[strongSwan] strongSwan + the wolfCrypt FIPS 140-2 Crypto module (2)

kaleb himes kaleb at wolfssl.com
Thu Feb 25 19:42:14 CET 2021


Hello strongSwan community,

As some may be aware, wolfSSL added support for strongSwan in April of 2019. The upstream commit can be reviewed here: https://github.com/strongswan/strongswan/pull/133 <https://github.com/strongswan/strongswan/pull/133>
 
Users can test the latest development master of wolfSSL with the latest version of strongSwan using the following setup:
 
## wolfSSL

$ git clone https://github.com/wolfSSL/wolfssl.git <https://github.com/wolfSSL/wolfssl.git>
 
$ cd wolfssl

$ ./autogen.sh

$ ./configure --enable-opensslall --enable-keygen --enable-rsapss --enable-des3 --enable-dtls --enable-certgen --enable-certreq --enable-certext --enable-sessioncerts --enable-crl --enable-ocsp CFLAGS="-DWOLFSSL_DES_ECB -DWOLFSSL_LOG_PRINTF -DWOLFSSL_PUBLIC_MP -DHAVE_EX_DATA"

$ make

$ make check

$ sudo make install
## Strongswan
 
# if the following packages are not already installed:
$ sudo apt-get install flex bison byacc libsoup2.4-dev gperf
 



$ git clone https://github.com/strongswan/strongswan.git <https://github.com/strongswan/strongswan.git>
$ cd strongswan

$ ./autogen.sh
 
#if packages are missing autogen.sh must be re-run

$ ./configure --disable-defaults --enable-pki --enable-wolfssl --enable-pem

$ make

$ make check

$ sudo make install
 
wolfSSL has had interest in enabling FIPS support with strongSwan so our engineers verified everything is working with the wolfCrypt FIPS 140-2 validated Module!
 
The steps used for testing are as follows:

Using the wolfSSL commercial FIPS release v4.7.0 which internally has the wolfCrypt v4.0.0 FIPS 140-2 validated Crypto Module, and was located in the /home/user-name/Downloads directory on the target test system, Linux 4.15 Ubuntu 18.04 LTSrunning on Intel(R) Xeon(R) CPU E3-1270 v6 @ 3.80GHz.
 
a.     wolfSSL was configured and installed with these settings:
                                      i.     ./configure --enable-opensslall --enable-keygen --enable-rsapss --enable-des3 --enable-dtls --enable-certgen --enable-certreq --enable-certext --enable-sessioncerts --enable-crl --enable-ocsp CFLAGS="-DWOLFSSL_DES_ECB -DWOLFSSL_LOG_PRINTF -DWOLFSSL_PUBLIC_MP -DHAVE_EX_DATA -DFP_MAX_BITS=8192" --enable-ed25519 --enable-curve25519 --enable-fips=v2 --enable-intelasm --prefix=$(pwd)/../fips-install-dir
                                    ii.     make
                                   iii.     make install
b.     A custom install location was used which equated to /home/user-name/Downloads/fips-install-dir so the configuration for strongSwan accounted for this.
c.     strongSwan was cloned to /home/user-name/Downloads with “git clone https://github.com/strongswan/strongswan.git <https://github.com/strongswan/strongswan.git>”
d.     StongSwan was configure and installed with these settings:
                                      i.     ./configure --disable-defaults --enable-pki --enable-wolfssl --enable-pem --prefix=$(pwd)/../strongswan-install-dir wolfssl_CFLAGS="-I$(pwd)/../fips-install-dir/include" wolfssl_LIBS="-L$(pwd)/../fips-install-dir/lib -lwolfssl"
                                    ii.     make
                                   iii.     make install
                                   iv.     make check
e.     In the make check stage of the test, it was observed that 1 test was failing.
        i.     Passed 34 of 35 'libstrongswan' suites
FAIL: libstrongswan_tests
==================
1 of 1 test failed
==================
f.      Reviewing the logs t was apparent one of the RSA tests was failing.
g.     Upon further debugging it turned out the failure was a test in strongSwan that was attempting to create an RSA key size of 1536-bits.
                            i.     Running case 'generate':
DEBUG: key_sizes[_i] set to 1024
+ PASS
DEBUG: key_sizes[_i] set to 1536
- FAIL
DEBUG: key_sizes[_i] set to 2048
+ PASS
DEBUG: key_sizes[_i] set to 3072
+ PASS
DEBUG: key_sizes[_i] set to 4096
+ PASS
h.     wolfSSL has a function RsaSizeCheck() which in FIPS mode will specifically reject any non FIPS RSA key sizes so this failure is not only expected, it is a good thing for those wanting to use strongSwan in FIPS mode and ensure only FIPS validated RSA key sizes will be supported!
 
wolfSSL is pleased to let the strongSwan community know that with the latest release of wolfSSL v4.7.0 and the wolfCrypt FIPS 140-2 module validated on FIPS certificate 3389 <https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3389>, strongSwan support is working splendidly and wolfSSL engineers will be making efforts to ensure continued support into the future!
 
If you have any questions about wolfSSL, wolfCrypt FIPS, or strongSwan and wolfSSL together please contact our support staff anytime at “support [at] wolfssl [dot] com” or via our Zendesk portal by registering and opening a support incident at “wolfssl [dot] Zendesk [dot] com” anytime.

Warmest Regards,

Kaleb Himes
Software Engineer
www.wolfssl.com

If you appreciate your experience with wolfSSL
please leave us a star at https://github.com/wolfSSL/wolfssl!

TLS1.3 IS AVAILABLE in wolfSSL!



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20210225/af3f4090/attachment-0001.html>


More information about the Users mailing list