Accepting request 442527 from network:vpn
1 OBS-URL: https://build.opensuse.org/request/show/442527 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=63
This commit is contained in:
commit
253288c928
@ -1,166 +0,0 @@
|
||||
From 7733b99198111ef1f30a964e15e93cb1e6d27a85 Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Brunner <tobias@strongswan.org>
|
||||
Date: Fri, 15 May 2015 11:15:57 +0200
|
||||
References: bsc#931272,CVE-2015-3991
|
||||
Subject: [PATCH] unknown-payload: Use a new private payload type and make
|
||||
original type available
|
||||
|
||||
This fixes a DoS and potential remote code execution vulnerability that was
|
||||
caused because the original payload type that was returned previously was
|
||||
used to cast such payload objects to payloads of the indicated type (e.g.
|
||||
when logging notify payloads with a payload type for the wrong IKE version).
|
||||
|
||||
Fixes CVE-2015-3991.
|
||||
---
|
||||
src/libcharon/encoding/message.c | 2 +-
|
||||
src/libcharon/encoding/payloads/payload.c | 2 ++
|
||||
src/libcharon/encoding/payloads/payload.h | 7 ++++++-
|
||||
src/libcharon/encoding/payloads/unknown_payload.c | 8 ++++++++
|
||||
src/libcharon/encoding/payloads/unknown_payload.h | 8 ++++++++
|
||||
src/libcharon/sa/ikev2/task_manager_v2.c | 18 ++++++++++--------
|
||||
6 files changed, 35 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
|
||||
index 1ee2cf81b035..478f531eae28 100644
|
||||
--- a/src/libcharon/encoding/message.c
|
||||
+++ b/src/libcharon/encoding/message.c
|
||||
@@ -2513,7 +2513,7 @@ static status_t decrypt_payloads(private_message_t *this, keymat_t *keymat)
|
||||
was_encrypted = "encrypted fragment payload";
|
||||
}
|
||||
|
||||
- if (payload_is_known(type, this->major_version) && !was_encrypted &&
|
||||
+ if (type != PL_UNKNOWN && !was_encrypted &&
|
||||
!is_connectivity_check(this, payload) &&
|
||||
this->exchange_type != AGGRESSIVE)
|
||||
{
|
||||
diff --git a/src/libcharon/encoding/payloads/payload.c b/src/libcharon/encoding/payloads/payload.c
|
||||
index a1cd2f945588..f7c2754e05c3 100644
|
||||
--- a/src/libcharon/encoding/payloads/payload.c
|
||||
+++ b/src/libcharon/encoding/payloads/payload.c
|
||||
@@ -97,6 +97,7 @@ ENUM_NEXT(payload_type_names, PLV1_NAT_D_DRAFT_00_03, PLV1_FRAGMENT, PLV2_FRAGME
|
||||
#endif /* ME */
|
||||
ENUM_NEXT(payload_type_names, PL_HEADER, PLV1_ENCRYPTED, PLV1_FRAGMENT,
|
||||
"HEADER",
|
||||
+ "UNKNOWN",
|
||||
"PROPOSAL_SUBSTRUCTURE",
|
||||
"PROPOSAL_SUBSTRUCTURE_V1",
|
||||
"TRANSFORM_SUBSTRUCTURE",
|
||||
@@ -167,6 +168,7 @@ ENUM_NEXT(payload_type_short_names, PLV1_NAT_D_DRAFT_00_03, PLV1_FRAGMENT, PLV2_
|
||||
#endif /* ME */
|
||||
ENUM_NEXT(payload_type_short_names, PL_HEADER, PLV1_ENCRYPTED, PLV1_FRAGMENT,
|
||||
"HDR",
|
||||
+ "UNKN",
|
||||
"PROP",
|
||||
"PROP",
|
||||
"TRANS",
|
||||
diff --git a/src/libcharon/encoding/payloads/payload.h b/src/libcharon/encoding/payloads/payload.h
|
||||
index 920779bd1032..72003894f307 100644
|
||||
--- a/src/libcharon/encoding/payloads/payload.h
|
||||
+++ b/src/libcharon/encoding/payloads/payload.h
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (C) 2007 Tobias Brunner
|
||||
+ * Copyright (C) 2007-2015 Tobias Brunner
|
||||
* Copyright (C) 2005-2006 Martin Willi
|
||||
* Copyright (C) 2005 Jan Hutter
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
@@ -264,6 +264,11 @@ enum payload_type_t {
|
||||
PL_HEADER = 256,
|
||||
|
||||
/**
|
||||
+ * Used to handle unknown or invalid payload types.
