Enhancement Advisory openswan bug fix update

Advisory: RHEA-2009:1350-1
Type: Product Enhancement Advisory
Severity: N/A
Issued on: 2009-09-02
Last updated on: 2009-09-02
Affected Products: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)

Details

An updated openswan package that resolves several issues and provides
FIPS 140-2 compliance is now available.

Openswan is a free implementation of IPsec & IKE for Linux. IPsec is the
Internet Protocol Security and uses strong cryptography to provide both
authentication and encryption services. These services allow you to build
secure tunnels through untrusted networks. Everything passing through the
untrusted net is encrypted by the ipsec gateway machine and decrypted by
the gateway at the other end of the tunnel. The resulting tunnel is a
virtual private network or VPN.

This package contains the daemons and userland tools for setting up
Openswan. It optionally also builds the Openswan KLIPS IPsec stack that is
an alternative for the NETKEY/XFRM IPsec stack that exists in the default
Linux kernel.

Openswan 2.6.x also supports IKEv2 (RFC 4309).

Bugs fixed in these updated packages include:

* Openswan would not allow IPsec connections between a physical IP on one
system and a virtual IP on another system if the physical IP on the first
system was already connected to the physical IP on the second system that
was associated with that virtual IP. Now, Openswan creates a new route if a
route already exists. This allows simultaneous IPsec connections to a
physical IP and the virtual IP associated with it. (BZ#438998)

* The parser in lib/libipsecconf/ did not correctly interpret values
supplied for manual keying, and the use of manual keying could therefore
result in a segmentation fault in Openswan. Because manual keying is no
longer supported, Openswan now exits with an error when
"ipsec manual up <connection-name>" is used. (BZ#449725)

* The ipsec.conf file included any .conf files placed in /etc/ipsec.d but
Openswan's default installation did not place any files in this directory.
Therefore, error messages similar to "could not open include filename:
'/etc/ipsec.d/*.conf'" would appear when starting or stopping the IPsec
service. Although the service operated correctly, the appearance of these
error messages could mislead a user to think that there was a problem with
IPsec. The ipsec.conf file now comments out the include of /etc/ipsec.d and
contains a note suggesting that users uncomment the line and use
/etc/ipsec.d for their customized configuration files. (BZ#463931)

* Openswan did not close file descriptors on exec. The resulting file
descriptor leaks would then cause AVC denial warnings on systems set to
enforce SELinux policy. Openswan now closes file descriptors on exec, both
for sockets that it has opened and for sockets that it has accepted.
Because Openswan does not now leak these file descriptors, the
corresponding AVC denial warnings do not appear. (BZ#466861)
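The descriptor leak described above is the generic close-on-exec problem: a socket created by a daemon stays open in every program the daemon later execs (here the "ip" helper seen in the AVC message), unless the FD_CLOEXEC flag is set on it first. The following C program is an added example, not Openswan code, showing the leaky default, the fcntl() fix for descriptors obtained from socket() or accept(), and a way to observe whether a descriptor survives an exec. It assumes a POSIX system with /bin/sh and a /dev/fd directory (Linux, BSD, macOS).

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if FD_CLOEXEC is set on fd, 0 if it is not, -1 if fd is invalid. */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Marks an already-open descriptor close-on-exec. This is the fix for
 * descriptors obtained from socket(), accept() or open() without a CLOEXEC
 * flag. Returns 0 on success, -1 on error. */
int make_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Accepts a connection and immediately marks the new descriptor
 * close-on-exec, the pattern for accepted sockets. (Linux also offers
 * accept4() with SOCK_CLOEXEC, which removes the window between accept()
 * and fcntl(); it is not used here to keep the example portable.) */
int accept_cloexec(int listen_fd, struct sockaddr *addr, socklen_t *len)
{
    int fd = accept(listen_fd, addr, len);
    if (fd == -1)
        return -1;
    if (make_cloexec(fd) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Forks and execs /bin/sh, which checks whether descriptor fd is still open
 * in the new program image by testing the /dev/fd/N entry.
 * Returns 1 if the exec'd child could still see the descriptor (a leak),
 * 0 if it was closed on exec, -1 if the child could not be run. */
int fd_survives_exec(int fd)
{
    char path[64];
    snprintf(path, sizeof path, "/dev/fd/%d", fd);

    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", "test -e \"$1\"", "sh", path, (char *)NULL);
        _exit(127); /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    if (code == 127)
        return -1;
    return code == 0 ? 1 : 0;
}

/* Creates a fresh UNIX socket pair and checks that the descriptor starts
 * without FD_CLOEXEC (the leaky default) and carries it after make_cloexec().
 * Returns 0 when both hold; -1, -2 or -3 identifies the failing step. */
int cloexec_roundtrip(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;
    int rc = 0;
    if (has_cloexec(sv[0]) != 0)
        rc = -2;
    else if (make_cloexec(sv[0]) != 0 || has_cloexec(sv[0]) != 1)
        rc = -3;
    close(sv[0]);
    close(sv[1]);
    return rc;
}

/* Runs the whole experiment: creates a socket pair, optionally applies the
 * fix, and reports whether the descriptor leaked into an exec'd child.
 * Returns the fd_survives_exec() result, or -1 on setup failure. */
int leak_experiment(int apply_fix)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;
    int leaked = -1;
    if (!apply_fix || make_cloexec(sv[0]) == 0)
        leaked = fd_survives_exec(sv[0]);
    close(sv[0]);
    close(sv[1]);
    return leaked;
}

int main(void)
{
    printf("descriptor without FD_CLOEXEC survives exec: %d\n", leak_experiment(0));
    printf("descriptor with FD_CLOEXEC survives exec:    %d\n", leak_experiment(1));
    return 0;
}
```

On a system where the daemon runs under a confining SELinux policy, the leaked descriptor is exactly what produces the AVC denial: the helper program's domain has no rule permitting access to the daemon's socket or file, so every inherited descriptor it touches is logged. Setting FD_CLOEXEC at the point the descriptor is created is the cheapest way to keep such objects out of child domains.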

* Openswan's cryptographic methods did not meet the standards for FIPS
140-2 certification, therefore precluding the use of Openswan in
environments that require this certification. Openswan now uses the NSS
library and includes:

- encryption/decryption algorithms (AES, 3DES)
- hash and data integrity algorithms (MD5, SHA1, SHA2 (256, 384, 512))
- HMAC mechanisms for the above hash algorithms
- authentication with signature (without certificates) (DS_AUTH),
specifically RSA signatures
- authentication with signature (with X.509 certificates) (DS_AUTH)
- Oakley Diffie-Hellman (DH) related cryptographic operations
- random number generation through NSS
- support for NSS DB with and without a password
- FIPS integrity check using the fipscheck library
- support for old (dbm) and new (sql) NSS databases

* Openswan now meets the FIPS 140-2 standard. (BZ#444801, BZ#469763)

* Previously, the package description included a reference to a "freeswan
enabled kernel". This reference could have misled users into thinking that
Openswan required some special kernel, when no such kernel exists. The
reference has therefore been removed, eliminating the potential for
confusion. (BZ#487708)

All users of openswan are advised to upgrade to this updated package, which
resolves these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
openswan-2.6.21-5.el5.src.rpm
File outdated by:  RHSA-2011:1422
    MD5: 33dcf3fa7ff2b28a20cd313b77fa4c94
 
IA-32:
openswan-2.6.21-5.el5.i386.rpm
File outdated by:  RHSA-2011:1422
    MD5: b4cd0e57bc0cf4a401cd96becb070764
openswan-doc-2.6.21-5.el5.i386.rpm
File outdated by:  RHSA-2011:1422
    MD5: 6e9d7e762d76eb87c8c885bd40076345
 
IA-64:
openswan-2.6.21-5.el5.ia64.rpm
File outdated by:  RHSA-2011:1422
    MD5: ad18d1f70f1d7c03464584de8f52c0e6
openswan-doc-2.6.21-5.el5.ia64.rpm
File outdated by:  RHSA-2011:1422
    MD5: d42af9a193ed0bcda0c48cf8f5a72b77
 
PPC:
openswan-2.6.21-5.el5.ppc.rpm
File outdated by:  RHSA-2011:1422
    MD5: c6a9c3e58e80465da121a74802c99b7b
openswan-doc-2.6.21-5.el5.ppc.rpm
File outdated by:  RHSA-2011:1422
    MD5: 6ae19ebfe684e04ae2e1ee225ae27a42
 
s390x:
openswan-2.6.21-5.el5.s390x.rpm
File outdated by:  RHSA-2011:1422
    MD5: 7fcce2b8ff81f0eb7b3ce6e17ac4dba6
openswan-doc-2.6.21-5.el5.s390x.rpm
File outdated by:  RHSA-2011:1422
    MD5: 242269f157b3213a8e80f6c114c6c3a0
 
x86_64:
openswan-2.6.21-5.el5.x86_64.rpm
File outdated by:  RHSA-2011:1422
    MD5: 34ecd49f01ca6465347af666ee88bb09
openswan-doc-2.6.21-5.el5.x86_64.rpm
File outdated by:  RHSA-2011:1422
    MD5: bf050e465fa66c245fe12cbf111b56e0
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
openswan-2.6.21-5.el5.src.rpm
File outdated by:  RHSA-2011:1422
    MD5: 33dcf3fa7ff2b28a20cd313b77fa4c94
 
IA-32:
openswan-2.6.21-5.el5.i386.rpm
File outdated by:  RHSA-2011:1422
    MD5: b4cd0e57bc0cf4a401cd96becb070764
openswan-doc-2.6.21-5.el5.i386.rpm
File outdated by:  RHSA-2011:1422
    MD5: 6e9d7e762d76eb87c8c885bd40076345
 
x86_64:
openswan-2.6.21-5.el5.x86_64.rpm
File outdated by:  RHSA-2011:1422
    MD5: 34ecd49f01ca6465347af666ee88bb09
openswan-doc-2.6.21-5.el5.x86_64.rpm
File outdated by:  RHSA-2011:1422
    MD5: bf050e465fa66c245fe12cbf111b56e0
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

439771 - [IPv6-DoD] openswan and strongswan fail to interoperate with IKEv2
441383 - IPV6DOD: openswan should negotiate CCM algorithm.
442955 - [IPv6-DoD] openswan doesn't accept null esp auth alg
442956 - openswan logging segfault when phase2alg=null
443626 - Pluto segfault with host-to-host config and other host down
443646 - AVC errors when openswan attempts to start up
444166 - [IPv6-DoD] openswan IKEv2 crashes when interoperating with racoon2
444575 - openswan doesn't delete expired SA's
449382 - openswan segv using RSA PKIX (x.509) mode
449725 - Openswan seg fault using manual keying.
463931 - /etc/ipsec.conf includes /etc/ipsec.d/*.conf which is missing
466861 - avc: denied { write } for pid=2193 comm="ip" path="/var/run/pluto/ipsec_setup.out"
487708 - Misleading package description
507844 - PSK support with Openswan-NSS in non-fips mode and fixing several warnings during compilation

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/