Accepting request 1094810 from network:vpn

OBS-URL: https://build.opensuse.org/request/show/1094810
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=91

fips-enforce.conf

@@ -3,8 +3,7 @@
 # and kernel crypto API (af-alg) algorithms are supported.
 #
 # The strongswan-hmac package is supposed to be used/installed when fips
-# is enabled and provides the hmac hashes, a "ipsec _fipscheck" script
+# is enabled and provides this blacklist disabling other plugins
-# verifying the components and this blacklist disabling other plugins
 # providing further and/or alternative algorithm implementations.
 #
 gcrypt {

fipscheck.sh.in

@@ -1,69 +0,0 @@
-#! /bin/bash
-#
-# Copyright (C) 2014 SUSE LINUX GmbH, Nuernberg, Germany.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, see <http://www.gnu.org/licenses/>.
-#
-# Author: Marius Tomaschewski <mt@suse.de>
-#
-IPSEC_DIR="@IPSEC_DIR@"
-IPSEC_LIBDIR="@IPSEC_LIBDIR@"
-IPSEC_BINDIR="@IPSEC_BINDIR@"
-IPSEC_SBINDIR="@IPSEC_SBINDIR@"
-fipscheck_bin="/usr/bin/fipscheck"
-
-# minimal usage hint
-if test $# -gt 0 ; then
-	echo "usage: ipsec _fipscheck" >&2
-	exit 2
-fi
-
-#
-# "ipsec xxx" starts this script only if crypto/fips_enabled=1,
-# except while a manually enforced check via "ipsec _fipscheck".
-#
-#read 2>/dev/null fips_enabled < /proc/sys/crypto/fips_enabled
-#test "X$fips_enabled" = "X1" || exit 0
-
-# verify that fipscheck is installed
-test -x "$fipscheck_bin" || {
-	test "X$FIPSCHECK_DEBUG" = "Xerror" && \
-	echo "${0##*/}: $fipscheck_bin utility missed" >&2
-	exit 4
-}
-
-shopt -s nullglob
-
-files=()
-for h in ${IPSEC_DIR}/.*.hmac \
-	 ${IPSEC_LIBDIR}/.*.hmac \
-	 ${IPSEC_LIBDIR}/imcvs/.*.hmac \
-	 ${IPSEC_LIBDIR}/plugins/.*.hmac \
-	 ${IPSEC_SBINDIR}/.ipsec.hmac \
-	;
-do
-	dir="${h%/*}"
-	name="${h##*/.}"
-	file="${dir}/${name%.hmac}"
-	# some part is not installed
-	test -f "${file}" && files+=("$file")
-done
-
-if test ${#files[@]} -gt 0 ; then
-	$fipscheck_bin ${files[@]} ; exit $?
-elif test "X$FIPSCHECK_DEBUG" = "Xerror" ; then
-	echo "${0##*/}: unable to find any checksum/hmac file" >&2
-fi
-exit 3
-

strongswan.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Thu Jun 22 13:24:08 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
+
+- Removed .hmac files + hmac integrity check logic from strongswan-hmac
+  package as it is not mandated anymore by FIPS (boo#1185116)
+- Removed folliwng files:
+  [- strongswan_fipscheck.patch]
+  [- fipscheck.sh.in]
+  Note: strongswan-hmac package is not removed as it still provides a
+  config file that doesn't allow non-fips approved algorithms
+
 -------------------------------------------------------------------
 Mon Jun 12 15:54:53 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
 

strongswan.spec

@@ -55,13 +55,9 @@ Source3:        %{name}-rpmlintrc
 Source4:        README.SUSE
 Source5:        %{name}.keyring
 %if %{with fipscheck}
-Source6:        fipscheck.sh.in
 Source7:        fips-enforce.conf
 %endif
 Patch2:         %{name}_ipsec_service.patch
-%if %{with fipscheck}
-Patch3:         %{name}_fipscheck.patch
-%endif
 Patch5:         0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
 Patch6:         harden_strongswan.service.patch
 BuildRequires:  bison
@@ -95,9 +91,6 @@ BuildRequires:  pkgconfig(libsystemd)
 %{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d}
 BuildRequires:  autoconf
 BuildRequires:  automake
-%if %{with fipscheck}
-BuildRequires:  fipscheck
-%endif
 BuildRequires:  libtool
 Requires:       strongswan-ipsec = %{version}
 
@@ -153,18 +146,14 @@ StrongSwan is an IPsec-based VPN solution for Linux.
 This package provides the strongswan library and plugins.
 
