Add --have-fips-dh to feature-test
authorMark Andrews <marka@isc.org>
Thu, 23 Dec 2021 03:55:50 +0000 (14:55 +1100)
committerMark Andrews <marka@isc.org>
Mon, 3 Apr 2023 02:06:04 +0000 (12:06 +1000)
Diffie-Hellman key exchange doesn't appear to work in FIPS mode for
OpenSSL 1.x.x.  Add feature test (--have-fips-dh) to identify builds
where DH key exchanges work (non FIPS builds and OpenSSL 3.0.0+) and
exclude the test that would otherwise fail.

bin/tests/system/Makefile.am
bin/tests/system/feature-test.c

index 3998b0d6f7e401fa7ebefc298562b7842bc5625d..380ad49d8ec55b2bcf67de97412108d8720c2d09 100644 (file)
@@ -34,7 +34,8 @@ check_PROGRAMS =              \
 
 feature_test_CPPFLAGS =                \
        $(AM_CPPFLAGS)          \
-       $(LIBDNS_CFLAGS)
+       $(LIBDNS_CFLAGS)        \
+       $(OPENSSL_CFLAGS)
 
 feature_test_LDADD =           \
        $(LDADD)                \
index 82a7269f361e811520d2369099a6fb2a9e53d58c..647db428a3f523cd44862d545f1b304600fb8fea 100644 (file)
@@ -17,6 +17,8 @@
 #include <string.h>
 #include <unistd.h>
 
+#include <openssl/opensslv.h>
+
 #include <isc/fips.h>
 #include <isc/md.h>
 #include <isc/net.h>
@@ -34,6 +36,7 @@ usage(void) {
        fprintf(stderr, "\t--enable-querytrace\n");
        fprintf(stderr, "\t--gethostname\n");
        fprintf(stderr, "\t--gssapi\n");
+       fprintf(stderr, "\t--have-fips-dh\n");
        fprintf(stderr, "\t--have-fips-mode\n");
        fprintf(stderr, "\t--have-geoip2\n");
        fprintf(stderr, "\t--have-json-c\n");
@@ -109,6 +112,25 @@ main(int argc, char **argv) {
 #endif /* HAVE_GSSAPI */
        }
 
+       if (strcmp(argv[1], "--have-fips-dh") == 0) {
+#if defined(ENABLE_FIPS_MODE)
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+               return (0);
+#else
+               return (1);
+#endif
+#else
+               if (isc_fips_mode()) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+                       return (0);
+#else
+                       return (1);
+#endif
+               }
+               return (0);
+#endif
+       }
+
        if (strcmp(argv[1], "--have-fips-mode") == 0) {
 #if defined(ENABLE_FIPS_MODE)
                return (0);
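Review bot: The `#if OPENSSL_VERSION_NUMBER >= 0x30000000L` / `return (0)` / `return (1)` block is written out twice in the new `--have-fips-dh` branch (once under `ENABLE_FIPS_MODE`, once inside the `isc_fips_mode()` check), and the two copies must be kept in sync by hand; the only thing that differs between the build variants is whether the runtime FIPS check is consulted, so the version test can be hoisted out and written once, as below. A one-line why-comment would also help, since the reason is only in the commit message: `/* DH key exchange is unavailable in FIPS mode with OpenSSL < 3.0.0 (see commit message). */`. Note that `OPENSSL_VERSION_NUMBER` is the header version seen at compile time, so if the binary runs against a different OpenSSL runtime than it was built with the answer may not match the library actually in use; if that matters for the test harness, `OpenSSL_version_num()` (available from OpenSSL 1.1.0) would give the runtime value. The `main` body, including whatever validates `argc` before `argv[1]` is read, starts and ends outside this hunk.
```c
	if (strcmp(argv[1], "--have-fips-dh") == 0) {
		/* DH key exchange is unavailable in FIPS mode with OpenSSL < 3.0.0. */
#if !defined(ENABLE_FIPS_MODE)
		/* Non-FIPS builds: DH works unless FIPS mode was enabled at runtime. */
		if (!isc_fips_mode()) {
			return (0);
		}
#endif
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
		return (0);
#else
		return (1);
#endif
	}
	/* … unchanged: --have-fips-mode check … */
```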