upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-22 07:41:16 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

- detect if openssl has FIPS_mode.

Browse source 
git-svn-id: file:///svn/unbound/trunk@2703 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2012-06-28 06:54:16 +00:00
parent 87ded67cb6
commit 097c70be91
5 changed files with 12 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
config.h.in
View file

@ -106,6 +106,9 @@
/* Define to 1 if you have the `fcntl' function. */ /* Define to 1 if you have the `fcntl' function. */
#undef HAVE_FCNTL #undef HAVE_FCNTL
/* Define to 1 if you have the `FIPS_mode' function. */
#undef HAVE_FIPS_MODE
/* Define to 1 if you have the `fork' function. */ /* Define to 1 if you have the `fork' function. */
#undef HAVE_FORK #undef HAVE_FORK

2
configure vendored
View file

@ -16418,7 +16418,7 @@ fi
done done
for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode
do : do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"

2
configure.ac
View file

@ -538,7 +538,7 @@ ACX_WITH_SSL
ACX_LIB_SSL ACX_LIB_SSL
AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512]) AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode])
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [ AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [
AC_INCLUDES_DEFAULT AC_INCLUDES_DEFAULT
#ifdef HAVE_OPENSSL_ERR_H #ifdef HAVE_OPENSSL_ERR_H

3
doc/Changelog
View file

@ -1,3 +1,6 @@
28 June 2012: Wouter
- detect if openssl has FIPS_mode.
25 June 2012: Wouter 25 June 2012: Wouter
- disable RSAMD5 if in FIPS mode (for openssl and for libnss). - disable RSAMD5 if in FIPS mode (for openssl and for libnss).

4
validator/val_secalgo.c
View file

@ -151,9 +151,13 @@ dnskey_algo_id_is_supported(int id)
{ {
switch(id) { switch(id) {
case LDNS_RSAMD5: case LDNS_RSAMD5:
#ifdef HAVE_FIPS_MODE
/* openssl can return if the system is in FIPS mode, /* openssl can return if the system is in FIPS mode,
* which does not allow MD5 hashes for network traffic */ * which does not allow MD5 hashes for network traffic */
return !FIPS_mode(); return !FIPS_mode();
#else
return 1;
#endif
case LDNS_DSA: case LDNS_DSA:
case LDNS_DSA_NSEC3: case LDNS_DSA_NSEC3:
case LDNS_RSASHA1: case LDNS_RSASHA1: