On Sun, 3 May 2020, Andrew Cagney wrote:
So NSS is running in fips mode, but when we asked it, it said it was not running in fips mode. So, using NSS to determine fips mode means we have to open the NSS database in algparse too? Of course, we don't parse ipsec.conf so we do not know which database to open.

Why do I have this feeling of deja-vu...

     * Need to ensure that NSS is initialized before calling
     * ike_alg_init(). Sanity checks and algorithm testing
     * require a working NSS.
     *
     * When testing the algorithms in FIPS mode (i.e., executing
     * crypto code) NSS needs to be pointed at a real FIPS mode
     * NSS directory.

Things in git master should now be working properly again. The plutomain code was changed so it does not have to check the fips status twice. And the algparse case now initializes nss without db, so then nss returns the system/kernel fips mode as its own fips mode.

Paul
