All,
Are there any current plans to include a FIPS compliant mode in stunnel? I have asked some of my peers on other US Government projects and they indicated this would be a help to them as well.
Looking at the user's guide from the OpenSSL site (http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf), it would not appear to be a great amount of effort to make a stunnel that functions in a FIPS compliant mode.
Attached I have included the patch I have created (with some help from friends). It does not do the final linking correctly, as I am not very good with automake.
Please let me know what you think.
Thank you George
diff -u -r @stunnel-4.20/configure.ac stunnel-4.20/configure.ac
--- @stunnel-4.20/configure.ac 2006-11-11 09:58:01.000000000 -0500
+++ stunnel-4.20/configure.ac 2007-03-26 18:35:09.000000000 -0400
@@ -260,6 +260,51 @@
 CFLAGS="$CFLAGS -I$ssldir/include"
 LIBS="$LIBS -L$ssldir/lib -lssl -lcrypto"
+AC_ARG_WITH(fips,
+ [ --with-fips Enable OpenSSL FIPS mode],
+ [
+ if test "x$withval" != "xno" ; then
+ INCLUDES="=l$ssldir/include"
+ AC_CACHE_CHECK([for FIPS mode], ac_cv_fips, [
+ AC_TRY_COMPILE(
+ [ #include <openssl/fips.h> ],
+ [ FIPS_mode_set(1); ],
+ [ ac_cv_fips="yes" ],
+ [ ac_cv_fips="no" ]
+ )
+ ])
+ fi
+ ]
+)
+if test "x$ac_cv_fips" = "xyes" ; then
+ CPPFLAGS="$CPPFLAGS -DOPENSSL_FIPS"
+ FIPS_MODE=yes
+ AC_SUBST(FIPS_MODE)
+fi
+
+AC_ARG_WITH(fips,
+ [ --with-fips Enable OpenSSL FIPS mode],
+ [
+ if test "x$withval" != "xno" ; then
+ INCLUDES="=l$ssldir/include"
+ AC_CACHE_CHECK([for FIPS mode], ac_cv_fips, [
+ AC_TRY_COMPILE(
+ [ #include <openssl/fips.h> ],
+ [ FIPS_mode_set(1); ],
+ [ ac_cv_fips="yes" ],
+ [ ac_cv_fips="no" ]
+ )
+ ])
+ fi
+ ]
+)
+if test "x$ac_cv_fips" = "xyes" ; then
+ CPPFLAGS="$CPPFLAGS -DOPENSSL_FIPS"
+ FIPS_MODE=yes
+ AC_SUBST(FIPS_MODE)
+fi
+AM_CONDITIONAL(FIPS_MODE, test x$ac_cv_fips = xyes)
+
 # Check for obsolete RSAref library
 AC_MSG_CHECKING([for obsolete RSAref library])
 saved_LIBS="$LIBS"
Only in stunnel-4.20: configure.ac.orig
diff -u -r @stunnel-4.20/src/common.h stunnel-4.20/src/common.h
--- @stunnel-4.20/src/common.h 2006-11-17 04:03:18.000000000 -0500
+++ stunnel-4.20/src/common.h 2007-03-26 18:35:03.000000000 -0400
@@ -321,6 +321,9 @@
 #if SSLEAY_VERSION_NUMBER >= 0x00907000L
 #include <openssl/ocsp.h>
 #endif /* OpenSSL-0.9.7 */
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
 #else /* HAVE_OPENSSL */
 #include <lhash.h>
 #include <ssl.h>
diff -u -r @stunnel-4.20/src/options.c stunnel-4.20/src/options.c
--- @stunnel-4.20/src/options.c 2006-11-05 08:04:37.000000000 -0500
+++ stunnel-4.20/src/options.c 2007-03-26 18:35:03.000000000 -0400
@@ -556,7 +556,11 @@
 /* ciphers */
 switch(cmd) {
 case CMD_INIT:
+#ifndef OPENSSL_FIPS
 section->cipher_list=SSL_DEFAULT_CIPHER_LIST;
+#else
+ section->cipher_list="!ADH:!RC4:!RC2:!IDEA:!MD5:!NULL:TLSv1";
+#endif
 break;
 case CMD_EXEC:
 if(strcasecmp(opt, "ciphers"))
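Review bot: The `AC_ARG_WITH(fips, ...)` block and the `if test "x$ac_cv_fips" = "xyes"` block that follows it appear twice in this hunk, verbatim; the second copy should be dropped so that --with-fips is registered once and FIPS_MODE is substituted once. `INCLUDES="=l$ssldir/include"` reads like a typo for `-I$ssldir/include`, but the assignment is dead either way: AC_TRY_COMPILE does not consult INCLUDES, and the context line `CFLAGS="$CFLAGS -I$ssldir/include"` just above the hunk already adds that path, so the line can simply be removed. Because the probe only compiles a call to FIPS_mode_set(1), it cannot tell whether the libcrypto being linked actually provides the FIPS module; switching the probe to AC_TRY_LINK would surface that at configure time rather than at the final link the mail says is failing.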
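Review bot: The cipher string "!ADH:!RC4:!RC2:!IDEA:!MD5:!NULL:TLSv1" is an inline literal in this CMD_INIT branch and again in the CMD_DEFAULT branch of the next hunk (@@ -564), so the default that is applied and the default that is printed can drift apart; define it once beside SSL_DEFAULT_CIPHER_LIST, e.g. `#define FIPS_DEFAULT_CIPHER_LIST "!ADH:!RC4:!RC2:!IDEA:!MD5:!NULL:TLSv1"`, and use the macro in both places. Note also that this selection is fixed at compile time by OPENSSL_FIPS, whereas the `fips` option added later in the patch is a runtime switch, so a FIPS-capable build running with `fips = no` still gets the restricted list; if that is intended, a one-line comment above the `#ifndef OPENSSL_FIPS` saying so would save the next reader the question. The enclosing function starts and ends outside the hunk.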
@@ -564,7 +568,11 @@
 section->cipher_list=stralloc(arg);
 return NULL; /* OK */
 case CMD_DEFAULT:
+#ifndef OPENSSL_FIPS
 log_raw("%-15s = %s", "ciphers", SSL_DEFAULT_CIPHER_LIST);
+#else
+ log_raw("%-15s = %s", "ciphers", "!ADH:!RC4:!RC2:!IDEA:!MD5:!NULL:TLSv1");
+#endif
 break;
 case CMD_HELP:
 log_raw("%-15s = list of permitted SSL ciphers", "ciphers");
@@ -726,6 +734,31 @@
 }
 #endif
+ /* fips mode */
+#ifndef USE_WIN32
+ switch(cmd) {
+ case CMD_INIT:
+ options.option.fips_mode=0;
+ break;
+ case CMD_EXEC:
+ if(strcasecmp(opt, "fips"))
+ break;
+ if(!strcasecmp(arg, "yes"))
+ options.option.fips_mode = 1;
+ else if(!strcasecmp(arg, "no"))
+ options.option.fips_mode = 0;
+ else
+ return "argument should be either 'yes' or 'no'";
+ return NULL; /* OK */
+ case CMD_DEFAULT:
+ break;
+ case CMD_HELP:
+ log_raw("%-15s = yes|no FIPS mode",
+ "fips");
+ break;
+ }
+#endif
+
 /* execargs */
 #ifndef USE_WIN32
 switch(cmd) {
diff -u -r @stunnel-4.20/src/prototypes.h stunnel-4.20/src/prototypes.h
--- @stunnel-4.20/src/prototypes.h 2006-11-11 08:03:05.000000000 -0500
+++ stunnel-4.20/src/prototypes.h 2007-03-26 18:35:03.000000000 -0400
@@ -142,6 +142,7 @@
 unsigned int foreground:1;
 unsigned int syslog:1; /* log to syslog */
 unsigned int rand_write:1; /* overwrite rand_file */
+ unsigned int fips_mode:1;
 #ifdef USE_WIN32
 unsigned int taskbar:1; /* enable the taskbar icon */
 #endif
diff -u -r @stunnel-4.20/src/stunnel.c stunnel-4.20/src/stunnel.c
--- @stunnel-4.20/src/stunnel.c 2006-11-30 15:47:45.000000000 -0500
+++ stunnel-4.20/src/stunnel.c 2007-03-26 18:35:03.000000000 -0400
@@ -59,6 +59,7 @@
 #ifndef USE_WIN32
 int main(int argc, char* argv[]) { /* execution begins here 8-) */
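Review bot: The `fips` option is guarded only by `#ifndef USE_WIN32`, not by OPENSSL_FIPS, so in a build configured without --with-fips the line `fips = yes` is accepted and silently does nothing, because the FIPS_mode_set call in stunnel.c is compiled out; an operator reading the config file would believe FIPS mode is active when it is not. Either wrap the whole block in `#ifdef OPENSSL_FIPS` so the option is rejected as unknown, or keep the option and have the CMD_EXEC branch `return "FIPS mode is not supported by this build";` when OPENSSL_FIPS is undefined, so the mismatch is a startup error rather than a silent no-op. The CMD_DEFAULT branch is empty while the ciphers option above logs its default; `log_raw("%-15s = no", "fips");` would keep the defaults listing consistent. The enclosing function starts and ends outside the hunk.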
+unsigned long e;
 main_initialize(argc>1 ? argv[1] : NULL, argc>2 ? argv[2] : NULL);
 signal(SIGPIPE, SIG_IGN); /* avoid 'broken pipe' signal */
@@ -72,6 +73,21 @@
 signal(SIGHUP, signal_handler);
 /* signal(SIGSEGV, signal_handler); */
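Review bot: `unsigned long e;` is referenced only inside the `#ifdef OPENSSL_FIPS` block added in the next hunk, so every non-FIPS build now gets an unused-variable warning in main(); declare it inside that block instead, as the first statement of the `if (!FIPS_mode_set(1))` body, where its lifetime matches its use. The declaration is also at column 0 while the surrounding statements are indented; it should follow the file's indentation. main() continues past the hunk.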
+#ifdef OPENSSL_FIPS
+ if(options.option.fips_mode) {
+ if (!FIPS_mode_set(1)) {
+ log_raw("Failed to enter FIPS mode");
+ ERR_load_crypto_strings();
+ while((e = ERR_get_error())) {
+ log_raw(ERR_error_string(e,NULL));
+ }
+ return 1; /* failure */
+ } else {
+ log_raw("FIPS mode enabled");
+ }
+ }
+#endif
+
 main_execute();
return 0; /* success */
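Review bot: `log_raw(ERR_error_string(e,NULL));` hands a non-literal string to log_raw as its format argument; the rest of the patch uses log_raw printf-style (`log_raw("%-15s = %s", ...)`), so this should be `log_raw("%s", ERR_error_string(e, NULL));` to keep any '%' in the library text from being interpreted as a conversion. FIPS_mode_set(1) is called only after main_initialize() has returned; if main_initialize already initialises OpenSSL and builds the SSL contexts from the parsed config (it appears to, but its body is outside this patch), the switch comes too late, since the OpenSSL user guide the mail cites requires FIPS mode to be entered before other crypto calls, so the call belongs immediately after the `fips` option is known and before any context is created. When the build has OPENSSL_FIPS but the operator leaves `fips = no`, nothing is logged, so the startup log cannot distinguish the two states; an `else` on the outer `if` with `log_raw("FIPS mode disabled");` would make the effective mode auditable. main() continues past the hunk.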