search

wolfSSL / wolfssl

The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!
https://www.wolfssl.com
GNU General Public License v2.0
2.36k stars 835 forks source link

Wolfssl FIPS (library) hash update issue #8203

Open volga629-1 opened 4 hours ago

volga629-1 commented 4 hours ago

Version

5.7.4 FIPS

Description

Configure 

 ./configure --host=x86_64-w64-mingw32 --enable-reproducible-build --enable-keygen --enable-rsapss \
            --enable-secure-renegotiation --enable-fastmath \
            --enable-ed25519 --enable-curve25519 \
            --enable-debug \
            --enable-fips=ready \
            --enable-opensslall \
            --enable-ecc \
            --enable-ocsp \
            --enable-crl \
            --enable-psk \
            --disable-fpecc \
            --disable-aligndata \
            --disable-jni \
            --disable-crl-monitor\
            --disable-examples \
            LDFLAGS="-lws2_32 -lcrypt32 -Wl,-s -Wl,--gc-sections"

Issue

I follow the process and compiled wolfssl fips multiply times with different variations on windows and library not working correctly . When I tried to start strongswan it generate error -203

Here forum thread which provide full information what was done before 

https://www.wolfssl.com/forums/post8085.html#p8085

Strongswan Start up with wolfssl dynamic library 

$ ldd charon-svc.exe
        ntdll.dll => /c/Windows/SYSTEM32/ntdll.dll (0x7ffb75230000)
        KERNEL32.DLL => /c/Windows/System32/KERNEL32.DLL (0x7ffb73c10000)
        KERNELBASE.dll => /c/Windows/System32/KERNELBASE.dll (0x7ffb726b0000)
        ADVAPI32.dll => /c/Windows/System32/ADVAPI32.dll (0x7ffb73890000)
        msvcrt.dll => /c/Windows/System32/msvcrt.dll (0x7ffb73e70000)
        sechost.dll => /c/Windows/System32/sechost.dll (0x7ffb73530000)
        bcrypt.dll => /c/Windows/System32/bcrypt.dll (0x7ffb72c10000)
        RPCRT4.dll => /c/Windows/System32/RPCRT4.dll (0x7ffb73720000)
        WS2_32.dll => /c/Windows/System32/WS2_32.dll (0x7ffb739b0000)
        fwpuclnt.dll => /c/Windows/SYSTEM32/fwpuclnt.dll (0x7ffb6f0e0000)
        IPHLPAPI.DLL => /c/Windows/SYSTEM32/IPHLPAPI.DLL (0x7ffb70d10000)
        libwolfssl-42.dll => /home/volga629/strongswan-5.9.14/strongswan-sec/libwolfssl-42.dll (0x7ffb148f0000)
        CRYPT32.dll => /c/Windows/System32/CRYPT32.dll (0x7ffb72540000)
        ucrtbase.dll => /c/Windows/System32/ucrtbase.dll (0x7ffb72d00000)
        WINHTTP.dll => /c/Windows/SYSTEM32/WINHTTP.dll (0x7ffb6e9c0000)
        libgcc_s_seh-1.dll => /mingw64/bin/libgcc_s_seh-1.dll (0x7ffb485b0000)
        libdl.dll => /mingw64/bin/libdl.dll (0x7ffb4b4d0000)
        libunbound-8.dll => /mingw64/bin/libunbound-8.dll (0x7ffb14050000)
        libldns-3.dll => /mingw64/bin/libldns-3.dll (0x7ffb335f0000)
        libwinpthread-1.dll => /mingw64/bin/libwinpthread-1.dll (0x7ffb43380000)
        libssl-3-x64.dll => /mingw64/bin/libssl-3-x64.dll (0x7ffb21d30000)
        libcrypto-3-x64.dll => /mingw64/bin/libcrypto-3-x64.dll (0x26be2410000)
        libcrypto-3-x64.dll => /mingw64/bin/libcrypto-3-x64.dll (0x26be28f0000)
        libcrypto-3-x64.dll => /mingw64/bin/libcrypto-3-x64.dll (0x7ffb05a80000)
        USER32.dll => /c/Windows/System32/USER32.dll (0x7ffb73a30000)
        win32u.dll => /c/Windows/System32/win32u.dll (0x7ffb72e20000)
        GDI32.dll => /c/Windows/System32/GDI32.dll (0x7ffb73be0000)
        gdi32full.dll => /c/Windows/System32/gdi32full.dll (0x7ffb72af0000)
        msvcp_win.dll => /c/Windows/System32/msvcp_win.dll (0x7ffb72ec0000)

