1
0
forked from pool/strongswan
Commit Graph

153 Commits

Author SHA256 Message Date
Dominique Leuenberger
2e1fd31c95 Accepting request 831324 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/831324
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=75
2020-09-05 21:57:31 +00:00
f54d9f5083 Accepting request 831323 from home:monosoul:branches:network:vpn
Disable bypass-lan strongswan plugin by default, so update to the new version would not change existing strongswan behavior

OBS-URL: https://build.opensuse.org/request/show/831323
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=125
2020-09-01 22:39:10 +00:00
b9f4a82f2e - Enable bypass-lan strongswan plugin
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=124
2020-09-01 16:31:18 +00:00
3babeff858 Accepting request 831234 from home:monosoul:branches:network:vpn
Enable bypass-lan strongswan plugin 
https://wiki.strongswan.org/projects/strongswan/wiki/Bypass-lan

OBS-URL: https://build.opensuse.org/request/show/831234
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=123
2020-09-01 15:38:16 +00:00
Dominique Leuenberger
b280c57b1d Accepting request 800175 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/800175
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=74
2020-05-07 13:05:48 +00:00
29d549ad98 Accepting request 800173 from home:iznogood:branches:network:vpn
- Update to version 5.8.4:
  * In IKEv1 Quick Mode make sure that a proposal exists before
    determining lifetimes (fixes a crash due to a null-pointer
    dereference in 5.8.3).
  * OpenSSL currently doesn't support squeezing bytes out of a
    SHAKE128/256 XOF (support was added with 5.8.3) multiple times.
    Unfortunately, EVP_DigestFinalXOF() completely resets the
    context and later calls not simply fail, they cause a
    null-pointer dereference in libcrypto. c5c1898d73 fixes the
    crash at the cost of repeating initializing the whole state and
    allocating too much data for subsequent calls (hopefully, once
    the OpenSSL issue 7894 is resolved we can implement this more
    efficiently).
  * On 32-bit platforms, reading arbitrary 32-bit integers from
    config files (e.g. for charon.spi_min/max) has been fixed.
  * charon-nm now allows using fixed source ports.
- Changes from version 5.8.3:
  * Updates for the NM plugin (and backend, which has to be updated
    to be compatible):
    + EAP-TLS authentication (#2097)
    + Certificate source (file, agent, smartcard) is selectable
      independently
    + Add support to configure local and remote identities (#2581)
    + Support configuring a custom server port (#625)
    + Show hint regarding password storage policy
    + Replaced the term "gateway" with "server"
    + Fixes build issues due to use of deprecated GLib
      macros/functions
    + Updated Glade file to GTK 3.2
  * The NM backend now supports reauthentication and redirection.
  * Previously used reqids are now reallocated, which works around
    an issue on FreeBSD where the kernel doesn't allow the daemon
    to use reqids > 16383 (#2315).
  * On Linux, throw type routes are installed in table 220 for
    passthrough policies. The kernel will then fall back on routes
    in routing tables with lower priorities for matching traffic.
    This way, they require less information (e.g. no interface or
    source IP) and can be installed earlier and are not affected by
    updates.
  * For IKEv1, the lifetimes of the actually selected transform are
    returned to the initiator, which is an issue if the peer uses
    different lifetimes for different transforms (#3329). We now
    also return the correct transform and proposal IDs (proposal ID
    was always 0, transform ID 1). IKE_SAs are now not
    re-established anymore (e.g. after several retransmits) if a
    deletion has been queued (#3335).
  * Added support for Ed448 keys and certificates via openssl
    plugin and pki tool.
  * Added support for SHA-3 and SHAKE128/256 in the openssl plugin.
  * The use of algorithm IDs from the private use range can now be
    enabled globally, to use them even if no strongSwan vendor ID
    was exchanged (05e373aeb0).
  * Fixed a compiler issue that may have caused invalid keyUsage
    extensions in certificates (#3249).
  * A lot of spelling fixes.
  * Fixed several reported issues.
- Drop 0006-Resolve-multiple-definition-of-swanctl_dir.patch: Fixed
  upstream.

