strongswan/strongswan_fipscheck.patch
Marius Tomaschewski 9463c65a84 - Added generation of fips hmac hash files using fipshmac utility
and a _fipscheck script to verify binaries/libraries/plugings
  shipped in the strongswan-hmac package.
  With enabled fips in the kernel, the ipsec script will call it
  before any action or in a enforced/manual "ipsec _fipscheck" call.
  Added config file to load openssl and kernel af-alg plugins, but
  not all the other modules which provide further/alternative algs.
  Applied a filter disallowing non-approved algorithms in fips mode.
  (fate#316931,bnc#856322).
  [+ strongswan_fipscheck.patch, strongswan_fipsfilter.patch]
- Fixed file list in the optional (disabled) strongswan-test package.
- Fixed build of the strongswan built-in integrity checksum library
  and enabled building it only on architectures tested to work.
- Fix to use bug number 897048 instead 856322 in last changes entry.
- Applied an upstream patch reverting to store algorithms in the
  registration order again as ordering them by identifier caused
  weaker algorithms to be proposed first by default (bsc#897512).
  [+0001-restore-registration-algorithm-order.bug897512.patch]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=77
2014-11-21 12:01:59 +00:00

90 lines
1.9 KiB
Diff

--- src/ipsec/_ipsec.in
+++ src/ipsec/_ipsec.in 2014/11/07 11:28:25
@@ -44,6 +44,26 @@ export IPSEC_DIR IPSEC_BINDIR IPSEC_SBIN
IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"
+fipscheck()
+{
+ # when fips operation mode is not enabled, just report OK
+ read 2>/dev/null fips_enabled < /proc/sys/crypto/fips_enabled
+ test "X$fips_enabled" = "X1" || return 0
+
+ # complain when _fipscheck is missed
+ test -x "$IPSEC_DIR/_fipscheck" || {
+ echo "ipsec: please install strongswan-hmac package required in fips mode" >&2
+ return 4
+ }
+
+ # now execute it
+ $IPSEC_DIR/_fipscheck || {
+ rc=$?
+ echo "ipsec: strongSwan fips file integrity check failed" >&2
+ return $rc
+ }
+}
+
case "$1" in
'')
echo "Usage: $IPSEC_SCRIPT command argument ..."
@@ -166,6 +186,7 @@ rereadall|purgeocsp|listcounters|resetco
shift
if [ -e $IPSEC_CHARON_PID ]
then
+ fipscheck || exit $?
$IPSEC_STROKE "$op" "$@"
rc="$?"
fi
@@ -175,6 +196,7 @@ purgeike|purgecrls|purgecerts)
rc=7
if [ -e $IPSEC_CHARON_PID ]
then
+ fipscheck || exit $?
$IPSEC_STROKE "$1"
rc="$?"
fi
@@ -208,6 +230,7 @@ route|unroute)
fi
if [ -e $IPSEC_CHARON_PID ]
then
+ fipscheck || exit $?
$IPSEC_STROKE "$op" "$1"
rc="$?"
fi
@@ -217,6 +240,7 @@ secrets)
rc=7
if [ -e $IPSEC_CHARON_PID ]
then
+ fipscheck || exit $?
$IPSEC_STROKE rereadsecrets
rc="$?"
fi
@@ -224,6 +248,7 @@ secrets)
;;
start)
shift
+ fipscheck || exit $?
if [ -d /var/lock/subsys ]; then
touch /var/lock/subsys/ipsec
fi
@@ -297,6 +322,7 @@ up)
rc=7
if [ -e $IPSEC_CHARON_PID ]
then
+ fipscheck || exit $?
$IPSEC_STROKE up "$1"
rc="$?"
fi
@@ -332,6 +358,11 @@ esac
cmd="$1"
shift
+case $cmd in
+_fipscheck|_copyright|pki) ;;
+*) fipscheck || exit $? ;;
+esac
+
path="$IPSEC_DIR/$cmd"
if [ ! -x "$path" ]