diff --git a/strongswan-5.1.3.tar.bz2 b/strongswan-5.1.3.tar.bz2
deleted file mode 100644
index b52ba2d..0000000
--- a/strongswan-5.1.3.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:84e46d5ce801e1b874e2bfba8d21dbd78b432e23b7fb1f4f2d637359e7a183a8
-size 3807212
diff --git a/strongswan-5.1.3.tar.bz2.sig b/strongswan-5.1.3.tar.bz2.sig
deleted file mode 100644
index 7884d97..0000000
--- a/strongswan-5.1.3.tar.bz2.sig
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
-
-iQGcBAABAgAGBQJTS9jUAAoJEN9CwXCzTbp3E3cMAJuQv7IsG5XDNQB/Wcb66hLQ
-2DSZN2zXRI2Ku5ONXDqnzCzyGRO84SOsGVzX9AQTHactr29B0n9rZxSCKZrm+ZRX
-lMKu6UNsS+jSKhXkXfmDSilFnM7ap7tAlFUuH/7uz8LcG34643W5BOJH0oMq7Rx3
-WN/7/TbrYf1aE0s3C8tcJXc5OghkvAfsE0jBPWhwT7dwi5eczluPMyYYdGxg8zNP
-LdBdoHTfnFRnMcL18SGwUYl09hj2YkZMoo+2Qt4I6WNy3yIINRIQluPSl2f91HHG
-VXyzGLpC3W63WYxXhPmjdmkpaT9+kulF6WVhgt3i6VMOv6nSNitHs5/X0W6N5xuX
-BhPmJRFmT0Oej3MJVxSKqUy89Ny3DyRmai5bERAFe+FOt9HN1UWqpK+qYFI+YQw/
-dMS9kviW2UhSq4BM9F9F+QrL66Bz0gc5+jXolm971FII62cV4i6n9U6veGPY9qkg
-+Jcn6XpKOe2JXLsIeIMQgc0GitIaEHq/zdST/pn2Gw==
-=NZ/K
------END PGP SIGNATURE-----
diff --git a/strongswan-5.1.3-rpmlintrc b/strongswan-5.2.2-rpmlintrc
similarity index 100%
rename from strongswan-5.1.3-rpmlintrc
rename to strongswan-5.2.2-rpmlintrc
diff --git a/strongswan-5.2.2.tar.bz2 b/strongswan-5.2.2.tar.bz2
new file mode 100644
index 0000000..83aec16
--- /dev/null
+++ b/strongswan-5.2.2.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cf2fbfdf200a5eced796f00dc11fea67ce477d38c54d5f073ac6c51618b172f4
+size 4169095
diff --git a/strongswan-5.2.2.tar.bz2.sig b/strongswan-5.2.2.tar.bz2.sig
new file mode 100644
index 0000000..93fa0e0
--- /dev/null
+++ b/strongswan-5.2.2.tar.bz2.sig
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQGcBAABAgAGBQJUn/PYAAoJEN9CwXCzTbp3+PML/2IJQEI240BwPOpXEGrJ0jnR
+Mmq7qXD3QLnUtpyX2/dXVV6X6PzdXiCubOj9m59VNSD6Qsr5W3d44rg90Vf9VxX6
+5nwAWP9fWl1L8xKtC93dyPAe8eet9tMqIf6QY5LYCmKRXi9aotoARiyEjKRUsWdy
+O+nDS43PrwjcgHcV+dVbpA1FyFSwoX2zoDu0d1MMzOb+b8np9+2SdtsNVKaIqW5c
+39PphkQgpqBqM1nkO0LUydsdCpE+/Xq4yNP77eSio7b6b2eyAjD9gBlNsE4FHoU0
+gyDKgdcOIPYmS8VD2J4efxQDjGpj6VV4wvXAo9tE7x/joIFT+Eg9LsD42l7yReaY
+G/G87HVgA0DH67lBjoMfkhZcHCSTofM4cm7eOC7s48PF4HvnAM1L5bH7UzoehV9c
+YvIUO/Q+7on6nvnW4AYUVXc/fAq7IUB6hYYCX6CHsb1U7gkEa7NseLwcoLmbMIfB
+QaziGo6KHG4XFTdlu1LrQBip8NdJZh7v7fYJd/sFjA==
+=bacU
+-----END PGP SIGNATURE-----
diff --git a/strongswan.changes b/strongswan.changes
index cfb2771..84ad58f 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,83 @@ +------------------------------------------------------------------- +Mon Jan 5 14:38:46 UTC 2015 - mt@suse.de + +- Updated to strongSwan 5.2.2 providing the following changes: + Changes in version 5.2.2: + * Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange + payload that contains the Diffie-Hellman group 1025. This identifier was + used internally for DH groups with custom generator and prime. Because + these arguments are missing when creating DH objects based on the KE + payload an invalid pointer dereference occurred. This allowed an attacker + to crash the IKE daemon with a single IKE_SA_INIT message containing such + a KE payload. The vulnerability has been registered as CVE-2014-9221. + * The left/rightid options in ipsec.conf, or any other identity in + strongSwan, now accept prefixes to enforce an explicit type, such as + email: or fqdn:. Note that no conversion is done for the remaining string, + refer to ipsec.conf(5) for details. + * The post-quantum Bimodal Lattice Signature Scheme (BLISS) can be used as + an IKEv2 public key authentication method. The pki tool offers full + support for the generation of BLISS key pairs and certificates. + * Fixed mapping of integrity algorithms negotiated for AH via IKEv1. + This could cause interoperability issues when connecting to older versions + of charon. + Changes in version 5.2.1: + * The new charon-systemd IKE daemon implements an IKE daemon tailored for + use with systemd. It avoids the dependency on ipsec starter and uses + swanctl as configuration backend, building a simple and lightweight + solution. It supports native systemd journal logging. + * Support for IKEv2 fragmentation as per RFC 7383 has been added. Like IKEv1 + fragmentation it can be enabled by setting fragmentation=yes in ipsec.conf. + * Support of the TCG TNC IF-M Attribute Segmentation specification proposal. + All attributes can be segmented. 
Additionally TCG/SWID Tag, TCG/SWID Tag ID + and IETF/Installed Packages attributes can be processed incrementally on a + per segment basis. + * The new ext-auth plugin calls an external script to implement custom IKE_SA + authorization logic, courtesy of Vyronas Tsingaras. + * For the vici plugin a ruby gem has been added to allow ruby applications to + control or monitor the IKE daemon. The vici documentation has been updated + to include a description of the available operations and some simple + examples using both the libvici C interface and the ruby gem. + Changes in version 5.2.0: + * strongSwan has been ported to the Windows platform. Using a MinGW toolchain, + many parts of the strongSwan codebase run natively on Windows 7 / 2008 R2 + and newer releases. charon-svc implements a Windows IKE service based on + libcharon, the kernel-iph and kernel-wfp plugins act as networking and IPsec + backend on the Windows platform. socket-win provides a native IKE socket + implementation, while winhttp fetches CRL and OCSP information using the + WinHTTP API. + * The new vici plugin provides a Versatile IKE Configuration Interface for + charon. Using the stable IPC interface, external applications can configure, + control and monitor the IKE daemon. Instead of scripting the ipsec tool + and generating ipsec.conf, third party applications can use the new interface + for more control and better reliability. + * Built upon the libvici client library, swanctl implements the first user of + the VICI interface. Together with a swanctl.conf configuration file, + connections can be defined, loaded and managed. swanctl provides a portable, + complete IKE configuration and control interface for the command line. + The first six swanctl example scenarios have been added. + * The SWID IMV implements a JSON-based REST API which allows the exchange + of SWID tags and Software IDs with the strongTNC policy manager. 
+ * The SWID IMC can extract all installed packages from the dpkg (Debian, + Ubuntu, Linux Mint etc.), rpm (Fedora, RedHat, OpenSUSE, etc.), or + pacman (Arch Linux, Manjaro, etc.) package managers, respectively, using + the swidGenerator (https://github.com/strongswan/swidGenerator) which + generates SWID tags according to the new ISO/IEC 19770-2:2014 standard. + * All IMVs now share the access requestor ID, device ID and product info + of an access requestor via a common imv_session object. + * The Attestation IMC/IMV pair supports the IMA-NG measurement format + introduced with the Linux 3.13 kernel. + * The aikgen tool generates an Attestation Identity Key bound to a TPM. + * Implemented the PT-EAP transport protocol (RFC 7171) for Trusted Network + Connect. + * The ipsec.conf replay_window option defines connection specific IPsec + replay windows. Original patch courtesy of Zheng Zhong and Christophe + Gouault from 6Wind. +- Adjusted file lists and removed obsolete patches + [- 0005-restore-registration-algorithm-order.bug897512.patch, + - 0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch] +- Adopted/Merged fipscheck patches + [* strongswan_fipscheck.patch, strongswan_fipsfilter.patch] + ------------------------------------------------------------------- Wed Dec 17 10:15:23 UTC 2014 - mt@suse.de diff --git a/strongswan.spec b/strongswan.spec index e99aee5..7e6acc0 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -17,7 +17,7 @@ Name: strongswan -Version: 5.1.3 +Version: 5.2.2 Release: 0 %define upstream_version %{version} %define strongswan_docdir %{_docdir}/%{name} @@ -82,8 +82,6 @@ Patch2: %{name}_ipsec_service.patch Patch3: %{name}_fipscheck.patch Patch4: %{name}_fipsfilter.patch %endif -Patch5: 0005-restore-registration-algorithm-order.bug897512.patch -Patch6: 0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison BuildRequires: curl-devel 
@@ -294,8 +292,6 @@ and the load testing plugin for IKEv2 daemon. %patch3 -p0 %patch4 -p1 %endif -%patch5 -p1 -%patch6 -p1 sed -e 's|@libexecdir@|%_libexecdir|g' \ < $RPM_SOURCE_DIR/strongswan.init.in \ > strongswan.init @@ -645,10 +641,11 @@ fi %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/pool.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/scepclient.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/starter.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/tnc.conf -%config(noreplace) %attr(600,root,root) %{strongswan_configs}/tools.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf %if %{with afalg} @@ -951,10 +948,11 @@ fi %{strongswan_templates}/config/strongswan.d/charon-logging.conf %{strongswan_templates}/config/strongswan.d/charon.conf %{strongswan_templates}/config/strongswan.d/imcv.conf +%{strongswan_templates}/config/strongswan.d/pki.conf %{strongswan_templates}/config/strongswan.d/pool.conf +%{strongswan_templates}/config/strongswan.d/scepclient.conf %{strongswan_templates}/config/strongswan.d/starter.conf %{strongswan_templates}/config/strongswan.d/tnc.conf -%{strongswan_templates}/config/strongswan.d/tools.conf %{strongswan_templates}/database/imv/data.sql %{strongswan_templates}/database/imv/tables.sql @@ -984,6 +982,7 @@ fi %dir %{strongswan_templates}/database %dir %{strongswan_templates}/database/sql %{strongswan_templates}/config/plugins/mysql.conf +%{strongswan_templates}/database/imv/tables-mysql.sql %{strongswan_templates}/database/sql/mysql.sql %endif 
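Review bot: `tools.conf` is dropped from both the `%config(noreplace)` list and the templates list in the two file-list hunks, while `pki.conf` and `scepclient.conf` are added, but nothing visible here carries an administrator's existing settings over. Because the old file was `%config(noreplace)`, rpm would normally leave a locally modified copy behind as `tools.conf.rpmsave`, which the daemon's configuration include presumably no longer reads, so customised pki/scepclient options could silently fall back to defaults after the upgrade. I would at least record this in the changelog entry, e.g. `- tools.conf replaced by pki.conf and scepclient.conf; local changes must be merged manually`. The new entries do keep the `%attr(600,root,root)` mode used by the neighbouring configuration files.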
diff --git a/strongswan_fipscheck.patch b/strongswan_fipscheck.patch index b49cbd0..18839be 100644 --- a/strongswan_fipscheck.patch +++ b/strongswan_fipscheck.patch @@ -1,6 +1,6 @@ --- src/ipsec/_ipsec.in -+++ src/ipsec/_ipsec.in 2014/11/07 11:28:25 -@@ -44,6 +44,26 @@ export IPSEC_DIR IPSEC_BINDIR IPSEC_SBIN ++++ src/ipsec/_ipsec.in +@@ -44,6 +44,26 @@ export IPSEC_DIR IPSEC_BINDIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_SCR IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland" @@ -26,8 +26,8 @@ + case "$1" in '') - echo "Usage: $IPSEC_SCRIPT command argument ..." -@@ -166,6 +186,7 @@ rereadall|purgeocsp|listcounters|resetco + echo "$IPSEC_SCRIPT command [arguments]" +@@ -155,6 +175,7 @@ rereadall|purgeocsp|listcounters|resetcounters) shift if [ -e $IPSEC_CHARON_PID ] then @@ -35,7 +35,7 @@ $IPSEC_STROKE "$op" "$@" rc="$?" fi -@@ -175,6 +196,7 @@ purgeike|purgecrls|purgecerts) +@@ -164,6 +185,7 @@ purgeike|purgecrls|purgecerts) rc=7 if [ -e $IPSEC_CHARON_PID ] then @@ -43,7 +43,7 @@ $IPSEC_STROKE "$1" rc="$?" fi -@@ -208,6 +230,7 @@ route|unroute) +@@ -197,6 +219,7 @@ route|unroute) fi if [ -e $IPSEC_CHARON_PID ] then @@ -51,7 +51,7 @@ $IPSEC_STROKE "$op" "$1" rc="$?" fi -@@ -217,6 +240,7 @@ secrets) +@@ -206,6 +229,7 @@ secrets) rc=7 if [ -e $IPSEC_CHARON_PID ] then @@ -59,7 +59,7 @@ $IPSEC_STROKE rereadsecrets rc="$?" fi -@@ -224,6 +248,7 @@ secrets) +@@ -213,6 +237,7 @@ secrets) ;; start) shift @@ -67,7 +67,7 @@ if [ -d /var/lock/subsys ]; then touch /var/lock/subsys/ipsec fi -@@ -297,6 +322,7 @@ up) +@@ -286,6 +311,7 @@ up) rc=7 if [ -e $IPSEC_CHARON_PID ] then @@ -75,7 +75,7 @@ $IPSEC_STROKE up "$1" rc="$?" fi -@@ -332,6 +358,11 @@ esac +@@ -325,6 +351,11 @@ esac cmd="$1" shift diff --git a/strongswan_fipsfilter.patch b/strongswan_fipsfilter.patch index 3e4a2bd..94b5db0 100644 --- a/strongswan_fipsfilter.patch +++ b/strongswan_fipsfilter.patch 
@@ -1,12 +1,12 @@ -From aa709f291994a74271271b6dd61563cc3844e3ad Mon Sep 17 00:00:00 2001 +From 8f3f1bd6907df8221a93c849ed4b43474444e13b Mon Sep 17 00:00:00 2001 From: Marius Tomaschewski -Date: Tue, 16 Dec 2014 23:19:20 +0100 +Date: Mon, 5 Jan 2015 14:57:39 +0100 Subject: [PATCH] strongswan: filter algorithms for fips mode References: fate#316931,bnc#856322 diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c -index 2ecdb4f..a858162 100644 +index e59dcd9..f07f4a2 100644 --- a/src/libcharon/config/proposal.c +++ b/src/libcharon/config/proposal.c @@ -26,6 +26,11 @@ @@ -144,7 +144,7 @@ index 2ecdb4f..a858162 100644 /** * Select a matching proposal from this and other, insert into selected. */ -@@ -500,6 +621,11 @@ static bool add_string_algo(private_proposal_t *this, const char *alg) +@@ -502,6 +623,11 @@ static bool add_string_algo(private_proposal_t *this, const char *alg) return FALSE; } 
@@ -156,63 +156,69 @@ index 2ecdb4f..a858162 100644 add_algorithm(this, token->type, token->algorithm, token->keysize); return TRUE; -@@ -639,6 +765,8 @@ static void proposal_add_supported_ike(private_proposal_t *this) - enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) - { -+ if (!fips_filter(PROTO_IKE, ENCRYPTION_ALGORITHM, encryption)) -+ continue; - switch (encryption) +@@ -643,6 +769,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) + enumerator = lib->crypto->create_aead_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) { - case ENCR_AES_CBC: -@@ -665,6 +793,9 @@ static void proposal_add_supported_ike(private_proposal_t *this) - enumerator = lib->crypto->create_aead_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) - { -+ if (!fips_filter(PROTO_IKE, ENCRYPTION_ALGORITHM, encryption)) -+ continue; ++ if (!fips_filter(PROTO_IKE, ENCRYPTION_ALGORITHM, encryption)) ++ continue; + - switch (encryption) + switch (encryption) + { + case ENCR_AES_CCM_ICV8: +@@ -675,6 +804,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) + enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) { - case ENCR_AES_CCM_ICV8: -@@ -690,6 +821,8 @@ static void proposal_add_supported_ike(private_proposal_t *this) - enumerator = lib->crypto->create_signer_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &integrity, &plugin_name)) - { -+ if (!fips_filter(PROTO_IKE, INTEGRITY_ALGORITHM, integrity)) -+ continue; - switch (integrity) ++ if (!fips_filter(PROTO_IKE, ENCRYPTION_ALGORITHM, encryption)) ++ continue; ++ + switch (encryption) + { + case ENCR_AES_CBC: +@@ -706,6 +838,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) + 
enumerator = lib->crypto->create_signer_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &integrity, &plugin_name)) { - case AUTH_HMAC_SHA1_96: -@@ -710,6 +843,8 @@ static void proposal_add_supported_ike(private_proposal_t *this) ++ if (!fips_filter(PROTO_IKE, INTEGRITY_ALGORITHM, integrity)) ++ continue; ++ + switch (integrity) + { + case AUTH_HMAC_SHA1_96: +@@ -727,6 +862,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) enumerator = lib->crypto->create_prf_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &prf, &plugin_name)) { + if (!fips_filter(PROTO_IKE, PSEUDO_RANDOM_FUNCTION, prf)) + continue; ++ switch (prf) { case PRF_HMAC_SHA1: -@@ -730,6 +865,8 @@ static void proposal_add_supported_ike(private_proposal_t *this) +@@ -747,6 +885,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) enumerator = lib->crypto->create_dh_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &group, &plugin_name)) { + if (!fips_filter(PROTO_IKE, DIFFIE_HELLMAN_GROUP, group)) + continue; ++ switch (group) { case MODP_NULL: -@@ -776,31 +913,35 @@ proposal_t *proposal_create_default(protocol_id_t protocol) +@@ -795,6 +936,10 @@ proposal_t *proposal_create_default(protocol_id_t protocol) { private_proposal_t *this = (private_proposal_t*)proposal_create(protocol, 0); +#define fips_add_algorithm(this, type, alg, len) \ + if (fips_filter(this->protocol, type, alg)) \ + add_algorithm(this, type, alg, len); ++ switch (protocol) { case PROTO_IKE: - proposal_add_supported_ike(this); +@@ -805,25 +950,28 @@ proposal_t *proposal_create_default(protocol_id_t protocol) + } break; case PROTO_ESP: - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128); @@ -247,10 +253,12 @@ index 2ecdb4f..a858162 100644 default: break; } ++ +#undef fips_add_algorithm ++ return &this->public; } -- -2.2.0 +2.2.1
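Review bot: The `fips_add_algorithm` macro carried over in `proposal_create_default()` expands to a bare `if (...) add_algorithm(...);` with its own trailing semicolon and unparenthesised arguments, so any use inside an `if`/`else` would bind the `else` to the macro's `if` and the FIPS filter could end up applied to the wrong branch. Wrapping it makes the expansion a single statement: `#define fips_add_algorithm(this, type, alg, len) do { if (fips_filter((this)->protocol, (type), (alg))) add_algorithm((this), (type), (alg), (len)); } while (0)`. The unbraced `if (!fips_filter(...)) continue;` guards re-added in `proposal_add_supported_ike()` would likewise be safer with braces, since a later edit that adds a second statement under the `if` would bypass the filter unnoticed. The body of `fips_filter()` lies outside these hunks, so which algorithms it actually admits cannot be checked from here.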