fips: rename hmac file to its previous name

Resolves: rhbz#2148269 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2022-12-15 10:30:55 +01:00 · 2022-12-15 10:30:55 +01:00 · 0efdf6a30a
commit 0efdf6a30a
parent 9727693a0e
3 changed files with 612 additions and 56 deletions
--- a/gnutls-3.7.6-gmp-static.patch
+++ b/gnutls-3.7.6-gmp-static.patch
@ -1,4 +1,3 @@
-From 88808f0b8906bdc32579c144a2c44401ee97798a Mon Sep 17 00:00:00 2001
 From: Daiki Ueno <ueno@gnu.org>
 Date: Fri, 19 Aug 2022 12:32:27 +0900
 Subject: [PATCH] build: allow GMP to be statically linked
@ -17,17 +16,10 @@ and libhogweed in Nettle is also linked to the static library of GMP.

 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 ---
- configure.ac   | 14 +++++++++++++-
- lib/fips.c     | 10 ++++++++++
- lib/fipshmac.c |  5 ++++-
- lib/global.c   |  2 ++
- 4 files changed, 29 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 96894b0be3..e4cf5eab81 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -742,6 +742,8 @@ AC_CHECK_FUNCS(nettle_cmac_kuznyechik_update)
+diff --color -ruNp a/configure.ac b/configure.ac
+--- a/configure.ac	2022-12-15 11:06:16.782726043 +0100
+++ b/configure.ac	2022-12-15 11:08:35.603451427 +0100
+@@ -744,6 +744,8 @@ AC_CHECK_FUNCS(nettle_cmac_kuznyechik_up
 LIBS=$save_LIBS
 
 # Check sonames of the linked libraries needed for FIPS selftests.
@ -36,7 +28,7 @@ index 96894b0be3..e4cf5eab81 100644
 save_LIBS=$LIBS
 LIBS="$LIBS $GMP_LIBS"
 AC_MSG_CHECKING([gmp soname])
-@@ -755,9 +757,14 @@ if test -z "$gmp_so"; then
+@@ -757,9 +759,14 @@ if test -z "$gmp_so"; then
 	gmp_so=none
 fi
 AC_MSG_RESULT($gmp_so)
@ -52,7 +44,7 @@ index 96894b0be3..e4cf5eab81 100644
 save_LIBS=$LIBS
 LIBS="$LIBS $NETTLE_LIBS"
 AC_MSG_CHECKING([nettle soname])
-@@ -773,7 +780,11 @@ fi
+@@ -775,7 +782,11 @@ fi
 AC_MSG_RESULT($nettle_so)
 AC_DEFINE_UNQUOTED([NETTLE_LIBRARY_SONAME], ["$nettle_so"], [The soname of nettle library])
 LIBS=$save_LIBS
@ -64,7 +56,7 @@ index 96894b0be3..e4cf5eab81 100644
 save_LIBS=$LIBS
 LIBS="$LIBS $HOGWEED_LIBS"
 AC_MSG_CHECKING([hogweed soname])
-@@ -789,6 +800,7 @@ fi
+@@ -791,6 +802,7 @@ fi
 AC_MSG_RESULT($hogweed_so)
 AC_DEFINE_UNQUOTED([HOGWEED_LIBRARY_SONAME], ["$hogweed_so"], [The soname of hogweed library])
 LIBS=$save_LIBS
@ -72,33 +64,42 @@ index 96894b0be3..e4cf5eab81 100644
 
 gnutls_so=libgnutls.so.`expr "$LT_CURRENT" - "$LT_AGE"`
 AC_DEFINE_UNQUOTED([GNUTLS_LIBRARY_SONAME], ["$gnutls_so"], [The soname of gnutls library])
-diff --git a/lib/fips.c b/lib/fips.c
-index 54eb4a37d4..42124ecf4e 100644
--- a/lib/fips.c
-+++ b/lib/fips.c
-@@ -149,7 +149,11 @@ void _gnutls_fips_mode_reset_zombie(void)
+diff --color -ruNp a/lib/fips.c b/lib/fips.c
+--- a/lib/fips.c	2022-12-15 11:06:16.868727731 +0100
+++ b/lib/fips.c	2022-12-15 11:12:42.744303409 +0100
+@@ -155,7 +155,11 @@ void _gnutls_fips_mode_reset_zombie(void
 #define GNUTLS_LIBRARY_NAME GNUTLS_LIBRARY_SONAME
 #define NETTLE_LIBRARY_NAME NETTLE_LIBRARY_SONAME
 #define HOGWEED_LIBRARY_NAME HOGWEED_LIBRARY_SONAME
 +
-+/* GMP can be statically linked. */
+/* GMP can be statically linked */
 +#ifdef GMP_LIBRARY_SONAME
 #define GMP_LIBRARY_NAME GMP_LIBRARY_SONAME
 +#endif
 
 #define HMAC_SIZE 32
