]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Do not allow MD5 in the high level crypto-api in FIPS mode.
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 22 Nov 2013 11:23:19 +0000 (12:23 +0100)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 27 Nov 2013 10:41:44 +0000 (11:41 +0100)
lib/crypto-api.c

index 4a56bedd3c828fd0534c8bc6878d4c21d457445c..354dd14b6c60c667f679f864fc2e478847d8bd4a 100644 (file)
@@ -314,6 +314,12 @@ gnutls_hmac_init(gnutls_hmac_hd_t * dig,
                 gnutls_mac_algorithm_t algorithm,
                 const void *key, size_t keylen)
 {
+#ifdef ENABLE_FIPS140
+       /* MD5 is only allowed internally for TLS */
+       if (algorithm == GNUTLS_MAC_MD5)
+               return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
+#endif
+
        *dig = gnutls_malloc(sizeof(mac_hd_st));
        if (*dig == NULL) {
                gnutls_assert();
@@ -451,6 +457,12 @@ int
 gnutls_hash_init(gnutls_hash_hd_t * dig,
                 gnutls_digest_algorithm_t algorithm)
 {
+#ifdef ENABLE_FIPS140
+       /* MD5 is only allowed internally for TLS */
+       if (algorithm == GNUTLS_DIG_MD5)
+               return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
+#endif
+
        *dig = gnutls_malloc(sizeof(digest_hd_st));
        if (*dig == NULL) {
                gnutls_assert();