support of OpenSSL FIPS-140-2 library

configure.in

@@ -46,6 +46,7 @@ ARG_WITH_SUBST([linux-headers],      [\${top_srcdir}/src/include], [set director
 ARG_WITH_SUBST([routing-table],      [220], [set routing table to use for IPsec routes])
 ARG_WITH_SUBST([routing-table-prio], [220], [set priority for IPsec routing table])
 ARG_WITH_SUBST([ipsec-script],       [ipsec], [change the name of the ipsec script])
+ARG_WITH_SUBST([fips-mode],          [0], [set openssl FIPS mode: disabled(0), enabled(1), Suite B enabled(2)])
 
 ARG_WITH_SET([tss],                  [no], [set implementation of the Trusted Computing Group's Software Stack (TSS). Currently the only supported value is "trousers"])
 ARG_WITH_SET([capabilities],         [no], [set capability dropping library. Currently supported values are "libcap" and "native"])

src/libstrongswan/plugins/openssl/Makefile.am

@@ -1,7 +1,7 @@
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic -DFIPS_MODE=${fips_mode}
 
 if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-openssl.la

src/libstrongswan/plugins/openssl/openssl_plugin.c

@@ -457,6 +457,25 @@ METHOD(plugin_t, destroy, void,
 plugin_t *openssl_plugin_create()
 {
 	private_openssl_plugin_t *this;
+	int fips_mode;
+
+	fips_mode = lib->settings->get_int(lib->settings,
+						"libstrongswan.plugins.openssl.fips_mode", FIPS_MODE);
+#ifdef OPENSSL_FIPS
+	if (!FIPS_mode_set(fips_mode))
+	{
+		DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d)", fips_mode);
+		return NULL;
+	}
+	DBG1(DBG_LIB, "openssl FIPS mode(%d) - %sabled ",fips_mode,
+				   fips_mode ? "en" : "dis");
+#else
+	DBG1(DBG_LIB, "openssl FIPS mode(%d) unavailable", fips_mode);
+	if (fips_mode)
+	{
+		return NULL;
+	}
+#endif
 
 	INIT(this,
 		.public = {