--enable-fips-mode option breaks build of hmacmd5.c and md5.c
Summary
When specifying the "--enable-fips-mode=yes" option with the ./configure command, the build fails on lib/isc/hmacmd5.c and lib/isc/md5.c.
Building on CentOS7.
BIND version used
9.12.4
Steps to reproduce
- unpack 9.12.4 tarball
- run "./configure --enable-fips-mode=yes"
- run "make" command
What is the current bug behavior?
The "make" command produces the following output (the build breaks similarly when the build process reaches lib/isc/md5.c):
```
...
gcc -std=gnu99 -I/tmp/bind-test/bind-9.12.4 -I../.. -I./unix/include -I./pthreads/include -I./x86_32/include -I./include -I./include -I/tmp/bind-test/bind-9.12.4/lib/dns/include -I../../lib/dns/include -D_REENTRANT -DOPENSSL -DPK11_LIB_LOCATION="undefined" -D_GNU_SOURCE -g -O2 -I/usr/include/libxml2 -fPIC -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing -fno-delete-null-pointer-checks -c hmacmd5.c
hmacmd5.c:409:1: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ at end of input
EMPTY_TRANSLATION_UNIT
^
make[2]: *** [hmacmd5.o] Error 1
make[2]: Leaving directory `/tmp/bind-test/bind-9.12.4/lib/isc'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory `/tmp/bind-test/bind-9.12.4/lib'
make: *** [subdirs] Error 1
```
What is the expected correct behavior?
The build completes successfully.
Relevant configuration files
When the "--enable-fips-mode=yes" option is specified, the following value is set in config.h:
```
/* Disable MD5 functions (for FIPSmode) */
#define PK11_MD5_DISABLE 1
```
Thus, the PK11_MD5_DISABLE C preprocessor value has been defined. The following C preprocessor logic is found in both hmacmd5.c and md5.c:
```
#include "config.h"
#include <pk11/site.h>
#ifndef PK11_MD5_DISABLE
#include <isc/util.h>
//body of code here
#else /* !PK11_MD5_DISABLE */
EMPTY_TRANSLATION_UNIT
#endif /* PK11_MD5_DISABLE */
```
The problem (I think) is that the "EMPTY_TRANSLATION_UNIT" macro is defined in the lib/isc/util.h file. So, when PK11_MD5_DISABLE is defined, isc/util.h is never included and thus EMPTY_TRANSLATION_UNIT is never set. This causes the pre-processor failure as seen in the compile snippet.
Possible fixes
If you move the "#include <isc/util.h>" directive such that it precedes the "#ifndef PK11_MD5_DISABLE" directive, then the build completes successfully. For example:
```
#include "config.h"
#include <pk11/site.h>
#include <isc/util.h>
```
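A minimal reproduction of the include-order problem described above, added here as an example (not code from the report or from BIND): it compiles a stand-in md5.c with util.h included inside and before the "#ifndef PK11_MD5_DISABLE" guard, with and without -DPK11_MD5_DISABLE. The file contents, the macro body in the stand-in util.h and the try_build helper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: constructed stand-ins for lib/isc/util.h and lib/isc/md5.c.

# try_build LAYOUT DEFINE
#   LAYOUT  "inside": util.h is included after the #ifndef (layout in the report)
#           "before": util.h is included ahead of the #ifndef (proposed fix)
#   DEFINE  extra compiler flag, "" or -DPK11_MD5_DISABLE
# Returns the compiler's exit status (0 = the translation unit builds).
try_build() {
    layout=$1
    define=$2
    dir=$(mktemp -d) || return 2
    mkdir -p "$dir/isc"
    # Stand-in header; the macro body is an assumption, not BIND's own text.
    echo '#define EMPTY_TRANSLATION_UNIT extern int isc__empty;' \
        > "$dir/isc/util.h"
    {
        if [ "$layout" = before ]; then echo '#include <isc/util.h>'; fi
        echo '#ifndef PK11_MD5_DISABLE'
        if [ "$layout" = inside ]; then echo '#include <isc/util.h>'; fi
        echo 'int md5_body(void) { return 0; }  /* placeholder for the real code */'
        echo '#else /* !PK11_MD5_DISABLE */'
        echo 'EMPTY_TRANSLATION_UNIT'
        echo '#endif /* PK11_MD5_DISABLE */'
    } > "$dir/md5.c"
    # $define is deliberately unquoted so an empty value adds no argument.
    ${CC:-cc} $define -I"$dir" -c "$dir/md5.c" -o "$dir/md5.o" 2>/dev/null
    status=$?
    rm -rf "$dir"
    return $status
}

# Build matrix: both layouts under both macro states.
for layout in inside before; do
    for define in "" -DPK11_MD5_DISABLE; do
        if try_build "$layout" "$define"; then r=ok; else r=FAIL; fi
        echo "util.h $layout guard, flags='$define': $r"
    done
done
```

Only the "inside" layout combined with -DPK11_MD5_DISABLE fails, which is the one combination a default (non-FIPS) build never exercises.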