SHA256
1
0
forked from pool/strongswan
Go to file
Jan Engelhardt 29d549ad98 Accepting request 800173 from home:iznogood:branches:network:vpn
- Update to version 5.8.4:
  * In IKEv1 Quick Mode make sure that a proposal exists before
    determining lifetimes (fixes a crash due to a null-pointer
    dereference in 5.8.3).
  * OpenSSL currently doesn't support squeezing bytes out of a
    SHAKE128/256 XOF (support was added with 5.8.3) multiple times.
    Unfortunately, EVP_DigestFinalXOF() completely resets the
    context and later calls not simply fail, they cause a
    null-pointer dereference in libcrypto. c5c1898d73 fixes the
    crash at the cost of repeating initializing the whole state and
    allocating too much data for subsequent calls (hopefully, once
    the OpenSSL issue 7894 is resolved we can implement this more
    efficiently).
  * On 32-bit platforms, reading arbitrary 32-bit integers from
    config files (e.g. for charon.spi_min/max) has been fixed.
  * charon-nm now allows using fixed source ports.
- Changes from version 5.8.3:
  * Updates for the NM plugin (and backend, which has to be updated
    to be compatible):
    + EAP-TLS authentication (#2097)
    + Certificate source (file, agent, smartcard) is selectable
      independently
    + Add support to configure local and remote identities (#2581)
    + Support configuring a custom server port (#625)
    + Show hint regarding password storage policy
    + Replaced the term "gateway" with "server"
    + Fixes build issues due to use of deprecated GLib
      macros/functions
    + Updated Glade file to GTK 3.2
  * The NM backend now supports reauthentication and redirection.
  * Previously used reqids are now reallocated, which works around
    an issue on FreeBSD where the kernel doesn't allow the daemon
    to use reqids > 16383 (#2315).
  * On Linux, throw type routes are installed in table 220 for
    passthrough policies. The kernel will then fall back on routes
    in routing tables with lower priorities for matching traffic.
    This way, they require less information (e.g. no interface or
    source IP) and can be installed earlier and are not affected by
    updates.
  * For IKEv1, the lifetimes of the actually selected transform are
    returned to the initiator, which is an issue if the peer uses
    different lifetimes for different transforms (#3329). We now
    also return the correct transform and proposal IDs (proposal ID
    was always 0, transform ID 1). IKE_SAs are now not
    re-established anymore (e.g. after several retransmits) if a
    deletion has been queued (#3335).
  * Added support for Ed448 keys and certificates via openssl
    plugin and pki tool.
  * Added support for SHA-3 and SHAKE128/256 in the openssl plugin.
  * The use of algorithm IDs from the private use range can now be
    enabled globally, to use them even if no strongSwan vendor ID
    was exchanged (05e373aeb0).
  * Fixed a compiler issue that may have caused invalid keyUsage
    extensions in certificates (#3249).
  * A lot of spelling fixes.
  * Fixed several reported issues.
- Drop 0006-Resolve-multiple-definition-of-swanctl_dir.patch: Fixed
  upstream.

OBS-URL: https://build.opensuse.org/request/show/800173
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=122
2020-05-04 22:37:00 +00:00
.gitattributes OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=1 2007-12-13 03:49:24 +00:00
.gitignore OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=1 2007-12-13 03:49:24 +00:00
0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch Accepting request 513652 from home:ndas:branches:network:vpn 2017-08-01 07:21:05 +00:00
fips-enforce.conf - Added generation of fips hmac hash files using fipshmac utility 2014-11-21 12:01:59 +00:00
fipscheck.sh.in - Added generation of fips hmac hash files using fipshmac utility 2014-11-21 12:01:59 +00:00
README.SUSE - Added generation of fips hmac hash files using fipshmac utility 2014-11-21 12:01:59 +00:00
strongswan_fipscheck.patch Accepting request 513652 from home:ndas:branches:network:vpn 2017-08-01 07:21:05 +00:00
strongswan_ipsec_service.patch osc copypac from project:openSUSE:Factory package:strongswan revision:70 2020-01-30 15:50:32 +00:00
strongswan-5.8.4.tar.bz2 Accepting request 800173 from home:iznogood:branches:network:vpn 2020-05-04 22:37:00 +00:00
strongswan-5.8.4.tar.bz2.sig Accepting request 800173 from home:iznogood:branches:network:vpn 2020-05-04 22:37:00 +00:00
strongswan-rpmlintrc osc copypac from project:openSUSE:Factory package:strongswan revision:70 2020-01-30 15:50:32 +00:00
strongswan.changes Accepting request 800173 from home:iznogood:branches:network:vpn 2020-05-04 22:37:00 +00:00
strongswan.init.in - Fixed rpmlint runlevel & fsf warnings, updated rpmlintrc 2012-02-15 13:48:10 +00:00
strongswan.keyring Accepting request 143934 from home:sbrabec:gpg-offline-verify 2012-12-04 10:25:06 +00:00
strongswan.spec Accepting request 800173 from home:iznogood:branches:network:vpn 2020-05-04 22:37:00 +00:00

Dear Customer,

please note, that the strongswan release 4.5 changes the keyexchange mode
to IKEv2 as default -- from strongswan-4.5.0/NEWS:
"[...]
IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
come for IKEv1 to go into retirement and to cede its place to the much more
robust, powerful and versatile IKEv2 protocol!
[...]"

This requires adoption of either the "conn %default" or all other IKEv1
"conn" sections in the /etc/ipsec.conf to use explicit:

	keyexchange=ikev1

The charon daemon in strongswan 5.x versions supports IKEv1 and IKEv2,
thus a separate pluto IKEv1 daemon is not needed / not shipped any more.


The strongswan package does not provide any files except of this README,
but triggers the installation of the charon daemon and the "traditional"
strongswan-ipsec package providing the "ipsec" script and service.
The ipsec.service is an alias link to the "strongswan.service" systemd
service unit and created by "systemctl enable strongswan.service".


There is a new strongswan-nm package with a NetworkManager specific charon-nm
binary controlling the charon daemon through D-Bus and designed to work using
the NetworkManager-strongswan graphical user interface.
It does not depend on the traditional starter scripts, but on the IKEv2
charon daemon and plugins only. 


The stongswan-hmac package provides the fips hmac hash files, a _fipscheck
script and a /etc/strongswan.d/charon/zzz_fips-enforce.conf config file,
which disables all non-openssl algorithm implementations.

When fips operation mode is enabled in the kernel using the fips=1 boot
parameter, the strongswan fips checks are executed in front of any start
action of the "ipsec" script provided by the "strongswan-ipsec" package
and a verification problem causes a failure as required by fips-140-2.
Further, it is not required to enable the fips_mode in the openssl plugin
(/etc/strongswan.d/charon/openssl.conf); the kernel entablement enables
it automatically as needed.

The "ipsec _fipscheck" command allows to execute the fips checks manually
without a check if fips is enabled (/proc/sys/crypto/fips_enabled is 1),
e.g. for testing purposes.


Have a lot of fun...