Update libreswan to 3.32 and fix a runtime error with libnss
Closed, Public

Authored by xulongwu4 on Tue, Jul 21, 2:10 AM.

Details

Summary

Update libreswan to 3.32 and fix a runtime error with libnss. Resolves T9186.

Changelog:

  • SECURITY: Fixes CVE-2020-1763
  • FIPS: ECDSA keys were mistakenly rejected as "too weak"
  • FIPS: Minimum RSA key size is 2048, not 3072
  • FIPS: Use NSS to check FIPS mode instead of manually checking fips=1
  • IKEv1: Add NSS KDF support for the Quick Mode KDF
  • libipsecconf: support old-style ",," to mean "\," in specifying id
  • libipsecconf: left/rightinterface-ip= are not kt_obsolete
  • whack: Add missing ecdsa/sha2 and compat rsa policy options to whack
  • Fix left=%iface syntax due to string length miscalculation
  • X509: don't try to match up ID on SAN when ID type is ID_DER_ASN1_DN

Packaging Notes:

  • Mark as conflicts with strongswan

Test Plan

ipsec.service was started successfully.

Diff Detail

Repository
R4665 libreswan
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.