Commit Graph

104 Commits

Author SHA256 Message Date
3ce027ac91 - Update to release 5.9.9
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=140
2023-01-03 13:25:43 +00:00
b632de741c - Update to release 5.9.8
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=138
2022-10-03 23:19:08 +00:00
ae2f35131d heed changelog syntax requirements
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=137
2022-07-30 09:44:05 +00:00
abbd490880 Accepting request 991798 from home:p_conrad:branches
This resolves one issue in particular that caused failures in Tumbleweed, see https://forums.opensuse.org/showthread.php/569960-Latest-strongswan-ipsec-crashes-on-startup .

- Update to release 5.9.7
  * The IKEv2 key derivation is now delayed until the keys are actually needed to process or send the next message.
  * Inbound IKEv2 messages, in particular requests, are now processed differently.
  * The retransmission logic in the dhcp plugin has been fixed (#1154).
  * The connmark plugin now considers configured masks in installed firewall rules (#1087).
  * Child config selection has been fixed as responder in cases where multiple children use transport mode traffic selectors (#1143).
  * The outbound SA/policy is now also removed after IKEv1 CHILD_SA rekeyings (#1041).
  * The openssl plugin supports AES and Camellia in CTR mode (112bb46).
  * The AES-XCBC/CMAC PRFs are demoted in the default proposal (after HMAC-based PRFs) since they were never widely adopted
  * The kdf plugin is now automatically enabled if any of the aesni, cmac or xcbc plugins are enabled, or if none of the plugins that directly provide HMAC-based KDFs are enabled (botan, openssl or wolfssl).
  * The CALLBACK macros (and some other issues) have been fixed when compiling with GCC 12 (#1053).

OBS-URL: https://build.opensuse.org/request/show/991798
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=136
2022-07-30 09:43:14 +00:00
0bed40c9cb - Update to release 5.9.6
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=135
2022-04-30 08:43:01 +00:00
e1b454dc30 Accepting request 962674 from home:msmeissn:branches:network:vpn
resubmit without hacky namespace change


- prf-plus-modularization.patch: updated from upstream branch
  after certifier feedback, SKEYSEED generated via HKDF-Extract.

OBS-URL: https://build.opensuse.org/request/show/962674
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=134
2022-03-21 14:06:21 +00:00
00a00a6acf Accepting request 960489 from home:msmeissn:branches:network:vpn
- Added prf-plus-modularization.patch that outsources the IKE 
  key derivation to openssl. (will be merged to 5.9.6)
- package the kdf config, template and plugin

OBS-URL: https://build.opensuse.org/request/show/960489
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=133
2022-03-09 18:30:05 +00:00
08b9de7ac5 Accepting request 950382 from home:msmeissn:branches:network:vpn
add more references for later sle import

OBS-URL: https://build.opensuse.org/request/show/950382
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=132
2022-02-01 11:40:00 +00:00
61572aaddb - Update to release 5.9.5
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=131
2022-01-26 12:33:44 +00:00
d2eb7d5564 Accepting request 949255 from home:msmeissn:branches:network:vpn
This adds bug references to changes file that are in SLES 15 SP2,
to allow potential reintegration to SLES.

old: network:vpn/strongswan
new: home:msmeissn:branches:network:vpn/strongswan rev None
Index: strongswan.changes
===================================================================
--- strongswan.changes (revision 129)
+++ strongswan.changes (revision 2)
@@ -12,12 +12,12 @@
     was caused by an integer overflow when processing RSASSA-PSS
     signatures with very large salt lengths. This vulnerability has
     been registered as CVE-2021-41990. Please refer to our blog for
-    details.
+    details. (bsc#1191367)
   * Fixed a denial-of-service vulnerability in the in-memory
     certificate cache if certificates are replaced and a very large
     random value caused an integer overflow. This vulnerability has
     been registered as CVE-2021-41991. Please refer to our blog for
-    details.
+    details. (bsc#1191435)
   * Fixed a related flaw that caused the daemon to accept and cache
     an infinite number of versions of a valid certificate by
     modifying the parameters in the signatureAlgorithm field of the
@@ -46,7 +46,7 @@
 - Update to version 5.9.3:
   * Added AES-ECB, SHA-3 and SHAKE-256 support to the wolfssl
     plugin.
-  * Added AES-CCM support to the openssl plugin (#353).
+  * Added AES-CCM support to the openssl plugin (#353 bsc#1185363).
   * The x509 and the openssl plugins now consider the
     authorityKeyIdentifier, if available, before verifying
     signatures, which avoids unnecessary signature verifications
@@ -70,6 +70,9 @@
 - Replace libsoup-devel with pkgconfig(libsoup-2.4) BuildRequires,
   as this is what really checks for. Needed as libsoup-3.0 is
   released.
+- 5.9.1
+  - README: added a missing " to pki example command (bsc#1167880)
+  - fixed a libgcrypt call in FIPS mode (bsc#1180801)
 
 -------------------------------------------------------------------
 Mon Sep  7 08:38:01 UTC 2020 - Jan Engelhardt <jengelh@inai.de>

OBS-URL: https://build.opensuse.org/request/show/949255
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=130
2022-01-26 12:24:59 +00:00
0e5610efdc Accepting request 933481 from home:jsegitz:branches:systemdhardening:network:vpn
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/933481
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=129
2021-11-27 14:21:41 +00:00
9d37f89cf7 Accepting request 933151 from home:iznogood:branches:network:vpn
- Update to version 5.9.4:
  * Fixed a denial-of-service vulnerability in the gmp plugin that
    was caused by an integer overflow when processing RSASSA-PSS
    signatures with very large salt lengths. This vulnerability has
    been registered as CVE-2021-41990. Please refer to our blog for
    details.
  * Fixed a denial-of-service vulnerability in the in-memory
    certificate cache if certificates are replaced and a very large
    random value caused an integer overflow. This vulnerability has
    been registered as CVE-2021-41991. Please refer to our blog for
    details.
  * Fixed a related flaw that caused the daemon to accept and cache
    an infinite number of versions of a valid certificate by
    modifying the parameters in the signatureAlgorithm field of the
    outer X.509 Certificate structure.
  * AUTH_LIFETIME notifies are now only sent by a responder if it
    can't reauthenticate the IKE_SA itself due to asymmetric
    authentication (i.e. EAP) or the use of virtual IPs.
  * Several corner cases with reauthentication have been fixed
    (48fbe1d, 36161fe, 0d373e2).
  * Serial number generation in several pki sub-commands has been
    fixed so they don't start with an unintended zero byte.
  * Loading SSH public keys via vici has been improved.
  * Shared secrets, PEM files, vici messages, PF_KEY messages,
    swanctl configs and other data is properly wiped from memory.
  * Use a longer dummy key to initialize HMAC instances in the
    openssl plugin in case it's used in FIPS-mode.
  * The --enable-tpm option now implies --enable-tss-tss2 as the
    plugin doesn't do anything without a TSS 2.0.
  * libtpmtss is initialized in all programs and libraries that use
    it.
  * Migrated testing scripts to Python 3.

OBS-URL: https://build.opensuse.org/request/show/933151
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=128
2021-11-22 20:53:44 +00:00
22be53cdf9 Accepting request 921885 from home:iznogood:branches:network:vpn
- Update to version 5.9.3:
  * Added AES-ECB, SHA-3 and SHAKE-256 support to the wolfssl
    plugin.
  * Added AES-CCM support to the openssl plugin (#353).
  * The x509 and the openssl plugins now consider the
    authorityKeyIdentifier, if available, before verifying
    signatures, which avoids unnecessary signature verifications
    after a CA key rollover if both CA certificates are loaded.
    The openssl plugin now does the same also for CRLs (the x509
    plugin already did).
  * The pkcs11 plugin better handles optional attributes like
    CKA_TRUSTED, which previously depended on a version check.
  * The NetworkManager backend (charon-nm) now supports using SANs
    as client identities, not only full DNs (#437).
  * charon-tkm now handles IKE encryption.
  * Send a MOBIKE update again if a a change in the NAT mappings is
    detected but the endpoints stay the same (e143a7d).
  * A deadlock in the HA plugin introduced with 5.9.2 has been
    fixed (#456).
  * DSCP values are now also set for NAT keepalives.
  * The ike_derived_keys() hook now receives more keys but in a
    different order (4e29d6f).
  * Converted most of the test case scenarios to the vici
    interface.
- Replace libsoup-devel with pkgconfig(libsoup-2.4) BuildRequires,
  as this is what really checks for. Needed as libsoup-3.0 is
  released.

OBS-URL: https://build.opensuse.org/request/show/921885
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=127
2021-09-28 09:20:42 +00:00
2a35cd6ca5 - Update to release 5.9.0
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=126
2020-09-07 08:40:36 +00:00
b9f4a82f2e - Enable bypass-lan strongswan plugin
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=124
2020-09-01 16:31:18 +00:00
29d549ad98 Accepting request 800173 from home:iznogood:branches:network:vpn
- Update to version 5.8.4:
  * In IKEv1 Quick Mode make sure that a proposal exists before
    determining lifetimes (fixes a crash due to a null-pointer
    dereference in 5.8.3).
  * OpenSSL currently doesn't support squeezing bytes out of a
    SHAKE128/256 XOF (support was added with 5.8.3) multiple times.
    Unfortunately, EVP_DigestFinalXOF() completely resets the
    context and later calls not simply fail, they cause a
    null-pointer dereference in libcrypto. c5c1898d73 fixes the
    crash at the cost of repeating initializing the whole state and
    allocating too much data for subsequent calls (hopefully, once
    the OpenSSL issue 7894 is resolved we can implement this more
    efficiently).
  * On 32-bit platforms, reading arbitrary 32-bit integers from
    config files (e.g. for charon.spi_min/max) has been fixed.
  * charon-nm now allows using fixed source ports.
- Changes from version 5.8.3:
  * Updates for the NM plugin (and backend, which has to be updated
    to be compatible):
    + EAP-TLS authentication (#2097)
    + Certificate source (file, agent, smartcard) is selectable
      independently
    + Add support to configure local and remote identities (#2581)
    + Support configuring a custom server port (#625)
    + Show hint regarding password storage policy
    + Replaced the term "gateway" with "server"
    + Fixes build issues due to use of deprecated GLib
      macros/functions
    + Updated Glade file to GTK 3.2
  * The NM backend now supports reauthentication and redirection.
  * Previously used reqids are now reallocated, which works around
    an issue on FreeBSD where the kernel doesn't allow the daemon
    to use reqids > 16383 (#2315).
  * On Linux, throw type routes are installed in table 220 for
    passthrough policies. The kernel will then fall back on routes
    in routing tables with lower priorities for matching traffic.
    This way, they require less information (e.g. no interface or
    source IP) and can be installed earlier and are not affected by
    updates.
  * For IKEv1, the lifetimes of the actually selected transform are
    returned to the initiator, which is an issue if the peer uses
    different lifetimes for different transforms (#3329). We now
    also return the correct transform and proposal IDs (proposal ID
    was always 0, transform ID 1). IKE_SAs are now not
    re-established anymore (e.g. after several retransmits) if a
    deletion has been queued (#3335).
  * Added support for Ed448 keys and certificates via openssl
    plugin and pki tool.
  * Added support for SHA-3 and SHAKE128/256 in the openssl plugin.
  * The use of algorithm IDs from the private use range can now be
    enabled globally, to use them even if no strongSwan vendor ID
    was exchanged (05e373aeb0).
  * Fixed a compiler issue that may have caused invalid keyUsage
    extensions in certificates (#3249).
  * A lot of spelling fixes.
  * Fixed several reported issues.
- Drop 0006-Resolve-multiple-definition-of-swanctl_dir.patch: Fixed
  upstream.

OBS-URL: https://build.opensuse.org/request/show/800173
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=122
2020-05-04 22:37:00 +00:00
8b73a0ccc0 Accepting request 790268 from home:mmnelemane:branches:network:vpn
Fix for multiple definitions of swanctl_dir (bsc#1164493)

OBS-URL: https://build.opensuse.org/request/show/790268
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=121
2020-03-31 16:48:51 +00:00
faa4319798 Accepting request 774999 from home:ojkastl_buildservice:branches:network:vpn
move file %{_datadir}/dbus-1/system.d/nm-strongswan-service.conf to strongswan-nm subpackage, as it is needed for the NetworkManager plugin that uses strongswan-nm, not strongswan-ipsec (upstream issue https://wiki.strongswan.org/issues/3339)

OBS-URL: https://build.opensuse.org/request/show/774999
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=120
2020-02-17 20:41:20 +00:00
2811ed33c6 Accepting request 768830 from home:iznogood:branches:network:vpn
- Drop upstream fixed patches:
  * strongswan_modprobe_syslog.patch
  * strongswan_fipsfilter.patch
  * 0006-fix-compilation-error-by-adding-stdint.h.patch

OBS-URL: https://build.opensuse.org/request/show/768830
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=119
2020-02-03 14:33:45 +00:00
Madhu Mohan Nelemane
152d7b558c osc copypac from project:openSUSE:Factory package:strongswan revision:70
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=118
2020-01-30 15:50:32 +00:00
Madhu Mohan Nelemane
b84f3a369a osc copypac from project:openSUSE:Leap:15.2 package:strongswan revision:16
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=117
2020-01-30 09:34:36 +00:00
f51dbccc77 Add note about service name change
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=115
2020-01-26 09:22:43 +00:00
509c30e68d Accepting request 761676 from home:iznogood:branches:network:vpn
- Update to version 5.8.2:
  * Fix CVE-2018-17540, CVE-2018-16151 and CVE-2018-16152.
  * boo#1109845 and boo#1107874.
- Please check included NEWS file for info on what other changes
  that have been done in versions 5.8.2, 5.8.1 5.8.0, 5.7.2, 5.7.1
  and 5.7.0.
- Rebase strongswan_ipsec_service.patch.
- Disable patches that need rebase or dropping:
  * strongswan_modprobe_syslog.patch
  * 0006-fix-compilation-error-by-adding-stdint.h.patch
- Add conditional pkgconfig(libsystemd) BuildRequires: New
  dependency.

OBS-URL: https://build.opensuse.org/request/show/761676
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=114
2020-01-26 08:50:51 +00:00
Madhu Mohan Nelemane
876d8e4544 Accepting request 614748 from home:iznogood:branches:network:vpn
New stable rel, fix CVS's

OBS-URL: https://build.opensuse.org/request/show/614748
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=112
2018-07-19 15:17:25 +00:00
Madhu Mohan Nelemane
6fe1f53373 Accepting request 597862 from GNOME:Next
New upstream release.

OBS-URL: https://build.opensuse.org/request/show/597862
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=110
2018-06-02 09:22:27 +00:00
Madhu Mohan Nelemane
1857167427 Accepting request 587821 from home:mmnelemane:branches:network:vpn
Removed unused requires and macro calls(bsc#1083261)

OBS-URL: https://build.opensuse.org/request/show/587821
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=108
2018-03-22 11:11:56 +00:00
Dominique Leuenberger
4ee9977c46 Accepting request 534431 from home:jengelh:branches:network:vpn
- Update summaries and descriptions. Trim filler words and
  author list.
- Drop %if..%endif guards that are idempotent and do not affect
  the build result.
- Replace old $RPM_ shell variables.

OBS-URL: https://build.opensuse.org/request/show/534431
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=106
2018-02-06 17:07:40 +00:00
Nirmoy Das
062c69a06d Accepting request 521273 from home:ndas:branches:network:vpn
- Updated to strongSwan 5.6.0 providing the following changes:
    *Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation
    when verifying RSA signatures, which requires decryption with the operation m^e mod n,
    where m is the signature, and e and n are the exponent and modulus of the public key.
    The value m is an integer between 0 and n-1, however, the gmp plugin did not verify this.
    So if m equals n the calculation results in 0, in which case mpz_export() returns NULL.
    This result wasn't handled properly causing a null-pointer dereference.
    This vulnerability has been registered as CVE-2017-11185. (bsc#1051222)
    *New SWIMA IMC/IMV pair implements the draft-ietf-sacm-nea-swima-patnc Internet
    Draft and has been demonstrated at the IETF 99 Prague Hackathon.
    *The IMV database template has been adapted to achieve full compliance with the
    ISO 19770-2:2015 SWID tag standard.
    *The pt-tls-client can attach and use TPM 2.0 protected private keys via the --keyid parameter.
    *By default the /etc/swanctl/conf.d directory is created and *.conf files in it are included in the default
    swanctl.conf file.
    
    *The curl plugin now follows HTTP redirects (configurable via strongswan.conf).
    *The CHILD_SA rekeying was fixed in charon-tkm and the behavior is refined a bit more since 5.5.3
    *libtpmtss supports Intel's TSS2 Architecture Broker and Resource Manager interface (tcti-tabrmd).
    * more on https://wiki.strongswan.org/versions/66

OBS-URL: https://build.opensuse.org/request/show/521273
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=104
2017-09-05 15:38:01 +00:00
Nirmoy Das
e17322a559 Accepting request 521079 from home:ndas:branches:network:vpn
- Updated to strongSwan 5.3.5(bsc#1050691) providing the following changes:

OBS-URL: https://build.opensuse.org/request/show/521079
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=103
2017-09-05 10:08:54 +00:00
Nirmoy Das
5ffb8e04a6 Accepting request 521071 from home:ndas:branches:network:vpn
- fix "uintptr_t’ undeclared" compilation error.
  [+0006-fix-compilation-error-by-adding-stdint.h.patch]

OBS-URL: https://build.opensuse.org/request/show/521071
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=102
2017-09-05 09:57:57 +00:00
Nirmoy Das
339326d8bc Accepting request 514548 from home:ndas:branches:network:vpn
OBS-URL: https://build.opensuse.org/request/show/514548
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=100
2017-08-04 11:47:37 +00:00
Nirmoy Das
8cfc35877a Accepting request 513652 from home:ndas:branches:network:vpn
- Updated to strongSwan 5.3.5 providing the following changes:
    *Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input
    validation when verifying RSA signatures. More specifically, mpz_powm_sec() has two
    requirements regarding the passed exponent and modulus that the plugin did not
    enforce, if these are not met the calculation will result in a floating point exception
    that crashes the whole process.
    This vulnerability has been registered as CVE-2017-9022.
    Please refer to our blog for details.
    *Fixed a DoS vulnerability in the x509 plugin that was caused because the ASN.1 parser
    didn't handle ASN.1 CHOICE types properly, which could result in an infinite loop when
    parsing X.509 extensions that use such types.
    This vulnerability has been registered as CVE-2017-9023.
    Please refer to our blog for details.
    *The behavior during IKEv2 CHILD_SA rekeying has been changed in order to avoid
    traffic loss. When responding to a CREATE_CHILD_SA request to rekey a CHILD_SA
    the responder already has everything available to install and use the new CHILD_SA.
    However, this could lead to lost traffic as the initiator won't be able to process
    inbound packets until it processed the CREATE_CHILD_SA response and updated the
    inbound SA. To avoid this the responder now only installs the new inbound SA and
    delays installing the outbound SA until it receives the DELETE for the replaced CHILD_SA.
    *The messages transporting these DELETEs could reach the peer before packets sent
    with the deleted outbound SAs reach it. To reduce the chance of traffic loss due
    to this the inbound SA of the replaced CHILD_SA is not removed for a configurable
    amount of seconds (charon.delete_rekeyed_delay) after the DELETE has been processed.
    *The code base has been ported to Apple's ARM64 iOS platform, which required several
    changes regarding the use of variadic functions. This was necessary because the calling
    conventions for variadic and regular functions are different there.
    This means that assigning a non-variadic function to a variadic function pointer, as we
    did with our enumerator_t::enumerate() implementations and several callbacks, will
    result in crashes as the called function accesses the arguments differently than the

OBS-URL: https://build.opensuse.org/request/show/513652
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=99
2017-08-01 07:21:05 +00:00
d3507c65d4 Accepting request 406438 from home:dkosovic:branches:network:vpn
NetowrkManager-l2tp-1.0.4 is broken with strongswan-5.2.2. The 'ipsec up {connection-name}' command never connects and goes into an infinite loop of failing and trying to re-connect.

