[Swan-dev] fips test results

Andrew Cagney andrew.cagney at gmail.com
Wed Jul 15 19:58:23 EEST 2015


FYI, I've taken a first pass at enabling the FIPS tests.

When run against a FIPS-built pluto I see:

fips-02-ikev2-default passed
fips-07-ikev2-3des-sha256 passed
fips-08-ikev2-x509 passed
fips-09-ikev2-gcm passed
- cool
fips-04-ikev2-md5 failed east:different
- just needs an output tweak; missed this

fips-01-ikev1-default incomplete east:truncated west:truncated
fips-03-ikev1-md5 failed east:unchecked west:unchecked
fips-06-ikev1-sha1 incomplete east:truncated west:truncated
- the good news is that they no longer crash
- sends back SITUATION_NOT_SUPPORTED
- I suspect IKEv1 lacks logic to filter out non-FIPS tests?
- IKEv1 uses MD5 to check for NAT and FIPS doesn't have MD5 so I'm not
sure how far the test will get

fips-05-ikev1-gcm failed east:unchecked west:unchecked
- "westnet-eastnet-gcm" #1: unsupported OAKLEY attribute.  Attribute OAKLEY_PRF
- sends back NO_PROPOSAL_CHOSEN

When run against a non-FIPS pluto things are more of a mess; I'm
tweaking things to skip the tests by default.
However, I think it would be useful to always build pluto capable of
being in FIPS mode so the "good" tests could be run.

Andrew

