From a75ea01a155f6d6184973a788d3d9919690f7185 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Fri, 10 Oct 2025 09:17:08 +0200 Subject: [PATCH] - Fix #1358 Enabling FIPS in OpenSSL causes unit test to fail. --- doc/Changelog | 3 +++ testcode/unitverify.c | 42 ++++++++++++++++++++++++++++++------------ 2 files changed, 33 insertions(+), 12 deletions(-) diff --git a/doc/Changelog b/doc/Changelog index 0c28d6bab..9e7bd3323 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +10 October 2025: Wouter + - Fix #1358 Enabling FIPS in OpenSSL causes unit test to fail. + 3 October 2025: Yorgos - Note 'respip' and 'dns64' module order in the unbound.conf man page. diff --git a/testcode/unitverify.c b/testcode/unitverify.c index 12d5205b0..a101c528f 100644 --- a/testcode/unitverify.c +++ b/testcode/unitverify.c @@ -631,6 +631,7 @@ rh_allow_sha1_signatures_disabled(void) void verify_test(void) { + int do_sha1 = 1; unit_show_feature("signature verify"); #if defined(HAVE_SSL) && defined(USE_SHA1) 
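Review bot: `do_sha1` is declared unconditionally at the top of verify_test(), but every read and write of it visible in this patch sits inside `#ifdef USE_SHA1` or `#if defined(HAVE_SSL) && defined(USE_SHA1)` blocks. A build without USE_SHA1 therefore leaves the variable unused and is likely to trip -Wunused-variable. Either wrap the declaration in `#ifdef USE_SHA1` or add `(void)do_sha1;` right after it. The function body continues beyond this hunk.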
@@ -643,27 +644,40 @@ verify_test(void) #else _putenv("OPENSSL_ENABLE_SHA1_SIGNATURES=1"); #endif + do_sha1 = 1; } +#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED + if (EVP_default_properties_is_fips_enabled(NULL)) + do_sha1 = 0; #endif +#endif /* HAVE_SSL and USE_SHA1 */ #ifdef USE_SHA1 - verifytest_file(SRCDIRSTR "/testdata/test_signatures.1", "20070818005004"); + if(do_sha1) { + verifytest_file(SRCDIRSTR "/testdata/test_signatures.1", "20070818005004"); + } #endif #if defined(USE_DSA) && defined(USE_SHA1) - verifytest_file(SRCDIRSTR "/testdata/test_signatures.2", "20080414005004"); - verifytest_file(SRCDIRSTR "/testdata/test_signatures.3", "20080416005004"); - verifytest_file(SRCDIRSTR "/testdata/test_signatures.4", "20080416005004"); - verifytest_file(SRCDIRSTR "/testdata/test_signatures.5", "20080416005004"); - verifytest_file(SRCDIRSTR "/testdata/test_signatures.6", "20080416005004"); - verifytest_file(SRCDIRSTR "/testdata/test_signatures.7", "20070829144150"); + if(do_sha1) { + verifytest_file(SRCDIRSTR "/testdata/test_signatures.2", "20080414005004"); + verifytest_file(SRCDIRSTR "/testdata/test_signatures.3", "20080416005004"); + verifytest_file(SRCDIRSTR "/testdata/test_signatures.4", "20080416005004"); + verifytest_file(SRCDIRSTR "/testdata/test_signatures.5", "20080416005004"); + verifytest_file(SRCDIRSTR "/testdata/test_signatures.6", "20080416005004"); + verifytest_file(SRCDIRSTR "/testdata/test_signatures.7", "20070829144150"); + } #endif /* USE_DSA */ #ifdef USE_SHA1 - verifytest_file(SRCDIRSTR "/testdata/test_signatures.8", "20070829144150"); + if(do_sha1) { + verifytest_file(SRCDIRSTR "/testdata/test_signatures.8", "20070829144150"); + } #endif #if (defined(HAVE_EVP_SHA256) || defined(HAVE_NSS) || defined(HAVE_NETTLE)) && defined(USE_SHA2) verifytest_file(SRCDIRSTR "/testdata/test_sigs.rsasha256", "20070829144150"); # ifdef USE_SHA1 - verifytest_file(SRCDIRSTR "/testdata/test_sigs.sha1_and_256", "20070829144150"); + if(do_sha1) { + 
verifytest_file(SRCDIRSTR "/testdata/test_sigs.sha1_and_256", "20070829144150"); + } # endif verifytest_file(SRCDIRSTR "/testdata/test_sigs.rsasha256_draft", "20090101000000"); #endif @@ -672,8 +686,10 @@ verify_test(void) verifytest_file(SRCDIRSTR "/testdata/test_signatures.9", "20171215000000"); #endif #ifdef USE_SHA1 - verifytest_file(SRCDIRSTR "/testdata/test_sigs.hinfo", "20090107100022"); - verifytest_file(SRCDIRSTR "/testdata/test_sigs.revoked", "20080414005004"); + if(do_sha1) { + verifytest_file(SRCDIRSTR "/testdata/test_sigs.hinfo", "20090107100022"); + verifytest_file(SRCDIRSTR "/testdata/test_sigs.revoked", "20080414005004"); + } #endif #ifdef USE_GOST if(sldns_key_EVP_load_gost_id()) @@ -699,7 +715,9 @@ verify_test(void) } #endif #ifdef USE_SHA1 - dstest_file(SRCDIRSTR "/testdata/test_ds.sha1"); + if(do_sha1) { + dstest_file(SRCDIRSTR "/testdata/test_ds.sha1"); + } #endif nsectest(); nsec3_hash_test(SRCDIRSTR "/testdata/test_nsec3_hash.1"); -- 2.47.3
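Review bot: With FIPS enabled, `do_sha1 = 0` makes the run skip every SHA-1 signature and DS vector without a trace, so a green result no longer tells the reader whether SHA-1 validation was exercised. Print the skip where the flag is cleared, e.g. `if(EVP_default_properties_is_fips_enabled(NULL)) { do_sha1 = 0; printf("FIPS mode: skipping SHA1 tests\n"); }`; that also covers the guarded calls in the hunks at -672 and -699. The `do_sha1 = 1;` added after the setenv/_putenv call repeats the initializer and can be dropped. The diffstat lists only doc/Changelog and testcode/unitverify.c, so `HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED` has to come from a configure check that already exists; if it does not, the new test is compiled out and the fix has no effect. verify_test() begins before and ends after this hunk.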
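Review bot: Guarding `test_sigs.hinfo` and `test_sigs.revoked` with `do_sha1` may drop more than hash coverage: judging only by the file names, these look like behaviour vectors (record canonicalisation, revoked-key handling) that happen to be signed with SHA-1. Under FIPS those paths would then go untested. A comment above the guard such as `/* SHA1-signed vectors; no SHA-2 signed equivalent yet */` would record the gap, and a follow-up could add equivalents signed with a SHA-2 algorithm that run unconditionally. The same applies to `test_sigs.sha1_and_256` in the previous hunk.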