OBS-URL: https://build.opensuse.org/request/show/800173
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=122
2020-05-04 22:37:00 +00:00
Dominique Leuenberger
e87376d36d Accepting request 790269 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/790269
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=73
2020-04-02 15:42:30 +00:00
8b73a0ccc0 Accepting request 790268 from home:mmnelemane:branches:network:vpn
Fix for multiple definitions of swanctl_dir (bsc#1164493)

OBS-URL: https://build.opensuse.org/request/show/790268
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=121
2020-03-31 16:48:51 +00:00
Dominique Leuenberger
e110a9611f Accepting request 775000 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/775000
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=72
2020-02-22 17:59:49 +00:00
faa4319798 Accepting request 774999 from home:ojkastl_buildservice:branches:network:vpn
move file %{_datadir}/dbus-1/system.d/nm-strongswan-service.conf to strongswan-nm subpackage, as it is needed for the NetworkManager plugin that uses strongswan-nm, not strongswan-ipsec (upstream issue https://wiki.strongswan.org/issues/3339)

OBS-URL: https://build.opensuse.org/request/show/774999
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=120
2020-02-17 20:41:20 +00:00
Dominique Leuenberger
12fdfc6265 Accepting request 769616 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/769616
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=71
2020-02-06 12:18:28 +00:00
2811ed33c6 Accepting request 768830 from home:iznogood:branches:network:vpn
- Drop upstream fixed patches:
  * strongswan_modprobe_syslog.patch
  * strongswan_fipsfilter.patch
  * 0006-fix-compilation-error-by-adding-stdint.h.patch

OBS-URL: https://build.opensuse.org/request/show/768830
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=119
2020-02-03 14:33:45 +00:00
Madhu Mohan Nelemane
152d7b558c osc copypac from project:openSUSE:Factory package:strongswan revision:70
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=118
2020-01-30 15:50:32 +00:00
Madhu Mohan Nelemane
b84f3a369a osc copypac from project:openSUSE:Leap:15.2 package:strongswan revision:16
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=117
2020-01-30 09:34:36 +00:00
Dominique Leuenberger
f840ebb27d Accepting request 767305 from network:vpn
- Update to version 5.8.2:
  * Fix CVE-2018-17540, CVE-2018-16151 and CVE-2018-16152.
  * boo#1109845 and boo#1107874.

OBS-URL: https://build.opensuse.org/request/show/767305
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=70
2020-01-29 12:10:50 +00:00
f51dbccc77 Add note about service name change
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=115
2020-01-26 09:22:43 +00:00
509c30e68d Accepting request 761676 from home:iznogood:branches:network:vpn
- Update to version 5.8.2:
  * Fix CVE-2018-17540, CVE-2018-16151 and CVE-2018-16152.
  * boo#1109845 and boo#1107874.
- Please check included NEWS file for info on what other changes
  that have been done in versions 5.8.2, 5.8.1 5.8.0, 5.7.2, 5.7.1
  and 5.7.0.
- Rebase strongswan_ipsec_service.patch.
- Disable patches that need rebase or dropping:
  * strongswan_modprobe_syslog.patch
  * 0006-fix-compilation-error-by-adding-stdint.h.patch
- Add conditional pkgconfig(libsystemd) BuildRequires: New
  dependency.

OBS-URL: https://build.opensuse.org/request/show/761676
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=114
2020-01-26 08:50:51 +00:00
Dominique Leuenberger
a348ee0611 Accepting request 624096 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/624096
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=69
2018-07-21 08:25:06 +00:00
Madhu Mohan Nelemane
876d8e4544 Accepting request 614748 from home:iznogood:branches:network:vpn
New stable rel, fix CVS's

OBS-URL: https://build.opensuse.org/request/show/614748
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=112
2018-07-19 15:17:25 +00:00
Dominique Leuenberger
d48e33c256 Accepting request 613646 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/613646
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=68
2018-06-08 21:13:27 +00:00
Madhu Mohan Nelemane
6fe1f53373 Accepting request 597862 from GNOME:Next
New upstream release.

