SHA256
1
0
forked from pool/strongswan

osc copypac from project:openSUSE:Leap:15.2 package:strongswan revision:16

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=117
This commit is contained in:
Madhu Mohan Nelemane 2020-01-30 09:34:36 +00:00 committed by Git OBS Bridge
parent f51dbccc77
commit b84f3a369a
14 changed files with 609 additions and 336 deletions

View File

@ -15,10 +15,10 @@ utils/utils/memory.h:99:15: error: uintptr_t undeclared (first use in this
src/libstrongswan/utils/utils/memory.h | 2 ++
1 file changed, 2 insertions(+)
Index: strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h
===================================================================
--- strongswan-5.6.2.orig/src/libstrongswan/utils/utils/memory.h 2017-08-14 08:48:41.000000000 +0200
+++ strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h 2018-04-17 16:53:57.590335103 +0200
diff --git a/src/libstrongswan/utils/utils/memory.h b/src/libstrongswan/utils/utils/memory.h
index b978e7c..55aaaf5 100644
--- a/src/libstrongswan/utils/utils/memory.h
+++ b/src/libstrongswan/utils/utils/memory.h
@@ -22,6 +22,8 @@
#ifndef MEMORY_H_
#define MEMORY_H_
@ -28,3 +28,6 @@ Index: strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h
/**
* Helper function that compares two binary blobs for equality
*/
--
2.14.1

View File

@ -0,0 +1,323 @@
From ade8c9c4b73ec43cf43b9c4cd9af6aac5e6f7f9d Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 28 Aug 2018 11:26:24 +0200
Subject: [PATCH] gmp: Don't parse PKCS1 v1.5 RSA signatures to verify them
Instead we generate the expected signature encoding and compare it to the
decrypted value.
Due to the lenient nature of the previous parsing code (minimum padding
length was not enforced, the algorithmIdentifier/OID parser accepts arbitrary
data after OIDs and in the parameters field etc.) it was susceptible to
Daniel Bleichenbacher's low-exponent attack (from 2006!), which allowed
forging signatures for keys that use low public exponents (i.e. e=3).
Since the public exponent is usually set to 0x10001 (65537) since quite a
while, the flaws in the previous code should not have had that much of a
practical impact in recent years.
Fixes: CVE-2018-16151, CVE-2018-16152
---
.../plugins/gmp/gmp_rsa_private_key.c | 66 +++++----
src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 158 ++-------------------
2 files changed, 53 insertions(+), 171 deletions(-)
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index 21b420866e2f..025f61a9fa21 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -262,14 +262,15 @@ static chunk_t rsasp1(private_gmp_rsa_private_key_t *this, chunk_t data)
}
/**
- * Build a signature using the PKCS#1 EMSA scheme
+ * Hashes the data and builds the plaintext signature value with EMSA
+ * PKCS#1 v1.5 padding.
+ *
+ * Allocates the signature data.
*/
-static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
- hash_algorithm_t hash_algorithm,
- chunk_t data, chunk_t *signature)
+bool gmp_emsa_pkcs1_signature_data(hash_algorithm_t hash_algorithm,
+ chunk_t data, size_t keylen, chunk_t *em)
{
chunk_t digestInfo = chunk_empty;
- chunk_t em;
if (hash_algorithm != HASH_UNKNOWN)
{
@@ -293,43 +294,56 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
/* build DER-encoded digestInfo */
digestInfo = asn1_wrap(ASN1_SEQUENCE, "mm",
asn1_algorithmIdentifier(hash_oid),
- asn1_simple_object(ASN1_OCTET_STRING, hash)
- );
- chunk_free(&hash);
+ asn1_wrap(ASN1_OCTET_STRING, "m", hash));
+
data = digestInfo;
}
- if (data.len > this->k - 3)
+ if (data.len > keylen - 11)
{
- free(digestInfo.ptr);
- DBG1(DBG_LIB, "unable to sign %d bytes using a %dbit key", data.len,
- mpz_sizeinbase(this->n, 2));
+ chunk_free(&digestInfo);
+ DBG1(DBG_LIB, "signature value of %zu bytes is too long for key of "
+ "%zu bytes", data.len, keylen);
return FALSE;
}
- /* build chunk to rsa-decrypt:
- * EM = 0x00 || 0x01 || PS || 0x00 || T.
- * PS = 0xFF padding, with length to fill em
+ /* EM = 0x00 || 0x01 || PS || 0x00 || T.
+ * PS = 0xFF padding, with length to fill em (at least 8 bytes)
* T = encoded_hash
*/
- em.len = this->k;
- em.ptr = malloc(em.len);
+ *em = chunk_alloc(keylen);
/* fill em with padding */
- memset(em.ptr, 0xFF, em.len);
+ memset(em->ptr, 0xFF, em->len);
/* set magic bytes */
- *(em.ptr) = 0x00;
- *(em.ptr+1) = 0x01;
- *(em.ptr + em.len - data.len - 1) = 0x00;
- /* set DER-encoded hash */
- memcpy(em.ptr + em.len - data.len, data.ptr, data.len);
+ *(em->ptr) = 0x00;
+ *(em->ptr+1) = 0x01;
+ *(em->ptr + em->len - data.len - 1) = 0x00;
+ /* set encoded hash */
+ memcpy(em->ptr + em->len - data.len, data.ptr, data.len);
+
+ chunk_clear(&digestInfo);
+ return TRUE;
+}
+
+/**
+ * Build a signature using the PKCS#1 EMSA scheme
+ */
+static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
+ hash_algorithm_t hash_algorithm,
+ chunk_t data, chunk_t *signature)
+{
+ chunk_t em;
+
+ if (!gmp_emsa_pkcs1_signature_data(hash_algorithm, data, this->k, &em))
+ {
+ return FALSE;
+ }
/* build signature */
*signature = rsasp1(this, em);
- free(digestInfo.ptr);
- free(em.ptr);
-
+ chunk_free(&em);
return TRUE;
}
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index 065c88903344..f27b24c6f319 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -68,7 +68,9 @@ struct private_gmp_rsa_public_key_t {
/**
* Shared functions defined in gmp_rsa_private_key.c
*/
-extern chunk_t gmp_mpz_to_chunk(const mpz_t value);
+chunk_t gmp_mpz_to_chunk(const mpz_t value);
+bool gmp_emsa_pkcs1_signature_data(hash_algorithm_t hash_algorithm,
+ chunk_t data, size_t keylen, chunk_t *em);
/**
* RSAEP algorithm specified in PKCS#1.
@@ -113,26 +115,13 @@ static chunk_t rsavp1(private_gmp_rsa_public_key_t *this, chunk_t data)
}
/**
- * ASN.1 definition of digestInfo
- */
-static const asn1Object_t digestInfoObjects[] = {
- { 0, "digestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
- { 1, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 1 */
- { 1, "digest", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */
- { 0, "exit", ASN1_EOC, ASN1_EXIT }
-};
-#define DIGEST_INFO 0
-#define DIGEST_INFO_ALGORITHM 1
-#define DIGEST_INFO_DIGEST 2
-
-/**
- * Verification of an EMPSA PKCS1 signature described in PKCS#1
+ * Verification of an EMSA PKCS1 signature described in PKCS#1
*/
static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
hash_algorithm_t algorithm,
chunk_t data, chunk_t signature)
{
- chunk_t em_ori, em;
+ chunk_t em_expected, em;
bool success = FALSE;
/* remove any preceding 0-bytes from signature */
@@ -146,140 +135,19 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
return FALSE;
}
- /* unpack signature */
- em_ori = em = rsavp1(this, signature);
-
- /* result should look like this:
- * EM = 0x00 || 0x01 || PS || 0x00 || T.
- * PS = 0xFF padding, with length to fill em
- * T = oid || hash
- */
-
- /* check magic bytes */
- if (em.len < 2 || *(em.ptr) != 0x00 || *(em.ptr+1) != 0x01)
- {
- goto end;
- }
- em = chunk_skip(em, 2);
-
- /* find magic 0x00 */
- while (em.len > 0)
- {
- if (*em.ptr == 0x00)
- {
- /* found magic byte, stop */
- em = chunk_skip(em, 1);
- break;
- }
- else if (*em.ptr != 0xFF)
- {
- /* bad padding, decryption failed ?!*/
- goto end;
- }
- em = chunk_skip(em, 1);
- }
-
- if (em.len == 0)
+ /* generate expected signature value */
+ if (!gmp_emsa_pkcs1_signature_data(algorithm, data, this->k, &em_expected))
{
- /* no digestInfo found */
- goto end;
- }
-
- if (algorithm == HASH_UNKNOWN)
- { /* IKEv1 signatures without digestInfo */
- if (em.len != data.len)
- {
- DBG1(DBG_LIB, "hash size in signature is %u bytes instead of"
- " %u bytes", em.len, data.len);
- goto end;
- }
- success = memeq_const(em.ptr, data.ptr, data.len);
+ return FALSE;
}
- else
- { /* IKEv2 and X.509 certificate signatures */
- asn1_parser_t *parser;
- chunk_t object;
- int objectID;
- hash_algorithm_t hash_algorithm = HASH_UNKNOWN;
- DBG2(DBG_LIB, "signature verification:");
- parser = asn1_parser_create(digestInfoObjects, em);
-
- while (parser->iterate(parser, &objectID, &object))
- {
- switch (objectID)
- {
- case DIGEST_INFO:
- {
- if (em.len > object.len)
- {
- DBG1(DBG_LIB, "digestInfo field in signature is"
- " followed by %u surplus bytes",
- em.len - object.len);
- goto end_parser;
- }
- break;
- }
- case DIGEST_INFO_ALGORITHM:
- {
- int hash_oid = asn1_parse_algorithmIdentifier(object,
- parser->get_level(parser)+1, NULL);
-
- hash_algorithm = hasher_algorithm_from_oid(hash_oid);
- if (hash_algorithm == HASH_UNKNOWN || hash_algorithm != algorithm)
- {
- DBG1(DBG_LIB, "expected hash algorithm %N, but found"
- " %N (OID: %#B)", hash_algorithm_names, algorithm,
- hash_algorithm_names, hash_algorithm, &object);
- goto end_parser;
- }
- break;
- }
- case DIGEST_INFO_DIGEST:
- {
- chunk_t hash;
- hasher_t *hasher;
-
- hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
- if (hasher == NULL)
- {
- DBG1(DBG_LIB, "hash algorithm %N not supported",
- hash_algorithm_names, hash_algorithm);
- goto end_parser;
- }
-
- if (object.len != hasher->get_hash_size(hasher))
- {
- DBG1(DBG_LIB, "hash size in signature is %u bytes"
- " instead of %u bytes", object.len,
- hasher->get_hash_size(hasher));
- hasher->destroy(hasher);
- goto end_parser;
- }
-
- /* build our own hash and compare */
- if (!hasher->allocate_hash(hasher, data, &hash))
- {
- hasher->destroy(hasher);
- goto end_parser;
- }
- hasher->destroy(hasher);
- success = memeq_const(object.ptr, hash.ptr, hash.len);
- free(hash.ptr);
- break;
- }
- default:
- break;
- }
- }
+ /* unpack signature */
+ em = rsavp1(this, signature);
-end_parser:
- success &= parser->success(parser);
- parser->destroy(parser);
- }
+ success = chunk_equals_const(em_expected, em);
-end:
- free(em_ori.ptr);
+ chunk_free(&em_expected);
+ chunk_free(&em);
return success;
}
--
2.7.4

View File

@ -0,0 +1,28 @@
From 0acd1ab4d08d53d80393b1a37b8781f6e7b2b996 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 13 Mar 2018 18:54:08 +0100
Subject: [PATCH] stroke: Ensure a minimum message length
---
src/libcharon/plugins/stroke/stroke_socket.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index c568440b7ae2..1e7f210e940a 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -627,6 +627,11 @@ static bool on_accept(private_stroke_socket_t *this, stream_t *stream)
}
return FALSE;
}
+ if (len < offsetof(stroke_msg_t, buffer))
+ {
+ DBG1(DBG_CFG, "invalid stroke message length %d", len);
+ return FALSE;
+ }
/* read message (we need an additional byte to terminate the buffer) */
msg = malloc(len + 1);
--
2.7.4

