[Openswan dev] _realsetup fipscheck stuff

Tuomo Soini tis at foobar.fi
Mon Jul 13 03:58:44 EDT 2009


I think this fipscheck stuff in _realsetup is wrong now. fipscheck
binary calls are run if system fips is enabled (proc has fips enabled).

But what if you want a non-nss version of openswan on a fips-enabled system?

Now _realsetup has fipscheck calls even when openswan is compiled
without USE_LIBNSS and USE_FIPSCHECK.

Compiling without USE_FIPSCHECK should mean no fipscheck calls in _realsetup.

What's the correct fix? I don't know. Should we have a _realsetup.fipscheck
which gets run by _realsetup if _realsetup was compiled with fipscheck
enabled, or is there a possibility to add the fipscheck parts of _realsetup.in
to _realsetup only if USE_FIPSCHECK was enabled at compile time?

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
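
The second option raised in the message (emit the fipscheck section into the generated script only when USE_FIPSCHECK was set at build time), sketched as an added example that is not part of the original post and not Openswan code. The marker comments, the template, and the FIPS_FLAG, FIPSCHECK and TARGET variables are hypothetical; FIPS_FLAG stands in for the kernel's /proc/sys/crypto/fips_enabled file.

```shell
#!/bin/sh
# Added illustration. Marker names, variable names and the template are
# constructed for this example; they are not taken from Openswan's _realsetup.in.

# render_setup TEMPLATE USE_FIPSCHECK
# Keep the marked block only when the build enabled fipscheck; always drop markers.
render_setup() {
    if [ "$2" = "true" ]; then
        sed -e '/^#@FIPSCHECK_BEGIN@$/d' -e '/^#@FIPSCHECK_END@$/d' "$1"
    else
        sed -e '/^#@FIPSCHECK_BEGIN@$/,/^#@FIPSCHECK_END@$/d' "$1"
    fi
}

# write_template FILE: constructed stand-in for a setup-script template.
# The guarded block runs the integrity check only when the host is in FIPS mode.
write_template() {
    cat > "$1" <<'EOF'
#!/bin/sh
#@FIPSCHECK_BEGIN@
if [ "$(cat "$FIPS_FLAG" 2>/dev/null)" = "1" ]; then
    "$FIPSCHECK" "$TARGET" || { echo "fipscheck failed"; exit 1; }
fi
#@FIPSCHECK_END@
echo "starting"
EOF
}

# run_build USE_FIPSCHECK FLAG_VALUE FIPSCHECK_CMD
# Render the template for one build setting, run it on a simulated host,
# and return the generated script's exit status.
run_build() {
    dir=$(mktemp -d) || return 2
    write_template "$dir/setup.in"
    render_setup "$dir/setup.in" "$1" > "$dir/setup"
    printf '%s\n' "$2" > "$dir/fips_enabled"
    FIPS_FLAG="$dir/fips_enabled" FIPSCHECK="$3" TARGET="$dir/setup" \
        sh "$dir/setup" && rc=0 || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Simulated FIPS host where verification fails ("false" stands in for fipscheck).
run_build true 1 false || echo "fipscheck build refused to start (status $?)"
run_build false 1 false   # non-fipscheck build: no check emitted, script starts
```
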

