Revisions of strongswan
Stephan Kulow (coolo)
accepted
request 241746
from
Marius Tomaschewski (mtomaschewski)
(revision 56)
- disable gcrypt plugin by default, so it will only use openssl fate#316931 [+strongswan-fips-disablegcrypt.patch] - enable fips mode 2
Stephan Kulow (coolo)
accepted
request 238850
from
Tomáš Chvátal (scarabeus_factory)
(revision 55)
1
Tomáš Chvátal (scarabeus_factory)
accepted
request 230123
from
Marius Tomaschewski (mtomaschewski)
(revision 54)
- Updated to strongSwan 5.1.3 providing the following changes: - Fixed an authentication bypass vulnerability triggered by rekeying an unestablished IKEv2 SA while it gets actively initiated. This allowed an attacker to trick a peer's IKE_SA state to established, without the need to provide any valid authentication credentials. (CVE-2014-2338, bnc#870572). - The acert plugin evaluates X.509 Attribute Certificates. Group membership information encoded as strings can be used to fulfill authorization checks defined with the rightgroups option. Attribute Certificates can be loaded locally or get exchanged in IKEv2 certificate payloads. - The pki command gained support to generate X.509 Attribute Certificates using the --acert subcommand, while the --print command supports the ac type. The openac utility has been removed in favor of the new pki functionality. - The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other protocols has been extended by AEAD mode support, currently limited to AES-GCM. - Fixed an issue where CRL/OCSP trustchain validation broke enforcing CA constraints - Limited OCSP signing to specific certificates to improve performance - authKeyIdentifier is not added to self-signed certificates anymore - Fixed the comparison of IKE configs if only the cipher suites were different - Updated to strongSwan 5.1.2 providing the following changes: - A new default configuration file layout is introduced. The new default strongswan.conf file mainly includes config snippets from the strongswan.d and strongswan.d/charon directories (the latter containing snippets for all plugins). The snippets, with commented defaults, are automatically generated and installed, if they don't exist yet. Also installed in $prefix/share/strongswan/templates so existing files can be compared to the current defaults.
Tomáš Chvátal (scarabeus_factory)
accepted
request 205541
from
Marius Tomaschewski (mtomaschewski)
(revision 53)
- Updated to strongSwan 5.1.1 minor release addressing two security fixes (bnc#847506,CVE-2013-6075, bnc#847509,CVE-2013-6076): - Fixed a denial-of-service vulnerability and potential authorization bypass triggered by a crafted ID_DER_ASN1_DN ID payload. The cause is an insufficient length check when comparing such identities. The vulnerability has been registered as CVE-2013-6075. - Fixed a denial-of-service vulnerability triggered by a crafted IKEv1 fragmentation payload. The cause is a NULL pointer dereference. The vulnerability has been registered as CVE-2013-6076. - The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS session with a strongSwan policy enforcement point which uses the tnc-pdp charon plugin. - The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests for either full SWID Tag or concise SWID Tag ID inventories. - The XAuth backend in eap-radius now supports multiple XAuth exchanges for different credential types and display messages. All user input gets concatenated and verified with a single User-Password RADIUS attribute on the AAA. With an AAA supporting it, one for example can implement Password+Token authentication with proper dialogs on iOS and OS X clients. - charon supports IKEv1 Mode Config exchange in push mode. The ipsec.conf modeconfig=push option enables it for both client and server, the same way as pluto used it. - Using the "ah" ipsec.conf keyword on both IKEv1 and IKEv2 connections, charon can negotiate and install Security Associations integrity-protected by the Authentication Header protocol. Supported are plain AH(+IPComp) SAs only, but not the deprecated RFC2401 style ESP+AH bundles. [...] - Adjusted file lists: this version installs the pki utility and manuals in common /usr directories and additional ipsec/pt-tls-client helper.
Adrian Schröter (adrianSuSE)
committed
(revision 52)
Split 13.1 from Factory
Stephan Kulow (coolo)
accepted
request 185964
from
Marius Tomaschewski (mtomaschewski)
(revision 51)
- Updated to strongSwan 5.1.0 release (bnc#833278, CVE-2013-5018)
Stephan Kulow (coolo)
accepted
request 173989
from
Marius Tomaschewski (mtomaschewski)
(revision 50)
- Updated to strongSwan 5.0.4 release (bnc#815236, CVE-2013-2944): - Fixed a security vulnerability in the openssl plugin which was reported by Kevin Wojtysiak. The vulnerability has been registered as CVE-2013-2944. Before the fix, if the openssl plugin's ECDSA signature verification was used, due to a misinterpretation of the error code returned by the OpenSSL ECDSA_verify() function, an empty or zeroed signature was accepted as a legitimate one. Refer to our blog for details. - The handling of a couple of other non-security relevant OpenSSL return codes was fixed as well. - The tnc_ifmap plugin now publishes virtual IPv4 and IPv6 addresses via its TCG TNC IF-MAP 2.1 interface. - The charon.initiator_only strongswan.conf option causes charon to ignore IKE initiation requests. - The openssl plugin can now use the openssl-fips library. The version 5.0.3 provides new ipseckey plugin, enabling authentication based on trustworthy public keys stored as IPSECKEY resource records in the DNS and protected by DNSSEC and new openssl plugin using the AES-NI accelerated version of AES-GCM if the hardware supports it. See http://wiki.strongswan.org/projects/strongswan/wiki/Changelog50 for a list of all changes since the 5.0.1 release.
