rpm/strongswan
SHA256
1
0
Fork 0
forked from pool/strongswan
Code Pull Requests Activity

Accepting request 800173 from home:iznogood:branches:network:vpn

Browse Source 
- Update to version 5.8.4:
  * In IKEv1 Quick Mode make sure that a proposal exists before
    determining lifetimes (fixes a crash due to a null-pointer
    dereference in 5.8.3).
  * OpenSSL currently doesn't support squeezing bytes out of a
    SHAKE128/256 XOF (support was added with 5.8.3) multiple times.
    Unfortunately, EVP_DigestFinalXOF() completely resets the
    context and later calls not simply fail, they cause a
    null-pointer dereference in libcrypto. c5c1898d73 fixes the
    crash at the cost of repeating initializing the whole state and
    allocating too much data for subsequent calls (hopefully, once
    the OpenSSL issue 7894 is resolved we can implement this more
    efficiently).
  * On 32-bit platforms, reading arbitrary 32-bit integers from
    config files (e.g. for charon.spi_min/max) has been fixed.
  * charon-nm now allows using fixed source ports.
- Changes from version 5.8.3:
  * Updates for the NM plugin (and backend, which has to be updated
    to be compatible):
    + EAP-TLS authentication (#2097)
    + Certificate source (file, agent, smartcard) is selectable
      independently
    + Add support to configure local and remote identities (#2581)
    + Support configuring a custom server port (#625)
    + Show hint regarding password storage policy
    + Replaced the term "gateway" with "server"
    + Fixes build issues due to use of deprecated GLib
      macros/functions
    + Updated Glade file to GTK 3.2
  * The NM backend now supports reauthentication and redirection.
  * Previously used reqids are now reallocated, which works around
    an issue on FreeBSD where the kernel doesn't allow the daemon
    to use reqids > 16383 (#2315).
  * On Linux, throw type routes are installed in table 220 for
    passthrough policies. The kernel will then fall back on routes
    in routing tables with lower priorities for matching traffic.
    This way, they require less information (e.g. no interface or
    source IP) and can be installed earlier and are not affected by
    updates.
  * For IKEv1, the lifetimes of the actually selected transform are
    returned to the initiator, which is an issue if the peer uses
    different lifetimes for different transforms (#3329). We now
    also return the correct transform and proposal IDs (proposal ID
    was always 0, transform ID 1). IKE_SAs are now not
    re-established anymore (e.g. after several retransmits) if a
    deletion has been queued (#3335).
  * Added support for Ed448 keys and certificates via openssl
    plugin and pki tool.
  * Added support for SHA-3 and SHAKE128/256 in the openssl plugin.
  * The use of algorithm IDs from the private use range can now be
    enabled globally, to use them even if no strongSwan vendor ID
    was exchanged (05e373aeb0).
  * Fixed a compiler issue that may have caused invalid keyUsage
    extensions in certificates (#3249).
  * A lot of spelling fixes.
  * Fixed several reported issues.
- Drop 0006-Resolve-multiple-definition-of-swanctl_dir.patch: Fixed
  upstream.

OBS-URL: https://build.opensuse.org/request/show/800173
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=122
This commit is contained in:
Jan Engelhardt 2020-05-04 22:37:00 +00:00 committed by Git OBS Bridge
parent 8b73a0ccc0
commit 29d549ad98
7 changed files with 80 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
0006-Resolve-multiple-definition-of-swanctl_dir.patch
View File

@ -1,12 +0,0 @@
diff -Naur strongswan-5.8.2.orig/src/swanctl/swanctl.h strongswan-5.8.2/src/swanctl/swanctl.h
--- strongswan-5.8.2.orig/src/swanctl/swanctl.h 2018-12-14 16:48:24.000000000 +0100
+++ strongswan-5.8.2/src/swanctl/swanctl.h 2020-03-26 07:54:21.876224209 +0100
@@ -30,7 +30,7 @@
/**
* Base directory for credentials and config
*/
-char *swanctl_dir;
+extern char *swanctl_dir;
/**
* Configuration file for connections, etc.

3
strongswan-5.8.2.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:86900ddbe7337c923dadf2c8339ae8ed2b9158e3691745884d08ae534677430e
size 4533402

14
strongswan-5.8.2.tar.bz2.sig
View File

@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAABAgAGBQJd+MscAAoJEN9CwXCzTbp3f6ML/0y5DGj7CytdIWcT7ODbZ5Dt
S8MS2BHxUJ4cgzB8InCK4wNQFpyzRhR2goPly1B8RVNSVSfdyvqfSC/A++esZe3m
wwjsjzjWYVaNnkj1lrl/8azOiDkD/uA/NaaUcASp6hoJIJQALYW5HfPjL/S/hC+v
iVio5Fy9c/9HGJEeeZxqRMp/gTNjvh05hbP9ukLADk6klphwaNFg5o0YNgf1NJFE
CBo/rGJNVfvEUUlJMLiBlFCBaPMOIjoIXODpjootRioDpnF6IonfcoIGiR6TuRQC
zR3u3Zhgpe4tJfkKCpCCSPGwMCcwreMAUwzRf/U/HDUSPZX+c4sBOIl8eedwVA77
DjNlktwmPta8x4YOh6NB3ghAwwztEkPvvaAIcwH0gh1DkjIicFr2VkoXIS5jqaVN
bK2YvTQ7StZa35VaEYnlu5JzIchPlqhXND6sWLWJolnwrNWskZyojVYioyIv3KJJ
tXphbN0HHCfLPs5vX8/X97IAa06tsnEOZEZg5Sk3Jw==
=VHUc
-----END PGP SIGNATURE-----

