mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 22:15:20 +00:00
Code Issues Releases Wiki Activity

Add support for enabling and enforcing FIPS mode in OpenSSL:

Browse Source 
* Add configure option --enable-fips-mode that detects and enables FIPS mode
* Add a function to enable FIPS mode and call it on crypto init
* Log an OpenSSL error when FIPS_mode_set() fails and exit
* Report FIPS mode status in a separate log message from named
This commit is contained in:
Ondřej Surý
2018-10-14 14:32:02 +02:00
parent 0f62a5ce04
commit c4cee27f9b
5 changed files with 89 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
bin/named/server.c
View File

@@ -9243,8 +9243,17 @@ view_loaded(void *arg) {
"forcing zone maintenance"); "forcing zone maintenance");
named_os_started(); named_os_started();
#ifdef HAVE_FIPS_MODE
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_NOTICE, "running"); NAMED_LOGMODULE_SERVER, ISC_LOG_NOTICE,
"FIPS mode is %s",
FIPS_mode() ? "enabled" : "disabled");
#endif
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_SERVER, ISC_LOG_NOTICE,
"running");
} }
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);

3
config.h.in
View File

@@ -147,6 +147,9 @@
/* Define to 1 if you have the <fcntl.h> header file. */ /* Define to 1 if you have the <fcntl.h> header file. */
#undef HAVE_FCNTL_H #undef HAVE_FCNTL_H
/* Define to 1 if you have the `FIPS_mode' function. */
#undef HAVE_FIPS_MODE
/* Build with GeoIP support */ /* Build with GeoIP support */
#undef HAVE_GEOIP #undef HAVE_GEOIP

42
configure vendored
View File

@@ -899,6 +899,7 @@ with_geoip
with_locktype with_locktype
with_libtool with_libtool
with_openssl with_openssl
enable_fips_mode
with_cc_alg with_cc_alg
enable_native_pkcs11 enable_native_pkcs11
with_pkcs11 with_pkcs11
@@ -1595,6 +1596,7 @@ Optional Features:
--enable-kqueue use BSD kqueue when available [default=yes] --enable-kqueue use BSD kqueue when available [default=yes]
--enable-epoll use Linux epoll when available [default=auto] --enable-epoll use Linux epoll when available [default=auto]
--enable-devpoll use /dev/poll when available [default=yes] --enable-devpoll use /dev/poll when available [default=yes]
--enable-fips-mode enable FIPS mode in OpenSSL library [default=no]
--enable-native-pkcs11 use native PKCS11 for public-key crypto [default=no] --enable-native-pkcs11 use native PKCS11 for public-key crypto [default=no]
--enable-largefile 64-bit file support --enable-largefile 64-bit file support
--enable-backtrace log stack backtrace on abort [default=yes] --enable-backtrace log stack backtrace on abort [default=yes]
@@ -15715,6 +15717,46 @@ fi
done done
#
# Check whether FIPS mode is available and whether we should enable it
#
# Check whether --enable-fips-mode was given.
if test "${enable_fips_mode+set}" = set; then :
enableval=$enable_fips_mode;
else
enable_fips_mode="no"
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable FIPS mode in OpenSSL library" >&5
$as_echo_n "checking whether to enable FIPS mode in OpenSSL library... " >&6; }
case $enable_fips_mode in #(
yes) :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
for ac_func in FIPS_mode
do :
ac_fn_c_check_func "$LINENO" "FIPS_mode" "ac_cv_func_FIPS_mode"
if test "x$ac_cv_func_FIPS_mode" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_FIPS_MODE 1
_ACEOF
else
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "OpenSSL FIPS mode requested but not available.
See \`config.log' for more details" "$LINENO" 5; }
fi
done
;; #(
no) :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; } ;; #(
*) :
;;
esac
CFLAGS="$save_CFLAGS" CFLAGS="$save_CFLAGS"
LIBS="$save_LIBS" LIBS="$save_LIBS"
LDFLAGS="$save_LDFLAGS" LDFLAGS="$save_LDFLAGS"

15
configure.in
View File

@@ -836,6 +836,21 @@ AC_CHECK_FUNCS([EVP_aes_128_ecb EVP_aes_192_ecb EVP_aes_256_ecb], [:],
# #
AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg]) AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg])
#
# Check whether FIPS mode is available and whether we should enable it
#
AC_ARG_ENABLE([fips-mode],
[AS_HELP_STRING([--enable-fips-mode],
[enable FIPS mode in OpenSSL library [default=no]])],
[], [enable_fips_mode="no"])
AC_MSG_CHECKING([whether to enable FIPS mode in OpenSSL library])
AS_CASE([$enable_fips_mode],
[yes], [AC_MSG_RESULT([yes])
AC_CHECK_FUNCS([FIPS_mode],
[], [AC_MSG_FAILURE([OpenSSL FIPS mode requested but not available.])])],
[no], [AC_MSG_RESULT([no])])
CFLAGS="$save_CFLAGS" CFLAGS="$save_CFLAGS"
LIBS="$save_LIBS" LIBS="$save_LIBS"
LDFLAGS="$save_LDFLAGS" LDFLAGS="$save_LDFLAGS"

19
lib/dns/openssl_link.c
View File

@@ -53,6 +53,23 @@ static int nlocks;
static ENGINE *e = NULL; static ENGINE *e = NULL;
#endif #endif
static void
enable_fips_mode(void) {
#ifdef HAVE_FIPS_MODE
if (FIPS_mode() != 0) {
/*
* FIPS mode is already enabled.
*/
return;
}
if (FIPS_mode_set(1) == 0) {
dst__openssl_toresult2("FIPS_mode_set", DST_R_OPENSSLFAILURE);
exit(1);
}
#endif /* HAVE_FIPS_MODE */
}
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
static void static void
lock_callback(int mode, int type, const char *file, int line) { lock_callback(int mode, int type, const char *file, int line) {
@@ -145,6 +162,8 @@ dst__openssl_init(const char *engine) {
UNUSED(engine); UNUSED(engine);
#endif #endif
enable_fips_mode();
#ifdef DNS_CRYPTO_LEAKS #ifdef DNS_CRYPTO_LEAKS
CRYPTO_malloc_debug_init(); CRYPTO_malloc_debug_init();
CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);