From 60e7ee609f96548ec6257ba326c06570f748c076c824eeae88d5d62d7209768d Mon Sep 17 00:00:00 2001 
From: Marius Tomaschewski Date: Tue, 10 Aug 2010 11:02:18 +0000 Subject: [PATCH] - Updated to strongSwan 4.4.1 release, changes since 4.4.0 are: * Support of xfrm marks in IPsec SAs and IPsec policies introduced with the Linux 2.6.34 kernel. For details see the example scenarios ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp. * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used in a user-specific updown script to set marks on inbound ESP or ESP_IN_UDP packets. * The openssl plugin now supports X.509 certificate and CRL functions. * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled by default. Please update manual load directives in strongswan.conf. * RFC3779 ipAddrBlock constraint checking has been moved to the addrblock plugin, disabled by default. Enable it and update manual load directives in strongswan.conf, if required. * The pki utility supports CRL generation using the --signcrl command. * The ipsec pki --self, --issue and --req commands now support output in PEM format using the --outform pem option. * The major refactoring of the IKEv1 Mode Config functionality now allows the transport and handling of any Mode Config attribute. * The RADIUS proxy plugin eap-radius now supports multiple servers. Configured servers are chosen randomly, with the option to prefer a specific server. Non-responding servers are degraded by the selection process. * The ipsec pool tool manages arbitrary configuration attributes stored in an SQL database. ipsec pool --help gives the details. * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA, reading triplets/quintuplets from an SQL database. * The High Availability plugin now supports a HA enabled in-memory address pool and Node reintegration without IKE_SA rekeying. The latter allows clients without IKE_SA rekeying support to keep connected during reintegration. Additionally, many other issues have been fixed in the ha plugin. 
* Fixed a potential remote code execution vulnerability resulting from the misuse of snprintf(). The vulnerability is exploitable by unauthenticated users. - Removed obsolete snprintf security fix, adopted spec file - Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth, eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins. - Enabled the mysql, sqlite, load-tester and test-vectors plugins, that are packaged into separate mysql,sqlite,tests sub packages. OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18 --- strongswan-4.4.0-snprintf-fix.diff | 105 ----------------------------- strongswan-4.4.1-rpmlintrc | 5 ++ strongswan-4.4.1.tar.bz2 | 3 + strongswan-4.4.1.tar.bz2.sig | 14 ++++ strongswan.changes | 45 +++++++++++++ strongswan.spec | 87 ++++++++++++++++++++++-- 6 files changed, 147 insertions(+), 112 deletions(-) delete mode 100644 strongswan-4.4.0-snprintf-fix.diff create mode 100644 strongswan-4.4.1-rpmlintrc create mode 100644 strongswan-4.4.1.tar.bz2 create mode 100644 strongswan-4.4.1.tar.bz2.sig diff --git a/strongswan-4.4.0-snprintf-fix.diff b/strongswan-4.4.0-snprintf-fix.diff deleted file mode 100644 index 4b08b80..0000000 --- a/strongswan-4.4.0-snprintf-fix.diff +++ /dev/null 
@@ -1,105 +0,0 @@ -From 96e2f9f3a70a7c918772f7dde57c6cb8befbc60e Mon Sep 17 00:00:00 2001 -From: Martin Willi -Date: Fri, 18 Jun 2010 09:18:27 +0200 -Subject: [PATCH] snprintf() fixes, version 4.4.0 - ---- - .../credentials/ietf_attributes/ietf_attributes.c | 13 +++++++++++-- - src/libstrongswan/utils/identification.c | 12 ++++++++++++ - src/pluto/x509.c | 4 ++++ - 3 files changed, 27 insertions(+), 2 deletions(-) - -diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c -index ff3ddeb..de5b85b 100644 ---- a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c -+++ b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c -@@ -159,7 +159,7 @@ static char* get_string(private_ietf_attributes_t *this) - enumerator = this->list->create_enumerator(this->list); - while (enumerator->enumerate(enumerator, &attr)) - { -- int written = 0; -+ int written; - - if (first) - { -@@ -168,8 +168,12 @@ static char* get_string(private_ietf_attributes_t *this) - else - { - written = snprintf(pos, len, ", "); -+ if (written < 0 || written >= len) -+ { -+ break; -+ } - pos += written; -- len -= written; -+ len -= written; - } - - switch (attr->type) -@@ -194,8 +198,13 @@ static char* get_string(private_ietf_attributes_t *this) - break; - } - default: -+ written = 0; - break; - } -+ if (written < 0 || written >= len) -+ { -+ break; -+ } - pos += written; - len -= written; - } -diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c -index 6a3c393..6ccfa19 100644 ---- a/src/libstrongswan/utils/identification.c -+++ b/src/libstrongswan/utils/identification.c -@@ -297,18 +297,30 @@ static void dntoa(chunk_t dn, char *buf, size_t len) - { - written = snprintf(buf, len,"%s=", oid_names[oid].name); - } -+ if (written < 0 || written >= len) -+ { -+ break; -+ } - buf += written; - len -= written; - - chunk_printable(data, &printable, '?'); - written 
= snprintf(buf, len, "%.*s", printable.len, printable.ptr); - chunk_free(&printable); -+ if (written < 0 || written >= len) -+ { -+ break; -+ } - buf += written; - len -= written; - - if (data.ptr + data.len != dn.ptr + dn.len) - { - written = snprintf(buf, len, ", "); -+ if (written < 0 || written >= len) -+ { -+ break; -+ } - buf += written; - len -= written; - } -diff --git a/src/pluto/x509.c b/src/pluto/x509.c -index 0a29830..0abebc6 100644 ---- a/src/pluto/x509.c -+++ b/src/pluto/x509.c -@@ -393,6 +393,10 @@ void list_x509cert_chain(const char *caption, cert_t* cert, - { - written = snprintf(pos, len, ", %Y", id); - } -+ if (written < 0 || written >= len) -+ { -+ break; -+ } - pos += written; - len -= written; - } --- -1.7.0.4 - diff --git a/strongswan-4.4.1-rpmlintrc b/strongswan-4.4.1-rpmlintrc new file mode 100644 index 0000000..1a4d703 --- /dev/null +++ b/strongswan-4.4.1-rpmlintrc @@ -0,0 +1,5 @@ +### Known warnings: +# - traditional name +addFilter("strongswan.* incoherent-init-script-name ipsec") +# - readme only, triggers full ipsec + ikev1&ikev2 install +addFilter("strongswan.* no-binary") diff --git a/strongswan-4.4.1.tar.bz2 b/strongswan-4.4.1.tar.bz2 new file mode 100644 index 0000000..ae192f3 --- /dev/null +++ b/strongswan-4.4.1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2bee6fb9f43c251827f530cd629af1195a566cf99e9d0320c338f1497cbf99c2 +size 2982652 diff --git a/strongswan-4.4.1.tar.bz2.sig b/strongswan-4.4.1.tar.bz2.sig new file mode 100644 index 0000000..f96e554 --- /dev/null +++ b/strongswan-4.4.1.tar.bz2.sig 
@@ -0,0 +1,14 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.10 (GNU/Linux) + +iQGcBAABAgAGBQJMUuERAAoJEN9CwXCzTbp3oqYL/3Gg3EDh4ZhMAvJunRK40JUI +Sw8Ekp3XNFASLDDAOTjZAOOfd/ZAtC3zLDxaT9vRfq4mmWmhtKBHcnAnURDtNees +fraJiv/flvmJ4enZbXp3R3NgIQcXNGDrOi2P7XSydzqq80pW1P4v8JZcMf+glFJO +sdzMgnL2Tg9/TTiivBFtymtknf+yqT4cDKNNolzIuKWPzJ1dR+hSoLlVZ+4efUAS +qGK8EsqTDawZ5AsEvx7BVfusn38wMgQehKV5DhyhM29sm9hYj6nfO99NEfXq8VhG +eYTWU4uJNH5ghTOllc3s9zA8jK49aG+ITIlpqn9xUi41uRlr3DdvMINDBETjGL8E +eKd8AkV0NCDWRsia2mHJLBW9/W107/w3BPKMCm23avMtiRRezsSB0OQ2XpzgDjEH +iPLj0xY4cK6Ratd9qfApfafU1sJSll/Hj0XOiv/UEoIgZUaStVKOO+5d5SrljTlp +hIGJFjWcK262L+aDTGrckDqEpQ/1xHc8KLGF/XiKFg== +=TTSf +-----END PGP SIGNATURE----- diff --git a/strongswan.changes b/strongswan.changes index b09707f..804a3fe 100644 --- a/strongswan.changes +++ b/strongswan.changes 
@@ -1,3 +1,48 @@
+-------------------------------------------------------------------
+Tue Aug 10 10:56:34 UTC 2010 - mt@suse.de
+
+- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
+ * Support of xfrm marks in IPsec SAs and IPsec policies introduced
+ with the Linux 2.6.34 kernel.
+ For details see the example scenarios ikev2/nat-two-rw-mark,
+ ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
+ * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
+ used in a user-specific updown script to set marks on inbound ESP
+ or ESP_IN_UDP packets.
+ * The openssl plugin now supports X.509 certificate and CRL functions.
+ * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
+ enabled by default.
+ Plase update manual load directives in strongswan.conf.
+ * RFC3779 ipAddrBlock constraint checking has been moved to the
+ addrblock plugin, disabled by default. Enable it and update manual
+ load directives in strongswan.conf, if required.
+ * The pki utility supports CRL generation using the --signcrl command.
+ * The ipsec pki --self, --issue and --req commands now support output
+ in PEM format using the --outform pem option.
+ * The major refactoring of the IKEv1 Mode Config functionality now
+ allows the transport and handling of any Mode Config attribute.
+ * The RADIUS proxy plugin eap-radius now supports multiple servers.
+ Configured servers are chosen randomly, with the option to prefer
+ a specific server. Non-responding servers are degraded by the
+ selection process.
+ * The ipsec pool tool manages arbitrary configuration attributes
+ stored in an SQL database. ipsec pool --help gives the details.
+ * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
+ EAP-AKA, reading triplets/quintuplets from an SQL database.
+ * The High Availability plugin now supports a HA enabled in-memory
+ address pool and Node reintegration without IKE_SA rekeying. The
+ latter allows clients without IKE_SA rekeying support to keep
+ connected during reintegration. Additionally, many other issues
+ have been fixed in the ha plugin.
+ * Fixed a potential remote code execution vulnerability resulting
+ from the misuse of snprintf(). The vulnerability is exploitable
+ by unauthenticated users.
+- Removed obsolete snprintf security fix, adopted spec file
+- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
+ eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
+- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
+ that are packaged into separate mysql,sqlite,tests sub packages.
+
 -------------------------------------------------------------------
 Fri Jul 2 15:40:17 UTC 2010 - mt@suse.de
diff --git a/strongswan.spec b/strongswan.spec
index f068f3e..dbb2b2d 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -1,5 +1,5 @@
 #
-# spec file for package strongswan (Version 4.4.0)
+# spec file for package strongswan (Version 4.4.1)
 #
 # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -19,11 +19,11 @@ Name: strongswan
-%define upstream_version 4.4.0
+%define upstream_version 4.4.1
 %define strongswan_docdir %{_docdir}/%{name}
 %define strongswan_plugins %{_libexecdir}/ipsec/plugins
-Version: 4.4.0
-Release: 4.
+Version: 4.4.1
+Release: 0
 License: GPLv2+
 Group: Productivity/Networking/Security
 Summary: OpenSource IPsec-based VPN Solution
@@ -38,7 +38,6 @@ Source2: %{name}.init.in
 Source3: %{name}-%{version}-rpmlintrc
 Source4: README.SUSE
 Patch1: %{name}_modprobe_syslog.patch
-Patch2: %{name}-4.4.0-snprintf-fix.diff
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: bison flex gmp-devel gperf pkg-config
 BuildRequires: libcap-devel
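Review bot: The detached signature strongswan-4.4.1.tar.bz2.sig is added to the package sources in this commit, but nothing in the visible Source list references it, so whether the 4.4.1 tarball is actually checked against the strongSwan release key at build time cannot be confirmed from the spec. If the build service does not verify .sig files on its own, list it next to the tarball, e.g. `Source1: %{name}-%{upstream_version}.tar.bz2.sig` (whichever SourceN slot is free), and keep the signing key in the package so the check is reproducible rather than relying on the checked-in hash alone. Dropping Patch2 looks right, since the deleted strongswan-4.4.0-snprintf-fix.diff is the fix the 4.4.1 changes entry reports as included upstream. The Source0 line sits before this hunk, so the signature may already be wired up there.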
@@ -50,6 +49,7 @@ BuildRequires: curl-devel pam-devel
 BuildRequires: libuuid-devel
 BuildRequires: NetworkManager-devel
 %endif
+BuildRequires: libmysqlclient-devel sqlite3-devel
 %description
 StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
@@ -116,6 +116,40 @@ StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
 This package provides the strongswan library and plugins.
+%package mysql
+License: GPLv2+
+Summary: OpenSource IPsec-based VPN Solution
+Group: Productivity/Networking/Security
+Requires: strongswan-libs0 = %{version}
+
+%description mysql
+StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
+
+This package provides the strongswan mysql plugin.
+
+%package sqlite
+License: GPLv2+
+Summary: OpenSource IPsec-based VPN Solution
+Group: Productivity/Networking/Security
+Requires: strongswan-libs0 = %{version}
+
+%description sqlite
+StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
+
+This package provides the strongswan sqlite plugin.
+
+%package tests
+License: GPLv2+
+Summary: OpenSource IPsec-based VPN Solution
+Group: Productivity/Networking/Security
+Requires: strongswan-libs0 = %{version}
+
+%description tests
+StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
+
+This package provides the strongswan crypto test-vectors plugin
+and the load testing plugin for IKEv2 daemon.
+
 %package ikev1
 License: GPLv2+
 Summary: OpenSource IPsec-based VPN Solution
@@ -190,7 +224,6 @@ NetworkManager-strongswan graphical user interface.
 %prep
 %setup -q -n %{name}-%{upstream_version}
 %patch1 -p0
-%patch2 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g' \
 < $RPM_SOURCE_DIR/strongswan.init.in \
 > strongswan.init
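Review bot: The `%description tests` text presents load-tester as just "the load testing plugin" and gives no warning that it is a benchmarking aid rather than something to have on a production gateway, even though installing strongswan-tests drops it into the same `%{strongswan_plugins}` directory the daemon loads the real plugins from. Since `--enable-load-tester` is passed to configure, it may also end up in charon's compiled-in default plugin list (4.4.1 appears to derive that list from the enabled plugins — confirm), in which case merely installing the subpackage is enough for the plugin to be loaded, even if it stays inert until switched on in strongswan.conf. Suggested wording: `This package provides the strongswan crypto test-vectors plugin and the load-tester plugin for benchmarking the IKEv2 daemon. It is intended for test setups only; do not install it on production gateways.` Whether the packaged strongswan.conf overrides the plugin list is not visible in this hunk.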
@@ -211,24 +244,37 @@ export RPM_OPT_FLAGS CFLAGS
 --enable-cisco-quirks \
 --enable-openssl \
 --enable-agent \
+ --enable-md4 \
+ --enable-blowfish \
+ --enable-eap-sim \
+ --enable-eap-sim-file \
+ --enable-eap-simaka-sql \
+ --enable-eap-simaka-pseudonym \
+ --enable-eap-simaka-reauth \
 --enable-eap-md5 \
 --enable-eap-gtc \
 --enable-eap-aka \
 --enable-eap-radius \
 --enable-eap-identity \
 --enable-eap-mschapv2 \
+ --enable-eap-aka-3gpp2 \
 --enable-ha \
 --enable-dhcp \
 --enable-farp \
 --enable-sql \
 --enable-attr-sql \
+ --enable-addrblock \
 --enable-socket-dynamic \
 %if 0%{suse_version} >= 1110
 --enable-gcrypt \
 --enable-nm \
 %endif
 --enable-ldap \
- --enable-curl
+ --enable-curl \
+ --enable-mysql \
+ --enable-sqlite \
+ --enable-load-tester \
+ --enable-test-vectors
 make %{?_smp_mflags:%_smp_mflags}
 %install
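Review bot: `--enable-md4` and `--enable-blowfish` switch on two legacy algorithms at the top of the new flags without a word on why they are wanted, which is exactly the kind of line a later maintainer either removes (breaking something) or keeps forever out of caution. md4 is presumably needed for the NT hash used by the already-enabled eap-mschapv2, and blowfish is a 64-bit-block cipher that only makes sense for interoperating with old peers, not as a default proposal; a comment in the spec would settle it: `# md4: NT hash for eap-mschapv2; blowfish: legacy peer interop only, not a default proposal`. The configure invocation these flags belong to starts before this hunk.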
@@ -390,20 +436,28 @@ fi
 %dir %{_libexecdir}/ipsec/pool
 %{_libexecdir}/ipsec/libchecksum.so
 %dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-addrblock.so
 %{strongswan_plugins}/libstrongswan-aes.so
 %{strongswan_plugins}/libstrongswan-agent.so
 %{strongswan_plugins}/libstrongswan-attr.so
 %{strongswan_plugins}/libstrongswan-attr-sql.so
+%{strongswan_plugins}/libstrongswan-blowfish.so
 %{strongswan_plugins}/libstrongswan-curl.so
 %{strongswan_plugins}/libstrongswan-des.so
 %{strongswan_plugins}/libstrongswan-dhcp.so
 %{strongswan_plugins}/libstrongswan-dnskey.so
+%{strongswan_plugins}/libstrongswan-eap-aka-3gpp2.so
 %{strongswan_plugins}/libstrongswan-eap-aka.so
 %{strongswan_plugins}/libstrongswan-eap-gtc.so
 %{strongswan_plugins}/libstrongswan-eap-identity.so
 %{strongswan_plugins}/libstrongswan-eap-md5.so
 %{strongswan_plugins}/libstrongswan-eap-mschapv2.so
 %{strongswan_plugins}/libstrongswan-eap-radius.so
+%{strongswan_plugins}/libstrongswan-eap-simaka-pseudonym.so
+%{strongswan_plugins}/libstrongswan-eap-simaka-reauth.so
+%{strongswan_plugins}/libstrongswan-eap-simaka-sql.so
+%{strongswan_plugins}/libstrongswan-eap-sim-file.so
+%{strongswan_plugins}/libstrongswan-eap-sim.so
 %{strongswan_plugins}/libstrongswan-farp.so
 %{strongswan_plugins}/libstrongswan-fips-prf.so
 %if 0%{suse_version} >= 1110
@@ -414,6 +468,7 @@ fi
 %{strongswan_plugins}/libstrongswan-hmac.so
 %{strongswan_plugins}/libstrongswan-kernel-netlink.so
 %{strongswan_plugins}/libstrongswan-ldap.so
+%{strongswan_plugins}/libstrongswan-md4.so
 %{strongswan_plugins}/libstrongswan-md5.so
 %{strongswan_plugins}/libstrongswan-openssl.so
 %{strongswan_plugins}/libstrongswan-pem.so
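Review bot: libstrongswan-addrblock.so is shipped in the main libs0 file list, but the changes entry in this same commit says RFC3779 ipAddrBlock constraint checking moved into this plugin and that the plugin is disabled by default, so a 4.4.0 installation that relied on those constraints appears to lose the check silently after the upgrade until the admin adds addrblock to the load directives. Shipping the .so alone does not restore the old behaviour, so this deserves a line where admins actually look, in README.SUSE (Source4) and the strongswan.changes entry: `RFC3779 ipAddrBlock checking now requires the addrblock plugin to be loaded explicitly (charon.load in strongswan.conf).` Whether the packaged configuration loads it cannot be seen from this hunk.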
@@ -422,13 +477,31 @@ fi
 %{strongswan_plugins}/libstrongswan-pubkey.so
 %{strongswan_plugins}/libstrongswan-random.so
 %{strongswan_plugins}/libstrongswan-resolve.so
+%{strongswan_plugins}/libstrongswan-revocation.so
 %{strongswan_plugins}/libstrongswan-sha1.so
 %{strongswan_plugins}/libstrongswan-sha2.so
 %{strongswan_plugins}/libstrongswan-socket-dynamic.so
 %{strongswan_plugins}/libstrongswan-socket-raw.so
 %{strongswan_plugins}/libstrongswan-sql.so
 %{strongswan_plugins}/libstrongswan-x509.so
+%{strongswan_plugins}/libstrongswan-xauth.so
 %{strongswan_plugins}/libstrongswan-xcbc.so
 %dir %ghost %{_localstatedir}/run/strongswan
+%files mysql
+%defattr(-,root,root)
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-mysql.so
+
+%files sqlite
+%defattr(-,root,root)
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-sqlite.so
+
+%files tests
+%defattr(-,root,root)
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-load-tester.so
+%{strongswan_plugins}/libstrongswan-test-vectors.so
+
 %changelog
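Review bot: libstrongswan-revocation.so is new in this file list and, per the changes entry in this commit, now carries the OCSP/CRL checking that used to be built into charon, so any strongswan.conf that names plugins explicitly with `load =` keeps starting fine but silently stops checking certificate revocation unless `revocation` is added to that list. Nothing in the spec shows a packaged strongswan.conf or a %post migration step, so if one is shipped or preserved as %config across the upgrade, it needs that entry, and the changes entry should say so plainly rather than only "update manual load directives": `If you override charon.load in strongswan.conf, add "revocation" or CRL/OCSP checks are no longer performed.` Whether a default configuration file is installed at all is not visible in this hunk.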