FIPS mode support

Closes #818
2018-01-06 08:50:50 -08:00 · 2018-01-06 08:50:50 -08:00 · 45c15a65ad
parent 753a7d07b1
commit 45c15a65ad
3 changed files with 29 additions and 0 deletions
--- a/openssl-sys/src/lib.rs
+++ b/openssl-sys/src/lib.rs
@ -2694,4 +2694,9 @@ extern "C" {
    pub fn SMIME_read_CMS(bio: *mut BIO, bcont: *mut *mut BIO) -> *mut CMS_ContentInfo;
    #[cfg(not(libressl))]
    pub fn CMS_ContentInfo_free(cms: *mut CMS_ContentInfo);
+
+    #[cfg(not(libressl))]
+    pub fn FIPS_mode_set(onoff: c_int) -> c_int;
+    #[cfg(not(libressl))]
+    pub fn FIPS_mode() -> c_int;
 }
--- a/openssl/src/fips.rs
+++ b/openssl/src/fips.rs
@ -0,0 +1,22 @@
+//! FIPS 140-2 support.
+//!
+//! See [OpenSSL's documentation] for details.
+//!
+//! [OpenSSL's documentation]: https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
+use cvt;
+use error::ErrorStack;
+use ffi;
+
+/// Moves the library into or out of the FIPS 140-2 mode of operation.
+///
+/// This corresponds to `FIPS_mode_set`.
+pub fn enable(enabled: bool) -> Result<(), ErrorStack> {
+    unsafe { cvt(ffi::FIPS_mode_set(enabled as _)).map(|_| ()) }
+}
+
+/// Determines if the library is running in the FIPS 140-2 mode of operation.
+///
+/// This corresponds to `FIPS_mode`.
+pub fn enabled() -> bool {
+    unsafe { ffi::FIPS_mode() != 0 }
+}
--- a/openssl/src/lib.rs
+++ b/openssl/src/lib.rs
@ -41,6 +41,8 @@ pub mod dsa;
 pub mod ec;
 pub mod error;
 pub mod ex_data;
+#[cfg(not(libressl))]
+pub mod fips;
 pub mod hash;
 pub mod memcmp;
 pub mod nid;