forked from pool/strongswan
Accepting request 768830 from home:iznogood:branches:network:vpn
- Drop upstream fixed patches: * strongswan_modprobe_syslog.patch * strongswan_fipsfilter.patch * 0006-fix-compilation-error-by-adding-stdint.h.patch OBS-URL: https://build.opensuse.org/request/show/768830 OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=119
This commit is contained in:
parent
152d7b558c
commit
2811ed33c6
@ -1,30 +0,0 @@
|
||||
From 831a9ea232f128c13c36066a704f6ccafa335244 Mon Sep 17 00:00:00 2001
|
||||
From: Nirmoy Das <ndas@suse.de>
|
||||
Date: Tue, 5 Sep 2017 11:17:16 +0200
|
||||
Subject: [PATCH] fix compilation error by adding stdint.h
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
error:
|
||||
utils/utils/memory.h:99:15: error: ‘uintptr_t’ undeclared (first use in this function); did you mean ‘__intptr_t’?
|
||||
for (i = 0; (uintptr_t)&c[i] % sizeof(long) && i < n; i++)
|
||||
^~~~~~~~~
|
||||
__intptr_t
|
||||
---
|
||||
src/libstrongswan/utils/utils/memory.h | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
Index: strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h
|
||||
===================================================================
|
||||
--- strongswan-5.6.2.orig/src/libstrongswan/utils/utils/memory.h 2017-08-14 08:48:41.000000000 +0200
|
||||
+++ strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h 2018-04-17 16:53:57.590335103 +0200
|
||||
@@ -22,6 +22,8 @@
|
||||
#ifndef MEMORY_H_
|
||||
#define MEMORY_H_
|
||||
|
||||
+#include <stdint.h>
|
||||
+
|
||||
/**
|
||||
* Helper function that compares two binary blobs for equality
|
||||
*/
|
@ -1,3 +1,11 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Jan 30 13:43:50 UTC 2020 - Bjørn Lie <bjorn.lie@gmail.com>
|
||||
|
||||
- Drop upstream fixed patches:
|
||||
* strongswan_modprobe_syslog.patch
|
||||
* strongswan_fipsfilter.patch
|
||||
* 0006-fix-compilation-error-by-adding-stdint.h.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Jan 26 08:54:01 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
|
||||
|
||||
|
@ -75,17 +75,12 @@ Source5: %{name}.keyring
|
||||
Source6: fipscheck.sh.in
|
||||
Source7: fips-enforce.conf
|
||||
%endif
|
||||
# Needs rebase
|
||||
Patch1: %{name}_modprobe_syslog.patch
|
||||
Patch2: %{name}_ipsec_service.patch
|
||||
%if %{with fipscheck}
|
||||
Patch3: %{name}_fipscheck.patch
|
||||
# Patch4 needs rebase, file it patches no longer exists in tarball.
|
||||
Patch4: %{name}_fipsfilter.patch
|
||||
%endif
|
||||
Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
|
||||
# Needs rebase
|
||||
Patch6: 0006-fix-compilation-error-by-adding-stdint.h.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
BuildRequires: bison
|
||||
BuildRequires: curl-devel
|
||||
@ -257,17 +252,11 @@ and the load testing plugin for IKEv2 daemon.
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{upstream_version}
|
||||
# Needs rebase, file it patches no longer exists.
|
||||
#patch1 -p1
|
||||
%patch2 -p1
|
||||
%if %{with fipscheck}
|
||||
%patch3 -p1
|
||||
# Needs rebase, file it patches no longer exists.
|
||||
#patch4 -p1
|
||||
%endif
|
||||
%patch5 -p1
|
||||
# Needs rebase.
|
||||
#patch6 -p1
|
||||
sed -e 's|@libexecdir@|%_libexecdir|g' \
|
||||
< %{_sourcedir}/strongswan.init.in \
|
||||
> strongswan.init
|
||||
|
@ -1,283 +0,0 @@
|
||||
From 8f3f1bd6907df8221a93c849ed4b43474444e13b Mon Sep 17 00:00:00 2001
|
||||
From: Marius Tomaschewski <mt@suse.de>
|
||||
Date: Mon, 5 Jan 2015 14:57:39 +0100
|
||||
Subject: [PATCH] strongswan: filter algorithms for fips mode
|
||||
|
||||
References: fate#316931,bnc#856322
|
||||
|
||||
From 818cd5f1b6455237a82f385b60a2513cdd9c5eef Mon Sep 17 00:00:00 2001
|
||||
From: Nirmoy Das <ndas@suse.de>
|
||||
Date: Mon, 17 Jul 2017 15:15:14 +0200
|
||||
Subject: [PATCH] strongswan_fipsfilter
|
||||
|
||||
---
|
||||
src/libcharon/config/proposal.c | 184 +++++++++++++++++++++++++++++++++++-----
|
||||
1 file changed, 165 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
|
||||
index 6c71f78..0640140 100644
|
||||
--- a/src/libcharon/config/proposal.c
|
||||
+++ b/src/libcharon/config/proposal.c
|
||||
@@ -27,6 +27,11 @@
|
||||
#include <crypto/prfs/prf.h>
|
||||
#include <crypto/crypters/crypter.h>
|
||||
#include <crypto/signers/signer.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <fcntl.h>
|
||||
+#include <unistd.h>
|
||||
+#include <errno.h>
|
||||
|
||||
ENUM(protocol_id_names, PROTO_NONE, PROTO_IPCOMP,
|
||||
"PROTO_NONE",
|
||||
@@ -190,6 +195,122 @@ METHOD(proposal_t, strip_dh, void,
|
||||
enumerator->destroy(enumerator);
|
||||
}
|
||||
|
||||
+static bool kernel_fips_enabled(void)
|
||||
+{
|
||||
+ char buf[1] = { '\0' };
|
||||
+ int fd;
|
||||
+
|
||||
+ fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
|
||||
+ if (fd >= 0) {
|
||||
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR);
|
||||
+ close(fd);
|
||||
+ }
|
||||
+ return buf[0] == '1';
|
||||
+}
|
||||
+
|
||||
+static bool fips_enabled(void)
|
||||
+{
|
||||
+ static int enabled = -1;
|
||||
+ if (enabled == -1)
|
||||
+ enabled = kernel_fips_enabled();
|
||||
+ return enabled;
|
||||
+}
|
||||
+
|
||||
+static bool fips_filter(protocol_id_t protocol, transform_type_t type, u_int16_t alg)
|
||||
+{
|
||||
+ switch (protocol)
|
||||
+ {
|
||||
+ case PROTO_IKE:
|
||||
+ case PROTO_ESP:
|
||||
+ case PROTO_AH:
|
||||
+ break;
|
||||
+ default:
|
||||
+ /* not applicable protocol */
|
||||
+ return TRUE;
|
||||
+ }
|
||||
+
|
||||
+ switch (type)
|
||||
+ {
|
||||
+ case ENCRYPTION_ALGORITHM:
|
||||
+ switch (alg)
|
||||
+ {
|
||||
+ /* crypter */
|
||||
+ case ENCR_3DES:
|
||||
+ case ENCR_AES_CBC:
|
||||
+ case ENCR_AES_CTR:
|
||||
+ /* aead */
|
||||
+ case ENCR_AES_GCM_ICV8:
|
||||
+ case ENCR_AES_GCM_ICV12:
|
||||
+ case ENCR_AES_GCM_ICV16:
|
||||
+ case ENCR_AES_CCM_ICV8:
|
||||
+ case ENCR_AES_CCM_ICV12:
|
||||
+ case ENCR_AES_CCM_ICV16:
|
||||
+ return TRUE;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+ break;
|
||||
+ case INTEGRITY_ALGORITHM:
|
||||
+ switch (alg)
|
||||
+ {
|
||||
+ case AUTH_HMAC_SHA1_96:
|
||||
+ case AUTH_HMAC_SHA1_160:
|
||||
+ case AUTH_HMAC_SHA2_256_96:
|
||||
+ case AUTH_HMAC_SHA2_256_128:
|
||||
+ case AUTH_HMAC_SHA2_384_192:
|
||||
+ case AUTH_HMAC_SHA2_512_256:
|
||||
+ case AUTH_AES_CMAC_96:
|
||||
+ return TRUE;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+ break;
|
||||
+ case PSEUDO_RANDOM_FUNCTION:
|
||||
+ switch (alg)
|
||||
+ {
|
||||
+ case PRF_HMAC_SHA1:
|
||||
+ case PRF_HMAC_SHA2_256:
|
||||
+ case PRF_HMAC_SHA2_384:
|
||||
+ case PRF_HMAC_SHA2_512:
|
||||
+ case PRF_AES128_CMAC:
|
||||
+ return TRUE;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+ break;
|
||||
+ case DIFFIE_HELLMAN_GROUP:
|
||||
+ switch (alg)
|
||||
+ {
|
||||
+ case MODP_2048_BIT:
|
||||
+ case MODP_3072_BIT:
|
||||
+ case MODP_4096_BIT:
|
||||
+ case MODP_8192_BIT:
|
||||
+ case MODP_2048_224:
|
||||
+ case MODP_2048_256:
|
||||
+ case ECP_224_BIT:
|
||||
+ case ECP_256_BIT:
|
||||
+ case ECP_384_BIT:
|
||||
+ case ECP_521_BIT:
|
||||
+ return TRUE;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+ break;
|
||||
+ case EXTENDED_SEQUENCE_NUMBERS:
|
||||
+ switch (alg)
|
||||
+ {
|
||||
+ case EXT_SEQ_NUMBERS:
|
||||
+ case NO_EXT_SEQ_NUMBERS:
|
||||
+ return TRUE;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+ return !fips_enabled();
|
||||
+}
|
||||
+
|
||||
/**
|
||||
* Select a matching proposal from this and other, insert into selected.
