From f1c08d14e340180e0ade17b9a44ace3d4d0d4fd7747fba7b025c889ec6dc6227 Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Wed, 22 Oct 2008 16:50:36 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=9 --- strongswan-4.2.6.tar.bz2 | 3 - strongswan-4.2.6.tar.bz2.sig | 9 -- ....6-rpmlintrc => strongswan-4.2.8-rpmlintrc | 0 strongswan-4.2.6.dif => strongswan-4.2.8.dif | 0 strongswan-4.2.8.tar.bz2 | 3 + strongswan-4.2.8.tar.bz2.sig | 9 ++ strongswan.changes | 17 +++ strongswan.spec | 26 +++-- strongswan_DoS_changeset_r4345.diff | 103 ------------------ strongswan_addr_in_subnet.dif | 43 -------- 10 files changed, 47 insertions(+), 166 deletions(-) delete mode 100644 strongswan-4.2.6.tar.bz2 delete mode 100644 strongswan-4.2.6.tar.bz2.sig rename strongswan-4.2.6-rpmlintrc => strongswan-4.2.8-rpmlintrc (100%) rename strongswan-4.2.6.dif => strongswan-4.2.8.dif (100%) create mode 100644 strongswan-4.2.8.tar.bz2 create mode 100644 strongswan-4.2.8.tar.bz2.sig delete mode 100644 strongswan_DoS_changeset_r4345.diff delete mode 100644 strongswan_addr_in_subnet.dif
diff --git a/strongswan-4.2.6.tar.bz2 b/strongswan-4.2.6.tar.bz2
deleted file mode 100644
index 3087932..0000000
--- a/strongswan-4.2.6.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:30e5acb5913882d1389b0133c3c3e9cfb5c2686058d56b7baf37c0740c0b6791
-size 2894019
diff --git a/strongswan-4.2.6.tar.bz2.sig b/strongswan-4.2.6.tar.bz2.sig
deleted file mode 100644
index aa12617..0000000
--- a/strongswan-4.2.6.tar.bz2.sig
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.6 (GNU/Linux)
-
-iQCVAwUASLUlc9YbDnNAmVNZAQI4ZwP/TmmXOMo6lCUcLD2wJvZvotpCt6Tnrb1n
-4ZlUdZrqq2Br1A8t5CqTaqS+T5p3z+nvNU3x8GVTKtSDlPwbK+gGGXVdIrfGMv2O
-ToKjuiTU+ws4I74eFG5zjC1zAkavbH/P3zuTwwsZ2ahGWcCR+Wf3mmTH5pSauQM1
-doF73F0F0Ks=
-=qSNp
------END PGP SIGNATURE-----
diff --git a/strongswan-4.2.6-rpmlintrc b/strongswan-4.2.8-rpmlintrc
similarity index 100%
rename from strongswan-4.2.6-rpmlintrc
rename to strongswan-4.2.8-rpmlintrc
diff --git a/strongswan-4.2.6.dif b/strongswan-4.2.8.dif
similarity index 100%
rename from strongswan-4.2.6.dif
rename to strongswan-4.2.8.dif
diff --git a/strongswan-4.2.8.tar.bz2 b/strongswan-4.2.8.tar.bz2
new file mode 100644
index 0000000..95de870
--- /dev/null
+++ b/strongswan-4.2.8.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3e5a291857d55dfa530d5618e27a9fd17d0fd1e9d24023199a46466f76a6b687
+size 2906030
diff --git a/strongswan-4.2.8.tar.bz2.sig b/strongswan-4.2.8.tar.bz2.sig
new file mode 100644
index 0000000..0eeec92
--- /dev/null
+++ b/strongswan-4.2.8.tar.bz2.sig
@@ -0,0 +1,9 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.6 (GNU/Linux)
+
+iQCVAwUASPP38NYbDnNAmVNZAQK+AQP9EZ6yw3ru3RpRiR04qH4asitAF/bxGOLb
+O5ZZrbdedw4zC9gXZI3zmCgxO8t5RQA3JjtlsUtSkITAVhhxoyQb3LLg+8dtF3EN
++eawBteUG7xRl6Y+y3ESLwQ0Voma6FijN3GpqKFh7TJeFP+gSsV9Q0iZvDBxlCa/
+uVCvhbq+dcc=
+=H4YY
+-----END PGP SIGNATURE-----
diff --git a/strongswan.changes b/strongswan.changes
index 6f027c2..4df7e0e 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,20 @@ +------------------------------------------------------------------- +Mon Oct 20 09:27:06 CEST 2008 - mt@suse.de + +- Updated to 4.2.8 release: + * IKEv2 charon daemon supports authentication based on raw public + keys stored in the SQL database backend. The ipsec listpubkeys + command lists the available raw public keys via the stroke + interface. + * Several MOBIKE improvements: Detect changes in NAT mappings in + DPD exchanges, handle events if kernel detects NAT mapping changes + in UDP-encapsulated ESP packets (requires kernel patch), reuse old + addesses in MOBIKE updates as long as possible and other fixes. + * Fixed a bug in addr_in_subnet() which caused insertion