"forcing zone maintenance");
named_os_started();
+
+#ifdef HAVE_FIPS_MODE
+ isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+ NAMED_LOGMODULE_SERVER, ISC_LOG_NOTICE,
+ "FIPS mode is %s",
+ FIPS_mode() ? "enabled" : "disabled");
+#endif
+
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_SERVER, ISC_LOG_NOTICE, "running");
+ NAMED_LOGMODULE_SERVER, ISC_LOG_NOTICE,
+ "running");
}
return (ISC_R_SUCCESS);
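Review bot: The "disabled" branch of the new FIPS notice looks unreachable when HAVE_FIPS_MODE is defined, because the companion change in dst_openssl.c forces FIPS_mode_set(1) during dst initialisation and exits on failure, so by the time named reaches this line FIPS_mode() is either non-zero or the process is already gone (assuming dst initialisation precedes this point, which is not visible here). Conversely, a build configured without --enable-fips-mode logs nothing at all even when the OpenSSL library has been put into FIPS mode system-wide, which is the situation operators most need to see reported. Consider having configure probe for FIPS_mode() independently of the --enable-fips-mode switch, so this notice is emitted whenever the function exists and the switch only decides whether dst forces the mode on. The enclosing function starts before and ends after this hunk.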
/* Define to 1 if you have the <fcntl.h> header file. */
#undef HAVE_FCNTL_H
+/* Define to 1 if you have the `FIPS_mode' function. */
+#undef HAVE_FIPS_MODE
+
/* Build with GeoIP support */
#undef HAVE_GEOIP
with_locktype
with_libtool
with_openssl
+enable_fips_mode
with_cc_alg
enable_native_pkcs11
with_pkcs11
--enable-kqueue use BSD kqueue when available [default=yes]
--enable-epoll use Linux epoll when available [default=auto]
--enable-devpoll use /dev/poll when available [default=yes]
+ --enable-fips-mode enable FIPS mode in OpenSSL library [default=no]
--enable-native-pkcs11 use native PKCS11 for public-key crypto [default=no]
--enable-largefile 64-bit file support
--enable-backtrace log stack backtrace on abort [default=yes]
done
+#
+# Check whether FIPS mode is available and whether we should enable it
+#
+# Check whether --enable-fips-mode was given.
+if test "${enable_fips_mode+set}" = set; then :
+ enableval=$enable_fips_mode;
+else
+ enable_fips_mode="no"
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable FIPS mode in OpenSSL library" >&5
+$as_echo_n "checking whether to enable FIPS mode in OpenSSL library... " >&6; }
+case $enable_fips_mode in #(
+ yes) :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ for ac_func in FIPS_mode
+do :
+ ac_fn_c_check_func "$LINENO" "FIPS_mode" "ac_cv_func_FIPS_mode"
+if test "x$ac_cv_func_FIPS_mode" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_FIPS_MODE 1
+_ACEOF
+
+else
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "OpenSSL FIPS mode requested but not available.
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+done
+ ;; #(
+ no) :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; } ;; #(
+ *) :
+ ;;
+esac
+
CFLAGS="$save_CFLAGS"
LIBS="$save_LIBS"
LDFLAGS="$save_LDFLAGS"
#
AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg])
+#
+# Check whether FIPS mode is available and whether we should enable it
+#
+AC_ARG_ENABLE([fips-mode],
+ [AS_HELP_STRING([--enable-fips-mode],
+ [enable FIPS mode in OpenSSL library [default=no]])],
+ [], [enable_fips_mode="no"])
+
+AC_MSG_CHECKING([whether to enable FIPS mode in OpenSSL library])
+AS_CASE([$enable_fips_mode],
+ [yes], [AC_MSG_RESULT([yes])
+ AC_CHECK_FUNCS([FIPS_mode],
+ [], [AC_MSG_FAILURE([OpenSSL FIPS mode requested but not available.])])],
+ [no], [AC_MSG_RESULT([no])])
+
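Review bot: The AS_CASE on $enable_fips_mode has no default branch, so `--enable-fips-mode=something` (any value other than yes/no) is accepted silently: AC_MSG_CHECKING is left without an AC_MSG_RESULT and FIPS mode is quietly not enabled, which is the wrong failure mode for a security knob. Add a third argument such as `[AC_MSG_ERROR([unknown value for --enable-fips-mode: $enable_fips_mode])]` after the `[no]` case. The generated configure hunk above shows the same gap in its `*) :` arm and would be regenerated from this fix.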
CFLAGS="$save_CFLAGS"
LIBS="$save_LIBS"
LDFLAGS="$save_LDFLAGS"
static ENGINE *e = NULL;
#endif
+static void
+enable_fips_mode(void) {
+#ifdef HAVE_FIPS_MODE
+ if (FIPS_mode() != 0) {
+ /*
+ * FIPS mode is already enabled.
+ */
+ return;
+ }
+
+ if (FIPS_mode_set(1) == 0) {
+ dst__openssl_toresult2("FIPS_mode_set", DST_R_OPENSSLFAILURE);
+ exit(1);
+ }
+#endif /* HAVE_FIPS_MODE */
+}
+
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
static void
lock_callback(int mode, int type, const char *file, int line) {
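Review bot: enable_fips_mode() calls exit(1) from inside the dst library when FIPS_mode_set(1) fails, which bypasses the caller's error path and whatever cleanup or logging the application has set up, whereas the rest of this file reports failures through isc_result_t. Return the result instead, so the caller can propagate DST_R_OPENSSLFAILURE up to named and fail cleanly; the call site in the following hunk would then check the return value (that function's body runs outside the hunk). Separately, FIPS_mode()/FIPS_mode_set() are the OpenSSL 1.x interface and are deprecated in OpenSSL 3.0, which deserves a comment above the function such as `/* Uses the OpenSSL 1.x FIPS_mode API; OpenSSL 3.0 deprecates it in favour of EVP_default_properties_enable_fips(). */`. Presumably dst__openssl_toresult2() returns the mapped isc_result_t, as it does elsewhere in this file.
```c
static isc_result_t
enable_fips_mode(void) {
#ifdef HAVE_FIPS_MODE
	if (FIPS_mode() != 0) {
		/* Already in FIPS mode (e.g. enabled system-wide). */
		return (ISC_R_SUCCESS);
	}

	if (FIPS_mode_set(1) == 0) {
		return (dst__openssl_toresult2("FIPS_mode_set",
					       DST_R_OPENSSLFAILURE));
	}
#endif /* HAVE_FIPS_MODE */
	return (ISC_R_SUCCESS);
}
```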
UNUSED(engine);
#endif
+ enable_fips_mode();
+
#ifdef DNS_CRYPTO_LEAKS
CRYPTO_malloc_debug_init();
CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);