|
||||
*/
|
||||
@@ -611,6 +732,11 @@ static bool add_string_algo(private_proposal_t *this, const char *alg)
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
+ if (!fips_filter(this->protocol, token->type, token->algorithm))
|
||||
+ {
|
||||
+ DBG1(DBG_CFG, "algorithm '%s' not permitted in fips mode", alg);
|
||||
+ return FALSE;
|
||||
+ }
|
||||
add_algorithm(this, token->type, token->algorithm, token->keysize);
|
||||
|
||||
return TRUE;
|
||||
@@ -753,6 +879,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
|
||||
enumerator = lib->crypto->create_aead_enumerator(lib->crypto);
|
||||
while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
|
||||
{
|
||||
+ if (!fips_filter(PROTO_IKE, ENCRYPTION_ALGORITHM, encryption))
|
||||
+ continue;
|
||||
+
|
||||
switch (encryption)
|
||||
{
|
||||
case ENCR_AES_GCM_ICV16:
|
||||
@@ -806,6 +935,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
|
||||
enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
|
||||
while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
|
||||
{
|
||||
+ if (!fips_filter(PROTO_IKE, ENCRYPTION_ALGORITHM, encryption))
|
||||
+ continue;
|
||||
+
|
||||
switch (encryption)
|
||||
{
|
||||
case ENCR_AES_CBC:
|
||||
@@ -850,6 +982,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
|
||||
enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
|
||||
while (enumerator->enumerate(enumerator, &integrity, &plugin_name))
|
||||
{
|
||||
+ if (!fips_filter(PROTO_IKE, INTEGRITY_ALGORITHM, integrity))
|
||||
+ continue;
|
||||
+
|
||||
switch (integrity)
|
||||
{
|
||||
case AUTH_HMAC_SHA2_256_128:
|
||||
@@ -905,6 +1040,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
|
||||
enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
|
||||
while (enumerator->enumerate(enumerator, &prf, &plugin_name))
|
||||
{
|
||||
+ if (!fips_filter(PROTO_IKE, PSEUDO_RANDOM_FUNCTION, prf))
|
||||
+ continue;
|
||||
+
|
||||
switch (prf)
|
||||
{
|
||||
case PRF_HMAC_SHA1:
|
||||
@@ -964,6 +1102,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
|
||||
enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
|
||||
while (enumerator->enumerate(enumerator, &group, &plugin_name))
|
||||
{
|
||||
+ if (!fips_filter(PROTO_IKE, DIFFIE_HELLMAN_GROUP, group))
|
||||
+ continue;
|
||||
+
|
||||
switch (group)
|
||||
{
|
||||
case MODP_NULL:
|
||||
@@ -1004,6 +1145,10 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
|
||||
{
|
||||
private_proposal_t *this = (private_proposal_t*)proposal_create(protocol, 0);
|
||||
|
||||
+#define fips_add_algorithm(this, type, alg, len) \
|
||||
+ if (fips_filter(this->protocol, type, alg)) \
|
||||
+ add_algorithm(this, type, alg, len);
|
||||
+
|
||||
switch (protocol)
|
||||
{
|
||||
case PROTO_IKE:
|
||||
@@ -1014,31 +1159,32 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
|
||||
}
|
||||
break;
|
||||
case PROTO_ESP:
|
||||
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
|
||||
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192);
|
||||
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256);
|
||||
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
|
||||
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
|
||||
- add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
|
||||
+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
|
||||
+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192);
