Merge branch 'wip/dueno/fips-secret-transport' into 'master'

session: Tolerate non-approved DH parameter usage in FIPS mode

See merge request GNOME/libsecret!145
This commit is contained in:
Daiki Ueno 2024-07-22 21:06:37 +00:00
commit 71a2e530a5
6 changed files with 112 additions and 0 deletions


@ -12,6 +12,7 @@ variables:
matrix: matrix:
- CRYPTO: libgcrypt - CRYPTO: libgcrypt
- CRYPTO: gnutls - CRYPTO: gnutls
GNUTLS_FORCE_FIPS_MODE: [0, 1]
- CRYPTO: disabled - CRYPTO: disabled
fedora:Werror: fedora:Werror:

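--- a/egg/egg-fips-gnutls.c
+++ b/egg/egg-fips-gnutls.c
@@ -0,0 +1,36 @@
+/*
+* libsecret
+*
+* Copyright (C) 2024 Red Hat, Inc.
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful, but
+* WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this program; if not, see <http://www.gnu.org/licenses/>.
+*/
+#include "config.h"
+#include "egg-fips.h"
+#include <gnutls/gnutls.h>
+EggFipsMode
+egg_fips_get_mode (void)
+{
+return gnutls_fips140_mode_enabled ();
+}
+void
+egg_fips_set_mode (EggFipsMode mode)
+{
+gnutls_fips140_set_mode (mode, GNUTLS_FIPS140_SET_MODE_THREAD);
+}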
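Review bot: `egg_fips_set_mode` passes GNUTLS_FIPS140_SET_MODE_THREAD, so the override it installs stays in force for the rest of the calling thread until the caller puts the saved mode back, and the one caller in this MR, request_open_session_aes, has a `g_return_val_if_reached (NULL)` between `egg_fips_set_mode (EGG_FIPS_MODE_DISABLED)` and the restoring `egg_fips_set_mode (fips_mode)`, so that failure path leaves the thread running with FIPS enforcement off. A comment above the function should say so, e.g. `/* Thread-local override: callers must restore the value from egg_fips_get_mode () on every exit path, including error returns. */`, and the caller's early return should restore before bailing. The enum values are also handed to gnutls unchanged, so the file silently depends on EGG_FIPS_MODE_DISABLED and GNUTLS_FIPS140_DISABLED both being 0; `_Static_assert (EGG_FIPS_MODE_DISABLED == GNUTLS_FIPS140_DISABLED, "FIPS mode values must agree");` would pin that.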

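--- a/egg/egg-fips-libgcrypt.c
+++ b/egg/egg-fips-libgcrypt.c
@@ -0,0 +1,33 @@
+/*
+* libsecret
+*
+* Copyright (C) 2024 Red Hat, Inc.
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful, but
+* WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this program; if not, see <http://www.gnu.org/licenses/>.
+*/
+#include "config.h"
+#include "egg-fips.h"
+EggFipsMode
+egg_fips_get_mode (void)
+{
+return EGG_FIPS_MODE_DISABLED;
+}
+void
+egg_fips_set_mode (EggFipsMode mode)
+{
+(void)mode;
+}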
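Review bot: The libgcrypt backend reports EGG_FIPS_MODE_DISABLED unconditionally and `egg_fips_set_mode` discards its argument, so a libgcrypt build that is actually running in FIPS mode gets none of the tolerance the commit title describes: the save/disable/restore sequence in secret-session.c becomes a no-op there and, as far as I can tell, libgcrypt itself will still reject the non-approved DH parameters (it offers `gcry_fips_mode_active ()` to query the state but no thread-scoped override comparable to gnutls's). That limitation should be stated in the file rather than left to be discovered, e.g. `/* libgcrypt has no thread-scoped FIPS override, so this backend cannot relax enforcement; report DISABLED so callers' save/restore is a no-op. */` above egg_fips_get_mode.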

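--- a/egg/egg-fips.h
+++ b/egg/egg-fips.h
@@ -0,0 +1,31 @@
+/*
+* libsecret
+*
+* Copyright (C) 2024 Red Hat, Inc.
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful, but
+* WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this program; if not, see <http://www.gnu.org/licenses/>.
+*/
+#ifndef EGG_FIPS_H_
+#define EGG_FIPS_H_
+typedef enum {
+EGG_FIPS_MODE_DISABLED = 0,
+/* Other values are specific to each backend */
+} EggFipsMode;
+EggFipsMode egg_fips_get_mode (void);
+void egg_fips_set_mode (EggFipsMode mode);
+#endif /* EGG_FIPS_H_ */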
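Review bot: egg-fips.h declares `egg_fips_get_mode` and `egg_fips_set_mode` with no contract: nothing says that the returned value is opaque and only meaningful when passed back to `egg_fips_set_mode` (the enum comment only hints at it), that set_mode exists for a temporary save/disable/restore around one non-approved operation, or how far the override reaches (thread-local in the gnutls backend, a no-op in the libgcrypt one). Suggest Doxygen comments on both declarations stating those three points, and in particular that every `egg_fips_set_mode (EGG_FIPS_MODE_DISABLED)` must be paired with a restore on all exit paths including error returns, since a missed restore leaves enforcement off for the rest of that thread's life.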


@ -18,6 +18,7 @@ if with_crypto
if with_gcrypt if with_gcrypt
libegg_sources += [ libegg_sources += [
'egg-dh-libgcrypt.c', 'egg-dh-libgcrypt.c',
'egg-fips-libgcrypt.c',
'egg-hkdf-libgcrypt.c', 'egg-hkdf-libgcrypt.c',
'egg-keyring1-libgcrypt.c', 'egg-keyring1-libgcrypt.c',
'egg-libgcrypt.c', 'egg-libgcrypt.c',
@ -25,6 +26,7 @@ if with_crypto
elif with_gnutls elif with_gnutls
libegg_sources += [ libegg_sources += [
'egg-dh-gnutls.c', 'egg-dh-gnutls.c',
'egg-fips-gnutls.c',
'egg-hkdf-gnutls.c', 'egg-hkdf-gnutls.c',
'egg-keyring1-gnutls.c', 'egg-keyring1-gnutls.c',
] ]


@ -19,6 +19,7 @@
#ifdef WITH_CRYPTO #ifdef WITH_CRYPTO
#include "egg/egg-dh.h" #include "egg/egg-dh.h"
#include "egg/egg-fips.h"
#include "egg/egg-hkdf.h" #include "egg/egg-hkdf.h"
#endif #endif
@ -78,6 +79,7 @@ request_open_session_aes (SecretSession *session)
{ {
GBytes *buffer; GBytes *buffer;
GVariant *argument; GVariant *argument;
EggFipsMode fips_mode;
g_assert (session->params == NULL); g_assert (session->params == NULL);
g_assert (session->privat == NULL); g_assert (session->privat == NULL);
@ -98,9 +100,12 @@ request_open_session_aes (SecretSession *session)
g_printerr ("\n"); g_printerr ("\n");
#endif #endif
fips_mode = egg_fips_get_mode ();
egg_fips_set_mode (EGG_FIPS_MODE_DISABLED);
if (!egg_dh_gen_pair (session->params, 0, if (!egg_dh_gen_pair (session->params, 0,
&session->publi, &session->privat)) &session->publi, &session->privat))
g_return_val_if_reached (NULL); g_return_val_if_reached (NULL);
egg_fips_set_mode (fips_mode);
buffer = egg_dh_pubkey_export (session->publi); buffer = egg_dh_pubkey_export (session->publi);
g_return_val_if_fail (buffer != NULL, NULL); g_return_val_if_fail (buffer != NULL, NULL);
@ -121,6 +126,7 @@ response_open_session_aes (SecretSession *session,
const gchar *sig; const gchar *sig;
egg_dh_pubkey *peer; egg_dh_pubkey *peer;
GBytes *ikm; GBytes *ikm;
EggFipsMode fips_mode;
sig = g_variant_get_type_string (response); sig = g_variant_get_type_string (response);
g_return_val_if_fail (sig != NULL, FALSE); g_return_val_if_fail (sig != NULL, FALSE);
@ -147,7 +153,10 @@ response_open_session_aes (SecretSession *session,
g_printerr ("\n"); g_printerr ("\n");
#endif #endif
fips_mode = egg_fips_get_mode ();
egg_fips_set_mode (EGG_FIPS_MODE_DISABLED);
ikm = egg_dh_gen_secret (peer, session->privat, session->params); ikm = egg_dh_gen_secret (peer, session->privat, session->params);
egg_fips_set_mode (fips_mode);
egg_dh_pubkey_free (peer); egg_dh_pubkey_free (peer);
#if 0 #if 0