- Re-enabled gcrypt plugin and reverted to not enforce fips again

as this breaks gcrypt and openssl plugins when the fips pattern
  option is not installed (fate#316931,bnc#856322).
- Added empty strongswan-hmac package supposed to provide fips hmac
  files and enforce fips compliant operation later (bnc#856322).
- Cleaned up conditional build flags in the rpm spec file.

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=73

strongswan-fips-disablegcrypt.patch

@@ -1,15 +0,0 @@
-References: fate#316931
-
-Index: strongswan-5.1.3/conf/plugins/gcrypt.conf
-===================================================================
---- strongswan-5.1.3.orig/conf/plugins/gcrypt.conf
-+++ strongswan-5.1.3/conf/plugins/gcrypt.conf
-@@ -2,7 +2,7 @@ gcrypt {
- 
-     # Whether to load the plugin. Can also be an integer to increase the
-     # priority of this plugin.
--    load = yes
-+    load = no
- 
-     # Use faster random numbers in gcrypt; for testing only, produces weak keys!
-     # quick_random = no

strongswan.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Fri Sep 26 16:02:09 UTC 2014 - mt@suse.de
+
+- Re-enabled gcrypt plugin and reverted to not enforce fips again
+  as this breaks gcrypt and openssl plugins when the fips pattern
+  option is not installed (fate#316931,bnc#856322).
+- Added empty strongswan-hmac package supposed to provide fips hmac
+  files and enforce fips compliant operation later (bnc#856322).
+- Cleaned up conditional build flags in the rpm spec file.
+
 -------------------------------------------------------------------
 Thu Jul  3 13:39:45 UTC 2014 - meissner@suse.com
 

strongswan.spec

@@ -31,18 +31,16 @@ Release:        0
 %else
 %bcond_with     tests
 %endif
-%if 0%{suse_version} > 1110
-%bcond_without  mysql
-%else
-%bcond_with     mysql
-%endif
-%if 0%{suse_version} > 1110
-%bcond_without  sqlite
 %bcond_without  gcrypt
+%bcond_without  mysql
+%bcond_without  sqlite
+%if 0%{suse_version} > 1110
+%bcond_without  farp
+%bcond_without  afalg
 %bcond_without  nm
 %else
-%bcond_with     sqlite
-%bcond_with     gcrypt
+%bcond_with     farp
+%bcond_with     afalg
 %bcond_with     nm
 %endif
 %if 0%{suse_version} > 1220
@@ -63,7 +61,6 @@ Source4:        README.SUSE
 Source5:        %{name}.keyring
 Patch1:         %{name}_modprobe_syslog.patch
 Patch2:         %{name}_ipsec_service.patch
-Patch3:         %{name}-fips-disablegcrypt.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  curl-devel
@@ -91,11 +88,15 @@ BuildRequires:  libgcrypt-devel
 BuildRequires:  NetworkManager-devel
 %endif
 %if %{with systemd}
-BuildRequires:  pkgconfig(systemd)
+%{?systemd_requires}
 %endif
 BuildRequires:  iptables
+%if %{with systemd}
 %{!?_rundir: %global _rundir /run}
 %{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d}
+%else
+%{!?_rundir: %global _rundir /var/run}
+%endif
 
 %description
 StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
@@ -161,6 +162,15 @@ StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
 
 This package provides the strongswan library and plugins.
 
+%package hmac
+Summary:        HMAC files for FIPS-140-2 integrity
+Group:          Productivity/Networking/Security
+Requires:       strongswan-libs0 = %{version}
+
+%description hmac
+The package is supposed to provide HMAC hash files for FIPS-140-2
+integrity and enforce FIPS-140-2 compliant operation.
+
 %package ipsec
 Summary:        OpenSource IPsec-based VPN Solution
 Group:          Productivity/Networking/Security
@@ -244,7 +254,6 @@ and the load testing plugin for IKEv2 daemon.
 %setup -q -n %{name}-%{upstream_version}
 %patch1 -p0
 %patch2 -p0
-%patch3 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g'    \
      < $RPM_SOURCE_DIR/strongswan.init.in \
      > strongswan.init
@@ -255,24 +264,28 @@ export RPM_OPT_FLAGS CFLAGS
 #libtoolize --force
 #autoreconf
 %configure \
-	--enable-conftest \
 	--enable-integrity-test \
 	--with-capabilities=libcap \
 	--with-plugindir=%{strongswan_plugins} \
-	--with-fips=2 \
 	--with-resolv-conf=%{_rundir}/%{name}/resolv.conf \
 	--with-piddir=%{_rundir}/%{name} \
 	--enable-pkcs11 \
 	--enable-openssl \
 	--enable-agent \
+%if %{with gcrypt}
 	--enable-gcrypt \
+%else
+	--disable-gcrypt \
+%endif
 	--enable-blowfish \
 	--enable-ctr \
 	--enable-ccm \
 	--enable-gcm \
 	--enable-unity \
 	--enable-md4 \
+%if %{with afalg}
 	--enable-af-alg \
+%endif
 	--enable-eap-sim \
 	--enable-eap-sim-file \
 	--enable-eap-sim-pcsc \
@@ -305,7 +318,9 @@ export RPM_OPT_FLAGS CFLAGS
 	--enable-imv-scanner \
 	--enable-ha \
 	--enable-dhcp \
+%if %{with farp}
 	--enable-farp \
+%endif
 	--enable-smp \
 	--enable-sql \
 	--enable-attr-sql \
@@ -322,15 +337,13 @@ export RPM_OPT_FLAGS CFLAGS
 %if %{with sqlite}
 	--enable-sqlite \
 %endif
-%if %{with gcrypt}
-	--enable-gcrypt \
-%endif
 %if %{with nm}
 	--enable-nm \
 %else
 	--disable-nm \
 %endif
 %if %{with tests}
+	--enable-conftest \
 	--enable-load-tester \
 	--enable-test-vectors \
 %endif
@@ -344,7 +357,9 @@ make %{?_smp_mflags:%_smp_mflags}
 export RPM_BUILD_ROOT
 install -d -m755              ${RPM_BUILD_ROOT}%{_sbindir}/
 install -d -m755              ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.d/
-%if ! %{with systemd}
+%if %{with systemd}
+ln -sf %_sbindir/service      ${RPM_BUILD_ROOT}%_sbindir/rcstrongswan
+%else
 install -d -m755              ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/
 install -m755 strongswan.init ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ipsec
 ln -s %{_sysconfdir}/init.d/ipsec ${RPM_BUILD_ROOT}%{_sbindir}/rcipsec
@@ -362,6 +377,12 @@ cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
 #
 EOT
 #
+%if ! %{with mysql}
+rm -f $RPM_BUILD_ROOT%{strongswan_templates}/database/sql/mysql.sql
+%endif
+%if ! %{with sqlite}
+rm -f $RPM_BUILD_ROOT%{strongswan_templates}/database/sql/sqlite.sql
+%endif
 rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
 rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
 find $RPM_BUILD_ROOT%{strongswan_libdir} -type f -name "*.la" -delete
@@ -372,26 +393,37 @@ install -c -m644 TODO NEWS README COPYING LICENSE \
 		 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
 install -c -m644 ${RPM_SOURCE_DIR}/README.SUSE \
 		 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
-
+%if %{with systemd}
 %{__install} -d -m 0755 %{buildroot}%{_tmpfilesdir}
 echo 'd %{_rundir}/%{name} 0770 root root' > %{buildroot}%{_tmpfilesdir}/%{name}.conf
+%endif
 
-%post libs0 -p /sbin/ldconfig
+%post libs0
+/sbin/ldconfig
+%if %{with systemd}
+%{?tmpfiles_create: %tmpfiles_create %{_tmpfilesdir}/%{name}.conf}
+%else
+test -d %{_rundir}/%{name} || %{__mkdir_p} %{_rundir}/%{name}
+%endif
 
 %postun libs0 -p /sbin/ldconfig
 
 %pre ipsec
+%if %{with systemd}
 %service_add_pre %{name}.service
+%endif
 
 %post ipsec
-%if ! %{with systemd}
+%if %{with systemd}
+%service_add_post %{name}.service
+%else
 %{fillup_and_insserv ipsec}
 %endif
-%{?tmpfiles_create: %tmpfiles_create %{_tmpfilesdir}/%{name}.conf }
-%service_add_post %{name}.service
 
 %preun ipsec
-%if ! %{with systemd}
+%if %{with systemd}
+%service_del_preun %{name}.service
+%else
 %{stop_on_removal ipsec}
 %endif
 if test -s %{_sysconfdir}/ipsec.secrets.rpmsave ; then
@@ -402,20 +434,22 @@ if test -s %{_sysconfdir}/ipsec.conf.rpmsave ; then
 	cp -p --backup=numbered %{_sysconfdir}/ipsec.conf.rpmsave \
 	                        %{_sysconfdir}/ipsec.conf.rpmsave.old
 fi
-%service_del_preun %{name}.service
 
 %postun ipsec
-%if ! %{with systemd}
+%if %{with systemd}
+%service_del_postun %{name}.service
+%else
 %{insserv_cleanup}
 %endif
 
