#define LISTEN_DEFAULT_FIPS_CURVES "P-256:P-384:P-521"
#endif
+/* FIPS-approved signature algorithms for AWS-LC FIPS builds */
+#ifndef CONNECT_DEFAULT_FIPS_SIGALGS
+#define CONNECT_DEFAULT_FIPS_SIGALGS \
+ "ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384:ecdsa_secp521r1_sha512:" \
+ "rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:" \
+ "rsa_pkcs1_sha256:rsa_pkcs1_sha384:rsa_pkcs1_sha512"
+#endif
+
+#ifndef LISTEN_DEFAULT_FIPS_SIGALGS
+#define LISTEN_DEFAULT_FIPS_SIGALGS \
+ "ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384:ecdsa_secp521r1_sha512:" \
+ "rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:" \
+ "rsa_pkcs1_sha256:rsa_pkcs1_sha384:rsa_pkcs1_sha512"
+#endif
+
+#ifndef CONNECT_DEFAULT_FIPS_CLIENT_SIGALGS
+#define CONNECT_DEFAULT_FIPS_CLIENT_SIGALGS \
+ "ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384:ecdsa_secp521r1_sha512:" \
+ "rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:" \
+ "rsa_pkcs1_sha256:rsa_pkcs1_sha384:rsa_pkcs1_sha512"
+#endif
+
+#ifndef LISTEN_DEFAULT_FIPS_CLIENT_SIGALGS
+#define LISTEN_DEFAULT_FIPS_CLIENT_SIGALGS \
+ "ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384:ecdsa_secp521r1_sha512:" \
+ "rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:" \
+ "rsa_pkcs1_sha256:rsa_pkcs1_sha384:rsa_pkcs1_sha512"
+#endif
+
/* named curve used as defaults for ECDHE ciphers */
#ifndef ECDHE_DEFAULT_CURVE
#define ECDHE_DEFAULT_CURVE "prime256v1"
global_ssl.listen_default_curves = strdup(LISTEN_DEFAULT_FIPS_CURVES);
free(global_ssl.connect_default_curves);
global_ssl.connect_default_curves = strdup(CONNECT_DEFAULT_FIPS_CURVES);
+#if defined(SSL_CTX_set1_sigalgs_list)
+ free(global_ssl.listen_default_sigalgs);
+ global_ssl.listen_default_sigalgs = strdup(LISTEN_DEFAULT_FIPS_SIGALGS);
+ free(global_ssl.connect_default_sigalgs);
+ global_ssl.connect_default_sigalgs = strdup(CONNECT_DEFAULT_FIPS_SIGALGS);
+ free(global_ssl.listen_default_client_sigalgs);
+ global_ssl.listen_default_client_sigalgs = strdup(LISTEN_DEFAULT_FIPS_CLIENT_SIGALGS);
+ free(global_ssl.connect_default_client_sigalgs);
+ global_ssl.connect_default_client_sigalgs = strdup(CONNECT_DEFAULT_FIPS_CLIENT_SIGALGS);
+#endif
}
#endif /* OPENSSL_IS_AWSLC */
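Review bot: The guard `#if defined(SSL_CTX_set1_sigalgs_list)` at L38 only holds when the TLS library exposes that name as a preprocessor macro (OpenSSL's ssl.h does); this block sits inside the `OPENSSL_IS_AWSLC` region, and if the AWS-LC header in use declares `SSL_CTX_set1_sigalgs_list` as a plain function instead, the whole FIPS sigalgs assignment is compiled out and the defaults silently stay at their non-FIPS values. Confirm which form AWS-LC ships, or gate this block on the same condition the rest of the file uses to enable sigalgs configuration so both places agree. The `strdup()` results are not checked for NULL, which matches the pre-existing curves lines just above but leaves the sigalgs defaults unset on allocation failure; a follow-up could fail the FIPS initialisation in that case rather than proceeding with NULL defaults. The enclosing function starts outside the hunk.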