View File

@ -0,0 +1,39 @@
From b450318c15496f89e7c93392c9b5d2c6045c7de9 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Mon, 19 Mar 2018 17:03:05 +0100
Subject: [PATCH] ikev2: Initialize variable in case set_key() or
allocate_bytes() fails
In case the PRF's set_key() or allocate_bytes() method failed, skeyseed
was not initialized and the chunk_clear() call later caused a crash.
This could have happened with OpenSSL in FIPS mode when MD5 was
negotiated (and test vectors were not checked, in which case the PRF
couldn't be instantiated as the test vectors would have failed).
MD5 is not included in the default proposal anymore since 5.6.1, so
with recent versions this could only happen with configs that are not
valid in FIPS mode anyway.
Fixes: CVE-2018-10811
---
src/libcharon/sa/ikev2/keymat_v2.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index 0c41c68d0118..8b20d1ce986f 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -303,8 +303,8 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
pseudo_random_function_t rekey_function, chunk_t rekey_skd)
{
- chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
- chunk_t spi_i, spi_r;
+ chunk_t skeyseed = chunk_empty, key, secret, full_nonce, fixed_nonce;
+ chunk_t prf_plus_seed, spi_i, spi_r;
prf_plus_t *prf_plus = NULL;
uint16_t alg, key_size, int_alg;
prf_t *rekey_prf = NULL;
--
2.7.4

View File

@ -0,0 +1,38 @@
From 129ab919a8c3abfc17bea776f0774e0ccf33ca09 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 25 Sep 2018 14:50:08 +0200
Subject: [PATCH] gmp: Fix buffer overflow with very small RSA keys
Because `keylen` is unsigned the subtraction results in an integer
underflow if the key length is < 11 bytes.
This is only a problem when verifying signatures with a public key (for
private keys the plugin enforces a minimum modulus length) and to do so
we usually only use trusted keys. However, the x509 plugin actually
calls issued_by() on a parsed certificate to check if it is self-signed,
which is the reason this issue was found by OSS-Fuzz in the first place.
So, unfortunately, this can be triggered by sending an invalid client
cert to a peer.
Fixes: 5955db5b124a ("gmp: Don't parse PKCS1 v1.5 RSA signatures to verify them")
Fixes: CVE-2018-17540
---
src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index e9a83fdf49a1..a255a40abce2 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -301,7 +301,7 @@ bool gmp_emsa_pkcs1_signature_data(hash_algorithm_t hash_algorithm,
data = digestInfo;
}
- if (data.len > keylen - 11)
+ if (keylen < 11 || data.len > keylen - 11)
{
chunk_free(&digestInfo);
DBG1(DBG_LIB, "signature value of %zu bytes is too long for key of "
--
2.7.4

3
strongswan-5.6.0.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a14dc0d92634ed52730bfc76a76db30943a28ed3c65a560066e1e9f785827b13
size 4850722

View File

@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAABAgAGBQJZkUjtAAoJEN9CwXCzTbp3m08L/3A4QqZMMuBMuliao4kwO4tG
kyHD+nWMrFIK2dwu9zAMY5noiVUNcXExPgF7UTbW77Tr2s8RtkrnIUCTEJ+qYk7F
CNX2BmdYbB9MAofkaou/xAXKgfxXVxw41DY7sK59e+VZayJ+LN9Suq413ymdF6Da
kclM5ZoEM9X7feY+n1U2/DG199pF5sFN4dEt+kgSD4NJuZHsn+jfLVYzciHBIyk5
d1tnUAVjVUIVfGrQ6SG2SoASIla4Qv27YszdRtzIRYVjzj+bt4gX2ORkpChLGg6M
an50EM6yDBdDDyF+muNKl8OaE6YaAmIBKuftn/Rlx8kILzUTtiKk+6au699XaW/H
dMdHgb8AsyTi/nudz/nYfHUyYIbalOLwttG8qh3U+qCZ9ZbXy6wi9HB8FBPUNRru
UBd1Y+kh7FMicZprlr5xGxJ78vi7avV9HOjxIZldfoAaP/AO9l4fXYs2AVzZRalJ
eCwB7EHznJ/KVoKZ9MpXp6ne3iPGLYsoo92B8OXY3g==
=ZRFr
-----END PGP SIGNATURE-----

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:86900ddbe7337c923dadf2c8339ae8ed2b9158e3691745884d08ae534677430e
size 4533402

View File

@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAABAgAGBQJd+MscAAoJEN9CwXCzTbp3f6ML/0y5DGj7CytdIWcT7ODbZ5Dt
S8MS2BHxUJ4cgzB8InCK4wNQFpyzRhR2goPly1B8RVNSVSfdyvqfSC/A++esZe3m
wwjsjzjWYVaNnkj1lrl/8azOiDkD/uA/NaaUcASp6hoJIJQALYW5HfPjL/S/hC+v
iVio5Fy9c/9HGJEeeZxqRMp/gTNjvh05hbP9ukLADk6klphwaNFg5o0YNgf1NJFE
CBo/rGJNVfvEUUlJMLiBlFCBaPMOIjoIXODpjootRioDpnF6IonfcoIGiR6TuRQC
zR3u3Zhgpe4tJfkKCpCCSPGwMCcwreMAUwzRf/U/HDUSPZX+c4sBOIl8eedwVA77
DjNlktwmPta8x4YOh6NB3ghAwwztEkPvvaAIcwH0gh1DkjIicFr2VkoXIS5jqaVN
bK2YvTQ7StZa35VaEYnlu5JzIchPlqhXND6sWLWJolnwrNWskZyojVYioyIv3KJJ
tXphbN0HHCfLPs5vX8/X97IAa06tsnEOZEZg5Sk3Jw==
=VHUc
-----END PGP SIGNATURE-----

