1
0
forked from pool/strongswan
Commit Graph

112 Commits

Author SHA256 Message Date
47ab1ca770 rename -hmac subpackage to -fips 2024-11-26 12:56:30 +02:00
233d1d3c87 - Update description of ipsec package: no longer mention
/etc/init.d, which is not there for a long time anymore.
- Drop legacy rc* -> sbin/service symlink. This was compatibilty
  boilerplate to transparently move between SySV and systemd
  [jsc#PED-264].

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=163
2024-06-20 17:00:41 +00:00
f66e3493f1 - Update to release 5.9.14
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=161
2024-03-19 15:09:14 +00:00
Mohd Saquib
a9e9a1d03f Accepting request 1151555 from home:dimstar:rpm4.20:s
Prepare for RPM 4.20

OBS-URL: https://build.opensuse.org/request/show/1151555
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=159
2024-02-26 14:21:48 +00:00
83fb9474bf - Update to release 5.9.13
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=157
2023-12-01 10:34:18 +00:00
f19225222f - Update to release 5.9.12
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=155
2023-11-20 13:44:45 +00:00
Mohd Saquib
26fbd0f033 Accepting request 1094809 from home:msaquib:branches:network:vpn
- Removed .hmac files + hmac integrity check logic from strongswan-hmac
  package as it is not mandated anymore by FIPS (boo#1185116)
- Removed folliwng files:
  [- strongswan_fipscheck.patch]
  [- fipscheck.sh.in]
  Note: strongswan-hmac package is not removed as it still provides a
  config file that doesn't allow non-fips approved algorithms

OBS-URL: https://build.opensuse.org/request/show/1094809
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=153
2023-06-23 09:01:07 +00:00
a937e6040b OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=150 2023-06-12 15:55:07 +00:00
Mohd Saquib
73a1c9e320 Accepting request 1092621 from home:msaquib:branches:network:vpn
- Update to release 5.9.11
  * A long-standing deadlock in the vici plugin has been fixed that
    could get triggered when multiple connections were
    initiated/terminated concurrently and control-log events were
    raised by the watcher_t component (#566). 
  * In compliance with RFC 5280, CRLs now have to be signed by a
    certificate that either encodes the cRLSign keyUsage bit
    (even if it is a CA certificate), or is a CA certificate without
    a keyUsage extension. strongSwan encodes a keyUsage extension
    with cRLSign bit set in all CA certificates since 13 years. And
    before that it didn't encode the extension, so these certificates
    would also be accepted as CRL issuer in case they are still valid
    (7dc82de).
  * Support for optional CA labels in EST server URIs
    (e.g. https://www.example.org/.well-known/est/arbitraryLabel1/<operation>)
    was added to the pki --est and pki --estca commands (#1614).
  * The pkcs7 and openssl plugins now support CMS-style signatures in
    PKCS#7 containers, which allows verifying RSA-PSS and ECDSA
    signatures (#1615).
  * Fixed a regression in the server implementation of EAP-TLS when
    using TLS 1.2 or earlier that was introduced with 5.9.10
    (#1613, 3d0d3f5).
  * The EAP-TLS client does now enforce that the TLS handshake is
    complete when using TLS 1.2 or earlier. It was possible to
    shortcut it by sending an early EAP-Success message. Note that
    this isn't a security issue as the server is authenticated at
    that point (db87087).
  * On Linux, the kernel-libipsec plugin can now optionally handle
    ESP packets without UDP encapsulation (uses RAW sockets, disabled
    by default, e3cb756). The plugin and libipsec also gained support

OBS-URL: https://build.opensuse.org/request/show/1092621
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=149
2023-06-12 15:41:55 +00:00
Mohd Saquib
8148349f08 Accepting request 1077377 from home:msaquib:branches:network:vpn
- Allow to use stroke aka ipsec interface by default instead of
  vici aka swanctl interface which is current upstream's default.
  strongswan.service which enables swanctl interface is masked to
  stop interfering with the ipsec interface (bsc#1184144)
- Removes deprecated SysV support

