- detect if openssl has FIPS_mode.

git-svn-id: file:///svn/unbound/trunk@2703 be551aaa-1e26-0410-a405-d3ace91eadb9
2025-12-20 23:00:56 -05:00 · 2012-06-28 06:54:16 +00:00 · 2012-06-28 06:54:16 +00:00 · 097c70be91
commit 097c70be91
parent 87ded67cb6
5 changed files with 12 additions and 2 deletions
--- a/config.h.in
+++ b/config.h.in
@ -106,6 +106,9 @@
 /* Define to 1 if you have the `fcntl' function. */
 #undef HAVE_FCNTL

+/* Define to 1 if you have the `FIPS_mode' function. */
+#undef HAVE_FIPS_MODE
+
 /* Define to 1 if you have the `fork' function. */
 #undef HAVE_FORK

--- a/2
+++ b/2
@ -16418,7 +16418,7 @@ fi

 done

-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512
+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode
 do :
  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
--- a/configure.ac
+++ b/configure.ac
@ -538,7 +538,7 @@ ACX_WITH_SSL
 ACX_LIB_SSL
 AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode])
 AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [
 AC_INCLUDES_DEFAULT
 #ifdef HAVE_OPENSSL_ERR_H
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,6 @@
+28 June 2012: Wouter
+	- detect if openssl has FIPS_mode.
+
 25 June 2012: Wouter
 	- disable RSAMD5 if in FIPS mode (for openssl and for libnss).

--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@ -151,9 +151,13 @@ dnskey_algo_id_is_supported(int id)
 {
 	switch(id) {
 	case LDNS_RSAMD5:
+#ifdef HAVE_FIPS_MODE
 		/* openssl can return if the system is in FIPS mode, 
 		 * which does not allow MD5 hashes for network traffic */
 		return !FIPS_mode();
+#else
+		return 1;
+#endif
 	case LDNS_DSA:
 	case LDNS_DSA_NSEC3:
 	case LDNS_RSASHA1: