diff --git a/0006-fix-compilation-error-by-adding-stdint.h.patch b/0006-fix-compilation-error-by-adding-stdint.h.patch index 3f33240..7e9a923 100644 --- a/0006-fix-compilation-error-by-adding-stdint.h.patch +++ b/0006-fix-compilation-error-by-adding-stdint.h.patch @@ -15,10 +15,10 @@ utils/utils/memory.h:99:15: error: ‘uintptr_t’ undeclared (first use in this src/libstrongswan/utils/utils/memory.h | 2 ++ 1 file changed, 2 insertions(+) -diff --git a/src/libstrongswan/utils/utils/memory.h b/src/libstrongswan/utils/utils/memory.h -index b978e7c..55aaaf5 100644 ---- a/src/libstrongswan/utils/utils/memory.h -+++ b/src/libstrongswan/utils/utils/memory.h +Index: strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h +=================================================================== +--- strongswan-5.6.2.orig/src/libstrongswan/utils/utils/memory.h 2017-08-14 08:48:41.000000000 +0200 ++++ strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h 2018-04-17 16:53:57.590335103 +0200 @@ -22,6 +22,8 @@ #ifndef MEMORY_H_ #define MEMORY_H_ @@ -28,6 +28,3 @@ index b978e7c..55aaaf5 100644 /** * Helper function that compares two binary blobs for equality */ --- -2.14.1 - diff --git a/0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch b/0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch deleted file mode 100644 index af9bd48..0000000 --- a/0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch +++ /dev/null @@ -1,323 +0,0 @@ -From ade8c9c4b73ec43cf43b9c4cd9af6aac5e6f7f9d Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Tue, 28 Aug 2018 11:26:24 +0200 -Subject: [PATCH] gmp: Don't parse PKCS1 v1.5 RSA signatures to verify them - -Instead we generate the expected signature encoding and compare it to the -decrypted value. - -Due to the lenient nature of the previous parsing code (minimum padding -length was not enforced, the algorithmIdentifier/OID parser accepts arbitrary -data after OIDs and in the parameters field etc.) it was susceptible to -Daniel Bleichenbacher's low-exponent attack (from 2006!), which allowed -forging signatures for keys that use low public exponents (i.e. e=3). - -Since the public exponent is usually set to 0x10001 (65537) since quite a -while, the flaws in the previous code should not have had that much of a -practical impact in recent years. - -Fixes: CVE-2018-16151, CVE-2018-16152 ---- - .../plugins/gmp/gmp_rsa_private_key.c | 66 +++++---- - src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 158 ++------------------- - 2 files changed, 53 insertions(+), 171 deletions(-) - -diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c -index 21b420866e2f..025f61a9fa21 100644 ---- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c -+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c -@@ -262,14 +262,15 @@ static chunk_t rsasp1(private_gmp_rsa_private_key_t *this, chunk_t data) - } - - /** -- * Build a signature using the PKCS#1 EMSA scheme -+ * Hashes the data and builds the plaintext signature value with EMSA -+ * PKCS#1 v1.5 padding. -+ * -+ * Allocates the signature data. - */ --static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this, -- hash_algorithm_t hash_algorithm, -- chunk_t data, chunk_t *signature) -+bool gmp_emsa_pkcs1_signature_data(hash_algorithm_t hash_algorithm, -+ chunk_t data, size_t keylen, chunk_t *em) - { - chunk_t digestInfo = chunk_empty; -- chunk_t em; - - if (hash_algorithm != HASH_UNKNOWN) - { -@@ -293,43 +294,56 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this, - /* build DER-encoded digestInfo */ - digestInfo = asn1_wrap(ASN1_SEQUENCE, "mm", - asn1_algorithmIdentifier(hash_oid), -- asn1_simple_object(ASN1_OCTET_STRING, hash) -- ); -- chunk_free(&hash); -+ asn1_wrap(ASN1_OCTET_STRING, "m", hash)); -+ - data = digestInfo; - } - -- if (data.len > this->k - 3) -+ if (data.len > keylen - 11) - { -- free(digestInfo.ptr); -- DBG1(DBG_LIB, "unable to sign %d bytes using a %dbit key", data.len, -- mpz_sizeinbase(this->n, 2)); -+ chunk_free(&digestInfo); -+ DBG1(DBG_LIB, "signature value of %zu bytes is too long for key of " -+ "%zu bytes", data.len, keylen); - return FALSE; - } - -- /* build chunk to rsa-decrypt: -- * EM = 0x00 || 0x01 || PS || 0x00 || T. -- * PS = 0xFF padding, with length to fill em -+ /* EM = 0x00 || 0x01 || PS || 0x00 || T. -+ * PS = 0xFF padding, with length to fill em (at least 8 bytes) - * T = encoded_hash - */ -- em.len = this->k; -- em.ptr = malloc(em.len); -+ *em = chunk_alloc(keylen); - - /* fill em with padding */ -- memset(em.ptr, 0xFF, em.len); -+ memset(em->ptr, 0xFF, em->len); - /* set magic bytes */ -- *(em.ptr) = 0x00; -- *(em.ptr+1) = 0x01; -- *(em.ptr + em.len - data.len - 1) = 0x00; -- /* set DER-encoded hash */ -- memcpy(em.ptr + em.len - data.len, data.ptr, data.len); -+ *(em->ptr) = 0x00; -+ *(em->ptr+1) = 0x01; -+ *(em->ptr + em->len - data.len - 1) = 0x00; -+ /* set encoded hash */ -+ memcpy(em->ptr + em->len - data.len, data.ptr, data.len); -+ -+ chunk_clear(&digestInfo); -+ return TRUE; -+} -+ -+/** -+ * Build a signature using the PKCS#1 EMSA scheme -+ */ -+static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this, -+ hash_algorithm_t hash_algorithm, -+ chunk_t data, chunk_t *signature) -+{ -+ chunk_t em; -+ -+ if (!gmp_emsa_pkcs1_signature_data(hash_algorithm, data, this->k, &em)) -+ { -+ return FALSE; -+ } - - /* build signature */ - *signature = rsasp1(this, em); - -- free(digestInfo.ptr); -- free(em.ptr); -- -+ chunk_free(&em); - return TRUE; - } - -diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c -index 065c88903344..f27b24c6f319 100644 ---- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c -+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c -@@ -68,7 +68,9 @@ struct private_gmp_rsa_public_key_t { - /** - * Shared functions defined in gmp_rsa_private_key.c - */ --extern chunk_t gmp_mpz_to_chunk(const mpz_t value); -+chunk_t gmp_mpz_to_chunk(const mpz_t value); -+bool gmp_emsa_pkcs1_signature_data(hash_algorithm_t hash_algorithm, -+ chunk_t data, size_t keylen, chunk_t *em); - - /** - * RSAEP algorithm specified in PKCS#1. -@@ -113,26 +115,13 @@ static chunk_t rsavp1(private_gmp_rsa_public_key_t *this, chunk_t data) - } - - /** -- * ASN.1 definition of digestInfo -- */ --static const asn1Object_t digestInfoObjects[] = { -- { 