Hi,

While I was looking into strongSwan's openssl plugin implementation, I
noticed a couple of inconsistencies, as follows:

1. The call to ENGINE_load_builtin_engines seems redundant, as this function is
called by OPENSSL_config, which is invoked earlier in the openssl plugin.

2. As per OpenSSL's FIPS policy
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1758.pdf ,
calls to ENGINE_register_* are prohibited in FIPS mode. But strongSwan's
openssl plugin calls ENGINE_register_* irrespective of whether FIPS mode is set.

I have created the following patch to address these issues:

diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c
b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index e48efe3..a56e128 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -567,8 +567,10 @@ plugin_t *openssl_plugin_create()

 #ifndef OPENSSL_NO_ENGINE
        /* activate support for hardware accelerators */
-       ENGINE_load_builtin_engines();
-       ENGINE_register_all_complete();
+       if (!fips_mode)
+       {
+               ENGINE_register_all_complete();
+       }
 #endif /* OPENSSL_NO_ENGINE */

        if (!seed_rng())
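
Review bot: Removing `ENGINE_load_builtin_engines();` in the `#ifndef OPENSSL_NO_ENGINE` block makes the remaining `ENGINE_register_all_complete();` depend on an earlier call having already loaded the engines, and that call is not visible in this hunk. Please confirm that the OPENSSL_config call mentioned in the description is reached unconditionally before this point in openssl_plugin_create(), and add a short comment here naming that dependency so a later refactor does not leave registration running against an empty engine list. Since the redundancy cleanup and the FIPS guard are separate concerns, they would also be easier to bisect as two commits.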


Thanks
Avesh
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index e48efe3..a56e128 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -567,8 +567,10 @@ plugin_t *openssl_plugin_create()
 
 #ifndef OPENSSL_NO_ENGINE
 	/* activate support for hardware accelerators */
-	ENGINE_load_builtin_engines();
-	ENGINE_register_all_complete();
+	if (!fips_mode)
+	{
+		ENGINE_register_all_complete();
+	}
 #endif /* OPENSSL_NO_ENGINE */
 
 	if (!seed_rng())
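
Review bot: The comment `/* activate support for hardware accelerators */` above the new `if (!fips_mode)` no longer describes the block, because engine registration is now skipped silently when FIPS mode is on. Suggest extending the comment to say that ENGINE_register_* calls are not permitted in FIPS mode, and logging a debug message in the skipped case so an operator who expects hardware acceleration can see why no engine was registered. `fips_mode` is declared outside the visible lines, so please also check that it holds its final value before this block runs.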