NetowrkManager-l2tp works fine with earlier and later versions of strongswan, just not with strongswan-5.2.2.

OBS-URL: https://build.opensuse.org/request/show/406438
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=97
2016-11-29 08:32:29 +00:00
406171b31d - Applied upstream fix for a authentication bypass vulnerability
in the eap-mschapv2 plugin (CVE-2015-8023,bsc#953817).
  [+ 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=95
2015-11-16 15:23:01 +00:00
cfde0c0ea7 - Applied upstream fix for a rogue servers vulnerability, that may
enable rogue servers able to authenticate itself with certificate
  issued by any CA the client trusts, to gain user credentials from
  a client in certain IKEv2 setups (bsc#933591,CVE-2015-4171).
  [+ 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch]
- Fix to apply unknown_payload patch if fips is disabled (<= 13.1)
  and renamed it to use number prefix corresponding with patch nr.
  [- strongswan-5.2.2-5.3.0_unknown_payload.patch,
   + 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=93
2015-06-08 13:41:42 +00:00
288621ec30 - Applied upstream fix for a DoS and potential remote code execution
vulnerability through payload type (bsc#931272,CVE-2015-3991)
  [+ strongswan-5.2.2-5.3.0_unknown_payload.patch]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=90
2015-06-01 16:25:25 +00:00
4a7fa03a80 - reverted last commit, not needed here
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=89
2015-03-09 09:28:29 +00:00
b401bc1d51 - Applied a fix by Marcus Meissner for a loop check in ipsec pki
causing a segfault on attempt to create certificates when fips
  is enabled (bsc#918474,https://wiki.strongswan.org/issues/881)
  [+ 0006-strongswan-pkifix.918474.patch]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=88
2015-03-09 09:02:18 +00:00
055879bc1c - Updated to strongSwan 5.2.2 providing the following changes:
Changes in version 5.2.2:
  * Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange
    payload that contains the Diffie-Hellman group 1025. This identifier was
    used internally for DH groups with custom generator and prime. Because
    these arguments are missing when creating DH objects based on the KE
    payload an invalid pointer dereference occurred.  This allowed an attacker
    to crash the IKE daemon with a single IKE_SA_INIT message containing such
    a KE payload. The vulnerability has been registered as CVE-2014-9221.
  * The left/rightid options in ipsec.conf, or any other identity in
    strongSwan, now accept prefixes to enforce an explicit type, such as
    email: or fqdn:. Note that no conversion is done for the remaining string,
    refer to ipsec.conf(5) for details.
  * The post-quantum Bimodal Lattice Signature Scheme (BLISS) can be used as
    an IKEv2 public key authentication method. The pki tool offers full
    support for the generation of BLISS key pairs and certificates.
  * Fixed mapping of integrity algorithms negotiated for AH via IKEv1.
    This could cause interoperability issues when connecting to older versions
    of charon.
  Changes in version 5.2.1:
  * The new charon-systemd IKE daemon implements an IKE daemon tailored for
    use with systemd. It avoids the dependency on ipsec starter and uses
    swanctl as configuration backend, building a simple and lightweight
    solution. It supports native systemd journal logging.
  * Support for IKEv2 fragmentation as per RFC 7383 has been added. Like IKEv1
    fragmentation it can be enabled by setting fragmentation=yes in ipsec.conf.
  * Support of the TCG TNC IF-M Attribute Segmentation specification proposal.
    All attributes can be segmented. Additionally TCG/SWID Tag, TCG/SWID Tag ID
    and IETF/Installed Packages attributes can be processed incrementally on a
    per segment basis.