0, "digestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */ -- { 1, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 1 */ -- { 1, "digest", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */ -- { 0, "exit", ASN1_EOC, ASN1_EXIT } --}; --#define DIGEST_INFO 0 --#define DIGEST_INFO_ALGORITHM 1 --#define DIGEST_INFO_DIGEST 2 -- --/** -- * Verification of an EMPSA PKCS1 signature described in PKCS#1 -+ * Verification of an EMSA PKCS1 signature described in PKCS#1 - */ - static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this, - hash_algorithm_t algorithm, - chunk_t data, chunk_t signature) - { -- chunk_t em_ori, em; -+ chunk_t em_expected, em; - bool success = FALSE; - - /* remove any preceding 0-bytes from signature */ -@@ -146,140 +135,19 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this, - return FALSE; - } - -- /* unpack signature */ -- em_ori = em = rsavp1(this, signature); -- -- /* result should look like this: -- * EM = 0x00 || 0x01 || PS || 0x00 || T. -- * PS = 0xFF padding, with length to fill em -- * T = oid || hash -- */ -- -- /* check magic bytes */ -- if (em.len < 2 || *(em.ptr) != 0x00 || *(em.ptr+1) != 0x01) -- { -- goto end; -- } -- em = chunk_skip(em, 2); -- -- /* find magic 0x00 */ -- while (em.len > 0) -- { -- if (*em.ptr == 0x00) -- { -- /* found magic byte, stop */ -- em = chunk_skip(em, 1); -- break; -- } -- else if (*em.ptr != 0xFF) -- { -- /* bad padding, decryption failed ?!*/ -- goto end; -- } -- em = chunk_skip(em, 1); -- } -- -- if (em.len == 0) -+ /* generate expected signature value */ -+ if (!gmp_emsa_pkcs1_signature_data(algorithm, data, this->k, &em_expected)) - { -- /* no digestInfo found */ -- goto end; -- } -- -- if (algorithm == HASH_UNKNOWN) -- { /* IKEv1 signatures without digestInfo */ -- if (em.len != data.len) -- { -- DBG1(DBG_LIB, "hash size in signature is %u bytes instead of" -- " %u bytes", em.len, data.len); -- goto end; -- } -- success = memeq_const(em.ptr, data.ptr, data.len); -+ return FALSE; - } -- else -- { /* IKEv2 and X.509 certificate signatures */ -- asn1_parser_t *parser; -- chunk_t object; -- int objectID; -- hash_algorithm_t hash_algorithm = HASH_UNKNOWN; - -- DBG2(DBG_LIB, "signature verification:"); -- parser = asn1_parser_create(digestInfoObjects, em); -- -- while (parser->iterate(parser, &objectID, &object)) -- { -- switch (objectID) -- { -- case DIGEST_INFO: -- { -- if (em.len > object.len) -- { -- DBG1(DBG_LIB, "digestInfo field in signature is" -- " followed by %u surplus bytes", -- em.len - object.len); -- goto end_parser; -- } -- break; -- } -- case DIGEST_INFO_ALGORITHM: -- { -- int hash_oid = asn1_parse_algorithmIdentifier(object, -- parser->get_level(parser)+1, NULL); -- -- hash_algorithm = hasher_algorithm_from_oid(hash_oid); -- if (hash_algorithm == HASH_UNKNOWN || hash_algorithm != algorithm) -- { -- DBG1(DBG_LIB, "expected hash algorithm %N, but found" -- " %N (OID: %#B)", hash_algorithm_names, algorithm, -- hash_algorithm_names, hash_algorithm, &object); -- goto end_parser; -- } -- break; -- } -- case DIGEST_INFO_DIGEST: -- { -- chunk_t hash; -- hasher_t *hasher; -- -- hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm); -- if (hasher == NULL) -- { -- DBG1(DBG_LIB, "hash algorithm %N not supported", -- hash_algorithm_names, hash_algorithm); -- goto end_parser; -- } -- -- if (object.len != hasher->get_hash_size(hasher)) -- { -- DBG1(DBG_LIB, "hash size in signature is %u bytes" -- " instead of %u bytes", object.len, -- hasher->get_hash_size(hasher)); -- hasher->destroy(hasher); -- goto end_parser; -- } -- -- /* build our own hash and compare */ -- if (!hasher->allocate_hash(hasher, data, &hash)) -- { -- hasher->destroy(hasher); -- goto end_parser; -- } -- hasher->destroy(hasher); -- success = memeq_const(object.ptr, hash.ptr, hash.len); -- free(hash.ptr); -- break; -- } -- default: -- break; -- } -- } -+ /* unpack signature */ -+ em = rsavp1(this, signature); - --end_parser: -- success &= parser->success(parser); -- parser->destroy(parser); -- } -+ success = chunk_equals_const(em_expected, em); - --end: -- free(em_ori.ptr); -+ chunk_free(&em_expected); -+ chunk_free(&em); - return success; - } - --- -2.7.4 - diff --git a/0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch b/0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch deleted file mode 100644 index aad6a1b..0000000 --- a/0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 0acd1ab4d08d53d80393b1a37b8781f6e7b2b996 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Tue, 13 Mar 2018 18:54:08 +0100 -Subject: [PATCH] stroke: Ensure a minimum message length - ---- - src/libcharon/plugins/stroke/stroke_socket.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c -index c568440b7ae2..1e7f210e940a 100644 ---- a/src/libcharon/plugins/stroke/stroke_socket.c -+++ b/src/libcharon/plugins/stroke/stroke_socket.c -@@ -627,6 +627,11 @@ static bool on_accept(private_stroke_socket_t *this, stream_t *stream) - } - return FALSE; - } -+ if (len < offsetof(stroke_msg_t, buffer)) -+ { -+ DBG1(DBG_CFG, "invalid stroke message length %d", len); -+ return FALSE; -+ } - - /* read message (we need an additional byte to terminate the buffer) */ - msg = malloc(len + 1); --- -2.7.4 - diff --git a/0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch b/0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch deleted file mode 100644 index e5b6da1..0000000 --- a/0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch +++ /dev/null @@ -1,39 +0,0 @@ -From b450318c15496f89e7c93392c9b5d2c6045c7de9 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Mon, 19 Mar 2018 17:03:05 +0100 -Subject: [PATCH] ikev2: Initialize variable in case set_key() or - allocate_bytes() fails - -In case the PRF's set_key() or allocate_bytes() method failed, skeyseed -was not initialized and the chunk_clear() call later caused a crash. - -This could have happened with OpenSSL in FIPS mode when MD5 was -negotiated (and test vectors were not checked, in which case the PRF -couldn't be instantiated as the test vectors would have failed). -MD5 is not included in the default proposal anymore since 5.6.1, so -with recent versions this could only happen with configs that are not -valid in FIPS mode anyway. - -Fixes: CVE-2018-10811 ---- - src/libcharon/sa/ikev2/keymat_v2.