action #100554

closed

[sle][security][backlog][feature][ECO] SLE-21227 - QA: FIPS: implement the IPSEC KDF for strongswan in openssl

Added by bchou over 2 years ago. Updated almost 2 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: New test
Target version: -
Start date: 2021-10-07
Due date:
% Done: 100%
Estimated time: 40.00 h
Difficulty:

Description

https://jira.suse.com/browse/SLE-21227

OpenSSL in its master branch has a KDF (Key Derivation Function) framework.

As our FIPS strongswan certificate is only for the key derivation function, we could save a lot of trouble and effort by moving this functionality into openssl.

OpenSSL has already done a similar thing with the SSH KDF, and we could do it for IPSEC too.

Upstream so far does not have it there.

Actions #1

Updated by bchou almost 2 years ago

  • Subject changed from [sle][security][sle15sp4][feature][manual] SLE-21227 - QA: FIPS: implement the IPSEC KDF for strongswan in openssl to [sle][security][sle15sp4][feature][ECO] SLE-21227 - QA: FIPS: implement the IPSEC KDF for strongswan in openssl
  • Status changed from New to Blocked
  • Estimated time set to 40.00 h

This case will be released after SLE15 SP4 GMC. Set this poo as ECO.

Actions #2

Updated by llzhao almost 2 years ago

  • Subject changed from [sle][security][sle15sp4][feature][ECO] SLE-21227 - QA: FIPS: implement the IPSEC KDF for strongswan in openssl to [sle][security][backlog][feature][ECO] SLE-21227 - QA: FIPS: implement the IPSEC KDF for strongswan in openssl

Actions #3

Updated by rfan1 almost 2 years ago

  • Assignee changed from bchou to rcai

Actions #4

Updated by rcai almost 2 years ago

  • Status changed from Blocked to In Progress

The latest build 151.1 includes the fix for bug 1195919, as shown below:

rpm -q strongswan-5.8.2-150400.17.24.x86_64 --changelog | more
Thu Mar 24 2022 meissner@suse.com
0001-Modularize-the-IKEv2-key-derivation-so-it-can-be-pro.patch:
Outsource the IKE key deriviation to openssl for FIPS certification.
(bsc#1195919)

Completed the strongswan-related tests as below. All tests passed.

x86_64 platform openQA automation test; please refer to the test result:
https://openqa.suse.de/tests/8825402

Function test for HKDF, already integrated into openQA; please refer to the test result:
https://openqa.suse.de/tests/8825402#step/strongswan_server/30

For more strongswan on different platforms, please refer to the page: https://confluence.suse.com/pages/viewpage.action?pageId=968033193#SLES15SP4SecurityFIPSRegressionTest(RCphase)-RCphaseTestRuns

Actions #6

Updated by rcai almost 2 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 0 to 100