#include <stdlib.h>
#include <unistd.h>
+#include <openssl/opensslv.h>
+
#include <isc/attributes.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isccfg/grammar.h>
#include <isccfg/kaspconf.h>
#include <isccfg/namedconf.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+#include <openssl/provider.h>
+#endif
#include "dnssectool.h"
fprintf(stderr, " -E <engine>:\n");
fprintf(stderr, " name of an OpenSSL engine to use\n");
fprintf(stderr, " -f <keyflag>: KSK | REVOKE\n");
+ fprintf(stderr, " -F: FIPS mode\n");
fprintf(stderr, " -L <ttl>: default key TTL\n");
fprintf(stderr, " -p <protocol>: (default: 3 [dnssec])\n");
fprintf(stderr, " -s <strength>: strength value this key signs DNS "
const char *engine = NULL;
unsigned char c;
int ch;
+ bool set_fips_mode = false;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+ OSSL_PROVIDER *fips = NULL, *base = NULL;
+#endif
keygen_ctx_t ctx = {
.options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC,
ctx.prepub = strtottl(isc_commandline_argument);
break;
case 'F':
- /* Reserved for FIPS mode */
- FALLTHROUGH;
+ set_fips_mode = true;
+ break;
case '?':
if (isc_commandline_option != '?') {
fprintf(stderr, "%s: invalid argument -%c\n",
ctx.quiet = true;
}
+ if (set_fips_mode) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+ fips = OSSL_PROVIDER_load(NULL, "fips");
+ if (fips == NULL) {
+ fatal("Failed to load FIPS provider");
+ }
+ base = OSSL_PROVIDER_load(NULL, "base");
+ if (base == NULL) {
+ OSSL_PROVIDER_unload(fips);
+ fatal("Failed to load base provider");
+ }
+#endif
+ if (!isc_fips_mode()) {
+ if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
+ fatal("setting FIPS mode failed");
+ }
+ }
+ }
+
ret = dst_lib_init(mctx, engine);
if (ret != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s", isc_result_totext(ret));
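Review bot: The new `-F` handling does not reject `-E` at the same time, yet `dst_lib_init(mctx, engine)` on the line that follows still receives the engine name; an OpenSSL ENGINE supplies its own algorithm implementations outside the FIPS provider, so if dst honours the engine a validated-module requirement could be bypassed silently. I would add, before the provider loading, `if (set_fips_mode && engine != NULL) { fatal("-E and -F cannot be combined"); }`. A comment above `OSSL_PROVIDER_load(NULL, "fips")` would also help the next reader: per the OpenSSL documentation an explicit provider load suppresses the implicit "default" provider, which is why "base" is loaded as well, but loading alone does not restrict fetches to FIPS-approved implementations; that presumably happens in `isc_fips_set_mode()` via the `fips=yes` default property, and nothing in this hunk sets it, so confirm. main() starts and ends outside the hunk.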
}
isc_mem_destroy(&mctx);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+ if (base != NULL) {
+ OSSL_PROVIDER_unload(base);
+ }
+ if (fips != NULL) {
+ OSSL_PROVIDER_unload(fips);
+ }
+#endif
if (freeit != NULL) {
free(freeit);
}
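Review bot: The two `OSSL_PROVIDER_unload()` calls run after `isc_mem_destroy(&mctx)`, but whether `dst_lib_destroy()` has already released every EVP object is not visible in this hunk; unloading a provider while an EVP_PKEY or digest context obtained from it is still live is unsafe, so please confirm the ordering. A one-line comment would pin the invariant: `/* dst_lib_destroy() must have released all EVP objects before the providers go away. */`. main() begins outside the hunk.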
Synopsis
~~~~~~~~
-:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
+:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
Description
~~~~~~~~~~~
This option sets the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key-Signing Key) and REVOKE.
+.. option:: -F
+
+ This options turns on FIPS (US Federal Information Processing Standards)
+ mode if the underlying crytographic library supports running in FIPS
+ mode.
+
.. option:: -G
This option generates a key, but does not publish it or sign with it. This option is