authorAlexandre Oliva <aoliva@redhat.com>2012-10-10 07:05:46 -0300
committerAlexandre Oliva <aoliva@redhat.com>2012-10-10 07:05:46 -0300
commite745142509a427ccb9b14ee94ff24f7f36f7f4b6 (patch)
tree4edd9f6cf6db3b386639494f831105ee557d452a /crypt
parent4ba74a357376c8f8bf49487f96ae71cf2460c3f3 (diff)
* crypt/crypt-entry.c: Include fips-private.h.
(__crypt_r, __crypt): Disable MD5 and DES if FIPS is enabled. * crypt/md5c-test.c (main): Tolerate disabled MD5. * sysdeps/unix/sysv/linux/fips-private.h: New file. * sysdeps/generic/fips-private.h: New file, dummy fallback.
Diffstat (limited to 'crypt')
-rw-r--r--crypt/crypt-entry.c24
-rw-r--r--crypt/md5c-test.c5
2 files changed, 25 insertions, 4 deletions
diff --git a/crypt/crypt-entry.c b/crypt/crypt-entry.c
index 9fb22bdac4..89c22e6897 100644
--- a/crypt/crypt-entry.c
+++ b/crypt/crypt-entry.c
@@ -28,6 +28,7 @@
#endif
#include <string.h>
#include <errno.h>
+#include <fips-private.h>
#ifndef STATIC
#define STATIC static
@@ -92,8 +93,16 @@ __crypt_r (key, salt, data)
#ifdef _LIBC
/* Try to find out whether we have to use MD5 encryption replacement. */
if (strncmp (md5_salt_prefix, salt, sizeof (md5_salt_prefix) - 1) == 0)
- return __md5_crypt_r (key, salt, (char *) data,
- sizeof (struct crypt_data));
+ {
+ /* FIPS rules out MD5 password encryption. */
+ if (fips_enabled_p ())
+ {
+ __set_errno (EPERM);
+ return NULL;
+ }
+ return __md5_crypt_r (key, salt, (char *) data,
+ sizeof (struct crypt_data));
+ }
/* Try to find out whether we have to use SHA256 encryption replacement. */
if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
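Review bot: Returning NULL from the MD5 branch here, and from the DES fallback in the next hunk, changes what callers can see, and the new comments do not say so. Code that passes the result of crypt() straight to strcmp() will dereference NULL on a FIPS-enabled system when given a `$1$` or DES salt. I would state the contract in the comment, e.g. `/* FIPS rules out MD5 password hashing: fail with NULL and errno == EPERM; callers must check the result. */`, and word the DES comment the same way. The two guard blocks are identical, so a small static helper would keep the error code in one place. __crypt_r begins and ends outside both hunks.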
@@ -115,6 +124,13 @@ __crypt_r (key, salt, data)
return NULL;
}
+ /* FIPS rules out DES password encryption. */
+ if (fips_enabled_p ())
+ {
+ __set_errno (EPERM);
+ return NULL;
+ }
+
/*
* Setup key schedule
*/
@@ -148,7 +164,9 @@ crypt (key, salt)
{
#ifdef _LIBC
/* Try to find out whether we have to use MD5 encryption replacement. */
- if (strncmp (md5_salt_prefix, salt, sizeof (md5_salt_prefix) - 1) == 0)
+ if (strncmp (md5_salt_prefix, salt, sizeof (md5_salt_prefix) - 1) == 0
+ /* Let __crypt_r deal with the error code if FIPS is enabled. */
+ && !fips_enabled_p ())
return __md5_crypt (key, salt);
/* Try to find out whether we have to use SHA256 encryption replacement. */
diff --git a/crypt/md5c-test.c b/crypt/md5c-test.c
index f56d0eb4ab..c80e40202d 100644
--- a/crypt/md5c-test.c
+++ b/crypt/md5c-test.c
@@ -9,7 +9,10 @@ main (int argc, char *argv[])
int result = 0;
cp = crypt ("Hello world!", salt);
- result |= strcmp ("$1$saltstri$YMyguxXMBpd2TEZ.vS/3q1", cp);
+
+ /* MD5 is disabled in FIPS mode. */
+ if (cp)
+ result |= strcmp ("$1$saltstri$YMyguxXMBpd2TEZ.vS/3q1", cp);
return result;
}
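Review bot: The new `if (cp)` guard lets the test pass whenever crypt() returns NULL, so an MD5 failure on a system without FIPS would no longer be caught. A NULL result should be accepted only for the expected reason, for example by adding `else if (errno != EPERM) result = 1;` after the strcmp line. That needs `<errno.h>`, and the hunk does not show whether the file already includes it. main starts above the hunk.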