forked from pool/strongswan
Accepting request 287701 from network:vpn
Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/287701 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=59
This commit is contained in:
commit
d688e99dd5
@ -1,413 +0,0 @@
|
||||
From 76ad8a6f4c83c999b9eb6d1a3506b1a8e593307e Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Brunner <tobias@strongswan.org>
|
||||
Date: Fri, 20 Jun 2014 16:22:15 +0200
|
||||
Subject: [PATCH] Merge branch 'algorithm-order'
|
||||
Upstream: yes
|
||||
References: bsc#897512
|
||||
|
||||
Restores the behavior we had before 2e22333fb (except for RNGs), that is,
|
||||
algorithms are stored in the registration order again. Which is not optimal
|
||||
as we must rely on plugins to register them in a sensible order, but ordering
|
||||
them by identifier definitely caused weaker algorithms to be proposed first
|
||||
in the default proposal, which was even worse.
|
||||
---
|
||||
src/libstrongswan/crypto/crypto_factory.c | 18 +-
|
||||
src/libstrongswan/tests/Makefile.am | 1 +
|
||||
.../tests/suites/test_crypto_factory.c | 312 +++++++++++++++++++++
|
||||
src/libstrongswan/tests/tests.h | 1 +
|
||||
4 files changed, 327 insertions(+), 5 deletions(-)
|
||||
create mode 100644 src/libstrongswan/tests/suites/test_crypto_factory.c
|
||||
|
||||
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
|
||||
index 6dea30e..96fbc0d 100644
|
||||
--- a/src/libstrongswan/crypto/crypto_factory.c
|
||||
+++ b/src/libstrongswan/crypto/crypto_factory.c
|
||||
@@ -392,10 +392,10 @@ METHOD(crypto_factory_t, create_dh, diffie_hellman_t*,
|
||||
/**
|
||||
* Insert an algorithm entry to a list
|
||||
*
|
||||
- * Entries are sorted by algorithm identifier (which is important for RNGs)
|
||||
- * while maintaining the order in which algorithms were added, unless they were
|
||||
+ * Entries maintain the order in which algorithms were added, unless they were
|
||||
* benchmarked and speed is provided, which then is used to order entries of
|
||||
* the same algorithm.
|
||||
+ * An exception are RNG entries, which are sorted by algorithm identifier.
|
||||
*/
|
||||
static void add_entry(private_crypto_factory_t *this, linked_list_t *list,
|
||||
int algo, const char *plugin_name,
|
||||
@@ -403,6 +403,7 @@ static void add_entry(private_crypto_factory_t *this, linked_list_t *list,
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
entry_t *entry, *current;
|
||||
+ bool sort = (list == this->rngs), found = FALSE;
|
||||
|
||||
INIT(entry,
|
||||
.algo = algo,
|
||||
@@ -415,12 +416,19 @@ static void add_entry(private_crypto_factory_t *this, linked_list_t *list,
|
||||
enumerator = list->create_enumerator(list);
|
||||
while (enumerator->enumerate(enumerator, ¤t))
|
||||
{
|
||||
- if (current->algo > algo)
|
||||
+ if (sort && current->algo > algo)
|
||||
{
|
||||
break;
|
||||
}
|
||||
- else if (current->algo == algo && speed &&
|
||||
- current->speed < speed)
|
||||
+ else if (current->algo == algo)
|
||||
+ {
|
||||
+ if (speed > current->speed)
|
||||
+ {
|
||||
+ break;
|
||||
+ }
|
||||
+ found = TRUE;
|
||||
+ }
|
||||
+ else if (found)
|
||||
{
|
||||
break;
|
||||
}
|
||||
diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am
|
||||
index 331a548..0bdf2b3 100644
|
||||
--- a/src/libstrongswan/tests/Makefile.am
|
||||
+++ b/src/libstrongswan/tests/Makefile.am
|
||||
@@ -42,6 +42,7 @@ tests_SOURCES = tests.h tests.c \
|
||||
suites/test_host.c \
|
||||
suites/test_hasher.c \
|
||||
suites/test_crypter.c \
|
||||
+ suites/test_crypto_factory.c \
|
||||
suites/test_pen.c \
|
||||
suites/test_asn1.c \
|
||||
suites/test_asn1_parser.c \
|
||||
diff --git a/src/libstrongswan/tests/suites/test_crypto_factory.c b/src/libstrongswan/tests/suites/test_crypto_factory.c
|
||||
new file mode 100644
|
||||
index 0000000..94f45da
|
||||
--- /dev/null
|
||||
+++ b/src/libstrongswan/tests/suites/test_crypto_factory.c
|
||||
@@ -0,0 +1,312 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2014 Tobias Brunner
|
||||
+ * Hochschule fuer Technik Rapperswil
|
||||
+ *
|
||||
+ * This program is free software; you can redistribute it and/or modify it
|
||||
+ * under the terms of the GNU General Public License as published by the
|
||||
+ * Free Software Foundation; either version 2 of the License, or (at your
|
||||
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
||||
+ *
|
||||
+ * This program is distributed in the hope that it will be useful, but
|
||||
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
+ * for more details.
