Update wolfSSL plugin for strongSwan to resolve build conflicts

strongswan · Nov 3, 2022 · ad7ec62 · ad7ec62
1 parent d42f436
commit ad7ec62
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 22 deletions.
diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_common.h b/src/libstrongswan/plugins/wolfssl/wolfssl_common.h
@@ -47,20 +47,24 @@
 /* PARSE_ERROR is an enum entry in wolfSSL - not used in this plugin */
 #define PARSE_ERROR	WOLFSSL_PARSE_ERROR
 
-/* Remap unused enums from the OpenSSL compatibility layer to avoid conflicts */
-#define ASN1_BOOLEAN         REMAP_ASN1_BOOLEAN
-#define ASN1_OID             REMAP_ASN1_OID
-#define ASN1_INTEGER         REMAP_ASN1_INTEGER
-#define ASN1_BIT_STRING      REMAP_ASN1_BIT_STRING
-#define ASN1_IA5STRING       REMAP_ASN1_IA5STRING
-#define ASN1_OCTET_STRING    REMAP_ASN1_OCTET_STRING
-#define ASN1_UTCTIME         REMAP_ASN1_UTCTIME
-#define ASN1_GENERALIZEDTIME REMAP_ASN1_GENERALIZEDTIME
-
 #ifndef WOLFSSL_USER_SETTINGS
 	#include <wolfssl/options.h>
 #endif
+
+/* Disable inclusion of the wolfSSL OpenSSL compatibility layer header (if
+ * configured) as it is not used by the plugin and causes conflicts */
+#define WOLFSSL_OPENSSL_H_
+
+/* Conditionally include wolfssl/ssl.h to avoid conflicts between the wolfSSL
+ * and strongSwan ASN1 values in older wolfSSL versions */
+#ifdef WOLFSSL_COMMON_INC_SSL_H
 #include <wolfssl/ssl.h>
+#endif
+
+#if  defined(HAVE_FIPS) && \
+    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
+    #include <wolfssl/wolfcrypt/fips_test.h>
+#endif
 
 /* Special type used to handle EdDSA keys depending on config options */
 #if defined(HAVE_ED25519) || defined(HAVE_ED448)
@@ -82,15 +86,6 @@ typedef union {
 
 #undef PARSE_ERROR
 
-#undef ASN1_BOOLEAN
-#undef ASN1_OID
-#undef ASN1_INTEGER
-#undef ASN1_BIT_STRING
-#undef ASN1_IA5STRING
-#undef ASN1_OCTET_STRING
-#undef ASN1_UTCTIME
-#undef ASN1_GENERALIZEDTIME
-
 /* Eliminate macro conflicts */
 #undef RNG
 

diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/wolfssl/wolfssl_ec_diffie_hellman.c
@@ -31,6 +31,12 @@
 
 #include <utils/debug.h>
 
+#if defined(ECC_TIMING_RESISTANT) && \
+    (!defined(HAVE_FIPS) || \
+     (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 5)))
+    #define USE_RNG_FOR_TIMING_RESISTANCE
+#endif
+
 typedef struct private_wolfssl_ec_diffie_hellman_t private_wolfssl_ec_diffie_hellman_t;
 
 /**
@@ -203,13 +209,14 @@ METHOD(key_exchange_t, set_private_key, bool,
 static bool compute_shared_key(private_wolfssl_ec_diffie_hellman_t *this)
 {
 	word32 len;
-#ifdef ECC_TIMING_RESISTANT
+#ifdef USE_RNG_FOR_TIMING_RESISTANCE
 	WC_RNG rng;
 
 	if (wc_InitRng(&rng) != 0)
 	{
 		return FALSE;
 	}
+
 	if (wc_ecc_set_rng(&this->key, &rng) != 0)
 	{
 		wc_FreeRng(&rng);
@@ -225,13 +232,13 @@ static bool compute_shared_key(private_wolfssl_ec_diffie_hellman_t *this)
 	{
 		DBG1(DBG_LIB, "ECDH shared secret computation failed");
 		chunk_clear(&this->shared_secret);
-#ifdef ECC_TIMING_RESISTANT
+#ifdef USE_RNG_FOR_TIMING_RESISTANCE
 		wc_FreeRng(&rng);
 #endif
 		return FALSE;
 	}
 	this->shared_secret.len = len;
-#ifdef ECC_TIMING_RESISTANT
+#ifdef USE_RNG_FOR_TIMING_RESISTANCE
 	wc_FreeRng(&rng);
 #endif
 	return TRUE;

diff --git a/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c b/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c
@@ -24,6 +24,7 @@
 #include <library.h>
 #include <utils/debug.h>
 
+#define WOLFSSL_COMMON_INC_SSL_H
 #include "wolfssl_common.h"
 #include "wolfssl_plugin.h"
 #include "wolfssl_aead.h"