- Fix unbound for openssl in FIPS mode, it uses the digests with
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 17 Sep 2018 07:28:55 +0000 (07:28 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 17 Sep 2018 07:28:55 +0000 (07:28 +0000)
  the EVP call contexts.

git-svn-id: file:///svn/unbound/trunk@4908 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog
validator/val_secalgo.c

index 520aa6cf7ab6d85ad97682410cb868ff8c74b05d..c7480e78831cba50d49b7b903257b143c1952e11 100644 (file)
@@ -1,6 +1,8 @@
 17 September 2018: Wouter
        - Fix compile on Mac for unbound, provide explicit_bzero when libc
          does not have it.
+       - Fix unbound for openssl in FIPS mode, it uses the digests with
+         the EVP call contexts.
 
 13 September 2018: Wouter
        - Fix seed for random backup code to use explicit zero when wiped.
index 95200a48b61b8b9a4d68bad25e44194004db320e..4fb735f7ae0d05172f20a3d58a923014497c0b47 100644 (file)
@@ -77,6 +77,22 @@ int fake_dsa = 0;
 /** fake SHA1 support for unit tests */
 int fake_sha1 = 0;
 
+/**
+ * Output a libcrypto openssl error to the logfile.
+ * @param str: string to add to it.
+ * @param e: the error to output, error number from ERR_get_error().
+ */
+static void
+log_crypto_error(const char* str, unsigned long e)
+{
+       char buf[128];
+       /* or use ERR_error_string if ERR_error_string_n is not avail TODO */
+       ERR_error_string_n(e, buf, sizeof(buf));
+       /* buf now contains */
+       /* error:[error code]:[library name]:[function name]:[reason string] */
+       log_err("%s crypto %s", str, buf);
+}
+
 /* return size of digest if supported, or 0 otherwise */
 size_t
 nsec3_hash_algo_size_supported(int id)
@@ -96,7 +112,13 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
 {
        switch(algo) {
        case NSEC3_HASH_SHA1:
+#ifdef OPENSSL_FIPS
+               if(!sldns_digest_evp(buf, les, rest, EVP_sha1()))
+                       log_crypto_error("could not digest with EVP_sha1",
+                               ERR_get_error());
+#else
                (void)SHA1(buf, len, res);
+#endif
                return 1;
        default:
                return 0;
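Review bot: The OPENSSL_FIPS branch in the NSEC3_HASH_SHA1 case passes `les` and `rest` to sldns_digest_evp, but the non-FIPS call right below it is `SHA1(buf, len, res)` and the secalgo_hash_sha256 signature shown further down names its parameters `buf`, `len` and `res`. Unless `les` and `rest` are declared somewhere outside the visible lines, this branch will not compile in a FIPS build; the call presumably should read `if(!sldns_digest_evp(buf, len, res, EVP_sha1()))`. The same two identifiers appear in the FIPS branches added to secalgo_hash_sha256 and to the LDNS_SHA1, LDNS_SHA256 and LDNS_SHA384 cases of secalgo_ds_digest. Because these lines are only compiled when OPENSSL_FIPS is defined, a default build will not catch the error, so a FIPS-enabled build should be part of the test matrix. secalgo_nsec3_hash starts above this hunk.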
@@ -106,7 +128,13 @@ secalgo_nsec3_hash(int algo, unsigned char* buf, size_t len,
 void
 secalgo_hash_sha256(unsigned char* buf, size_t len, unsigned char* res)
 {
+#ifdef OPENSSL_FIPS
+       if(!sldns_digest_evp(buf, les, rest, EVP_sha256()))
+               log_crypto_error("could not digest with EVP_sha256",
+                       ERR_get_error());
+#else
        (void)SHA256(buf, len, res);
+#endif
 }
 
 /**
@@ -165,12 +193,24 @@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
        switch(algo) {
 #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
                case LDNS_SHA1:
+#ifdef OPENSSL_FIPS
+                       if(!sldns_digest_evp(buf, les, rest, EVP_sha1()))
+                               log_crypto_error("could not digest with EVP_sha1",
+                                       ERR_get_error());
+#else
                        (void)SHA1(buf, len, res);
+#endif
                        return 1;
 #endif
 #ifdef HAVE_EVP_SHA256
                case LDNS_SHA256:
+#ifdef OPENSSL_FIPS
+                       if(!sldns_digest_evp(buf, les, rest, EVP_sha256()))
+                               log_crypto_error("could not digest with EVP_sha256",
+                                       ERR_get_error());
+#else
                        (void)SHA256(buf, len, res);
+#endif
                        return 1;
 #endif
 #ifdef USE_GOST
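Review bot: In the LDNS_SHA1 and LDNS_SHA256 cases a failed sldns_digest_evp is only logged, and control still reaches `return 1`, so the caller is told a digest was produced while `res` may never have been written. A DS digest is presumably compared against validated data afterwards, so this path should fail closed: brace the error branch and add `return 0;` after the log_crypto_error call. The same applies to the LDNS_SHA384 case and to NSEC3_HASH_SHA1 in secalgo_nsec3_hash. secalgo_hash_sha256 returns void and cannot report the failure at all, which may need a separate interface change. Whether callers treat a 0 return as a hard validation failure is not visible here and should be confirmed; the switch continues outside this hunk.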
@@ -181,7 +221,13 @@ secalgo_ds_digest(int algo, unsigned char* buf, size_t len,
 #endif
 #ifdef USE_ECDSA
                case LDNS_SHA384:
+#ifdef OPENSSL_FIPS
+                       if(!sldns_digest_evp(buf, les, rest, EVP_sha384()))
+                               log_crypto_error("could not digest with EVP_sha256",
+                                       ERR_get_error());
+#else
                        (void)SHA384(buf, len, res);
+#endif
                        return 1;
 #endif
                default: 
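Review bot: The log string in the LDNS_SHA384 case reads `"could not digest with EVP_sha256"` although the call uses EVP_sha384(), so a FIPS digest failure would be reported against the wrong algorithm. Change the line to `log_crypto_error("could not digest with EVP_sha384",`. The body of the default branch lies past the end of this hunk.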
@@ -248,22 +294,6 @@ dnskey_algo_id_is_supported(int id)
        }
 }
 
-/**
- * Output a libcrypto openssl error to the logfile.
- * @param str: string to add to it.
- * @param e: the error to output, error number from ERR_get_error().
- */
-static void
-log_crypto_error(const char* str, unsigned long e)
-{
-       char buf[128];
-       /* or use ERR_error_string if ERR_error_string_n is not avail TODO */
-       ERR_error_string_n(e, buf, sizeof(buf));
-       /* buf now contains */
-       /* error:[error code]:[library name]:[function name]:[reason string] */
-       log_err("%s crypto %s", str, buf);
-}
-
 #ifdef USE_DSA
 /**
  * Setup DSA key digest in DER encoding ...