#include <time.h>
#include <unistd.h>
+#include <openssl/opensslv.h>
+
#include <isc/async.h>
#include <isc/atomic.h>
#include <isc/attributes.h>
#include <isc/commandline.h>
#include <isc/dir.h>
#include <isc/file.h>
+#include <isc/fips.h>
#include <isc/hash.h>
#include <isc/hex.h>
#include <isc/loop.h>
#include <dns/zoneverify.h>
#include <dst/dst.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+#include <openssl/provider.h>
+#endif
#include "dnssectool.h"
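Review bot: The guard `#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000` introduced here is repeated verbatim at the provider variable declaration, the provider-load block and the unload block later in the file, so four copies of one expression have to be kept in step by hand. Define it once next to this include, for example `#define HAVE_OSSL_PROVIDERS (OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000)` (constructed name), and test that macro at the other three sites. If `<openssl/err.h>` is added for error reporting in the load path, it belongs under the same guard as `<openssl/provider.h>`.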
fprintf(stderr, "\t\tdirectory to find key files (.)\n");
fprintf(stderr, "\t-d directory:\n");
fprintf(stderr, "\t\tdirectory to find dsset-* files (.)\n");
+ fprintf(stderr, "\t-F:\tFIPS mode\n");
fprintf(stderr, "\t-g:\t");
fprintf(stderr, "update DS records based on child zones' "
"dsset-* files\n");
bool set_optout = false;
bool set_iter = false;
bool nonsecify = false;
+ bool set_fips_mode = false;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+ OSSL_PROVIDER *fips = NULL, *base = NULL;
+#endif
atomic_init(&shuttingdown, false);
atomic_init(&finished, false);
break;
case 'F':
- /* Reserved for FIPS mode */
- FALLTHROUGH;
+ set_fips_mode = true;
+ break;
+
case '?':
if (isc_commandline_option != '?') {
fprintf(stderr, "%s: invalid argument -%c\n",
isc_managers_create(&mctx, nloops, &loopmgr, &netmgr);
+ if (set_fips_mode) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+ fips = OSSL_PROVIDER_load(NULL, "fips");
+ if (fips == NULL) {
+ fatal("Failed to load FIPS provider");
+ }
+ base = OSSL_PROVIDER_load(NULL, "base");
+ if (base == NULL) {
+ OSSL_PROVIDER_unload(fips);
+ fatal("Failed to load base provider");
+ }
+#endif
+ if (!isc_fips_mode()) {
+ if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
+ fatal("setting FIPS mode failed");
+ }
+ }
+ }
+
result = dst_lib_init(mctx, engine);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
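Review bot: The two `fatal()` calls after the `OSSL_PROVIDER_load()` failures discard OpenSSL's own error reason, which is exactly what an operator needs when the fips provider does not load (a missing or inactive fipsmodule.cnf is the common cause, and the bare message cannot distinguish it from a build without the module). Call `ERR_print_errors_fp(stderr);` before each `fatal()`, or append `ERR_reason_error_string(ERR_peek_last_error())` to the message; either needs `<openssl/err.h>` under the same guard as the provider include. The new messages also begin with a capital letter while the neighbouring ones in this file (`"setting FIPS mode failed"`, `"could not initialize dst: %s"`) do not. The enclosing main() starts and ends outside the hunk.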
isc_mem_stats(mctx, stdout);
}
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+ if (base != NULL) {
+ OSSL_PROVIDER_unload(base);
+ }
+ if (fips != NULL) {
+ OSSL_PROVIDER_unload(fips);
+ }
+#endif
+
isc_managers_destroy(&mctx, &loopmgr, &netmgr);
if (printstats) {
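Review bot: The provider unloads are placed between the `isc_mem_stats()` block and `isc_managers_destroy()`, but whether `dst_lib_destroy()` has already run at this point is not visible in the hunk. If it has not, the fips and base providers would be unloaded while the DST layer may still hold objects fetched from them, so confirm the unload follows `dst_lib_destroy()` and pin the order with a comment such as `/* unload only after dst_lib_destroy(): keys fetched from these providers */`. On the `fatal()` paths in the load block the providers are never unloaded, which is acceptable because the process exits there. main() continues outside the hunk.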
Synopsis
~~~~~~~~
-:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-g**] [**-G sync-records**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...]
+:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-F**] [**-g**] [**-G sync-records**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...]
Description
~~~~~~~~~~~
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
+.. option:: -F
+
+ This options turns on FIPS (US Federal Information Processing Standards)
+ mode if the underlying crytographic library supports running in FIPS
+ mode.
+
.. option:: -g
This option indicates that DS records for child zones should be generated from a ``dsset-`` or ``keyset-``