dnssec-signzone can now enable FIPS mode from the commandline
'dnssec-signzone -F' will now enable FIPS mode if supported by the crypto provider and not already enabled.
@@ -37,4 +37,15 @@ dnssec_keygen_CPPFLAGS = \
|
|||||||
|
|
||||||
dnssec_keygen_LDADD = \
|
dnssec_keygen_LDADD = \
|
||||||
$(LDADD) \
|
$(LDADD) \
|
||||||
$(LIBISCCFG_LIBS)
|
$(LIBISCCFG_LIBS) \
|
||||||
|
$(OPENSSL_LIBS)
|
||||||
|
|
||||||
|
dnssec_signzone_CPPFLAGS = \
|
||||||
|
$(AM_CPPFLAGS) \
|
||||||
|
$(LIBISCCFG_CFLAGS) \
|
||||||
|
$(OPENSSL_CFLAGS)
|
||||||
|
|
||||||
|
dnssec_signzone_LDADD = \
|
||||||
|
$(LDADD) \
|
||||||
|
$(LIBISCCFG_LIBS) \
|
||||||
|
$(OPENSSL_LIBS)
|
||||||
|
@@ -33,6 +33,8 @@
|
|||||||
#include <time.h>
|
#include <time.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
|
||||||
|
#include <openssl/opensslv.h>
|
||||||
|
|
||||||
#include <isc/async.h>
|
#include <isc/async.h>
|
||||||
#include <isc/atomic.h>
|
#include <isc/atomic.h>
|
||||||
#include <isc/attributes.h>
|
#include <isc/attributes.h>
|
||||||
@@ -40,6 +42,7 @@
|
|||||||
#include <isc/commandline.h>
|
#include <isc/commandline.h>
|
||||||
#include <isc/dir.h>
|
#include <isc/dir.h>
|
||||||
#include <isc/file.h>
|
#include <isc/file.h>
|
||||||
|
#include <isc/fips.h>
|
||||||
#include <isc/hash.h>
|
#include <isc/hash.h>
|
||||||
#include <isc/hex.h>
|
#include <isc/hex.h>
|
||||||
#include <isc/loop.h>
|
#include <isc/loop.h>
|
||||||
@@ -85,6 +88,9 @@
|
|||||||
#include <dns/zoneverify.h>
|
#include <dns/zoneverify.h>
|
||||||
|
|
||||||
#include <dst/dst.h>
|
#include <dst/dst.h>
|
||||||
|
#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
||||||
|
#include <openssl/provider.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
#include "dnssectool.h"
|
#include "dnssectool.h"
|
||||||
|
|
||||||
@@ -3221,6 +3227,7 @@ usage(void) {
|
|||||||
fprintf(stderr, "\t\tdirectory to find key files (.)\n");
|
fprintf(stderr, "\t\tdirectory to find key files (.)\n");
|
||||||
fprintf(stderr, "\t-d directory:\n");
|
fprintf(stderr, "\t-d directory:\n");
|
||||||
fprintf(stderr, "\t\tdirectory to find dsset-* files (.)\n");
|
fprintf(stderr, "\t\tdirectory to find dsset-* files (.)\n");
|
||||||
|
fprintf(stderr, "\t-F:\tFIPS mode\n");
|
||||||
fprintf(stderr, "\t-g:\t");
|
fprintf(stderr, "\t-g:\t");
|
||||||
fprintf(stderr, "update DS records based on child zones' "
|
fprintf(stderr, "update DS records based on child zones' "
|
||||||
"dsset-* files\n");
|
"dsset-* files\n");
|
||||||
@@ -3362,6 +3369,10 @@ main(int argc, char *argv[]) {
|
|||||||
bool set_optout = false;
|
bool set_optout = false;
|
||||||
bool set_iter = false;
|
bool set_iter = false;
|
||||||
bool nonsecify = false;
|
bool nonsecify = false;
|
||||||
|
bool set_fips_mode = false;
|
||||||
|
#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
||||||
|
OSSL_PROVIDER *fips = NULL, *base = NULL;
|
||||||
|
#endif
|
||||||
|
|
||||||
atomic_init(&shuttingdown, false);
|
atomic_init(&shuttingdown, false);
|
||||||
atomic_init(&finished, false);
|
atomic_init(&finished, false);
|
||||||
@@ -3651,8 +3662,9 @@ main(int argc, char *argv[]) {
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 'F':
|
case 'F':
|
||||||
/* Reserved for FIPS mode */
|
set_fips_mode = true;
|
||||||
FALLTHROUGH;
|
break;
|
||||||
|
|
||||||
case '?':
|
case '?':
|
||||||
if (isc_commandline_option != '?') {
|
if (isc_commandline_option != '?') {
|
||||||
fprintf(stderr, "%s: invalid argument -%c\n",
|
fprintf(stderr, "%s: invalid argument -%c\n",
|
||||||
@@ -3721,6 +3733,25 @@ main(int argc, char *argv[]) {
|
|||||||
|
|
||||||
isc_managers_create(&mctx, nloops, &loopmgr, &netmgr);
|
isc_managers_create(&mctx, nloops, &loopmgr, &netmgr);
|
||||||
|
|
||||||
|
if (set_fips_mode) {
|
||||||
|
#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
||||||
|
fips = OSSL_PROVIDER_load(NULL, "fips");
|
||||||
|
if (fips == NULL) {
|
||||||
|
fatal("Failed to load FIPS provider");
|
||||||
|
}
|
||||||
|
base = OSSL_PROVIDER_load(NULL, "base");
|
||||||
|
if (base == NULL) {
|
||||||
|
OSSL_PROVIDER_unload(fips);
|
||||||
|
fatal("Failed to load base provider");
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
if (!isc_fips_mode()) {
|
||||||
|
if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
|
||||||
|
fatal("setting FIPS mode failed");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
result = dst_lib_init(mctx, engine);
|
result = dst_lib_init(mctx, engine);
|
||||||
if (result != ISC_R_SUCCESS) {
|
if (result != ISC_R_SUCCESS) {
|
||||||
fatal("could not initialize dst: %s",
|
fatal("could not initialize dst: %s",
|
||||||
@@ -4104,6 +4135,15 @@ main(int argc, char *argv[]) {
|
|||||||
isc_mem_stats(mctx, stdout);
|
isc_mem_stats(mctx, stdout);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
||||||
|
if (base != NULL) {
|
||||||
|
OSSL_PROVIDER_unload(base);
|
||||||
|
}
|
||||||
|
if (fips != NULL) {
|
||||||
|
OSSL_PROVIDER_unload(fips);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
isc_managers_destroy(&mctx, &loopmgr, &netmgr);
|
isc_managers_destroy(&mctx, &loopmgr, &netmgr);
|
||||||
|
|
||||||
if (printstats) {
|
if (printstats) {
|
||||||
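Review bot: In the `if (set_fips_mode)` block of main(), a NULL return from `OSSL_PROVIDER_load(NULL, "fips")` or `OSSL_PROVIDER_load(NULL, "base")` is reported only as "Failed to load FIPS provider"/"Failed to load base provider", dropping the OpenSSL error queue that says why (module not found, missing or stale fipsmodule.cnf, failed self-test), which is the information an operator needs to fix a FIPS deployment; I would add `ERR_print_errors_fp(stderr);` before each of those `fatal()` calls (this needs `<openssl/err.h>` unless it already comes in via dnssectool.h, which is outside the hunk). Loading the fips and base providers into the default library context does not by itself exclude non-FIPS algorithms — that presumably relies on `isc_fips_set_mode(1)` setting the `fips=yes` default property, and if the default provider was already auto-loaded by earlier isc library calls (isc_managers_create runs first) it stays available, so it is worth confirming that expectation and re-checking `isc_fips_mode()` after the set call rather than trusting the return code alone. The providers are also left loaded when `isc_fips_set_mode()` fails, which is harmless only because `fatal()` presumably exits. The enclosing main() starts and ends outside this hunk.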
|
@@ -21,7 +21,7 @@ dnssec-signzone - DNSSEC zone signing tool
|
|||||||
Synopsis
|
Synopsis
|
||||||
~~~~~~~~
|
~~~~~~~~
|
||||||
|
|
||||||
:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-g**] [**-G sync-records**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...]
|
:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-F**] [**-g**] [**-G sync-records**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...]
|
||||||
|
|
||||||
Description
|
Description
|
||||||
~~~~~~~~~~~
|
~~~~~~~~~~~
|
||||||
@@ -71,6 +71,12 @@ Options
|
|||||||
engine identifier that drives the cryptographic accelerator or
|
engine identifier that drives the cryptographic accelerator or
|
||||||
hardware service module (usually ``pkcs11``).
|
hardware service module (usually ``pkcs11``).
|
||||||
|
|
||||||
|
.. option:: -F
|
||||||
|
|
||||||
|
This options turns on FIPS (US Federal Information Processing Standards)
|
||||||
|
mode if the underlying crytographic library supports running in FIPS
|
||||||
|
mode.
|
||||||
|
|
||||||
.. option:: -g
|
.. option:: -g
|
||||||
|
|
||||||
This option indicates that DS records for child zones should be generated from a ``dsset-`` or ``keyset-``
|
This option indicates that DS records for child zones should be generated from a ``dsset-`` or ``keyset-``
|
||||||
|