[strongSwan-dev] strongswan's openssl plugin issues
Avesh Agarwal
avesh.ncsu at gmail.com
Thu Oct 23 22:29:03 CEST 2014
Hi,
While I was looking into strongswan's openssl plugin implementation, I
noticed a couple inconsistencies as follows:
1. Call to ENGINE_load_builtin_engine seems redundant as this function is
called by OPENSSL_config which is invoked earlier in the openssl plugin.
2. As per openssl's fips policy
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1758.pdf ,
calls to ENGINE_register_* are prohibited in fips mode. But strongswan's
openssl plugin calls ENGINE_register_* irrespective of fips mode set.
I have created the following patch to address these issues:
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c
b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index e48efe3..a56e128 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -567,8 +567,10 @@ plugin_t *openssl_plugin_create()
#ifndef OPENSSL_NO_ENGINE
/* activate support for hardware accelerators */
- ENGINE_load_builtin_engines();
- ENGINE_register_all_complete();
+ if (!fips_mode)
+ {
+ ENGINE_register_all_complete();
+ }
#endif /* OPENSSL_NO_ENGINE */
if (!seed_rng())
Thanks
Avesh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20141023/75f93e53/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: strongswan-openssl.patch
Type: text/x-patch
Size: 577 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20141023/75f93e53/attachment.bin>
More information about the Dev
mailing list