forked from pool/strongswan
062c69a06d
- Updated to strongSwan 5.6.0 providing the following changes:
*Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation
when verifying RSA signatures, which requires decryption with the operation m^e mod n,
where m is the signature, and e and n are the exponent and modulus of the public key.
The value m is an integer between 0 and n-1, however, the gmp plugin did not verify this.
So if m equals n the calculation results in 0, in which case mpz_export() returns NULL.
This result wasn't handled properly causing a null-pointer dereference.
This vulnerability has been registered as CVE-2017-11185. (bsc#1051222)
*New SWIMA IMC/IMV pair implements the draft-ietf-sacm-nea-swima-patnc Internet
Draft and has been demonstrated at the IETF 99 Prague Hackathon.
*The IMV database template has been adapted to achieve full compliance with the
ISO 19770-2:2015 SWID tag standard.
*The pt-tls-client can attach and use TPM 2.0 protected private keys via the --keyid parameter.
*By default the /etc/swanctl/conf.d directory is created and *.conf files in it are included in the default
swanctl.conf file.
*The curl plugin now follows HTTP redirects (configurable via strongswan.conf).
*The CHILD_SA rekeying was fixed in charon-tkm and the behavior is refined a bit more since 5.5.3
*libtpmtss supports Intel's TSS2 Architecture Broker and Resource Manager interface (tcti-tabrmd).
* more on https://wiki.strongswan.org/versions/66
OBS-URL: https://build.opensuse.org/request/show/521273
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=104
|
||
|---|---|---|
| .gitattributes | ||
| .gitignore | ||
| 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch | ||
| 0006-fix-compilation-error-by-adding-stdint.h.patch | ||
| fips-enforce.conf | ||
| fipscheck.sh.in | ||
| README.SUSE | ||
| strongswan_fipscheck.patch | ||
| strongswan_fipsfilter.patch | ||
| strongswan_ipsec_service.patch | ||
| strongswan_modprobe_syslog.patch | ||
| strongswan-5.6.0-rpmlintrc | ||
| strongswan-5.6.0.tar.bz2 | ||
| strongswan-5.6.0.tar.bz2.sig | ||
| strongswan.changes | ||
| strongswan.init.in | ||
| strongswan.keyring | ||
| strongswan.spec | ||
Dear Customer, please note, that the strongswan release 4.5 changes the keyexchange mode to IKEv2 as default -- from strongswan-4.5.0/NEWS: "[...] IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5 from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively come for IKEv1 to go into retirement and to cede its place to the much more robust, powerful and versatile IKEv2 protocol! [...]" This requires adoption of either the "conn %default" or all other IKEv1 "conn" sections in the /etc/ipsec.conf to use explicit: keyexchange=ikev1 The charon daemon in strongswan 5.x versions supports IKEv1 and IKEv2, thus a separate pluto IKEv1 daemon is not needed / not shipped any more. The strongswan package does not provide any files except of this README, but triggers the installation of the charon daemon and the "traditional" strongswan-ipsec package providing the "ipsec" script and service. The ipsec.service is an alias link to the "strongswan.service" systemd service unit and created by "systemctl enable strongswan.service". There is a new strongswan-nm package with a NetworkManager specific charon-nm binary controlling the charon daemon through D-Bus and designed to work using the NetworkManager-strongswan graphical user interface. It does not depend on the traditional starter scripts, but on the IKEv2 charon daemon and plugins only. The stongswan-hmac package provides the fips hmac hash files, a _fipscheck script and a /etc/strongswan.d/charon/zzz_fips-enforce.conf config file, which disables all non-openssl algorithm implementations. When fips operation mode is enabled in the kernel using the fips=1 boot parameter, the strongswan fips checks are executed in front of any start action of the "ipsec" script provided by the "strongswan-ipsec" package and a verification problem causes a failure as required by fips-140-2. Further, it is not required to enable the fips_mode in the openssl plugin (/etc/strongswan.d/charon/openssl.conf); the kernel entablement enables it automatically as needed. The "ipsec _fipscheck" command allows to execute the fips checks manually without a check if fips is enabled (/proc/sys/crypto/fips_enabled is 1), e.g. for testing purposes. Have a lot of fun...