#3 Add patch to use GnuTLS for GHmac (for FIPS compliance)
Closed 3 years ago by catanzaro. Opened 4 years ago by walters.
rpms/ walters/glib2 ghmac-gnutls  into  master

file added
+690
@@ -0,0 +1,690 @@ 

+ From d0f629b0688b5eaf9e509afd7b264fd78096c919 Mon Sep 17 00:00:00 2001

+ From: Colin Walters <walters@verbum.org>

+ Date: Fri, 7 Jun 2019 18:44:43 +0000

+ Subject: [PATCH 1/2] ghmac: Split off wrapper functions into ghmac-utils.c

+ 

+ Prep for adding a GnuTLS HMAC implementation; these are just

+ utility functions that call the "core" API.

+ ---

+  glib/ghmac-utils.c | 145 +++++++++++++++++++++++++++++++++++++++++++++

+  glib/ghmac.c       | 112 ----------------------------------

+  glib/meson.build   |   1 +

+  3 files changed, 146 insertions(+), 112 deletions(-)

+  create mode 100644 glib/ghmac-utils.c

+ 

+ diff --git a/glib/ghmac-utils.c b/glib/ghmac-utils.c

+ new file mode 100644

+ index 000000000..a17359ff1

+ --- /dev/null

+ +++ b/glib/ghmac-utils.c

+ @@ -0,0 +1,145 @@

+ +/* ghmac.h - data hashing functions

+ + *

+ + * Copyright (C) 2011  Collabora Ltd.

+ + * Copyright (C) 2019  Red Hat, Inc.

+ + *

+ + * This library is free software; you can redistribute it and/or

+ + * modify it under the terms of the GNU Lesser General Public

+ + * License as published by the Free Software Foundation; either

+ + * version 2.1 of the License, or (at your option) any later version.

+ + *

+ + * This library is distributed in the hope that it will be useful,

+ + * but WITHOUT ANY WARRANTY; without even the implied warranty of

+ + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

+ + * Lesser General Public License for more details.

+ + *

+ + * You should have received a copy of the GNU Lesser General Public License

+ + * along with this library; if not, see <http://www.gnu.org/licenses/>.

+ + */

+ +

+ +#include "config.h"

+ +

+ +#include <string.h>

+ +

+ +#include "ghmac.h"

+ +

+ +#include "glib/galloca.h"

+ +#include "gatomic.h"

+ +#include "gslice.h"

+ +#include "gmem.h"

+ +#include "gstrfuncs.h"

+ +#include "gtestutils.h"

+ +#include "gtypes.h"

+ +#include "glibintl.h"

+ +

+ +/**

+ + * g_compute_hmac_for_data:

+ + * @digest_type: a #GChecksumType to use for the HMAC

+ + * @key: (array length=key_len): the key to use in the HMAC

+ + * @key_len: the length of the key

+ + * @data: (array length=length): binary blob to compute the HMAC of

+ + * @length: length of @data

+ + *

+ + * Computes the HMAC for a binary @data of @length. This is a

+ + * convenience wrapper for g_hmac_new(), g_hmac_get_string()

+ + * and g_hmac_unref().

+ + *

+ + * The hexadecimal string returned will be in lower case.

+ + *

+ + * Returns: the HMAC of the binary data as a string in hexadecimal.

+ + *   The returned string should be freed with g_free() when done using it.

+ + *

+ + * Since: 2.30

+ + */

+ +gchar *

+ +g_compute_hmac_for_data (GChecksumType  digest_type,

+ +                         const guchar  *key,

+ +                         gsize          key_len,

+ +                         const guchar  *data,

+ +                         gsize          length)

+ +{

+ +  GHmac *hmac;

+ +  gchar *retval;

+ +

+ +  g_return_val_if_fail (length == 0 || data != NULL, NULL);

+ +

+ +  hmac = g_hmac_new (digest_type, key, key_len);

+ +  if (!hmac)

+ +    return NULL;

+ +

+ +  g_hmac_update (hmac, data, length);

+ +  retval = g_strdup (g_hmac_get_string (hmac));

+ +  g_hmac_unref (hmac);

+ +

+ +  return retval;

+ +}

+ +

+ +/**

+ + * g_compute_hmac_for_bytes:

+ + * @digest_type: a #GChecksumType to use for the HMAC

+ + * @key: the key to use in the HMAC

+ + * @data: binary blob to compute the HMAC of

+ + *

+ + * Computes the HMAC for a binary @data. This is a

+ + * convenience wrapper for g_hmac_new(), g_hmac_get_string()

+ + * and g_hmac_unref().

+ + *

+ + * The hexadecimal string returned will be in lower case.

+ + *

+ + * Returns: the HMAC of the binary data as a string in hexadecimal.

+ + *   The returned string should be freed with g_free() when done using it.

+ + *

+ + * Since: 2.50

+ + */

+ +gchar *

+ +g_compute_hmac_for_bytes (GChecksumType  digest_type,

+ +                          GBytes        *key,

+ +                          GBytes        *data)

+ +{

+ +  gconstpointer byte_data;

+ +  gsize length;

+ +  gconstpointer key_data;

+ +  gsize key_len;

+ +

+ +  g_return_val_if_fail (data != NULL, NULL);

+ +  g_return_val_if_fail (key != NULL, NULL);

+ +

+ +  byte_data = g_bytes_get_data (data, &length);

+ +  key_data = g_bytes_get_data (key, &key_len);

+ +  return g_compute_hmac_for_data (digest_type, key_data, key_len, byte_data, length);

+ +}

+ +

+ +

+ +/**

+ + * g_compute_hmac_for_string:

+ + * @digest_type: a #GChecksumType to use for the HMAC

+ + * @key: (array length=key_len): the key to use in the HMAC

+ + * @key_len: the length of the key

+ + * @str: the string to compute the HMAC for

+ + * @length: the length of the string, or -1 if the string is nul-terminated

+ + *

+ + * Computes the HMAC for a string.

+ + *

+ + * The hexadecimal string returned will be in lower case.

+ + *

+ + * Returns: the HMAC as a hexadecimal string.

+ + *     The returned string should be freed with g_free()

+ + *     when done using it.

+ + *

+ + * Since: 2.30

+ + */

+ +gchar *

+ +g_compute_hmac_for_string (GChecksumType  digest_type,

+ +                           const guchar  *key,

+ +                           gsize          key_len,

+ +                           const gchar   *str,

+ +                           gssize         length)

+ +{

+ +  g_return_val_if_fail (length == 0 || str != NULL, NULL);

+ +

+ +  if (length < 0)

+ +    length = strlen (str);

+ +

+ +  return g_compute_hmac_for_data (digest_type, key, key_len,

+ +                                  (const guchar *) str, length);

+ +}

+ diff --git a/glib/ghmac.c b/glib/ghmac.c

+ index af9b6744a..79906a97f 100644

+ --- a/glib/ghmac.c

+ +++ b/glib/ghmac.c

+ @@ -329,115 +329,3 @@ g_hmac_get_digest (GHmac  *hmac,

+    g_checksum_update (hmac->digesto, buffer, len);

+    g_checksum_get_digest (hmac->digesto, buffer, digest_len);

+  }

+ -

+ -/**

+ - * g_compute_hmac_for_data:

+ - * @digest_type: a #GChecksumType to use for the HMAC

+ - * @key: (array length=key_len): the key to use in the HMAC

+ - * @key_len: the length of the key

+ - * @data: (array length=length): binary blob to compute the HMAC of

+ - * @length: length of @data

+ - *

+ - * Computes the HMAC for a binary @data of @length. This is a

+ - * convenience wrapper for g_hmac_new(), g_hmac_get_string()

+ - * and g_hmac_unref().

+ - *

+ - * The hexadecimal string returned will be in lower case.

+ - *

+ - * Returns: the HMAC of the binary data as a string in hexadecimal.

+ - *   The returned string should be freed with g_free() when done using it.

+ - *

+ - * Since: 2.30

+ - */

+ -gchar *

+ -g_compute_hmac_for_data (GChecksumType  digest_type,

+ -                         const guchar  *key,

+ -                         gsize          key_len,

+ -                         const guchar  *data,

+ -                         gsize          length)

+ -{

+ -  GHmac *hmac;

+ -  gchar *retval;

+ -

+ -  g_return_val_if_fail (length == 0 || data != NULL, NULL);

+ -

+ -  hmac = g_hmac_new (digest_type, key, key_len);

+ -  if (!hmac)

+ -    return NULL;

+ -

+ -  g_hmac_update (hmac, data, length);

+ -  retval = g_strdup (g_hmac_get_string (hmac));

+ -  g_hmac_unref (hmac);

+ -

+ -  return retval;

+ -}

+ -

+ -/**

+ - * g_compute_hmac_for_bytes:

+ - * @digest_type: a #GChecksumType to use for the HMAC

+ - * @key: the key to use in the HMAC

+ - * @data: binary blob to compute the HMAC of

+ - *

+ - * Computes the HMAC for a binary @data. This is a

+ - * convenience wrapper for g_hmac_new(), g_hmac_get_string()

+ - * and g_hmac_unref().

+ - *

+ - * The hexadecimal string returned will be in lower case.

+ - *

+ - * Returns: the HMAC of the binary data as a string in hexadecimal.

+ - *   The returned string should be freed with g_free() when done using it.

+ - *

+ - * Since: 2.50

+ - */

+ -gchar *

+ -g_compute_hmac_for_bytes (GChecksumType  digest_type,

+ -                          GBytes        *key,

+ -                          GBytes        *data)

+ -{

+ -  gconstpointer byte_data;

+ -  gsize length;

+ -  gconstpointer key_data;

+ -  gsize key_len;

+ -

+ -  g_return_val_if_fail (data != NULL, NULL);

+ -  g_return_val_if_fail (key != NULL, NULL);

+ -

+ -  byte_data = g_bytes_get_data (data, &length);

+ -  key_data = g_bytes_get_data (key, &key_len);

+ -  return g_compute_hmac_for_data (digest_type, key_data, key_len, byte_data, length);

+ -}

+ -

+ -

+ -/**

+ - * g_compute_hmac_for_string:

+ - * @digest_type: a #GChecksumType to use for the HMAC

+ - * @key: (array length=key_len): the key to use in the HMAC

+ - * @key_len: the length of the key

+ - * @str: the string to compute the HMAC for

+ - * @length: the length of the string, or -1 if the string is nul-terminated

+ - *

+ - * Computes the HMAC for a string.

+ - *

+ - * The hexadecimal string returned will be in lower case.

+ - *

+ - * Returns: the HMAC as a hexadecimal string.

+ - *     The returned string should be freed with g_free()

+ - *     when done using it.

+ - *

+ - * Since: 2.30

+ - */

+ -gchar *

+ -g_compute_hmac_for_string (GChecksumType  digest_type,

+ -                           const guchar  *key,

+ -                           gsize          key_len,

+ -                           const gchar   *str,

+ -                           gssize         length)

+ -{

+ -  g_return_val_if_fail (length == 0 || str != NULL, NULL);

+ -

+ -  if (length < 0)

+ -    length = strlen (str);

+ -

+ -  return g_compute_hmac_for_data (digest_type, key, key_len,

+ -                                  (const guchar *) str, length);

+ -}

+ diff --git a/glib/meson.build b/glib/meson.build

+ index 8350ea283..ea496c053 100644

+ --- a/glib/meson.build

+ +++ b/glib/meson.build

+ @@ -150,6 +150,7 @@ glib_sources = files(

+    'ggettext.c',

+    'ghash.c',

+    'ghmac.c',

+ +  'ghmac-utils.c',

+    'ghook.c',

+    'ghostutils.c',

+    'giochannel.c',

+ -- 

+ 2.21.0

+ 

+ 

+ From cbb206f6e39fb1e16073d74506b77ebb4ec2dc28 Mon Sep 17 00:00:00 2001

+ From: Colin Walters <walters@verbum.org>

+ Date: Fri, 7 Jun 2019 19:36:54 +0000

+ Subject: [PATCH 2/2] Add a gnutls backend for GHmac

+ 

+ For RHEL we want apps to use FIPS-certified crypto libraries,

+ and HMAC apparently counts as "keyed" and hence needs to

+ be validated.

+ 

+ Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1630260

+ Replaces: https://gitlab.gnome.org/GNOME/glib/merge_requests/897

+ 

+ This is a build-time option that backs the GHmac API with GnuTLS.

+ Most distributors ship glib-networking built with GnuTLS, and

+ most apps use glib-networking, so this isn't a net-new library

+ in most cases.

+ 

+ However, a fun wrinkle is that the GnuTLS HMAC API doesn't expose

+ the necessary bits to implement `g_hmac_copy()`; OpenSSL does.

+ I chose to just make that abort for now since I didn't find

+ apps using it.

+ ---

+  glib/gchecksum.c        |   9 +--

+  glib/gchecksumprivate.h |  32 +++++++++

+  glib/ghmac-gnutls.c     | 155 ++++++++++++++++++++++++++++++++++++++++

+  glib/ghmac.c            |   3 +

+  glib/meson.build        |  10 ++-

+  glib/tests/hmac.c       |   6 ++

+  meson.build             |   7 ++

+  meson_options.txt       |   5 ++

+  8 files changed, 221 insertions(+), 6 deletions(-)

+  create mode 100644 glib/gchecksumprivate.h

+  create mode 100644 glib/ghmac-gnutls.c

+ 

+ diff --git a/glib/gchecksum.c b/glib/gchecksum.c

+ index f55a871ba..8d91e299c 100644

+ --- a/glib/gchecksum.c

+ +++ b/glib/gchecksum.c

+ @@ -20,7 +20,7 @@

+  

+  #include <string.h>

+  

+ -#include "gchecksum.h"

+ +#include "gchecksumprivate.h"

+  

+  #include "gslice.h"

+  #include "gmem.h"

+ @@ -173,9 +173,9 @@ sha_byte_reverse (guint32 *buffer,

+  }

+  #endif /* G_BYTE_ORDER == G_BIG_ENDIAN */

+  

+ -static gchar *

+ -digest_to_string (guint8 *digest,

+ -                  gsize   digest_len)

+ +gchar *

+ +gchecksum_digest_to_string (guint8 *digest,

+ +                            gsize   digest_len)

+  {

+    gsize i, len = digest_len * 2;

+    gchar *retval;

+ @@ -194,6 +194,7 @@ digest_to_string (guint8 *digest,

+  

+    return retval;

+  }

+ +#define digest_to_string gchecksum_digest_to_string

+  

+  /*

+   * MD5 Checksum

+ diff --git a/glib/gchecksumprivate.h b/glib/gchecksumprivate.h

+ new file mode 100644

+ index 000000000..86c7a3b61

+ --- /dev/null

+ +++ b/glib/gchecksumprivate.h

+ @@ -0,0 +1,32 @@

+ +/* gstdioprivate.h - Private GLib stdio functions

+ + *

+ + * Copyright 2017 Руслан Ижбулатов

+ + *

+ + * This library is free software; you can redistribute it and/or

+ + * modify it under the terms of the GNU Lesser General Public

+ + * License as published by the Free Software Foundation; either

+ + * version 2.1 of the License, or (at your option) any later version.

+ + *

+ + * This library is distributed in the hope that it will be useful,

+ + * but WITHOUT ANY WARRANTY; without even the implied warranty of

+ + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

+ + * Lesser General Public License for more details.

+ + *

+ + * You should have received a copy of the GNU Lesser General Public License

+ + * along with this library; if not, see <http://www.gnu.org/licenses/>.

+ + */

+ +

+ +#ifndef __G_CHECKSUMPRIVATE_H__

+ +#define __G_CHECKSUMPRIVATE_H__

+ +

+ +#include "gchecksum.h"

+ +

+ +G_BEGIN_DECLS

+ +

+ +gchar *

+ +gchecksum_digest_to_string (guint8 *digest,

+ +                            gsize   digest_len);

+ +

+ +G_END_DECLS

+ +

+ +#endif

+ \ No newline at end of file

+ diff --git a/glib/ghmac-gnutls.c b/glib/ghmac-gnutls.c

+ new file mode 100644

+ index 000000000..90defb852

+ --- /dev/null

+ +++ b/glib/ghmac-gnutls.c

+ @@ -0,0 +1,155 @@

+ +/* ghmac.h - data hashing functions

+ + *

+ + * Copyright (C) 2011  Collabora Ltd.

+ + * Copyright (C) 2019  Red Hat, Inc.

+ + *

+ + * This library is free software; you can redistribute it and/or

+ + * modify it under the terms of the GNU Lesser General Public

+ + * License as published by the Free Software Foundation; either

+ + * version 2.1 of the License, or (at your option) any later version.

+ + *

+ + * This library is distributed in the hope that it will be useful,

+ + * but WITHOUT ANY WARRANTY; without even the implied warranty of

+ + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

+ + * Lesser General Public License for more details.

+ + *

+ + * You should have received a copy of the GNU Lesser General Public License

+ + * along with this library; if not, see <http://www.gnu.org/licenses/>.

+ + */

+ +

+ +#include "config.h"

+ +

+ +#include <string.h>

+ +#include <gnutls/crypto.h>

+ +

+ +#include "ghmac.h"

+ +

+ +#include "glib/galloca.h"

+ +#include "gatomic.h"

+ +#include "gslice.h"

+ +#include "gmem.h"

+ +#include "gstrfuncs.h"

+ +#include "gchecksumprivate.h"

+ +#include "gtestutils.h"

+ +#include "gtypes.h"

+ +#include "glibintl.h"

+ +

+ +#ifndef HAVE_GNUTLS

+ +#error "build configuration error"

+ +#endif

+ +

+ +struct _GHmac

+ +{

+ +  int ref_count;

+ +  GChecksumType digest_type;

+ +  gnutls_hmac_hd_t hmac;

+ +  gchar *digest_str;

+ +};

+ +

+ +GHmac *

+ +g_hmac_new (GChecksumType  digest_type,

+ +            const guchar  *key,

+ +            gsize          key_len)

+ +{

+ +  gnutls_mac_algorithm_t algo;

+ +  GHmac *hmac = g_slice_new0 (GHmac);

+ +  hmac->ref_count = 1;

+ +  hmac->digest_type = digest_type;  

+ +

+ +  switch (digest_type)

+ +    {

+ +    case G_CHECKSUM_MD5:

+ +      algo = GNUTLS_MAC_MD5;

+ +      break;

+ +    case G_CHECKSUM_SHA1:

+ +      algo = GNUTLS_MAC_SHA1;

+ +      break;

+ +    case G_CHECKSUM_SHA256:

+ +      algo = GNUTLS_MAC_SHA256;

+ +      break;

+ +    case G_CHECKSUM_SHA384:

+ +      algo = GNUTLS_MAC_SHA384;

+ +      break;

+ +    case G_CHECKSUM_SHA512:

+ +      algo = GNUTLS_MAC_SHA512;

+ +      break;

+ +    default:

+ +      g_return_val_if_reached (NULL);

+ +    }

+ +

+ +  gnutls_hmac_init (&hmac->hmac, algo, key, key_len);

+ +

+ +  return hmac;

+ +}

+ +

+ +GHmac *

+ +g_hmac_copy (const GHmac *hmac)

+ +{

+ +  g_error ("g_hmac_copy is not available with GnuTLS-backend GHmac");

+ +}

+ +

+ +GHmac *

+ +g_hmac_ref (GHmac *hmac)

+ +{

+ +  g_return_val_if_fail (hmac != NULL, NULL);

+ +

+ +  g_atomic_int_inc (&hmac->ref_count);

+ +

+ +  return hmac;

+ +}

+ +

+ +void

+ +g_hmac_unref (GHmac *hmac)

+ +{

+ +  g_return_if_fail (hmac != NULL);

+ +

+ +  if (g_atomic_int_dec_and_test (&hmac->ref_count))

+ +    {

+ +      gnutls_hmac_deinit (hmac->hmac, NULL);

+ +      g_free (hmac->digest_str);

+ +      g_slice_free (GHmac, hmac);

+ +    }

+ +}

+ +

+ +

+ +void

+ +g_hmac_update (GHmac        *hmac,

+ +               const guchar *data,

+ +               gssize        length)

+ +{

+ +  g_return_if_fail (hmac != NULL);

+ +  g_return_if_fail (length == 0 || data != NULL);

+ +

+ +  gnutls_hmac (hmac->hmac, data, length);

+ +}

+ +

+ +const gchar *

+ +g_hmac_get_string (GHmac *hmac)

+ +{

+ +  guint8 *buffer;

+ +  gsize digest_len;

+ +

+ +  g_return_val_if_fail (hmac != NULL, NULL);

+ +

+ +  if (hmac->digest_str)

+ +    return hmac->digest_str;

+ +

+ +  digest_len = g_checksum_type_get_length (hmac->digest_type);

+ +  buffer = g_alloca (digest_len);

+ +

+ +  gnutls_hmac_output (hmac->hmac, buffer);

+ +  hmac->digest_str = gchecksum_digest_to_string (buffer, digest_len);

+ +  return hmac->digest_str;

+ +}

+ +

+ +

+ +void

+ +g_hmac_get_digest (GHmac  *hmac,

+ +                   guint8 *buffer,

+ +                   gsize  *digest_len)

+ +{

+ +  g_return_if_fail (hmac != NULL);

+ +

+ +  gnutls_hmac_output (hmac->hmac, buffer);

+ +  *digest_len = g_checksum_type_get_length (hmac->digest_type);

+ +}

+ diff --git a/glib/ghmac.c b/glib/ghmac.c

+ index 79906a97f..b5df948f6 100644

+ --- a/glib/ghmac.c

+ +++ b/glib/ghmac.c

+ @@ -33,6 +33,9 @@

+  #include "gtypes.h"

+  #include "glibintl.h"

+  

+ +#ifdef HAVE_GNUTLS

+ +#error "build configuration error"

+ +#endif

+  

+  /**

+   * SECTION:hmac

+ diff --git a/glib/meson.build b/glib/meson.build

+ index ea496c053..bda0d3e26 100644

+ --- a/glib/meson.build

+ +++ b/glib/meson.build

+ @@ -149,7 +149,6 @@ glib_sources = files(

+    'gfileutils.c',

+    'ggettext.c',

+    'ghash.c',

+ -  'ghmac.c',

+    'ghmac-utils.c',

+    'ghook.c',

+    'ghostutils.c',

+ @@ -201,6 +200,7 @@ glib_sources = files(

+    'gurifuncs.c',

+    'gutils.c',

+    'gutilsprivate.h',

+ +  'gchecksumprivate.h',

+    'guuid.c',

+    'gvariant.c',

+    'gvariant-core.c',

+ @@ -245,6 +245,12 @@ else

+    glib_dtrace_hdr = []

+  endif

+  

+ +if get_option('gnutls')

+ +  glib_sources += files('ghmac-gnutls.c')

+ +else

+ +  glib_sources += files('ghmac.c')

+ +endif

+ +

+  pcre_static_args = []

+  

+  if use_pcre_static_flag

+ @@ -271,7 +277,7 @@ libglib = library('glib-2.0',

+    # intl.lib is not compatible with SAFESEH

+    link_args : [noseh_link_args, glib_link_flags, win32_ldflags],

+    include_directories : configinc,

+ -  dependencies : pcre_deps + [thread_dep, libintl, librt] + libiconv + platform_deps,

+ +  dependencies : pcre_deps + libgnutls_dep + [thread_dep, libintl, librt] + libiconv + platform_deps,

+    c_args : glib_c_args,

+    objc_args : glib_c_args,

+  )

+ diff --git a/glib/tests/hmac.c b/glib/tests/hmac.c

+ index 3ac3206df..5212c2523 100644

+ --- a/glib/tests/hmac.c

+ +++ b/glib/tests/hmac.c

+ @@ -1,3 +1,5 @@

+ +#include "config.h"

+ +

+  #include <glib.h>

+  #include <string.h>

+  #include <stdlib.h>

+ @@ -427,6 +429,9 @@ test_hmac_ref_unref (void)

+  static void

+  test_hmac_copy (void)

+  {

+ +#ifdef HAVE_GNUTLS

+ +  g_test_skip ("No g_hmac_copy with gnutls");

+ +#else

+    GHmac *hmac, *check;

+  

+    hmac = g_hmac_new (G_CHECKSUM_SHA256, (guchar*)"aaa", 3);

+ @@ -435,6 +440,7 @@ test_hmac_copy (void)

+    g_assert_cmpstr (g_hmac_get_string (hmac), ==, g_hmac_get_string (check));

+    g_hmac_unref (check);

+    g_hmac_unref (hmac);

+ +#endif

+  }

+  

+  static void

+ diff --git a/meson.build b/meson.build

+ index 832044947..139ff2d03 100644

+ --- a/meson.build

+ +++ b/meson.build

+ @@ -1815,6 +1815,13 @@ if host_system == 'linux' and get_option('libmount')

+    glib_conf.set('HAVE_LIBMOUNT', 1)

+  endif

+  

+ +# gnutls is used optionally by ghmac

+ +libgnutls_dep = []

+ +if get_option('gnutls')

+ +  libgnutls_dep = [dependency('gnutls', version : '>=3.6.7', required : true)]

+ +  glib_conf.set('HAVE_GNUTLS', 1)

+ +endif

+ +

+  if host_system == 'windows'

+    winsock2 = cc.find_library('ws2_32')

+  endif

+ diff --git a/meson_options.txt b/meson_options.txt

+ index 5c5b4dfe1..a4e4dcfaa 100644

+ --- a/meson_options.txt

+ +++ b/meson_options.txt

+ @@ -34,6 +34,11 @@ option('libmount',

+         value : true,

+         description : 'build with libmount support')

+  

+ +option('gnutls',

+ +       type : 'boolean',

+ +       value : false,

+ +       description : 'build with gnutls support')

+ +

+  option('internal_pcre',

+         type : 'boolean',

+         value : false,

+ -- 

+ 2.21.0

+ 
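Review bot: In ghmac-gnutls.c, g_hmac_new() discards the return value of gnutls_hmac_init(), so when the init fails (GnuTLS reports a negative error code, which a FIPS policy that disables an algorithm such as MD5 makes a realistic outcome on exactly the builds this patch targets) the function still returns a GHmac whose handle is the zero left by g_slice_new0(), and the later gnutls_hmac()/gnutls_hmac_output() calls operate on that handle even though the ghmac-utils.c wrappers already handle a NULL result from g_hmac_new(). The default branch of the switch likewise returns through g_return_val_if_reached() after the GHmac was allocated, leaking the slice, which moving the allocation after the switch avoids. Two smaller points in the same file: g_hmac_get_digest() writes g_checksum_type_get_length() bytes into buffer without first checking the caller-supplied *digest_len (the gchecksum-backed ghmac.c guards this with a g_return_if_fail(), if I recall correctly), and gnutls_hmac_output() resets the MAC state as far as I can tell from the GnuTLS documentation, so g_hmac_get_digest() called after g_hmac_get_string() would not yield the cached digest's value. The header comment of the new gchecksumprivate.h (`gstdioprivate.h - Private GLib stdio functions` plus a 2017 copyright line copied from another file) should also be corrected.
```c
GHmac *
g_hmac_new (GChecksumType  digest_type,
            const guchar  *key,
            gsize          key_len)
{
  gnutls_mac_algorithm_t algo;
  GHmac *hmac;
  int ret;

  /* … unchanged: switch (digest_type) mapping to algo, default: g_return_val_if_reached (NULL) … */

  /* Allocate only once the algorithm is known, so the default branch above cannot leak. */
  hmac = g_slice_new0 (GHmac);
  hmac->ref_count = 1;
  hmac->digest_type = digest_type;

  /* GnuTLS returns a negative error code when the MAC cannot be set up,
   * e.g. when the algorithm is disabled by the library's policy. */
  ret = gnutls_hmac_init (&hmac->hmac, algo, key, key_len);
  if (ret < 0)
    {
      g_slice_free (GHmac, hmac);
      return NULL;
    }

  return hmac;
}
```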

file modified
+11 -1
@@ -2,13 +2,19 @@ 

  

  Name: glib2

  Version: 2.61.1

- Release: 1%{?dist}

+ Release: 2%{?dist}

  Summary: A library of handy utility functions

  

  License: LGPLv2+

  URL: http://www.gtk.org

  Source0: http://download.gnome.org/sources/glib/2.61/glib-%{version}.tar.xz

  

+ # https://gitlab.gnome.org/GNOME/glib/merge_requests/903

+ # https://bugzilla.redhat.com/show_bug.cgi?id=1630260

+ Patch37: ghmac-gnutls.patch

+ # And the BR for this

+ BuildRequires: pkgconfig(gnutls)

+ 

  BuildRequires: chrpath

  BuildRequires: gcc

  BuildRequires: gcc-c++
@@ -93,6 +99,7 @@ 

      -Dsystemtap=true \

      -Dgtk_doc=true \

      -Dfam=true \

+     -Dgnutls=true \

      -Dinstalled_tests=true

  

  %meson_build
@@ -219,6 +226,9 @@ 

  %{_datadir}/installed-tests

  

  %changelog

+ * Mon Jun 10 2019 Colin Walters <walters@redhat.com> - 2.60.3-2

+ - Back GHmac with GnuTLS for FIPS

+ 

  * Fri May 24 2019 Kalev Lember <klember@redhat.com> - 2.61.1-1

  - Update to 2.61.1

  
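Review bot: The new %changelog entry is tagged `2.60.3-2` while the spec's Version is 2.61.1 and Release is bumped to 2, so the header should read `* Mon Jun 10 2019 Colin Walters <walters@redhat.com> - 2.61.1-2`; a changelog/EVR mismatch is also something rpmlint reports. Whether Patch37 is actually applied depends on the %prep section, which lies outside this diff (an `%autosetup -p1` applies it automatically, a plain `%setup` would not), so that is worth confirming. The `BuildRequires: pkgconfig(gnutls)` line matches the `-Dgnutls=true` option since the patched meson.build resolves the backend via dependency('gnutls', version : '>=3.6.7').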

I don't think this is an appropriate use of a downstream patch. It should either be, er, hashed out upstream, or else just remain RHEL-specific.

or else just remain RHEL-specific.

I understand your point of view, and I think debating it here is good.

However, unless you have a specific technical objection (new information specific to Fedora that isn't also an argument against applying upstream) - bigger picture, an important aspect of Fedora is being an upstream for RHEL. Sometimes we do things or carry changes in Fedora that are somewhat RHEL focused because basically that's how a lot of the people who are employed to work on Fedora and the broader FOSS ecosystem derive their income. It's an important aspect of sustaining the project.

(In practice of course Fedora and RHEL do diverge in sometimes unnecessary ways but that's mostly for bad reasons, not intentional)

You're replacing a public GLib API function with g_error(), and the whole thing is a workaround for a problem that doesn't even affect Fedora. This is a tough problem best discussed and solved upstream.

If we add a large downstream patch then I'm pretty sure it's going to end up with me having to rebase it with each upstream release. I'd much prefer having it upstream because of that :)

But if upstreaming it fails and the patch is really necessary for RHEL, then I think it makes sense to keep Fedora and RHEL in sync wrt the patch (even if it ends up being more work for me).

So the upstreaming discussion is going rather badly. I'll drop my objection if you can implement g_hmac_copy(), either with new GnuTLS API, or by using something other than GnuTLS. If that's too hard, then I really think this should be RHEL-only.

g_hmac_copy() is now available, so I think this would be OK for F31 provided the patch is updated to use g_hmac_copy().

g_hmac_copy() is now available, so I think this would be OK for F31 provided the patch is updated to use g_hmac_copy().

Whoops, I meant gnutls_hmac_copy(), from https://gitlab.com/gnutls/gnutls/-/merge_requests/1035.


Since this is needed in ELN, I'm going to go ahead and push an updated version of this patch that uses gnutls_hmac_copy(). (I've also poked a bit upstream, but I expect this will require a substantial rework to upstream.)

Kalev, if you wind up hitting any nontrivial rebase conflict in the future, feel free to dump the problem on me (although hopefully it should be rare, as this code is not touched terribly often).

Kalev, if you wind up hitting any nontrivial rebase conflict in the future, feel free to dump the problem on me (although hopefully it should be rare, as this code is not touched terribly often).

Will do!
