jengelh/strongswan
SHA256
1
0
Fork 0
forked from pool/strongswan
Code Pull Requests Activity

Accepting request 769616 from network:vpn

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/769616
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=71
This commit is contained in:
Dominique Leuenberger 2020-02-06 12:18:28 +00:00 committed by Git OBS Bridge
commit 12fdfc6265
5 changed files with 9 additions and 381 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
0006-fix-compilation-error-by-adding-stdint.h.patch
View File

@ -1,30 +0,0 @@
From 831a9ea232f128c13c36066a704f6ccafa335244 Mon Sep 17 00:00:00 2001
From: Nirmoy Das <ndas@suse.de>
Date: Tue, 5 Sep 2017 11:17:16 +0200
Subject: [PATCH] fix compilation error by adding stdint.h
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
error:
utils/utils/memory.h:99:15: error: uintptr_t undeclared (first use in this function); did you mean __intptr_t?
for (i = 0; (uintptr_t)&c[i] % sizeof(long) && i < n; i++)
^~~~~~~~~
__intptr_t
---
src/libstrongswan/utils/utils/memory.h | 2 ++
1 file changed, 2 insertions(+)
Index: strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h
===================================================================
--- strongswan-5.6.2.orig/src/libstrongswan/utils/utils/memory.h 2017-08-14 08:48:41.000000000 +0200
+++ strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h 2018-04-17 16:53:57.590335103 +0200
@@ -22,6 +22,8 @@
#ifndef MEMORY_H_
#define MEMORY_H_
+#include <stdint.h>
+
/**
* Helper function that compares two binary blobs for equality
*/

8
strongswan.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Thu Jan 30 13:43:50 UTC 2020 - Bjørn Lie <bjorn.lie@gmail.com>
- Drop upstream fixed patches:
* strongswan_modprobe_syslog.patch
* strongswan_fipsfilter.patch
* 0006-fix-compilation-error-by-adding-stdint.h.patch
-------------------------------------------------------------------
Sun Jan 26 08:54:01 UTC 2020 - Jan Engelhardt <jengelh@inai.de>

13
strongswan.spec
View File

@ -75,17 +75,12 @@ Source5: %{name}.keyring
Source6: fipscheck.sh.in
Source7: fips-enforce.conf
%endif
# Needs rebase
Patch1: %{name}_modprobe_syslog.patch
Patch2: %{name}_ipsec_service.patch
%if %{with fipscheck}
Patch3: %{name}_fipscheck.patch
# Patch4 needs rebase, file it patches no longer exists in tarball.
Patch4: %{name}_fipsfilter.patch
%endif
Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
# Needs rebase
Patch6: 0006-fix-compilation-error-by-adding-stdint.h.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: bison
BuildRequires: curl-devel
@ -257,17 +252,11 @@ and the load testing plugin for IKEv2 daemon.
%prep
%setup -q -n %{name}-%{upstream_version}
# Needs rebase, file it patches no longer exists.
#patch1 -p1
%patch2 -p1
%if %{with fipscheck}
%patch3 -p1
# Needs rebase, file it patches no longer exists.
#patch4 -p1
%endif
%patch5 -p1
# Needs rebase.
#patch6 -p1
sed -e 's|@libexecdir@|%_libexecdir|g' \
< %{_sourcedir}/strongswan.init.in \
> strongswan.init