|
||||
+ */
|
||||
+
|
||||
+#include "test_suite.h"
|
||||
+
|
||||
+#include <crypto/crypto_factory.h>
|
||||
+
|
||||
+static rng_t *rng_create(rng_quality_t quality)
|
||||
+{
|
||||
+ rng_quality_t *q = malloc_thing(rng_quality_t);
|
||||
+ *q = quality;
|
||||
+ return (rng_t*)q;
|
||||
+}
|
||||
+
|
||||
+static rng_t *rng_create_weak(rng_quality_t quality)
|
||||
+{
|
||||
+ ck_assert(quality == RNG_WEAK);
|
||||
+ return rng_create(RNG_WEAK);
|
||||
+}
|
||||
+
|
||||
+static rng_t *rng_create_strong(rng_quality_t quality)
|
||||
+{
|
||||
+ ck_assert(quality <= RNG_STRONG);
|
||||
+ return rng_create(RNG_STRONG);
|
||||
+}
|
||||
+
|
||||
+static rng_t *rng_create_true(rng_quality_t quality)
|
||||
+{
|
||||
+ ck_assert(quality <= RNG_TRUE);
|
||||
+ return rng_create(RNG_TRUE);
|
||||
+}
|
||||
+
|
||||
+static rng_t *rng_create_true_second(rng_quality_t quality)
|
||||
+{
|
||||
+ fail("should never be called");
|
||||
+ return rng_create(RNG_TRUE);
|
||||
+}
|
||||
+
|
||||
+static rng_quality_t rng_weak = RNG_WEAK;
|
||||
+static rng_quality_t rng_strong = RNG_STRONG;
|
||||
+static rng_quality_t rng_true = RNG_TRUE;
|
||||
+
|
||||
+static struct {
|
||||
+ rng_quality_t *exp_weak;
|
||||
+ rng_quality_t *exp_strong;
|
||||
+ rng_quality_t *exp_true;
|
||||
+ struct {
|
||||
+ rng_quality_t *q;
|
||||
+ rng_constructor_t create;
|
||||
+ } data[4];
|
||||
+} rng_data[] = {
|
||||
+ { NULL, NULL, NULL, {
|
||||
+ { NULL, NULL }
|
||||
+ }},
|
||||
+ { &rng_weak, NULL, NULL, {
|
||||
+ { &rng_weak, rng_create_weak },
|
||||
+ { NULL, NULL }
|
||||
+ }},
|
||||
+ { &rng_strong, &rng_strong, NULL, {
|
||||
+ { &rng_strong, rng_create_strong },
|
||||
+ { NULL, NULL }
|
||||
+ }},
|
||||
+ { &rng_true, &rng_true, &rng_true, {
|
||||
+ { &rng_true, rng_create_true },
|
||||
+ { NULL, NULL }
|
||||
+ }},
|
||||
+ { &rng_true, &rng_true, &rng_true, {
|
||||
+ { &rng_true, rng_create_true },
|
||||
+ { &rng_true, rng_create_true_second },
|
||||
+ { NULL, NULL }
|
||||
+ }},
|
||||
+ { &rng_weak, &rng_true, &rng_true, {
|
||||
+ { &rng_weak, rng_create_weak },
|
||||
+ { &rng_true, rng_create_true },
|
||||
+ { NULL, NULL }
|
||||
+ }},
|
||||
+ { &rng_weak, &rng_strong, &rng_true, {
|
||||
+ { &rng_true, rng_create_true },
|
||||
+ { &rng_strong, rng_create_strong },
|
||||
+ { &rng_weak, rng_create_weak },
|
||||
+ { NULL, NULL }
|
||||
+ }},
|
||||
+ { &rng_weak, &rng_strong, &rng_true, {
|
||||
+ { &rng_weak, rng_create_weak },
|
||||
+ { &rng_strong, rng_create_strong },
|
||||
+ { &rng_true, rng_create_true },
|
||||
+ { NULL, NULL }
|
||||
+ }},
|
||||
+};
|
||||
+
|
||||
+static void verify_rng(crypto_factory_t *factory, rng_quality_t request,
|
||||
+ rng_quality_t *expected)
|
||||
+{
|
||||
+ rng_quality_t *res;
|
||||
+
|
||||
+ res = (rng_quality_t*)factory->create_rng(factory, request);
|
||||
+ if (!expected)
|
||||
+ {
|
||||
+ ck_assert(!res);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ ck_assert(res);
|
||||
+ ck_assert_int_eq(*expected, *res);
|
||||
+ free(res);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+START_TEST(test_create_rng)
|
||||
+{
|
||||
+ crypto_factory_t *factory;
|
||||
+ int i;
|
||||
+
|
||||
+ factory = crypto_factory_create();
|
||||
+ for (i = 0; rng_data[_i].data[i].q; i++)
|
||||
+ {
|
||||
+ ck_assert(factory->add_rng(factory, *rng_data[_i].data[i].q, "test",
|
||||
+ rng_data[_i].data[i].create));
|
||||
+ }
|
||||
+ verify_rng(factory, RNG_WEAK, rng_data[_i].exp_weak);
|
||||
+ verify_rng(factory, RNG_STRONG, rng_data[_i].exp_strong);
|
||||
+ verify_rng(factory, RNG_TRUE, rng_data[_i].exp_true);
|
||||
+ for (i = 0; rng_data[_i].data[i].q; i++)
|
||||
+ {
|
||||
+ factory->remove_rng(factory, rng_data[_i].data[i].create);
|
||||
+ }
|
||||
+ factory->destroy(factory);
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
+static diffie_hellman_t *dh_create(char *plugin)
|
||||
+{
|
||||
+ return (diffie_hellman_t*)plugin;
|
||||
+}
|
||||
+
|
||||
+static diffie_hellman_t *dh_create_modp1024(diffie_hellman_group_t group, ...)
