Overview
Request 262598 superseded
- Disabled explicit gpg validation; osc source_validator does it.
- Guarded fipscheck and hmac package in the spec file for >13.1.
- Added generation of fips hmac hash files using fipshmac utility
and a _fipscheck script to verify binaries/libraries/plugings
shipped in the strongswan-hmac package.
With enabled fips in the kernel, the ipsec script will call it
before any action or in a enforced/manual "ipsec _fipscheck" call.
Added config file to load openssl and kernel af-alg plugins, but
not all the other modules which provide further/alternative algs.
Applied a filter disallowing non-approved algorithms in fips mode.
(fate#316931,bnc#856322).
[+ strongswan_fipscheck.patch, strongswan_fipsfilter.patch]
- Fixed file list in the optional (disabled) strongswan-test package.
- Fixed build of the strongswan built-in integrity checksum library
and enabled building it only on architectures tested to work.
- Fix to use bug number 897048 instead 856322 in last changes entry.
- Applied an upstream patch reverting to store algorithms in the
registration order again as ordering them by identifier caused
weaker algorithms to be proposed first by default (bsc#897512).
[+0001-restore-registration-algorithm-order.bug897512.patch]
- Re-enabled gcrypt plugin and reverted to not enforce fips again
as this breaks gcrypt and openssl plugins when the fips pattern
option is not installed (fate#316931,bnc#856322).
[- fips-disablegcrypt.patch]
- Added empty strongswan-hmac package supposed to provide fips hmac
files and enforce fips compliant operation later (bnc#856322).
- Cleaned up conditional build flags in the rpm spec file.
- Created by mtomaschewski
- In state superseded
- Supersedes 253174
- Superseded by 262968
-
Open review for
factory-staging
Request History
mtomaschewski created request
- Disabled explicit gpg validation; osc source_validator does it.
- Guarded fipscheck and hmac package in the spec file for >13.1.
- Added generation of fips hmac hash files using fipshmac utility
and a _fipscheck script to verify binaries/libraries/plugings
shipped in the strongswan-hmac package.
With enabled fips in the kernel, the ipsec script will call it
before any action or in a enforced/manual "ipsec _fipscheck" call.
Added config file to load openssl and kernel af-alg plugins, but
not all the other modules which provide further/alternative algs.
Applied a filter disallowing non-approved algorithms in fips mode.
(fate#316931,bnc#856322).
[+ strongswan_fipscheck.patch, strongswan_fipsfilter.patch]
- Fixed file list in the optional (disabled) strongswan-test package.
- Fixed build of the strongswan built-in integrity checksum library
and enabled building it only on architectures tested to work.
- Fix to use bug number 897048 instead 856322 in last changes entry.
- Applied an upstream patch reverting to store algorithms in the
registration order again as ordering them by identifier caused
weaker algorithms to be proposed first by default (bsc#897512).
[+0001-restore-registration-algorithm-order.bug897512.patch]
- Re-enabled gcrypt plugin and reverted to not enforce fips again
as this breaks gcrypt and openssl plugins when the fips pattern
option is not installed (fate#316931,bnc#856322).
[- fips-disablegcrypt.patch]
- Added empty strongswan-hmac package supposed to provide fips hmac
files and enforce fips compliant operation later (bnc#856322).
- Cleaned up conditional build flags in the rpm spec file.
licensedigger accepted review
{"approve": "license and version number unchanged: 5.1.3"}
factory-auto declined review
Output of check script:
A Patch (strongswan-fips-disablegcrypt.patch) is being deleted without this removal being referenced in the changelog.
factory-auto declined request
Output of check script:
A Patch (strongswan-fips-disablegcrypt.patch) is being deleted without this removal being referenced in the changelog.
mtomaschewski superseded request
superseded by 262968
