Wolfssl FIPS (library) hash update issue #8203
Comments
Hi @volga629-1, this is the procedure:
You should probably try it on Linux as a sanity check. Then once you have it working with strongswan on linux, move to windows. Here at wolfSSL we love knowing how people are using our software source code. Can you let us know a bit about yourself and this project? For example:
Please do let us know. Warm regards, Anthony
I can reproduce the same problem on Linux (Fedora 39).
When you do that, is it running ./fips_hash.sh to regenerate the FIPS hash?
Can you please help us prioritize this request by telling us about yourself and your project?
Yes, 100%. Here is the spec file:
Can you first simply run the steps that I specified earlier:
Yes, please provide an email address and I will provide you the info.
I will try to simplify, but I need to stick with the RPM system, because I can't tell 100% whether there are issues when I need to repoint the build to non-standard locations. FIPS hash update:
I recompiled again from a clean state and this time wolfSSL loaded correctly.
You can reach me at [email protected]. I look forward to your message. Warm regards, Anthony
When I compile on Windows, same thing: the FIPS hash update is empty.
Please look in the fips-hash.sh script to see what it is doing. Basically it runs the tests, lets them fail, and the failure message will give you the new hash. Are you getting the failure message with the new hash?
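The hash-update step Anthony describes (run the self-test, let it fail, copy the hash from the failure message into the source, rebuild) is the kind of thing that goes wrong silently when done by hand, which is what this thread is chasing. The script below is an added example written for this page, not wolfSSL's own fips-hash.sh; it assumes (these are assumptions, not facts from the thread) that the failure message carries a line of the form `hash = <hex>`, that the expected value is a 64-character hex C string named `verifyCore[]` in `fips_test.c`, and that the test binary writes to stdout/stderr. It refuses ambiguous output (zero or several hash lines) and a source tree with anything other than exactly one `verifyCore[]` definition, so a wrong tree is never half-patched.

```python
"""Added example, not wolfSSL's fips-hash.sh: automate the hash-update step
(run the self-test, let it fail, take the new hash from the failure message,
write it into the source, rebuild).

Assumptions (not from the thread, adjust to your tree): the failure message
carries a line 'hash = <hex>', the expected value is a 64-hex-char C string
named verifyCore[] in fips_test.c, and the test binary prints to stdout.
"""
import re
import subprocess
from typing import Optional, Tuple

# Line in the self-test failure output that carries the newly computed hash.
HASH_LINE = re.compile(r"^\s*hash\s*=\s*([0-9A-Fa-f]+)\s*$", re.MULTILINE)

# The expected-hash definition in fips_test.c (assumed shape).
VERIFY_CORE = re.compile(
    r'(static\s+const\s+char\s+verifyCore\[\]\s*=\s*")([0-9A-Fa-f]*)(";)'
)


def extract_new_hash(test_output: str) -> Optional[str]:
    """Return the hash reported by the failed in-core integrity check.

    Returns None unless exactly one hash line is present: zero means the test
    did not reach the integrity check (or it passed), more than one means the
    output is ambiguous and must not drive an automatic update.
    """
    found = HASH_LINE.findall(test_output)
    if len(found) != 1:
        return None
    return found[0].upper()


def patch_verify_core(source: str, new_hash: str) -> str:
    """Return fips_test.c source text with verifyCore[] set to new_hash.

    Refuses anything but a 64-char hex digest and insists on exactly one
    verifyCore[] definition, so a mismatched tree is never half-patched.
    """
    if not re.fullmatch(r"[0-9A-Fa-f]{64}", new_hash):
        raise ValueError("hash must be a 64-character hex digest")
    if len(VERIFY_CORE.findall(source)) != 1:
        raise ValueError("expected exactly one verifyCore[] definition")
    return VERIFY_CORE.sub(
        lambda m: m.group(1) + new_hash.upper() + m.group(3), source, count=1
    )


def update_from_output(test_output: str, source: str) -> Tuple[str, bool]:
    """Apply the reported hash to the source text; returns (source, changed)."""
    new_hash = extract_new_hash(test_output)
    if new_hash is None:
        raise RuntimeError("no unambiguous 'hash = ...' line in test output")
    current = VERIFY_CORE.search(source)
    if current is not None and current.group(2).upper() == new_hash:
        return source, False  # already up to date, nothing to rebuild
    return patch_verify_core(source, new_hash), True


def run_and_update(test_cmd: list, source_path: str) -> bool:
    """Run the self-test binary and patch the file on disk; True if changed."""
    proc = subprocess.run(test_cmd, capture_output=True, text=True, check=False)
    with open(source_path, encoding="utf-8") as fh:
        source = fh.read()
    new_source, changed = update_from_output(proc.stdout + proc.stderr, source)
    if changed:
        with open(source_path, "w", encoding="utf-8") as fh:
            fh.write(new_source)
    return changed


# Constructed sample data (not real wolfSSL output or source).
NEW_HASH = "0123456789ABCDEF" * 4
SAMPLE_OUTPUT = (
    "message = In Core Integrity check FIPS error\n"
    f"hash = {NEW_HASH}\n"
    "In core integrity hash check failure, copy above hash\n"
    "into verifyCore[] in fips_test.c and rebuild\n"
)
SAMPLE_SOURCE = (
    "/* constructed fragment, not the real fips_test.c */\n"
    '#include "fips_test.h"\n'
    'static const char verifyCore[] = "' + "0" * 64 + '";\n'
)

if __name__ == "__main__":
    patched, changed = update_from_output(SAMPLE_OUTPUT, SAMPLE_SOURCE)
    print("changed:", changed)
    print(patched)
```

Running it on the constructed sample replaces the all-zero placeholder with the reported hash; running it again on the patched text reports no change, which is the signal that the rebuilt library should now pass its self-test rather than fail again with a different hash.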
I rebuilt the Windows version one more time and the FIPS hash is still not updating properly.
Can you please post the dependencies for Windows?
@anhu Should I try downgrading wolfSSL? I saw that you use 5.7.2; I think it might be related.
No need, 5.7.4 is fine. There are no dependencies for Windows. However, it would be better if you used Visual Studio. Can you do that? Our Visual Studio solution is very simple.
5.7.2 is what I had on hand.
I can't use Visual Studio, because I need to customize options for strongSwan support, unless I need to adjust user_options.h.
Yes, that is how you would do it. First you build on Linux and make sure strongSwan works there. Then you look at the
Let's take your FIPS hash problems out of the equation first. You can do this:
Please also note that your RPM never executes the
The RPM process executes fips_hash.sh, and strongSwan is loading the wolfSSL FIPS library; that is not the issue.
My colleagues pointed out you can use your current method to generate an options.h and then use that to customize your user_settings.h in the Visual Studio build.
Let me try this method.
This is the list which I am going to try:
@anhu can you please confirm that user_settings.h looks correct:
Hi Volga, this seems like a bit too much. For example, you have HAVE_LINUXKM_PIE_SUPPORT, which I would imagine isn't required. Same with HAVE_CAMELLIA and many others. May I ask how you constructed this file?
I pulled what is compiled on Linux. Normally I do configure:
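The suggestion above is to let configure on Linux produce an options.h and derive the Visual Studio user_settings.h from it, and the objection that follows is that copying everything drags in macros like HAVE_LINUXKM_PIE_SUPPORT that have no business in a Windows build; the later advice in this thread not to define NO_AES_CBC is the same problem from the other side. The converter below is an added example written for this page, not a wolfSSL tool, and its assumptions are not taken from the thread: that options.h lists each setting as an `#undef NAME` / `#define NAME [value]` pair, that the guard name `WOLFSSL_USER_SETTINGS_H` is a free choice, and that the drop list is yours to maintain (the two entries seeded here are the two macros named in the thread). It reports what it dropped so the review step is explicit rather than a silent copy.

```python
"""Added example, not a wolfSSL tool: turn the options.h that configure
generates on Linux into a user_settings.h for the Visual Studio build,
dropping macros that are Linux-only or known-bad for this port.

Assumptions (not from the thread): options.h lists each setting as an
'#undef NAME' / '#define NAME [value]' pair, the guard macro name
WOLFSSL_USER_SETTINGS_H is a free choice, and the drop list is yours to
maintain; the two entries seeded below are the ones named in the thread.
"""
import re
from typing import Dict, FrozenSet, List, Optional, Tuple

DEFINE_RE = re.compile(r"^\s*#\s*define\s+([A-Za-z_]\w*)(?:\s+(.+?))?\s*$")

# Macros copied from a Linux options.h that should not reach the Windows
# build: the Linux kernel-module flag and the AES-CBC opt-out (both named
# in the thread). Extend this set as you review the generated file.
DEFAULT_DROP: FrozenSet[str] = frozenset({"HAVE_LINUXKM_PIE_SUPPORT", "NO_AES_CBC"})


def parse_options_h(text: str) -> Dict[str, Optional[str]]:
    """Collect '#define NAME [value]' lines into a name -> value mapping.

    '#undef' lines and comments are skipped; a later #define of the same
    name wins, matching what the preprocessor would see.
    """
    defines: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            defines[m.group(1)] = m.group(2)
    return defines


def convert(options_text: str, drop: FrozenSet[str] = DEFAULT_DROP,
            guard: str = "WOLFSSL_USER_SETTINGS_H") -> Tuple[str, List[str]]:
    """Render user_settings.h text and report which macros were dropped."""
    defines = parse_options_h(options_text)
    dropped = sorted(name for name in defines if name in drop)
    lines = [f"#ifndef {guard}", f"#define {guard}", ""]
    for name, value in defines.items():
        if name in drop:
            continue
        lines.append(f"#define {name}" + (f" {value}" if value is not None else ""))
    lines += ["", f"#endif /* {guard} */", ""]
    return "\n".join(lines), dropped


# Constructed sample in the #undef/#define pair style; not a real options.h.
SAMPLE_OPTIONS_H = """\
/* options.h (constructed sample, not generated by configure) */
#undef  HAVE_THREAD_LS
#define HAVE_THREAD_LS
#undef  HAVE_LINUXKM_PIE_SUPPORT
#define HAVE_LINUXKM_PIE_SUPPORT
#undef  NO_AES_CBC
#define NO_AES_CBC
#undef  HAVE_FIPS_VERSION
#define HAVE_FIPS_VERSION 5
"""

if __name__ == "__main__":
    header, dropped = convert(SAMPLE_OPTIONS_H)
    print(header)
    print("dropped:", ", ".join(dropped))
```

On the constructed sample the output keeps HAVE_THREAD_LS and HAVE_FIPS_VERSION 5 inside the include guard and reports HAVE_LINUXKM_PIE_SUPPORT and NO_AES_CBC as dropped; a real options.h will produce a much longer list, and every entry in it still deserves the "is this required on Windows?" question Anthony asks above.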
Can you please clarify the order in which test.exe should be run when Visual Studio is in use.
Oh, I see "RANDOM test passed!", which means you have the correct hash. The next possible problem might be that you need to call wc_SetSeed_Cb() and wolfCrypt_SetCb_fips() just before the wolfSSL initialization. You can see the following example application to see what I mean: https://github.com/wolfSSL/wolfssl-examples/blob/master/X9.146/gen_dual_keysig_cert.c#L131 Warm regards, Anthony
My guess is that in strongSwan this should already be done. I will check the source code right now. The strongSwan team has provided a patch to do the init properly.
@anhu which option can I use to load HASH SHA1? It is a mandatory requirement for strongSwan.
Hmmm.... In a FIPS-ready build I believe SHA1 is disabled. I might need to set up an internal meeting to confer with my colleagues on this. Please stay tuned.
A little bit more detail:
Hi @volga629-1, I have set up a meeting with my colleagues for later today, but you seem to be giving this a high degree of urgency, so I will give some interim advice. Perhaps the best idea is to use our general wolfSSL release (non-FIPS-ready) and get that working on Windows as a proof of concept. Once you have seen how that functions and you are satisfied, then when you have a conversation with us about commercial licensing and support, you can highlight that you will need SHA1. Please stay tuned; the meeting is set for late in the afternoon. Warm regards, Anthony
Thank you for the suggestion, I will try, but even for the demo I will need FIPS. @anhu Question regarding strongSwan failing to load wolfSSL. The strongSwan code states:
Is anything else preventing the plugin from loading? In user_settings.h I include:
Hi @volga629-1, it seems we have many issues one after the other. Why don't we set up a call over Zoom, MS Teams or Google Meet to get over these technical details? Please send me an invite to a meeting with a link to your favourite meeting system for 9:30 am tomorrow morning. You can send it to [email protected]. Warm regards, Anthony
Thank you, I will.
I will send you an invite soon.
Got it, it will be great to finally chat with you tomorrow. Warm regards, Anthony
@anhu I am getting closer.
Do not define NO_AES_CBC
Getting this, and all the options above seem to be in the right order:
Did you check these in your user_settings.h?
Yes, multiple times.
I'm positive you have AES 128 enabled. I would say you need to use the debugger to figure out where this is going wrong. To be clear, you have cleared the FIPS hurdle?
Yes, getting closer.
As a quick workaround, is there a way to configure strongSwan to disable these PRFs?
Let me check.
@anhu
@anhu can you please check the Visual Studio tree? I don't see dsa.c or dsa.h like in the source. I don't know if it is on purpose or not, but wolfssl-fips.vcxproj is not including src dsa.c (potentially a bug). I added this line:
Yes!! That is a bug!!
Please see #8238
Thank you.
@anhu Hello,
That is odd. What did you change? Warm regards, Anthony
It is just a clean build. From the strongSwan perspective, there was a commit to include user_settings.h. I built the FIPS library today on Windows, and when I check, there is no function available by that name in the undef
How is it that you didn't have this error before?
I think the issue is with the include of user_settings.h.
Version
5.7.4 FIPS
Description
Configure
Issue
I followed the process and compiled wolfSSL FIPS multiple times with different variations on Windows, and the library is not working correctly. When I try to start strongSwan it generates error -203.
Here is the forum thread which provides full information on what was done before:
Strongswan Start up with wolfssl dynamic library
Wolfssl crypt produce error when try generate hash
or this