s3:modules: Allow SHA1 usage for file IDs in FIPS mode
authorAndreas Schneider <asn@samba.org>
Mon, 1 Jul 2019 14:36:13 +0000 (16:36 +0200)
committerAndreas Schneider <asn@cryptomilk.org>
Wed, 3 Jul 2019 11:19:20 +0000 (11:19 +0000)
This is non-cryptographic use!

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
source3/modules/hash_inode.c

index d4752061e50e33801995c12f48d2ee5c295e9b66..231538c72cbc1a46e631698743f53f6e9e858cff 100644 (file)
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
 
+/* Those macros are only available in GnuTLS >= 3.6.4 */
+#ifndef GNUTLS_FIPS140_SET_LAX_MODE
+#define GNUTLS_FIPS140_SET_LAX_MODE()
+#endif
+
+#ifndef GNUTLS_FIPS140_SET_STRICT_MODE
+#define GNUTLS_FIPS140_SET_STRICT_MODE()
+#endif
+
 SMB_INO_T hash_inode(const SMB_STRUCT_STAT *sbuf, const char *sname)
 {
        gnutls_hash_hd_t hash_hnd = NULL;
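Review bot: The fallback definitions make both macros expand to nothing on GnuTLS older than 3.6.4, and the comment above them does not say that the SHA1 exemption is then silently absent. On such a build, if the library enforces FIPS restrictions, `gnutls_hash_init()` could presumably still fail and take the `goto out` path; the inode value returned in that case is outside the visible hunks. I would extend the comment to something like `/* Only available in GnuTLS >= 3.6.4; with older versions these are no-ops and the FIPS mode is left untouched. */` so the degraded behaviour is explicit.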
@@ -39,6 +48,8 @@ SMB_INO_T hash_inode(const SMB_STRUCT_STAT *sbuf, const char *sname)
        upper_sname = talloc_strdup_upper(talloc_tos(), sname);
        SMB_ASSERT(upper_sname != NULL);
 
+       GNUTLS_FIPS140_SET_LAX_MODE();
+
        rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_SHA1);
        if (rc < 0) {
                goto out;
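Review bot: The `GNUTLS_FIPS140_SET_LAX_MODE()` call before `gnutls_hash_init()` has no in-code justification; the reason it is acceptable ("non-cryptographic use") appears only in the commit message. Anyone auditing FIPS exemptions will read the source, so a comment such as `/* SHA1 is used here only to derive a file ID, not for any security purpose, so FIPS enforcement is relaxed around the hash calls. */` belongs on that line. The code between this hunk and the `out:` label is not shown; every exit there has to pass through `out:`, otherwise the relaxed mode stays active after the function returns.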
@@ -73,6 +84,7 @@ SMB_INO_T hash_inode(const SMB_STRUCT_STAT *sbuf, const char *sname)
                  sname, (uintmax_t)result);
 
 out:
+       GNUTLS_FIPS140_SET_STRICT_MODE();
        TALLOC_FREE(upper_sname);
 
        DBG_DEBUG("hash_inode '%s': ino=%ju\n",
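Review bot: `GNUTLS_FIPS140_SET_STRICT_MODE()` at `out:` forces strict mode rather than restoring whatever mode was in effect when `hash_inode()` was entered. As far as I know, the GnuTLS macros switch the calling thread's mode whenever FIPS is enabled, so a thread that was deliberately running in lax or log mode would leave this function in strict mode. If that can happen in smbd, save the value of `gnutls_fips140_mode_enabled()` before relaxing and restore it with `gnutls_fips140_set_mode(saved_mode, GNUTLS_FIPS140_SET_MODE_THREAD);`. Otherwise a comment stating that strict is the only expected entry mode would be enough. The function's body starts and ends outside this hunk.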