forked from pool/strongswan
Marius Tomaschewski
9463c65a84
and a _fipscheck script to verify binaries/libraries/plugings shipped in the strongswan-hmac package. With enabled fips in the kernel, the ipsec script will call it before any action or in a enforced/manual "ipsec _fipscheck" call. Added config file to load openssl and kernel af-alg plugins, but not all the other modules which provide further/alternative algs. Applied a filter disallowing non-approved algorithms in fips mode. (fate#316931,bnc#856322). [+ strongswan_fipscheck.patch, strongswan_fipsfilter.patch] - Fixed file list in the optional (disabled) strongswan-test package. - Fixed build of the strongswan built-in integrity checksum library and enabled building it only on architectures tested to work. - Fix to use bug number 897048 instead 856322 in last changes entry. - Applied an upstream patch reverting to store algorithms in the registration order again as ordering them by identifier caused weaker algorithms to be proposed first by default (bsc#897512). [+0001-restore-registration-algorithm-order.bug897512.patch] OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=77
70 lines
1.9 KiB
Bash
70 lines
1.9 KiB
Bash
#! /bin/bash
|
|
#
|
|
# Copyright (C) 2014 SUSE LINUX GmbH, Nuernberg, Germany.
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 2 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License along
|
|
# with this program; if not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
# Author: Marius Tomaschewski <mt@suse.de>
|
|
#
|
|
IPSEC_DIR="@IPSEC_DIR@"
|
|
IPSEC_LIBDIR="@IPSEC_LIBDIR@"
|
|
IPSEC_BINDIR="@IPSEC_BINDIR@"
|
|
IPSEC_SBINDIR="@IPSEC_SBINDIR@"
|
|
fipscheck_bin="/usr/bin/fipscheck"
|
|
|
|
# minimal usage hint
|
|
if test $# -gt 0 ; then
|
|
echo "usage: ipsec _fipscheck" >&2
|
|
exit 2
|
|
fi
|
|
|
|
#
|
|
# "ipsec xxx" starts this script only if crypto/fips_enabled=1,
|
|
# except while a manually enforced check via "ipsec _fipscheck".
|
|
#
|
|
#read 2>/dev/null fips_enabled < /proc/sys/crypto/fips_enabled
|
|
#test "X$fips_enabled" = "X1" || exit 0
|
|
|
|
# verify that fipscheck is installed
|
|
test -x "$fipscheck_bin" || {
|
|
test "X$FIPSCHECK_DEBUG" = "Xerror" && \
|
|
echo "${0##*/}: $fipscheck_bin utility missed" >&2
|
|
exit 4
|
|
}
|
|
|
|
shopt -s nullglob
|
|
|
|
files=()
|
|
for h in ${IPSEC_DIR}/.*.hmac \
|
|
${IPSEC_LIBDIR}/.*.hmac \
|
|
${IPSEC_LIBDIR}/imcvs/.*.hmac \
|
|
${IPSEC_LIBDIR}/plugins/.*.hmac \
|
|
${IPSEC_SBINDIR}/.ipsec.hmac \
|
|
;
|
|
do
|
|
dir="${h%/*}"
|
|
name="${h##*/.}"
|
|
file="${dir}/${name%.hmac}"
|
|
# some part is not installed
|
|
test -f "${file}" && files+=("$file")
|
|
done
|
|
|
|
if test ${#files[@]} -gt 0 ; then
|
|
$fipscheck_bin ${files[@]} ; exit $?
|
|
elif test "X$FIPSCHECK_DEBUG" = "Xerror" ; then
|
|
echo "${0##*/}: unable to find any checksum/hmac file" >&2
|
|
fi
|
|
exit 3
|
|
|