View File

@ -1,204 +1,35 @@
-------------------------------------------------------------------
Sun Jan 26 08:54:01 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
Thu Nov 14 12:56:01 UTC 2019 - Madhu Mohan Nelemane <mmnelemane@suse.com>
- Replace %__-type macro indirections. Update homepage URL to https.
- Added patch to fix vulnerability: CVE-2018-17540 (bsc#1109845)
[+ 0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch]
-------------------------------------------------------------------
Mon Jan 6 22:06:58 UTC 2020 - Bjørn Lie <bjorn.lie@gmail.com>
Wed Nov 13 16:43:52 UTC 2019 - Madhu Mohan Nelemane <mmnelemane@suse.com>
- Update to version 5.8.2:
* The systemd service units have changed their name.
"strongswan" is now "strongswan-starter", and
"strongswan-swanctl" is now "strongswan".
After installation, you need to `systemctl disable` the old
name and `systemctl enable`+start the new one.
* Fix CVE-2018-17540, CVE-2018-16151 and CVE-2018-16152.
* boo#1109845 and boo#1107874.
- Please check included NEWS file for info on what other changes
that have been done in versions 5.8.2, 5.8.1 5.8.0, 5.7.2, 5.7.1
and 5.7.0.
- Rebase strongswan_ipsec_service.patch.
- Disable patches that need rebase or dropping:
* strongswan_modprobe_syslog.patch
* 0006-fix-compilation-error-by-adding-stdint.h.patch
- Add conditional pkgconfig(libsystemd) BuildRequires: New
dependency.
- Added patch to fix vulnerability: CVE-2018-10811 (bsc#1093536)
- denial-of-service vulnerability
[+ 0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch]
-------------------------------------------------------------------
Wed Jun 6 22:14:57 UTC 2018 - bjorn.lie@gmail.com
Wed Nov 13 15:41:29 UTC 2019 - Madhu Mohan Nelemane <mmnelemane@suse.com>
- Update to version 5.6.3 (CVE-2018-10811, boo#1093536,
CVE-2018-5388, boo#1094462):
* Fixed a DoS vulnerability in the IKEv2 key derivation if the
openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated
as PRF. This vulnerability has been registered as
CVE-2018-10811, boo#1093536.
* Fixed a vulnerability in the stroke plugin, which did not check
the received length before reading a message from the socket.
Unless a group is configured, root privileges are required to
access that socket, so in the default configuration this
shouldn't be an issue. This vulnerability has been registered
as CVE-2018-5388, boo#1094462.
* CRLs that are not yet valid are now ignored to avoid problems
in scenarios where expired certificates are removed from new
CRLs and the clock on the host doing the revocation check is
trailing behind that of the host issuing CRLs. Not doing this
could result in accepting a revoked and expired certificate, if
it's still valid according to the trailing clock but not
contained anymore in not yet valid CRLs.
* The issuer of fetched CRLs is now compared to the issuer of the
checked certificate (#2608).
* CRL validation results other than revocation (e.g. a skipped
check because the CRL couldn't be fetched) are now stored also
for intermediate CA certificates and not only for end-entity
certificates, so a strict CRL policy can be enforced in such
cases.
* In compliance with RFC 4945, section 5.1.3.2, certificates used
for IKE must now either not contain a keyUsage extension (like
the ones generated by pki), or have at least one of the
digitalSignature or nonRepudiation bits set.
* New options for vici/swanctl allow forcing the local
termination of an IKE_SA. This might be useful in situations
where it's known the other end is not reachable anymore, or
that it already removed the IKE_SA, so retransmitting a DELETE
and waiting for a response would be pointless.
* Waiting only a certain amount of time for a response (i.e.
shorter than all retransmits would be) before destroying the
IKE_SA is also possible by additionally specifying a timeout in
the forced termination request.
* When removing routes, the kernel-netlink plugin now checks if
it tracks other routes for the same destination and replaces
the installed route instead of just removing it. Same during
installation, where existing routes previously weren't
replaced. This should allow using traps with virtual IPs on
Linux (#2162).
* The dhcp plugin now only sends the client identifier DHCP
option if the identity_lease setting is enabled (7b660944b6).
It can also send identities of up to 255 bytes length, instead
of the previous 64 bytes (30e886fe3b, 0e5b94d038). If a server
address is configured, DHCP requests are now sent from port 67
instead of 68 to avoid ICMP port unreachables (becf027cd9).
* The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one
containing a DH group that wasn't proposed) during
CREATE_CHILD_SA exchanges has been improved (#2536).
* Roam events are now completely ignored for IKEv1 SAs (there is
no MOBIKE to handle such changes properly).
* ChaCha20/Poly1305 is now correctly proposed without key length
(#2614). For compatibility with older releases the
chacha20poly1305compat keyword may be included in proposals to
also propose the algorithm with a key length (c58434aeff).
* Configuration of hardware offload of IPsec SAs is now more
flexible and allows a new setting (auto), which automatically
uses it if the kernel and device both support it. If hw_offload
is set to yes and offloading is not supported, the CHILD_SA
installation now fails.
* The kernel-pfkey plugin optionally installs routes via internal
interface (one with an IP in the local traffic selector). On
FreeBSD, enabling this selects the correct source IP when
sending packets from the gateway itself (e811659323).
* SHA-2 based PRFs are supported in PKCS#8 files as generated by
OpenSSL 1.1 (#2574).
* The pki --verify tool may load CA certificates and CRLs from
directories.
* The IKE daemon now also switches to port 4500 if the remote
port is not 500 (e.g. because the remote maps the response to a
different port, as might happen on Azure), as long as the local
port is 500 (85bfab621d).
* Fixed an issue with DNS servers passed to NetworkManager in
charon-nm (ee8c25516a).
* Logged traffic selectors now always contain the protocol if
either protocol or port are set (a36d8097ed).
* Only the inbound SA/policy will be updated as reaction to IP
address changes for rekeyed CHILD_SAs that are kept around.
* The parser for strongswan.conf/swanctl.conf now accepts =
characters in values without having to put the value in quotes
(e.g. for Base64 encoded shared secrets).
- Rename strongswan-5.6.2-rpmlintrc to strongswan-rpmlintrc,
changing the version string on every version update makes no
sense.
- Added patch to fix vulnerability: CVE-2018-5388 (bsc#1094462)
- Buffer Underflow in stroke_socket.c
[+ 0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch]
-------------------------------------------------------------------
Tue Apr 17 13:24:38 UTC 2018 - bjorn.lie@gmail.com
Wed Nov 13 13:51:38 UTC 2019 - Madhu Mohan Nelemane <mmnelemane@suse.com>
- Update to version 5.6.2:
* Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS
signatures that was caused by insufficient input validation.
One of the configurable parameters in algorithm identifier
structures for RSASSA-PSS signatures is the mask generation
function (MGF). Only MGF1 is currently specified for this
purpose. However, this in turn takes itself a parameter that
specifies the underlying hash function. strongSwan's parser did
not correctly handle the case of this parameter being absent,
causing an undefined data read. This vulnerability has been
registered as CVE-2018-6459.
* When rekeying IKEv2 IKE_SAs the previously negotiated DH group
will be reused, instead of using the first configured group,
which avoids an additional exchange if the peer previously
selected a different DH group via INVALID_KE_PAYLOAD notify.
The same is also done when rekeying CHILD_SAs except for the
first rekeying of the CHILD_SA that was created with the
IKE_SA, where no DH group was negotiated yet. Also, the
selected DH group is moved to the front in all sent proposals
that contain it and all proposals that don't are moved to the
back in order to convey the preference for this group to the
peer.
* Handling of MOBIKE task queuing has been improved. In
particular, the response to an address update (with NAT-D
payloads) is not ignored anymore if only an address list update
or DPD is queued as that could prevent updating the UDP
encapsulation in the kernel.
* On Linux, roam events may optionally be triggered by changes to
the routing rules, which can be useful if routing rules
(instead of e.g. route metrics) are used to switch from one to
another interface (i.e. from one to another routing table).
Since routing rules are currently not evaluated when doing
route lookups this is only useful if the kernel-based route
lookup is used (4664992f7d).
* The fallback drop policies installed to avoid traffic leaks
when replacing addresses in installed policies are now replaced
by temporary drop policies, which also prevent acquires because
we currently delete and reinstall IPsec SAs to update their
addresses (35ef1b032d).
* Access X.509 certificates held in non-volatile storage of a TPM
2.0 referenced via the NV index.
* Adding the --keyid parameter to pki --print allows to print
private keys or certificates stored in a smartcard or a TPM
2.0.
* Fixed proposal selection if a peer incorrectly sends DH groups
in the ESP proposal during IKE_AUTH and also if a DH group is
configured in the local ESP proposal and
charon.prefer_configured_proposals is disabled (d058fd3c32).
* The lookup for PSK secrets for IKEv1 has been improved for
certain scenarios (see #2497 for details).
* MSKs received via RADIUS are now padded to 64 bytes to avoid
compatibility issues with EAP-MSCHAPv2 and PRFs that have a
block size < 64 bytes (e.g. AES-XCBC-PRF-128, see 73cbce6013).
* The tpm_extendpcr command line tool extends a digest into a TPM
PCR.
* Ported the NetworkManager backend from the deprecated
libnm-glib to libnm.
* The save-keys debugging/development plugin saves IKE and/or ESP
keys to files compatible with Wireshark.
- Following upstreams port, replace NetworkManager-devel with
pkgconfig(libnm) BuildRequires.
- Refresh patches with quilt.
- Disable strongswan_fipsfilter.patch, needs rebase or dropping,
the file it patches no longer exists in tarball.
- Added patch to fix vulnerability: CVE-2018-16151,CVE-2018-16152 (bsc#1107874)
- Insufficient input validation in gmp plugin
[+ 0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch]
-------------------------------------------------------------------
Fri Mar 16 08:55:10 UTC 2018 - mmnelemane@suse.com
Wed Mar 14 15:43:42 UTC 2018 - mmnelemane@suse.com
- Removed unused requires and macro calls(bsc#1083261)
-------------------------------------------------------------------
Tue Oct 17 11:27:54 UTC 2017 - jengelh@inai.de
- Update summaries and descriptions. Trim filler words and
author list.
- Drop %if..%endif guards that are idempotent and do not affect
the build result.
- Replace old $RPM_ shell variables.
-------------------------------------------------------------------
Tue Sep 5 17:10:11 CEST 2017 - ndas@suse.de

