openssl: Properly log FIPS mode when enabled via openssl.conf
[strongswan.git] / src / libstrongswan / plugins / openssl / openssl_plugin.c
1 /*
2 * Copyright (C) 2008-2013 Tobias Brunner
3 * Copyright (C) 2008 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <openssl/err.h>
18 #include <openssl/evp.h>
19 #include <openssl/conf.h>
20 #include <openssl/rand.h>
21 #include <openssl/crypto.h>
22 #ifndef OPENSSL_NO_ENGINE
23 #include <openssl/engine.h>
24 #endif
25
26 #include "openssl_plugin.h"
27
28 #include <library.h>
29 #include <utils/debug.h>
30 #include <threading/thread.h>
31 #include <threading/mutex.h>
32 #include <threading/thread_value.h>
33 #include "openssl_util.h"
34 #include "openssl_crypter.h"
35 #include "openssl_hasher.h"
36 #include "openssl_sha1_prf.h"
37 #include "openssl_diffie_hellman.h"
38 #include "openssl_ec_diffie_hellman.h"
39 #include "openssl_rsa_private_key.h"
40 #include "openssl_rsa_public_key.h"
41 #include "openssl_ec_private_key.h"
42 #include "openssl_ec_public_key.h"
43 #include "openssl_x509.h"
44 #include "openssl_crl.h"
45 #include "openssl_pkcs7.h"
46 #include "openssl_pkcs12.h"
47 #include "openssl_rng.h"
48 #include "openssl_hmac.h"
49 #include "openssl_gcm.h"
50
51 #ifndef FIPS_MODE
52 #define FIPS_MODE 0
53 #endif
54
55 typedef struct private_openssl_plugin_t private_openssl_plugin_t;
56
57 /**
58 * private data of openssl_plugin
59 */
60 struct private_openssl_plugin_t {
61
62 /**
63 * public functions
64 */
65 openssl_plugin_t public;
66 };
67
68 /**
69 * Array of static mutexs, with CRYPTO_num_locks() mutex
70 */
71 static mutex_t **mutex = NULL;
72
73 /**
74 * Locking callback for static locks
75 */
76 static void locking_function(int mode, int type, const char *file, int line)
77 {
78 if (mutex)
79 {
80 if (mode & CRYPTO_LOCK)
81 {
82 mutex[type]->lock(mutex[type]);
83 }
84 else
85 {
86 mutex[type]->unlock(mutex[type]);
87 }
88 }
89 }
90
91 /**
92 * Implementation of dynlock
93 */
94 struct CRYPTO_dynlock_value {
95 mutex_t *mutex;
96 };
97
98 /**
99 * Callback to create a dynamic lock
100 */
101 static struct CRYPTO_dynlock_value *create_function(const char *file, int line)
102 {
103 struct CRYPTO_dynlock_value *lock;
104
105 lock = malloc_thing(struct CRYPTO_dynlock_value);
106 lock->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
107 return lock;
108 }
109
110 /**
111 * Callback to (un-)lock a dynamic lock
112 */
113 static void lock_function(int mode, struct CRYPTO_dynlock_value *lock,
114 const char *file, int line)
115 {
116 if (mode & CRYPTO_LOCK)
117 {
118 lock->mutex->lock(lock->mutex);
119 }
120 else
121 {
122 lock->mutex->unlock(lock->mutex);
123 }
124 }
125
126 /**
127 * Callback to destroy a dynamic lock
128 */
129 static void destroy_function(struct CRYPTO_dynlock_value *lock,
130 const char *file, int line)
131 {
132 lock->mutex->destroy(lock->mutex);
133 free(lock);
134 }
135
136 /**
137 * Thread-local value used to cleanup thread-specific error buffers
138 */
139 static thread_value_t *cleanup;
140
141 /**
142 * Called when a thread is destroyed. Avoid recursion by setting the thread id
143 * explicitly.
