Accepting request 521289 from network:vpn

1

OBS-URL: https://build.opensuse.org/request/show/521289
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=65

0006-fix-compilation-error-by-adding-stdint.h.patch

@@ -0,0 +1,33 @@
+From 831a9ea232f128c13c36066a704f6ccafa335244 Mon Sep 17 00:00:00 2001
+From: Nirmoy Das <ndas@suse.de>
+Date: Tue, 5 Sep 2017 11:17:16 +0200
+Subject: [PATCH] fix compilation error by adding stdint.h
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+error:
+utils/utils/memory.h:99:15: error: ‘uintptr_t’ undeclared (first use in this function); did you mean ‘__intptr_t’?
+  for (i = 0; (uintptr_t)&c[i] % sizeof(long) && i < n; i++)
+               ^~~~~~~~~
+               __intptr_t
+---
+ src/libstrongswan/utils/utils/memory.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libstrongswan/utils/utils/memory.h b/src/libstrongswan/utils/utils/memory.h
+index b978e7c..55aaaf5 100644
+--- a/src/libstrongswan/utils/utils/memory.h
++++ b/src/libstrongswan/utils/utils/memory.h
+@@ -22,6 +22,8 @@
+ #ifndef MEMORY_H_
+ #define MEMORY_H_
+ 
++#include <stdint.h>
++
+ /**
+  * Helper function that compares two binary blobs for equality
+  */
+-- 
+2.14.1
+

strongswan-5.5.3.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c5ea54b199174708de11af9b8f4ecf28b5b0743d4bc0e380e741f25b28c0f8d4
-size 4768820

strongswan-5.5.3.tar.bz2.sig

@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQGcBAABAgAGBQJZK+1/AAoJEN9CwXCzTbp3vvAMAJ6SQBu+q41eol6inaXmD1k2
-pwLgBYgMa/TG3dhvX2PxkpypratmYLY96GOy8WFP58/7z2gJL63SjCjN8MaNSZ7V
-UemJD5sEqu3lKGhR+q3Vsz/7xTBWYJSNoE1m/AdwftR6oF0CcIQLgrkjQa1OiU71
-SNqb2KFOafsSFicmhW44tdG9YFx56pzuoOgZhfDNEC9kMBKf7/rMpUeqAxsZah1I
-fETj26gYKPMZAzFdZJvcVLMT70WaHkDU3Oo3/UfIKrucLm+uvYjcrzQnP00laLvx
-LdgjuHXjXixrV92XzWCsa9Bbc39kmz2cBYlm6JPLfyON1x/DtUBdIoRcuO9y8nek
-HAiO8rLG0vyQsbhiaW5TJ6wfR/uyNGhKCIyabU90Nmo0dzVMlb5ro/1q0XcQM5Dl
-D4+FGErM3UdeDu0gj2klr1TyXwdOF6ZdlOtRBwRVH69mFz7o22Q6eGiw9o3Yf+9b
-cJCpzSQXEgZybV8XSYOzGnY9cVeD4Il4FxgYuxViXg==
-=9WTk
------END PGP SIGNATURE-----

strongswan-5.6.0.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a14dc0d92634ed52730bfc76a76db30943a28ed3c65a560066e1e9f785827b13
+size 4850722

strongswan-5.6.0.tar.bz2.sig

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQGcBAABAgAGBQJZkUjtAAoJEN9CwXCzTbp3m08L/3A4QqZMMuBMuliao4kwO4tG
+kyHD+nWMrFIK2dwu9zAMY5noiVUNcXExPgF7UTbW77Tr2s8RtkrnIUCTEJ+qYk7F
+CNX2BmdYbB9MAofkaou/xAXKgfxXVxw41DY7sK59e+VZayJ+LN9Suq413ymdF6Da
+kclM5ZoEM9X7feY+n1U2/DG199pF5sFN4dEt+kgSD4NJuZHsn+jfLVYzciHBIyk5
+d1tnUAVjVUIVfGrQ6SG2SoASIla4Qv27YszdRtzIRYVjzj+bt4gX2ORkpChLGg6M
+an50EM6yDBdDDyF+muNKl8OaE6YaAmIBKuftn/Rlx8kILzUTtiKk+6au699XaW/H
+dMdHgb8AsyTi/nudz/nYfHUyYIbalOLwttG8qh3U+qCZ9ZbXy6wi9HB8FBPUNRru
+UBd1Y+kh7FMicZprlr5xGxJ78vi7avV9HOjxIZldfoAaP/AO9l4fXYs2AVzZRalJ
+eCwB7EHznJ/KVoKZ9MpXp6ne3iPGLYsoo92B8OXY3g==
+=ZRFr
+-----END PGP SIGNATURE-----

