From b84f3a369a27834b953fdef066c157d5379bcc2541c82b0706a5c0b9b1c358fa Mon Sep 17 00:00:00 2001
From: Madhu Mohan Nelemane
Date: Thu, 30 Jan 2020 09:34:36 +0000
Subject: [PATCH] osc copypac from project:openSUSE:Leap:15.2 package:strongswan revision:16
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=117
---
 ...compilation-error-by-adding-stdint.h.patch | 11 +-
 ...ongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch | 323 ++++++++++++++++++
 ...trongswan-5.1.2-5.6.2_stroke_msg_len.patch | 28 ++
 ...strongswan-5.5.0-5.6.2_skeyseed_init.patch | 39 +++
 ...gswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch | 38 +++
 ...an-rpmlintrc => strongswan-5.6.0-rpmlintrc | 0
 strongswan-5.6.0.tar.bz2 | 3 +
 strongswan-5.6.0.tar.bz2.sig | 14 +
 strongswan-5.8.2.tar.bz2 | 3 -
 strongswan-5.8.2.tar.bz2.sig | 14 -
 strongswan.changes | 203 +---------
 strongswan.spec | 245 ++++++-------
 strongswan_ipsec_service.patch | 8 +-
 strongswan_modprobe_syslog.patch | 16 +-
 14 files changed, 609 insertions(+), 336 deletions(-)
 create mode 100644 0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch
 create mode 100644 0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch
 create mode 100644 0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch
 create mode 100644 0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
 rename strongswan-rpmlintrc => strongswan-5.6.0-rpmlintrc (100%)
 create mode 100644 strongswan-5.6.0.tar.bz2
 create mode 100644 strongswan-5.6.0.tar.bz2.sig
 delete mode 100644 strongswan-5.8.2.tar.bz2
 delete mode 100644 strongswan-5.8.2.tar.bz2.sig
diff --git a/0006-fix-compilation-error-by-adding-stdint.h.patch b/0006-fix-compilation-error-by-adding-stdint.h.patch
index 7e9a923..3f33240 100644
--- a/0006-fix-compilation-error-by-adding-stdint.h.patch
+++ b/0006-fix-compilation-error-by-adding-stdint.h.patch
@@ -15,10 +15,10 @@ utils/utils/memory.h:99:15: error: ‘uintptr_t’ undeclared (first use in this src/libstrongswan/utils/utils/memory.h | 2 ++ 1 file changed, 2 insertions(+) -Index: strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h -=================================================================== ---- strongswan-5.6.2.orig/src/libstrongswan/utils/utils/memory.h 2017-08-14 08:48:41.000000000 +0200 -+++ strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h 2018-04-17 16:53:57.590335103 +0200 +diff --git a/src/libstrongswan/utils/utils/memory.h b/src/libstrongswan/utils/utils/memory.h +index b978e7c..55aaaf5 100644 +--- a/src/libstrongswan/utils/utils/memory.h ++++ b/src/libstrongswan/utils/utils/memory.h @@ -22,6 +22,8 @@ #ifndef MEMORY_H_ #define MEMORY_H_ @@ -28,3 +28,6 @@ Index: strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h /** * Helper function that compares two binary blobs for equality */ +-- +2.14.1 + diff --git a/0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch b/0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch new file mode 100644 index 0000000..af9bd48 --- /dev/null +++ b/0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch 
@@ -0,0 +1,323 @@ +From ade8c9c4b73ec43cf43b9c4cd9af6aac5e6f7f9d Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Tue, 28 Aug 2018 11:26:24 +0200 +Subject: [PATCH] gmp: Don't parse PKCS1 v1.5 RSA signatures to verify them + +Instead we generate the expected signature encoding and compare it to the +decrypted value. + +Due to the lenient nature of the previous parsing code (minimum padding +length was not enforced, the algorithmIdentifier/OID parser accepts arbitrary +data after OIDs and in the parameters field etc.) it was susceptible to +Daniel Bleichenbacher's low-exponent attack (from 2006!), which allowed +forging signatures for keys that use low public exponents (i.e. e=3). + +Since the public exponent is usually set to 0x10001 (65537) since quite a +while, the flaws in the previous code should not have had that much of a +practical impact in recent years. + +Fixes: CVE-2018-16151, CVE-2018-16152 +--- + .../plugins/gmp/gmp_rsa_private_key.c | 66 +++++---- + src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 158 ++------------------- + 2 files changed, 53 insertions(+), 171 deletions(-) + +diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c +index 21b420866e2f..025f61a9fa21 100644 +--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c ++++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c +@@ -262,14 +262,15 @@ static chunk_t rsasp1(private_gmp_rsa_private_key_t *this, chunk_t data) + } + + /** +- * Build a signature using the PKCS#1 EMSA scheme ++ * Hashes the data and builds the plaintext signature value with EMSA ++ * PKCS#1 v1.5 padding. ++ * ++ * Allocates the signature data. 
+ */ +-static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this, +- hash_algorithm_t hash_algorithm, +- chunk_t data, chunk_t *signature) ++bool gmp_emsa_pkcs1_signature_data(hash_algorithm_t hash_algorithm, ++ chunk_t data, size_t keylen, chunk_t *em) + { + chunk_t digestInfo = chunk_empty; +- chunk_t em; + + if (hash_algorithm != HASH_UNKNOWN) + { +@@ -293,43 +294,56 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this, + /* build DER-encoded digestInfo */ + digestInfo = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_algorithmIdentifier(hash_oid), +- asn1_simple_object(ASN1_OCTET_STRING, hash) +- ); +- chunk_free(&hash); ++ asn1_wrap(ASN1_OCTET_STRING, "m", hash)); ++ + data = digestInfo; + } + +- if (data.len > this->k - 3) ++ if (data.len > keylen - 11) + { +- free(digestInfo.ptr); +- DBG1(DBG_LIB, "unable to sign %d bytes using a %dbit key", data.len, +- mpz_sizeinbase(this->n, 2)); ++ chunk_free(&digestInfo); ++ DBG1(DBG_LIB, "signature value of %zu bytes is too long for key of " ++ "%zu bytes", data.len, keylen); + return FALSE; + } + +- /* build chunk to rsa-decrypt: +- * EM = 0x00 || 0x01 || PS || 0x00 || T. +- * PS = 0xFF padding, with length to fill em ++ /* EM = 0x00 || 0x01 || PS || 0x00 || T. 
++ * PS = 0xFF padding, with length to fill em (at least 8 bytes) + * T = encoded_hash + */ +- em.len = this->k; +- em.ptr = malloc(em.len); ++ *em = chunk_alloc(keylen); + + /* fill em with padding */ +- memset(em.ptr, 0xFF, em.len); ++ memset(em->ptr, 0xFF, em->len); + /* set magic bytes */ +- *(em.ptr) = 0x00; +- *(em.ptr+1) = 0x01; +- *(em.ptr + em.len - data.len - 1) = 0x00; +- /* set DER-encoded hash */ +- memcpy(em.ptr + em.len - data.len, data.ptr, data.len); ++ *(em->ptr) = 0x00; ++ *(em->ptr+1) = 0x01; ++ *(em->ptr + em->len - data.len - 1) = 0x00; ++ /* set encoded hash */ ++ memcpy(em->ptr + em->len - data.len, data.ptr, data.len); ++ ++ chunk_clear(&digestInfo); ++ return TRUE; ++} ++ ++/** ++ * Build a signature using the PKCS#1 EMSA scheme ++ */ ++static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this, ++ hash_algorithm_t hash_algorithm, ++ chunk_t data, chunk_t *signature) ++{ ++ chunk_t em; ++ ++ if (!gmp_emsa_pkcs1_signature_data(hash_algorithm, data, this->k, &em)) ++ { ++ return FALSE; ++ } + + /* build signature */ + *signature = rsasp1(this, em); + +- free(digestInfo.ptr); +- free(em.ptr); +- ++ chunk_free(&em); + return TRUE; + } + +diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +index 065c88903344..f27b24c6f319 100644 +--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c ++++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +@@ -68,7 +68,9 @@ struct private_gmp_rsa_public_key_t { + /** + * Shared functions defined in gmp_rsa_private_key.c + */ +-extern chunk_t gmp_mpz_to_chunk(const mpz_t value); ++chunk_t gmp_mpz_to_chunk(const mpz_t value); ++bool gmp_emsa_pkcs1_signature_data(hash_algorithm_t hash_algorithm, ++ chunk_t data, size_t keylen, chunk_t *em); + + /** + * RSAEP algorithm specified in PKCS#1. 
+@@ -113,26 +115,13 @@ static chunk_t rsavp1(private_gmp_rsa_public_key_t *this, chunk_t data) + } + + /** +- * ASN.1 definition of digestInfo +- */ +-static const asn1Object_t digestInfoObjects[] = { +- { 0, "digestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */ +- { 1, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 1 */ +- { 1, "digest", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */ +- { 0, "exit", ASN1_EOC, ASN1_EXIT } +-}; +-#define DIGEST_INFO 0 +-#define DIGEST_INFO_ALGORITHM 1 +-#define DIGEST_INFO_DIGEST 2 +- +-/** +- * Verification of an EMPSA PKCS1 signature described in PKCS#1 ++ * Verification of an EMSA PKCS1 signature described in PKCS#1 + */ + static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this, + hash_algorithm_t algorithm, + chunk_t data, chunk_t signature) + { +- chunk_t em_ori, em; ++ chunk_t em_expected, em; + bool success = FALSE; + + /* remove any preceding 0-bytes from signature */ +@@ -146,140 +135,19 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this, + return FALSE; + } + +- /* unpack signature */ +- em_ori = em = rsavp1(this, signature); +- +- /* result should look like this: +- * EM = 0x00 || 0x01 || PS || 0x00 || T. 
+- * PS = 0xFF padding, with length to fill em +- * T = oid || hash +- */ +- +- /* check magic bytes */ +- if (em.len < 2 || *(em.ptr) != 0x00 || *(em.ptr+1) != 0x01) +- { +- goto end; +- } +- em = chunk_skip(em, 2); +- +- /* find magic 0x00 */ +- while (em.len > 0) +- { +- if (*em.ptr == 0x00) +- { +- /* found magic byte, stop */ +- em = chunk_skip(em, 1); +- break; +- } +- else if (*em.ptr != 0xFF) +- { +- /* bad padding, decryption failed ?!*/ +- goto end; +- } +- em = chunk_skip(em, 1); +- } +- +- if (em.len == 0) ++ /* generate expected signature value */ ++ if (!gmp_emsa_pkcs1_signature_data(algorithm, data, this->k, &em_expected)) + { +- /* no digestInfo found */ +- goto end; +- } +- +- if (algorithm == HASH_UNKNOWN) +- { /* IKEv1 signatures without digestInfo */ +- if (em.len != data.len) +- { +- DBG1(DBG_LIB, "hash size in signature is %u bytes instead of" +- " %u bytes", em.len, data.len); +- goto end; +- } +- success = memeq_const(em.ptr, data.ptr, data.len); ++ return FALSE; + } +- else +- { /* IKEv2 and X.509 certificate signatures */ +- asn1_parser_t *parser; +- chunk_t object; +- int objectID; +- hash_algorithm_t hash_algorithm = HASH_UNKNOWN; + +- DBG2(DBG_LIB, "signature verification:"); +- parser = asn1_parser_create(digestInfoObjects, em); +- +- while (parser->iterate(parser, &objectID, &object)) +- { +- switch (objectID) +- { +- case DIGEST_INFO: +- { +- if (em.len > object.len) +- { +- DBG1(DBG_LIB, "digestInfo field in signature is" +- " followed by %u surplus bytes", +- em.len - object.len); +- goto end_parser; +- } +- break; +- } +- case DIGEST_INFO_ALGORITHM: +- { +- int hash_oid = asn1_parse_algorithmIdentifier(object, +- parser->get_level(parser)+1, NULL); +- +- hash_algorithm = hasher_algorithm_from_oid(hash_oid); +- if (hash_algorithm == HASH_UNKNOWN || hash_algorithm != algorithm) +- { +- DBG1(DBG_LIB, "expected hash algorithm %N, but found" +- " %N (OID: %#B)", hash_algorithm_names, algorithm, +- hash_algorithm_names, hash_algorithm, 
&object); +- goto end_parser; +- } +- break; +- } +- case DIGEST_INFO_DIGEST: +- { +- chunk_t hash; +- hasher_t *hasher; +- +- hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm); +- if (hasher == NULL) +- { +- DBG1(DBG_LIB, "hash algorithm %N not supported", +- hash_algorithm_names, hash_algorithm); +- goto end_parser; +- } +- +- if (object.len != hasher->get_hash_size(hasher)) +- { +- DBG1(DBG_LIB, "hash size in signature is %u bytes" +- " instead of %u bytes", object.len, +- hasher->get_hash_size(hasher)); +- hasher->destroy(hasher); +- goto end_parser; +- } +- +- /* build our own hash and compare */ +- if (!hasher->allocate_hash(hasher, data, &hash)) +- { +- hasher->destroy(hasher); +- goto end_parser; +- } +- hasher->destroy(hasher); +- success = memeq_const(object.ptr, hash.ptr, hash.len); +- free(hash.ptr); +- break; +- } +- default: +- break; +- } +- } ++ /* unpack signature */ ++ em = rsavp1(this, signature); + +-end_parser: +- success &= parser->success(parser); +- parser->destroy(parser); +- } ++ success = chunk_equals_const(em_expected, em); + +-end: +- free(em_ori.ptr); ++ chunk_free(&em_expected); ++ chunk_free(&em); + return success; + } + +-- +2.7.4 + diff --git a/0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch b/0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch new file mode 100644 index 0000000..aad6a1b --- /dev/null +++ b/0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch 
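Review bot: The newly exported `gmp_emsa_pkcs1_signature_data()` is declared by a hand-written prototype in gmp_rsa_public_key.c instead of a shared header, so its contract is documented nowhere a caller can find it; the definition should carry a Doxygen block stating that `HASH_UNKNOWN` means `data` is used as the already-encoded value, that `keylen` is the key length in bytes (as the DBG1 message puts it), that `*em` is allocated with `chunk_alloc(keylen)` and owned by the caller, and that FALSE is returned only when the value does not fit. The `data.len > keylen - 11` comparison in that function underflows for `keylen < 11`; this is closed by the separate 0010 patch in the same submission, which patches the line 0007 introduces, so Patch7 must be applied before Patch10 (the %prep section is outside this chunk). In `verify_emsa_pkcs1_signature()` a mismatch now returns FALSE without any log line, where the removed parser reported the reason; adding `DBG1(DBG_LIB, "PKCS#1 v1.5 signature verification failed");` before the cleanup when `success` is FALSE keeps failures diagnosable. Both functions have lines that fall between the two hunks of their respective files, so neither is shown in full here.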
@@ -0,0 +1,28 @@
+From 0acd1ab4d08d53d80393b1a37b8781f6e7b2b996 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner
+Date: Tue, 13 Mar 2018 18:54:08 +0100
+Subject: [PATCH] stroke: Ensure a minimum message length
+
+---
+ src/libcharon/plugins/stroke/stroke_socket.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
+index c568440b7ae2..1e7f210e940a 100644
+--- a/src/libcharon/plugins/stroke/stroke_socket.c
++++ b/src/libcharon/plugins/stroke/stroke_socket.c
+@@ -627,6 +627,11 @@ static bool on_accept(private_stroke_socket_t *this, stream_t *stream)
+ }
+ return FALSE;
+ }
++ if (len < offsetof(stroke_msg_t, buffer))
++ {
++ DBG1(DBG_CFG, "invalid stroke message length %d", len);
++ return FALSE;
++ }
+
+ /* read message (we need an additional byte to terminate the buffer) */
+ msg = malloc(len + 1);
+--
+2.7.4
+
diff --git a/0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch b/0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch
new file mode 100644
index 0000000..e5b6da1
--- /dev/null
+++ b/0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch
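Review bot: The added guard bounds `len` only from below, while `msg = malloc(len + 1)` on the following line still sizes the allocation directly from the value read off the socket; the declaration of `len` and the read that fills it are above the hunk. If `len` is a 16-bit field the allocation is implicitly capped, but if it is wider an upper-bound check against the maximum stroke message size belongs next to this one, and the `%d` conversion in the DBG1 call should be checked against `len`'s actual type. `on_accept()` continues on both sides of the hunk.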
@@ -0,0 +1,39 @@
+From b450318c15496f89e7c93392c9b5d2c6045c7de9 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner
+Date: Mon, 19 Mar 2018 17:03:05 +0100
+Subject: [PATCH] ikev2: Initialize variable in case set_key() or
+ allocate_bytes() fails
+
+In case the PRF's set_key() or allocate_bytes() method failed, skeyseed
+was not initialized and the chunk_clear() call later caused a crash.
+
+This could have happened with OpenSSL in FIPS mode when MD5 was
+negotiated (and test vectors were not checked, in which case the PRF
+couldn't be instantiated as the test vectors would have failed).
+MD5 is not included in the default proposal anymore since 5.6.1, so
+with recent versions this could only happen with configs that are not
+valid in FIPS mode anyway.
+
+Fixes: CVE-2018-10811
+---
+ src/libcharon/sa/ikev2/keymat_v2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
+index 0c41c68d0118..8b20d1ce986f 100644
+--- a/src/libcharon/sa/ikev2/keymat_v2.c
++++ b/src/libcharon/sa/ikev2/keymat_v2.c
+@@ -303,8 +303,8 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
+ chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
+ pseudo_random_function_t rekey_function, chunk_t rekey_skd)
+ {
+- chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
+- chunk_t spi_i, spi_r;
++ chunk_t skeyseed = chunk_empty, key, secret, full_nonce, fixed_nonce;
++ chunk_t prf_plus_seed, spi_i, spi_r;
+ prf_plus_t *prf_plus = NULL;
+ uint16_t alg, key_size, int_alg;
+ prf_t *rekey_prf = NULL;
+--
+2.7.4
+
diff --git a/0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch b/0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
new file mode 100644
index 0000000..26f17f6
--- /dev/null
+++ b/0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
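Review bot: Only `skeyseed` receives a `chunk_empty` initializer; `key`, `secret`, `full_nonce`, `fixed_nonce` and `prf_plus_seed` in the same two declaration lines stay uninitialized, and whether any of them is also released on the early-failure path the commit message describes cannot be confirmed from this hunk. Initializing every chunk_t there costs nothing and removes the whole class of "chunk_clear() on garbage" crashes: `chunk_t skeyseed = chunk_empty, key = chunk_empty, secret = chunk_empty;` and `chunk_t full_nonce = chunk_empty, fixed_nonce = chunk_empty, prf_plus_seed = chunk_empty, spi_i, spi_r;`. `derive_ike_keys()` continues well beyond the hunk, so the actual cleanup labels are not visible here.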
@@ -0,0 +1,38 @@
+From 129ab919a8c3abfc17bea776f0774e0ccf33ca09 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner
+Date: Tue, 25 Sep 2018 14:50:08 +0200
+Subject: [PATCH] gmp: Fix buffer overflow with very small RSA keys
+
+Because `keylen` is unsigned the subtraction results in an integer
+underflow if the key length is < 11 bytes.
+
+This is only a problem when verifying signatures with a public key (for
+private keys the plugin enforces a minimum modulus length) and to do so
+we usually only use trusted keys. However, the x509 plugin actually
+calls issued_by() on a parsed certificate to check if it is self-signed,
+which is the reason this issue was found by OSS-Fuzz in the first place.
+So, unfortunately, this can be triggered by sending an invalid client
+cert to a peer.
+
+Fixes: 5955db5b124a ("gmp: Don't parse PKCS1 v1.5 RSA signatures to verify them")
+Fixes: CVE-2018-17540
+---
+ src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+index e9a83fdf49a1..a255a40abce2 100644
+--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
++++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+@@ -301,7 +301,7 @@ bool gmp_emsa_pkcs1_signature_data(hash_algorithm_t hash_algorithm,
+ data = digestInfo;
+ }
+
+- if (data.len > keylen - 11)
++ if (keylen < 11 || data.len > keylen - 11)
+ {
+ chunk_free(&digestInfo);
+ DBG1(DBG_LIB, "signature value of %zu bytes is too long for key of "
+--
+2.7.4
+
diff --git a/strongswan-rpmlintrc b/strongswan-5.6.0-rpmlintrc
similarity index 100%
rename from strongswan-rpmlintrc
rename to strongswan-5.6.0-rpmlintrc
diff --git a/strongswan-5.6.0.tar.bz2 b/strongswan-5.6.0.tar.bz2
new file mode 100644
index 0000000..45047e3
--- /dev/null
+++ b/strongswan-5.6.0.tar.bz2
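Review bot: The literal 11 now appears twice on the guarded line, and what it stands for (the 0x00 0x01 framing, at least 8 bytes of 0xFF padding and the 0x00 separator, per the EM comment in the 0007 patch) is not stated next to the check; a named constant with that derivation, for example `#define EMSA_PKCS1_MIN_OVERHEAD 11 /* 0x00 || 0x01 || 8 x 0xFF || 0x00 */` used as `if (keylen < EMSA_PKCS1_MIN_OVERHEAD || data.len > keylen - EMSA_PKCS1_MIN_OVERHEAD)`, keeps the two occurrences in sync and makes the underflow guard self-explanatory. This hunk's context line is the `gmp_emsa_pkcs1_signature_data()` signature that the 0007 patch introduces, so it only applies after 0007. The function extends outside the hunk on both sides.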
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a14dc0d92634ed52730bfc76a76db30943a28ed3c65a560066e1e9f785827b13
+size 4850722
diff --git a/strongswan-5.6.0.tar.bz2.sig b/strongswan-5.6.0.tar.bz2.sig
new file mode 100644
index 0000000..c9ad79b
--- /dev/null
+++ b/strongswan-5.6.0.tar.bz2.sig
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQGcBAABAgAGBQJZkUjtAAoJEN9CwXCzTbp3m08L/3A4QqZMMuBMuliao4kwO4tG
+kyHD+nWMrFIK2dwu9zAMY5noiVUNcXExPgF7UTbW77Tr2s8RtkrnIUCTEJ+qYk7F
+CNX2BmdYbB9MAofkaou/xAXKgfxXVxw41DY7sK59e+VZayJ+LN9Suq413ymdF6Da
+kclM5ZoEM9X7feY+n1U2/DG199pF5sFN4dEt+kgSD4NJuZHsn+jfLVYzciHBIyk5
+d1tnUAVjVUIVfGrQ6SG2SoASIla4Qv27YszdRtzIRYVjzj+bt4gX2ORkpChLGg6M
+an50EM6yDBdDDyF+muNKl8OaE6YaAmIBKuftn/Rlx8kILzUTtiKk+6au699XaW/H
+dMdHgb8AsyTi/nudz/nYfHUyYIbalOLwttG8qh3U+qCZ9ZbXy6wi9HB8FBPUNRru
+UBd1Y+kh7FMicZprlr5xGxJ78vi7avV9HOjxIZldfoAaP/AO9l4fXYs2AVzZRalJ
+eCwB7EHznJ/KVoKZ9MpXp6ne3iPGLYsoo92B8OXY3g==
+=ZRFr
+-----END PGP SIGNATURE-----
diff --git a/strongswan-5.8.2.tar.bz2 b/strongswan-5.8.2.tar.bz2
deleted file mode 100644
index 42edc4e..0000000
--- a/strongswan-5.8.2.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:86900ddbe7337c923dadf2c8339ae8ed2b9158e3691745884d08ae534677430e
-size 4533402
diff --git a/strongswan-5.8.2.tar.bz2.sig b/strongswan-5.8.2.tar.bz2.sig
deleted file mode 100644
index f025402..0000000
--- a/strongswan-5.8.2.tar.bz2.sig
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQGcBAABAgAGBQJd+MscAAoJEN9CwXCzTbp3f6ML/0y5DGj7CytdIWcT7ODbZ5Dt
-S8MS2BHxUJ4cgzB8InCK4wNQFpyzRhR2goPly1B8RVNSVSfdyvqfSC/A++esZe3m
-wwjsjzjWYVaNnkj1lrl/8azOiDkD/uA/NaaUcASp6hoJIJQALYW5HfPjL/S/hC+v
-iVio5Fy9c/9HGJEeeZxqRMp/gTNjvh05hbP9ukLADk6klphwaNFg5o0YNgf1NJFE
-CBo/rGJNVfvEUUlJMLiBlFCBaPMOIjoIXODpjootRioDpnF6IonfcoIGiR6TuRQC
-zR3u3Zhgpe4tJfkKCpCCSPGwMCcwreMAUwzRf/U/HDUSPZX+c4sBOIl8eedwVA77
-DjNlktwmPta8x4YOh6NB3ghAwwztEkPvvaAIcwH0gh1DkjIicFr2VkoXIS5jqaVN
-bK2YvTQ7StZa35VaEYnlu5JzIchPlqhXND6sWLWJolnwrNWskZyojVYioyIv3KJJ
-tXphbN0HHCfLPs5vX8/X97IAa06tsnEOZEZg5Sk3Jw==
-=VHUc
------END PGP SIGNATURE-----
diff --git a/strongswan.changes b/strongswan.changes
index 476e2b0..a34f85c 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,203 +1,34 @@ ------------------------------------------------------------------- -Sun Jan 26 08:54:01 UTC 2020 - Jan Engelhardt +Thu Nov 14 12:56:01 UTC 2019 - Madhu Mohan Nelemane -- Replace %__-type macro indirections. Update homepage URL to https. +- Added patch to fix vulnerability: CVE-2018-17540 (bsc#1109845) + [+ 0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch] ------------------------------------------------------------------- -Mon Jan 6 22:06:58 UTC 2020 - Bjørn Lie +Wed Nov 13 16:43:52 UTC 2019 - Madhu Mohan Nelemane -- Update to version 5.8.2: - * The systemd service units have changed their name. - "strongswan" is now "strongswan-starter", and - "strongswan-swanctl" is now "strongswan". - After installation, you need to `systemctl disable` the old - name and `systemctl enable`+start the new one. - * Fix CVE-2018-17540, CVE-2018-16151 and CVE-2018-16152. - * boo#1109845 and boo#1107874. -- Please check included NEWS file for info on what other changes - that have been done in versions 5.8.2, 5.8.1 5.8.0, 5.7.2, 5.7.1 - and 5.7.0. -- Rebase strongswan_ipsec_service.patch. -- Disable patches that need rebase or dropping: - * strongswan_modprobe_syslog.patch - * 0006-fix-compilation-error-by-adding-stdint.h.patch -- Add conditional pkgconfig(libsystemd) BuildRequires: New - dependency. +- Added patch to fix vulnerability: CVE-2018-10811 (bsc#1093536) + - denial-of-service vulnerability + [+ 0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch] ------------------------------------------------------------------- -Wed Jun 6 22:14:57 UTC 2018 - bjorn.lie@gmail.com +Wed Nov 13 15:41:29 UTC 2019 - Madhu Mohan Nelemane -- Update to version 5.6.3 (CVE-2018-10811, boo#1093536, - CVE-2018-5388, boo#1094462): - * Fixed a DoS vulnerability in the IKEv2 key derivation if the - openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated - as PRF. This vulnerability has been registered as - CVE-2018-10811, boo#1093536. 
- * Fixed a vulnerability in the stroke plugin, which did not check - the received length before reading a message from the socket. - Unless a group is configured, root privileges are required to - access that socket, so in the default configuration this - shouldn't be an issue. This vulnerability has been registered - as CVE-2018-5388, boo#1094462. - * CRLs that are not yet valid are now ignored to avoid problems - in scenarios where expired certificates are removed from new - CRLs and the clock on the host doing the revocation check is - trailing behind that of the host issuing CRLs. Not doing this - could result in accepting a revoked and expired certificate, if - it's still valid according to the trailing clock but not - contained anymore in not yet valid CRLs. - * The issuer of fetched CRLs is now compared to the issuer of the - checked certificate (#2608). - * CRL validation results other than revocation (e.g. a skipped - check because the CRL couldn't be fetched) are now stored also - for intermediate CA certificates and not only for end-entity - certificates, so a strict CRL policy can be enforced in such - cases. - * In compliance with RFC 4945, section 5.1.3.2, certificates used - for IKE must now either not contain a keyUsage extension (like - the ones generated by pki), or have at least one of the - digitalSignature or nonRepudiation bits set. - * New options for vici/swanctl allow forcing the local - termination of an IKE_SA. This might be useful in situations - where it's known the other end is not reachable anymore, or - that it already removed the IKE_SA, so retransmitting a DELETE - and waiting for a response would be pointless. - * Waiting only a certain amount of time for a response (i.e. - shorter than all retransmits would be) before destroying the - IKE_SA is also possible by additionally specifying a timeout in - the forced termination request. 
- * When removing routes, the kernel-netlink plugin now checks if - it tracks other routes for the same destination and replaces - the installed route instead of just removing it. Same during - installation, where existing routes previously weren't - replaced. This should allow using traps with virtual IPs on - Linux (#2162). - * The dhcp plugin now only sends the client identifier DHCP - option if the identity_lease setting is enabled (7b660944b6). - It can also send identities of up to 255 bytes length, instead - of the previous 64 bytes (30e886fe3b, 0e5b94d038). If a server - address is configured, DHCP requests are now sent from port 67 - instead of 68 to avoid ICMP port unreachables (becf027cd9). - * The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one - containing a DH group that wasn't proposed) during - CREATE_CHILD_SA exchanges has been improved (#2536). - * Roam events are now completely ignored for IKEv1 SAs (there is - no MOBIKE to handle such changes properly). - * ChaCha20/Poly1305 is now correctly proposed without key length - (#2614). For compatibility with older releases the - chacha20poly1305compat keyword may be included in proposals to - also propose the algorithm with a key length (c58434aeff). - * Configuration of hardware offload of IPsec SAs is now more - flexible and allows a new setting (auto), which automatically - uses it if the kernel and device both support it. If hw_offload - is set to yes and offloading is not supported, the CHILD_SA - installation now fails. - * The kernel-pfkey plugin optionally installs routes via internal - interface (one with an IP in the local traffic selector). On - FreeBSD, enabling this selects the correct source IP when - sending packets from the gateway itself (e811659323). - * SHA-2 based PRFs are supported in PKCS#8 files as generated by - OpenSSL 1.1 (#2574). - * The pki --verify tool may load CA certificates and CRLs from - directories. 
- * The IKE daemon now also switches to port 4500 if the remote - port is not 500 (e.g. because the remote maps the response to a - different port, as might happen on Azure), as long as the local - port is 500 (85bfab621d). - * Fixed an issue with DNS servers passed to NetworkManager in - charon-nm (ee8c25516a). - * Logged traffic selectors now always contain the protocol if - either protocol or port are set (a36d8097ed). - * Only the inbound SA/policy will be updated as reaction to IP - address changes for rekeyed CHILD_SAs that are kept around. - * The parser for strongswan.conf/swanctl.conf now accepts = - characters in values without having to put the value in quotes - (e.g. for Base64 encoded shared secrets). -- Rename strongswan-5.6.2-rpmlintrc to strongswan-rpmlintrc, - changing the version string on every version update makes no - sense. + - Added patch to fix vulnerability: CVE-2018-5388 (bsc#1094462) + - Buffer Underflow in stroke_socket.c + [+ 0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch] ------------------------------------------------------------------- -Tue Apr 17 13:24:38 UTC 2018 - bjorn.lie@gmail.com +Wed Nov 13 13:51:38 UTC 2019 - Madhu Mohan Nelemane -- Update to version 5.6.2: - * Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS - signatures that was caused by insufficient input validation. - One of the configurable parameters in algorithm identifier - structures for RSASSA-PSS signatures is the mask generation - function (MGF). Only MGF1 is currently specified for this - purpose. However, this in turn takes itself a parameter that - specifies the underlying hash function. strongSwan's parser did - not correctly handle the case of this parameter being absent, - causing an undefined data read. This vulnerability has been - registered as CVE-2018-6459. 
- * When rekeying IKEv2 IKE_SAs the previously negotiated DH group - will be reused, instead of using the first configured group, - which avoids an additional exchange if the peer previously - selected a different DH group via INVALID_KE_PAYLOAD notify. - The same is also done when rekeying CHILD_SAs except for the - first rekeying of the CHILD_SA that was created with the - IKE_SA, where no DH group was negotiated yet. Also, the - selected DH group is moved to the front in all sent proposals - that contain it and all proposals that don't are moved to the - back in order to convey the preference for this group to the - peer. - * Handling of MOBIKE task queuing has been improved. In - particular, the response to an address update (with NAT-D - payloads) is not ignored anymore if only an address list update - or DPD is queued as that could prevent updating the UDP - encapsulation in the kernel. - * On Linux, roam events may optionally be triggered by changes to - the routing rules, which can be useful if routing rules - (instead of e.g. route metrics) are used to switch from one to - another interface (i.e. from one to another routing table). - Since routing rules are currently not evaluated when doing - route lookups this is only useful if the kernel-based route - lookup is used (4664992f7d). - * The fallback drop policies installed to avoid traffic leaks - when replacing addresses in installed policies are now replaced - by temporary drop policies, which also prevent acquires because - we currently delete and reinstall IPsec SAs to update their - addresses (35ef1b032d). - * Access X.509 certificates held in non-volatile storage of a TPM - 2.0 referenced via the NV index. - * Adding the --keyid parameter to pki --print allows to print - private keys or certificates stored in a smartcard or a TPM - 2.0. 
- * Fixed proposal selection if a peer incorrectly sends DH groups - in the ESP proposal during IKE_AUTH and also if a DH group is - configured in the local ESP proposal and - charon.prefer_configured_proposals is disabled (d058fd3c32). - * The lookup for PSK secrets for IKEv1 has been improved for - certain scenarios (see #2497 for details). - * MSKs received via RADIUS are now padded to 64 bytes to avoid - compatibility issues with EAP-MSCHAPv2 and PRFs that have a - block size < 64 bytes (e.g. AES-XCBC-PRF-128, see 73cbce6013). - * The tpm_extendpcr command line tool extends a digest into a TPM - PCR. - * Ported the NetworkManager backend from the deprecated - libnm-glib to libnm. - * The save-keys debugging/development plugin saves IKE and/or ESP - keys to files compatible with Wireshark. -- Following upstreams port, replace NetworkManager-devel with - pkgconfig(libnm) BuildRequires. -- Refresh patches with quilt. -- Disable strongswan_fipsfilter.patch, needs rebase or dropping, - the file it patches no longer exists in tarball. +- Added patch to fix vulnerability: CVE-2018-16151,CVE-2018-16152 (bsc#1107874) + - Insufficient input validation in gmp plugin + [+ 0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch] ------------------------------------------------------------------- -Fri Mar 16 08:55:10 UTC 2018 - mmnelemane@suse.com +Wed Mar 14 15:43:42 UTC 2018 - mmnelemane@suse.com -- Removed unused requires and macro calls(bsc#1083261) - -------------------------------------------------------------------- -Tue Oct 17 11:27:54 UTC 2017 - jengelh@inai.de - -- Update summaries and descriptions. Trim filler words and - author list. -- Drop %if..%endif guards that are idempotent and do not affect - the build result. -- Replace old $RPM_ shell variables. +- Removed unused requires and macro calls(bsc#1083261) ------------------------------------------------------------------- Tue Sep 5 17:10:11 CEST 2017 - ndas@suse.de 
diff --git a/strongswan.spec b/strongswan.spec index d4a0ca6..3745bc6 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,7 +1,7 @@ # # spec file for package strongswan # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,12 +12,12 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: strongswan -Version: 5.8.2 +Version: 5.6.0 Release: 0 %define upstream_version %{version} %define strongswan_docdir %{_docdir}/%{name} 
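Review bot: `Version:` goes from 5.8.2 down to 5.6.0 with `Release: 0` unchanged; rpm orders 5.6.0 below 5.8.2, so any host that already installed the 5.8.2 build will not see this package as an update and keeps the newer code. The changelog entry removed in this same commit states that 5.8.2 already fixes CVE-2018-17540, CVE-2018-16151 and CVE-2018-16152, so the downgrade itself, not the backported patches, is the part that needs justification. If replacing the published 5.8.2 build is intended, an `Epoch:` tag or a separate project target is required; if not, the copypac should be reverted rather than built.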
@@ -61,31 +61,33 @@ Release: 0 %else %bcond_with systemd %endif -Summary: IPsec-based VPN solution -License: GPL-2.0-or-later +Summary: OpenSource IPsec-based VPN Solution +License: GPL-2.0+ Group: Productivity/Networking/Security -URL: https://www.strongswan.org/ +Url: http://www.strongswan.org/ +Requires: strongswan-ipsec = %{version} Source0: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2 Source1: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig Source2: %{name}.init.in -Source3: %{name}-rpmlintrc +Source3: %{name}-%{version}-rpmlintrc Source4: README.SUSE Source5: %{name}.keyring %if %{with fipscheck} Source6: fipscheck.sh.in Source7: fips-enforce.conf %endif -# Needs rebase Patch1: %{name}_modprobe_syslog.patch Patch2: %{name}_ipsec_service.patch %if %{with fipscheck} Patch3: %{name}_fipscheck.patch -# Patch4 needs rebase, file it patches no longer exists in tarball. Patch4: %{name}_fipsfilter.patch %endif Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch -# Needs rebase Patch6: 0006-fix-compilation-error-by-adding-stdint.h.patch +Patch7: 0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch +Patch8: 0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch +Patch9: 0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch +Patch10: 0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison BuildRequires: curl-devel @@ -109,11 +111,10 @@ BuildRequires: sqlite3-devel BuildRequires: libgcrypt-devel %endif %if %{with nm} -BuildRequires: pkgconfig(libnm) +BuildRequires: NetworkManager-devel %endif %if %{with systemd} %{?systemd_requires} -BuildRequires: pkgconfig(libsystemd) %endif BuildRequires: iptables %if %{with systemd} 
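Review bot: Patch7 through Patch10 are declared here, but the %prep section that applies them lies beyond the end of this chunk; confirm that `%patch7 -p1` through `%patch10 -p1` are present and in numeric order, because 0010 modifies the `gmp_emsa_pkcs1_signature_data()` line that 0007 introduces and cannot apply before it. The `# Needs rebase` markers on Patch1, Patch4 and Patch6 are dropped at the same time as the version change; with 5.6.0 sources they presumably apply again, but only a build log shows that, so keep the comment on any patch that still fails to apply cleanly.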
@@ -128,19 +129,19 @@ BuildRequires: automake BuildRequires: fipscheck %endif BuildRequires: libtool -Requires: strongswan-ipsec = %{version} %description -StrongSwan is an IPsec-based VPN solution for Linux. +StrongSwan is an OpenSource IPsec-based VPN Solution for Linux -* Implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols +* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels +* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols * Fully tested support of IPv6 IPsec tunnel and transport connections -* Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555) +* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555) * Automatic insertion and deletion of IPsec-policy-based firewall rules * Strong 128/192/256 bit AES or Camellia encryption, 3DES support -* NAT Traversal via UDP encapsulation and port floating (RFC 3947) +* NAT-Traversal via UDP encapsulation and port floating (RFC 3947) * Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels -* Static virtual IP addresses and IKEv1 ModeConfig pull and push modes +* Static virtual IPs and IKEv1 ModeConfig pull and push modes * XAUTH server and client functionality on top of IKEv1 Main Mode authentication * Virtual IP address pool managed by IKE daemon or SQL database * Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.) 
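Review bot: The re-added description line `* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels` describes kernels the target distribution does not ship, and the rest of the hunk reverts wording fixes (`Dynamic` → `Dynamical`, `Static virtual IP addresses` → `Static virtual IPs`, `NAT Traversal` → `NAT-Traversal`). This reads as an unintended side effect of copying the older spec; keep the previous wording and leave the kernel line out.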
@@ -157,32 +158,46 @@ StrongSwan is an IPsec-based VPN solution for Linux. * Modular plugins for crypto algorithms and relational database interfaces * Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869) * Optional built-in integrity and crypto tests for plugins and libraries -* Linux desktop integration via the strongSwan NetworkManager applet +* Smooth Linux desktop integration via the strongSwan NetworkManager applet This package triggers the installation of both, IKEv1 and IKEv2 daemons. +Authors: +-------- + Andreas Steffen + and others + %package doc -Summary: Documentation for strongSwan -Group: Documentation/Man BuildArch: noarch +Summary: OpenSource IPsec-based VPN Solution +Group: Productivity/Networking/Security %description doc -StrongSwan is an IPsec-based VPN solution for Linux. +StrongSwan is an OpenSource IPsec-based VPN Solution for Linux This package provides the StrongSwan documentation. + + +Authors: +-------- + Andreas Steffen + and others + %package libs0 -Summary: strongSwan core libraries and basic plugins +Summary: OpenSource IPsec-based VPN Solution Group: Productivity/Networking/Security Conflicts: strongswan < %{version} %description libs0 -StrongSwan is an IPsec-based VPN solution for Linux. +StrongSwan is an OpenSource IPsec-based VPN Solution for Linux This package provides the strongswan library and plugins. +%if %{with fipscheck} + %package hmac -Summary: HMAC files for FIPS-140-2 integrity in strongSwan +Summary: HMAC files for FIPS-140-2 integrity Group: Productivity/Networking/Security Requires: fipscheck Requires: strongswan-ipsec = %{version} 
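Review bot: Every subpackage `Summary:` in this hunk, and in the hunks at -195 and -206, is reset to the same text `OpenSource IPsec-based VPN Solution`, so `doc`, `libs0`, `hmac`, `ipsec`, `mysql`, `sqlite`, `nm` and `tests` become indistinguishable in package listings; the removed per-package summaries (`Documentation for strongSwan`, `strongSwan core libraries and basic plugins`, `MySQL plugin for strongSwan`, …) were the better ones and rpmlint is likely to report the duplicates. Keep the new `%if %{with fipscheck}` / `%if %{with mysql}` / `%if %{with sqlite}` / `%if %{with nm}` / `%if %{with tests}` wrapping but restore the specific summaries. The `Authors:` blocks added to the descriptions duplicate the `AUTHORS` file that `%install` copies into `%{strongswan_docdir}` and are normally dropped from current openSUSE specs.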
@@ -195,8 +210,10 @@ _fipscheck helper script preforming the integrity checks before e.g. "ipsec start" action is executed, when FIPS-140-2 compliant operation mode is enabled. +%endif + %package ipsec -Summary: IPsec-based VPN solution +Summary: OpenSource IPsec-based VPN Solution Group: Productivity/Networking/Security Requires: strongswan-libs0 = %{version} Provides: VPN 
@@ -206,83 +223,101 @@ Obsoletes: strongswan < %{version} Conflicts: freeswan openswan %description ipsec -StrongSwan is an IPsec-based VPN solution for Linux. +StrongSwan is an OpenSource IPsec-based VPN Solution for Linux This package provides the /etc/init.d/ipsec service script and allows -to maintain both IKEv1 and IKEv2 using the /etc/ipsec.conf and the +to maintain both, IKEv1 and IKEv2, using the /etc/ipsec.conf and the /etc/ipsec.sectes files. +%if %{with mysql} + %package mysql -Summary: MySQL plugin for strongSwan +Summary: OpenSource IPsec-based VPN Solution Group: Productivity/Networking/Security Requires: strongswan-libs0 = %{version} %description mysql -StrongSwan is an IPsec-based VPN solution for Linux. +StrongSwan is an OpenSource IPsec-based VPN Solution for Linux This package provides the strongswan mysql plugin. +%endif + +%if %{with sqlite} + %package sqlite -Summary: SQLite plugin for strongSwan +Summary: OpenSource IPsec-based VPN Solution Group: Productivity/Networking/Security Requires: strongswan-libs0 = %{version} %description sqlite -StrongSwan is an OpenSource IPsec-based VPN solution for Linux. +StrongSwan is an OpenSource IPsec-based VPN Solution for Linux This package provides the strongswan sqlite plugin. +%endif + +%if %{with nm} + %package nm -Summary: NetworkManager plugin for strongSwan +Summary: OpenSource IPsec-based VPN Solution Group: Productivity/Networking/Security Requires: strongswan-libs0 = %{version} %description nm -StrongSwan is an OpenSource IPsec-based VPN solution for Linux. +StrongSwan is an OpenSource IPsec-based VPN Solution for Linux This package provides the NetworkManager plugin to control the charon IKEv2 daemon through D-Bus, designed to work using the NetworkManager-strongswan graphical user interface. 
+%endif + +%if %{with tests} + %package tests -Summary: Testing plugins for strongSwan + +Summary: OpenSource IPsec-based VPN Solution Group: Productivity/Networking/Security Requires: strongswan-libs0 = %{version} %description tests -StrongSwan is an OpenSource IPsec-based VPN solution for Linux. +StrongSwan is an OpenSource IPsec-based VPN Solution for Linux -This package provides the strongswan crypto test vectors plugin +This package provides the strongswan crypto test-vectors plugin and the load testing plugin for IKEv2 daemon. +%endif + %prep %setup -q -n %{name}-%{upstream_version} -# Needs rebase, file it patches no longer exists. -#patch1 -p1 -%patch2 -p1 +%patch1 -p0 +%patch2 -p0 %if %{with fipscheck} %patch3 -p1 -# Needs rebase, file it patches no longer exists. -#patch4 -p1 +%patch4 -p1 %endif %patch5 -p1 -# Needs rebase. -#patch6 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 sed -e 's|@libexecdir@|%_libexecdir|g' \ - < %{_sourcedir}/strongswan.init.in \ + < $RPM_SOURCE_DIR/strongswan.init.in \ > strongswan.init %if %{with fipscheck} sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \ -e 's|@IPSEC_LIBDIR@|%{_libdir}/ipsec|g' \ -e 's|@IPSEC_SBINDIR@|%{_sbindir}|g' \ -e 's|@IPSEC_BINDIR@|%{_bindir}|g' \ - < %{_sourcedir}/fipscheck.sh.in \ + < $RPM_SOURCE_DIR/fipscheck.sh.in \ > _fipscheck %endif %build -CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter" -export CFLAGS +CFLAGS="$RPM_OPT_FLAGS -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter" +export RPM_OPT_FLAGS CFLAGS autoreconf --force --install %configure \ %if %{with integrity} @@ -293,7 +328,6 @@ autoreconf --force --install --with-resolv-conf=%{_rundir}/%{name}/resolv.conf \ --with-piddir=%{_rundir}/%{name} \ %if %{with systemd} - --enable-systemd \ --with-systemdsystemunitdir=%{_unitdir} \ %endif --enable-pkcs11 \ 
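Review bot: `%patch1 -p0` and `%patch2 -p0` now depend on `strongswan_modprobe_syslog.patch` and `strongswan_ipsec_service.patch` having prefix-free `---`/`+++` paths (which their rebased headers in this commit do), while every other patch in %prep is applied with `-p1`; if either patch is later regenerated with `git format-patch` or `diff -u a/ b/`, %prep fails at these lines. Either normalise both to the `a/`/`b/` form and `-p1`, or add `# patch1/patch2 are plain -p0 diffs, not git-style` above them. `export RPM_OPT_FLAGS CFLAGS` re-exports a variable that is already set in rpm's build environment; the previous `CFLAGS="%{optflags} …"` / `export CFLAGS` was equivalent and shorter.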
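Review bot: Dropping `--enable-systemd` while keeping `--with-systemdsystemunitdir=%{_unitdir}` means charon-systemd is no longer built and the unit installed as `strongswan.service` is presumably the starter-based one; the `%files` hunks at -557 and -619 remove `charon-systemd` and `charon-systemd.conf` accordingly, and `strongswan_ipsec_service.patch` now targets `init/systemd/strongswan.service.in`. A comment on the configure line, `# charon-systemd not built; strongswan.service is the starter-based unit`, would keep those three places in sync the next time the version is bumped. The `%configure` invocation starts before this hunk and continues after it.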
@@ -378,24 +412,25 @@ autoreconf --force --install --enable-soup \ --enable-curl \ --disable-static -make %{?_smp_mflags} +make %{?_smp_mflags:%_smp_mflags} %install -install -d -m755 %{buildroot}/%{_sbindir}/ -install -d -m755 %{buildroot}/%{_sysconfdir}/ipsec.d/ +export RPM_BUILD_ROOT +install -d -m755 ${RPM_BUILD_ROOT}%{_sbindir}/ +install -d -m755 ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.d/ %if %{with systemd} -ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcstrongswan +ln -sf %_sbindir/service ${RPM_BUILD_ROOT}%_sbindir/rcstrongswan %else -install -d -m755 %{buildroot}/%{_sysconfdir}/init.d/ -install -m755 strongswan.init %{buildroot}/%{_sysconfdir}/init.d/ipsec -ln -s %{_sysconfdir}/init.d/ipsec %{buildroot}/%{_sbindir}/rcipsec +install -d -m755 ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ +install -m755 strongswan.init ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ipsec +ln -s %{_sysconfdir}/init.d/ipsec ${RPM_BUILD_ROOT}%{_sbindir}/rcipsec %endif # # Ensure, plugin -> library dependencies can be resolved # (e.g. libtls) to avoid plugin segment checksum errors. # -LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \ -%make_install +LD_LIBRARY_PATH="$RPM_BUILD_ROOT-$$%{strongswan_libdir}" \ +make install DESTDIR="$RPM_BUILD_ROOT" # # checksums are calculated during make install using the # installed binaries/libraries... but find-debuginfo.sh 
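Review bot: The `%install` section is rewritten from `%{buildroot}` to `$RPM_BUILD_ROOT` here and in the hunks at -406 and -432, yet the same section keeps `%{__install} -d -m 0755 %{buildroot}%{_tmpfilesdir}` and `echo … > %{buildroot}%{_tmpfilesdir}/%{name}.conf`, so both spellings are now mixed in one section. Pick one; `%{buildroot}` is what openSUSE's spec-cleaner emits and it needs no `export RPM_BUILD_ROOT`, a variable rpm sets itself. `LD_LIBRARY_PATH="$RPM_BUILD_ROOT-$$%{strongswan_libdir}"` also drops the `/` the old line had between the two parts, which only works if `%{strongswan_libdir}` is defined with a leading slash; its definition is not visible in this hunk.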
@@ -406,23 +441,23 @@ LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \ %if %{with integrity} %{?__debug_package: if test -x %{_rpmconfigdir}/find-debuginfo.sh ; then - cp -a "%{buildroot}" "%{buildroot}-$$" - RPM_BUILD_ROOT="%{buildroot}-$$" \ + cp -a "${RPM_BUILD_ROOT}" "${RPM_BUILD_ROOT}-$$" + RPM_BUILD_ROOT="$RPM_BUILD_ROOT-$$" \ %{_rpmconfigdir}/find-debuginfo.sh \ - %{?_find_debuginfo_opts} "%{buildroot}-$$" + %{?_find_debuginfo_opts} "${RPM_BUILD_ROOT}-$$" make -C src/checksum clean rm -f src/checksum/checksum_builder - LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \ - make -C src/checksum install DESTDIR="%{buildroot}-$$" - mv "%{buildroot}-$$/%{strongswan_libdir}/libchecksum.so" \ - "%{buildroot}/%{strongswan_libdir}/libchecksum.so" - rm -rf "%{buildroot}-$$" + LD_LIBRARY_PATH="$RPM_BUILD_ROOT-$$%{strongswan_libdir}" \ + make -C src/checksum install DESTDIR="$RPM_BUILD_ROOT-$$" + mv "$RPM_BUILD_ROOT-$$%{strongswan_libdir}/libchecksum.so" \ + "$RPM_BUILD_ROOT%{strongswan_libdir}/libchecksum.so" + rm -rf "${RPM_BUILD_ROOT}-$$" fi } %endif # -rm -f %{buildroot}/%{_sysconfdir}/ipsec.secrets -cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets +rm -f ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets +cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets # # ipsec.secrets # 
@@ -432,47 +467,47 @@ cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets EOT # %if ! %{with mysql} -rm -f %{buildroot}/%{strongswan_templates}/database/sql/mysql.sql +rm -f $RPM_BUILD_ROOT%{strongswan_templates}/database/sql/mysql.sql %endif %if ! %{with sqlite} -rm -f %{buildroot}/%{strongswan_templates}/database/sql/sqlite.sql +rm -f $RPM_BUILD_ROOT%{strongswan_templates}/database/sql/sqlite.sql %endif -rm -f %{buildroot}/%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so -rm -f %{buildroot}/%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so -find %{buildroot}/%{strongswan_libdir} -type f -name "*.la" -delete +rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so +rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so +find $RPM_BUILD_ROOT%{strongswan_libdir} -type f -name "*.la" -delete # -install -d -m755 %{buildroot}/%{strongswan_docdir}/ +install -d -m755 ${RPM_BUILD_ROOT}%{strongswan_docdir}/ install -c -m644 TODO NEWS README COPYING LICENSE \ AUTHORS ChangeLog \ - %{buildroot}/%{strongswan_docdir}/ -install -c -m644 %{_sourcedir}/README.SUSE \ - %{buildroot}/%{strongswan_docdir}/ + ${RPM_BUILD_ROOT}%{strongswan_docdir}/ +install -c -m644 ${RPM_SOURCE_DIR}/README.SUSE \ + ${RPM_BUILD_ROOT}%{strongswan_docdir}/ %if %{with systemd} -install -d -m 0755 %{buildroot}%{_tmpfilesdir} +%{__install} -d -m 0755 %{buildroot}%{_tmpfilesdir} echo 'd %{_rundir}/%{name} 0770 root root' > %{buildroot}%{_tmpfilesdir}/%{name}.conf %endif %if %{with fipscheck} # # note: keep the following, _fipscheck's and file lists in sync # -install -c -m750 _fipscheck %{buildroot}/%{_libexecdir}/ipsec/ -install -c -m644 %{_sourcedir}/fips-enforce.conf \ - %{buildroot}/%{strongswan_configs}/charon/zzz_fips-enforce.conf +install -c -m750 _fipscheck ${RPM_BUILD_ROOT}%{_libexecdir}/ipsec/ +install -c -m644 ${RPM_SOURCE_DIR}/fips-enforce.conf \ + ${RPM_BUILD_ROOT}%{strongswan_configs}/charon/zzz_fips-enforce.conf # create fips 
hmac hashes _after_ install post run %{expand:%%global __os_install_post {%__os_install_post - for f in %{buildroot}/%{strongswan_libdir}/lib*.so.*.*.* \ - %{buildroot}/%{strongswan_libdir}/imcvs/*.so \ - %{buildroot}/%{strongswan_plugins}/*.so \ - %{buildroot}/%{_libexecdir}/ipsec/charon \ - %{buildroot}/%{_libexecdir}/ipsec/charon-nm \ - %{buildroot}/%{_libexecdir}/ipsec/stroke \ - %{buildroot}/%{_libexecdir}/ipsec/starter \ - %{buildroot}/%{_libexecdir}/ipsec/pool \ - %{buildroot}/%{_libexecdir}/ipsec/scepclient \ - %{buildroot}/%{_libexecdir}/ipsec/imv_policy_manager \ - %{buildroot}/%{_libexecdir}/ipsec/_fipscheck \ - %{buildroot}/%{_bindir}/pt-tls-client \ - %{buildroot}/%{_sbindir}/ipsec \ + for f in $RPM_BUILD_ROOT%{strongswan_libdir}/lib*.so.*.*.* \ + $RPM_BUILD_ROOT%{strongswan_libdir}/imcvs/*.so \ + $RPM_BUILD_ROOT%{strongswan_plugins}/*.so \ + $RPM_BUILD_ROOT%{_libexecdir}/ipsec/charon \ + $RPM_BUILD_ROOT%{_libexecdir}/ipsec/charon-nm \ + $RPM_BUILD_ROOT%{_libexecdir}/ipsec/stroke \ + $RPM_BUILD_ROOT%{_libexecdir}/ipsec/starter \ + $RPM_BUILD_ROOT%{_libexecdir}/ipsec/pool \ + $RPM_BUILD_ROOT%{_libexecdir}/ipsec/scepclient \ + $RPM_BUILD_ROOT%{_libexecdir}/ipsec/imv_policy_manager \ + $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_fipscheck \ + $RPM_BUILD_ROOT%{_bindir}/pt-tls-client \ + $RPM_BUILD_ROOT%{_sbindir}/ipsec \ ; do /usr/bin/fipshmac "$f" @@ -483,7 +518,7 @@ install -c -m644 %{_sourcedir}/fips-enforce.conf \ %post libs0 /sbin/ldconfig %{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/%{name}.conf} -%{!?tmpfiles_create:test -d %{_rundir}/%{name} || mkdir -p %{_rundir}/%{name}} +%{!?tmpfiles_create:test -d %{_rundir}/%{name} || %{__mkdir_p} %{_rundir}/%{name}} %postun libs0 -p /sbin/ldconfig 
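Review bot: The `%post libs0` fallback `%{!?tmpfiles_create:test -d %{_rundir}/%{name} || %{__mkdir_p} %{_rundir}/%{name}}` creates the runtime directory with whatever the process umask gives, whereas the tmpfiles entry written in `%install` requests `0770 root root`, so a system without `tmpfiles_create` ends up with a more permissive directory than a system with it. `%{__mkdir_p} -m 0770 %{_rundir}/%{name}` keeps the two paths consistent. The `mkdir -p` → `%{__mkdir_p}` swap itself is fine.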
@@ -557,11 +592,9 @@ fi %dir %{_sysconfdir}/ipsec.d/ocspcerts %dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private %if %{with systemd} -%{_unitdir}/strongswan-starter.service %{_unitdir}/strongswan.service -%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf +%{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf %{_sbindir}/rcstrongswan -%{_sbindir}/charon-systemd %else %config %{_sysconfdir}/init.d/ipsec %{_sbindir}/rcipsec @@ -582,7 +615,6 @@ fi %if %{with test} %{_libexecdir}/ipsec/conftest %endif -%{_libexecdir}/ipsec/xfrmi %{_libexecdir}/ipsec/duplicheck %{_libexecdir}/ipsec/pool %{_libexecdir}/ipsec/scepclient @@ -592,7 +624,6 @@ fi %{_libexecdir}/ipsec/_imv_policy %{_libexecdir}/ipsec/imv_policy_manager %dir %{strongswan_plugins} -%{strongswan_plugins}/libstrongswan-drbg.so %{strongswan_plugins}/libstrongswan-stroke.so %{strongswan_plugins}/libstrongswan-updown.so @@ -619,9 +650,6 @@ fi %dir %{strongswan_configs} %dir %{strongswan_configs}/charon %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf -%if %{with systemd} -%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-systemd.conf -%endif %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf 
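Review bot: `%{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf` is now listed under `/etc` without a `%config` attribute, so rpm treats a D-Bus policy file in sysconfdir as an ordinary file and rpmlint will report it; mark it `%config %{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf`, or keep the `%{_datadir}` location if the 5.6.0 nm plugin can be told to install there. Removing `strongswan-starter.service`, `charon-systemd`, `xfrmi`, the `drbg` plugin and `charon-systemd.conf` is presumably what the 5.6.0 tree and the dropped `--enable-systemd` require; the remaining file-list hunks on this and the following lines are pure deletions.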
@@ -632,9 +660,7 @@ fi %config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf -%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/counters.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf -%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/drbg.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf %if %{with afalg} %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/af-alg.conf @@ -688,7 +714,6 @@ fi %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf -%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mgf1.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf @@ -760,7 +785,6 @@ fi %{strongswan_plugins}/libstrongswan-ccm.so %{strongswan_plugins}/libstrongswan-certexpire.so %{strongswan_plugins}/libstrongswan-cmac.so -%{strongswan_plugins}/libstrongswan-counters.so %{strongswan_plugins}/libstrongswan-constraints.so %{strongswan_plugins}/libstrongswan-coupling.so %{strongswan_plugins}/libstrongswan-ctr.so @@ -803,7 +827,6 @@ fi %{strongswan_plugins}/libstrongswan-led.so %{strongswan_plugins}/libstrongswan-md4.so %{strongswan_plugins}/libstrongswan-md5.so -%{strongswan_plugins}/libstrongswan-mgf1.so %{strongswan_plugins}/libstrongswan-nonce.so %{strongswan_plugins}/libstrongswan-openssl.so %{strongswan_plugins}/libstrongswan-pem.so 
@@ -862,7 +885,6 @@ fi %{strongswan_templates}/config/plugins/ccm.conf %{strongswan_templates}/config/plugins/certexpire.conf %{strongswan_templates}/config/plugins/cmac.conf -%{strongswan_templates}/config/plugins/counters.conf %{strongswan_templates}/config/plugins/constraints.conf %{strongswan_templates}/config/plugins/coupling.conf %{strongswan_templates}/config/plugins/ctr.conf @@ -870,7 +892,6 @@ fi %{strongswan_templates}/config/plugins/des.conf %{strongswan_templates}/config/plugins/dhcp.conf %{strongswan_templates}/config/plugins/dnskey.conf -%{strongswan_templates}/config/plugins/drbg.conf %{strongswan_templates}/config/plugins/duplicheck.conf %{strongswan_templates}/config/plugins/eap-aka-3gpp2.conf %{strongswan_templates}/config/plugins/eap-aka.conf @@ -906,7 +927,6 @@ fi %{strongswan_templates}/config/plugins/led.conf %{strongswan_templates}/config/plugins/md4.conf %{strongswan_templates}/config/plugins/md5.conf -%{strongswan_templates}/config/plugins/mgf1.conf %{strongswan_templates}/config/plugins/nonce.conf %{strongswan_templates}/config/plugins/openssl.conf %{strongswan_templates}/config/plugins/pem.conf @@ -946,9 +966,6 @@ fi %{strongswan_templates}/config/plugins/xcbc.conf %{strongswan_templates}/config/plugins/curve25519.conf %{strongswan_templates}/config/plugins/vici.conf -%if %{with systemd} -%{strongswan_templates}/config/strongswan.d/charon-systemd.conf -%endif %{strongswan_templates}/config/strongswan.d/charon-logging.conf %{strongswan_templates}/config/strongswan.d/charon.conf %{strongswan_templates}/config/strongswan.d/imcv.conf diff --git a/strongswan_ipsec_service.patch b/strongswan_ipsec_service.patch index cd9b08a..ab8b13b 100644 --- a/strongswan_ipsec_service.patch +++ b/strongswan_ipsec_service.patch 
@@ -1,8 +1,6 @@ -Index: strongswan-5.6.2/init/systemd/strongswan.service.in -=================================================================== ---- strongswan-5.6.2.orig/init/systemd-starter/strongswan-starter.service.in 2017-02-07 08:04:04.000000000 +0100 -+++ strongswan-5.6.2/init/systemd-starter/strongswan-starter.service.in 2018-04-17 16:53:57.546334751 +0200 -@@ -9,3 +9,4 @@ Restart=on-abnormal +--- init/systemd/strongswan.service.in ++++ init/systemd/strongswan.service.in 2012/10/31 15:21:11 +@@ -8,3 +8,4 @@ StandardOutput=syslog [Install] WantedBy=multi-user.target diff --git a/strongswan_modprobe_syslog.patch b/strongswan_modprobe_syslog.patch index 30c021c..9e71673 100644 --- a/strongswan_modprobe_syslog.patch +++ b/strongswan_modprobe_syslog.patch @@ -1,7 +1,5 @@ -Index: strongswan-5.6.2/src/starter/klips.c -=================================================================== ---- strongswan-5.6.2.orig/src/starter/klips.c 2016-04-22 22:01:35.000000000 +0200 -+++ strongswan-5.6.2/src/starter/klips.c 2018-04-17 16:53:57.534334655 +0200 +--- src/starter/klips.c ++++ src/starter/klips.c 2012/10/30 17:07:23 @@ -30,7 +30,7 @@ bool starter_klips_init(void) /* ipsec module makes the pf_key proc interface visible */ if (stat(PROC_MODULES, &stb) == 0) @@ -24,11 +22,9 @@ Index: strongswan-5.6.2/src/starter/klips.c DBG2(DBG_APP, "found KLIPS IPsec stack"); return TRUE; -Index: strongswan-5.6.2/src/starter/netkey.c -=================================================================== ---- strongswan-5.6.2.orig/src/starter/netkey.c 2016-04-22 22:01:35.000000000 +0200 -+++ strongswan-5.6.2/src/starter/netkey.c 2018-04-17 16:53:57.534334655 +0200 -@@ -30,7 +30,7 @@ bool starter_netkey_init(void) +--- src/starter/netkey.c ++++ src/starter/netkey.c 2012/10/30 17:07:02 +@@ -31,7 +31,7 @@ bool starter_netkey_init(void) /* af_key module makes the netkey proc interface visible */ if (stat(PROC_MODULES, &stb) == 0) { 
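Review bot: Both rebased patches lose the `Index:`/`===` header that recorded which upstream tree they were taken against (`strongswan-5.6.2` before), and the `+++` lines now carry only a 2012 timestamp, so nothing in `strongswan_ipsec_service.patch` or `strongswan_modprobe_syslog.patch` says they were re-checked against 5.6.0. Add a descriptive header above the first `---` line of each patch, stating what it changes and the version it was rebased on (`Rebased on strongswan-<version>`); `%patch -p0` ignores such text. The same applies to the two `strongswan_modprobe_syslog.patch` hunks on this line.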
@@ -37,7 +33,7 @@ Index: strongswan-5.6.2/src/starter/netkey.c } /* now test again */ -@@ -44,11 +44,11 @@ bool starter_netkey_init(void) +@@ -45,11 +45,11 @@ bool starter_netkey_init(void) /* make sure that all required IPsec modules are loaded */ if (stat(PROC_MODULES, &stb) == 0) {