[Swan-dev] FIPS algorithms list

Paul Wouters paul at nohats.ca
Thu May 7 04:19:26 UTC 2020


On Sun, 3 May 2020, Andrew Cagney wrote:

>> So NSS is running in fips mode, but when we asked it, it said it was
>> not running in fips mode. So, using NSS to determine fips mode means we have to open the NSS
>> database in algparse too? Of course, we don't parse ipsec.conf so we do
>> not know which database to open.
>
> Why do I have this feeling of deja-vu...
>
>         * Need to ensure that NSS is initialized before calling
>         * ike_alg_init().  Sanity checks and algorithm testing
>         * require a working NSS.
>         *
>         * When testing the algorithms in FIPS mode (i.e., executing
>         * crypto code) NSS needs to be pointed at a real FIPS mode
>         * NSS directory.

Things in git master should now be working properly again. The plutomain
code was changed so it does not have to check the fips status twice. And
the algparse case now initializes nss without db, so then nss returns
the system/kernel fips mode as its own fips mode.

Paul

