support of OpenSSL FIPS-140-2 library
authorAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 16 Apr 2013 10:37:04 +0000 (12:37 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 16 Apr 2013 10:37:04 +0000 (12:37 +0200)
configure.in
src/libstrongswan/plugins/openssl/Makefile.am
src/libstrongswan/plugins/openssl/openssl_plugin.c

index 32abb70..9a00b62 100644 (file)
@@ -46,6 +46,7 @@ ARG_WITH_SUBST([linux-headers],      [\${top_srcdir}/src/include], [set director
 ARG_WITH_SUBST([routing-table],      [220], [set routing table to use for IPsec routes])
 ARG_WITH_SUBST([routing-table-prio], [220], [set priority for IPsec routing table])
 ARG_WITH_SUBST([ipsec-script],       [ipsec], [change the name of the ipsec script])
+ARG_WITH_SUBST([fips-mode],          [0], [set openssl FIPS mode: disabled(0), enabled(1), Suite B enabled(2)])
 
 ARG_WITH_SET([tss],                  [no], [set implementation of the Trusted Computing Group's Software Stack (TSS). Currently the only supported value is "trousers"])
 ARG_WITH_SET([capabilities],         [no], [set capability dropping library. Currently supported values are "libcap" and "native"])
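Review bot: The help text for the new `--with-fips-mode` option reads as if it fixes the FIPS mode at build time, but the value is only substituted into `-DFIPS_MODE` as the compile-time default that `libstrongswan.plugins.openssl.fips_mode` can override at runtime, so the text should say so, e.g. `[set default openssl FIPS mode: disabled(0), enabled(1), Suite B enabled(2)]`. The value is also passed through unchecked, so `--with-fips-mode=yes` ends up as `-DFIPS_MODE=yes` and fails only when the plugin is compiled; rejecting anything outside 0-2 here would fail at configure time instead. Whether the linked FIPS module actually distinguishes value 2 (Suite B) from plain "enabled" depends on the module version and is not established by this change, so that claim in the help text is worth confirming against the OpenSSL FIPS module in use.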
index e715673..0ca2798 100644 (file)
@@ -1,7 +1,7 @@
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic -DFIPS_MODE=${fips_mode}
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-openssl.la
index 9150822..ce6610a 100644 (file)
@@ -457,6 +457,25 @@ METHOD(plugin_t, destroy, void,
 plugin_t *openssl_plugin_create()
 {
        private_openssl_plugin_t *this;
+       int fips_mode;
+
+       fips_mode = lib->settings->get_int(lib->settings,
+                                               "libstrongswan.plugins.openssl.fips_mode", FIPS_MODE);
+#ifdef OPENSSL_FIPS
+       if (!FIPS_mode_set(fips_mode))
+       {
+               DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d)", fips_mode);
+               return NULL;
+       }
+       DBG1(DBG_LIB, "openssl FIPS mode(%d) - %sabled ",fips_mode,
+                                  fips_mode ? "en" : "dis");
+#else
+       DBG1(DBG_LIB, "openssl FIPS mode(%d) unavailable", fips_mode);
+       if (fips_mode)
+       {
+               return NULL;
+       }
+#endif
 
        INIT(this,
                .public = {
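Review bot: The `fips_mode` value read from the runtime settings is handed straight to `FIPS_mode_set()` without range checking, so any non-zero integer in the config enables FIPS and is logged as "enabled" by the `fips_mode ? "en" : "dis"` expression, while only 0, 1 and 2 are documented; a guard such as `if (fips_mode < 0 || fips_mode > 2) { DBG1(DBG_LIB, "invalid openssl FIPS mode(%d)", fips_mode); return NULL; }` before the `#ifdef OPENSSL_FIPS` block would make the accepted set explicit. When `FIPS_mode_set()` fails, the usual cause is a module integrity/self-test failure that OpenSSL reports only via its error queue, so logging `ERR_reason_error_string(ERR_get_error())` next to the "unable to set openssl FIPS mode" message (assuming `openssl/err.h` is already included, which this hunk does not show) would make that diagnosable. Note also that the compile-time `FIPS_MODE` is only a default: a `libstrongswan.plugins.openssl.fips_mode = 0` entry silently turns FIPS off on a build configured with mode 1, which may be intended but deserves a comment stating that the config file can downgrade the build-time policy. Finally, the format string `"openssl FIPS mode(%d) - %sabled "` has a trailing space and a missing space after the comma before `fips_mode`; `"openssl FIPS mode(%d) - %sabled", fips_mode,` matches the surrounding style. The function continues past the end of this hunk (the feature list registered in `INIT` is not visible here).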