[Swan-dev] FIPS algorithms list

Andrew Cagney andrew.cagney at gmail.com
Mon May 4 02:28:27 UTC 2020

On Sun, 3 May 2020 at 20:57, Paul Wouters <paul at nohats.ca> wrote:
> On Sat, 2 May 2020, Andrew Cagney wrote:
> > I'm not sure about this, from algparse-02 FIPS - MD5?:
> > -FIPS Encryption algorithms:
> > +Encryption algorithms:
> Indeed. It looks like it does not detect we are in FIPS mode.
> I think calling PK11_IsFIPS() before you have opened a library
> might not work as expected. As they look at the fips setting of
> the system AND the fips mode of the database opened. I suspect
> without database open, they always say "not FIPS mode".
> Pluto sees this issue, because it does log:
> FIPS Mode: NO
> FIPS mode disabled for pluto daemon
> Warning: NSS library is running in FIPS mode
> So NSS is running in fips mode, but when we asked it, it said it was
> not running in fips mode. So, using NSS to determine fips mode means we have to open the NSS
> database in algparse too? Ofcourse, we don't parse ipsec.conf so we do
> not know which database to open.

Why do I have this feeling of deja-vu...

         * Need to ensure that NSS is initialized before calling
         * ike_alg_init().  Sanity checks and algorithm testing
         * require a working NSS.
         * When testing the algorithms in FIPS mode (i.e., executing
         * crypto code) NSS needs to be pointed at a real FIPS mode
         * NSS directory.

> I tried adding:
>         SECStatus rv = NSS_Initialize("", "", "", SECMOD_DB, 0);
> this returns SECSuccess, and the following call to libreswan_fipsmode()
> then returns 1. So far so good. but this is followed by:
>         unexpected authentication of "NSS FIPS 140-2 Certificate DB" failed
> And of course, we now also have this problem in plutomain where we check
> fips mode before we open the nss database. I'm not sure if the ike
> algorithm filter happens before we open the nss database or not.
> I have to think about this.
> Paul

More information about the Swan-dev mailing list