This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [RFC] FIPS compliance and other crypt(3) improvements
- From: Roland McGrath <roland at hack dot frob dot com>
- To: Alexandre Oliva <aoliva at redhat dot com>
- Cc: Andreas Jaeger <aj at suse dot com>, libc-alpha at sourceware dot org
- Date: Tue, 2 Oct 2012 15:52:26 -0700 (PDT)
- Subject: Re: [RFC] FIPS compliance and other crypt(3) improvements
- References: <or8vgtdcmg.fsf@livre.localdomain><1442760.qMLEhZCddU@byrd><orehmg1d1i.fsf@livre.localdomain><1879762.yjXqKX9gY1@byrd><orobklh0fb.fsf@livre.localdomain>
> +static const char *tests[][2] = {
Brace on new line, indent appropriately.
> /*
> + * Return false iff C is in the specified alphabet for crypt salt.
> + */
> +
> +static bool
> +bad_for_salt (c)
> + char c;
Use a prototype defn.
> +fips_enabled_p (void)
> +{
> + static enum {
Brace on new line, indent appropriately.
> +* Recognize and enable FIPS mode from Linux's /proc/sys/crypto/fips_enabled,
> + disabling MD5 and DES crypt algorithms when the mode is enabled. Reject
> + out-of-spec salt bytes in DES implementation.
This looks like a log entry more than a NEWS entry.
A NEWS entry should describe things meaningful to a user:
* The `crypt' function now fails if passed salt bytes that violate the
specification for those values. On Linux, the `crypt' function will
consult /proc/sys/crypto/fips_enabled to determine if "FIPS mode" is
enabled, and fail on encrypted strings using the MD5 or DES algorithm
when the mode is enabled.
Thanks,
Roland