- disable RSAMD5 if in FIPS mode (when compiled with openssl).

git-svn-id: file:///svn/unbound/trunk@2701 be551aaa-1e26-0410-a405-d3ace91eadb9
2025-12-20 23:00:56 -05:00 · 2012-06-25 15:02:52 +00:00 · 2012-06-25 15:02:52 +00:00 · 98b6f90637
commit 98b6f90637
parent b9ed797a22
2 changed files with 7 additions and 1 deletions
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,6 @@
+25 June 2012: Wouter
+	- disable RSAMD5 if in FIPS mode (when compiled with openssl).
+
 22 June 2012: Wouter
 	- implement DS records, NSEC3 and ECDSA for compile with libnss.

--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@ -150,11 +150,14 @@ int
 dnskey_algo_id_is_supported(int id)
 {
 	switch(id) {
+	case LDNS_RSAMD5:
+		/* openssl can return if the system is in FIPS mode, 
+		 * which does not allow MD5 hashes for network traffic */
+		return !FIPS_mode();
 	case LDNS_DSA:
 	case LDNS_DSA_NSEC3:
 	case LDNS_RSASHA1:
 	case LDNS_RSASHA1_NSEC3:
-	case LDNS_RSAMD5:
 #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
 	case LDNS_RSASHA256:
 #endif