From 87ded67cb6d20cd3d90a30315a6a676361639a9e Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards <wouter@nlnetlabs.nl>
Date: Mon, 25 Jun 2012 15:13:44 +0000
Subject: [PATCH] - disable RSAMD5 if in FIPS mode (for openssl and for
 libnss).

git-svn-id: file:///svn/unbound/trunk@2702 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog           | 2 +-
 validator/val_secalgo.c | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/doc/Changelog b/doc/Changelog
index 47f28ff26..becacc260 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,5 +1,5 @@
 25 June 2012: Wouter
-	- disable RSAMD5 if in FIPS mode (when compiled with openssl).
+	- disable RSAMD5 if in FIPS mode (for openssl and for libnss).
 
 22 June 2012: Wouter
 	- implement DS records, NSEC3 and ECDSA for compile with libnss.
diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c
index 659627090..ca3101b2a 100644
--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@@ -615,11 +615,13 @@ dnskey_algo_id_is_supported(int id)
 {
 	/* uses libNSS */
 	switch(id) {
+	case LDNS_RSAMD5:
+		/* disable MD5 support if FIPS mode is enabled in libnss */
+		return !PK11_IsFIPS();
 	case LDNS_DSA:
 	case LDNS_DSA_NSEC3:
 	case LDNS_RSASHA1:
 	case LDNS_RSASHA1_NSEC3:
-	case LDNS_RSAMD5:
 #ifdef USE_SHA2
 	case LDNS_RSASHA256:
 #endif
-- 
2.47.3