From d3507c65d4fbb489be2aea783f8fba1abe5b9ce2756c0300cb928f132ec7ae89 Mon Sep 17 00:00:00 2001 From: Marius Tomaschewski Date: Tue, 29 Nov 2016 08:32:29 +0000 Subject: [PATCH] Accepting request 406438 from home:dkosovic:branches:network:vpn NetworkManager-l2tp-1.0.4 is broken with strongswan-5.2.2. The 'ipsec up {connection-name}' command never connects and goes into an infinite loop of failing and trying to re-connect. NetworkManager-l2tp works fine with earlier and later versions of strongswan, just not with strongswan-5.2.2. OBS-URL: https://build.opensuse.org/request/show/406438 OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=97 --- ...rongswan-5.2.2-5.3.0_unknown_payload.patch | 166 ------------------ ...swan-5.1.0-5.3.1_enforce_remote_auth.patch | 102 ----------- ...gswan-4.4.0-5.3.3_eap_mschapv2_state.patch | 35 ---- strongswan-5.2.2.tar.bz2 | 3 - strongswan-5.2.2.tar.bz2.sig | 14 -- ....2-rpmlintrc => strongswan-5.3.5-rpmlintrc | 0 strongswan-5.3.5.tar.bz2 | 3 + strongswan-5.3.5.tar.bz2.sig | 14 ++ strongswan.changes | 145 +++++++++++++++ strongswan.spec | 13 +- 10 files changed, 164 insertions(+), 331 deletions(-) delete mode 100644 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch delete mode 100644 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch delete mode 100644 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch delete mode 100644 strongswan-5.2.2.tar.bz2 delete mode 100644 strongswan-5.2.2.tar.bz2.sig rename strongswan-5.2.2-rpmlintrc => strongswan-5.3.5-rpmlintrc (100%) create mode 100644 strongswan-5.3.5.tar.bz2 create mode 100644 strongswan-5.3.5.tar.bz2.sig diff --git a/0005-strongswan-5.2.2-5.3.0_unknown_payload.patch b/0005-strongswan-5.2.2-5.3.0_unknown_payload.patch deleted file mode 100644 index 671db54..0000000 --- a/0005-strongswan-5.2.2-5.3.0_unknown_payload.patch +++ /dev/null 
@@ -1,166 +0,0 @@ -From 7733b99198111ef1f30a964e15e93cb1e6d27a85 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Fri, 15 May 2015 11:15:57 +0200 -References: bsc#931272,CVE-2015-3991 -Subject: [PATCH] unknown-payload: Use a new private payload type and make - original type available - -This fixes a DoS and potential remote code execution vulnerability that was -caused because the original payload type that was returned previously was -used to cast such payload objects to payloads of the indicated type (e.g. -when logging notify payloads with a payload type for the wrong IKE version). - -Fixes CVE-2015-3991. ---- - src/libcharon/encoding/message.c | 2 +- - src/libcharon/encoding/payloads/payload.c | 2 ++ - src/libcharon/encoding/payloads/payload.h | 7 ++++++- - src/libcharon/encoding/payloads/unknown_payload.c | 8 ++++++++ - src/libcharon/encoding/payloads/unknown_payload.h | 8 ++++++++ - src/libcharon/sa/ikev2/task_manager_v2.c | 18 ++++++++++-------- - 6 files changed, 35 insertions(+), 10 deletions(-) - -diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c -index 1ee2cf81b035..478f531eae28 100644 ---- a/src/libcharon/encoding/message.c -+++ b/src/libcharon/encoding/message.c -@@ -2513,7 +2513,7 @@ static status_t decrypt_payloads(private_message_t *this, keymat_t *keymat) - was_encrypted = "encrypted fragment payload"; - } - -- if (payload_is_known(type, this->major_version) && !was_encrypted && -+ if (type != PL_UNKNOWN && !was_encrypted && - !is_connectivity_check(this, payload) && - this->exchange_type != AGGRESSIVE) - { -diff --git a/src/libcharon/encoding/payloads/payload.c b/src/libcharon/encoding/payloads/payload.c -index a1cd2f945588..f7c2754e05c3 100644 ---- a/src/libcharon/encoding/payloads/payload.c -+++ b/src/libcharon/encoding/payloads/payload.c -@@ -97,6 +97,7 @@ ENUM_NEXT(payload_type_names, PLV1_NAT_D_DRAFT_00_03, PLV1_FRAGMENT, PLV2_FRAGME - #endif /* ME */ - ENUM_NEXT(payload_type_names, PL_HEADER, 
PLV1_ENCRYPTED, PLV1_FRAGMENT, - "HEADER", -+ "UNKNOWN", - "PROPOSAL_SUBSTRUCTURE", - "PROPOSAL_SUBSTRUCTURE_V1", - "TRANSFORM_SUBSTRUCTURE", -@@ -167,6 +168,7 @@ ENUM_NEXT(payload_type_short_names, PLV1_NAT_D_DRAFT_00_03, PLV1_FRAGMENT, PLV2_ - #endif /* ME */ - ENUM_NEXT(payload_type_short_names, PL_HEADER, PLV1_ENCRYPTED, PLV1_FRAGMENT, - "HDR", -+ "UNKN", - "PROP", - "PROP", - "TRANS", -diff --git a/src/libcharon/encoding/payloads/payload.h b/src/libcharon/encoding/payloads/payload.h -index 920779bd1032..72003894f307 100644 ---- a/src/libcharon/encoding/payloads/payload.h -+++ b/src/libcharon/encoding/payloads/payload.h -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2007 Tobias Brunner -+ * Copyright (C) 2007-2015 Tobias Brunner - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil -@@ -264,6 +264,11 @@ enum payload_type_t { - PL_HEADER = 256, - - /** -+ * Used to handle unknown or invalid payload types. -+ */ -+ PL_UNKNOWN, -+ -+ /** - * PLV2_PROPOSAL_SUBSTRUCTURE, IKEv2 proposals in a SA payload. 
- */ - PLV2_PROPOSAL_SUBSTRUCTURE, -diff --git a/src/libcharon/encoding/payloads/unknown_payload.c b/src/libcharon/encoding/payloads/unknown_payload.c -index 45b91fd0b32f..c69254fc008c 100644 ---- a/src/libcharon/encoding/payloads/unknown_payload.c -+++ b/src/libcharon/encoding/payloads/unknown_payload.c -@@ -1,4 +1,5 @@ - /* -+ * Copyright (C) 2015 Tobias Brunner - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil -@@ -121,6 +122,12 @@ METHOD(payload_t, get_header_length, int, - METHOD(payload_t, get_payload_type, payload_type_t, - private_unknown_payload_t *this) - { -+ return PL_UNKNOWN; -+} -+ -+METHOD(unknown_payload_t, get_type, payload_type_t, -+ private_unknown_payload_t *this) -+{ - return this->type; - } - -@@ -181,6 +188,7 @@ unknown_payload_t *unknown_payload_create(payload_type_t type) - .destroy = _destroy, - }, - .is_critical = _is_critical, -+ .get_type = _get_type, - .get_data = _get_data, - .destroy = _destroy, - }, -diff --git a/src/libcharon/encoding/payloads/unknown_payload.h b/src/libcharon/encoding/payloads/unknown_payload.h -index 326b550cd872..09341bcc79b5 100644 ---- a/src/libcharon/encoding/payloads/unknown_payload.h -+++ b/src/libcharon/encoding/payloads/unknown_payload.h -@@ -1,4 +1,5 @@ - /* -+ * Copyright (C) 2015 Tobias Brunner - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil -@@ -42,6 +43,13 @@ struct unknown_payload_t { - payload_t payload_interface; - - /** -+ * Get the original payload type as sent by the peer. -+ * -+ * @return type of the original payload -+ */ -+ payload_type_t (*get_type) (unknown_payload_t *this); -+ -+ /** - * Get the raw data of this payload, without - * the generic payload header. 
- * -diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c -index 298167703cbf..4676867dfec2 100644 ---- a/src/libcharon/sa/ikev2/task_manager_v2.c -+++ b/src/libcharon/sa/ikev2/task_manager_v2.c -@@ -1184,15 +1184,17 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg) - enumerator = msg->create_payload_enumerator(msg); - while (enumerator->enumerate(enumerator, &payload)) - { -- unknown = (unknown_payload_t*)payload; -- type = payload->get_type(payload); -- if (!payload_is_known(type, msg->get_major_version(msg)) && -- unknown->is_critical(unknown)) -+ if (payload->get_type(payload) == PL_UNKNOWN) - { -- DBG1(DBG_ENC, "payload type %N is not supported, " -- "but its critical!", payload_type_names, type); -- status = NOT_SUPPORTED; -- break; -+ unknown = (unknown_payload_t*)payload; -+ if (unknown->is_critical(unknown)) -+ { -+ type = unknown->get_type(unknown); -+ DBG1(DBG_ENC, "payload type %N is not supported, " -+ "but its critical!", payload_type_names, type); -+ status = NOT_SUPPORTED; -+ break; -+ } - } - } - enumerator->destroy(enumerator); --- -1.9.1 - diff --git a/0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch b/0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch deleted file mode 100644 index 2d35f9c..0000000 --- a/0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch +++ /dev/null 
@@ -1,102 +0,0 @@ -From ca1a65cc6aef2e037b529574783b7c571d1d82a9 Mon Sep 17 00:00:00 2001 -From: Martin Willi -Date: Wed, 3 Jun 2015 10:52:34 +0200 -References: bsc#933591,CVE-2015-4171 -Subject: [PATCH] ikev2: Enforce remote authentication config before proceeding - with own authentication - -Previously the constraints in the authentication configuration of an -initiator were enforced only after all authentication rounds were -complete. This posed a problem if an initiator used EAP or PSK -authentication while the responder was authenticated with a certificate -and if a rogue server was able to authenticate itself with a valid -certificate issued by any CA the initiator trusted. - -Because any constraints for the responder's identity (rightid) or other -aspects of the authentication (e.g. rightca) the initiator had were not -enforced until the initiator itself finished its authentication such a rogue -responder was able to acquire usernames and password hashes from the client. -And if a client supported EAP-GTC it was even possible to trick it into -sending plaintext passwords. - -This patch enforces the configured constraints right after the responder's -authentication successfully finished for each round and before the initiator -starts with its own authentication. - -Fixes CVE-2015-4171. ---- - src/libcharon/sa/ikev2/tasks/ike_auth.c | 44 +++++++++++++++++++++++++++++++++ - 1 file changed, 44 insertions(+) - -diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c -index bf747a49edde..2554496c1916 100644 ---- a/src/libcharon/sa/ikev2/tasks/ike_auth.c -+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c -@@ -112,6 +112,11 @@ struct private_ike_auth_t { - * received an INITIAL_CONTACT? - */ - bool initial_contact; -+ -+ /** -+ * Is EAP acceptable, did we strictly authenticate peer? 
-+ */ -+ bool eap_acceptable; - }; - - /** -@@ -879,6 +884,37 @@ static void send_auth_failed_informational(private_ike_auth_t *this, - message->destroy(message); - } - -+/** -+ * Check if strict constraint fullfillment required to continue current auth -+ */ -+static bool require_strict(private_ike_auth_t *this, bool mutual_eap) -+{ -+ auth_cfg_t *cfg; -+ -+ if (this->eap_acceptable) -+ { -+ return FALSE; -+ } -+ -+ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); -+ switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS)) -+ { -+ case AUTH_CLASS_EAP: -+ if (mutual_eap && this->my_auth) -+ { -+ this->eap_acceptable = TRUE; -+ return !this->my_auth->is_mutual(this->my_auth); -+ } -+ return TRUE; -+ case AUTH_CLASS_PSK: -+ return TRUE; -+ case AUTH_CLASS_PUBKEY: -+ case AUTH_CLASS_ANY: -+ default: -+ return FALSE; -+ } -+} -+ - METHOD(task_t, process_i, status_t, - private_ike_auth_t *this, message_t *message) - { -@@ -1014,6 +1050,14 @@ METHOD(task_t, process_i, status_t, - } - } - -+ if (require_strict(this, mutual_eap)) -+ { -+ if (!update_cfg_candidates(this, TRUE)) -+ { -+ goto peer_auth_failed; -+ } -+ } -+ - if (this->my_auth) - { - switch (this->my_auth->process(this->my_auth, message)) --- -1.9.1 - diff --git a/0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch b/0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch deleted file mode 100644 index b1968ff..0000000 --- a/0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 91762f11e223e33b82182150d7c4cf7c2ec3cefa Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Thu, 29 Oct 2015 11:18:27 +0100 -References: CVE-2015-8023, bsc#953817 -Subject: [PATCH] eap-mschapv2: Only succeed authentication if MSK was - established - -An MSK is only established if the client successfully authenticated -itself and only then must we accept an MSCHAPV2_SUCCESS message. - -Fixes CVE-2015-8023 ---- - src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c -index f7f39f9841d2..931e3c41dde4 100644 ---- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c -+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c -@@ -1145,7 +1145,11 @@ METHOD(eap_method_t, process_server, status_t, - } - case MSCHAPV2_SUCCESS: - { -- return SUCCESS; -+ if (this->msk.ptr) -+ { -+ return SUCCESS; -+ } -+ break; - } - case MSCHAPV2_FAILURE: - { --- -1.9.1 - diff --git a/strongswan-5.2.2.tar.bz2 b/strongswan-5.2.2.tar.bz2 deleted file mode 100644 index 83aec16..0000000 --- a/strongswan-5.2.2.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:cf2fbfdf200a5eced796f00dc11fea67ce477d38c54d5f073ac6c51618b172f4 -size 4169095 diff --git a/strongswan-5.2.2.tar.bz2.sig b/strongswan-5.2.2.tar.bz2.sig deleted file mode 100644 index 93fa0e0..0000000 --- a/strongswan-5.2.2.tar.bz2.sig +++ /dev/null 
@@ -1,14 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iQGcBAABAgAGBQJUn/PYAAoJEN9CwXCzTbp3+PML/2IJQEI240BwPOpXEGrJ0jnR -Mmq7qXD3QLnUtpyX2/dXVV6X6PzdXiCubOj9m59VNSD6Qsr5W3d44rg90Vf9VxX6 -5nwAWP9fWl1L8xKtC93dyPAe8eet9tMqIf6QY5LYCmKRXi9aotoARiyEjKRUsWdy -O+nDS43PrwjcgHcV+dVbpA1FyFSwoX2zoDu0d1MMzOb+b8np9+2SdtsNVKaIqW5c -39PphkQgpqBqM1nkO0LUydsdCpE+/Xq4yNP77eSio7b6b2eyAjD9gBlNsE4FHoU0 -gyDKgdcOIPYmS8VD2J4efxQDjGpj6VV4wvXAo9tE7x/joIFT+Eg9LsD42l7yReaY -G/G87HVgA0DH67lBjoMfkhZcHCSTofM4cm7eOC7s48PF4HvnAM1L5bH7UzoehV9c -YvIUO/Q+7on6nvnW4AYUVXc/fAq7IUB6hYYCX6CHsb1U7gkEa7NseLwcoLmbMIfB -QaziGo6KHG4XFTdlu1LrQBip8NdJZh7v7fYJd/sFjA== -=bacU ------END PGP SIGNATURE----- diff --git a/strongswan-5.2.2-rpmlintrc b/strongswan-5.3.5-rpmlintrc similarity index 100% rename from strongswan-5.2.2-rpmlintrc rename to strongswan-5.3.5-rpmlintrc diff --git a/strongswan-5.3.5.tar.bz2 b/strongswan-5.3.5.tar.bz2 new file mode 100644 index 0000000..4bf4c4b --- /dev/null +++ b/strongswan-5.3.5.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2c84b663da652b1ff180a1a73c24a3d7b9fc4b9b8ba6bd07f94a1e33092e6350 +size 4415297 diff --git a/strongswan-5.3.5.tar.bz2.sig b/strongswan-5.3.5.tar.bz2.sig new file mode 100644 index 0000000..d4209df --- /dev/null +++ b/strongswan-5.3.5.tar.bz2.sig @@ -0,0 +1,14 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQGcBAABAgAGBQJWVtUVAAoJEN9CwXCzTbp3dpUL/j5Dio8w6LbKtCf4QRItnG2/ +3U6apa56nxDWD3rpnN20OjSUzgulMIOjv/ZtRuruRPGWoFwrG6WzrsY/0ZrV929J +hSmEVuu6qgt/2i/OJdBUHfNGbhJ9JbTXGMxnWUp38mr4SasZlzHZAxbiKmnKXKtO +H5XebtVFR0/yNBPkv6wcJID/vFhJxfWpU2dblvVfSVo9VgV7lXkD0W+S++LJDTVo +PgV/a8NZEFswLIZCPct4i3QBYCDkCiS5MGlGCa+xltPYdLpwQUqhEBUkvF8yur7K +hnpT9cLk/gMSfFQmSOoN/31yx+ZSHTGR75QEh0pXRvo+oLJse7tw5/MJOHEJu+Hp +c/0iVL7qSIXbX5DBF3c03nG3ZdWcVQW32VEp//mC5yEpqFz28dlNSpVwWHLMym/D +kddiJjkZGCm7jBaPWTHSq2l8y9zdQzyHNNQ0HUpchUcpCn7B2nQO4tDSz3AFBECT +32LKSXnpRb7BAnIW/TZhZqWs1WzbQHogUF+wx+Rl6w== +=+fm3 +-----END PGP SIGNATURE----- 
diff --git a/strongswan.changes b/strongswan.changes
index 9be0191..a484b60 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,148 @@
+-------------------------------------------------------------------
+Mon Jul 4 12:00:00 UTC 2016 - doug@uq.edu.au
+
+- Updated to strongSwan 5.3.5 providing the following changes:
+ Changes in version 5.3.5:
+ * Properly handle potential EINTR errors in sigwaitinfo(2) calls
+ that replaced sigwait(3) calls with 5.3.4.
+ * RADIUS retransmission timeouts are now configurable, courtesy
+ of Thom Troy.
+ Changes in version 5.3.4:
+ * Fixed an authentication bypass vulnerability in the
+ eap-mschapv2 plugin that was caused by insufficient
+ verification of the internal state when handling MSCHAPv2
+ Success messages received by the client. This vulnerability
+ has been registered as CVE-2015-8023.
+ * The sha3 plugin implements the SHA3 Keccak-F1600 hash
+ algorithm family. Within the strongSwan framework SHA3 is
+ currently used for BLISS signatures only because the OIDs for
+ other signature algorithms haven't been defined yet. Also the
+ use of SHA3 for IKEv2 has not been standardized yet.
+ Changes in version 5.3.3:
+ * Added support for the ChaCha20/Poly1305 AEAD cipher specified
+ in RFC 7539 and RFC 7634 using the chacha20poly1305 ike/esp
+ proposal keyword. The new chapoly plugin implements the
+ cipher, if possible SSE-accelerated on x86/x64 architectures.
+ It is usable both in IKEv2 and the strongSwan libipsec ESP
+ backend. On Linux 4.2 or newer the kernel-netlink plugin can
+ configure the cipher for ESP SAs.
+ * The vici interface now supports the configuration of auxiliary
+ certification authority information as CRL and OCSP URIs.
+ * In the bliss plugin the c_indices derivation using a SHA-512
+ based random oracle has been fixed, generalized and
+ standardized by employing the MGF1 mask generation function
+ with SHA-512. As a consequence BLISS signatures unsing the
+ improved oracle are not compatible with the earlier
+ implementation.
+ * Support for auto=route with right=%any for transport mode
+ connections has been added (the ikev2/trap-any scenario
+ provides examples).
+ * The starter daemon does not flush IPsec policies and SAs
+ anymore when it is stopped. Already existing duplicate
+ policies are now overwritten by the IKE daemon when it
+ installs its policies.
+ * Init limits (like charon.init_limit_half_open) can now
+ optionally be enforced when initiating SAs via VICI. For this,
+ IKE_SAs initiated by the daemon are now also counted as half
+ open SAs, which, as a side-effect, fixes the status output
+ while connecting (e.g. in ipsec status).
+ * Symmetric configuration of EAP methods in left|rightauth is
+ now possible when mutual EAP-only authentication is used
+ (previously, the client had to configure rightauth=eap or
+ rightauth=any, which prevented it from using this same config
+ as responder).
+ * The initiator flag in the IKEv2 header is compared again
+ (wasn't the case since 5.0.0) and packets that have the flag
+ set incorrectly are again ignored.
+ * Implemented a demo Hardcopy Device IMC/IMV pair based on the
+ "Hardcopy Device Health Assessment Trusted Network Connect
+ Binding" (HCD-TNC) document drafted by the IEEE Printer
+ Working Group (PWG).
+ * Fixed IF-M segmentation which failed in the presence of
+ multiple small attributes in front of a huge attribute to be
+ segmented.
+ Changes in version 5.3.2:
+ * Fixed a vulnerability that allowed rogue servers with a valid
+ certificate accepted by the client to trick it into disclosing
+ its username and even password (if the client accepts
+ EAP-GTC). This was caused because constraints against the
+ responder's authentication were enforced too late. This
+ vulnerability has been registered as CVE-2015-4171.
+ Changes in version 5.3.1:
+ * Fixed a denial-of-service and potential remote code execution
+ vulnerability triggered by IKEv1/IKEv2 messages that contain
+ payloads for the respective other IKE version. Such payload
+ are treated specially since 5.2.2 but because they were still
+ identified by their original payload type they were used as
+ such in some places causing invalid function pointer
+ dereferences. The vulnerability has been registered as
+ CVE-2015-3991.
+ * The new aesni plugin provides CBC, CTR, XCBC, CMAC, CCM and
+ GCM crypto primitives for AES-128/192/256. The plugin requires
+ AES-NI and PCLMULQDQ instructions and works on both x86 and
+ x64 architectures. It provides superior crypto performance in
+ userland without any external libraries.
+ Changes in version 5.3.0:
+ * Added support for IKEv2 make-before-break reauthentication. By
+ using a global CHILD_SA reqid allocation mechanism, charon
+ supports overlapping CHILD_SAs. This allows the use of
+ make-before-break instead of the previously supported
+ break-before-make reauthentication, avoiding connectivity gaps
+ during that procedure. As the new mechanism may fail with peers
+ not supporting it (such as any previous strongSwan release) it
+ must be explicitly enabled using the charon.make_before_break
+ strongswan.conf option.
+ * Support for "Signature Authentication in IKEv2" (RFC 7427) has
+ been added. This allows the use of stronger hash algorithms
+ for public key authentication. By default, signature schemes
+ are chosen based on the strength of the signature key, but
+ specific hash algorithms may be configured in leftauth.
+ * Key types and hash algorithms specified in rightauth are now
+ also checked against IKEv2 signature schemes. If such
+ constraints are used for certificate chain validation in
+ existing configurations, in particular with peers that don't
+ support RFC 7427, it may be necessary to disable this feature
+ with the charon.signature_authentication_constraints setting,
+ because the signature scheme used in classic IKEv2 public key
+ authentication may not be strong enough.
+ * The new connmark plugin allows a host to bind conntrack flows
+ to a specific CHILD_SA by applying and restoring the SA mark
+ to conntrack entries. This allows a peer to handle multiple
+ transport mode connections coming over the same NAT device for
+ client-initiated flows. A common use case is to protect
+ L2TP/IPsec, as supported by some systems.
+ * The forecast plugin can forward broadcast and multicast
+ messages between connected clients and a LAN. For CHILD_SA
+ using unique marks, it sets up the required Netfilter rules
+ and uses a multicast/broadcast listener that forwards such
+ messages to all connected clients. This plugin is designed for
+ Windows 7 IKEv2 clients, which announces its services over the
+ tunnel if the negotiated IPsec policy allows it.
+ * For the vici plugin a Python Egg has been added to allow
+ Python applications to control or monitor the IKE daemon using
+ the VICI interface, similar to the existing ruby gem. The
+ Python library has been contributed by Björn Schuberg.
+ * EAP server methods now can fulfill public key constraints,
+ such as rightcert or rightca. Additionally, public key and
+ signature constraints can be specified for EAP methods in the
+ rightauth keyword. Currently the EAP-TLS and EAP-TTLS methods
+ provide verification details to constraints checking.
+ * Upgrade of the BLISS post-quantum signature algorithm to the
+ improved BLISS-B variant. Can be used in conjunction with the
+ SHA256, SHA384 and SHA512 hash algorithms with SHA512 being
+ the default.
+ * The IF-IMV 1.4 interface now makes the IP address of the TNC
+ access requestor as seen by the TNC server available to all
+ IMVs. This information can be forwarded to policy enforcement
+ points (e.g. firewalls or routers).
+ * The new mutual tnccs-20 plugin parameter activates mutual TNC
+ measurements in PB-TNC half-duplex mode between two endpoints
+ over either a PT-EAP or PT-TLS transport medium.
+- Adjusted file lists and removed obsolete patches + [- 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch, + - 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch, + - 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch] + ------------------------------------------------------------------- Fri Nov 13 10:25:59 UTC 2015 - mt@suse.de diff --git a/strongswan.spec b/strongswan.spec index 341531f..93050d9 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,7 +1,7 @@ # # spec file for package strongswan # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: strongswan -Version: 5.2.2 +Version: 5.3.5 Release: 0 %define upstream_version %{version} %define strongswan_docdir %{_docdir}/%{name} @@ -82,9 +82,6 @@ Patch2: %{name}_ipsec_service.patch Patch3: %{name}_fipscheck.patch Patch4: %{name}_fipsfilter.patch %endif -Patch5: 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch -Patch6: 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch -Patch7: 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison BuildRequires: curl-devel @@ -295,9 +292,6 @@ and the load testing plugin for IKEv2 daemon. %patch3 -p0 %patch4 -p1 %endif -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 sed -e 's|@libexecdir@|%_libexecdir|g' \ < $RPM_SOURCE_DIR/strongswan.init.in \ > strongswan.init @@ -605,7 +599,6 @@ fi %dir %{_libexecdir}/ipsec %{_libexecdir}/ipsec/_copyright %{_libexecdir}/ipsec/_updown -%{_libexecdir}/ipsec/_updown_espmark %if %{with test} %{_libexecdir}/ipsec/conftest %endif @@ -632,8 +625,6 @@ fi %{strongswan_docdir}/LICENSE %{strongswan_docdir}/AUTHORS %{strongswan_docdir}/ChangeLog -%{_mandir}/man8/_updown.8* -%{_mandir}/man8/_updown_espmark.8* %{_mandir}/man8/scepclient.8* %files libs0
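Review bot: The new detached signature strongswan-5.3.5.tar.bz2.sig is committed next to the tarball, but none of the strongswan.spec hunks touch the `Source:` lines, so this diff does not show whether the `.sig` (and a keyring) are still referenced so the upgraded tarball is verified at build time; those lines sit outside the hunks and are worth a look. The `@@ -605,7 +599,6 @@` and `@@ -632,8 +625,6 @@` hunks drop `%{_libexecdir}/ipsec/_updown_espmark` and the `_updown.8*`/`_updown_espmark.8*` man pages, yet nothing in the commit beyond "Adjusted file lists" records why; presumably 5.3.5 no longer installs them, but a one-line reason in the changes entry, e.g. `- _updown_espmark and its man pages are no longer shipped upstream` (to be confirmed against the 5.3.5 tarball), would spare the next maintainer a check. Dropping Patch5–Patch7 matches the quoted upstream notes, which list the fixes for CVE-2015-3991, CVE-2015-4171 and CVE-2015-8023 as part of 5.3.1, 5.3.2 and 5.3.4, so no separate justification is needed there.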