Created attachment 1139678 [details] Add --with-crypto=nss and ability to use NSS's HMAC library (Using Fedora's bugzilla to submit patches to upstream fipscheck is a little weird :-/) The attached patch adds the ability to configure/build fipscheck using NSS's HMAC library. To use this feature, specify --with-crypto=nss when configuring fipscheck. Tested by creating hmac files with fipshmac/openssl and verifying them with fipscheck/nss and vice versa. See also bug #1320676
this feature helps FIPS certifications of libreswan on embedded systems that don't use openssl. (yes they exist :)
To me it would be preferable to use kernel AF_ALG support instead, this way we could avoid any library dependency.
(In reply to Tomas Mraz from comment #2) > To me it would be preferable to use kernel AF_ALG support instead, this way > we could avoid any library dependency. As best I know, that only helps systems using a recent Linux kernel.
The AF_ALG support is in Linux kernel for quite long time. However you're right that it is a Linux-only thing. Is libreswan supported on other kernels?
It supports the PF_KEY API which is the API on all platforms except linux
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle. Changing version to '25'.