Accepting request 597862 from GNOME:Next

New upstream release. OBS-URL: https://build.opensuse.org/request/show/597862 OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=110
2018-06-02 09:22:27 +00:00 · 2018-06-02 09:22:27 +00:00 · 6fe1f53373
commit 6fe1f53373
parent 1857167427
10 changed files with 118 additions and 39 deletions
--- a/0006-fix-compilation-error-by-adding-stdint.h.patch
+++ b/0006-fix-compilation-error-by-adding-stdint.h.patch
@ -15,10 +15,10 @@ utils/utils/memory.h:99:15: error: ‘uintptr_t’ undeclared (first use in this
 src/libstrongswan/utils/utils/memory.h | 2 ++
 1 file changed, 2 insertions(+)

-diff --git a/src/libstrongswan/utils/utils/memory.h b/src/libstrongswan/utils/utils/memory.h
-index b978e7c..55aaaf5 100644
--- a/src/libstrongswan/utils/utils/memory.h
-+++ b/src/libstrongswan/utils/utils/memory.h
+Index: strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h
+===================================================================
+--- strongswan-5.6.2.orig/src/libstrongswan/utils/utils/memory.h	2017-08-14 08:48:41.000000000 +0200
+++ strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h	2018-04-17 16:53:57.590335103 +0200
@@ -22,6 +22,8 @@
 #ifndef MEMORY_H_
 #define MEMORY_H_
@ -28,6 +28,3 @@ index b978e7c..55aaaf5 100644
 /**
  * Helper function that compares two binary blobs for equality
  */
-- 
-2.14.1
-
--- a/strongswan-5.6.0.tar.bz2
+++ b/strongswan-5.6.0.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a14dc0d92634ed52730bfc76a76db30943a28ed3c65a560066e1e9f785827b13
-size 4850722
--- a/strongswan-5.6.0.tar.bz2.sig
+++ b/strongswan-5.6.0.tar.bz2.sig
@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQGcBAABAgAGBQJZkUjtAAoJEN9CwXCzTbp3m08L/3A4QqZMMuBMuliao4kwO4tG
-kyHD+nWMrFIK2dwu9zAMY5noiVUNcXExPgF7UTbW77Tr2s8RtkrnIUCTEJ+qYk7F
-CNX2BmdYbB9MAofkaou/xAXKgfxXVxw41DY7sK59e+VZayJ+LN9Suq413ymdF6Da
-kclM5ZoEM9X7feY+n1U2/DG199pF5sFN4dEt+kgSD4NJuZHsn+jfLVYzciHBIyk5
-d1tnUAVjVUIVfGrQ6SG2SoASIla4Qv27YszdRtzIRYVjzj+bt4gX2ORkpChLGg6M
-an50EM6yDBdDDyF+muNKl8OaE6YaAmIBKuftn/Rlx8kILzUTtiKk+6au699XaW/H
-dMdHgb8AsyTi/nudz/nYfHUyYIbalOLwttG8qh3U+qCZ9ZbXy6wi9HB8FBPUNRru
-UBd1Y+kh7FMicZprlr5xGxJ78vi7avV9HOjxIZldfoAaP/AO9l4fXYs2AVzZRalJ
-eCwB7EHznJ/KVoKZ9MpXp6ne3iPGLYsoo92B8OXY3g==
-=ZRFr
-----END PGP SIGNATURE-----
--- a/strongswan-5.6.2-rpmlintrc
+++ b/strongswan-5.6.2-rpmlintrc
--- a/strongswan-5.6.2.tar.bz2
+++ b/strongswan-5.6.2.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e0a60a30ebf3c534c223559e1686497a21ded709a5d605c5123c2f52bcc22e92
+size 4977859
--- a/strongswan-5.6.2.tar.bz2.sig
+++ b/strongswan-5.6.2.tar.bz2.sig
@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQGcBAABAgAGBQJaiq4/AAoJEN9CwXCzTbp3ps8L/0Q5o49SWOozYIGHLsO/9y3B
+0rXzGdKlkFyysTNBf8BlrUh6U21D5g9ENO8OFofOAaseTzOwN9uUygiHggfF9WhG
+p0vq9kiFtW6i7fYyK2hbfo1GzIPPP5T78dJqqzP3cQp21ycLHskZPMpytUkxn1rb
+vA1IFy74GIeMZqB9dbBIyTiXIPGrJjvjeuVAkI5XWu6+sOmHz/utYz17EF4oeTTg
+PYJ2mvGQvgZPWh2Y4Vh4riMXFr9RBF+I/aSJ/e0Q4yuwwc2+83TShGyuZQmSG3jI
+bMwnBkSGpT2KMIb0PtSzB7zvnll+Dosr3hyWNZ+MaqzIwQpo051IKF0ZaJSpoZnZ
+rKVUIMriTa+N4AFkYFC60pJAZ61xUw5Wm/LTfHckHm0n7qK9CzWv2oNj5jboTmw7
+tpx7F27+iDO0/DUaBXuqTDThBXElN+e7p2/GSTnw9Y3N5jWnmgVyZHkhxggNzf4G
+0W2UcEgNmpP0gbJ3U0BnKv3CN5VQuxBpz2K2tKiJwg==
+=L2B6
+-----END PGP SIGNATURE-----
--- a/strongswan.changes
+++ b/strongswan.changes
@ -1,3 +1,71 @@
+-------------------------------------------------------------------
+Tue Apr 17 13:24:38 UTC 2018 - bjorn.lie@gmail.com
+
+- Update to version 5.6.2:
+  * Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS
+    signatures that was caused by insufficient input validation.
