1320693 – add --with-crypt=nss to fipscheck (use NSS's HMAC library)

Bug 1320693 - add --with-crypt=nss to fipscheck (use NSS's HMAC library)

Summary: add --with-crypt=nss to fipscheck (use NSS's HMAC library)

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	fipscheck
Sub Component:
Version:	25
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Tomas Mraz
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-03-23 18:14 UTC by cagney
Modified:	2017-02-24 10:03 UTC (History)
CC List:	2 users (show)
Fixed In Version:	fipscheck-1.5.0-1.fc26
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-02-24 10:03:01 UTC
Type:	Bug
Dependent Products:

Attachments	(Terms of Use)
Add --with-crypto=nss and ability to use NSS's HMAC library (10.09 KB, patch) 2016-03-23 18:14 UTC, cagney	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Description cagney 2016-03-23 18:14:12 UTC

Created attachment 1139678 [details]
Add --with-crypto=nss and ability to use NSS's HMAC library

(Using Fedora's bugzilla to submit patches to upstream fipscheck is a little weird :-/)

The attached patch adds the ability to configure/build fipscheck using NSS's HMAC library.  To use this feature, specify --with-crypto=nss when configuring fipscheck.

Tested by creating hmac files with fipshmac/openssl and verifying them with fipscheck/nss and vice versa.

See also bug #1320676

Comment 1 Paul Wouters 2016-03-23 21:51:26 UTC

this feature helps FIPS certifications of libreswan on embedded systems that don't use openssl. (yes they exist :)

Comment 2 Tomas Mraz 2016-03-24 10:35:50 UTC

To me it would be preferable to use kernel AF_ALG support instead, this way we could avoid any library dependency.

Comment 3 cagney 2016-04-07 14:24:04 UTC

(In reply to Tomas Mraz from comment #2)
> To me it would be preferable to use kernel AF_ALG support instead, this way
> we could avoid any library dependency.

As best I know, that only helps systems using a recent Linux kernel.

Comment 4 Tomas Mraz 2016-04-07 14:32:52 UTC

The AF_ALG support is in Linux kernel for quite long time. However you're right that it is a Linux-only thing. Is libreswan supported on other kernels?

Comment 5 Paul Wouters 2016-04-07 15:55:41 UTC

It supports the PF_KEY API which is the API on all platforms except linux

Comment 6 Jan Kurik 2016-07-26 05:09:09 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

Note You need to log in before you can comment on or make changes to this bug.