From 809353c19b97c274558e295b61f6ccb247eae61c77ec3da515ed36f57b9ebd23 Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski
Date: Fri, 26 Sep 2014 16:21:04 +0000
Subject: [PATCH] - Re-enabled gcrypt plugin and reverted to not enforce fips again as this breaks gcrypt and openssl plugins when the fips pattern option is not installed (fate#316931,bnc#856322). - Added empty strongswan-hmac package supposed to provide fips hmac files and enforce fips compliant operation later (bnc#856322). - Cleaned up conditional build flags in the rpm spec file.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=73
---
 strongswan-fips-disablegcrypt.patch | 15 ----
 strongswan.changes | 10 +++
 strongswan.spec | 113 +++++++++++++++++++++-------
 3 files changed, 94 insertions(+), 44 deletions(-)
 delete mode 100644 strongswan-fips-disablegcrypt.patch
diff --git a/strongswan-fips-disablegcrypt.patch b/strongswan-fips-disablegcrypt.patch
deleted file mode 100644
index 516aa3d..0000000
--- a/strongswan-fips-disablegcrypt.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-References: fate#316931
-
-Index: strongswan-5.1.3/conf/plugins/gcrypt.conf
-===================================================================
---- strongswan-5.1.3.orig/conf/plugins/gcrypt.conf
-+++ strongswan-5.1.3/conf/plugins/gcrypt.conf
-@@ -2,7 +2,7 @@ gcrypt {
-
- # Whether to load the plugin. Can also be an integer to increase the
- # priority of this plugin.
-- load = yes
-+ load = no
-
- # Use faster random numbers in gcrypt; for testing only, produces weak keys!
- # quick_random = no
diff --git a/strongswan.changes b/strongswan.changes
index f6d144b..696b245 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Fri Sep 26 16:02:09 UTC 2014 - mt@suse.de + +- Re-enabled gcrypt plugin and reverted to not enforce fips again + as this breaks gcrypt and openssl plugins when the fips pattern + option is not installed (fate#316931,bnc#856322). +- Added empty strongswan-hmac package supposed to provide fips hmac + files and enforce fips compliant operation later (bnc#856322). +- Cleaned up conditional build flags in the rpm spec file. + ------------------------------------------------------------------- Thu Jul 3 13:39:45 UTC 2014 - meissner@suse.com diff --git a/strongswan.spec b/strongswan.spec index cc7e7e1..da463b0 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -31,18 +31,16 @@ Release: 0 %else %bcond_with tests %endif -%if 0%{suse_version} > 1110 -%bcond_without mysql -%else -%bcond_with mysql -%endif -%if 0%{suse_version} > 1110 -%bcond_without sqlite %bcond_without gcrypt +%bcond_without mysql +%bcond_without sqlite +%if 0%{suse_version} > 1110 +%bcond_without farp +%bcond_without afalg %bcond_without nm %else -%bcond_with sqlite -%bcond_with gcrypt +%bcond_with farp +%bcond_with afalg %bcond_with nm %endif %if 0%{suse_version} > 1220 @@ -63,7 +61,6 @@ Source4: README.SUSE Source5: %{name}.keyring Patch1: %{name}_modprobe_syslog.patch Patch2: %{name}_ipsec_service.patch -Patch3: %{name}-fips-disablegcrypt.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison BuildRequires: curl-devel @@ -91,11 +88,15 @@ BuildRequires: libgcrypt-devel BuildRequires: NetworkManager-devel %endif %if %{with systemd} -BuildRequires: pkgconfig(systemd) +%{?systemd_requires} %endif BuildRequires: iptables +%if %{with systemd} %{!?_rundir: %global _rundir /run} %{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d} +%else +%{!?_rundir: %global _rundir /var/run} +%endif %description StrongSwan is an OpenSource IPsec-based VPN Solution for Linux 
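Review bot: `%{?systemd_requires}` (the `?` form) expands to nothing when the macro is undefined in the build environment, so replacing `BuildRequires: pkgconfig(systemd)` with it leaves no build dependency that guarantees the systemd macro set is present, and the `%{_unitdir}` and `%service_add_*`/`%service_del_*` uses elsewhere in the spec would then be undefined rather than failing clearly. Keep an explicit build dependency next to it, e.g. `BuildRequires: systemd-rpm-macros`, or retain `pkgconfig(systemd)` inside the same `%if %{with systemd}` block. The `%{!?_rundir: %global _rundir /var/run}` fallback in the `%else` branch deserves a one-line comment saying it only applies when no macro package defines `_rundir`, since the same name is later used for the PID directory and resolv.conf.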
@@ -161,6 +162,15 @@ StrongSwan is an OpenSource IPsec-based VPN Solution for Linux This package provides the strongswan library and plugins. +%package hmac +Summary: HMAC files for FIPS-140-2 integrity +Group: Productivity/Networking/Security +Requires: strongswan-libs0 = %{version} + +%description hmac +The package is supposed to provide HMAC hash files for FIPS-140-2 +integrity and enforce FIPS-140-2 compliant operation. + %package ipsec Summary: OpenSource IPsec-based VPN Solution Group: Productivity/Networking/Security @@ -244,7 +254,6 @@ and the load testing plugin for IKEv2 daemon. %setup -q -n %{name}-%{upstream_version} %patch1 -p0 %patch2 -p0 -%patch3 -p1 sed -e 's|@libexecdir@|%_libexecdir|g' \ < $RPM_SOURCE_DIR/strongswan.init.in \ > strongswan.init @@ -255,24 +264,28 @@ export RPM_OPT_FLAGS CFLAGS #libtoolize --force #autoreconf %configure \ - --enable-conftest \ --enable-integrity-test \ --with-capabilities=libcap \ --with-plugindir=%{strongswan_plugins} \ - --with-fips=2 \ --with-resolv-conf=%{_rundir}/%{name}/resolv.conf \ --with-piddir=%{_rundir}/%{name} \ --enable-pkcs11 \ --enable-openssl \ --enable-agent \ +%if %{with gcrypt} --enable-gcrypt \ +%else + --disable-gcrypt \ +%endif --enable-blowfish \ --enable-ctr \ --enable-ccm \ --enable-gcm \ --enable-unity \ --enable-md4 \ +%if %{with afalg} --enable-af-alg \ +%endif --enable-eap-sim \ --enable-eap-sim-file \ --enable-eap-sim-pcsc \ @@ -305,7 +318,9 @@ export RPM_OPT_FLAGS CFLAGS --enable-imv-scanner \ --enable-ha \ --enable-dhcp \ +%if %{with farp} --enable-farp \ +%endif --enable-smp \ --enable-sql \ --enable-attr-sql \ @@ -322,15 +337,13 @@ export RPM_OPT_FLAGS CFLAGS %if %{with sqlite} --enable-sqlite \ %endif -%if %{with gcrypt} - --enable-gcrypt \ -%endif %if %{with nm} --enable-nm \ %else --disable-nm \ %endif %if %{with tests} + --enable-conftest \ --enable-load-tester \ --enable-test-vectors \ %endif 
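Review bot: `Requires: strongswan-libs0 = %{version}` in the new `%package hmac` pins only the version, so a libs0 rebuilt with a different release still satisfies it; if the HMAC files are meant to match the exact library build they will verify, the dependency should be `Requires: strongswan-libs0 = %{version}-%{release}`. Because `%files hmac` (hunk @@ -402,20 +434,22 @@) ships no files, installing this package currently performs no integrity check at all; the description should state that plainly, e.g. `This package is currently empty and does not yet enable FIPS-140-2 mode.`, so that its presence on a system is not mistaken for FIPS-compliant operation.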
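Review bot: With `--with-fips=2 \` removed, `--enable-integrity-test \` only compiles the checksum support in; as far as I recall the check itself runs only when `libstrongswan.integrity_test` is enabled in strongswan.conf, and nothing in this hunk sets it, so after this change the package performs no startup integrity check. A short comment above `--enable-integrity-test \` saying that the test is built but not enforced, and that enforcement is deferred to the hmac package per the commit message, would keep the next maintainer from assuming FIPS mode is active. The `%configure` call continues past the end of this hunk.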
@@ -344,7 +357,9 @@ make %{?_smp_mflags:%_smp_mflags} export RPM_BUILD_ROOT install -d -m755 ${RPM_BUILD_ROOT}%{_sbindir}/ install -d -m755 ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.d/ -%if ! %{with systemd} +%if %{with systemd} +ln -sf %_sbindir/service ${RPM_BUILD_ROOT}%_sbindir/rcstrongswan +%else install -d -m755 ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ install -m755 strongswan.init ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ipsec ln -s %{_sysconfdir}/init.d/ipsec ${RPM_BUILD_ROOT}%{_sbindir}/rcipsec @@ -362,6 +377,12 @@ cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets # EOT # +%if ! %{with mysql} +rm -f $RPM_BUILD_ROOT%{strongswan_templates}/database/sql/mysql.sql +%endif +%if ! %{with sqlite} +rm -f $RPM_BUILD_ROOT%{strongswan_templates}/database/sql/sqlite.sql +%endif rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so find $RPM_BUILD_ROOT%{strongswan_libdir} -type f -name "*.la" -delete 
@@ -372,26 +393,37 @@ install -c -m644 TODO NEWS README COPYING LICENSE \ ${RPM_BUILD_ROOT}%{strongswan_docdir}/ install -c -m644 ${RPM_SOURCE_DIR}/README.SUSE \ ${RPM_BUILD_ROOT}%{strongswan_docdir}/ - +%if %{with systemd} %{__install} -d -m 0755 %{buildroot}%{_tmpfilesdir} echo 'd %{_rundir}/%{name} 0770 root root' > %{buildroot}%{_tmpfilesdir}/%{name}.conf +%endif -%post libs0 -p /sbin/ldconfig +%post libs0 +/sbin/ldconfig +%if %{with systemd} +%{?tmpfiles_create: %tmpfiles_create %{_tmpfilesdir}/%{name}.conf} +%else +test -d %{_rundir}/%{name} || %{__mkdir_p} %{_rundir}/%{name} +%endif %postun libs0 -p /sbin/ldconfig %pre ipsec +%if %{with systemd} %service_add_pre %{name}.service +%endif %post ipsec -%if ! %{with systemd} +%if %{with systemd} +%service_add_post %{name}.service +%else %{fillup_and_insserv ipsec} %endif -%{?tmpfiles_create: %tmpfiles_create %{_tmpfilesdir}/%{name}.conf } -%service_add_post %{name}.service %preun ipsec -%if ! %{with systemd} +%if %{with systemd} +%service_del_preun %{name}.service +%else %{stop_on_removal ipsec} %endif if test -s %{_sysconfdir}/ipsec.secrets.rpmsave ; then @@ -402,20 +434,22 @@ if test -s %{_sysconfdir}/ipsec.conf.rpmsave ; then cp -p --backup=numbered %{_sysconfdir}/ipsec.conf.rpmsave \ %{_sysconfdir}/ipsec.conf.rpmsave.old fi -%service_del_preun %{name}.service %postun ipsec -%if ! %{with systemd} +%if %{with systemd} +%service_del_postun %{name}.service +%else %{insserv_cleanup} %endif -%service_del_postun %{name}.service - %files %defattr(-,root,root) %dir %{strongswan_docdir} %{strongswan_docdir}/README.SUSE +%files hmac +%defattr(-,root,root) + %files ipsec %defattr(-,root,root) %config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.conf @@ -431,6 +465,7 @@ fi %dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private %if %{with systemd} %{_unitdir}/strongswan.service +%{_sbindir}/rcstrongswan %else %config %{_sysconfdir}/init.d/ipsec %{_sbindir}/rcipsec 
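Review bot: In the new `%post libs0`, the non-systemd branch creates the runtime directory with `%{__mkdir_p} %{_rundir}/%{name}`, which inherits the umask at install time, while the systemd branch declares the same directory as `d %{_rundir}/%{name} 0770 root root`; the two install paths therefore end up with different permissions on the directory that holds the PID file and resolv.conf. Create it with an explicit mode in both cases, e.g. `test -d %{_rundir}/%{name} || install -d -m 0770 -o root -g root %{_rundir}/%{name}`. A directory created in `%post` under `%{_rundir}` is also lost after a reboot wherever that location is volatile, which presumably relies on the init script recreating it; a comment stating that expectation would help.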
@@ -446,7 +481,9 @@ fi %{_libexecdir}/ipsec/_copyright %{_libexecdir}/ipsec/_updown %{_libexecdir}/ipsec/_updown_espmark +%if %{with test} %{_libexecdir}/ipsec/conftest +%endif %{_libexecdir}/ipsec/duplicheck %{_libexecdir}/ipsec/pool %{_libexecdir}/ipsec/pt-tls-client @@ -459,7 +496,6 @@ fi %dir %{strongswan_plugins} %{strongswan_plugins}/libstrongswan-stroke.so %{strongswan_plugins}/libstrongswan-updown.so -%{_tmpfilesdir}/%{name}.conf %files doc %defattr(-,root,root) @@ -477,6 +513,9 @@ fi %files libs0 %defattr(-,root,root) +%if %{with systemd} +%{_tmpfilesdir}/%{name}.conf +%endif %config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf %dir %{strongswan_configs} %dir %{strongswan_configs}/charon @@ -489,7 +528,9 @@ fi %config(noreplace) %attr(600,root,root) %{strongswan_configs}/tools.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf +%if %{with afalg} %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/af-alg.conf +%endif %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/agent.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/attr.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/attr-sql.conf 
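Review bot: `%if %{with test}` around `%{_libexecdir}/ipsec/conftest` tests a bcond named `test`, but the option defined at the top of the spec (`%bcond_with tests`, hunk @@ -31,18 +31,16 @@) and used to gate `--enable-conftest \` (hunk @@ -322,15 +337,13 @@) is `tests`; `%{with test}` is always false, so a build with `--with tests` installs conftest but never packages it and fails on unpackaged files, while a default build is unaffected only by accident. Change the guard to `%if %{with tests}`.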
@@ -523,10 +564,14 @@ fi %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-tls.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-tnc.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-ttls.conf +%if %{with farp} %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/farp.conf +%endif %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/fips-prf.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gcm.conf +%if %{with gcrypt} %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gcrypt.conf +%endif %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gmp.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ha.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/hmac.conf @@ -591,7 +636,9 @@ fi %dir %{strongswan_plugins} %{strongswan_plugins}/libstrongswan-addrblock.so %{strongswan_plugins}/libstrongswan-aes.so +%if %{with afalg} %{strongswan_plugins}/libstrongswan-af-alg.so +%endif %{strongswan_plugins}/libstrongswan-agent.so %{strongswan_plugins}/libstrongswan-attr.so %{strongswan_plugins}/libstrongswan-attr-sql.so @@ -625,7 +672,9 @@ fi %{strongswan_plugins}/libstrongswan-eap-tls.so %{strongswan_plugins}/libstrongswan-eap-tnc.so %{strongswan_plugins}/libstrongswan-eap-ttls.so +%if %{with farp} %{strongswan_plugins}/libstrongswan-farp.so +%endif %{strongswan_plugins}/libstrongswan-fips-prf.so %{strongswan_plugins}/libstrongswan-gcm.so %if %{with gcrypt} @@ -685,7 +734,9 @@ fi %{strongswan_templates}/config/strongswan.conf %{strongswan_templates}/config/plugins/addrblock.conf %{strongswan_templates}/config/plugins/aes.conf +%if %{with afalg} %{strongswan_templates}/config/plugins/af-alg.conf +%endif %{strongswan_templates}/config/plugins/agent.conf %{strongswan_templates}/config/plugins/attr-sql.conf %{strongswan_templates}/config/plugins/attr.conf 
@@ -719,10 +770,14 @@ fi %{strongswan_templates}/config/plugins/eap-tls.conf %{strongswan_templates}/config/plugins/eap-tnc.conf %{strongswan_templates}/config/plugins/eap-ttls.conf +%if %{with farp} %{strongswan_templates}/config/plugins/farp.conf +%endif %{strongswan_templates}/config/plugins/fips-prf.conf %{strongswan_templates}/config/plugins/gcm.conf +%if %{with gcrypt} %{strongswan_templates}/config/plugins/gcrypt.conf +%endif %{strongswan_templates}/config/plugins/gmp.conf %{strongswan_templates}/config/plugins/ha.conf %{strongswan_templates}/config/plugins/hmac.conf