View File

@ -1,7 +1,7 @@
#
# spec file for package strongswan
#
# Copyright (c) 2020 SUSE LLC
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -12,12 +12,12 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: strongswan
Version: 5.8.2
Version: 5.6.0
Release: 0
%define upstream_version %{version}
%define strongswan_docdir %{_docdir}/%{name}
@ -61,31 +61,33 @@ Release: 0
%else
%bcond_with systemd
%endif
Summary: IPsec-based VPN solution
License: GPL-2.0-or-later
Summary: OpenSource IPsec-based VPN Solution
License: GPL-2.0+
Group: Productivity/Networking/Security
URL: https://www.strongswan.org/
Url: http://www.strongswan.org/
Requires: strongswan-ipsec = %{version}
Source0: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
Source1: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
Source2: %{name}.init.in
Source3: %{name}-rpmlintrc
Source3: %{name}-%{version}-rpmlintrc
Source4: README.SUSE
Source5: %{name}.keyring
%if %{with fipscheck}
Source6: fipscheck.sh.in
Source7: fips-enforce.conf
%endif
# Needs rebase
Patch1: %{name}_modprobe_syslog.patch
Patch2: %{name}_ipsec_service.patch
%if %{with fipscheck}
Patch3: %{name}_fipscheck.patch
# Patch4 needs rebase, file it patches no longer exists in tarball.
Patch4: %{name}_fipsfilter.patch
%endif
Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
# Needs rebase
Patch6: 0006-fix-compilation-error-by-adding-stdint.h.patch
Patch7: 0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch
Patch8: 0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch
Patch9: 0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch
Patch10: 0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: bison
BuildRequires: curl-devel
@ -109,11 +111,10 @@ BuildRequires: sqlite3-devel
BuildRequires: libgcrypt-devel
%endif
%if %{with nm}
BuildRequires: pkgconfig(libnm)
BuildRequires: NetworkManager-devel
%endif
%if %{with systemd}
%{?systemd_requires}
BuildRequires: pkgconfig(libsystemd)
%endif
BuildRequires: iptables
%if %{with systemd}
@ -128,19 +129,19 @@ BuildRequires: automake
BuildRequires: fipscheck
%endif
BuildRequires: libtool
Requires: strongswan-ipsec = %{version}
%description
StrongSwan is an IPsec-based VPN solution for Linux.
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
* Implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels
* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
* Fully tested support of IPv6 IPsec tunnel and transport connections
* Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555)
* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555)
* Automatic insertion and deletion of IPsec-policy-based firewall rules
* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
* NAT Traversal via UDP encapsulation and port floating (RFC 3947)
* NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
* Static virtual IP addresses and IKEv1 ModeConfig pull and push modes
* Static virtual IPs and IKEv1 ModeConfig pull and push modes
* XAUTH server and client functionality on top of IKEv1 Main Mode authentication
* Virtual IP address pool managed by IKE daemon or SQL database
* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
@ -157,32 +158,46 @@ StrongSwan is an IPsec-based VPN solution for Linux.
* Modular plugins for crypto algorithms and relational database interfaces
* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
* Optional built-in integrity and crypto tests for plugins and libraries
* Linux desktop integration via the strongSwan NetworkManager applet
* Smooth Linux desktop integration via the strongSwan NetworkManager applet
This package triggers the installation of both, IKEv1 and IKEv2 daemons.
Authors:
--------
Andreas Steffen
and others
%package doc
Summary: Documentation for strongSwan
Group: Documentation/Man
BuildArch: noarch
Summary: OpenSource IPsec-based VPN Solution
Group: Productivity/Networking/Security
%description doc
StrongSwan is an IPsec-based VPN solution for Linux.
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
This package provides the StrongSwan documentation.
Authors:
--------
Andreas Steffen
and others
%package libs0
Summary: strongSwan core libraries and basic plugins
Summary: OpenSource IPsec-based VPN Solution
Group: Productivity/Networking/Security
Conflicts: strongswan < %{version}
%description libs0
StrongSwan is an IPsec-based VPN solution for Linux.
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
This package provides the strongswan library and plugins.
%if %{with fipscheck}
%package hmac
Summary: HMAC files for FIPS-140-2 integrity in strongSwan
Summary: HMAC files for FIPS-140-2 integrity
Group: Productivity/Networking/Security
Requires: fipscheck
Requires: strongswan-ipsec = %{version}
@ -195,8 +210,10 @@ _fipscheck helper script preforming the integrity checks before e.g.
"ipsec start" action is executed, when FIPS-140-2 compliant operation
mode is enabled.
%endif
%package ipsec
Summary: IPsec-based VPN solution
Summary: OpenSource IPsec-based VPN Solution
Group: Productivity/Networking/Security
Requires: strongswan-libs0 = %{version}
Provides: VPN
@ -206,83 +223,101 @@ Obsoletes: strongswan < %{version}
Conflicts: freeswan openswan
%description ipsec
StrongSwan is an IPsec-based VPN solution for Linux.
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
This package provides the /etc/init.d/ipsec service script and allows
to maintain both IKEv1 and IKEv2 using the /etc/ipsec.conf and the
to maintain both, IKEv1 and IKEv2, using the /etc/ipsec.conf and the
/etc/ipsec.sectes files.
%if %{with mysql}
%package mysql
Summary: MySQL plugin for strongSwan
Summary: OpenSource IPsec-based VPN Solution
Group: Productivity/Networking/Security
Requires: strongswan-libs0 = %{version}
%description mysql
StrongSwan is an IPsec-based VPN solution for Linux.
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
This package provides the strongswan mysql plugin.
%endif
%if %{with sqlite}
%package sqlite
Summary: SQLite plugin for strongSwan
Summary: OpenSource IPsec-based VPN Solution
Group: Productivity/Networking/Security
Requires: strongswan-libs0 = %{version}
%description sqlite
StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