-%service_del_postun %{name}.service
-
 %files
 %defattr(-,root,root)
 %dir %{strongswan_docdir}
 %{strongswan_docdir}/README.SUSE
 
+%files hmac
+%defattr(-,root,root)
+
 %files ipsec
 %defattr(-,root,root)
 %config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.conf
@@ -431,6 +465,7 @@ fi
 %dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
 %if %{with systemd}
 %{_unitdir}/strongswan.service
+%{_sbindir}/rcstrongswan
 %else
 %config %{_sysconfdir}/init.d/ipsec
 %{_sbindir}/rcipsec
@@ -446,7 +481,9 @@ fi
 %{_libexecdir}/ipsec/_copyright
 %{_libexecdir}/ipsec/_updown
 %{_libexecdir}/ipsec/_updown_espmark
+%if %{with test}
 %{_libexecdir}/ipsec/conftest
+%endif
 %{_libexecdir}/ipsec/duplicheck
 %{_libexecdir}/ipsec/pool
 %{_libexecdir}/ipsec/pt-tls-client
@@ -459,7 +496,6 @@ fi
 %dir %{strongswan_plugins}
 %{strongswan_plugins}/libstrongswan-stroke.so
 %{strongswan_plugins}/libstrongswan-updown.so
-%{_tmpfilesdir}/%{name}.conf
 
 %files doc
 %defattr(-,root,root)
@@ -477,6 +513,9 @@ fi
 
 %files libs0
 %defattr(-,root,root)
+%if %{with systemd}
+%{_tmpfilesdir}/%{name}.conf
+%endif
 %config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf
 %dir %{strongswan_configs}
 %dir %{strongswan_configs}/charon
@@ -489,7 +528,9 @@ fi
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/tools.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
+%if %{with afalg}
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/af-alg.conf
+%endif
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/agent.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/attr.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/attr-sql.conf
@@ -523,10 +564,14 @@ fi
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-tls.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-tnc.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-ttls.conf
+%if %{with farp}
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/farp.conf
+%endif
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/fips-prf.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gcm.conf
+%if %{with gcrypt}
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gcrypt.conf
+%endif
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gmp.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ha.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/hmac.conf
@@ -591,7 +636,9 @@ fi
 %dir %{strongswan_plugins}
 %{strongswan_plugins}/libstrongswan-addrblock.so
 %{strongswan_plugins}/libstrongswan-aes.so
+%if %{with afalg}
 %{strongswan_plugins}/libstrongswan-af-alg.so
+%endif
 %{strongswan_plugins}/libstrongswan-agent.so
 %{strongswan_plugins}/libstrongswan-attr.so
 %{strongswan_plugins}/libstrongswan-attr-sql.so
@@ -625,7 +672,9 @@ fi
 %{strongswan_plugins}/libstrongswan-eap-tls.so
 %{strongswan_plugins}/libstrongswan-eap-tnc.so
 %{strongswan_plugins}/libstrongswan-eap-ttls.so
+%if %{with farp}
 %{strongswan_plugins}/libstrongswan-farp.so
+%endif
 %{strongswan_plugins}/libstrongswan-fips-prf.so
 %{strongswan_plugins}/libstrongswan-gcm.so
 %if %{with gcrypt}
@@ -685,7 +734,9 @@ fi
 %{strongswan_templates}/config/strongswan.conf
 %{strongswan_templates}/config/plugins/addrblock.conf
 %{strongswan_templates}/config/plugins/aes.conf
+%if %{with afalg}
 %{strongswan_templates}/config/plugins/af-alg.conf
+%endif
 %{strongswan_templates}/config/plugins/agent.conf
 %{strongswan_templates}/config/plugins/attr-sql.conf
 %{strongswan_templates}/config/plugins/attr.conf
@@ -719,10 +770,14 @@ fi
 %{strongswan_templates}/config/plugins/eap-tls.conf
 %{strongswan_templates}/config/plugins/eap-tnc.conf
 %{strongswan_templates}/config/plugins/eap-ttls.conf
+%if %{with farp}
 %{strongswan_templates}/config/plugins/farp.conf
+%endif
 %{strongswan_templates}/config/plugins/fips-prf.conf
 %{strongswan_templates}/config/plugins/gcm.conf
+%if %{with gcrypt}
 %{strongswan_templates}/config/plugins/gcrypt.conf
+%endif
 %{strongswan_templates}/config/plugins/gmp.conf
 %{strongswan_templates}/config/plugins/ha.conf
 %{strongswan_templates}/config/plugins/hmac.conf