FIPS: make it possible to specify the fipshmac binary #64
Conversation
Yes indeed. At the moment the hmac key must be specified/changed at two places. We may move the key into a separate file, as you suggest. I'm not sure about introducing a new dependency to fipshmac, but I'll check. |
|
The idea of this patch is that on fips-free distribution or in CI environment you can test with openssl and when you use fips you will likely have fipshmac available. Not a great solution only checking the existence of the tool, though. It seems other utilities for fips handling exist, too. |
hramrach
force-pushed
the
master
branch
2 times, most recently
from
6240b03
to
1b3e0bd
Compare
Signed-off-by: Michal Suchanek <[email protected]>
hramrach
changed the title
|
This passes both on the CI and in the distro with FIPSHMAC=fipshmac and looks like overall improvement to readability. |
When patched with the distribution key the openssl script creating hmac with zero key does not work and all tests fail.
This makes the openssl invocation into a separate script which can be replaced by dstribution-provided fipshmac passed as FIPSHMAC make variable.
I considered writing a test program that includes fips.c and prints the key but that does not work with cross-compilation.
Storing the key in a separate file so that it can be both included in fips.c and used in the openssl script might be also an option.