 %package hmac
-Summary:        HMAC files for FIPS-140-2 integrity in strongSwan
+Summary:        Config file to disable non FIPS-140-2 algos in strongSwan
 Group:          Productivity/Networking/Security
-Requires:       fipscheck
 Requires:       strongswan-ipsec = %{version}
 Requires:       strongswan-libs0 = %{version}
 
 %description hmac
-The package provides HMAC hash files for FIPS-140-2 integrity checks,
+The package provides a config file disabling alternative algorithm
-a config file disabling alternative algorithm implementations and a
+implementation when FIPS-140-2 compliant operation mode is enabled.
-_fipscheck helper script preforming the integrity checks before e.g.
-"ipsec start" action is executed, when FIPS-140-2 compliant operation
-mode is enabled.
 
 %package ipsec
 Summary:        IPsec-based VPN solution
@@ -230,21 +219,10 @@ and the load testing plugin for IKEv2 daemon.
 %prep
 %setup -q -n %{name}-%{upstream_version}
 %patch2 -p1
-%if %{with fipscheck}
-%patch3 -p1
-%endif
 %patch5 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g'    \
      < %{_sourcedir}/strongswan.init.in \
      > strongswan.init
-%if %{with fipscheck}
-sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \
-    -e 's|@IPSEC_LIBDIR@|%{_libdir}/ipsec|g'  \
-    -e 's|@IPSEC_SBINDIR@|%{_sbindir}|g'      \
-    -e 's|@IPSEC_BINDIR@|%{_bindir}|g'        \
-     < %{_sourcedir}/fipscheck.sh.in        \
-     > _fipscheck
-%endif
 %patch6 -p1
 
 %build
@@ -412,33 +390,10 @@ install -c -m644 %{_sourcedir}/README.SUSE \
 install -d -m 0755 %{buildroot}%{_tmpfilesdir}
 echo 'd %{_rundir}/%{name} 0770 root root' > %{buildroot}%{_tmpfilesdir}/%{name}.conf
 %if %{with fipscheck}
-#
-# note: keep the following, _fipscheck's and file lists in sync
-#
-install -c -m750 _fipscheck %{buildroot}/%{_libexecdir}/ipsec/
 install -c -m644 %{_sourcedir}/fips-enforce.conf \
                  %{buildroot}/%{strongswan_configs}/charon/zzz_fips-enforce.conf
 # disable bypass-lan plugin by default
 sed -i 's/\(load[ ]*=[ ]*\)yes/\1no/g' %{buildroot}/%{strongswan_configs}/charon/bypass-lan.conf
-# create fips hmac hashes _after_ install post run
-%{expand:%%global __os_install_post {%__os_install_post
-	for f in %{buildroot}/%{strongswan_libdir}/lib*.so.*.*.* \
-		 %{buildroot}/%{strongswan_libdir}/imcvs/*.so \
-		 %{buildroot}/%{strongswan_plugins}/*.so \
-		 %{buildroot}/%{_libexecdir}/ipsec/charon \
-		 %{buildroot}/%{_libexecdir}/ipsec/charon-nm \
-		 %{buildroot}/%{_libexecdir}/ipsec/stroke \
-		 %{buildroot}/%{_libexecdir}/ipsec/starter \
-		 %{buildroot}/%{_libexecdir}/ipsec/pool \
-		 %{buildroot}/%{_libexecdir}/ipsec/imv_policy_manager \
-		 %{buildroot}/%{_libexecdir}/ipsec/_fipscheck \
-		 %{buildroot}/%{_bindir}/pt-tls-client \
-		 %{buildroot}/%{_sbindir}/ipsec \
-		;
-	do
-		/usr/bin/fipshmac "$f"
-	done
-}}
 %endif
 
