forked from pool/strongswan
Accepting request 613646 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/613646 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=68
This commit is contained in:
commit
d48e33c256
@ -15,10 +15,10 @@ utils/utils/memory.h:99:15: error: ‘uintptr_t’ undeclared (first use in this
|
||||
src/libstrongswan/utils/utils/memory.h | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/src/libstrongswan/utils/utils/memory.h b/src/libstrongswan/utils/utils/memory.h
|
||||
index b978e7c..55aaaf5 100644
|
||||
--- a/src/libstrongswan/utils/utils/memory.h
|
||||
+++ b/src/libstrongswan/utils/utils/memory.h
|
||||
Index: strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h
|
||||
===================================================================
|
||||
--- strongswan-5.6.2.orig/src/libstrongswan/utils/utils/memory.h 2017-08-14 08:48:41.000000000 +0200
|
||||
+++ strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h 2018-04-17 16:53:57.590335103 +0200
|
||||
@@ -22,6 +22,8 @@
|
||||
#ifndef MEMORY_H_
|
||||
#define MEMORY_H_
|
||||
@ -28,6 +28,3 @@ index b978e7c..55aaaf5 100644
|
||||
/**
|
||||
* Helper function that compares two binary blobs for equality
|
||||
*/
|
||||
--
|
||||
2.14.1
|
||||
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:a14dc0d92634ed52730bfc76a76db30943a28ed3c65a560066e1e9f785827b13
|
||||
size 4850722
|
@ -1,14 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1
|
||||
|
||||
iQGcBAABAgAGBQJZkUjtAAoJEN9CwXCzTbp3m08L/3A4QqZMMuBMuliao4kwO4tG
|
||||
kyHD+nWMrFIK2dwu9zAMY5noiVUNcXExPgF7UTbW77Tr2s8RtkrnIUCTEJ+qYk7F
|
||||
CNX2BmdYbB9MAofkaou/xAXKgfxXVxw41DY7sK59e+VZayJ+LN9Suq413ymdF6Da
|
||||
kclM5ZoEM9X7feY+n1U2/DG199pF5sFN4dEt+kgSD4NJuZHsn+jfLVYzciHBIyk5
|
||||
d1tnUAVjVUIVfGrQ6SG2SoASIla4Qv27YszdRtzIRYVjzj+bt4gX2ORkpChLGg6M
|
||||
an50EM6yDBdDDyF+muNKl8OaE6YaAmIBKuftn/Rlx8kILzUTtiKk+6au699XaW/H
|
||||
dMdHgb8AsyTi/nudz/nYfHUyYIbalOLwttG8qh3U+qCZ9ZbXy6wi9HB8FBPUNRru
|
||||
UBd1Y+kh7FMicZprlr5xGxJ78vi7avV9HOjxIZldfoAaP/AO9l4fXYs2AVzZRalJ
|
||||
eCwB7EHznJ/KVoKZ9MpXp6ne3iPGLYsoo92B8OXY3g==
|
||||
=ZRFr
|
||||
-----END PGP SIGNATURE-----
|
3
strongswan-5.6.2.tar.bz2
Normal file
3
strongswan-5.6.2.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:e0a60a30ebf3c534c223559e1686497a21ded709a5d605c5123c2f52bcc22e92
|
||||
size 4977859
|
14
strongswan-5.6.2.tar.bz2.sig
Normal file
14
strongswan-5.6.2.tar.bz2.sig
Normal file
@ -0,0 +1,14 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1
|
||||
|
||||
iQGcBAABAgAGBQJaiq4/AAoJEN9CwXCzTbp3ps8L/0Q5o49SWOozYIGHLsO/9y3B
|
||||
0rXzGdKlkFyysTNBf8BlrUh6U21D5g9ENO8OFofOAaseTzOwN9uUygiHggfF9WhG
|
||||
p0vq9kiFtW6i7fYyK2hbfo1GzIPPP5T78dJqqzP3cQp21ycLHskZPMpytUkxn1rb
|
||||
vA1IFy74GIeMZqB9dbBIyTiXIPGrJjvjeuVAkI5XWu6+sOmHz/utYz17EF4oeTTg
|
||||
PYJ2mvGQvgZPWh2Y4Vh4riMXFr9RBF+I/aSJ/e0Q4yuwwc2+83TShGyuZQmSG3jI
|
||||
bMwnBkSGpT2KMIb0PtSzB7zvnll+Dosr3hyWNZ+MaqzIwQpo051IKF0ZaJSpoZnZ
|
||||
rKVUIMriTa+N4AFkYFC60pJAZ61xUw5Wm/LTfHckHm0n7qK9CzWv2oNj5jboTmw7
|
||||
tpx7F27+iDO0/DUaBXuqTDThBXElN+e7p2/GSTnw9Y3N5jWnmgVyZHkhxggNzf4G
|
||||
0W2UcEgNmpP0gbJ3U0BnKv3CN5VQuxBpz2K2tKiJwg==
|
||||
=L2B6
|
||||
-----END PGP SIGNATURE-----
|
@ -1,3 +1,71 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Apr 17 13:24:38 UTC 2018 - bjorn.lie@gmail.com
|
||||
|
||||
- Update to version 5.6.2:
|
||||
* Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS
|
||||
signatures that was caused by insufficient input validation.
