diff options
author | Alexandre Oliva <aoliva@redhat.com> | 2012-10-10 07:05:46 -0300 |
---|---|---|
committer | Alexandre Oliva <aoliva@redhat.com> | 2012-10-10 07:05:46 -0300 |
commit | e745142509a427ccb9b14ee94ff24f7f36f7f4b6 (patch) | |
tree | 4edd9f6cf6db3b386639494f831105ee557d452a /crypt/crypt-entry.c | |
parent | 4ba74a357376c8f8bf49487f96ae71cf2460c3f3 (diff) | |
download | glibc-e745142509a427ccb9b14ee94ff24f7f36f7f4b6.zip glibc-e745142509a427ccb9b14ee94ff24f7f36f7f4b6.tar.gz glibc-e745142509a427ccb9b14ee94ff24f7f36f7f4b6.tar.bz2 |
* crypt/crypt-entry.c: Include fips-private.h.
(__crypt_r, __crypt): Disable MD5 and DES if FIPS is enabled.
* crypt/md5c-test.c (main): Tolerate disabled MD5.
* sysdeps/unix/sysv/linux/fips-private.h: New file.
* sysdeps/generic/fips-private.h: New file, dummy fallback.
Diffstat (limited to 'crypt/crypt-entry.c')
-rw-r--r-- | crypt/crypt-entry.c | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/crypt/crypt-entry.c b/crypt/crypt-entry.c index 9fb22bd..89c22e6 100644 --- a/crypt/crypt-entry.c +++ b/crypt/crypt-entry.c @@ -28,6 +28,7 @@ #endif #include <string.h> #include <errno.h> +#include <fips-private.h> #ifndef STATIC #define STATIC static @@ -92,8 +93,16 @@ __crypt_r (key, salt, data) #ifdef _LIBC /* Try to find out whether we have to use MD5 encryption replacement. */ if (strncmp (md5_salt_prefix, salt, sizeof (md5_salt_prefix) - 1) == 0) - return __md5_crypt_r (key, salt, (char *) data, - sizeof (struct crypt_data)); + { + /* FIPS rules out MD5 password encryption. */ + if (fips_enabled_p ()) + { + __set_errno (EPERM); + return NULL; + } + return __md5_crypt_r (key, salt, (char *) data, + sizeof (struct crypt_data)); + } /* Try to find out whether we have to use SHA256 encryption replacement. */ if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0) @@ -115,6 +124,13 @@ __crypt_r (key, salt, data) return NULL; } + /* FIPS rules out DES password encryption. */ + if (fips_enabled_p ()) + { + __set_errno (EPERM); + return NULL; + } + /* * Setup key schedule */ @@ -148,7 +164,9 @@ crypt (key, salt) { #ifdef _LIBC /* Try to find out whether we have to use MD5 encryption replacement. */ - if (strncmp (md5_salt_prefix, salt, sizeof (md5_salt_prefix) - 1) == 0) + if (strncmp (md5_salt_prefix, salt, sizeof (md5_salt_prefix) - 1) == 0 + /* Let __crypt_r deal with the error code if FIPS is enabled. */ + && !fips_enabled_p ()) return __md5_crypt (key, salt); /* Try to find out whether we have to use SHA256 encryption replacement. */ |