- disable RSAMD5 if in FIPS mode (for openssl and for libnss).

author Wouter Wijngaards <wouter@nlnetlabs.nl>

Mon, 25 Jun 2012 15:13:44 +0000 (15:13 +0000)

committer Wouter Wijngaards <wouter@nlnetlabs.nl>

Mon, 25 Jun 2012 15:13:44 +0000 (15:13 +0000)
author Wouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 25 Jun 2012 15:13:44 +0000 (15:13 +0000)
committer Wouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 25 Jun 2012 15:13:44 +0000 (15:13 +0000)
diff --git a/doc/Changelog b/doc/Changelog

index 47f28ff2662fbcda5a3933a91cec6155040ee5a4..becacc260c09b29dbe33d7098e7f1168a3d5e253 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,5 +1,5 @@
  25 June 2012: Wouter
-       - disable RSAMD5 if in FIPS mode (when compiled with openssl).
+       - disable RSAMD5 if in FIPS mode (for openssl and for libnss).
  
  22 June 2012: Wouter
         - implement DS records, NSEC3 and ECDSA for compile with libnss.
diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c

index 6596270907bd1dd2189bade14e83778a3e0b1930..ca3101b2afd22f1319e985ce46bf3010da44323c 100644 (file)
--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@@ -615,11 +615,13 @@ dnskey_algo_id_is_supported(int id)
  {
         /* uses libNSS */
         switch(id) {
+       case LDNS_RSAMD5:
+               /* disable MD5 support if FIPS mode is enabled in libnss */
+               return !PK11_IsFIPS();
         case LDNS_DSA:
         case LDNS_DSA_NSEC3:
         case LDNS_RSASHA1:
         case LDNS_RSASHA1_NSEC3:
-       case LDNS_RSAMD5:
  #ifdef USE_SHA2
         case LDNS_RSASHA256:
  #endif
author	Wouter Wijngaards <wouter@nlnetlabs.nl>
	Mon, 25 Jun 2012 15:13:44 +0000 (15:13 +0000)
committer	Wouter Wijngaards <wouter@nlnetlabs.nl>
	Mon, 25 Jun 2012 15:13:44 +0000 (15:13 +0000)
doc/Changelog		patch \| blob \| blame \| history
validator/val_secalgo.c		patch \| blob \| blame \| history