Re: FC12: Hidden files in /usr/bin/*

On 01/22/2010 11:11 AM, Ralf Corsepius wrote:
>> - in some circumstances (government, regulated companies) encryption
>>      must be certified to the FIPS 140-2 standard
>
> I don't know this "standard".

Well, FIPS 140-2 is a requirement put out by the US federal government that 
every piece of encryption used by the government (including I think the 
military) must conform to. Since the US is arguably leading in the 
'official' cryptography, FIPS 140-2 is often adopted worldwide whenever 
a formal cryptography qualification is required. It's not exactly hard 
to find out about it:

http://en.wikipedia.org/wiki/FIPS_140-2
http://csrc.nist.gov/groups/STM/cmvp/standards.html#02

> Maybe this "fips standard" collides with the FHS, maybe this standard
> is defective?
...
> Does it really mandate polluting /usr/bin and thus $PATH?

OK, I see, you don't object to the checksums in principle, just to the 
location of the files. I don't believe that FIPS requires a specific 
location for the checksums---it's just that they are to be found 
somewhere. I can see two possible solutions:

- fipscheck looks for the checksum in some standard location, for 
instance /lib/lib64/hmac/usr/bin/xyz, similar to how it was done in RHEL5

- we find a way to stick the checksum in the executable itself, either 
by being clever about computing a checksum that will agree with the 
executable AFTER the checksum is written in (I have no idea how to do 
that) or by excluding the checksum field from the checksum calculation.

Both seem to be 'upstream' issues. Question to Jared Wilson: was the 
RHEL solution you talked about done upstream or as a patch in the RHEL 
package?

NB, when I try to validate the binaries, I get

[root@localhost]# FIPSCHECK_DEBUG=error fipscheck /usr/bin/fipscheck
fipscheck: FIPS_mode_set() failed

with the exit code 14, implying that the self-test of the libfipscheck 
library failed. Also, the checksums don't match:

[root@localhost]# sha256sum /usr/bin/fipscheck
f7a11277bcfb470dba958b9f1c5bc54b9af2bbec2f4e64af96673bb63b51b58a

does not agree with the stored SHA

[root@localhost]# cat /usr/bin/.fipscheck.hmac
e817bd09307c10a9d53cca95f73dd694cbf0cefebc452e515406eee0226b11a6

Is my crypto compromised :) ?
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
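
Added example, not part of the original message and not fipscheck's own code: a sketch of the second option described above, where the checksum is stored inside the file and the checksum field is excluded from the calculation by zeroing it before computing the MAC. The key, the marker string and the sample "executable" bytes are constructed assumptions for illustration only.

```python
import hashlib
import hmac

# Constructed values for illustration; not fipscheck's real key or file layout.
KEY = b"constructed-demo-key"
MARKER = b"@@HMAC-FIELD@@"  # hypothetical tag that locates the embedded field
FIELD_LEN = hashlib.sha256().digest_size  # 32 bytes


def field_offset(image: bytes) -> int:
    """Offset of the digest field that follows the (single) marker."""
    if image.count(MARKER) != 1:
        raise ValueError("expected exactly one checksum marker")
    start = image.index(MARKER) + len(MARKER)
    if start + FIELD_LEN > len(image):
        raise ValueError("checksum field is truncated")
    return start


def mac_excluding_field(image: bytes) -> bytes:
    """HMAC-SHA256 over the image with the digest field replaced by zeros."""
    start = field_offset(image)
    blanked = image[:start] + bytes(FIELD_LEN) + image[start + FIELD_LEN:]
    return hmac.new(KEY, blanked, hashlib.sha256).digest()


def seal(image: bytes) -> bytes:
    """Write the MAC into the field; the field itself was not part of the MAC."""
    start = field_offset(image)
    return image[:start] + mac_excluding_field(image) + image[start + FIELD_LEN:]


def verify(image: bytes) -> bool:
    """Recompute with the field zeroed and compare in constant time."""
    try:
        start = field_offset(image)
        expected = mac_excluding_field(image)
    except ValueError:
        return False
    return hmac.compare_digest(image[start:start + FIELD_LEN], expected)


# Constructed stand-in for an executable: bytes, marker, empty field, bytes.
SAMPLE = b"\x7fELF..code.." + MARKER + bytes(FIELD_LEN) + b"..more code.."
SEALED = seal(SAMPLE)

if __name__ == "__main__":
    print("sealed verifies:  ", verify(SEALED))
    print("tampered verifies:", verify(SEALED.replace(b"more", b"MORE")))
    print("unsealed verifies:", verify(SAMPLE))
```

Because the field is zeroed on both the sealing and the verifying side, sealing an already sealed image leaves it unchanged, and any change outside the field makes verification fail.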
