Dig now supports selecting FIPS mode at runtime
authorMark Andrews <marka@isc.org>
Wed, 20 Nov 2024 22:46:24 +0000 (09:46 +1100)
committerMark Andrews <marka@isc.org>
Thu, 21 Nov 2024 22:40:46 +0000 (09:40 +1100)
To enable FIPS mode at runtime use 'dig -F'.  The operating system
must have FIPS support available for this to succeed.  This is on
by default when dig is built with --enable-fips-mode.

bin/dig/Makefile.am
bin/dig/dig.c
bin/dig/dig.rst

index 3e86eeb3ffabe2225c5e3ee026376dc1bfd7629e..18af2407c2e6a696d925b00ff0b8e798be7b1574 100644 (file)
@@ -5,6 +5,7 @@ AM_CPPFLAGS +=                  \
        $(LIBDNS_CFLAGS)        \
        $(LIBISCCFG_CFLAGS)     \
        $(LIBIDN2_CFLAGS)       \
+       $(OPENSSL_CFLAGS)       \
        $(LIBUV_CFLAGS)         \
        $(OPENSSL_CFLAGS)
 
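Review bot: The added `$(OPENSSL_CFLAGS)` line duplicates the `$(OPENSSL_CFLAGS)` entry that already closes the AM_CPPFLAGS list two lines below it, so the same flags now appear twice on every compile line in bin/dig. This is harmless to the build but misleading to the next reader, who will assume the earlier entry was missing; drop the added line (or the trailing one) so the variable appears exactly once. The `$(OPENSSL_LIBS)` addition in the next hunk has no such duplicate.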
@@ -13,6 +14,7 @@ LDADD +=                      \
        $(LIBISC_LIBS)          \
        $(LIBDNS_LIBS)          \
        $(LIBISCCFG_LIBS)       \
+       $(OPENSSL_LIBS)         \
        $(LIBIDN2_LIBS)
 
 noinst_LTLIBRARIES = libdighost.la
index 11a1b11dda1794eccab0c29d17f9779685db04f8..f6783deb4812411d3f2a7edeb3f4fcb05c2cb317 100644 (file)
@@ -21,6 +21,7 @@
 
 #include <isc/attributes.h>
 #include <isc/dir.h>
+#include <isc/fips.h>
 #include <isc/loop.h>
 #include <isc/netaddr.h>
 #include <isc/parseint.h>
@@ -69,6 +70,16 @@ static bool short_form = false, printcmd = true, plusquest = false,
            pluscomm = false, ipv4only = false, ipv6only = false, digrc = true;
 static uint32_t splitwidth = 0xffffffff;
 
+#include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/err.h>
+#include <openssl/provider.h>
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+static OSSL_PROVIDER *fips = NULL, *base = NULL;
+#endif
+
 /*% opcode text */
 static const char *const opcodetext[] = {
        "QUERY",      "IQUERY",     "STATUS",     "RESERVED3",
@@ -2573,8 +2584,8 @@ exit_or_usage:
 /*%
  * #true returned if value was used
  */
-static const char *single_dash_opts = "46dhimnruv";
-static const char *dash_opts = "46bcdfhikmnpqrtvyx";
+static const char *single_dash_opts = "46dFhimnruv";
+static const char *dash_opts = "46bcdFfhikmnpqrtvyx";
 static bool
 dash_option(char *option, char *next, dig_lookup_t **lookup,
            bool *open_type_class, bool *need_clone, bool config_only, int argc,
@@ -2631,6 +2642,9 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
                                debugging = true;
                        }
                        break;
+               case 'F': /* FIPS */
+                       /* FIPS is handled in preparse_args() */
+                       break;
                case 'h':
                        help();
                        exit(EXIT_SUCCESS);
@@ -2904,6 +2918,28 @@ preparse_args(int argc, char **argv) {
                                /* For debugging early startup */
                                debugging = true;
                                break;
+                       case 'F':
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+                               fips = OSSL_PROVIDER_load(NULL, "fips");
+                               if (fips == NULL) {
+                                       ERR_clear_error();
+                                       fatal("Failed to load FIPS provider");
+                               }
+                               base = OSSL_PROVIDER_load(NULL, "base");
+                               if (base == NULL) {
+                                       OSSL_PROVIDER_unload(fips);
+                                       ERR_clear_error();
+                                       fatal("Failed to load base provider");
+                               }
+#endif
+                               /* Already in FIPS mode?  */
+                               if (isc_fips_mode()) {
+                                       break;
+                               }
+                               if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
+                                       fatal("setting FIPS mode failed");
+                               }
+                               break;
                        case 'm':
                                memdebugging = true;
                                isc_mem_debugging = ISC_MEM_DEBUGTRACE |
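Review bot: The `ERR_clear_error()` calls before each `fatal()` discard the libcrypto error queue, so a user whose FIPS provider fails to load (commonly because the FIPS module config is absent or not activated) sees only "Failed to load FIPS provider" with no underlying reason; replacing both with `ERR_print_errors_fp(stderr);` would surface the OpenSSL diagnostic before exiting. A repeated `-F` on the command line re-runs `OSSL_PROVIDER_load` and overwrites the `fips`/`base` handles, leaking the earlier references since main() unloads each handle only once; guarding the loads with `if (fips == NULL)` avoids that. The provider loads also run before the `isc_fips_mode()` early return, so they happen even when FIPS is already on — presumably harmless, but a comment saying so would help. preparse_args starts and ends outside this hunk.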
@@ -3428,5 +3464,14 @@ main(int argc, char **argv) {
        dig_startup();
        dig_shutdown();
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+       if (base != NULL) {
+               OSSL_PROVIDER_unload(base);
+       }
+       if (fips != NULL) {
+               OSSL_PROVIDER_unload(fips);
+       }
+#endif
+
        return exitcode;
 }
index 83c0ab7acf758ab15a3430fd7f0023a690cfa8b2..90c4a8dc96eac313bb69a834555d22ed44d11eb0 100644 (file)
@@ -20,7 +20,7 @@ dig - DNS lookup utility
 
 Synopsis
 ~~~~~~~~
-:program:`dig` [@server] [**-b** address] [**-c** class] [**-f** filename] [**-k** filename] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-v**] [**-x** addr] [**-y** [hmac:]name:key] [ [**-4**] | [**-6**] ] [name] [type] [class] [queryopt...]
+:program:`dig` [@server] [**-b** address] [**-c** class] [**-f** filename] [**-F**] [**-k** filename] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-v**] [**-x** addr] [**-y** [hmac:]name:key] [ [**-4**] | [**-6**] ] [name] [type] [class] [queryopt...]
 
 :program:`dig` [**-h**]
 
@@ -126,6 +126,10 @@ Options
    same way it would be presented as a query to :program:`dig` using the
    command-line interface.
 
+.. option:: -F
+
+   This option enables FIPS mode if supported by the cryptographic library in use.
+
 .. option:: -h
 
    Print a usage summary.