Discussion:
[strongSwan] Which version of openssl to use with strongswan
Peter Hsiang
2018-10-22 17:54:06 UTC
Hi,


Which version of openssl is compatible with strongswan 5.6.1 for Android?


I tried using the strongswan version of openssl from strongswan.org:

https://git.strongswan.org/?p=android-ndk-openssl.git;a=summary

but it seems this version of openssl is old and does not have some functions used by strongswan 5.6.1:


'DH_get0_key' 'BN_num_bytes' 'OpenSSL_add_all_algorithms' 'BN_is_odd' 'BN_is_one' 'EVP_get_digestbynid' 'EVP_PKEY_CTX_set_rsa_padding' 'EVP_PKEY_CTX_set_rsa_pss_saltlen' 'EVP_PKEY_CTX_set_rsa_mgf1_md' 'EVP_DigestVerifyUpdate' 'RSA_get0_key' 'EVP_get_digestbynid' 'X509_get0_signature'


Thanks,

Peter

-----------------------------------------------------------------------------------
This email message is for the sole use of the intended recipient(s) and may contain
confidential information. Any unauthorized review, use, disclosure or distribution
is prohibited. If you are not the intended recipient, please contact the sender by
reply email and destroy all copies of the original message.
-----------------------------------------------------------------------------------
Tobias Brunner
2018-10-23 08:14:43 UTC
Hi Peter,

> I tried using the strongswan version of openssl from strongswan.org:
>
> https://git.strongswan.org/?p=android-ndk-openssl.git;a=summary
>
> but it seems this version of openssl is old and does not have some
> functions used by strongswan 5.6.1:

Yeah, that repository is not really maintained anymore (the version in
it is too old anyway, Google would reject an app with it when uploading
to Play). We currently use BoringSSL (see [1]). If you want to use
OpenSSL you'd have to port a newer version yourself.

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClientBuild#The-openssl-Directory
Peter Hsiang
2018-10-23 18:05:18 UTC
Hi Tobias,

Thanks. With the newer boringssl included with Android P, the OPENSSL_malloc() and OPENSSL_free() are no longer compatible with the generic malloc() and free() used in Strongswan. Objects allocated in Strongswan (often used in chunk_t) can be freed by boringssl functions that call their version of free().
https://boringssl.googlesource.com/boringssl/+/HEAD/PORTING.md

Do we have porting guidelines for integrating strongswan with boringssl for Android P?

I see there is an older version of boringssl https://git.strongswan.org/?p=android-ndk-boringssl.git;a=log. Would this work on Android P, and would it co-exist with the copy already in Android P (sharing the same libcrypto_static.a object files name space)?

Thanks,
Peter
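
The allocator mismatch described in the message above, as an added C example that is not part of the thread and is not strongSwan or BoringSSL code. `lib_malloc()`/`lib_free()` are hypothetical stand-ins that model one way a library allocator can differ from `malloc()`/`free()` (a size header in front of each block), and `buf_t` is a simplified pointer-plus-length pair in the style of `chunk_t`; ownership crosses the boundary by copying, and each buffer is released by the allocator that created it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical library allocator: every block carries a size header so
 * lib_free() can wipe the contents. The pointer handed to the caller is
 * NOT one malloc() returned, so passing it to free() corrupts the heap. */
#define LIB_PREFIX 16 /* header size, keeps the user pointer aligned */
void *lib_malloc(size_t len) {
    uint8_t *raw = malloc(LIB_PREFIX + len);
    if (!raw) return NULL;
    memcpy(raw, &len, sizeof(len));      /* record length in the header */
    return raw + LIB_PREFIX;
}
void lib_free(void *ptr) {
    if (!ptr) return;
    uint8_t *raw = (uint8_t *)ptr - LIB_PREFIX;
    size_t len;
    memcpy(&len, raw, sizeof(len));
    memset(ptr, 0, len);  /* wipe (real code needs a non-elidable cleanse) */
    free(raw);            /* release the block malloc() actually issued */
}

typedef struct { uint8_t *ptr; size_t len; } buf_t;

/* Application -> library: copy into library-owned memory. The caller
 * keeps its own buffer and releases it with free() as before. */
buf_t to_lib_owned(buf_t app) {
    buf_t out = { lib_malloc(app.len), app.len };
    if (out.ptr && app.len) memcpy(out.ptr, app.ptr, app.len);
    if (!out.ptr) out.len = 0;
    return out;
}
/* Library -> application: copy into malloc() memory, then release the
 * original with the matching deallocator. */
buf_t to_app_owned(buf_t lib) {
    buf_t out = { malloc(lib.len), lib.len };
    if (out.ptr && lib.len) memcpy(out.ptr, lib.ptr, lib.len);
    if (!out.ptr) out.len = 0;
    lib_free(lib.ptr);
    return out;
}
/* Round trip over a constructed sample buffer; returns 1 on success. */
int round_trip_ok(void) {
    uint8_t sample[] = "constructed sample key bytes";
    buf_t lib = to_lib_owned((buf_t){ sample, sizeof(sample) });
    buf_t back = to_app_owned(lib);
    int ok = back.ptr && back.len == sizeof(sample) &&
             memcmp(back.ptr, sample, back.len) == 0;
    free(back.ptr);       /* malloc()-owned, so plain free() is correct */
    return ok;
}
int main(void) { return round_trip_ok() ? 0 : 1; }
```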

Tobias Brunner
2018-10-24 07:23:13 UTC
Hi Peter,

> Do we have porting guidelines for integrating strongswan with boringssl for Android P?

Nope. You shouldn't use the system's libraries from an app anyway.

> I see there is an older version of boringssl https://git.strongswan.org/?p=android-ndk-boringssl.git;a=log

That's exactly what I was referring you to.

> Would this work on Android P, and would it co-exist with the copy already in Android P (sharing the same libcrypto_static.a object files name space)?

The openssl plugin (or rather libstrongswan) links that version
statically, which doesn't seem to conflict with anything the Java part
does.

Regards,
Tobias
Peter Hsiang
2018-10-25 18:33:53 UTC
Hi Tobias,


Thanks. The version of boringssl on strongswan.org has not been updated for about the same amount of time as the openssl on strongswan.org.

Would Google also reject an app compiled with this version of boringssl when uploading to Play?


Building with Android's build tools (Android repo, and not just NDK), the system's boringssl library is built and the object files for 'libcrypto' go to the common output directory path:

./obj/SHARED_LIBRARIES/libcrypto_intermediates

Even for a static lib build, the non-system copy of any library sharing the same lib name would normally write to the same output path. Perhaps there is a different build setup without visibility of the system's copy of libcrypto, so there is no issue of path collision?


Thanks,

Peter

Tobias Brunner
2018-10-26 06:56:58 UTC
Hi Peter,

> Would Google also reject app compiled with this version of boringssl
> when uploading to Play?

It hasn't so far.

> Building with the Android's build tools (Android repo, and not just
> NDK), the system's boringssl library is built and the object files for
> 'libcrypto' goes to the common output directory path:

That's different. If you are not building the app with the NDK, but the
regular daemon (using the top level Android.mk in the source tree),
don't follow the description I pointed to, but use the system's version
of the library.

Regards,
Tobias