|
||||
+ */
|
||||
+ PL_UNKNOWN,
|
||||
+
|
||||
+ /**
|
||||
* PLV2_PROPOSAL_SUBSTRUCTURE, IKEv2 proposals in a SA payload.
|
||||
*/
|
||||
PLV2_PROPOSAL_SUBSTRUCTURE,
|
||||
diff --git a/src/libcharon/encoding/payloads/unknown_payload.c b/src/libcharon/encoding/payloads/unknown_payload.c
|
||||
index 45b91fd0b32f..c69254fc008c 100644
|
||||
--- a/src/libcharon/encoding/payloads/unknown_payload.c
|
||||
+++ b/src/libcharon/encoding/payloads/unknown_payload.c
|
||||
@@ -1,4 +1,5 @@
|
||||
/*
|
||||
+ * Copyright (C) 2015 Tobias Brunner
|
||||
* Copyright (C) 2005-2006 Martin Willi
|
||||
* Copyright (C) 2005 Jan Hutter
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
@@ -121,6 +122,12 @@ METHOD(payload_t, get_header_length, int,
|
||||
METHOD(payload_t, get_payload_type, payload_type_t,
|
||||
private_unknown_payload_t *this)
|
||||
{
|
||||
+ return PL_UNKNOWN;
|
||||
+}
|
||||
+
|
||||
+METHOD(unknown_payload_t, get_type, payload_type_t,
|
||||
+ private_unknown_payload_t *this)
|
||||
+{
|
||||
return this->type;
|
||||
}
|
||||
|
||||
@@ -181,6 +188,7 @@ unknown_payload_t *unknown_payload_create(payload_type_t type)
|
||||
.destroy = _destroy,
|
||||
},
|
||||
.is_critical = _is_critical,
|
||||
+ .get_type = _get_type,
|
||||
.get_data = _get_data,
|
||||
.destroy = _destroy,
|
||||
},
|
||||
diff --git a/src/libcharon/encoding/payloads/unknown_payload.h b/src/libcharon/encoding/payloads/unknown_payload.h
|
||||
index 326b550cd872..09341bcc79b5 100644
|
||||
--- a/src/libcharon/encoding/payloads/unknown_payload.h
|
||||
+++ b/src/libcharon/encoding/payloads/unknown_payload.h
|
||||
@@ -1,4 +1,5 @@
|
||||
/*
|
||||
+ * Copyright (C) 2015 Tobias Brunner
|
||||
* Copyright (C) 2005-2006 Martin Willi
|
||||
* Copyright (C) 2005 Jan Hutter
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
@@ -42,6 +43,13 @@ struct unknown_payload_t {
|
||||
payload_t payload_interface;
|
||||
|
||||
/**
|
||||
+ * Get the original payload type as sent by the peer.
|
||||
+ *
|
||||
+ * @return type of the original payload
|
||||
+ */
|
||||
+ payload_type_t (*get_type) (unknown_payload_t *this);
|
||||
+
|
||||
+ /**
|
||||
* Get the raw data of this payload, without
|
||||
* the generic payload header.
