From 26fbd0f033fdb32d6fc2ef579218c63605dd21c404b5a9e75f028d82282d8682 Mon Sep 17 00:00:00 2001 From: Mohd Saquib Date: Fri, 23 Jun 2023 09:01:07 +0000 Subject: [PATCH] Accepting request 1094809 from home:msaquib:branches:network:vpn - Removed .hmac files + hmac integrity check logic from strongswan-hmac package as it is not mandated anymore by FIPS (boo#1185116) - Removed folliwng files: [- strongswan_fipscheck.patch] [- fipscheck.sh.in] Note: strongswan-hmac package is not removed as it still provides a config file that doesn't allow non-fips approved algorithms OBS-URL: https://build.opensuse.org/request/show/1094809 OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=153 --- fips-enforce.conf | 3 +- fipscheck.sh.in | 69 ----------------------------- strongswan.changes | 11 +++++ strongswan.spec | 61 ++----------------------- strongswan_fipscheck.patch | 91 -------------------------------------- 5 files changed, 15 insertions(+), 220 deletions(-) delete mode 100644 fipscheck.sh.in delete mode 100644 strongswan_fipscheck.patch diff --git a/fips-enforce.conf b/fips-enforce.conf index 637b5c8..5e140cc 100644 --- a/fips-enforce.conf +++ b/fips-enforce.conf @@ -3,8 +3,7 @@ # and kernel crypto API (af-alg) algorithms are supported. # # The strongswan-hmac package is supposed to be used/installed when fips -# is enabled and provides the hmac hashes, a "ipsec _fipscheck" script -# verifying the components and this blacklist disabling other plugins +# is enabled and provides this blacklist disabling other plugins # providing further and/or alternative algorithm implementations. # gcrypt { diff --git a/fipscheck.sh.in b/fipscheck.sh.in deleted file mode 100644 index 54c989c..0000000 --- a/fipscheck.sh.in +++ /dev/null 
@@ -1,69 +0,0 @@
-#! /bin/bash
-#
-# Copyright (C) 2014 SUSE LINUX GmbH, Nuernberg, Germany.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, see .
-#
-# Author: Marius Tomaschewski
-#
-IPSEC_DIR="@IPSEC_DIR@"
-IPSEC_LIBDIR="@IPSEC_LIBDIR@"
-IPSEC_BINDIR="@IPSEC_BINDIR@"
-IPSEC_SBINDIR="@IPSEC_SBINDIR@"
-fipscheck_bin="/usr/bin/fipscheck"
-
-# minimal usage hint
-if test $# -gt 0 ; then
- echo "usage: ipsec _fipscheck" >&2
- exit 2
-fi
-
-#
-# "ipsec xxx" starts this script only if crypto/fips_enabled=1,
-# except while a manually enforced check via "ipsec _fipscheck".
-#
-#read 2>/dev/null fips_enabled < /proc/sys/crypto/fips_enabled
-#test "X$fips_enabled" = "X1" || exit 0
-
-# verify that fipscheck is installed
-test -x "$fipscheck_bin" || {
- test "X$FIPSCHECK_DEBUG" = "Xerror" && \
- echo "${0##*/}: $fipscheck_bin utility missed" >&2
- exit 4
-}
-
-shopt -s nullglob
-
-files=()
-for h in ${IPSEC_DIR}/.*.hmac \
- ${IPSEC_LIBDIR}/.*.hmac \
- ${IPSEC_LIBDIR}/imcvs/.*.hmac \
- ${IPSEC_LIBDIR}/plugins/.*.hmac \
- ${IPSEC_SBINDIR}/.ipsec.hmac \
- ;
-do
- dir="${h%/*}"
- name="${h##*/.}"
- file="${dir}/${name%.hmac}"
- # some part is not installed
- test -f "${file}" && files+=("$file")
-done
-
-if test ${#files[@]} -gt 0 ; then
- $fipscheck_bin ${files[@]} ; exit $?
-elif test "X$FIPSCHECK_DEBUG" = "Xerror" ; then
- echo "${0##*/}: unable to find any checksum/hmac file" >&2
-fi
-exit 3
-
diff --git a/strongswan.changes b/strongswan.changes index c67e46f..cb3057b 100644 --- a/strongswan.changes +++ b/strongswan.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Thu Jun 22 13:24:08 UTC 2023 - Mohd Saquib + +- Removed .hmac files + hmac integrity check logic from strongswan-hmac + package as it is not mandated anymore by FIPS (boo#1185116) +- Removed folliwng files: + [- strongswan_fipscheck.patch] + [- fipscheck.sh.in] + Note: strongswan-hmac package is not removed as it still provides a + config file that doesn't allow non-fips approved algorithms + ------------------------------------------------------------------- Mon Jun 12 15:54:53 UTC 2023 - Jan Engelhardt diff --git a/strongswan.spec b/strongswan.spec index 7410a41..85cfcef 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -55,13 +55,9 @@ Source3: %{name}-rpmlintrc Source4: README.SUSE Source5: %{name}.keyring %if %{with fipscheck} -Source6: fipscheck.sh.in Source7: fips-enforce.conf %endif Patch2: %{name}_ipsec_service.patch -%if %{with fipscheck} -Patch3: %{name}_fipscheck.patch -%endif Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch Patch6: harden_strongswan.service.patch BuildRequires: bison @@ -95,9 +91,6 @@ BuildRequires: pkgconfig(libsystemd) %{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d} BuildRequires: autoconf BuildRequires: automake -%if %{with fipscheck} -BuildRequires: fipscheck -%endif BuildRequires: libtool Requires: strongswan-ipsec = %{version} 
@@ -153,18 +146,14 @@ StrongSwan is an IPsec-based VPN solution for Linux. This package provides the strongswan library and plugins. %package hmac -Summary: HMAC files for FIPS-140-2 integrity in strongSwan +Summary: Config file to disable non FIPS-140-2 algos in strongSwan Group: Productivity/Networking/Security -Requires: fipscheck Requires: strongswan-ipsec = %{version} Requires: strongswan-libs0 = %{version} %description hmac -The package provides HMAC hash files for FIPS-140-2 integrity checks, -a config file disabling alternative algorithm implementations and a -_fipscheck helper script preforming the integrity checks before e.g. -"ipsec start" action is executed, when FIPS-140-2 compliant operation -mode is enabled. +The package provides a config file disabling alternative algorithm +implementation when FIPS-140-2 compliant operation mode is enabled. %package ipsec Summary: IPsec-based VPN solution @@ -230,21 +219,10 @@ and the load testing plugin for IKEv2 daemon. %prep %setup -q -n %{name}-%{upstream_version} %patch2 -p1 -%if %{with fipscheck} -%patch3 -p1 -%endif %patch5 -p1 sed -e 's|@libexecdir@|%_libexecdir|g' \ < %{_sourcedir}/strongswan.init.in \ > strongswan.init -%if %{with fipscheck} -sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \ - -e 's|@IPSEC_LIBDIR@|%{_libdir}/ipsec|g' \ - -e 's|@IPSEC_SBINDIR@|%{_sbindir}|g' \ - -e 's|@IPSEC_BINDIR@|%{_bindir}|g' \ - < %{_sourcedir}/fipscheck.sh.in \ - > _fipscheck -%endif %patch6 -p1 %build 
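Review bot: The new `%description hmac` does not mention that installing this package on a FIPS-enabled host is now a purely manual step. The strongswan_fipscheck.patch deleted in this same commit made `ipsec` print "please install strongswan-hmac package required in fips mode" and return 4 when the helper was missing, and nothing visible in this change replaces that check. As far as this diff shows, a FIPS-mode host without strongswan-hmac would start strongSwan without the zzz_fips-enforce.conf restrictions and without any warning. I would say so in the description, for example by appending `This package has to be installed explicitly on FIPS-enabled hosts; strongSwan no longer checks for it at startup.` Whether another package should pull it in automatically is a packaging decision I cannot judge from this hunk.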
@@ -412,33 +390,10 @@ install -c -m644 %{_sourcedir}/README.SUSE \ install -d -m 0755 %{buildroot}%{_tmpfilesdir} echo 'd %{_rundir}/%{name} 0770 root root' > %{buildroot}%{_tmpfilesdir}/%{name}.conf %if %{with fipscheck} -# -# note: keep the following, _fipscheck's and file lists in sync -# -install -c -m750 _fipscheck %{buildroot}/%{_libexecdir}/ipsec/ install -c -m644 %{_sourcedir}/fips-enforce.conf \ %{buildroot}/%{strongswan_configs}/charon/zzz_fips-enforce.conf # disable bypass-lan plugin by default sed -i 's/\(load[ ]*=[ ]*\)yes/\1no/g' %{buildroot}/%{strongswan_configs}/charon/bypass-lan.conf -# create fips hmac hashes _after_ install post run -%{expand:%%global __os_install_post {%__os_install_post - for f in %{buildroot}/%{strongswan_libdir}/lib*.so.*.*.* \ - %{buildroot}/%{strongswan_libdir}/imcvs/*.so \ - %{buildroot}/%{strongswan_plugins}/*.so \ - %{buildroot}/%{_libexecdir}/ipsec/charon \ - %{buildroot}/%{_libexecdir}/ipsec/charon-nm \ - %{buildroot}/%{_libexecdir}/ipsec/stroke \ - %{buildroot}/%{_libexecdir}/ipsec/starter \ - %{buildroot}/%{_libexecdir}/ipsec/pool \ - %{buildroot}/%{_libexecdir}/ipsec/imv_policy_manager \ - %{buildroot}/%{_libexecdir}/ipsec/_fipscheck \ - %{buildroot}/%{_bindir}/pt-tls-client \ - %{buildroot}/%{_sbindir}/ipsec \ - ; - do - /usr/bin/fipshmac "$f" - done -}} %endif %post libs0 @@ -498,16 +453,6 @@ fi %dir %{strongswan_configs} %dir %{strongswan_configs}/charon %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/zzz_fips-enforce.conf -%dir %{strongswan_libdir} -%{strongswan_libdir}/.*.hmac -%{strongswan_libdir}/imcvs/.*.hmac -%dir %{strongswan_plugins} -%{strongswan_plugins}/.*.hmac -%dir %{_libexecdir}/ipsec -%{_libexecdir}/ipsec/_fipscheck -%{_libexecdir}/ipsec/.*.hmac -%{_sbindir}/.ipsec.hmac -%{_bindir}/.pt-tls-client.hmac %endif %files ipsec diff --git a/strongswan_fipscheck.patch b/strongswan_fipscheck.patch deleted file mode 100644 index 50bfb3f..0000000 
--- a/strongswan_fipscheck.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
-index ea399b8..ea8ed8a 100644
---- a/src/ipsec/_ipsec.in
-+++ b/src/ipsec/_ipsec.in
-@@ -46,6 +46,26 @@ IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity o
-
- command_dir="$IPSEC_DIR"
-
-+fipscheck()
-+{
-+ # when fips operation mode is not enabled, just report OK
-+ read 2>/dev/null fips_enabled < /proc/sys/crypto/fips_enabled
-+ test "X$fips_enabled" = "X1" || return 0
-+
-+ # complain when _fipscheck is missed
-+ test -x "$IPSEC_DIR/_fipscheck" || {
-+ echo "ipsec: please install strongswan-hmac package required in fips mode" >&2
-+ return 4
-+ }
-+
-+ # now execute it
-+ $IPSEC_DIR/_fipscheck || {
-+ rc=$?
-+ echo "ipsec: strongSwan fips file integrity check failed" >&2
-+ return $rc
-+ }
-+}
-+
- case "$1" in
- '')
- echo "$IPSEC_SCRIPT command [arguments]"
-@@ -153,6 +173,7 @@ rereadall|purgeocsp|listcounters|resetcounters)
- shift
- if [ -e $IPSEC_CHARON_PID ]
- then
-+ fipscheck || exit $?
- $IPSEC_STROKE "$op" "$@"
- rc="$?"
- fi
-@@ -162,6 +183,7 @@ purgeike|purgecrls|purgecerts)
- rc=7
- if [ -e $IPSEC_CHARON_PID ]
- then
-+ fipscheck || exit $?
- $IPSEC_STROKE "$1"
- rc="$?"
- fi
-@@ -195,6 +217,7 @@ route|unroute)
- fi
- if [ -e $IPSEC_CHARON_PID ]
- then
-+ fipscheck || exit $?
- $IPSEC_STROKE "$op" "$1"
- rc="$?"
- fi
-@@ -204,6 +227,7 @@ secrets)
- rc=7
- if [ -e $IPSEC_CHARON_PID ]
- then
-+ fipscheck || exit $?
- $IPSEC_STROKE rereadsecrets
- rc="$?"
- fi
-@@ -211,6 +235,7 @@ secrets)
- ;;
- start)
- shift
-+ fipscheck || exit $?
- if [ -d /var/lock/subsys ]; then
- touch /var/lock/subsys/ipsec
- fi
-@@ -289,6 +314,7 @@ up)
- rc=7
- if [ -e $IPSEC_CHARON_PID ]
- then
-+ fipscheck || exit $?
- $IPSEC_STROKE up "$1"
- rc="$?"
- fi
-@@ -338,6 +364,11 @@ esac
- cmd="$1"
- shift
-
-+case $cmd in
-+_fipscheck|_copyright|pki) ;;
-+*) fipscheck || exit $? ;;
-+esac
-+
- path="$command_dir/$cmd"
-
- if [ ! -x "$path" ]