OBS-URL: https://build.opensuse.org/request/show/597862
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=110
2018-06-02 09:22:27 +00:00
Dominique Leuenberger
ea65466835 Accepting request 590079 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/590079
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=67
2018-03-24 15:15:16 +00:00
Madhu Mohan Nelemane
1857167427 Accepting request 587821 from home:mmnelemane:branches:network:vpn
Removed unused requires and macro calls(bsc#1083261)

OBS-URL: https://build.opensuse.org/request/show/587821
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=108
2018-03-22 11:11:56 +00:00
Dominique Leuenberger
adcc79ae6b Accepting request 573411 from network:vpn
- Update summaries and descriptions. Trim filler words and
  author list.
- Drop %if..%endif guards that are idempotent and do not affect
  the build result.
- Replace old $RPM_ shell variables. (forwarded request 534431 from jengelh)

OBS-URL: https://build.opensuse.org/request/show/573411
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=66
2018-02-07 17:41:10 +00:00
Dominique Leuenberger
4ee9977c46 Accepting request 534431 from home:jengelh:branches:network:vpn
- Update summaries and descriptions. Trim filler words and
  author list.
- Drop %if..%endif guards that are idempotent and do not affect
  the build result.
- Replace old $RPM_ shell variables.

OBS-URL: https://build.opensuse.org/request/show/534431
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=106
2018-02-06 17:07:40 +00:00
Dominique Leuenberger
a848a3d65d Accepting request 521289 from network:vpn
1

OBS-URL: https://build.opensuse.org/request/show/521289
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=65
2017-09-07 20:15:13 +00:00
Nirmoy Das
062c69a06d Accepting request 521273 from home:ndas:branches:network:vpn
- Updated to strongSwan 5.6.0 providing the following changes:
    *Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation
    when verifying RSA signatures, which requires decryption with the operation m^e mod n,
    where m is the signature, and e and n are the exponent and modulus of the public key.
    The value m is an integer between 0 and n-1, however, the gmp plugin did not verify this.
    So if m equals n the calculation results in 0, in which case mpz_export() returns NULL.
    This result wasn't handled properly causing a null-pointer dereference.
    This vulnerability has been registered as CVE-2017-11185. (bsc#1051222)
    *New SWIMA IMC/IMV pair implements the draft-ietf-sacm-nea-swima-patnc Internet
    Draft and has been demonstrated at the IETF 99 Prague Hackathon.
    *The IMV database template has been adapted to achieve full compliance with the
    ISO 19770-2:2015 SWID tag standard.
    *The pt-tls-client can attach and use TPM 2.0 protected private keys via the --keyid parameter.
    *By default the /etc/swanctl/conf.d directory is created and *.conf files in it are included in the default
    swanctl.conf file.
    
    *The curl plugin now follows HTTP redirects (configurable via strongswan.conf).
    *The CHILD_SA rekeying was fixed in charon-tkm and the behavior is refined a bit more since 5.5.3
    *libtpmtss supports Intel's TSS2 Architecture Broker and Resource Manager interface (tcti-tabrmd).
    * more on https://wiki.strongswan.org/versions/66

OBS-URL: https://build.opensuse.org/request/show/521273
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=104
2017-09-05 15:38:01 +00:00
Nirmoy Das
e17322a559 Accepting request 521079 from home:ndas:branches:network:vpn
- Updated to strongSwan 5.3.5(bsc#1050691) providing the following changes:

OBS-URL: https://build.opensuse.org/request/show/521079
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=103
2017-09-05 10:08:54 +00:00
Nirmoy Das
5ffb8e04a6 Accepting request 521071 from home:ndas:branches:network:vpn
- fix "uintptr_t’ undeclared" compilation error.
  [+0006-fix-compilation-error-by-adding-stdint.h.patch]

