1

(17 replies, posted in wolfSSL)

Thank you for all the support. I opened a GitHub issue to continue finding the correct formula.

2

(17 replies, posted in wolfSSL)

I tried rebuilding the dynamic library and am still having the issue. I followed the process and tried to compile and run the FIPS hash update.
I think it is time to open a GitHub issue; it seems like the hash update process is having an issue on Windows.


$ ldd charon-svc.exe
        ntdll.dll => /c/Windows/SYSTEM32/ntdll.dll (0x7ffb75230000)
        KERNEL32.DLL => /c/Windows/System32/KERNEL32.DLL (0x7ffb73c10000)
        KERNELBASE.dll => /c/Windows/System32/KERNELBASE.dll (0x7ffb726b0000)
        ADVAPI32.dll => /c/Windows/System32/ADVAPI32.dll (0x7ffb73890000)
        msvcrt.dll => /c/Windows/System32/msvcrt.dll (0x7ffb73e70000)
        sechost.dll => /c/Windows/System32/sechost.dll (0x7ffb73530000)
        bcrypt.dll => /c/Windows/System32/bcrypt.dll (0x7ffb72c10000)
        RPCRT4.dll => /c/Windows/System32/RPCRT4.dll (0x7ffb73720000)
        WS2_32.dll => /c/Windows/System32/WS2_32.dll (0x7ffb739b0000)
        fwpuclnt.dll => /c/Windows/SYSTEM32/fwpuclnt.dll (0x7ffb6f0e0000)
        IPHLPAPI.DLL => /c/Windows/SYSTEM32/IPHLPAPI.DLL (0x7ffb70d10000)
        libwolfssl-42.dll => /home/volg629/strongswan-5.9.14/strongswan-sec/libwolfssl-42.dll (0x7ffb148f0000)
        CRYPT32.dll => /c/Windows/System32/CRYPT32.dll (0x7ffb72540000)
        ucrtbase.dll => /c/Windows/System32/ucrtbase.dll (0x7ffb72d00000)
        WINHTTP.dll => /c/Windows/SYSTEM32/WINHTTP.dll (0x7ffb6e9c0000)
        libgcc_s_seh-1.dll => /mingw64/bin/libgcc_s_seh-1.dll (0x7ffb485b0000)
        libdl.dll => /mingw64/bin/libdl.dll (0x7ffb4b4d0000)
        libunbound-8.dll => /mingw64/bin/libunbound-8.dll (0x7ffb14050000)
        libldns-3.dll => /mingw64/bin/libldns-3.dll (0x7ffb335f0000)
        libwinpthread-1.dll => /mingw64/bin/libwinpthread-1.dll (0x7ffb43380000)
        libssl-3-x64.dll => /mingw64/bin/libssl-3-x64.dll (0x7ffb21d30000)
        libcrypto-3-x64.dll => /mingw64/bin/libcrypto-3-x64.dll (0x26be2410000)
        libcrypto-3-x64.dll => /mingw64/bin/libcrypto-3-x64.dll (0x26be28f0000)
        libcrypto-3-x64.dll => /mingw64/bin/libcrypto-3-x64.dll (0x7ffb05a80000)
        USER32.dll => /c/Windows/System32/USER32.dll (0x7ffb73a30000)
        win32u.dll => /c/Windows/System32/win32u.dll (0x7ffb72e20000)
        GDI32.dll => /c/Windows/System32/GDI32.dll (0x7ffb73be0000)
        gdi32full.dll => /c/Windows/System32/gdi32full.dll (0x7ffb72af0000)
        msvcp_win.dll => /c/Windows/System32/msvcp_win.dll (0x7ffb72ec0000)

volga629@Desktop1 MSYS ~/strongswan-5.9.14/strongswan-sec
$ ./charon-svc.exe
Starting Power On Self Test
Pre-Operational Self Test FAILURE
00[DMN] Starting IKE service charon-svc (strongSwan 5.9.14, Windows Client 10.0.22621 (SP 0.0))
00[LIB] wolfssl FIPS mode unavailable (-203)
00[LIB] plugin 'wolfssl': failed to load - wolfssl_plugin_create returned NULL
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon-svc' has unmet dependency: NONCE_GEN
00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon-svc' has unmet dependency: HASHER:HASH_SHA1
00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon-svc' has unmet dependency: HASHER:HASH_SHA1
00[CFG] failed to read the resolver config: error reading file (No such file or directory)
00[CFG] failed to create a DNS resolver instance
00[LIB] failed to load 3 critical plugin features

3

(17 replies, posted in wolfSSL)

Sorry, I needed to clarify. That message appeared after I ran make a second time.

Please confirm the build process:

autoreconf -ifv
./configure
make
./fips_hash.sh
make
make install DESTDIR=install_dir

4

(17 replies, posted in wolfSSL)

If I build the dynamic library, I get an error:

Escape buffer max too small
base64   test passed!
wolfSSL Entering base16_test
base16   test passed!
wolfSSL Entering asn_test
asn      test passed!
wolfSSL Entering random_test
in my Fips callback, ok = 0, err = -203
message = In Core Integrity check FIPS error
hash = 11FC92013108BCB799AF1141F7BE8EB3E314240A8985736469BBDC33D5A94A0C
In core integrity hash check failure, copy above hash
into verifyCore[] in fips_test.c and rebuild
RANDOM   test failed!
 error L=17866 code=-197 (FIPS mode not allowed error)
 [fiducial line numbers: 9103 28041 46740 59294]
wolfSSL Entering wolfCrypt_Cleanup
Exiting main with return code: -1

5

(17 replies, posted in wolfSSL)

Is it possibly related to --enable-static that the hash is not generated?

6

(17 replies, posted in wolfSSL)

Does this give better info?
I tried to enable --enable-debug.


$ ./wolfcrypt/test/testwolfcrypt
------------------------------------------------------------------------------
 wolfSSL version 5.7.4
------------------------------------------------------------------------------
FIPS module version in use: wolfCrypt v7.0.0
error    test passed!
wolfSSL Entering memory_test
MEMORY   test passed!
wolfSSL Entering base64_test
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too big
Bad Base64 Decode data, too small
Bad Base64 Decode data, too big
Bad Base64 Decode data, too small
Bad Base64 Decode data, too big
Bad Base64 Decode data, too small
Bad Base64 Decode data, too big
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad end of line in Base64 Decode
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode bad character
Bad Base64 Decode bad character
Bad Base64 Decode bad character
Bad Base64 Decode bad character
Bad Base64 Decode bad character
Bad Base64 Decode bad character
Bad Base64 Decode bad character
Bad Base64 Decode bad character
Bad Base64 Decode bad character
Bad Base64 Decode bad character
Bad Base64 Decode bad character
Bad Base64 Decode bad character
Bad Base64 Decode bad character
Bad Base64 Decode bad character
Bad Base64 Decode bad character
Bad Base64 Decode bad character
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Escape buffer max too small
base64   test passed!
wolfSSL Entering base16_test
base16   test passed!
wolfSSL Entering asn_test
asn      test passed!
wolfSSL Entering random_test
in my Fips callback, ok = 0, err = -197
message = FIPS mode not allowed error
hash =
RANDOM   test failed!
 error L=17866 code=-197 (FIPS mode not allowed error)
 [fiducial line numbers: 9103 28041 46740 59294]
wolfSSL Entering wolfCrypt_Cleanup
Exiting main with return code: -1

7

(17 replies, posted in wolfSSL)

I am not sure what I am doing incorrectly, but I even tried to pass -DWOLFCRYPT_FIPS_CORE_HASH_VALUE.
I tried to enable the debug log.

            --disable-examples \
            LDFLAGS="-lws2_32 -lcrypt32 -Wl,-s -Wl,--gc-sections" \
            CFLAGS="-DWOLFCRYPT_FIPS_CORE_HASH_VALUE=8D29242F610EAEA179605BB1A99974EBC72B0ECDB26B483B226A729F36FC82A2"

Current configure options; need to remove --disable-static:

 ./configure --host=x86_64-w64-mingw32 --enable-reproducible-build --enable-keygen --enable-rsapss \
            --enable-secure-renegotiation --enable-fastmath \
            --enable-ed25519 --enable-curve25519 \
            --enable-static=yes \
            --enable-shared=no \
            --enable-fips=ready \
            --enable-opensslall \
            --enable-ecc \
            --enable-ocsp \
            --enable-crl \
            --enable-psk \
            --disable-fpecc \
            --disable-aligndata \
            --disable-static \
            --disable-jni \
            --disable-crl-monitor\
            --disable-examples \
            LDFLAGS="-lws2_32 -lcrypt32 -Wl,-s -Wl,--gc-sections" \
            CFLAGS="-DWOLFCRYPT_FIPS_CORE_HASH_VALUE=8D29242F610EAEA179605BB1A99974EBC72B0ECDB26B483B226A729F36FC82A2"

8

(17 replies, posted in wolfSSL)

In testWolfCrypt I am getting an error:

$ ./wolfcrypt/test/testwolfcrypt
------------------------------------------------------------------------------
 wolfSSL version 5.7.4
------------------------------------------------------------------------------
FIPS module version in use: wolfCrypt v7.0.0
error    test passed!
MEMORY   test passed!
base64   test passed!
base16   test passed!
asn      test passed!
in my Fips callback, ok = 0, err = -197
message = FIPS mode not allowed error
hash =
RANDOM   test failed!
 error L=17866 code=-197 (FIPS mode not allowed error)
 [fiducial line numbers: 9103 28041 46740 59294]
Exiting main with return code: -1

9

(17 replies, posted in wolfSSL)

I tried disabling the shared library and rebuilt with static, and I am still having trouble running FIPS wolfssl. This time I am getting -197.

$ ./charon-svc.exe
00[DMN] Starting IKE service charon-svc (strongSwan 5.9.14, Windows Client 10.0.22621 (SP 0.0))
00[LIB] wolfssl FIPS mode unavailable (-197)
00[LIB] plugin 'wolfssl': failed to load - wolfssl_plugin_create returned NULL
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon-svc' has unmet dependency: NONCE_GEN
00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon-svc' has unmet dependency: HASHER:HASH_SHA1
00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon-svc' has unmet dependency: HASHER:HASH_SHA1
00[CFG] failed to read the resolver config: error reading file (No such file or directory)
00[CFG] failed to create a DNS resolver instance
00[LIB] failed to load 3 critical plugin features

10

(17 replies, posted in wolfSSL)

I will try to rebuild from source again, but the strongswan startup error points to the wolfssl library not fully working.
Can you please post the requirements to build wolfssl properly on Windows?

Start up error

$ ./charon-svc.exe -h
00[DMN] Starting IKE service charon-svc (strongSwan 5.9.14, Windows Client 10.0.22621 (SP 0.0))
00[LIB] wolfssl FIPS mode unavailable (-203)
00[LIB] plugin 'wolfssl': failed to load - wolfssl_plugin_create returned NULL
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon-svc' has unmet dependency: NONCE_GEN
00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon-svc' has unmet dependency: HASHER:HASH_SHA1
00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon-svc' has unmet dependency: HASHER:HASH_SHA1
00[CFG] failed to read the resolver config: error reading file (No such file or directory)
00[CFG] failed to create a DNS resolver instance
00[LIB] failed to load 3 critical plugin features

11

(17 replies, posted in wolfSSL)

I tried recompiling from clean source and the result is the same -203 error when strongswan tries to load the wolfssl library libwolfssl-42.dll.

 CC       wolfcrypt/src/src_libwolfssl_la-signature.lo
  CC       wolfcrypt/src/src_libwolfssl_la-wc_encrypt.lo
  CC       wolfcrypt/src/src_libwolfssl_la-wolfmath.lo
  CC       wolfcrypt/src/src_libwolfssl_la-memory.lo
  CC       wolfcrypt/src/src_libwolfssl_la-asn.lo
  CC       wolfcrypt/src/src_libwolfssl_la-coding.lo
  CC       wolfcrypt/src/src_libwolfssl_la-md5.lo
  CC       wolfcrypt/src/src_libwolfssl_la-pkcs12.lo
  CC       wolfcrypt/src/src_libwolfssl_la-tfm.lo
  CC       wolfcrypt/src/src_libwolfssl_la-wc_lms.lo
  CC       wolfcrypt/src/src_libwolfssl_la-wc_lms_impl.lo
  CC       wolfcrypt/src/src_libwolfssl_la-wc_xmss.lo
  CC       wolfcrypt/src/src_libwolfssl_la-wc_xmss_impl.lo
  CC       wolfcrypt/src/src_libwolfssl_la-fe_operations.lo
  CC       wolfcrypt/src/src_libwolfssl_la-ge_operations.lo
  CC       wolfcrypt/src/src_libwolfssl_la-fe_448.lo
  CC       wolfcrypt/src/src_libwolfssl_la-ge_448.lo
  CC       src/libwolfssl_la-internal.lo
  CC       src/libwolfssl_la-wolfio.lo
  CC       src/libwolfssl_la-keys.lo
  CC       src/libwolfssl_la-ssl.lo
  CC       src/libwolfssl_la-tls.lo
  CC       src/libwolfssl_la-tls13.lo
  CC       src/libwolfssl_la-ocsp.lo
  CC       src/libwolfssl_la-dtls.lo
  CC       wolfcrypt/test/test.o
  CCLD     src/libwolfssl.la
  CCLD     wolfcrypt/benchmark/benchmark.exe
  CCLD     wolfcrypt/test/testwolfcrypt.exe
make[2]: Leaving directory '/home/volga629/strongswan-5.9.14/wolfssl-5.7.4-gplv3-fips-ready'
make[1]: Leaving directory '/home/volga629/strongswan-5.9.14/wolfssl-5.7.4-gplv3-fips-ready'

volga629@Desktop1 MSYS ~/strongswan-5.9.14/wolfssl-5.7.4-gplv3-fips-ready
$ bash -x ./fips-hash.sh
+ test '!' -x ./wolfcrypt/test/testwolfcrypt
+ test '!' -s ./wolfcrypt/src/fips_test.c
++ ./wolfcrypt/test/testwolfcrypt
++ sed -n 's/hash = \(.*\)/\1/p'
+ NEWHASH=76B04B1BDFA4454AF3C54F678D29FDF1D83C51F9CC65A81E19F12B27CF839B0F
+ test -n 76B04B1BDFA4454AF3C54F678D29FDF1D83C51F9CC65A81E19F12B27CF839B0F
+ cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak
+ sed 's/^".*";/"76B04B1BDFA4454AF3C54F678D29FDF1D83C51F9CC65A81E19F12B27CF839B0F";/' wolfcrypt/src/fips_test.c.bak
 make install DESTDIR=$(pwd)/wolfssl-fips-build
make -j9  install-recursive
make[1]: Entering directory '/home/volga629/strongswan-5.9.14/wolfssl-5.7.4-gplv3-fips-ready'
make[2]: Entering directory '/home/volga629/strongswan-5.9.14/wolfssl-5.7.4-gplv3-fips-ready'
make[2]: warning: -j9 forced in submake: resetting jobserver mode.
make[3]: Entering directory '/home/volga629/strongswan-5.9.14/wolfssl-5.7.4-gplv3-fips-ready'
make[3]: warning: -j9 forced in submake: resetting jobserver mode.
/bin/sh /home/volga629/strongswan-5.9.14/wolfssl-5.7.4-gplv3-fips-ready/build-aux/install-sh -d /home/volga629/strongswan-5.9.14/wolfssl-5.7.4-gplv3-fips-ready/wolfssl-fips-build/usr/bin
/usr/bin/install -c wolfssl-config /home/volga629/strongswan-5.9.14/wolfssl-5.7.4-gplv3-fips-ready/wolfssl-fips-build/usr/bin
 /usr/bin/mkdir -p '/home/volga629/strongswan-5.9.14/wolfssl-5.7.4-gplv3-fips-ready/wolfssl-fips-build/usr/share/doc/wolfssl'
 /usr/bin/mkdir -p '/home/volga629/strongswan-5.9.14/wolfssl-5.7.4-gplv3-fips-ready/wolfssl-fips-build/usr/share/doc/wolfssl/example'
 /usr/bin/mkdir -p '/home/volga629/strongswan-5.9.14/wolfssl-5.7.4-gplv3-fips-ready/wolfssl-fips-build/usr/include'
 /usr/bin/mkdir -p '/home/volga629/strongswan-5.9.14/wolfssl-5.7.4-gplv3-fips-ready/wolfssl-fips-build/usr/lib/pkgconfig'
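
Added example, not part of the original posts and not wolfSSL's fips-hash.sh: a shell check that classifies a testwolfcrypt run before the hash update is repeated, using the same `hash = ` and `^"...";` patterns visible in the trace above. The function names, status words and the fips_test.c fragments are constructed for illustration (the file layout is assumed from the sed pattern); the log lines are the ones posted on this page.

```shell
#!/bin/sh
# Added example (not wolfSSL's fips-hash.sh): classify a testwolfcrypt run.
# The patterns mirror the sed expressions in the `bash -x ./fips-hash.sh` trace.

# Print the value of the "hash = ..." line from testwolfcrypt output on stdin.
# Prints nothing when that line is missing or empty (the -197 runs).
reported_hash() {
    tr -d '\r' | sed -n 's/^hash = *\([0-9A-Fa-f]*\) *$/\1/p' | head -n 1
}

# Print the quoted value on the line fips-hash.sh rewrites (^"...";).
embedded_hash() {
    tr -d '\r' < "$1" | sed -n 's/^"\([0-9A-Fa-f]*\)";.*$/\1/p' | head -n 1
}

# classify_run OUTPUT_FILE FIPS_TEST_C  -> prints one status word
classify_run() {
    new=$(reported_hash < "$1" | tr 'a-f' 'A-F')
    old=$(embedded_hash "$2" | tr 'a-f' 'A-F')
    if [ -z "$new" ]; then
        echo no-hash                 # nothing to copy into verifyCore[]
    elif [ "${#new}" -ne 64 ]; then
        echo malformed-hash          # hashes on this page are 64 hex characters
    elif [ "$new" = "$old" ]; then
        echo source-already-updated  # the binary that ran was not built from this source
    else
        echo source-needs-update     # copy the hash, then rebuild
    fi
}

# --- Sample inputs, written to a temporary directory so the script runs offline ---
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# Lines as posted for the -203 run; CRLF endings added to mimic a Windows console.
printf '%s\r\n' \
    'in my Fips callback, ok = 0, err = -203' \
    'message = In Core Integrity check FIPS error' \
    'hash = 11FC92013108BCB799AF1141F7BE8EB3E314240A8985736469BBDC33D5A94A0C' \
    > "$SAMPLES/run203.txt"

# Lines as posted for the -197 run: the hash line is empty.
printf '%s\n' \
    'in my Fips callback, ok = 0, err = -197' \
    'message = FIPS mode not allowed error' \
    'hash =' \
    > "$SAMPLES/run197.txt"

# Constructed fips_test.c fragments (declaration text is illustrative only).
printf '%s\n' 'static const char verifyCore[] =' \
    '"0000000000000000000000000000000000000000000000000000000000000000";' \
    > "$SAMPLES/stale.c"
printf '%s\n' 'static const char verifyCore[] =' \
    '"11FC92013108BCB799AF1141F7BE8EB3E314240A8985736469BBDC33D5A94A0C";' \
    > "$SAMPLES/updated.c"

for pair in "run203.txt:stale.c" "run203.txt:updated.c" "run197.txt:stale.c"; do
    out=${pair%%:*}
    src=${pair#*:}
    printf '%-11s vs %-10s -> %s\n' "$out" "$src" \
        "$(classify_run "$SAMPLES/$out" "$SAMPLES/$src")"
done
```

A `no-hash` result means the run printed no value to copy, so repeating the hash update cannot change anything until the cause of the empty `hash =` line is found.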

12

(17 replies, posted in wolfSSL)

Thank you for the reply. I tried the following process, but it didn't help. I will try to recompile from clean source.

./configure 
make
./fips-hash.sh
make 
make install DESTDIR=/home/directory 

13

(17 replies, posted in wolfSSL)

Hello Everyone,
How can I check if the output library DLL is built FIPS compliant?
When I try to load the wolfssl plugin in strongswan, it complains about missing FIPS support.

I used --enable-fips=ready

Plugin

$ cat strongswan.d/charon/wolfssl.conf
wolfssl {

    # Enable to prevent loading the plugin if wolfSSL is not in FIPS mode.
    fips_mode = yes

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

}

Log


 ./charon-svc.exe -h
00[DMN] Starting IKE service charon-svc (strongSwan 5.9.14, Windows Client 10.0.22621 (SP 0.0))
00[LIB] wolfssl FIPS mode unavailable (-203)
00[LIB] plugin 'wolfssl': failed to load - wolfssl_plugin_create returned NULL

14

(13 replies, posted in wolfSSL)

Thank you for confirmation

15

(13 replies, posted in wolfSSL)

For test purposes I compiled the FIPS source without Visual Studio, and that generated a library with which strongswan completes compilation with no errors.
It also generates all required header files.

Is this a good way to do it too?

Configure

 ./configure --host=x86_64-w64-mingw32 --enable-reproducible-build --enable-keygen --enable-rsapss \
            --enable-secure-renegotiation --enable-strongswan --enable-fastmath \
            --enable-ed25519 --enable-curve25519 --enable-fips=ready  --prefix=$(pwd)/wolfssl-fips-build \
            --enable-ecc \
            --disable-fpecc \
            --disable-aligndata \
            --disable-static \
            --disable-jni \
            --disable-crl-monitor\
            --disable-examples \
            LDFLAGS="-lws2_32 -lcrypt32 -Wl,-s -Wl,--gc-sections"

Library

volga629@dskt01 MSYS ~/strongswan-5.9.14/wolfssl-5.7.4-gplv3-fips-ready/wolfssl-fips-build
$ ls -alh lib/
total 2.2M
drwxr-xr-x 1 volga629 Domain Users    0 Nov 12 13:41 .
drwxr-xr-x 1 volga629 Domain Users    0 Nov 12 13:41 ..
-rw-r--r-- 1 volga629 Domain Users 2.2M Nov 12 13:41 libwolfssl.dll.a
-rw-r--r-- 1 volga629 Domain Users 1019 Nov 12 13:41 libwolfssl.la
drwxr-xr-x 1 volga629 Domain Users    0 Nov 12 13:41 pkgconfig


16

(13 replies, posted in wolfSSL)

I resolved the issue above with additional defines.

List

#define OPENSSL_ALL
#define SESSION_CERTS
#define ECC_USER_CURVES
#define HAVE_SUPPORTED_CURVES
#define HAVE_CRL
#define HAVE_OCSP
#define HAVE_EX_DATA
#define HAVE_TLS_EXTENSIONS
#define HAVE_ECC192
#define HAVE_ECC224
#define HAVE_ECC256
#define HAVE_ECC384
#define HAVE_ECC521
#define HAVE_FFDHE_4096
#define HAVE_FFDHE_6144
#define HAVE_FFDHE_8192
#define HAVE_AESGCM
#define HAVE_HASHDRBG
#define HAVE_THREAD_LS
#define HAVE_AEAD
#define HAVE_HKDF
#define WOLFSSL_DES_ECB
#define WOLFSSL_LOG_PRINTF
#define WOLFSSL_PUBLIC_MP
#define WOLFSSL_DTLS
#define WC_RSA_PSS
#define WOLFSSL_TLS13
#define WOLFSSL_SHA384
#define WOLFSSL_SHA512
#define WOLFSSL_KEY_GEN
#define WOLFSSL_SHA384
#define WOLFSSL_SHA512
#define WOLFSSL_KEY_GEN
#define WOLFSSL_CERT_GEN
#define WOLFSSL_CERT_EXT
#define WOLFSSL_CERT_REQ
#define NO_DES
#define NO_DES3
#define NO_MD5
#define NO_OLD_TLS
#define NO_PSK
#define NO_RC4
#define NO_DSA
#define NO_MD4

But strongswan is still missing some refs.

Paste build output

https://paste.centos.org/view/b93316c4

17

(13 replies, posted in wolfSSL)

I tried to compile, and the first error asked to add HAVE_TLS_EXTENSIONS.
Right now it is failing here; please check the screenshot.

https://pasteboard.co/4DcZHwHXtLf4.png




10:37:55:285    1>C:\msys64\home\volga629\strongswan-5.9.14\wolfssl-5.7.4-gplv3-fips-ready\src\internal.c(39616,1): error C1189: #error:  "No encryption algorithm available for default ticket encryption."

18

(13 replies, posted in wolfSSL)

I will need your help to identify the issue.
I added an additional Path in Visual Studio, but it did not resolve the issue.
When compiling strongswan, it quits on wolfssl:

*** Warning: linker path does not have real file for library -lwolfssl.
*** I have the capability to make that library automatically link in when
*** you link to this library.  But I can only do this if you have a
*** shared version of the library, which you do not appear to have
*** because I did check the linker path looking for a file starting
*** with libwolfssl and none of the candidates passed a file format test
*** using a file magic. Last file checked: /mingw64/lib/libldns.dll.a
*** The inter-library dependencies that have been dropped here will be
*** automatically added whenever a program is linked with this library
*** or is declared to -dlopen it.

*** Since this library must not contain undefined symbols,
*** because either the platform does not support them or
*** it was explicitly requested with -no-undefined,
*** libtool will only create a static version of it.

I specified an additional library path for strongswan too:

LDFLAGS="-L/mingw64/lib -L$(pwd)/wolfssl-5.7.4-gplv3-fips-ready/DLL-Release2/x64" 

19

(13 replies, posted in wolfSSL)

I figured out the linkage issue, but wolfssl gives undefined function errors.


https://paste.centos.org/view/2a303948

20

(13 replies, posted in wolfSSL)

I tried adding a custom PATH in Visual Studio, but the error is still present.
Also added:

LDFLAGS="-L$(pwd)/wolfssl-5.7.4-gplv3-fips-ready/DLL-Release2" \

21

(13 replies, posted in wolfSSL)

I added the following PATH. Is this correct?
For some reason I can't upload a screenshot.




http://ftpsrv01.networklab.ca/scripts/Screenshot%202024-11-11%20at%2012.58.13%E2%80%AFPM.png

22

(13 replies, posted in wolfSSL)

Sorry, I forgot to mention that it is a Windows setup.

23

(13 replies, posted in wolfSSL)

Hello Everyone,
After the library is built in Visual Studio, should I run make install from the shell, because LD is failing to locate -lwolfssl when compiling strongswan?


libtool: link: ( cd ".libs" && rm -f "libstrongswan-kernel-wfp.la" && cp -pR "../libstrongswan-kernel-wfp.la" "libstrongswan-kernel-wfp.la" )
/bin/sh ../../../../libtool  --tag=CC   --mode=link gcc  -Wno-format -Wno-format-security -Wno-implicit-fallthrough -Wno-missing-field-initializers -Wno-pointer-sign -Wno-sign-compare -Wno-type-limits -Wno-unused-parameter -g -O2 -Wall -Wno-pointer-sign -Wno-format-security -mno-ms-bitfields -include /home/volga629/strongswan-5.9.14/config.h   -o ipsecdump.exe ipsecdump.o libstrongswan-kernel-wfp.la ../../../../src/libstrongswan/libstrongswan.la
libtool: link: gcc -Wno-format -Wno-format-security -Wno-implicit-fallthrough -Wno-missing-field-initializers -Wno-pointer-sign -Wno-sign-compare -Wno-type-limits -Wno-unused-parameter -g -O2 -Wall -Wno-pointer-sign -Wno-format-security -mno-ms-bitfields -include /home/volga629/strongswan-5.9.14/config.h -o .libs/ipsecdump.exe ipsecdump.o  ./.libs/libstrongswan-kernel-wfp.a -lfwpuclnt ../../../../src/libstrongswan/.libs/libstrongswan.a -L/home/volga629/strongswan-5.9.14/wolfssl-5.7.4-gplv3-fips-ready/DLL-Release -ldl -lws2_32 -lpsapi -lwinhttp -lunbound -lldns -lwolfssl
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.2.0/../../../../x86_64-w64-mingw32/bin/ld.exe: cannot find -lwolfssl: No such file or directory
collect2.exe: error: ld returned 1 exit status

24

(2 replies, posted in wolfSSL)

Thank you, that resolves the issue

25

(2 replies, posted in wolfSSL)

Hello Everyone,
I am trying to compile strongswan with wolfssl and the process is failing on PARSE_ERROR.

Environment: Windows; wolfssl FIPS is compiled with Visual Studio.
Strongswan: I tried multiple versions (5.9.14, 5.9.12, 6.0.0beta6); they all produce the same error.


In file included from C:/msys64/home/volga629/strongswan-6.0.0beta6/wolfssl-5.7.4-gplv3-fips-ready/wolfssl/ssl.h:35,
                 from wolfssl_plugin.c:48:
C:/msys64/home/volga629/strongswan-6.0.0beta6/wolfssl-5.7.4-gplv3-fips-ready/wolfssl/error-ssl.h:56:5: error: redeclaration of enumerator 'PARSE_ERROR'
   56 |     PARSE_ERROR                  = -306,   /* parse error on header    */
      |     ^~~~~~~~~~~
In file included from ../../../../src/libstrongswan/utils/utils.h:59,
                 from ../../../../src/libstrongswan/library.h:102,
                 from wolfssl_common.h:28,
                 from wolfssl_plugin.c:24:
../../../../src/libstrongswan/utils/utils/status.h:47:9: note: previous definition of 'PARSE_ERROR' with type 'enum status_t'