aboutsummaryrefslogtreecommitdiff
path: root/sysdeps/unix/sysv/linux
diff options
context:
space:
mode:
authorAlexandre Oliva <aoliva@redhat.com>2012-10-10 07:05:46 -0300
committerAlexandre Oliva <aoliva@redhat.com>2012-10-10 07:05:46 -0300
commite745142509a427ccb9b14ee94ff24f7f36f7f4b6 (patch)
tree4edd9f6cf6db3b386639494f831105ee557d452a /sysdeps/unix/sysv/linux
parent4ba74a357376c8f8bf49487f96ae71cf2460c3f3 (diff)
downloadglibc-e745142509a427ccb9b14ee94ff24f7f36f7f4b6.tar
glibc-e745142509a427ccb9b14ee94ff24f7f36f7f4b6.tar.gz
glibc-e745142509a427ccb9b14ee94ff24f7f36f7f4b6.tar.bz2
glibc-e745142509a427ccb9b14ee94ff24f7f36f7f4b6.zip
* crypt/crypt-entry.c: Include fips-private.h.
(__crypt_r, __crypt): Disable MD5 and DES if FIPS is enabled. * crypt/md5c-test.c (main): Tolerate disabled MD5. * sysdeps/unix/sysv/linux/fips-private.h: New file. * sysdeps/generic/fips-private.h: New file, dummy fallback.
Diffstat (limited to 'sysdeps/unix/sysv/linux')
-rw-r--r--sysdeps/unix/sysv/linux/fips-private.h74
1 files changed, 74 insertions, 0 deletions
diff --git a/sysdeps/unix/sysv/linux/fips-private.h b/sysdeps/unix/sysv/linux/fips-private.h
new file mode 100644
index 0000000000..81d1b617f4
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/fips-private.h
@@ -0,0 +1,74 @@
+/* FIPS compliance status test for GNU/Linux systems.
+ Copyright (C) 2012 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#ifndef _FIPS_PRIVATE_H
+#define _FIPS_PRIVATE_H
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <not-cancel.h>
+#include <stdbool.h>
+
+/* Return true if FIPS mode is enabled. See
+ sysdeps/generic/fips-private.h for more information. */
+
+static inline bool
+fips_enabled_p (void)
+{
+ static enum
+ {
+ FIPS_UNTESTED = 0,
+ FIPS_ENABLED = 1,
+ FIPS_DISABLED = -1,
+ FIPS_TEST_FAILED = -2
+ } checked;
+
+ if (checked == FIPS_UNTESTED)
+ {
+ int fd = open_not_cancel_2 ("/proc/sys/crypto/fips_enabled", O_RDONLY);
+
+ if (fd != -1)
+ {
+ /* This is more than enough, the file contains a single integer. */
+ char buf[32];
+ ssize_t n;
+ n = TEMP_FAILURE_RETRY (read_not_cancel (fd, buf, sizeof (buf) - 1));
+ close_not_cancel_no_status (fd);
+
+ if (n > 0)
+ {
+ /* Terminate the string. */
+ buf[n] = '\0';
+
+ char *endp;
+ long int res = strtol (buf, &endp, 10);
+ if (endp != buf && (*endp == '\0' || *endp == '\n'))
+ checked = (res > 0) ? FIPS_ENABLED : FIPS_DISABLED;
+ }
+ }
+
+ if (checked == FIPS_UNTESTED)
+ checked = FIPS_TEST_FAILED;
+ }
+
+ return checked == FIPS_ENABLED;
+}
+
+#endif /* _FIPS_PRIVATE_H */