On Fri, 22 Jan 2016, jonetsu wrote:

> For instance if the system at boot finds a FIPS-related error then it should
> stop everything.  For instance binary integrity failure. Report using one of
> the FIPS logical interfaces and reboot. No library or application will do
> that.

Why would that be the right choice? In the case of libreswan, the ideal
case is actually that it starts up, notices the problem, and ensures
there remains a packet block in place for all known VPN endpoints to
prevent packet leaks. Aborting (like we currently do) actually could
cause packet leaks. I'm sure every application could have their own
things that it prefers to do. Rebooting the machine might actually also
be making things worse.

> It is still a Wish that OpenSource applications and libraries in general
> should log errors in a standardized way, thus providing not only error-free
> runtime parsing of log messages, but assurance that critical errors do get
> logged.  OpenSSL for instance will abort if an app tries to use a non-FIPS
> algorithm while running in FIPS mode.

The audit kernel subsystem (that libreswan also supports) is such an
attempt.

Paul
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto