On Tue, 2 Oct 2018 at 19:50, Paul Wouters <[email protected]> wrote:
>
> On Mon, 1 Oct 2018, Andrew Cagney wrote:
>
> > I'm not seeing these FIPS failures?
>
> Odd.
>
> I see:
>
> [root@west ~]# /usr/bin/fipscheck /usr/local/libexec/ipsec/pluto
> [root@west ~]# echo $?
> 1
>
> According to the man page this means: 1 Checksum mismatch
>
> [root@west ~]# ls -l /usr/local/libexec/ipsec/pluto /usr/local/libexec/ipsec/.pluto.hmac
> -rwxr-xr-x. 1 root root 8424104 Oct 1 19:46 /usr/local/libexec/ipsec/pluto
> -rw-r--r--. 1 root root 65 Aug 23 19:41 /usr/local/libexec/ipsec/.pluto.hmac
>
> Hmm, first I blamed 'make install-base' but 'make install' also didn't
> write the file there. I also don't see the .hmac file for pluto in
> /usr/lib64/fipscheck
>
> It seems 'make install-fipshmac' installs it.
>
> I guess that makes sense since we do this manually in the spec file for
> rpm and otherwise the two would clash. So I think we should remove the
> handling in the spec file and have install-fipshmac called when invoking
> 'install' or 'install-base'. Although depending on the fipscheck
> version, we want the hmac file in a different location. Perhaps a
> variable we can set in make/rpm ?
Yea, it was a quick hack. It could test USE_FIPSCHECK and just 'dtrt'. Except, for RPMs, running fipshmac may not be the right thing. RPMs want the program installed un-stripped, so that they can first wave magic at it (creating things like separate debug info), and only after that run fipshmac. However, it probably wouldn't hurt and would be more intuitive.
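Added example, not code from the thread or from libreswan: a small Python re-check of the fipscheck scheme that tells a stale .hmac (the Aug 23 file beside the Oct 1 pluto above, which is what "1 Checksum mismatch" reports) apart from a missing one, looking in the two locations the thread names. It assumes fipscheck's HMAC-SHA256 over the file with upstream's fixed key (from memory, so the key is a parameter) and a file of 64 hex characters plus a newline, which matches the 65-byte .pluto.hmac in the listing.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Upstream fipscheck's fixed key (assumption from memory; the thread does not state it).
FIPSCHECK_KEY = b"orboDeJITITejsirpADONivirpUkvarP"

def file_hmac(path, key=FIPSCHECK_KEY):
    """Hex HMAC-SHA256 of the file: 64 hex chars, plus newline = the 65-byte file above."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            mac.update(chunk)
    return mac.hexdigest()

def hmac_candidates(binary, libdir="/usr/lib64/fipscheck"):
    """Where the thread looks: .<name>.hmac beside the binary, then <libdir>/<name>.hmac."""
    d, name = os.path.split(os.path.abspath(binary))
    return [os.path.join(d, "." + name + ".hmac"), os.path.join(libdir, name + ".hmac")]

def check(binary, libdir="/usr/lib64/fipscheck", key=FIPSCHECK_KEY):
    """Return ('ok' | 'mismatch' | 'missing', path of the .hmac used or None)."""
    for path in hmac_candidates(binary, libdir):
        if os.path.isfile(path):
            with open(path) as f:
                stored = f.read().strip()
            ok = hmac.compare_digest(stored, file_hmac(binary, key))
            return ("ok" if ok else "mismatch", path)
    return ("missing", None)

def write_hmac(binary, key=FIPSCHECK_KEY):
    """What 'make install-fipshmac' does: write .<name>.hmac beside the binary."""
    path = hmac_candidates(binary)[0]
    with open(path, "w") as f:
        f.write(file_hmac(binary, key) + "\n")
    return path

def demo():
    """Constructed run: no .hmac, then a fresh .hmac, then a reinstalled binary with a stale .hmac."""
    with tempfile.TemporaryDirectory() as d:
        pluto = os.path.join(d, "pluto")
        Path(pluto).write_bytes(b"build 1")
        before = check(pluto, libdir=d)[0]
        size = os.path.getsize(write_hmac(pluto))
        fresh = check(pluto, libdir=d)[0]
        Path(pluto).write_bytes(b"build 2")  # reinstalled binary, .hmac not refreshed
        stale = check(pluto, libdir=d)[0]
    return before, fresh, stale, size
```

Run `check("/usr/local/libexec/ipsec/pluto")` after an install to confirm the .hmac was regenerated together with the binary rather than left over from an earlier build.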
