unbound/unbound-1.16-fips-ed25519.patch
Petr Menšík 53ceffb423 Disable ED25519 and ED448 in FIPS mode
Those algorithms are not accepted by current FIPS mode. Disable them in
that mode, because they are not allowed. Might change once they are
added.

Resolves: rhbz#2079548
2022-07-08 20:05:09 +02:00


From cff6307f44c79df8975b3f205e98cd1a0464824b Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Wed, 27 Apr 2022 19:58:39 +0200
Subject: [PATCH] Disable ED25519 and ED448 in FIPS mode on openssl3
Both crypto functions are not allowed by FIPS 140-3. Use openssl 3.0
function to check FIPS mode presence and use it to make those algorithms
unsupported.
---
unbound-1.16.0/config.h.in | 4 ++++
unbound-1.16.0/configure.ac | 2 +-
unbound-1.16.0/validator/val_secalgo.c | 17 ++++++++++++++++-
3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/unbound-1.16.0/config.h.in b/unbound-1.16.0/config.h.in
index a080dde..cc1fbe8 100644
--- a/unbound-1.16.0/config.h.in
+++ b/unbound-1.16.0/config.h.in
@@ -222,6 +222,10 @@
/* Define to 1 if you have the `EVP_cleanup' function. */
#undef HAVE_EVP_CLEANUP
+/* Define to 1 if you have the `EVP_default_properties_is_fips_enabled'
+ function. */
+#undef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
+
/* Define to 1 if you have the `EVP_DigestVerify' function. */
#undef HAVE_EVP_DIGESTVERIFY
diff --git a/unbound-1.16.0/configure.ac b/unbound-1.16.0/configure.ac
index 1453b3a..69cb13b 100644
--- a/unbound-1.16.0/configure.ac
+++ b/unbound-1.16.0/configure.ac
@@ -906,7 +906,7 @@ else
AC_MSG_RESULT([no])
fi
AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
+AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex])
# these check_funcs need -lssl
BAKLIBS="$LIBS"
diff --git a/unbound-1.16.0/validator/val_secalgo.c b/unbound-1.16.0/validator/val_secalgo.c
index 7abf66f..6276675 100644
--- a/unbound-1.16.0/validator/val_secalgo.c
+++ b/unbound-1.16.0/validator/val_secalgo.c
@@ -215,6 +215,10 @@ ds_digest_size_supported(int algo)
switch(algo) {
case LDNS_SHA1:
#if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
+#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
+ if (EVP_default_properties_is_fips_enabled(NULL))
+ return 0;
+#endif
return SHA_DIGEST_LENGTH;
#else
if(fake_sha1) return 20;
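Review bot: The `#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED` guard around `EVP_default_properties_is_fips_enabled(NULL)` is written out here and again in both dnskey_algo_id_is_supported hunks, each with its own `#else`/`#endif` nesting inside existing conditionals. A single static helper that returns 0 when the function is not available would keep the FIPS decision in one place and make the three call sites one-line checks that are easier to audit. ds_digest_size_supported begins and ends outside this hunk, so the sketch below shows only the helper and the rewritten SHA-1 branch.

```c
/** Return nonzero when the default OpenSSL library context is in FIPS mode. */
static int
secalgo_fips_enabled(void)
{
#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
	return EVP_default_properties_is_fips_enabled(NULL);
#else
	return 0;
#endif
}

/* … unchanged: ds_digest_size_supported up to case LDNS_SHA1 … */
#if defined(HAVE_EVP_SHA1) && defined(USE_SHA1)
		if(secalgo_fips_enabled())
			return 0;
		return SHA_DIGEST_LENGTH;
```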
@@ -325,7 +329,11 @@ dnskey_algo_id_is_supported(int id)
case LDNS_RSASHA1:
case LDNS_RSASHA1_NSEC3:
#ifdef USE_SHA1
+#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
+ return !EVP_default_properties_is_fips_enabled(NULL);
+#else
return 1;
+#endif
#else
if(fake_sha1) return 1;
return 0;
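Review bot: The commit subject and description name only ED25519 and ED448, but this hunk also makes RSASHA1 and RSASHA1-NSEC3 unsupported in FIPS mode, and the ds_digest_size_supported hunk does the same for SHA-1 DS digests. Assuming that is intended, it should be stated in the patch description and next to the code, for example `/* SHA-1 based algorithms are reported as unsupported when the default OpenSSL context is in FIPS mode */` above the new `return`. Without that, someone auditing why a SHA-1 signed zone stopped validating on a FIPS host has nothing pointing them at this patch. dnskey_algo_id_is_supported starts and ends outside this hunk.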
@@ -341,15 +349,22 @@ dnskey_algo_id_is_supported(int id)
case LDNS_ECDSAP256SHA256:
case LDNS_ECDSAP384SHA384:
#endif
+#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA)
+ return 1;
+#endif
#ifdef USE_ED25519
case LDNS_ED25519:
#endif
#ifdef USE_ED448
case LDNS_ED448:
#endif
-#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA) || defined(USE_ED25519) || defined(USE_ED448)
+#if defined(USE_ED25519) || defined(USE_ED448)
+#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED
+ return !EVP_default_properties_is_fips_enabled(NULL);
+#else
return 1;
#endif
+#endif
#ifdef USE_GOST
case LDNS_ECC_GOST:
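Review bot: With `return !EVP_default_properties_is_fips_enabled(NULL);` a resolver in FIPS mode reports ED25519 and ED448 as unsupported without leaving any trace, and a validator that follows the usual DNSSEC rule for unknown algorithms will then treat zones signed only with them as insecure rather than validating them. That is a quiet loss of protection operators should be able to see, so I would at least add a comment above the return such as `/* FIPS mode: EdDSA unavailable, zones signed only with it are not validated (rhbz#2079548) */` and mention it in the package documentation. The check is also a fixed policy rather than a probe of what the active provider offers, so it will need revisiting if the FIPS provider gains these algorithms, as the commit description anticipates. dnskey_algo_id_is_supported starts and ends outside this hunk.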
--
2.36.1