|
||||
One of the configurable parameters in algorithm identifier
|
||||
structures for RSASSA-PSS signatures is the mask generation
|
||||
function (MGF). Only MGF1 is currently specified for this
|
||||
purpose. However, this in turn takes itself a parameter that
|
||||
specifies the underlying hash function. strongSwan's parser did
|
||||
not correctly handle the case of this parameter being absent,
|
||||
causing an undefined data read. This vulnerability has been
|
||||
registered as CVE-2018-6459.
|
||||
* When rekeying IKEv2 IKE_SAs the previously negotiated DH group
|
||||
will be reused, instead of using the first configured group,
|
||||
which avoids an additional exchange if the peer previously
|
||||
selected a different DH group via INVALID_KE_PAYLOAD notify.
|
||||
The same is also done when rekeying CHILD_SAs except for the
|
||||
first rekeying of the CHILD_SA that was created with the
|
||||
IKE_SA, where no DH group was negotiated yet. Also, the
|
||||
selected DH group is moved to the front in all sent proposals
|
||||
that contain it and all proposals that don't are moved to the
|
||||
back in order to convey the preference for this group to the
|
||||
peer.
|
||||
* Handling of MOBIKE task queuing has been improved. In
|
||||
particular, the response to an address update (with NAT-D
|
||||
payloads) is not ignored anymore if only an address list update
|
||||
or DPD is queued as that could prevent updating the UDP
|
||||
encapsulation in the kernel.
|
||||
* On Linux, roam events may optionally be triggered by changes to
|
||||
the routing rules, which can be useful if routing rules
|
||||
(instead of e.g. route metrics) are used to switch from one to
|
||||
another interface (i.e. from one to another routing table).
|
||||
Since routing rules are currently not evaluated when doing
|
||||
route lookups this is only useful if the kernel-based route
|
||||
lookup is used (4664992f7d).
|
||||
* The fallback drop policies installed to avoid traffic leaks
|
||||
when replacing addresses in installed policies are now replaced
|
||||
by temporary drop policies, which also prevent acquires because
|
||||
we currently delete and reinstall IPsec SAs to update their
|
||||
addresses (35ef1b032d).
|
||||
* Access X.509 certificates held in non-volatile storage of a TPM
|
||||
2.0 referenced via the NV index.
|
||||
* Adding the --keyid parameter to pki --print allows to print
|
||||
private keys or certificates stored in a smartcard or a TPM
|
||||
2.0.
|
||||
* Fixed proposal selection if a peer incorrectly sends DH groups
|
||||
in the ESP proposal during IKE_AUTH and also if a DH group is
|
||||
configured in the local ESP proposal and
|
||||
charon.prefer_configured_proposals is disabled (d058fd3c32).
|
||||
* The lookup for PSK secrets for IKEv1 has been improved for
|
||||
certain scenarios (see #2497 for details).
