Hello community, here is the log from the commit of package strongswan for openSUSE:Factory checked in at 2015-02-27 10:59:38 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/strongswan (Old) and /work/SRC/openSUSE:Factory/.strongswan.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "strongswan" Changes: -------- --- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes 2014-11-26 10:33:58.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes 2015-02-27 11:00:10.000000000 +0100 @@ -1,0 +2,99 @@ +Mon Jan 5 14:38:46 UTC 2015 - mt@suse.de + +- Updated to strongSwan 5.2.2 providing the following changes: + Changes in version 5.2.2: + * Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange + payload that contains the Diffie-Hellman group 1025. This identifier was + used internally for DH groups with custom generator and prime. Because + these arguments are missing when creating DH objects based on the KE + payload an invalid pointer dereference occurred. This allowed an attacker + to crash the IKE daemon with a single IKE_SA_INIT message containing such + a KE payload. The vulnerability has been registered as CVE-2014-9221. + * The left/rightid options in ipsec.conf, or any other identity in + strongSwan, now accept prefixes to enforce an explicit type, such as + email: or fqdn:. Note that no conversion is done for the remaining string, + refer to ipsec.conf(5) for details. + * The post-quantum Bimodal Lattice Signature Scheme (BLISS) can be used as + an IKEv2 public key authentication method. The pki tool offers full + support for the generation of BLISS key pairs and certificates. + * Fixed mapping of integrity algorithms negotiated for AH via IKEv1. + This could cause interoperability issues when connecting to older versions + of charon. + Changes in version 5.2.1: + * The new charon-systemd IKE daemon implements an IKE daemon tailored for + use with systemd. It avoids the dependency on ipsec starter and uses + swanctl as configuration backend, building a simple and lightweight + solution. It supports native systemd journal logging. + * Support for IKEv2 fragmentation as per RFC 7383 has been added. Like IKEv1 + fragmentation it can be enabled by setting fragmentation=yes in ipsec.conf. + * Support of the TCG TNC IF-M Attribute Segmentation specification proposal. + All attributes can be segmented. Additionally TCG/SWID Tag, TCG/SWID Tag ID + and IETF/Installed Packages attributes can be processed incrementally on a + per segment basis. + * The new ext-auth plugin calls an external script to implement custom IKE_SA + authorization logic, courtesy of Vyronas Tsingaras. + * For the vici plugin a ruby gem has been added to allow ruby applications to + control or monitor the IKE daemon. The vici documentation has been updated + to include a description of the available operations and some simple + examples using both the libvici C interface and the ruby gem. + Changes in version 5.2.0: + * strongSwan has been ported to the Windows platform. Using a MinGW toolchain, + many parts of the strongSwan codebase run natively on Windows 7 / 2008 R2 + and newer releases. charon-svc implements a Windows IKE service based on + libcharon, the kernel-iph and kernel-wfp plugins act as networking and IPsec + backend on the Windows platform. socket-win provides a native IKE socket + implementation, while winhttp fetches CRL and OCSP information using the + WinHTTP API. + * The new vici plugin provides a Versatile IKE Configuration Interface for + charon. Using the stable IPC interface, external applications can configure, + control and monitor the IKE daemon. Instead of scripting the ipsec tool + and generating ipsec.conf, third party applications can use the new interface + for more control and better reliability. + * Built upon the libvici client library, swanctl implements the first user of + the VICI interface. Together with a swanctl.conf configuration file, + connections can be defined, loaded and managed. swanctl provides a portable, + complete IKE configuration and control interface for the command line. + The first six swanctl example scenarios have been added. + * The SWID IMV implements a JSON-based REST API which allows the exchange + of SWID tags and Software IDs with the strongTNC policy manager. + * The SWID IMC can extract all installed packages from the dpkg (Debian, + Ubuntu, Linux Mint etc.), rpm (Fedora, RedHat, OpenSUSE, etc.), or + pacman (Arch Linux, Manjaro, etc.) package managers, respectively, using + the swidGenerator (https://github.com/strongswan/swidGenerator) which + generates SWID tags according to the new ISO/IEC 19770-2:2014 standard. + * All IMVs now share the access requestor ID, device ID and product info + of an access requestor via a common imv_session object. + * The Attestation IMC/IMV pair supports the IMA-NG measurement format + introduced with the Linux 3.13 kernel. + * The aikgen tool generates an Attestation Identity Key bound to a TPM. + * Implemented the PT-EAP transport protocol (RFC 7171) for Trusted Network + Connect. + * The ipsec.conf replay_window option defines connection specific IPsec + replay windows. Original patch courtesy of Zheng Zhong and Christophe + Gouault from 6Wind. +- Adjusted file lists and removed obsolete patches + [- 0005-restore-registration-algorithm-order.bug897512.patch, + - 0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch] +- Adopted/Merged fipscheck patches + [* strongswan_fipscheck.patch, strongswan_fipsfilter.patch] + +------------------------------------------------------------------- +Wed Dec 17 10:15:23 UTC 2014 - mt@suse.de + +- Disallow brainpool elliptic curve groups in fips mode (bnc#856322). + [* strongswan_fipsfilter.patch] + +------------------------------------------------------------------- +Thu Dec 11 10:21:01 UTC 2014 - mt@suse.de + +- Applied an upstream fix for a denial-of-service vulnerability, + which can be triggered by an IKEv2 Key Exchange payload, that + contains the Diffie-Hellman group 1025 (bsc#910491,CVE-2014-9221). + [+ 0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch] +- Adjusted whilelist of approved algorithms in fips mode (bsc#856322). + [* strongswan_fipsfilter.patch] +- Renamed patch file to match it's patch number: + [- 0001-restore-registration-algorithm-order.bug897512.patch, + + 0005-restore-registration-algorithm-order.bug897512.patch] + +------------------------------------------------------------------- Old: ---- 0001-restore-registration-algorithm-order.bug897512.patch strongswan-5.1.3-rpmlintrc strongswan-5.1.3.tar.bz2 strongswan-5.1.3.tar.bz2.sig New: ---- strongswan-5.2.2-rpmlintrc strongswan-5.2.2.tar.bz2 strongswan-5.2.2.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ strongswan.spec ++++++ --- /var/tmp/diff_new_pack.wkO8yA/_old 2015-02-27 11:00:12.000000000 +0100 +++ /var/tmp/diff_new_pack.wkO8yA/_new 2015-02-27 11:00:12.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package strongswan # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: strongswan -Version: 5.1.3 +Version: 5.2.2 Release: 0 %define upstream_version %{version} %define strongswan_docdir %{_docdir}/%{name} @@ -82,7 +82,6 @@ Patch3: %{name}_fipscheck.patch Patch4: %{name}_fipsfilter.patch %endif -Patch5: 0001-restore-registration-algorithm-order.bug897512.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison BuildRequires: curl-devel @@ -293,7 +292,6 @@ %patch3 -p0 %patch4 -p1 %endif -%patch5 -p1 sed -e 's|@libexecdir@|%_libexecdir|g' \ < $RPM_SOURCE_DIR/strongswan.init.in \ > strongswan.init @@ -643,10 +641,11 @@ %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/pool.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/scepclient.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/starter.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/tnc.conf -%config(noreplace) %attr(600,root,root) %{strongswan_configs}/tools.