Dig now supports selecting FIPS mode at runtime

To enable FIPS mode at runtime use 'dig -F'.  The operating system
must have FIPS support available for this to succeed.  This is on
by default when built with --enable-fips-mode.

bin/dig/Makefile.am

@@ -5,6 +5,7 @@ AM_CPPFLAGS +=			\
 	$(LIBDNS_CFLAGS)	\
 	$(LIBISCCFG_CFLAGS)	\
 	$(LIBIDN2_CFLAGS)	\
+	$(OPENSSL_CFLAGS)	\
 	$(LIBUV_CFLAGS)		\
 	$(OPENSSL_CFLAGS)
 
@@ -13,6 +14,7 @@ LDADD +=			\
 	$(LIBISC_LIBS)		\
 	$(LIBDNS_LIBS)		\
 	$(LIBISCCFG_LIBS)	\
+	$(OPENSSL_LIBS)		\
 	$(LIBIDN2_LIBS)
 
 noinst_LTLIBRARIES = libdighost.la

bin/dig/dig.c

@@ -21,6 +21,7 @@
 
 #include <isc/attributes.h>
 #include <isc/dir.h>
+#include <isc/fips.h>
 #include <isc/loop.h>
 #include <isc/netaddr.h>
 #include <isc/parseint.h>
@@ -69,6 +70,16 @@ static bool short_form = false, printcmd = true, plusquest = false,
 	    pluscomm = false, ipv4only = false, ipv6only = false, digrc = true;
 static uint32_t splitwidth = 0xffffffff;
 
+#include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/err.h>
+#include <openssl/provider.h>
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+static OSSL_PROVIDER *fips = NULL, *base = NULL;
+#endif
+
 /*% opcode text */
 static const char *const opcodetext[] = {
 	"QUERY",      "IQUERY",	    "STATUS",	  "RESERVED3",
@@ -2573,8 +2584,8 @@ exit_or_usage:
 /*%
  * #true returned if value was used
  */
-static const char *single_dash_opts = "46dhimnruv";
-static const char *dash_opts = "46bcdfhikmnpqrtvyx";
+static const char *single_dash_opts = "46dFhimnruv";
+static const char *dash_opts = "46bcdFfhikmnpqrtvyx";
 static bool
 dash_option(char *option, char *next, dig_lookup_t **lookup,
 	    bool *open_type_class, bool *need_clone, bool config_only, int argc,
@@ -2631,6 +2642,9 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 				debugging = true;
 			}
 			break;
+		case 'F': /* FIPS */
+			/* FIPS is handled in preparse_args() */
+			break;
 		case 'h':
 			help();
 			exit(EXIT_SUCCESS);
@@ -2904,6 +2918,28 @@ preparse_args(int argc, char **argv) {
 				/* For debugging early startup */
 				debugging = true;
 				break;
+			case 'F':
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+				fips = OSSL_PROVIDER_load(NULL, "fips");
+				if (fips == NULL) {
+					ERR_clear_error();
+					fatal("Failed to load FIPS provider");
+				}
+				base = OSSL_PROVIDER_load(NULL, "base");
+				if (base == NULL) {
+					OSSL_PROVIDER_unload(fips);
+					ERR_clear_error();
+					fatal("Failed to load base provider");
+				}
+#endif
+				/* Already in FIPS mode?  */
+				if (isc_fips_mode()) {
+					break;
+				}
+				if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
+					fatal("setting FIPS mode failed");
+				}
+				break;
 			case 'm':
 				memdebugging = true;
 				isc_mem_debugging = ISC_MEM_DEBUGTRACE |
@@ -3428,5 +3464,14 @@ main(int argc, char **argv) {
 	dig_startup();
 	dig_shutdown();
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	if (base != NULL) {
+		OSSL_PROVIDER_unload(base);
+	}
+	if (fips != NULL) {
+		OSSL_PROVIDER_unload(fips);
+	}
+#endif
+
 	return exitcode;
 }

bin/dig/dig.rst

@@ -20,7 +20,7 @@ dig - DNS lookup utility
 
 Synopsis
 ~~~~~~~~
-:program:`dig` [@server] [**-b** address] [**-c** class] [**-f** filename] [**-k** filename] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-v**] [**-x** addr] [**-y** [hmac:]name:key] [ [**-4**] | [**-6**] ] [name] [type] [class] [queryopt...]
+:program:`dig` [@server] [**-b** address] [**-c** class] [**-f** filename] [**-F**] [**-k** filename] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-v**] [**-x** addr] [**-y** [hmac:]name:key] [ [**-4**] | [**-6**] ] [name] [type] [class] [queryopt...]
 
 :program:`dig` [**-h**]
 
@@ -126,6 +126,10 @@ Options
    same way it would be presented as a query to :program:`dig` using the
    command-line interface.
 
+.. option:: -F
+
+   This option enables FIPS mode if supported by the cryptographic library in use.
+
 .. option:: -h
 
    Print a usage summary.