author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-09-03 16:52:54 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2014-09-03 16:52:54 +0200 |
commit | e24fcd89673af5c72dd2570aafbcabac1f35a753 (patch) | |
tree | 22bb12c88b19fe6105b019c867a0d3aecde88d32 /lib | |
parent | d1de36af91c5ac86dd2b1ab18b0b230a0b1e5d31 (diff) | |
download | gnutls-e24fcd89673af5c72dd2570aafbcabac1f35a753.tar.gz |
fips140: check the integrity of GMP
Diffstat (limited to 'lib')
-rw-r--r-- | lib/fips.c | 32 |
1 files changed, 27 insertions, 5 deletions
diff --git a/lib/fips.c b/lib/fips.c
index e97835cde1..dd68ba0d39 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -95,6 +95,7 @@ const char *p;
 #define GNUTLS_LIBRARY_NAME "libgnutls.so.28"
 #define NETTLE_LIBRARY_NAME "libnettle.so.4"
 #define HOGWEED_LIBRARY_NAME "libhogweed.so.2"
+#define GMP_LIBRARY_NAME "libgmp.so.10"
 
 static const char fips_key[] = "I'd rather be skiing";
 
@@ -137,15 +138,25 @@ static void get_hmac_file(char *mac_file, size_t mac_file_size, const char* orig
 char* p;
 
 p = strrchr(orig, '/');
- 
 if (p==NULL) {
 snprintf(mac_file, mac_file_size, ".%s"HMAC_SUFFIX, orig);
 return;
 }
- 
 snprintf(mac_file, mac_file_size, "%.*s/.%s"HMAC_SUFFIX, (int)(p-orig), orig, p+1);
 }
 
+static void get_hmac_file2(char *mac_file, size_t mac_file_size, const char* orig)
+{
+char* p;
+
+ p = strrchr(orig, '/');
+ if (p==NULL) {
+ snprintf(mac_file, mac_file_size, "fipscheck/%s"HMAC_SUFFIX, orig);
+ return;
+ }
+ snprintf(mac_file, mac_file_size, "%.*s/fipscheck/%s"HMAC_SUFFIX, (int)(p-orig), orig, p+1);
+}
+
 /* Run an HMAC using the key above on the library binary data.
  * Returns true on success and false on error.
  */
@@ -186,11 +197,16 @@ static unsigned check_binary_integrity(const char* libname, const char* symbol)
 /* now open the .hmac file and compare */
 get_hmac_file(mac_file, sizeof(mac_file), file);
- 
+
 ret = gnutls_load_file(mac_file, &data);
 if (ret < 0) {
- _gnutls_debug_log("Could not open %s"HMAC_SUFFIX" for MAC testing: %s\n", file, gnutls_strerror(ret));
- return gnutls_assert_val(0);
+ _gnutls_debug_log("Could not open %s for MAC testing: %s\n", mac_file, gnutls_strerror(ret));
+ get_hmac_file2(mac_file, sizeof(mac_file), file);
+ ret = gnutls_load_file(mac_file, &data);
+ if (ret < 0) {
+ _gnutls_debug_log("Could not open %s for MAC testing: %s\n", mac_file, gnutls_strerror(ret));
+ return gnutls_assert_val(0);
+ }
 }
 
 hmac_size = sizeof(hmac);
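Review bot: get_hmac_file2 carries no comment saying which on-disk layout it targets, and a reader has to diff it against get_hmac_file to see that the only difference is `fipscheck/<name>.hmac` inside the library's directory instead of the `.<name>.hmac` dot-file beside it. A header comment such as `/* Like get_hmac_file(), but builds the fipscheck layout path: <libdir>/fipscheck/<lib>.hmac */` would make the lookup order in check_binary_integrity obvious. Both helpers also discard snprintf's return value; if the path is longer than mac_file_size the result is a truncated name that presumably fails to open, which fails closed but surfaces only as a misleading "could not open" log, so checking `n < 0 || (size_t)n >= mac_file_size` and reporting a truncation would make that failure explicit.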
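Review bot: The first `_gnutls_debug_log` in the new fallback fires on every system that uses the fipscheck layout, because failing to open the dot-file is the expected case there, yet the message reads as an error identical to the real one that follows. Rewording it, e.g. `_gnutls_debug_log("Could not open %s for MAC testing: %s; trying the fipscheck location\n", mac_file, gnutls_strerror(ret));`, keeps the debug trace honest and leaves the second, unchanged message as the genuine failure. check_binary_integrity begins and ends outside the hunk.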
@@ -344,6 +360,12 @@ int _gnutls_fips_perform_self_checks2(void)
 gnutls_assert();
 goto error;
 }
+
+ ret = check_binary_integrity(GMP_LIBRARY_NAME, "__gmpz_init");
+ if (ret == 0) {
+ gnutls_assert();
+ goto error;
+ }
 
 return 0; |
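Review bot: The symbol string `"__gmpz_init"` looks like a private identifier and nothing explains why it is used rather than the public name; a one-line comment next to the call, e.g. `/* mpz_init is a macro in gmp.h; __gmpz_init is the exported symbol */`, would stop a future maintainer from "fixing" it to `mpz_init`, which would not resolve as a dynamic symbol and would make the GMP check fail. The check itself is consistent with the preceding library checks (same `ret == 0` test and `goto error`). _gnutls_fips_perform_self_checks2 begins and ends outside the hunk.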