On Wed, Jul 29, 2020 at 02:22:52 +1000, Herbert Xu wrote: > On Tue, Jul 28, 2020 at 05:47:30PM +0200, Antony Antony wrote: > > when enabled, 1, redact XFRM SA secret in the netlink response to > > xfrm_get_sa() or dump all sa. > > > > e.g > > echo 1 > /proc/sys/net/core/xfrm_redact_secret > > ip xfrm state > > src 172.16.1.200 dst 172.16.1.100 > > proto esp spi 0x00000002 reqid 2 mode tunnel > > replay-window 0 > > aead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000 96 > > > > the aead secret is redacted. > > > > /proc/sys/core/net/xfrm_redact_secret is a toggle. > > Once enabled, either at compile or via proc, it can not be disabled. > > Redacting secret is a FIPS 140-2 requirement. > > Couldn't you use the existing fips_enabled sysctl?
that could be a step, however, not yet. Libreswan in FIPS mode with xfrm_redact_secret enabled would work fine, however, enabling xfrm_redact_secret would break Strongswan in FIPS mode. We can add this option fips_enabled once Strongswan does not need SA secret, child_sa->update(). Also there was interest to able to use xfrm_redact_secret independent of FIPS. I thik for now it best to be ouside fips_enabled.