|
||||
+{
|
||||
+ ck_assert(group == MODP_1024_BIT);
|
||||
+ return dh_create("plugin1");
|
||||
+}
|
||||
+
|
||||
+static diffie_hellman_t *dh_create_modp1024_second(diffie_hellman_group_t group,
|
||||
+ ...)
|
||||
+{
|
||||
+ ck_assert(group == MODP_1024_BIT);
|
||||
+ return dh_create("plugin2");
|
||||
+}
|
||||
+
|
||||
+static diffie_hellman_t *dh_create_modp2048(diffie_hellman_group_t group, ...)
|
||||
+{
|
||||
+ ck_assert(group == MODP_2048_BIT);
|
||||
+ return dh_create("plugin1");
|
||||
+}
|
||||
+
|
||||
+static diffie_hellman_t *dh_create_modp2048_second(diffie_hellman_group_t group,
|
||||
+ ...)
|
||||
+{
|
||||
+ ck_assert(group == MODP_2048_BIT);
|
||||
+ return dh_create("plugin2");
|
||||
+}
|
||||
+
|
||||
+static struct {
|
||||
+ char *exp1024;
|
||||
+ char *exp2048;
|
||||
+ struct {
|
||||
+ diffie_hellman_group_t g;
|
||||
+ dh_constructor_t create;
|
||||
+ char *plugin;
|
||||
+ } data[4];
|
||||
+} dh_data[] = {
|
||||
+ { NULL, NULL, {
|
||||
+ { MODP_NONE, NULL, NULL }
|
||||
+ }},
|
||||
+ { "plugin1", NULL, {
|
||||
+ { MODP_1024_BIT, dh_create_modp1024, "plugin1" },
|
||||
+ { MODP_NONE, NULL, NULL }
|
||||
+ }},
|
||||
+ { "plugin1", NULL, {
|
||||
+ { MODP_1024_BIT, dh_create_modp1024, "plugin1" },
|
||||
+ { MODP_1024_BIT, dh_create_modp1024_second, "plugin2" },
|
||||
+ { MODP_NONE, NULL, NULL }
|
||||
+ }},
|
||||
+ { "plugin2", NULL, {
|
||||
+ { MODP_1024_BIT, dh_create_modp1024_second, "plugin2" },
|
||||
+ { MODP_1024_BIT, dh_create_modp1024, "plugin1" },
|
||||
+ { MODP_NONE, NULL, NULL }
|
||||
+ }},
|
||||
+ { "plugin1", "plugin1", {
|
||||
+ { MODP_1024_BIT, dh_create_modp1024, "plugin1" },
|
||||
+ { MODP_2048_BIT, dh_create_modp2048, "plugin1" },
|
||||
+ { MODP_NONE, NULL }
|
||||
+ }},
|
||||
+ { "plugin1", "plugin1", {
|
||||
+ { MODP_2048_BIT, dh_create_modp2048, "plugin1" },
|
||||
+ { MODP_1024_BIT, dh_create_modp1024, "plugin1" },
|
||||
+ { MODP_NONE, NULL }
|
||||
+ }},
|
||||
+ { "plugin1", "plugin1", {
|
||||
+ { MODP_2048_BIT, dh_create_modp2048, "plugin1" },
|
||||
+ { MODP_2048_BIT, dh_create_modp2048_second, "plugin2" },
|
||||
+ { MODP_1024_BIT, dh_create_modp1024, "plugin1" },
|
||||
+ { MODP_NONE, NULL }
|
||||
+ }},
|
||||
+ { "plugin1", "plugin2", {
|
||||
+ { MODP_2048_BIT, dh_create_modp2048_second, "plugin2" },
|
||||
+ { MODP_2048_BIT, dh_create_modp2048, "plugin1" },
|
||||
+ { MODP_1024_BIT, dh_create_modp1024, "plugin1" },
|
||||
+ { MODP_NONE, NULL }
|
||||
+ }},
|
||||
+};
|
||||
+
|
||||
+static void verify_dh(crypto_factory_t *factory, diffie_hellman_group_t request,
|
||||
+ char *expected)
|
||||
+{
|
||||
+ char *plugin;
|
||||
+
|
||||
+ plugin = (char*)factory->create_dh(factory, request);
|
||||
+ if (!expected)
|
||||
+ {
|
||||
+ ck_assert(!plugin);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ ck_assert(plugin);
|
||||
+ ck_assert_str_eq(expected, plugin);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+START_TEST(test_create_dh)
|
||||
+{
|
||||
+ enumerator_t *enumerator;
|
||||
+ crypto_factory_t *factory;
|
||||
+ diffie_hellman_group_t group;
|
||||
+ char *plugin;
|
||||
+ int i, len = 0;
|
||||
+
|
||||
+
|
||||
+ factory = crypto_factory_create();
|
||||
+ for (i = 0; dh_data[_i].data[i].g != MODP_NONE; i++)
|
||||
+ {
|
||||
+ ck_assert(factory->add_dh(factory, dh_data[_i].data[i].g,
|
||||
+ dh_data[_i].data[i].plugin,
|
||||
+ dh_data[_i].data[i].create));
|
||||
+ }
|
||||
+ verify_dh(factory, MODP_1024_BIT, dh_data[_i].exp1024);
|
||||
+ verify_dh(factory, MODP_2048_BIT, dh_data[_i].exp2048);
|
||||
+
|
||||
+ len = countof(dh_data[_i].data);
|
||||
+ enumerator = factory->create_dh_enumerator(factory);
|
||||
+ for (i = 0; enumerator->enumerate(enumerator, &group, &plugin) && i < len;)
|
||||
+ {
|
||||
+ ck_assert_int_eq(dh_data[_i].data[i].g, group);
|
||||
+ while (dh_data[_i].data[i].g == group)
|
||||
+ { /* skip other entries by the same group */
|
||||
+ i++;
|