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c -index 0c41c68d0118..8b20d1ce986f 100644 ---- a/src/libcharon/sa/ikev2/keymat_v2.c -+++ b/src/libcharon/sa/ikev2/keymat_v2.c -@@ -303,8 +303,8 @@ METHOD(keymat_v2_t, derive_ike_keys, bool, - chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, - pseudo_random_function_t rekey_function, chunk_t rekey_skd) - { -- chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed; -- chunk_t spi_i, spi_r; -+ chunk_t skeyseed = chunk_empty, key, secret, full_nonce, fixed_nonce; -+ chunk_t prf_plus_seed, spi_i, spi_r; - prf_plus_t *prf_plus = NULL; - uint16_t alg, key_size, int_alg; - prf_t *rekey_prf = NULL; --- -2.7.4 - diff --git a/0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch b/0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch deleted file mode 100644 index 26f17f6..0000000 --- a/0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 129ab919a8c3abfc17bea776f0774e0ccf33ca09 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Tue, 25 Sep 2018 14:50:08 +0200 -Subject: [PATCH] gmp: Fix buffer overflow with very small RSA keys - -Because `keylen` is unsigned the subtraction results in an integer -underflow if the key length is < 11 bytes. - -This is only a problem when verifying signatures with a public key (for -private keys the plugin enforces a minimum modulus length) and to do so -we usually only use trusted keys. However, the x509 plugin actually -calls issued_by() on a parsed certificate to check if it is self-signed, -which is the reason this issue was found by OSS-Fuzz in the first place. -So, unfortunately, this can be triggered by sending an invalid client -cert to a peer. - -Fixes: 5955db5b124a ("gmp: Don't parse PKCS1 v1.5 RSA signatures to verify them") -Fixes: CVE-2018-17540 ---- - src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c -index e9a83fdf49a1..a255a40abce2 100644 ---- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c -+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c -@@ -301,7 +301,7 @@ bool gmp_emsa_pkcs1_signature_data(hash_algorithm_t hash_algorithm, - data = digestInfo; - } - -- if (data.len > keylen - 11) -+ if (keylen < 11 || data.len > keylen - 11) - { - chunk_free(&digestInfo); - DBG1(DBG_LIB, "signature value of %zu bytes is too long for key of " --- -2.7.4 - diff --git a/strongswan-5.6.0.tar.bz2 b/strongswan-5.6.0.tar.bz2 deleted file mode 100644 index 45047e3..0000000 --- a/strongswan-5.6.0.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a14dc0d92634ed52730bfc76a76db30943a28ed3c65a560066e1e9f785827b13 -size 4850722 diff --git a/strongswan-5.6.0.tar.bz2.sig b/strongswan-5.6.0.tar.bz2.sig deleted file mode 100644 index c9ad79b..0000000 --- a/strongswan-5.6.0.tar.bz2.sig +++ /dev/null @@ -1,14 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iQGcBAABAgAGBQJZkUjtAAoJEN9CwXCzTbp3m08L/3A4QqZMMuBMuliao4kwO4tG -kyHD+nWMrFIK2dwu9zAMY5noiVUNcXExPgF7UTbW77Tr2s8RtkrnIUCTEJ+qYk7F -CNX2BmdYbB9MAofkaou/xAXKgfxXVxw41DY7sK59e+VZayJ+LN9Suq413ymdF6Da -kclM5ZoEM9X7feY+n1U2/DG199pF5sFN4dEt+kgSD4NJuZHsn+jfLVYzciHBIyk5 -d1tnUAVjVUIVfGrQ6SG2SoASIla4Qv27YszdRtzIRYVjzj+bt4gX2ORkpChLGg6M -an50EM6yDBdDDyF+muNKl8OaE6YaAmIBKuftn/Rlx8kILzUTtiKk+6au699XaW/H -dMdHgb8AsyTi/nudz/nYfHUyYIbalOLwttG8qh3U+qCZ9ZbXy6wi9HB8FBPUNRru -UBd1Y+kh7FMicZprlr5xGxJ78vi7avV9HOjxIZldfoAaP/AO9l4fXYs2AVzZRalJ -eCwB7EHznJ/KVoKZ9MpXp6ne3iPGLYsoo92B8OXY3g== -=ZRFr ------END PGP SIGNATURE----- diff --git a/strongswan-5.8.2.tar.bz2 b/strongswan-5.8.2.tar.bz2 new file mode 100644 index 0000000..42edc4e --- /dev/null +++ b/strongswan-5.8.2.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:86900ddbe7337c923dadf2c8339ae8ed2b9158e3691745884d08ae534677430e +size 4533402 diff --git a/strongswan-5.8.2.tar.bz2.sig b/strongswan-5.8.2.tar.bz2.sig new file mode 100644 index 0000000..f025402 --- /dev/null +++ b/strongswan-5.8.2.tar.bz2.sig @@ -0,0 +1,14 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQGcBAABAgAGBQJd+MscAAoJEN9CwXCzTbp3f6ML/0y5DGj7CytdIWcT7ODbZ5Dt +S8MS2BHxUJ4cgzB8InCK4wNQFpyzRhR2goPly1B8RVNSVSfdyvqfSC/A++esZe3m +wwjsjzjWYVaNnkj1lrl/8azOiDkD/uA/NaaUcASp6hoJIJQALYW5HfPjL/S/hC+v +iVio5Fy9c/9HGJEeeZxqRMp/gTNjvh05hbP9ukLADk6klphwaNFg5o0YNgf1NJFE +CBo/rGJNVfvEUUlJMLiBlFCBaPMOIjoIXODpjootRioDpnF6IonfcoIGiR6TuRQC +zR3u3Zhgpe4tJfkKCpCCSPGwMCcwreMAUwzRf/U/HDUSPZX+c4sBOIl8eedwVA77 +DjNlktwmPta8x4YOh6NB3ghAwwztEkPvvaAIcwH0gh1DkjIicFr2VkoXIS5jqaVN +bK2YvTQ7StZa35VaEYnlu5JzIchPlqhXND6sWLWJolnwrNWskZyojVYioyIv3KJJ +tXphbN0HHCfLPs5vX8/X97IAa06tsnEOZEZg5Sk3Jw== +=VHUc +-----END PGP SIGNATURE----- diff --git a/strongswan-5.6.0-rpmlintrc b/strongswan-rpmlintrc similarity index 100% rename from strongswan-5.6.0-rpmlintrc rename to strongswan-rpmlintrc diff --git a/strongswan.changes b/strongswan.changes index a34f85c..476e2b0 100644 --- a/strongswan.changes +++ b/strongswan.changes @@ -1,34 +1,203 @@ ------------------------------------------------------------------- -Thu Nov 14 12:56:01 UTC 2019 - Madhu Mohan Nelemane +Sun Jan 26 08:54:01 UTC 2020 - Jan Engelhardt -- Added patch to fix vulnerability: CVE-2018-17540 (bsc#1109845) - [+ 0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch] +- Replace %__-type macro indirections. Update homepage URL to https. ------------------------------------------------------------------- -Wed Nov 13 16:43:52 UTC 2019 - Madhu Mohan Nelemane +Mon Jan 6 22:06:58 UTC 2020 - Bjørn Lie -- Added patch to fix vulnerability: CVE-2018-10811 (bsc#1093536) - - denial-of-service vulnerability - [+ 0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch] +- Update to version 5.8.2: + * The systemd service units have changed their name. + "strongswan" is now "strongswan-starter", and + "strongswan-swanctl" is now "strongswan". + After installation, you need to `systemctl disable` the old + name and `systemctl enable`+start the new one. + * Fix CVE-2018-17540, CVE-2018-16151 and CVE-2018-16152. + * boo#1109845 and boo#1107874. +- Please check included NEWS file for info on what other changes + that have been done in versions 5.8.2, 5.8.1 5.8.0, 5.7.2, 5.7.1 + and 5.7.0. +- Rebase strongswan_ipsec_service.patch. +- Disable patches that need rebase or dropping: + * strongswan_modprobe_syslog.patch + * 0006-fix-compilation-error-by-adding-stdint.h.patch +- Add conditional pkgconfig(libsystemd) BuildRequires: New + dependency. ------------------------------------------------------------------- -Wed