 #define HMAC_ALGO GNUTLS_MAC_SHA256
-@@ -168,7 +172,9 @@ typedef struct
+@@ -173,7 +177,9 @@ struct hmac_file
 	struct hmac_entry gnutls;
 	struct hmac_entry nettle;
 	struct hmac_entry hogweed;
 +#ifdef GMP_LIBRARY_SONAME
 	struct hmac_entry gmp;
 +#endif
- } hmac_file;
+ };
 
- static int get_library_path(const char* lib, const char* symbol, char* path, size_t path_size)
-@@ -259,8 +265,10 @@ static int handler(void *user, const char *section, const char *name, const char
+ struct lib_paths
+@@ -181,7 +187,9 @@ struct lib_paths
+ 	char gnutls[GNUTLS_PATH_MAX];
+ 	char nettle[GNUTLS_PATH_MAX];
+ 	char hogweed[GNUTLS_PATH_MAX];
+#ifdef GMP_LIBRARY_SONAME
+ 	char gmp[GNUTLS_PATH_MAX];
+#endif
+ };
+ 
+ /*
+@@ -245,8 +253,10 @@ static int handler(void *user, const cha
 		return lib_handler(&p->nettle, section, name, value);
 	} else if (!strcmp(section, HOGWEED_LIBRARY_NAME)) {
 		return lib_handler(&p->hogweed, section, name, value);
@ -109,42 +110,60 @@ index 54eb4a37d4..42124ecf4e 100644
 	} else {
 		return 0;
 	}
-@@ -408,9 +416,11 @@ static int check_binary_integrity(void)
- 	ret = check_lib_hmac(&file.hogweed, HOGWEED_LIBRARY_NAME, "nettle_mpz_sizeinbase_256_u");
+@@ -389,8 +399,10 @@ static int callback(struct dl_phdr_info
+ 		_gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path);
+ 	else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
+ 		_gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path);
+#ifdef GMP_LIBRARY_SONAME
+ 	else if (!strcmp(soname, GMP_LIBRARY_SONAME))
+ 		_gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path);
+#endif
+ 	return 0;
+ }
+ 
+@@ -411,10 +423,12 @@ static int load_lib_paths(struct lib_pat
+ 		_gnutls_debug_log("Hogweed library path was not found\n");
+ 		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+ 	}
+#ifdef GMP_LIBRARY_SONAME
+ 	if (paths->gmp[0] == '\0') {
+ 		_gnutls_debug_log("Gmp library path was not found\n");
+ 		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+ 	}
+#endif
+ 
+ 	return GNUTLS_E_SUCCESS;
+ }
+@@ -467,9 +481,11 @@ static int check_binary_integrity(void)
+ 	ret = check_lib_hmac(&hmac.hogweed, paths.hogweed);
 	if (ret < 0)
 		return ret;
 +#ifdef GMP_LIBRARY_SONAME
- 	ret = check_lib_hmac(&file.gmp, GMP_LIBRARY_NAME, "__gmpz_init");
+ 	ret = check_lib_hmac(&hmac.gmp, paths.gmp);
 	if (ret < 0)
 		return ret;
 +#endif
 
 	return 0;
 }
-diff --git a/lib/fipshmac.c b/lib/fipshmac.c
-index b091572bdf..363077f3e2 100644
--- a/lib/fipshmac.c
-+++ b/lib/fipshmac.c
-@@ -159,10 +159,13 @@ int main(int argc, char **argv)
- 	ret = print_lib_dl(HOGWEED_LIBRARY_SONAME, "nettle_mpz_sizeinbase_256_u");
- 	if (ret < 0)
- 		return EXIT_FAILURE;
-	
-+
-+	/* GMP can be statically linked. */
+diff --color -ruNp a/lib/fipshmac.c b/lib/fipshmac.c
+--- a/lib/fipshmac.c	2022-12-15 11:06:16.785726102 +0100
+++ b/lib/fipshmac.c	2022-12-15 11:13:34.533320156 +0100
+@@ -107,8 +107,10 @@ static int callback(struct dl_phdr_info
+ 		return print_lib(path, soname);
+ 	if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
+ 		return print_lib(path, soname);
 +#ifdef GMP_LIBRARY_SONAME
- 	ret = print_lib_dl(GMP_LIBRARY_SONAME, "__gmpz_init");
- 	if (ret < 0)
- 		return EXIT_FAILURE;
