SHA256
1
0
forked from pool/strongswan
strongswan/strongswan_fipscheck.patch

90 lines
1.9 KiB
Diff
Raw Normal View History

--- src/ipsec/_ipsec.in
+++ src/ipsec/_ipsec.in 2014/11/07 11:28:25
@@ -44,6 +44,26 @@ export IPSEC_DIR IPSEC_BINDIR IPSEC_SBIN
IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"
+fipscheck()
+{
+ # when fips operation mode is not enabled, just report OK
+ read 2>/dev/null fips_enabled < /proc/sys/crypto/fips_enabled
+ test "X$fips_enabled" = "X1" || return 0
+
+ # complain when _fipscheck is missed
+ test -x "$IPSEC_DIR/_fipscheck" || {
+ echo "ipsec: please install strongswan-hmac package required in fips mode" >&2
+ return 4
+ }
+
+ # now execute it
+ $IPSEC_DIR/_fipscheck || {
+ rc=$?
+ echo "ipsec: strongSwan fips file integrity check failed" >&2
+ return $rc
+ }
+}
+
case "$1" in
'')
echo "Usage: $IPSEC_SCRIPT command argument ..."
@@ -166,6 +186,7 @@ rereadall|purgeocsp|listcounters|resetco
shift
if [ -e $IPSEC_CHARON_PID ]
then
+ fipscheck || exit $?
$IPSEC_STROKE "$op" "$@"
rc="$?"
fi
@@ -175,6 +196,7 @@ purgeike|purgecrls|purgecerts)
rc=7
if [ -e $IPSEC_CHARON_PID ]
then
+ fipscheck || exit $?
$IPSEC_STROKE "$1"
rc="$?"
fi
@@ -208,6 +230,7 @@ route|unroute)
fi
if [ -e $IPSEC_CHARON_PID ]
then
+ fipscheck || exit $?
$IPSEC_STROKE "$op" "$1"
rc="$?"
fi
@@ -217,6 +240,7 @@ secrets)
rc=7
if [ -e $IPSEC_CHARON_PID ]
then
+ fipscheck || exit $?
$IPSEC_STROKE rereadsecrets
rc="$?"
fi
@@ -224,6 +248,7 @@ secrets)
;;
start)
shift
+ fipscheck || exit $?
if [ -d /var/lock/subsys ]; then
touch /var/lock/subsys/ipsec
fi
@@ -297,6 +322,7 @@ up)
rc=7
if [ -e $IPSEC_CHARON_PID ]
then
+ fipscheck || exit $?
$IPSEC_STROKE up "$1"
rc="$?"
fi
@@ -332,6 +358,11 @@ esac
cmd="$1"
shift
+case $cmd in
+_fipscheck|_copyright|pki) ;;
+*) fipscheck || exit $? ;;
+esac
+
path="$IPSEC_DIR/$cmd"
if [ ! -x "$path" ]