Nov 13 15:41:29 UTC 2019 - Madhu Mohan Nelemane +Wed Jun 6 22:14:57 UTC 2018 - bjorn.lie@gmail.com - - Added patch to fix vulnerability: CVE-2018-5388 (bsc#1094462) - - Buffer Underflow in stroke_socket.c - [+ 0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch] +- Update to version 5.6.3 (CVE-2018-10811, boo#1093536, + CVE-2018-5388, boo#1094462): + * Fixed a DoS vulnerability in the IKEv2 key derivation if the + openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated + as PRF. This vulnerability has been registered as + CVE-2018-10811, boo#1093536. + * Fixed a vulnerability in the stroke plugin, which did not check + the received length before reading a message from the socket. + Unless a group is configured, root privileges are required to + access that socket, so in the default configuration this + shouldn't be an issue. This vulnerability has been registered + as CVE-2018-5388, boo#1094462. + * CRLs that are not yet valid are now ignored to avoid problems + in scenarios where expired certificates are removed from new + CRLs and the clock on the host doing the revocation check is + trailing behind that of the host issuing CRLs. Not doing this + could result in accepting a revoked and expired certificate, if + it's still valid according to the trailing clock but not + contained anymore in not yet valid CRLs. + * The issuer of fetched CRLs is now compared to the issuer of the + checked certificate (#2608). + * CRL validation results other than revocation (e.g. a skipped + check because the CRL couldn't be fetched) are now stored also + for intermediate CA certificates and not only for end-entity + certificates, so a strict CRL policy can be enforced in such + cases. + * In compliance with RFC 4945, section 5.1.3.2, certificates used + for IKE must now either not contain a keyUsage extension (like + the ones generated by pki), or have at least one of the + digitalSignature or nonRepudiation bits set. + * New options for vici/swanctl allow forcing the local + termination of an IKE_SA. This might be useful in situations + where it's known the other end is not reachable anymore, or + that it already removed the IKE_SA, so retransmitting a DELETE + and waiting for a response would be pointless. + * Waiting only a certain amount of time for a response (i.e. + shorter than all retransmits would be) before destroying the + IKE_SA is also possible by additionally specifying a timeout in + the forced termination request. + * When removing routes, the kernel-netlink plugin now checks if + it tracks other routes for the same destination and replaces + the installed route instead of just removing it. Same during + installation, where existing routes previously weren't + replaced. This should allow using traps with virtual IPs on + Linux (#2162). + * The dhcp plugin now only sends the client identifier DHCP + option if the identity_lease setting is enabled (7b660944b6). + It can also send identities of up to 255 bytes length, instead + of the previous 64 bytes (30e886fe3b, 0e5b94d038). If a server + address is configured, DHCP requests are now sent from port 67 + instead of 68 to avoid ICMP port unreachables (becf027cd9). + * The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one + containing a DH group that wasn't proposed) during + CREATE_CHILD_SA exchanges has been improved (#2536). + * Roam events are now completely ignored for IKEv1 SAs (there is + no MOBIKE to handle such changes properly). + * ChaCha20/Poly1305 is now correctly proposed without key length + (#2614). For compatibility with older releases the + chacha20poly1305compat keyword may be included in proposals to + also propose the algorithm with a key length (c58434aeff). + * Configuration of hardware offload of IPsec SAs is now more + flexible and allows a new setting (auto), which automatically + uses it if the kernel and device both support it. If hw_offload + is set to yes and offloading is not supported, the CHILD_SA + installation now fails. + * The kernel-pfkey plugin optionally installs routes via internal + interface (one with an IP in the local traffic selector). On + FreeBSD, enabling this selects the correct source IP when + sending packets from the gateway itself (e811659323). + * SHA-2 based PRFs are supported in PKCS#8 files as generated by + OpenSSL 1.1 (#2574). + * The pki --verify tool may load CA certificates and CRLs from + directories. + * The IKE daemon now also switches to port 4500 if the remote + port is not 500 (e.g. because the remote maps the response to a + different port, as might happen on Azure), as long as the local + port is 500 (85bfab621d). + * Fixed an issue with DNS servers passed to NetworkManager in + charon-nm (ee8c25516a). + * Logged traffic selectors now always contain the protocol if + either protocol or port are set (a36d8097ed). + * Only the inbound SA/policy will be updated as reaction to IP + address changes for rekeyed CHILD_SAs that are kept around. + * The parser for strongswan.conf/swanctl.conf now accepts = + characters in values without having to put the value in quotes + (e.g. for Base64 encoded shared secrets). +- Rename strongswan-5.6.2-rpmlintrc to strongswan-rpmlintrc, + changing the version string on every version update makes no + sense. ------------------------------------------------------------------- -Wed Nov 13 13:51:38 UTC 2019 - Madhu Mohan Nelemane +Tue Apr 17 13:24:38 UTC 2018 - bjorn.lie@gmail.com -- Added patch to fix vulnerability: CVE-2018-16151,CVE-2018-16152 (bsc#1107874) - - Insufficient input validation in gmp plugin - [+ 0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch] +- Update to version 5.6.2: + * Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS + signatures that was caused by insufficient input validation. + One of the configurable parameters in algorithm identifier + structures for RSASSA-PSS signatures is the mask generation + function (MGF). Only MGF1 is currently specified for this + purpose. However, this in turn takes itself a parameter that + specifies the underlying hash function. strongSwan's parser did + not correctly handle the case of this parameter being absent, + causing an undefined data read. This vulnerability has been + registered as CVE-2018-6459. + * When rekeying IKEv2 