+ 	if (!strcmp(soname, GMP_LIBRARY_SONAME))
+ 		return print_lib(path, soname);
 +#endif
- 
- 	return EXIT_SUCCESS;
+         return 0;
 }
-diff --git a/lib/global.c b/lib/global.c
-index 1b372c15bd..9f3c7b22bd 100644
--- a/lib/global.c
-+++ b/lib/global.c
-@@ -548,7 +548,9 @@ static const struct gnutls_library_config_st _gnutls_library_config[] = {
+ 
+diff --color -ruNp a/lib/global.c b/lib/global.c
+--- a/lib/global.c	2022-12-15 11:06:16.061711888 +0100
+++ b/lib/global.c	2022-12-15 11:08:35.604451446 +0100
+@@ -540,7 +540,9 @@ static const struct gnutls_library_confi
 	{ "libgnutls-soname", GNUTLS_LIBRARY_SONAME },
 	{ "libnettle-soname", NETTLE_LIBRARY_SONAME },
 	{ "libhogweed-soname", HOGWEED_LIBRARY_SONAME },
@ -154,6 +173,3 @@ index 1b372c15bd..9f3c7b22bd 100644
 	{ "hardware-features", HW_FEATURES },
 	{ "tls-features", TLS_FEATURES },
 	{ NULL, NULL }
-- 
-2.37.1
-
--- a/gnutls-3.7.8-revert-hmac-name.patch
+++ b/gnutls-3.7.8-revert-hmac-name.patch
@ -0,0 +1,534 @@
+diff --color -ruNp a/configure.ac b/configure.ac
+--- a/configure.ac	2022-05-27 09:17:26.000000000 +0200
+++ b/configure.ac	2022-12-15 11:00:18.830698584 +0100
+@@ -619,6 +619,8 @@ if [ test "$enable_fips" = "yes" ];then
+     if test "x$fips_module_version" != xnone; then
+        AC_DEFINE_UNQUOTED([FIPS_MODULE_VERSION], ["$fips_module_version"], [The FIPS140 module version])
+     fi
+
+    AC_CHECK_FUNCS(dl_iterate_phdr)
+   else
+     enable_fips=no
+     AC_MSG_WARN([[
+diff --color -ruNp a/lib/fips.c b/lib/fips.c
+--- a/lib/fips.c	2022-12-15 10:59:57.460279029 +0100
+++ b/lib/fips.c	2022-12-15 11:00:18.831698604 +0100
+@@ -23,9 +23,11 @@
+ #include <gnutls/gnutls.h>
+ #include <gnutls/crypto.h>
+ #include <unistd.h>
+#include "dirname.h"
+ #include "errors.h"
+ #include "file.h"
+ #include "inih/ini.h"
+#include "str.h"
+ #include <fips.h>
+ #include <gnutls/self-test.h>
+ #include <stdio.h>
+@@ -34,6 +36,10 @@
+ 
+ #include "gthreads.h"
+ 
+#ifdef HAVE_DL_ITERATE_PHDR
+#include <link.h>
+#endif
+
+ unsigned int _gnutls_lib_state = LIB_STATE_POWERON;
+ 
+ struct gnutls_fips140_context_st {
+@@ -153,7 +159,6 @@ void _gnutls_fips_mode_reset_zombie(void
+ 
+ #define HMAC_SIZE 32
+ #define HMAC_ALGO GNUTLS_MAC_SHA256
+-#define HMAC_FILE_NAME ".gnutls.hmac"
+ #define HMAC_FORMAT_VERSION 1
+ 
+ struct hmac_entry
+@@ -162,51 +167,32 @@ struct hmac_entry
+ 	uint8_t hmac[HMAC_SIZE];
+ };
+ 
+-typedef struct
+struct hmac_file
+ {
+ 	int version;
+ 	struct hmac_entry gnutls;
+ 	struct hmac_entry nettle;
+ 	struct hmac_entry hogweed;
+ 	struct hmac_entry gmp;
+-} hmac_file;
+};
+ 
+-static int get_library_path(const char* lib, const char* symbol, char* path, size_t path_size)
+struct lib_paths
+ {
+-	int ret;
+-	void *dl, *sym;
+-	Dl_info info;
+-
+-	dl = dlopen(lib, RTLD_LAZY);
+-	if (dl == NULL)
+-		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+-
+-	sym = dlsym(dl, symbol);
+-	if (sym == NULL) {
+-		ret = gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+-		goto cleanup;
+-	}
+-
+-	ret = dladdr(sym, &info);
+-	if (ret == 0) {
+-		ret = gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+-		goto cleanup;
+-	}
+-
+-	ret = snprintf(path, path_size, "%s", info.dli_fname);
+-	if ((size_t)ret >= path_size) {
