strongswan/strongswan_fipscheck.patch

--- src/ipsec/_ipsec.in
+++ src/ipsec/_ipsec.in	2014/11/07 11:28:25
@@ -44,6 +44,26 @@ export IPSEC_DIR IPSEC_BINDIR IPSEC_SBIN
 
 IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"
 
+fipscheck()
+{
+	# when fips operation mode is not enabled, just report OK
+	read 2>/dev/null fips_enabled < /proc/sys/crypto/fips_enabled
+	test "X$fips_enabled" = "X1"    || return 0
+
+	# complain when _fipscheck is missed
+	test -x "$IPSEC_DIR/_fipscheck" || {
+		echo "ipsec: please install strongswan-hmac package required in fips mode" >&2
+		return 4
+	}
+
+	# now execute it
+	$IPSEC_DIR/_fipscheck || {
+		rc=$?
+		echo "ipsec: strongSwan fips file integrity check failed" >&2
+		return $rc
+	}
+}
+
 case "$1" in
 '')
 	echo "Usage: $IPSEC_SCRIPT command argument ..."
@@ -166,6 +186,7 @@ rereadall|purgeocsp|listcounters|resetco
 	shift
 	if [ -e $IPSEC_CHARON_PID ]
 	then
+		fipscheck || exit $?
 		$IPSEC_STROKE "$op" "$@"
 		rc="$?"
 	fi
@@ -175,6 +196,7 @@ purgeike|purgecrls|purgecerts)
 	rc=7
 	if [ -e $IPSEC_CHARON_PID ]
 	then
+		fipscheck || exit $?
 		$IPSEC_STROKE "$1"
 		rc="$?"
 	fi
@@ -208,6 +230,7 @@ route|unroute)
 	fi
 	if [ -e $IPSEC_CHARON_PID ]
 	then
+		fipscheck || exit $?
 		$IPSEC_STROKE "$op" "$1"
 		rc="$?"
 	fi
@@ -217,6 +240,7 @@ secrets)
 	rc=7
 	if [ -e $IPSEC_CHARON_PID ]
 	then
+		fipscheck || exit $?
 		$IPSEC_STROKE rereadsecrets
 		rc="$?"
 	fi
@@ -224,6 +248,7 @@ secrets)
 	;;
 start)
 	shift
+	fipscheck || exit $?
 	if [ -d /var/lock/subsys ]; then
 		touch /var/lock/subsys/ipsec
 	fi
@@ -297,6 +322,7 @@ up)
 	rc=7
 	if [ -e $IPSEC_CHARON_PID ]
 	then
+		fipscheck || exit $?
 		$IPSEC_STROKE up "$1"
 		rc="$?"
 	fi
@@ -332,6 +358,11 @@ esac
 cmd="$1"
 shift
 
+case $cmd in
+_fipscheck|_copyright|pki) ;;
+*) fipscheck || exit $?	;;
+esac
+
 path="$IPSEC_DIR/$cmd"
 
 if [ ! -x "$path" ]
- Added generation of fips hmac hash files using fipshmac utility and a _fipscheck script to verify binaries/libraries/plugings shipped in the strongswan-hmac package. With enabled fips in the kernel, the ipsec script will call it before any action or in a enforced/manual "ipsec _fipscheck" call. Added config file to load openssl and kernel af-alg plugins, but not all the other modules which provide further/alternative algs. Applied a filter disallowing non-approved algorithms in fips mode. (fate#316931,bnc#856322). [+ strongswan_fipscheck.patch, strongswan_fipsfilter.patch] - Fixed file list in the optional (disabled) strongswan-test package. - Fixed build of the strongswan built-in integrity checksum library and enabled building it only on architectures tested to work. - Fix to use bug number 897048 instead 856322 in last changes entry. - Applied an upstream patch reverting to store algorithms in the registration order again as ordering them by identifier caused weaker algorithms to be proposed first by default (bsc#897512). [+0001-restore-registration-algorithm-order.bug897512.patch] OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=77 2014-11-21 13:01:59 +01:00			`--- src/ipsec/_ipsec.in`
			`+++ src/ipsec/_ipsec.in 2014/11/07 11:28:25`
			`@@ -44,6 +44,26 @@ export IPSEC_DIR IPSEC_BINDIR IPSEC_SBIN`

			`IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"`

			`+fipscheck()`
			`+{`
			`+ # when fips operation mode is not enabled, just report OK`
			`+ read 2>/dev/null fips_enabled < /proc/sys/crypto/fips_enabled`
			`+ test "X$fips_enabled" = "X1" \|\| return 0`
			`+`
			`+ # complain when _fipscheck is missed`
			`+ test -x "$IPSEC_DIR/_fipscheck" \|\| {`
			`+ echo "ipsec: please install strongswan-hmac package required in fips mode" >&2`
			`+ return 4`
			`+ }`
			`+`
			`+ # now execute it`
			`+ $IPSEC_DIR/_fipscheck \|\| {`
			`+ rc=$?`
			`+ echo "ipsec: strongSwan fips file integrity check failed" >&2`
			`+ return $rc`
			`+ }`
			`+}`
			`+`
			`case "$1" in`
			`'')`
			`echo "Usage: $IPSEC_SCRIPT command argument ..."`
			`@@ -166,6 +186,7 @@ rereadall\|purgeocsp\|listcounters\|resetco`
			`shift`
			`if [ -e $IPSEC_CHARON_PID ]`
			`then`
			`+ fipscheck \|\| exit $?`
			`$IPSEC_STROKE "$op" "$@"`
			`rc="$?"`
			`fi`
			`@@ -175,6 +196,7 @@ purgeike\|purgecrls\|purgecerts)`
			`rc=7`
			`if [ -e $IPSEC_CHARON_PID ]`
			`then`
			`+ fipscheck \|\| exit $?`
			`$IPSEC_STROKE "$1"`
			`rc="$?"`
			`fi`
			`@@ -208,6 +230,7 @@ route\|unroute)`
			`fi`
			`if [ -e $IPSEC_CHARON_PID ]`
			`then`
			`+ fipscheck \|\| exit $?`
			`$IPSEC_STROKE "$op" "$1"`
			`rc="$?"`
			`fi`
			`@@ -217,6 +240,7 @@ secrets)`
			`rc=7`
			`if [ -e $IPSEC_CHARON_PID ]`
			`then`
			`+ fipscheck \|\| exit $?`
			`$IPSEC_STROKE rereadsecrets`
			`rc="$?"`
			`fi`
			`@@ -224,6 +248,7 @@ secrets)`
			`;;`
			`start)`
			`shift`
			`+ fipscheck \|\| exit $?`
			`if [ -d /var/lock/subsys ]; then`
			`touch /var/lock/subsys/ipsec`
			`fi`
			`@@ -297,6 +322,7 @@ up)`
			`rc=7`
			`if [ -e $IPSEC_CHARON_PID ]`
			`then`
			`+ fipscheck \|\| exit $?`
			`$IPSEC_STROKE up "$1"`
			`rc="$?"`
			`fi`
			`@@ -332,6 +358,11 @@ esac`
			`cmd="$1"`
			`shift`

			`+case $cmd in`
			`+_fipscheck\|_copyright\|pki) ;;`
			`+*) fipscheck \|\| exit $? ;;`
			`+esac`
			`+`
			`path="$IPSEC_DIR/$cmd"`

			`if [ ! -x "$path" ]`