--- src/ipsec/_ipsec.in
+++ src/ipsec/_ipsec.in	2014/11/07 11:28:25
@@ -44,6 +44,26 @@ export IPSEC_DIR IPSEC_BINDIR IPSEC_SBIN
 
 IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"
 
+fipscheck()
+{
+	# when fips operation mode is not enabled, just report OK
+	read 2>/dev/null fips_enabled < /proc/sys/crypto/fips_enabled
+	test "X$fips_enabled" = "X1"    || return 0
+
+	# complain when _fipscheck is missed
+	test -x "$IPSEC_DIR/_fipscheck" || {
+		echo "ipsec: please install strongswan-hmac package required in fips mode" >&2
+		return 4
+	}
+
+	# now execute it
+	$IPSEC_DIR/_fipscheck || {
+		rc=$?
+		echo "ipsec: strongSwan fips file integrity check failed" >&2
+		return $rc
+	}
+}
+
 case "$1" in
 '')
 	echo "Usage: $IPSEC_SCRIPT command argument ..."
@@ -166,6 +186,7 @@ rereadall|purgeocsp|listcounters|resetco
 	shift
 	if [ -e $IPSEC_CHARON_PID ]
 	then
+		fipscheck || exit $?
 		$IPSEC_STROKE "$op" "$@"
 		rc="$?"
 	fi
@@ -175,6 +196,7 @@ purgeike|purgecrls|purgecerts)
 	rc=7
 	if [ -e $IPSEC_CHARON_PID ]
 	then
+		fipscheck || exit $?
 		$IPSEC_STROKE "$1"
 		rc="$?"
 	fi
@@ -208,6 +230,7 @@ route|unroute)
 	fi
 	if [ -e $IPSEC_CHARON_PID ]
 	then
+		fipscheck || exit $?
 		$IPSEC_STROKE "$op" "$1"
 		rc="$?"
 	fi
@@ -217,6 +240,7 @@ secrets)
 	rc=7
 	if [ -e $IPSEC_CHARON_PID ]
 	then
+		fipscheck || exit $?
 		$IPSEC_STROKE rereadsecrets
 		rc="$?"
 	fi
@@ -224,6 +248,7 @@ secrets)
 	;;
 start)
 	shift
+	fipscheck || exit $?
 	if [ -d /var/lock/subsys ]; then
 		touch /var/lock/subsys/ipsec
 	fi
@@ -297,6 +322,7 @@ up)
 	rc=7
 	if [ -e $IPSEC_CHARON_PID ]
 	then
+		fipscheck || exit $?
 		$IPSEC_STROKE up "$1"
 		rc="$?"
 	fi
@@ -332,6 +358,11 @@ esac
 cmd="$1"
 shift
 
+case $cmd in
+_fipscheck|_copyright|pki) ;;
+*) fipscheck || exit $?	;;
+esac
+
 path="$IPSEC_DIR/$cmd"
 
 if [ ! -x "$path" ]