[Swan] PSK length in FIPS mode

Paul Wouters paul at nohats.ca
Tue Jun 23 23:13:42 UTC 2020


On Tue, 23 Jun 2020, John Serink wrote:

> I am using libreswan to connect to a Cisco 4431 IOS based router.
> I am getting this error when using a 12 byte PSK:
> Jun 23 16:52:19 [pluto] "XXXX" #2: WARNING: connection XXXX PSK length of 8 bytes is too short for sha PRF in FIPS mode (10 bytes required)
> 
> Here is the entry in the ipsec.secrets file:
> A.B.C.D : PSK "abcdefrghast"
> 
> The PSK is 12 bytes.

I tried to reproduce this.

002 "westnet-eastnet-ipv4-psk-ikev2" #1: WARNING: connection westnet-eastnet-ipv4-psk-ikev2 PSK length of 12 bytes is too short for HMAC_SHA2_512 PRF in FIPS mode (32 bytes required)

What version of libreswan is this?

> I need to keep the PSK at 12 bytes as some industrial based routers we use in the field have a max of 12 bytes.

That is dangerously small, especially if you are using 12 ASCII
characters and not true random hex.

> Is there any workaround for this on libreswan?

It is only a warning when not running in FIPS mode. If you are running
in FIPS mode, then it might be a bug we have fixed on our end in the
past.

Paul
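
Added example, not part of the original message and not libreswan code: a Python check that reads PSK entries in the ipsec.secrets form quoted above, compares their byte length with the minimums named in the two warnings, and gives a best-case entropy figure for a text secret versus random hex. The function names, the regular expression and the second sample entry are constructed for illustration; 0x-prefixed hex secrets are assumed to be written without separators.

```python
import math
import re
import string

# Minimum PSK lengths in bytes, copied from the two pluto warnings in this thread.
FIPS_MIN_PSK_BYTES = {"sha": 10, "HMAC_SHA2_512": 32}

# Matches: <ids> : PSK "text"   or   <ids> : PSK 0x<hex>  (assumed: no separators)
PSK_LINE = re.compile(
    r'^(?P<ids>[^#]*?)\s*:\s*PSK\s+'
    r'(?:"(?P<text>[^"]*)"|0x(?P<hex>(?:[0-9a-fA-F]{2})+))\s*$')

# Constructed sample; the first entry is the one quoted in the thread.
SAMPLE = '''\
A.B.C.D : PSK "abcdefrghast"
192.0.2.1 192.0.2.2 : PSK 0x00112233445566778899aabb
'''

def parse_psks(secrets_text):
    """Yield (ids, secret_bytes, is_text) for each PSK entry."""
    for line in secrets_text.splitlines():
        m = PSK_LINE.match(line.strip())
        if not m:
            continue
        if m.group("text") is not None:
            yield m.group("ids"), m.group("text").encode(), True
        else:
            yield m.group("ids"), bytes.fromhex(m.group("hex")), False

def entropy_upper_bound_bits(secret, is_text):
    """Best case: each symbol uniform over the character classes in use."""
    if not is_text:
        return 8.0 * len(secret)
    chars = secret.decode()
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in chars))
    return len(chars) * math.log2(alphabet) if alphabet else 0.0

def audit(secrets_text, prf):
    """Return (ids, length, minimum, long_enough, entropy_bits) per entry."""
    minimum = FIPS_MIN_PSK_BYTES[prf]
    return [(ids, len(s), minimum, len(s) >= minimum,
             round(entropy_upper_bound_bits(s, t), 1))
            for ids, s, t in parse_psks(secrets_text)]

if __name__ == "__main__":
    for prf in FIPS_MIN_PSK_BYTES:
        print(prf, audit(SAMPLE, prf))
```

Both sample secrets are 12 bytes long, but the all-lowercase text secret tops out near 56 bits while 12 random bytes carry 96, and neither reaches the 32 bytes named in the HMAC_SHA2_512 warning.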

