Hello community,

here is the log from the commit of package strongswan for openSUSE:Factory checked in at 2023-06-24 20:13:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/strongswan (Old)
 and /work/SRC/openSUSE:Factory/.strongswan.new.15902 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "strongswan" Sat Jun 24 20:13:38 2023 rev:91 rq:1094810 version:5.9.11 Changes: -------- --- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes 2023-06-14 16:28:42.062232793 +0200 +++ /work/SRC/openSUSE:Factory/.strongswan.new.15902/strongswan.changes 2023-06-24 20:13:51.396113555 +0200 @@ -1,0 +2,11 @@ +Thu Jun 22 13:24:08 UTC 2023 - Mohd Saquib <mohd.saq...@suse.com> + +- Removed .hmac files + hmac integrity check logic from strongswan-hmac + package as it is not mandated anymore by FIPS (boo#1185116) +- Removed folliwng files: + [- strongswan_fipscheck.patch] + [- fipscheck.sh.in] + Note: strongswan-hmac package is not removed as it still provides a + config file that doesn't allow non-fips approved algorithms + +------------------------------------------------------------------- Old: ---- fipscheck.sh.in strongswan_fipscheck.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ strongswan.spec ++++++ --- /var/tmp/diff_new_pack.aR7zE8/_old 2023-06-24 20:13:54.256130442 +0200 +++ /var/tmp/diff_new_pack.aR7zE8/_new 2023-06-24 20:13:54.264130489 +0200 @@ -55,13 +55,9 @@ Source4: README.SUSE Source5: %{name}.keyring %if %{with fipscheck} -Source6: fipscheck.sh.in Source7: fips-enforce.conf %endif Patch2: %{name}_ipsec_service.patch -%if %{with fipscheck} -Patch3: %{name}_fipscheck.patch -%endif Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch Patch6: harden_strongswan.service.patch BuildRequires: bison @@ -95,9 +91,6 @@ %{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d} BuildRequires: autoconf BuildRequires: automake -%if %{with fipscheck} -BuildRequires: fipscheck -%endif BuildRequires: libtool Requires: strongswan-ipsec = %{version} 
@@ -153,18 +146,14 @@ This package provides the strongswan library and plugins. %package hmac -Summary: HMAC files for FIPS-140-2 integrity in strongSwan +Summary: Config file to disable non FIPS-140-2 algos in strongSwan Group: Productivity/Networking/Security -Requires: fipscheck Requires: strongswan-ipsec = %{version} Requires: strongswan-libs0 = %{version} %description hmac -The package provides HMAC hash files for FIPS-140-2 integrity checks, -a config file disabling alternative algorithm implementations and a -_fipscheck helper script preforming the integrity checks before e.g. -"ipsec start" action is executed, when FIPS-140-2 compliant operation -mode is enabled. +The package provides a config file disabling alternative algorithm +implementation when FIPS-140-2 compliant operation mode is enabled. %package ipsec Summary: IPsec-based VPN solution @@ -230,21 +219,10 @@ %prep %setup -q -n %{name}-%{upstream_version} %patch2 -p1 -%if %{with fipscheck} -%patch3 -p1 -%endif %patch5 -p1 sed -e 's|@libexecdir@|%_libexecdir|g' \ < %{_sourcedir}/strongswan.init.in \ > strongswan.init -%if %{with fipscheck} -sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \ - -e 's|@IPSEC_LIBDIR@|%{_libdir}/ipsec|g' \ - -e 's|@IPSEC_SBINDIR@|%{_sbindir}|g' \ - -e 's|@IPSEC_BINDIR@|%{_bindir}|g' \ - < %{_sourcedir}/fipscheck.sh.in \ - > _fipscheck -%endif %patch6 -p1 %build 
@@ -412,33 +390,10 @@ install -d -m 0755 %{buildroot}%{_tmpfilesdir} echo 'd %{_rundir}/%{name} 0770 root root' > %{buildroot}%{_tmpfilesdir}/%{name}.conf %if %{with fipscheck} -# -# note: keep the following, _fipscheck's and file lists in sync -# -install -c -m750 _fipscheck %{buildroot}/%{_libexecdir}/ipsec/ install -c -m644 %{_sourcedir}/fips-enforce.conf \ %{buildroot}/%{strongswan_configs}/charon/zzz_fips-enforce.conf # disable bypass-lan plugin by default sed -i 's/\(load[ ]*=[ ]*\)yes/\1no/g' %{buildroot}/%{strongswan_configs}/charon/bypass-lan.conf -# create fips hmac hashes _after_ install post run -%{expand:%%global __os_install_post {%__os_install_post - for f in %{buildroot}/%{strongswan_libdir}/lib*.so.*.*.* \ - %{buildroot}/%{strongswan_libdir}/imcvs/*.so \ - %{buildroot}/%{strongswan_plugins}/*.so \ - %{buildroot}/%{_libexecdir}/ipsec/charon \ - %{buildroot}/%{_libexecdir}/ipsec/charon-nm \ - %{buildroot}/%{_libexecdir}/ipsec/stroke \ - %{buildroot}/%{_libexecdir}/ipsec/starter \ - %{buildroot}/%{_libexecdir}/ipsec/pool \ - %{buildroot}/%{_libexecdir}/ipsec/imv_policy_manager \ - %{buildroot}/%{_libexecdir}/ipsec/_fipscheck \ - %{buildroot}/%{_bindir}/pt-tls-client \ - %{buildroot}/%{_sbindir}/ipsec \ - ; - do - /usr/bin/fipshmac "$f" - done -}} %endif %post libs0 @@ -498,16 +453,6 @@ %dir %{strongswan_configs} %dir %{strongswan_configs}/charon %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/zzz_fips-enforce.conf -%dir %{strongswan_libdir} -%{strongswan_libdir}/.*.hmac -%{strongswan_libdir}/imcvs/.*.hmac -%dir %{strongswan_plugins} -%{strongswan_plugins}/.*.hmac -%dir %{_libexecdir}/ipsec -%{_libexecdir}/ipsec/_fipscheck -%{_libexecdir}/ipsec/.*.hmac -%{_sbindir}/.ipsec.hmac -%{_bindir}/.pt-tls-client.hmac %endif %files ipsec ++++++ fips-enforce.conf ++++++ --- /var/tmp/diff_new_pack.aR7zE8/_old 2023-06-24 20:13:54.316130796 +0200 +++ /var/tmp/diff_new_pack.aR7zE8/_new 2023-06-24 20:13:54.316130796 +0200 
@@ -3,8 +3,7 @@ # and kernel crypto API (af-alg) algorithms are supported. # # The strongswan-hmac package is supposed to be used/installed when fips -# is enabled and provides the hmac hashes, a "ipsec _fipscheck" script -# verifying the components and this blacklist disabling other plugins +# is enabled and provides this blacklist disabling other plugins # providing further and/or alternative algorithm implementations. # gcrypt {
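Review bot: The strongswan.changes entry (@@ -1,0 +2,11 @@) has a typo in "Removed folliwng files:" that should read "following". The entry also says only that the .hmac files and integrity check logic were removed. Since `_fipscheck` used to run before e.g. "ipsec start" according to the old %description, the entry should state explicitly that no start-up integrity verification of the strongSwan binaries and plugins happens any more, so administrators reading the changelog know the behaviour change.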
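Review bot: In the strongswan.spec preamble hunks (@@ -55,13 +55,9 @@ and @@ -95,9 +91,6 @@) the build conditional is still named `fipscheck`, although `BuildRequires: fipscheck`, `Source6: fipscheck.sh.in` and `Patch3` are all dropped and the only thing `%if %{with fipscheck}` now gates in the preamble is `Source7: fips-enforce.conf`. Either rename the conditional to describe what it controls now, or add a comment at its first use saying that it only selects the FIPS enforcement config, so that nobody assumes the fipscheck tooling is still involved in the build.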
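Review bot: In the `%package hmac` hunk (@@ -153,18 +146,14 @@) the new %description says "disabling alternative algorithm implementation", where the removed text had the plural "implementations" and the fips-enforce.conf comment still speaks of "further and/or alternative algorithm implementations"; please keep the plural. The subpackage also keeps the name strongswan-hmac while no longer shipping any .hmac file, which the changelog explains but the %description does not. One sentence there saying that the package no longer provides HMAC integrity checks would prevent `rpm -qi strongswan-hmac` from suggesting otherwise through the name alone.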
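Review bot: After the %install and %files hunks (@@ -412,33 +390,10 @@ and @@ -498,16 +453,6 @@), `zzz_fips-enforce.conf` is the only FIPS-related file left in the hmac subpackage, and it is installed as `%config(noreplace) %attr(600,root,root)`, so a locally edited copy that re-enables other plugins survives this update and nothing in the package checks it. Please mention this in README.SUSE or the changelog, and point administrators at `rpm -V strongswan-hmac` to compare the file with the packaged version. Separately, the %files hunk drops `%dir %{strongswan_libdir}`, `%dir %{strongswan_plugins}` and `%dir %{_libexecdir}/ipsec` from this subpackage; that is fine only if the required strongswan-libs0 and strongswan-ipsec packages own those directories, which is not visible in this diff and should be confirmed.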