From d4a3d3b25556db740daa02f3873cbe3039dab29d Mon Sep 17 00:00:00 2001
From: Colton Willey
Date: Mon, 7 Apr 2025 12:22:10 -0700
Subject: [PATCH 1/3] Initial commit for strongswan patch for wolfProvider, setup new directory structure for wolfProvider OSP patches
---
 wolfProvider/README.md | 33 +++++++
 .../strongswan-6.0.1-wolfprov.patch | 92 +++++++++++++++++++
 2 files changed, 125 insertions(+)
 create mode 100644 wolfProvider/README.md
 create mode 100644 wolfProvider/strongswan/strongswan-6.0.1-wolfprov.patch
diff --git a/wolfProvider/README.md b/wolfProvider/README.md
new file mode 100644
index 00000000..25c1bbff
--- /dev/null
+++ b/wolfProvider/README.md
@@ -0,0 +1,33 @@
+# wolfSSL Open Source Project Ports with wolfProvider
+
+The goal of the wolfProvider project is to replace the crypto used by OpenSSL
+with wolfCrypt or wolfCrypt FIPS, with the least amount of changes possible.
+
+Each of the project directories a patch file for a specific version of the Open
+Source Project.
+
+To apply a patch file, change to the project's directory and run
+`patch -p1 <../PROJ-patch.txt`. Build the project normally.
+
+The projects supported are:
+
+| Directory | Project | Repository |
+| :--- | :--- | :--- |
+|strongswan|[strongswan](https://strongswan.org/)|[repo link](https://github.com/strongswan/strongswan.git)|
+
+
+# Licensing
+
+wolfSSL and wolfCrypt are either licensed for use under the GPLv2 (or at your
+option any later version) or a standard commercial license. For users who
+cannot use wolfSSL under GPLv2 (or any later version), a commercial license to
+wolfSSL and wolfCrypt is available. For license inquiries, please contact
+wolfSSL Inc. directly at licensing@wolfssl.com.
+
+All non-wolfSSL projects in this repository are licensed under their
+respective project licenses.
+
+# Support
+
+For support or build issues, please contact the wolfSSL support team at
+support@wolfssl.com.
diff --git a/wolfProvider/strongswan/strongswan-6.0.1-wolfprov.patch b/wolfProvider/strongswan/strongswan-6.0.1-wolfprov.patch
new file mode 100644
index 00000000..24c244c4
--- /dev/null
+++ b/wolfProvider/strongswan/strongswan-6.0.1-wolfprov.patch
@@ -0,0 +1,92 @@
+diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
+index f567a8d6e..a4b06d5f9 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
++++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
+@@ -792,28 +792,6 @@ static int concat_ossl_providers(OSSL_PROVIDER *provider, void *cbdata)
+ plugin_t *openssl_plugin_create()
+ {
+ private_openssl_plugin_t *this;
+- int fips_mode;
+-
+- fips_mode = lib->settings->get_int(lib->settings,
+- "%s.plugins.openssl.fips_mode", FIPS_MODE, lib->ns);
+-#ifdef OPENSSL_FIPS
+- if (fips_mode)
+- {
+- if (FIPS_mode() != fips_mode && !FIPS_mode_set(fips_mode))
+- {
+- DBG1(DBG_LIB, "unable to set OpenSSL FIPS mode(%d) from (%d)",
+- fips_mode, FIPS_mode());
+- return NULL;
+- }
+- }
+-#elif OPENSSL_VERSION_NUMBER < 0x30000000L
+- /* OpenSSL 3.0+ is handled below */
+- if (fips_mode)
+- {
+- DBG1(DBG_LIB, "OpenSSL FIPS mode(%d) unavailable", fips_mode);
+- return NULL;
+- }
+-#endif
+ 
+ INIT(this,
+ .public = {
+@@ -840,49 +818,16 @@ plugin_t *openssl_plugin_create()
+ #endif /* OPENSSL_VERSION_NUMBER */
+ 
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+- if (fips_mode)
+- {
+- OSSL_PROVIDER *fips;
+-
+- fips = OSSL_PROVIDER_load(NULL, "fips");
+- if (!fips)
+- {
+- DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider");
+- destroy(this);
+- return NULL;
+- }
+- /* explicitly load the base provider containing encoding functions */
+- OSSL_PROVIDER_load(NULL, "base");
+- }
+- else if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy",
+- TRUE, lib->ns))
+- {
+- /* load the legacy provider for algorithms like MD4, DES, BF etc. */
+- OSSL_PROVIDER_load(NULL, "legacy");
+- /* explicitly load the default provider, as mentioned by crypto(7) */
+- OSSL_PROVIDER_load(NULL, "default");
+- }
+- ossl_provider_names_t data = {};
+- OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data);
+- dbg(DBG_LIB, strpfx(lib->ns, "charon") ? 
1 : 2,
+- "providers loaded by OpenSSL:%s", data.names);
+-#endif /* OPENSSL_VERSION_NUMBER */
+-
+-#ifdef OPENSSL_FIPS
+- /* we do this here as it may have been enabled via openssl.conf */
+- fips_mode = FIPS_mode();
+- dbg(DBG_LIB, strpfx(lib->ns, "charon") ? 1 : 2,
+- "OpenSSL FIPS mode(%d) - %sabled ", fips_mode, fips_mode ? "en" : "dis");
+-#endif /* OPENSSL_FIPS */
++ if (OSSL_PROVIDER_load(NULL, "libwolfprov") == NULL) {
++ DBG1(DBG_LIB, "Error loading wolfProvider");
++ return NULL;
++ }
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x1010100fL
+- if (!seed_rng())
+- {
+- DBG1(DBG_CFG, "no RNG found to seed OpenSSL");
+- destroy(this);
+- return NULL;
+- }
+-#endif /* OPENSSL_VERSION_NUMBER */
++ ossl_provider_names_t data = {};
++ OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data);
++ dbg(DBG_LIB, strpfx(lib->ns, "charon") ? 1 : 2,
++ "providers loaded by OpenSSL:%s", data.names);
++#endif
+ 
+ return &this->public.plugin;
+ }
From 8ac7b651b058d5c7f6943512c19199970063d65f Mon Sep 17 00:00:00 2001
From: cwilley
Date: Tue, 15 Apr 2025 10:08:07 -0700
Subject: [PATCH 2/3] Update wolfProvider/README.md
Co-authored-by: Juliusz Sosinowicz <49391366+julek-wolfssl@users.noreply.github.com>
---
 wolfProvider/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wolfProvider/README.md b/wolfProvider/README.md
index 25c1bbff..a9580a7d 100644
--- a/wolfProvider/README.md
+++ b/wolfProvider/README.md
@@ -3,7 +3,7 @@
 The goal of the wolfProvider project is to replace the crypto used by OpenSSL
 with wolfCrypt or wolfCrypt FIPS, with the least amount of changes possible.
 
-Each of the project directories a patch file for a specific version of the Open
+Each of the project directories contains a patch file for a specific version of the Open
 Source Project.
 
 To apply a patch file, change to the project's directory and run
From faedd0589c63de6b5faf75a15a712f9d2ed9c668 Mon Sep 17 00:00:00 2001
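Review bot: The new failure branch after `OSSL_PROVIDER_load(NULL, "libwolfprov")` returns NULL without releasing the plugin object that `INIT(this, ...)` allocated earlier in openssl_plugin_create, whereas the FIPS-provider branch it replaces called `destroy(this)` before returning; add `destroy(this);` between `DBG1(DBG_LIB, "Error loading wolfProvider");` and `return NULL;`. The same hunk drops the reads of the `%s.plugins.openssl.fips_mode` and `%s.plugins.openssl.load_legacy` settings together with the explicit base/default/legacy provider loads, so a configuration that still sets them is now silently ignored; if that is intended, a comment above the load such as `/* wolfProvider replaces the fips/default/legacy providers; fips_mode and load_legacy are not consulted */` would record it, and otherwise a DBG1 when fips_mode is set is worth keeping. The replacement `#endif` also lost the `/* OPENSSL_VERSION_NUMBER */` marker its neighbours carry. openssl_plugin_create is only partly visible here: the lines between the two inner hunks are not part of this patch.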
From: cwilley
Date: Tue, 15 Apr 2025 10:08:18 -0700
Subject: [PATCH 3/3] Update wolfProvider/README.md
Co-authored-by: Juliusz Sosinowicz <49391366+julek-wolfssl@users.noreply.github.com>
---
 wolfProvider/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wolfProvider/README.md b/wolfProvider/README.md
index a9580a7d..c31ccd1d 100644
--- a/wolfProvider/README.md
+++ b/wolfProvider/README.md
@@ -7,7 +7,7 @@ Each of the project directories contains a patch file for a specific version of
 Source Project.
 
 To apply a patch file, change to the project's directory and run
-`patch -p1 <../PROJ-patch.txt`. Build the project normally.
+`patch -p1 < /path/to/PROJ-patch.txt`. Build the project normally.
 
 The projects supported are: