diff --git a/0006-fix-compilation-error-by-adding-stdint.h.patch b/0006-fix-compilation-error-by-adding-stdint.h.patch
index 3f33240..7e9a923 100644
--- a/0006-fix-compilation-error-by-adding-stdint.h.patch
+++ b/0006-fix-compilation-error-by-adding-stdint.h.patch
@@ -15,10 +15,10 @@ utils/utils/memory.h:99:15: error: ‘uintptr_t’ undeclared (first use in this
 src/libstrongswan/utils/utils/memory.h | 2 ++
 1 file changed, 2 insertions(+)
-diff --git a/src/libstrongswan/utils/utils/memory.h b/src/libstrongswan/utils/utils/memory.h
-index b978e7c..55aaaf5 100644
---- a/src/libstrongswan/utils/utils/memory.h
-+++ b/src/libstrongswan/utils/utils/memory.h
+Index: strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h
+===================================================================
+--- strongswan-5.6.2.orig/src/libstrongswan/utils/utils/memory.h 2017-08-14 08:48:41.000000000 +0200
++++ strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h 2018-04-17 16:53:57.590335103 +0200
 @@ -22,6 +22,8 @@
 #ifndef MEMORY_H_
 #define MEMORY_H_
@@ -28,6 +28,3 @@ index b978e7c..55aaaf5 100644
 /**
 * Helper function that compares two binary blobs for equality
 */
---
-2.14.1
-
diff --git a/strongswan-5.6.0.tar.bz2 b/strongswan-5.6.0.tar.bz2
deleted file mode 100644
index 45047e3..0000000
--- a/strongswan-5.6.0.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a14dc0d92634ed52730bfc76a76db30943a28ed3c65a560066e1e9f785827b13
-size 4850722
diff --git a/strongswan-5.6.0.tar.bz2.sig b/strongswan-5.6.0.tar.bz2.sig
deleted file mode 100644
index c9ad79b..0000000
--- a/strongswan-5.6.0.tar.bz2.sig
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQGcBAABAgAGBQJZkUjtAAoJEN9CwXCzTbp3m08L/3A4QqZMMuBMuliao4kwO4tG
-kyHD+nWMrFIK2dwu9zAMY5noiVUNcXExPgF7UTbW77Tr2s8RtkrnIUCTEJ+qYk7F
-CNX2BmdYbB9MAofkaou/xAXKgfxXVxw41DY7sK59e+VZayJ+LN9Suq413ymdF6Da
-kclM5ZoEM9X7feY+n1U2/DG199pF5sFN4dEt+kgSD4NJuZHsn+jfLVYzciHBIyk5
-d1tnUAVjVUIVfGrQ6SG2SoASIla4Qv27YszdRtzIRYVjzj+bt4gX2ORkpChLGg6M
-an50EM6yDBdDDyF+muNKl8OaE6YaAmIBKuftn/Rlx8kILzUTtiKk+6au699XaW/H
-dMdHgb8AsyTi/nudz/nYfHUyYIbalOLwttG8qh3U+qCZ9ZbXy6wi9HB8FBPUNRru
-UBd1Y+kh7FMicZprlr5xGxJ78vi7avV9HOjxIZldfoAaP/AO9l4fXYs2AVzZRalJ
-eCwB7EHznJ/KVoKZ9MpXp6ne3iPGLYsoo92B8OXY3g==
-=ZRFr
------END PGP SIGNATURE-----
diff --git a/strongswan-5.6.0-rpmlintrc b/strongswan-5.6.2-rpmlintrc
similarity index 100%
rename from strongswan-5.6.0-rpmlintrc
rename to strongswan-5.6.2-rpmlintrc
diff --git a/strongswan-5.6.2.tar.bz2 b/strongswan-5.6.2.tar.bz2
new file mode 100644
index 0000000..acb1b03
--- /dev/null
+++ b/strongswan-5.6.2.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e0a60a30ebf3c534c223559e1686497a21ded709a5d605c5123c2f52bcc22e92
+size 4977859
diff --git a/strongswan-5.6.2.tar.bz2.sig b/strongswan-5.6.2.tar.bz2.sig
new file mode 100644
index 0000000..6aa1721
--- /dev/null
+++ b/strongswan-5.6.2.tar.bz2.sig
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQGcBAABAgAGBQJaiq4/AAoJEN9CwXCzTbp3ps8L/0Q5o49SWOozYIGHLsO/9y3B
+0rXzGdKlkFyysTNBf8BlrUh6U21D5g9ENO8OFofOAaseTzOwN9uUygiHggfF9WhG
+p0vq9kiFtW6i7fYyK2hbfo1GzIPPP5T78dJqqzP3cQp21ycLHskZPMpytUkxn1rb
+vA1IFy74GIeMZqB9dbBIyTiXIPGrJjvjeuVAkI5XWu6+sOmHz/utYz17EF4oeTTg
+PYJ2mvGQvgZPWh2Y4Vh4riMXFr9RBF+I/aSJ/e0Q4yuwwc2+83TShGyuZQmSG3jI
+bMwnBkSGpT2KMIb0PtSzB7zvnll+Dosr3hyWNZ+MaqzIwQpo051IKF0ZaJSpoZnZ
+rKVUIMriTa+N4AFkYFC60pJAZ61xUw5Wm/LTfHckHm0n7qK9CzWv2oNj5jboTmw7
+tpx7F27+iDO0/DUaBXuqTDThBXElN+e7p2/GSTnw9Y3N5jWnmgVyZHkhxggNzf4G
+0W2UcEgNmpP0gbJ3U0BnKv3CN5VQuxBpz2K2tKiJwg==
+=L2B6
+-----END PGP SIGNATURE-----
diff --git a/strongswan.changes b/strongswan.changes
index fa8c620..069e0f1 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,71 @@
+-------------------------------------------------------------------
+Tue Apr 17 13:24:38 UTC 2018 - bjorn.lie@gmail.com
+
+- Update to version 5.6.2:
+ * Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS
+ signatures that was caused by insufficient input validation.
+ One of the configurable parameters in algorithm identifier
+ structures for RSASSA-PSS signatures is the mask generation
+ function (MGF). Only MGF1 is currently specified for this
+ purpose. However, this in turn takes itself a parameter that
+ specifies the underlying hash function. strongSwan's parser did
+ not correctly handle the case of this parameter being absent,
+ causing an undefined data read. This vulnerability has been
+ registered as CVE-2018-6459.
+ * When rekeying IKEv2 IKE_SAs the previously negotiated DH group
+ will be reused, instead of using the first configured group,
+ which avoids an additional exchange if the peer previously
+ selected a different DH group via INVALID_KE_PAYLOAD notify.
+ The same is also done when rekeying CHILD_SAs except for the
+ first rekeying of the CHILD_SA that was created with the
+ IKE_SA, where no DH group was negotiated yet. Also, the
+ selected DH group is moved to the front in all sent proposals
+ that contain it and all proposals that don't are moved to the
+ back in order to convey the preference for this group to the
+ peer.
+ * Handling of MOBIKE task queuing has been improved. In
+ particular, the response to an address update (with NAT-D
+ payloads) is not ignored anymore if only an address list update
+ or DPD is queued as that could prevent updating the UDP
+ encapsulation in the kernel.
+ * On Linux, roam events may optionally be triggered by changes to
+ the routing rules, which can be useful if routing rules
+ (instead of e.g. route metrics) are used to switch from one to
+ another interface (i.e. from one to another routing table).
+ Since routing rules are currently not evaluated when doing
+ route lookups this is only useful if the kernel-based route
+ lookup is used (4664992f7d).
+ * The fallback drop policies installed to avoid traffic leaks
+ when replacing addresses in installed policies are now replaced
+ by temporary drop policies, which also prevent acquires because
+ we currently delete and reinstall IPsec SAs to update their
+ addresses (35ef1b032d).
+ * Access X.509 certificates held in non-volatile storage of a TPM
+ 2.0 referenced via the NV index.
+ * Adding the --keyid parameter to pki --print allows to print
+ private keys or certificates stored in a smartcard or a TPM
+ 2.0.
+ * Fixed proposal selection if a peer incorrectly sends DH groups
+ in the ESP proposal during IKE_AUTH and also if a DH group is
+ configured in the local ESP proposal and
+ charon.prefer_configured_proposals is disabled (d058fd3c32).
+ * The lookup for PSK secrets for IKEv1 has been improved for
+ certain scenarios (see #2497 for details).
+ * MSKs received via RADIUS are now padded to 64 bytes to avoid
+ compatibility issues with EAP-MSCHAPv2 and PRFs that have a
+ block size < 64 bytes (e.g. AES-XCBC-PRF-128, see 73cbce6013).
+ * The tpm_extendpcr command line tool extends a digest into a TPM
+ PCR.
+ * Ported the NetworkManager backend from the deprecated
+ libnm-glib to libnm.
+ * The save-keys debugging/development plugin saves IKE and/or ESP
+ keys to files compatible with Wireshark.
+- Following upstreams port, replace NetworkManager-devel with
+ pkgconfig(libnm) BuildRequires.
+- Refresh patches with quilt.
+- Disable strongswan_fipsfilter.patch, needs rebase or dropping,
+ the file it patches no longer exists in tarball.
+
 -------------------------------------------------------------------
 Fri Mar 16 08:55:10 UTC 2018 - mmnelemane@suse.com
diff --git a/strongswan.spec b/strongswan.spec
index 41764ab..3153cb2 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -17,7 +17,7 @@ Name: strongswan -Version: 5.6.0 +Version: 5.6.2 Release: 0 %define upstream_version %{version} %define strongswan_docdir %{_docdir}/%{name} @@ -62,7 +62,7 @@ Release: 0 %bcond_with systemd %endif Summary: IPsec-based VPN solution -License: GPL-2.0+ +License: GPL-2.0-or-later Group: Productivity/Networking/Security Url: http://www.strongswan.org/ Requires: strongswan-ipsec = %{version} @@ -80,6 +80,7 @@ Patch1: %{name}_modprobe_syslog.patch Patch2: %{name}_ipsec_service.patch %if %{with fipscheck} Patch3: %{name}_fipscheck.patch +# Patch4 needs rebase, file it patches no longer exists in tarball. Patch4: %{name}_fipsfilter.patch %endif Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch @@ -107,7 +108,7 @@ BuildRequires: sqlite3-devel BuildRequires: libgcrypt-devel %endif %if %{with nm} -BuildRequires: NetworkManager-devel +BuildRequires: pkgconfig(libnm) %endif %if %{with systemd} %{?systemd_requires} @@ -253,11 +254,12 @@ and the load testing plugin for IKEv2 daemon. %prep %setup -q -n %{name}-%{upstream_version} -%patch1 -p0 -%patch2 -p0 +%patch1 -p1 +%patch2 -p1 %if %{with fipscheck} %patch3 -p1 -%patch4 -p1 +# Needs rebase, file it patches no longer exists. +#patch4 -p1 %endif %patch5 -p1 %patch6 -p1 @@ -617,6 +619,7 @@ fi %config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/counters.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf %if %{with afalg} 
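Review bot: Commenting out `%patch4 -p1` inside `%if %{with fipscheck}` (the `@@ -253,11 +254,12 @@` hunk) means a fipscheck build now completes without the fipsfilter change it used to carry, and nothing in the spec makes that visible — the `Patch4:` tag kept in the `@@ -80,6 +80,7 @@` hunk still lists the file as a required source, yet it is never applied. If the patch is obsolete, drop the `Patch4:` tag and the `%patch4` line together; if it still matters for FIPS builds, fail loudly until it is rebased, e.g. replace the commented-out line with `%{error:strongswan_fipsfilter.patch needs a rebase for %{version}}`. Writing `#patch4` rather than `#%patch4` is the right form, since rpm still expands macros inside spec comments.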
@@ -671,6 +674,7 @@ fi %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mgf1.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf @@ -742,6 +746,7 @@ fi %{strongswan_plugins}/libstrongswan-ccm.so %{strongswan_plugins}/libstrongswan-certexpire.so %{strongswan_plugins}/libstrongswan-cmac.so +%{strongswan_plugins}/libstrongswan-counters.so %{strongswan_plugins}/libstrongswan-constraints.so %{strongswan_plugins}/libstrongswan-coupling.so %{strongswan_plugins}/libstrongswan-ctr.so @@ -784,6 +789,7 @@ fi %{strongswan_plugins}/libstrongswan-led.so %{strongswan_plugins}/libstrongswan-md4.so %{strongswan_plugins}/libstrongswan-md5.so +%{strongswan_plugins}/libstrongswan-mgf1.so %{strongswan_plugins}/libstrongswan-nonce.so %{strongswan_plugins}/libstrongswan-openssl.so %{strongswan_plugins}/libstrongswan-pem.so @@ -842,6 +848,7 @@ fi %{strongswan_templates}/config/plugins/ccm.conf %{strongswan_templates}/config/plugins/certexpire.conf %{strongswan_templates}/config/plugins/cmac.conf +%{strongswan_templates}/config/plugins/counters.conf %{strongswan_templates}/config/plugins/constraints.conf %{strongswan_templates}/config/plugins/coupling.conf %{strongswan_templates}/config/plugins/ctr.conf 
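Review bot: In the `@@ -742,6 +746,7 @@` hunk `%{strongswan_plugins}/libstrongswan-counters.so` is inserted between cmac and constraints, but the surrounding list is alphabetical and `counters` sorts after `constraints` and before `coupling`; the same misplacement is repeated for `%{strongswan_templates}/config/plugins/counters.conf` in the `@@ -842,6 +848,7 @@` hunk. Moving each new line to directly after its `constraints` entry keeps the lists sorted and avoids a duplicate being added at the "right" place later. The `mgf1` entries and the `counters.conf` line in the `%{strongswan_configs}` section are already in order.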
@@ -884,6 +891,7 @@ fi %{strongswan_templates}/config/plugins/led.conf %{strongswan_templates}/config/plugins/md4.conf %{strongswan_templates}/config/plugins/md5.conf +%{strongswan_templates}/config/plugins/mgf1.conf %{strongswan_templates}/config/plugins/nonce.conf %{strongswan_templates}/config/plugins/openssl.conf %{strongswan_templates}/config/plugins/pem.conf diff --git a/strongswan_ipsec_service.patch b/strongswan_ipsec_service.patch index ab8b13b..2e7f569 100644 --- a/strongswan_ipsec_service.patch +++ b/strongswan_ipsec_service.patch @@ -1,6 +1,8 @@ ---- init/systemd/strongswan.service.in -+++ init/systemd/strongswan.service.in 2012/10/31 15:21:11 -@@ -8,3 +8,4 @@ StandardOutput=syslog +Index: strongswan-5.6.2/init/systemd/strongswan.service.in +=================================================================== +--- strongswan-5.6.2.orig/init/systemd/strongswan.service.in 2017-02-07 08:04:04.000000000 +0100 ++++ strongswan-5.6.2/init/systemd/strongswan.service.in 2018-04-17 16:53:57.546334751 +0200 +@@ -9,3 +9,4 @@ Restart=on-abnormal [Install] WantedBy=multi-user.target diff --git a/strongswan_modprobe_syslog.patch b/strongswan_modprobe_syslog.patch index 9e71673..30c021c 100644 --- a/strongswan_modprobe_syslog.patch +++ b/strongswan_modprobe_syslog.patch @@ -1,5 +1,7 @@ ---- src/starter/klips.c -+++ src/starter/klips.c 2012/10/30 17:07:23 +Index: strongswan-5.6.2/src/starter/klips.c +=================================================================== +--- strongswan-5.6.2.orig/src/starter/klips.c 2016-04-22 22:01:35.000000000 +0200 ++++ strongswan-5.6.2/src/starter/klips.c 2018-04-17 16:53:57.534334655 +0200 @@ -30,7 +30,7 @@ bool starter_klips_init(void) /* ipsec module makes the pf_key proc interface visible */ if (stat(PROC_MODULES, &stb) == 0) 
@@ -22,9 +24,11 @@ DBG2(DBG_APP, "found KLIPS IPsec stack"); return TRUE; ---- src/starter/netkey.c -+++ src/starter/netkey.c 2012/10/30 17:07:02 -@@ -31,7 +31,7 @@ bool starter_netkey_init(void) +Index: strongswan-5.6.2/src/starter/netkey.c +=================================================================== +--- strongswan-5.6.2.orig/src/starter/netkey.c 2016-04-22 22:01:35.000000000 +0200 ++++ strongswan-5.6.2/src/starter/netkey.c 2018-04-17 16:53:57.534334655 +0200 +@@ -30,7 +30,7 @@ bool starter_netkey_init(void) /* af_key module makes the netkey proc interface visible */ if (stat(PROC_MODULES, &stb) == 0) { @@ -33,7 +37,7 @@ } /* now test again */ -@@ -45,11 +45,11 @@ bool starter_netkey_init(void) +@@ -44,11 +44,11 @@ bool starter_netkey_init(void) /* make sure that all required IPsec modules are loaded */ if (stat(PROC_MODULES, &stb) == 0) {