARY_SONAME - ret = check_lib_hmac(&hmac.hogweed, paths.hogweed); + //ret = check_lib_hmac(&hmac.hogweed, paths.hogweed); + ret = check_dep_lib_hmac(paths.hogweed); if (ret < 0) return ret; #endif #ifdef GMP_LIBRARY_SONAME - ret = check_lib_hmac(&hmac.gmp, paths.gmp); + //ret = check_lib_hmac(&hmac.gmp, paths.gmp); + ret = check_dep_lib_hmac(paths.gmp); if (ret < 0) return ret; #endif