From: Mark Andrews Date: Fri, 17 Dec 2021 06:55:51 +0000 (+1100) Subject: Don't register FIPS incompatible algorithms in FIPS mode X-Git-Tag: v9.19.12~38^2~42 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=07a3b5b02fa515c0b77b781eccc961512446d023;p=thirdparty%2Fbind9.git Don't register FIPS incompatible algorithms in FIPS mode HMACMD5 is not permitted in FIPS mode. Note that RSASHA1 is only permitted for verification of signatures. --- diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 66c911b0250..896ee762519 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -40,6 +40,7 @@ #include #include #include +#include #include #include #include @@ -197,13 +198,16 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { UNUSED(engine); memset(dst_t_func, 0, sizeof(dst_t_func)); - RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5])); + RETERR(dst__openssl_init(engine)); /* Sets FIPS mode. */ + if (!isc_fips_mode()) { + RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5])); + } RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1])); RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224])); RETERR(dst__hmacsha256_init(&dst_t_func[DST_ALG_HMACSHA256])); RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384])); RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512])); - RETERR(dst__openssl_init(engine)); + /* RSASHA1 (NSEC3RSASHA1) is verify only in FIPS mode. */ RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1], DST_ALG_RSASHA1)); RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],