[Swan-dev] annoying AES_XCBC FIPS, er, quirk
andrew.cagney at gmail.com
Tue Mar 27 18:01:13 UTC 2018
Up until now pluto hasn't had to deal with an algorithm that has both
FIPS and non-FIPS implementations, and instead, code has been assuming
that an algorithm marked as FIPS is so for both IKE and ESP/AH.
Unfortunately AES_XCBC breaks that assumption - the kernel's AES_XCBC
is assumed to be FIPS compliant, but Pluto's internal implementation
is decidedly not.
The consequence is that, in FIPS mode, AES_XCBC_96 gets listed as a
valid IKE integrity algorithm vis:
AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH FIPS
(aes_xcbc aes128_xcbc aes128_xcbc_96)
Fortunately, because the underlying PRF (AES_XCBC) isn't valid (and
isn't listed), the parser will reject attempts to use it.
something for later,
More information about the Swan-dev