On 01/22/2010 11:11 AM, Ralf Corsepius wrote: >> - in some circumstances (government, regulated companies) encryption >> must be certified to the FIPS 140-2 standard > > I don't know this "standard". Well, FIPS 140-2 is a requirement put out by US federal government that every piece of encryption used by the government (including I think the military) must conform to. Since the US is arguably leading in the 'official' cryptography, FIPS 140-2 is often adopted worldwide whenever a formal cryptography qualification is required. It's not exactly hard to find out about it: http://en.wikipedia.org/wiki/FIPS_140-2 http://csrc.nist.gov/groups/STM/cmvp/standards.html#02 > May-be this "fips standard" collides with the FHS, may-be this standard > is defective? ... > Does it really mandate pollution /usr/bin and thus $PATH? OK, I see, you don't object to the checksums in principle, just to the location of the files. I don't believe that FIPS requires a specific location for the checksums---it's just that they are to be found somewhere. I can see two possible solutions: - fipscheck looks for the checksum in some standard location, for instance /lib/lib64/hmac/usr/bin/xyz, similar to how it was done in RHEL5 - we find a way to stick the checksum in the executable itself, either by being clever about computing a checksum that will agree with the executable AFTER the checksum is written in (I have no idea how to do that) or by excluding the checksum field from the checksum calculation. Both seem to be an 'upstream' issues. Question to Jared Wilson: was the RHEL solution you talked about done upstream or as a patch in the RHEL package? NB, when I try to validate the binaries, I get [root@localhost]# FIPSCHECK_DEBUG=error fipscheck /usr/bin/fipscheck fipscheck: FIPS_mode_set() failed with the exit code 14, implying that the self-test of the libfipscheck library failed. Also, the checksums don't match: [root@localhost]# sha256sum /usr/bin/fipscheck f7a11277bcfb470dba958b9f1c5bc54b9af2bbec2f4e64af96673bb63b51b58a does not agree with the stored SHA [root@localhost]# cat /usr/bin/.fipscheck.hmac e817bd09307c10a9d53cca95f73dd694cbf0cefebc452e515406eee0226b11a6 Is my crypto compromised :) ? -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
