- disable RSAMD5 if in FIPS mode (when compiled with openssl).

author Wouter Wijngaards <wouter@nlnetlabs.nl>

Mon, 25 Jun 2012 15:02:52 +0000 (15:02 +0000)

committer Wouter Wijngaards <wouter@nlnetlabs.nl>

Mon, 25 Jun 2012 15:02:52 +0000 (15:02 +0000)
author Wouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 25 Jun 2012 15:02:52 +0000 (15:02 +0000)
committer Wouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 25 Jun 2012 15:02:52 +0000 (15:02 +0000)
diff --git a/doc/Changelog b/doc/Changelog

index e4af5412c20438ebde709dbcb71eace6ea4fd079..47f28ff2662fbcda5a3933a91cec6155040ee5a4 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+25 June 2012: Wouter
+       - disable RSAMD5 if in FIPS mode (when compiled with openssl).
+
  22 June 2012: Wouter
         - implement DS records, NSEC3 and ECDSA for compile with libnss.
  
diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c

index 5cd8cb7047b36d415adeb35c3b276d5aab9b8cbd..6596270907bd1dd2189bade14e83778a3e0b1930 100644 (file)
--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@@ -150,11 +150,14 @@ int
  dnskey_algo_id_is_supported(int id)
  {
         switch(id) {
+       case LDNS_RSAMD5:
+               /* openssl can return if the system is in FIPS mode, 
+                * which does not allow MD5 hashes for network traffic */
+               return !FIPS_mode();
         case LDNS_DSA:
         case LDNS_DSA_NSEC3:
         case LDNS_RSASHA1:
         case LDNS_RSASHA1_NSEC3:
-       case LDNS_RSAMD5:
  #if defined(HAVE_EVP_SHA256) && defined(USE_SHA2)
         case LDNS_RSASHA256:
  #endif
author	Wouter Wijngaards <wouter@nlnetlabs.nl>
	Mon, 25 Jun 2012 15:02:52 +0000 (15:02 +0000)
committer	Wouter Wijngaards <wouter@nlnetlabs.nl>
	Mon, 25 Jun 2012 15:02:52 +0000 (15:02 +0000)
doc/Changelog		patch \| blob \| blame \| history
validator/val_secalgo.c		patch \| blob \| blame \| history