author | Andreas Steffen <andreas.steffen@strongswan.org> | 2013-04-16 12:37:04 +0200 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2013-04-16 12:37:04 +0200 |
commit | f4de6496a2df21ddc31d61e4f5cf7fd9e7301e71 (patch) | |
tree | caada065d084f9a531b4cccd3cf8dffbf4f20866 | |
parent | ef934caba83f20acc6e8a2c1699837a3eb3972e3 (diff) | |
support of OpenSSL FIPS-140-2 library
-rw-r--r-- | configure.in | 1 | ||||
-rw-r--r-- | src/libstrongswan/plugins/openssl/Makefile.am | 2 | ||||
-rw-r--r-- | src/libstrongswan/plugins/openssl/openssl_plugin.c | 19 |
3 files changed, 21 insertions, 1 deletions
diff --git a/configure.in b/configure.in index 32abb70e9..9a00b6256 100644 --- a/configure.in +++ b/configure.in @@ -46,6 +46,7 @@ ARG_WITH_SUBST([linux-headers], [\${top_srcdir}/src/include], [set director ARG_WITH_SUBST([routing-table], [220], [set routing table to use for IPsec routes]) ARG_WITH_SUBST([routing-table-prio], [220], [set priority for IPsec routing table]) ARG_WITH_SUBST([ipsec-script], [ipsec], [change the name of the ipsec script]) +ARG_WITH_SUBST([fips-mode], [0], [set openssl FIPS mode: disabled(0), enabled(1), Suite B enabled(2)]) ARG_WITH_SET([tss], [no], [set implementation of the Trusted Computing Group's Software Stack (TSS). Currently the only supported value is "trousers"]) ARG_WITH_SET([capabilities], [no], [set capability dropping library. Currently supported values are "libcap" and "native"]) diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am index e71567311..0ca27983f 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.am +++ b/src/libstrongswan/plugins/openssl/Makefile.am @@ -1,7 +1,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -AM_CFLAGS = -rdynamic +AM_CFLAGS = -rdynamic -DFIPS_MODE=${fips_mode} if MONOLITHIC noinst_LTLIBRARIES = libstrongswan-openssl.la diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index 915082234..ce6610ad6 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c 
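Review bot: Nothing in the configure.in hunk restricts `--with-fips-mode` to the three values its help text lists, and the Makefile.am hunk then splices the raw value into `-DFIPS_MODE=${fips_mode}`. If ARG_WITH_SUBST passes the argument through unchanged (its definition is not on this page), an empty or non-numeric value would only surface as a compile error at the `get_int(..., FIPS_MODE)` call in openssl_plugin.c. A short check after the option that rejects anything other than 0, 1 or 2 with `AC_MSG_ERROR` would fail at configure time instead, with a message that names the option.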
@@ -457,6 +457,25 @@ METHOD(plugin_t, destroy, void,
 plugin_t *openssl_plugin_create()
 {
 private_openssl_plugin_t *this;
+ int fips_mode;
+
+ fips_mode = lib->settings->get_int(lib->settings,
+ "libstrongswan.plugins.openssl.fips_mode", FIPS_MODE);
+#ifdef OPENSSL_FIPS
+ if (!FIPS_mode_set(fips_mode))
+ {
+ DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d)", fips_mode);
+ return NULL;
+ }
+ DBG1(DBG_LIB, "openssl FIPS mode(%d) - %sabled ",fips_mode,
+ fips_mode ? "en" : "dis");
+#else
+ DBG1(DBG_LIB, "openssl FIPS mode(%d) unavailable", fips_mode);
+ if (fips_mode)
+ {
+ return NULL;
+ }
+#endif
 INIT(this,
 .public = {
 |
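Review bot: In the `#ifdef OPENSSL_FIPS` branch the success message reports the value that was requested, not the mode OpenSSL is actually in, and the integer read from strongswan.conf goes to `FIPS_mode_set()` without being checked against the three documented values (0, 1, 2). An operator auditing the log would be better served by the effective state, e.g. `DBG1(DBG_LIB, "openssl FIPS mode(%d) - %sabled", FIPS_mode(), FIPS_mode() ? "en" : "dis");`, preceded by a guard that returns NULL for values outside 0..2. The failure message also gives no reason; appending the OpenSSL error (`ERR_error_string(ERR_get_error(), NULL)`, assuming `<openssl/err.h>` is already included in this file) would show whether the module self-test or integrity check is what failed. In the `#else` branch, "unavailable" is logged at level 1 on every plugin load even when `fips_mode` is 0, so that DBG1 would sit better inside the `if (fips_mode)` block. `openssl_plugin_create()` continues past the end of the hunk, so whether anything later in the function depends on the mode being set first cannot be judged from here.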