forked from pool/strongswan
Dominique Leuenberger 2018-06-08 21:13:27 +00:00 committed by Git OBS Bridge
commit d48e33c256
10 changed files with 118 additions and 39 deletions


@ -15,10 +15,10 @@ utils/utils/memory.h:99:15: error: uintptr_t undeclared (first use in this
src/libstrongswan/utils/utils/memory.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/libstrongswan/utils/utils/memory.h b/src/libstrongswan/utils/utils/memory.h
index b978e7c..55aaaf5 100644
--- a/src/libstrongswan/utils/utils/memory.h
+++ b/src/libstrongswan/utils/utils/memory.h
Index: strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h
===================================================================
--- strongswan-5.6.2.orig/src/libstrongswan/utils/utils/memory.h 2017-08-14 08:48:41.000000000 +0200
+++ strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h 2018-04-17 16:53:57.590335103 +0200
@@ -22,6 +22,8 @@
#ifndef MEMORY_H_
#define MEMORY_H_
@ -28,6 +28,3 @@ index b978e7c..55aaaf5 100644
/**
* Helper function that compares two binary blobs for equality
*/
--
2.14.1


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a14dc0d92634ed52730bfc76a76db30943a28ed3c65a560066e1e9f785827b13
size 4850722


@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1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=ZRFr
-----END PGP SIGNATURE-----

strongswan-5.6.2.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e0a60a30ebf3c534c223559e1686497a21ded709a5d605c5123c2f52bcc22e92
size 4977859


@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1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=L2B6
-----END PGP SIGNATURE-----


@ -1,3 +1,71 @@
-------------------------------------------------------------------
Tue Apr 17 13:24:38 UTC 2018 - bjorn.lie@gmail.com
- Update to version 5.6.2:
* Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS
signatures that was caused by insufficient input validation.
One of the configurable parameters in algorithm identifier
structures for RSASSA-PSS signatures is the mask generation
function (MGF). Only MGF1 is currently specified for this
purpose. However, this in turn takes itself a parameter that
specifies the underlying hash function. strongSwan's parser did
not correctly handle the case of this parameter being absent,
causing an undefined data read. This vulnerability has been
registered as CVE-2018-6459.
* When rekeying IKEv2 IKE_SAs the previously negotiated DH group
will be reused, instead of using the first configured group,
which avoids an additional exchange if the peer previously
selected a different DH group via INVALID_KE_PAYLOAD notify.
The same is also done when rekeying CHILD_SAs except for the
first rekeying of the CHILD_SA that was created with the
IKE_SA, where no DH group was negotiated yet. Also, the
selected DH group is moved to the front in all sent proposals
that contain it and all proposals that don't are moved to the
back in order to convey the preference for this group to the
peer.
* Handling of MOBIKE task queuing has been improved. In
particular, the response to an address update (with NAT-D
payloads) is not ignored anymore if only an address list update
or DPD is queued as that could prevent updating the UDP
encapsulation in the kernel.
* On Linux, roam events may optionally be triggered by changes to
the routing rules, which can be useful if routing rules
(instead of e.g. route metrics) are used to switch from one to
another interface (i.e. from one to another routing table).
Since routing rules are currently not evaluated when doing
route lookups this is only useful if the kernel-based route
lookup is used (4664992f7d).
* The fallback drop policies installed to avoid traffic leaks
when replacing addresses in installed policies are now replaced
by temporary drop policies, which also prevent acquires because
we currently delete and reinstall IPsec SAs to update their
addresses (35ef1b032d).
* Access X.509 certificates held in non-volatile storage of a TPM
2.0 referenced via the NV index.
* Adding the --keyid parameter to pki --print allows to print
private keys or certificates stored in a smartcard or a TPM
2.0.
* Fixed proposal selection if a peer incorrectly sends DH groups
in the ESP proposal during IKE_AUTH and also if a DH group is
configured in the local ESP proposal and
charon.prefer_configured_proposals is disabled (d058fd3c32).
* The lookup for PSK secrets for IKEv1 has been improved for
certain scenarios (see #2497 for details).
* MSKs received via RADIUS are now padded to 64 bytes to avoid
compatibility issues with EAP-MSCHAPv2 and PRFs that have a
block size < 64 bytes (e.g. AES-XCBC-PRF-128, see 73cbce6013).
* The tpm_extendpcr command line tool extends a digest into a TPM
PCR.
* Ported the NetworkManager backend from the deprecated
libnm-glib to libnm.
* The save-keys debugging/development plugin saves IKE and/or ESP
keys to files compatible with Wireshark.
- Following upstreams port, replace NetworkManager-devel with
pkgconfig(libnm) BuildRequires.
- Refresh patches with quilt.
- Disable strongswan_fipsfilter.patch, needs rebase or dropping,
the file it patches no longer exists in tarball.
-------------------------------------------------------------------
Fri Mar 16 08:55:10 UTC 2018 - mmnelemane@suse.com


@ -17,7 +17,7 @@
Name: strongswan
Version: 5.6.0
Version: 5.6.2
Release: 0
%define upstream_version %{version}
%define strongswan_docdir %{_docdir}/%{name}
@ -62,7 +62,7 @@ Release: 0
%bcond_with systemd
%endif
Summary: IPsec-based VPN solution
License: GPL-2.0+
License: GPL-2.0-or-later
Group: Productivity/Networking/Security
Url: http://www.strongswan.org/
Requires: strongswan-ipsec = %{version}
@ -80,6 +80,7 @@ Patch1: %{name}_modprobe_syslog.patch
Patch2: %{name}_ipsec_service.patch
%if %{with fipscheck}
Patch3: %{name}_fipscheck.patch
# Patch4 needs rebase, file it patches no longer exists in tarball.
Patch4: %{name}_fipsfilter.patch
%endif
Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
@ -107,7 +108,7 @@ BuildRequires: sqlite3-devel
BuildRequires: libgcrypt-devel
%endif
%if %{with nm}
BuildRequires: NetworkManager-devel
BuildRequires: pkgconfig(libnm)
%endif
%if %{with systemd}
%{?systemd_requires}
@ -253,11 +254,12 @@ and the load testing plugin for IKEv2 daemon.
%prep
%setup -q -n %{name}-%{upstream_version}
%patch1 -p0
%patch2 -p0
%patch1 -p1
%patch2 -p1
%if %{with fipscheck}
%patch3 -p1
%patch4 -p1
# Needs rebase, file it patches no longer exists.
#patch4 -p1
%endif
%patch5 -p1
%patch6 -p1
@ -617,6 +619,7 @@ fi
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/counters.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf
%if %{with afalg}
@ -671,6 +674,7 @@ fi
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mgf1.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf
@ -742,6 +746,7 @@ fi
%{strongswan_plugins}/libstrongswan-ccm.so
%{strongswan_plugins}/libstrongswan-certexpire.so
%{strongswan_plugins}/libstrongswan-cmac.so
%{strongswan_plugins}/libstrongswan-counters.so
%{strongswan_plugins}/libstrongswan-constraints.so
%{strongswan_plugins}/libstrongswan-coupling.so
%{strongswan_plugins}/libstrongswan-ctr.so
@ -784,6 +789,7 @@ fi
%{strongswan_plugins}/libstrongswan-led.so
%{strongswan_plugins}/libstrongswan-md4.so
%{strongswan_plugins}/libstrongswan-md5.so
%{strongswan_plugins}/libstrongswan-mgf1.so
%{strongswan_plugins}/libstrongswan-nonce.so
%{strongswan_plugins}/libstrongswan-openssl.so
%{strongswan_plugins}/libstrongswan-pem.so
@ -842,6 +848,7 @@ fi
%{strongswan_templates}/config/plugins/ccm.conf
%{strongswan_templates}/config/plugins/certexpire.conf
%{strongswan_templates}/config/plugins/cmac.conf
%{strongswan_templates}/config/plugins/counters.conf
%{strongswan_templates}/config/plugins/constraints.conf
%{strongswan_templates}/config/plugins/coupling.conf
%{strongswan_templates}/config/plugins/ctr.conf
@ -884,6 +891,7 @@ fi
%{strongswan_templates}/config/plugins/led.conf
%{strongswan_templates}/config/plugins/md4.conf
%{strongswan_templates}/config/plugins/md5.conf
%{strongswan_templates}/config/plugins/mgf1.conf
%{strongswan_templates}/config/plugins/nonce.conf
%{strongswan_templates}/config/plugins/openssl.conf
%{strongswan_templates}/config/plugins/pem.conf
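Review bot: Commenting out `%patch4 -p1` while leaving `Patch4: %{name}_fipsfilter.patch` declared inside `%if %{with fipscheck}` means a fipscheck-enabled build now silently produces a package without whatever that FIPS filter patch enforced, and neither the spec comment nor the changelog entry flags this as a behavioural gap for FIPS mode. I cannot see the patch itself, so I cannot say what is lost, but a build option named fipscheck that quietly drops a FIPS-related patch is exactly what a compliance reviewer would want to be loud about. Consider making the gap explicit until the patch is rebased, e.g. replacing the `#patch4 -p1` comment with `%{warn:strongswan_fipsfilter.patch is disabled pending rebase; its FIPS filtering is not applied}` inside the `%if %{with fipscheck}` block, or moving the `Patch4:` declaration out of the conditional so a declared-but-unapplied source is not mistaken for an applied one. The `%prep` section continues outside the hunk.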


@ -1,6 +1,8 @@
--- init/systemd/strongswan.service.in
+++ init/systemd/strongswan.service.in 2012/10/31 15:21:11
@@ -8,3 +8,4 @@ StandardOutput=syslog
Index: strongswan-5.6.2/init/systemd/strongswan.service.in
===================================================================
--- strongswan-5.6.2.orig/init/systemd/strongswan.service.in 2017-02-07 08:04:04.000000000 +0100
+++ strongswan-5.6.2/init/systemd/strongswan.service.in 2018-04-17 16:53:57.546334751 +0200
@@ -9,3 +9,4 @@ Restart=on-abnormal
[Install]
WantedBy=multi-user.target


@ -1,5 +1,7 @@
--- src/starter/klips.c
+++ src/starter/klips.c 2012/10/30 17:07:23
Index: strongswan-5.6.2/src/starter/klips.c
===================================================================
--- strongswan-5.6.2.orig/src/starter/klips.c 2016-04-22 22:01:35.000000000 +0200
+++ strongswan-5.6.2/src/starter/klips.c 2018-04-17 16:53:57.534334655 +0200
@@ -30,7 +30,7 @@ bool starter_klips_init(void)
/* ipsec module makes the pf_key proc interface visible */
if (stat(PROC_MODULES, &stb) == 0)
@ -22,9 +24,11 @@
DBG2(DBG_APP, "found KLIPS IPsec stack");
return TRUE;
--- src/starter/netkey.c
+++ src/starter/netkey.c 2012/10/30 17:07:02
@@ -31,7 +31,7 @@ bool starter_netkey_init(void)
Index: strongswan-5.6.2/src/starter/netkey.c
===================================================================
--- strongswan-5.6.2.orig/src/starter/netkey.c 2016-04-22 22:01:35.000000000 +0200
+++ strongswan-5.6.2/src/starter/netkey.c 2018-04-17 16:53:57.534334655 +0200
@@ -30,7 +30,7 @@ bool starter_netkey_init(void)
/* af_key module makes the netkey proc interface visible */
if (stat(PROC_MODULES, &stb) == 0)
{
@ -33,7 +37,7 @@
}
/* now test again */
@@ -45,11 +45,11 @@ bool starter_netkey_init(void)
@@ -44,11 +44,11 @@ bool starter_netkey_init(void)
/* make sure that all required IPsec modules are loaded */
if (stat(PROC_MODULES, &stb) == 0)
{