Accepting request 1094810 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/1094810 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=91
This commit is contained in:
commit
e08e5b1209
@ -3,8 +3,7 @@
|
||||
# and kernel crypto API (af-alg) algorithms are supported.
|
||||
#
|
||||
# The strongswan-hmac package is supposed to be used/installed when fips
|
||||
# is enabled and provides the hmac hashes, a "ipsec _fipscheck" script
|
||||
# verifying the components and this blacklist disabling other plugins
|
||||
# is enabled and provides this blacklist disabling other plugins
|
||||
# providing further and/or alternative algorithm implementations.
|
||||
#
|
||||
gcrypt {
|
||||
|
@ -1,69 +0,0 @@
|
||||
#! /bin/bash
|
||||
#
|
||||
# Copyright (C) 2014 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation; either version 2 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License along
|
||||
# with this program; if not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
# Author: Marius Tomaschewski <mt@suse.de>
|
||||
#
|
||||
IPSEC_DIR="@IPSEC_DIR@"
|
||||
IPSEC_LIBDIR="@IPSEC_LIBDIR@"
|
||||
IPSEC_BINDIR="@IPSEC_BINDIR@"
|
||||
IPSEC_SBINDIR="@IPSEC_SBINDIR@"
|
||||
fipscheck_bin="/usr/bin/fipscheck"
|
||||
|
||||
# minimal usage hint
|
||||
if test $# -gt 0 ; then
|
||||
echo "usage: ipsec _fipscheck" >&2
|
||||
exit 2
|
||||
fi
|
||||
|
||||
#
|
||||
# "ipsec xxx" starts this script only if crypto/fips_enabled=1,
|
||||
# except while a manually enforced check via "ipsec _fipscheck".
|
||||
#
|
||||
#read 2>/dev/null fips_enabled < /proc/sys/crypto/fips_enabled
|
||||
#test "X$fips_enabled" = "X1" || exit 0
|
||||
|
||||
# verify that fipscheck is installed
|
||||
test -x "$fipscheck_bin" || {
|
||||
test "X$FIPSCHECK_DEBUG" = "Xerror" && \
|
||||
echo "${0##*/}: $fipscheck_bin utility missed" >&2
|
||||
exit 4
|
||||
}
|
||||
|
||||
shopt -s nullglob
|
||||
|
||||
files=()
|
||||
for h in ${IPSEC_DIR}/.*.hmac \
|
||||
${IPSEC_LIBDIR}/.*.hmac \
|
||||
${IPSEC_LIBDIR}/imcvs/.*.hmac \
|
||||
${IPSEC_LIBDIR}/plugins/.*.hmac \
|
||||
${IPSEC_SBINDIR}/.ipsec.hmac \
|
||||
;
|
||||
do
|
||||
dir="${h%/*}"
|
||||
name="${h##*/.}"
|
||||
file="${dir}/${name%.hmac}"
|
||||
# some part is not installed
|
||||
test -f "${file}" && files+=("$file")
|
||||
done
|
||||
|
||||
if test ${#files[@]} -gt 0 ; then
|
||||
$fipscheck_bin ${files[@]} ; exit $?
|
||||
elif test "X$FIPSCHECK_DEBUG" = "Xerror" ; then
|
||||
echo "${0##*/}: unable to find any checksum/hmac file" >&2
|
||||
fi
|
||||
exit 3
|
||||
|
@ -1,3 +1,14 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Jun 22 13:24:08 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
|
||||
|
||||
- Removed .hmac files + hmac integrity check logic from strongswan-hmac
|
||||
package as it is not mandated anymore by FIPS (boo#1185116)
|
||||
- Removed folliwng files:
|
||||
[- strongswan_fipscheck.patch]
|
||||
[- fipscheck.sh.in]
|
||||
Note: strongswan-hmac package is not removed as it still provides a
|
||||
config file that doesn't allow non-fips approved algorithms
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jun 12 15:54:53 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
|
||||
|
||||
|
@ -55,13 +55,9 @@ Source3: %{name}-rpmlintrc
|
||||
Source4: README.SUSE
|
||||
Source5: %{name}.keyring
|
||||
%if %{with fipscheck}
|
||||
Source6: fipscheck.sh.in
|
||||
Source7: fips-enforce.conf
|
||||
%endif
|
||||
Patch2: %{name}_ipsec_service.patch
|
||||
%if %{with fipscheck}
|
||||
Patch3: %{name}_fipscheck.patch
|
||||
%endif
|
||||
Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
|
||||
Patch6: harden_strongswan.service.patch
|
||||
BuildRequires: bison
|
||||
@ -95,9 +91,6 @@ BuildRequires: pkgconfig(libsystemd)
|
||||
%{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d}
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
%if %{with fipscheck}
|
||||
BuildRequires: fipscheck
|
||||
%endif
|
||||
BuildRequires: libtool
|
||||
Requires: strongswan-ipsec = %{version}
|
||||
|
||||
@ -153,18 +146,14 @@ StrongSwan is an IPsec-based VPN solution for Linux.