+    One of the configurable parameters in algorithm identifier
+    structures for RSASSA-PSS signatures is the mask generation
+    function (MGF). Only MGF1 is currently specified for this
+    purpose. However, this in turn takes itself a parameter that
+    specifies the underlying hash function. strongSwan's parser did
+    not correctly handle the case of this parameter being absent,
+    causing an undefined data read. This vulnerability has been
+    registered as CVE-2018-6459.
+  * When rekeying IKEv2 IKE_SAs the previously negotiated DH group
+    will be reused, instead of using the first configured group,
+    which avoids an additional exchange if the peer previously
+    selected a different DH group via INVALID_KE_PAYLOAD notify.
+    The same is also done when rekeying CHILD_SAs except for the
+    first rekeying of the CHILD_SA that was created with the
+    IKE_SA, where no DH group was negotiated yet. Also, the
+    selected DH group is moved to the front in all sent proposals
+    that contain it and all proposals that don't are moved to the
+    back in order to convey the preference for this group to the
+    peer.
+  * Handling of MOBIKE task queuing has been improved. In
+    particular, the response to an address update (with NAT-D
+    payloads) is not ignored anymore if only an address list update
+    or DPD is queued as that could prevent updating the UDP
+    encapsulation in the kernel.
+  * On Linux, roam events may optionally be triggered by changes to
+    the routing rules, which can be useful if routing rules
+    (instead of e.g. route metrics) are used to switch from one to
+    another interface (i.e. from one to another routing table).
+    Since routing rules are currently not evaluated when doing
+    route lookups this is only useful if the kernel-based route
+    lookup is used (4664992f7d).
+  * The fallback drop policies installed to avoid traffic leaks
+    when replacing addresses in installed policies are now replaced
+    by temporary drop policies, which also prevent acquires because
+    we currently delete and reinstall IPsec SAs to update their
+    addresses (35ef1b032d).
+  * Access X.509 certificates held in non-volatile storage of a TPM
+    2.0 referenced via the NV index.
+  * Adding the --keyid parameter to pki --print allows to print
+    private keys or certificates stored in a smartcard or a TPM
+    2.0.
+  * Fixed proposal selection if a peer incorrectly sends DH groups
+    in the ESP proposal during IKE_AUTH and also if a DH group is
+    configured in the local ESP proposal and
+    charon.prefer_configured_proposals is disabled (d058fd3c32).
+  * The lookup for PSK secrets for IKEv1 has been improved for
+    certain scenarios (see #2497 for details).
+  * MSKs received via RADIUS are now padded to 64 bytes to avoid
+    compatibility issues with EAP-MSCHAPv2 and PRFs that have a
+    block size < 64 bytes (e.g. AES-XCBC-PRF-128, see 73cbce6013).
+  * The tpm_extendpcr command line tool extends a digest into a TPM
+    PCR.
+  * Ported the NetworkManager backend from the deprecated
+    libnm-glib to libnm.
+  * The save-keys debugging/development plugin saves IKE and/or ESP
+    keys to files compatible with Wireshark.
+- Following upstreams port, replace NetworkManager-devel with
+  pkgconfig(libnm) BuildRequires.
+- Refresh patches with quilt.
+- Disable strongswan_fipsfilter.patch, needs rebase or dropping,
+  the file it patches no longer exists in tarball.
+
 -------------------------------------------------------------------
 Fri Mar 16 08:55:10 UTC 2018 - mmnelemane@suse.com