IKE_SAs the previously negotiated DH group + will be reused, instead of using the first configured group, + which avoids an additional exchange if the peer previously + selected a different DH group via INVALID_KE_PAYLOAD notify. + The same is also done when rekeying CHILD_SAs except for the + first rekeying of the CHILD_SA that was created with the + IKE_SA, where no DH group was negotiated yet. Also, the + selected DH group is moved to the front in all sent proposals + that contain it and all proposals that don't are moved to the + back in order to convey the preference for this group to the + peer. + * Handling of MOBIKE task queuing has been improved. In + particular, the response to an address update (with NAT-D + payloads) is not ignored anymore if only an address list update + or DPD is queued as that could prevent updating the UDP + encapsulation in the kernel. + * On Linux, roam events may optionally be triggered by changes to + the routing rules, which can be useful if routing rules + (instead of e.g. route metrics) are used to switch from one to + another interface (i.e. from one to another routing table). + Since routing rules are currently not evaluated when doing + route lookups this is only useful if the kernel-based route + lookup is used (4664992f7d). + * The fallback drop policies installed to avoid traffic leaks + when replacing addresses in installed policies are now replaced + by temporary drop policies, which also prevent acquires because + we currently delete and reinstall IPsec SAs to update their + addresses (35ef1b032d). + * Access X.509 certificates held in non-volatile storage of a TPM + 2.0 referenced via the NV index. + * Adding the --keyid parameter to pki --print allows to print + private keys or certificates stored in a smartcard or a TPM + 2.0. + * Fixed proposal selection if a peer incorrectly sends DH groups + in the ESP proposal during IKE_AUTH and also if a DH group is + configured in the local ESP proposal and + charon.prefer_configured_proposals is disabled (d058fd3c32). + * The lookup for PSK secrets for IKEv1 has been improved for + certain scenarios (see #2497 for details). + * MSKs received via RADIUS are now padded to 64 bytes to avoid + compatibility issues with EAP-MSCHAPv2 and PRFs that have a + block size < 64 bytes (e.g. AES-XCBC-PRF-128, see 73cbce6013). + * The tpm_extendpcr command line tool extends a digest into a TPM + PCR. + * Ported the NetworkManager backend from the deprecated + libnm-glib to libnm. + * The save-keys debugging/development plugin saves IKE and/or ESP + keys to files compatible with Wireshark. +- Following upstreams port, replace NetworkManager-devel with + pkgconfig(libnm) BuildRequires. +- Refresh patches with quilt. +- Disable strongswan_fipsfilter.patch, needs rebase or dropping, + the file it patches no longer exists in tarball. ------------------------------------------------------------------- -Wed Mar 14 15:43:42 UTC 2018 - mmnelemane@suse.com +Fri Mar 16 08:55:10 UTC 2018 - mmnelemane@suse.com -- Removed unused requires and macro calls(bsc#1083261) +- Removed unused requires and macro calls(bsc#1083261) + +------------------------------------------------------------------- +Tue Oct 17 11:27:54 UTC 2017 - jengelh@inai.de + +- Update summaries and descriptions. Trim filler words and + author list. +- Drop %if..%endif guards that are idempotent and do not affect + the build result. +- Replace old $RPM_ shell variables. ------------------------------------------------------------------- Tue Sep 5 17:10:11 CEST 2017 - ndas@suse.de diff --git a/strongswan.spec b/strongswan.spec index 3745bc6..d4a0ca6 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,7 +1,7 @@ # # spec file for package strongswan # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,12 +12,12 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: strongswan -Version: 5.6.0 +Version: 5.8.2 Release: 0 %define upstream_version %{version} %define strongswan_docdir %{_docdir}/%{name} @@ -61,33 +61,31 @@ Release: 0 %else %bcond_with systemd %endif -Summary: OpenSource IPsec-based VPN Solution -License: GPL-2.0+ +Summary: IPsec-based VPN solution +License: GPL-2.0-or-later Group: Productivity/Networking/Security -Url: http://www.strongswan.org/ -Requires: strongswan-ipsec = %{version} +URL: https://www.strongswan.org/ Source0: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2 Source1: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig Source2: %{name}.init.in -Source3: %{name}-%{version}-rpmlintrc +Source3: %{name}-rpmlintrc Source4: README.SUSE Source5: %{name}.keyring %if %{with fipscheck} Source6: fipscheck.sh.in Source7: fips-enforce.conf %endif +# Needs rebase Patch1: %{name}_modprobe_syslog.patch Patch2: %{name}_ipsec_service.patch %if %{with fipscheck} Patch3: %{name}_fipscheck.patch +# Patch4 needs rebase, file it patches no longer exists in tarball. Patch4: %{name}_fipsfilter.patch %endif Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch +# Needs rebase Patch6: 0006-fix-compilation-error-by-adding-stdint.h.patch -Patch7: 0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch -Patch8: 0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch -Patch9: 0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch -Patch10: 0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison BuildRequires: curl-devel @@ -111,10 +109,11 @@ BuildRequires: sqlite3-devel BuildRequires: libgcrypt-devel %endif %if %{with nm} -BuildRequires: NetworkManager-devel +BuildRequires: pkgconfig(libnm) %endif %if %{with systemd} %{?systemd_requires} +BuildRequires: pkgconfig(libsystemd) %endif BuildRequires: iptables %if %{with systemd} @@ -129,19 +128,19 @@ BuildRequires: automake BuildRequires: fipscheck %endif BuildRequires: libtool +Requires: strongswan-ipsec = %{version} %description -StrongSwan is an OpenSource IPsec-based VPN Solution for Linux +StrongSwan is an IPsec-based VPN solution for Linux. -* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels -* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols +* Implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols * Fully tested support of IPv6 IPsec tunnel and transport connections -* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555) +* Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555) * Automatic