|
||||
This package provides the strongswan library and plugins.
|
||||
|
||||
%package hmac
|
||||
Summary: HMAC files for FIPS-140-2 integrity in strongSwan
|
||||
Summary: Config file to disable non FIPS-140-2 algos in strongSwan
|
||||
Group: Productivity/Networking/Security
|
||||
Requires: fipscheck
|
||||
Requires: strongswan-ipsec = %{version}
|
||||
Requires: strongswan-libs0 = %{version}
|
||||
|
||||
%description hmac
|
||||
The package provides HMAC hash files for FIPS-140-2 integrity checks,
|
||||
a config file disabling alternative algorithm implementations and a
|
||||
_fipscheck helper script preforming the integrity checks before e.g.
|
||||
"ipsec start" action is executed, when FIPS-140-2 compliant operation
|
||||
mode is enabled.
|
||||
The package provides a config file disabling alternative algorithm
|
||||
implementation when FIPS-140-2 compliant operation mode is enabled.
|
||||
|
||||
%package ipsec
|
||||
Summary: IPsec-based VPN solution
|
||||
@ -230,21 +219,10 @@ and the load testing plugin for IKEv2 daemon.
|
||||
%prep
|
||||
%setup -q -n %{name}-%{upstream_version}
|
||||
%patch2 -p1
|
||||
%if %{with fipscheck}
|
||||
%patch3 -p1
|
||||
%endif
|
||||
%patch5 -p1
|
||||
sed -e 's|@libexecdir@|%_libexecdir|g' \
|
||||
< %{_sourcedir}/strongswan.init.in \
|
||||
> strongswan.init
|
||||
%if %{with fipscheck}
|
||||
sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \
|
||||
-e 's|@IPSEC_LIBDIR@|%{_libdir}/ipsec|g' \
|
||||
-e 's|@IPSEC_SBINDIR@|%{_sbindir}|g' \
|
||||
-e 's|@IPSEC_BINDIR@|%{_bindir}|g' \
|
||||
< %{_sourcedir}/fipscheck.sh.in \
|
||||
> _fipscheck
|
||||
%endif
|
||||
%patch6 -p1
|
||||
|
||||
%build
|
||||
@ -412,33 +390,10 @@ install -c -m644 %{_sourcedir}/README.SUSE \
|
||||
install -d -m 0755 %{buildroot}%{_tmpfilesdir}
|
||||
echo 'd %{_rundir}/%{name} 0770 root root' > %{buildroot}%{_tmpfilesdir}/%{name}.conf
|
||||
%if %{with fipscheck}
|
||||
#
|
||||
# note: keep the following, _fipscheck's and file lists in sync
|
||||
#
|
||||
install -c -m750 _fipscheck %{buildroot}/%{_libexecdir}/ipsec/
|
||||
install -c -m644 %{_sourcedir}/fips-enforce.conf \
|
||||
%{buildroot}/%{strongswan_configs}/charon/zzz_fips-enforce.conf
|
||||
# disable bypass-lan plugin by default
|
||||
sed -i 's/\(load[ ]*=[ ]*\)yes/\1no/g' %{buildroot}/%{strongswan_configs}/charon/bypass-lan.conf
|
||||
# create fips hmac hashes _after_ install post run
|
||||
%{expand:%%global __os_install_post {%__os_install_post
|
||||
for f in %{buildroot}/%{strongswan_libdir}/lib*.so.*.*.* \
|
||||
%{buildroot}/%{strongswan_libdir}/imcvs/*.so \
|
||||
%{buildroot}/%{strongswan_plugins}/*.so \
|
||||
%{buildroot}/%{_libexecdir}/ipsec/charon \
|
||||
%{buildroot}/%{_libexecdir}/ipsec/charon-nm \
|
||||
%{buildroot}/%{_libexecdir}/ipsec/stroke \
|
||||
%{buildroot}/%{_libexecdir}/ipsec/starter \
|
||||
%{buildroot}/%{_libexecdir}/ipsec/pool \
|
||||
%{buildroot}/%{_libexecdir}/ipsec/imv_policy_manager \
|
||||
%{buildroot}/%{_libexecdir}/ipsec/_fipscheck \
|
||||
%{buildroot}/%{_bindir}/pt-tls-client \
|
||||
%{buildroot}/%{_sbindir}/ipsec \
|
||||
;
|
||||
do
|
||||
/usr/bin/fipshmac "$f"
