FIPSCHECK project
=================

This package contains a library (libfipscheck) and helper binaries which
implement the integrity check of libraries and binaries as required by
FIPS-140-2 validated modules.

The integrity check is only one of many requirements needed for validation
of a software cryptographic module.

Dependencies
============

The package depends on the OpenSSL library for its operation.

Commands
========

fipshmac [-d <path-to-destination-dir>] [-s <hmac-suffix>] <filenames-to-be-checksummed>

This command will create a checksum file in the same directory as the file
which is being checksummed. It will prepend '.' and append <hmac-suffix> to the
original file name. If the suffix is not specified, '.hmac' is used.

* return values (exit codes):
    0 - OK
    2 - Missing filename
    3 - Cannot open the checksum file
    4 - Cannot read the file to be checksummed, or the checksum computation failed
    5 - Memory allocation error
    6,7 - Cannot write to the checksum file

If invoked correctly, the fipshmac command will not print anything to the
standard output or error. Otherwise it will print an error message to stderr.

If a destination directory is specified with -d, the resulting files will be put
into it and '.' will not be prepended to the file names.

fipscheck [-s <hmac-suffix>] <filenames-to-be-checksummed>

This command will verify a checksum of a file. The file containing the checksum
value is first looked up in the /usr/lib{64,}/fipscheck directory and, if not
found there, in the same directory as the file which is being checksummed.
The checksum file must have '.' prepended and <hmac-suffix> appended to the original
file name. The '.' must not be prepended to the file names in the
/usr/lib{64,}/fipscheck directory. If the suffix is not specified, '.hmac' is used.

* return values (exit codes):
    0 - OK
    1 - Checksum mismatch
    2 - Missing filename
    3 - Cannot open the checksum file
    4 - Cannot read the file to be checksummed, or the checksum computation failed
    5 - Memory allocation error
    10 and higher - Failure during self-checking the libfipscheck.so shared library
    20 and higher - Failure during self-checking the fipscheck binary

If invoked correctly, the fipscheck command will not print anything to the
standard output or error. If you set the environment variable FIPSCHECK_DEBUG to
the value "syslog", it will send any error messages to the syslog. If you set
it to the value "error", it will send them to stderr.

Library API
===========

See the man 3 fipscheck.h manual page for a description of the fipscheck library API.

Format of the checksum file
===========================

The file contains the HMAC-SHA256 value encoded in hexadecimal notation with
lowercase letters, with one EOL character appended.
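
The naming, lookup order and file format described above, as an added Python example (not code from the fipscheck project). The function names are hypothetical, the HMAC key is supplied by the caller because this README does not state it, `central_dir` stands in for the /usr/lib{64,}/fipscheck directory, and the exact-bytes comparison is this example's choice.

```python
import hashlib
import hmac
import os

SUFFIX = ".hmac"  # default suffix named in the README


def checksum_name(path, suffix=SUFFIX, dest_dir=None):
    """fipshmac naming: '.<name><suffix>' beside the file, or
    '<name><suffix>' (no leading dot) inside dest_dir when -d is used."""
    directory, name = os.path.split(path)
    if dest_dir is not None:
        return os.path.join(dest_dir, name + suffix)
    return os.path.join(directory, "." + name + suffix)


def lookup_order(path, central_dir, suffix=SUFFIX):
    """fipscheck search order: the central directory first (no dot),
    then the directory of the checked file (leading dot)."""
    return [checksum_name(path, suffix, dest_dir=central_dir),
            checksum_name(path, suffix)]


def render(data, key):
    """Checksum file content: lowercase hex HMAC-SHA256 plus one EOL."""
    return hmac.new(key, data, hashlib.sha256).hexdigest().encode() + b"\n"


def verify(path, key, central_dir, suffix=SUFFIX):
    """Return the matching fipscheck exit code from the README: 0, 1, 3 or 4."""
    stored = None
    for candidate in lookup_order(path, central_dir, suffix):
        try:
            with open(candidate, "rb") as fh:
                stored = fh.read()
            break  # the first checksum file found wins
        except OSError:
            continue
    if stored is None:
        return 3  # cannot open the checksum file
    try:
        with open(path, "rb") as fh:
            expected = render(fh.read(), key)
    except OSError:
        return 4  # cannot read the file to be checksummed
    # Constant-time comparison of the stored and recomputed values.
    return 0 if hmac.compare_digest(stored, expected) else 1
```

Because the central directory is consulted first, a checksum file placed there takes precedence over the dot-file next to the binary, so both locations need the same write protection as the module itself.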