Add --have-fips-dh to feature-test

Diffie-Hellman key echange doesn't appear to work in FIPS mode for OpenSSL 1.x.x. Add feature test (--have-fips-dh) to identify builds where DH key exchanges work (non FIPS builds and OpenSSL 3.0.0+) and exclude test that would otherwise fail.
2021-12-23 14:55:50 +11:00
parent fe8b41286f
commit 6be00b3042
2 changed files with 24 additions and 1 deletions
--- a/bin/tests/system/Makefile.am
+++ b/bin/tests/system/Makefile.am
@@ -34,7 +34,8 @@ check_PROGRAMS =		\

 feature_test_CPPFLAGS =		\
 	$(AM_CPPFLAGS)		\
-	$(LIBDNS_CFLAGS)
+	$(LIBDNS_CFLAGS)	\
+	$(OPENSSL_CFLAGS)

 feature_test_LDADD =		\
 	$(LDADD)		\
--- a/bin/tests/system/feature-test.c
+++ b/bin/tests/system/feature-test.c
@@ -17,6 +17,8 @@
 #include <string.h>
 #include <unistd.h>

+#include <openssl/opensslv.h>
+
 #include <isc/fips.h>
 #include <isc/md.h>
 #include <isc/net.h>
@@ -34,6 +36,7 @@ usage(void) {
 	fprintf(stderr, "\t--enable-querytrace\n");
 	fprintf(stderr, "\t--gethostname\n");
 	fprintf(stderr, "\t--gssapi\n");
+	fprintf(stderr, "\t--have-fips-dh\n");
 	fprintf(stderr, "\t--have-fips-mode\n");
 	fprintf(stderr, "\t--have-geoip2\n");
 	fprintf(stderr, "\t--have-json-c\n");
@@ -109,6 +112,25 @@ main(int argc, char **argv) {
 #endif /* HAVE_GSSAPI */
 	}

+	if (strcmp(argv[1], "--have-fips-dh") == 0) {
+#if defined(ENABLE_FIPS_MODE)
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+		return (0);
+#else
+		return (1);
+#endif
+#else
+		if (isc_fips_mode()) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+			return (0);
+#else
+			return (1);
+#endif
+		}
+		return (0);
+#endif
+	}
+
 	if (strcmp(argv[1], "--have-fips-mode") == 0) {
 #if defined(ENABLE_FIPS_MODE)
 		return (0);