OBS-URL: https://build.opensuse.org/request/show/1077377
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=147
2023-04-05 00:16:41 +00:00
016cf7b1e8 - Update to release 5.9.10
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=144
2023-03-02 13:42:24 +00:00
Mohd Saquib
fe861579d5 Accepting request 1068689 from home:msaquib:branches:network:vpn
- Fixed a vulnerability in incorrectly accepted untrusted public key
  with incorrect refcount (CVE-2023-26463 boo#1208608).

OBS-URL: https://build.opensuse.org/request/show/1068689
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=142
2023-03-02 12:45:07 +00:00
3ce027ac91 - Update to release 5.9.9
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=140
2023-01-03 13:25:43 +00:00
b632de741c - Update to release 5.9.8
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=138
2022-10-03 23:19:08 +00:00
abbd490880 Accepting request 991798 from home:p_conrad:branches
This resolves one issue in particular that caused failures in Tumbleweed, see https://forums.opensuse.org/showthread.php/569960-Latest-strongswan-ipsec-crashes-on-startup .

- Update to release 5.9.7
  * The IKEv2 key derivation is now delayed until the keys are actually needed to process or send the next message.
  * Inbound IKEv2 messages, in particular requests, are now processed differently.
  * The retransmission logic in the dhcp plugin has been fixed (#1154).
  * The connmark plugin now considers configured masks in installed firewall rules (#1087).
  * Child config selection has been fixed as responder in cases where multiple children use transport mode traffic selectors (#1143).
  * The outbound SA/policy is now also removed after IKEv1 CHILD_SA rekeyings (#1041).
  * The openssl plugin supports AES and Camellia in CTR mode (112bb46).
  * The AES-XCBC/CMAC PRFs are demoted in the default proposal (after HMAC-based PRFs) since they were never widely adopted
  * The kdf plugin is now automatically enabled if any of the aesni, cmac or xcbc plugins are enabled, or if none of the plugins that directly provide HMAC-based KDFs are enabled (botan, openssl or wolfssl).
  * The CALLBACK macros (and some other issues) have been fixed when compiling with GCC 12 (#1053).

OBS-URL: https://build.opensuse.org/request/show/991798
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=136
2022-07-30 09:43:14 +00:00
0bed40c9cb - Update to release 5.9.6
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=135
2022-04-30 08:43:01 +00:00
00a00a6acf Accepting request 960489 from home:msmeissn:branches:network:vpn
- Added prf-plus-modularization.patch that outsources the IKE 
  key derivation to openssl. (will be merged to 5.9.6)
- package the kdf config, template and plugin

OBS-URL: https://build.opensuse.org/request/show/960489
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=133
2022-03-09 18:30:05 +00:00
08b9de7ac5 Accepting request 950382 from home:msmeissn:branches:network:vpn
add more references for later sle import