283
strongswan_fipsfilter.patch
View File

@ -1,283 +0,0 @@
From 8f3f1bd6907df8221a93c849ed4b43474444e13b Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.de>
Date: Mon, 5 Jan 2015 14:57:39 +0100
Subject: [PATCH] strongswan: filter algorithms for fips mode
References: fate#316931,bnc#856322
From 818cd5f1b6455237a82f385b60a2513cdd9c5eef Mon Sep 17 00:00:00 2001
From: Nirmoy Das <ndas@suse.de>
Date: Mon, 17 Jul 2017 15:15:14 +0200
Subject: [PATCH] strongswan_fipsfilter
---
src/libcharon/config/proposal.c | 184 +++++++++++++++++++++++++++++++++++-----
1 file changed, 165 insertions(+), 19 deletions(-)
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index 6c71f78..0640140 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -27,6 +27,11 @@
#include <crypto/prfs/prf.h>
#include <crypto/crypters/crypter.h>
#include <crypto/signers/signer.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
ENUM(protocol_id_names, PROTO_NONE, PROTO_IPCOMP,
"PROTO_NONE",
@@ -190,6 +195,122 @@ METHOD(proposal_t, strip_dh, void,
enumerator->destroy(enumerator);
}
+static bool kernel_fips_enabled(void)
+{
+ char buf[1] = { '\0' };
+ int fd;
+
+ fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
+ if (fd >= 0) {
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
+ close(fd);
+ }
+ return buf[0] == '1';
+}
+
+static bool fips_enabled(void)
+{
+ static int enabled = -1;
+ if (enabled == -1)
+ enabled = kernel_fips_enabled();
+ return enabled;
+}
+
+static bool fips_filter(protocol_id_t protocol, transform_type_t type, u_int16_t alg)
+{
+ switch (protocol)
+ {
+ case PROTO_IKE:
+ case PROTO_ESP:
+ case PROTO_AH:
+ break;
+ default:
+ /* not applicable protocol */
+ return TRUE;
+ }
+
+ switch (type)
+ {
+ case ENCRYPTION_ALGORITHM:
+ switch (alg)
+ {
+ /* crypter */
+ case ENCR_3DES:
+ case ENCR_AES_CBC:
+ case ENCR_AES_CTR:
+ /* aead */
+ case ENCR_AES_GCM_ICV8:
+ case ENCR_AES_GCM_ICV12:
+ case ENCR_AES_GCM_ICV16:
+ case ENCR_AES_CCM_ICV8:
+ case ENCR_AES_CCM_ICV12:
+ case ENCR_AES_CCM_ICV16:
+ return TRUE;
+ default:
+ break;
+ }
+ break;
+ case INTEGRITY_ALGORITHM:
+ switch (alg)
+ {
+ case AUTH_HMAC_SHA1_96:
+ case AUTH_HMAC_SHA1_160:
+ case AUTH_HMAC_SHA2_256_96:
+ case AUTH_HMAC_SHA2_256_128:
+ case AUTH_HMAC_SHA2_384_192:
+ case AUTH_HMAC_SHA2_512_256:
+ case AUTH_AES_CMAC_96:
+ return TRUE;
+ default:
+ break;
+ }
+ break;
+ case PSEUDO_RANDOM_FUNCTION:
+ switch (alg)
+ {
+ case PRF_HMAC_SHA1:
+ case PRF_HMAC_SHA2_256:
+ case PRF_HMAC_SHA2_384:
+ case PRF_HMAC_SHA2_512:
+ case PRF_AES128_CMAC:
+ return TRUE;
+ default:
+ break;
+ }
+ break;
+ case DIFFIE_HELLMAN_GROUP:
+ switch (alg)
+ {
+ case MODP_2048_BIT:
+ case MODP_3072_BIT:
+ case MODP_4096_BIT:
+ case MODP_8192_BIT:
+ case MODP_2048_224:
+ case MODP_2048_256:
+ case ECP_224_BIT:
+ case ECP_256_BIT:
+ case ECP_384_BIT:
+ case ECP_521_BIT:
+ return TRUE;
+ default:
+ break;
+ }
+ break;
+ case EXTENDED_SEQUENCE_NUMBERS:
+ switch (alg)
+ {
+ case EXT_SEQ_NUMBERS:
+ case NO_EXT_SEQ_NUMBERS:
+ return TRUE;
+ default:
+ break;
+ }
+ default:
+ break;
+ }
+ return !fips_enabled();
+}
+
/**
* Select a matching proposal from this and other, insert into selected.
*/
@@ -611,6 +732,11 @@ static bool add_string_algo(private_proposal_t *this, const char *alg)
return FALSE;
}
+ if (!fips_filter(this->protocol, token->type, token->algorithm))
+ {
+ DBG1(DBG_CFG, "algorithm '%s' not permitted in fips mode", alg);
+ return FALSE;
+ }
add_algorithm(this, token->type, token->algorithm, token->keysize);
return TRUE;
@@ -753,6 +879,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
enumerator = lib->crypto->create_aead_enumerator(lib->crypto);
while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
{
+ if (!fips_filter(PROTO_IKE, ENCRYPTION_ALGORITHM, encryption))
+ continue;
+
switch (encryption)
{
case ENCR_AES_GCM_ICV16:
@@ -806,6 +935,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
{
+ if (!fips_filter(PROTO_IKE, ENCRYPTION_ALGORITHM, encryption))
+ continue;
+
switch (encryption)
{
case ENCR_AES_CBC:
@@ -850,6 +982,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
while (enumerator->enumerate(enumerator, &integrity, &plugin_name))
{
+ if (!fips_filter(PROTO_IKE, INTEGRITY_ALGORITHM, integrity))
+ continue;
+
switch (integrity)
{
case AUTH_HMAC_SHA2_256_128:
@@ -905,6 +1040,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
while (enumerator->enumerate(enumerator, &prf, &plugin_name))
{
+ if (!fips_filter(PROTO_IKE, PSEUDO_RANDOM_FUNCTION, prf))
+ continue;
+
switch (prf)
{
case PRF_HMAC_SHA1:
@@ -964,6 +1102,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
while (enumerator->enumerate(enumerator, &group, &plugin_name))
{
+ if (!fips_filter(PROTO_IKE, DIFFIE_HELLMAN_GROUP, group))
+ continue;
+
switch (group)
{
case MODP_NULL:
@@ -1004,6 +1145,10 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
{
private_proposal_t *this = (private_proposal_t*)proposal_create(protocol, 0);
+#define fips_add_algorithm(this, type, alg, len) \
+ if (fips_filter(this->protocol, type, alg)) \
+ add_algorithm(this, type, alg, len);
+
switch (protocol)
{
case PROTO_IKE:
@@ -1014,31 +1159,32 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
}
break;
case PROTO_ESP:
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192);
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256);
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256);
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0);
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0);
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0);
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
- add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192);
+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256);
+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256);
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0);
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0);
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0);
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
+ fips_add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
break;
case PROTO_AH:
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0);
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0);
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0);
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
- add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0);
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0);
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0);
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
+ fips_add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
break;
default:
break;
}
+#undef fips_add_algorithm
return &this->public;
}
--
2.13.2