|
||||
*
|
||||
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
|
||||
index 298167703cbf..4676867dfec2 100644
|
||||
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
|
||||
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
|
||||
@@ -1184,15 +1184,17 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg)
|
||||
enumerator = msg->create_payload_enumerator(msg);
|
||||
while (enumerator->enumerate(enumerator, &payload))
|
||||
{
|
||||
- unknown = (unknown_payload_t*)payload;
|
||||
- type = payload->get_type(payload);
|
||||
- if (!payload_is_known(type, msg->get_major_version(msg)) &&
|
||||
- unknown->is_critical(unknown))
|
||||
+ if (payload->get_type(payload) == PL_UNKNOWN)
|
||||
{
|
||||
- DBG1(DBG_ENC, "payload type %N is not supported, "
|
||||
- "but its critical!", payload_type_names, type);
|
||||
- status = NOT_SUPPORTED;
|
||||
- break;
|
||||
+ unknown = (unknown_payload_t*)payload;
|
||||
+ if (unknown->is_critical(unknown))
|
||||
+ {
|
||||
+ type = unknown->get_type(unknown);
|
||||
+ DBG1(DBG_ENC, "payload type %N is not supported, "
|
||||
+ "but its critical!", payload_type_names, type);
|
||||
+ status = NOT_SUPPORTED;
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
--
|
||||
1.9.1
|
||||
|
@ -1,102 +0,0 @@
|
||||
From ca1a65cc6aef2e037b529574783b7c571d1d82a9 Mon Sep 17 00:00:00 2001
|
||||
From: Martin Willi <martin@strongswan.org>
|
||||
Date: Wed, 3 Jun 2015 10:52:34 +0200
|
||||
References: bsc#933591,CVE-2015-4171
|
||||
Subject: [PATCH] ikev2: Enforce remote authentication config before proceeding
|
||||
with own authentication
|
||||
|
||||
Previously the constraints in the authentication configuration of an
|
||||
initiator were enforced only after all authentication rounds were
|
||||
complete. This posed a problem if an initiator used EAP or PSK
|
||||
authentication while the responder was authenticated with a certificate
|
||||
and if a rogue server was able to authenticate itself with a valid
|
||||
certificate issued by any CA the initiator trusted.
|
||||
|
||||
Because any constraints for the responder's identity (rightid) or other
|
||||
aspects of the authentication (e.g. rightca) the initiator had were not
|
||||
enforced until the initiator itself finished its authentication such a rogue
|
||||
responder was able to acquire usernames and password hashes from the client.
|
||||
And if a client supported EAP-GTC it was even possible to trick it into
|
||||
sending plaintext passwords.
|
||||
|
||||
This patch enforces the configured constraints right after the responder's
|
||||
authentication successfully finished for each round and before the initiator
|
||||
starts with its own authentication.
|
||||
|
||||
Fixes CVE-2015-4171.
|
||||
---
|
||||
src/libcharon/sa/ikev2/tasks/ike_auth.c | 44 +++++++++++++++++++++++++++++++++
|
||||
1 file changed, 44 insertions(+)
|
||||
|
||||
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
|
||||
index bf747a49edde..2554496c1916 100644
|
||||
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
|
||||
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
|
||||
@@ -112,6 +112,11 @@ struct private_ike_auth_t {
|
||||
* received an INITIAL_CONTACT?
|
||||
*/
|
||||
bool initial_contact;
|
||||
+
|
||||
+ /**
|
||||
+ * Is EAP acceptable, did we strictly authenticate peer?
|
||||
+ */
|
||||
+ bool eap_acceptable;
|
||||
};
|
||||
|
||||
/**
|
||||
