- Fix #1358 Enabling FIPS in OpenSSL causes unit test to fail.

2026-02-03 04:09:28 -05:00 · 2025-10-10 09:17:08 +02:00 · 2025-10-10 09:17:08 +02:00 · a75ea01a15
commit a75ea01a15
parent 21f02a0865
2 changed files with 33 additions and 12 deletions
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,6 @@
+10 October 2025: Wouter
+	- Fix #1358 Enabling FIPS in OpenSSL causes unit test to fail.
+
 3 October 2025: Yorgos
 	- Note 'respip' and 'dns64' module order in the unbound.conf
 	  man page.
--- a/testcode/unitverify.c
+++ b/testcode/unitverify.c
@ -631,6 +631,7 @@ rh_allow_sha1_signatures_disabled(void)
 void 
 verify_test(void)
 {
+	int do_sha1 = 1;
 	unit_show_feature("signature verify");

 #if defined(HAVE_SSL) && defined(USE_SHA1)
@ -643,27 +644,40 @@ verify_test(void)
 #else
 		_putenv("OPENSSL_ENABLE_SHA1_SIGNATURES=1");
 #endif
+		do_sha1 = 1;
 	}
+#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
+	if (EVP_default_properties_is_fips_enabled(NULL))
+		do_sha1 = 0;
 #endif
+#endif /* HAVE_SSL and USE_SHA1 */

 #ifdef USE_SHA1
-	verifytest_file(SRCDIRSTR "/testdata/test_signatures.1", "20070818005004");
+	if(do_sha1) {
+		verifytest_file(SRCDIRSTR "/testdata/test_signatures.1", "20070818005004");
+	}
 #endif
 #if defined(USE_DSA) && defined(USE_SHA1)
-	verifytest_file(SRCDIRSTR "/testdata/test_signatures.2", "20080414005004");
-	verifytest_file(SRCDIRSTR "/testdata/test_signatures.3", "20080416005004");
-	verifytest_file(SRCDIRSTR "/testdata/test_signatures.4", "20080416005004");
-	verifytest_file(SRCDIRSTR "/testdata/test_signatures.5", "20080416005004");
-	verifytest_file(SRCDIRSTR "/testdata/test_signatures.6", "20080416005004");
-	verifytest_file(SRCDIRSTR "/testdata/test_signatures.7", "20070829144150");
+	if(do_sha1) {
+		verifytest_file(SRCDIRSTR "/testdata/test_signatures.2", "20080414005004");
+		verifytest_file(SRCDIRSTR "/testdata/test_signatures.3", "20080416005004");
+		verifytest_file(SRCDIRSTR "/testdata/test_signatures.4", "20080416005004");
+		verifytest_file(SRCDIRSTR "/testdata/test_signatures.5", "20080416005004");
+		verifytest_file(SRCDIRSTR "/testdata/test_signatures.6", "20080416005004");
+		verifytest_file(SRCDIRSTR "/testdata/test_signatures.7", "20070829144150");
+	}
 #endif /* USE_DSA */
 #ifdef USE_SHA1
-	verifytest_file(SRCDIRSTR "/testdata/test_signatures.8", "20070829144150");
+	if(do_sha1) {
+		verifytest_file(SRCDIRSTR "/testdata/test_signatures.8", "20070829144150");
+	}
 #endif
 #if (defined(HAVE_EVP_SHA256) || defined(HAVE_NSS) || defined(HAVE_NETTLE)) && defined(USE_SHA2)
 	verifytest_file(SRCDIRSTR "/testdata/test_sigs.rsasha256", "20070829144150");
 #  ifdef USE_SHA1
-	verifytest_file(SRCDIRSTR "/testdata/test_sigs.sha1_and_256", "20070829144150");
+	if(do_sha1) {
+		verifytest_file(SRCDIRSTR "/testdata/test_sigs.sha1_and_256", "20070829144150");
+	}
 #  endif
 	verifytest_file(SRCDIRSTR "/testdata/test_sigs.rsasha256_draft", "20090101000000");
 #endif
@ -672,8 +686,10 @@ verify_test(void)
 	verifytest_file(SRCDIRSTR "/testdata/test_signatures.9", "20171215000000");
 #endif
 #ifdef USE_SHA1
-	verifytest_file(SRCDIRSTR "/testdata/test_sigs.hinfo", "20090107100022");
-	verifytest_file(SRCDIRSTR "/testdata/test_sigs.revoked", "20080414005004");
+	if(do_sha1) {
+		verifytest_file(SRCDIRSTR "/testdata/test_sigs.hinfo", "20090107100022");
+		verifytest_file(SRCDIRSTR "/testdata/test_sigs.revoked", "20080414005004");
+	}
 #endif
 #ifdef USE_GOST
 	if(sldns_key_EVP_load_gost_id())
@ -699,7 +715,9 @@ verify_test(void)
 	}
 #endif
 #ifdef USE_SHA1
-	dstest_file(SRCDIRSTR "/testdata/test_ds.sha1");
+	if(do_sha1) {
+		dstest_file(SRCDIRSTR "/testdata/test_ds.sha1");
+	}
 #endif
 	nsectest();
 	nsec3_hash_test(SRCDIRSTR "/testdata/test_nsec3_hash.1");