1 (edited by volga629 2024-11-15 11:11:37)

Topic: Strongswan WolfSSL FIPS Windows MSYS

Hello Everyone,
How can I check if the output library DLL is built FIPS compliant?
When I try to load the wolfssl plugin in strongswan, it complains about missing FIPS support.

I used --enable-fips=ready

Plugin

$ cat strongswan.d/charon/wolfssl.conf
wolfssl {

    # Enable to prevent loading the plugin if wolfSSL is not in FIPS mode.
    fips_mode = yes

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

}

Log

./charon-svc.exe -h
00[DMN] Starting IKE service charon-svc (strongSwan 5.9.14, Windows Client 10.0.22621 (SP 0.0))
00[LIB] wolfssl FIPS mode unavailable (-203)
00[LIB] plugin 'wolfssl': failed to load - wolfssl_plugin_create returned NULL


Re: Strongswan WolfSSL FIPS Windows MSYS

Hello volga629,

-203 IN_CORE_FIPS_E means our FIPS hash check failed. When building wolfSSL FIPS you must update the FIPS hash after any build option/environment change. You can either run the script fips-hash.sh in the root of the wolfSSL directory or run the wolfCrypt test and copy the hash it outputs to fips_test.c. Then rebuild and retry using wolfSSL with strongswan.

Thanks,
Kareem
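
Added example, not part of the post above and not wolfSSL project code: a shell check that tells whether fips_test.c already carries the hash that a failing wolfCrypt test run reported, or still holds a stale one. The "hash = " log line and the "verifyCore[]" declaration are assumptions about files the thread does not show, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not wolfSSL project code. Assumed formats (not shown in the thread):
#   - the wolfCrypt test log reports the computed hash as "hash = <64 hex digits>"
#   - fips_test.c holds the expected hash as a quoted string after "verifyCore[]"

HEX64='[0-9A-Fa-f]\{64\}'

# Print the in-core hash reported in a saved wolfCrypt test log (empty if none).
reported_hash() {
    sed -n "s/^.*hash = \($HEX64\).*\$/\1/p" "$1" | head -n 1 | tr 'a-f' 'A-F'
}

# Print the hash currently written in fips_test.c (empty if not found).
embedded_hash() {
    sed -n "/verifyCore\[\]/,/;/ s/^.*\"\($HEX64\)\".*\$/\1/p" "$1" |
        head -n 1 | tr 'a-f' 'A-F'
}

# Usage: fips_hash_state TEST_LOG FIPS_TEST_C
# Return codes:
#   0  log reports no hash (this run shows no in-core failure)
#   1  source hash differs from the reported one: update fips_test.c, rebuild
#   2  source already has the reported hash: the tested binary predates it
#   3  no hash found in fips_test.c
fips_hash_state() {
    want=$(reported_hash "$1")
    have=$(embedded_hash "$2")
    [ -n "$have" ] || { echo "no verifyCore hash found in $2" >&2; return 3; }
    [ -n "$want" ] || { echo "log reports no in-core hash"; return 0; }
    if [ "$want" = "$have" ]; then
        echo "source is updated ($have); rebuild and reinstall the library"
        return 2
    fi
    echo "stale: source has $have, build reports $want"
    return 1
}

# Run directly when given both file arguments.
if [ "$#" -eq 2 ]; then
    fips_hash_state "$@"
fi
```

Save the wolfCrypt test output to a file first, then pass that file and the path to fips_test.c as the two arguments.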


Re: Strongswan WolfSSL FIPS Windows MSYS

Thank you for the reply. I tried the following process, but it didn't help. I will try to recompile from clean source.

./configure 
make
./fips-hash.sh
make 
make install DESTDIR=/home/directory 
