- disable RSAMD5 if in FIPS mode (for openssl and for libnss).

git-svn-id: file:///svn/unbound/trunk@2702 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,5 +1,5 @@
 25 June 2012: Wouter
-	- disable RSAMD5 if in FIPS mode (when compiled with openssl).
+	- disable RSAMD5 if in FIPS mode (for openssl and for libnss).
 
 22 June 2012: Wouter
 	- implement DS records, NSEC3 and ECDSA for compile with libnss.

validator/val_secalgo.c

@@ -615,11 +615,13 @@ dnskey_algo_id_is_supported(int id)
 {
 	/* uses libNSS */
 	switch(id) {
+	case LDNS_RSAMD5:
+		/* disable MD5 support if FIPS mode is enabled in libnss */
+		return !PK11_IsFIPS();
 	case LDNS_DSA:
 	case LDNS_DSA_NSEC3:
 	case LDNS_RSASHA1:
 	case LDNS_RSASHA1_NSEC3:
-	case LDNS_RSAMD5:
 #ifdef USE_SHA2
 	case LDNS_RSASHA256:
 #endif