aboutsummaryrefslogtreecommitdiff
path: root/crypt/crypt-entry.c
diff options
context:
space:
mode:
authorAlexandre Oliva <aoliva@redhat.com>2012-10-10 07:05:46 -0300
committerAlexandre Oliva <aoliva@redhat.com>2012-10-10 07:05:46 -0300
commite745142509a427ccb9b14ee94ff24f7f36f7f4b6 (patch)
tree4edd9f6cf6db3b386639494f831105ee557d452a /crypt/crypt-entry.c
parent4ba74a357376c8f8bf49487f96ae71cf2460c3f3 (diff)
downloadglibc-e745142509a427ccb9b14ee94ff24f7f36f7f4b6.zip
glibc-e745142509a427ccb9b14ee94ff24f7f36f7f4b6.tar.gz
glibc-e745142509a427ccb9b14ee94ff24f7f36f7f4b6.tar.bz2
* crypt/crypt-entry.c: Include fips-private.h.
(__crypt_r, __crypt): Disable MD5 and DES if FIPS is enabled. * crypt/md5c-test.c (main): Tolerate disabled MD5. * sysdeps/unix/sysv/linux/fips-private.h: New file. * sysdeps/generic/fips-private.h: New file, dummy fallback.
Diffstat (limited to 'crypt/crypt-entry.c')
-rw-r--r--crypt/crypt-entry.c24
1 files changed, 21 insertions, 3 deletions
diff --git a/crypt/crypt-entry.c b/crypt/crypt-entry.c
index 9fb22bd..89c22e6 100644
--- a/crypt/crypt-entry.c
+++ b/crypt/crypt-entry.c
@@ -28,6 +28,7 @@
#endif
#include <string.h>
#include <errno.h>
+#include <fips-private.h>
#ifndef STATIC
#define STATIC static
@@ -92,8 +93,16 @@ __crypt_r (key, salt, data)
#ifdef _LIBC
/* Try to find out whether we have to use MD5 encryption replacement. */
if (strncmp (md5_salt_prefix, salt, sizeof (md5_salt_prefix) - 1) == 0)
- return __md5_crypt_r (key, salt, (char *) data,
- sizeof (struct crypt_data));
+ {
+ /* FIPS rules out MD5 password encryption. */
+ if (fips_enabled_p ())
+ {
+ __set_errno (EPERM);
+ return NULL;
+ }
+ return __md5_crypt_r (key, salt, (char *) data,
+ sizeof (struct crypt_data));
+ }
/* Try to find out whether we have to use SHA256 encryption replacement. */
if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
@@ -115,6 +124,13 @@ __crypt_r (key, salt, data)
return NULL;
}
+ /* FIPS rules out DES password encryption. */
+ if (fips_enabled_p ())
+ {
+ __set_errno (EPERM);
+ return NULL;
+ }
+
/*
* Setup key schedule
*/
@@ -148,7 +164,9 @@ crypt (key, salt)
{
#ifdef _LIBC
/* Try to find out whether we have to use MD5 encryption replacement. */
- if (strncmp (md5_salt_prefix, salt, sizeof (md5_salt_prefix) - 1) == 0)
+ if (strncmp (md5_salt_prefix, salt, sizeof (md5_salt_prefix) - 1) == 0
+ /* Let __crypt_r deal with the error code if FIPS is enabled. */
+ && !fips_enabled_p ())
return __md5_crypt (key, salt);
/* Try to find out whether we have to use SHA256 encryption replacement. */