Marius Tomaschewski
9463c65a84
and a _fipscheck script to verify binaries/libraries/plugins shipped in the strongswan-hmac package. With enabled fips in the kernel, the ipsec script will call it before any action or in an enforced/manual "ipsec _fipscheck" call. Added config file to load openssl and kernel af-alg plugins, but not all the other modules which provide further/alternative algs. Applied a filter disallowing non-approved algorithms in fips mode. (fate#316931,bnc#856322). [+ strongswan_fipscheck.patch, strongswan_fipsfilter.patch] - Fixed file list in the optional (disabled) strongswan-test package. - Fixed build of the strongswan built-in integrity checksum library and enabled building it only on architectures tested to work. - Fix to use bug number 897048 instead of 856322 in last changes entry. - Applied an upstream patch reverting to store algorithms in the registration order again as ordering them by identifier caused weaker algorithms to be proposed first by default (bsc#897512). [+0001-restore-registration-algorithm-order.bug897512.patch] OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=77
90 lines
1.9 KiB
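--- a/src/ipsec/_ipsec.in
+++ b/src/ipsec/_ipsec.in
@@ -44,6 +44,26 @@ export IPSEC_DIR IPSEC_BINDIR IPSEC_SBIN
 
 IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"
 
+fipscheck()
+{
+ # when fips operation mode is not enabled, just report OK
+ read 2>/dev/null fips_enabled < /proc/sys/crypto/fips_enabled
+ test "X$fips_enabled" = "X1" || return 0
+
+ # complain when _fipscheck is missed
+ test -x "$IPSEC_DIR/_fipscheck" || {
+ echo "ipsec: please install strongswan-hmac package required in fips mode" >&2
+ return 4
+ }
+
+ # now execute it
+ $IPSEC_DIR/_fipscheck || {
+ rc=$?
+ echo "ipsec: strongSwan fips file integrity check failed" >&2
+ return $rc
+ }
+}
+
 case "$1" in
 '')
 echo "Usage: $IPSEC_SCRIPT command argument ..."
@@ -166,6 +186,7 @@ rereadall|purgeocsp|listcounters|resetco
 shift
 if [ -e $IPSEC_CHARON_PID ]
 then
+ fipscheck || exit $?
 $IPSEC_STROKE "$op" "$@"
 rc="$?"
 fi
@@ -175,6 +196,7 @@ purgeike|purgecrls|purgecerts)
 rc=7
 if [ -e $IPSEC_CHARON_PID ]
 then
+ fipscheck || exit $?
 $IPSEC_STROKE "$1"
 rc="$?"
 fi
@@ -208,6 +230,7 @@ route|unroute)
 fi
 if [ -e $IPSEC_CHARON_PID ]
 then
+ fipscheck || exit $?
 $IPSEC_STROKE "$op" "$1"
 rc="$?"
 fi
@@ -217,6 +240,7 @@ secrets)
 rc=7
 if [ -e $IPSEC_CHARON_PID ]
 then
+ fipscheck || exit $?
 $IPSEC_STROKE rereadsecrets
 rc="$?"
 fi
@@ -224,6 +248,7 @@ secrets)
 ;;
 start)
 shift
+ fipscheck || exit $?
 if [ -d /var/lock/subsys ]; then
 touch /var/lock/subsys/ipsec
 fi
@@ -297,6 +322,7 @@ up)
 rc=7
 if [ -e $IPSEC_CHARON_PID ]
 then
+ fipscheck || exit $?
 $IPSEC_STROKE up "$1"
 rc="$?"
 fi
@@ -332,6 +358,11 @@ esac
 cmd="$1"
 shift
 
+case $cmd in
+_fipscheck|_copyright|pki) ;;
+*) fipscheck || exit $? ;;
+esac
+
 path="$IPSEC_DIR/$cmd"
 
 if [ ! -x "$path" ]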
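Review bot: In the first hunk, `fipscheck` never initialises `fips_enabled` before the `read`; when `/proc/sys/crypto/fips_enabled` is absent the redirection fails, `read` does not run at all, and whatever value the caller's environment carries under that name is what `test "X$fips_enabled" = "X1"` sees, so the FIPS/non-FIPS decision can hinge on an unrelated variable. Adding `fips_enabled=` on the line before the `read` makes that fallback deterministic. The invocation `$IPSEC_DIR/_fipscheck || {` is also left unquoted while the `test -x "$IPSEC_DIR/_fipscheck"` just above quotes the same path; `"$IPSEC_DIR/_fipscheck" || {` keeps both consistent under word splitting. In the last hunk the `_fipscheck|_copyright|pki) ;;` exemption is undocumented; a one-line comment above it stating why these subcommands skip the integrity check (presumably because they do not talk to a running charon — worth confirming) would tell a maintainer that `pki` key generation intentionally runs without it.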