From: Michal Nowak <mnowak@isc.org>
Date: Mon, 9 Dec 2024 11:55:53 +0000 (+0000)
Subject: fix: usr: disable deterministic ecdsa for fips builds
X-Git-Tag: v9.21.4~44
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=707dded979825eead45d19213458e77118c5cdae;p=thirdparty%2Fbind9.git

fix: usr: disable deterministic ecdsa for fips builds

FIPS 186-5 [1] allows the usage deterministic ECDSA (Section 6.3) which
is compabile with RFC 6979 [2] but OpenSSL seems to follow FIPS 186-4
(Section 6.3) [3] which only allows for random k values, failing
k value generation for OpenSSL >=3.2. [4]

Fix signing by not using deterministic ECDSA when FIPS mode is active.

[1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
[2]: https://datatracker.ietf.org/doc/html/rfc6979
[3]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
[4]: https://github.com/openssl/openssl/blob/85f17585b0d8b55b335f561e2862db14a20b1e64/crypto/ec/ecdsa_ossl.c#L201-L207

Closes #5072

Merge branch '5072-the-ecdsa_determinism_test-check-fails-on-ol-9-5-fips' into 'main'

See merge request isc-projects/bind9!9808
---

707dded979825eead45d19213458e77118c5cdae