Go to file
Dominique Leuenberger 1902611f9f Accepting request 262968 from network:vpn
- Updated strongswan-hmac package description (bsc#856322).

- Disabled explicit gpg validation; osc source_validator does it.
- Guarded fipscheck and hmac package in the spec file for >13.1.

- Added generation of fips hmac hash files using fipshmac utility
  and a _fipscheck script to verify binaries/libraries/plugings
  shipped in the strongswan-hmac package.
  With enabled fips in the kernel, the ipsec script will call it
  before any action or in a enforced/manual "ipsec _fipscheck" call.
  Added config file to load openssl and kernel af-alg plugins, but
  not all the other modules which provide further/alternative algs.
  Applied a filter disallowing non-approved algorithms in fips mode.
  (fate#316931,bnc#856322).
  [+ strongswan_fipscheck.patch, strongswan_fipsfilter.patch]
- Fixed file list in the optional (disabled) strongswan-test package.
- Fixed build of the strongswan built-in integrity checksum library
  and enabled building it only on architectures tested to work.
- Fix to use bug number 897048 instead 856322 in last changes entry.
- Applied an upstream patch reverting to store algorithms in the
  registration order again as ordering them by identifier caused
  weaker algorithms to be proposed first by default (bsc#897512).
  [+0001-restore-registration-algorithm-order.bug897512.patch]

- Re-enabled gcrypt plugin and reverted to not enforce fips again
  as this breaks gcrypt and openssl plugins when the fips pattern
  option is not installed (fate#316931,bnc#856322).
  [- strongswan-fips-disablegcrypt.patch]
- Added empty strongswan-hmac package supposed to provide fips hmac
  files and enforce fips compliant operation later (bnc#856322).

OBS-URL: https://build.opensuse.org/request/show/262968
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=58
2014-11-26 09:33:53 +00:00
.gitattributes OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=1 2007-12-13 03:49:24 +00:00
.gitignore OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=1 2007-12-13 03:49:24 +00:00
0001-restore-registration-algorithm-order.bug897512.patch - Added generation of fips hmac hash files using fipshmac utility 2014-11-21 12:01:59 +00:00
fips-enforce.conf - Added generation of fips hmac hash files using fipshmac utility 2014-11-21 12:01:59 +00:00
fipscheck.sh.in - Added generation of fips hmac hash files using fipshmac utility 2014-11-21 12:01:59 +00:00
README.SUSE - Added generation of fips hmac hash files using fipshmac utility 2014-11-21 12:01:59 +00:00
strongswan_fipscheck.patch - Added generation of fips hmac hash files using fipshmac utility 2014-11-21 12:01:59 +00:00
strongswan_fipsfilter.patch - Added generation of fips hmac hash files using fipshmac utility 2014-11-21 12:01:59 +00:00
strongswan_ipsec_service.patch - Updated to strongSwan 5.0.1 release. Changes digest: 2012-10-31 16:08:08 +00:00
strongswan_modprobe_syslog.patch - WORK-IN-PROGRESS snapshot: Update to strongSwan 5.0.1 2012-10-30 17:16:52 +00:00
strongswan-5.1.3-rpmlintrc - Updated to strongSwan 5.1.3 providing the following changes: 2014-04-15 06:12:43 +00:00
strongswan-5.1.3.tar.bz2 - Updated to strongSwan 5.1.3 providing the following changes: 2014-04-15 06:12:43 +00:00
strongswan-5.1.3.tar.bz2.sig - Updated to strongSwan 5.1.3 providing the following changes: 2014-04-15 06:12:43 +00:00
strongswan.changes [- strongswan-fips-disablegcrypt.patch] 2014-11-25 11:29:20 +00:00
strongswan.init.in - Fixed rpmlint runlevel & fsf warnings, updated rpmlintrc 2012-02-15 13:48:10 +00:00
strongswan.keyring Accepting request 143934 from home:sbrabec:gpg-offline-verify 2012-12-04 10:25:06 +00:00
strongswan.spec - Updated strongswan-hmac package description (bsc#856322). 2014-11-25 11:25:10 +00:00

Dear Customer,

please note, that the strongswan release 4.5 changes the keyexchange mode
to IKEv2 as default -- from strongswan-4.5.0/NEWS:
"[...]
IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
come for IKEv1 to go into retirement and to cede its place to the much more
robust, powerful and versatile IKEv2 protocol!
[...]"

This requires adoption of either the "conn %default" or all other IKEv1
"conn" sections in the /etc/ipsec.conf to use explicit:

	keyexchange=ikev1

The charon daemon in strongswan 5.x versions supports IKEv1 and IKEv2,
thus a separate pluto IKEv1 daemon is not needed / not shipped any more.


The strongswan package does not provide any files except of this README,
but triggers the installation of the charon daemon and the "traditional"
strongswan-ipsec package providing the "ipsec" script and service.
The ipsec.service is an alias link to the "strongswan.service" systemd
service unit and created by "systemctl enable strongswan.service".


There is a new strongswan-nm package with a NetworkManager specific charon-nm
binary controlling the charon daemon through D-Bus and designed to work using
the NetworkManager-strongswan graphical user interface.
It does not depend on the traditional starter scripts, but on the IKEv2
charon daemon and plugins only. 


The stongswan-hmac package provides the fips hmac hash files, a _fipscheck
script and a /etc/strongswan.d/charon/zzz_fips-enforce.conf config file,
which disables all non-openssl algorithm implementations.

When fips operation mode is enabled in the kernel using the fips=1 boot
parameter, the strongswan fips checks are executed in front of any start
action of the "ipsec" script provided by the "strongswan-ipsec" package
and a verification problem causes a failure as required by fips-140-2.
Further, it is not required to enable the fips_mode in the openssl plugin
(/etc/strongswan.d/charon/openssl.conf); the kernel entablement enables
it automatically as needed.

The "ipsec _fipscheck" command allows to execute the fips checks manually
without a check if fips is enabled (/proc/sys/crypto/fips_enabled is 1),
e.g. for testing purposes.


Have a lot of fun...