]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
Don't register FIPS incompatible algorithms in FIPS mode
authorMark Andrews <marka@isc.org>
Fri, 17 Dec 2021 06:55:51 +0000 (17:55 +1100)
committerMark Andrews <marka@isc.org>
Mon, 3 Apr 2023 02:06:03 +0000 (12:06 +1000)
HMACMD5 is not permitted in FIPS mode.

Note that RSASHA1 is only permitted for verification of signatures.

lib/dns/dst_api.c

index 66c911b025018857aa3f8a3b92f49b66cde00c74..896ee7625192f041f707a283c7b1c3fabac5109f 100644 (file)
@@ -40,6 +40,7 @@
 #include <isc/buffer.h>
 #include <isc/dir.h>
 #include <isc/file.h>
+#include <isc/fips.h>
 #include <isc/lex.h>
 #include <isc/mem.h>
 #include <isc/once.h>
@@ -197,13 +198,16 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
        UNUSED(engine);
 
        memset(dst_t_func, 0, sizeof(dst_t_func));
-       RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
+       RETERR(dst__openssl_init(engine)); /* Sets FIPS mode. */
+       if (!isc_fips_mode()) {
+               RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
+       }
        RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1]));
        RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224]));
        RETERR(dst__hmacsha256_init(&dst_t_func[DST_ALG_HMACSHA256]));
        RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
        RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
-       RETERR(dst__openssl_init(engine));
+       /* RSASHA1 (NSEC3RSASHA1) is verify only in FIPS mode. */
        RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
                                    DST_ALG_RSASHA1));
        RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],