strongSwan

h1. OpenSSL packages for the Testing Environment

The [[TestingEnvironment|testing environment]] uses FIPS-enabled OpenSSL packages based on the original Debian packages. These packages are automatically installed in the root image when the environment is built.

The following steps may be used to rebuild the packages.  This how-to uses *Ubuntu 14.04*, but it's similar on Debian or other Ubuntu releases.

*Note:* This how-to does not exactly follow the "instructions":https://www.openssl.org/docs/fips.html provided by the OpenSSL project. For FIPS compliance these have to be followed to the letter, but we ignore that for our test environment.

h2. sbuild

The packages are built using "sbuild":https://wiki.debian.org/sbuild in chroot environments managed with "schroot":https://wiki.debian.org/Schroot. This build environment can be installed as follows.

<pre>

sudo apt-get install sbuild debian-archive-keyring

sudo sbuild-createchroot <release> /path/to/chroot http://httpredir.debian.org/debian --keyring=/usr/share/keyrings/debian-archive-keyring.gpg

</pre>

_<release>_ is e.g. _jessie_. On Ubuntu 14.04 the line @profile=sbuild@ has to get removed from the file @/etc/schroot/chroot.d/<release>-amd64-sbuild-XXXX@, otherwise entering the chroot won't work correctly.

The following command provides a list of all schroot environments:

<pre>

sudo schroot -l

</pre>

A schroot environment may be entered with:

<pre>

sudo schroot -c <release>-amd64-sbuild

</pre>

h3. Only required with versions of sbuild < 0.67.0

To self-sign the binary packages a key pair has to be generated with:

<pre>

sudo sbuild-update --keygen

</pre>

h2. OpenSSL FIPS canister

Before the package can be built the sources for the FIPS canister have to be prepared:

<pre>

mkdir -p ~/openssl-fips/canister

cd ~/openssl-fips/canister

wget https://www.openssl.org/source/openssl-fips-x.x.x.tar.gz

tar xf openssl-fips-x.x.x.tar.gz

cd openssl-fips-x.x.x/

</pre>

and built and installed in the schroot environment created above (note that in newer versions the @source:@ prefix is required to make persistent changes):

<pre>

sudo schroot -c source:<release>-amd64-sbuild

</pre>

Then in the schroot:

<pre>

# ./config

# make install

# logout

</pre>

h2. FIPS-enabled OpenSSL

*Note:* The current FIPS module (2.0) is not compatible with OpenSSL 1.1.0 and newer

The sources for the current packages can easily be obtained using the corresponding ".dsc file":https://wiki.debian.org/dsc from Debian's "package tracker":https://packages.qa.debian.org/o/openssl.html.

<pre>

mkdir -p ~/openssl-fips/openssl

cd ~/openssl-fips/openssl

dget -u http://http.debian.net/debian/pool/main/o/openssl/openssl_xxx.dsc

cd openssl-xxx/

</pre>

To build the packages with FIPS support the @debian/rules@ file has to be modified:

* Add _fips_ and _no-speed_ to @CONFARGS@. _no-speed_ is required because the @speed@ utility somehow does not link to the FIPS-enabled library and then does not find some symbols during the package build.  Unfortunately, the @speed.c@ source file is not actually able to follow the @OPENSSL_NO_SPEED@ option, so a patch is required.  In order to build a proper source package this has to be done with quilt (see below).

* Remove all @make test@ calls (or @build* test@ in newer releases) as these test stuff that is disabled in FIPS mode. It might also be possible to add @nocheck@ to @DEB_BUILD_OPTIONS@.

To patch the speed utility quilt is required:

<pre>

sudo apt-get install quilt

export QUILT_PATCHES=debian/patches

export QUILT_REFRESH_ARGS="-p ab --no-timestamps --no-index"

quilt new speed-opensslconf.patch

quilt add apps/speed.c

</pre>

Add the following in @apps/speed.c@ right before the @#ifndef OPENSSL_NO_SPEED@ line. So it looks like this:

<pre>

#include <openssl/opensslconf.h>

#ifndef OPENSSL_NO_SPEED

</pre>

Update the patch:

<pre>

quilt refresh

</pre>

To update the changelog use the following (the values are examples, i.e. what we currently use):

<pre>

export DEBFULLNAME="strongSwan Testing"

export DEBEMAIL=debian@strongswan.org

dch --local strongswan --distribution <release>

</pre>

The version number doesn't really matter as the local repository is pinned in the testing environment so even if there is a newer version in the main repository our version should get installed. But it could still get set to a value that is always higher than minor revisions of the packages (e.g. instead of @1.0.1e-2+deb7u17@ use @1.0.1e-strongswan1~2+deb7u17@).

Now a new source package may be built:

<pre>

debuild --no-lintian -S -sa -us -uc -I -i

cd ..

</pre>

Based on that the binary packages can be built using sbuild:

<pre>

sudo sbuild -d <release> openssl_xxx-strongswan1-xxx.dsc

</pre>

h2. APT Repository

"Our custom repository"://download.strongswan.org/testing/repos/ is currently managed with @reprepro@. To add the new binary packages something like the following may be used:

<pre>

reprepro -b /path/to/debian/repo includedeb <release> <debfile>

</pre>