From: Wouter Wijngaards
Date: Thu, 28 Jun 2012 06:54:16 +0000 (+0000)
Subject: - detect if openssl has FIPS_mode.
X-Git-Tag: release-1.4.18rc1~20
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=097c70be9154e3b7fe03f4b42f0fd2a80140d571;p=thirdparty%2Funbound.git
- detect if openssl has FIPS_mode.
git-svn-id: file:///svn/unbound/trunk@2703 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/config.h.in b/config.h.in
index a04096039..bfadf52da 100644
--- a/config.h.in
+++ b/config.h.in
@@ -106,6 +106,9 @@
 /* Define to 1 if you have the `fcntl' function. */
 #undef HAVE_FCNTL
+/* Define to 1 if you have the `FIPS_mode' function. */
+#undef HAVE_FIPS_MODE
+
 /* Define to 1 if you have the `fork' function. */
 #undef HAVE_FORK
diff --git a/configure b/configure
index 6a69522e9..f94575715 100755
--- a/configure
+++ b/configure
@@ -16418,7 +16418,7 @@ fi done
-for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512
+for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode
 do :
 as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
diff --git a/configure.ac b/configure.ac
index 5f9b265a4..1e1772ea0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -538,7 +538,7 @@ ACX_WITH_SSL
 ACX_LIB_SSL
 AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode])
 AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free], [], [], [
 AC_INCLUDES_DEFAULT
 #ifdef HAVE_OPENSSL_ERR_H
diff --git a/doc/Changelog b/doc/Changelog
index becacc260..7add3ba09 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+28 June 2012: Wouter
+ - detect if openssl has FIPS_mode.
+
 25 June 2012: Wouter
 - disable RSAMD5 if in FIPS mode (for openssl and for libnss).
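Review bot: `AC_CHECK_FUNCS([... FIPS_mode])` in the configure.ac hunk is a link-only probe, so HAVE_FIPS_MODE means the symbol resolved against the LIBS set up by ACX_LIB_SSL just above it, not that any OpenSSL header declares it; if a header ever exposed FIPS_mode only as a macro, the probe and the `FIPS_mode()` call in validator/val_secalgo.c could disagree. The file's own pattern for a declaration check is the AC_CHECK_DECLS two lines below, which could be reused if that distinction ever matters. The reason for the probe is not recorded where it is made; a line such as `# FIPS_mode gates the RSAMD5 support check in validator/val_secalgo.c` above the AC_CHECK_FUNCS would help the next person who edits the list. The config.h.in and configure hunks only mirror this change through autoheader/autoconf.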
diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c
index ca3101b2a..f6d4af497 100644
--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@@ -151,9 +151,13 @@ dnskey_algo_id_is_supported(int id)
 {
 switch(id) {
 case LDNS_RSAMD5:
+#ifdef HAVE_FIPS_MODE
 /* openssl can return if the system is in FIPS mode,
 * which does not allow MD5 hashes for network traffic */
 return !FIPS_mode();
+#else
+ return 1;
+#endif
 case LDNS_DSA:
 case LDNS_DSA_NSEC3:
 case LDNS_RSASHA1:
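Review bot: The new `#else` branch makes `dnskey_algo_id_is_supported(LDNS_RSAMD5)` return 1 whenever the build could not link `FIPS_mode()`, so should an OpenSSL build lack that symbol while still refusing MD5, RSAMD5 would be reported as supported and the refusal would only surface later during signature verification; that is a defensible fallback, but the bare `return 1;` says nothing about it. Suggest `#else /* no FIPS_mode(): cannot detect FIPS, so RSAMD5 stays enabled */`. The comment above the call also reads oddly; `/* openssl can report whether the system is in FIPS mode,` is clearer. The switch continues past the end of the hunk, and the 25 June changelog entry mentions a libnss path that is not part of this hunk.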