1.146. openswan

Updated openswan packages that fix an issue with NSS passwords being logged at run time are now available.

Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE) for Linux. IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted net is encrypted by the IPsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network, or VPN.

These packages contain the daemons and userland tools for setting up openswan. They support the NETKEY/XFRM IPsec stack in the default Linux kernel. The openswan 2.6.x-series also supports IKEv2 as described in RFC 4309.

This update addresses the following issue:

* when an NSS database is created with a password (either in FIPS or non-FIPS mode), access to a private key (associated with a certificate or a raw public key) requires authentication. At authentication time, openswan passes the database password to NSS. Previously, when this happened, openswan also logged the password to /var/log/secure. The password could also be seen by running "ipsec barf". With this update, openswan still passes the database password at authentication time but no longer logs it in any fashion. (BZ#557688)

All openswan users are advised to upgrade to these updated packages, which resolve this issue.

Updated openswan packages that fix an issue and enable Openswan to pass the TAHI test suite for HMAC-SHA1-96 support are now available.

Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE) for Linux. IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted net is encrypted by the IPsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network, or VPN.

These packages contain the daemons and userland tools for setting up Openswan. They support the NETKEY/XFRM IPsec stack in the default Linux kernel. The Openswan 2.6.x-series also supports IKEv2 as described in RFC 4309.

The TAHI Project IPv6 Ready Test Suite, Phase 2, includes an IKE version 2 test category. Support for the HMAC-SHA1-96 message digest algorithm is required by this category and, previously, Openswan did not include such support. With this update, HMAC-SHA1-96 supported has been added to the openswan package. (BZ#533883)

This update fixes the following issue:

* the FIPS-140-2 standard requires cryptographic modules to provide methods to "zeroize" (meaning: to overwrite with zeroes) all plain text secret and private cryptographic keys and Critical Security Parameters (CSPs). With this update, Openswan uses methods supplied by the NSS library to perform zeroization on plain text secret and private cryptographic keys and CSPs.

All users of openswan are advised to upgrade to these updated packages, which resolve this issue.