Dig now supports selecting FIPS mode at runtime

To enable FIPS mode at runtime use 'dig -F'. The operating system must have FIPS support available for this to succeed. This is on by default when built with --enable-fips-mode.
2025-08-31 06:25:31 +00:00 · 2024-11-21 09:46:24 +11:00
parent 0989926745
commit fe7ce99270
3 changed files with 54 additions and 3 deletions
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -21,6 +21,7 @@

 #include <isc/attributes.h>
 #include <isc/dir.h>
+#include <isc/fips.h>
 #include <isc/loop.h>
 #include <isc/netaddr.h>
 #include <isc/parseint.h>
@@ -69,6 +70,16 @@ static bool short_form = false, printcmd = true, plusquest = false,
 	    pluscomm = false, ipv4only = false, ipv6only = false, digrc = true;
 static uint32_t splitwidth = 0xffffffff;

+#include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/err.h>
+#include <openssl/provider.h>
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+static OSSL_PROVIDER *fips = NULL, *base = NULL;
+#endif
+
 /*% opcode text */
 static const char *const opcodetext[] = {
 	"QUERY",      "IQUERY",	    "STATUS",	  "RESERVED3",
@@ -2573,8 +2584,8 @@ exit_or_usage:
 /*%
 * #true returned if value was used
 */
-static const char *single_dash_opts = "46dhimnruv";
-static const char *dash_opts = "46bcdfhikmnpqrtvyx";
+static const char *single_dash_opts = "46dFhimnruv";
+static const char *dash_opts = "46bcdFfhikmnpqrtvyx";
 static bool
 dash_option(char *option, char *next, dig_lookup_t **lookup,
 	    bool *open_type_class, bool *need_clone, bool config_only, int argc,
@@ -2631,6 +2642,9 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 				debugging = true;
 			}
 			break;
+		case 'F': /* FIPS */
+			/* FIPS is handled in preparse_args() */
+			break;
 		case 'h':
 			help();
 			exit(EXIT_SUCCESS);
@@ -2904,6 +2918,28 @@ preparse_args(int argc, char **argv) {
 				/* For debugging early startup */
 				debugging = true;
 				break;
+			case 'F':
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+				fips = OSSL_PROVIDER_load(NULL, "fips");
+				if (fips == NULL) {
+					ERR_clear_error();
+					fatal("Failed to load FIPS provider");
+				}
+				base = OSSL_PROVIDER_load(NULL, "base");
+				if (base == NULL) {
+					OSSL_PROVIDER_unload(fips);
+					ERR_clear_error();
+					fatal("Failed to load base provider");
+				}
+#endif
+				/* Already in FIPS mode?  */
+				if (isc_fips_mode()) {
+					break;
+				}
+				if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
+					fatal("setting FIPS mode failed");
+				}
+				break;
 			case 'm':
 				memdebugging = true;
 				isc_mem_debugging = ISC_MEM_DEBUGTRACE |
@@ -3428,5 +3464,14 @@ main(int argc, char **argv) {
 	dig_startup();
 	dig_shutdown();

+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+	if (base != NULL) {
+		OSSL_PROVIDER_unload(base);
+	}
+	if (fips != NULL) {
+		OSSL_PROVIDER_unload(fips);
+	}
+#endif
+
 	return exitcode;
 }