strongswan.changes

@@ -1,7 +1,44 @@
+-------------------------------------------------------------------
+Tue Sep  5 17:10:11 CEST 2017 - ndas@suse.de
+
+- Updated to strongSwan 5.6.0 providing the following changes:
+    *Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation
+    when verifying RSA signatures, which requires decryption with the operation m^e mod n,
+    where m is the signature, and e and n are the exponent and modulus of the public key.
+    The value m is an integer between 0 and n-1, however, the gmp plugin did not verify this.
+    So if m equals n the calculation results in 0, in which case mpz_export() returns NULL.
+    This result wasn't handled properly causing a null-pointer dereference.
+    This vulnerability has been registered as CVE-2017-11185. (bsc#1051222)
+
+    *New SWIMA IMC/IMV pair implements the draft-ietf-sacm-nea-swima-patnc Internet
+    Draft and has been demonstrated at the IETF 99 Prague Hackathon.
+
+    *The IMV database template has been adapted to achieve full compliance with the
+    ISO 19770-2:2015 SWID tag standard.
+
+    *The pt-tls-client can attach and use TPM 2.0 protected private keys via the --keyid parameter.
+
+    *By default the /etc/swanctl/conf.d directory is created and *.conf files in it are included in the default
+    swanctl.conf file.
+    
+    *The curl plugin now follows HTTP redirects (configurable via strongswan.conf).
+
+    *The CHILD_SA rekeying was fixed in charon-tkm and the behavior is refined a bit more since 5.5.3
+
+    *libtpmtss supports Intel's TSS2 Architecture Broker and Resource Manager interface (tcti-tabrmd).
+
+    * more on https://wiki.strongswan.org/versions/66
+
+-------------------------------------------------------------------
+Tue Sep  5 11:33:01 CEST 2017 - ndas@suse.de
+
+- fix "uintptr_t’ undeclared" compilation error.
+  [+0006-fix-compilation-error-by-adding-stdint.h.patch]
+
 -------------------------------------------------------------------
 Mon Jul 31 18:30:28 CEST 2017 - ndas@suse.de
 
-- Updated to strongSwan 5.3.5 providing the following changes:
+- Updated to strongSwan 5.3.5(bsc#1050691) providing the following changes:
     *Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input
     validation when verifying RSA signatures. More specifically, mpz_powm_sec() has two
     requirements regarding the passed exponent and modulus that the plugin did not

strongswan.spec

@@ -17,7 +17,7 @@
 
 
 Name:           strongswan
-Version:        5.5.3
+Version:        5.6.0
 Release:        0
 %define         upstream_version     %{version}
 %define         strongswan_docdir    %{_docdir}/%{name}
@@ -83,6 +83,7 @@ Patch3:         %{name}_fipscheck.patch
 Patch4:         %{name}_fipsfilter.patch
 %endif
 Patch5:         0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
+Patch6:         0006-fix-compilation-error-by-adding-stdint.h.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  curl-devel
@@ -294,6 +295,7 @@ and the load testing plugin for IKEv2 daemon.
 %patch4 -p1
 %endif
 %patch5 -p1
+%patch6 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g'    \
      < $RPM_SOURCE_DIR/strongswan.init.in \
      > strongswan.init
@@ -495,9 +497,9 @@ install -c -m644 ${RPM_SOURCE_DIR}/fips-enforce.conf \
 		 $RPM_BUILD_ROOT%{_libexecdir}/ipsec/starter \
 		 $RPM_BUILD_ROOT%{_libexecdir}/ipsec/pool \
 		 $RPM_BUILD_ROOT%{_libexecdir}/ipsec/scepclient \
-		 $RPM_BUILD_ROOT%{_libexecdir}/ipsec/pt-tls-client \
 		 $RPM_BUILD_ROOT%{_libexecdir}/ipsec/imv_policy_manager \
 		 $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_fipscheck \
+		 $RPM_BUILD_ROOT%{_bindir}/pt-tls-client \
 		 $RPM_BUILD_ROOT%{_sbindir}/ipsec \
 		;
 	do
@@ -568,6 +570,7 @@ fi
 %{_libexecdir}/ipsec/_fipscheck
 %{_libexecdir}/ipsec/.*.hmac
 %{_sbindir}/.ipsec.hmac
+%{_bindir}/.pt-tls-client.hmac
 %endif
 
 %files ipsec
@@ -594,9 +597,11 @@ fi
 %{_sbindir}/rcipsec
 %endif
 %{_bindir}/pki
+%{_bindir}/pt-tls-client
 %{_sbindir}/ipsec
 %{_sbindir}/swanctl
 %{_mandir}/man1/pki*.1*
+%{_mandir}/man1/pt-tls-client.1*
 %{_mandir}/man8/ipsec.8*
 %{_mandir}/man5/ipsec.conf.5*
 %{_mandir}/man5/ipsec.secrets.5*
@@ -609,7 +614,6 @@ fi
 %endif
 %{_libexecdir}/ipsec/duplicheck
 %{_libexecdir}/ipsec/pool
-%{_libexecdir}/ipsec/pt-tls-client
 %{_libexecdir}/ipsec/scepclient
 %{_libexecdir}/ipsec/starter
 %{_libexecdir}/ipsec/stroke