@@ -879,6 +884,37 @@ static void send_auth_failed_informational(private_ike_auth_t *this,
|
||||
message->destroy(message);
|
||||
}
|
||||
|
||||
+/**
|
||||
+ * Check if strict constraint fullfillment required to continue current auth
|
||||
+ */
|
||||
+static bool require_strict(private_ike_auth_t *this, bool mutual_eap)
|
||||
+{
|
||||
+ auth_cfg_t *cfg;
|
||||
+
|
||||
+ if (this->eap_acceptable)
|
||||
+ {
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+
|
||||
+ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
|
||||
+ switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
|
||||
+ {
|
||||
+ case AUTH_CLASS_EAP:
|
||||
+ if (mutual_eap && this->my_auth)
|
||||
+ {
|
||||
+ this->eap_acceptable = TRUE;
|
||||
+ return !this->my_auth->is_mutual(this->my_auth);
|
||||
+ }
|
||||
+ return TRUE;
|
||||
+ case AUTH_CLASS_PSK:
|
||||
+ return TRUE;
|
||||
+ case AUTH_CLASS_PUBKEY:
|
||||
+ case AUTH_CLASS_ANY:
|
||||
+ default:
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
METHOD(task_t, process_i, status_t,
|
||||
private_ike_auth_t *this, message_t *message)
|
||||
{
|
||||
@@ -1014,6 +1050,14 @@ METHOD(task_t, process_i, status_t,
|
||||
}
|
||||
}
|
||||
|
||||
+ if (require_strict(this, mutual_eap))
|
||||
+ {
|
||||
+ if (!update_cfg_candidates(this, TRUE))
|
||||
+ {
|
||||
+ goto peer_auth_failed;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (this->my_auth)
|
||||
{
|
||||
switch (this->my_auth->process(this->my_auth, message))
|
||||
--
|
||||
1.9.1
|
||||
|
@ -1,35 +0,0 @@
|
||||
From 91762f11e223e33b82182150d7c4cf7c2ec3cefa Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Brunner <tobias@strongswan.org>
|
||||
Date: Thu, 29 Oct 2015 11:18:27 +0100
|
||||
References: CVE-2015-8023, bsc#953817
|
||||
Subject: [PATCH] eap-mschapv2: Only succeed authentication if MSK was
|
||||
established
|
||||
|
||||
An MSK is only established if the client successfully authenticated
|
||||
itself and only then must we accept an MSCHAPV2_SUCCESS message.
|
||||
|
||||
Fixes CVE-2015-8023
|
||||
---
|
||||
src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
|
||||
index f7f39f9841d2..931e3c41dde4 100644
|
||||
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
|
||||
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
|
||||
@@ -1145,7 +1145,11 @@ METHOD(eap_method_t, process_server, status_t,
|
||||
}
|
||||
case MSCHAPV2_SUCCESS:
|
||||
{
|
||||
- return SUCCESS;
|
||||
+ if (this->msk.ptr)
|
||||
+ {
|
||||
+ return SUCCESS;
|
||||
+ }
|
||||
+ break;
|
||||
}
|
||||
case MSCHAPV2_FAILURE:
|
||||
{
|
||||
--
|
||||
1.9.1
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:cf2fbfdf200a5eced796f00dc11fea67ce477d38c54d5f073ac6c51618b172f4
|
||||
size 4169095
|
@ -1,14 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1
|
||||
|
||||
iQGcBAABAgAGBQJUn/PYAAoJEN9CwXCzTbp3+PML/2IJQEI240BwPOpXEGrJ0jnR
|
||||
Mmq7qXD3QLnUtpyX2/dXVV6X6PzdXiCubOj9m59VNSD6Qsr5W3d44rg90Vf9VxX6
|
||||
5nwAWP9fWl1L8xKtC93dyPAe8eet9tMqIf6QY5LYCmKRXi9aotoARiyEjKRUsWdy
|
||||
O+nDS43PrwjcgHcV+dVbpA1FyFSwoX2zoDu0d1MMzOb+b8np9+2SdtsNVKaIqW5c
|
||||
39PphkQgpqBqM1nkO0LUydsdCpE+/Xq4yNP77eSio7b6b2eyAjD9gBlNsE4FHoU0
|
||||
gyDKgdcOIPYmS8VD2J4efxQDjGpj6VV4wvXAo9tE7x/joIFT+Eg9LsD42l7yReaY
|
||||
G/G87HVgA0DH67lBjoMfkhZcHCSTofM4cm7eOC7s48PF4HvnAM1L5bH7UzoehV9c
|
||||
YvIUO/Q+7on6nvnW4AYUVXc/fAq7IUB6hYYCX6CHsb1U7gkEa7NseLwcoLmbMIfB
|
||||
QaziGo6KHG4XFTdlu1LrQBip8NdJZh7v7fYJd/sFjA==
|
||||
=bacU
|
||||
-----END PGP SIGNATURE-----
|
3
