rpm/strongswan
SHA256
1
0
Fork 0
forked from pool/strongswan
Code Pull Requests Activity
233d1d3c87
strongswan/fips-enforce.conf

52 lines
666 B
Plaintext
Raw Normal View History

- Added generation of fips hmac hash files using fipshmac utility and a _fipscheck script to verify binaries/libraries/plugings shipped in the strongswan-hmac package. With enabled fips in the kernel, the ipsec script will call it before any action or in a enforced/manual "ipsec _fipscheck" call. Added config file to load openssl and kernel af-alg plugins, but not all the other modules which provide further/alternative algs. Applied a filter disallowing non-approved algorithms in fips mode. (fate#316931,bnc#856322). [+ strongswan_fipscheck.patch, strongswan_fipsfilter.patch] - Fixed file list in the optional (disabled) strongswan-test package. - Fixed build of the strongswan built-in integrity checksum library and enabled building it only on architectures tested to work. - Fix to use bug number 897048 instead 856322 in last changes entry. - Applied an upstream patch reverting to store algorithms in the registration order again as ordering them by identifier caused weaker algorithms to be proposed first by default (bsc#897512). [+0001-restore-registration-algorithm-order.bug897512.patch] OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=77
2014-11-21 13:01:59 +01:00
#
# When fips is enabled (fips=1 kernel parameter), only certified openssl
# and kernel crypto API (af-alg) algorithms are supported.
#
# The strongswan-hmac package is supposed to be used/installed when fips
Accepting request 1094809 from home:msaquib:branches:network:vpn - Removed .hmac files + hmac integrity check logic from strongswan-hmac package as it is not mandated anymore by FIPS (boo#1185116) - Removed folliwng files: [- strongswan_fipscheck.patch] [- fipscheck.sh.in] Note: strongswan-hmac package is not removed as it still provides a config file that doesn't allow non-fips approved algorithms OBS-URL: https://build.opensuse.org/request/show/1094809 OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=153
2023-06-23 11:01:07 +02:00
# is enabled and provides this blacklist disabling other plugins
- Added generation of fips hmac hash files using fipshmac utility and a _fipscheck script to verify binaries/libraries/plugings shipped in the strongswan-hmac package. With enabled fips in the kernel, the ipsec script will call it before any action or in a enforced/manual "ipsec _fipscheck" call. Added config file to load openssl and kernel af-alg plugins, but not all the other modules which provide further/alternative algs. Applied a filter disallowing non-approved algorithms in fips mode. (fate#316931,bnc#856322). [+ strongswan_fipscheck.patch, strongswan_fipsfilter.patch] - Fixed file list in the optional (disabled) strongswan-test package. - Fixed build of the strongswan built-in integrity checksum library and enabled building it only on architectures tested to work. - Fix to use bug number 897048 instead 856322 in last changes entry. - Applied an upstream patch reverting to store algorithms in the registration order again as ordering them by identifier caused weaker algorithms to be proposed first by default (bsc#897512). [+0001-restore-registration-algorithm-order.bug897512.patch] OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=77
2014-11-21 13:01:59 +01:00
# providing further and/or alternative algorithm implementations.
#
gcrypt {
load = no
}
blowfish {
load = no
}
random {
load = no
}
des {
load = no
}
aes {
load = no
}
rc2 {
load = no
}
ctr {
load = no
}
cmac {
load = no
}
xcbc {
load = no
}
md4 {
load = no
}
md5 {
load = no
}
sha1 {
load = no
}
sha2 {
load = no
}
ccm {
load = no
}
Copy Permalink