144 */
145 static void cleanup_thread(void *arg)
146 {
147 #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
148 CRYPTO_THREADID tid;
149
150 CRYPTO_THREADID_set_numeric(&tid, (u_long)(uintptr_t)arg);
151 ERR_remove_thread_state(&tid);
152 #else
153 ERR_remove_state((u_long)(uintptr_t)arg);
154 #endif
155 }
156
157 /**
158 * Thread-ID callback function
159 */
160 static u_long id_function(void)
161 {
162 u_long id;
163
164 /* ensure the thread ID is never zero, otherwise OpenSSL might try to
165 * acquire locks recursively */
166 id = 1 + (u_long)thread_current_id();
167
168 /* cleanup a thread's state later if OpenSSL interacted with it */
169 cleanup->set(cleanup, (void*)(uintptr_t)id);
170 return id;
171 }
172
173 #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
174 /**
175 * Callback for thread ID
176 */
177 static void threadid_function(CRYPTO_THREADID *threadid)
178 {
179 CRYPTO_THREADID_set_numeric(threadid, id_function());
180 }
181 #endif /* OPENSSL_VERSION_NUMBER */
182
183 /**
184 * initialize OpenSSL for multi-threaded use
185 */
186 static void threading_init()
187 {
188 int i, num_locks;
189
190 cleanup = thread_value_create(cleanup_thread);
191
192 #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
193 CRYPTO_THREADID_set_callback(threadid_function);
194 #else
195 CRYPTO_set_id_callback(id_function);
196 #endif
197
198 CRYPTO_set_locking_callback(locking_function);
199
200 CRYPTO_set_dynlock_create_callback(create_function);
201 CRYPTO_set_dynlock_lock_callback(lock_function);
202 CRYPTO_set_dynlock_destroy_callback(destroy_function);
203
204 num_locks = CRYPTO_num_locks();
205 mutex = malloc(sizeof(mutex_t*) * num_locks);
206 for (i = 0; i < num_locks; i++)
207 {
208 mutex[i] = mutex_create(MUTEX_TYPE_DEFAULT);
209 }
210 }
211
212 /**
213 * cleanup OpenSSL threading locks
214 */
215 static void threading_cleanup()
216 {
217 int i, num_locks;
218
219 num_locks = CRYPTO_num_locks();
220 for (i = 0; i < num_locks; i++)
221 {
222 mutex[i]->destroy(mutex[i]);
223 }
224 free(mutex);
225 mutex = NULL;
226
227 cleanup->destroy(cleanup);
228 }
229
230 /**
231 * Seed the OpenSSL RNG, if required
232 */
233 static bool seed_rng()
234 {
235 rng_t *rng = NULL;
236 char buf[32];
237
238 while (RAND_status() != 1)
239 {
240 if (!rng)
241 {
242 rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
243 if (!rng)
244 {
245 return FALSE;
246 }
247 }
248 if (!rng->get_bytes(rng, sizeof(buf), buf))
249 {
250 rng->destroy(rng);
251 return FALSE;
252 }
253 RAND_seed(buf, sizeof(buf));
254 }
255 DESTROY_IF(rng);
256 return TRUE;
257 }
258
259 METHOD(plugin_t, get_name, char*,
260 private_openssl_plugin_t *this)
261 {
262 return "openssl";
263 }
264
265 METHOD(plugin_t, get_features, int,
266 private_openssl_plugin_t *this, plugin_feature_t *features[])
267 {
268 static plugin_feature_t f[] = {
269 /* crypters */
270 PLUGIN_REGISTER(CRYPTER, openssl_crypter_create),
271 #ifndef OPENSSL_NO_AES
272 PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 16),
273 PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 24),
274 PLUGIN_PROVIDE(CRYPTER, ENCR_AES_CBC, 32),
275 #endif
276 #ifndef OPENSSL_NO_CAMELLIA
277 PLUGIN_PROVIDE(CRYPTER, ENCR_CAMELLIA_CBC, 16),
278 PLUGIN_PROVIDE(CRYPTER, ENCR_CAMELLIA_CBC, 24),
279 PLUGIN_PROVIDE(CRYPTER, ENCR_CAMELLIA_CBC, 32),
280 #endif
281 #ifndef OPENSSL_NO_RC5
282 PLUGIN_PROVIDE(CRYPTER, ENCR_RC5, 0),
283 #endif
284 #ifndef OPENSSL_NO_CAST
285 PLUGIN_PROVIDE(CRYPTER, ENCR_CAST, 0),
286 #endif
287 #ifndef OPENSSL_NO_BLOWFISH
