SHA256
1
0
forked from pool/strongswan

- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:

* Support of xfrm marks in IPsec SAs and IPsec policies introduced
    with the Linux 2.6.34 kernel.
    For details see the example scenarios ikev2/nat-two-rw-mark,
    ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
  * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
    used in a user-specific updown script to set marks on inbound ESP
    or ESP_IN_UDP packets.
  * The openssl plugin now supports X.509 certificate and CRL functions.
  * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
    enabled by default.
    Plase update manual load directives in strongswan.conf.
  * RFC3779 ipAddrBlock constraint checking has been moved to the
    addrblock plugin, disabled by default. Enable it and update manual
    load directives in strongswan.conf, if required.
  * The pki utility supports CRL generation using the --signcrl command.
  * The ipsec pki --self, --issue and --req commands now support output
    in PEM format using the --outform pem option.
  * The major refactoring of the IKEv1 Mode Config functionality now
    allows the transport and handling of any Mode Config attribute.
  * The RADIUS proxy plugin eap-radius now supports multiple servers.
    Configured servers are chosen randomly, with the option to prefer
    a specific server.  Non-responding servers are degraded by the
    selection process.
  * The ipsec pool tool manages arbitrary configuration attributes
    stored in an SQL database. ipsec pool --help gives the details.
  * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
    EAP-AKA, reading triplets/quintuplets from an SQL database.
  * The High Availability plugin now supports a HA enabled in-memory
    address pool and Node reintegration without IKE_SA rekeying. The
    latter allows clients without IKE_SA rekeying support to keep
    connected during reintegration. Additionally, many other issues
    have been fixed in the ha plugin.
  * Fixed a potential remote code execution vulnerability resulting
    from the misuse of snprintf(). The vulnerability is exploitable
    by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
  eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
  that are packaged into separate mysql,sqlite,tests sub packages.

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
This commit is contained in:
Marius Tomaschewski 2010-08-10 11:02:18 +00:00 committed by Git OBS Bridge
parent 5b5f0218e2
commit 60e7ee609f
6 changed files with 147 additions and 112 deletions

View File

@ -1,105 +0,0 @@
From 96e2f9f3a70a7c918772f7dde57c6cb8befbc60e Mon Sep 17 00:00:00 2001
From: Martin Willi <martin@revosec.ch>
Date: Fri, 18 Jun 2010 09:18:27 +0200
Subject: [PATCH] snprintf() fixes, version 4.4.0
---
.../credentials/ietf_attributes/ietf_attributes.c | 13 +++++++++++--
src/libstrongswan/utils/identification.c | 12 ++++++++++++
src/pluto/x509.c | 4 ++++
3 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
index ff3ddeb..de5b85b 100644
--- a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
+++ b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
@@ -159,7 +159,7 @@ static char* get_string(private_ietf_attributes_t *this)
enumerator = this->list->create_enumerator(this->list);
while (enumerator->enumerate(enumerator, &attr))
{
- int written = 0;
+ int written;
if (first)
{
@@ -168,8 +168,12 @@ static char* get_string(private_ietf_attributes_t *this)
else
{
written = snprintf(pos, len, ", ");
+ if (written < 0 || written >= len)
+ {
+ break;
+ }
pos += written;
- len -= written;
+ len -= written;
}
switch (attr->type)
@@ -194,8 +198,13 @@ static char* get_string(private_ietf_attributes_t *this)
break;
}
default:
+ written = 0;
break;
}
+ if (written < 0 || written >= len)
+ {
+ break;
+ }
pos += written;
len -= written;
}
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 6a3c393..6ccfa19 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -297,18 +297,30 @@ static void dntoa(chunk_t dn, char *buf, size_t len)
{
written = snprintf(buf, len,"%s=", oid_names[oid].name);
}
+ if (written < 0 || written >= len)
+ {
+ break;
+ }
buf += written;
len -= written;
chunk_printable(data, &printable, '?');
written = snprintf(buf, len, "%.*s", printable.len, printable.ptr);
chunk_free(&printable);
+ if (written < 0 || written >= len)
+ {
+ break;
+ }
buf += written;
len -= written;
if (data.ptr + data.len != dn.ptr + dn.len)
{
written = snprintf(buf, len, ", ");
+ if (written < 0 || written >= len)
+ {
+ break;
+ }
buf += written;
len -= written;
}
diff --git a/src/pluto/x509.c b/src/pluto/x509.c
index 0a29830..0abebc6 100644
--- a/src/pluto/x509.c
+++ b/src/pluto/x509.c
@@ -393,6 +393,10 @@ void list_x509cert_chain(const char *caption, cert_t* cert,
{
written = snprintf(pos, len, ", %Y", id);
}
+ if (written < 0 || written >= len)
+ {
+ break;
+ }
pos += written;
len -= written;
}
--
1.7.0.4

View File

@ -0,0 +1,5 @@
### Known warnings:
# - traditional name
addFilter("strongswan.* incoherent-init-script-name ipsec")
# - readme only, triggers full ipsec + ikev1&ikev2 install
addFilter("strongswan.* no-binary")

