[Swan-dev] FIPS algorithms list

Andrew Cagney andrew.cagney at gmail.com
Mon May 4 02:28:27 UTC 2020


On Sun, 3 May 2020 at 20:57, Paul Wouters <paul at nohats.ca> wrote:
>
> On Sat, 2 May 2020, Andrew Cagney wrote:
>
> > I'm not sure about this, from algparse-02 FIPS - MD5?:
>
> > -FIPS Encryption algorithms:
> > +Encryption algorithms:
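Review bot: the "+Encryption algorithms:" line loses the "FIPS" prefix that the removed header carried, so accepting it as the new expected output for algparse-02 would record the FIPS run under the non-FIPS header. Keep "FIPS Encryption algorithms:" as the expected line and treat this difference as a test failure until the FIPS-mode detection is resolved.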
>
> Indeed. It looks like it does not detect we are in FIPS mode.
>
> I think calling PK11_IsFIPS() before you have opened a library
> might not work as expected. As they look at the fips setting of
> the system AND the fips mode of the database opened. I suspect
> without database open, they always say "not FIPS mode".
>
> Pluto sees this issue, because it does log:
>
> FIPS Mode: NO
> FIPS mode disabled for pluto daemon
> Warning: NSS library is running in FIPS mode
>
> So NSS is running in fips mode, but when we asked it, it said it was
> not running in fips mode. So, using NSS to determine fips mode means
> we have to open the NSS database in algparse too? Of course, we don't
> parse ipsec.conf so we do not know which database to open.

Why do I have this feeling of deja-vu...

         * Need to ensure that NSS is initialized before calling
         * ike_alg_init().  Sanity checks and algorithm testing
         * require a working NSS.
         *
         * When testing the algorithms in FIPS mode (i.e., executing
         * crypto code) NSS needs to be pointed at a real FIPS mode
         * NSS directory.



>
> I tried adding:
>
>         SECStatus rv = NSS_Initialize("", "", "", SECMOD_DB, 0);
>
> This returns SECSuccess, and the following call to libreswan_fipsmode()
> then returns 1. So far so good. But this is followed by:
>
>         unexpected authentication of "NSS FIPS 140-2 Certificate DB" failed
>
> And of course, we now also have this problem in plutomain where we check
> fips mode before we open the nss database. I'm not sure if the ike
> algorithm filter happens before we open the nss database or not.
>
> I have to think about this.
>
> Paul
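
A check for the contradiction in the pluto log lines quoted above, as an added example that is not part of the original message or of libreswan: it scans a startup log and flags the case where the daemon's own FIPS answer disagrees with what NSS reports. The function name, the "FIPS Mode: YES" line and the two extra sample logs are assumptions constructed for illustration.

```python
import re

# Patterns for the pluto startup lines quoted in the message above.
# "FIPS Mode: YES" is an assumed counterpart of the quoted "FIPS Mode: NO".
FIPS_MODE_RE = re.compile(r"\bFIPS Mode:\s*(YES|NO)\b")
NSS_FIPS_RE = re.compile(r"NSS library is running in FIPS mode")

def check_fips_consistency(lines):
    """Return (daemon_fips, nss_fips, findings) for one startup log."""
    daemon_fips = None  # pluto's own answer; None if it was never logged
    nss_fips = False    # True once NSS itself reports FIPS mode
    for line in lines:
        m = FIPS_MODE_RE.search(line)
        if m:
            daemon_fips = m.group(1) == "YES"
        elif NSS_FIPS_RE.search(line):
            nss_fips = True
    findings = []
    if daemon_fips is None:
        findings.append("no 'FIPS Mode:' line; daemon FIPS state unknown")
    elif nss_fips and not daemon_fips:
        # Cause suggested in the thread: FIPS mode was queried before
        # the NSS database was opened.
        findings.append("daemon says FIPS off but NSS is in FIPS mode; "
                        "check whether FIPS was queried before NSS init")
    return daemon_fips, nss_fips, findings

# The three lines quoted in the message (the mismatch case).
PAGE_LOG = [
    "FIPS Mode: NO",
    "FIPS mode disabled for pluto daemon",
    "Warning: NSS library is running in FIPS mode",
]
# Constructed samples: consistent non-FIPS and consistent FIPS startups.
CONSISTENT_OFF = ["FIPS Mode: NO", "FIPS mode disabled for pluto daemon"]
CONSISTENT_ON = ["FIPS Mode: YES",
                 "Warning: NSS library is running in FIPS mode"]

if __name__ == "__main__":
    for name, log in (("page", PAGE_LOG), ("off", CONSISTENT_OFF),
                      ("on", CONSISTENT_ON)):
        daemon, nss, findings = check_fips_consistency(log)
        print(name, daemon, nss, findings or "consistent")
```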

