From: Nikos Mavrogiannopoulos Date: Fri, 22 Nov 2013 11:23:19 +0000 (+0100) Subject: Do not allow MD5 in the high level crypto-api in FIPS mode. X-Git-Tag: gnutls_3_3_0pre0~520^2~56 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0d0bd4ce53623590fd1009e59bda0af05413afdf;p=thirdparty%2Fgnutls.git Do not allow MD5 in the high level crypto-api in FIPS mode. --- diff --git a/lib/crypto-api.c b/lib/crypto-api.c index 4a56bedd3c..354dd14b6c 100644 --- a/lib/crypto-api.c +++ b/lib/crypto-api.c @@ -314,6 +314,12 @@ gnutls_hmac_init(gnutls_hmac_hd_t * dig, gnutls_mac_algorithm_t algorithm, const void *key, size_t keylen) { +#ifdef ENABLE_FIPS140 + /* MD5 is only allowed internally for TLS */ + if (algorithm == GNUTLS_MAC_MD5) + return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM); +#endif + *dig = gnutls_malloc(sizeof(mac_hd_st)); if (*dig == NULL) { gnutls_assert(); @@ -451,6 +457,12 @@ int gnutls_hash_init(gnutls_hash_hd_t * dig, gnutls_digest_algorithm_t algorithm) { +#ifdef ENABLE_FIPS140 + /* MD5 is only allowed internally for TLS */ + if (algorithm == GNUTLS_DIG_MD5) + return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM); +#endif + *dig = gnutls_malloc(sizeof(digest_hd_st)); if (*dig == NULL) { gnutls_assert();