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=85
2015-01-05 14:41:37 +00:00
fadffa6d60 - Disallow brainpool elliptic curve groups in fips mode (bnc#856322).
[* strongswan_fipsfilter.patch]

- Applied an upstream fix for a denial-of-service vulnerability,
  which can be triggered by an IKEv2 Key Exchange payload, that
  contains the Diffie-Hellman group 1025 (bsc#910491,CVE-2014-9221).
  [+ 0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch]
- Adjusted whilelist of approved algorithms in fips mode (bsc#856322).
  [* strongswan_fipsfilter.patch]
- Renamed patch file to match it's patch number:
  [- 0001-restore-registration-algorithm-order.bug897512.patch,
   + 0005-restore-registration-algorithm-order.bug897512.patch]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=84
2015-01-05 13:04:19 +00:00
820c7f86b7 [- strongswan-fips-disablegcrypt.patch]
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=82
2014-11-25 11:29:20 +00:00
e05aebd3de - Updated strongswan-hmac package description (bsc#856322).
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=81
2014-11-25 11:25:10 +00:00
c104e3b9c7 - Guarded fipscheck and hmac package in the spec file for >13.1.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=79
2014-11-21 15:23:47 +00:00
e33043a5bd - Disabled explicit gpg validation; osc source_validator does it.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=78
2014-11-21 12:04:54 +00:00
9463c65a84 - Added generation of fips hmac hash files using fipshmac utility
and a _fipscheck script to verify binaries/libraries/plugings
  shipped in the strongswan-hmac package.
  With enabled fips in the kernel, the ipsec script will call it
  before any action or in a enforced/manual "ipsec _fipscheck" call.
  Added config file to load openssl and kernel af-alg plugins, but
  not all the other modules which provide further/alternative algs.
  Applied a filter disallowing non-approved algorithms in fips mode.
  (fate#316931,bnc#856322).
  [+ strongswan_fipscheck.patch, strongswan_fipsfilter.patch]
- Fixed file list in the optional (disabled) strongswan-test package.
- Fixed build of the strongswan built-in integrity checksum library
  and enabled building it only on architectures tested to work.
- Fix to use bug number 897048 instead 856322 in last changes entry.
- Applied an upstream patch reverting to store algorithms in the
  registration order again as ordering them by identifier caused
  weaker algorithms to be proposed first by default (bsc#897512).
  [+0001-restore-registration-algorithm-order.bug897512.patch]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=77
2014-11-21 12:01:59 +00:00
ee9ed2353d [- fips-disablegcrypt.patch]
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=76
2014-09-30 10:53:59 +00:00
809353c19b - Re-enabled gcrypt plugin and reverted to not enforce fips again
as this breaks gcrypt and openssl plugins when the fips pattern
  option is not installed (fate#316931,bnc#856322).
- Added empty strongswan-hmac package supposed to provide fips hmac
  files and enforce fips compliant operation later (bnc#856322).
- Cleaned up conditional build flags in the rpm spec file.

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=73
2014-09-26 16:21:04 +00:00
95de379704 Fixed patch <-> changelog references
fate#316931 [+strongswan-fips-disablegcrypt.patch]

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=71
2014-07-21 13:18:22 +00:00
Tomáš Chvátal
3645b48ec5 Accepting request 239460 from home:msmeissn:branches:network:vpn
- disable gcrypt plugin by default, so it will only use openssl
  FATE#316931
- enable fips mode 2

OBS-URL: https://build.opensuse.org/request/show/239460
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=70
2014-07-10 12:59:35 +00:00
Tomáš Chvátal
ff86b72d5b Accepting request 238193 from home:elvigia:branches:network:vpn
- Fix build in factory 
* Do not include var/run directories in package
* Move runtime data to /run and provide tmpfiles.d snippet
* Add proper systemd macros to rpm scriptlets.
* Do not buildRequire library package libnl1, it is not used.

OBS-URL: https://build.opensuse.org/request/show/238193
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=68
2014-06-27 08:04:24 +00:00