strongswan/fipscheck.sh.in
Marius Tomaschewski 9463c65a84 - Added generation of fips hmac hash files using fipshmac utility
and a _fipscheck script to verify binaries/libraries/plugings
  shipped in the strongswan-hmac package.
  With enabled fips in the kernel, the ipsec script will call it
  before any action or in a enforced/manual "ipsec _fipscheck" call.
  Added config file to load openssl and kernel af-alg plugins, but
  not all the other modules which provide further/alternative algs.
  Applied a filter disallowing non-approved algorithms in fips mode.
  (fate#316931,bnc#856322).
  [+ strongswan_fipscheck.patch, strongswan_fipsfilter.patch]
- Fixed file list in the optional (disabled) strongswan-test package.
- Fixed build of the strongswan built-in integrity checksum library
  and enabled building it only on architectures tested to work.
- Fix to use bug number 897048 instead 856322 in last changes entry.
- Applied an upstream patch reverting to store algorithms in the
  registration order again as ordering them by identifier caused
  weaker algorithms to be proposed first by default (bsc#897512).
  [+0001-restore-registration-algorithm-order.bug897512.patch]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=77
2014-11-21 12:01:59 +00:00

70 lines
1.9 KiB
Bash

#! /bin/bash
#
# Copyright (C) 2014 SUSE LINUX GmbH, Nuernberg, Germany.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, see <http://www.gnu.org/licenses/>.
#
# Author: Marius Tomaschewski <mt@suse.de>
#
IPSEC_DIR="@IPSEC_DIR@"
IPSEC_LIBDIR="@IPSEC_LIBDIR@"
IPSEC_BINDIR="@IPSEC_BINDIR@"
IPSEC_SBINDIR="@IPSEC_SBINDIR@"
fipscheck_bin="/usr/bin/fipscheck"
# minimal usage hint
if test $# -gt 0 ; then
echo "usage: ipsec _fipscheck" >&2
exit 2
fi
#
# "ipsec xxx" starts this script only if crypto/fips_enabled=1,
# except while a manually enforced check via "ipsec _fipscheck".
#
#read 2>/dev/null fips_enabled < /proc/sys/crypto/fips_enabled
#test "X$fips_enabled" = "X1" || exit 0
# verify that fipscheck is installed
test -x "$fipscheck_bin" || {
test "X$FIPSCHECK_DEBUG" = "Xerror" && \
echo "${0##*/}: $fipscheck_bin utility missed" >&2
exit 4
}
shopt -s nullglob
files=()
for h in ${IPSEC_DIR}/.*.hmac \
${IPSEC_LIBDIR}/.*.hmac \
${IPSEC_LIBDIR}/imcvs/.*.hmac \
${IPSEC_LIBDIR}/plugins/.*.hmac \
${IPSEC_SBINDIR}/.ipsec.hmac \
;
do
dir="${h%/*}"
name="${h##*/.}"
file="${dir}/${name%.hmac}"
# some part is not installed
test -f "${file}" && files+=("$file")
done
if test ${#files[@]} -gt 0 ; then
$fipscheck_bin ${files[@]} ; exit $?
elif test "X$FIPSCHECK_DEBUG" = "Xerror" ; then
echo "${0##*/}: unable to find any checksum/hmac file" >&2
fi
exit 3