new: usr: Enable runtime selection of FIPS mode in dig and delv

'dig -F' and 'delv -F' can now be used to select FIPS mode at runtime.

Closes #5046

Merge branch '5046-enable-runtime-selection-of-fips-mode-in-dig' into 'main'

See merge request isc-projects/bind9!9754

bin/delv/Makefile.am

@@ -20,4 +20,5 @@ delv_LDADD =				\
 	$(LIBISC_LIBS)			\
 	$(LIBDNS_LIBS)			\
 	$(LIBNS_LIBS)			\
-	$(LIBISCCFG_LIBS)
+	$(LIBISCCFG_LIBS)		\
+	$(OPENSSL_LIBS)

bin/delv/delv.c

@@ -25,10 +25,17 @@
 #include <sys/types.h>
 #include <unistd.h>
 
+#include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/err.h>
+#include <openssl/provider.h>
+#endif
+
 #include <isc/async.h>
 #include <isc/attributes.h>
 #include <isc/base64.h>
 #include <isc/buffer.h>
+#include <isc/fips.h>
 #include <isc/hex.h>
 #include <isc/log.h>
 #include <isc/managers.h>
@@ -156,6 +163,10 @@ static dns_fixedname_t qfn;
 /* Default trust anchors */
 static char anchortext[] = TRUST_ANCHORS;
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+static OSSL_PROVIDER *fips = NULL, *base = NULL;
+#endif
+
 /*
  * Static function prototypes
  */
@@ -1379,8 +1390,8 @@ plus_option(char *option) {
 /*
  * options: "46a:b:c:d:himp:q:t:vx:";
  */
-static const char *single_dash_opts = "46himv";
+static const char *single_dash_opts = "46Fhimv";
-static const char *dash_opts = "46abcdhimpqtvx";
+static const char *dash_opts = "46abcdFhimpqtvx";
 
 static bool
 dash_option(char *option, char *next, bool *open_type_class) {
@@ -1423,6 +1434,9 @@ dash_option(char *option, char *next, bool *open_type_class) {
 				use_ipv4 = false;
 			}
 			break;
+		case 'F': /* FIPS */
+			/* handled in preparse_args() */
+			break;
 		case 'h':
 			usage();
 			exit(EXIT_SUCCESS);
@@ -1601,6 +1615,28 @@ preparse_args(int argc, char **argv) {
 		option = &argv[0][1];
 		while (strpbrk(option, single_dash_opts) == &option[0]) {
 			switch (option[0]) {
+			case 'F':
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+				fips = OSSL_PROVIDER_load(NULL, "fips");
+				if (fips == NULL) {
+					ERR_clear_error();
+					fatal("Failed to load FIPS provider");
+				}
+				base = OSSL_PROVIDER_load(NULL, "base");
+				if (base == NULL) {
+					OSSL_PROVIDER_unload(fips);
+					ERR_clear_error();
+					fatal("Failed to load base provider");
+				}
+#endif
+				/* Already in FIPS mode?  */
+				if (isc_fips_mode()) {
+					break;
+				}
+				if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
+					fatal("setting FIPS mode failed");
+				}
+				break;
 			case 'm':
 				isc_mem_debugging = ISC_MEM_DEBUGTRACE |
 						    ISC_MEM_DEBUGRECORD;
@@ -2262,5 +2298,14 @@ cleanup:
 
 	isc_managers_destroy(&mctx, &loopmgr, &netmgr);
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	if (base != NULL) {
+		OSSL_PROVIDER_unload(base);
+	}
+	if (fips != NULL) {
+		OSSL_PROVIDER_unload(fips);
+	}
+#endif
+
 	return 0;
 }