OBS-URL: https://build.opensuse.org/request/show/521071
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=102
2017-09-05 09:57:57 +00:00
Dominique Leuenberger
ce390f0920 Accepting request 514549 from network:vpn
1

OBS-URL: https://build.opensuse.org/request/show/514549
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=64
2017-08-24 16:45:53 +00:00
Nirmoy Das
339326d8bc Accepting request 514548 from home:ndas:branches:network:vpn
OBS-URL: https://build.opensuse.org/request/show/514548
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=100
2017-08-04 11:47:37 +00:00
Nirmoy Das
8cfc35877a Accepting request 513652 from home:ndas:branches:network:vpn
- Updated to strongSwan 5.3.5 providing the following changes:
    *Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input
    validation when verifying RSA signatures. More specifically, mpz_powm_sec() has two
    requirements regarding the passed exponent and modulus that the plugin did not
    enforce, if these are not met the calculation will result in a floating point exception
    that crashes the whole process.
    This vulnerability has been registered as CVE-2017-9022.
    Please refer to our blog for details.
    *Fixed a DoS vulnerability in the x509 plugin that was caused because the ASN.1 parser
    didn't handle ASN.1 CHOICE types properly, which could result in an infinite loop when
    parsing X.509 extensions that use such types.
    This vulnerability has been registered as CVE-2017-9023.
    Please refer to our blog for details.
    *The behavior during IKEv2 CHILD_SA rekeying has been changed in order to avoid
    traffic loss. When responding to a CREATE_CHILD_SA request to rekey a CHILD_SA
    the responder already has everything available to install and use the new CHILD_SA.
    However, this could lead to lost traffic as the initiator won't be able to process
    inbound packets until it processed the CREATE_CHILD_SA response and updated the
    inbound SA. To avoid this the responder now only installs the new inbound SA and
    delays installing the outbound SA until it receives the DELETE for the replaced CHILD_SA.
    *The messages transporting these DELETEs could reach the peer before packets sent
    with the deleted outbound SAs reach it. To reduce the chance of traffic loss due
    to this the inbound SA of the replaced CHILD_SA is not removed for a configurable
    amount of seconds (charon.delete_rekeyed_delay) after the DELETE has been processed.
    *The code base has been ported to Apple's ARM64 iOS platform, which required several
    changes regarding the use of variadic functions. This was necessary because the calling
    conventions for variadic and regular functions are different there.
    This means that assigning a non-variadic function to a variadic function pointer, as we
    did with our enumerator_t::enumerate() implementations and several callbacks, will
    result in crashes as the called function accesses the arguments differently than the

OBS-URL: https://build.opensuse.org/request/show/513652
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=99
2017-08-01 07:21:05 +00:00
Dominique Leuenberger
253288c928 Accepting request 442527 from network:vpn
1

OBS-URL: https://build.opensuse.org/request/show/442527
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=63
2016-11-29 11:50:28 +00:00
d3507c65d4 Accepting request 406438 from home:dkosovic:branches:network:vpn
NetowrkManager-l2tp-1.0.4 is broken with strongswan-5.2.2. The 'ipsec up {connection-name}' command never connects and goes into an infinite loop of failing and trying to re-connect.

NetowrkManager-l2tp works fine with earlier and later versions of strongswan, just not with strongswan-5.2.2.

