Description of problem: Support for FIPS mode would be benefical to BIND, especially IdM. However FIPS certified cannot be any low-level implementations of Diffie-Hellman key exchange. Look at possibility to replace built-in functions with higher level implementation EVP_* [1], which might be possibly ceritifed in FIPS. Current code will not conform to FIPS in any way. Try to reuse already implemented things from OpenSSL. Version-Release number of selected component (if applicable): bind-9.11.2-5.P1.fc28.i686 Additional info: [1] https://wiki.openssl.org/index.php/Manual:EVP_PKEY_derive(3)
I think upstream has implemented enough high level DH API from OpenSSL 3.0, which implements a FIPS compatible way. That is part of all 9.18.x versions. Especially in upstream commit e18777c758 [1]. Incldued in MR 5385 [2]. 1. https://gitlab.isc.org/isc-projects/bind9/commit/e18777c7582d54d227714882e9e79746ce48e002 2. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5385