diff --git a/config.h.in b/config.h.in
index a080dde0d..cc1fbe864 100644
--- a/config.h.in
+++ b/config.h.in
@@ -222,6 +222,10 @@
 /* Define to 1 if you have the `EVP_cleanup' function. */
 #undef HAVE_EVP_CLEANUP
+/* Define to 1 if you have the `EVP_default_properties_is_fips_enabled' function. */
+#undef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
+
 /* Define to 1 if you have the `EVP_DigestVerify' function. */
 #undef HAVE_EVP_DIGESTVERIFY
diff --git a/configure b/configure
index 8a4bc01e1..0029d5b42 100755
--- a/configure
+++ b/configure
@@ -18546,7 +18546,7 @@ fi
 done
-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex
+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
diff --git a/configure.ac b/configure.ac
index 2752749f8..e41c811ae 100644
--- a/configure.ac
+++ b/configure.ac
@@ -907,7 +907,7 @@ else
 	AC_MSG_RESULT([no])
 fi
 AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c
index 7abf66f01..6276675c0 100644
--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@@ -215,6 +215,10 @@ ds_digest_size_supported(int algo)
 	switch(algo) {
 	case LDNS_SHA1:
 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
+#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
+		if (EVP_default_properties_is_fips_enabled(NULL))
+			return 0;
+#endif
 		return SHA_DIGEST_LENGTH;
 #else
 		if(fake_sha1) return 20;
@@ -325,7 +329,11 @@ dnskey_algo_id_is_supported(int id)
 	case LDNS_RSASHA1:
 	case LDNS_RSASHA1_NSEC3:
 #ifdef USE_SHA1
+#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
+		return !EVP_default_properties_is_fips_enabled(NULL);
+#else
 		return 1;
+#endif
 #else
 		if(fake_sha1) return 1;
 		return 0;
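Review bot: The new gate `if (EVP_default_properties_is_fips_enabled(NULL)) return 0;` in ds_digest_size_supported reports whether `fips=yes` is the default property query of the default library context, not whether a SHA-1 fetch would actually succeed, so it disables SHA-1 DS digests whenever that property is set and detects nothing when an operator loads only a FIPS provider without setting the property; that limitation deserves a comment next to the call. The same `#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED` / `#else` / `#endif` triple is repeated in the -325 hunk for RSASHA1 and in the -341 hunk for Ed25519/Ed448; folding it into one `static int secalgo_fips_enabled(void)` helper keeps the three sites consistent and gives one place to document that an algorithm reported as unsupported makes zones signed with it validate as insecure rather than bogus, which is the operational effect operators should expect under FIPS. `FIPS_mode` stays in the configure.ac check list but is not consulted in these hunks; if it is not used elsewhere in the file (outside this view), OpenSSL 1.x FIPS builds keep reporting SHA-1 as supported while 3.x builds do not. Both ds_digest_size_supported and dnskey_algo_id_is_supported continue outside their hunks.
```c
/* True when the default OSSL_LIB_CTX is restricted to FIPS-approved
 * algorithms (the "fips=yes" default property query). Callers report
 * the affected algorithms as unsupported, so zones signed with them
 * validate as insecure, not bogus. Only the property is inspected, not
 * whether the provider would actually serve the algorithm. */
static int
secalgo_fips_enabled(void)
{
#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
	return EVP_default_properties_is_fips_enabled(NULL);
#else
	return 0;
#endif
}

/* … unchanged: ds_digest_size_supported down to case LDNS_SHA1 … */
#if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
		if(secalgo_fips_enabled())
			return 0;
		return SHA_DIGEST_LENGTH;
```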
@@ -341,15 +349,22 @@ dnskey_algo_id_is_supported(int id)
 	case LDNS_ECDSAP256SHA256:
 	case LDNS_ECDSAP384SHA384:
 #endif
+#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA)
+		return 1;
+#endif
 #ifdef USE_ED25519
 	case LDNS_ED25519:
 #endif
 #ifdef USE_ED448
 	case LDNS_ED448:
 #endif
-#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA) || defined(USE_ED25519) || defined(USE_ED448)
+#if defined(USE_ED25519) || defined(USE_ED448)
+#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
+		return !EVP_default_properties_is_fips_enabled(NULL);
+#else
 		return 1;
 #endif
+#endif
 #ifdef USE_GOST
 	case LDNS_ECC_GOST: