From: Mark Andrews
Date: Thu, 23 Dec 2021 03:55:50 +0000 (+1100)
Subject: Add --have-fips-dh to feature-test
X-Git-Tag: v9.19.12~38^2~35
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6be00b3042e579950f9e66b1cb2c4f2e08b47e76;p=thirdparty%2Fbind9.git
Add --have-fips-dh to feature-test
Diffie-Hellman key echange doesn't appear to work in FIPS mode for OpenSSL 1.x.x. Add feature test (--have-fips-dh) to identify builds where DH key exchanges work (non FIPS builds and OpenSSL 3.0.0+) and exclude test that would otherwise fail.
---
diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am
index 3998b0d6f7e..380ad49d8ec 100644
--- a/bin/tests/system/Makefile.am
+++ b/bin/tests/system/Makefile.am
@@ -34,7 +34,8 @@ check_PROGRAMS = \
 feature_test_CPPFLAGS = \
 $(AM_CPPFLAGS) \
- $(LIBDNS_CFLAGS)
+ $(LIBDNS_CFLAGS) \
+ $(OPENSSL_CFLAGS)
 feature_test_LDADD = \
 $(LDADD) \
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
index 82a7269f361..647db428a3f 100644
--- a/bin/tests/system/feature-test.c
+++ b/bin/tests/system/feature-test.c
@@ -17,6 +17,8 @@
 #include
 #include
+#include
+
 #include
 #include
 #include
@@ -34,6 +36,7 @@ usage(void) {
 fprintf(stderr, "\t--enable-querytrace\n");
 fprintf(stderr, "\t--gethostname\n");
 fprintf(stderr, "\t--gssapi\n");
+ fprintf(stderr, "\t--have-fips-dh\n");
 fprintf(stderr, "\t--have-fips-mode\n");
 fprintf(stderr, "\t--have-geoip2\n");
 fprintf(stderr, "\t--have-json-c\n");
@@ -109,6 +112,25 @@ main(int argc, char **argv) {
 #endif /* HAVE_GSSAPI */
 }
+ if (strcmp(argv[1], "--have-fips-dh") == 0) {
+#if defined(ENABLE_FIPS_MODE)
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ return (0);
+#else
+ return (1);
+#endif
+#else
+ if (isc_fips_mode()) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ return (0);
+#else
+ return (1);
+#endif
+ }
+ return (0);
+#endif
+ }
+
 if (strcmp(argv[1], "--have-fips-mode") == 0) {
 #if defined(ENABLE_FIPS_MODE)
 return (0);
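Review bot: The OpenSSL version gate in the new `--have-fips-dh` branch of main() is written out twice, once on each side of `#if defined(ENABLE_FIPS_MODE)`, and nothing in the code says why 3.0.0 is the cut-off or that exit status 1 makes the system tests skip the DH cases. `OPENSSL_VERSION_NUMBER` is also taken from the headers at build time, so if the library loaded at run time is a different major version the answer may be wrong. A wrong 1 would silently remove DH coverage from a FIPS run, which deserves at least a comment. The fence below folds the two copies into one chain. It gives the same exit status for every combination, provided isc_fips_mode() has no side effect that the 3.0.0+ path depends on; that function is not visible here. main() starts and ends outside the hunk.

```c
	if (strcmp(argv[1], "--have-fips-dh") == 0) {
		/*
		 * DH key exchange does not work in FIPS mode before
		 * OpenSSL 3.0.0; exit 1 so callers skip the DH tests.
		 * The version is the build-time header version.
		 */
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
		return (0);
#elif defined(ENABLE_FIPS_MODE)
		return (1);
#else
		return (isc_fips_mode() ? 1 : 0);
#endif
	}
```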