OBS-URL: https://build.opensuse.org/request/show/406438
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=97
2016-11-29 08:32:29 +00:00
Dominique Leuenberger
f3a0b7cca7 Accepting request 344762 from network:vpn
- Applied upstream fix for a authentication bypass vulnerability
  in the eap-mschapv2 plugin (CVE-2015-8023,bsc#953817).
  [+ 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch]

OBS-URL: https://build.opensuse.org/request/show/344762
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=62
2015-11-17 13:23:11 +00:00
406171b31d - Applied upstream fix for a authentication bypass vulnerability
in the eap-mschapv2 plugin (CVE-2015-8023,bsc#953817).
  [+ 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=95
2015-11-16 15:23:01 +00:00
Dominique Leuenberger
ba2bed6a95 Accepting request 311158 from network:vpn
- Applied upstream fix for a rogue servers vulnerability, that may
  enable rogue servers able to authenticate itself with certificate
  issued by any CA the client trusts, to gain user credentials from
  a client in certain IKEv2 setups (bsc#933591,CVE-2015-4171).
  [+ 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch]
- Fix to apply unknown_payload patch if fips is disabled (<= 13.1)
  and renamed it to use number prefix corresponding with patch nr.
  [- strongswan-5.2.2-5.3.0_unknown_payload.patch,
   + 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch]

OBS-URL: https://build.opensuse.org/request/show/311158
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=61
2015-06-09 06:49:35 +00:00
cfde0c0ea7 - Applied upstream fix for a rogue servers vulnerability, that may
enable rogue servers able to authenticate itself with certificate
  issued by any CA the client trusts, to gain user credentials from
  a client in certain IKEv2 setups (bsc#933591,CVE-2015-4171).
  [+ 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch]
- Fix to apply unknown_payload patch if fips is disabled (<= 13.1)
  and renamed it to use number prefix corresponding with patch nr.
  [- strongswan-5.2.2-5.3.0_unknown_payload.patch,
   + 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=93
2015-06-08 13:41:42 +00:00
Dominique Leuenberger
a596ccdfc9 Accepting request 309675 from network:vpn
- Applied upstream fix for a DoS and potential remote code execution
  vulnerability through payload type (bsc#931272,CVE-2015-3991)
  [+ strongswan-5.2.2-5.3.0_unknown_payload.patch]

OBS-URL: https://build.opensuse.org/request/show/309675
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=60
2015-06-02 08:12:05 +00:00
76b52dda20 added references to patch file
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=91
2015-06-01 16:28:51 +00:00
288621ec30 - Applied upstream fix for a DoS and potential remote code execution
vulnerability through payload type (bsc#931272,CVE-2015-3991)
  [+ strongswan-5.2.2-5.3.0_unknown_payload.patch]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=90
2015-06-01 16:25:25 +00:00
4a7fa03a80 - reverted last commit, not needed here
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=89
2015-03-09 09:28:29 +00:00
b401bc1d51 - Applied a fix by Marcus Meissner for a loop check in ipsec pki
causing a segfault on attempt to create certificates when fips
  is enabled (bsc#918474,https://wiki.strongswan.org/issues/881)
  [+ 0006-strongswan-pkifix.918474.patch]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=88
2015-03-09 09:02:18 +00:00
Dominique Leuenberger
d688e99dd5 Accepting request 287701 from network:vpn
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/287701
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=59
2015-02-27 09:59:38 +00:00
8a2afb449d removed obsolete patch files [deletion noted in changelog already]
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=86
2015-02-18 12:24:33 +00:00
055879bc1c - Updated to strongSwan 5.2.2 providing the following changes:
Changes in version 5.2.2:
  * Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange
    payload that contains the Diffie-Hellman group 1025. This identifier was
    used internally for DH groups with custom generator and prime. Because
    these arguments are missing when creating DH objects based on the KE
    payload an invalid pointer dereference occurred.  This allowed an attacker
    to crash the IKE daemon with a single IKE_SA_INIT message containing such
    a KE payload. The vulnerability has been registered as CVE-2014-9221.
  * The left/rightid options in ipsec.conf, or any other identity in
    strongSwan, now accept prefixes to enforce an explicit type, such as
    email: or fqdn:. Note that no conversion is done for the remaining string,
    refer to ipsec.conf(5) for details.
  * The post-quantum Bimodal Lattice Signature Scheme (BLISS) can be used as
    an IKEv2 public key authentication method. The pki tool offers full
    support for the generation of BLISS key pairs and certificates.
  * Fixed mapping of integrity algorithms negotiated for AH via IKEv1.
    This could cause interoperability issues when connecting to older versions
    of charon.
  Changes in version 5.2.1:
  * The new charon-systemd IKE daemon implements an IKE daemon tailored for
    use with systemd. It avoids the dependency on ipsec starter and uses
    swanctl as configuration backend, building a simple and lightweight
    solution. It supports native systemd journal logging.
  * Support for IKEv2 fragmentation as per RFC 7383 has been added. Like IKEv1
    fragmentation it can be enabled by setting fragmentation=yes in ipsec.conf.
  * Support of the TCG TNC IF-M Attribute Segmentation specification proposal.
    All attributes can be segmented. Additionally TCG/SWID Tag, TCG/SWID Tag ID
    and IETF/Installed Packages attributes can be processed incrementally on a
    per segment basis.