||||
+ }
|
||||
+ switch (group)
|
||||
+ {
|
||||
+ case MODP_1024_BIT:
|
||||
+ ck_assert(dh_data[_i].exp1024);
|
||||
+ ck_assert_str_eq(dh_data[_i].exp1024, plugin);
|
||||
+ break;
|
||||
+ case MODP_2048_BIT:
|
||||
+ ck_assert(dh_data[_i].exp2048);
|
||||
+ ck_assert_str_eq(dh_data[_i].exp2048, plugin);
|
||||
+ break;
|
||||
+ default:
|
||||
+ fail("unexpected DH group");
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ ck_assert(!enumerator->enumerate(enumerator));
|
||||
+ ck_assert_int_eq(dh_data[_i].data[i].g, MODP_NONE);
|
||||
+ enumerator->destroy(enumerator);
|
||||
+
|
||||
+ for (i = 0; dh_data[_i].data[i].g != MODP_NONE; i++)
|
||||
+ {
|
||||
+ factory->remove_dh(factory, dh_data[_i].data[i].create);
|
||||
+ }
|
||||
+ factory->destroy(factory);
|
||||
+}
|
||||
+END_TEST
|
||||
+
|
||||
+Suite *crypto_factory_suite_create()
|
||||
+{
|
||||
+ Suite *s;
|
||||
+ TCase *tc;
|
||||
+
|
||||
+ s = suite_create("crypto-factory");
|
||||
+
|
||||
+ tc = tcase_create("create_rng");
|
||||
+ tcase_add_loop_test(tc, test_create_rng, 0, countof(rng_data));
|
||||
+ suite_add_tcase(s, tc);
|
||||
+
|
||||
+ tc = tcase_create("create_dh");
|
||||
+ tcase_add_loop_test(tc, test_create_dh, 0, countof(dh_data));
|
||||
+ suite_add_tcase(s, tc);
|
||||
+
|
||||
+ return s;
|
||||
+}
|
||||
diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h
|
||||
index 82a5137..ab0f642 100644
|
||||
--- a/src/libstrongswan/tests/tests.h
|
||||
+++ b/src/libstrongswan/tests/tests.h
|
||||
@@ -35,6 +35,7 @@ TEST_SUITE(host_suite_create)
|
||||
TEST_SUITE(printf_suite_create)
|
||||
TEST_SUITE(hasher_suite_create)
|
||||
TEST_SUITE(crypter_suite_create)
|
||||
+TEST_SUITE(crypto_factory_suite_create)
|
||||
TEST_SUITE(pen_suite_create)
|
||||
TEST_SUITE(asn1_suite_create)
|
||||
TEST_SUITE(asn1_parser_suite_create)
|
||||
--
|
||||
2.1.2
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:84e46d5ce801e1b874e2bfba8d21dbd78b432e23b7fb1f4f2d637359e7a183a8
|
||||
size 3807212
|
@ -1,14 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1.4.11 (GNU/Linux)
|
||||
|
||||
iQGcBAABAgAGBQJTS9jUAAoJEN9CwXCzTbp3E3cMAJuQv7IsG5XDNQB/Wcb66hLQ
|
||||
2DSZN2zXRI2Ku5ONXDqnzCzyGRO84SOsGVzX9AQTHactr29B0n9rZxSCKZrm+ZRX
|
||||
lMKu6UNsS+jSKhXkXfmDSilFnM7ap7tAlFUuH/7uz8LcG34643W5BOJH0oMq7Rx3
|
||||
WN/7/TbrYf1aE0s3C8tcJXc5OghkvAfsE0jBPWhwT7dwi5eczluPMyYYdGxg8zNP
|
||||
LdBdoHTfnFRnMcL18SGwUYl09hj2YkZMoo+2Qt4I6WNy3yIINRIQluPSl2f91HHG
|
||||
VXyzGLpC3W63WYxXhPmjdmkpaT9+kulF6WVhgt3i6VMOv6nSNitHs5/X0W6N5xuX
|
||||
BhPmJRFmT0Oej3MJVxSKqUy89Ny3DyRmai5bERAFe+FOt9HN1UWqpK+qYFI+YQw/
|
||||
dMS9kviW2UhSq4BM9F9F+QrL66Bz0gc5+jXolm971FII62cV4i6n9U6veGPY9qkg
|
||||
+Jcn6XpKOe2JXLsIeIMQgc0GitIaEHq/zdST/pn2Gw==
|
||||
=NZ/K
|
||||
-----END PGP SIGNATURE-----
|
3
strongswan-5.2.2.tar.bz2
Normal file
3
strongswan-5.2.2.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:cf2fbfdf200a5eced796f00dc11fea67ce477d38c54d5f073ac6c51618b172f4
|
||||
size 4169095
|
14
strongswan-5.2.2.tar.bz2.sig
Normal file
14
strongswan-5.2.2.tar.bz2.sig
Normal file
@ -0,0 +1,14 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1
|
||||
|
||||
iQGcBAABAgAGBQJUn/PYAAoJEN9CwXCzTbp3+PML/2IJQEI240BwPOpXEGrJ0jnR
|
||||
Mmq7qXD3QLnUtpyX2/dXVV6X6PzdXiCubOj9m59VNSD6Qsr5W3d44rg90Vf9VxX6
|
||||
5nwAWP9fWl1L8xKtC93dyPAe8eet9tMqIf6QY5LYCmKRXi9aotoARiyEjKRUsWdy
|
||||
O+nDS43PrwjcgHcV+dVbpA1FyFSwoX2zoDu0d1MMzOb+b8np9+2SdtsNVKaIqW5c
|
||||
39PphkQgpqBqM1nkO0LUydsdCpE+/Xq4yNP77eSio7b6b2eyAjD9gBlNsE4FHoU0
|
||||
gyDKgdcOIPYmS8VD2J4efxQDjGpj6VV4wvXAo9tE7x/joIFT+Eg9LsD42l7yReaY
|
||||
G/G87HVgA0DH67lBjoMfkhZcHCSTofM4cm7eOC7s48PF4HvnAM1L5bH7UzoehV9c
|
||||
YvIUO/Q+7on6nvnW4AYUVXc/fAq7IUB6hYYCX6CHsb1U7gkEa7NseLwcoLmbMIfB
|
||||
QaziGo6KHG4XFTdlu1LrQBip8NdJZh7v7fYJd/sFjA==
|
||||
=bacU
|
||||
-----END PGP SIGNATURE-----
|
@ -1,3 +1,102 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 5 14:38:46 UTC 2015 - mt@suse.de
|
||||
|
||||
- Updated to strongSwan 5.2.2 providing the following changes:
