author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2013-11-22 12:23:19 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2013-11-27 11:41:44 +0100 |
commit | 0d0bd4ce53623590fd1009e59bda0af05413afdf (patch) | |
tree | f0b7e478e197398d825435d7d72f33bc5d398276 /lib/crypto-api.c | |
parent | 55f12b400aff520b54dd4e921766f5481ce3b17a (diff) | |
download | gnutls-0d0bd4ce53623590fd1009e59bda0af05413afdf.tar.gz |
Do not allow MD5 in the high level crypto-api in FIPS mode.
Diffstat (limited to 'lib/crypto-api.c')
-rw-r--r-- | lib/crypto-api.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/lib/crypto-api.c b/lib/crypto-api.c index 4a56bedd3c..354dd14b6c 100644 --- a/lib/crypto-api.c +++ b/lib/crypto-api.c @@ -314,6 +314,12 @@ gnutls_hmac_init(gnutls_hmac_hd_t * dig, gnutls_mac_algorithm_t algorithm, const void *key, size_t keylen) { +#ifdef ENABLE_FIPS140 + /* MD5 is only allowed internally for TLS */ + if (algorithm == GNUTLS_MAC_MD5) + return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM); +#endif + *dig = gnutls_malloc(sizeof(mac_hd_st)); if (*dig == NULL) { gnutls_assert(); @@ -451,6 +457,12 @@ int gnutls_hash_init(gnutls_hash_hd_t * dig, gnutls_digest_algorithm_t algorithm) { +#ifdef ENABLE_FIPS140 + /* MD5 is only allowed internally for TLS */ + if (algorithm == GNUTLS_DIG_MD5) + return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM); +#endif + *dig = gnutls_malloc(sizeof(digest_hd_st)); if (*dig == NULL) { gnutls_assert(); |
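Review bot: The new guard in gnutls_hmac_init rejects exactly one value, `GNUTLS_MAC_MD5`, so every other MAC identifier outside the FIPS-approved set still reaches the `gnutls_malloc` call below unless something outside this hunk filters it; the gnutls_hash_init hunk has the same shape with `GNUTLS_DIG_MD5`. A deny-list of one fails open as soon as another non-approved algorithm is present or gets added, whereas an allow-list with a rejecting `default` fails closed. I would switch on the approved MACs as sketched below, with the case list taken from the project's FIPS policy rather than from this sketch, and ideally share one helper between both init functions. The function body continues past the end of the hunk.

```c
#ifdef ENABLE_FIPS140
	/* Fail closed: only approved MACs are reachable through the public
	 * API; MD5 remains available to TLS through internal calls only. */
	switch (algorithm) {
	case GNUTLS_MAC_SHA1:
	case GNUTLS_MAC_SHA224:
	case GNUTLS_MAC_SHA256:
	case GNUTLS_MAC_SHA384:
	case GNUTLS_MAC_SHA512:
		break;
	default:
		return gnutls_assert_val(GNUTLS_E_UNWANTED_ALGORITHM);
	}
#endif
	/* … unchanged: handle allocation and MAC initialisation … */
```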
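Review bot: The restriction in gnutls_hash_init (and the matching one in gnutls_hmac_init) is selected only by `#ifdef ENABLE_FIPS140`, so as far as these lines show, a library built with FIPS support refuses `GNUTLS_DIG_MD5` even when the process is not operating in FIPS mode, while the commit message scopes the change to "in FIPS mode". If the library tracks a runtime FIPS state, the condition should consult it as well; if the build-wide refusal is intended, the comment should say so, for example `/* FIPS140 builds: MD5 is refused at the public API regardless of runtime mode; TLS uses it through internal calls only */`. The diff touches only the two init functions, so any one-shot hash or HMAC entry points in this file that accept an algorithm argument would need the same check to keep the policy from being bypassed; they are not visible here.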