OBS-URL: https://build.opensuse.org/request/show/950382
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=132
2022-02-01 11:40:00 +00:00
61572aaddb - Update to release 5.9.5
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=131
2022-01-26 12:33:44 +00:00
0e5610efdc Accepting request 933481 from home:jsegitz:branches:systemdhardening:network:vpn
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/933481
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=129
2021-11-27 14:21:41 +00:00
9d37f89cf7 Accepting request 933151 from home:iznogood:branches:network:vpn
- Update to version 5.9.4:
  * Fixed a denial-of-service vulnerability in the gmp plugin that
    was caused by an integer overflow when processing RSASSA-PSS
    signatures with very large salt lengths. This vulnerability has
    been registered as CVE-2021-41990. Please refer to our blog for
    details.
  * Fixed a denial-of-service vulnerability in the in-memory
    certificate cache if certificates are replaced and a very large
    random value caused an integer overflow. This vulnerability has
    been registered as CVE-2021-41991. Please refer to our blog for
    details.
  * Fixed a related flaw that caused the daemon to accept and cache
    an infinite number of versions of a valid certificate by
    modifying the parameters in the signatureAlgorithm field of the
    outer X.509 Certificate structure.
  * AUTH_LIFETIME notifies are now only sent by a responder if it
    can't reauthenticate the IKE_SA itself due to asymmetric
    authentication (i.e. EAP) or the use of virtual IPs.
  * Several corner cases with reauthentication have been fixed
    (48fbe1d, 36161fe, 0d373e2).
  * Serial number generation in several pki sub-commands has been
    fixed so they don't start with an unintended zero byte.
  * Loading SSH public keys via vici has been improved.
  * Shared secrets, PEM files, vici messages, PF_KEY messages,
    swanctl configs and other data is properly wiped from memory.
  * Use a longer dummy key to initialize HMAC instances in the
    openssl plugin in case it's used in FIPS-mode.
  * The --enable-tpm option now implies --enable-tss-tss2 as the
    plugin doesn't do anything without a TSS 2.0.
  * libtpmtss is initialized in all programs and libraries that use
    it.
  * Migrated testing scripts to Python 3.

OBS-URL: https://build.opensuse.org/request/show/933151
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=128
2021-11-22 20:53:44 +00:00
22be53cdf9 Accepting request 921885 from home:iznogood:branches:network:vpn
- Update to version 5.9.3:
  * Added AES-ECB, SHA-3 and SHAKE-256 support to the wolfssl
    plugin.
  * Added AES-CCM support to the openssl plugin (#353).
  * The x509 and the openssl plugins now consider the
    authorityKeyIdentifier, if available, before verifying
    signatures, which avoids unnecessary signature verifications
    after a CA key rollover if both CA certificates are loaded.
    The openssl plugin now does the same also for CRLs (the x509
    plugin already did).
  * The pkcs11 plugin better handles optional attributes like
    CKA_TRUSTED, which previously depended on a version check.
  * The NetworkManager backend (charon-nm) now supports using SANs
    as client identities, not only full DNs (#437).
  * charon-tkm now handles IKE encryption.
  * Send a MOBIKE update again if a a change in the NAT mappings is
    detected but the endpoints stay the same (e143a7d).
  * A deadlock in the HA plugin introduced with 5.9.2 has been
    fixed (#456).
  * DSCP values are now also set for NAT keepalives.
  * The ike_derived_keys() hook now receives more keys but in a
    different order (4e29d6f).
  * Converted most of the test case scenarios to the vici
    interface.
- Replace libsoup-devel with pkgconfig(libsoup-2.4) BuildRequires,
  as this is what really checks for. Needed as libsoup-3.0 is
  released.

OBS-URL: https://build.opensuse.org/request/show/921885
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=127
2021-09-28 09:20:42 +00:00
2a35cd6ca5 - Update to release 5.9.0
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=126
2020-09-07 08:40:36 +00:00
f54d9f5083 Accepting request 831323 from home:monosoul:branches:network:vpn
Disable bypass-lan strongswan plugin by default, so update to the new version would not change existing strongswan behavior

OBS-URL: https://build.opensuse.org/request/show/831323
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=125
2020-09-01 22:39:10 +00:00
3babeff858 Accepting request 831234 from home:monosoul:branches:network:vpn
Enable bypass-lan strongswan plugin 
https://wiki.strongswan.org/projects/strongswan/wiki/Bypass-lan

