Accepting request 406438 from home:dkosovic:branches:network:vpn
NetworkManager-l2tp-1.0.4 is broken with strongswan-5.2.2. The 'ipsec up {connection-name}' command never connects and goes into an infinite loop of failing and trying to re-connect. NetworkManager-l2tp works fine with earlier and later versions of strongswan, just not with strongswan-5.2.2. OBS-URL: https://build.opensuse.org/request/show/406438 OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=97
This commit is contained in:
parent
406171b31d
commit
d3507c65d4
@ -1,166 +0,0 @@
|
|||||||
From 7733b99198111ef1f30a964e15e93cb1e6d27a85 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tobias Brunner <tobias@strongswan.org>
|
|
||||||
Date: Fri, 15 May 2015 11:15:57 +0200
|
|
||||||
References: bsc#931272,CVE-2015-3991
|
|
||||||
Subject: [PATCH] unknown-payload: Use a new private payload type and make
|
|
||||||
original type available
|
|
||||||
|
|
||||||
This fixes a DoS and potential remote code execution vulnerability that was
|
|
||||||
caused because the original payload type that was returned previously was
|
|
||||||
used to cast such payload objects to payloads of the indicated type (e.g.
|
|
||||||
when logging notify payloads with a payload type for the wrong IKE version).
|
|
||||||
|
|
||||||
Fixes CVE-2015-3991.
|
|
||||||
---
|
|
||||||
src/libcharon/encoding/message.c | 2 +-
|
|
||||||
src/libcharon/encoding/payloads/payload.c | 2 ++
|
|
||||||
src/libcharon/encoding/payloads/payload.h | 7 ++++++-
|
|
||||||
src/libcharon/encoding/payloads/unknown_payload.c | 8 ++++++++
|
|
||||||
src/libcharon/encoding/payloads/unknown_payload.h | 8 ++++++++
|
|
||||||
src/libcharon/sa/ikev2/task_manager_v2.c | 18 ++++++++++--------
|
|
||||||
6 files changed, 35 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
|
|
||||||
index 1ee2cf81b035..478f531eae28 100644
|
|
||||||
--- a/src/libcharon/encoding/message.c
|
|
||||||
+++ b/src/libcharon/encoding/message.c
|
|
||||||
@@ -2513,7 +2513,7 @@ static status_t decrypt_payloads(private_message_t *this, keymat_t *keymat)
|
|
||||||
was_encrypted = "encrypted fragment payload";
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (payload_is_known(type, this->major_version) && !was_encrypted &&
|
|
||||||
+ if (type != PL_UNKNOWN && !was_encrypted &&
|
|
||||||
!is_connectivity_check(this, payload) &&
|
|
||||||
this->exchange_type != AGGRESSIVE)
|
|
||||||
{
|
|
||||||
diff --git a/src/libcharon/encoding/payloads/payload.c b/src/libcharon/encoding/payloads/payload.c
|
|
||||||
index a1cd2f945588..f7c2754e05c3 100644
|
|
||||||
--- a/src/libcharon/encoding/payloads/payload.c
|
|
||||||
+++ b/src/libcharon/encoding/payloads/payload.c
|
|
||||||
@@ -97,6 +97,7 @@ ENUM_NEXT(payload_type_names, PLV1_NAT_D_DRAFT_00_03, PLV1_FRAGMENT, PLV2_FRAGME
|
|
||||||
#endif /* ME */
|
|
||||||
ENUM_NEXT(payload_type_names, PL_HEADER, PLV1_ENCRYPTED, PLV1_FRAGMENT,
|
|
||||||
"HEADER",
|
|
||||||
+ "UNKNOWN",
|
|
||||||
"PROPOSAL_SUBSTRUCTURE",
|
|
||||||
"PROPOSAL_SUBSTRUCTURE_V1",
|
|
||||||
"TRANSFORM_SUBSTRUCTURE",
|
|
||||||
@@ -167,6 +168,7 @@ ENUM_NEXT(payload_type_short_names, PLV1_NAT_D_DRAFT_00_03, PLV1_FRAGMENT, PLV2_
|
|
||||||
#endif /* ME */
|
|
||||||
ENUM_NEXT(payload_type_short_names, PL_HEADER, PLV1_ENCRYPTED, PLV1_FRAGMENT,
|
|
||||||
"HDR",
|
|
||||||
+ "UNKN",
|
|
||||||
"PROP",
|
|
||||||
"PROP",
|
|
||||||
"TRANS",
|
|
||||||
diff --git a/src/libcharon/encoding/payloads/payload.h b/src/libcharon/encoding/payloads/payload.h
|
|
||||||
index 920779bd1032..72003894f307 100644
|
|
||||||
--- a/src/libcharon/encoding/payloads/payload.h
|
|
||||||
+++ b/src/libcharon/encoding/payloads/payload.h
|
|
||||||
@@ -1,5 +1,5 @@
|
|
||||||
/*
|
|
||||||
- * Copyright (C) 2007 Tobias Brunner
|
|
||||||
+ * Copyright (C) 2007-2015 Tobias Brunner
|
|
||||||
* Copyright (C) 2005-2006 Martin Willi
|
|
||||||
* Copyright (C) 2005 Jan Hutter
|
|
||||||
* Hochschule fuer Technik Rapperswil
|
|
||||||
@@ -264,6 +264,11 @@ enum payload_type_t {
|
|
||||||
PL_HEADER = 256,
|
|
||||||
|
|
||||||
/**
|
|
||||||
+ * Used to handle unknown or invalid payload types.
|
|
||||||
+ */
|
|
||||||
+ PL_UNKNOWN,
|
|
||||||
+
|
|
||||||
+ /**
|
|
||||||
* PLV2_PROPOSAL_SUBSTRUCTURE, IKEv2 proposals in a SA payload.
|
|
||||||
*/
|
|
||||||
PLV2_PROPOSAL_SUBSTRUCTURE,
|
|
||||||
diff --git a/src/libcharon/encoding/payloads/unknown_payload.c b/src/libcharon/encoding/payloads/unknown_payload.c
|
|
||||||
index 45b91fd0b32f..c69254fc008c 100644
|
|
||||||
--- a/src/libcharon/encoding/payloads/unknown_payload.c
|
|
||||||
+++ b/src/libcharon/encoding/payloads/unknown_payload.c
|
|
||||||
@@ -1,4 +1,5 @@
|
|
||||||
/*
|
|
||||||
+ * Copyright (C) 2015 Tobias Brunner
|
|
||||||
* Copyright (C) 2005-2006 Martin Willi
|
|
||||||
* Copyright (C) 2005 Jan Hutter
|
|
||||||
* Hochschule fuer Technik Rapperswil
|
|
||||||
@@ -121,6 +122,12 @@ METHOD(payload_t, get_header_length, int,
|
|
||||||
METHOD(payload_t, get_payload_type, payload_type_t,
|
|
||||||
private_unknown_payload_t *this)
|
|
||||||
{
|
|
||||||
+ return PL_UNKNOWN;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+METHOD(unknown_payload_t, get_type, payload_type_t,
|
|
||||||
+ private_unknown_payload_t *this)
|
|
||||||
+{
|
|
||||||
return this->type;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -181,6 +188,7 @@ unknown_payload_t *unknown_payload_create(payload_type_t type)
|
|
||||||
.destroy = _destroy,
|
|
||||||
},
|
|
||||||
.is_critical = _is_critical,
|
|
||||||
+ .get_type = _get_type,
|
|
||||||
.get_data = _get_data,
|
|
||||||
.destroy = _destroy,
|
|
||||||
},
|
|
||||||
diff --git a/src/libcharon/encoding/payloads/unknown_payload.h b/src/libcharon/encoding/payloads/unknown_payload.h
|
|
||||||
index 326b550cd872..09341bcc79b5 100644
|
|
||||||
--- a/src/libcharon/encoding/payloads/unknown_payload.h
|
|
||||||
+++ b/src/libcharon/encoding/payloads/unknown_payload.h
|
|
||||||
@@ -1,4 +1,5 @@
|
|
||||||
/*
|
|
||||||
+ * Copyright (C) 2015 Tobias Brunner
|
|
||||||
* Copyright (C) 2005-2006 Martin Willi
|
|
||||||
* Copyright (C) 2005 Jan Hutter
|
|
||||||
* Hochschule fuer Technik Rapperswil
|
|
||||||
@@ -42,6 +43,13 @@ struct unknown_payload_t {
|
|
||||||
payload_t payload_interface;
|
|
||||||
|
|
||||||
/**
|
|
||||||
+ * Get the original payload type as sent by the peer.
|
|
||||||
+ *
|
|
||||||
+ * @return type of the original payload
|
|
||||||
+ */
|
|
||||||
+ payload_type_t (*get_type) (unknown_payload_t *this);
|
|
||||||
+
|
|
||||||
+ /**
|
|
||||||
* Get the raw data of this payload, without
|
|
||||||
* the generic payload header.
|
|
||||||
*
|
|
||||||
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
|
|
||||||
index 298167703cbf..4676867dfec2 100644
|
|
||||||
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
|
|
||||||
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
|
|
||||||
@@ -1184,15 +1184,17 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg)
|
|
||||||
enumerator = msg->create_payload_enumerator(msg);
|
|
||||||
while (enumerator->enumerate(enumerator, &payload))
|
|
||||||
{
|
|
||||||
- unknown = (unknown_payload_t*)payload;
|
|
||||||
- type = payload->get_type(payload);
|
|
||||||
- if (!payload_is_known(type, msg->get_major_version(msg)) &&
|
|
||||||
- unknown->is_critical(unknown))
|
|
||||||
+ if (payload->get_type(payload) == PL_UNKNOWN)
|
|
||||||
{
|
|
||||||
- DBG1(DBG_ENC, "payload type %N is not supported, "
|
|
||||||
- "but its critical!", payload_type_names, type);
|
|
||||||
- status = NOT_SUPPORTED;
|
|
||||||
- break;
|
|
||||||
+ unknown = (unknown_payload_t*)payload;
|
|
||||||
+ if (unknown->is_critical(unknown))
|
|
||||||
+ {
|
|
||||||
+ type = unknown->get_type(unknown);
|
|
||||||
+ DBG1(DBG_ENC, "payload type %N is not supported, "
|
|
||||||
+ "but its critical!", payload_type_names, type);
|
|
||||||
+ status = NOT_SUPPORTED;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
enumerator->destroy(enumerator);
|
|
||||||
--
|
|
||||||
1.9.1
|
|
||||||
|
|
@ -1,102 +0,0 @@
|
|||||||
From ca1a65cc6aef2e037b529574783b7c571d1d82a9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Martin Willi <martin@strongswan.org>
|
|
||||||
Date: Wed, 3 Jun 2015 10:52:34 +0200
|
|
||||||
References: bsc#933591,CVE-2015-4171
|
|
||||||
Subject: [PATCH] ikev2: Enforce remote authentication config before proceeding
|
|
||||||
with own authentication
|
|
||||||
|
|
||||||
Previously the constraints in the authentication configuration of an
|
|
||||||
initiator were enforced only after all authentication rounds were
|
|
||||||
complete. This posed a problem if an initiator used EAP or PSK
|
|
||||||
authentication while the responder was authenticated with a certificate
|
|
||||||
and if a rogue server was able to authenticate itself with a valid
|
|
||||||
certificate issued by any CA the initiator trusted.
|
|
||||||
|
|
||||||
Because any constraints for the responder's identity (rightid) or other
|
|
||||||
aspects of the authentication (e.g. rightca) the initiator had were not
|
|
||||||
enforced until the initiator itself finished its authentication such a rogue
|
|
||||||
responder was able to acquire usernames and password hashes from the client.
|
|
||||||
And if a client supported EAP-GTC it was even possible to trick it into
|
|
||||||
sending plaintext passwords.
|
|
||||||
|
|
||||||
This patch enforces the configured constraints right after the responder's
|
|
||||||
authentication successfully finished for each round and before the initiator
|
|
||||||
starts with its own authentication.
|
|
||||||
|
|
||||||
Fixes CVE-2015-4171.
|
|
||||||
---
|
|
||||||
src/libcharon/sa/ikev2/tasks/ike_auth.c | 44 +++++++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 44 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
|
|
||||||
index bf747a49edde..2554496c1916 100644
|
|
||||||
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
|
|
||||||
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
|
|
||||||
@@ -112,6 +112,11 @@ struct private_ike_auth_t {
|
|
||||||
* received an INITIAL_CONTACT?
|
|
||||||
*/
|
|
||||||
bool initial_contact;
|
|
||||||
+
|
|
||||||
+ /**
|
|
||||||
+ * Is EAP acceptable, did we strictly authenticate peer?
|
|
||||||
+ */
|
|
||||||
+ bool eap_acceptable;
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
|
||||||
@@ -879,6 +884,37 @@ static void send_auth_failed_informational(private_ike_auth_t *this,
|
|
||||||
message->destroy(message);
|
|
||||||
}
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * Check if strict constraint fullfillment required to continue current auth
|
|
||||||
+ */
|
|
||||||
+static bool require_strict(private_ike_auth_t *this, bool mutual_eap)
|
|
||||||
+{
|
|
||||||
+ auth_cfg_t *cfg;
|
|
||||||
+
|
|
||||||
+ if (this->eap_acceptable)
|
|
||||||
+ {
|
|
||||||
+ return FALSE;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
|
|
||||||
+ switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
|
|
||||||
+ {
|
|
||||||
+ case AUTH_CLASS_EAP:
|
|
||||||
+ if (mutual_eap && this->my_auth)
|
|
||||||
+ {
|
|
||||||
+ this->eap_acceptable = TRUE;
|
|
||||||
+ return !this->my_auth->is_mutual(this->my_auth);
|
|
||||||
+ }
|
|
||||||
+ return TRUE;
|
|
||||||
+ case AUTH_CLASS_PSK:
|
|
||||||
+ return TRUE;
|
|
||||||
+ case AUTH_CLASS_PUBKEY:
|
|
||||||
+ case AUTH_CLASS_ANY:
|
|
||||||
+ default:
|
|
||||||
+ return FALSE;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
METHOD(task_t, process_i, status_t,
|
|
||||||
private_ike_auth_t *this, message_t *message)
|
|
||||||
{
|
|
||||||
@@ -1014,6 +1050,14 @@ METHOD(task_t, process_i, status_t,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (require_strict(this, mutual_eap))
|
|
||||||
+ {
|
|
||||||
+ if (!update_cfg_candidates(this, TRUE))
|
|
||||||
+ {
|
|
||||||
+ goto peer_auth_failed;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (this->my_auth)
|
|
||||||
{
|
|
||||||
switch (this->my_auth->process(this->my_auth, message))
|
|
||||||
--
|
|
||||||
1.9.1
|
|
||||||
|
|
@ -1,35 +0,0 @@
|
|||||||
From 91762f11e223e33b82182150d7c4cf7c2ec3cefa Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tobias Brunner <tobias@strongswan.org>
|
|
||||||
Date: Thu, 29 Oct 2015 11:18:27 +0100
|
|
||||||
References: CVE-2015-8023, bsc#953817
|
|
||||||
Subject: [PATCH] eap-mschapv2: Only succeed authentication if MSK was
|
|
||||||
established
|
|
||||||
|
|
||||||
An MSK is only established if the client successfully authenticated
|
|
||||||
itself and only then must we accept an MSCHAPV2_SUCCESS message.
|
|
||||||
|
|
||||||
Fixes CVE-2015-8023
|
|
||||||
---
|
|
||||||
src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 6 +++++-
|
|
||||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
|
|
||||||
index f7f39f9841d2..931e3c41dde4 100644
|
|
||||||
--- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
|
|
||||||
+++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c
|
|
||||||
@@ -1145,7 +1145,11 @@ METHOD(eap_method_t, process_server, status_t,
|
|
||||||
}
|
|
||||||
case MSCHAPV2_SUCCESS:
|
|
||||||
{
|
|
||||||
- return SUCCESS;
|
|
||||||
+ if (this->msk.ptr)
|
|
||||||
+ {
|
|
||||||
+ return SUCCESS;
|
|
||||||
+ }
|
|
||||||
+ break;
|
|
||||||
}
|
|
||||||
case MSCHAPV2_FAILURE:
|
|
||||||
{
|
|
||||||
--
|
|
||||||
1.9.1
|
|
||||||
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:cf2fbfdf200a5eced796f00dc11fea67ce477d38c54d5f073ac6c51618b172f4
|
|
||||||
size 4169095
|
|
@ -1,14 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
Version: GnuPG v1
|
|
||||||
|
|
||||||
iQGcBAABAgAGBQJUn/PYAAoJEN9CwXCzTbp3+PML/2IJQEI240BwPOpXEGrJ0jnR
|
|
||||||
Mmq7qXD3QLnUtpyX2/dXVV6X6PzdXiCubOj9m59VNSD6Qsr5W3d44rg90Vf9VxX6
|
|
||||||
5nwAWP9fWl1L8xKtC93dyPAe8eet9tMqIf6QY5LYCmKRXi9aotoARiyEjKRUsWdy
|
|
||||||
O+nDS43PrwjcgHcV+dVbpA1FyFSwoX2zoDu0d1MMzOb+b8np9+2SdtsNVKaIqW5c
|
|
||||||
39PphkQgpqBqM1nkO0LUydsdCpE+/Xq4yNP77eSio7b6b2eyAjD9gBlNsE4FHoU0
|
|
||||||
gyDKgdcOIPYmS8VD2J4efxQDjGpj6VV4wvXAo9tE7x/joIFT+Eg9LsD42l7yReaY
|
|
||||||
G/G87HVgA0DH67lBjoMfkhZcHCSTofM4cm7eOC7s48PF4HvnAM1L5bH7UzoehV9c
|
|
||||||
YvIUO/Q+7on6nvnW4AYUVXc/fAq7IUB6hYYCX6CHsb1U7gkEa7NseLwcoLmbMIfB
|
|
||||||
QaziGo6KHG4XFTdlu1LrQBip8NdJZh7v7fYJd/sFjA==
|
|
||||||
=bacU
|
|
||||||
-----END PGP SIGNATURE-----
|
|
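--- /dev/null
+++ b/strongswan-5.3.5.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2c84b663da652b1ff180a1a73c24a3d7b9fc4b9b8ba6bd07f94a1e33092e6350
+size 4415297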
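--- /dev/null
+++ b/strongswan-5.3.5.tar.bz2.sig
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQGcBAABAgAGBQJWVtUVAAoJEN9CwXCzTbp3dpUL/j5Dio8w6LbKtCf4QRItnG2/
+3U6apa56nxDWD3rpnN20OjSUzgulMIOjv/ZtRuruRPGWoFwrG6WzrsY/0ZrV929J
+hSmEVuu6qgt/2i/OJdBUHfNGbhJ9JbTXGMxnWUp38mr4SasZlzHZAxbiKmnKXKtO
+H5XebtVFR0/yNBPkv6wcJID/vFhJxfWpU2dblvVfSVo9VgV7lXkD0W+S++LJDTVo
+PgV/a8NZEFswLIZCPct4i3QBYCDkCiS5MGlGCa+xltPYdLpwQUqhEBUkvF8yur7K
+hnpT9cLk/gMSfFQmSOoN/31yx+ZSHTGR75QEh0pXRvo+oLJse7tw5/MJOHEJu+Hp
+c/0iVL7qSIXbX5DBF3c03nG3ZdWcVQW32VEp//mC5yEpqFz28dlNSpVwWHLMym/D
+kddiJjkZGCm7jBaPWTHSq2l8y9zdQzyHNNQ0HUpchUcpCn7B2nQO4tDSz3AFBECT
+32LKSXnpRb7BAnIW/TZhZqWs1WzbQHogUF+wx+Rl6w==
+=+fm3
+-----END PGP SIGNATURE-----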
@ -1,3 +1,148 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Jul 4 12:00:00 UTC 2016 - doug@uq.edu.au
|
||||||
|
|
||||||
|
- Updated to strongSwan 5.3.5 providing the following changes:
|
||||||
|
Changes in version 5.3.5:
|
||||||
|
* Properly handle potential EINTR errors in sigwaitinfo(2) calls
|
||||||
|
that replaced sigwait(3) calls with 5.3.4.
|
||||||
|
* RADIUS retransmission timeouts are now configurable, courtesy
|
||||||
|
of Thom Troy.
|
||||||
|
Changes in version 5.3.4:
|
||||||
|
* Fixed an authentication bypass vulnerability in the
|
||||||
|
eap-mschapv2 plugin that was caused by insufficient
|
||||||
|
verification of the internal state when handling MSCHAPv2
|
||||||
|
Success messages received by the client. This vulnerability
|
||||||
|
has been registered as CVE-2015-8023.
|
||||||
|
* The sha3 plugin implements the SHA3 Keccak-F1600 hash
|
||||||
|
algorithm family. Within the strongSwan framework SHA3 is
|
||||||
|
currently used for BLISS signatures only because the OIDs for
|
||||||
|
other signature algorithms haven't been defined yet. Also the
|
||||||
|
use of SHA3 for IKEv2 has not been standardized yet.
|
||||||
|
Changes in version 5.3.3:
|
||||||
|
* Added support for the ChaCha20/Poly1305 AEAD cipher specified
|
||||||
|
in RFC 7539 and RFC 7634 using the chacha20poly1305 ike/esp
|
||||||
|
proposal keyword. The new chapoly plugin implements the
|
||||||
|
cipher, if possible SSE-accelerated on x86/x64 architectures.
|
||||||
|
It is usable both in IKEv2 and the strongSwan libipsec ESP
|
||||||
|
backend. On Linux 4.2 or newer the kernel-netlink plugin can
|
||||||
|
configure the cipher for ESP SAs.
|
||||||
|
* The vici interface now supports the configuration of auxiliary
|
||||||
|
certification authority information as CRL and OCSP URIs.
|
||||||
|
* In the bliss plugin the c_indices derivation using a SHA-512
|
||||||
|
based random oracle has been fixed, generalized and
|
||||||
|
standardized by employing the MGF1 mask generation function
|
||||||
|
with SHA-512. As a consequence BLISS signatures unsing the
|
||||||
|
improved oracle are not compatible with the earlier
|
||||||
|
implementation.
|
||||||
|
* Support for auto=route with right=%any for transport mode
|
||||||
|
connections has been added (the ikev2/trap-any scenario
|
||||||
|
provides examples).
|
||||||
|
* The starter daemon does not flush IPsec policies and SAs
|
||||||
|
anymore when it is stopped. Already existing duplicate
|
||||||
|
policies are now overwritten by the IKE daemon when it
|
||||||
|
installs its policies.
|
||||||
|
* Init limits (like charon.init_limit_half_open) can now
|
||||||
|
optionally be enforced when initiating SAs via VICI. For this,
|
||||||
|
IKE_SAs initiated by the daemon are now also counted as half
|
||||||
|
open SAs, which, as a side-effect, fixes the status output
|
||||||
|
while connecting (e.g. in ipsec status).
|
||||||
|
* Symmetric configuration of EAP methods in left|rightauth is
|
||||||
|
now possible when mutual EAP-only authentication is used
|
||||||
|
(previously, the client had to configure rightauth=eap or
|
||||||
|
rightauth=any, which prevented it from using this same config
|
||||||
|
as responder).
|
||||||
|
* The initiator flag in the IKEv2 header is compared again
|
||||||
|
(wasn't the case since 5.0.0) and packets that have the flag
|
||||||
|
set incorrectly are again ignored.
|
||||||
|
* Implemented a demo Hardcopy Device IMC/IMV pair based on the
|
||||||
|
"Hardcopy Device Health Assessment Trusted Network Connect
|
||||||
|
Binding" (HCD-TNC) document drafted by the IEEE Printer
|
||||||
|
Working Group (PWG).
|
||||||
|
* Fixed IF-M segmentation which failed in the presence of
|
||||||
|
multiple small attributes in front of a huge attribute to be
|
||||||
|
segmented.
|
||||||
|
Changes in version 5.3.2:
|
||||||
|
* Fixed a vulnerability that allowed rogue servers with a valid
|
||||||
|
certificate accepted by the client to trick it into disclosing
|
||||||
|
its username and even password (if the client accepts
|
||||||
|
EAP-GTC). This was caused because constraints against the
|
||||||
|
responder's authentication were enforced too late. This
|
||||||
|
vulnerability has been registered as CVE-2015-4171.
|
||||||
|
Changes in version 5.3.1:
|
||||||
|
* Fixed a denial-of-service and potential remote code execution
|
||||||
|
vulnerability triggered by IKEv1/IKEv2 messages that contain
|
||||||
|
payloads for the respective other IKE version. Such payload
|
||||||
|
are treated specially since 5.2.2 but because they were still
|
||||||
|
identified by their original payload type they were used as
|
||||||
|
such in some places causing invalid function pointer
|
||||||
|
dereferences. The vulnerability has been registered as
|
||||||
|
CVE-2015-3991.
|
||||||
|
* The new aesni plugin provides CBC, CTR, XCBC, CMAC, CCM and
|
||||||
|
GCM crypto primitives for AES-128/192/256. The plugin requires
|
||||||
|
AES-NI and PCLMULQDQ instructions and works on both x86 and
|
||||||
|
x64 architectures. It provides superior crypto performance in
|
||||||
|
userland without any external libraries.
|
||||||
|
Changes in version 5.3.0:
|
||||||
|
* Added support for IKEv2 make-before-break reauthentication. By
|
||||||
|
using a global CHILD_SA reqid allocation mechanism, charon
|
||||||
|
supports overlapping CHILD_SAs. This allows the use of
|
||||||
|
make-before-break instead of the previously supported
|
||||||
|
break-before-make reauthentication, avoiding connectivity gaps
|
||||||
|
during that procedure. As the new mechanism may fail with peers
|
||||||
|
not supporting it (such as any previous strongSwan release) it
|
||||||
|
must be explicitly enabled using the charon.make_before_break
|
||||||
|
strongswan.conf option.
|
||||||
|
* Support for "Signature Authentication in IKEv2" (RFC 7427) has
|
||||||
|
been added. This allows the use of stronger hash algorithms
|
||||||
|
for public key authentication. By default, signature schemes
|
||||||
|
are chosen based on the strength of the signature key, but
|
||||||
|
specific hash algorithms may be configured in leftauth.
|
||||||
|
* Key types and hash algorithms specified in rightauth are now
|
||||||
|
also checked against IKEv2 signature schemes. If such
|
||||||
|
constraints are used for certificate chain validation in
|
||||||
|
existing configurations, in particular with peers that don't
|
||||||
|
support RFC 7427, it may be necessary to disable this feature
|
||||||
|
with the charon.signature_authentication_constraints setting,
|
||||||
|
because the signature scheme used in classic IKEv2 public key
|
||||||
|
authentication may not be strong enough.
|
||||||
|
* The new connmark plugin allows a host to bind conntrack flows
|
||||||
|
to a specific CHILD_SA by applying and restoring the SA mark
|
||||||
|
to conntrack entries. This allows a peer to handle multiple
|
||||||
|
transport mode connections coming over the same NAT device for
|
||||||
|
client-initiated flows. A common use case is to protect
|
||||||
|
L2TP/IPsec, as supported by some systems.
|
||||||
|
* The forecast plugin can forward broadcast and multicast
|
||||||
|
messages between connected clients and a LAN. For CHILD_SA
|
||||||
|
using unique marks, it sets up the required Netfilter rules
|
||||||
|
and uses a multicast/broadcast listener that forwards such
|
||||||
|
messages to all connected clients. This plugin is designed for
|
||||||
|
Windows 7 IKEv2 clients, which announces its services over the
|
||||||
|
tunnel if the negotiated IPsec policy allows it.
|
||||||
|
* For the vici plugin a Python Egg has been added to allow
|
||||||
|
Python applications to control or monitor the IKE daemon using
|
||||||
|
the VICI interface, similar to the existing ruby gem. The
|
||||||
|
Python library has been contributed by Björn Schuberg.
|
||||||
|
* EAP server methods now can fulfill public key constraints,
|
||||||
|
such as rightcert or rightca. Additionally, public key and
|
||||||
|
signature constraints can be specified for EAP methods in the
|
||||||
|
rightauth keyword. Currently the EAP-TLS and EAP-TTLS methods
|
||||||
|
provide verification details to constraints checking.
|
||||||
|
* Upgrade of the BLISS post-quantum signature algorithm to the
|
||||||
|
improved BLISS-B variant. Can be used in conjunction with the
|
||||||
|
SHA256, SHA384 and SHA512 hash algorithms with SHA512 being
|
||||||
|
the default.
|
||||||
|
* The IF-IMV 1.4 interface now makes the IP address of the TNC
|
||||||
|
access requestor as seen by the TNC server available to all
|
||||||
|
IMVs. This information can be forwarded to policy enforcement
|
||||||
|
points (e.g. firewalls or routers).
|
||||||
|
* The new mutual tnccs-20 plugin parameter activates mutual TNC
|
||||||
|
measurements in PB-TNC half-duplex mode between two endpoints
|
||||||
|
over either a PT-EAP or PT-TLS transport medium.
|
||||||
|
- Adjusted file lists and removed obsolete patches
|
||||||
|
[- 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch,
|
||||||
|
- 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch,
|
||||||
|
- 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch]
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Nov 13 10:25:59 UTC 2015 - mt@suse.de
|
Fri Nov 13 10:25:59 UTC 2015 - mt@suse.de
|
||||||
|
|
||||||
|
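--- a/strongswan.spec
+++ b/strongswan.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package strongswan
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name: strongswan
-Version: 5.2.2
+Version: 5.3.5
 Release: 0
 %define upstream_version %{version}
 %define strongswan_docdir %{_docdir}/%{name}
@@ -82,9 +82,6 @@ Patch2: %{name}_ipsec_service.patch
 Patch3: %{name}_fipscheck.patch
 Patch4: %{name}_fipsfilter.patch
 %endif
-Patch5: 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch
-Patch6: 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch
-Patch7: 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: bison
 BuildRequires: curl-devel
@@ -295,9 +292,6 @@ and the load testing plugin for IKEv2 daemon.
 %patch3 -p0
 %patch4 -p1
 %endif
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g' \
 < $RPM_SOURCE_DIR/strongswan.init.in \
 > strongswan.init
@@ -605,7 +599,6 @@ fi
 %dir %{_libexecdir}/ipsec
 %{_libexecdir}/ipsec/_copyright
 %{_libexecdir}/ipsec/_updown
-%{_libexecdir}/ipsec/_updown_espmark
 %if %{with test}
 %{_libexecdir}/ipsec/conftest
 %endif
@@ -632,8 +625,6 @@ fi
 %{strongswan_docdir}/LICENSE
 %{strongswan_docdir}/AUTHORS
 %{strongswan_docdir}/ChangeLog
-%{_mandir}/man8/_updown.8*
-%{_mandir}/man8/_updown_espmark.8*
 %{_mandir}/man8/scepclient.8*
 
 %files libs0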