strongswan-5.3.5.tar.bz2
Normal file
3
strongswan-5.3.5.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:2c84b663da652b1ff180a1a73c24a3d7b9fc4b9b8ba6bd07f94a1e33092e6350
|
||||
size 4415297
|
14
strongswan-5.3.5.tar.bz2.sig
Normal file
14
strongswan-5.3.5.tar.bz2.sig
Normal file
@ -0,0 +1,14 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1
|
||||
|
||||
iQGcBAABAgAGBQJWVtUVAAoJEN9CwXCzTbp3dpUL/j5Dio8w6LbKtCf4QRItnG2/
|
||||
3U6apa56nxDWD3rpnN20OjSUzgulMIOjv/ZtRuruRPGWoFwrG6WzrsY/0ZrV929J
|
||||
hSmEVuu6qgt/2i/OJdBUHfNGbhJ9JbTXGMxnWUp38mr4SasZlzHZAxbiKmnKXKtO
|
||||
H5XebtVFR0/yNBPkv6wcJID/vFhJxfWpU2dblvVfSVo9VgV7lXkD0W+S++LJDTVo
|
||||
PgV/a8NZEFswLIZCPct4i3QBYCDkCiS5MGlGCa+xltPYdLpwQUqhEBUkvF8yur7K
|
||||
hnpT9cLk/gMSfFQmSOoN/31yx+ZSHTGR75QEh0pXRvo+oLJse7tw5/MJOHEJu+Hp
|
||||
c/0iVL7qSIXbX5DBF3c03nG3ZdWcVQW32VEp//mC5yEpqFz28dlNSpVwWHLMym/D
|
||||
kddiJjkZGCm7jBaPWTHSq2l8y9zdQzyHNNQ0HUpchUcpCn7B2nQO4tDSz3AFBECT
|
||||
32LKSXnpRb7BAnIW/TZhZqWs1WzbQHogUF+wx+Rl6w==
|
||||
=+fm3
|
||||
-----END PGP SIGNATURE-----
|
@ -1,3 +1,148 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 4 12:00:00 UTC 2016 - doug@uq.edu.au
|
||||
|
||||
- Updated to strongSwan 5.3.5 providing the following changes:
|
||||
Changes in version 5.3.5:
|
||||
* Properly handle potential EINTR errors in sigwaitinfo(2) calls
|
||||
that replaced sigwait(3) calls with 5.3.4.
|
||||
* RADIUS retransmission timeouts are now configurable, courtesy
|
||||
of Thom Troy.
|
||||
Changes in version 5.3.4:
|
||||
* Fixed an authentication bypass vulnerability in the
|
||||
eap-mschapv2 plugin that was caused by insufficient
|
||||
verification of the internal state when handling MSCHAPv2
|
||||
Success messages received by the client. This vulnerability
|
||||
has been registered as CVE-2015-8023.
|
||||
* The sha3 plugin implements the SHA3 Keccak-F1600 hash
|
||||
algorithm family. Within the strongSwan framework SHA3 is
|
||||
currently used for BLISS signatures only because the OIDs for
|
||||
other signature algorithms haven't been defined yet. Also the
|
||||
use of SHA3 for IKEv2 has not been standardized yet.
|
||||
Changes in version 5.3.3:
|
||||
* Added support for the ChaCha20/Poly1305 AEAD cipher specified
|
||||
in RFC 7539 and RFC 7634 using the chacha20poly1305 ike/esp
|
||||
proposal keyword. The new chapoly plugin implements the
|
||||
cipher, if possible SSE-accelerated on x86/x64 architectures.
|
||||
It is usable both in IKEv2 and the strongSwan libipsec ESP
|
||||
backend. On Linux 4.2 or newer the kernel-netlink plugin can
|
||||
configure the cipher for ESP SAs.
|
||||
* The vici interface now supports the configuration of auxiliary
|
||||
certification authority information as CRL and OCSP URIs.
|
||||
* In the bliss plugin the c_indices derivation using a SHA-512
|
||||
based random oracle has been fixed, generalized and
|
||||
standardized by employing the MGF1 mask generation function
|
||||
with SHA-512. As a consequence BLISS signatures unsing the
|
||||
improved oracle are not compatible with the earlier
|
||||
implementation.
|
||||
* Support for auto=route with right=%any for transport mode
|
||||
connections has been added (the ikev2/trap-any scenario
|
||||
provides examples).
|
||||
* The starter daemon does not flush IPsec policies and SAs
|
||||
anymore when it is stopped. Already existing duplicate
|
||||
policies are now overwritten by the IKE daemon when it
|
||||
installs its policies.