+-		ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+-		goto cleanup;
+-	}
+-
+-	ret = 0;
+-cleanup:
+-	dlclose(dl);
+-	return ret;
+-}
+	char gnutls[GNUTLS_PATH_MAX];
+	char nettle[GNUTLS_PATH_MAX];
+	char hogweed[GNUTLS_PATH_MAX];
+	char gmp[GNUTLS_PATH_MAX];
+};
+ 
+-/* Parses hmac data and copies hex value into dest.
+/*
+ * get_hmac:
+ * @dest: buffer for the hex value
+ * @value: hmac value
+ *
+ * Parses hmac data and copies hex value into dest.
+  * dest must point to at least HMAC_SIZE amount of memory
+ *
+ * Returns: 0 on success, a negative error code otherwise
+  */
+ static int get_hmac(uint8_t *dest, const char *value)
+ {
+@@ -245,7 +231,7 @@ lib_handler(struct hmac_entry *entry,
+ 
+ static int handler(void *user, const char *section, const char *name, const char *value)
+ {
+-	hmac_file *p = (hmac_file *)user;
+	struct hmac_file *p = (struct hmac_file *)user;
+ 
+ 	if (!strcmp(section, "global")) {
+ 		if (!strcmp(name, "format-version")) {
+@@ -267,24 +253,29 @@ static int handler(void *user, const cha
+ 	return 1;
+ }
+ 
+-static int get_hmac_path(char *mac_file, size_t mac_file_size)
+/*
+ * get_hmac_path:
+ * @mac_file: buffer where the hmac file path will be written to
+ * @mac_file_size: size of the mac_file buffer
+ * @gnutls_path: path to the gnutls library, used to deduce hmac file path
+ * 
+ * Deduces hmac file path from the gnutls library path.
+ *
+ * Returns: 0 on success, a negative error code otherwise
+ */
+static int get_hmac_path(char *mac_file, size_t mac_file_size, const char *gnutls_path)
+ {
+ 	int ret;
+ 	char *p;
+-	char file[GNUTLS_PATH_MAX];
+ 
+-	ret = get_library_path(GNUTLS_LIBRARY_NAME, "gnutls_global_init",
+-			       file, sizeof(file));
+-	if (ret < 0)
+-		return ret;
+-
+-	p = strrchr(file, '/');
+	p = strrchr(gnutls_path, '/');
+ 
+ 	if (p == NULL)
+-		ret = snprintf(mac_file, mac_file_size, HMAC_FILE_NAME);
+		ret = snprintf(mac_file, mac_file_size, ".%s.hmac", gnutls_path);
+ 	else
+-		ret = snprintf(mac_file, mac_file_size,
+-			       "%.*s/"HMAC_FILE_NAME, (int)(p - file), file);
+		ret = snprintf(mac_file, mac_file_size, "%.*s/.%s.hmac",
+			       (int)(p - gnutls_path), gnutls_path, p + 1);
+
+ 	if ((size_t)ret >= mac_file_size)
+ 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ 
+@@ -293,10 +284,11 @@ static int get_hmac_path(char *mac_file,
+ 		return GNUTLS_E_SUCCESS;
+ 
+ 	if (p == NULL)
+-		ret = snprintf(mac_file, mac_file_size, "fipscheck/"HMAC_FILE_NAME);
+		ret = snprintf(mac_file, mac_file_size, "fipscheck/.%s.hmac", gnutls_path);
+ 	else
+-		ret = snprintf(mac_file, mac_file_size,
+-			       "%.*s/fipscheck/"HMAC_FILE_NAME, (int)(p - file), file);
+		ret = snprintf(mac_file, mac_file_size, "%.*s/fipscheck/.%s.hmac",
+			       (int)(p - gnutls_path), gnutls_path, p + 1);
+
+ 	if ((size_t)ret >= mac_file_size)
+ 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+ 
+@@ -307,51 +299,52 @@ static int get_hmac_path(char *mac_file,
+ 	return GNUTLS_E_FILE_ERROR;
+ }
+ 
+-static int load_hmac_file(hmac_file *p)
+/*
+ * load_hmac_file:
+ * @hmac_file: hmac file structure
+ * @hmac_path: path to the hmac file
+ *
+ * Loads the hmac file into the hmac file structure.