OBS-URL: https://build.opensuse.org/request/show/831234
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=123
2020-09-01 15:38:16 +00:00
29d549ad98 Accepting request 800173 from home:iznogood:branches:network:vpn
- Update to version 5.8.4:
  * In IKEv1 Quick Mode make sure that a proposal exists before
    determining lifetimes (fixes a crash due to a null-pointer
    dereference in 5.8.3).
  * OpenSSL currently doesn't support squeezing bytes out of a
    SHAKE128/256 XOF (support was added with 5.8.3) multiple times.
    Unfortunately, EVP_DigestFinalXOF() completely resets the
    context and later calls not simply fail, they cause a
    null-pointer dereference in libcrypto. c5c1898d73 fixes the
    crash at the cost of repeating initializing the whole state and
    allocating too much data for subsequent calls (hopefully, once
    the OpenSSL issue 7894 is resolved we can implement this more
    efficiently).
  * On 32-bit platforms, reading arbitrary 32-bit integers from
    config files (e.g. for charon.spi_min/max) has been fixed.
  * charon-nm now allows using fixed source ports.
- Changes from version 5.8.3:
  * Updates for the NM plugin (and backend, which has to be updated
    to be compatible):
    + EAP-TLS authentication (#2097)
    + Certificate source (file, agent, smartcard) is selectable
      independently
    + Add support to configure local and remote identities (#2581)
    + Support configuring a custom server port (#625)
    + Show hint regarding password storage policy
    + Replaced the term "gateway" with "server"
    + Fixes build issues due to use of deprecated GLib
      macros/functions
    + Updated Glade file to GTK 3.2
  * The NM backend now supports reauthentication and redirection.
  * Previously used reqids are now reallocated, which works around
    an issue on FreeBSD where the kernel doesn't allow the daemon
    to use reqids > 16383 (#2315).
  * On Linux, throw type routes are installed in table 220 for
    passthrough policies. The kernel will then fall back on routes
    in routing tables with lower priorities for matching traffic.
    This way, they require less information (e.g. no interface or
    source IP) and can be installed earlier and are not affected by
    updates.
  * For IKEv1, the lifetimes of the actually selected transform are
    returned to the initiator, which is an issue if the peer uses
    different lifetimes for different transforms (#3329). We now
    also return the correct transform and proposal IDs (proposal ID
    was always 0, transform ID 1). IKE_SAs are now not
    re-established anymore (e.g. after several retransmits) if a
    deletion has been queued (#3335).
  * Added support for Ed448 keys and certificates via openssl
    plugin and pki tool.
  * Added support for SHA-3 and SHAKE128/256 in the openssl plugin.
  * The use of algorithm IDs from the private use range can now be
    enabled globally, to use them even if no strongSwan vendor ID
    was exchanged (05e373aeb0).
  * Fixed a compiler issue that may have caused invalid keyUsage
    extensions in certificates (#3249).
  * A lot of spelling fixes.
  * Fixed several reported issues.
- Drop 0006-Resolve-multiple-definition-of-swanctl_dir.patch: Fixed
  upstream.

OBS-URL: https://build.opensuse.org/request/show/800173
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=122
2020-05-04 22:37:00 +00:00
8b73a0ccc0 Accepting request 790268 from home:mmnelemane:branches:network:vpn
Fix for multiple definitions of swanctl_dir (bsc#1164493)

OBS-URL: https://build.opensuse.org/request/show/790268
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=121
2020-03-31 16:48:51 +00:00
faa4319798 Accepting request 774999 from home:ojkastl_buildservice:branches:network:vpn
move file %{_datadir}/dbus-1/system.d/nm-strongswan-service.conf to strongswan-nm subpackage, as it is needed for the NetworkManager plugin that uses strongswan-nm, not strongswan-ipsec (upstream issue https://wiki.strongswan.org/issues/3339)

OBS-URL: https://build.opensuse.org/request/show/774999
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=120
2020-02-17 20:41:20 +00:00
2811ed33c6 Accepting request 768830 from home:iznogood:branches:network:vpn
- Drop upstream fixed patches:
  * strongswan_modprobe_syslog.patch
  * strongswan_fipsfilter.patch
  * 0006-fix-compilation-error-by-adding-stdint.h.patch

