diff --git a/fips-enforce.conf b/fips-enforce.conf
index 637b5c8..5e140cc 100644
--- a/fips-enforce.conf
+++ b/fips-enforce.conf
@@ -3,8 +3,7 @@
# and kernel crypto API (af-alg) algorithms are supported.
#
# The strongswan-hmac package is supposed to be used/installed when fips
-# is enabled and provides the hmac hashes, a "ipsec _fipscheck" script
-# verifying the components and this blacklist disabling other plugins
+# is enabled and provides this blacklist disabling other plugins
# providing further and/or alternative algorithm implementations.
#
gcrypt {
diff --git a/fipscheck.sh.in b/fipscheck.sh.in
deleted file mode 100644
index 54c989c..0000000
--- a/fipscheck.sh.in
+++ /dev/null
@@ -1,69 +0,0 @@
-#! /bin/bash
-#
-# Copyright (C) 2014 SUSE LINUX GmbH, Nuernberg, Germany.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, see .
-#
-# Author: Marius Tomaschewski
-#
-IPSEC_DIR="@IPSEC_DIR@"
-IPSEC_LIBDIR="@IPSEC_LIBDIR@"
-IPSEC_BINDIR="@IPSEC_BINDIR@"
-IPSEC_SBINDIR="@IPSEC_SBINDIR@"
-fipscheck_bin="/usr/bin/fipscheck"
-
-# minimal usage hint
-if test $# -gt 0 ; then
- echo "usage: ipsec _fipscheck" >&2
- exit 2
-fi
-
-#
-# "ipsec xxx" starts this script only if crypto/fips_enabled=1,
-# except while a manually enforced check via "ipsec _fipscheck".
-#
-#read 2>/dev/null fips_enabled < /proc/sys/crypto/fips_enabled
-#test "X$fips_enabled" = "X1" || exit 0
-
-# verify that fipscheck is installed
-test -x "$fipscheck_bin" || {
- test "X$FIPSCHECK_DEBUG" = "Xerror" && \
- echo "${0##*/}: $fipscheck_bin utility missed" >&2
- exit 4
-}
-
-shopt -s nullglob
-
-files=()
-for h in ${IPSEC_DIR}/.*.hmac \
- ${IPSEC_LIBDIR}/.*.hmac \
- ${IPSEC_LIBDIR}/imcvs/.*.hmac \
- ${IPSEC_LIBDIR}/plugins/.*.hmac \
- ${IPSEC_SBINDIR}/.ipsec.hmac \
- ;
-do
- dir="${h%/*}"
- name="${h##*/.}"
- file="${dir}/${name%.hmac}"
- # some part is not installed
- test -f "${file}" && files+=("$file")
-done
-
-if test ${#files[@]} -gt 0 ; then
- $fipscheck_bin ${files[@]} ; exit $?
-elif test "X$FIPSCHECK_DEBUG" = "Xerror" ; then
- echo "${0##*/}: unable to find any checksum/hmac file" >&2
-fi
-exit 3
-
diff --git a/strongswan.changes b/strongswan.changes
index c67e46f..cb3057b 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Thu Jun 22 13:24:08 UTC 2023 - Mohd Saquib
+
+- Removed .hmac files + hmac integrity check logic from strongswan-hmac
+ package as it is not mandated anymore by FIPS (boo#1185116)
+- Removed folliwng files:
+ [- strongswan_fipscheck.patch]
+ [- fipscheck.sh.in]
+ Note: strongswan-hmac package is not removed as it still provides a
+ config file that doesn't allow non-fips approved algorithms
+
-------------------------------------------------------------------
Mon Jun 12 15:54:53 UTC 2023 - Jan Engelhardt
diff --git a/strongswan.spec b/strongswan.spec
index 7410a41..85cfcef 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -55,13 +55,9 @@ Source3: %{name}-rpmlintrc
Source4: README.SUSE
Source5: %{name}.keyring
%if %{with fipscheck}
-Source6: fipscheck.sh.in
Source7: fips-enforce.conf
%endif
Patch2: %{name}_ipsec_service.patch
-%if %{with fipscheck}
-Patch3: %{name}_fipscheck.patch
-%endif
Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
Patch6: harden_strongswan.service.patch
BuildRequires: bison
@@ -95,9 +91,6 @@ BuildRequires: pkgconfig(libsystemd)
%{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d}
BuildRequires: autoconf
BuildRequires: automake
-%if %{with fipscheck}
-BuildRequires: fipscheck
-%endif
BuildRequires: libtool
Requires: strongswan-ipsec = %{version}
@@ -153,18 +146,14 @@ StrongSwan is an IPsec-based VPN solution for Linux.
This package provides the strongswan library and plugins.
%package hmac
-Summary: HMAC files for FIPS-140-2 integrity in strongSwan
+Summary: Config file to disable non FIPS-140-2 algos in strongSwan
Group: Productivity/Networking/Security
-Requires: fipscheck
Requires: strongswan-ipsec = %{version}
Requires: strongswan-libs0 = %{version}
%description hmac
-The package provides HMAC hash files for FIPS-140-2 integrity checks,
-a config file disabling alternative algorithm implementations and a
-_fipscheck helper script preforming the integrity checks before e.g.
-"ipsec start" action is executed, when FIPS-140-2 compliant operation
-mode is enabled.
+The package provides a config file disabling alternative algorithm
+implementation when FIPS-140-2 compliant operation mode is enabled.
%package ipsec
Summary: IPsec-based VPN solution
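Review bot: The new `%package hmac` wording reads awkwardly and drops a plural that the old text had: `Summary: Config file to disable non FIPS-140-2 algos in strongSwan` and `implementation when FIPS-140-2 compliant operation mode is enabled.` I would write `Summary: Config file disabling non-FIPS-140-2 algorithms in strongSwan` and `implementations when FIPS-140-2 compliant operation mode is enabled.` Since the package no longer ships HMAC files, it may also be worth a sentence in the description saying that no runtime integrity check is performed anymore and that the package only installs the zzz_fips-enforce.conf plugin blacklist, so users who relied on the old `ipsec _fipscheck` behaviour are not surprised; the changelog states this, but the package description is what users see.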
@@ -230,21 +219,10 @@ and the load testing plugin for IKEv2 daemon.
%prep
%setup -q -n %{name}-%{upstream_version}
%patch2 -p1
-%if %{with fipscheck}
-%patch3 -p1
-%endif
%patch5 -p1
sed -e 's|@libexecdir@|%_libexecdir|g' \
< %{_sourcedir}/strongswan.init.in \
> strongswan.init
-%if %{with fipscheck}
-sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \
- -e 's|@IPSEC_LIBDIR@|%{_libdir}/ipsec|g' \
- -e 's|@IPSEC_SBINDIR@|%{_sbindir}|g' \
- -e 's|@IPSEC_BINDIR@|%{_bindir}|g' \
- < %{_sourcedir}/fipscheck.sh.in \
- > _fipscheck
-%endif
%patch6 -p1
%build
@@ -412,33 +390,10 @@ install -c -m644 %{_sourcedir}/README.SUSE \
install -d -m 0755 %{buildroot}%{_tmpfilesdir}
echo 'd %{_rundir}/%{name} 0770 root root' > %{buildroot}%{_tmpfilesdir}/%{name}.conf
%if %{with fipscheck}
-#
-# note: keep the following, _fipscheck's and file lists in sync
-#
-install -c -m750 _fipscheck %{buildroot}/%{_libexecdir}/ipsec/
install -c -m644 %{_sourcedir}/fips-enforce.conf \
%{buildroot}/%{strongswan_configs}/charon/zzz_fips-enforce.conf
# disable bypass-lan plugin by default
sed -i 's/\(load[ ]*=[ ]*\)yes/\1no/g' %{buildroot}/%{strongswan_configs}/charon/bypass-lan.conf
-# create fips hmac hashes _after_ install post run
-%{expand:%%global __os_install_post {%__os_install_post
- for f in %{buildroot}/%{strongswan_libdir}/lib*.so.*.*.* \
- %{buildroot}/%{strongswan_libdir}/imcvs/*.so \
- %{buildroot}/%{strongswan_plugins}/*.so \
- %{buildroot}/%{_libexecdir}/ipsec/charon \
- %{buildroot}/%{_libexecdir}/ipsec/charon-nm \
- %{buildroot}/%{_libexecdir}/ipsec/stroke \
- %{buildroot}/%{_libexecdir}/ipsec/starter \
- %{buildroot}/%{_libexecdir}/ipsec/pool \
- %{buildroot}/%{_libexecdir}/ipsec/imv_policy_manager \
- %{buildroot}/%{_libexecdir}/ipsec/_fipscheck \
- %{buildroot}/%{_bindir}/pt-tls-client \
- %{buildroot}/%{_sbindir}/ipsec \
- ;
- do
- /usr/bin/fipshmac "$f"
- done
-}}
%endif
%post libs0
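Review bot: After this hunk the `%if %{with fipscheck}` block in `%install` only guards the `install -c -m644 %{_sourcedir}/fips-enforce.conf` line, while the `fipscheck` BuildRequires and the `fipshmac` post-install hook that gave the bcond its name are gone, so the conditional's name no longer describes what it toggles; the same is true of the `%if %{with fipscheck}` guards around `Source7` and in `%files hmac`. The `%bcond` definition itself is outside the hunk, so renaming it is presumably a wider change; at minimum I would add a comment above the `%if`, e.g. `# "fipscheck" bcond now only selects the FIPS plugin blacklist (zzz_fips-enforce.conf); no fipscheck/fipshmac tooling is involved anymore`. The enclosing `%install` section starts and ends outside the hunk.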
@@ -498,16 +453,6 @@ fi
%dir %{strongswan_configs}
%dir %{strongswan_configs}/charon
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/zzz_fips-enforce.conf
-%dir %{strongswan_libdir}
-%{strongswan_libdir}/.*.hmac
-%{strongswan_libdir}/imcvs/.*.hmac
-%dir %{strongswan_plugins}
-%{strongswan_plugins}/.*.hmac
-%dir %{_libexecdir}/ipsec
-%{_libexecdir}/ipsec/_fipscheck
-%{_libexecdir}/ipsec/.*.hmac
-%{_sbindir}/.ipsec.hmac
-%{_bindir}/.pt-tls-client.hmac
%endif
%files ipsec
diff --git a/strongswan_fipscheck.patch b/strongswan_fipscheck.patch
deleted file mode 100644
index 50bfb3f..0000000
--- a/strongswan_fipscheck.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
-index ea399b8..ea8ed8a 100644
---- a/src/ipsec/_ipsec.in
-+++ b/src/ipsec/_ipsec.in
-@@ -46,6 +46,26 @@ IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity o
-
- command_dir="$IPSEC_DIR"
-
-+fipscheck()
-+{
-+ # when fips operation mode is not enabled, just report OK
-+ read 2>/dev/null fips_enabled < /proc/sys/crypto/fips_enabled
-+ test "X$fips_enabled" = "X1" || return 0
-+
-+ # complain when _fipscheck is missed
-+ test -x "$IPSEC_DIR/_fipscheck" || {
-+ echo "ipsec: please install strongswan-hmac package required in fips mode" >&2
-+ return 4
-+ }
-+
-+ # now execute it
-+ $IPSEC_DIR/_fipscheck || {
-+ rc=$?
-+ echo "ipsec: strongSwan fips file integrity check failed" >&2
-+ return $rc
-+ }
-+}
-+
- case "$1" in
- '')
- echo "$IPSEC_SCRIPT command [arguments]"
-@@ -153,6 +173,7 @@ rereadall|purgeocsp|listcounters|resetcounters)
- shift
- if [ -e $IPSEC_CHARON_PID ]
- then
-+ fipscheck || exit $?
- $IPSEC_STROKE "$op" "$@"
- rc="$?"
- fi
-@@ -162,6 +183,7 @@ purgeike|purgecrls|purgecerts)
- rc=7
- if [ -e $IPSEC_CHARON_PID ]
- then
-+ fipscheck || exit $?
- $IPSEC_STROKE "$1"
- rc="$?"
- fi
-@@ -195,6 +217,7 @@ route|unroute)
- fi
- if [ -e $IPSEC_CHARON_PID ]
- then
-+ fipscheck || exit $?
- $IPSEC_STROKE "$op" "$1"
- rc="$?"
- fi
-@@ -204,6 +227,7 @@ secrets)
- rc=7
- if [ -e $IPSEC_CHARON_PID ]
- then
-+ fipscheck || exit $?
- $IPSEC_STROKE rereadsecrets
- rc="$?"
- fi
-@@ -211,6 +235,7 @@ secrets)
- ;;
- start)
- shift
-+ fipscheck || exit $?
- if [ -d /var/lock/subsys ]; then
- touch /var/lock/subsys/ipsec
- fi
-@@ -289,6 +314,7 @@ up)
- rc=7
- if [ -e $IPSEC_CHARON_PID ]
- then
-+ fipscheck || exit $?
- $IPSEC_STROKE up "$1"
- rc="$?"
- fi
-@@ -338,6 +364,11 @@ esac
- cmd="$1"
- shift
-
-+case $cmd in
-+_fipscheck|_copyright|pki) ;;
-+*) fipscheck || exit $? ;;
-+esac
-+
- path="$command_dir/$cmd"
-
- if [ ! -x "$path" ]