[Swan-dev] libreswan_fipsmode and friends
Paul Wouters
paul at nohats.ca
Tue Jan 13 16:19:05 EET 2015
On Tue, 13 Jan 2015, D. Hugh Redelmeier wrote:
> I don't really understand the combinatorics of these.
>
> First approximation:
> fipsmode = fipsproduct & fips_kernel
>
> except each is a 3-state value: yes, no, unknown. I think that
> "unknown" might mean "system broken".
>
> So what should the value computed for fipsmode be?
We will do fips only if we are both a fipsproduct and the kernel is
booted in fips mode.
> Also: when "unknown" is discovered, it is logged one or more times.
> Always in the libreswan_fips* function and sometimes in the caller.
> And they get called multiple times during a run.
>
> - is multiple logging sensible?
No. We should be determining this once during startup. We are not taking
into account magical changes of fips mode (which is not supposed to
happen runtime)
> It feels like an enum might be a clearer representation than a signed integer.
>
> I think that these are only used in pluto so they should be migrated
> from libswan.
I think rsasigkey also uses this, because fips puts limitations on new
key generation. Although currently we only allow generation of things
that are fips mode only (we are more secure than fips) this might change
in the future (eg if fips wants to ban RSA over ECC but we don't)
> There's a lot more in this commit that I haven't yet understood.
It went through a few requirement iterations, so there might be cruft there.
The idea is if we are not a fips product, don't log anything. If we are
a fips product but not in fips mode, log any issues that would be fatal
if we had been booted in fips mode.
Paul
More information about the Swan-dev
mailing list