|
||||
* Init limits (like charon.init_limit_half_open) can now
|
||||
optionally be enforced when initiating SAs via VICI. For this,
|
||||
IKE_SAs initiated by the daemon are now also counted as half
|
||||
open SAs, which, as a side-effect, fixes the status output
|
||||
while connecting (e.g. in ipsec status).
|
||||
* Symmetric configuration of EAP methods in left|rightauth is
|
||||
now possible when mutual EAP-only authentication is used
|
||||
(previously, the client had to configure rightauth=eap or
|
||||
rightauth=any, which prevented it from using this same config
|
||||
as responder).
|
||||
* The initiator flag in the IKEv2 header is compared again
|
||||
(wasn't the case since 5.0.0) and packets that have the flag
|
||||
set incorrectly are again ignored.
|
||||
* Implemented a demo Hardcopy Device IMC/IMV pair based on the
|
||||
"Hardcopy Device Health Assessment Trusted Network Connect
|
||||
Binding" (HCD-TNC) document drafted by the IEEE Printer
|
||||
Working Group (PWG).
|
||||
* Fixed IF-M segmentation which failed in the presence of
|
||||
multiple small attributes in front of a huge attribute to be
|
||||
segmented.
|
||||
Changes in version 5.3.2:
|
||||
* Fixed a vulnerability that allowed rogue servers with a valid
|
||||
certificate accepted by the client to trick it into disclosing
|
||||
its username and even password (if the client accepts
|
||||
EAP-GTC). This was caused because constraints against the
|
||||
responder's authentication were enforced too late. This
|
||||
vulnerability has been registered as CVE-2015-4171.
|
||||
Changes in version 5.3.1:
|
||||
* Fixed a denial-of-service and potential remote code execution
|
||||
vulnerability triggered by IKEv1/IKEv2 messages that contain
|
||||
payloads for the respective other IKE version. Such payload
|
||||
are treated specially since 5.2.2 but because they were still
|
||||
identified by their original payload type they were used as
|
||||
such in some places causing invalid function pointer
|
||||
dereferences. The vulnerability has been registered as
|
||||
CVE-2015-3991.
|
||||
* The new aesni plugin provides CBC, CTR, XCBC, CMAC, CCM and
|
||||
GCM crypto primitives for AES-128/192/256. The plugin requires
|
||||
AES-NI and PCLMULQDQ instructions and works on both x86 and
|
||||
x64 architectures. It provides superior crypto performance in
|
||||
userland without any external libraries.
|
||||
Changes in version 5.3.0:
|
||||
* Added support for IKEv2 make-before-break reauthentication. By
|
||||
using a global CHILD_SA reqid allocation mechanism, charon
|
||||
supports overlapping CHILD_SAs. This allows the use of
|
||||
make-before-break instead of the previously supported
|
||||
break-before-make reauthentication, avoiding connectivity gaps
|
||||
during that procedure. As the new mechanism may fail with peers
|
||||
not supporting it (such as any previous strongSwan release) it
|
||||
must be explicitly enabled using the charon.make_before_break
|
||||
strongswan.conf option.
|
||||
* Support for "Signature Authentication in IKEv2" (RFC 7427) has
|
||||
been added. This allows the use of stronger hash algorithms
|
||||
for public key authentication. By default, signature schemes
|
||||
are chosen based on the strength of the signature key, but
|
||||
specific hash algorithms may be configured in leftauth.
|
||||
* Key types and hash algorithms specified in rightauth are now
|
||||
also checked against IKEv2 signature schemes. If such
|
||||
constraints are used for certificate chain validation in
|
||||
existing configurations, in particular with peers that don't
|
||||
support RFC 7427, it may be necessary to disable this feature
|
||||
with the charon.signature_authentication_constraints setting,
|
||||
because the signature scheme used in classic IKEv2 public key
|
||||
authentication may not be strong enough.
|
||||
* The new connmark plugin allows a host to bind conntrack flows
|
||||
to a specific CHILD_SA by applying and restoring the SA mark
|
||||
to conntrack entries. This allows a peer to handle multiple
|
||||
transport mode connections coming over the same NAT device for
|
||||
client-initiated flows. A common use case is to protect
|
||||
L2TP/IPsec, as supported by some systems.