|
||||
+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256);
|
||||
+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
|
||||
+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
|
||||
+ fips_add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
|
||||
break;
|
||||
case PROTO_AH:
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
|
||||
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
|
||||
- add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
|
||||
+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
|
||||
+ fips_add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
+#undef fips_add_algorithm
|
||||
return &this->public;
|
||||
}
|
||||
|
||||
--
|
||||
2.13.2
|
||||
|
@ -1,56 +0,0 @@
|
||||
Index: strongswan-5.6.2/src/starter/klips.c
|
||||
===================================================================
|
||||
--- strongswan-5.6.2.orig/src/starter/klips.c 2016-04-22 22:01:35.000000000 +0200
|
||||
+++ strongswan-5.6.2/src/starter/klips.c 2018-04-17 16:53:57.534334655 +0200
|
||||
@@ -30,7 +30,7 @@ bool starter_klips_init(void)
|
||||
/* ipsec module makes the pf_key proc interface visible */
|
||||
if (stat(PROC_MODULES, &stb) == 0)
|
||||
{
|
||||
- ignore_result(system("modprobe -qv ipsec"));
|
||||
+ ignore_result(system("modprobe -s ipsec"));
|
||||
}
|
||||
|
||||
/* now test again */
|
||||
@@ -42,9 +42,9 @@ bool starter_klips_init(void)
|
||||
}
|
||||
|
||||
/* load crypto algorithm modules */
|
||||
- ignore_result(system("modprobe -qv ipsec_aes"));
|
||||
- ignore_result(system("modprobe -qv ipsec_blowfish"));
|
||||
- ignore_result(system("modprobe -qv ipsec_sha2"));
|
||||
+ ignore_result(system("modprobe -s ipsec_aes"));
|
||||
+ ignore_result(system("modprobe -s ipsec_blowfish"));
|
||||
+ ignore_result(system("modprobe -s ipsec_sha2"));
|
||||
|
||||
DBG2(DBG_APP, "found KLIPS IPsec stack");
|
||||
return TRUE;
|
||||
Index: strongswan-5.6.2/src/starter/netkey.c
|
||||
===================================================================
|
||||
--- strongswan-5.6.2.orig/src/starter/netkey.c 2016-04-22 22:01:35.000000000 +0200
|
||||
+++ strongswan-5.6.2/src/starter/netkey.c 2018-04-17 16:53:57.534334655 +0200
|
||||
@@ -30,7 +30,7 @@ bool starter_netkey_init(void)
|
||||
/* af_key module makes the netkey proc interface visible */
|
||||
if (stat(PROC_MODULES, &stb) == 0)
|
||||
{
|
||||
- ignore_result(system("modprobe -qv af_key"));
|
||||
+ ignore_result(system("modprobe -s af_key"));
|
||||
}
|
||||
|
||||
/* now test again */
|
||||
@@ -44,11 +44,11 @@ bool starter_netkey_init(void)
|
||||
/* make sure that all required IPsec modules are loaded */
|
||||
if (stat(PROC_MODULES, &stb) == 0)
|
||||
{
|
||||
- ignore_result(system("modprobe -qv ah4"));
|
||||
- ignore_result(system("modprobe -qv esp4"));
|
||||
- ignore_result(system("modprobe -qv ipcomp"));
|
||||
- ignore_result(system("modprobe -qv xfrm4_tunnel"));
|
||||
- ignore_result(system("modprobe -qv xfrm_user"));
|
||||
+ ignore_result(system("modprobe -s ah4"));
|
||||
+ ignore_result(system("modprobe -s esp4"));
|
||||
+ ignore_result(system("modprobe -s ipcomp"));
|
||||
+ ignore_result(system("modprobe -s xfrm4_tunnel"));
|
||||
+ ignore_result(system("modprobe -s xfrm_user"));
|
||||
}
|
||||
|
||||
DBG2(DBG_APP, "found netkey IPsec stack");
|
Loading…
Reference in New Issue
Block a user