On Mon, 1 Oct 2018, Andrew Cagney wrote:

I'm not seeing these FIPS failures?

Odd.

I see:

[root@west ~]# /usr/bin/fipscheck /usr/local/libexec/ipsec/pluto
[root@west ~]# echo $?
1

According to the man page this means: 1 Checksum mismatch

[root@west ~]# ls -l /usr/local/libexec/ipsec/pluto /usr/local/libexec/ipsec/.pluto.hmac
-rwxr-xr-x. 1 root root 8424104 Oct 1 19:46 /usr/local/libexec/ipsec/pluto
-rw-r--r--. 1 root root      65 Aug 23 19:41 /usr/local/libexec/ipsec/.pluto.hmac

Hmm, first I blamed 'make install-base' but 'make install' also didn't
write the file there. I also don't see the .hmac file for pluto in
/usr/lib64/fipscheck.

It seems 'make install-fipshmac' installs it.

I guess that makes sense since we do this manually in the spec file for
rpm and otherwise the two would clash. So I think we should remove the
handling in the spec file and have install-fipshmac called when invoking
'install' or 'install-base'. Although depending on the fipscheck
version, we want the hmac file in a different location. Perhaps a
variable we can set in make/rpm?

Paul
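
Added example, not part of the original message or of the libreswan build: a shell helper that finds the fipscheck HMAC file for a binary and reports whether it is older than the binary, as in the ls -l output above (pluto from Oct 1, .pluto.hmac from Aug 23). The function names are hypothetical, and the two candidate locations (.NAME.hmac beside the binary, NAME.hmac under /usr/lib64/fipscheck) are an assumption based on the paths mentioned in the message.

```shell
#!/bin/sh
# Added example: flag a fipscheck HMAC file that is missing or predates the
# binary it is supposed to cover.

# hmac_status BINARY [LIBDIR]
# Prints "missing", "stale <path>" or "fresh <path>" for the first HMAC file
# found. Candidate paths are an assumption: .NAME.hmac next to the binary,
# then NAME.hmac under LIBDIR (default /usr/lib64/fipscheck).
hmac_status() {
    bin=$1
    libdir=${2:-/usr/lib64/fipscheck}
    if [ ! -f "$bin" ]; then
        echo "no-binary"
        return 2
    fi
    dir=$(dirname -- "$bin")
    name=$(basename -- "$bin")
    for cand in "$dir/.$name.hmac" "$libdir/$name.hmac"; do
        [ -f "$cand" ] || continue
        # A binary newer than its HMAC file was rebuilt or reinstalled
        # without the HMAC being regenerated.
        if [ "$bin" -nt "$cand" ]; then
            echo "stale $cand"
        else
            echo "fresh $cand"
        fi
        return 0
    done
    echo "missing"
}

# report_binary BINARY [LIBDIR]
# Prints the HMAC status and, when fipscheck is installed, its exit code
# (1 is "Checksum mismatch" according to the man page quoted above).
report_binary() {
    echo "$1: hmac $(hmac_status "$@")"
    if command -v fipscheck >/dev/null 2>&1; then
        rc=0
        fipscheck "$1" || rc=$?
        echo "$1: fipscheck exit $rc"
    fi
}
```

A "fresh" result only means the timestamps are plausible; fipscheck itself remains the authority on whether the checksum matches.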



On Sun, 30 Sep 2018 at 19:33, Paul Wouters <[email protected]> wrote:

#FIPS check failing?
algparse-01
algparse-02-fips

#FIPS startup failures
fips-03-ikev1-md5
fips-04-ikev2-md5
fips-06-ikev1-3des-sha1
fips-07-ikev2-3des-sha256
fips-09-ikev2-gcm
fips-10-ikev2-psk
fips-11-ikev2-esp-dh
fips-12-ikev2-esp-dh-wrong
fips-default-ikev1-01-nofips-east
fips-default-ikev1-02-nofips-west
fips-default-ikev2-01-nofips-east
fips-default-ikev2-02-nofips-west
