charon.plugins.openssl.fips_mode = 0
Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
+ Set OpenSSL FIPS mode. With OpenSSL before 3.0, the supported values are
+ disabled(0), enabled(1) and Suite B enabled(2). With OpenSSL 3+, any value
+ other than 0 will explicitly load the fips and base providers (_load_legacy_
+ will be ignored). The latter still requires the config in fipsmodule.cnf
+ (e.g. for the module's MAC), but allows explicitly loading the provider if
+ it's not activated in that config.
+
charon.plugins.openssl.load_legacy = yes
Load the legacy provider in OpenSSL 3+ for algorithms like MD4, DES, or
Blowfish (the first two are required for EAP-MSCHAPv2). If disabled, the
- default provider is loaded, or those configured in the OpenSSL config.
+ default provider is loaded, or those configured in the OpenSSL config (e.g.
+ the fips provider).
{
if (FIPS_mode() != fips_mode && !FIPS_mode_set(fips_mode))
{
- DBG1(DBG_LIB, "unable to set openssl FIPS mode(%d) from (%d)",
+ DBG1(DBG_LIB, "unable to set OpenSSL FIPS mode(%d) from (%d)",
fips_mode, FIPS_mode());
return NULL;
}
}
-#else
+#elif OPENSSL_VERSION_NUMBER < 0x30000000L
+ /* OpenSSL 3.0+ is handled below */
if (fips_mode)
{
- DBG1(DBG_LIB, "openssl FIPS mode(%d) unavailable", fips_mode);
+ DBG1(DBG_LIB, "OpenSSL FIPS mode(%d) unavailable", fips_mode);
return NULL;
}
#endif
#endif /* OPENSSL_VERSION_NUMBER */
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy",
- TRUE, lib->ns))
+ if (fips_mode)
+ {
+ OSSL_PROVIDER *fips;
+
+ fips = OSSL_PROVIDER_load(NULL, "fips");
+ if (!fips)
+ {
+ DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider");
+ return NULL;
+ }
+ array_insert_create(&this->providers, ARRAY_TAIL, fips);
+ /* explicitly load the base provider containing encoding functions */
+ array_insert_create(&this->providers, ARRAY_TAIL,
+ OSSL_PROVIDER_load(NULL, "base"));
+ }
+ else if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy",
+ TRUE, lib->ns))
{
/* load the legacy provider for algorithms like MD4, DES, BF etc. */
array_insert_create(&this->providers, ARRAY_TAIL,
/* we do this here as it may have been enabled via openssl.conf */
fips_mode = FIPS_mode();
dbg(DBG_LIB, strpfx(lib->ns, "charon") ? 1 : 2,
- "openssl FIPS mode(%d) - %sabled ", fips_mode, fips_mode ? "en" : "dis");
+ "OpenSSL FIPS mode(%d) - %sabled ", fips_mode, fips_mode ? "en" : "dis");
#endif /* OPENSSL_FIPS */
#if OPENSSL_VERSION_NUMBER < 0x1010100fL
projects / thirdparty / strongswan.git / commitdiff
