[Swan-dev] FIPS algorithms list

Andrew Cagney andrew.cagney at gmail.com
Thu May 7 20:31:55 UTC 2020


On Thu, 7 May 2020 at 00:19, Paul Wouters <paul at nohats.ca> wrote:
>
> On Sun, 3 May 2020, Andrew Cagney wrote:
>
> >> So NSS is running in fips mode, but when we asked it, it said it was
> >> not running in fips mode. So, using NSS to determine fips mode means we have to open the NSS
> >> database in algparse too? Of course, we don't parse ipsec.conf so we do
> >> not know which database to open.
> >
> > Why do I have this feeling of deja-vu...
> >
> >         * Need to ensure that NSS is initialized before calling
> >         * ike_alg_init().  Sanity checks and algorithm testing
> >         * require a working NSS.
> >         *
> >         * When testing the algorithms in FIPS mode (i.e., executing
> >         * crypto code) NSS needs to be pointed at a real FIPS mode
> >         * NSS directory.
>
> Things in git master should now be working properly again. The plutomain
> code was changed so it does not have to check the fips status twice. And
> the algparse case now initializes nss without db, so then nss returns
> the system/kernel fips mode as its own fips mode.

Nice, testing made a big jump in the right direction.

