#include <unistd.h>
#include <openssl/opensslv.h>
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-#include <openssl/err.h>
-#include <openssl/provider.h>
-#endif
#include <isc/async.h>
#include <isc/attributes.h>
#include <isc/base64.h>
#include <isc/buffer.h>
-#include <isc/fips.h>
+#include <isc/crypto.h>
#include <isc/hex.h>
#include <isc/lib.h>
#include <isc/log.h>
/* Default trust anchors */
static char anchortext[] = TRUST_ANCHORS;
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-static OSSL_PROVIDER *fips = NULL, *base = NULL;
-#endif
-
/*
* Static function prototypes
*/
while (strpbrk(option, single_dash_opts) == &option[0]) {
switch (option[0]) {
case 'F':
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- fips = OSSL_PROVIDER_load(NULL, "fips");
- if (fips == NULL) {
- ERR_clear_error();
- fatal("Failed to load FIPS provider");
- }
- base = OSSL_PROVIDER_load(NULL, "base");
- if (base == NULL) {
- OSSL_PROVIDER_unload(fips);
- ERR_clear_error();
- fatal("Failed to load base provider");
- }
-#endif
- /* Already in FIPS mode? */
- if (isc_fips_mode()) {
- break;
- }
- if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
+ if (isc_crypto_fips_enable() != ISC_R_SUCCESS) {
fatal("setting FIPS mode failed");
}
break;
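Review bot: The failure branch on the added `if (isc_crypto_fips_enable() != ISC_R_SUCCESS)` line discards the result code, so the user sees the same "setting FIPS mode failed" whether the build has no FIPS support at all (the library returns ISC_R_NOTIMPLEMENTED there) or the provider load or property switch failed (ISC_R_CRYPTOFAILURE), and the detail that the library logs through isc_tlserr2result is produced while options are still being parsed, which for dnssec-ksr and dnssec-signzone is before their later `setup_logging()` call, so it is likely never shown. Consider `isc_result_t result = isc_crypto_fips_enable();` / `if (result != ISC_R_SUCCESS) {` / `fatal("setting FIPS mode failed: %s", isc_result_totext(result));` here, and the same in the `case 'F':` branches of dig, dnssec-keygen, dnssec-ksr and dnssec-signzone and in named's `named_main_earlyfatal` call. For dnssec-keygen, dnssec-ksr and dnssec-signzone the call also moves from after the option loop into the option handler itself, so `-F` is now order-sensitive relative to any option handler that consults `isc_crypto_fips_mode()` during parsing; if such handlers exist, the usage text should say `-F` must come first. The enclosing option loop starts and ends outside the hunk.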
isc_managers_destroy(&mctx, &loopmgr, &netmgr);
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- if (base != NULL) {
- OSSL_PROVIDER_unload(base);
- }
- if (fips != NULL) {
- OSSL_PROVIDER_unload(fips);
- }
-#endif
-
return 0;
}
#include <time.h>
#include <isc/attributes.h>
+#include <isc/crypto.h>
#include <isc/dir.h>
-#include <isc/fips.h>
#include <isc/lib.h>
#include <isc/loop.h>
#include <isc/netaddr.h>
static uint32_t splitwidth = 0xffffffff;
#include <openssl/opensslv.h>
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-#include <openssl/err.h>
-#include <openssl/provider.h>
-#endif
-
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-static OSSL_PROVIDER *fips = NULL, *base = NULL;
-#endif
/*% opcode text */
static const char *const opcodetext[] = {
debugging = true;
break;
case 'F':
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- fips = OSSL_PROVIDER_load(NULL, "fips");
- if (fips == NULL) {
- ERR_clear_error();
- fatal("Failed to load FIPS provider");
- }
- base = OSSL_PROVIDER_load(NULL, "base");
- if (base == NULL) {
- OSSL_PROVIDER_unload(fips);
- ERR_clear_error();
- fatal("Failed to load base provider");
- }
-#endif
- /* Already in FIPS mode? */
- if (isc_fips_mode()) {
- break;
- }
- if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
+ if (isc_crypto_fips_enable() != ISC_R_SUCCESS) {
fatal("setting FIPS mode failed");
}
break;
dig_startup();
dig_shutdown();
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- if (base != NULL) {
- OSSL_PROVIDER_unload(base);
- }
- if (fips != NULL) {
- OSSL_PROVIDER_unload(fips);
- }
-#endif
-
return exitcode;
}
$(LDADD) \
$(OPENSSL_LIBS)
+dnssec_ksr_CPPFLAGS= \
+ $(AM_CPPFLAGS) \
+ $(OPENSSL_CFLAGS)
+
+dnssec_ksr_LDADD = \
+ $(LDADD) \
+ $(OPENSSL_LIBS)
+
dnssec_signzone_CPPFLAGS = \
$(AM_CPPFLAGS) \
$(OPENSSL_CFLAGS)
#include <isc/attributes.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
-#include <isc/fips.h>
+#include <isc/crypto.h>
#include <isc/lib.h>
#include <isc/log.h>
#include <isc/mem.h>
#include <dst/dst.h>
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-#include <openssl/err.h>
-#include <openssl/provider.h>
-#endif
-
#include "dnssectool.h"
const char *program = "dnssec-keygen";
fprintf(stderr, " -l <file>: configuration file with dnssec-policy "
"statement\n");
fprintf(stderr, " -a <algorithm>:\n");
- if (!isc_fips_mode()) {
+ if (!isc_crypto_fips_mode()) {
fprintf(stderr, " RSASHA1 | NSEC3RSASHA1 |\n");
}
fprintf(stderr, " RSASHA256 | RSASHA512 |\n");
fprintf(stderr, " ED25519 | ED448\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -b <key size in bits>:\n");
- if (!isc_fips_mode()) {
+ if (!isc_crypto_fips_mode()) {
fprintf(stderr, " RSASHA1:\t[%d..%d]\n", min_rsa,
MAX_RSA);
fprintf(stderr, " NSEC3RSASHA1:\t[%d..%d]\n", min_rsa,
fatal("unsupported algorithm: %s", algstr);
}
- if (isc_fips_mode()) {
+ if (isc_crypto_fips_mode()) {
/* verify only in FIPS mode */
switch (ctx->alg) {
case DST_ALG_RSASHA1:
switch (ctx->alg) {
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
- if (isc_fips_mode()) {
+ if (isc_crypto_fips_mode()) {
fatal("key size not specified (-b "
"option)");
}
switch (ctx->alg) {
case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3RSASHA1:
- if (isc_fips_mode()) {
+ if (isc_crypto_fips_mode()) {
fatal("SHA1 based keys not supported in FIPS mode");
}
FALLTHROUGH;
isc_textregion_t r;
unsigned char c;
int ch;
- bool set_fips_mode = false;
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- OSSL_PROVIDER *fips = NULL, *base = NULL;
-#endif
keygen_ctx_t ctx = {
.options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC,
ctx.prepub = strtottl(isc_commandline_argument);
break;
case 'F':
- set_fips_mode = true;
+ if (isc_crypto_fips_enable() != ISC_R_SUCCESS) {
+ fatal("setting FIPS mode failed");
+ }
break;
case '?':
if (isc_commandline_option != '?') {
ctx.quiet = true;
}
- if (set_fips_mode) {
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- fips = OSSL_PROVIDER_load(NULL, "fips");
- if (fips == NULL) {
- ERR_clear_error();
- fatal("Failed to load FIPS provider");
- }
- base = OSSL_PROVIDER_load(NULL, "base");
- if (base == NULL) {
- OSSL_PROVIDER_unload(fips);
- ERR_clear_error();
- fatal("Failed to load base provider");
- }
-#endif
- if (!isc_fips_mode()) {
- if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
- fatal("setting FIPS mode failed");
- }
- }
- }
-
/*
* The DST subsystem will set FIPS mode if requested at build time.
* The minimum sizes are both raised to 2048.
*/
- if (isc_fips_mode()) {
+ if (isc_crypto_fips_mode()) {
min_rsa = min_dh = 2048;
}
}
isc_mem_destroy(&mctx);
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- if (base != NULL) {
- OSSL_PROVIDER_unload(base);
- }
- if (fips != NULL) {
- OSSL_PROVIDER_unload(fips);
- }
-#endif
if (freeit != NULL) {
free(freeit);
}
#include <isc/buffer.h>
#include <isc/commandline.h>
-#include <isc/fips.h>
+#include <isc/crypto.h>
#include <isc/lex.h>
#include <isc/lib.h>
#include <isc/mem.h>
switch (ksr->alg) {
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
- if (isc_fips_mode()) {
+ if (isc_crypto_fips_mode()) {
/* verify-only in FIPS mode */
fatal("unsupported algorithm: %s", algstr);
}
isc_buffer_t buf;
int ch;
char *endp;
- bool set_fips_mode = false;
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- OSSL_PROVIDER *fips = NULL, *base = NULL;
-#endif
ksr_ctx_t ksr = {
.now = isc_stdtime_now(),
};
ksr.now, &ksr.setend);
break;
case 'F':
- set_fips_mode = true;
+ if (isc_crypto_fips_enable() != ISC_R_SUCCESS) {
+ fatal("setting FIPS mode failed");
+ }
break;
case 'f':
ksr.file = isc_commandline_argument;
* The DST subsystem will set FIPS mode if requested at build time.
* The minimum sizes are both raised to 2048.
*/
- if (isc_fips_mode()) {
+ if (isc_crypto_fips_mode()) {
min_rsa = min_dh = 2048;
}
setup_logging();
- if (set_fips_mode) {
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- fips = OSSL_PROVIDER_load(NULL, "fips");
- if (fips == NULL) {
- fatal("Failed to load FIPS provider");
- }
- base = OSSL_PROVIDER_load(NULL, "base");
- if (base == NULL) {
- OSSL_PROVIDER_unload(fips);
- fatal("Failed to load base provider");
- }
-#endif
- if (!isc_fips_mode()) {
- if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
- fatal("setting FIPS mode failed");
- }
- }
- }
-
/* zone */
namestr = argv[1];
name = dns_fixedname_initname(&fname);
#include <isc/commandline.h>
#include <isc/dir.h>
#include <isc/file.h>
-#include <isc/fips.h>
#include <isc/hash.h>
#include <isc/hex.h>
#include <isc/lib.h>
#include <dns/zoneverify.h>
#include <dst/dst.h>
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-#include <openssl/err.h>
-#include <openssl/provider.h>
-#endif
#include "dnssectool.h"
bool set_optout = false;
bool set_iter = false;
bool nonsecify = false;
- bool set_fips_mode = false;
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- OSSL_PROVIDER *fips = NULL, *base = NULL;
-#endif
atomic_init(&shuttingdown, false);
atomic_init(&finished, false);
break;
case 'F':
- set_fips_mode = true;
+ if (isc_crypto_fips_enable() != ISC_R_SUCCESS) {
+ fatal("setting FIPS mode failed");
+ }
break;
case '?':
isc_managers_create(&mctx, nloops, &loopmgr, &netmgr);
- if (set_fips_mode) {
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- fips = OSSL_PROVIDER_load(NULL, "fips");
- if (fips == NULL) {
- ERR_clear_error();
- fatal("Failed to load FIPS provider");
- }
- base = OSSL_PROVIDER_load(NULL, "base");
- if (base == NULL) {
- OSSL_PROVIDER_unload(fips);
- ERR_clear_error();
- fatal("Failed to load base provider");
- }
-#endif
- if (!isc_fips_mode()) {
- if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
- fatal("setting FIPS mode failed");
- }
- }
- }
-
setup_logging();
argc -= isc_commandline_index;
isc_mem_stats(mctx, stdout);
}
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- if (base != NULL) {
- OSSL_PROVIDER_unload(base);
- }
- if (fips != NULL) {
- OSSL_PROVIDER_unload(fips);
- }
-#endif
-
isc_managers_destroy(&mctx, &loopmgr, &netmgr);
if (printstats) {
#include <isc/crypto.h>
#include <isc/dir.h>
#include <isc/file.h>
-#include <isc/fips.h>
#include <isc/hash.h>
#include <isc/httpd.h>
#include <isc/lib.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/opensslv.h>
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-#include <openssl/err.h>
-#include <openssl/provider.h>
-#endif
#ifdef HAVE_LIBXML2
#include <libxml/parser.h>
#include <libxml/xmlversion.h>
static bool disable6 = false;
static bool disable4 = false;
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-static OSSL_PROVIDER *fips = NULL, *base = NULL;
-#endif
-
void
named_main_earlywarning(const char *format, ...) {
va_list args;
named_main_earlyfatal("option '-X' has been removed");
break;
case 'F':
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- fips = OSSL_PROVIDER_load(NULL, "fips");
- if (fips == NULL) {
- ERR_clear_error();
- named_main_earlyfatal(
- "Failed to load FIPS provider");
- }
- base = OSSL_PROVIDER_load(NULL, "base");
- if (base == NULL) {
- OSSL_PROVIDER_unload(fips);
- ERR_clear_error();
- named_main_earlyfatal(
- "Failed to load base provider");
- }
-#endif
- if (isc_fips_mode()) { /* Already in FIPS mode. */
- break;
- }
- if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
+ if (isc_crypto_fips_enable() != ISC_R_SUCCESS) {
named_main_earlyfatal(
"setting FIPS mode failed");
}
named_os_shutdown();
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- if (base != NULL) {
- OSSL_PROVIDER_unload(base);
- }
- if (fips != NULL) {
- OSSL_PROVIDER_unload(fips);
- }
-#endif
-
#ifdef HAVE_GPERFTOOLS_PROFILER
ProfilerStop();
#endif /* ifdef HAVE_GPERFTOOLS_PROFILER */
#include <isc/commandline.h>
#include <isc/dir.h>
#include <isc/file.h>
-#include <isc/fips.h>
#include <isc/hash.h>
#include <isc/hex.h>
#include <isc/hmac.h>
isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER,
ISC_LOG_NOTICE, "FIPS mode is %s",
- isc_fips_mode() ? "enabled" : "disabled");
+ isc_crypto_fips_mode() ? "enabled" : "disabled");
#if HAVE_LIBSYSTEMD
sd_notifyf(0,
#include <openssl/provider.h>
#endif
-#include <isc/fips.h>
+#include <isc/crypto.h>
#include <isc/lib.h>
#include <isc/md.h>
#include <isc/mem.h>
return 1;
#endif
#else
- if (isc_fips_mode()) {
+ if (isc_crypto_fips_mode()) {
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
return 0;
#else
#if defined(ENABLE_FIPS_MODE)
return 0;
#else
- return isc_fips_mode() ? 0 : 1;
+ return isc_crypto_fips_mode() ? 0 : 1;
#endif
}
#include <unistd.h>
#include <isc/buffer.h>
+#include <isc/crypto.h>
#include <isc/dir.h>
#include <isc/file.h>
-#include <isc/fips.h>
#include <isc/lex.h>
#include <isc/mem.h>
#include <isc/once.h>
#include <openssl/param_build.h>
#endif
-#include <isc/fips.h>
#include <isc/mem.h>
#include <isc/result.h>
#include <isc/safe.h>
}
#if OPENSSL_VERSION_NUMBER >= 0x30200000L
- if (!isc_fips_mode()) {
+ if (!isc_crypto_fips_mode()) {
ret = opensslecdsa_set_deterministic(
pctx, dctx->key->key_alg);
if (ret != ISC_R_SUCCESS) {
include/isc/errno.h \
include/isc/error.h \
include/isc/file.h \
- include/isc/fips.h \
include/isc/formatcheck.h \
include/isc/fuzz.h \
include/isc/getaddresses.h \
errno2result.h \
error.c \
file.c \
- fips.c \
getaddresses.c \
hash.c \
hashmap.c \
* information regarding copyright ownership.
*/
+#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/ssl.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/provider.h>
+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+
#include <isc/crypto.h>
-#include <isc/fips.h>
#include <isc/log.h>
#include <isc/mem.h>
#include <isc/tls.h>
static isc_mem_t *isc__crypto_mctx = NULL;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+static OSSL_PROVIDER *base = NULL, *fips = NULL;
+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+
const EVP_MD *isc__crypto_md5 = NULL;
const EVP_MD *isc__crypto_sha1 = NULL;
const EVP_MD *isc__crypto_sha224 = NULL;
isc__crypto_##alg = NULL; \
} \
}
-
#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
#define md_register_algorithm(alg, algname) \
{ \
#define md_unregister_algorithm(alg)
#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+static isc_result_t
+register_algorithms(void) {
+ if (!isc_crypto_fips_mode()) {
+ md_register_algorithm(md5, "MD5");
+ }
+
+ md_register_algorithm(sha1, "SHA1");
+ md_register_algorithm(sha224, "SHA224");
+ md_register_algorithm(sha256, "SHA256");
+ md_register_algorithm(sha384, "SHA384");
+ md_register_algorithm(sha512, "SHA512");
+
+ return ISC_R_SUCCESS;
+}
+
+static void
+unregister_algorithms(void) {
+ md_unregister_algorithm(sha512);
+ md_unregister_algorithm(sha384);
+ md_unregister_algorithm(sha256);
+ md_unregister_algorithm(sha224);
+ md_unregister_algorithm(sha1);
+ md_unregister_algorithm(md5);
+}
+
+#undef md_unregister_algorithm
+#undef md_register_algorithm
+
#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
/*
* This was crippled with LibreSSL, so just skip it:
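Review bot: register_algorithms() is declared to return isc_result_t, yet its only return is ISC_R_SUCCESS and both call sites — isc__crypto_initialize and isc_crypto_fips_enable — discard the value, so the signature advertises error reporting that does not exist. Either make it `static void register_algorithms(void)` to match unregister_algorithms(), or, if md_register_algorithm can fail on a missing digest, have it return a failure and check it at both callers. A short comment on the MD5 branch would also help readers of the macro soup: `/* MD5 is not available in FIPS mode; isc__crypto_md5 stays NULL so callers get ISC_R_NOTIMPLEMENTED */`, which is the behaviour the md test in this change now asserts.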
#endif /* !defined(LIBRESSL_VERSION_NUMBER) */
+#if defined(HAVE_EVP_DEFAULT_PROPERTIES_ENABLE_FIPS)
+bool
+isc_crypto_fips_mode(void) {
+ return EVP_default_properties_is_fips_enabled(NULL) != 0;
+}
+
+isc_result_t
+isc_crypto_fips_enable(void) {
+ if (isc_crypto_fips_mode()) {
+ return ISC_R_SUCCESS;
+ }
+
+ INSIST(fips == NULL);
+ fips = OSSL_PROVIDER_load(NULL, "fips");
+ if (fips == NULL) {
+ return isc_tlserr2result(
+ ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_CRYPTO,
+ "OSSL_PROVIDER_load", ISC_R_CRYPTOFAILURE);
+ }
+
+ INSIST(base == NULL);
+ base = OSSL_PROVIDER_load(NULL, "base");
+ if (base == NULL) {
+ OSSL_PROVIDER_unload(fips);
+ return isc_tlserr2result(
+ ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_CRYPTO,
+ "OSS_PROVIDER_load", ISC_R_CRYPTOFAILURE);
+ }
+
+ if (EVP_default_properties_enable_fips(NULL, 1) == 0) {
+ return isc_tlserr2result(ISC_LOGCATEGORY_GENERAL,
+ ISC_LOGMODULE_CRYPTO,
+ "EVP_default_properties_enable_fips",
+ ISC_R_CRYPTOFAILURE);
+ }
+
+ unregister_algorithms();
+ register_algorithms();
+
+ return ISC_R_SUCCESS;
+}
+#elif defined(HAVE_FIPS_MODE)
+bool
+isc_crypto_fips_mode(void) {
+ return FIPS_mode() != 0;
+}
+
+isc_result_t
+isc_crypto_fips_enable(void) {
+ if (isc_crypto_fips_mode()) {
+ return ISC_R_SUCCESS;
+ }
+
+ if (FIPS_mode_set(1) == 0) {
+ return isc_tlserr2result(ISC_LOGCATEGORY_GENERAL,
+ ISC_LOGMODULE_CRYPTO, "FIPS_mode_set",
+ ISC_R_CRYPTOFAILURE);
+ }
+
+ unregister_algorithms();
+ register_algorithms();
+
+ return ISC_R_SUCCESS;
+}
+#else
+bool
+isc_crypto_fips_mode(void) {
+ return false;
+}
+
+isc_result_t
+isc_crypto_fips_enable(void) {
+ return ISC_R_NOTIMPLEMENTED;
+}
+#endif
+
void
isc__crypto_setdestroycheck(bool check) {
isc_mem_setdestroycheck(isc__crypto_mctx, check);
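Review bot: In isc_crypto_fips_enable, the `base == NULL` branch calls `OSSL_PROVIDER_unload(fips)` but leaves the file-scope `fips` pointer set, so a process that continues to isc__crypto_shutdown would unload that provider a second time and a retried enable would trip `INSIST(fips == NULL)`; add `fips = NULL;` right after that unload. The `EVP_default_properties_enable_fips` failure branch returns with both providers loaded and still referenced; it should unload and clear `base` and `fips` in the same way, or carry a comment saying they are deliberately left for shutdown. The error tag on the base-provider path reads `"OSS_PROVIDER_load"` and should be `"OSSL_PROVIDER_load"` so the logged name matches the function that failed. Every caller in this change exits via fatal() on failure, so the stale pointer is only reachable from a caller that keeps running.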
RUNTIME_CHECK(OPENSSL_init_ssl(opts, NULL) == 1);
+ register_algorithms();
+
+#if defined(ENABLE_FIPS_MODE)
+ if (isc_crypto_fips_enable() != ISC_R_SUCCESS) {
+ ERR_clear_error();
+ FATAL_ERROR("Failed to toggle FIPS mode but is "
+ "required for this build");
+ }
+#endif
+
/* Protect ourselves against unseeded PRNG */
if (RAND_status() != 1) {
isc_tlserr2result(ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_CRYPTO,
"cannot be initialized (see the `PRNG not "
"seeded' message in the OpenSSL FAQ)");
}
-
-#if defined(ENABLE_FIPS_MODE)
- if (!isc_fips_mode()) {
- if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
- isc_tlserr2result(ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_CRYPTO, "FIPS_mode_set",
- ISC_R_CRYPTOFAILURE);
- exit(EXIT_FAILURE);
- }
- }
-#endif
-
- md_register_algorithm(md5, "MD5");
- md_register_algorithm(sha1, "SHA1");
- md_register_algorithm(sha224, "SHA224");
- md_register_algorithm(sha256, "SHA256");
- md_register_algorithm(sha384, "SHA384");
- md_register_algorithm(sha512, "SHA512");
}
void
isc__crypto_shutdown(void) {
- md_unregister_algorithm(sha512);
- md_unregister_algorithm(sha384);
- md_unregister_algorithm(sha256);
- md_unregister_algorithm(sha224);
- md_unregister_algorithm(sha1);
- md_unregister_algorithm(md5);
+ unregister_algorithms();
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ if (base != NULL) {
+ OSSL_PROVIDER_unload(base);
+ }
+
+ if (fips != NULL) {
+ OSSL_PROVIDER_unload(fips);
+ }
+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
OPENSSL_cleanup();
isc_mem_destroy(&isc__crypto_mctx);
}
-
-#undef md_unregister_algorithm
-#undef md_register_algorithm
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include <isc/fips.h>
-#include <isc/util.h>
-
-#if defined(HAVE_EVP_DEFAULT_PROPERTIES_ENABLE_FIPS)
-#include <openssl/evp.h>
-bool
-isc_fips_mode(void) {
- return EVP_default_properties_is_fips_enabled(NULL) != 0;
-}
-
-isc_result_t
-isc_fips_set_mode(int mode) {
- return EVP_default_properties_enable_fips(NULL, mode) != 0
- ? ISC_R_SUCCESS
- : ISC_R_FAILURE;
-}
-#elif defined(HAVE_FIPS_MODE)
-#include <openssl/crypto.h>
-
-bool
-isc_fips_mode(void) {
- return FIPS_mode() != 0;
-}
-
-isc_result_t
-isc_fips_set_mode(int mode) {
- return FIPS_mode_set(mode) != 0 ? ISC_R_SUCCESS : ISC_R_FAILURE;
-}
-#else
-bool
-isc_fips_mode(void) {
- return false;
-}
-
-isc_result_t
-isc_fips_set_mode(int mode) {
- UNUSED(mode);
- return ISC_R_NOTIMPLEMENTED;
-}
-#endif
extern const EVP_MD *isc__crypto_sha384;
extern const EVP_MD *isc__crypto_sha512;
+bool
+isc_crypto_fips_mode(void);
+/*
+ * Return if FIPS mode is currently enabled or not.
+ */
+
+isc_result_t
+isc_crypto_fips_enable(void);
+/*
+ * Enable FIPS mode. It cannot be disabled afterwards.
+ *
+ * This function is NOT thread safe.
+ */
+
/**
* Private
*/
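Review bot: The new prototypes document thread-safety and irreversibility but not the result contract a caller has to branch on, which the implementation in this change fixes: isc_crypto_fips_enable() returns ISC_R_SUCCESS immediately when FIPS mode is already on, ISC_R_NOTIMPLEMENTED on builds with neither EVP_default_properties_enable_fips nor FIPS_mode, and ISC_R_CRYPTOFAILURE when provider loading or the property switch fails. It is also worth stating the side effect visible in register_algorithms(): once enabled, the digest table is rebuilt without MD5, and that any providers loaded here are released by isc__crypto_shutdown(), so callers must not unload them. Suggested addition to the comment block: `Returns ISC_R_SUCCESS (including when already enabled), ISC_R_NOTIMPLEMENTED when the build lacks FIPS support, or ISC_R_CRYPTOFAILURE; on success MD5 is no longer registered.`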
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-#pragma once
-
-/*****
-***** Module Info
-*****/
-
-/***
- *** Imports
- ***/
-
-#include <isc/types.h>
-
-/***
- *** Functions
- ***/
-
-bool
-isc_fips_mode(void);
-/*
- * Return if FIPS mode is currently enabled or not
- */
-
-isc_result_t
-isc_fips_set_mode(int mode);
-/*
- * Enable FIPS mode.
- */
#include <isc/atomic.h>
#include <isc/crypto.h>
-#include <isc/fips.h>
#include <isc/ht.h>
#include <isc/log.h>
#include <isc/magic.h>
#include <stdbool.h>
#include <stdlib.h>
-#include <isc/fips.h>
+#include <isc/crypto.h>
#include <isc/log.h>
#include <isc/mem.h>
#include <isc/region.h>
goto cleanup;
}
- if (check_algorithms && isc_fips_mode() &&
+ if (check_algorithms && isc_crypto_fips_mode() &&
(key->algorithm == DNS_KEYALG_RSASHA1 ||
key->algorithm == DNS_KEYALG_NSEC3RSASHA1))
{
case DNS_KEYALG_NSEC3RSASHA1:
case DNS_KEYALG_RSASHA256:
case DNS_KEYALG_RSASHA512:
- if (isc_fips_mode()) {
+ if (isc_crypto_fips_mode()) {
min = 2048;
} else {
min = DNS_KEYALG_RSASHA512 ? 1024 : 512;
#define UNIT_TESTING
#include <cmocka.h>
+#include <isc/crypto.h>
#include <isc/file.h>
-#include <isc/fips.h>
#include <isc/hex.h>
#include <isc/lib.h>
#include <isc/result.h>
dst_context_destroy(&ctx);
#if OPENSSL_VERSION_NUMBER >= 0x30200000L
- if (isc_fips_mode()) {
+ if (isc_crypto_fips_mode()) {
assert_memory_not_equal(sigbuf1->base, sigbuf2->base, siglen);
} else {
assert_memory_equal(sigbuf1->base, sigbuf2->base, siglen);
#include <cmocka.h>
#include <isc/buffer.h>
-#include <isc/fips.h>
+#include <isc/crypto.h>
#include <isc/hex.h>
#include <isc/hmac.h>
#include <isc/lib.h>
assert_int_equal(isc_hmac_init(hmac_st, "", 0, NULL),
ISC_R_NOTIMPLEMENTED);
- if (!isc_fips_mode()) {
+ if (!isc_crypto_fips_mode()) {
expect_assert_failure(isc_hmac_init(NULL, "", 0, ISC_MD_MD5));
expect_assert_failure(
ISC_RUN_TEST_IMPL(isc_hmac_md5) {
isc_hmac_t *hmac_st = *state;
- if (isc_fips_mode()) {
+ if (isc_crypto_fips_mode()) {
skip();
return;
}
#include <cmocka.h>
#include <isc/buffer.h>
-#include <isc/fips.h>
+#include <isc/crypto.h>
#include <isc/hex.h>
#include <isc/lib.h>
#include <isc/md.h>
assert_int_equal(isc_md_init(md, NULL), ISC_R_NOTIMPLEMENTED);
- if (!isc_fips_mode()) {
+ if (isc_crypto_fips_mode()) {
+ assert_int_equal(isc_md_init(md, ISC_MD_MD5),
+ ISC_R_NOTIMPLEMENTED);
+ } else {
assert_int_equal(isc_md_init(md, ISC_MD_MD5), ISC_R_SUCCESS);
assert_int_equal(isc_md_reset(md), ISC_R_SUCCESS);
}
ISC_RUN_TEST_IMPL(isc_md_md5) {
isc_md_t *md = *state;
- if (isc_fips_mode()) {
+ if (isc_crypto_fips_mode()) {
skip();
return;
}