support of OpenSSL FIPS-140-2 library

This commit is contained in:
Andreas Steffen 2013-04-16 12:37:04 +02:00
parent ef934caba8
commit f4de6496a2
3 changed files with 21 additions and 1 deletions

View File

@ -46,6 +46,7 @@ ARG_WITH_SUBST([linux-headers], [\${top_srcdir}/src/include], [set director
ARG_WITH_SUBST([routing-table], [220], [set routing table to use for IPsec routes])
ARG_WITH_SUBST([routing-table-prio], [220], [set priority for IPsec routing table])
ARG_WITH_SUBST([ipsec-script], [ipsec], [change the name of the ipsec script])
ARG_WITH_SUBST([fips-mode], [0], [set openssl FIPS mode: disabled(0), enabled(1), Suite B enabled(2)])
ARG_WITH_SET([tss], [no], [set implementation of the Trusted Computing Group's Software Stack (TSS). Currently the only supported value is "trousers"])
ARG_WITH_SET([capabilities], [no], [set capability dropping library. Currently supported values are "libcap" and "native"])

View File

@ -1,7 +1,7 @@
INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
AM_CFLAGS = -rdynamic -DFIPS_MODE=${fips_mode}
if MONOLITHIC
noinst_LTLIBRARIES = libstrongswan-openssl.la

View File

@ -457,6 +457,25 @@ METHOD(plugin_t, destroy, void,
plugin_t *openssl_plugin_create()
{
private_openssl_plugin_t *this;
int fips_mode;
fips_mode = lib->settings->get_int(lib->settings,
"libstrongswan.plugins.openssl.fips_mode", FIPS_MODE);
#ifdef OPENSSL_FIPS
if (!FIPS_mode_set(fips_mode))
{
DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d)", fips_mode);
return NULL;
}
DBG1(DBG_LIB, "openssl FIPS mode(%d) - %sabled ",fips_mode,
fips_mode ? "en" : "dis");
#else
DBG1(DBG_LIB, "openssl FIPS mode(%d) unavailable", fips_mode);
if (fips_mode)
{
return NULL;
}
#endif
INIT(this,
.public = {