Adrian Schröter (adrianSuSE)
committed
(revision 49)
Split 12.3 from Factory
Stephan Kulow (coolo)
accepted
request 144037
from
Marius Tomaschewski (mtomaschewski)
(revision 48)
Verify GPG signature: Perform build-time offline GPG verification. Please verify that included keyring matches your needs. For manipulation with the offline keyring, please use gpg-offline tool from openSUSE:Factory, devel-tools-building or Base:System. See the man page and/or /usr/share/doc/packages/gpg-offline/PACKAGING.HOWTO. If you need to build your package for older products and don't want to mess spec file with ifs, please follow PACKAGING.HOWTO: you can link or aggregate gpg-offline from devel:tools:building or use following trick with "osc meta prjconf": --- Cut here ---- %if 0%{?suse_version} <= 1220 Substitute: gpg-offline %endif Macros: %gpg_verify(dnf) \ %if 0%{?suse_version} > 1220\ echo "WARNING: Using %%gpg_verify macro from prjconf, not from gpg-offline package."\ gpg-offline --directory="%{-d:%{-d*}}%{!-d:%{_sourcedir}}" --package="%{-n:%{-n*}}%{!-n:%{name}}""%{-f: %{-f*}}" --verify %{**}\ %else\ echo "WARNING: Dummy prjconf macro. gpg-offline is not available, skipping %{**} GPG signature verification!"\ %endif\ %nil ----------------- (forwarded request 143934 from sbrabec)
Ismail Dönmez (namtrac)
accepted
request 141625
from
Andreas Jaeger (a_jaeger)
(revision 47)
- Fix systemd unit dir (forwarded request 141529 from elvigia)
Ismail Dönmez (namtrac)
accepted
request 139871
from
Marius Tomaschewski (mtomaschewski)
(revision 46)
- Updated to strongSwan 5.0.1 release. Changes digest: - Introduced the sending of the standard IETF Assessment Result PA-TNC attribute by all strongSwan Integrity Measurement Verifiers. - Extended PTS Attestation IMC/IMV pair to provide full evidence of the Linux IMA measurement process. All pertinent file information of a Linux OS can be collected and stored in an SQL database. - The PA-TNC and PB-TNC protocols can now process huge data payloads. - The xauth-pam backend can authenticate IKEv1 XAuth and Hybrid authenticated clients against any PAM service. - The new unity plugin brings support for some parts of the IKEv1 Cisco Unity Extensions. - The kernel-netlink plugin supports the new strongswan.conf option charon.install_virtual_ip_on. - Job handling in controller_t was fixed, which occasionally caused crashes on ipsec up/down. - Fixed transmission EAP-MSCHAPv2 user name if it contains a domain part. Changes digest from strongSwan 5.0.0 version: * The charon IKE daemon gained experimental support for the IKEv1 protocol. Pluto has been removed from the 5.x series. * The NetworkManager charon plugin of previous releases is now provided by a separate executable (charon-nm) and it should work again with NM 0.9. * scepclient was updated and it now works fine with Windows Server 2008 R2. - Adopted spec file, enabled several plugins, e.g.: ccm, certexpire, coupling, ctr, duplicheck, eap-dynamic, eap-peap, eap-tls, eap-tnc, eap-ttls, gcm, nonce, radattr, tnc, tnccs, unity, xauth-eap and pam. - Changed to install strongswan.service with alias to ipsec.service instead of the /etc/init.d/ipsec init script on openSUSE > 12.2.
Stephan Kulow (coolo)
accepted
request 133236
from
Marius Tomaschewski (mtomaschewski)
(revision 45)
charon keying daemon start failure with openssl (bnc#779038)
Adrian Schröter (adrianSuSE)
committed
(revision 44)
branched from openSUSE:Factory
Stephan Kulow (coolo)
accepted
request 123120
from
Marius Tomaschewski (mtomaschewski)
(revision 43)
update to 4.6.4 / bnc#761325, CVE-2012-2388
Stephan Kulow (coolo)
accepted
request 120579
from
Marius Tomaschewski (mtomaschewski)
(revision 42)
update to strongswan-4.6.3
Stephan Kulow (coolo)
accepted
request 109123
from
Marius Tomaschewski (mtomaschewski)
(revision 41)
update to 4.6.2 (fwd of rq 107821)
Stephan Kulow (coolo)
accepted
request 105223
from
Marius Tomaschewski (mtomaschewski)
(revision 40)
update to 4.6.1, fixed glib.h build error
Stephan Kulow (coolo)
accepted
request 97889
from
Andreas Jaeger (a_jaeger)
(revision 39)
- remove call to suse_update_config (very old work around) (forwarded request 97737 from coolo)
Stephan Kulow (coolo)
committed
(revision 38)
replace license with spdx.org variant
Adrian Schröter (adrianSuSE)
committed
(revision 37)
Displaying revisions 41 - 60 of 96