|
||||
* MSKs received via RADIUS are now padded to 64 bytes to avoid
|
||||
compatibility issues with EAP-MSCHAPv2 and PRFs that have a
|
||||
block size < 64 bytes (e.g. AES-XCBC-PRF-128, see 73cbce6013).
|
||||
* The tpm_extendpcr command line tool extends a digest into a TPM
|
||||
PCR.
|
||||
* Ported the NetworkManager backend from the deprecated
|
||||
libnm-glib to libnm.
|
||||
* The save-keys debugging/development plugin saves IKE and/or ESP
|
||||
keys to files compatible with Wireshark.
|
||||
- Following upstreams port, replace NetworkManager-devel with
|
||||
pkgconfig(libnm) BuildRequires.
|
||||
- Refresh patches with quilt.
|
||||
- Disable strongswan_fipsfilter.patch, needs rebase or dropping,
|
||||
the file it patches no longer exists in tarball.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 16 08:55:10 UTC 2018 - mmnelemane@suse.com
|
||||
|
||||
|
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
Name: strongswan
|
||||
Version: 5.6.0
|
||||
Version: 5.6.2
|
||||
Release: 0
|
||||
%define upstream_version %{version}
|
||||
%define strongswan_docdir %{_docdir}/%{name}
|
||||
@ -62,7 +62,7 @@ Release: 0
|
||||
%bcond_with systemd
|
||||
%endif
|
||||
Summary: IPsec-based VPN solution
|
||||
License: GPL-2.0+
|
||||
License: GPL-2.0-or-later
|
||||
Group: Productivity/Networking/Security
|
||||
Url: http://www.strongswan.org/
|
||||
Requires: strongswan-ipsec = %{version}
|
||||
@ -80,6 +80,7 @@ Patch1: %{name}_modprobe_syslog.patch
|
||||
Patch2: %{name}_ipsec_service.patch
|
||||
%if %{with fipscheck}
|
||||
Patch3: %{name}_fipscheck.patch
|
||||
# Patch4 needs rebase, file it patches no longer exists in tarball.
|
||||
Patch4: %{name}_fipsfilter.patch
|
||||
%endif
|
||||
Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
|
||||
@ -107,7 +108,7 @@ BuildRequires: sqlite3-devel
|
||||
BuildRequires: libgcrypt-devel
|
||||
%endif
|
||||
%if %{with nm}
|
||||
BuildRequires: NetworkManager-devel
|
||||
BuildRequires: pkgconfig(libnm)
|
||||
%endif
|
||||
%if %{with systemd}
|
||||
%{?systemd_requires}
|
||||
@ -253,11 +254,12 @@ and the load testing plugin for IKEv2 daemon.
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{upstream_version}
|
||||
%patch1 -p0
|
||||
%patch2 -p0
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%if %{with fipscheck}
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
# Needs rebase, file it patches no longer exists.
|
||||
#patch4 -p1
|
||||
%endif
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
@ -617,6 +619,7 @@ fi
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/counters.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf
|
||||
%if %{with afalg}
|
||||
@ -671,6 +674,7 @@ fi
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mgf1.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf
|
||||
@ -742,6 +746,7 @@ fi
|
||||
%{strongswan_plugins}/libstrongswan-ccm.so
|
||||
%{strongswan_plugins}/libstrongswan-certexpire.so
|
||||
%{strongswan_plugins}/libstrongswan-cmac.so
|
||||
%{strongswan_plugins}/libstrongswan-counters.so
|
||||
%{strongswan_plugins}/libstrongswan-constraints.so
|
||||
%{strongswan_plugins}/libstrongswan-coupling.so
|
||||
%{strongswan_plugins}/libstrongswan-ctr.so
|
||||
@ -784,6 +789,7 @@ fi
|
||||
%{strongswan_plugins}/libstrongswan-led.so
|
||||
%{strongswan_plugins}/libstrongswan-md4.so
|