|
||||
* The forecast plugin can forward broadcast and multicast
|
||||
messages between connected clients and a LAN. For CHILD_SA
|
||||
using unique marks, it sets up the required Netfilter rules
|
||||
and uses a multicast/broadcast listener that forwards such
|
||||
messages to all connected clients. This plugin is designed for
|
||||
Windows 7 IKEv2 clients, which announces its services over the
|
||||
tunnel if the negotiated IPsec policy allows it.
|
||||
* For the vici plugin a Python Egg has been added to allow
|
||||
Python applications to control or monitor the IKE daemon using
|
||||
the VICI interface, similar to the existing ruby gem. The
|
||||
Python library has been contributed by Björn Schuberg.
|
||||
* EAP server methods now can fulfill public key constraints,
|
||||
such as rightcert or rightca. Additionally, public key and
|
||||
signature constraints can be specified for EAP methods in the
|
||||
rightauth keyword. Currently the EAP-TLS and EAP-TTLS methods
|
||||
provide verification details to constraints checking.
|
||||
* Upgrade of the BLISS post-quantum signature algorithm to the
|
||||
improved BLISS-B variant. Can be used in conjunction with the
|
||||
SHA256, SHA384 and SHA512 hash algorithms with SHA512 being
|
||||
the default.
|
||||
* The IF-IMV 1.4 interface now makes the IP address of the TNC
|
||||
access requestor as seen by the TNC server available to all
|
||||
IMVs. This information can be forwarded to policy enforcement
|
||||
points (e.g. firewalls or routers).
|
||||
* The new mutual tnccs-20 plugin parameter activates mutual TNC
|
||||
measurements in PB-TNC half-duplex mode between two endpoints
|
||||
over either a PT-EAP or PT-TLS transport medium.
|
||||
- Adjusted file lists and removed obsolete patches
|
||||
[- 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch,
|
||||
- 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch,
|
||||
- 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 13 10:25:59 UTC 2015 - mt@suse.de
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package strongswan
|
||||
#
|
||||
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
Name: strongswan
|
||||
Version: 5.2.2
|
||||
Version: 5.3.5
|
||||
Release: 0
|
||||
%define upstream_version %{version}
|
||||
%define strongswan_docdir %{_docdir}/%{name}
|
||||
@ -82,9 +82,6 @@ Patch2: %{name}_ipsec_service.patch
|
||||
Patch3: %{name}_fipscheck.patch
|
||||
Patch4: %{name}_fipsfilter.patch
|
||||
%endif
|
||||
Patch5: 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch
|
||||
Patch6: 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch
|
||||
Patch7: 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
BuildRequires: bison
|
||||
BuildRequires: curl-devel
|
||||
@ -295,9 +292,6 @@ and the load testing plugin for IKEv2 daemon.
|
||||
%patch3 -p0
|
||||
%patch4 -p1
|
||||
%endif
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
sed -e 's|@libexecdir@|%_libexecdir|g' \
|
||||
< $RPM_SOURCE_DIR/strongswan.init.in \
|
||||
> strongswan.init
|
||||
@ -605,7 +599,6 @@ fi
|
||||
%dir %{_libexecdir}/ipsec
|
||||
%{_libexecdir}/ipsec/_copyright
|
||||
%{_libexecdir}/ipsec/_updown
|
||||
%{_libexecdir}/ipsec/_updown_espmark
|
||||
%if %{with test}
|
||||
%{_libexecdir}/ipsec/conftest
|
||||
%endif
|
||||
@ -632,8 +625,6 @@ fi
|
||||
%{strongswan_docdir}/LICENSE
|
||||
%{strongswan_docdir}/AUTHORS
|
||||
%{strongswan_docdir}/ChangeLog
|
||||
%{_mandir}/man8/_updown.8*
|
||||
%{_mandir}/man8/_updown_espmark.8*
|
||||
%{_mandir}/man8/scepclient.8*
|
||||
|
||||
%files libs0
|
||||
|
Loading…
Reference in New Issue
Block a user