|
||||
Changes in version 5.2.2:
|
||||
* Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange
|
||||
payload that contains the Diffie-Hellman group 1025. This identifier was
|
||||
used internally for DH groups with custom generator and prime. Because
|
||||
these arguments are missing when creating DH objects based on the KE
|
||||
payload an invalid pointer dereference occurred. This allowed an attacker
|
||||
to crash the IKE daemon with a single IKE_SA_INIT message containing such
|
||||
a KE payload. The vulnerability has been registered as CVE-2014-9221.
|
||||
* The left/rightid options in ipsec.conf, or any other identity in
|
||||
strongSwan, now accept prefixes to enforce an explicit type, such as
|
||||
email: or fqdn:. Note that no conversion is done for the remaining string,
|
||||
refer to ipsec.conf(5) for details.
|
||||
* The post-quantum Bimodal Lattice Signature Scheme (BLISS) can be used as
|
||||
an IKEv2 public key authentication method. The pki tool offers full
|
||||
support for the generation of BLISS key pairs and certificates.
|
||||
* Fixed mapping of integrity algorithms negotiated for AH via IKEv1.
|
||||
This could cause interoperability issues when connecting to older versions
|
||||
of charon.
|
||||
Changes in version 5.2.1:
|
||||
* The new charon-systemd IKE daemon implements an IKE daemon tailored for
|
||||
use with systemd. It avoids the dependency on ipsec starter and uses
|
||||
swanctl as configuration backend, building a simple and lightweight
|
||||
solution. It supports native systemd journal logging.
|
||||
* Support for IKEv2 fragmentation as per RFC 7383 has been added. Like IKEv1
|
||||
fragmentation it can be enabled by setting fragmentation=yes in ipsec.conf.
|
||||
* Support of the TCG TNC IF-M Attribute Segmentation specification proposal.
|
||||
All attributes can be segmented. Additionally TCG/SWID Tag, TCG/SWID Tag ID
|
||||
and IETF/Installed Packages attributes can be processed incrementally on a
|
||||
per segment basis.
|
||||
* The new ext-auth plugin calls an external script to implement custom IKE_SA
|
||||
authorization logic, courtesy of Vyronas Tsingaras.
|
||||
* For the vici plugin a ruby gem has been added to allow ruby applications to
|
||||
control or monitor the IKE daemon. The vici documentation has been updated
|
||||
to include a description of the available operations and some simple
|
||||
examples using both the libvici C interface and the ruby gem.
|
||||
Changes in version 5.2.0:
|
||||
* strongSwan has been ported to the Windows platform. Using a MinGW toolchain,
|
||||
many parts of the strongSwan codebase run natively on Windows 7 / 2008 R2
|
||||
and newer releases. charon-svc implements a Windows IKE service based on
|
||||
libcharon, the kernel-iph and kernel-wfp plugins act as networking and IPsec
|
||||
backend on the Windows platform. socket-win provides a native IKE socket
|
||||
implementation, while winhttp fetches CRL and OCSP information using the
|
||||
WinHTTP API.
|
||||
* The new vici plugin provides a Versatile IKE Configuration Interface for
|
||||
charon. Using the stable IPC interface, external applications can configure,
|
||||
control and monitor the IKE daemon. Instead of scripting the ipsec tool
|
||||
and generating ipsec.conf, third party applications can use the new interface
|
||||
for more control and better reliability.
|
||||
* Built upon the libvici client library, swanctl implements the first user of
|
||||
the VICI interface. Together with a swanctl.conf configuration file,
|
||||
connections can be defined, loaded and managed. swanctl provides a portable,
|
||||
complete IKE configuration and control interface for the command line.
|
||||
The first six swanctl example scenarios have been added.
|
||||
* The SWID IMV implements a JSON-based REST API which allows the exchange
|
||||
of SWID tags and Software IDs with the strongTNC policy manager.
