forked from pool/strongswan
Marius Tomaschewski
055879bc1c
Changes in version 5.2.2:
* Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange
payload that contains the Diffie-Hellman group 1025. This identifier was
used internally for DH groups with custom generator and prime. Because
these arguments are missing when creating DH objects based on the KE
payload an invalid pointer dereference occurred. This allowed an attacker
to crash the IKE daemon with a single IKE_SA_INIT message containing such
a KE payload. The vulnerability has been registered as CVE-2014-9221.
* The left/rightid options in ipsec.conf, or any other identity in
strongSwan, now accept prefixes to enforce an explicit type, such as
email: or fqdn:. Note that no conversion is done for the remaining string,
refer to ipsec.conf(5) for details.
* The post-quantum Bimodal Lattice Signature Scheme (BLISS) can be used as
an IKEv2 public key authentication method. The pki tool offers full
support for the generation of BLISS key pairs and certificates.
* Fixed mapping of integrity algorithms negotiated for AH via IKEv1.
This could cause interoperability issues when connecting to older versions
of charon.
Changes in version 5.2.1:
* The new charon-systemd IKE daemon implements an IKE daemon tailored for
use with systemd. It avoids the dependency on ipsec starter and uses
swanctl as configuration backend, building a simple and lightweight
solution. It supports native systemd journal logging.
* Support for IKEv2 fragmentation as per RFC 7383 has been added. Like IKEv1
fragmentation it can be enabled by setting fragmentation=yes in ipsec.conf.
* Support of the TCG TNC IF-M Attribute Segmentation specification proposal.
All attributes can be segmented. Additionally TCG/SWID Tag, TCG/SWID Tag ID
and IETF/Installed Packages attributes can be processed incrementally on a
per segment basis.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=85
|
||
|---|---|---|
| .gitattributes | ||
| .gitignore | ||
| 0005-restore-registration-algorithm-order.bug897512.patch | ||
| 0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch | ||
| fips-enforce.conf | ||
| fipscheck.sh.in | ||
| README.SUSE | ||
| strongswan_fipscheck.patch | ||
| strongswan_fipsfilter.patch | ||
| strongswan_ipsec_service.patch | ||
| strongswan_modprobe_syslog.patch | ||
| strongswan-5.2.2-rpmlintrc | ||
| strongswan-5.2.2.tar.bz2 | ||
| strongswan-5.2.2.tar.bz2.sig | ||
| strongswan.changes | ||
| strongswan.init.in | ||
| strongswan.keyring | ||
| strongswan.spec | ||
Dear Customer, please note, that the strongswan release 4.5 changes the keyexchange mode to IKEv2 as default -- from strongswan-4.5.0/NEWS: "[...] IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5 from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively come for IKEv1 to go into retirement and to cede its place to the much more robust, powerful and versatile IKEv2 protocol! [...]" This requires adoption of either the "conn %default" or all other IKEv1 "conn" sections in the /etc/ipsec.conf to use explicit: keyexchange=ikev1 The charon daemon in strongswan 5.x versions supports IKEv1 and IKEv2, thus a separate pluto IKEv1 daemon is not needed / not shipped any more. The strongswan package does not provide any files except of this README, but triggers the installation of the charon daemon and the "traditional" strongswan-ipsec package providing the "ipsec" script and service. The ipsec.service is an alias link to the "strongswan.service" systemd service unit and created by "systemctl enable strongswan.service". There is a new strongswan-nm package with a NetworkManager specific charon-nm binary controlling the charon daemon through D-Bus and designed to work using the NetworkManager-strongswan graphical user interface. It does not depend on the traditional starter scripts, but on the IKEv2 charon daemon and plugins only. The stongswan-hmac package provides the fips hmac hash files, a _fipscheck script and a /etc/strongswan.d/charon/zzz_fips-enforce.conf config file, which disables all non-openssl algorithm implementations. When fips operation mode is enabled in the kernel using the fips=1 boot parameter, the strongswan fips checks are executed in front of any start action of the "ipsec" script provided by the "strongswan-ipsec" package and a verification problem causes a failure as required by fips-140-2. Further, it is not required to enable the fips_mode in the openssl plugin (/etc/strongswan.d/charon/openssl.conf); the kernel entablement enables it automatically as needed. The "ipsec _fipscheck" command allows to execute the fips checks manually without a check if fips is enabled (/proc/sys/crypto/fips_enabled is 1), e.g. for testing purposes. Have a lot of fun...