[Swan-dev] fips test results

Paul Wouters paul at nohats.ca
Wed Jul 15 20:07:16 EEST 2015


On Wed, 15 Jul 2015, Andrew Cagney wrote:

> fips-04-ikev2-md5 failed east:different
> - just needs an output tweak; missed this

It would need to fail properly due to md5 not being allowed.

> fips-01-ikev1-default incomplete east:truncated west:truncated
> fips-03-ikev1-md5 failed east:unchecked west:unchecked
> fips-06-ikev1-sha1 incomplete east:truncated west:truncated
> - the good news is that they no longer crash
> - sends back SITUATION_NOT_SUPPORTED
> - I suspect IKEv1 lacks logic to filter out non-FIPS tests?

Ideally, the first and third one should work, using sha1. Only the md5
hardcoded one should fail.

> - IKEv1 uses MD5 to check for NAT and FIPS doesn't have MD5 so I'm not
> sure how far the test will get

Yes, I think the best way here is to allow a direct NSS md5 call that
is not restricted by fips mode. This is allowed because NATD payloads
do not involve key handling or authentication.

> fips-05-ikev1-gcm failed east:unchecked west:unchecked
> - "westnet-eastnet-gcm" #1: unsupported OAKLEY attribute.  Attribute OAKLEY_PRF
> - sends back NO_PROPOSAL_CHOSEN

Ideally, this would also pick sha1 and not md5 as prf and then work. It
is related to the default proposal set I think.

Perhaps what we need to do is update the ikev1 proposal set to prefer
sha1 over md5? That might solve a lot of these problems without breaking
interop with older versions?

> when run against a non-FIPS pluto things are more of a mess; I'm
> tweaking things to skip the tests by default.
> However, I think it would be useful to always build pluto capable of
> being in FIPS mode so the "good" tests could be run.

Tests should always run with the fipscheck and labeled ipsec and audit
support enabled. The only reason we have not made those the default is
that debian/ubuntu was missing those packages. I am not sure if they are
still missing or not.

Paul
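Added illustration of the two points above (this is not libreswan code; the proposal list, the approved-PRF set and the cookie/address values are constructed for the example): md5 PRFs are dropped only when FIPS mode is on, otherwise they are merely demoted below sha1, and the IKEv1 NAT-D hash is computed with an md5 call explicitly marked as outside the FIPS-restricted path, the Python analogue of an unrestricted NSS md5 call.

```python
import hashlib
import socket
import struct

# PRFs treated as FIPS-approved for this illustration (assumption).
# MD5 is never on this list: it may not be used for key derivation
# or authentication in FIPS mode.
FIPS_APPROVED_PRFS = {"sha1", "sha2_256", "sha2_384", "sha2_512"}

# Constructed IKEv1 proposal set, listed in preference order, with md5
# ahead of sha1 the way an older default set might have it.
DEFAULT_IKEV1_PROPOSALS = [
    {"encr": "aes", "prf": "md5", "dh": "modp2048"},
    {"encr": "aes", "prf": "sha1", "dh": "modp2048"},
    {"encr": "aes_gcm", "prf": "md5", "dh": "modp2048"},
    {"encr": "aes_gcm", "prf": "sha1", "dh": "modp2048"},
]


def select_proposals(proposals, fips_mode):
    """Return the usable proposals, in preference order.

    FIPS mode: proposals with a non-approved PRF are removed; an empty
    result is the case where the responder answers NO_PROPOSAL_CHOSEN.
    Non-FIPS mode: nothing is removed, but approved PRFs are moved in
    front of md5 (stable sort) so sha1 is preferred while older peers
    that only offer md5 still interoperate.
    """
    if fips_mode:
        return [p for p in proposals if p["prf"] in FIPS_APPROVED_PRFS]
    return sorted(proposals, key=lambda p: p["prf"] not in FIPS_APPROVED_PRFS)


def natd_hash(cky_i, cky_r, ip, port):
    """RFC 3947 NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port).

    IKEv1 NAT detection is fixed to MD5. The value is compared, not used
    to derive keys or authenticate anyone, so it is computed through an
    md5 call flagged as not security-relevant; this is what lets NAT-D
    keep working while FIPS mode blocks md5 everywhere else.
    """
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.md5(data, usedforsecurity=False).hexdigest()
```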