--- a/strongswan.spec
+++ b/strongswan.spec
@ -17,7 +17,7 @@


 Name:           strongswan
-Version:        5.6.0
+Version:        5.6.2
 Release:        0
 %define         upstream_version     %{version}
 %define         strongswan_docdir    %{_docdir}/%{name}
@ -62,7 +62,7 @@ Release:        0
 %bcond_with     systemd
 %endif
 Summary:        IPsec-based VPN solution
-License:        GPL-2.0+
+License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Security
 Url:            http://www.strongswan.org/
 Requires:       strongswan-ipsec = %{version}
@ -80,6 +80,7 @@ Patch1:         %{name}_modprobe_syslog.patch
 Patch2:         %{name}_ipsec_service.patch
 %if %{with fipscheck}
 Patch3:         %{name}_fipscheck.patch
+# Patch4 needs rebase, file it patches no longer exists in tarball.
 Patch4:         %{name}_fipsfilter.patch
 %endif
 Patch5:         0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
@ -107,7 +108,7 @@ BuildRequires:  sqlite3-devel
 BuildRequires:  libgcrypt-devel
 %endif
 %if %{with nm}
-BuildRequires:  NetworkManager-devel
+BuildRequires:  pkgconfig(libnm)
 %endif
 %if %{with systemd}
 %{?systemd_requires}
@ -253,11 +254,12 @@ and the load testing plugin for IKEv2 daemon.

