- Added generation of fips hmac hash files using fipshmac utility

and a _fipscheck script to verify binaries/libraries/plugings shipped in the strongswan-hmac package. With enabled fips in the kernel, the ipsec script will call it before any action or in a enforced/manual "ipsec _fipscheck" call. Added config file to load openssl and kernel af-alg plugins, but not all the other modules which provide further/alternative algs. Applied a filter disallowing non-approved algorithms in fips mode. (fate#316931,bnc#856322). [+ strongswan_fipscheck.patch, strongswan_fipsfilter.patch] - Fixed file list in the optional (disabled) strongswan-test package. - Fixed build of the strongswan built-in integrity checksum library and enabled building it only on architectures tested to work. - Fix to use bug number 897048 instead 856322 in last changes entry. - Applied an upstream patch reverting to store algorithms in the registration order again as ordering them by identifier caused weaker algorithms to be proposed first by default (bsc#897512). [+0001-restore-registration-algorithm-order.bug897512.patch] OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=77
2014-11-21 12:01:59 +00:00
parent ee9ed2353d
commit 9463c65a84
8 changed files with 1038 additions and 9 deletions
--- a/fipscheck.sh.in
+++ b/fipscheck.sh.in
@@ -0,0 +1,69 @@
+#! /bin/bash
+#
+# Copyright (C) 2014 SUSE LINUX GmbH, Nuernberg, Germany.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# Author: Marius Tomaschewski <mt@suse.de>
+#
+IPSEC_DIR="@IPSEC_DIR@"
+IPSEC_LIBDIR="@IPSEC_LIBDIR@"
+IPSEC_BINDIR="@IPSEC_BINDIR@"
+IPSEC_SBINDIR="@IPSEC_SBINDIR@"
+fipscheck_bin="/usr/bin/fipscheck"
+
+# minimal usage hint
+if test $# -gt 0 ; then
+	echo "usage: ipsec _fipscheck" >&2
+	exit 2
+fi
+
+#
+# "ipsec xxx" starts this script only if crypto/fips_enabled=1,
+# except while a manually enforced check via "ipsec _fipscheck".
+#
+#read 2>/dev/null fips_enabled < /proc/sys/crypto/fips_enabled
+#test "X$fips_enabled" = "X1" || exit 0
+
+# verify that fipscheck is installed
+test -x "$fipscheck_bin" || {
+	test "X$FIPSCHECK_DEBUG" = "Xerror" && \
+	echo "${0##*/}: $fipscheck_bin utility missed" >&2
+	exit 4
+}
+
+shopt -s nullglob
+
+files=()
+for h in ${IPSEC_DIR}/.*.hmac \
+	 ${IPSEC_LIBDIR}/.*.hmac \
+	 ${IPSEC_LIBDIR}/imcvs/.*.hmac \
+	 ${IPSEC_LIBDIR}/plugins/.*.hmac \
+	 ${IPSEC_SBINDIR}/.ipsec.hmac \
+	;
+do
+	dir="${h%/*}"
+	name="${h##*/.}"
+	file="${dir}/${name%.hmac}"
+	# some part is not installed
+	test -f "${file}" && files+=("$file")
+done
+
+if test ${#files[@]} -gt 0 ; then
+	$fipscheck_bin ${files[@]} ; exit $?
+elif test "X$FIPSCHECK_DEBUG" = "Xerror" ; then
+	echo "${0##*/}: unable to find any checksum/hmac file" >&2
+fi
+exit 3
+