||||
%{strongswan_plugins}/libstrongswan-md5.so
|
||||
%{strongswan_plugins}/libstrongswan-mgf1.so
|
||||
%{strongswan_plugins}/libstrongswan-nonce.so
|
||||
%{strongswan_plugins}/libstrongswan-openssl.so
|
||||
%{strongswan_plugins}/libstrongswan-pem.so
|
||||
@ -842,6 +848,7 @@ fi
|
||||
%{strongswan_templates}/config/plugins/ccm.conf
|
||||
%{strongswan_templates}/config/plugins/certexpire.conf
|
||||
%{strongswan_templates}/config/plugins/cmac.conf
|
||||
%{strongswan_templates}/config/plugins/counters.conf
|
||||
%{strongswan_templates}/config/plugins/constraints.conf
|
||||
%{strongswan_templates}/config/plugins/coupling.conf
|
||||
%{strongswan_templates}/config/plugins/ctr.conf
|
||||
@ -884,6 +891,7 @@ fi
|
||||
%{strongswan_templates}/config/plugins/led.conf
|
||||
%{strongswan_templates}/config/plugins/md4.conf
|
||||
%{strongswan_templates}/config/plugins/md5.conf
|
||||
%{strongswan_templates}/config/plugins/mgf1.conf
|
||||
%{strongswan_templates}/config/plugins/nonce.conf
|
||||
%{strongswan_templates}/config/plugins/openssl.conf
|
||||
%{strongswan_templates}/config/plugins/pem.conf
|
||||
|
@ -1,6 +1,8 @@
|
||||
--- init/systemd/strongswan.service.in
|
||||
+++ init/systemd/strongswan.service.in 2012/10/31 15:21:11
|
||||
@@ -8,3 +8,4 @@ StandardOutput=syslog
|
||||
Index: strongswan-5.6.2/init/systemd/strongswan.service.in
|
||||
===================================================================
|
||||
--- strongswan-5.6.2.orig/init/systemd/strongswan.service.in 2017-02-07 08:04:04.000000000 +0100
|
||||
+++ strongswan-5.6.2/init/systemd/strongswan.service.in 2018-04-17 16:53:57.546334751 +0200
|
||||
@@ -9,3 +9,4 @@ Restart=on-abnormal
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
@ -1,5 +1,7 @@
|
||||
--- src/starter/klips.c
|
||||
+++ src/starter/klips.c 2012/10/30 17:07:23
|
||||
Index: strongswan-5.6.2/src/starter/klips.c
|
||||
===================================================================
|
||||
--- strongswan-5.6.2.orig/src/starter/klips.c 2016-04-22 22:01:35.000000000 +0200
|
||||
+++ strongswan-5.6.2/src/starter/klips.c 2018-04-17 16:53:57.534334655 +0200
|
||||
@@ -30,7 +30,7 @@ bool starter_klips_init(void)
|
||||
/* ipsec module makes the pf_key proc interface visible */
|
||||
if (stat(PROC_MODULES, &stb) == 0)
|
||||
@ -22,9 +24,11 @@
|
||||
|
||||
DBG2(DBG_APP, "found KLIPS IPsec stack");
|
||||
return TRUE;
|
||||
--- src/starter/netkey.c
|
||||
+++ src/starter/netkey.c 2012/10/30 17:07:02
|
||||
@@ -31,7 +31,7 @@ bool starter_netkey_init(void)
|
||||
Index: strongswan-5.6.2/src/starter/netkey.c
|
||||
===================================================================
|
||||
--- strongswan-5.6.2.orig/src/starter/netkey.c 2016-04-22 22:01:35.000000000 +0200
|
||||
+++ strongswan-5.6.2/src/starter/netkey.c 2018-04-17 16:53:57.534334655 +0200
|
||||
@@ -30,7 +30,7 @@ bool starter_netkey_init(void)
|
||||
/* af_key module makes the netkey proc interface visible */
|
||||
if (stat(PROC_MODULES, &stb) == 0)
|
||||
{
|
||||
@ -33,7 +37,7 @@
|
||||
}
|
||||
|
||||
/* now test again */
|
||||
@@ -45,11 +45,11 @@ bool starter_netkey_init(void)
|
||||
@@ -44,11 +44,11 @@ bool starter_netkey_init(void)
|
||||
/* make sure that all required IPsec modules are loaded */
|
||||
if (stat(PROC_MODULES, &stb) == 0)
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user