git.ipfire.org Git - thirdparty/bind9.git/commit

author	Aydın Mercan <aydin@isc.org>
	Wed, 4 Dec 2024 10:11:45 +0000 (13:11 +0300)
committer	Michal Nowak <mnowak@isc.org>
	Mon, 9 Dec 2024 10:33:01 +0000 (10:33 +0000)
commit	8d093a6b66f4c68be3f5cba9aa19ddcbaa00dcba
tree	b58f8aa298799ba33a51447851d079590b7369e7	tree \| snapshot
parent	63060314098c8ac0ee61de19fe1e6002ecb5485d	commit \| diff

disable deterministic ecdsa for fips builds

FIPS 186-5 [1] allows the usage deterministic ECDSA (Section 6.3) which
is compabile with RFC 6979 [2] but OpenSSL seems to follow FIPS 186-4
(Section 6.3) [3] which only allows for random k values, failing
k value generation for OpenSSL >=3.2. [4]

Fix signing by not using deterministic ECDSA when FIPS mode is active.

[1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
[2]: https://datatracker.ietf.org/doc/html/rfc6979
[3]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
[4]: https://github.com/openssl/openssl/blob/85f17585b0d8b55b335f561e2862db14a20b1e64/crypto/ec/ecdsa_ossl.c#L201-L207

lib/dns/opensslecdsa_link.c		diff \| blob \| blame \| history
tests/dns/dst_test.c		diff \| blob \| blame \| history