Delv now supports selecting FIPS mode at runtime
authorMark Andrews <marka@isc.org>
Thu, 21 Nov 2024 05:22:51 +0000 (16:22 +1100)
committerMark Andrews <marka@isc.org>
Thu, 21 Nov 2024 22:40:46 +0000 (09:40 +1100)
To enable FIPS mode at runtime, use 'delv -F'.  The operating system
and its cryptographic library must have FIPS support available for
this to succeed.  FIPS mode is enabled by default when BIND is built
with --enable-fips-mode.

bin/delv/Makefile.am
bin/delv/delv.c
bin/delv/delv.rst

index 3c51bd8015b4a1a36e3fce212f27359a66dc8d51..1930c241f7584933a79c4bf4fbf797c3c533cdb0 100644 (file)
@@ -20,4 +20,5 @@ delv_LDADD =                          \
        $(LIBISC_LIBS)                  \
        $(LIBDNS_LIBS)                  \
        $(LIBNS_LIBS)                   \
-       $(LIBISCCFG_LIBS)
+       $(LIBISCCFG_LIBS)               \
+       $(OPENSSL_LIBS)
index 35cee4fa4929ac77dfda98c3a4970c627561052f..e6371bc5fddf57c14e2308c02f64fcfa2f2d2d9e 100644 (file)
 #include <sys/types.h>
 #include <unistd.h>
 
+#include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/err.h>
+#include <openssl/provider.h>
+#endif
+
 #include <isc/async.h>
 #include <isc/attributes.h>
 #include <isc/base64.h>
 #include <isc/buffer.h>
+#include <isc/fips.h>
 #include <isc/hex.h>
 #include <isc/log.h>
 #include <isc/managers.h>
@@ -156,6 +163,10 @@ static dns_fixedname_t qfn;
 /* Default trust anchors */
 static char anchortext[] = TRUST_ANCHORS;
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+static OSSL_PROVIDER *fips = NULL, *base = NULL;
+#endif
+
 /*
  * Static function prototypes
  */
@@ -1379,8 +1390,8 @@ plus_option(char *option) {
 /*
  * options: "46a:b:c:d:himp:q:t:vx:";
  */
-static const char *single_dash_opts = "46himv";
-static const char *dash_opts = "46abcdhimpqtvx";
+static const char *single_dash_opts = "46Fhimv";
+static const char *dash_opts = "46abcdFhimpqtvx";
 
 static bool
 dash_option(char *option, char *next, bool *open_type_class) {
@@ -1423,6 +1434,9 @@ dash_option(char *option, char *next, bool *open_type_class) {
                                use_ipv4 = false;
                        }
                        break;
+               case 'F': /* FIPS */
+                       /* handled in preparse_args() */
+                       break;
                case 'h':
                        usage();
                        exit(EXIT_SUCCESS);
@@ -1601,6 +1615,28 @@ preparse_args(int argc, char **argv) {
                option = &argv[0][1];
                while (strpbrk(option, single_dash_opts) == &option[0]) {
                        switch (option[0]) {
+                       case 'F':
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+                               fips = OSSL_PROVIDER_load(NULL, "fips");
+                               if (fips == NULL) {
+                                       ERR_clear_error();
+                                       fatal("Failed to load FIPS provider");
+                               }
+                               base = OSSL_PROVIDER_load(NULL, "base");
+                               if (base == NULL) {
+                                       OSSL_PROVIDER_unload(fips);
+                                       ERR_clear_error();
+                                       fatal("Failed to load base provider");
+                               }
+#endif
+                               /* Already in FIPS mode?  */
+                               if (isc_fips_mode()) {
+                                       break;
+                               }
+                               if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
+                                       fatal("setting FIPS mode failed");
+                               }
+                               break;
                        case 'm':
                                isc_mem_debugging = ISC_MEM_DEBUGTRACE |
                                                    ISC_MEM_DEBUGRECORD;
@@ -2262,5 +2298,14 @@ cleanup:
 
        isc_managers_destroy(&mctx, &loopmgr, &netmgr);
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+       if (base != NULL) {
+               OSSL_PROVIDER_unload(base);
+       }
+       if (fips != NULL) {
+               OSSL_PROVIDER_unload(fips);
+       }
+#endif
+
        return 0;
 }
index 74239c9bc1e21c00ad8b11183a816d27cc4c34c5..c32601e8b49b55970db818b5fa9cde52b7bdfb6c 100644 (file)
@@ -21,7 +21,7 @@ delv - DNS lookup and validation utility
 Synopsis
 ~~~~~~~~
 
-:program:`delv` [@server] [ [**-4**] | [**-6**] ] [**-a** anchor-file] [**-b** address] [**-c** class] [**-d** level] [**-i**] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-x** addr] [name] [type] [class] [queryopt...]
+:program:`delv` [@server] [ [**-4**] | [**-6**] ] [**-a** anchor-file] [**-b** address] [**-c** class] [**-d** level] [**-F**] [**-i**] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-x** addr] [name] [type] [class] [queryopt...]
 
 :program:`delv` [**-h**]
 
@@ -138,6 +138,10 @@ Options
    :option:`+mtrace`, :option:`+rtrace`, and :option:`+vtrace` options below for
    additional debugging details.
 
+.. option:: -F
+
+   This option enables FIPS mode if supported by the cryptographic library in use.
+
 .. option:: -h
 
    This option displays the :program:`delv` help usage output and exits.