On Sat, Mar 2, 2024, at 03:32, Salz, Rich wrote:
> I’m curious what various implementations do about FIPS support. “We
> don’t care” is fine and reasonable, but I don’t want to hear from you
> folks :). The issue is that the AEAD sequence number must be generated
> within the FIPS module, and QUIC mandates a particular construct for it.
>
> Replies to me will be summarized for the list, thanks.
We don't do this, but there is a plan. https://searchfox.org/nss/source/lib/ssl/sslprimitive.c#167-175 shows the plan that we haven't implemented. The idea is that the TLS stack exports an encryption primitive, which then performs nonce generation within the PKCS#11 module according to the TLS rules. PKCS#11 has the necessary interfaces. Decryption can't work that way and so doesn't: the caller has to provide the number. I don't know if FIPS insists on anti-replay tracking within the module, but we don't do that (and likely can't).
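As an added illustration (not code from this thread, from NSS, or from any PKCS#11 module), the split the reply describes: an encrypt-side primitive that owns the sequence counter and derives the TLS 1.3 / QUIC nonce itself (static IV XOR the left-padded 62-bit number, per RFC 8446 section 5.3 and RFC 9001 section 5.3), while the decrypt side must be handed the packet number recovered from the header. The AEAD core is a constructed HMAC-based stand-in rather than AES-GCM, and every key and IV below is a constructed sample value.

```python
import hashlib
import hmac

def tls_aead_nonce(iv: bytes, seq: int) -> bytes:
    """RFC 8446 s5.3 / RFC 9001 s5.3: left-pad the 62-bit sequence (packet)
    number to the IV length and XOR it with the static IV."""
    if not 0 <= seq < 2 ** 62:
        raise ValueError("sequence number out of range")
    padded = seq.to_bytes(len(iv), "big")
    return bytes(a ^ b for a, b in zip(iv, padded))

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Constructed stand-in for the AEAD cipher core (not AES-GCM).
    blocks = (n + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:n]

def _tag(key: bytes, nonce: bytes, aad: bytes, ct: bytes) -> bytes:
    # Constructed stand-in for the AEAD tag, bound to nonce, AAD and ciphertext.
    msg = b"\x01" + nonce + len(aad).to_bytes(4, "big") + aad + ct
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]

class SealingPrimitive:
    """Module-side encryptor: the caller never sees or supplies a nonce;
    the counter lives with the key and only moves forward."""
    def __init__(self, key: bytes, iv: bytes) -> None:
        self._key, self._iv, self._seq = key, iv, 0

    def seal(self, aad: bytes, plaintext: bytes) -> bytes:
        nonce = tls_aead_nonce(self._iv, self._seq)
        self._seq += 1  # advanced inside the primitive, never by the caller
        ks = _keystream(self._key, nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        return ct + _tag(self._key, nonce, aad, ct)

def open_record(key: bytes, iv: bytes, seq: int, aad: bytes, sealed: bytes):
    """Decrypt side: the packet number comes from the caller (the header),
    so the module cannot derive it itself. Returns None on tag failure."""
    ct, tag = sealed[:-16], sealed[-16:]
    nonce = tls_aead_nonce(iv, seq)
    if not hmac.compare_digest(tag, _tag(key, nonce, aad, ct)):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

if __name__ == "__main__":
    key, iv = b"k" * 16, bytes.fromhex("000102030405060708090a0b")  # constructed
    enc = SealingPrimitive(key, iv)
    first, second = enc.seal(b"hdr", b"hello"), enc.seal(b"hdr", b"hello")
    assert first != second                                   # fresh nonce each call
    assert open_record(key, iv, 0, b"hdr", first) == b"hello"
    assert open_record(key, iv, 1, b"hdr", first) is None    # wrong packet number
```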
