- detect if openssl has FIPS_mode.

author Wouter Wijngaards <wouter@nlnetlabs.nl>

Thu, 28 Jun 2012 06:54:16 +0000 (06:54 +0000)

committer Wouter Wijngaards <wouter@nlnetlabs.nl>

Thu, 28 Jun 2012 06:54:16 +0000 (06:54 +0000)
author Wouter Wijngaards <wouter@nlnetlabs.nl>
Thu, 28 Jun 2012 06:54:16 +0000 (06:54 +0000)
committer Wouter Wijngaards <wouter@nlnetlabs.nl>
Thu, 28 Jun 2012 06:54:16 +0000 (06:54 +0000)
diff --git a/config.h.in b/config.h.in

index a040960395e1c3530697dedee4d1dd1dab42eab6..bfadf52da3c155d1b3cbec8421cbf094cb976eda 100644 (file)
--- a/config.h.in
+++ b/config.h.in
@@ -106,6 +106,9 @@
  /* Define to 1 if you have the `fcntl' function. */
  #undef HAVE_FCNTL
  
+/* Define to 1 if you have the `FIPS_mode' function. */
+#undef HAVE_FIPS_MODE
+
  /* Define to 1 if you have the `fork' function. */
  #undef HAVE_FORK
  
diff --git a/configure b/configure

index 6a69522e98dc90b519809712da4bad5dfe7fc999..f945757158cfd6a46b9fd8be1ff3082b05bd0656 100755 (executable)
--- a/configure
+++ b/configure
@@ -16418,7 +16418,7 @@ fi
  
  done
  
-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512
+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode
  do :
    as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
  ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
diff --git a/configure.ac b/configure.ac

index 5f9b265a4da8d1561f5a2c4261560b8f0105396d..1e1772ea0ca751a38a19d0dd0328767ced12d08f 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -538,7 +538,7 @@ ACX_WITH_SSL
  ACX_LIB_SSL
  AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
  AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode])
  AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [
  AC_INCLUDES_DEFAULT
  #ifdef HAVE_OPENSSL_ERR_H
diff --git a/doc/Changelog b/doc/Changelog

index becacc260c09b29dbe33d7098e7f1168a3d5e253..7add3ba092ce92b27fa525b663568c3fe6728022 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+28 June 2012: Wouter
+       - detect if openssl has FIPS_mode.
+
  25 June 2012: Wouter
         - disable RSAMD5 if in FIPS mode (for openssl and for libnss).
  
diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c

index ca3101b2afd22f1319e985ce46bf3010da44323c..f6d4af49739750c4556d6c36b99a135383c4fa8e 100644 (file)
--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@@ -151,9 +151,13 @@ dnskey_algo_id_is_supported(int id)
  {
         switch(id) {
         case LDNS_RSAMD5:
+#ifdef HAVE_FIPS_MODE
                 /* openssl can return if the system is in FIPS mode, 
                  * which does not allow MD5 hashes for network traffic */
                 return !FIPS_mode();
+#else
+               return 1;
+#endif
         case LDNS_DSA:
         case LDNS_DSA_NSEC3:
         case LDNS_RSASHA1:
author	Wouter Wijngaards <wouter@nlnetlabs.nl>
	Thu, 28 Jun 2012 06:54:16 +0000 (06:54 +0000)
committer	Wouter Wijngaards <wouter@nlnetlabs.nl>
	Thu, 28 Jun 2012 06:54:16 +0000 (06:54 +0000)
config.h.in		patch \| blob \| blame \| history
configure		patch \| blob \| blame \| history
configure.ac		patch \| blob \| blame \| history
doc/Changelog		patch \| blob \| blame \| history
validator/val_secalgo.c		patch \| blob \| blame \| history