On Fri, 22 Jan 2016, jonetsu wrote:
libreswan uses NSS and supports a FIPS mode.
I know. I wouldn't call libreswan 'example code', though :)
I have browsed the code although did not find what I was looking for,
which is exactly what you mentioned above. In our systems we have to
verify that 'everything' is in FIPS mode at boot, before applications
are kicking off.
How is a library in FIPS mode when it hasn't yet initialised because the
application has not kicked of yet? Do you actually initialise them using
a test program?
So at most you can check the preconditions for full FIPS mode, which for
RHEL are:
- Are we a FIPS product (does /etc/system-fips exist?)
- Is the kernel in FIPS mode (does /proc/sys/crypto/fips_enabled contain
the value 1)
I personally wished NSS would lock out non-FIPS algorithms, so the
applications don't need any of that logic. Now I have to read the
FIPS documents too :P
Paul
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