288 PLUGIN_PROVIDE(CRYPTER, ENCR_BLOWFISH, 0),
289 #endif
290 #ifndef OPENSSL_NO_IDEA
291 PLUGIN_PROVIDE(CRYPTER, ENCR_IDEA, 16),
292 #endif
293 #ifndef OPENSSL_NO_DES
294 PLUGIN_PROVIDE(CRYPTER, ENCR_3DES, 24),
295 PLUGIN_PROVIDE(CRYPTER, ENCR_DES, 8),
296 PLUGIN_PROVIDE(CRYPTER, ENCR_DES_ECB, 8),
297 #endif
298 PLUGIN_PROVIDE(CRYPTER, ENCR_NULL, 0),
299 /* hashers */
300 PLUGIN_REGISTER(HASHER, openssl_hasher_create),
301 #ifndef OPENSSL_NO_SHA1
302 PLUGIN_PROVIDE(HASHER, HASH_SHA1),
303 #endif
304 #ifndef OPENSSL_NO_MD2
305 PLUGIN_PROVIDE(HASHER, HASH_MD2),
306 #endif
307 #ifndef OPENSSL_NO_MD4
308 PLUGIN_PROVIDE(HASHER, HASH_MD4),
309 #endif
310 #ifndef OPENSSL_NO_MD5
311 PLUGIN_PROVIDE(HASHER, HASH_MD5),
312 #endif
313 #ifndef OPENSSL_NO_SHA256
314 PLUGIN_PROVIDE(HASHER, HASH_SHA224),
315 PLUGIN_PROVIDE(HASHER, HASH_SHA256),
316 #endif
317 #ifndef OPENSSL_NO_SHA512
318 PLUGIN_PROVIDE(HASHER, HASH_SHA384),
319 PLUGIN_PROVIDE(HASHER, HASH_SHA512),
320 #endif
321 #ifndef OPENSSL_NO_SHA1
322 /* keyed sha1 hasher (aka prf) */
323 PLUGIN_REGISTER(PRF, openssl_sha1_prf_create),
324 PLUGIN_PROVIDE(PRF, PRF_KEYED_SHA1),
325 #endif
326 #ifndef OPENSSL_NO_HMAC
327 PLUGIN_REGISTER(PRF, openssl_hmac_prf_create),
328 #ifndef OPENSSL_NO_MD5
329 PLUGIN_PROVIDE(PRF, PRF_HMAC_MD5),
330 #endif
331 #ifndef OPENSSL_NO_SHA1
332 PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA1),
333 #endif
334 #ifndef OPENSSL_NO_SHA256
335 PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_256),
336 #endif
337 #ifndef OPENSSL_NO_SHA512
338 PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_384),
339 PLUGIN_PROVIDE(PRF, PRF_HMAC_SHA2_512),
340 #endif
341 PLUGIN_REGISTER(SIGNER, openssl_hmac_signer_create),
342 #ifndef OPENSSL_NO_MD5
343 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_MD5_96),
344 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_MD5_128),
345 #endif
346 #ifndef OPENSSL_NO_SHA1
347 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_96),
348 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_128),
349 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA1_160),
350 #endif
351 #ifndef OPENSSL_NO_SHA256
352 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_256_128),
353 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_256_256),
354 #endif
355 #ifndef OPENSSL_NO_SHA512
356 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_384_192),
357 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_384_384),
358 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_256),
359 PLUGIN_PROVIDE(SIGNER, AUTH_HMAC_SHA2_512_512),
360 #endif
361 #endif /* OPENSSL_NO_HMAC */
362 #if OPENSSL_VERSION_NUMBER >= 0x1000100fL
363 #ifndef OPENSSL_NO_AES
364 /* AES GCM */
365 PLUGIN_REGISTER(AEAD, openssl_gcm_create),
366 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 16),
367 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 24),
368 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 32),
369 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 16),
370 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 24),
371 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 32),
372 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 16),
373 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 24),
374 PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 32),
375 #endif /* OPENSSL_NO_AES */
376 #endif /* OPENSSL_VERSION_NUMBER */
377 #ifndef OPENSSL_NO_DH
378 /* MODP DH groups */
379 PLUGIN_REGISTER(DH, openssl_diffie_hellman_create),
380 PLUGIN_PROVIDE(DH, MODP_2048_BIT),