+ *
+ * Returns: 0 on success, a negative error code otherwise
+ */
+static int load_hmac_file(struct hmac_file *hmac_file, const char *hmac_path)
+ {
+ 	int ret;
+ 	FILE *stream;
+-	char hmac_path[GNUTLS_PATH_MAX];
+-
+-	ret = get_hmac_path(hmac_path, sizeof(hmac_path));
+-	if (ret < 0)
+-		return gnutls_assert_val(ret);
+ 
+ 	stream = fopen(hmac_path, "r");
+ 	if (stream == NULL)
+ 		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+ 
+-	gnutls_memset(p, 0, sizeof(*p));
+-	ret = ini_parse_file(stream, handler, p);
+	gnutls_memset(hmac_file, 0, sizeof(*hmac_file));
+	ret = ini_parse_file(stream, handler, hmac_file);
+ 	fclose(stream);
+ 	if (ret < 0)
+ 		return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
+ 
+-	if (p->version != HMAC_FORMAT_VERSION)
+	if (hmac_file->version != HMAC_FORMAT_VERSION)
+ 		return gnutls_assert_val(GNUTLS_E_PARSING_ERROR);
+ 
+ 	return 0;
+ }
+ 
+-/* Run an HMAC using the key above on the library binary data.
+- * Returns 0 on success and negative value on error.
+/*
+ * check_lib_hmac:
+ * @entry: hmac file entry
+ * @path: path to the library which hmac should be compared
+ *
+ * Verify that HMAC from hmac file entry matches HMAC of given library.
+ *
+ * Returns: 0 on successful HMAC verification, a negative error code otherwise
+  */
+-static int check_lib_hmac(struct hmac_entry *entry,
+-			  const char *lib, const char *sym)
+static int check_lib_hmac(struct hmac_entry *entry, const char *path)
+ {
+ 	int ret;
+ 	unsigned prev;
+-	char path[GNUTLS_PATH_MAX];
+ 	uint8_t hmac[HMAC_SIZE];
+ 	gnutls_datum_t data;
+ 
+-	ret = get_library_path(lib, sym, path, sizeof(path));
+-	if (ret < 0) {
+-		_gnutls_debug_log("Could not get lib path for %s: %s\n",
+-				  lib, gnutls_strerror(ret));
+-		return gnutls_assert_val(ret);
+-	}
+-
+ 	_gnutls_debug_log("Loading: %s\n", path);
+ 	ret = gnutls_load_file(path, &data);
+ 	if (ret < 0) {
+@@ -382,28 +375,99 @@ static int check_lib_hmac(struct hmac_en
+ 	return 0;
+ }
+ 
+#ifdef HAVE_DL_ITERATE_PHDR
+
+static int callback(struct dl_phdr_info *info, size_t size, void *data)
+{
+	const char *path = info->dlpi_name;
+	const char *soname = last_component(path);
+	struct lib_paths *paths = (struct lib_paths *)data;
+
+	if (!strcmp(soname, GNUTLS_LIBRARY_SONAME))
+		_gnutls_str_cpy(paths->gnutls, GNUTLS_PATH_MAX, path);
+	else if (!strcmp(soname, NETTLE_LIBRARY_SONAME))
+		_gnutls_str_cpy(paths->nettle, GNUTLS_PATH_MAX, path);
+	else if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
+		_gnutls_str_cpy(paths->hogweed, GNUTLS_PATH_MAX, path);
+	else if (!strcmp(soname, GMP_LIBRARY_SONAME))
+		_gnutls_str_cpy(paths->gmp, GNUTLS_PATH_MAX, path);
+	return 0;
+}
+
+static int load_lib_paths(struct lib_paths *paths)
+{
+	memset(paths, 0, sizeof(*paths));
+	dl_iterate_phdr(callback, paths);
+	
+	if (paths->gnutls[0] == '\0') {
+		_gnutls_debug_log("Gnutls library path was not found\n");
