Dominique Leuenberger 2023-06-24 18:13:38 +00:00 committed by Git OBS Bridge
commit e08e5b1209
5 changed files with 15 additions and 220 deletions


@ -3,8 +3,7 @@
# and kernel crypto API (af-alg) algorithms are supported.
#
# The strongswan-hmac package is supposed to be used/installed when fips
# is enabled and provides the hmac hashes, a "ipsec _fipscheck" script
# verifying the components and this blacklist disabling other plugins
# is enabled and provides this blacklist disabling other plugins
# providing further and/or alternative algorithm implementations.
#
gcrypt {


@ -1,69 +0,0 @@
#! /bin/bash
#
# Copyright (C) 2014 SUSE LINUX GmbH, Nuernberg, Germany.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, see <http://www.gnu.org/licenses/>.
#
# Author: Marius Tomaschewski <mt@suse.de>
#
IPSEC_DIR="@IPSEC_DIR@"
IPSEC_LIBDIR="@IPSEC_LIBDIR@"
IPSEC_BINDIR="@IPSEC_BINDIR@"
IPSEC_SBINDIR="@IPSEC_SBINDIR@"
fipscheck_bin="/usr/bin/fipscheck"
# minimal usage hint
if test $# -gt 0 ; then
echo "usage: ipsec _fipscheck" >&2
exit 2
fi
#
# "ipsec xxx" starts this script only if crypto/fips_enabled=1,
# except while a manually enforced check via "ipsec _fipscheck".
#
#read 2>/dev/null fips_enabled < /proc/sys/crypto/fips_enabled
#test "X$fips_enabled" = "X1" || exit 0
# verify that fipscheck is installed
test -x "$fipscheck_bin" || {
test "X$FIPSCHECK_DEBUG" = "Xerror" && \
echo "${0##*/}: $fipscheck_bin utility missed" >&2
exit 4
}
shopt -s nullglob
files=()
for h in ${IPSEC_DIR}/.*.hmac \
${IPSEC_LIBDIR}/.*.hmac \
${IPSEC_LIBDIR}/imcvs/.*.hmac \
${IPSEC_LIBDIR}/plugins/.*.hmac \
${IPSEC_SBINDIR}/.ipsec.hmac \
;
do
dir="${h%/*}"
name="${h##*/.}"
file="${dir}/${name%.hmac}"
# some part is not installed
test -f "${file}" && files+=("$file")
done
if test ${#files[@]} -gt 0 ; then
$fipscheck_bin ${files[@]} ; exit $?
elif test "X$FIPSCHECK_DEBUG" = "Xerror" ; then
echo "${0##*/}: unable to find any checksum/hmac file" >&2
fi
exit 3


@ -1,3 +1,14 @@
-------------------------------------------------------------------
Thu Jun 22 13:24:08 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
- Removed .hmac files + hmac integrity check logic from strongswan-hmac
package as it is not mandated anymore by FIPS (boo#1185116)
- Removed folliwng files:
[- strongswan_fipscheck.patch]
[- fipscheck.sh.in]
Note: strongswan-hmac package is not removed as it still provides a
config file that doesn't allow non-fips approved algorithms
-------------------------------------------------------------------
Mon Jun 12 15:54:53 UTC 2023 - Jan Engelhardt <jengelh@inai.de>


@ -55,13 +55,9 @@ Source3: %{name}-rpmlintrc
Source4: README.SUSE
Source5: %{name}.keyring
%if %{with fipscheck}
Source6: fipscheck.sh.in
Source7: fips-enforce.conf
%endif
Patch2: %{name}_ipsec_service.patch
%if %{with fipscheck}
Patch3: %{name}_fipscheck.patch
%endif
Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
Patch6: harden_strongswan.service.patch
BuildRequires: bison
@ -95,9 +91,6 @@ BuildRequires: pkgconfig(libsystemd)
%{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d}
BuildRequires: autoconf
BuildRequires: automake
%if %{with fipscheck}
BuildRequires: fipscheck
%endif
BuildRequires: libtool
Requires: strongswan-ipsec = %{version}
@ -153,18 +146,14 @@ StrongSwan is an IPsec-based VPN solution for Linux.
This package provides the strongswan library and plugins.
%package hmac
Summary: HMAC files for FIPS-140-2 integrity in strongSwan
Summary: Config file to disable non FIPS-140-2 algos in strongSwan
Group: Productivity/Networking/Security
Requires: fipscheck
Requires: strongswan-ipsec = %{version}
Requires: strongswan-libs0 = %{version}
%description hmac
The package provides HMAC hash files for FIPS-140-2 integrity checks,
a config file disabling alternative algorithm implementations and a
_fipscheck helper script preforming the integrity checks before e.g.
"ipsec start" action is executed, when FIPS-140-2 compliant operation
mode is enabled.
The package provides a config file disabling alternative algorithm
implementation when FIPS-140-2 compliant operation mode is enabled.
%package ipsec
Summary: IPsec-based VPN solution
@ -230,21 +219,10 @@ and the load testing plugin for IKEv2 daemon.
%prep
%setup -q -n %{name}-%{upstream_version}
%patch2 -p1
%if %{with fipscheck}
%patch3 -p1
%endif
%patch5 -p1
sed -e 's|@libexecdir@|%_libexecdir|g' \
< %{_sourcedir}/strongswan.init.in \
> strongswan.init
%if %{with fipscheck}
sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \
-e 's|@IPSEC_LIBDIR@|%{_libdir}/ipsec|g' \
-e 's|@IPSEC_SBINDIR@|%{_sbindir}|g' \
-e 's|@IPSEC_BINDIR@|%{_bindir}|g' \
< %{_sourcedir}/fipscheck.sh.in \
> _fipscheck
%endif
%patch6 -p1
%build
@ -412,33 +390,10 @@ install -c -m644 %{_sourcedir}/README.SUSE \
install -d -m 0755 %{buildroot}%{_tmpfilesdir}
echo 'd %{_rundir}/%{name} 0770 root root' > %{buildroot}%{_tmpfilesdir}/%{name}.conf
%if %{with fipscheck}
#
# note: keep the following, _fipscheck's and file lists in sync
#
install -c -m750 _fipscheck %{buildroot}/%{_libexecdir}/ipsec/
install -c -m644 %{_sourcedir}/fips-enforce.conf \
%{buildroot}/%{strongswan_configs}/charon/zzz_fips-enforce.conf
# disable bypass-lan plugin by default
sed -i 's/\(load[ ]*=[ ]*\)yes/\1no/g' %{buildroot}/%{strongswan_configs}/charon/bypass-lan.conf
# create fips hmac hashes _after_ install post run
%{expand:%%global __os_install_post {%__os_install_post
for f in %{buildroot}/%{strongswan_libdir}/lib*.so.*.*.* \
%{buildroot}/%{strongswan_libdir}/imcvs/*.so \
%{buildroot}/%{strongswan_plugins}/*.so \
%{buildroot}/%{_libexecdir}/ipsec/charon \
%{buildroot}/%{_libexecdir}/ipsec/charon-nm \
%{buildroot}/%{_libexecdir}/ipsec/stroke \
%{buildroot}/%{_libexecdir}/ipsec/starter \
%{buildroot}/%{_libexecdir}/ipsec/pool \
%{buildroot}/%{_libexecdir}/ipsec/imv_policy_manager \
%{buildroot}/%{_libexecdir}/ipsec/_fipscheck \
%{buildroot}/%{_bindir}/pt-tls-client \
%{buildroot}/%{_sbindir}/ipsec \
;
do
/usr/bin/fipshmac "$f"
done
}}
%endif
%post libs0
@ -498,16 +453,6 @@ fi
%dir %{strongswan_configs}
%dir %{strongswan_configs}/charon
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/zzz_fips-enforce.conf
%dir %{strongswan_libdir}
%{strongswan_libdir}/.*.hmac
%{strongswan_libdir}/imcvs/.*.hmac
%dir %{strongswan_plugins}
%{strongswan_plugins}/.*.hmac
%dir %{_libexecdir}/ipsec
%{_libexecdir}/ipsec/_fipscheck
%{_libexecdir}/ipsec/.*.hmac
%{_sbindir}/.ipsec.hmac
%{_bindir}/.pt-tls-client.hmac
%endif
%files ipsec
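Review bot: With Patch3 and the `_fipscheck` helper dropped, nothing visible in this spec ensures the `hmac` subpackage is installed on a FIPS-enabled host. The removed patch made `ipsec` stop with "please install strongswan-hmac package required in fips mode" when the helper was missing, and that is the only enforcement shown on this page. A FIPS-mode system without the subpackage would now presumably start charon without the `zzz_fips-enforce.conf` blacklist and without any message. The `%description hmac` text should say this explicitly, for example `Install this package on FIPS-enabled systems; ipsec no longer checks for it at startup.`, and README.SUSE is a natural place to repeat it. The `fipscheck` build conditional no longer involves the fipscheck tool, so a comment at the first `%if %{with fipscheck}` would help, such as `# name is historical: no fipscheck tool is used any more, this gates the FIPS-related config bits`.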


@ -1,91 +0,0 @@
diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
index ea399b8..ea8ed8a 100644
--- a/src/ipsec/_ipsec.in
+++ b/src/ipsec/_ipsec.in
@@ -46,6 +46,26 @@ IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity o
command_dir="$IPSEC_DIR"
+fipscheck()
+{
+ # when fips operation mode is not enabled, just report OK
+ read 2>/dev/null fips_enabled < /proc/sys/crypto/fips_enabled
+ test "X$fips_enabled" = "X1" || return 0
+
+ # complain when _fipscheck is missed
+ test -x "$IPSEC_DIR/_fipscheck" || {
+ echo "ipsec: please install strongswan-hmac package required in fips mode" >&2
+ return 4
+ }
+
+ # now execute it
+ $IPSEC_DIR/_fipscheck || {
+ rc=$?
+ echo "ipsec: strongSwan fips file integrity check failed" >&2
+ return $rc
+ }
+}
+
case "$1" in
'')
echo "$IPSEC_SCRIPT command [arguments]"
@@ -153,6 +173,7 @@ rereadall|purgeocsp|listcounters|resetcounters)
shift
if [ -e $IPSEC_CHARON_PID ]
then
+ fipscheck || exit $?
$IPSEC_STROKE "$op" "$@"
rc="$?"
fi
@@ -162,6 +183,7 @@ purgeike|purgecrls|purgecerts)
rc=7
if [ -e $IPSEC_CHARON_PID ]
then
+ fipscheck || exit $?
$IPSEC_STROKE "$1"
rc="$?"
fi
@@ -195,6 +217,7 @@ route|unroute)
fi
if [ -e $IPSEC_CHARON_PID ]
then
+ fipscheck || exit $?
$IPSEC_STROKE "$op" "$1"
rc="$?"
fi
@@ -204,6 +227,7 @@ secrets)
rc=7
if [ -e $IPSEC_CHARON_PID ]
then
+ fipscheck || exit $?
$IPSEC_STROKE rereadsecrets
rc="$?"
fi
@@ -211,6 +235,7 @@ secrets)
;;
start)
shift
+ fipscheck || exit $?
if [ -d /var/lock/subsys ]; then
touch /var/lock/subsys/ipsec
fi
@@ -289,6 +314,7 @@ up)
rc=7
if [ -e $IPSEC_CHARON_PID ]
then
+ fipscheck || exit $?
$IPSEC_STROKE up "$1"
rc="$?"
fi
@@ -338,6 +364,11 @@ esac
cmd="$1"
shift
+case $cmd in
+_fipscheck|_copyright|pki) ;;
+*) fipscheck || exit $? ;;
+esac
+
path="$command_dir/$cmd"
if [ ! -x "$path" ]