From: Tim Weller
Date: Tue, 4 Oct 2022 16:44:09 +0000 (-0500)
Subject: wolfssl: Updates to resolve build conflicts
X-Git-Tag: 5.9.9rc1~41
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=af71f14ba38397491226b46c43f21f0f418ec5d5;p=thirdparty%2Fstrongswan.git
wolfssl: Updates to resolve build conflicts
The wolfSSL's OpenSSL compatibility layer is not used by the plugin at all and preventing its inclusion avoids conflicts with ASN1_ constants. The inclusion of wolfssl/ssl.h is moved to the only file that requires it as older wolfSSL versions defined a conflicting ASN1_GENERALIZEDTIME. Other changes address issues with the FIPS use case. Closes strongswan/strongswan#1332
---
diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_common.h b/src/libstrongswan/plugins/wolfssl/wolfssl_common.h
index cdefff4c65..9c944e7119 100644
--- a/src/libstrongswan/plugins/wolfssl/wolfssl_common.h
+++ b/src/libstrongswan/plugins/wolfssl/wolfssl_common.h
@@ -47,20 +47,18 @@ /* PARSE_ERROR is an enum entry in wolfSSL - not used in this plugin */ #define PARSE_ERROR WOLFSSL_PARSE_ERROR -/* Remap unused enums from the OpenSSL compatibility layer to avoid conflicts */ -#define ASN1_BOOLEAN REMAP_ASN1_BOOLEAN -#define ASN1_OID REMAP_ASN1_OID -#define ASN1_INTEGER REMAP_ASN1_INTEGER -#define ASN1_BIT_STRING REMAP_ASN1_BIT_STRING -#define ASN1_IA5STRING REMAP_ASN1_IA5STRING -#define ASN1_OCTET_STRING REMAP_ASN1_OCTET_STRING -#define ASN1_UTCTIME REMAP_ASN1_UTCTIME -#define ASN1_GENERALIZEDTIME REMAP_ASN1_GENERALIZEDTIME - #ifndef WOLFSSL_USER_SETTINGS #include #endif -#include + +/* Disable inclusion of the wolfSSL OpenSSL compatibility layer header (if + * configured) as it is not used by the plugin and causes conflicts */ +#define WOLFSSL_OPENSSL_H_ + +#if defined(HAVE_FIPS) && \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)) + #include +#endif /* Special type used to handle EdDSA keys depending on config options */ #if defined(HAVE_ED25519) || defined(HAVE_ED448) @@ -82,15 +80,6 @@ typedef union { #undef PARSE_ERROR -#undef ASN1_BOOLEAN -#undef ASN1_OID -#undef ASN1_INTEGER -#undef ASN1_BIT_STRING -#undef ASN1_IA5STRING -#undef ASN1_OCTET_STRING -#undef ASN1_UTCTIME -#undef ASN1_GENERALIZEDTIME - /* Eliminate macro conflicts */ #undef RNG diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/wolfssl/wolfssl_ec_diffie_hellman.c index 4ee286f712..6d7ed570dd 100644 --- a/src/libstrongswan/plugins/wolfssl/wolfssl_ec_diffie_hellman.c +++ b/src/libstrongswan/plugins/wolfssl/wolfssl_ec_diffie_hellman.c @@ -31,6 +31,12 @@ #include +#if defined(ECC_TIMING_RESISTANT) && \ + (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 5))) + #define USE_RNG_FOR_TIMING_RESISTANCE +#endif + typedef struct private_wolfssl_ec_diffie_hellman_t private_wolfssl_ec_diffie_hellman_t; /** 
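Review bot: The new `#define WOLFSSL_OPENSSL_H_` in wolfssl_common.h depends on what appears to be the include guard of wolfSSL's own compatibility header, a name the plugin does not control, so an upstream rename would bring the ASN1_ conflicts back. The added comment should say that this is wolfSSL's guard macro and that it has to be defined before any wolfSSL header that could pull the compatibility layer in, for example `/* WOLFSSL_OPENSSL_H_ is the include guard of wolfSSL's OpenSSL compat header; keep this define ahead of every other wolfSSL include */`. The FIPS-only include below it is skipped when `HAVE_FIPS` is set but `HAVE_FIPS_VERSION` is undefined; a one-line comment naming the module versions this is meant to cover would make that intent checkable.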
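Review bot: The new `USE_RNG_FOR_TIMING_RESISTANCE` condition in wolfssl_ec_diffie_hellman.c carries no comment, although it decides whether the ECDH computation gets an RNG attached at all. As written, a build with `ECC_TIMING_RESISTANT` and `HAVE_FIPS` but `HAVE_FIPS_VERSION` below 5 (or undefined) skips the `wc_ecc_set_rng()` call in compute_shared_key(). Whether the module still applies its timing countermeasures in that configuration cannot be seen from this diff. I would put a comment above the `#if` stating why older FIPS builds are excluded and what provides the side-channel protection there, e.g. `/* only attach an RNG for non-FIPS builds and FIPS >= 5; older FIPS modules: <reason> */` with the actual reason filled in.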
@@ -203,13 +209,14 @@ METHOD(key_exchange_t, set_private_key, bool, static bool compute_shared_key(private_wolfssl_ec_diffie_hellman_t *this) { word32 len; -#ifdef ECC_TIMING_RESISTANT +#ifdef USE_RNG_FOR_TIMING_RESISTANCE WC_RNG rng; if (wc_InitRng(&rng) != 0) { return FALSE; } + if (wc_ecc_set_rng(&this->key, &rng) != 0) { wc_FreeRng(&rng); @@ -225,13 +232,13 @@ static bool compute_shared_key(private_wolfssl_ec_diffie_hellman_t *this) { DBG1(DBG_LIB, "ECDH shared secret computation failed"); chunk_clear(&this->shared_secret); -#ifdef ECC_TIMING_RESISTANT +#ifdef USE_RNG_FOR_TIMING_RESISTANCE wc_FreeRng(&rng); #endif return FALSE; } this->shared_secret.len = len; -#ifdef ECC_TIMING_RESISTANT +#ifdef USE_RNG_FOR_TIMING_RESISTANCE wc_FreeRng(&rng); #endif return TRUE; diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c b/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c index b53bd8b09b..d4b4989b09 100644 --- a/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c +++ b/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c @@ -21,10 +21,11 @@ * THE SOFTWARE. */ +#include "wolfssl_common.h" + #include #include -#include "wolfssl_common.h" #include "wolfssl_plugin.h" #include "wolfssl_aead.h" #include "wolfssl_crypter.h" @@ -44,6 +45,8 @@ #include "wolfssl_x_diffie_hellman.h" #include "wolfssl_xof.h" +#include + #ifndef FIPS_MODE #define FIPS_MODE 0 #endif
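Review bot: `rng` is a stack variable, yet `wc_ecc_set_rng(&this->key, &rng)` hands its address to the longer-lived `this->key`, and nothing visible detaches it before `wc_FreeRng(&rng)` and the return. If wolfSSL keeps that pointer inside the key (it looks that way from the call, but confirm against the library), the key refers to a freed, out-of-scope RNG once compute_shared_key() returns, and any later operation on the key that consults it would read dead stack memory. Consider detaching it before each free with `wc_ecc_set_rng(&this->key, NULL);` if the API accepts that, or keeping a single `WC_RNG` in the private struct for the lifetime of the key. The same applies to the two `wc_FreeRng(&rng)` sites in the next hunk; the function body continues outside this hunk.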
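Review bot: The `#ifdef USE_RNG_FOR_TIMING_RESISTANCE` / `wc_FreeRng(&rng)` pair is repeated on every exit of compute_shared_key(), twice in this second hunk and once more in the `wc_ecc_set_rng()` failure branch of the previous one, so every future early return has to remember it or leak the RNG state. A single exit would be easier to keep correct: record the outcome in a local such as `bool success = FALSE;`, fall through to one guarded `wc_FreeRng(&rng);`, then `return success;`. The part of the function between the two hunks is not visible here, so this is a suggestion about shape only.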
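Review bot: Moving `#include "wolfssl_common.h"` to the top of wolfssl_plugin.c makes the include order load-bearing, but nothing in the file says so. That header now defines `WOLFSSL_OPENSSL_H_` and brackets its wolfSSL includes with the `PARSE_ERROR` remap, while the include added in the last hunk of this file (its target is not legible on this page; wolfssl/ssl.h according to the description) sits after all plugin headers and outside that bracket. A comment at both places would keep a later include sort from reintroducing the conflicts, e.g. `/* must stay first: sets up wolfSSL guards and remaps before any other header */` and `/* only needed in this file; relies on the setup done in wolfssl_common.h */`.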