JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

strongswan: 5.9.8 -> 5.9.10

Browse Source 
Fixes CVE-2023-26463: https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-%28cve-2023-26463%29.html

Release notes:
https://www.strongswan.org/blog/2023/03/02/strongswan-5.9.10-released.html
https://www.strongswan.org/blog/2023/01/03/strongswan-5.9.9-released.html
This commit is contained in:
Thomas Gerbet 2023-04-26 01:08:29 +02:00
parent 8c5e16581c
commit b4e503a783
2 changed files with 35 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
View File

@ -225,20 +225,22 @@ in {
irrespective of the value of this option (even when set to no). irrespective of the value of this option (even when set to no).
''; '';
childless = mkEnumParam [ "allow" "force" "never" ] "allow" '' childless = mkEnumParam [ "allow" "prefer" "force" "never" ] "allow" ''
Use childless IKE_SA initiation (RFC 6023) for IKEv2. Acceptable values Use childless IKE_SA initiation (_allow_, _prefer_, _force_ or _never_).
are `allow` (the default), `force` and
`never`. If set to `allow`, responders Use childless IKE_SA initiation (RFC 6023) for IKEv2, with the first
CHILD_SA created with a separate CREATE_CHILD_SA exchange (e.g. to use an
independent DH exchange for all CHILD_SAs). Acceptable values are `allow`
(the default), `prefer`, `force` and `never`. If set to `allow`, responders
will accept childless IKE_SAs (as indicated via notify in the IKE_SA_INIT will accept childless IKE_SAs (as indicated via notify in the IKE_SA_INIT
response) while initiators continue to create regular IKE_SAs with the response) while initiators continue to create regular IKE_SAs with the first
first CHILD_SA created during IKE_AUTH, unless the IKE_SA is initiated CHILD_SA created during IKE_AUTH, unless the IKE_SA is initiated explicitly
explicitly without any children (which will fail if the responder does not without any children (which will fail if the responder does not support or
support or has disabled this extension). If set to has disabled this extension). The effect of `prefer` is the same as `allow`
`force`, only childless initiation is accepted and the on responders, but as initiator a childless IKE_SA is initiated if the
first CHILD_SA is created with a separate CREATE_CHILD_SA exchange responder supports it. If set to `force`, only childless initiation is
(e.g. to use an independent DH exchange for all CHILD_SAs). Finally, accepted in either role. Finally, setting the option to `never` disables
setting the option to `never` disables support for support for childless IKE_SAs as responder.
childless IKE_SAs as responder.
''; '';
send_certreq = mkYesNoParam yes '' send_certreq = mkYesNoParam yes ''
@ -357,11 +359,22 @@ in {
if_id_in = mkStrParam "0" '' if_id_in = mkStrParam "0" ''
XFRM interface ID set on inbound policies/SA, can be overridden by child XFRM interface ID set on inbound policies/SA, can be overridden by child
config, see there for details. config, see there for details.
The special value `%unique` allocates a unique interface ID per IKE_SA,
which is inherited by all its CHILD_SAs (unless overridden there), beyond
that the value `%unique-dir` assigns a different unique interface ID for
each direction (in/out).
''; '';
if_id_out = mkStrParam "0" '' if_id_out = mkStrParam "0" ''
XFRM interface ID set on outbound policies/SA, can be overridden by child XFRM interface ID set on outbound policies/SA, can be overridden by child
config, see there for details. config, see there for details.
The special value `%unique` allocates a unique interface ID per IKE_SA,
which is inherited by all its CHILD_SAs (unless overridden there), beyond
that the value `%unique-dir` assigns a different unique interface ID for
each direction (in/out).
''; '';
mediation = mkYesNoParam no '' mediation = mkYesNoParam no ''
@ -985,12 +998,14 @@ in {
protection. protection.
''; '';
hw_offload = mkEnumParam ["yes" "no" "auto"] "no" '' hw_offload = mkEnumParam ["yes" "no" "auto" "crypto" "packet"] "no" ''
Enable hardware offload for this CHILD_SA, if supported by the IPsec Enable hardware offload for this CHILD_SA, if supported by the IPsec
implementation. The value `yes` enforces offloading implementation. The values `crypto` or `packet` enforce crypto or full
and the installation will fail if it's not supported by either kernel or packet offloading and the installation will fail if the selected mode is not
device. The value `auto` enables offloading, if it's supported by either kernel or device. On Linux, `packet` also offloads
supported, but the installation does not fail otherwise. policies, including trap policies. The value `auto` enables full packet
or crypto offloading, if either is supported, but the installation does not
fail otherwise.
''; '';
copy_df = mkYesNoParam yes '' copy_df = mkYesNoParam yes ''

4
pkgs/tools/networking/strongswan/default.nix
View File

@ -16,13 +16,13 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "strongswan"; pname = "strongswan";
version = "5.9.8"; # Make sure to also update <nixpkgs/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix> when upgrading! version = "5.9.10"; # Make sure to also update <nixpkgs/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix> when upgrading!
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "strongswan"; owner = "strongswan";
repo = "strongswan"; repo = "strongswan";
rev = version; rev = version;
sha256 = "sha256-RRvMQhDVoXF3Uok/Huq20RhqSsMnAsXHKOWfrXypDOk="; hash = "sha256-vYM3RVS6/yDNbY6X8lZT0GK0dczjw8hs3NplFEzq0fg=";
}; };
dontPatchELF = true; dontPatchELF = true;