volg629@Desktop1 MSYS ~/strongswan-5.9.14/strongswan-sec
$ ./charon-svc.exe
Starting Power On Self Test
Pre-Operational Self Test FAILURE
00[DMN] Starting IKE service charon-svc (strongSwan 5.9.14, Windows Client 10.0.22621 (SP 0.0))
00[LIB] wolfssl FIPS mode unavailable (-203)
00[LIB] plugin 'wolfssl': failed to load - wolfssl_plugin_create returned NULL
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon-svc' has unmet dependency: NONCE_GEN
00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon-svc' has unmet dependency: HASHER:HASH_SHA1
00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon-svc' has unmet dependency: HASHER:HASH_SHA1
00[CFG] failed to read the resolver config: error reading file (No such file or directory)
00[CFG] failed to create a DNS resolver instance
00[LIB] failed to load 3 critical plugin features

Wolfssl crypt produce error when try generate hash 

$ ./wolfcrypt/test/testwolfcrypt
------------------------------------------------------------------------------
 wolfSSL version 5.7.4
------------------------------------------------------------------------------
FIPS module version in use: wolfCrypt v7.0.0
error    test passed!
wolfSSL Entering memory_test
MEMORY   test passed!
wolfSSL Entering base64_test
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too big
Bad Base64 Decode data, too small
Bad Base64 Decode data, too big
Bad Base64 Decode data, too small
Bad Base64 Decode data, too big
Bad Base64 Decode data, too small
Bad Base64 Decode data, too big
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad Base64 Decode data, too small
Bad end of line in Base64 Decode
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Bad Base64 Decode data, too big
Escape buffer max too small
base64   test passed!
wolfSSL Entering base16_test
base16   test passed!
wolfSSL Entering asn_test
asn      test passed!
wolfSSL Entering random_test
in my Fips callback, ok = 0, err = -197
message = FIPS mode not allowed error
hash =
RANDOM   test failed!
 error L=17866 code=-197 (FIPS mode not allowed error)
 [fiducial line numbers: 9103 28041 46740 59294]
wolfSSL Entering wolfCrypt_Cleanup
Exiting main with return code: -1

or this 

Escape buffer max too small
base64   test passed!
wolfSSL Entering base16_test
base16   test passed!
wolfSSL Entering asn_test
asn      test passed!
wolfSSL Entering random_test
in my Fips callback, ok = 0, err = -203
message = In Core Integrity check FIPS error
hash = 11FC92013108BCB799AF1141F7BE8EB3E314240A8985736469BBDC33D5A94A0C
In core integrity hash check failure, copy above hash
into verifyCore[] in fips_test.c and rebuild
RANDOM   test failed!
 error L=17866 code=-197 (FIPS mode not allowed error)
 [fiducial line numbers: 9103 28041 46740 59294]
wolfSSL Entering wolfCrypt_Cleanup
Exiting main with return code: -1
anhu commented 3 hours ago

Hi @volga629-1 ,

This is the procedure: 

unzip wolfssl-5.7.2-gplv3-fips-ready.zip
cd wolfssl-5.7.2-gplv3-fips-ready
./configure --enable-fips=ready
make
./fips_hash.sh
make
make check

You should probably try it on Linux as a sanity check. Then once you have it working with strongswan on linux, move to windows.

Here at wolfSSL we love knowing how people are using our software source code. Can you let us know a bit about yourself and this project? For example:

Please do let us know.

Warm regards, Anthony