381 PLUGIN_PROVIDE(DH, MODP_2048_224),
382 PLUGIN_PROVIDE(DH, MODP_2048_256),
383 PLUGIN_PROVIDE(DH, MODP_1536_BIT),
384 PLUGIN_PROVIDE(DH, MODP_3072_BIT),
385 PLUGIN_PROVIDE(DH, MODP_4096_BIT),
386 PLUGIN_PROVIDE(DH, MODP_6144_BIT),
387 PLUGIN_PROVIDE(DH, MODP_8192_BIT),
388 PLUGIN_PROVIDE(DH, MODP_1024_BIT),
389 PLUGIN_PROVIDE(DH, MODP_1024_160),
390 PLUGIN_PROVIDE(DH, MODP_768_BIT),
391 PLUGIN_PROVIDE(DH, MODP_CUSTOM),
392 #endif
393 #ifndef OPENSSL_NO_RSA
394 /* RSA private/public key loading */
395 PLUGIN_REGISTER(PRIVKEY, openssl_rsa_private_key_load, TRUE),
396 PLUGIN_PROVIDE(PRIVKEY, KEY_RSA),
397 PLUGIN_REGISTER(PRIVKEY, openssl_rsa_private_key_connect, FALSE),
398 PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
399 PLUGIN_REGISTER(PRIVKEY_GEN, openssl_rsa_private_key_gen, FALSE),
400 PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_RSA),
401 PLUGIN_REGISTER(PUBKEY, openssl_rsa_public_key_load, TRUE),
402 PLUGIN_PROVIDE(PUBKEY, KEY_RSA),
403 PLUGIN_REGISTER(PUBKEY, openssl_rsa_public_key_load, TRUE),
404 PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
405 /* signature/encryption schemes */
406 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_NULL),
407 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_NULL),
408 #ifndef OPENSSL_NO_SHA1
409 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA1),
410 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA1),
411 #endif
412 #ifndef OPENSSL_NO_SHA256
413 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA224),
414 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA256),
415 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA224),
416 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA256),
417 #endif
418 #ifndef OPENSSL_NO_SHA512
419 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA384),
420 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_SHA512),
421 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA384),
422 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_SHA512),
423 #endif
424 #ifndef OPENSSL_NO_MD5
425 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_RSA_EMSA_PKCS1_MD5),
426 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_RSA_EMSA_PKCS1_MD5),
427 #endif
428 PLUGIN_PROVIDE(PRIVKEY_DECRYPT, ENCRYPT_RSA_PKCS1),
429 PLUGIN_PROVIDE(PUBKEY_ENCRYPT, ENCRYPT_RSA_PKCS1),
430 #endif /* OPENSSL_NO_RSA */
431 /* certificate/CRL loading */
432 PLUGIN_REGISTER(CERT_DECODE, openssl_x509_load, TRUE),
433 PLUGIN_PROVIDE(CERT_DECODE, CERT_X509),
434 PLUGIN_SDEPEND(PUBKEY, KEY_RSA),
435 PLUGIN_SDEPEND(PUBKEY, KEY_ECDSA),
436 PLUGIN_SDEPEND(PUBKEY, KEY_DSA),
437 PLUGIN_REGISTER(CERT_DECODE, openssl_crl_load, TRUE),
438 PLUGIN_PROVIDE(CERT_DECODE, CERT_X509_CRL),
439 #if OPENSSL_VERSION_NUMBER >= 0x0090807fL
440 #ifndef OPENSSL_NO_CMS
441 PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs7_load, TRUE),
442 PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS7),
443 #endif /* OPENSSL_NO_CMS */
444 #endif /* OPENSSL_VERSION_NUMBER */
445 PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs12_load, TRUE),
446 PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS12),
447 #ifndef OPENSSL_NO_ECDH
448 /* EC DH groups */
449 PLUGIN_REGISTER(DH, openssl_ec_diffie_hellman_create),
450 PLUGIN_PROVIDE(DH, ECP_256_BIT),
451 PLUGIN_PROVIDE(DH, ECP_384_BIT),
452 PLUGIN_PROVIDE(DH, ECP_521_BIT),
453 PLUGIN_PROVIDE(DH, ECP_224_BIT),
454 PLUGIN_PROVIDE(DH, ECP_192_BIT),
455 #endif
456 #ifndef OPENSSL_NO_ECDSA
457 /* EC private/public key loading */