OBS-URL: https://build.opensuse.org/request/show/768830
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=119
2020-02-03 14:33:45 +00:00
Madhu Mohan Nelemane
152d7b558c osc copypac from project:openSUSE:Factory package:strongswan revision:70
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=118
2020-01-30 15:50:32 +00:00
Madhu Mohan Nelemane
b84f3a369a osc copypac from project:openSUSE:Leap:15.2 package:strongswan revision:16
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=117
2020-01-30 09:34:36 +00:00
f51dbccc77 Add note about service name change
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=115
2020-01-26 09:22:43 +00:00
509c30e68d Accepting request 761676 from home:iznogood:branches:network:vpn
- Update to version 5.8.2:
  * Fix CVE-2018-17540, CVE-2018-16151 and CVE-2018-16152.
  * boo#1109845 and boo#1107874.
- Please check included NEWS file for info on what other changes
  that have been done in versions 5.8.2, 5.8.1 5.8.0, 5.7.2, 5.7.1
  and 5.7.0.
- Rebase strongswan_ipsec_service.patch.
- Disable patches that need rebase or dropping:
  * strongswan_modprobe_syslog.patch
  * 0006-fix-compilation-error-by-adding-stdint.h.patch
- Add conditional pkgconfig(libsystemd) BuildRequires: New
  dependency.

OBS-URL: https://build.opensuse.org/request/show/761676
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=114
2020-01-26 08:50:51 +00:00
Madhu Mohan Nelemane
876d8e4544 Accepting request 614748 from home:iznogood:branches:network:vpn
New stable rel, fix CVS's

OBS-URL: https://build.opensuse.org/request/show/614748
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=112
2018-07-19 15:17:25 +00:00
Madhu Mohan Nelemane
6fe1f53373 Accepting request 597862 from GNOME:Next
New upstream release.

OBS-URL: https://build.opensuse.org/request/show/597862
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=110
2018-06-02 09:22:27 +00:00
Madhu Mohan Nelemane
1857167427 Accepting request 587821 from home:mmnelemane:branches:network:vpn
Removed unused requires and macro calls(bsc#1083261)

OBS-URL: https://build.opensuse.org/request/show/587821
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=108
2018-03-22 11:11:56 +00:00
Dominique Leuenberger
4ee9977c46 Accepting request 534431 from home:jengelh:branches:network:vpn
- Update summaries and descriptions. Trim filler words and
  author list.
- Drop %if..%endif guards that are idempotent and do not affect
  the build result.
- Replace old $RPM_ shell variables.

OBS-URL: https://build.opensuse.org/request/show/534431
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=106
2018-02-06 17:07:40 +00:00
Nirmoy Das
062c69a06d Accepting request 521273 from home:ndas:branches:network:vpn
- Updated to strongSwan 5.6.0 providing the following changes:
    *Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation
    when verifying RSA signatures, which requires decryption with the operation m^e mod n,
    where m is the signature, and e and n are the exponent and modulus of the public key.
    The value m is an integer between 0 and n-1, however, the gmp plugin did not verify this.
    So if m equals n the calculation results in 0, in which case mpz_export() returns NULL.
    This result wasn't handled properly causing a null-pointer dereference.
    This vulnerability has been registered as CVE-2017-11185. (bsc#1051222)
    *New SWIMA IMC/IMV pair implements the draft-ietf-sacm-nea-swima-patnc Internet
    Draft and has been demonstrated at the IETF 99 Prague Hackathon.
    *The IMV database template has been adapted to achieve full compliance with the
    ISO 19770-2:2015 SWID tag standard.
    *The pt-tls-client can attach and use TPM 2.0 protected private keys via the --keyid parameter.
    *By default the /etc/swanctl/conf.d directory is created and *.conf files in it are included in the default
    swanctl.conf file.
    
