| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Jul 2020 20:36:58 +0200
From: Antony Antony <antony.antony@...unet.com>
To: Herbert Xu <herbert@...dor.apana.org.au>
CC: Antony Antony <antony.antony@...unet.com>,
Steffen Klassert <steffen.klassert@...unet.com>,
<netdev@...r.kernel.org>,
Stephan Müller <smueller@...onox.de>,
Antony Antony <antony@...nome.org>
Subject: Re: [PATCH ipsec-next] xfrm: add
/proc/sys/core/net/xfrm_redact_secret
On Wed, Jul 29, 2020 at 02:22:52 +1000, Herbert Xu wrote:
> On Tue, Jul 28, 2020 at 05:47:30PM +0200, Antony Antony wrote:
> > when enabled, 1, redact XFRM SA secret in the netlink response to
> > xfrm_get_sa() or dump all sa.
> >
> > e.g
> > echo 1 > /proc/sys/net/core/xfrm_redact_secret
> > ip xfrm state
> > src 172.16.1.200 dst 172.16.1.100
> > proto esp spi 0x00000002 reqid 2 mode tunnel
> > replay-window 0
> > aead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000 96
> >
> > the aead secret is redacted.
> >
> > /proc/sys/core/net/xfrm_redact_secret is a toggle.
> > Once enabled, either at compile or via proc, it can not be disabled.
> > Redacting secret is a FIPS 140-2 requirement.
>
> Couldn't you use the existing fips_enabled sysctl?
that could be a step, however, not yet.
Libreswan in FIPS mode with xfrm_redact_secret enabled would work fine, however, enabling xfrm_redact_secret would break Strongswan in FIPS mode. We can add this option fips_enabled once Strongswan does not need SA secret, child_sa->update().
Also there was interest to able to use xfrm_redact_secret independent of FIPS.
I thik for now it best to be ouside fips_enabled.
Powered by blists - more mailing lists