|
||||
* The SWID IMC can extract all installed packages from the dpkg (Debian,
|
||||
Ubuntu, Linux Mint etc.), rpm (Fedora, RedHat, OpenSUSE, etc.), or
|
||||
pacman (Arch Linux, Manjaro, etc.) package managers, respectively, using
|
||||
the swidGenerator (https://github.com/strongswan/swidGenerator) which
|
||||
generates SWID tags according to the new ISO/IEC 19770-2:2014 standard.
|
||||
* All IMVs now share the access requestor ID, device ID and product info
|
||||
of an access requestor via a common imv_session object.
|
||||
* The Attestation IMC/IMV pair supports the IMA-NG measurement format
|
||||
introduced with the Linux 3.13 kernel.
|
||||
* The aikgen tool generates an Attestation Identity Key bound to a TPM.
|
||||
* Implemented the PT-EAP transport protocol (RFC 7171) for Trusted Network
|
||||
Connect.
|
||||
* The ipsec.conf replay_window option defines connection specific IPsec
|
||||
replay windows. Original patch courtesy of Zheng Zhong and Christophe
|
||||
Gouault from 6Wind.
|
||||
- Adjusted file lists and removed obsolete patches
|
||||
[- 0005-restore-registration-algorithm-order.bug897512.patch,
|
||||
- 0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch]
|
||||
- Adopted/Merged fipscheck patches
|
||||
[* strongswan_fipscheck.patch, strongswan_fipsfilter.patch]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Dec 17 10:15:23 UTC 2014 - mt@suse.de
|
||||
|
||||
- Disallow brainpool elliptic curve groups in fips mode (bnc#856322).
|
||||
[* strongswan_fipsfilter.patch]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Dec 11 10:21:01 UTC 2014 - mt@suse.de
|
||||
|
||||
- Applied an upstream fix for a denial-of-service vulnerability,
|
||||
which can be triggered by an IKEv2 Key Exchange payload, that
|
||||
contains the Diffie-Hellman group 1025 (bsc#910491,CVE-2014-9221).
|
||||
[+ 0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch]
|
||||
- Adjusted whilelist of approved algorithms in fips mode (bsc#856322).
|
||||
[* strongswan_fipsfilter.patch]
|
||||
- Renamed patch file to match it's patch number:
|
||||
[- 0001-restore-registration-algorithm-order.bug897512.patch,
|
||||
+ 0005-restore-registration-algorithm-order.bug897512.patch]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 25 11:22:06 UTC 2014 - mt@suse.de
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package strongswan
|
||||
#
|
||||
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
Name: strongswan
|
||||
Version: 5.1.3
|
||||
Version: 5.2.2
|
||||
Release: 0
|
||||
%define upstream_version %{version}
|
||||
%define strongswan_docdir %{_docdir}/%{name}
|
||||
@ -82,7 +82,6 @@ Patch2: %{name}_ipsec_service.patch
|
||||
Patch3: %{name}_fipscheck.patch
|
||||
Patch4: %{name}_fipsfilter.patch
|
||||
%endif
|
||||
Patch5: 0001-restore-registration-algorithm-order.bug897512.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
BuildRequires: bison
|
||||
BuildRequires: curl-devel
|
||||
@ -293,7 +292,6 @@ and the load testing plugin for IKEv2 daemon.
|
||||
%patch3 -p0
|
||||
%patch4 -p1
|
||||
%endif
|
||||
%patch5 -p1
|
||||
sed -e 's|@libexecdir@|%_libexecdir|g' \
|
||||
< $RPM_SOURCE_DIR/strongswan.init.in \
|
||||
> strongswan.init
|
||||
@ -643,10 +641,11 @@ fi
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pool.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/scepclient.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/starter.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/tnc.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/tools.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
|
||||
%if %{with afalg}
|
||||
@ -949,10 +948,11 @@ fi
|
||||
%{strongswan_templates}/config/strongswan.d/charon-logging.conf
|
||||
%{strongswan_templates}/config/strongswan.d/charon.conf
|
||||
%{strongswan_templates}/config/strongswan.d/imcv.conf
|
||||
%{strongswan_templates}/config/strongswan.d/pki.conf
|
||||
%{strongswan_templates}/config/strongswan.d/pool.conf
|
||||
%{strongswan_templates}/config/strongswan.d/scepclient.conf
|
||||
%{strongswan_templates}/config/strongswan.d/starter.conf
|
||||
%{strongswan_templates}/config/strongswan.d/tnc.conf
|
||||
%{strongswan_templates}/config/strongswan.d/tools.conf
|
||||
%{strongswan_templates}/database/imv/data.sql
|
||||
%{strongswan_templates}/database/imv/tables.sql
|
||||
|
||||
@ -982,6 +982,7 @@ fi
|
||||
%dir %{strongswan_templates}/database
|
||||
%dir %{strongswan_templates}/database/sql
|
||||
%{strongswan_templates}/config/plugins/mysql.conf
|
||||
%{strongswan_templates}/database/imv/tables-mysql.sql
|
||||
%{strongswan_templates}/database/sql/mysql.sql
|
||||
%endif
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
--- src/ipsec/_ipsec.in
|
||||
+++ src/ipsec/_ipsec.in 2014/11/07 11:28:25
|
||||
@@ -44,6 +44,26 @@ export IPSEC_DIR IPSEC_BINDIR IPSEC_SBIN
|
||||
+++ src/ipsec/_ipsec.in
|
||||
@@ -44,6 +44,26 @@ export IPSEC_DIR IPSEC_BINDIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_SCR
|
||||
|
||||
IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"
|
||||
|
||||
@ -26,8 +26,8 @@
|
||||
+
|
||||
case "$1" in
|
||||
'')
|
||||
echo "Usage: $IPSEC_SCRIPT command argument ..."