This package provides the strongswan sqlite plugin.
%endif
%if %{with nm}
%package nm
Summary: NetworkManager plugin for strongSwan
Summary: OpenSource IPsec-based VPN Solution
Group: Productivity/Networking/Security
Requires: strongswan-libs0 = %{version}
%description nm
StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
This package provides the NetworkManager plugin to control the
charon IKEv2 daemon through D-Bus, designed to work using the
NetworkManager-strongswan graphical user interface.
%endif
%if %{with tests}
%package tests
Summary: Testing plugins for strongSwan
Summary: OpenSource IPsec-based VPN Solution
Group: Productivity/Networking/Security
Requires: strongswan-libs0 = %{version}
%description tests
StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
This package provides the strongswan crypto test vectors plugin
This package provides the strongswan crypto test-vectors plugin
and the load testing plugin for IKEv2 daemon.
%endif
%prep
%setup -q -n %{name}-%{upstream_version}
# Needs rebase, file it patches no longer exists.
#patch1 -p1
%patch2 -p1
%patch1 -p0
%patch2 -p0
%if %{with fipscheck}
%patch3 -p1
# Needs rebase, file it patches no longer exists.
#patch4 -p1
%patch4 -p1
%endif
%patch5 -p1
# Needs rebase.
#patch6 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
sed -e 's|@libexecdir@|%_libexecdir|g' \
< %{_sourcedir}/strongswan.init.in \
< $RPM_SOURCE_DIR/strongswan.init.in \
> strongswan.init
%if %{with fipscheck}
sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \
-e 's|@IPSEC_LIBDIR@|%{_libdir}/ipsec|g' \
-e 's|@IPSEC_SBINDIR@|%{_sbindir}|g' \
-e 's|@IPSEC_BINDIR@|%{_bindir}|g' \
< %{_sourcedir}/fipscheck.sh.in \
< $RPM_SOURCE_DIR/fipscheck.sh.in \
> _fipscheck
%endif
%build
CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"
export CFLAGS
CFLAGS="$RPM_OPT_FLAGS -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"
export RPM_OPT_FLAGS CFLAGS
autoreconf --force --install
%configure \
%if %{with integrity}
@ -293,7 +328,6 @@ autoreconf --force --install
--with-resolv-conf=%{_rundir}/%{name}/resolv.conf \
--with-piddir=%{_rundir}/%{name} \
%if %{with systemd}
--enable-systemd \
--with-systemdsystemunitdir=%{_unitdir} \
%endif
--enable-pkcs11 \
@ -378,24 +412,25 @@ autoreconf --force --install
--enable-soup \
--enable-curl \
--disable-static
make %{?_smp_mflags}
make %{?_smp_mflags:%_smp_mflags}
%install
install -d -m755 %{buildroot}/%{_sbindir}/
install -d -m755 %{buildroot}/%{_sysconfdir}/ipsec.d/
export RPM_BUILD_ROOT
install -d -m755 ${RPM_BUILD_ROOT}%{_sbindir}/
install -d -m755 ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.d/
%if %{with systemd}
ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcstrongswan
ln -sf %_sbindir/service ${RPM_BUILD_ROOT}%_sbindir/rcstrongswan
%else
install -d -m755 %{buildroot}/%{_sysconfdir}/init.d/
install -m755 strongswan.init %{buildroot}/%{_sysconfdir}/init.d/ipsec
ln -s %{_sysconfdir}/init.d/ipsec %{buildroot}/%{_sbindir}/rcipsec
install -d -m755 ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/
install -m755 strongswan.init ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ipsec
ln -s %{_sysconfdir}/init.d/ipsec ${RPM_BUILD_ROOT}%{_sbindir}/rcipsec
%endif
#
# Ensure, plugin -> library dependencies can be resolved
# (e.g. libtls) to avoid plugin segment checksum errors.
#
LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
%make_install
LD_LIBRARY_PATH="$RPM_BUILD_ROOT-$$%{strongswan_libdir}" \
make install DESTDIR="$RPM_BUILD_ROOT"
#
# checksums are calculated during make install using the
# installed binaries/libraries... but find-debuginfo.sh
@ -406,23 +441,23 @@ LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
%if %{with integrity}
%{?__debug_package:
if test -x %{_rpmconfigdir}/find-debuginfo.sh ; then
cp -a "%{buildroot}" "%{buildroot}-$$"
RPM_BUILD_ROOT="%{buildroot}-$$" \
cp -a "${RPM_BUILD_ROOT}" "${RPM_BUILD_ROOT}-$$"
RPM_BUILD_ROOT="$RPM_BUILD_ROOT-$$" \
%{_rpmconfigdir}/find-debuginfo.sh \
%{?_find_debuginfo_opts} "%{buildroot}-$$"
%{?_find_debuginfo_opts} "${RPM_BUILD_ROOT}-$$"
make -C src/checksum clean
rm -f src/checksum/checksum_builder
LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
make -C src/checksum install DESTDIR="%{buildroot}-$$"
mv "%{buildroot}-$$/%{strongswan_libdir}/libchecksum.so" \
"%{buildroot}/%{strongswan_libdir}/libchecksum.so"
rm -rf "%{buildroot}-$$"
LD_LIBRARY_PATH="$RPM_BUILD_ROOT-$$%{strongswan_libdir}" \
make -C src/checksum install DESTDIR="$RPM_BUILD_ROOT-$$"
mv "$RPM_BUILD_ROOT-$$%{strongswan_libdir}/libchecksum.so" \
"$RPM_BUILD_ROOT%{strongswan_libdir}/libchecksum.so"
rm -rf "${RPM_BUILD_ROOT}-$$"
fi
}
%endif
#
rm -f %{buildroot}/%{_sysconfdir}/ipsec.secrets
cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets
rm -f ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
#
# ipsec.secrets
#
@ -432,47 +467,47 @@ cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets
EOT
#
%if ! %{with mysql}
rm -f %{buildroot}/%{strongswan_templates}/database/sql/mysql.sql
rm -f $RPM_BUILD_ROOT%{strongswan_templates}/database/sql/mysql.sql
%endif
%if ! %{with sqlite}
rm -f %{buildroot}/%{strongswan_templates}/database/sql/sqlite.sql
rm -f $RPM_BUILD_ROOT%{strongswan_templates}/database/sql/sqlite.sql
%endif
rm -f %{buildroot}/%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
rm -f %{buildroot}/%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
find %{buildroot}/%{strongswan_libdir} -type f -name "*.la" -delete
rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
find $RPM_BUILD_ROOT%{strongswan_libdir} -type f -name "*.la" -delete
#
install -d -m755 %{buildroot}/%{strongswan_docdir}/
install -d -m755 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
install -c -m644 TODO NEWS README COPYING LICENSE \
AUTHORS ChangeLog \
%{buildroot}/%{strongswan_docdir}/
install -c -m644 %{_sourcedir}/README.SUSE \
%{buildroot}/%{strongswan_docdir}/
${RPM_BUILD_ROOT}%{strongswan_docdir}/
install -c -m644 ${RPM_SOURCE_DIR}/README.SUSE \
${RPM_BUILD_ROOT}%{strongswan_docdir}/
%if %{with systemd}
install -d -m 0755 %{buildroot}%{_tmpfilesdir}
%{__install} -d -m 0755 %{buildroot}%{_tmpfilesdir}
