Allow FIPS mode to be enabled at run time in named
authorMark Andrews <marka@isc.org>
Wed, 29 Jun 2022 04:10:06 +0000 (14:10 +1000)
committerMark Andrews <marka@isc.org>
Mon, 3 Apr 2023 02:05:29 +0000 (12:05 +1000)
If FIPS mode is supported by the OS, 'named -F' will turn on FIPS
mode.

bin/named/main.c
bin/named/named.rst
lib/dns/hmac_link.c

index 22e3a8ebe9b8158c9bb3443c60ea9c11d5b4aa61..7f8fbd76c8059cf900a942180574596793c49853 100644 (file)
@@ -29,6 +29,7 @@
 #include <isc/commandline.h>
 #include <isc/dir.h>
 #include <isc/file.h>
+#include <isc/fips.h>
 #include <isc/hash.h>
 #include <isc/httpd.h>
 #include <isc/managers.h>
 #endif /* ifdef HAVE_LIBSCF */
 
 #include <openssl/crypto.h>
+#include <openssl/evp.h>
 #include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+#include <openssl/provider.h>
+#endif
 #ifdef HAVE_LIBXML2
 #include <libxml/parser.h>
 #include <libxml/xmlversion.h>
 #ifdef HAVE_LIBNGHTTP2
 #include <nghttp2/nghttp2.h>
 #endif
+
 /*
  * Include header files for database drivers here.
  */
@@ -134,6 +140,10 @@ static bool sigvalinsecs = false;
 static bool disable6 = false;
 static bool disable4 = false;
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+static OSSL_PROVIDER *fips = NULL, *base = NULL;
+#endif
+
 void
 named_main_earlywarning(const char *format, ...) {
        va_list args;
@@ -939,8 +949,27 @@ parse_command_line(int argc, char *argv[]) {
                        }
                        break;
                case 'F':
-                       /* Reserved for FIPS mode */
-                       FALLTHROUGH;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+                       fips = OSSL_PROVIDER_load(NULL, "fips");
+                       if (fips == NULL) {
+                               named_main_earlyfatal(
+                                       "Failed to load FIPS provider");
+                       }
+                       base = OSSL_PROVIDER_load(NULL, "base");
+                       if (base == NULL) {
+                               OSSL_PROVIDER_unload(fips);
+                               named_main_earlyfatal(
+                                       "Failed to load base provider");
+                       }
+#endif
+                       if (isc_fips_mode()) { /* Already in FIPS mode. */
+                               break;
+                       }
+                       if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
+                               named_main_earlyfatal(
+                                       "setting FIPS mode failed");
+                       }
+                       break;
                case '?':
                        usage();
                        if (isc_commandline_option == '?') {
@@ -1535,6 +1564,15 @@ main(int argc, char *argv[]) {
 
        named_os_shutdown();
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+       if (base != NULL) {
+               OSSL_PROVIDER_unload(base);
+       }
+       if (fips != NULL) {
+               OSSL_PROVIDER_unload(fips);
+       }
+#endif
+
 #ifdef HAVE_GPERFTOOLS_PROFILER
        ProfilerStop();
 #endif /* ifdef HAVE_GPERFTOOLS_PROFILER */
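Review bot: In the `case 'F'` branch of parse_command_line, the `isc_fips_set_mode(1)` failure path calls `named_main_earlyfatal` without unloading the `fips` and `base` providers loaded a few lines above, whereas the `base == NULL` path unloads `fips` first; since earlyfatal terminates the process this is only an inconsistency, but the two failure paths should match. More useful to an operator is the error text: `OSSL_PROVIDER_load(NULL, "fips")` returning NULL is typically a missing or unconfigured FIPS module, and `Failed to load FIPS provider` gives no reason — if `named_main_earlyfatal` is printf-style like `named_main_earlywarning` above, `named_main_earlyfatal("Failed to load FIPS provider: %s", ERR_reason_error_string(ERR_get_error()));` (with `<openssl/err.h>`) would surface the OpenSSL reason. A short comment on the provider block would also help readers, e.g. `/* Explicitly activate the fips and base providers; isc_fips_set_mode() below then switches the library into FIPS mode (see isc/fips.h). */` — I cannot see isc_fips_set_mode here, so confirm the wording against it. The enclosing switch and parse_command_line continue outside the hunk.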
index 9bda28e8c249a99fbc9f342f69ff16890208f76d..698ffcdfd1606bceba87357cacce2762d61812ec 100644 (file)
@@ -86,6 +86,12 @@ Options
 
    This option runs the server in the foreground (i.e., do not daemonize).
 
+.. option:: -F
+
+   This options turns on FIPS (US Federal Information Processing Standards)
+   mode if the underlying crytographic library supports running in FIPS
+   mode.
+
 .. option:: -g
 
    This option runs the server in the foreground and forces all logging to ``stderr``.
index 0a0df8a25bb7fc45f332a19e399b9858e7ac9178..d099d9e65fc726372c75288977be719f9c1466e4 100644 (file)
@@ -42,9 +42,6 @@
 #include <isc/util.h>
 
 #include "dst_internal.h"
-#ifdef HAVE_FIPS_MODE
-#include "dst_openssl.h" /* FIPS_mode() prototype */
-#endif                  /* ifdef HAVE_FIPS_MODE */
 #include "dst_parse.h"
 
 #define ISC_MD_md5    ISC_MD_MD5