[Swan-dev] FIPS algorithms list

Paul Wouters paul at nohats.ca
Mon May 4 00:57:12 UTC 2020


On Sat, 2 May 2020, Andrew Cagney wrote:

> I'm not sure about this, from algparse-02 FIPS - MD5?:

> -FIPS Encryption algorithms:
> +Encryption algorithms:

Indeed. It looks like it does not detect we are in FIPS mode.

I think calling PK11_IsFIPS() before you have opened a library
might not work as expected, as they look at the fips setting of
the system AND the fips mode of the database opened. I suspect
without a database open, they always say "not FIPS mode".

Pluto sees this issue, because it does log:

FIPS Mode: NO
FIPS mode disabled for pluto daemon
Warning: NSS library is running in FIPS mode

So NSS is running in fips mode, but when we asked it, it said it was
not running in fips mode. So, using NSS to determine fips mode means we
have to open the NSS database in algparse too? Of course, we don't parse
ipsec.conf so we do not know which database to open.

I tried adding:

 	SECStatus rv = NSS_Initialize("", "", "", SECMOD_DB, 0);

This returns SECSuccess, and the following call to libreswan_fipsmode()
then returns 1. So far so good, but this is followed by:

 	unexpected authentication of "NSS FIPS 140-2 Certificate DB" failed

And of course, we now also have this problem in plutomain where we check
fips mode before we open the nss database. I'm not sure if the ike
algorithm filter happens before we open the nss database or not.

I have to think about this.

Paul

