[Swan-dev] issues based on last night's laptop run that need to be fixed / explained before release
Paul Wouters
paul at nohats.ca
Tue Oct 2 23:50:49 UTC 2018
On Mon, 1 Oct 2018, Andrew Cagney wrote:
> I'm not seeing these FIPS falures?
Odd.
I see:
[root at west ~]# /usr/bin/fipscheck /usr/local/libexec/ipsec/pluto
[root at west ~]# echo $?
1
According to the man page this means: 1 Checksum mismatch
[root at west ~]# ls -l /usr/local/libexec/ipsec/pluto /usr/local/libexec/ipsec/.pluto.hmac
-rwxr-xr-x. 1 root root 8424104 Oct 1 19:46 /usr/local/libexec/ipsec/pluto
-rw-r--r--. 1 root root 65 Aug 23 19:41 /usr/local/libexec/ipsec/.pluto.hmac
Hmm, First I blamed 'make install-base' but 'make install' also didn't
write the file there. I also don't see the .hmac file for pluto in /usr/lib64/fipscheck
It seems 'make install-fipshmac' installs it.
I guess that makes sense since we do this manually in the spec file for
rpm and otherwise the two would clash. So I think we should remove the
handling in the spec file and have install-fipsmac called when invoking
'install' or 'install-base'. Although depending on the fipscheck
version, we want the hmac file in a different location. Perhaps a
variable we can set in make/rpm ?
Paul
> On Sun, 30 Sep 2018 at 19:33, Paul Wouters <paul at nohats.ca> wrote:
>
>> #FIPS check fialing?
>> algparse-01
>> algparse-02-fips
>
>> #FIPS startup failures
>> fips-03-ikev1-md5
>> fips-04-ikev2-md5
>> fips-06-ikev1-3des-sha1
>> fips-07-ikev2-3des-sha256
>> fips-09-ikev2-gcm
>> fips-10-ikev2-psk
>> fips-11-ikev2-esp-dh
>> fips-12-ikev2-esp-dh-wrong
>> fips-default-ikev1-01-nofips-east
>> fips-default-ikev1-02-nofips-west
>> fips-default-ikev2-01-nofips-east
>> fips-default-ikev2-02-nofips-west
>
More information about the Swan-dev
mailing list