of wrong + source routes for destination subnets having netwmasks not being a + multiple of 8 bits. Thanks go to Wolfgang Steudel, TU Ilmenau for + reporting this bug. + ------------------------------------------------------------------- Tue Oct 14 16:29:59 CEST 2008 - mt@suse.de diff --git a/strongswan.spec b/strongswan.spec index a3d389c..21f26e3 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,5 +1,5 @@ # -# spec file for package strongswan (Version 4.2.6) +# spec file for package strongswan (Version 4.2.8) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -19,10 +19,10 @@ Name: strongswan -%define upstream_version 4.2.6 +%define upstream_version 4.2.8 %define strongswan_docdir %{_docdir}/%{name} -Version: 4.2.6 -Release: 12 +Version: 4.2.8 +Release: 1 License: GPL v2 or later Group: Productivity/Networking/Security Summary: StrongSwan -- OpenSource IPsec-based VPN Solution @@ -40,8 +40,6 @@ Source3: %{name}-%{version}-rpmlintrc Patch1: %{name}_modprobe_syslog.dif Patch2: %{name}-%{upstream_version}.dif Patch3: %{name}_update-dns-server.dif -Patch4: %{name}_DoS_changeset_r4345.diff -Patch5: %{name}_addr_in_subnet.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison flex gmp-devel gperf pkg-config %if 0%{?suse_version} >= 1030 
@@ -139,8 +137,6 @@ Authors: %patch1 -p0 %patch2 -p0 %patch3 -p0 -%patch4 -p2 -%patch5 -p0 sed -e 's|@libexecdir@|%_libexecdir|g' \ < $RPM_SOURCE_DIR/strongswan.init.in \ > strongswan.init @@ -273,6 +269,20 @@ fi %{_mandir}/man8/starter.8* %changelog +* Mon Oct 20 2008 mt@suse.de +- Updated to 4.2.8 release: + * IKEv2 charon daemon supports authentication based on raw public + keys stored in the SQL database backend. The ipsec listpubkeys + command lists the available raw public keys via the stroke + interface. + * Several MOBIKE improvements: Detect changes in NAT mappings in + DPD exchanges, handle events if kernel detects NAT mapping changes + in UDP-encapsulated ESP packets (requires kernel patch), reuse old + addesses in MOBIKE updates as long as possible and other fixes. + * Fixed a bug in addr_in_subnet() which caused insertion of wrong + source routes for destination subnets having netwmasks not being a + multiple of 8 bits. Thanks go to Wolfgang Steudel, TU Ilmenau for + reporting this bug. * Tue Oct 14 2008 mt@suse.de - Applied fix for addr_in_subnet() extracted from strongswan-4.2.8 which caused insertion of wrong source routes for destination diff --git a/strongswan_DoS_changeset_r4345.diff b/strongswan_DoS_changeset_r4345.diff deleted file mode 100644 index 0053f06..0000000 --- a/strongswan_DoS_changeset_r4345.diff +++ /dev/null 
@@ -1,103 +0,0 @@
-Index: /trunk/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
-===================================================================
---- /trunk/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c (revision 4317)
-+++ /trunk/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c (revision 4345)
-@@ -94,9 +94,13 @@
- mpz_powm(c, m, this->e, this->n);
-
-- encrypted.len = this->k;
-- encrypted.ptr = mpz_export(NULL, NULL, 1, encrypted.len, 1, 0, c);
-+ encrypted.len = this->k;
-+ encrypted.ptr = mpz_export(NULL, NULL, 1, encrypted.len, 1, 0, c);
-+ if (encrypted.ptr == NULL)
-+ {
-+ encrypted.len = 0;
-+ }
-
- mpz_clear(c);
-- mpz_clear(m);
-+ mpz_clear(m);
-
- return encrypted;
-Index: /trunk/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
-===================================================================
---- /trunk/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c (revision 3806)
-+++ /trunk/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c (revision 4345)
-@@ -344,5 +344,5 @@
- */
- mpz_t g;
--
-+
- /**
- * My private value.
