FIPSCHECK(3)                       fipscheck                      FIPSCHECK(3)

NAME

       FIPSCHECK_verify, FIPSCHECK_verify_ex, FIPSCHECK_verify_files,
       FIPSCHECK_verify_files_ex, FIPSCHECK_fips_module_installed,
       FIPSCHECK_get_binary_path, FIPSCHECK_get_library_path,
       FIPSCHECK_kernel_fips_mode, fipscheck.h - Various functions relating to
       running in FIPS mode

SYNOPSIS

       #include <fipscheck.h>

       int FIPSCHECK_verify(const char *libname, const char *symbolname);

       int FIPSCHECK_verify_ex(const char *libname, const char *symbolname,
                               const char *hmac_suffix, int fail_if_missing);

       int FIPSCHECK_verify_files(const char *files[]);

       int FIPSCHECK_verify_files_ex(const char *hmac_suffix,
                                     int fail_if_missing,
                                     const char *files[]);

       int FIPSCHECK_fips_module_installed(const char *libname,
                                           const char *symbolname,
                                           const char *hmac_suffix);

       int FIPSCHECK_get_binary_path(char *path, size_t pathlen);

       int FIPSCHECK_get_library_path(const char *libname,
                                      const char *symbolname, char *path,
                                      size_t pathlen);

       int FIPSCHECK_kernel_fips_mode(void);

DESCRIPTION

       The function FIPSCHECK_kernel_fips_mode() tests whether the kernel is
       running in FIPS-140-2 mode.

       The function FIPSCHECK_verify() computes and compares an HMAC-SHA256
       checksum by spawning the fipscheck command. The parameters libname and
       symbolname determine which shared library file loaded into the process
       space will be checksummed. If these parameters are set to NULL, the
       executable of the calling process is checksummed.

       The function FIPSCHECK_verify_ex() provides the functionality above
       and additionally allows the caller to specify the full hmac_suffix,
       whose default value is .hmac. It returns success if the hmac file is
       missing and the fail_if_missing parameter is set to 0.

       The function FIPSCHECK_verify_files() can be used to explicitly specify
       a NULL-terminated array of file names to check in the parameter files.

       Similarly, the function FIPSCHECK_verify_files_ex() provides the
       functionality above and additionally allows the caller to specify the
       full hmac_suffix, whose default value is .hmac. It returns success if
       the first hmac file is missing and the fail_if_missing parameter is
       set to 0.

       The checksum file contains the HMAC-SHA256 encoded in hexadecimal
       notation using lowercase letters with one EOL character appended at the
       end.

       The function FIPSCHECK_fips_module_installed() returns 1 if the hmac
       checksum file is found and 0 otherwise.

       The functions FIPSCHECK_get_library_path() and
       FIPSCHECK_get_binary_path() return the shared library and executable
       paths in the path parameter. The buffer pointed to by the parameter
       must be large enough to hold the path; otherwise the path is
       truncated. The size of the buffer is specified by pathlen.
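
       The checksum file format and the fail_if_missing behaviour described
       above, as an added example (not code from fipscheck or from this man
       page): a strict reader that accepts only 64 lowercase hex digits plus
       one EOL and compares the decoded value without an early exit. The names
       parse_hmac_text() and check_hmac_file() and the caller-supplied
       expected digest are hypothetical; computing the HMAC is not shown, and
       whether fipscheck itself parses this strictly is not stated here.

```c
/* Added example: strict reader for a fipscheck-style checksum file. */
#include <errno.h>
#include <stdio.h>

#define DIGEST_LEN 32                 /* HMAC-SHA256 output size in bytes */
#define HEX_LEN (2 * DIGEST_LEN)      /* hex digits in the checksum file */

/* Value of one lowercase hex digit, or -1 (uppercase is rejected). */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Parse exactly 64 lowercase hex digits followed by one '\n'.
 * Returns 0 and fills out[] on success, -1 on any deviation. */
int parse_hmac_text(const char *buf, size_t len, unsigned char out[DIGEST_LEN])
{
    if (len != HEX_LEN + 1 || buf[HEX_LEN] != '\n') return -1;
    for (size_t i = 0; i < DIGEST_LEN; i++) {
        int hi = hexval(buf[2 * i]), lo = hexval(buf[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (unsigned char)((hi << 4) | lo);
    }
    return 0;
}

/* Hypothetical helper: 1 = verified, 0 = failed, the same convention as
 * FIPSCHECK_verify_ex(). `expected` is the HMAC-SHA256 the caller computed
 * over the protected file (assumption: computed elsewhere, not shown). */
int check_hmac_file(const char *hmac_path,
                    const unsigned char expected[DIGEST_LEN],
                    int fail_if_missing)
{
    char buf[HEX_LEN + 2];            /* one spare byte exposes trailing data */
    unsigned char stored[DIGEST_LEN], diff = 0;
    FILE *f = fopen(hmac_path, "rb");
    if (!f)                           /* only "no such file" may be tolerated */
        return (errno == ENOENT && !fail_if_missing) ? 1 : 0;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (parse_hmac_text(buf, n, stored) != 0) return 0;
    for (size_t i = 0; i < DIGEST_LEN; i++)   /* no early exit on mismatch */
        diff |= (unsigned char)(stored[i] ^ expected[i]);
    return diff == 0;
}
```

       Any open error other than a missing file is treated as failure. With
       fail_if_missing set to 0 a deleted checksum file counts as success, so
       callers that must enforce integrity pass 1.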

RETURN VALUE

       The main functions FIPSCHECK_verify() and FIPSCHECK_verify_files()
       return 1 when the verification of the binaries succeeds and 0
       otherwise. The function FIPSCHECK_kernel_fips_mode() returns 1 when the
       kernel is in fips mode and 0 otherwise.

       The auxiliary functions FIPSCHECK_get_binary_path() and
       FIPSCHECK_get_library_path() return 0 on success and -1 if the path
       cannot be determined.

FIPS MODE

       A kernel compiled with CONFIG_CRYPTO_FIPS=y can be booted in FIPS mode
       by specifying fips=1 as a kernel parameter. Please refer to the
       security policy of the Kernel FIPS module for further details.

SEE ALSO

       fipscheck(8), fipshmac(8), https://fedorahosted.org/fipscheck/

AUTHOR

       Tomas Mraz <tmraz@redhat.com>.

       Man page authors Paul Wouters <pwouters@redhat.com> and Tomas Mraz
       <tmraz@redhat.com>.

       Copyright 2008, 2012 Red Hat, Inc. All rights reserved.

       Redistribution and use in source and binary forms, with or without
       modification, are permitted provided that the following conditions are
       met:

       1. Redistributions of source code must retain the above copyright
       notice, this list of conditions and the following disclaimer.

       2. Redistributions in binary form must reproduce the above copyright
       notice, this list of conditions and the following disclaimer in the
       documentation and/or other materials provided with the distribution.

fipscheck                        16 April 2012                    FIPSCHECK(3)