[strongSwan-dev] strongswan's openssl plugin issues

[Avesh Agarwal]

Hi,

While I was looking into strongswan's openssl plugin implementation, I
noticed a couple inconsistencies as follows:

1. Call to ENGINE_load_builtin_engine seems redundant as this function is
called by OPENSSL_config which is invoked earlier in the openssl plugin.

2. As per openssl's fips policy
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1758.pdf ,
calls to ENGINE_register_* are prohibited in fips mode. But strongswan's
openssl plugin calls ENGINE_register_* irrespective of fips mode set.

I have created the following patch to address these issues:

diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c
b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index e48efe3..a56e128 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -567,8 +567,10 @@ plugin_t *openssl_plugin_create()

 #ifndef OPENSSL_NO_ENGINE
        /* activate support for hardware accelerators */
-       ENGINE_load_builtin_engines();
-       ENGINE_register_all_complete();
+       if (!fips_mode)
+       {
+               ENGINE_register_all_complete();
+       }
 #endif /* OPENSSL_NO_ENGINE */

        if (!seed_rng())


Thanks
Avesh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20141023/75f93e53/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: strongswan-openssl.patch
Type: text/x-patch
Size: 577 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20141023/75f93e53/attachment.bin>