 %prep
 %setup -q -n %{name}-%{upstream_version}
-%patch1 -p0
-%patch2 -p0
+%patch1 -p1
+%patch2 -p1
 %if %{with fipscheck}
 %patch3 -p1
-%patch4 -p1
+# Needs rebase, file it patches no longer exists.
+#patch4 -p1
 %endif
 %patch5 -p1
 %patch6 -p1
@ -617,6 +619,7 @@ fi
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/counters.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf
 %if %{with afalg}
@ -671,6 +674,7 @@ fi
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mgf1.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf
@ -742,6 +746,7 @@ fi
 %{strongswan_plugins}/libstrongswan-ccm.so
 %{strongswan_plugins}/libstrongswan-certexpire.so
 %{strongswan_plugins}/libstrongswan-cmac.so
+%{strongswan_plugins}/libstrongswan-counters.so
 %{strongswan_plugins}/libstrongswan-constraints.so
 %{strongswan_plugins}/libstrongswan-coupling.so
 %{strongswan_plugins}/libstrongswan-ctr.so
@ -784,6 +789,7 @@ fi
 %{strongswan_plugins}/libstrongswan-led.so
 %{strongswan_plugins}/libstrongswan-md4.so
 %{strongswan_plugins}/libstrongswan-md5.so
+%{strongswan_plugins}/libstrongswan-mgf1.so
 %{strongswan_plugins}/libstrongswan-nonce.so
 %{strongswan_plugins}/libstrongswan-openssl.so
 %{strongswan_plugins}/libstrongswan-pem.so
@ -842,6 +848,7 @@ fi
 %{strongswan_templates}/config/plugins/ccm.conf
 %{strongswan_templates}/config/plugins/certexpire.conf
 %{strongswan_templates}/config/plugins/cmac.conf
+%{strongswan_templates}/config/plugins/counters.conf
 %{strongswan_templates}/config/plugins/constraints.conf
 %{strongswan_templates}/config/plugins/coupling.conf
 %{strongswan_templates}/config/plugins/ctr.conf
@ -884,6 +891,7 @@ fi
 %{strongswan_templates}/config/plugins/led.conf
 %{strongswan_templates}/config/plugins/md4.conf
 %{strongswan_templates}/config/plugins/md5.conf
+%{strongswan_templates}/config/plugins/mgf1.conf
 %{strongswan_templates}/config/plugins/nonce.conf
 %{strongswan_templates}/config/plugins/openssl.conf
 %{strongswan_templates}/config/plugins/pem.conf
--- a/strongswan_ipsec_service.patch
+++ b/strongswan_ipsec_service.patch
@ -1,6 +1,8 @@
--- init/systemd/strongswan.service.in
-+++ init/systemd/strongswan.service.in	2012/10/31 15:21:11
-@@ -8,3 +8,4 @@ StandardOutput=syslog
+Index: strongswan-5.6.2/init/systemd/strongswan.service.in
+===================================================================
+--- strongswan-5.6.2.orig/init/systemd/strongswan.service.in	2017-02-07 08:04:04.000000000 +0100
+++ strongswan-5.6.2/init/systemd/strongswan.service.in	2018-04-17 16:53:57.546334751 +0200
+@@ -9,3 +9,4 @@ Restart=on-abnormal
 
 [Install]
 WantedBy=multi-user.target
--- a/strongswan_modprobe_syslog.patch
+++ b/strongswan_modprobe_syslog.patch
@ -1,5 +1,7 @@
--- src/starter/klips.c
-+++ src/starter/klips.c	2012/10/30 17:07:23
+Index: strongswan-5.6.2/src/starter/klips.c
+===================================================================
+--- strongswan-5.6.2.orig/src/starter/klips.c	2016-04-22 22:01:35.000000000 +0200
+++ strongswan-5.6.2/src/starter/klips.c	2018-04-17 16:53:57.534334655 +0200
@@ -30,7 +30,7 @@ bool starter_klips_init(void)
 		/* ipsec module makes the pf_key proc interface visible */
 		if (stat(PROC_MODULES, &stb) == 0)
@ -22,9 +24,11 @@
 
 	DBG2(DBG_APP, "found KLIPS IPsec stack");
 	return TRUE;
--- src/starter/netkey.c
-+++ src/starter/netkey.c	2012/10/30 17:07:02
-@@ -31,7 +31,7 @@ bool starter_netkey_init(void)
+Index: strongswan-5.6.2/src/starter/netkey.c
+===================================================================
+--- strongswan-5.6.2.orig/src/starter/netkey.c	2016-04-22 22:01:35.000000000 +0200
+++ strongswan-5.6.2/src/starter/netkey.c	2018-04-17 16:53:57.534334655 +0200
+@@ -30,7 +30,7 @@ bool starter_netkey_init(void)
 		/* af_key module makes the netkey proc interface visible */
 		if (stat(PROC_MODULES, &stb) == 0)
 		{
@ -33,7 +37,7 @@
 		}
 
 		/* now test again */
-@@ -45,11 +45,11 @@ bool starter_netkey_init(void)
+@@ -44,11 +44,11 @@ bool starter_netkey_init(void)
 	/* make sure that all required IPsec modules are loaded */
 	if (stat(PROC_MODULES, &stb) == 0)
 	{