458 PLUGIN_REGISTER(PRIVKEY, openssl_ec_private_key_load, TRUE),
459 PLUGIN_PROVIDE(PRIVKEY, KEY_ECDSA),
460 PLUGIN_REGISTER(PRIVKEY_GEN, openssl_ec_private_key_gen, FALSE),
461 PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ECDSA),
462 PLUGIN_REGISTER(PUBKEY, openssl_ec_public_key_load, TRUE),
463 PLUGIN_PROVIDE(PUBKEY, KEY_ECDSA),
464 /* signature encryption schemes */
465 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_NULL),
466 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_NULL),
467 #ifndef OPENSSL_NO_SHA1
468 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA1_DER),
469 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA1_DER),
470 #endif
471 #ifndef OPENSSL_NO_SHA256
472 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA256_DER),
473 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA256_DER),
474 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_256),
475 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_256),
476 #endif
477 #ifndef OPENSSL_NO_SHA512
478 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA384_DER),
479 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_WITH_SHA512_DER),
480 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA384_DER),
481 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_WITH_SHA512_DER),
482 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_384),
483 PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ECDSA_521),
484 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_384),
485 PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521),
486 #endif
487 #endif /* OPENSSL_NO_ECDSA */
488 PLUGIN_REGISTER(RNG, openssl_rng_create),
489 PLUGIN_PROVIDE(RNG, RNG_STRONG),
490 PLUGIN_PROVIDE(RNG, RNG_WEAK),
491 };
492 *features = f;
493 return countof(f);
494 }
495
496 METHOD(plugin_t, destroy, void,
497 private_openssl_plugin_t *this)
498 {
499 CONF_modules_free();
500 OBJ_cleanup();
501 EVP_cleanup();
502 #ifndef OPENSSL_NO_ENGINE
503 ENGINE_cleanup();
504 #endif /* OPENSSL_NO_ENGINE */
505 CRYPTO_cleanup_all_ex_data();
506 threading_cleanup();
507 ERR_free_strings();
508
509 free(this);
510 }
511
512 /*
513 * see header file
514 */
515 plugin_t *openssl_plugin_create()
516 {
517 private_openssl_plugin_t *this;
518 int fips_mode;
519
520 fips_mode = lib->settings->get_int(lib->settings,
521 "libstrongswan.plugins.openssl.fips_mode", FIPS_MODE);
522 #ifdef OPENSSL_FIPS
523 if (fips_mode)
524 {
525 if (!FIPS_mode_set(fips_mode))
526 {
527 DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d)", fips_mode);
528 return NULL;
529 }
530 }
531 #else
532 if (fips_mode)
533 {
534 DBG1(DBG_LIB, "openssl FIPS mode(%d) unavailable", fips_mode);
535 return NULL;
536 }
537 #endif
538
539 INIT(this,
540 .public = {
541 .plugin = {
542 .get_name = _get_name,
543 .get_features = _get_features,
544 .destroy = _destroy,
545 },
546 },
547 );
548
549 threading_init();
550
551 OPENSSL_config(NULL);
552 OpenSSL_add_all_algorithms();
553
554 #ifdef OPENSSL_FIPS
555 /* we do this here as it may have been enabled via openssl.conf */
556 fips_mode = FIPS_mode();
557 DBG1(DBG_LIB, "openssl FIPS mode(%d) - %sabled ", fips_mode,
558 fips_mode ? "en" : "dis");
559 #endif /* OPENSSL_FIPS */
560
561 #ifndef OPENSSL_NO_ENGINE
562 /* activate support for hardware accelerators */
563 ENGINE_load_builtin_engines();
564 ENGINE_register_all_complete();
565 #endif /* OPENSSL_NO_ENGINE */
566
567 if (!seed_rng())
568 {
569 DBG1(DBG_CFG, "no RNG found to seed OpenSSL");
570 destroy(this);
571 return NULL;
572 }
573
574 return &this->public.plugin;
575 }