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=85
2015-01-05 14:41:37 +00:00
fadffa6d60 - Disallow brainpool elliptic curve groups in fips mode (bnc#856322).
[* strongswan_fipsfilter.patch]

- Applied an upstream fix for a denial-of-service vulnerability,
  which can be triggered by an IKEv2 Key Exchange payload, that
  contains the Diffie-Hellman group 1025 (bsc#910491,CVE-2014-9221).
  [+ 0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch]
- Adjusted whilelist of approved algorithms in fips mode (bsc#856322).
  [* strongswan_fipsfilter.patch]
- Renamed patch file to match it's patch number:
  [- 0001-restore-registration-algorithm-order.bug897512.patch,
   + 0005-restore-registration-algorithm-order.bug897512.patch]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=84
2015-01-05 13:04:19 +00:00
Dominique Leuenberger
1902611f9f Accepting request 262968 from network:vpn
- Updated strongswan-hmac package description (bsc#856322).

- Disabled explicit gpg validation; osc source_validator does it.
- Guarded fipscheck and hmac package in the spec file for >13.1.

- Added generation of fips hmac hash files using fipshmac utility
  and a _fipscheck script to verify binaries/libraries/plugings
  shipped in the strongswan-hmac package.
  With enabled fips in the kernel, the ipsec script will call it
  before any action or in a enforced/manual "ipsec _fipscheck" call.
  Added config file to load openssl and kernel af-alg plugins, but
  not all the other modules which provide further/alternative algs.
  Applied a filter disallowing non-approved algorithms in fips mode.
  (fate#316931,bnc#856322).
  [+ strongswan_fipscheck.patch, strongswan_fipsfilter.patch]
- Fixed file list in the optional (disabled) strongswan-test package.
- Fixed build of the strongswan built-in integrity checksum library
  and enabled building it only on architectures tested to work.
- Fix to use bug number 897048 instead 856322 in last changes entry.
- Applied an upstream patch reverting to store algorithms in the
  registration order again as ordering them by identifier caused
  weaker algorithms to be proposed first by default (bsc#897512).
  [+0001-restore-registration-algorithm-order.bug897512.patch]

- Re-enabled gcrypt plugin and reverted to not enforce fips again
  as this breaks gcrypt and openssl plugins when the fips pattern
  option is not installed (fate#316931,bnc#856322).
  [- strongswan-fips-disablegcrypt.patch]
- Added empty strongswan-hmac package supposed to provide fips hmac
  files and enforce fips compliant operation later (bnc#856322).

OBS-URL: https://build.opensuse.org/request/show/262968
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=58
2014-11-26 09:33:53 +00:00
820c7f86b7 [- strongswan-fips-disablegcrypt.patch]
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=82
2014-11-25 11:29:20 +00:00
e05aebd3de - Updated strongswan-hmac package description (bsc#856322).
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=81
2014-11-25 11:25:10 +00:00