echo 'd %{_rundir}/%{name} 0770 root root' > %{buildroot}%{_tmpfilesdir}/%{name}.conf
%endif
%if %{with fipscheck}
#
# note: keep the following, _fipscheck's and file lists in sync
#
install -c -m750 _fipscheck %{buildroot}/%{_libexecdir}/ipsec/
install -c -m644 %{_sourcedir}/fips-enforce.conf \
%{buildroot}/%{strongswan_configs}/charon/zzz_fips-enforce.conf
install -c -m750 _fipscheck ${RPM_BUILD_ROOT}%{_libexecdir}/ipsec/
install -c -m644 ${RPM_SOURCE_DIR}/fips-enforce.conf \
${RPM_BUILD_ROOT}%{strongswan_configs}/charon/zzz_fips-enforce.conf
# create fips hmac hashes _after_ install post run
%{expand:%%global __os_install_post {%__os_install_post
for f in %{buildroot}/%{strongswan_libdir}/lib*.so.*.*.* \
%{buildroot}/%{strongswan_libdir}/imcvs/*.so \
%{buildroot}/%{strongswan_plugins}/*.so \
%{buildroot}/%{_libexecdir}/ipsec/charon \
%{buildroot}/%{_libexecdir}/ipsec/charon-nm \
%{buildroot}/%{_libexecdir}/ipsec/stroke \
%{buildroot}/%{_libexecdir}/ipsec/starter \
%{buildroot}/%{_libexecdir}/ipsec/pool \
%{buildroot}/%{_libexecdir}/ipsec/scepclient \
%{buildroot}/%{_libexecdir}/ipsec/imv_policy_manager \
%{buildroot}/%{_libexecdir}/ipsec/_fipscheck \
%{buildroot}/%{_bindir}/pt-tls-client \
%{buildroot}/%{_sbindir}/ipsec \
for f in $RPM_BUILD_ROOT%{strongswan_libdir}/lib*.so.*.*.* \
$RPM_BUILD_ROOT%{strongswan_libdir}/imcvs/*.so \
$RPM_BUILD_ROOT%{strongswan_plugins}/*.so \
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/charon \
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/charon-nm \
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/stroke \
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/starter \
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/pool \
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/scepclient \
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/imv_policy_manager \
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/_fipscheck \
$RPM_BUILD_ROOT%{_bindir}/pt-tls-client \
$RPM_BUILD_ROOT%{_sbindir}/ipsec \
;
do
/usr/bin/fipshmac "$f"
@ -483,7 +518,7 @@ install -c -m644 %{_sourcedir}/fips-enforce.conf \
%post libs0
/sbin/ldconfig
%{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/%{name}.conf}
%{!?tmpfiles_create:test -d %{_rundir}/%{name} || mkdir -p %{_rundir}/%{name}}
%{!?tmpfiles_create:test -d %{_rundir}/%{name} || %{__mkdir_p} %{_rundir}/%{name}}
%postun libs0 -p /sbin/ldconfig
@ -557,11 +592,9 @@ fi
%dir %{_sysconfdir}/ipsec.d/ocspcerts
%dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
%if %{with systemd}
%{_unitdir}/strongswan-starter.service
%{_unitdir}/strongswan.service
%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
%{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf
%{_sbindir}/rcstrongswan
%{_sbindir}/charon-systemd
%else
%config %{_sysconfdir}/init.d/ipsec
%{_sbindir}/rcipsec
@ -582,7 +615,6 @@ fi
%if %{with test}
%{_libexecdir}/ipsec/conftest
%endif
%{_libexecdir}/ipsec/xfrmi
%{_libexecdir}/ipsec/duplicheck
%{_libexecdir}/ipsec/pool
%{_libexecdir}/ipsec/scepclient
@ -592,7 +624,6 @@ fi
%{_libexecdir}/ipsec/_imv_policy
%{_libexecdir}/ipsec/imv_policy_manager
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-drbg.so
%{strongswan_plugins}/libstrongswan-stroke.so
%{strongswan_plugins}/libstrongswan-updown.so
@ -619,9 +650,6 @@ fi
%dir %{strongswan_configs}
%dir %{strongswan_configs}/charon
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf
%if %{with systemd}
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-systemd.conf
%endif
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf
@ -632,9 +660,7 @@ fi
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/counters.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/drbg.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf
%if %{with afalg}
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/af-alg.conf
@ -688,7 +714,6 @@ fi
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mgf1.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf
@ -760,7 +785,6 @@ fi
%{strongswan_plugins}/libstrongswan-ccm.so
%{strongswan_plugins}/libstrongswan-certexpire.so
%{strongswan_plugins}/libstrongswan-cmac.so
%{strongswan_plugins}/libstrongswan-counters.so
%{strongswan_plugins}/libstrongswan-constraints.so
%{strongswan_plugins}/libstrongswan-coupling.so
%{strongswan_plugins}/libstrongswan-ctr.so
@ -803,7 +827,6 @@ fi
%{strongswan_plugins}/libstrongswan-led.so
%{strongswan_plugins}/libstrongswan-md4.so
%{strongswan_plugins}/libstrongswan-md5.so
%{strongswan_plugins}/libstrongswan-mgf1.so
%{strongswan_plugins}/libstrongswan-nonce.so
%{strongswan_plugins}/libstrongswan-openssl.so
%{strongswan_plugins}/libstrongswan-pem.so
@ -862,7 +885,6 @@ fi
%{strongswan_templates}/config/plugins/ccm.conf
%{strongswan_templates}/config/plugins/certexpire.conf
%{strongswan_templates}/config/plugins/cmac.conf
%{strongswan_templates}/config/plugins/counters.conf
%{strongswan_templates}/config/plugins/constraints.conf
%{strongswan_templates}/config/plugins/coupling.conf
%{strongswan_templates}/config/plugins/ctr.conf
@ -870,7 +892,6 @@ fi
%{strongswan_templates}/config/plugins/des.conf
%{strongswan_templates}/config/plugins/dhcp.conf
%{strongswan_templates}/config/plugins/dnskey.conf
%{strongswan_templates}/config/plugins/drbg.conf
%{strongswan_templates}/config/plugins/duplicheck.conf
%{strongswan_templates}/config/plugins/eap-aka-3gpp2.conf
%{strongswan_templates}/config/plugins/eap-aka.conf
@ -906,7 +927,6 @@ fi
%{strongswan_templates}/config/plugins/led.conf
%{strongswan_templates}/config/plugins/md4.conf
%{strongswan_templates}/config/plugins/md5.conf
%{strongswan_templates}/config/plugins/mgf1.conf
%{strongswan_templates}/config/plugins/nonce.conf
%{strongswan_templates}/config/plugins/openssl.conf
%{strongswan_templates}/config/plugins/pem.conf
@ -946,9 +966,6 @@ fi
%{strongswan_templates}/config/plugins/xcbc.conf
%{strongswan_templates}/config/plugins/curve25519.conf
%{strongswan_templates}/config/plugins/vici.conf
%if %{with systemd}
%{strongswan_templates}/config/strongswan.d/charon-systemd.conf
%endif
%{strongswan_templates}/config/strongswan.d/charon-logging.conf
%{strongswan_templates}/config/strongswan.d/charon.conf
%{strongswan_templates}/config/strongswan.d/imcv.conf