 %post libs0
@@ -498,16 +453,6 @@ fi
 %dir %{strongswan_configs}
 %dir %{strongswan_configs}/charon
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/zzz_fips-enforce.conf
-%dir %{strongswan_libdir}
-%{strongswan_libdir}/.*.hmac
-%{strongswan_libdir}/imcvs/.*.hmac
-%dir %{strongswan_plugins}
-%{strongswan_plugins}/.*.hmac
-%dir %{_libexecdir}/ipsec
-%{_libexecdir}/ipsec/_fipscheck
-%{_libexecdir}/ipsec/.*.hmac
-%{_sbindir}/.ipsec.hmac
-%{_bindir}/.pt-tls-client.hmac
 %endif
 
 %files ipsec

strongswan_fipscheck.patch

@@ -1,91 +0,0 @@
-diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
-index ea399b8..ea8ed8a 100644
---- a/src/ipsec/_ipsec.in
-+++ b/src/ipsec/_ipsec.in
-@@ -46,6 +46,26 @@ IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity o
- 
- command_dir="$IPSEC_DIR"
- 
-+fipscheck()
-+{
-+	# when fips operation mode is not enabled, just report OK
-+	read 2>/dev/null fips_enabled < /proc/sys/crypto/fips_enabled
-+	test "X$fips_enabled" = "X1"    || return 0
-+
-+	# complain when _fipscheck is missed
-+	test -x "$IPSEC_DIR/_fipscheck" || {
-+		echo "ipsec: please install strongswan-hmac package required in fips mode" >&2
-+		return 4
-+	}
-+
-+	# now execute it
-+	$IPSEC_DIR/_fipscheck || {
-+		rc=$?
-+		echo "ipsec: strongSwan fips file integrity check failed" >&2
-+		return $rc
-+	}
-+}
-+
- case "$1" in
- '')
- 	echo "$IPSEC_SCRIPT command [arguments]"
-@@ -153,6 +173,7 @@ rereadall|purgeocsp|listcounters|resetcounters)
- 	shift
- 	if [ -e $IPSEC_CHARON_PID ]
- 	then
-+		fipscheck || exit $?
- 		$IPSEC_STROKE "$op" "$@"
- 		rc="$?"
- 	fi
-@@ -162,6 +183,7 @@ purgeike|purgecrls|purgecerts)
- 	rc=7
- 	if [ -e $IPSEC_CHARON_PID ]
- 	then
-+		fipscheck || exit $?
- 		$IPSEC_STROKE "$1"
- 		rc="$?"
- 	fi
-@@ -195,6 +217,7 @@ route|unroute)
- 	fi
- 	if [ -e $IPSEC_CHARON_PID ]
- 	then
-+		fipscheck || exit $?
- 		$IPSEC_STROKE "$op" "$1"
- 		rc="$?"
- 	fi
-@@ -204,6 +227,7 @@ secrets)
- 	rc=7
- 	if [ -e $IPSEC_CHARON_PID ]
- 	then
-+		fipscheck || exit $?
- 		$IPSEC_STROKE rereadsecrets
- 		rc="$?"
- 	fi
-@@ -211,6 +235,7 @@ secrets)
- 	;;
- start)
- 	shift
-+	fipscheck || exit $?
- 	if [ -d /var/lock/subsys ]; then
- 		touch /var/lock/subsys/ipsec
- 	fi
-@@ -289,6 +314,7 @@ up)
- 	rc=7
- 	if [ -e $IPSEC_CHARON_PID ]
- 	then
-+		fipscheck || exit $?
- 		$IPSEC_STROKE up "$1"
- 		rc="$?"
- 	fi
-@@ -338,6 +364,11 @@ esac
- cmd="$1"
- shift
- 
-+case $cmd in
-+_fipscheck|_copyright|pki) ;;
-+*) fipscheck || exit $?	;;
-+esac
-+
- path="$command_dir/$cmd"
- 
- if [ ! -x "$path" ]