strongswan/fips-enforce.conf

#
# When fips is enabled (fips=1 kernel parameter), only certified openssl
# and kernel crypto API (af-alg) algorithms are supported.
#
# The strongswan-hmac package is supposed to be used/installed when fips
# is enabled and provides the hmac hashes, a "ipsec _fipscheck" script
# verifying the components and this blacklist disabling other plugins
# providing further and/or alternative algorithm implementations.
#
gcrypt {
    load = no
}
blowfish {
    load = no
}
random {
    load = no
}
des {
    load = no
}
aes {
    load = no
}
rc2 {
    load = no
}
ctr {
    load = no
}
cmac {
    load = no
}
xcbc {
    load = no
}
md4 {
    load = no
}
md5 {
    load = no
}
sha1 {
    load = no
}
sha2 {
    load = no
}
ccm {
    load = no
}
- Added generation of fips hmac hash files using fipshmac utility and a _fipscheck script to verify binaries/libraries/plugings shipped in the strongswan-hmac package. With enabled fips in the kernel, the ipsec script will call it before any action or in a enforced/manual "ipsec _fipscheck" call. Added config file to load openssl and kernel af-alg plugins, but not all the other modules which provide further/alternative algs. Applied a filter disallowing non-approved algorithms in fips mode. (fate#316931,bnc#856322). [+ strongswan_fipscheck.patch, strongswan_fipsfilter.patch] - Fixed file list in the optional (disabled) strongswan-test package. - Fixed build of the strongswan built-in integrity checksum library and enabled building it only on architectures tested to work. - Fix to use bug number 897048 instead 856322 in last changes entry. - Applied an upstream patch reverting to store algorithms in the registration order again as ordering them by identifier caused weaker algorithms to be proposed first by default (bsc#897512). [+0001-restore-registration-algorithm-order.bug897512.patch] OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=77 2014-11-21 13:01:59 +01:00			`#`
			`# When fips is enabled (fips=1 kernel parameter), only certified openssl`
			`# and kernel crypto API (af-alg) algorithms are supported.`
			`#`
			`# The strongswan-hmac package is supposed to be used/installed when fips`
			`# is enabled and provides the hmac hashes, a "ipsec _fipscheck" script`
			`# verifying the components and this blacklist disabling other plugins`
			`# providing further and/or alternative algorithm implementations.`
			`#`
			`gcrypt {`
			`load = no`
			`}`
			`blowfish {`
			`load = no`
			`}`
			`random {`
			`load = no`
			`}`
			`des {`
			`load = no`
			`}`
			`aes {`
			`load = no`
			`}`
			`rc2 {`
			`load = no`
			`}`
			`ctr {`
			`load = no`
			`}`
			`cmac {`
			`load = no`
			`}`
			`xcbc {`
			`load = no`
			`}`
			`md4 {`
			`load = no`
			`}`
			`md5 {`
			`load = no`
			`}`
			`sha1 {`
			`load = no`
			`}`
			`sha2 {`
			`load = no`
			`}`
			`ccm {`
			`load = no`
			`}`