-@@ -354,5 +354,5 @@
- */
- mpz_t ya;
--
-+
- /**
- * Other public value.
-@@ -374,5 +374,5 @@
- */
- size_t p_len;
--
-+
- /**
- * True if shared secret is computed and stored in my_public_value.
-@@ -441,5 +441,9 @@
- }
- value->len = this->p_len;
-- value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->yb);
-+ value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->yb);
-+ if (value->ptr == NULL)
-+ {
-+ return FAILED;
-+ }
- return SUCCESS;
- }
-@@ -452,4 +456,8 @@
- value->len = this->p_len;
- value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->ya);
-+ if (value->ptr == NULL)
-+ {
-+ value->len = 0;
-+ }
- }
-
-@@ -464,5 +472,9 @@
- }
- secret->len = this->p_len;
-- secret->ptr = mpz_export(NULL, NULL, 1, secret->len, 1, 0, this->zz);
-+ secret->ptr = mpz_export(NULL, NULL, 1, secret->len, 1, 0, this->zz);
-+ if (secret->ptr == NULL)
-+ {
-+ return FAILED;
-+ }
- return SUCCESS;
- }
-Index: /trunk/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
-===================================================================
---- /trunk/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c (revision 4317)
-+++ /trunk/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c (revision 4345)
-@@ -192,4 +192,8 @@
- decrypted.len = this->k;
- decrypted.ptr = mpz_export(NULL, NULL, 1, decrypted.len, 1, 0, t1);
-+ if (decrypted.ptr == NULL)
-+ {
-+ decrypted.len = 0;
-+ }
-
- mpz_clear_randomized(t1);
-Index: /trunk/src/openac/openac.c
-===================================================================
---- /trunk/src/openac/openac.c (revision 4318)
-+++ /trunk/src/openac/openac.c (revision 4345)
-@@ -104,4 +104,8 @@
- chunk.len = 1 + mpz_sizeinbase(number, 2)/BITS_PER_BYTE;
- chunk.ptr = mpz_export(NULL, NULL, 1, chunk.len, 1, 0, number);
-+ if (chunk.ptr == NULL)
-+ {
-+ chunk.len = 0;
-+ }
- return chunk;
- }
diff --git a/strongswan_addr_in_subnet.dif b/strongswan_addr_in_subnet.dif
deleted file mode 100644
index a282b36..0000000
--- a/strongswan_addr_in_subnet.dif
+++ /dev/null
@@ -1,43 +0,0 @@
---- src/charon/kernel/kernel_interface.c
-+++ src/charon/kernel/kernel_interface.c 2008/10/14 14:10:13
-@@ -1643,26 +1643,29 @@ static status_t manage_rule(private_kern
- */
- static bool addr_in_subnet(chunk_t addr, chunk_t net, int net_len)
- {
-- int bit, byte;
-+ static const u_char mask[] = { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
-+ int byte = 0;
-
-- if (addr.len != net.len)
-+ if (addr.len != net.len || net_len > 8 * net.len )
- {
- return FALSE;
- }
-- /* scan through all bits, beginning in the front */
-- for (byte = 0; byte < addr.len; byte++)
-+
-+ /* scan through all bytes in network order */
-+ while (net_len > 0)
- {
-- for (bit = 7; bit >= 0; bit--)
-+ if (net_len < 8)
- {
-- /* check if bits are equal (or we reached the end of the net) */
-- if (bit + byte * 8 > net_len)
-- {
-- return TRUE;
-- }
-- if (((1<