As part of an internal project at work, I'm investigating a Windows tunneling solution using STunnel. As a requirement of my work, I am to modify STunnel to use OpenSSL's FIPS APIs. And, with only a couple of speedbumps, I was able to achieve this.
However I'd like to make my code a little more robust--to provide some notification to the user if OpenSSL's FIPS mode is active or not. To this point I've not been able to figure out a way to do this. In my copy of the STunnel source, I've modified the routine ssl_init() in ssl.c to make a call to FIPS_mode_set(1) (as demonstrated on page 33 of http://www.openssl.org/docs/fips/UserGuide-1.0.pdf). Below is a copy of my current copy of ssl_init():
void ssl_init(void) { /* to keep CLI structure for verify callback */ #if defined(OPENSSL_FIPS) && defined(USE_FIPS) if (!FIPS_mode_set(1)) { s_log(LOG_CRIT, "Could not set FIPS mdoe!"); } else { s_log(LOG_INFO, "In FIPS mode."); } #endif /* rest of ssl_init() from original source */ }
As I've found out, the s_log calls do nothing because the STunnel window has not been displayed yet. Ideally, in the case where the FIPS_mode_set() call fails, I'd like to invoke an error handler to cause the STunnel service to fail to start. But trying to make a call to something like sslerror() caused a program crash. Any ideas on how to make these changes?