This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [RFC] FIPS compliance and other crypt(3) improvements
On Oct 3, 2012, Alexandre Oliva <aoliva@redhat.com> wrote:
> Here's the revised, retested patchset I'm going to check in some 24+h
> from now, if I don't get objections. It's also available in branch
> lxoliva/crypt-fips-bz811753.
Patches installed, temp branch removed.
Thanks again for all the reviews.
> Reject out-of-spec salt passed to DES crypt
> From: Alexandre Oliva <aoliva@redhat.com>
> for ChangeLog
> * crypt/crypt-private.h: Include stdbool.h.
> (_ufc_setup_salt_r): Return bool.
> * crypt/crypt-entry.c: Include errno.h.
> (__crypt_r): Return NULL with EINVAL for bad salt.
> * crypt/crypt_util.c (bad_for_salt): New.
> (_ufc_setup_salt_r): Check that salt is long enough and within
> the specified alphabet.
> * crypt/badsalttest.c: New file.
> * crypt/Makefile (tests): Add it.
> ($(objpfx)badsalttest): New.
> Disable MD5 and DES crypt in FIPS mode
> From: Alexandre Oliva <aoliva@redhat.com>
> for ChangeLog
> * crypt/crypt-entry.c: Include fips-private.h.
> (__crypt_r, __crypt): Disable MD5 and DES if FIPS is enabled.
> * crypt/md5c-test.c (main): Tolerate disabled MD5.
> * sysdeps/unix/sysv/linux/fips-private.h: New file.
> * sysdeps/generic/fips-private.h: New file, dummy fallback.
> Add NEWS entry about fips mode
> From: Alexandre Oliva <aoliva@redhat.com>
> for ChangeLog
> * NEWS: Add note about FIPS mode. Wording suggested by Roland
> McGrath.
--
Alexandre Oliva, freedom fighter http://FSFLA.org/~lxoliva/
You must be the change you wish to see in the world. -- Gandhi
Be Free! -- http://FSFLA.org/ FSF Latin America board member
Free Software Evangelist Red Hat Brazil Compiler Engineer
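
Added example, not part of the original message and not glibc's code: a caller-side pre-check that mirrors the behaviour the ChangeLog entries describe, so an application can tell in advance which settings crypt(3) will now refuse. The names `check_setting` and `salt_verdict`, the `fips_mode` parameter, and the handling of the conventional `$1$`/`$5$`/`$6$` prefixes are assumptions for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the pre-check; names are hypothetical, not glibc's. */
enum salt_verdict { SALT_OK, SALT_BAD, SALT_FIPS_BLOCKED };

/* Traditional DES crypt salt alphabet: [./0-9A-Za-z]. */
static bool in_des_alphabet(char c)
{
    return c == '.' || c == '/' || (c >= '0' && c <= '9')
        || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

/* Classify a crypt(3) setting string: "$1$" selects MD5, "$5$"/"$6$"
   select SHA-256/SHA-512, anything else is treated as DES and needs two
   salt characters from the alphabet.  fips_mode is supplied by the
   caller (assumption: read from wherever the platform exposes it).  */
enum salt_verdict check_setting(const char *setting, bool fips_mode)
{
    if (strncmp(setting, "$1$", 3) == 0)
        return fips_mode ? SALT_FIPS_BLOCKED : SALT_OK;
    if (strncmp(setting, "$5$", 3) == 0 || strncmp(setting, "$6$", 3) == 0)
        return SALT_OK;             /* not touched by these patches */
    /* DES: test for NUL first so a short salt is never over-read. */
    if (setting[0] == '\0' || setting[1] == '\0'
        || !in_des_alphabet(setting[0]) || !in_des_alphabet(setting[1])) {
        errno = EINVAL;             /* errno named in the ChangeLog */
        return SALT_BAD;
    }
    return fips_mode ? SALT_FIPS_BLOCKED : SALT_OK;
}

int main(void)
{
    /* Constructed sample settings. */
    const char *samples[] = { "ab", "a", "a:", "$1$salt$", "$6$salt$" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-10s normal=%d fips=%d\n", samples[i],
               check_setting(samples[i], false), check_setting(samples[i], true));
    return 0;
}
```

Callers that pass the result of crypt() straight to strcmp() need a NULL check once these patches are in, since a bad salt or a FIPS-disabled algorithm now yields NULL rather than a hash.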