|
||||
@@ -166,6 +186,7 @@ rereadall|purgeocsp|listcounters|resetco
|
||||
echo "$IPSEC_SCRIPT command [arguments]"
|
||||
@@ -155,6 +175,7 @@ rereadall|purgeocsp|listcounters|resetcounters)
|
||||
shift
|
||||
if [ -e $IPSEC_CHARON_PID ]
|
||||
then
|
||||
@ -35,7 +35,7 @@
|
||||
$IPSEC_STROKE "$op" "$@"
|
||||
rc="$?"
|
||||
fi
|
||||
@@ -175,6 +196,7 @@ purgeike|purgecrls|purgecerts)
|
||||
@@ -164,6 +185,7 @@ purgeike|purgecrls|purgecerts)
|
||||
rc=7
|
||||
if [ -e $IPSEC_CHARON_PID ]
|
||||
then
|
||||
@ -43,7 +43,7 @@
|
||||
$IPSEC_STROKE "$1"
|
||||
rc="$?"
|
||||
fi
|
||||
@@ -208,6 +230,7 @@ route|unroute)
|
||||
@@ -197,6 +219,7 @@ route|unroute)
|
||||
fi
|
||||
if [ -e $IPSEC_CHARON_PID ]
|
||||
then
|
||||
@ -51,7 +51,7 @@
|
||||
$IPSEC_STROKE "$op" "$1"
|
||||
rc="$?"
|
||||
fi
|
||||
@@ -217,6 +240,7 @@ secrets)
|
||||
@@ -206,6 +229,7 @@ secrets)
|
||||
rc=7
|
||||
if [ -e $IPSEC_CHARON_PID ]
|
||||
then
|
||||
@ -59,7 +59,7 @@
|
||||
$IPSEC_STROKE rereadsecrets
|
||||
rc="$?"
|
||||
fi
|
||||
@@ -224,6 +248,7 @@ secrets)
|
||||
@@ -213,6 +237,7 @@ secrets)
|
||||
;;
|
||||
start)
|
||||
shift
|
||||
@ -67,7 +67,7 @@
|
||||
if [ -d /var/lock/subsys ]; then
|
||||
touch /var/lock/subsys/ipsec
|
||||
fi
|
||||
@@ -297,6 +322,7 @@ up)
|
||||
@@ -286,6 +311,7 @@ up)
|
||||
rc=7
|
||||
if [ -e $IPSEC_CHARON_PID ]
|
||||
then
|
||||
@ -75,7 +75,7 @@
|
||||
$IPSEC_STROKE up "$1"
|
||||
rc="$?"
|
||||
fi
|
||||
@@ -332,6 +358,11 @@ esac
|
||||
@@ -325,6 +351,11 @@ esac
|
||||
cmd="$1"
|
||||
shift
|
||||
|
||||
|
@ -1,5 +1,12 @@
|
||||
From 8f3f1bd6907df8221a93c849ed4b43474444e13b Mon Sep 17 00:00:00 2001
|
||||
From: Marius Tomaschewski <mt@suse.de>
|
||||
Date: Mon, 5 Jan 2015 14:57:39 +0100
|
||||
Subject: [PATCH] strongswan: filter algorithms for fips mode
|
||||
|
||||
References: fate#316931,bnc#856322
|
||||
|
||||
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
|
||||
index 2ecdb4f..85767ab 100644
|
||||
index e59dcd9..f07f4a2 100644
|
||||
--- a/src/libcharon/config/proposal.c
|
||||
+++ b/src/libcharon/config/proposal.c
|
||||
@@ -26,6 +26,11 @@
|
||||
@ -14,7 +21,7 @@ index 2ecdb4f..85767ab 100644
|
||||
|
||||
ENUM(protocol_id_names, PROTO_NONE, PROTO_IPCOMP,
|
||||
"PROTO_NONE",
|
||||
@@ -185,6 +190,130 @@ METHOD(proposal_t, strip_dh, void,
|
||||
@@ -185,6 +190,122 @@ METHOD(proposal_t, strip_dh, void,
|
||||
enumerator->destroy(enumerator);
|
||||
}
|
||||
|
||||
@ -104,24 +111,16 @@ index 2ecdb4f..85767ab 100644
|
||||
+ case DIFFIE_HELLMAN_GROUP:
|
||||
+ switch (alg)
|
||||
+ {
|
||||
+ case MODP_1024_BIT:
|
||||
+ case MODP_1536_BIT:
|
||||
+ case MODP_2048_BIT:
|
||||
+ case MODP_3072_BIT:
|
||||
+ case MODP_4096_BIT:
|
||||
+ case MODP_8192_BIT:
|
||||
+ case MODP_1024_160:
|
||||
+ case MODP_2048_224:
|
||||
+ case MODP_2048_256:
|
||||
+ case ECP_192_BIT:
|
||||
+ case ECP_224_BIT:
|
||||
+ case ECP_256_BIT:
|
||||
+ case ECP_384_BIT:
|
||||
+ case ECP_521_BIT:
|
||||
+ case ECP_224_BP:
|
||||
+ case ECP_256_BP:
|
||||
+ case ECP_384_BP:
|
||||
+ case ECP_512_BP:
|
||||
+ return TRUE;
|
||||
+ default:
|
||||
+ break;
|
||||
@ -145,7 +144,7 @@ index 2ecdb4f..85767ab 100644
|
||||
/**
|
||||
* Select a matching proposal from this and other, insert into selected.
