[Swan] FIPS mode

Lennart Sorensen lsorense at csclub.uwaterloo.ca
Tue Apr 14 19:31:22 EEST 2015


On Tue, Apr 14, 2015 at 11:07:08AM -0400, Paul Wouters wrote:
> Yes, the kernel crypto is also getting FIPS validated (and has in the
> past as well) and that includes all combinations of supported
> architectures and with/without acceleration drivers. It has even
> resulted in blacklisting some acceleration modules that did not fully
> comply (e.g. some could only use 128-bit keys and would error on 256)

Like the Geode LX800 which only does 128-bit AES in hardware, and the
kernel has to switch to software to do anything else.  Such an odd
design choice.

> Right. Although one of the reasons I like NSS, is that it deals with all
> the X.509 / ASN.1 / disk to ram / ram to disk issues. Strongswan has its
> own code for that, and that is a lot of custom code. freeswan/openswan
> had the X.509 patch that became strongswan, and it generated half the
> CVEs we got. I'm very happy libreswan 3.13 will remove the last bit of
> that code and outsources all that work to the NSS library. Because an
> IKE daemon should not have an ASN.1 parser :)

Well the NSS bit does seem like it probably is the best option, and the
support for offloading to dedicated hardware and not even seeing the
keys in libreswan is an interesting one (not that I have access to any
hardware that can do that).

ASN.1 parsers like xml parsers are evil horrible things that often have
security problems it seems.  The less we have of them to maintain
the better.

-- 
len Sorensen