insertion and deletion of IPsec-policy-based firewall rules * Strong 128/192/256 bit AES or Camellia encryption, 3DES support -* NAT-Traversal via UDP encapsulation and port floating (RFC 3947) +* NAT Traversal via UDP encapsulation and port floating (RFC 3947) * Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels -* Static virtual IPs and IKEv1 ModeConfig pull and push modes +* Static virtual IP addresses and IKEv1 ModeConfig pull and push modes * XAUTH server and client functionality on top of IKEv1 Main Mode authentication * Virtual IP address pool managed by IKE daemon or SQL database * Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.) @@ -158,46 +157,32 @@ StrongSwan is an OpenSource IPsec-based VPN Solution for Linux * Modular plugins for crypto algorithms and relational database interfaces * Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869) * Optional built-in integrity and crypto tests for plugins and libraries -* Smooth Linux desktop integration via the strongSwan NetworkManager applet +* Linux desktop integration via the strongSwan NetworkManager applet This package triggers the installation of both, IKEv1 and IKEv2 daemons. -Authors: --------- - Andreas Steffen - and others - %package doc +Summary: Documentation for strongSwan +Group: Documentation/Man BuildArch: noarch -Summary: OpenSource IPsec-based VPN Solution -Group: Productivity/Networking/Security %description doc -StrongSwan is an OpenSource IPsec-based VPN Solution for Linux +StrongSwan is an IPsec-based VPN solution for Linux. This package provides the StrongSwan documentation. - - -Authors: --------- - Andreas Steffen - and others - %package libs0 -Summary: OpenSource IPsec-based VPN Solution +Summary: strongSwan core libraries and basic plugins Group: Productivity/Networking/Security Conflicts: strongswan < %{version} %description libs0 -StrongSwan is an OpenSource IPsec-based VPN Solution for Linux +StrongSwan is an IPsec-based VPN solution for Linux. This package provides the strongswan library and plugins. -%if %{with fipscheck} - %package hmac -Summary: HMAC files for FIPS-140-2 integrity +Summary: HMAC files for FIPS-140-2 integrity in strongSwan Group: Productivity/Networking/Security Requires: fipscheck Requires: strongswan-ipsec = %{version} @@ -210,10 +195,8 @@ _fipscheck helper script preforming the integrity checks before e.g. "ipsec start" action is executed, when FIPS-140-2 compliant operation mode is enabled. -%endif - %package ipsec -Summary: OpenSource IPsec-based VPN Solution +Summary: IPsec-based VPN solution Group: Productivity/Networking/Security Requires: strongswan-libs0 = %{version} Provides: VPN @@ -223,101 +206,83 @@ Obsoletes: strongswan < %{version} Conflicts: freeswan openswan %description ipsec -StrongSwan is an OpenSource IPsec-based VPN Solution for Linux +StrongSwan is an IPsec-based VPN solution for Linux. This package provides the /etc/init.d/ipsec service script and allows -to maintain both, IKEv1 and IKEv2, using the /etc/ipsec.conf and the +to maintain both IKEv1 and IKEv2 using the /etc/ipsec.conf and the /etc/ipsec.sectes files. -%if %{with mysql} - %package mysql -Summary: OpenSource IPsec-based VPN Solution +Summary: MySQL plugin for strongSwan Group: Productivity/Networking/Security Requires: strongswan-libs0 = %{version} %description mysql -StrongSwan is an OpenSource IPsec-based VPN Solution for Linux +StrongSwan is an IPsec-based VPN solution for Linux. This package provides the strongswan mysql plugin. -%endif - -%if %{with sqlite} - %package sqlite -Summary: OpenSource IPsec-based VPN Solution +Summary: SQLite plugin for strongSwan Group: Productivity/Networking/Security Requires: strongswan-libs0 = %{version} %description sqlite -StrongSwan is an OpenSource IPsec-based VPN Solution for Linux +StrongSwan is an OpenSource IPsec-based VPN solution for Linux. This package provides the strongswan sqlite plugin. -%endif - -%if %{with nm} - %package nm -Summary: OpenSource IPsec-based VPN Solution +Summary: NetworkManager plugin for strongSwan Group: Productivity/Networking/Security Requires: strongswan-libs0 = %{version} %description nm -StrongSwan is an OpenSource IPsec-based VPN Solution for Linux +StrongSwan is an OpenSource IPsec-based VPN solution for Linux. This package provides the NetworkManager plugin to control the charon IKEv2 daemon through D-Bus, designed to work using the NetworkManager-strongswan graphical user interface. -%endif - -%if %{with tests} - %package tests - -Summary: OpenSource IPsec-based VPN Solution +Summary: Testing plugins for strongSwan Group: Productivity/Networking/Security Requires: strongswan-libs0 = %{version} %description tests -StrongSwan is an OpenSource IPsec-based VPN Solution for Linux +StrongSwan is an OpenSource IPsec-based VPN solution for Linux. -This package provides the strongswan crypto test-vectors plugin +This package provides the strongswan crypto test vectors plugin and the load testing plugin for IKEv2 daemon. -%endif - %prep %setup -q -n %{name}-%{upstream_version} -%patch1 -p0 -%patch2 -p0 +# Needs rebase, file it patches no longer exists. +#patch1 -p1 +%patch2 -p1 %if %{with fipscheck} %patch3 -p1 -%patch4 -p1 +# Needs rebase, file it patches no longer exists. +#patch4 -p1 %endif %patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 +# Needs rebase. +#patch6 -p1 sed -e 's|@libexecdir@|%_libexecdir|g' \ - < $RPM_SOURCE_DIR/strongswan.init.in \ + < %{_sourcedir}/strongswan.init.in \ > strongswan.init %if %{with fipscheck} sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \ -e 's|@IPSEC_LIBDIR@|%{_libdir}/ipsec|g' \ -e 's|@IPSEC_SBINDIR@|%{_sbindir}|g' \ -e 's|@IPSEC_BINDIR@|%{_bindir}|g' \ - < $RPM_SOURCE_DIR/fipscheck.sh.in \ + < %{_sourcedir}/fipscheck.sh.in \ > _fipscheck %endif %build -CFLAGS="$RPM_OPT_FLAGS -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter" -export RPM_OPT_FLAGS CFLAGS +CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter" +export CFLAGS autoreconf --force --install %configure \ %if %{with integrity} @@ -328,6 +293,7 @@ autoreconf --force --install --with-resolv-conf=%{_rundir}/%{name}/resolv.conf \ --with-piddir=%{_rundir}/%{name} \ %if %{with systemd} + --enable-systemd \ --with-systemdsystemunitdir=%{_unitdir} \ %endif --enable-pkcs11 \ @@ -412,25 +378,24 @@ autoreconf --force --install --enable-soup \ --enable-curl \ --disable-static -make %{?