|
||||
*/
|
||||
@@ -500,6 +629,11 @@ static bool add_string_algo(private_proposal_t *this, const char *alg)
|
||||
@@ -502,6 +623,11 @@ static bool add_string_algo(private_proposal_t *this, const char *alg)
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
@ -157,63 +156,69 @@ index 2ecdb4f..85767ab 100644
|
||||
add_algorithm(this, token->type, token->algorithm, token->keysize);
|
||||
|
||||
return TRUE;
|
||||
@@ -639,6 +773,8 @@ static void proposal_add_supported_ike(private_proposal_t *this)
|
||||
enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
|
||||
while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
|
||||
{
|
||||
+ if (!fips_filter(PROTO_IKE, ENCRYPTION_ALGORITHM, encryption))
|
||||
+ continue;
|
||||
switch (encryption)
|
||||
@@ -643,6 +769,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
|
||||
enumerator = lib->crypto->create_aead_enumerator(lib->crypto);
|
||||
while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
|
||||
{
|
||||
case ENCR_AES_CBC:
|
||||
@@ -665,6 +801,9 @@ static void proposal_add_supported_ike(private_proposal_t *this)
|
||||
enumerator = lib->crypto->create_aead_enumerator(lib->crypto);
|
||||
while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
|
||||
{
|
||||
+ if (!fips_filter(PROTO_IKE, ENCRYPTION_ALGORITHM, encryption))
|
||||
+ continue;
|
||||
+ if (!fips_filter(PROTO_IKE, ENCRYPTION_ALGORITHM, encryption))
|
||||
+ continue;
|
||||
+
|
||||
switch (encryption)
|
||||
switch (encryption)
|
||||
{
|
||||
case ENCR_AES_CCM_ICV8:
|
||||
@@ -675,6 +804,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
|
||||
enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
|
||||
while (enumerator->enumerate(enumerator, &encryption, &plugin_name))
|
||||
{
|
||||
case ENCR_AES_CCM_ICV8:
|
||||
@@ -690,6 +829,8 @@ static void proposal_add_supported_ike(private_proposal_t *this)
|
||||
enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
|
||||
while (enumerator->enumerate(enumerator, &integrity, &plugin_name))
|
||||
{
|
||||
+ if (!fips_filter(PROTO_IKE, INTEGRITY_ALGORITHM, integrity))
|
||||
+ continue;
|
||||
switch (integrity)
|
||||
+ if (!fips_filter(PROTO_IKE, ENCRYPTION_ALGORITHM, encryption))
|
||||
+ continue;
|
||||
+
|
||||
switch (encryption)
|
||||
{
|
||||
case ENCR_AES_CBC:
|
||||
@@ -706,6 +838,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
|
||||
enumerator = lib->crypto->create_signer_enumerator(lib->crypto);
|
||||
while (enumerator->enumerate(enumerator, &integrity, &plugin_name))
|
||||
{
|
||||
case AUTH_HMAC_SHA1_96:
|
||||
@@ -710,6 +851,8 @@ static void proposal_add_supported_ike(private_proposal_t *this)
|
||||
+ if (!fips_filter(PROTO_IKE, INTEGRITY_ALGORITHM, integrity))
|
||||
+ continue;
|
||||
+
|
||||
switch (integrity)
|
||||
{
|
||||
case AUTH_HMAC_SHA1_96:
|
||||
@@ -727,6 +862,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
|
||||
enumerator = lib->crypto->create_prf_enumerator(lib->crypto);
|
||||
while (enumerator->enumerate(enumerator, &prf, &plugin_name))
|
||||
{
|
||||
+ if (!fips_filter(PROTO_IKE, PSEUDO_RANDOM_FUNCTION, prf))
|
||||
+ continue;
|
||||
+
|
||||
switch (prf)
|
||||
{
|
||||
case PRF_HMAC_SHA1:
|
||||
@@ -730,6 +873,8 @@ static void proposal_add_supported_ike(private_proposal_t *this)
|
||||
@@ -747,6 +885,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
|
||||
enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
|
||||
while (enumerator->enumerate(enumerator, &group, &plugin_name))
|
||||
{
|
||||
+ if (!fips_filter(PROTO_IKE, DIFFIE_HELLMAN_GROUP, group))
|
||||
+ continue;
|
||||
+
|
||||
switch (group)
|
||||
{
|
||||
case MODP_NULL:
|
||||
@@ -776,31 +921,35 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
|
||||
@@ -795,6 +936,10 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
|
||||
{
|
||||
private_proposal_t *this = (private_proposal_t*)proposal_create(protocol, 0);
|
||||
|
||||
+#define fips_add_algorithm(this, type, alg, len) \
|
||||
+ if (fips_filter(this->protocol, type, alg)) \
|
||||
+ add_algorithm(this, type, alg, len);
|
||||
+
|
||||
switch (protocol)
|
||||
{
|
||||
case PROTO_IKE:
|
||||
proposal_add_supported_ike(this);
|
||||
@@ -805,25 +950,28 @@ proposal_t *proposal_create_default(protocol_id_t protocol)
|
||||
}
|
||||
break;
|
||||
case PROTO_ESP:
|
||||
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
|
||||
@ -248,7 +253,12 @@ index 2ecdb4f..85767ab 100644
|
||||
default:
|
||||
break;
|
||||
}
|
||||
+
|
||||
+#undef fips_add_algorithm
|
||||
+
|
||||
return &this->public;
|
||||
}
|
||||
|
||||
--
|
||||
2.2.1
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user