|
||||
done
|
||||
}}
|
||||
%endif
|
||||
|
||||
%post libs0
|
||||
@ -498,16 +453,6 @@ fi
|
||||
%dir %{strongswan_configs}
|
||||
%dir %{strongswan_configs}/charon
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/zzz_fips-enforce.conf
|
||||
%dir %{strongswan_libdir}
|
||||
%{strongswan_libdir}/.*.hmac
|
||||
%{strongswan_libdir}/imcvs/.*.hmac
|
||||
%dir %{strongswan_plugins}
|
||||
%{strongswan_plugins}/.*.hmac
|
||||
%dir %{_libexecdir}/ipsec
|
||||
%{_libexecdir}/ipsec/_fipscheck
|
||||
%{_libexecdir}/ipsec/.*.hmac
|
||||
%{_sbindir}/.ipsec.hmac
|
||||
%{_bindir}/.pt-tls-client.hmac
|
||||
%endif
|
||||
|
||||
%files ipsec
|
||||
|
@ -1,91 +0,0 @@
|
||||
diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
|
||||
index ea399b8..ea8ed8a 100644
|
||||
--- a/src/ipsec/_ipsec.in
|
||||
+++ b/src/ipsec/_ipsec.in
|
||||
@@ -46,6 +46,26 @@ IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity o
|
||||
|
||||
command_dir="$IPSEC_DIR"
|
||||
|
||||
+fipscheck()
|
||||
+{
|
||||
+ # when fips operation mode is not enabled, just report OK
|
||||
+ read 2>/dev/null fips_enabled < /proc/sys/crypto/fips_enabled
|
||||
+ test "X$fips_enabled" = "X1" || return 0
|
||||
+
|
||||
+ # complain when _fipscheck is missed
|
||||
+ test -x "$IPSEC_DIR/_fipscheck" || {
|
||||
+ echo "ipsec: please install strongswan-hmac package required in fips mode" >&2
|
||||
+ return 4
|
||||
+ }
|
||||
+
|
||||
+ # now execute it
|
||||
+ $IPSEC_DIR/_fipscheck || {
|
||||
+ rc=$?
|
||||
+ echo "ipsec: strongSwan fips file integrity check failed" >&2
|
||||
+ return $rc
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
case "$1" in
|
||||
'')
|
||||
echo "$IPSEC_SCRIPT command [arguments]"
|
||||
@@ -153,6 +173,7 @@ rereadall|purgeocsp|listcounters|resetcounters)
|
||||
shift
|
||||
if [ -e $IPSEC_CHARON_PID ]
|
||||
then
|
||||
+ fipscheck || exit $?
|
||||
$IPSEC_STROKE "$op" "$@"
|
||||
rc="$?"
|
||||
fi
|
||||
@@ -162,6 +183,7 @@ purgeike|purgecrls|purgecerts)
|
||||
rc=7
|
||||
if [ -e $IPSEC_CHARON_PID ]
|
||||
then
|
||||
+ fipscheck || exit $?
|
||||
$IPSEC_STROKE "$1"
|
||||
rc="$?"
|
||||
fi
|
||||
@@ -195,6 +217,7 @@ route|unroute)
|
||||
fi
|
||||
if [ -e $IPSEC_CHARON_PID ]
|
||||
then
|
||||
+ fipscheck || exit $?
|
||||
$IPSEC_STROKE "$op" "$1"
|
||||
rc="$?"
|
||||
fi
|
||||
@@ -204,6 +227,7 @@ secrets)
|
||||
rc=7
|
||||
if [ -e $IPSEC_CHARON_PID ]
|
||||
then
|
||||
+ fipscheck || exit $?
|
||||
$IPSEC_STROKE rereadsecrets
|
||||
rc="$?"
|
||||
fi
|
||||
@@ -211,6 +235,7 @@ secrets)
|
||||
;;
|
||||
start)
|
||||
shift
|
||||
+ fipscheck || exit $?
|
||||
if [ -d /var/lock/subsys ]; then
|
||||
touch /var/lock/subsys/ipsec
|
||||
fi
|
||||
@@ -289,6 +314,7 @@ up)
|
||||
rc=7
|
||||
if [ -e $IPSEC_CHARON_PID ]
|
||||
then
|
||||
+ fipscheck || exit $?
|
||||
$IPSEC_STROKE up "$1"
|
||||
rc="$?"
|
||||
fi
|
||||
@@ -338,6 +364,11 @@ esac
|
||||
cmd="$1"
|
||||
shift
|
||||
|
||||
+case $cmd in
|
||||
+_fipscheck|_copyright|pki) ;;
|
||||
+*) fipscheck || exit $? ;;
|
||||
+esac
|
||||
+
|
||||
path="$command_dir/$cmd"
|
||||
|
||||
if [ ! -x "$path" ]
|
Loading…
Reference in New Issue
Block a user