_smp_mflags:%_smp_mflags} +make %{?_smp_mflags} %install -export RPM_BUILD_ROOT -install -d -m755 ${RPM_BUILD_ROOT}%{_sbindir}/ -install -d -m755 ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.d/ +install -d -m755 %{buildroot}/%{_sbindir}/ +install -d -m755 %{buildroot}/%{_sysconfdir}/ipsec.d/ %if %{with systemd} -ln -sf %_sbindir/service ${RPM_BUILD_ROOT}%_sbindir/rcstrongswan +ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcstrongswan %else -install -d -m755 ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ -install -m755 strongswan.init ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ipsec -ln -s %{_sysconfdir}/init.d/ipsec ${RPM_BUILD_ROOT}%{_sbindir}/rcipsec +install -d -m755 %{buildroot}/%{_sysconfdir}/init.d/ +install -m755 strongswan.init %{buildroot}/%{_sysconfdir}/init.d/ipsec +ln -s %{_sysconfdir}/init.d/ipsec %{buildroot}/%{_sbindir}/rcipsec %endif # # Ensure, plugin -> library dependencies can be resolved # (e.g. libtls) to avoid plugin segment checksum errors. # -LD_LIBRARY_PATH="$RPM_BUILD_ROOT-$$%{strongswan_libdir}" \ -make install DESTDIR="$RPM_BUILD_ROOT" +LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \ +%make_install # # checksums are calculated during make install using the # installed binaries/libraries... but find-debuginfo.sh @@ -441,23 +406,23 @@ make install DESTDIR="$RPM_BUILD_ROOT" %if %{with integrity} %{?__debug_package: if test -x %{_rpmconfigdir}/find-debuginfo.sh ; then - cp -a "${RPM_BUILD_ROOT}" "${RPM_BUILD_ROOT}-$$" - RPM_BUILD_ROOT="$RPM_BUILD_ROOT-$$" \ + cp -a "%{buildroot}" "%{buildroot}-$$" + RPM_BUILD_ROOT="%{buildroot}-$$" \ %{_rpmconfigdir}/find-debuginfo.sh \ - %{?_find_debuginfo_opts} "${RPM_BUILD_ROOT}-$$" + %{?_find_debuginfo_opts} "%{buildroot}-$$" make -C src/checksum clean rm -f src/checksum/checksum_builder - LD_LIBRARY_PATH="$RPM_BUILD_ROOT-$$%{strongswan_libdir}" \ - make -C src/checksum install DESTDIR="$RPM_BUILD_ROOT-$$" - mv "$RPM_BUILD_ROOT-$$%{strongswan_libdir}/libchecksum.so" \ - "$RPM_BUILD_ROOT%{strongswan_libdir}/libchecksum.so" - rm -rf "${RPM_BUILD_ROOT}-$$" + LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \ + make -C src/checksum install DESTDIR="%{buildroot}-$$" + mv "%{buildroot}-$$/%{strongswan_libdir}/libchecksum.so" \ + "%{buildroot}/%{strongswan_libdir}/libchecksum.so" + rm -rf "%{buildroot}-$$" fi } %endif # -rm -f ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets -cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets +rm -f %{buildroot}/%{_sysconfdir}/ipsec.secrets +cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets # # ipsec.secrets # @@ -467,47 +432,47 @@ cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets EOT # %if ! %{with mysql} -rm -f $RPM_BUILD_ROOT%{strongswan_templates}/database/sql/mysql.sql +rm -f %{buildroot}/%{strongswan_templates}/database/sql/mysql.sql %endif %if ! %{with sqlite} -rm -f $RPM_BUILD_ROOT%{strongswan_templates}/database/sql/sqlite.sql +rm -f %{buildroot}/%{strongswan_templates}/database/sql/sqlite.sql %endif -rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so -rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so -find $RPM_BUILD_ROOT%{strongswan_libdir} -type f -name "*.la" -delete +rm -f %{buildroot}/%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so +rm -f %{buildroot}/%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so +find %{buildroot}/%{strongswan_libdir} -type f -name "*.la" -delete # -install -d -m755 ${RPM_BUILD_ROOT}%{strongswan_docdir}/ +install -d -m755 %{buildroot}/%{strongswan_docdir}/ install -c -m644 TODO NEWS README COPYING LICENSE \ AUTHORS ChangeLog \ - ${RPM_BUILD_ROOT}%{strongswan_docdir}/ -install -c -m644 ${RPM_SOURCE_DIR}/README.SUSE \ - ${RPM_BUILD_ROOT}%{strongswan_docdir}/ + %{buildroot}/%{strongswan_docdir}/ +install -c -m644 %{_sourcedir}/README.SUSE \ + %{buildroot}/%{strongswan_docdir}/ %if %{with systemd} -%{__install} -d -m 0755 %{buildroot}%{_tmpfilesdir} +install -d -m 0755 %{buildroot}%{_tmpfilesdir} echo 'd %{_rundir}/%{name} 0770 root root' > %{buildroot}%{_tmpfilesdir}/%{name}.conf %endif %if %{with fipscheck} # # note: keep the following, _fipscheck's and file lists in sync # -install -c -m750 _fipscheck ${RPM_BUILD_ROOT}%{_libexecdir}/ipsec/ -install -c -m644 ${RPM_SOURCE_DIR}/fips-enforce.conf \ - ${RPM_BUILD_ROOT}%{strongswan_configs}/charon/zzz_fips-enforce.conf +install -c -m750 _fipscheck %{buildroot}/%{_libexecdir}/ipsec/ +install -c -m644 %{_sourcedir}/fips-enforce.conf \ + %{buildroot}/%{strongswan_configs}/charon/zzz_fips-enforce.conf # create fips hmac hashes _after_ install post run %{expand:%%global __os_install_post {%__os_install_post - for f in $RPM_BUILD_ROOT%{strongswan_libdir}/lib*.so.*.*.* \ - $RPM_BUILD_ROOT%{strongswan_libdir}/imcvs/*.so \ - $RPM_BUILD_ROOT%{strongswan_plugins}/*.so \ - $RPM_BUILD_ROOT%{_libexecdir}/ipsec/charon \ - $RPM_BUILD_ROOT%{_libexecdir}/ipsec/charon-nm \ - $RPM_BUILD_ROOT%{_libexecdir}/ipsec/stroke \ - $RPM_BUILD_ROOT%{_libexecdir}/ipsec/starter \ - $RPM_BUILD_ROOT%{_libexecdir}/ipsec/pool \ - $RPM_BUILD_ROOT%{_libexecdir}/ipsec/scepclient \ - $RPM_BUILD_ROOT%{_libexecdir}/ipsec/imv_policy_manager \ - $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_fipscheck \ - $RPM_BUILD_ROOT%{_bindir}/pt-tls-client \ - $RPM_BUILD_ROOT%{_sbindir}/ipsec \ + for f in %{buildroot}/%{strongswan_libdir}/lib*.so.*.*.