+		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+	}
+	if (paths->nettle[0] == '\0') {
+		_gnutls_debug_log("Nettle library path was not found\n");
+		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+	}
+	if (paths->hogweed[0] == '\0') {
+		_gnutls_debug_log("Hogweed library path was not found\n");
+		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+	}
+	if (paths->gmp[0] == '\0') {
+		_gnutls_debug_log("Gmp library path was not found\n");
+		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+	}
+
+	return GNUTLS_E_SUCCESS;
+}
+
+#else
+
+static int load_lib_paths(struct lib_paths *paths)
+{
+	(void)paths;
+	_gnutls_debug_log("Function dl_iterate_phdr is missing\n");
+	return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+}
+
+#endif /* HAVE_DL_ITERATE_PHDR */
+
+ static int check_binary_integrity(void)
+ {
+ 	int ret;
+-	hmac_file file;
+	struct lib_paths paths;
+	struct hmac_file hmac;
+	char hmac_path[GNUTLS_PATH_MAX];
+
+	ret = load_lib_paths(&paths);
+	if (ret < 0) {
+		_gnutls_debug_log("Could not load library paths: %s\n",
+				  gnutls_strerror(ret));
+		return ret;
+	}
+
+	ret = get_hmac_path(hmac_path, sizeof(hmac_path), paths.gnutls);
+	if (ret < 0) {
+		_gnutls_debug_log("Could not get hmac file path: %s\n",
+				  gnutls_strerror(ret));
+		return ret;
+	}
+ 
+-	ret = load_hmac_file(&file);
+	ret = load_hmac_file(&hmac, hmac_path);
+ 	if (ret < 0) {
+ 		_gnutls_debug_log("Could not load hmac file: %s\n",
+ 				  gnutls_strerror(ret));
+ 		return ret;
+ 	}
+ 
+-	ret = check_lib_hmac(&file.gnutls, GNUTLS_LIBRARY_NAME, "gnutls_global_init");
+	ret = check_lib_hmac(&hmac.gnutls, paths.gnutls);
+ 	if (ret < 0)
+ 		return ret;
+-	ret = check_lib_hmac(&file.nettle, NETTLE_LIBRARY_NAME, "nettle_aes_set_encrypt_key");
+	ret = check_lib_hmac(&hmac.nettle, paths.nettle);
+ 	if (ret < 0)
+ 		return ret;
+-	ret = check_lib_hmac(&file.hogweed, HOGWEED_LIBRARY_NAME, "nettle_mpz_sizeinbase_256_u");
+	ret = check_lib_hmac(&hmac.hogweed, paths.hogweed);
+ 	if (ret < 0)
+ 		return ret;
+-	ret = check_lib_hmac(&file.gmp, GMP_LIBRARY_NAME, "__gmpz_init");
+	ret = check_lib_hmac(&hmac.gmp, paths.gmp);
+ 	if (ret < 0)
+ 		return ret;
+ 
+diff --color -ruNp a/lib/fipshmac.c b/lib/fipshmac.c
+--- a/lib/fipshmac.c	2022-12-15 10:59:57.461279049 +0100
+++ b/lib/fipshmac.c	2022-12-15 11:00:18.832698623 +0100
+@@ -22,12 +22,14 @@
+ 
+ #include "config.h"
+ 
+-#include <gnutls/gnutls.h>
+-#include <gnutls/crypto.h>
+-#include <dlfcn.h>
+-#include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+
+#ifdef HAVE_DL_ITERATE_PHDR
+
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+#include <link.h>
+ #include "dirname.h"
+ #include "errors.h"
+ 
+@@ -36,40 +38,6 @@
+ #define HMAC_ALGO GNUTLS_MAC_SHA256
+ #define HMAC_STR_SIZE (2 * HMAC_SIZE + 1)
+ 
+-static int get_path(const char *lib, const char *symbol, char *path, size_t path_size)
+-{
+-	int ret;
+-	void *dl, *sym;
