SHA256
1
0
forked from pool/strongswan
strongswan/fips-enforce.conf
Marius Tomaschewski 9463c65a84 - Added generation of fips hmac hash files using fipshmac utility
and a _fipscheck script to verify binaries/libraries/plugings
  shipped in the strongswan-hmac package.
  With enabled fips in the kernel, the ipsec script will call it
  before any action or in a enforced/manual "ipsec _fipscheck" call.
  Added config file to load openssl and kernel af-alg plugins, but
  not all the other modules which provide further/alternative algs.
  Applied a filter disallowing non-approved algorithms in fips mode.
  (fate#316931,bnc#856322).
  [+ strongswan_fipscheck.patch, strongswan_fipsfilter.patch]
- Fixed file list in the optional (disabled) strongswan-test package.
- Fixed build of the strongswan built-in integrity checksum library
  and enabled building it only on architectures tested to work.
- Fix to use bug number 897048 instead 856322 in last changes entry.
- Applied an upstream patch reverting to store algorithms in the
  registration order again as ordering them by identifier caused
  weaker algorithms to be proposed first by default (bsc#897512).
  [+0001-restore-registration-algorithm-order.bug897512.patch]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=77
2014-11-21 12:01:59 +00:00

53 lines
742 B
Plaintext

#
# When fips is enabled (fips=1 kernel parameter), only certified openssl
# and kernel crypto API (af-alg) algorithms are supported.
#
# The strongswan-hmac package is supposed to be used/installed when fips
# is enabled and provides the hmac hashes, a "ipsec _fipscheck" script
# verifying the components and this blacklist disabling other plugins
# providing further and/or alternative algorithm implementations.
#
gcrypt {
load = no
}
blowfish {
load = no
}
random {
load = no
}
des {
load = no
}
aes {
load = no
}
rc2 {
load = no
}
ctr {
load = no
}
cmac {
load = no
}
xcbc {
load = no
}
md4 {
load = no
}
md5 {
load = no
}
sha1 {
load = no
}
sha2 {
load = no
}
ccm {
load = no
}