3
strongswan-5.8.4.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2d9a57e33813b62d58cba07531c4d5a35c6b823dfe9b8ff7c623b6571f02553c
size 4546240

14
strongswan-5.8.4.tar.bz2.sig Normal file
View File

@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAABAgAGBQJegIHmAAoJEN9CwXCzTbp3onEL/iwMScWYL6KgjQCJp2acqFZf
R+aVc18W/Pb4z6Qc8YghcVPlXG1L9cyfHTCHV3jNPXAX3qB+EMSG+DVfY7INdOfg
3It6rVLwMLMYiPmmsMUoZpOfM4Fpw5rM6fjWPI3KogUpjF814TN1JJNIXC0e5jA0
AxzLczzhhNbG+YnSdSDd/XhjG816QDYAv1WdoFvgP65QSVBKmQPzZz+ons6Ivjl5
Il3Tly5IJnOeDfe/K0bsnNBXomjIWnQDtlwG4wfAFJV6YwTtJEvwMErQg9W9iVHY
tndOdn/C8CfPXVnaBAbnkX3Vk9MWhLP+pFMF56Xojga8gPkqTD15zLubVlx8Gzal
dW3s7qi0bmca10JwzOpuDePhzziemcqpsexdlhOuffaz+GZ2wHfupeixVXuFoV+F
b3/htxfibnU8IqQl0YCdYh4vwKYwr6cz07TphmQBhrsLy8SjVr/EngPreDVDCgJ4
tip0FJvV6yU7RTyNHqJOvKfwz9AEbo1ZRsfEEi6Qxw==
=Xj8F
-----END PGP SIGNATURE-----

62
strongswan.changes
View File

@ -1,3 +1,65 @@
-------------------------------------------------------------------
Fri May 1 09:39:42 UTC 2020 - Bjørn Lie <bjorn.lie@gmail.com>
- Update to version 5.8.4:
* In IKEv1 Quick Mode make sure that a proposal exists before
determining lifetimes (fixes a crash due to a null-pointer
dereference in 5.8.3).
* OpenSSL currently doesn't support squeezing bytes out of a
SHAKE128/256 XOF (support was added with 5.8.3) multiple times.
Unfortunately, EVP_DigestFinalXOF() completely resets the
context and later calls not simply fail, they cause a
null-pointer dereference in libcrypto. c5c1898d73 fixes the
crash at the cost of repeating initializing the whole state and
allocating too much data for subsequent calls (hopefully, once
the OpenSSL issue 7894 is resolved we can implement this more
efficiently).
* On 32-bit platforms, reading arbitrary 32-bit integers from
config files (e.g. for charon.spi_min/max) has been fixed.
* charon-nm now allows using fixed source ports.
- Changes from version 5.8.3:
* Updates for the NM plugin (and backend, which has to be updated
to be compatible):
+ EAP-TLS authentication (#2097)
+ Certificate source (file, agent, smartcard) is selectable
independently
+ Add support to configure local and remote identities (#2581)
+ Support configuring a custom server port (#625)
+ Show hint regarding password storage policy
+ Replaced the term "gateway" with "server"
+ Fixes build issues due to use of deprecated GLib
macros/functions
+ Updated Glade file to GTK 3.2
* The NM backend now supports reauthentication and redirection.
* Previously used reqids are now reallocated, which works around
an issue on FreeBSD where the kernel doesn't allow the daemon
to use reqids > 16383 (#2315).
* On Linux, throw type routes are installed in table 220 for
passthrough policies. The kernel will then fall back on routes
in routing tables with lower priorities for matching traffic.
This way, they require less information (e.g. no interface or
source IP) and can be installed earlier and are not affected by
updates.
* For IKEv1, the lifetimes of the actually selected transform are
returned to the initiator, which is an issue if the peer uses
different lifetimes for different transforms (#3329). We now
also return the correct transform and proposal IDs (proposal ID
was always 0, transform ID 1). IKE_SAs are now not
re-established anymore (e.g. after several retransmits) if a
deletion has been queued (#3335).
* Added support for Ed448 keys and certificates via openssl
plugin and pki tool.
* Added support for SHA-3 and SHAKE128/256 in the openssl plugin.
* The use of algorithm IDs from the private use range can now be
enabled globally, to use them even if no strongSwan vendor ID
was exchanged (05e373aeb0).
* Fixed a compiler issue that may have caused invalid keyUsage
extensions in certificates (#3249).
* A lot of spelling fixes.
* Fixed several reported issues.
- Drop 0006-Resolve-multiple-definition-of-swanctl_dir.patch: Fixed
upstream.
-------------------------------------------------------------------
Tue Mar 31 16:42:23 UTC 2020 - Madhu Mohan Nelemane <mmnelemane@suse.com>

4
strongswan.spec
View File

@ -17,7 +17,7 @@
Name: strongswan
Version: 5.8.2
Version: 5.8.4
Release: 0
%define upstream_version %{version}
%define strongswan_docdir %{_docdir}/%{name}
@ -80,7 +80,6 @@ Patch2: %{name}_ipsec_service.patch
Patch3: %{name}_fipscheck.patch
%endif
Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
Patch6: 0006-Resolve-multiple-definition-of-swanctl_dir.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: bison
BuildRequires: curl-devel
@ -257,7 +256,6 @@ and the load testing plugin for IKEv2 daemon.
%patch3 -p1
%endif
%patch5 -p1
%patch6 -p1
sed -e 's|@libexecdir@|%_libexecdir|g' \
< %{_sourcedir}/strongswan.init.in \
> strongswan.init