| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200728162252.GA3255@gondor.apana.org.au>
Date: Wed, 29 Jul 2020 02:22:52 +1000
From: Herbert Xu <herbert@...dor.apana.org.au>
To: Antony Antony <antony.antony@...unet.com>
Cc: Steffen Klassert <steffen.klassert@...unet.com>,
netdev@...r.kernel.org,
Stephan Müller <smueller@...onox.de>,
Antony Antony <antony@...nome.org>
Subject: Re: [PATCH ipsec-next] xfrm: add
/proc/sys/core/net/xfrm_redact_secret
On Tue, Jul 28, 2020 at 05:47:30PM +0200, Antony Antony wrote:
> when enabled, 1, redact XFRM SA secret in the netlink response to
> xfrm_get_sa() or dump all sa.
>
> e.g
> echo 1 > /proc/sys/net/core/xfrm_redact_secret
> ip xfrm state
> src 172.16.1.200 dst 172.16.1.100
> proto esp spi 0x00000002 reqid 2 mode tunnel
> replay-window 0
> aead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000 96
>
> the aead secret is redacted.
>
> /proc/sys/core/net/xfrm_redact_secret is a toggle.
> Once enabled, either at compile or via proc, it can not be disabled.
> Redacting secret is a FIPS 140-2 requirement.
Couldn't you use the existing fips_enabled sysctl?
Cheers,
--
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Powered by blists - more mailing lists