    *The curl plugin now follows HTTP redirects (configurable via strongswan.conf).
    *The CHILD_SA rekeying was fixed in charon-tkm and the behavior is refined a bit more since 5.5.3
    *libtpmtss supports Intel's TSS2 Architecture Broker and Resource Manager interface (tcti-tabrmd).
    * more on https://wiki.strongswan.org/versions/66

OBS-URL: https://build.opensuse.org/request/show/521273
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=104
2017-09-05 15:38:01 +00:00
Nirmoy Das
5ffb8e04a6 Accepting request 521071 from home:ndas:branches:network:vpn
- fix "uintptr_t’ undeclared" compilation error.
  [+0006-fix-compilation-error-by-adding-stdint.h.patch]

OBS-URL: https://build.opensuse.org/request/show/521071
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=102
2017-09-05 09:57:57 +00:00
Nirmoy Das
339326d8bc Accepting request 514548 from home:ndas:branches:network:vpn
OBS-URL: https://build.opensuse.org/request/show/514548
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=100
2017-08-04 11:47:37 +00:00
Nirmoy Das
8cfc35877a Accepting request 513652 from home:ndas:branches:network:vpn
- Updated to strongSwan 5.3.5 providing the following changes:
    *Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input
    validation when verifying RSA signatures. More specifically, mpz_powm_sec() has two
    requirements regarding the passed exponent and modulus that the plugin did not
    enforce, if these are not met the calculation will result in a floating point exception
    that crashes the whole process.
    This vulnerability has been registered as CVE-2017-9022.
    Please refer to our blog for details.
    *Fixed a DoS vulnerability in the x509 plugin that was caused because the ASN.1 parser
    didn't handle ASN.1 CHOICE types properly, which could result in an infinite loop when
    parsing X.509 extensions that use such types.
    This vulnerability has been registered as CVE-2017-9023.
    Please refer to our blog for details.
    *The behavior during IKEv2 CHILD_SA rekeying has been changed in order to avoid
    traffic loss. When responding to a CREATE_CHILD_SA request to rekey a CHILD_SA
    the responder already has everything available to install and use the new CHILD_SA.
    However, this could lead to lost traffic as the initiator won't be able to process
    inbound packets until it processed the CREATE_CHILD_SA response and updated the
    inbound SA. To avoid this the responder now only installs the new inbound SA and
    delays installing the outbound SA until it receives the DELETE for the replaced CHILD_SA.
    *The messages transporting these DELETEs could reach the peer before packets sent
    with the deleted outbound SAs reach it. To reduce the chance of traffic loss due
    to this the inbound SA of the replaced CHILD_SA is not removed for a configurable
    amount of seconds (charon.delete_rekeyed_delay) after the DELETE has been processed.
    *The code base has been ported to Apple's ARM64 iOS platform, which required several
    changes regarding the use of variadic functions. This was necessary because the calling
    conventions for variadic and regular functions are different there.
    This means that assigning a non-variadic function to a variadic function pointer, as we
    did with our enumerator_t::enumerate() implementations and several callbacks, will
    result in crashes as the called function accesses the arguments differently than the

OBS-URL: https://build.opensuse.org/request/show/513652
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=99
2017-08-01 07:21:05 +00:00
d3507c65d4 Accepting request 406438 from home:dkosovic:branches:network:vpn
NetowrkManager-l2tp-1.0.4 is broken with strongswan-5.2.2. The 'ipsec up {connection-name}' command never connects and goes into an infinite loop of failing and trying to re-connect.

NetowrkManager-l2tp works fine with earlier and later versions of strongswan, just not with strongswan-5.2.2.

