Skip to content

Introduce --enable-gnutls-relax-mode, apply it in cupsHashData() #5622

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
zdohnal wants to merge 2 commits into from
Closed

Introduce --enable-gnutls-relax-mode, apply it in cupsHashData() #5622

zdohnal wants to merge 2 commits into from

Conversation

@zdohnal
Copy link
Contributor

@zdohnal zdohnal commented Jul 29, 2019

@michaelrsweet
Copy link
Collaborator

michaelrsweet commented Jul 30, 2019

@zdohnal Is the GNUTLS_FIPS140_SET_LAX_MODE call not an actual function? I would prefer to just auto-detect it at configure time and call it if it is defined. The more knobs we get the less likely it is that it will work... :/

@michaelrsweet michaelrsweet self-assigned this Jul 30, 2019
@michaelrsweet michaelrsweet added this to the CUPS 2.3.x milestone Jul 30, 2019
@michaelrsweet michaelrsweet mentioned this pull request Jul 30, 2019
Closed
@zdohnal
Copy link
Contributor Author

zdohnal commented Jul 31, 2019
edited
Loading

It is actually macro for:

if (gnutls_fips140_mode_enabled())
gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);

See https://gnutls.org/manual/html_node/FIPS140_002d2-mode.html

Ok, I'll see what I can do in cups-ssl.m4 about it.

@michaelrsweet
Copy link
Collaborator

michaelrsweet commented Aug 1, 2019

@zdohnal Based on the documentation for that function, we can safely do a configure check for gnutls_fips140_set_mode and then do:

unsigned oldmode = gnutls_fips140_mode_enabled();
gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);

...

gnutls_fips140_set_mode(oldmode, GNUTLS_FIPS140_SET_MODE_THREAD);

This will save and restore the mode around the hashing calls, and hopefully not step on any other users of this API (since we'd restore the previous setting, not just put it back to strict...)

michaelrsweet added a commit that referenced this pull request Aug 1, 2019
@michaelrsweet
GNU TLS FIPS140 support (Issue #5601, Issue #5622)
9ec6124
michaelrsweet added a commit that referenced this pull request Aug 1, 2019
@michaelrsweet
GNU TLS FIPS140 support (Issue #5601, Issue #5622)
2f26c6b
@michaelrsweet
Copy link
Collaborator

michaelrsweet commented Aug 1, 2019

Pushed changes for both 2.3.x and 2.2.x. Please review and let me know if this addresses your issues...

[master 9ec6124] GNU TLS FIPS140 support (Issue #5601, Issue #5622)

[branch-2.2 2f26c6b] GNU TLS FIPS140 support (Issue #5601, Issue #5622)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@michaelrsweet michaelrsweet

Labels

priority-medium

Projects

None yet

Milestone

CUPS 2.2.x Updates

Development

Successfully merging this pull request may close these issues.

2 participants

@zdohnal @michaelrsweet