From 73a1c9e320c166518db74adaa8147b6eca0b456748d152d3347939f1a8974587 Mon Sep 17 00:00:00 2001 
From: Mohd Saquib Date: Mon, 12 Jun 2023 15:41:55 +0000 Subject: [PATCH 1/3] Accepting request 1092621 from home:msaquib:branches:network:vpn - Update to release 5.9.11 * A long-standing deadlock in the vici plugin has been fixed that could get triggered when multiple connections were initiated/terminated concurrently and control-log events were raised by the watcher_t component (#566). * In compliance with RFC 5280, CRLs now have to be signed by a certificate that either encodes the cRLSign keyUsage bit (even if it is a CA certificate), or is a CA certificate without a keyUsage extension. strongSwan encodes a keyUsage extension with cRLSign bit set in all CA certificates since 13 years. And before that it didn't encode the extension, so these certificates would also be accepted as CRL issuer in case they are still valid (7dc82de). * Support for optional CA labels in EST server URIs (e.g. https://www.example.org/.well-known/est/arbitraryLabel1/) was added to the pki --est and pki --estca commands (#1614). * The pkcs7 and openssl plugins now support CMS-style signatures in PKCS#7 containers, which allows verifying RSA-PSS and ECDSA signatures (#1615). * Fixed a regression in the server implementation of EAP-TLS when using TLS 1.2 or earlier that was introduced with 5.9.10 (#1613, 3d0d3f5). * The EAP-TLS client does now enforce that the TLS handshake is complete when using TLS 1.2 or earlier. It was possible to shortcut it by sending an early EAP-Success message. Note that this isn't a security issue as the server is authenticated at that point (db87087). * On Linux, the kernel-libipsec plugin can now optionally handle ESP packets without UDP encapsulation (uses RAW sockets, disabled by default, e3cb756). 
The plugin and libipsec also gained support OBS-URL: https://build.opensuse.org/request/show/1092621 OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=149 --- strongswan-5.9.10.tar.bz2 | 3 --- strongswan-5.9.10.tar.bz2.sig | 14 ----------- strongswan-5.9.11.tar.bz2 | 3 +++ strongswan-5.9.11.tar.bz2.sig | 14 +++++++++++ strongswan.changes | 47 +++++++++++++++++++++++++++++++++++ strongswan.spec | 2 +- 6 files changed, 65 insertions(+), 18 deletions(-) delete mode 100644 strongswan-5.9.10.tar.bz2 delete mode 100644 strongswan-5.9.10.tar.bz2.sig create mode 100644 strongswan-5.9.11.tar.bz2 create mode 100644 strongswan-5.9.11.tar.bz2.sig diff --git a/strongswan-5.9.10.tar.bz2 b/strongswan-5.9.10.tar.bz2 deleted file mode 100644 index b7517fe..0000000 --- a/strongswan-5.9.10.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:3b72789e243c9fa6f0a01ccaf4f83766eba96a5e5b1e071d36e997572cf34654 -size 4765407 diff --git a/strongswan-5.9.10.tar.bz2.sig b/strongswan-5.9.10.tar.bz2.sig deleted file mode 100644 index 3f018ac..0000000 --- a/strongswan-5.9.10.tar.bz2.sig +++ /dev/null @@ -1,14 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmQAZmIACgkQ30LBcLNN -uncmawv8DgoR/EdXdzvqzToiDYREwU5CfIYAPCYmUfw7tdwTZsiN9rdt13lI8+ei -8IqYIrtGvKVtiV3qwNaxxD/spQ+b/jbOk+ifzCQzylD5gv9fFyyKjiYIiLmK3qhr -7sc+tN90HY443qN4JV1rwHP4jN57pmNZ2qg2CbzU/zpePUHj5MlM3kgGd5bO5Q6L -MWmstO/RcjIIsZusqscrOGsaZrkULTeLyrOTLoJcM06b0F4vzeDwhLJjVoqYFVt5 -dPXLXygUfVUr+aAvCfNA03zokt6Ok9aSOBZZ8+nMPLU6wmWjjIdOf0/H9JG3/v6F -SGHVxlB4Z7sCkDzvmB/vmYquGw+gx+0Fx28eEV4E7TnrJrdlqC5n8wrPO9iFQ36y -QEua+S/q7qHSUBr01DW35e70oiJmbOqSH+poPVz2Qwk3ZVgcqIxCUpz6aWPjAicL -7VMYBssX6R5cCD3nIuHSe1+Iyx/AuFP7nuPHQrkIAKsDMVZR8GClNz+M8ZM7Cbar -a6YUUR/D -=FN1F ------END PGP SIGNATURE----- diff --git a/strongswan-5.9.11.tar.bz2 b/strongswan-5.9.11.tar.bz2 new file mode 100644 index 0000000..21e9c61 --- /dev/null 
+++ b/strongswan-5.9.11.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ddf53f1f26ad26979d5f55e8da95bd389552f5de3682e35593f9a70b2584ed2d +size 4786552 diff --git a/strongswan-5.9.11.tar.bz2.sig b/strongswan-5.9.11.tar.bz2.sig new file mode 100644 index 0000000..1b8068b --- /dev/null +++ b/strongswan-5.9.11.tar.bz2.sig @@ -0,0 +1,14 @@ +-----BEGIN PGP SIGNATURE----- + +iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmSGsnAACgkQ30LBcLNN +unfqXQv/Rfi3bcaIaULwNXnBgW2mWrsUFFUzQN/PB9fdPK/u0JUBWufUV/1/LUc9 +yA1S3ESubQMOYkPmSrQRfXwkrdGTQ3DwApuFL/42Q/TOk8jpTVaPM28Gs6D+77YC +QjB3JYcR2VxvgsEFZatqFgUaGyety1dB1P364EPnzzb7L0+7HBWT0IVkdpvPT/zX +5tQ6M4czD2cqv1fi8+Tjaq3mpw0PdyZSIoLuD7kL6AeWcrtzhfhr1vXQKwo0K5wh +5uuUbxPZIrmxLGk1vkoMuEKZ7XVvs3ulFFK9EvJXWM9USce0Br0irGEdO2sDAxWA +20jFzsW2wL5mkVLvLfQQrNC1qwsYKq3s3PInZEoUICE4zNC6zWS8tTtaq5Ul8X1J +AFhcrdy6cVs87LDyvEWiMcSwLpYk1egWwmF9acuMUE6bYSNUnYMkYwS7CjWQUXix +JMf3b60Ztm+r8RfitpWHp+N1pAGZCNJ3ZXTV0/4d65HB4GA1dWZuubRvUXbV7Ayb +oYKPlR2G +=+d5Q +-----END PGP SIGNATURE----- diff --git a/strongswan.changes b/strongswan.changes index 9fb22db..4b21ed9 100644 --- a/strongswan.changes +++ b/strongswan.changes 
@@ -1,3 +1,50 @@ +------------------------------------------------------------------- +Mon Jun 12 15:22:09 UTC 2023 - Mohd Saquib + +- Update to release 5.9.11 + * A long-standing deadlock in the vici plugin has been fixed that + could get triggered when multiple connections were + initiated/terminated concurrently and control-log events were + raised by the watcher_t component (#566). + * In compliance with RFC 5280, CRLs now have to be signed by a + certificate that either encodes the cRLSign keyUsage bit + (even if it is a CA certificate), or is a CA certificate without + a keyUsage extension. strongSwan encodes a keyUsage extension + with cRLSign bit set in all CA certificates since 13 years. And + before that it didn't encode the extension, so these certificates + would also be accepted as CRL issuer in case they are still valid + (7dc82de). + * Support for optional CA labels in EST server URIs + (e.g. https://www.example.org/.well-known/est/arbitraryLabel1/) + was added to the pki --est and pki --estca commands (#1614). + * The pkcs7 and openssl plugins now support CMS-style signatures in + PKCS#7 containers, which allows verifying RSA-PSS and ECDSA + signatures (#1615). + * Fixed a regression in the server implementation of EAP-TLS when + using TLS 1.2 or earlier that was introduced with 5.9.10 + (#1613, 3d0d3f5). + * The EAP-TLS client does now enforce that the TLS handshake is + complete when using TLS 1.2 or earlier. It was possible to + shortcut it by sending an early EAP-Success message. Note that + this isn't a security issue as the server is authenticated at + that point (db87087). + * On Linux, the kernel-libipsec plugin can now optionally handle + ESP packets without UDP encapsulation (uses RAW sockets, disabled + by default, e3cb756). The plugin and libipsec also gained support + trap policies (23d20bb). 
+ * The dhcp plugin uses an alternative method to determine the source + address when sending unicast DHCP requests, which is not affected + by interface filtering that might be employed for the IKE sockets + (#1573). + * The selection of certificates and trust chains as initiator has + been improved if the local trust chain is incomplete (i.e. the + root CA certificate for the local certificate is not loaded) + while a certificate request for a known but unrelated CA is + received, which caused any local intermediate CA certificates not + to get sent (efdcbd1). + * ECDSA and EdDSA public keys are supported by the ipseckey plugin + when parsing RFC 4025 IPSECKEY resource records (7be55ad). + ------------------------------------------------------------------- Wed Apr 5 01:34:28 UTC 2023 - Mohd Saquib diff --git a/strongswan.spec b/strongswan.spec index 300bec1..70e505f 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -17,7 +17,7 @@ Name: strongswan -Version: 5.9.10 +Version: 5.9.11 Release: 0 %define upstream_version %{version} %define strongswan_docdir %{_docdir}/%{name} From a937e6040b5133a912f2ee28b77895b329c0f7b987a3b5d021c0793466cd3c0d Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Mon, 12 Jun 2023 15:55:07 +0000 Subject: [PATCH 2/3] OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=150 --- strongswan.changes | 5 +++++ strongswan.spec | 14 +------------- 2 files changed, 6 insertions(+), 13 deletions(-) diff --git a/strongswan.changes b/strongswan.changes index 4b21ed9..ec29cee 100644 --- a/strongswan.changes +++ b/strongswan.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Jun 12 15:54:53 UTC 2023 - Jan Engelhardt + +- Remove pre-SLE15 build logic + ------------------------------------------------------------------- Mon Jun 12 15:22:09 UTC 2023 - Mohd Saquib diff --git a/strongswan.spec b/strongswan.spec index 70e505f..7410a41 100644 --- a/strongswan.spec 
+++ b/strongswan.spec @@ -31,31 +31,19 @@ Release: 0 %else %bcond_with tests %endif -%if 0%{suse_version} > 1310 %bcond_without fipscheck -%else -%bcond_with fipscheck -%endif %ifarch %{ix86} ppc64le %bcond_without integrity %else %bcond_with integrity %endif -%if 0%{suse_version} > 1110 %bcond_without farp %bcond_without afalg %bcond_without mysql %bcond_without sqlite %bcond_without gcrypt %bcond_without nm -%else -%bcond_with farp -%bcond_with afalg -%bcond_with mysql -%bcond_with sqlite -%bcond_with gcrypt -%bcond_with nm -%endif +%bcond_without systemd Summary: IPsec-based VPN solution License: GPL-2.0-or-later Group: Productivity/Networking/Security From 8c5539213caa942274d2386042febdf4ba340470d0ed1e79be6072cb4dee64f6 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Mon, 12 Jun 2023 15:57:20 +0000 Subject: [PATCH 3/3] compact/trim changelog - https://en.opensuse.org/openSUSE:Creating_a_changes_file_(RPM) OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=151 --- strongswan.changes | 56 ++++++++++++++-------------------------------- 1 file changed, 17 insertions(+), 39 deletions(-) diff --git a/strongswan.changes b/strongswan.changes index ec29cee..c67e46f 100644 --- a/strongswan.changes +++ b/strongswan.changes 
@@ -7,48 +7,26 @@ Mon Jun 12 15:54:53 UTC 2023 - Jan Engelhardt Mon Jun 12 15:22:09 UTC 2023 - Mohd Saquib - Update to release 5.9.11 - * A long-standing deadlock in the vici plugin has been fixed that - could get triggered when multiple connections were - initiated/terminated concurrently and control-log events were - raised by the watcher_t component (#566). - * In compliance with RFC 5280, CRLs now have to be signed by a - certificate that either encodes the cRLSign keyUsage bit - (even if it is a CA certificate), or is a CA certificate without - a keyUsage extension. strongSwan encodes a keyUsage extension - with cRLSign bit set in all CA certificates since 13 years. And - before that it didn't encode the extension, so these certificates - would also be accepted as CRL issuer in case they are still valid - (7dc82de). - * Support for optional CA labels in EST server URIs - (e.g. https://www.example.org/.well-known/est/arbitraryLabel1/) - was added to the pki --est and pki --estca commands (#1614). - * The pkcs7 and openssl plugins now support CMS-style signatures in - PKCS#7 containers, which allows verifying RSA-PSS and ECDSA - signatures (#1615). + * A deadlock in the vici plugin has been fixed + * Per RFC 5280, CRLs now have to be signed by a certificate that + either encodes the cRLSign keyUsage bit (even if it is a CA + certificate), or is a CA certificate without a keyUsage + extension. + * Support for optional CA labels in EST server URIs was added to + the pki --est and pki --estca commands. + * The pkcs7 and openssl plugins now support CMS-style signatures + in PKCS#7 containers, which allows verifying RSA-PSS and ECDSA + signatures. * Fixed a regression in the server implementation of EAP-TLS when - using TLS 1.2 or earlier that was introduced with 5.9.10 - (#1613, 3d0d3f5). + using TLS <=1.2. * The EAP-TLS client does now enforce that the TLS handshake is - complete when using TLS 1.2 or earlier. 
It was possible to - shortcut it by sending an early EAP-Success message. Note that - this isn't a security issue as the server is authenticated at - that point (db87087). + complete when using TLS <=1.2. * On Linux, the kernel-libipsec plugin can now optionally handle - ESP packets without UDP encapsulation (uses RAW sockets, disabled - by default, e3cb756). The plugin and libipsec also gained support - trap policies (23d20bb). - * The dhcp plugin uses an alternative method to determine the source - address when sending unicast DHCP requests, which is not affected - by interface filtering that might be employed for the IKE sockets - (#1573). - * The selection of certificates and trust chains as initiator has - been improved if the local trust chain is incomplete (i.e. the - root CA certificate for the local certificate is not loaded) - while a certificate request for a known but unrelated CA is - received, which caused any local intermediate CA certificates not - to get sent (efdcbd1). - * ECDSA and EdDSA public keys are supported by the ipseckey plugin - when parsing RFC 4025 IPSECKEY resource records (7be55ad). + ESP packets without UDP encapsulation. + * The dhcp plugin uses an alternative method to determine the + source address when sending unicast DHCP requests. + * ECDSA and EdDSA public keys are supported by the ipseckey + plugin when parsing RFC 4025 IPSECKEY resource records. ------------------------------------------------------------------- Wed Apr 5 01:34:28 UTC 2023 - Mohd Saquib
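Review bot: in the two file-replacement hunks of PATCH 1/3 (strongswan-5.9.10.tar.bz2 / .sig deleted, strongswan-5.9.11.tar.bz2 added as a git-lfs pointer with oid sha256:ddf53f1f26ad26979d5f55e8da95bd389552f5de3682e35593f9a70b2584ed2d, size 4786552, plus a new detached signature) nothing records that the new .sig was checked against the tarball that the pointer refers to. Please state in the commit message that `gpg --verify strongswan-5.9.11.tar.bz2.sig strongswan-5.9.11.tar.bz2` succeeded against the upstream release key, or ship that key as a keyring file in the package so the build service's source validation performs the check on every submission rather than relying on the submitter.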
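Review bot: in the strongswan.changes hunk of PATCH 1/3 (`@@ -1,3 +1,50 @@`), the kernel-libipsec entry reads "The plugin and libipsec also gained support trap policies (23d20bb)." and is missing a word; it should be "gained support for trap policies". In the same hunk, "since 13 years" in the RFC 5280 item reads more naturally as "for 13 years". Both lines are copied from the upstream NEWS text, so fixing them here is fine, but they should be fixed before the entry is published.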
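Review bot: in the strongswan.spec hunk of PATCH 2/3 (`@@ -31,31 +31,19 @@`), the added line `+%bcond_without systemd` is not a removal of pre-SLE15 logic, yet the accompanying strongswan.changes entry only says "Remove pre-SLE15 build logic"; either mention the new systemd bcond in the changes entry or move it to its own commit, and confirm that the rest of the spec actually consumes `%{with systemd}` (nothing in this hunk does). The removed `%if 0%{suse_version} > 1310` / `> 1110` branches themselves look correct to drop. The commit subject for this patch is also empty (only the OBS-URL trailer follows `[PATCH 2/3]`); the changes-entry text would make a suitable subject line.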
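Review bot: in the strongswan.changes hunk of PATCH 3/3 (`@@ -7,48 +7,26 @@`), compacting the entry drops every upstream reference (#566, 7dc82de, #1614, #1615, #1613, 3d0d3f5, db87087, e3cb756, 23d20bb, #1573, efdcbd1, 7be55ad) and removes the certificate-selection item (efdcbd1) entirely, even though that fix changes which intermediate CA certificates the initiator sends. The RFC 5280 CRL-issuer change is a behaviour change that can make previously accepted CRLs fail validation, so keeping at least its upstream reference (7dc82de) and a one-line mention of the efdcbd1 fix would let an administrator debugging a post-update failure trace the cause. Style nit in the same hunk: "* A deadlock in the vici plugin has been fixed" lacks the terminating period the other items have.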