56
strongswan_modprobe_syslog.patch
View File

@ -1,56 +0,0 @@
Index: strongswan-5.6.2/src/starter/klips.c
===================================================================
--- strongswan-5.6.2.orig/src/starter/klips.c 2016-04-22 22:01:35.000000000 +0200
+++ strongswan-5.6.2/src/starter/klips.c 2018-04-17 16:53:57.534334655 +0200
@@ -30,7 +30,7 @@ bool starter_klips_init(void)
/* ipsec module makes the pf_key proc interface visible */
if (stat(PROC_MODULES, &stb) == 0)
{
- ignore_result(system("modprobe -qv ipsec"));
+ ignore_result(system("modprobe -s ipsec"));
}
/* now test again */
@@ -42,9 +42,9 @@ bool starter_klips_init(void)
}
/* load crypto algorithm modules */
- ignore_result(system("modprobe -qv ipsec_aes"));
- ignore_result(system("modprobe -qv ipsec_blowfish"));
- ignore_result(system("modprobe -qv ipsec_sha2"));
+ ignore_result(system("modprobe -s ipsec_aes"));
+ ignore_result(system("modprobe -s ipsec_blowfish"));
+ ignore_result(system("modprobe -s ipsec_sha2"));
DBG2(DBG_APP, "found KLIPS IPsec stack");
return TRUE;
Index: strongswan-5.6.2/src/starter/netkey.c
===================================================================
--- strongswan-5.6.2.orig/src/starter/netkey.c 2016-04-22 22:01:35.000000000 +0200
+++ strongswan-5.6.2/src/starter/netkey.c 2018-04-17 16:53:57.534334655 +0200
@@ -30,7 +30,7 @@ bool starter_netkey_init(void)
/* af_key module makes the netkey proc interface visible */
if (stat(PROC_MODULES, &stb) == 0)
{
- ignore_result(system("modprobe -qv af_key"));
+ ignore_result(system("modprobe -s af_key"));
}
/* now test again */
@@ -44,11 +44,11 @@ bool starter_netkey_init(void)
/* make sure that all required IPsec modules are loaded */
if (stat(PROC_MODULES, &stb) == 0)
{
- ignore_result(system("modprobe -qv ah4"));
- ignore_result(system("modprobe -qv esp4"));
- ignore_result(system("modprobe -qv ipcomp"));
- ignore_result(system("modprobe -qv xfrm4_tunnel"));
- ignore_result(system("modprobe -qv xfrm_user"));
+ ignore_result(system("modprobe -s ah4"));
+ ignore_result(system("modprobe -s esp4"));
+ ignore_result(system("modprobe -s ipcomp"));
+ ignore_result(system("modprobe -s xfrm4_tunnel"));
+ ignore_result(system("modprobe -s xfrm_user"));
}
DBG2(DBG_APP, "found netkey IPsec stack");