[Openswan dev] Openswan + FIPS thoughts
David McCullough
David_Mccullough at securecomputing.com
Mon Oct 29 19:08:52 EDT 2007
Hi Dev,
We are just starting out on a FIPS certification for some of our
products, and they will include Openswan. So far we can see no
problems with getting the certification, but we are interested in some
feedback on the changes we need to make to get this through.
In order to reduce the complexity and potential for trouble, the
approach we are taking is to minimise the number of instances of alg's
that need FIPS certification, hopefull to one of each.
First up OCF helps us a lot here, it can provide all our kernel and
user crypto needs. Since Openswan is using OCF, that helps to :-)
Then comes key generation, we use OpenSSL for that (which also uses
OCF), and there is a FIPS version of OpenSSL, which is all good.
OpenSSL also uses OCF, more goodness from a FIPS point of view.
Now the catch, Openswan uses libgmp and does it's own thing for the
bignum stuff and key gen etc, except for a few areas where it currently
uses OCF, it's not complete enough though.
We are considering two possible approaches:
1) Replace all the libgmp/crypto code in Openswan user space to use
libssl/openssl exclusively. This will mean we have a single
point of testing/implementation for FIPS. It also means that
OpenSwan will continue to use OCF for user space as appropriate,
but can also take advantage of the many other openssl engines and
accelerators.
2) The second, perhaps not so pretty solution, is to hook
everything in openswan userspace as has been done already for
OCF, but to do it for everything that FIPS cares about.
I am not sure of the history here, so perhaps there is a reason why it
should or shouldn't be done this way or that.
Would switching from libgmp/ouwn crypto to a completely libssl solution
for the big num and user space crypto code be attractive to the openswan
community ?
Thanks for any feedback,
Davidm
--
David McCullough, david_mccullough at securecomputing.com, Ph:+61 734352815
Secure Computing - SnapGear http://www.uCdot.org http://www.cyberguard.com
More information about the Dev
mailing list