OBS-URL: https://build.opensuse.org/request/show/406438
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=97
2016-11-29 08:32:29 +00:00
406171b31d - Applied upstream fix for a authentication bypass vulnerability
in the eap-mschapv2 plugin (CVE-2015-8023,bsc#953817).
  [+ 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=95
2015-11-16 15:23:01 +00:00
cfde0c0ea7 - Applied upstream fix for a rogue servers vulnerability, that may
enable rogue servers able to authenticate itself with certificate
  issued by any CA the client trusts, to gain user credentials from
  a client in certain IKEv2 setups (bsc#933591,CVE-2015-4171).
  [+ 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch]
- Fix to apply unknown_payload patch if fips is disabled (<= 13.1)
  and renamed it to use number prefix corresponding with patch nr.
  [- strongswan-5.2.2-5.3.0_unknown_payload.patch,
   + 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=93
2015-06-08 13:41:42 +00:00
288621ec30 - Applied upstream fix for a DoS and potential remote code execution
vulnerability through payload type (bsc#931272,CVE-2015-3991)
  [+ strongswan-5.2.2-5.3.0_unknown_payload.patch]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=90
2015-06-01 16:25:25 +00:00
4a7fa03a80 - reverted last commit, not needed here
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=89
2015-03-09 09:28:29 +00:00
b401bc1d51 - Applied a fix by Marcus Meissner for a loop check in ipsec pki
causing a segfault on attempt to create certificates when fips
  is enabled (bsc#918474,https://wiki.strongswan.org/issues/881)
  [+ 0006-strongswan-pkifix.918474.patch]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=88
2015-03-09 09:02:18 +00:00
055879bc1c - Updated to strongSwan 5.2.2 providing the following changes:
Changes in version 5.2.2:
  * Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange
    payload that contains the Diffie-Hellman group 1025. This identifier was
    used internally for DH groups with custom generator and prime. Because
    these arguments are missing when creating DH objects based on the KE
    payload an invalid pointer dereference occurred.  This allowed an attacker
    to crash the IKE daemon with a single IKE_SA_INIT message containing such
    a KE payload. The vulnerability has been registered as CVE-2014-9221.
  * The left/rightid options in ipsec.conf, or any other identity in
    strongSwan, now accept prefixes to enforce an explicit type, such as
    email: or fqdn:. Note that no conversion is done for the remaining string,
    refer to ipsec.conf(5) for details.
  * The post-quantum Bimodal Lattice Signature Scheme (BLISS) can be used as
    an IKEv2 public key authentication method. The pki tool offers full
    support for the generation of BLISS key pairs and certificates.
  * Fixed mapping of integrity algorithms negotiated for AH via IKEv1.
    This could cause interoperability issues when connecting to older versions
    of charon.
  Changes in version 5.2.1:
  * The new charon-systemd IKE daemon implements an IKE daemon tailored for
    use with systemd. It avoids the dependency on ipsec starter and uses
    swanctl as configuration backend, building a simple and lightweight
    solution. It supports native systemd journal logging.
  * Support for IKEv2 fragmentation as per RFC 7383 has been added. Like IKEv1
    fragmentation it can be enabled by setting fragmentation=yes in ipsec.conf.
  * Support of the TCG TNC IF-M Attribute Segmentation specification proposal.
    All attributes can be segmented. Additionally TCG/SWID Tag, TCG/SWID Tag ID
    and IETF/Installed Packages attributes can be processed incrementally on a
    per segment basis.

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=85
2015-01-05 14:41:37 +00:00
fadffa6d60 - Disallow brainpool elliptic curve groups in fips mode (bnc#856322).
[* strongswan_fipsfilter.patch]

- Applied an upstream fix for a denial-of-service vulnerability,
  which can be triggered by an IKEv2 Key Exchange payload, that
  contains the Diffie-Hellman group 1025 (bsc#910491,CVE-2014-9221).
  [+ 0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch]
- Adjusted whilelist of approved algorithms in fips mode (bsc#856322).
  [* strongswan_fipsfilter.patch]
- Renamed patch file to match it's patch number:
  [- 0001-restore-registration-algorithm-order.bug897512.patch,
   + 0005-restore-registration-algorithm-order.bug897512.patch]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=84
2015-01-05 13:04:19 +00:00
e05aebd3de - Updated strongswan-hmac package description (bsc#856322).
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=81
2014-11-25 11:25:10 +00:00