diff --git a/bin/delv/Makefile.am b/bin/delv/Makefile.am
index 3c51bd8015..1930c241f7 100644
--- a/bin/delv/Makefile.am
+++ b/bin/delv/Makefile.am
@@ -20,4 +20,5 @@ delv_LDADD = \
 	$(LIBISC_LIBS) \
 	$(LIBDNS_LIBS) \
 	$(LIBNS_LIBS) \
-	$(LIBISCCFG_LIBS)
+	$(LIBISCCFG_LIBS) \
+	$(OPENSSL_LIBS)
diff --git a/bin/delv/delv.c b/bin/delv/delv.c
index 35cee4fa49..e6371bc5fd 100644
--- a/bin/delv/delv.c
+++ b/bin/delv/delv.c
@@ -25,10 +25,17 @@
 #include
 #include
+#include
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include
+#include
+#endif
+
 #include
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -156,6 +163,10 @@ static dns_fixedname_t qfn;
 /* Default trust anchors */
 static char anchortext[] = TRUST_ANCHORS;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+static OSSL_PROVIDER *fips = NULL, *base = NULL;
+#endif
+
 /*
  * Static function prototypes
  */
@@ -1379,8 +1390,8 @@ plus_option(char *option) {
 /*
  * options: "46a:b:c:d:himp:q:t:vx:";
  */
-static const char *single_dash_opts = "46himv";
-static const char *dash_opts = "46abcdhimpqtvx";
+static const char *single_dash_opts = "46Fhimv";
+static const char *dash_opts = "46abcdFhimpqtvx";
 static bool
 dash_option(char *option, char *next, bool *open_type_class) {
@@ -1423,6 +1434,9 @@ dash_option(char *option, char *next, bool *open_type_class) {
 			use_ipv4 = false;
 		}
 		break;
+	case 'F': /* FIPS */
+		/* handled in preparse_args() */
+		break;
 	case 'h':
 		usage();
 		exit(EXIT_SUCCESS);
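Review bot: The comment directly above the changed declarations still summarises the option string as `"46a:b:c:d:himp:q:t:vx:"`, so it no longer matches the `F` that this hunk adds to `single_dash_opts` and `dash_opts`. Update it to `* options: "46a:b:c:d:Fhimp:q:t:vx:";` so the summary stays trustworthy when the next option is added. The `usage()` text is outside this diff; if it enumerates the single-letter flags it most likely needs the same `-F` entry.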
@@ -1601,6 +1615,28 @@ preparse_args(int argc, char **argv) {
 		option = &argv[0][1];
 		while (strpbrk(option, single_dash_opts) == &option[0]) {
 			switch (option[0]) {
+			case 'F':
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+				fips = OSSL_PROVIDER_load(NULL, "fips");
+				if (fips == NULL) {
+					ERR_clear_error();
+					fatal("Failed to load FIPS provider");
+				}
+				base = OSSL_PROVIDER_load(NULL, "base");
+				if (base == NULL) {
+					OSSL_PROVIDER_unload(fips);
+					ERR_clear_error();
+					fatal("Failed to load base provider");
+				}
+#endif
+				/* Already in FIPS mode? */
+				if (isc_fips_mode()) {
+					break;
+				}
+				if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
+					fatal("setting FIPS mode failed");
+				}
+				break;
 			case 'm':
 				isc_mem_debugging = ISC_MEM_DEBUGTRACE |
 						    ISC_MEM_DEBUGRECORD;
@@ -2262,5 +2298,14 @@ cleanup:
 	isc_managers_destroy(&mctx, &loopmgr, &netmgr);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	if (base != NULL) {
+		OSSL_PROVIDER_unload(base);
+	}
+	if (fips != NULL) {
+		OSSL_PROVIDER_unload(fips);
+	}
+#endif
+
 	return 0;
 }
diff --git a/bin/delv/delv.rst b/bin/delv/delv.rst
index 74239c9bc1..c32601e8b4 100644
--- a/bin/delv/delv.rst
+++ b/bin/delv/delv.rst
@@ -21,7 +21,7 @@ delv - DNS lookup and validation utility
 Synopsis
 ~~~~~~~~
-:program:`delv` [@server] [ [**-4**] | [**-6**] ] [**-a** anchor-file] [**-b** address] [**-c** class] [**-d** level] [**-i**] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-x** addr] [name] [type] [class] [queryopt...]
+:program:`delv` [@server] [ [**-4**] | [**-6**] ] [**-a** anchor-file] [**-b** address] [**-c** class] [**-d** level] [**-F**] [**-i**] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-x** addr] [name] [type] [class] [queryopt...]
 :program:`delv` [**-h**]
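Review bot: A repeated `-F` (`-FF` in one argument, or `-F` given twice on the command line) re-enters the new `case 'F':` and overwrites `fips` and `base` with fresh `OSSL_PROVIDER_load()` references, so the earlier references are never released and the cleanup added at the end of main() in the second hunk unloads each provider only once. Guard the loads so they run at most once, e.g. `if (fips != NULL) { break; }` as the first statement inside the `#if` block, before the first `OSSL_PROVIDER_load()`. A smaller point: calling `ERR_clear_error()` right before each `fatal()` throws away the OpenSSL error queue, so a FIPS misconfiguration (missing or unverified module config, wrong module path) is reported only as "Failed to load FIPS provider"; pulling the reason with `ERR_get_error()` / `ERR_reason_error_string()` into the message first would make that failure diagnosable. preparse_args() starts and ends outside this hunk, and the outer per-argument loop is not visible here.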
@@ -138,6 +138,10 @@ Options :option:`+mtrace`, :option:`+rtrace`, and :option:`+vtrace` options below for additional debugging details. +.. option:: -F + + This option enables FIPS mode if supported by the cryptographic library in use. + .. option:: -h This option displays the :program:`delv` help usage output and exits.