[Swan-dev] FIPS algorithms list
andrew.cagney at gmail.com
Thu May 7 20:31:55 UTC 2020
On Thu, 7 May 2020 at 00:19, Paul Wouters <paul at nohats.ca> wrote:
> On Sun, 3 May 2020, Andrew Cagney wrote:
> >> So NSS is running in fips mode, but when we asked it, it said it was
> >> not running in fips mode. So, using NSS to determine fips mode means we have to open the NSS
> >> database in algparse too? Of course, we don't parse ipsec.conf so we do
> >> not know which database to open.
> > Why do I have this feeling of deja-vu...
> > * Need to ensure that NSS is initialized before calling
> > * ike_alg_init(). Sanity checks and algorithm testing
> > * require a working NSS.
> > *
> > * When testing the algorithms in FIPS mode (i.e., executing
> > * crypto code) NSS needs to be pointed at a real FIPS mode
> > * NSS directory.
> Things in git master should now be working properly again. The plutomain
> code was changed so it does not have to check the fips status twice. And
> the algparse case now initializes nss without db, so then nss returns
> the system/kernel fips mode as its own fips mode.
Nice, testing made a big jump in the right direction.