3
strongswan-4.4.1.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2bee6fb9f43c251827f530cd629af1195a566cf99e9d0320c338f1497cbf99c2
size 2982652

View File

@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQGcBAABAgAGBQJMUuERAAoJEN9CwXCzTbp3oqYL/3Gg3EDh4ZhMAvJunRK40JUI
Sw8Ekp3XNFASLDDAOTjZAOOfd/ZAtC3zLDxaT9vRfq4mmWmhtKBHcnAnURDtNees
fraJiv/flvmJ4enZbXp3R3NgIQcXNGDrOi2P7XSydzqq80pW1P4v8JZcMf+glFJO
sdzMgnL2Tg9/TTiivBFtymtknf+yqT4cDKNNolzIuKWPzJ1dR+hSoLlVZ+4efUAS
qGK8EsqTDawZ5AsEvx7BVfusn38wMgQehKV5DhyhM29sm9hYj6nfO99NEfXq8VhG
eYTWU4uJNH5ghTOllc3s9zA8jK49aG+ITIlpqn9xUi41uRlr3DdvMINDBETjGL8E
eKd8AkV0NCDWRsia2mHJLBW9/W107/w3BPKMCm23avMtiRRezsSB0OQ2XpzgDjEH
iPLj0xY4cK6Ratd9qfApfafU1sJSll/Hj0XOiv/UEoIgZUaStVKOO+5d5SrljTlp
hIGJFjWcK262L+aDTGrckDqEpQ/1xHc8KLGF/XiKFg==
=TTSf
-----END PGP SIGNATURE-----

View File

@ -1,3 +1,48 @@
-------------------------------------------------------------------
Tue Aug 10 10:56:34 UTC 2010 - mt@suse.de
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
* Support of xfrm marks in IPsec SAs and IPsec policies introduced
with the Linux 2.6.34 kernel.
For details see the example scenarios ikev2/nat-two-rw-mark,
ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
* The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
used in a user-specific updown script to set marks on inbound ESP
or ESP_IN_UDP packets.
* The openssl plugin now supports X.509 certificate and CRL functions.
* OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default.
Plase update manual load directives in strongswan.conf.
* RFC3779 ipAddrBlock constraint checking has been moved to the
addrblock plugin, disabled by default. Enable it and update manual
load directives in strongswan.conf, if required.
* The pki utility supports CRL generation using the --signcrl command.
* The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
* The major refactoring of the IKEv1 Mode Config functionality now
allows the transport and handling of any Mode Config attribute.
* The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are degraded by the
selection process.
* The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
* The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
EAP-AKA, reading triplets/quintuplets from an SQL database.
* The High Availability plugin now supports a HA enabled in-memory
address pool and Node reintegration without IKE_SA rekeying. The
latter allows clients without IKE_SA rekeying support to keep
connected during reintegration. Additionally, many other issues
have been fixed in the ha plugin.
* Fixed a potential remote code execution vulnerability resulting
from the misuse of snprintf(). The vulnerability is exploitable
by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
that are packaged into separate mysql,sqlite,tests sub packages.
-------------------------------------------------------------------
Fri Jul 2 15:40:17 UTC 2010 - mt@suse.de

