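--- a/wolfProvider/README.md
+++ b/wolfProvider/README.md
@@ -0,0 +1,33 @@
+# wolfSSL Open Source Project Ports with wolfProvider
+
+The goal of the wolfProvider project is to replace the crypto used by OpenSSL
+with wolfCrypt or wolfCrypt FIPS, with the least amount of changes possible.
+
+Each of the project directories contains a patch file for a specific version of the Open
+Source Project.
+
+To apply a patch file, change to the project's directory and run
+`patch -p1 < /path/to/PROJ-patch.txt`. Build the project normally.
+
+The projects supported are:
+
+| Directory | Project | Repository |
+| :--- | :--- | :--- |
+|strongswan|[strongswan](https://strongswan.org/)|[repo link](https://github.com/strongswan/strongswan.git)|
+
+
+# Licensing
+
+wolfSSL and wolfCrypt are either licensed for use under the GPLv2 (or at your
+option any later version) or a standard commercial license. For users who
+cannot use wolfSSL under GPLv2 (or any later version), a commercial license to
+wolfSSL and wolfCrypt is available. For license inquiries, please contact
+wolfSSL Inc. directly at [email protected].
+
+All non-wolfSSL projects in this repository are licensed under their
+respective project licenses.
+
+# Support
+
+For support or build issues, please contact the wolfSSL support team at
+[email protected].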
92 changes: 92 additions & 0 deletions wolfProvider/strongswan/strongswan-6.0.1-wolfprov.patch
@@ -0,0 +1,92 @@
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index f567a8d6e..a4b06d5f9 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -792,28 +792,6 @@ static int concat_ossl_providers(OSSL_PROVIDER *provider, void *cbdata)
plugin_t *openssl_plugin_create()
{
private_openssl_plugin_t *this;
- int fips_mode;
-
- fips_mode = lib->settings->get_int(lib->settings,
- "%s.plugins.openssl.fips_mode", FIPS_MODE, lib->ns);
-#ifdef OPENSSL_FIPS
- if (fips_mode)
- {
- if (FIPS_mode() != fips_mode && !FIPS_mode_set(fips_mode))
- {
- DBG1(DBG_LIB, "unable to set OpenSSL FIPS mode(%d) from (%d)",
- fips_mode, FIPS_mode());
- return NULL;
- }
- }
-#elif OPENSSL_VERSION_NUMBER < 0x30000000L
- /* OpenSSL 3.0+ is handled below */
- if (fips_mode)
- {
- DBG1(DBG_LIB, "OpenSSL FIPS mode(%d) unavailable", fips_mode);
- return NULL;
- }
-#endif

INIT(this,
.public = {
@@ -840,49 +818,16 @@ plugin_t *openssl_plugin_create()
#endif /* OPENSSL_VERSION_NUMBER */

#if OPENSSL_VERSION_NUMBER >= 0x30000000L
Since we are patching it anyway, consider adding an #error in the #else case to avoid configuration errors.

In theory this could also work with a pre ossl 3 engine implementation, possibly ours even though it has not been tested. I would prefer to preserve that possible call path for the future.

- if (fips_mode)
- {
- OSSL_PROVIDER *fips;
-
- fips = OSSL_PROVIDER_load(NULL, "fips");
- if (!fips)
- {
- DBG1(DBG_LIB, "unable to load OpenSSL FIPS provider");
- destroy(this);
- return NULL;
- }
- /* explicitly load the base provider containing encoding functions */
- OSSL_PROVIDER_load(NULL, "base");
- }
- else if (lib->settings->get_bool(lib->settings, "%s.plugins.openssl.load_legacy",
- TRUE, lib->ns))
- {
- /* load the legacy provider for algorithms like MD4, DES, BF etc. */
- OSSL_PROVIDER_load(NULL, "legacy");
- /* explicitly load the default provider, as mentioned by crypto(7) */
- OSSL_PROVIDER_load(NULL, "default");
- }
- ossl_provider_names_t data = {};
- OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data);
- dbg(DBG_LIB, strpfx(lib->ns, "charon") ? 1 : 2,
- "providers loaded by OpenSSL:%s", data.names);
-#endif /* OPENSSL_VERSION_NUMBER */
-
-#ifdef OPENSSL_FIPS
- /* we do this here as it may have been enabled via openssl.conf */
- fips_mode = FIPS_mode();
- dbg(DBG_LIB, strpfx(lib->ns, "charon") ? 1 : 2,
- "OpenSSL FIPS mode(%d) - %sabled ", fips_mode, fips_mode ? "en" : "dis");
-#endif /* OPENSSL_FIPS */
+ if (OSSL_PROVIDER_load(NULL, "libwolfprov") == NULL) {
+ DBG1(DBG_LIB, "Error loading wolfProvider");
+ return NULL;
+ }

-#if OPENSSL_VERSION_NUMBER < 0x1010100fL
- if (!seed_rng())
- {
- DBG1(DBG_CFG, "no RNG found to seed OpenSSL");
- destroy(this);
- return NULL;
- }
-#endif /* OPENSSL_VERSION_NUMBER */
+ ossl_provider_names_t data = {};
+ OSSL_PROVIDER_do_all(NULL, concat_ossl_providers, &data);
+ dbg(DBG_LIB, strpfx(lib->ns, "charon") ? 1 : 2,
+ "providers loaded by OpenSSL:%s", data.names);
+#endif

return &this->public.plugin;
}
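Review bot: The new failure branch at `if (OSSL_PROVIDER_load(NULL, "libwolfprov") == NULL)` returns NULL without releasing `this`, which `INIT(this, ...)` allocated earlier in openssl_plugin_create (the function starts in the previous hunk); the removed FIPS-provider path called `destroy(this)` before failing, so this path now leaks the plugin object and should read `DBG1(DBG_LIB, "Error loading wolfProvider"); destroy(this); return NULL;`. The `%s.plugins.openssl.fips_mode` setting is no longer read by anything left in this function, so a deployment that sets it gets no error where it previously got a hard failure when FIPS mode could not be enabled; a `DBG1` noting that the option is ignored under wolfProvider, or a README line saying so, would keep that misconfiguration visible. For OpenSSL builds below 3.0 nothing inside the `#if OPENSSL_VERSION_NUMBER >= 0x30000000L` block runs, so unless an engine path exists elsewhere the plugin reaches `return &this->public.plugin` with no wolfProvider loaded and no diagnostic, i.e. it silently runs on stock OpenSSL crypto, which is worth at least a `DBG1` given the discussion above about keeping the pre-3.0 path. The hunk also drops the `seed_rng()` check for OpenSSL < 1.1.1 with no replacement; if that older path is meant to stay viable, retain it or document that it is no longer supported.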