fipscheck(8) [centos man page]

FIPSCHECK(8)							     fipscheck							      FIPSCHECK(8)

NAME
fipscheck - perform a FIPS-140-2 validation check of one or more files

SYNTAX
fipscheck [-s <hmac-suffix>] file1 [file2 ...]

DESCRIPTION
fipscheck will perform a FIPS-140-2 validation of a file using a stored checksum of the file.

The file containing the checksum value is first looked up in the /usr/lib{64,}/fipscheck directory and, if not found there, it is searched for in the same directory as the file being checksummed. The checksum file must have '.' prepended and '.hmac' appended to the original file name. The '.' must not be prepended to the file names in the /usr/lib{64,}/fipscheck directory.

If invoked correctly, the fipscheck command prints nothing to standard output or standard error and sets the return code based on the test result. A return code of 0 means the file passed the checksum test. A non-zero value means the checksum failed.

The -s option specifies the suffix of the hmac file names. The default value .hmac is used when this option is not specified.

RETURN CODES
fipscheck can return the following return codes:

0   Checksum OK
1   Checksum mismatch
2   Missing filename
3   Cannot open the checksum file
4   Cannot read the file to be checksummed, or the checksum computation failed
5   Memory allocation error
10 and higher - Failure during self-checking the libfipscheck.so shared library
20 and higher - Failure during self-checking the fipscheck binary

ENVIRONMENT VARIABLES
If you set the environment variable FIPSCHECK_DEBUG to "error", all error messages are sent to stderr. Setting this variable to "syslog" will send all error messages to the syslog daemon.

FIPS MODE
A kernel compiled with CONFIG_CRYPTO_FIPS=y can be booted in FIPS mode by specifying fips=1 as a kernel parameter. If the /boot directory resides on a different partition, this needs to be specified, for example boot=/dev/sda2.

SEE ALSO
fipshmac(8), fipscheck.h(3), https://fedorahosted.org/fipscheck/

AUTHOR
Tomas Mraz <tmraz@redhat.com>. Man page by Paul Wouters <pwouters@redhat.com>

COPYRIGHT
Copyright 2008, 2012 Red Hat, Inc. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

fipscheck							   April 11, 2012						      FIPSCHECK(8)

FIPSCHECK(3)							     fipscheck							      FIPSCHECK(3)

NAME
FIPSCHECK_verify, FIPSCHECK_verify_ex, FIPSCHECK_verify_files, FIPSCHECK_verify_files_ex, FIPSCHECK_fips_module_installed, FIPSCHECK_get_binary_path, FIPSCHECK_get_library_path, FIPSCHECK_kernel_fips_mode, fipscheck.h - Various functions relating to running in FIPS mode

SYNOPSIS
#include <fipscheck.h>

int FIPSCHECK_verify(const char *libname, const char *symbolname);
int FIPSCHECK_verify_ex(const char *libname, const char *symbolname, const char *hmac_suffix, int fail_if_missing);
int FIPSCHECK_verify_files(const char *files[]);
int FIPSCHECK_verify_files_ex(const char *hmac_suffix, int fail_if_missing, const char *files[]);
int FIPSCHECK_fips_module_installed(const char *libname, const char *symbolname, const char *hmac_suffix);
int FIPSCHECK_get_binary_path(char *path, size_t pathlen);
int FIPSCHECK_get_library_path(const char *libname, const char *symbolname, char *path, size_t pathlen);
int FIPSCHECK_kernel_fips_mode(void);

DESCRIPTION
The function FIPSCHECK_kernel_fips_mode() tests for the FIPS-140-2 mode in the kernel.

The function FIPSCHECK_verify() computes and compares the HMAC-SHA256 checksum by spawning the fipscheck command. The parameters libname and symbolname determine which shared library file loaded into the process space will be checksummed. If these parameters are set to NULL, the executable of the calling process is checksummed.

The function FIPSCHECK_verify_ex(), in addition to the functionality above, also allows specifying the full hmac_suffix, with the default value of .hmac, and will return success if the hmac file is missing and the fail_if_missing parameter is set to 0.

The function FIPSCHECK_verify_files() can be used to explicitly specify a NULL-terminated array of file names to check in the parameter files. Similarly, the function FIPSCHECK_verify_files_ex(), in addition to the functionality above, also allows specifying the full hmac_suffix, with the default value of .hmac, and will return success if the first hmac file is missing and the fail_if_missing parameter is set to 0.

The checksum file contains the HMAC-SHA256 encoded in hexadecimal notation using lowercase letters with one EOL character appended at the end.

The function FIPSCHECK_fips_module_installed() returns 1 if the hmac checksum file is found and 0 otherwise.

The functions FIPSCHECK_get_library_path() and FIPSCHECK_get_binary_path() return the shared library and executable paths in the path parameter. The buffer pointed to by the parameter must be large enough to hold the path; otherwise the path is truncated. The size of the buffer is specified by pathlen.

RETURN VALUE
The main functions FIPSCHECK_verify() and FIPSCHECK_verify_files() return 1 when the verification of the binaries succeeds and 0 otherwise.

The function FIPSCHECK_kernel_fips_mode() returns 1 when the kernel is in fips mode and 0 otherwise.

The auxiliary functions FIPSCHECK_get_binary_path() and FIPSCHECK_get_library_path() return 0 on success and -1 if the path cannot be determined.

FIPS MODE
A kernel compiled with CONFIG_CRYPTO_FIPS=y can be booted in FIPS mode by specifying fips=1 as a kernel parameter. Please refer to the security policy of the Kernel FIPS module for further details.

SEE ALSO
fipscheck(8), fipshmac(8), https://fedorahosted.org/fipscheck/

AUTHOR
Tomas Mraz <tmraz@redhat.com>. Man page authors Paul Wouters <pwouters@redhat.com> and Tomas Mraz <tmraz@redhat.com>.

COPYRIGHT
Copyright 2008, 2012 Red Hat, Inc. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

fipscheck							   16 April 2012						      FIPSCHECK(3)
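
The checksum-file lookup order, the checksum-file format and return codes 0 to 4 described in fipscheck(8) and fipscheck.h(3) above, modelled in Python. This is an added example, not code from fipscheck or its authors. Assumptions: the HMAC key is supplied by the caller (the man pages do not state the key fipscheck uses), a malformed checksum file is reported as a mismatch, and the names hmac_candidates and verify are hypothetical.

```python
import hashlib
import hmac
import os
import re

# Return codes named after the RETURN CODES list in fipscheck(8).
OK, MISMATCH, NO_FILENAME, NO_HMAC_FILE, UNREADABLE = 0, 1, 2, 3, 4
LIB_DIRS = ("/usr/lib64/fipscheck", "/usr/lib/fipscheck")
# Strict checksum-file format: 64 lowercase hex digits plus exactly one EOL.
HMAC_RE = re.compile(rb"[0-9a-f]{64}\n")


def hmac_candidates(path, suffix=".hmac", lib_dirs=LIB_DIRS):
    """Lookup order: lib dirs (no leading '.'), then the file's own dir ('.' prepended)."""
    d, base = os.path.split(path)
    cands = [os.path.join(lib, base + suffix) for lib in lib_dirs]
    cands.append(os.path.join(d, "." + base + suffix))
    return cands


def verify(path, key, suffix=".hmac", lib_dirs=LIB_DIRS):
    """Model of the check; returns a fipscheck(8)-style return code."""
    if not path:
        return NO_FILENAME
    stored = None
    for cand in hmac_candidates(path, suffix, lib_dirs):
        try:
            with open(cand, "rb") as fh:
                stored = fh.read()
            break  # the first checksum file found wins
        except OSError:
            continue
    if stored is None:
        return NO_HMAC_FILE
    try:
        with open(path, "rb") as fh:
            digest = hmac.new(key, fh.read(), hashlib.sha256).hexdigest()
    except OSError:
        return UNREADABLE
    # Assumption: a malformed checksum file counts as a mismatch.
    if not HMAC_RE.fullmatch(stored):
        return MISMATCH
    # Constant-time comparison of the stored and computed hex strings.
    return OK if hmac.compare_digest(stored[:-1], digest.encode()) else MISMATCH


if __name__ == "__main__":  # usage: script FILE; the key below is constructed
    import sys
    sys.exit(verify(sys.argv[1] if sys.argv[1:] else "", b"constructed-demo-key"))
```

Because the key is a constructed placeholder, this model will not validate the .hmac files shipped with a distribution; it is useful for auditing where a checksum file would be picked up from and whether its format is well-formed.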