+-	Dl_info info;
+-
+-	dl = dlopen(lib, RTLD_LAZY);
+-	if (dl == NULL)
+-		return gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+-
+-	sym = dlsym(dl, symbol);
+-	if (sym == NULL) {
+-		ret = gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+-		goto cleanup;
+-	}
+-
+-	ret = dladdr(sym, &info);
+-	if (ret == 0) {
+-		ret = gnutls_assert_val(GNUTLS_E_FILE_ERROR);
+-		goto cleanup;
+-	}
+-
+-	ret = snprintf(path, path_size, "%s", info.dli_fname);
+-	if ((size_t)ret >= path_size) {
+-		ret = gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
+-		goto cleanup;
+-	}
+-
+-	ret = 0;
+-cleanup:
+-	dlclose(dl);
+-	return ret;
+-}
+-
+ static int get_hmac(const char *path, char *hmac, size_t hmac_size)
+ {
+ 	int ret;
+@@ -99,7 +67,7 @@ static int get_hmac(const char *path, ch
+ 	return 0;
+ }
+ 
+-static int print_lib_path(const char *path)
+static int print_lib(const char *path, const char *soname)
+ {
+ 	int ret;
+ 	char *real_path = NULL;
+@@ -119,7 +87,7 @@ static int print_lib_path(const char *pa
+ 		goto cleanup;
+ 	}
+ 
+-	printf("[%s]\n", last_component(path));
+	printf("[%s]\n", soname);
+ 	printf("path = %s\n", real_path);
+ 	printf("hmac = %s\n", hmac);
+ 
+@@ -128,25 +96,24 @@ cleanup:
+ 	return ret;
+ }
+ 
+-static int print_lib_dl(const char *lib, const char *sym)
+static int callback(struct dl_phdr_info *info, size_t size, void *data)
+ {
+-	int ret;
+-	char path[GNUTLS_PATH_MAX];
+-
+-	ret = get_path(lib, sym, path, sizeof(path));
+-	if (ret < 0) {
+-		fprintf(stderr, "Could not get lib path for %s: %s\n",
+-                        lib, gnutls_strerror(ret));
+-		return ret;
+-	}
+	const char *path = info->dlpi_name;
+	const char *soname = last_component(path);
+ 
+-	return print_lib_path(path);
+	if (!strcmp(soname, GNUTLS_LIBRARY_SONAME))
+		return print_lib(data ? data : path, soname);
+	if (!strcmp(soname, NETTLE_LIBRARY_SONAME))
+		return print_lib(path, soname);
+	if (!strcmp(soname, HOGWEED_LIBRARY_SONAME))
+		return print_lib(path, soname);
+	if (!strcmp(soname, GMP_LIBRARY_SONAME))
+		return print_lib(path, soname);
+        return 0;
+ }
+ 
+ int main(int argc, char **argv)
+ {
+-	int ret;
+-
+ 	if (argc != 1 && argc != 2) {
+ 		fprintf(stderr, "Usage: %s [gnutls_so_path]\n", last_component(argv[0]));
+ 		return EXIT_FAILURE;
+@@ -155,24 +122,15 @@ int main(int argc, char **argv)
+ 	printf("[global]\n");
+ 	printf("format-version = %d\n", FORMAT_VERSION);
+ 
+-	if (argc == 2)
+-		ret = print_lib_path(argv[1]);
+-	else
+-		ret = print_lib_dl(GNUTLS_LIBRARY_SONAME, "gnutls_global_init");
+-	if (ret < 0)
+-		return EXIT_FAILURE;
+	return dl_iterate_phdr(callback, argc == 2 ? argv[1] : NULL);
+}
+ 
+-	ret = print_lib_dl(NETTLE_LIBRARY_SONAME, "nettle_aes_set_encrypt_key");
+-	if (ret < 0)
+-		return EXIT_FAILURE;
+-	
+-	ret = print_lib_dl(HOGWEED_LIBRARY_SONAME, "nettle_mpz_sizeinbase_256_u");
+-	if (ret < 0)
+-		return EXIT_FAILURE;
+-	