View File

@ -1,8 +1,6 @@
Index: strongswan-5.6.2/init/systemd/strongswan.service.in
===================================================================
--- strongswan-5.6.2.orig/init/systemd-starter/strongswan-starter.service.in 2017-02-07 08:04:04.000000000 +0100
+++ strongswan-5.6.2/init/systemd-starter/strongswan-starter.service.in 2018-04-17 16:53:57.546334751 +0200
@@ -9,3 +9,4 @@ Restart=on-abnormal
--- init/systemd/strongswan.service.in
+++ init/systemd/strongswan.service.in 2012/10/31 15:21:11
@@ -8,3 +8,4 @@ StandardOutput=syslog
[Install]
WantedBy=multi-user.target

View File

@ -1,7 +1,5 @@
Index: strongswan-5.6.2/src/starter/klips.c
===================================================================
--- strongswan-5.6.2.orig/src/starter/klips.c 2016-04-22 22:01:35.000000000 +0200
+++ strongswan-5.6.2/src/starter/klips.c 2018-04-17 16:53:57.534334655 +0200
--- src/starter/klips.c
+++ src/starter/klips.c 2012/10/30 17:07:23
@@ -30,7 +30,7 @@ bool starter_klips_init(void)
/* ipsec module makes the pf_key proc interface visible */
if (stat(PROC_MODULES, &stb) == 0)
@ -24,11 +22,9 @@ Index: strongswan-5.6.2/src/starter/klips.c
DBG2(DBG_APP, "found KLIPS IPsec stack");
return TRUE;
Index: strongswan-5.6.2/src/starter/netkey.c
===================================================================
--- strongswan-5.6.2.orig/src/starter/netkey.c 2016-04-22 22:01:35.000000000 +0200
+++ strongswan-5.6.2/src/starter/netkey.c 2018-04-17 16:53:57.534334655 +0200
@@ -30,7 +30,7 @@ bool starter_netkey_init(void)
--- src/starter/netkey.c
+++ src/starter/netkey.c 2012/10/30 17:07:02
@@ -31,7 +31,7 @@ bool starter_netkey_init(void)
/* af_key module makes the netkey proc interface visible */
if (stat(PROC_MODULES, &stb) == 0)
{
@ -37,7 +33,7 @@ Index: strongswan-5.6.2/src/starter/netkey.c
}
/* now test again */
@@ -44,11 +44,11 @@ bool starter_netkey_init(void)
@@ -45,11 +45,11 @@ bool starter_netkey_init(void)
/* make sure that all required IPsec modules are loaded */
if (stat(PROC_MODULES, &stb) == 0)
{