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf %if %{with afalg} @@ -949,10 +948,11 @@ %{strongswan_templates}/config/strongswan.d/charon-logging.conf %{strongswan_templates}/config/strongswan.d/charon.conf %{strongswan_templates}/config/strongswan.d/imcv.conf +%{strongswan_templates}/config/strongswan.d/pki.conf %{strongswan_templates}/config/strongswan.d/pool.conf +%{strongswan_templates}/config/strongswan.d/scepclient.conf %{strongswan_templates}/config/strongswan.d/starter.conf %{strongswan_templates}/config/strongswan.d/tnc.conf -%{strongswan_templates}/config/strongswan.d/tools.conf %{strongswan_templates}/database/imv/data.sql %{strongswan_templates}/database/imv/tables.sql @@ -982,6 +982,7 @@ %dir %{strongswan_templates}/database %dir %{strongswan_templates}/database/sql %{strongswan_templates}/config/plugins/mysql.conf +%{strongswan_templates}/database/imv/tables-mysql.sql %{strongswan_templates}/database/sql/mysql.sql %endif ++++++ strongswan-5.1.3-rpmlintrc -> strongswan-5.2.2-rpmlintrc ++++++ ++++++ strongswan-5.1.3.tar.bz2 -> strongswan-5.2.2.tar.bz2 ++++++ ++++ 249224 lines of diff (skipped) ++++++ strongswan_fipscheck.patch ++++++ --- /var/tmp/diff_new_pack.wkO8yA/_old 2015-02-27 11:00:18.000000000 +0100 +++ /var/tmp/diff_new_pack.wkO8yA/_new 2015-02-27 11:00:18.000000000 +0100 @@ -1,6 +1,6 @@ --- src/ipsec/_ipsec.in -+++ src/ipsec/_ipsec.in 2014/11/07 11:28:25 -@@ -44,6 +44,26 @@ export IPSEC_DIR IPSEC_BINDIR IPSEC_SBIN ++++ src/ipsec/_ipsec.in +@@ -44,6 +44,26 @@ export IPSEC_DIR IPSEC_BINDIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_SCR IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland" @@ -26,8 +26,8 @@ + case "$1" in '') - echo "Usage: $IPSEC_SCRIPT command argument ..." -@@ -166,6 +186,7 @@ rereadall|purgeocsp|listcounters|resetco + echo "$IPSEC_SCRIPT command [arguments]" +@@ -155,6 +175,7 @@ rereadall|purgeocsp|listcounters|resetcounters) shift if [ -e $IPSEC_CHARON_PID ] then @@ -35,7 +35,7 @@ $IPSEC_STROKE "$op" "$@" rc="$?" fi -@@ -175,6 +196,7 @@ purgeike|purgecrls|purgecerts) +@@ -164,6 +185,7 @@ purgeike|purgecrls|purgecerts) rc=7 if [ -e $IPSEC_CHARON_PID ] then @@ -43,7 +43,7 @@ $IPSEC_STROKE "$1" rc="$?" fi -@@ -208,6 +230,7 @@ route|unroute) +@@ -197,6 +219,7 @@ route|unroute) fi if [ -e $IPSEC_CHARON_PID ] then @@ -51,7 +51,7 @@ $IPSEC_STROKE "$op" "$1" rc="$?" fi -@@ -217,6 +240,7 @@ secrets) +@@ -206,6 +229,7 @@ secrets) rc=7 if [ -e $IPSEC_CHARON_PID ] then @@ -59,7 +59,7 @@ $IPSEC_STROKE rereadsecrets rc="$?" fi -@@ -224,6 +248,7 @@ secrets) +@@ -213,6 +237,7 @@ secrets) ;; start) shift @@ -67,7 +67,7 @@ if [ -d /var/lock/subsys ]; then touch /var/lock/subsys/ipsec fi -@@ -297,6 +322,7 @@ up) +@@ -286,6 +311,7 @@ up) rc=7 if [ -e $IPSEC_CHARON_PID ] then @@ -75,7 +75,7 @@ $IPSEC_STROKE up "$1" rc="$?" fi -@@ -332,6 +358,11 @@ esac +@@ -325,6 +351,11 @@ esac cmd="$1" shift ++++++ strongswan_fipsfilter.patch ++++++ --- /var/tmp/diff_new_pack.wkO8yA/_old 2015-02-27 11:00:18.000000000 +0100 +++ /var/tmp/diff_new_pack.wkO8yA/_new 2015-02-27 11:00:18.000000000 +0100 @@ -1,5 +1,12 @@ +From 8f3f1bd6907df8221a93c849ed4b43474444e13b Mon Sep 17 00:00:00 2001 +From: Marius Tomaschewski <mt@suse.de> +Date: Mon, 5 Jan 2015 14:57:39 +0100 +Subject: [PATCH] strongswan: filter algorithms for fips mode + +References: fate#316931,bnc#856322 + diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c -index 2ecdb4f..85767ab 100644 +index e59dcd9..f07f4a2 100644 --- a/src/libcharon/config/proposal.c +++ b/src/libcharon/config/proposal.c @@ -26,6 +26,11 @@ @@ -14,7 +21,7 @@ ENUM(protocol_id_names, PROTO_NONE, PROTO_IPCOMP, "PROTO_NONE", -@@ -185,6 +190,130 @@ METHOD(proposal_t, strip_dh, void, +@@ -185,6 +190,122 @@ METHOD(proposal_t, strip_dh, void, enumerator->destroy(enumerator); } @@ -104,24 +111,16 @@ + case DIFFIE_HELLMAN_GROUP: + switch (alg) + { -+ case MODP_1024_BIT: -+ case MODP_1536_BIT: + case MODP_2048_BIT: + case MODP_3072_BIT: + case MODP_4096_BIT: + case MODP_8192_BIT: -+ case MODP_1024_160: + case MODP_2048_224: + case MODP_2048_256: -+ case ECP_192_BIT: + case ECP_224_BIT: + case ECP_256_BIT: + case ECP_384_BIT: + case ECP_521_BIT: -+ case ECP_224_BP: -+ case ECP_256_BP: -+ case ECP_384_BP: -+ case ECP_512_BP: + return TRUE; + default: + break; @@ -145,7 +144,7 @@ /** * Select a matching proposal from this and other, insert into selected. */ -@@ -500,6 +629,11 @@ static bool add_string_algo(private_proposal_t *this, const char *alg) +@@ -502,6 +623,11 @@ static bool add_string_algo(private_proposal_t *this, const char *alg) return FALSE; } @@ -157,63 +156,69 @@ add_algorithm(this, token->type, token->algorithm, token->keysize); return TRUE; -@@ -639,6 +773,8 @@ static void proposal_add_supported_ike(private_proposal_t *this) - enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) - { -+ if (!fips_filter(PROTO_IKE, ENCRYPTION_ALGORITHM, encryption)) -+ continue; - switch (encryption) +@@ -643,6 +769,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) + enumerator = lib->crypto->create_aead_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) { - case ENCR_AES_CBC: -@@ -665,6 +801,9 @@ static void proposal_add_supported_ike(private_proposal_t *this) - enumerator = lib->crypto->create_aead_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) - { -+ if (!fips_filter(PROTO_IKE, ENCRYPTION_ALGORITHM, encryption)) -+ continue; ++ if (!fips_filter(PROTO_IKE, ENCRYPTION_ALGORITHM, encryption)) ++ continue; + - switch (encryption) + switch (encryption) + { + case ENCR_AES_CCM_ICV8: +@@ -675,6 +804,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) + enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) { - case ENCR_AES_CCM_ICV8: -@@ -690,6 +829,8 @@ static void proposal_add_supported_ike(private_proposal_t *this) - enumerator = lib->crypto->create_signer_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &integrity, &plugin_name)) - { -+ if (!fips_filter(PROTO_IKE, INTEGRITY_ALGORITHM, integrity)) -+ continue; - switch (integrity) ++ if (!fips_filter(PROTO_IKE, ENCRYPTION_ALGORITHM, encryption)) ++ continue; ++ + switch (encryption) + { + case ENCR_AES_CBC: +@@ -706,6 +838,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) + enumerator = lib->crypto->create_signer_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &integrity, &plugin_name)) { - case AUTH_HMAC_SHA1_96: -@@ -710,6 +851,8 @@ static void proposal_add_supported_ike(private_proposal_t *this) ++ if (!fips_filter(PROTO_IKE, INTEGRITY_ALGORITHM, integrity)) ++ continue; ++ + switch (integrity) + { + case AUTH_HMAC_SHA1_96: +@@ -727,6 +862,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) enumerator = lib->crypto->create_prf_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &prf, &plugin_name)) { + if (!fips_filter(PROTO_IKE, PSEUDO_RANDOM_FUNCTION, prf)) + continue; ++ switch (prf) { case PRF_HMAC_SHA1: -@@ -730,6 +873,8 @@ static void proposal_add_supported_ike(private_proposal_t *this) +@@ -747,6 +885,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) enumerator = lib->crypto->create_dh_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &group, &plugin_name)) { + if (!fips_filter(PROTO_IKE, DIFFIE_HELLMAN_GROUP, group)) + continue; ++ switch (group) { case MODP_NULL: -@@ -776,31 +921,35 @@ proposal_t *proposal_create_default(protocol_id_t protocol) +@@ -795,6 +936,10 @@ proposal_t *proposal_create_default(protocol_id_t protocol) { private_proposal_t *this = (private_proposal_t*)proposal_create(protocol, 0); +#define fips_add_algorithm(this, type, alg, len) \ + if (fips_filter(this->protocol, type, alg)) \ + add_algorithm(this, type, alg, len); ++ switch (protocol) { case PROTO_IKE: - proposal_add_supported_ike(this); +@@ -805,25 +950,28 @@ proposal_t *proposal_create_default(protocol_id_t protocol) + } break; case PROTO_ESP: - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128); @@ -248,7 +253,12 @@ default: break; } ++ +#undef fips_add_algorithm ++ return &this->public; } +-- +2.2.1 + -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org