+-	ret = print_lib_dl(GMP_LIBRARY_SONAME, "__gmpz_init");
+-	if (ret < 0)
+-		return EXIT_FAILURE;
+#else
+ 
+-	return EXIT_SUCCESS;
+int main(void)
+{
+	fprintf(stderr, "Function dl_iterate_phdr is missing\n");
+	return EXIT_FAILURE;
+ }
+
+#endif /* HAVE_DL_ITERATE_PHDR */
+diff --color -ruNp a/lib/Makefile.am b/lib/Makefile.am
+--- a/lib/Makefile.am	2022-05-18 16:46:00.000000000 +0200
+++ b/lib/Makefile.am	2022-12-15 11:00:18.789697779 +0100
+@@ -202,14 +202,14 @@ noinst_PROGRAMS = fipshmac
+ fipshmac_SOURCES = fipshmac.c
+ fipshmac_LDADD = libgnutls.la ../gl/libgnu.la
+ 
+-hmac_files = .libs/.gnutls.hmac
+hmac_file = .libs/.$(gnutls_so).hmac
+ 
+-all-local: $(hmac_files)
+all-local: $(hmac_file)
+ 
+-.libs/.gnutls.hmac: libgnutls.la fipshmac
+$(hmac_file): libgnutls.la fipshmac
+ 	$(AM_V_GEN) $(builddir)/fipshmac > $@-t && mv $@-t $@
+ 
+-CLEANFILES = $(hmac_files)
+CLEANFILES = $(hmac_file)
+ endif
+ 
+ if NEED_LTLIBDL
--- a/gnutls.spec
+++ b/gnutls.spec
@ -13,7 +13,7 @@ print(string.sub(hash, 0, 16))
 }

 Version: 3.7.6
-Release: 14%{?dist}
+Release: 15%{?dist}
 # not upstreamed
 Patch: gnutls-3.6.7-no-now-guile.patch
 Patch: gnutls-3.2.7-rpath.patch
@ -37,6 +37,7 @@ Patch: gnutls-3.7.8-integrity-check.patch
 Patch: gnutls-3.7.6-fips-service-indicator-test-functions.patch
 Patch: gnutls-3.7.6-fips-ccm-taglen.patch
 Patch: gnutls-3.7.6-fips-rsa-pss-saltlen.patch
+Patch: gnutls-3.7.8-revert-hmac-name.patch

 # not upstreamed
 Patch: gnutls-3.7.3-disable-config-reload.patch
@ -331,8 +332,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gnutls-dane.pc
 # doing it twice should be a no-op the second time,
 # and this way we avoid redefining it and missing a future change
 %{__spec_install_post}
-./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac
-sed -i "s^$RPM_BUILD_ROOT/usr^^" $RPM_BUILD_ROOT%{_libdir}/.gnutls.hmac
+fname=`basename $RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30.*.*`
+./lib/fipshmac "$RPM_BUILD_ROOT%{_libdir}/libgnutls.so.30" > "$RPM_BUILD_ROOT%{_libdir}/.$fname.hmac"
+sed -i "s^$RPM_BUILD_ROOT/usr^^" "$RPM_BUILD_ROOT%{_libdir}/.$fname.hmac"
+ln -s ".$fname.hmac" "$RPM_BUILD_ROOT%{_libdir}/.libgnutls.so.30.hmac"
 %endif

 %if %{with fips}
@ -353,7 +356,7 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %files -f gnutls.lang
 %{_libdir}/libgnutls.so.30*
 %if %{with fips}
-%{_libdir}/.gnutls.hmac
+%{_libdir}/.libgnutls.so.30*.hmac
 %endif
 %doc README.md AUTHORS NEWS THANKS
 %license LICENSE doc/COPYING doc/COPYING.LESSER
@ -401,6 +404,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %endif

 %changelog
+* Thu Dec 15 2022 Zoltan Fridrich <zfridric@redhat.com> - 3.7.6-15
+- fips: rename hmac file to its previous name (#2148269)
+
 * Tue Nov 22 2022 Daiki Ueno <dueno@redhat.com> - 3.7.6-14
 - cipher: add restriction on CCM tag length under FIPS mode (#2137807)
 - nettle: mark non-compliant RSA-PSS salt length to be not-approved (#2143266)