From 3645b48ec5b4c838e6105230e5b8b29e9a4047b6b1c524c94715dfcab973a1fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Thu, 10 Jul 2014 12:59:35 +0000
Subject: [PATCH] Accepting request 239460 from home:msmeissn:branches:network:vpn
- disable gcrypt plugin by default, so it will only use openssl FATE#316931
- enable fips mode 2
OBS-URL: https://build.opensuse.org/request/show/239460
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=70
---
 strongswan-fips-disablegcrypt.patch | 13 +++++++++++++
 strongswan.changes | 7 +++++++
 strongswan.spec | 3 +++
 3 files changed, 23 insertions(+)
 create mode 100644 strongswan-fips-disablegcrypt.patch
diff --git a/strongswan-fips-disablegcrypt.patch b/strongswan-fips-disablegcrypt.patch
new file mode 100644
index 0000000..dbc4619
--- /dev/null
+++ b/strongswan-fips-disablegcrypt.patch
@@ -0,0 +1,13 @@
+Index: strongswan-5.1.3/conf/plugins/gcrypt.conf
+===================================================================
+--- strongswan-5.1.3.orig/conf/plugins/gcrypt.conf
++++ strongswan-5.1.3/conf/plugins/gcrypt.conf
+@@ -2,7 +2,7 @@ gcrypt {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+- load = yes
++ load = no
+
+ # Use faster random numbers in gcrypt; for testing only, produces weak keys!
+ # quick_random = no
diff --git a/strongswan.changes b/strongswan.changes
index 0e04f4e..aaf6c07 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Jul 3 13:39:45 UTC 2014 - meissner@suse.com
+
+- disable gcrypt plugin by default, so it will only use openssl
+ FATE#316931
+- enable fips mode 2
+
 -------------------------------------------------------------------
 Fri Jun 20 17:38:07 UTC 2014 - crrodriguez@opensuse.org
 
diff --git a/strongswan.spec b/strongswan.spec
index 8a0d5ad..cc7e7e1 100644
--- strongswan.spec
+++ b/strongswan.spec
@@ -63,6 +63,7 @@ Source4: README.SUSE
 Source5: %{name}.keyring
 Patch1: %{name}_modprobe_syslog.patch
 Patch2: %{name}_ipsec_service.patch
+Patch3: %{name}-fips-disablegcrypt.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: bison
 BuildRequires: curl-devel
@@ -243,6 +244,7 @@ and the load testing plugin for IKEv2 daemon.
 %setup -q -n %{name}-%{upstream_version}
 %patch1 -p0
 %patch2 -p0
+%patch3 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g' \
 < $RPM_SOURCE_DIR/strongswan.init.in \
 > strongswan.init
@@ -257,6 +259,7 @@ export RPM_OPT_FLAGS CFLAGS
 --enable-integrity-test \
 --with-capabilities=libcap \
 --with-plugindir=%{strongswan_plugins} \
+ --with-fips=2 \
 --with-resolv-conf=%{_rundir}/%{name}/resolv.conf \
 --with-piddir=%{_rundir}/%{name} \
 --enable-pkcs11 \
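Review bot: Nothing next to `%patch3 -p1` in the second hunk (or the `Patch3:` tag in the first) records why the gcrypt plugin is switched off, and the patch it applies only flips the shipped default in `conf/plugins/gcrypt.conf`. A spec comment such as `# Patch3: gcrypt plugin off by default so crypto comes from the openssl plugin (FATE#316931)` would keep the intent next to the patch. The visible lines do not show whether strongSwan's other built-in crypto plugins are still built and loaded, so "only use openssl" may not follow from this change alone; the plugin switches in the configure call, most of which lie outside these hunks, should be checked. An existing gcrypt.conf with `load = yes` that is preserved across an upgrade would presumably also bypass the new default. The %prep section starts and ends outside the hunk.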
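Review bot: The added `--with-fips=2` in the third hunk does not look like a switch that strongSwan's configure defines; to my knowledge the option is named `--with-fips-mode`, and autoconf only prints an "unrecognized options" warning for an unknown `--with-*` argument, so the build would succeed with FIPS mode left at its default. If `./configure --help` confirms this, the line should read `--with-fips-mode=2 \`. The build log (for that warning) or the FIPS mode setting in the generated config.h would show what was actually built. The configure invocation starts and ends outside the hunk.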