about summary refs log tree commit diff
path: root/crypt
diff options
context:
space:
mode:
authorAlexandre Oliva <aoliva@redhat.com>2012-10-10 07:05:46 -0300
committerAlexandre Oliva <aoliva@redhat.com>2012-10-10 07:05:46 -0300
commite745142509a427ccb9b14ee94ff24f7f36f7f4b6 (patch)
tree4edd9f6cf6db3b386639494f831105ee557d452a /crypt
parent4ba74a357376c8f8bf49487f96ae71cf2460c3f3 (diff)
downloadglibc-e745142509a427ccb9b14ee94ff24f7f36f7f4b6.tar.gz
glibc-e745142509a427ccb9b14ee94ff24f7f36f7f4b6.tar.xz
glibc-e745142509a427ccb9b14ee94ff24f7f36f7f4b6.zip
* crypt/crypt-entry.c: Include fips-private.h.
(__crypt_r, __crypt): Disable MD5 and DES if FIPS is enabled.
* crypt/md5c-test.c (main): Tolerate disabled MD5.
* sysdeps/unix/sysv/linux/fips-private.h: New file.
* sysdeps/generic/fips-private.h: New file, dummy fallback.
Diffstat (limited to 'crypt')
-rw-r--r--crypt/crypt-entry.c24
-rw-r--r--crypt/md5c-test.c5
2 files changed, 25 insertions, 4 deletions
diff --git a/crypt/crypt-entry.c b/crypt/crypt-entry.c
index 9fb22bdac4..89c22e6897 100644
--- a/crypt/crypt-entry.c
+++ b/crypt/crypt-entry.c
@@ -28,6 +28,7 @@
 #endif
 #include <string.h>
 #include <errno.h>
+#include <fips-private.h>
 
 #ifndef STATIC
 #define STATIC static
@@ -92,8 +93,16 @@ __crypt_r (key, salt, data)
 #ifdef _LIBC
   /* Try to find out whether we have to use MD5 encryption replacement.  */
   if (strncmp (md5_salt_prefix, salt, sizeof (md5_salt_prefix) - 1) == 0)
-    return __md5_crypt_r (key, salt, (char *) data,
-			  sizeof (struct crypt_data));
+    {
+      /* FIPS rules out MD5 password encryption.  */
+      if (fips_enabled_p ())
+	{
+	  __set_errno (EPERM);
+	  return NULL;
+	}
+      return __md5_crypt_r (key, salt, (char *) data,
+			    sizeof (struct crypt_data));
+    }
 
   /* Try to find out whether we have to use SHA256 encryption replacement.  */
   if (strncmp (sha256_salt_prefix, salt, sizeof (sha256_salt_prefix) - 1) == 0)
@@ -115,6 +124,13 @@ __crypt_r (key, salt, data)
       return NULL;
     }
 
+  /* FIPS rules out DES password encryption.  */
+  if (fips_enabled_p ())
+    {
+      __set_errno (EPERM);
+      return NULL;
+    }
+
   /*
    * Setup key schedule
    */
@@ -148,7 +164,9 @@ crypt (key, salt)
 {
 #ifdef _LIBC
   /* Try to find out whether we have to use MD5 encryption replacement.  */
-  if (strncmp (md5_salt_prefix, salt, sizeof (md5_salt_prefix) - 1) == 0)
+  if (strncmp (md5_salt_prefix, salt, sizeof (md5_salt_prefix) - 1) == 0
+      /* Let __crypt_r deal with the error code if FIPS is enabled.  */
+      && !fips_enabled_p ())
     return __md5_crypt (key, salt);
 
   /* Try to find out whether we have to use SHA256 encryption replacement.  */
diff --git a/crypt/md5c-test.c b/crypt/md5c-test.c
index f56d0eb4ab..c80e40202d 100644
--- a/crypt/md5c-test.c
+++ b/crypt/md5c-test.c
@@ -9,7 +9,10 @@ main (int argc, char *argv[])
   int result = 0;
 
   cp = crypt ("Hello world!", salt);
-  result |= strcmp ("$1$saltstri$YMyguxXMBpd2TEZ.vS/3q1", cp);
+
+  /* MD5 is disabled in FIPS mode.  */
+  if (cp)
+    result |= strcmp ("$1$saltstri$YMyguxXMBpd2TEZ.vS/3q1", cp);
 
   return result;
 }