Allow FIPS mode to be enabled at run time in named

If FIPS mode is supported by the OS 'named -F' will turn on FIPS mode.
2025-08-30 05:57:52 +00:00 · 2022-06-29 14:10:06 +10:00 · 2022-06-29 14:10:06 +10:00 · 6e8de4bcdc
commit 6e8de4bcdc
parent 5a2e82557e
3 changed files with 46 additions and 5 deletions
--- a/bin/named/main.c
+++ b/bin/named/main.c
@ -29,6 +29,7 @@
 #include <isc/commandline.h>
 #include <isc/dir.h>
 #include <isc/file.h>
+#include <isc/fips.h>
 #include <isc/hash.h>
 #include <isc/httpd.h>
 #include <isc/managers.h>
@ -85,7 +86,11 @@
 #endif /* ifdef HAVE_LIBSCF */

 #include <openssl/crypto.h>
+#include <openssl/evp.h>
 #include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+#include <openssl/provider.h>
+#endif
 #ifdef HAVE_LIBXML2
 #include <libxml/parser.h>
 #include <libxml/xmlversion.h>
@ -96,6 +101,7 @@
 #ifdef HAVE_LIBNGHTTP2
 #include <nghttp2/nghttp2.h>
 #endif
+
 /*
 * Include header files for database drivers here.
 */
@ -134,6 +140,10 @@ static bool sigvalinsecs = false;
 static bool disable6 = false;
 static bool disable4 = false;

+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+static OSSL_PROVIDER *fips = NULL, *base = NULL;
+#endif
+
 void
 named_main_earlywarning(const char *format, ...) {
 	va_list args;
@ -939,8 +949,27 @@ parse_command_line(int argc, char *argv[]) {
 			}
 			break;
 		case 'F':
-			/* Reserved for FIPS mode */
-			FALLTHROUGH;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+			fips = OSSL_PROVIDER_load(NULL, "fips");
+			if (fips == NULL) {
+				named_main_earlyfatal(
+					"Failed to load FIPS provider");
+			}
+			base = OSSL_PROVIDER_load(NULL, "base");
+			if (base == NULL) {
+				OSSL_PROVIDER_unload(fips);
+				named_main_earlyfatal(
+					"Failed to load base provider");
+			}
+#endif
+			if (isc_fips_mode()) { /* Already in FIPS mode. */
+				break;
+			}
+			if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
+				named_main_earlyfatal(
+					"setting FIPS mode failed");
+			}
+			break;
 		case '?':
 			usage();
 			if (isc_commandline_option == '?') {
@ -1535,6 +1564,15 @@ main(int argc, char *argv[]) {

 	named_os_shutdown();

+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+	if (base != NULL) {
+		OSSL_PROVIDER_unload(base);
+	}
+	if (fips != NULL) {
+		OSSL_PROVIDER_unload(fips);
+	}
+#endif
+
 #ifdef HAVE_GPERFTOOLS_PROFILER
 	ProfilerStop();
 #endif /* ifdef HAVE_GPERFTOOLS_PROFILER */
--- a/bin/named/named.rst
+++ b/bin/named/named.rst
@ -86,6 +86,12 @@ Options

   This option runs the server in the foreground (i.e., do not daemonize).

+.. option:: -F
+
+   This options turns on FIPS (US Federal Information Processing Standards)
+   mode if the underlying crytographic library supports running in FIPS
+   mode.
+
 .. option:: -g

   This option runs the server in the foreground and forces all logging to ``stderr``.
--- a/lib/dns/hmac_link.c
+++ b/lib/dns/hmac_link.c
@ -42,9 +42,6 @@
 #include <isc/util.h>

 #include "dst_internal.h"
-#ifdef HAVE_FIPS_MODE
-#include "dst_openssl.h" /* FIPS_mode() prototype */
-#endif			 /* ifdef HAVE_FIPS_MODE */
 #include "dst_parse.h"

 #define ISC_MD_md5    ISC_MD_MD5