* \ + %{buildroot}/%{strongswan_libdir}/imcvs/*.so \ + %{buildroot}/%{strongswan_plugins}/*.so \ + %{buildroot}/%{_libexecdir}/ipsec/charon \ + %{buildroot}/%{_libexecdir}/ipsec/charon-nm \ + %{buildroot}/%{_libexecdir}/ipsec/stroke \ + %{buildroot}/%{_libexecdir}/ipsec/starter \ + %{buildroot}/%{_libexecdir}/ipsec/pool \ + %{buildroot}/%{_libexecdir}/ipsec/scepclient \ + %{buildroot}/%{_libexecdir}/ipsec/imv_policy_manager \ + %{buildroot}/%{_libexecdir}/ipsec/_fipscheck \ + %{buildroot}/%{_bindir}/pt-tls-client \ + %{buildroot}/%{_sbindir}/ipsec \ ; do /usr/bin/fipshmac "$f" @@ -518,7 +483,7 @@ install -c -m644 ${RPM_SOURCE_DIR}/fips-enforce.conf \ %post libs0 /sbin/ldconfig %{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/%{name}.conf} -%{!?tmpfiles_create:test -d %{_rundir}/%{name} || %{__mkdir_p} %{_rundir}/%{name}} +%{!?tmpfiles_create:test -d %{_rundir}/%{name} || mkdir -p %{_rundir}/%{name}} %postun libs0 -p /sbin/ldconfig @@ -592,9 +557,11 @@ fi %dir %{_sysconfdir}/ipsec.d/ocspcerts %dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private %if %{with systemd} +%{_unitdir}/strongswan-starter.service %{_unitdir}/strongswan.service -%{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf +%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf %{_sbindir}/rcstrongswan +%{_sbindir}/charon-systemd %else %config %{_sysconfdir}/init.d/ipsec %{_sbindir}/rcipsec @@ -615,6 +582,7 @@ fi %if %{with test} %{_libexecdir}/ipsec/conftest %endif +%{_libexecdir}/ipsec/xfrmi %{_libexecdir}/ipsec/duplicheck %{_libexecdir}/ipsec/pool %{_libexecdir}/ipsec/scepclient @@ -624,6 +592,7 @@ fi %{_libexecdir}/ipsec/_imv_policy %{_libexecdir}/ipsec/imv_policy_manager %dir %{strongswan_plugins} +%{strongswan_plugins}/libstrongswan-drbg.so %{strongswan_plugins}/libstrongswan-stroke.so %{strongswan_plugins}/libstrongswan-updown.so @@ -650,6 +619,9 @@ fi %dir %{strongswan_configs} %dir %{strongswan_configs}/charon %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf +%if %{with systemd} +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-systemd.conf +%endif %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf @@ -660,7 +632,9 @@ fi %config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/counters.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/drbg.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf %if %{with afalg} %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/af-alg.conf @@ -714,6 +688,7 @@ fi %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mgf1.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf @@ -785,6 +760,7 @@ fi %{strongswan_plugins}/libstrongswan-ccm.so %{strongswan_plugins}/libstrongswan-certexpire.so %{strongswan_plugins}/libstrongswan-cmac.so +%{strongswan_plugins}/libstrongswan-counters.so %{strongswan_plugins}/libstrongswan-constraints.so %{strongswan_plugins}/libstrongswan-coupling.so %{strongswan_plugins}/libstrongswan-ctr.so @@ -827,6 +803,7 @@ fi %{strongswan_plugins}/libstrongswan-led.so %{strongswan_plugins}/libstrongswan-md4.so %{strongswan_plugins}/libstrongswan-md5.so +%{strongswan_plugins}/libstrongswan-mgf1.so %{strongswan_plugins}/libstrongswan-nonce.so %{strongswan_plugins}/libstrongswan-openssl.so %{strongswan_plugins}/libstrongswan-pem.so @@ -885,6 +862,7 @@ fi %{strongswan_templates}/config/plugins/ccm.conf %{strongswan_templates}/config/plugins/certexpire.conf %{strongswan_templates}/config/plugins/cmac.conf +%{strongswan_templates}/config/plugins/counters.conf %{strongswan_templates}/config/plugins/constraints.conf %{strongswan_templates}/config/plugins/coupling.conf %{strongswan_templates}/config/plugins/ctr.conf @@ -892,6 +870,7 @@ fi %{strongswan_templates}/config/plugins/des.conf %{strongswan_templates}/config/plugins/dhcp.conf %{strongswan_templates}/config/plugins/dnskey.conf +%{strongswan_templates}/config/plugins/drbg.conf %{strongswan_templates}/config/plugins/duplicheck.conf %{strongswan_templates}/config/plugins/eap-aka-3gpp2.conf %{strongswan_templates}/config/plugins/eap-aka.conf @@ -927,6 +906,7 @@ fi %{strongswan_templates}/config/plugins/led.conf %{strongswan_templates}/config/plugins/md4.conf %{strongswan_templates}/config/plugins/md5.conf +%{strongswan_templates}/config/plugins/mgf1.conf %{strongswan_templates}/config/plugins/nonce.conf %{strongswan_templates}/config/plugins/openssl.conf %{strongswan_templates}/config/plugins/pem.conf @@ -966,6 +946,9 @@ fi %{strongswan_templates}/config/plugins/xcbc.conf %{strongswan_templates}/config/plugins/curve25519.conf %{strongswan_templates}/config/plugins/vici.conf +%if %{with systemd} +%{strongswan_templates}/config/strongswan.d/charon-systemd.conf +%endif %{strongswan_templates}/config/strongswan.d/charon-logging.conf %{strongswan_templates}/config/strongswan.d/charon.conf %{strongswan_templates}/config/strongswan.d/imcv.conf diff --git a/strongswan_ipsec_service.patch b/strongswan_ipsec_service.patch index ab8b13b..cd9b08a 100644 --- a/strongswan_ipsec_service.patch +++ b/strongswan_ipsec_service.patch @@ -1,6 +1,8 @@ ---- init/systemd/strongswan.service.in -+++ init/systemd/strongswan.service.in 2012/10/31 15:21:11 -@@ -8,3 +8,4 @@ StandardOutput=syslog +Index: strongswan-5.6.2/init/systemd/strongswan.service.in +=================================================================== +--- strongswan-5.6.2.orig/init/systemd-starter/strongswan-starter.service.in 2017-02-07 08:04:04.000000000 +0100 ++++ strongswan-5.6.2/init/systemd-starter/strongswan-starter.service.in 2018-04-17 16:53:57.546334751 +0200 +@@ -9,3 +9,4 @@ Restart=on-abnormal [Install] WantedBy=multi-user.target diff --git a/strongswan_modprobe_syslog.patch b/strongswan_modprobe_syslog.patch index 9e71673..30c021c 100644 --- a/strongswan_modprobe_syslog.patch +++ b/strongswan_modprobe_syslog.patch @@ -1,5 +1,7 @@ ---- src/starter/klips.c -+++ src/starter/klips.c 2012/10/30 17:07:23 +Index: strongswan-5.6.2/src/starter/klips.c +=================================================================== +--- strongswan-5.6.2.orig/src/starter/klips.c 2016-04-22 22:01:35.000000000 +0200 ++++ strongswan-5.6.2/src/starter/klips.c 2018-04-17 16:53:57.534334655 +0200 @@ -30,7 +30,7 @@ bool starter_klips_init(void) /* ipsec module makes the pf_key proc interface visible */ if (stat(PROC_MODULES, &stb) == 0) @@ -22,9 +24,11 @@ DBG2(DBG_APP, "found KLIPS IPsec stack"); return TRUE; ---- src/starter/netkey.c -+++ src/starter/netkey.c 2012/10/30 17:07:02 -@@ -31,7 +31,7 @@ bool starter_netkey_init(void) +Index: strongswan-5.6.2/src/starter/netkey.c +=================================================================== +--- strongswan-5.6.2.orig/src/starter/netkey.c 2016-04-22 22:01:35.000000000 +0200 ++++ strongswan-5.6.2/src/starter/netkey.c 2018-04-17 16:53:57.534334655 +0200 +@@ -30,7 +30,7 @@ bool starter_netkey_init(void) /* af_key module makes the netkey proc interface visible */ if (stat(PROC_MODULES, &stb) == 0) { @@ -33,7 +37,7 @@ } /* now test again */ -@@ -45,11 +45,11 @@ bool starter_netkey_init(void) +@@ -44,11 +44,11 @@ bool starter_netkey_init(void) /* make sure that all required IPsec modules are loaded */ if (stat(PROC_MODULES, &stb) == 0) {