bin/delv/delv.rst

@@ -21,7 +21,7 @@ delv - DNS lookup and validation utility
 Synopsis
 ~~~~~~~~
 
-:program:`delv` [@server] [ [**-4**] | [**-6**] ] [**-a** anchor-file] [**-b** address] [**-c** class] [**-d** level] [**-i**] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-x** addr] [name] [type] [class] [queryopt...]
+:program:`delv` [@server] [ [**-4**] | [**-6**] ] [**-a** anchor-file] [**-b** address] [**-c** class] [**-d** level] [**-F**] [**-i**] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-x** addr] [name] [type] [class] [queryopt...]
 
 :program:`delv` [**-h**]
 
@@ -138,6 +138,10 @@ Options
    :option:`+mtrace`, :option:`+rtrace`, and :option:`+vtrace` options below for
    additional debugging details.
 
+.. option:: -F
+
+   This option enables FIPS mode if supported by the cryptographic library in use.
+
 .. option:: -h
 
    This option displays the :program:`delv` help usage output and exits.

bin/dig/Makefile.am

@@ -5,6 +5,7 @@ AM_CPPFLAGS +=			\
 	$(LIBDNS_CFLAGS)	\
 	$(LIBISCCFG_CFLAGS)	\
 	$(LIBIDN2_CFLAGS)	\
+	$(OPENSSL_CFLAGS)	\
 	$(LIBUV_CFLAGS)		\
 	$(OPENSSL_CFLAGS)
 
@@ -13,6 +14,7 @@ LDADD +=			\
 	$(LIBISC_LIBS)		\
 	$(LIBDNS_LIBS)		\
 	$(LIBISCCFG_LIBS)	\
+	$(OPENSSL_LIBS)		\
 	$(LIBIDN2_LIBS)
 
 noinst_LTLIBRARIES = libdighost.la

bin/dig/dig.c

@@ -21,6 +21,7 @@
 
 #include <isc/attributes.h>
 #include <isc/dir.h>
+#include <isc/fips.h>
 #include <isc/loop.h>
 #include <isc/netaddr.h>
 #include <isc/parseint.h>
@@ -69,6 +70,16 @@ static bool short_form = false, printcmd = true, plusquest = false,
 	    pluscomm = false, ipv4only = false, ipv6only = false, digrc = true;
 static uint32_t splitwidth = 0xffffffff;
 
+#include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/err.h>
+#include <openssl/provider.h>
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+static OSSL_PROVIDER *fips = NULL, *base = NULL;
+#endif
+
 /*% opcode text */
 static const char *const opcodetext[] = {
 	"QUERY",      "IQUERY",	    "STATUS",	  "RESERVED3",
@@ -2573,8 +2584,8 @@ exit_or_usage:
 /*%
  * #true returned if value was used
  */
-static const char *single_dash_opts = "46dhimnruv";
+static const char *single_dash_opts = "46dFhimnruv";
-static const char *dash_opts = "46bcdfhikmnpqrtvyx";
+static const char *dash_opts = "46bcdFfhikmnpqrtvyx";
 static bool
 dash_option(char *option, char *next, dig_lookup_t **lookup,
 	    bool *open_type_class, bool *need_clone, bool config_only, int argc,
@@ -2631,6 +2642,9 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 				debugging = true;
 			}
 			break;
+		case 'F': /* FIPS */
+			/* FIPS is handled in preparse_args() */
+			break;
 		case 'h':
 			help();
 			exit(EXIT_SUCCESS);
@@ -2904,6 +2918,28 @@ preparse_args(int argc, char **argv) {
 				/* For debugging early startup */
 				debugging = true;
 				break;
+			case 'F':
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+				fips = OSSL_PROVIDER_load(NULL, "fips");
+				if (fips == NULL) {
+					ERR_clear_error();
+					fatal("Failed to load FIPS provider");
+				}
+				base = OSSL_PROVIDER_load(NULL, "base");
+				if (base == NULL) {
+					OSSL_PROVIDER_unload(fips);
+					ERR_clear_error();
+					fatal("Failed to load base provider");
+				}
+#endif
+				/* Already in FIPS mode?  */
+				if (isc_fips_mode()) {
+					break;
+				}
+				if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
+					fatal("setting FIPS mode failed");
+				}
+				break;
 			case 'm':
 				memdebugging = true;
 				isc_mem_debugging = ISC_MEM_DEBUGTRACE |
@@ -3428,5 +3464,14 @@ main(int argc, char **argv) {
 	dig_startup();
 	dig_shutdown();
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	if (base != NULL) {
+		OSSL_PROVIDER_unload(base);
+	}
+	if (fips != NULL) {
+		OSSL_PROVIDER_unload(fips);
+	}
+#endif
+
 	return exitcode;
 }

bin/dig/dig.rst

@@ -20,7 +20,7 @@ dig - DNS lookup utility
 
 Synopsis
 ~~~~~~~~
-:program:`dig` [@server] [**-b** address] [**-c** class] [**-f** filename] [**-k** filename] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-v**] [**-x** addr] [**-y** [hmac:]name:key] [ [**-4**] | [**-6**] ] [name] [type] [class] [queryopt...]
+:program:`dig` [@server] [**-b** address] [**-c** class] [**-f** filename] [**-F**] [**-k** filename] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-v**] [**-x** addr] [**-y** [hmac:]name:key] [ [**-4**] | [**-6**] ] [name] [type] [class] [queryopt...]
 
 :program:`dig` [**-h**]
 
@@ -126,6 +126,10 @@ Options
    same way it would be presented as a query to :program:`dig` using the
    command-line interface.
 
+.. option:: -F
+
+   This option enables FIPS mode if supported by the cryptographic library in use.
+
 .. option:: -h
 
    Print a usage summary.