View File

@ -1,5 +1,5 @@
#
# spec file for package strongswan (Version 4.4.0)
# spec file for package strongswan (Version 4.4.1)
#
# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@ -19,11 +19,11 @@
Name: strongswan
%define upstream_version 4.4.0
%define upstream_version 4.4.1
%define strongswan_docdir %{_docdir}/%{name}
%define strongswan_plugins %{_libexecdir}/ipsec/plugins
Version: 4.4.0
Release: 4.<RELEASE1>
Version: 4.4.1
Release: 0
License: GPLv2+
Group: Productivity/Networking/Security
Summary: OpenSource IPsec-based VPN Solution
@ -38,7 +38,6 @@ Source2: %{name}.init.in
Source3: %{name}-%{version}-rpmlintrc
Source4: README.SUSE
Patch1: %{name}_modprobe_syslog.patch
Patch2: %{name}-4.4.0-snprintf-fix.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: bison flex gmp-devel gperf pkg-config
BuildRequires: libcap-devel
@ -50,6 +49,7 @@ BuildRequires: curl-devel pam-devel
BuildRequires: libuuid-devel
BuildRequires: NetworkManager-devel
%endif
BuildRequires: libmysqlclient-devel sqlite3-devel
%description
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
@ -116,6 +116,40 @@ StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
This package provides the strongswan library and plugins.
%package mysql
License: GPLv2+
Summary: OpenSource IPsec-based VPN Solution
Group: Productivity/Networking/Security
Requires: strongswan-libs0 = %{version}
%description mysql
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
This package provides the strongswan mysql plugin.
%package sqlite
License: GPLv2+
Summary: OpenSource IPsec-based VPN Solution
Group: Productivity/Networking/Security
Requires: strongswan-libs0 = %{version}
%description sqlite
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
This package provides the strongswan sqlite plugin.
%package tests
License: GPLv2+
Summary: OpenSource IPsec-based VPN Solution
Group: Productivity/Networking/Security
Requires: strongswan-libs0 = %{version}
%description tests
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
This package provides the strongswan crypto test-vectors plugin
and the load testing plugin for IKEv2 daemon.
%package ikev1
License: GPLv2+
Summary: OpenSource IPsec-based VPN Solution
@ -190,7 +224,6 @@ NetworkManager-strongswan graphical user interface.
%prep
%setup -q -n %{name}-%{upstream_version}
%patch1 -p0
%patch2 -p1
sed -e 's|@libexecdir@|%_libexecdir|g' \
< $RPM_SOURCE_DIR/strongswan.init.in \
> strongswan.init
@ -211,24 +244,37 @@ export RPM_OPT_FLAGS CFLAGS
--enable-cisco-quirks \
--enable-openssl \
--enable-agent \
--enable-md4 \
--enable-blowfish \
--enable-eap-sim \
--enable-eap-sim-file \
--enable-eap-simaka-sql \
--enable-eap-simaka-pseudonym \
--enable-eap-simaka-reauth \
--enable-eap-md5 \
--enable-eap-gtc \
--enable-eap-aka \
--enable-eap-radius \
--enable-eap-identity \
--enable-eap-mschapv2 \
--enable-eap-aka-3gpp2 \
--enable-ha \
--enable-dhcp \
--enable-farp \
--enable-sql \
--enable-attr-sql \
--enable-addrblock \
--enable-socket-dynamic \
%if 0%{suse_version} >= 1110
--enable-gcrypt \
--enable-nm \
%endif
--enable-ldap \
--enable-curl
--enable-curl \
--enable-mysql \
--enable-sqlite \
--enable-load-tester \
--enable-test-vectors
make %{?_smp_mflags:%_smp_mflags}
%install
@ -390,20 +436,28 @@ fi
%dir %{_libexecdir}/ipsec/pool
%{_libexecdir}/ipsec/libchecksum.so
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-addrblock.so
%{strongswan_plugins}/libstrongswan-aes.so
%{strongswan_plugins}/libstrongswan-agent.so
%{strongswan_plugins}/libstrongswan-attr.so
%{strongswan_plugins}/libstrongswan-attr-sql.so
%{strongswan_plugins}/libstrongswan-blowfish.so
%{strongswan_plugins}/libstrongswan-curl.so
%{strongswan_plugins}/libstrongswan-des.so
%{strongswan_plugins}/libstrongswan-dhcp.so
%{strongswan_plugins}/libstrongswan-dnskey.so
%{strongswan_plugins}/libstrongswan-eap-aka-3gpp2.so
%{strongswan_plugins}/libstrongswan-eap-aka.so
%{strongswan_plugins}/libstrongswan-eap-gtc.so
%{strongswan_plugins}/libstrongswan-eap-identity.so
%{strongswan_plugins}/libstrongswan-eap-md5.so
%{strongswan_plugins}/libstrongswan-eap-mschapv2.so
%{strongswan_plugins}/libstrongswan-eap-radius.so
%{strongswan_plugins}/libstrongswan-eap-simaka-pseudonym.so
%{strongswan_plugins}/libstrongswan-eap-simaka-reauth.so
%{strongswan_plugins}/libstrongswan-eap-simaka-sql.so
%{strongswan_plugins}/libstrongswan-eap-sim-file.so
%{strongswan_plugins}/libstrongswan-eap-sim.so
%{strongswan_plugins}/libstrongswan-farp.so
%{strongswan_plugins}/libstrongswan-fips-prf.so
%if 0%{suse_version} >= 1110
@ -414,6 +468,7 @@ fi
%{strongswan_plugins}/libstrongswan-hmac.so
%{strongswan_plugins}/libstrongswan-kernel-netlink.so
%{strongswan_plugins}/libstrongswan-ldap.so
%{strongswan_plugins}/libstrongswan-md4.so
%{strongswan_plugins}/libstrongswan-md5.so
%{strongswan_plugins}/libstrongswan-openssl.so
%{strongswan_plugins}/libstrongswan-pem.so
@ -422,13 +477,31 @@ fi
%{strongswan_plugins}/libstrongswan-pubkey.so
%{strongswan_plugins}/libstrongswan-random.so
%{strongswan_plugins}/libstrongswan-resolve.so
%{strongswan_plugins}/libstrongswan-revocation.so
%{strongswan_plugins}/libstrongswan-sha1.so
%{strongswan_plugins}/libstrongswan-sha2.so
%{strongswan_plugins}/libstrongswan-socket-dynamic.so
%{strongswan_plugins}/libstrongswan-socket-raw.so
%{strongswan_plugins}/libstrongswan-sql.so
%{strongswan_plugins}/libstrongswan-x509.so
%{strongswan_plugins}/libstrongswan-xauth.so
%{strongswan_plugins}/libstrongswan-xcbc.so
%dir %ghost %{_localstatedir}/run/strongswan
%files mysql
%defattr(-,root,root)
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-mysql.so
%files sqlite
%defattr(-,root,root)
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-sqlite.so
%files tests
%defattr(-,root,root)
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-load-tester.so
%{strongswan_plugins}/libstrongswan-test-vectors.so
%changelog