From 9169873f529e66b217d1c66ea3a3c185151491c34bb4d57aaca656002ac5df6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Sat, 4 May 2024 00:53:11 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main strongswan revision c330aa00148b2c1727e83f27b487a6a9
---
 .gitattributes | 23 +
 ...-retransmit-Aggressive-Mode-response.patch | 27 +
 README.SUSE | 54 +
 fips-enforce.conf | 51 +
 harden_strongswan.service.patch | 22 +
 strongswan-5.9.12.tar.bz2 | 3 +
 strongswan-5.9.12.tar.bz2.sig | 14 +
 strongswan-rpmlintrc | 9 +
 strongswan.changes | 2220 +++++++++++++++++
 strongswan.init.in | 278 +++
 strongswan.keyring | 53 +
 strongswan.spec | 936 +++++++
 strongswan_ipsec_service.patch | 9 +
 13 files changed, 3699 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
 create mode 100644 README.SUSE
 create mode 100644 fips-enforce.conf
 create mode 100644 harden_strongswan.service.patch
 create mode 100644 strongswan-5.9.12.tar.bz2
 create mode 100644 strongswan-5.9.12.tar.bz2.sig
 create mode 100644 strongswan-rpmlintrc
 create mode 100644 strongswan.changes
 create mode 100644 strongswan.init.in
 create mode 100644 strongswan.keyring
 create mode 100644 strongswan.spec
 create mode 100644 strongswan_ipsec_service.patch
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch b/0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
new file mode 100644
index 0000000..9e428b2
--- /dev/null
+++ b/0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
@@ -0,0 +1,27 @@
+From 4e16732c1c668c27e73574724d2d90537a74f67a Mon Sep 17 00:00:00 2001
+From: Tobias Brunner
+Date: Fri, 17 Jun 2016 18:19:48 +0200
+Subject: [PATCH] ikev1: Don't retransmit Aggressive Mode response
+
+These could theoretically be used for an amplified DDoS attack.
+---
+ src/libcharon/sa/ikev1/task_manager_v1.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
+index 48ec3e7..0912555 100644
+--- a/src/libcharon/sa/ikev1/task_manager_v1.c
++++ b/src/libcharon/sa/ikev1/task_manager_v1.c
+@@ -770,8 +770,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
+ continue;
+ case NEED_MORE:
+ /* processed, but task needs another exchange */
+- if (task->get_type(task) == TASK_QUICK_MODE ||
+- task->get_type(task) == TASK_AGGRESSIVE_MODE)
++ if (task->get_type(task) == TASK_QUICK_MODE)
+ { /* we rely on initiator retransmission, except for
+ * three-message exchanges */
+ expect_request = TRUE;
+-- 
+2.13.2
+
diff --git a/README.SUSE b/README.SUSE
new file mode 100644
index 0000000..b0fe2e6
--- /dev/null
+++ b/README.SUSE
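Review bot: The context comment kept on the new side of the inner hunk, `{ /* we rely on initiator retransmission, except for * three-message exchanges */`, no longer matches the code: Aggressive Mode is itself a three-message exchange, yet the new condition keeps only TASK_QUICK_MODE, so a reader will take the omission for a bug rather than the intended hardening. Suggest replacing it with a comment that records the reason given in the patch description, e.g. `/* rely on initiator retransmission; Quick Mode is the only three-message exchange whose response we retransmit — Aggressive Mode responses are deliberately not retransmitted, since the unauthenticated first message would otherwise let a spoofed source elicit repeated responses (amplification) */`. build_response's body continues outside the inner hunk. This inner patch is dated 2016 (git 2.13.2) while the packaged tarball is 5.9.12; whether the spec still applies it, and whether upstream 5.9.12 already carries commit 4e16732c, is outside this hunk and worth checking so a stale patch file is not carried indefinitely.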
@@ -0,0 +1,54 @@
+Dear Customer,
+
+please note, that the strongswan release 4.5 changes the keyexchange mode
+to IKEv2 as default -- from strongswan-4.5.0/NEWS:
+"[...]
+IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
+from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
+IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
+come for IKEv1 to go into retirement and to cede its place to the much more
+robust, powerful and versatile IKEv2 protocol!
+[...]"
+
+This requires adoption of either the "conn %default" or all other IKEv1
+"conn" sections in the /etc/ipsec.conf to use explicit:
+
+ keyexchange=ikev1
+
+The charon daemon in strongswan 5.x versions supports IKEv1 and IKEv2,
+thus a separate pluto IKEv1 daemon is not needed / not shipped any more.
+
+
+The strongswan package does not provide any files except of this README,
+but triggers the installation of the charon daemon and the "traditional"
+strongswan-ipsec package providing the "ipsec" script and service.
+The ipsec.service is an alias link to the "strongswan.service" systemd
+service unit and created by "systemctl enable strongswan.service".
+
+
+There is a new strongswan-nm package with a NetworkManager specific charon-nm
+binary controlling the charon daemon through D-Bus and designed to work using
+the NetworkManager-strongswan graphical user interface.
+It does not depend on the traditional starter scripts, but on the IKEv2
+charon daemon and plugins only.
+
+
+The stongswan-hmac package provides the fips hmac hash files, a _fipscheck
+script and a /etc/strongswan.d/charon/zzz_fips-enforce.conf config file,
+which disables all non-openssl algorithm implementations.
+
+When fips operation mode is enabled in the kernel using the fips=1 boot
+parameter, the strongswan fips checks are executed in front of any start
+action of the "ipsec" script provided by the "strongswan-ipsec" package
+and a verification problem causes a failure as required by fips-140-2.
+Further, it is not required to enable the fips_mode in the openssl plugin
+(/etc/strongswan.d/charon/openssl.conf); the kernel entablement enables
+it automatically as needed.
+
+The "ipsec _fipscheck" command allows to execute the fips checks manually
+without a check if fips is enabled (/proc/sys/crypto/fips_enabled is 1),
+e.g. for testing purposes.
+
+
+Have a lot of fun...
+
diff --git a/fips-enforce.conf b/fips-enforce.conf
new file mode 100644
index 0000000..5e140cc
--- /dev/null
+++ b/fips-enforce.conf
@@ -0,0 +1,51 @@
+#
+# When fips is enabled (fips=1 kernel parameter), only certified openssl
+# and kernel crypto API (af-alg) algorithms are supported.
+#
+# The strongswan-hmac package is supposed to be used/installed when fips
+# is enabled and provides this blacklist disabling other plugins
+# providing further and/or alternative algorithm implementations.
+#
+gcrypt {
+ load = no
+}
+blowfish {
+ load = no
+}
+random {
+ load = no
+}
+des {
+ load = no
+}
+aes {
+ load = no
+}
+rc2 {
+ load = no
+}
+ctr {
+ load = no
+}
+cmac {
+ load = no
+}
+xcbc {
+ load = no
+}
+md4 {
+ load = no
+}
+md5 {
+ load = no
+}
+sha1 {
+ load = no
+}
+sha2 {
+ load = no
+}
+ccm {
+ load = no
+}
+
diff --git a/harden_strongswan.service.patch b/harden_strongswan.service.patch
new file mode 100644
index 0000000..7820dda
--- /dev/null
+++ b/harden_strongswan.service.patch
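Review bot: The header comment of fips-enforce.conf claims that with fips=1 only openssl and af-alg algorithms remain usable, but the file is an enumerated deny-list of 14 plugins, so any other software-crypto plugin the spec builds (for example gmp, hmac, curve25519 or gcm if enabled, and the kdf plugin the changelog says is packaged — the spec is outside this hunk) keeps loading in FIPS mode. Either verify the list against the set of plugins actually enabled in strongswan.spec, or state the real contract in the comment so the gap is visible, e.g. `# NOTE: this is a deny-list; any crypto plugin enabled in strongswan.spec but not named here still loads under fips=1, keep it in sync`. The README.SUSE hunk in this same commit repeats the stronger claim that the file "disables all non-openssl algorithm implementations", which the list as written does not guarantee.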
@@ -0,0 +1,22 @@
+Index: strongswan-5.9.5/init/systemd/strongswan.service.in
+===================================================================
+--- strongswan-5.9.5.orig/init/systemd/strongswan.service.in
++++ strongswan-5.9.5/init/systemd/strongswan.service.in
+@@ -3,6 +3,17 @@ Description=strongSwan IPsec IKEv1/IKEv2
+ After=network-online.target
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++ProtectHostname=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Type=notify
+ ExecStart=@SBINDIR@/charon-systemd
+ ExecStartPost=@SBINDIR@/swanctl --load-all --noprompt
diff --git a/strongswan-5.9.12.tar.bz2 b/strongswan-5.9.12.tar.bz2
new file mode 100644
index 0000000..0fe1126
--- /dev/null
+++ b/strongswan-5.9.12.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5e6018b07cbe9f72c044c129955a13be3e2f799ceb53f53a4459da6a922b95e5
+size 4825696
diff --git a/strongswan-5.9.12.tar.bz2.sig b/strongswan-5.9.12.tar.bz2.sig
new file mode 100644
index 0000000..6ccc6e7
--- /dev/null
+++ b/strongswan-5.9.12.tar.bz2.sig
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmVbP3kACgkQ30LBcLNN
+uneAygwAomUeLeEAbCSAkr+hVxxV2n8YBhGIoGYC8Ii/vpfD2ZC72gZF13QlUQcR
+CizUT7XtvNBqQTTae0aoUlF6avmgqktHnJeLXVk8XATrkqVwW57EtfbBDEmVz1U9
+r1RNVvQWE15buvlT3yYoTu94dzm1jfNpGhB+v1bom9d+0JM+RGhxyl6nTpXgcNvQ
+39P7rMQ5KbpdModLXZqBSZsKOX41a6oMWXQE+akfrUakhe/0N9FabpUb76U+R3Hz
+Xx2TStOQDV/6QaAtLaaAOvIIjLsc1lHPxcO5Yf2iMbGBEOzldtrA5rPiLWLSwEG8
+chHhweSoD0qAKjRKYfx5umLYzOlsew42fwjFTQye8BXLdYqELdvD6MyCWn51YKO4
+ALhWFWxvBzL9FMQfPyVo+SWoS5IN9pKc4dqCgTMetorn7dZZGRykI8VAfnn5WxwB
+CTzAitDVNI6T3dfqiadBrqDNe0wnatlOg2fJ+N3wU1IqoEtfHZ4yoxm/P88AaTBX
+ImhWse8k
+=6zu/
+-----END PGP SIGNATURE-----
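Review bot: The hardening block is applied only to init/systemd/strongswan.service.in (the charon-systemd/swanctl unit), while the strongswan.changes hunk in this same commit records that strongswan.service is masked in this packaging and that strongswan-starter.service is the unit that is active by default; the unit users actually run therefore appears to get none of these Protect*/Restrict* directives. Consider carrying the same block into the starter unit template (outside this hunk) or adding a comment after `# end of automatic additions` explaining why only this unit is hardened. `ProtectSystem=full` also makes /etc read-only, so if the resolve plugin is configured to rewrite /etc/resolv.conf directly instead of going through resolvconf(8), that write will fail at runtime and would need a `ReadWritePaths=` exception; this should be tested before the change ships. The Index/--- headers still name strongswan-5.9.5 although the packaged tarball is 5.9.12, harmless for patch(1) but worth refreshing on the next rebase.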
diff --git a/strongswan-rpmlintrc b/strongswan-rpmlintrc
new file mode 100644
index 0000000..b6f2319
--- /dev/null
+++ b/strongswan-rpmlintrc
@@ -0,0 +1,9 @@
+### Known warnings:
+# - traditional name
+addFilter("strongswan.* incoherent-init-script-name ipsec")
+# - readme only, triggers full ipsec + ikev1&ikev2 install
+addFilter("strongswan.* no-binary")
+# - link to init script, covered by service(8)
+addFilter("strongswan.* no-manual-page-for-binary rcipsec")
+# - no, restating tunnels on update may break the update
+addFilter("strongswan.*restart_on_update-postun /etc/init.d/ipsec")
diff --git a/strongswan.changes b/strongswan.changes
new file mode 100644
index 0000000..e2ec3c1
--- /dev/null
+++ b/strongswan.changes
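Review bot: Three of the four filters still refer to the SysV init script (`incoherent-init-script-name ipsec`, `no-manual-page-for-binary rcipsec`, `restart_on_update-postun /etc/init.d/ipsec`), yet the strongswan.changes hunk in this commit says SysV support was removed in April 2023, while the diffstat still lists strongswan.init.in; whether the spec still installs the script is outside this hunk, but one of the two statements is stale. If the init script is gone, these filters only mask rpmlint findings for paths that no longer exist and should be dropped; if it is still shipped, the changelog entry misleads. The comment `# - no, restating tunnels on update may break the update` also reads as a typo for `restarting`.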
@@ -0,0 +1,2220 @@
+-------------------------------------------------------------------
+Mon Nov 20 13:32:59 UTC 2023 - Jan Engelhardt
+
+- Update to release 5.9.12
+ * Fixed a buffer overflow in charon-tkm [CVEV-2023-41913]
+ * Support for ``nameConstraints`` of type ``iPAddress`` are now
+ supported by the "x509", "openssl" and "constraints" plugins
+ * Support for encoding subjectAlternativeName extensions of type
+ uniformResourceIdentifier in X.509 certificates has been added.
+ * Make the NetworkManager plugin (charon-nm) actually use the
+ XFRM interface it creates since 5.9.10. This involves setting
+ interface IDs on SAs and policies, and installing routes via
+ the interface. To avoid routing loops if the remote traffic
+ selectors include the VPN server, IKE and ESP packets are
+ marked to bypass the routing table that contains the routes via
+ XFRM interface.
+ * The kernel-libipsec plugin now always installs routes to remote
+ networks even if no address is found in the local traffic
+ selectors, which allows forwarding traffic from networks the
+ VPN host is not part of.
+ * Fixed issues while reestablishing multiple CHILD_SAs (e.g.
+ after a DPD timeout) that could cause a reqid to get assigned
+ to multiple CHILD_SAs with unrelated traffic selectors.
+ +------------------------------------------------------------------- +Thu Jun 22 13:24:08 UTC 2023 - Mohd Saquib + +- Removed .hmac files + hmac integrity check logic from strongswan-hmac + package as it is not mandated anymore by FIPS (boo#1185116) +- Removed folliwng files: + [- strongswan_fipscheck.patch] + [- fipscheck.sh.in] + Note: strongswan-hmac package is not removed as it still provides a + config file that doesn't allow non-fips approved algorithms + +------------------------------------------------------------------- +Mon Jun 12 15:54:53 UTC 2023 - Jan Engelhardt + +- Remove pre-SLE15 build logic + +------------------------------------------------------------------- +Mon Jun 12 15:22:09 UTC 2023 - Mohd Saquib + +- Update to release 5.9.11 + * A deadlock in the vici plugin has been fixed + * Per RFC 5280, CRLs now have to be signed by a certificate that + either encodes the cRLSign keyUsage bit (even if it is a CA + certificate), or is a CA certificate without a keyUsage + extension. + * Support for optional CA labels in EST server URIs was added to + the pki --est and pki --estca commands. + * The pkcs7 and openssl plugins now support CMS-style signatures + in PKCS#7 containers, which allows verifying RSA-PSS and ECDSA + signatures. + * Fixed a regression in the server implementation of EAP-TLS when + using TLS <=1.2. + * The EAP-TLS client does now enforce that the TLS handshake is + complete when using TLS <=1.2. + * On Linux, the kernel-libipsec plugin can now optionally handle + ESP packets without UDP encapsulation. + * The dhcp plugin uses an alternative method to determine the + source address when sending unicast DHCP requests. + * ECDSA and EdDSA public keys are supported by the ipseckey + plugin when parsing RFC 4025 IPSECKEY resource records. 
+
+-------------------------------------------------------------------
+Wed Apr 5 01:34:28 UTC 2023 - Mohd Saquib
+
+- Allow to use stroke aka ipsec interface by default instead of
+ vici aka swanctl interface which is current upstream's default.
+ strongswan.service which enables swanctl interface is masked to
+ stop interfering with the ipsec interface (bsc#1184144)
+- Removes deprecated SysV support
+
+-------------------------------------------------------------------
+Thu Mar 2 13:34:37 UTC 2023 - Jan Engelhardt
+
+- Update to release 5.9.10
+ * Fixed a vulnerability related to certificate verification in
+ TLS-based EAP methods that leads to an authentication bypass
+ followed by an expired pointer dereference that results in a
+ denial of service but possibly even remote code execution.
+ [CVE-2023-26463]
+ * Added support for full packet hardware offload for IPsec SAs
+ and policies, which has been introduced with the Linux 6.2
+ kernel, to the kernel-netlink plugin. Bypass policies for the
+ IKE ports are automatically offloaded to devices that support
+ this type of offloading.
+ * TLS-based EAP methods use the key derivation specified in
+ draft-ietf-emu-tls-eap-types when used with TLS 1.3.
+ * Routes via XFRM interfaces can now optionally be installed
+ automatically by enabling the
+ charon.plugins.kernel-netlink.install_routes_xfrmi option.
+- If connections are missing in `ipsec status`, check that
+ strongswan-starter.service (rather than strongswan.service)
+ is active.
+- Remove CVE-2023-26463_tls_auth_bypass_exp_pointer.patch
+
+-------------------------------------------------------------------
+Thu Mar 2 12:26:39 UTC 2023 - Mohd Saquib
+
+- Added patch to fix a vulnerability in incorrectly accepted
+ untrusted public key with incorrect refcount
+ (CVE-2023-26463 boo#1208608)
+ [+ CVE-2023-26463_tls_auth_bypass_exp_pointer.patch]
+
+-------------------------------------------------------------------
+Tue Jan 3 13:22:12 UTC 2023 - Jan Engelhardt
+
+- Update to release 5.9.9
+ * Fixed an issue that could cause OCSP requests to contain an
+ incorrect serial number if the openssl plugin parsed the
+ certificate.
+ * The resolve plugin does not invoke resolvconf(8) with
+ individual interface names for each name server anymore.
+ * The kernel-netlink plugin now logs extended ACK error and
+ warning messages provided by the Linux kernel if e.g. the
+ installation of an SA or policy fails.
+
+-------------------------------------------------------------------
+Mon Oct 3 20:36:03 UTC 2022 - Jan Engelhardt
+
+- Update to release 5.9.8
+ * Fixed a vulnerability related to online certificate
+ revocation checking that was caused because the revocation
+ plugin used potentially untrusted OCSP URIs and CRL
+ distribution points in certificates.
+ * The `pki --scep/--scepca` commands implement the HTTP-based
+ "Simple Certificate Enrollment Protocol" (RFC 8894 SCEP)
+ replacing the old and long deprecated scepclient that has
+ been removed.
+ * The `pki --est|estca` commands implement the HTTPS-based
+ "Enrollment over Secure Transport" (RFC 7070 EST) protocol.
+ * The TLS client implementation now sends an empty certificate
+ payload if a certificate request is received but no
+ certificate is available.
+ * The socket plugins don't set the SO_REUSEADDR option anymore
+ on the IKE UDP sockets, so an error is triggered if e.g. two
+ daemons (e.g. charon and charon-systemd) are running
+ concurrently using the same ports.
+
+-------------------------------------------------------------------
+Sat Jul 30 06:48:29 UTC 2022 - Peter Conrad
+
+- Update to release 5.9.7
+ * The IKEv2 key derivation is now delayed until the keys are
+ actually needed to process or send the next message.
+ * Inbound IKEv2 messages, in particular requests, are now
+ processed differently.
+ * The retransmission logic in the dhcp plugin has been fixed.
+ * The connmark plugin now considers configured masks in
+ installed firewall rules.
+ * Child config selection has been fixed as responder in cases
+ where multiple children use transport mode traffic selectors.
+ * The outbound SA/policy is now also removed after IKEv1
+ CHILD_SA rekeyings.
+ * The openssl plugin supports AES and Camellia in CTR mode.
+ * The AES-XCBC/CMAC PRFs are demoted in the default proposal
+ (after HMAC-based PRFs) since they were never widely adopted.
+ * The kdf plugin is now automatically enabled if any of the
+ aesni, cmac or xcbc plugins are enabled, or if none of the
+ plugins that directly provide HMAC-based KDFs are enabled.
+
+-------------------------------------------------------------------
+Sat Apr 30 08:21:29 UTC 2022 - Jan Engelhardt
+
+- Update to release 5.9.6
+ * Support for labeled IPsec with IKEv2
+ (draft-ietf-ipsecme-labeled-ipsec) has been added. Two modes
+ are currently supported.
+ * The secrets used for generating COOKIE payloads are now
+ switched based on a time limit (2 minutes) and not the
+ previous usage limit (10'000 generated cookies).
+ * Actively initiating duplicate CHILD_SAs within the same
+ IKE_SA is now largely prevented.
+ * If the source address is unknown when initiating an IKEv2 SA,
+ a NAT situation is now forced for IPv4 (for IPv6, NAT-T is
+ disabled) to avoid causing asymmetric enabling of
+ UDP-encapsulation.
+ * The main two steps of the IKEv2 key derivation (PRF/prf+)
+ have been modularized. In particular, prf+ is now provided by
+ a plugin.
+- Drop prf-plus-modularization.patch
+
+-------------------------------------------------------------------
+Wed Mar 16 12:57:46 UTC 2022 - Marcus Meissner
+
+- prf-plus-modularization.patch: updated from upstream branch
+ after certifier feedback, SKEYSEED generated via HKDF-Extract.
+
+-------------------------------------------------------------------
+Thu Mar 3 14:49:26 UTC 2022 - Marcus Meissner
+
+- Added prf-plus-modularization.patch that outsources the IKE
+ key derivation to openssl. (will be merged to 5.9.6)
+- package the kdf config, template and plugin
+
+-------------------------------------------------------------------
+Wed Jan 26 12:25:35 UTC 2022 - Jan Engelhardt
+
+- Update to release 5.9.5
+ * Fixed a vulnerability in the EAP client implementation
+ (CVE-2021-45079 bsc#1194471).
+ * libtpmtss may now establish a secure session via RSA OAEP
+ public key encryption or an ephemeral ECDH key exchange,
+ respectively.
+ * When rekeying CHILD_SAs, the old outbound SA is now
+ uninstalled earlier on the initiator/winner.
+ * The openssl plugin now only announces the ECDH groups
+ actually supported by OpenSSL (determined via
+ EC_get_builtin_curves()).
+ * Added support for AES-CFB.
+
+-------------------------------------------------------------------
+Wed Nov 24 08:25:29 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_strongswan.service.patch
+
+-------------------------------------------------------------------
+Mon Nov 22 16:19:08 UTC 2021 - Bjørn Lie
+
+- Update to version 5.9.4:
+ * Fixed a denial-of-service vulnerability in the gmp plugin that
+ was caused by an integer overflow when processing RSASSA-PSS
+ signatures with very large salt lengths. This vulnerability has
+ been registered as CVE-2021-41990. Please refer to our blog for
+ details. (bsc#1191367)
+ * Fixed a denial-of-service vulnerability in the in-memory
+ certificate cache if certificates are replaced and a very large
+ random value caused an integer overflow. This vulnerability has
+ been registered as CVE-2021-41991. Please refer to our blog for
+ details. (bsc#1191435)
+ * Fixed a related flaw that caused the daemon to accept and cache
+ an infinite number of versions of a valid certificate by
+ modifying the parameters in the signatureAlgorithm field of the
+ outer X.509 Certificate structure.
+ * AUTH_LIFETIME notifies are now only sent by a responder if it
+ can't reauthenticate the IKE_SA itself due to asymmetric
+ authentication (i.e. EAP) or the use of virtual IPs.
+ * Several corner cases with reauthentication have been fixed
+ (48fbe1d, 36161fe, 0d373e2).
+ * Serial number generation in several pki sub-commands has been
+ fixed so they don't start with an unintended zero byte.
+ * Loading SSH public keys via vici has been improved.
+ * Shared secrets, PEM files, vici messages, PF_KEY messages,
+ swanctl configs and other data is properly wiped from memory.
+ * Use a longer dummy key to initialize HMAC instances in the
+ openssl plugin in case it's used in FIPS-mode.
+ * The --enable-tpm option now implies --enable-tss-tss2 as the
+ plugin doesn't do anything without a TSS 2.0.
+ * libtpmtss is initialized in all programs and libraries that use
+ it.
+ * Migrated testing scripts to Python 3.
+
+-------------------------------------------------------------------
+Mon Sep 27 19:01:38 UTC 2021 - Bjørn Lie
+
+- Update to version 5.9.3:
+ * Added AES-ECB, SHA-3 and SHAKE-256 support to the wolfssl
+ plugin.
+ * Added AES-CCM support to the openssl plugin (#353 bsc#1185363).
+ * The x509 and the openssl plugins now consider the
+ authorityKeyIdentifier, if available, before verifying
+ signatures, which avoids unnecessary signature verifications
+ after a CA key rollover if both CA certificates are loaded.
+ The openssl plugin now does the same also for CRLs (the x509
+ plugin already did).
+ * The pkcs11 plugin better handles optional attributes like
+ CKA_TRUSTED, which previously depended on a version check.
+ * The NetworkManager backend (charon-nm) now supports using SANs
+ as client identities, not only full DNs (#437).
+ * charon-tkm now handles IKE encryption.
+ * Send a MOBIKE update again if a a change in the NAT mappings is
+ detected but the endpoints stay the same (e143a7d).
+ * A deadlock in the HA plugin introduced with 5.9.2 has been
+ fixed (#456).
+ * DSCP values are now also set for NAT keepalives.
+ * The ike_derived_keys() hook now receives more keys but in a
+ different order (4e29d6f).
+ * Converted most of the test case scenarios to the vici
+ interface.
+- Replace libsoup-devel with pkgconfig(libsoup-2.4) BuildRequires,
+ as this is what really checks for. Needed as libsoup-3.0 is
+ released.
+- 5.9.1
+ - README: added a missing " to pki example command (bsc#1167880)
+ - fixed a libgcrypt call in FIPS mode (bsc#1180801)
+
+-------------------------------------------------------------------
+Mon Sep 7 08:38:01 UTC 2020 - Jan Engelhardt
+
+- Update to release 5.9.0
+ * Prefer AEAD algorithms for ESP; this puts AES-GCM in a default
+ AEAD proposal in front of the previous default proposal.
+ * If a connection fails after getting redirected, we now
+ restart connecting to the original host, not the one
+ redirected to.
+ * For peers that don't send the EAP_ONLY_AUTHENTICATION notify
+ but still expect to use EAP-only authentication, the
+ charon.force_eap_only_authentication option can be enabled to
+ force this type of authentication even on non-compliant
+ peers.
+ * IPv6 virtual IPs are now always enumerated, ignoring the
+ charon.prefer_temporary_addrs setting, which should fix route
+ installation if the latter is enabled.
+ +------------------------------------------------------------------- +Tue Sep 1 16:31:02 UTC 2020 - Jan Engelhardt + +- Enable bypass-lan strongswan plugin + +------------------------------------------------------------------- +Fri May 1 09:39:42 UTC 2020 - Bjørn Lie + +- Update to version 5.8.4: + * In IKEv1 Quick Mode make sure that a proposal exists before + determining lifetimes (fixes a crash due to a null-pointer + dereference in 5.8.3). + * OpenSSL currently doesn't support squeezing bytes out of a + SHAKE128/256 XOF (support was added with 5.8.3) multiple times. + Unfortunately, EVP_DigestFinalXOF() completely resets the + context and later calls not simply fail, they cause a + null-pointer dereference in libcrypto. c5c1898d73 fixes the + crash at the cost of repeating initializing the whole state and + allocating too much data for subsequent calls (hopefully, once + the OpenSSL issue 7894 is resolved we can implement this more + efficiently). + * On 32-bit platforms, reading arbitrary 32-bit integers from + config files (e.g. for charon.spi_min/max) has been fixed. + * charon-nm now allows using fixed source ports. +- Changes from version 5.8.3: + * Updates for the NM plugin (and backend, which has to be updated + to be compatible): + + EAP-TLS authentication (#2097) + + Certificate source (file, agent, smartcard) is selectable + independently + + Add support to configure local and remote identities (#2581) + + Support configuring a custom server port (#625) + + Show hint regarding password storage policy + + Replaced the term "gateway" with "server" + + Fixes build issues due to use of deprecated GLib + macros/functions + + Updated Glade file to GTK 3.2 + * The NM backend now supports reauthentication and redirection. + * Previously used reqids are now reallocated, which works around + an issue on FreeBSD where the kernel doesn't allow the daemon + to use reqids > 16383 (#2315). 
+ * On Linux, throw type routes are installed in table 220 for
+ passthrough policies. The kernel will then fall back on routes
+ in routing tables with lower priorities for matching traffic.
+ This way, they require less information (e.g. no interface or
+ source IP) and can be installed earlier and are not affected by
+ updates.
+ * For IKEv1, the lifetimes of the actually selected transform are
+ returned to the initiator, which is an issue if the peer uses
+ different lifetimes for different transforms (#3329). We now
+ also return the correct transform and proposal IDs (proposal ID
+ was always 0, transform ID 1). IKE_SAs are now not
+ re-established anymore (e.g. after several retransmits) if a
+ deletion has been queued (#3335).
+ * Added support for Ed448 keys and certificates via openssl
+ plugin and pki tool.
+ * Added support for SHA-3 and SHAKE128/256 in the openssl plugin.
+ * The use of algorithm IDs from the private use range can now be
+ enabled globally, to use them even if no strongSwan vendor ID
+ was exchanged (05e373aeb0).
+ * Fixed a compiler issue that may have caused invalid keyUsage
+ extensions in certificates (#3249).
+ * A lot of spelling fixes.
+ * Fixed several reported issues.
+- Drop 0006-Resolve-multiple-definition-of-swanctl_dir.patch: Fixed
+ upstream.
+
+-------------------------------------------------------------------
+Tue Mar 31 16:42:23 UTC 2020 - Madhu Mohan Nelemane
+
+- Fix to resolve multiple definitions for swanctl_dir (bsc#1164493)
+ [+ 0006-Resolve-multiple-definition-of-swanctl_dir.patch ]
+
+-------------------------------------------------------------------
+Mon Feb 17 20:26:37 UTC 2020 - Johannes Kastl
+
+- move file %{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
+ to strongswan-nm subpackage, as it is needed for the
+ NetworkManager plugin that uses strongswan-nm, not
+ strongswan-ipsec
+ This fixes the following error:
+ ```
+ Failed to initialize a plugin instance: Connection ":1.153" is not
+ allowed to own the service "org.freedesktop.NetworkManager.strongswan"
+ due to security policies in the configuration file
+ ```
+
+-------------------------------------------------------------------
+Thu Jan 30 13:43:50 UTC 2020 - Bjørn Lie
+
+- Drop upstream fixed patches:
+ * strongswan_modprobe_syslog.patch
+ * strongswan_fipsfilter.patch
+ * 0006-fix-compilation-error-by-adding-stdint.h.patch
+
+-------------------------------------------------------------------
+Sun Jan 26 08:54:01 UTC 2020 - Jan Engelhardt
+
+- Replace %__-type macro indirections. Update homepage URL to https.
+
+-------------------------------------------------------------------
+Mon Jan 6 22:06:58 UTC 2020 - Bjørn Lie
+
+- Update to version 5.8.2 (jsc#SLE-11370):
+ * The systemd service units have changed their name.
+ "strongswan" is now "strongswan-starter", and
+ "strongswan-swanctl" is now "strongswan".
+ After installation, you need to `systemctl disable` the old
+ name and `systemctl enable`+start the new one.
+ * Fix CVE-2018-17540, CVE-2018-16151 and CVE-2018-16152.
+ * boo#1109845 and boo#1107874.
+- Please check included NEWS file for info on what other changes
+ that have been done in versions 5.8.2, 5.8.1 5.8.0, 5.7.2, 5.7.1
+ and 5.7.0.
+- Rebase strongswan_ipsec_service.patch.
+- Disable patches that need rebase or dropping:
+ * strongswan_modprobe_syslog.patch
+ * 0006-fix-compilation-error-by-adding-stdint.h.patch
+- Add conditional pkgconfig(libsystemd) BuildRequires: New
+ dependency.
+
+-------------------------------------------------------------------
+Wed Jun 6 22:14:57 UTC 2018 - bjorn.lie@gmail.com
+
+- Update to version 5.6.3 (CVE-2018-10811, boo#1093536,
+ CVE-2018-5388, boo#1094462):
+ * Fixed a DoS vulnerability in the IKEv2 key derivation if the
+ openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated
+ as PRF. This vulnerability has been registered as
+ CVE-2018-10811, boo#1093536.
+ * Fixed a vulnerability in the stroke plugin, which did not check
+ the received length before reading a message from the socket.
+ Unless a group is configured, root privileges are required to
+ access that socket, so in the default configuration this
+ shouldn't be an issue. This vulnerability has been registered
+ as CVE-2018-5388, boo#1094462.
+ * CRLs that are not yet valid are now ignored to avoid problems
+ in scenarios where expired certificates are removed from new
+ CRLs and the clock on the host doing the revocation check is
+ trailing behind that of the host issuing CRLs. Not doing this
+ could result in accepting a revoked and expired certificate, if
+ it's still valid according to the trailing clock but not
+ contained anymore in not yet valid CRLs.
+ * The issuer of fetched CRLs is now compared to the issuer of the
+ checked certificate (#2608).
+ * CRL validation results other than revocation (e.g. a skipped
+ check because the CRL couldn't be fetched) are now stored also
+ for intermediate CA certificates and not only for end-entity
+ certificates, so a strict CRL policy can be enforced in such
+ cases.
+ * In compliance with RFC 4945, section 5.1.3.2, certificates used
+ for IKE must now either not contain a keyUsage extension (like
+ the ones generated by pki), or have at least one of the
+ digitalSignature or nonRepudiation bits set.
+ * New options for vici/swanctl allow forcing the local
+ termination of an IKE_SA. This might be useful in situations
+ where it's known the other end is not reachable anymore, or
+ that it already removed the IKE_SA, so retransmitting a DELETE
+ and waiting for a response would be pointless.
+ * Waiting only a certain amount of time for a response (i.e.
+ shorter than all retransmits would be) before destroying the
+ IKE_SA is also possible by additionally specifying a timeout in
+ the forced termination request.
+ * When removing routes, the kernel-netlink plugin now checks if
+ it tracks other routes for the same destination and replaces
+ the installed route instead of just removing it. Same during
+ installation, where existing routes previously weren't
+ replaced. This should allow using traps with virtual IPs on
+ Linux (#2162).
+ * The dhcp plugin now only sends the client identifier DHCP
+ option if the identity_lease setting is enabled (7b660944b6).
+ It can also send identities of up to 255 bytes length, instead
+ of the previous 64 bytes (30e886fe3b, 0e5b94d038). If a server
+ address is configured, DHCP requests are now sent from port 67
+ instead of 68 to avoid ICMP port unreachables (becf027cd9).
+ * The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one
+ containing a DH group that wasn't proposed) during
+ CREATE_CHILD_SA exchanges has been improved (#2536).
+ * Roam events are now completely ignored for IKEv1 SAs (there is
+ no MOBIKE to handle such changes properly).
+ * ChaCha20/Poly1305 is now correctly proposed without key length
+ (#2614). For compatibility with older releases the
+ chacha20poly1305compat keyword may be included in proposals to
+ also propose the algorithm with a key length (c58434aeff).
+ * Configuration of hardware offload of IPsec SAs is now more
+ flexible and allows a new setting (auto), which automatically
+ uses it if the kernel and device both support it. If hw_offload
+ is set to yes and offloading is not supported, the CHILD_SA
+ installation now fails.
+ * The kernel-pfkey plugin optionally installs routes via internal
+ interface (one with an IP in the local traffic selector). On
+ FreeBSD, enabling this selects the correct source IP when
+ sending packets from the gateway itself (e811659323).
+ * SHA-2 based PRFs are supported in PKCS#8 files as generated by
+ OpenSSL 1.1 (#2574).
+ * The pki --verify tool may load CA certificates and CRLs from
+ directories.
+ * The IKE daemon now also switches to port 4500 if the remote
+ port is not 500 (e.g. because the remote maps the response to a
+ different port, as might happen on Azure), as long as the local
+ port is 500 (85bfab621d).
+ * Fixed an issue with DNS servers passed to NetworkManager in
+ charon-nm (ee8c25516a).
+ * Logged traffic selectors now always contain the protocol if
+ either protocol or port are set (a36d8097ed).
+ * Only the inbound SA/policy will be updated as reaction to IP
+ address changes for rekeyed CHILD_SAs that are kept around.
+ * The parser for strongswan.conf/swanctl.conf now accepts =
+ characters in values without having to put the value in quotes
+ (e.g. for Base64 encoded shared secrets).
+- Rename strongswan-5.6.2-rpmlintrc to strongswan-rpmlintrc,
+ changing the version string on every version update makes no
+ sense.
+ +------------------------------------------------------------------- +Tue Apr 17 13:24:38 UTC 2018 - bjorn.lie@gmail.com + +- Update to version 5.6.2: + * Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS + signatures that was caused by insufficient input validation. + One of the configurable parameters in algorithm identifier + structures for RSASSA-PSS signatures is the mask generation + function (MGF). Only MGF1 is currently specified for this + purpose. However, this in turn takes itself a parameter that + specifies the underlying hash function. strongSwan's parser did + not correctly handle the case of this parameter being absent, + causing an undefined data read. This vulnerability has been + registered as CVE-2018-6459. + * When rekeying IKEv2 IKE_SAs the previously negotiated DH group + will be reused, instead of using the first configured group, + which avoids an additional exchange if the peer previously + selected a different DH group via INVALID_KE_PAYLOAD notify. + The same is also done when rekeying CHILD_SAs except for the + first rekeying of the CHILD_SA that was created with the + IKE_SA, where no DH group was negotiated yet. Also, the + selected DH group is moved to the front in all sent proposals + that contain it and all proposals that don't are moved to the + back in order to convey the preference for this group to the + peer. + * Handling of MOBIKE task queuing has been improved. In + particular, the response to an address update (with NAT-D + payloads) is not ignored anymore if only an address list update + or DPD is queued as that could prevent updating the UDP + encapsulation in the kernel. + * On Linux, roam events may optionally be triggered by changes to + the routing rules, which can be useful if routing rules + (instead of e.g. route metrics) are used to switch from one to + another interface (i.e. from one to another routing table). 
+ Since routing rules are currently not evaluated when doing + route lookups this is only useful if the kernel-based route + lookup is used (4664992f7d). + * The fallback drop policies installed to avoid traffic leaks + when replacing addresses in installed policies are now replaced + by temporary drop policies, which also prevent acquires because + we currently delete and reinstall IPsec SAs to update their + addresses (35ef1b032d). + * Access X.509 certificates held in non-volatile storage of a TPM + 2.0 referenced via the NV index. + * Adding the --keyid parameter to pki --print allows to print + private keys or certificates stored in a smartcard or a TPM + 2.0. + * Fixed proposal selection if a peer incorrectly sends DH groups + in the ESP proposal during IKE_AUTH and also if a DH group is + configured in the local ESP proposal and + charon.prefer_configured_proposals is disabled (d058fd3c32). + * The lookup for PSK secrets for IKEv1 has been improved for + certain scenarios (see #2497 for details). + * MSKs received via RADIUS are now padded to 64 bytes to avoid + compatibility issues with EAP-MSCHAPv2 and PRFs that have a + block size < 64 bytes (e.g. AES-XCBC-PRF-128, see 73cbce6013). + * The tpm_extendpcr command line tool extends a digest into a TPM + PCR. + * Ported the NetworkManager backend from the deprecated + libnm-glib to libnm. + * The save-keys debugging/development plugin saves IKE and/or ESP + keys to files compatible with Wireshark. +- Following upstreams port, replace NetworkManager-devel with + pkgconfig(libnm) BuildRequires. +- Refresh patches with quilt. +- Disable strongswan_fipsfilter.patch, needs rebase or dropping, + the file it patches no longer exists in tarball. 
+ +------------------------------------------------------------------- +Fri Mar 16 08:55:10 UTC 2018 - mmnelemane@suse.com + +- Removed unused requires and macro calls(bsc#1083261) + +------------------------------------------------------------------- +Tue Oct 17 11:27:54 UTC 2017 - jengelh@inai.de + +- Update summaries and descriptions. Trim filler words and + author list. +- Drop %if..%endif guards that are idempotent and do not affect + the build result. +- Replace old $RPM_ shell variables. + +------------------------------------------------------------------- +Tue Sep 5 17:10:11 CEST 2017 - ndas@suse.de + +- Updated to strongSwan 5.6.0 providing the following changes: + *Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation + when verifying RSA signatures, which requires decryption with the operation m^e mod n, + where m is the signature, and e and n are the exponent and modulus of the public key. + The value m is an integer between 0 and n-1, however, the gmp plugin did not verify this. + So if m equals n the calculation results in 0, in which case mpz_export() returns NULL. + This result wasn't handled properly causing a null-pointer dereference. + This vulnerability has been registered as CVE-2017-11185. (bsc#1051222) + + *New SWIMA IMC/IMV pair implements the draft-ietf-sacm-nea-swima-patnc Internet + Draft and has been demonstrated at the IETF 99 Prague Hackathon. + + *The IMV database template has been adapted to achieve full compliance with the + ISO 19770-2:2015 SWID tag standard. + + *The pt-tls-client can attach and use TPM 2.0 protected private keys via the --keyid parameter. + + *By default the /etc/swanctl/conf.d directory is created and *.conf files in it are included in the default + swanctl.conf file. + + *The curl plugin now follows HTTP redirects (configurable via strongswan.conf). 
+ + *The CHILD_SA rekeying was fixed in charon-tkm and the behavior is refined a bit more since 5.5.3 + + *libtpmtss supports Intel's TSS2 Architecture Broker and Resource Manager interface (tcti-tabrmd). + + * more on https://wiki.strongswan.org/versions/66 + +------------------------------------------------------------------- +Tue Sep 5 11:33:01 CEST 2017 - ndas@suse.de + +- fix "uintptr_t’ undeclared" compilation error. + [+0006-fix-compilation-error-by-adding-stdint.h.patch] + +------------------------------------------------------------------- +Mon Jul 31 18:30:28 CEST 2017 - ndas@suse.de + +- Updated to strongSwan 5.3.5(bsc#1050691) providing the following changes: + *Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input + validation when verifying RSA signatures. More specifically, mpz_powm_sec() has two + requirements regarding the passed exponent and modulus that the plugin did not + enforce, if these are not met the calculation will result in a floating point exception + that crashes the whole process. + This vulnerability has been registered as CVE-2017-9022. + Please refer to our blog for details. + + *Fixed a DoS vulnerability in the x509 plugin that was caused because the ASN.1 parser + didn't handle ASN.1 CHOICE types properly, which could result in an infinite loop when + parsing X.509 extensions that use such types. + This vulnerability has been registered as CVE-2017-9023. + Please refer to our blog for details. + + *The behavior during IKEv2 CHILD_SA rekeying has been changed in order to avoid + traffic loss. When responding to a CREATE_CHILD_SA request to rekey a CHILD_SA + the responder already has everything available to install and use the new CHILD_SA. + However, this could lead to lost traffic as the initiator won't be able to process + inbound packets until it processed the CREATE_CHILD_SA response and updated the + inbound SA. 
To avoid this the responder now only installs the new inbound SA and + delays installing the outbound SA until it receives the DELETE for the replaced CHILD_SA. + + *The messages transporting these DELETEs could reach the peer before packets sent + with the deleted outbound SAs reach it. To reduce the chance of traffic loss due + to this the inbound SA of the replaced CHILD_SA is not removed for a configurable + amount of seconds (charon.delete_rekeyed_delay) after the DELETE has been processed. + + *The code base has been ported to Apple's ARM64 iOS platform, which required several + changes regarding the use of variadic functions. This was necessary because the calling + conventions for variadic and regular functions are different there. + This means that assigning a non-variadic function to a variadic function pointer, as we + did with our enumerator_t::enumerate() implementations and several callbacks, will + result in crashes as the called function accesses the arguments differently than the + caller provided them. To avoid this issue the enumerator_t interface has been changed + and the signature of the callback functions for enumerator_create_filter() and two + methods on linked_list_t have been changed. Refer to the developer notes below + for details. + + *Adds support for fuzzing the certificate parser provided by the default plugins + (x509, pem, gmp etc.) on Google's OSS-Fuzz infrastructure (or generally with + libFuzzer). Several issues found while fuzzing these plugins were fixed. + + *Two new options have been added to charon's retransmission settings: + retransmit_limit and retransmit_jitter. The former adds an upper limit to the + calculated retransmission timeout, the latter randomly reduces it. + Refer to Retransmission for details. + + *A bug in swanctl's --load-creds command was fixed that caused unencrypted + private keys to get unloaded if the command was called multiple times. 
+ The load-key VICI command now returns the key ID of the loaded key on success. + + *The credential manager now enumerates local credential sets before global ones. + This means certificates supplied by the peer will now be preferred over certificates + with the same identity that may be locally stored (e.g. in the certificate cache). + + *Adds support for hardware offload of IPsec SAs as introduced by Linux 4.11 for + specific hardware that supports this. + + *The pki tool loads the curve25519 plugin by default. + [- 0006-Make-sure-the-modulus-is-odd-and-the-exponent-not-zero.patch, + - 0007-asn1-parser-Fix-CHOICE-parsing.patch] +- libhydra is removed as all kernel plugins moved to libcharon + +------------------------------------------------------------------- +Tue May 23 14:25:32 CEST 2017 - ndas@suse.de + +- Applied patch for "Don't retransmit Aggressive Mode response" + bsc#985012. +- Applied upstream patch for "Insufficient Input Validation in gmp Plugin" + bsc#1039514(CVE-2017-9022). +- Applied upstream patch for "Incorrect x509 ASN.1 parser error handling" + bsc#1039515(CVE-2017-9023). + [+0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch, + +0006-Make-sure-the-modulus-is-odd-and-the-exponent-not-zero.patch, + +0007-asn1-parser-Fix-CHOICE-parsing.patch] + +------------------------------------------------------------------- +Mon Jul 4 12:00:00 UTC 2016 - doug@uq.edu.au + +- Updated to strongSwan 5.3.5 providing the following changes: + Changes in version 5.3.5: + * Properly handle potential EINTR errors in sigwaitinfo(2) calls + that replaced sigwait(3) calls with 5.3.4. + * RADIUS retransmission timeouts are now configurable, courtesy + of Thom Troy. + Changes in version 5.3.4: + * Fixed an authentication bypass vulnerability in the + eap-mschapv2 plugin that was caused by insufficient + verification of the internal state when handling MSCHAPv2 + Success messages received by the client. This vulnerability + has been registered as CVE-2015-8023. 
+ * The sha3 plugin implements the SHA3 Keccak-F1600 hash + algorithm family. Within the strongSwan framework SHA3 is + currently used for BLISS signatures only because the OIDs for + other signature algorithms haven't been defined yet. Also the + use of SHA3 for IKEv2 has not been standardized yet. + Changes in version 5.3.3: + * Added support for the ChaCha20/Poly1305 AEAD cipher specified + in RFC 7539 and RFC 7634 using the chacha20poly1305 ike/esp + proposal keyword. The new chapoly plugin implements the + cipher, if possible SSE-accelerated on x86/x64 architectures. + It is usable both in IKEv2 and the strongSwan libipsec ESP + backend. On Linux 4.2 or newer the kernel-netlink plugin can + configure the cipher for ESP SAs. + * The vici interface now supports the configuration of auxiliary + certification authority information as CRL and OCSP URIs. + * In the bliss plugin the c_indices derivation using a SHA-512 + based random oracle has been fixed, generalized and + standardized by employing the MGF1 mask generation function + with SHA-512. As a consequence BLISS signatures unsing the + improved oracle are not compatible with the earlier + implementation. + * Support for auto=route with right=%any for transport mode + connections has been added (the ikev2/trap-any scenario + provides examples). + * The starter daemon does not flush IPsec policies and SAs + anymore when it is stopped. Already existing duplicate + policies are now overwritten by the IKE daemon when it + installs its policies. + * Init limits (like charon.init_limit_half_open) can now + optionally be enforced when initiating SAs via VICI. For this, + IKE_SAs initiated by the daemon are now also counted as half + open SAs, which, as a side-effect, fixes the status output + while connecting (e.g. in ipsec status). 
+ * Symmetric configuration of EAP methods in left|rightauth is + now possible when mutual EAP-only authentication is used + (previously, the client had to configure rightauth=eap or + rightauth=any, which prevented it from using this same config + as responder). + * The initiator flag in the IKEv2 header is compared again + (wasn't the case since 5.0.0) and packets that have the flag + set incorrectly are again ignored. + * Implemented a demo Hardcopy Device IMC/IMV pair based on the + "Hardcopy Device Health Assessment Trusted Network Connect + Binding" (HCD-TNC) document drafted by the IEEE Printer + Working Group (PWG). + * Fixed IF-M segmentation which failed in the presence of + multiple small attributes in front of a huge attribute to be + segmented. + Changes in version 5.3.2: + * Fixed a vulnerability that allowed rogue servers with a valid + certificate accepted by the client to trick it into disclosing + its username and even password (if the client accepts + EAP-GTC). This was caused because constraints against the + responder's authentication were enforced too late. This + vulnerability has been registered as CVE-2015-4171. + Changes in version 5.3.1: + * Fixed a denial-of-service and potential remote code execution + vulnerability triggered by IKEv1/IKEv2 messages that contain + payloads for the respective other IKE version. Such payload + are treated specially since 5.2.2 but because they were still + identified by their original payload type they were used as + such in some places causing invalid function pointer + dereferences. The vulnerability has been registered as + CVE-2015-3991. + * The new aesni plugin provides CBC, CTR, XCBC, CMAC, CCM and + GCM crypto primitives for AES-128/192/256. The plugin requires + AES-NI and PCLMULQDQ instructions and works on both x86 and + x64 architectures. It provides superior crypto performance in + userland without any external libraries. 
+ Changes in version 5.3.0: + * Added support for IKEv2 make-before-break reauthentication. By + using a global CHILD_SA reqid allocation mechanism, charon + supports overlapping CHILD_SAs. This allows the use of + make-before-break instead of the previously supported + break-before-make reauthentication, avoiding connectivity gaps + during that procedure. As the new mechanism may fail with peers + not supporting it (such as any previous strongSwan release) it + must be explicitly enabled using the charon.make_before_break + strongswan.conf option. + * Support for "Signature Authentication in IKEv2" (RFC 7427) has + been added. This allows the use of stronger hash algorithms + for public key authentication. By default, signature schemes + are chosen based on the strength of the signature key, but + specific hash algorithms may be configured in leftauth. + * Key types and hash algorithms specified in rightauth are now + also checked against IKEv2 signature schemes. If such + constraints are used for certificate chain validation in + existing configurations, in particular with peers that don't + support RFC 7427, it may be necessary to disable this feature + with the charon.signature_authentication_constraints setting, + because the signature scheme used in classic IKEv2 public key + authentication may not be strong enough. + * The new connmark plugin allows a host to bind conntrack flows + to a specific CHILD_SA by applying and restoring the SA mark + to conntrack entries. This allows a peer to handle multiple + transport mode connections coming over the same NAT device for + client-initiated flows. A common use case is to protect + L2TP/IPsec, as supported by some systems. + * The forecast plugin can forward broadcast and multicast + messages between connected clients and a LAN. For CHILD_SA + using unique marks, it sets up the required Netfilter rules + and uses a multicast/broadcast listener that forwards such + messages to all connected clients. 
This plugin is designed for + Windows 7 IKEv2 clients, which announces its services over the + tunnel if the negotiated IPsec policy allows it. + * For the vici plugin a Python Egg has been added to allow + Python applications to control or monitor the IKE daemon using + the VICI interface, similar to the existing ruby gem. The + Python library has been contributed by Björn Schuberg. + * EAP server methods now can fulfill public key constraints, + such as rightcert or rightca. Additionally, public key and + signature constraints can be specified for EAP methods in the + rightauth keyword. Currently the EAP-TLS and EAP-TTLS methods + provide verification details to constraints checking. + * Upgrade of the BLISS post-quantum signature algorithm to the + improved BLISS-B variant. Can be used in conjunction with the + SHA256, SHA384 and SHA512 hash algorithms with SHA512 being + the default. + * The IF-IMV 1.4 interface now makes the IP address of the TNC + access requestor as seen by the TNC server available to all + IMVs. This information can be forwarded to policy enforcement + points (e.g. firewalls or routers). + * The new mutual tnccs-20 plugin parameter activates mutual TNC + measurements in PB-TNC half-duplex mode between two endpoints + over either a PT-EAP or PT-TLS transport medium. +- Adjusted file lists and removed obsolete patches + [- 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch, + - 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch, + - 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch] + +------------------------------------------------------------------- +Fri Nov 13 10:25:59 UTC 2015 - mt@suse.de + +- Applied upstream fix for a authentication bypass vulnerability + in the eap-mschapv2 plugin (CVE-2015-8023,bsc#953817). 
+ [+ 0007-strongswan-4.4.0-5.3.3_eap_mschapv2_state.patch] + +------------------------------------------------------------------- +Thu Jun 4 10:54:29 UTC 2015 - mt@suse.de + +- Applied upstream fix for a rogue servers vulnerability, that may + enable rogue servers able to authenticate itself with certificate + issued by any CA the client trusts, to gain user credentials from + a client in certain IKEv2 setups (bsc#933591,CVE-2015-4171). + [+ 0006-strongswan-5.1.0-5.3.1_enforce_remote_auth.patch] +- Fix to apply unknown_payload patch if fips is disabled (<= 13.1) + and renamed it to use number prefix corresponding with patch nr. + [- strongswan-5.2.2-5.3.0_unknown_payload.patch, + + 0005-strongswan-5.2.2-5.3.0_unknown_payload.patch] + +------------------------------------------------------------------- +Mon Jun 1 16:18:35 UTC 2015 - mt@suse.de + +- Applied upstream fix for a DoS and potential remote code execution + vulnerability through payload type (bsc#931272,CVE-2015-3991) + [+ strongswan-5.2.2-5.3.0_unknown_payload.patch] + +------------------------------------------------------------------- +Mon Jan 5 14:38:46 UTC 2015 - mt@suse.de + +- Updated to strongSwan 5.2.2 providing the following changes: + Changes in version 5.2.2: + * Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange + payload that contains the Diffie-Hellman group 1025. This identifier was + used internally for DH groups with custom generator and prime. Because + these arguments are missing when creating DH objects based on the KE + payload an invalid pointer dereference occurred. This allowed an attacker + to crash the IKE daemon with a single IKE_SA_INIT message containing such + a KE payload. The vulnerability has been registered as CVE-2014-9221. + * The left/rightid options in ipsec.conf, or any other identity in + strongSwan, now accept prefixes to enforce an explicit type, such as + email: or fqdn:. 
Note that no conversion is done for the remaining string, + refer to ipsec.conf(5) for details. + * The post-quantum Bimodal Lattice Signature Scheme (BLISS) can be used as + an IKEv2 public key authentication method. The pki tool offers full + support for the generation of BLISS key pairs and certificates. + * Fixed mapping of integrity algorithms negotiated for AH via IKEv1. + This could cause interoperability issues when connecting to older versions + of charon. + Changes in version 5.2.1: + * The new charon-systemd IKE daemon implements an IKE daemon tailored for + use with systemd. It avoids the dependency on ipsec starter and uses + swanctl as configuration backend, building a simple and lightweight + solution. It supports native systemd journal logging. + * Support for IKEv2 fragmentation as per RFC 7383 has been added. Like IKEv1 + fragmentation it can be enabled by setting fragmentation=yes in ipsec.conf. + * Support of the TCG TNC IF-M Attribute Segmentation specification proposal. + All attributes can be segmented. Additionally TCG/SWID Tag, TCG/SWID Tag ID + and IETF/Installed Packages attributes can be processed incrementally on a + per segment basis. + * The new ext-auth plugin calls an external script to implement custom IKE_SA + authorization logic, courtesy of Vyronas Tsingaras. + * For the vici plugin a ruby gem has been added to allow ruby applications to + control or monitor the IKE daemon. The vici documentation has been updated + to include a description of the available operations and some simple + examples using both the libvici C interface and the ruby gem. + Changes in version 5.2.0: + * strongSwan has been ported to the Windows platform. Using a MinGW toolchain, + many parts of the strongSwan codebase run natively on Windows 7 / 2008 R2 + and newer releases. charon-svc implements a Windows IKE service based on + libcharon, the kernel-iph and kernel-wfp plugins act as networking and IPsec + backend on the Windows platform. 
socket-win provides a native IKE socket + implementation, while winhttp fetches CRL and OCSP information using the + WinHTTP API. + * The new vici plugin provides a Versatile IKE Configuration Interface for + charon. Using the stable IPC interface, external applications can configure, + control and monitor the IKE daemon. Instead of scripting the ipsec tool + and generating ipsec.conf, third party applications can use the new interface + for more control and better reliability. + * Built upon the libvici client library, swanctl implements the first user of + the VICI interface. Together with a swanctl.conf configuration file, + connections can be defined, loaded and managed. swanctl provides a portable, + complete IKE configuration and control interface for the command line. + The first six swanctl example scenarios have been added. + * The SWID IMV implements a JSON-based REST API which allows the exchange + of SWID tags and Software IDs with the strongTNC policy manager. + * The SWID IMC can extract all installed packages from the dpkg (Debian, + Ubuntu, Linux Mint etc.), rpm (Fedora, RedHat, OpenSUSE, etc.), or + pacman (Arch Linux, Manjaro, etc.) package managers, respectively, using + the swidGenerator (https://github.com/strongswan/swidGenerator) which + generates SWID tags according to the new ISO/IEC 19770-2:2014 standard. + * All IMVs now share the access requestor ID, device ID and product info + of an access requestor via a common imv_session object. + * The Attestation IMC/IMV pair supports the IMA-NG measurement format + introduced with the Linux 3.13 kernel. + * The aikgen tool generates an Attestation Identity Key bound to a TPM. + * Implemented the PT-EAP transport protocol (RFC 7171) for Trusted Network + Connect. + * The ipsec.conf replay_window option defines connection specific IPsec + replay windows. Original patch courtesy of Zheng Zhong and Christophe + Gouault from 6Wind. 
+- Adjusted file lists and removed obsolete patches + [- 0005-restore-registration-algorithm-order.bug897512.patch, + - 0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch] +- Adopted/Merged fipscheck patches + [* strongswan_fipscheck.patch, strongswan_fipsfilter.patch] + +------------------------------------------------------------------- +Wed Dec 17 10:15:23 UTC 2014 - mt@suse.de + +- Disallow brainpool elliptic curve groups in fips mode (bnc#856322). + [* strongswan_fipsfilter.patch] + +------------------------------------------------------------------- +Thu Dec 11 10:21:01 UTC 2014 - mt@suse.de + +- Applied an upstream fix for a denial-of-service vulnerability, + which can be triggered by an IKEv2 Key Exchange payload, that + contains the Diffie-Hellman group 1025 (bsc#910491,CVE-2014-9221). + [+ 0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch] +- Adjusted whilelist of approved algorithms in fips mode (bsc#856322). + [* strongswan_fipsfilter.patch] +- Renamed patch file to match it's patch number: + [- 0001-restore-registration-algorithm-order.bug897512.patch, + + 0005-restore-registration-algorithm-order.bug897512.patch] + +------------------------------------------------------------------- +Tue Nov 25 11:22:06 UTC 2014 - mt@suse.de + +- Updated strongswan-hmac package description (bsc#856322). + +------------------------------------------------------------------- +Fri Nov 21 12:03:59 UTC 2014 - mt@suse.de + +- Disabled explicit gpg validation; osc source_validator does it. +- Guarded fipscheck and hmac package in the spec file for >13.1. + +------------------------------------------------------------------- +Thu Nov 20 07:43:43 UTC 2014 - mt@suse.de + +- Added generation of fips hmac hash files using fipshmac utility + and a _fipscheck script to verify binaries/libraries/plugings + shipped in the strongswan-hmac package. 
+ With enabled fips in the kernel, the ipsec script will call it + before any action or in a enforced/manual "ipsec _fipscheck" call. + Added config file to load openssl and kernel af-alg plugins, but + not all the other modules which provide further/alternative algs. + Applied a filter disallowing non-approved algorithms in fips mode. + (fate#316931,bnc#856322). + [+ strongswan_fipscheck.patch, strongswan_fipsfilter.patch] +- Fixed file list in the optional (disabled) strongswan-test package. +- Fixed build of the strongswan built-in integrity checksum library + and enabled building it only on architectures tested to work. +- Fix to use bug number 897048 instead 856322 in last changes entry. +- Applied an upstream patch reverting to store algorithms in the + registration order again as ordering them by identifier caused + weaker algorithms to be proposed first by default (bsc#897512). + [+0001-restore-registration-algorithm-order.bug897512.patch] + +------------------------------------------------------------------- +Fri Sep 26 16:02:09 UTC 2014 - mt@suse.de + +- Re-enabled gcrypt plugin and reverted to not enforce fips again + as this breaks gcrypt and openssl plugins when the fips pattern + option is not installed (fate#316931,bnc#856322). + [- strongswan-fips-disablegcrypt.patch] +- Added empty strongswan-hmac package supposed to provide fips hmac + files and enforce fips compliant operation later (bnc#856322). +- Cleaned up conditional build flags in the rpm spec file. 
+
+-------------------------------------------------------------------
+Thu Jul 3 13:39:45 UTC 2014 - meissner@suse.com
+
+- disable gcrypt plugin by default, so it will only use openssl
+ fate#316931 [+strongswan-fips-disablegcrypt.patch]
+- enable fips mode 2
+
+-------------------------------------------------------------------
+Fri Jun 20 17:38:07 UTC 2014 - crrodriguez@opensuse.org
+
+- Fix build in factory
+* Do not include var/run directories in package
+* Move runtime data to /run and provide tmpfiles.d snippet
+* Add proper systemd macros to rpm scriptlets.
+* Do not buildRequire library package libnl1, it is not used.
+
+-------------------------------------------------------------------
+Mon Apr 14 23:36:07 UTC 2014 - mt@suse.de
+
+- Updated to strongSwan 5.1.3 providing the following changes:
+ - Fixed an authentication bypass vulnerability triggered by rekeying
+ an unestablished IKEv2 SA while it gets actively initiated. This
+ allowed an attacker to trick a peer's IKE_SA state to established,
+ without the need to provide any valid authentication credentials.
+ (CVE-2014-2338, bnc#870572).
+ - The acert plugin evaluates X.509 Attribute Certificates. Group
+ membership information encoded as strings can be used to fulfill
+ authorization checks defined with the rightgroups option.
+ Attribute Certificates can be loaded locally or get exchanged in
+ IKEv2 certificate payloads.
+ - The pki command gained support to generate X.509 Attribute
+ Certificates using the --acert subcommand, while the --print
+ command supports the ac type. The openac utility has been removed
+ in favor of the new pki functionality.
+ - The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other
+ protocols has been extended by AEAD mode support, currently limited
+ to AES-GCM.
+ - Fixed an issue where CRL/OCSP trustchain validation broke enforcing
+ CA constraints
+ - Limited OCSP signing to specific certificates to improve performance
+ - authKeyIdentifier is not added to self-signed certificates anymore
+ - Fixed the comparison of IKE configs if only the cipher suites were
+ different
+
+-------------------------------------------------------------------
+Wed Apr 2 05:53:21 UTC 2014 - mt@suse.de
+
+- Updated to strongSwan 5.1.2 providing the following changes:
+ - A new default configuration file layout is introduced. The new
+ default strongswan.conf file mainly includes config snippets from
+ the strongswan.d and strongswan.d/charon directories (the latter
+ containing snippets for all plugins). The snippets, with commented
+ defaults, are automatically generated and installed, if they don't
+ exist yet. Also installed in $prefix/share/strongswan/templates so
+ existing files can be compared to the current defaults.
+ - As an alternative to the non-extensible charon.load setting, the
+ plugins to load in charon (and optionally other applications) can
+ now be determined via the charon.plugins..load setting for
+ each plugin (enabled in the new default strongswan.conf file via the
+ charon.load_modular option). The load setting optionally takes a
+ numeric priority value that allows reordering the plugins (otherwise
+ the default plugin order is preserved).
+ - All strongswan.conf settings that were formerly defined in library
+ specific "global" sections are now application specific (e.g.
+ settings for plugins in libstrongswan.plugins can now be set only
+ for charon in charon.plugins). The old options are still supported,
+ which now allows to define defaults for all applications in the
+ libstrongswan section.
+ - The ntru libstrongswan plugin supports NTRUEncrypt as a post-quantum
+ computer IKE key exchange mechanism. The implementation is based on
+ the ntru-crypto library from the NTRUOpenSourceProject.
+ The supported security strengths are ntru112, ntru128, ntru192, and
+ ntru256. Since the private DH group IDs 1030..1033 have been
+ assigned, the strongSwan Vendor ID must be sent in order to use NTRU
+ (charon.send_vendor_id = yes).
+ - Defined a TPMRA remote attestation workitem and added support for it
+ to the Attestation IMV.
+ - Compatibility issues between IPComp (compress=yes) and
+ leftfirewall=yes as well as multiple subnets in left|rightsubnet
+ have been fixed.
+ - When enabling its "session" strongswan.conf option, the xauth-pam
+ plugin opens and closes a PAM session for each established IKE_SA.
+ Patch courtesy of Andrea Bonomi.
+ - The strongSwan unit testing framework has been rewritten without the
+ "check" dependency for improved flexibility and portability. It now
+ properly supports multi-threaded and memory leak testing and brings
+ a bunch of new test cases.
+
+-------------------------------------------------------------------
+Fri Nov 1 12:28:39 UTC 2013 - mt@suse.de
+
+- Updated to strongSwan 5.1.1 minor release addressing two security
+ fixes (bnc#847506,CVE-2013-6075, bnc#847509,CVE-2013-6076):
+ - Fixed a denial-of-service vulnerability and potential authorization
+ bypass triggered by a crafted ID_DER_ASN1_DN ID payload. The cause
+ is an insufficient length check when comparing such identities. The
+ vulnerability has been registered as CVE-2013-6075.
+ - Fixed a denial-of-service vulnerability triggered by a crafted IKEv1
+ fragmentation payload. The cause is a NULL pointer dereference. The
+ vulnerability has been registered as CVE-2013-6076.
+ - The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS
+ session with a strongSwan policy enforcement point which uses the
+ tnc-pdp charon plugin.
+ - The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests
+ for either full SWID Tag or concise SWID Tag ID inventories.
+ - The XAuth backend in eap-radius now supports multiple XAuth
+ exchanges for different credential types and display messages.
+ All user input gets concatenated and verified with a single
+ User-Password RADIUS attribute on the AAA. With an AAA supporting
+ it, one for example can implement Password+Token authentication with
+ proper dialogs on iOS and OS X clients. - charon supports IKEv1 Mode
+ Config exchange in push mode. The ipsec.conf modeconfig=push option
+ enables it for both client and server, the same way as pluto used it.
+ - Using the "ah" ipsec.conf keyword on both IKEv1 and IKEv2
+ connections, charon can negotiate and install Security Associations
+ integrity-protected by the Authentication Header protocol. Supported
+ are plain AH(+IPComp) SAs only, but not the deprecated RFC2401 style
+ ESP+AH bundles.
+ - The generation of initialization vectors for IKE and ESP (when using
+ libipsec) is now modularized and IVs for e.g. AES-GCM are now correctly
+ allocated sequentially, while other algorithms like AES-CBC still
+ use random IVs.
+ - The left and right options in ipsec.conf can take multiple address
+ ranges and subnets. This allows connection matching against a larger
+ set of addresses, for example to use a different connection for clients
+ connecting from a internal network.
+ - For all those who have a queasy feeling about the NIST elliptic curve
+ set, the Brainpool curves introduced for use with IKE by RFC 6932 might
+ be a more trustworthy alternative.
+ - The kernel-libipsec userland IPsec backend now supports usage
+ statistics, volume based rekeying and accepts ESPv3 style TFC padded
+ packets.
+ - With two new strongswan.conf options fwmarks can be used to implement
+ host-to-host tunnels with kernel-libipsec.
+ - load-tester supports transport mode connections and more complex
+ traffic selectors, including such using unique ports for each tunnel.
+ - The new dnscert plugin provides support for authentication via CERT
+ RRs that are protected via DNSSEC. The plugin was created by Ruslan
+ N. Marchenko.
+ - The eap-radius plugin supports forwarding of several Cisco Unity
+ specific RADIUS attributes in corresponding configuration payloads.
+ - Database transactions are now abstracted and implemented by the two
+ backends. If you use MySQL make sure all tables use the InnoDB engine.
+ - libstrongswan now can provide an experimental custom implementation
+ of the printf family functions based on klibc if neither Vstr nor
+ glibc style printf hooks are available. This can avoid the Vstr
+ dependency on some systems at the cost of slower and less complete
+ printf functions.
+- Adjusted file lists: this version installs the pki utility and manuals
+ in common /usr directories and additional ipsec/pt-tls-client helper.
+
+-------------------------------------------------------------------
+Mon Aug 5 13:48:11 UTC 2013 - mt@suse.de
+
+- Updated to strongSwan 5.1.0 release (bnc#833278, CVE-2013-5018):
+ - Fixed a denial-of-service vulnerability triggered by specific XAuth
+ usernames and EAP identities (since 5.0.3), and PEM files (since
+ 4.1.11). The crash was caused by insufficient error handling in the
+ is_asn1() function. The vulnerability has been registered as
+ CVE-2013-5018.
+ - The new charon-cmd command line IKE client can establish road
+ warrior connections using IKEv1 or IKEv2 with different
+ authentication profiles. It does not depend on any configuration
+ files and can be configured using a few simple command line options.
+ - The kernel-pfroute networking backend has been greatly improved.
+ It now can install virtual IPs on TUN devices on OS X and FreeBSD,
+ allowing these systems to act as a client in common road warrior
+ scenarios.
+ - The new kernel-libipsec plugin uses TUN devices and libipsec to
+ provide IPsec processing in userland on Linux, FreeBSD and Mac OS X.
+ - The eap-radius plugin can now serve as an XAuth backend called
+ xauth-radius, directly verifying XAuth credentials using RADIUS
+ User-Name/User-Password attributes. This is more efficient than the
+ existing xauth-eap+eap-radius combination, and allows RADIUS servers
+ without EAP support to act as AAA backend for IKEv1.
+ - The new osx-attr plugin installs configuration attributes (currently
+ DNS servers) via SystemConfiguration on Mac OS X. The keychain
+ plugin provides certificates from the OS X keychain service.
+ - The sshkey plugin parses SSH public keys, which, together with the
+ --agent option for charon-cmd, allows the use of ssh-agent for
+ authentication. To configure SSH keys in ipsec.conf the
+ left|rightrsasigkey options are replaced with left|rightsigkey,
+ which now take public keys in one of three formats: SSH (RFC 4253,
+ ssh: prefix), DNSKEY (RFC 3110, dns: prefix), and PKCS#1 (the
+ default, no prefix).
+ - Extraction of certificates and private keys from PKCS#12 files is
+ now provided by the new pkcs12 plugin or the openssl plugin.
+ charon-cmd (--p12) as well as charon (via P12 token in
+ ipsec.secrets) can make use of this.
+ - IKEv2 can now negotiate transport mode and IPComp in NAT situations.
+ - IKEv2 exchange initiators now properly close an established IKE or
+ CHILD_SA on error conditions using an additional exchange, keeping
+ state in sync between peers.
+ - Using a SQL database interface a Trusted Network Connect (TNC)
+ Policy Manager can generate specific measurement workitems for an
+ arbitrary number of Integrity Measurement Verifiers (IMVs) based on
+ the history of the VPN user and/or device.
+ - Several core classes in libstrongswan are now tested with unit
+ tests. These can be enabled with --enable-unit-tests and run with
+ 'make check'.
+ Coverage reports can be generated with --enable-coverage and 'make
+ coverage' (this disables any optimization, so it should not be
+ enabled when building production releases).
+ - The leak-detective developer tool has been greatly improved. It
+ works much faster/stabler with multiple threads, does not use
+ deprecated malloc hooks anymore and has been ported to OS X.
+ - chunk_hash() is now based on SipHash-2-4 with a random key. This
+ provides better distribution and prevents hash flooding attacks
+ when used with hashtables.
+ - All default plugins implement the get_features() method to define
+ features and their dependencies. The plugin loader has been
+ improved, so that plugins in a custom load statement can be ordered
+ freely or to express preferences without being affected by
+ dependencies between plugin features.
+ - A centralized thread can take care for watching multiple file
+ descriptors concurrently. This removes the need for a dedicated
+ listener threads in various plugins. The number of "reserved"
+ threads for such tasks has been reduced to about five, depending on
+ the plugin configuration.
+ - Plugins that can be controlled by a UNIX socket IPC mechanism gained
+ network transparency. Third party applications querying these
+ plugins now can use TCP connections from a different host.
+ - libipsec now supports AES-GCM.
+
+-------------------------------------------------------------------
+Tue Apr 30 12:48:44 UTC 2013 - mt@suse.de
+
+- Updated to strongSwan 5.0.4 release (bnc#815236, CVE-2013-2944):
+ - Fixed a security vulnerability in the openssl plugin which was
+ reported by Kevin Wojtysiak. The vulnerability has been registered
+ as CVE-2013-2944. Before the fix, if the openssl plugin's ECDSA
+ signature verification was used, due to a misinterpretation of the
+ error code returned by the OpenSSL ECDSA_verify() function, an empty
+ or zeroed signature was accepted as a legitimate one. Refer to our
+ blog for details.
+ - The handling of a couple of other non-security relevant OpenSSL
+ return codes was fixed as well.
+ - The tnc_ifmap plugin now publishes virtual IPv4 and IPv6 addresses
+ via its TCG TNC IF-MAP 2.1 interface.
+ - The charon.initiator_only strongswan.conf option causes charon to
+ ignore IKE initiation requests.
+ - The openssl plugin can now use the openssl-fips library.
+ The version 5.0.3 provides new ipseckey plugin, enabling authentication
+ based on trustworthy public keys stored as IPSECKEY resource records in
+ the DNS and protected by DNSSEC and new openssl plugin using the AES-NI
+ accelerated version of AES-GCM if the hardware supports it.
+ See http://wiki.strongswan.org/projects/strongswan/wiki/Changelog50
+ for a list of all changes since the 5.0.1 release.
+
+-------------------------------------------------------------------
+Thu Nov 29 19:13:40 CET 2012 - sbrabec@suse.cz
+
+- Verify GPG signature.
+
+-------------------------------------------------------------------
+Fri Nov 16 04:02:32 UTC 2012 - crrodriguez@opensuse.org
+
+- Fix systemd unit dir
+
+-------------------------------------------------------------------
+Wed Oct 31 15:25:16 UTC 2012 - mt@suse.de
+
+- Updated to strongSwan 5.0.1 release. Changes digest:
+ - Introduced the sending of the standard IETF Assessment Result
+ PA-TNC attribute by all strongSwan Integrity Measurement Verifiers.
+ - Extended PTS Attestation IMC/IMV pair to provide full evidence of
+ the Linux IMA measurement process. All pertinent file information
+ of a Linux OS can be collected and stored in an SQL database.
+ - The PA-TNC and PB-TNC protocols can now process huge data payloads.
+ - The xauth-pam backend can authenticate IKEv1 XAuth and Hybrid
+ authenticated clients against any PAM service.
+ - The new unity plugin brings support for some parts of the IKEv1
+ Cisco Unity Extensions.
+ - The kernel-netlink plugin supports the new strongswan.conf option
+ charon.install_virtual_ip_on.
+ - Job handling in controller_t was fixed, which occasionally caused
+ crashes on ipsec up/down.
+ - Fixed transmission EAP-MSCHAPv2 user name if it contains a domain
+ part.
+ Changes digest from strongSwan 5.0.0 version:
+ * The charon IKE daemon gained experimental support for the IKEv1
+ protocol. Pluto has been removed from the 5.x series.
+ * The NetworkManager charon plugin of previous releases is now
+ provided by a separate executable (charon-nm) and it should work
+ again with NM 0.9.
+ * scepclient was updated and it now works fine with Windows Server
+ 2008 R2.
+ For full list of the changes, please read the NEWS file shipped
+ in the strongswan-doc package or online:
+ http://wiki.strongswan.org/projects/strongswan/wiki/Changelog50
+- Adopted spec file, enabled several plugins, e.g.: ccm, certexpire,
+ coupling, ctr, duplicheck, eap-dynamic, eap-peap, eap-tls, eap-tnc,
+ eap-ttls, gcm, nonce, radattr, tnc, tnccs, unity, xauth-eap and pam.
+- Changed to install strongswan.service with alias to ipsec.service
+ instead of the /etc/init.d/ipsec init script on openSUSE > 12.2.
+
+-------------------------------------------------------------------
+Fri Sep 7 08:36:57 UTC 2012 - mt@suse.de
+
+- Applied upstream patch adjusting an internal thread id causing
+ charon keying daemon start failure (bnc#779038,strongswan#198):
+ openssl: Ensure the thread ID is never zero
+ This might otherwise cause problems because OpenSSL tries to
+ lock mutexes recursively if it assumes the lock is held by a
+ different thread e.g. during FIPS initialization.
+ See http://wiki.strongswan.org/issues/198 for more informations.
+
+-------------------------------------------------------------------
+Thu May 31 16:08:43 UTC 2012 - mt@suse.com
+
+- Updated to strongSwan 4.6.4 release:
+ - Fixed a security vulnerability in the gmp plugin. If this
+ plugin was used for RSA signature verification an empty or
+ zeroed signature was handled as a legitimate one
+ (bnc#761325, CVE-2012-2388).
+ - Fixed several issues with reauthentication and address updates.
+
+-------------------------------------------------------------------
+Thu May 10 09:15:38 UTC 2012 - mt@suse.com
+
+- Updated to strongSwan 4.6.3 release:
+ - The tnc-pdp plugin implements a RADIUS server interface allowing
+ a strongSwan TNC server to act as a Policy Decision Point.
+ - The eap-radius authentication backend enforces Session-Timeout
+ attributes using RFC4478 repeated authentication and acts upon
+ RADIUS Dynamic Authorization extensions, RFC 5176. Currently
+ supported are disconnect requests and CoA messages containing
+ a Session-Timeout.
+ - The eap-radius plugin can forward arbitrary RADIUS attributes
+ from and to clients using custom IKEv2 notify payloads. The new
+ radattr plugin reads attributes to include from files and prints
+ received attributes to the console.
+ - Added support for untruncated MD5 and SHA1 HMACs in ESP as used
+ in RFC 4595.
+ - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128
+ algorithms as defined in RFC 4494 and RFC 4615, respectively.
+ - The resolve plugin automatically installs nameservers via
+ resolvconf(8), if it is installed, instead of modifying
+ /etc/resolv.conf directly.
+ - The IKEv2 charon daemon supports now raw RSA public keys in RFC
+ 3110 DNSKEY and PKCS#1 file format.
+ - The farp plugin sends ARP responses for any tunneled address,
+ not only virtual IPs.
+ - Charon resolves hosts again during additional keying tries.
+ - Fixed switching back to original address pair during MOBIKE.
+ - When resending IKE_SA_INIT with a COOKIE charon reuses the previous
+ DH value, as specified in RFC 5996.
+ This has an effect on the lifecycle of diffie_hellman_t, see
+ source:src/libcharon/sa/keymat.h#39 for details.
+ - COOKIEs are now kept enabled a bit longer to avoid certain race
+ conditions the commit message to 1b7debcc has some details.
+ - The new stroke user-creds command allows to set username/password
+ for a connection.
+ - strongswan.conf option added to set identifier for syslog(3) logging.
+ - Added a workaround for null-terminated XAuth secrets (as sent by
+ Android 4).
+
+-------------------------------------------------------------------
+Sat Mar 3 00:10:34 UTC 2012 - tabraham@novell.com
+
+- Updated to strongSwan 4.6.2 release:
+ Changes in 4.6.2:
+ - Upgraded the TCG IF-IMC and IF-IMV C API to the upcoming version 1.3
+ which supports IF-TNCCS 2.0 long message types, the exclusive flags
+ and multiple IMC/IMV IDs. Both the TNC Client and Server as well as
+ the "Test", "Scanner", and "Attestation" IMC/IMV pairs were updated.
+ - Fully implemented the "TCG Attestation PTS Protocol: Binding to IF-M"
+ standard (TLV-based messages only). TPM-based remote attestation of
+ Linux IMA (Integrity Measurement Architecture) possible. Measurement
+ reference values are automatically stored in an SQLite database.
+ - The EAP-RADIUS authentication backend supports RADIUS accounting. It sends
+ start/stop messages containing Username, Framed-IP and Input/Output-Octets
+ attributes and has been tested against FreeRADIUS and Microsoft NPS.
+ - Added support for PKCS#8 encoded private keys via the libstrongswan
+ pkcs8 plugin. This is the default format used by some OpenSSL tools since
+ version 1.0.0 (e.g. openssl req with -keyout).
+ - Added session resumption support to the strongSwan TLS stack.
+
+-------------------------------------------------------------------
+Wed Feb 15 13:31:40 UTC 2012 - mt@suse.com
+
+- Updated to strongSwan 4.6.1 release:
+ Changes in 4.6.1:
+ - Because of changing checksums before and after installation which caused
+ the integrity tests to fail we avoided directly linking libsimaka,
+ libtls and libtnccs to those libcharon plugins which make use of these
+ dynamiclibraries.
+ Instead we linked the libraries to the charon daemon. Unfortunately
+ Ubuntu 11.10 activated the --as-needed ld option which discards explicit
+ links to dynamic libraries that are not actually used by the charon
+ daemon itself, thus causing failures during the loading of the plugins
+ which depend on these libraries for resolving external symbols.
+ - Therefore our approach of computing integrity checksums for plugins had
+ to be changed radically by moving the hash generation from the
+ compilation to the post-installation phase.
+ Changes in 4.6.0:
+ - The new libstrongswan certexpire plugin collects expiration information
+ of all used certificates and exports them to CSV files. It either
+ directly exports them or uses cron style scheduling for batch exports.
+ - Starter passes unresolved hostnames to charon, allowing it to do name
+ resolution not before the connection attempt. This is especially useful
+ with connections between hosts using dynamic IP addresses.
+ Thanks to Mirko Parthey for the initial patch.
+ - The android plugin can now be used without the Android frontend patch
+ and provides DNS server registration and logging to logcat.
+ - Pluto and starter (plus stroke and whack) have been ported to Android.
+ - Support for ECDSA private and public key operations has been added to
+ the pkcs11 plugin. The plugin now also provides DH and ECDH via PKCS#11
+ and can use tokens as random number generators (RNG). By default only
+ private key operations are enabled, more advanced features have to be
+ enabled by their option in strongswan.conf. This also applies to public
+ key operations (even for keys not stored on the token) which were
+ enabled by default before.
+ - The libstrongswan plugin system now supports detailed plugin
+ dependencies. Many plugins have been extended to export its capabilities
+ and requirements. This allows the plugin loader to resolve plugin
+ loading order automatically, and in future releases, to dynamically load
+ the required features on demand.
+ Existing third party plugins are source (but not binary) compatible if
+ they properly initialize the new get_features() plugin function to NULL.
+ - The tnc-ifmap plugin implements a TNC IF-MAP 2.0 client which can
+ deliver metadata about IKE_SAs via a SOAP interface to a MAP server.
+ The tnc-ifmap plugin requires the Apache Axis2/C library.
+- Merged patches, changed strongswan-doc to be a noarch package.
+- Fixed rpmlint runlevel & fsf warnings, updated rpmlintrc
+
+-------------------------------------------------------------------
+Mon Feb 6 10:27:00 UTC 2012 - aj@suse.de
+
+- Only glib.h can be included, fix compilation.
+
+-------------------------------------------------------------------
+Wed Dec 21 10:31:49 UTC 2011 - coolo@suse.com
+
+- remove call to suse_update_config (very old work around)
+
+-------------------------------------------------------------------
+Mon Sep 12 09:26:51 UTC 2011 - coolo@suse.com
+
+- remove _service file, too fragile
+
+-------------------------------------------------------------------
+Mon Sep 12 08:24:36 UTC 2011 - mt@suse.com
+
+- Fixed version in last changelog entry
+
+-------------------------------------------------------------------
+Thu Sep 8 16:06:46 UTC 2011 - mt@suse.com
+
+- Updated to strongSwan 4.5.3 release, changes overview since 4.5.2:
+ * Our private libraries (e.g. libstrongswan) are not installed directly in
+ prefix/lib anymore. Instead a subdirectory is used (prefix/lib/ipsec/ by
+ default). The plugins directory is also moved from libexec/ipsec/ to that
+ directory.
+ * The dynamic IMC/IMV libraries were moved from the plugins directory to
+ a new imcvs directory in the prefix/lib/ipsec/ subdirectory.
+ * Job priorities were introduced to prevent thread starvation caused by too
+ many threads handling blocking operations (such as CRL fetching).
+ * Two new strongswan.conf options allow to fine-tune performance on IKEv2
+ gateways by dropping IKE_SA_INIT requests on high load.
+ * IKEv2 charon daemon supports PASS and DROP shunt policies
+ preventing traffic to go through IPsec connections. Installation of the
+ shunt policies either via the XFRM netfilter or PFKEYv2 IPsec kernel
+ interfaces.
+ * The history of policies installed in the kernel is now tracked so that e.g.
+ trap policies are correctly updated when reauthenticated SAs are terminated.
+ * IMC/IMV Scanner pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
+ Using "netstat -l" the IMC scans open listening ports on the TNC client
+ and sends a port list to the IMV which based on a port policy decides if
+ the client is admitted to the network.
+ * IMC/IMV Test pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
+ * The IKEv2 close action does not use the same value as the ipsec.conf dpdaction
+ setting, but the value defined by its own closeaction keyword. The action
+ is triggered if the remote peer closes a CHILD_SA unexpectedly.
+- Fixed some fmt warnings in libchecksum, adopted paths in the spec file
+
+-------------------------------------------------------------------
+Sun May 29 16:37:00 UTC 2011 - jcnengel@googlemail.com
+
+- Updated to strongSwan 4.5.2 release, changes overview since 4.5.1:
+ * The whitelist plugin for the IKEv2 daemon maintains an in-memory identity
+ whitelist. Any connection attempt of peers not whitelisted will get rejected.
+ The 'ipsec whitelist' utility provides a simple command line frontend for
+ whitelist administration.
+ * The duplicheck plugin provides a specialized form of duplicate checking,
+ doing a liveness check on the old SA and optionally notify a third party
+ application about detected duplicates.
+ * The coupling plugin permanently couples two or more devices by limiting
+ authentication to previously used certificates.
+ * In the case that the peer config and child config don't have the same name
+ (usually in SQL database defined connections), ipsec up|route
+ starts|routes all associated child configs and ipsec up|route
+ only starts|routes the specific child config.
+ * fixed the encoding and parsing of X.509 certificate policy statements (CPS).
+ * Duncan Salerno contributed the eap-sim-pcsc plugin implementing a
+ pcsc-lite based SIM card backend.
+ * The eap-peap plugin implements the EAP PEAP protocol. Interoperates
+ successfully with a FreeRADIUS server and Windows 7 Agile VPN clients.
+ * The IKEv2 daemon charon rereads strongswan.conf on SIGHUP and instructs
+ all plugins to reload. Currently only the eap-radius and the attr plugins
+ support configuration reloading.
+ * Added userland support to the IKEv2 daemon for Extended Sequence Numbers
+ support coming with Linux 2.6.39. To enable ESN on a connection, add
+ the 'esn' keyword to the proposal. The default proposal uses 32-bit sequence
+ numbers only ('noesn'), and the same value is used if no ESN mode is
+ specified. To negotiate ESN support with the peer, include both, e.g.
+ esp=aes128-sha1-esn-noesn.
+ * In addition to ESN, Linux 2.6.39 gained support for replay windows larger
+ than 32 packets. The new global strongswan.conf option 'charon.replay_window'
+ configures the size of the replay window, in packets.
+
+-------------------------------------------------------------------
+Mon Mar 14 10:59:32 UTC 2011 - mt@suse.de
+
+- Updated to strongSwan 4.5.1 release, changes overview since 4.5.0:
+ * Implements RFC 5793 Posture Broker Protocol (BP)
+ * Re-implemented TNCCS 1.1 protocol
+ * Allows to store IKE and ESP proposals in an SQL database
+ * Allows to store CRL and OCSP cert points in an SQL database
+ * New 'include' statement in strongswan.conf allows recursions
+ * Modifications of strongswan.conf parser, cause syntax attr plugin
+ syntax changes.
+ * ipsec listalgs now appends the plugin registering an algo
+ * Adds support for Traffic Flow Confidentiality with Linux 2.6.38
+ * New af-alg plugin allows to use new primitives in 2.6.38 crypto api
+ and removes the need for additional userland implementations.
+ * IKEv2 daemon supports the INITIAL_CONTACT notify
+ * conftest conformance testing framework
+ * new constraints plugin provides advanced X.509 constraint checking
+ * left/rightauth ipsec.conf keywords accept minimum strengths
+ * basic support for delta CRLs
+ See the NEWS file or http://download.strongswan.org/CHANGES4.txt
+ for a detailed description of the changes.
+
+-------------------------------------------------------------------
+Mon Nov 22 09:05:30 UTC 2010 - mt@suse.de
+
+- Cleaned up spec file; use with_mysql,sqlite,gcrypt,nm flags
+- Disabled tests sub-package with load-tester and test-vectors
+ plugins by default using a with_tests flag (causes load error
+ in "ipsec pki" when enabled but the package is not installed).
+
+-------------------------------------------------------------------
+Tue Nov 16 12:01:46 UTC 2010 - mt@suse.de
+
+- Updated to strongSwan 4.5.0 release, changes since 4.4.1 are:
+ * IMPORTANT: the default keyexchange mode 'ike' is changing with
+ release 4.5 from 'ikev1' to 'ikev2', thus commemorating the five
+ year anniversary of the IKEv2 RFC 4306 and its mature successor
+ RFC 5996. The time has definitively come for IKEv1 to go into
+ retirement and to cede its place to the much more robust, powerful
+ and versatile IKEv2 protocol!
+ * Added new ctr, ccm and gcm plugins providing Counter, Counter
+ with CBC-MAC and Galois/Counter Modes based on existing CBC
+ implementations. These new plugins bring support for AES and
+ Camellia Counter and CCM algorithms and the AES GCM algorithms
+ for use in IKEv2.
+ * The new pkcs11 plugin brings full Smartcard support to the IKEv2
+ daemon and the pki utility using one or more PKCS#11 libraries. It
+ currently supports RSA private and public key operations and loads
+ X.509 certificates from tokens.
+ * Implemented a general purpose TLS stack based on crypto and
+ credential primitives of libstrongswan. libtls supports TLS
+ versions 1.0, 1.1 and 1.2, ECDHE-ECDSA/RSA, DHE-RSA and RSA key
+ exchange algorithms and RSA/ECDSA based client authentication.
+ * Based on libtls, the eap-tls plugin brings certificate based EAP
+ authentication for client and server. It is compatible to Windows
+ 7 IKEv2 Smartcard authentication and the OpenSSL based FreeRADIUS
+ EAP-TLS backend.
+ * Implemented the TNCCS 1.1 Trusted Network Connect protocol using
+ the libtnc library on the strongSwan client and server side via
+ the tnccs_11 plugin and optionally connecting to a TNC@FHH-enhanced
+ FreeRADIUS AAA server. Depending on the resulting TNC Recommendation,
+ strongSwan clients are granted access to a network behind a
+ strongSwan gateway (allow), are put into a remediation zone (isolate)
+ or are blocked (none), respectively.
+ Any number of Integrity Measurement Collector/Verifier pairs can be
+ attached via the tnc-imc and tnc-imv charon plugins.
+ * The IKEv1 daemon pluto now uses the same kernel interfaces as the
+ IKEv2 daemon charon. As a result of this, pluto now supports xfrm
+ marks which were introduced in charon with 4.4.1.
+ * The RADIUS plugin eap-radius now supports multiple RADIUS servers
+ for redundant setups. Servers are selected by a defined priority,
+ server load and availability.
+ * The simple led plugin controls hardware LEDs through the Linux LED
+ subsystem. It currently shows activity of the IKE daemon and is a
+ good example how to implement a simple event listener.
+ * Improved MOBIKE behavior in several corner cases, for instance,
+ if the initial responder moves to a different address.
+ * Fixed left-/rightnexthop option, which was broken since 4.4.0.
+ * Fixed a bug not releasing a virtual IP address to a pool if the
+ XAUTH identity was different from the IKE identity.
+ * Fixed the alignment of ModeConfig messages on 4-byte boundaries
+ in the case where the attributes are not a multiple of 4 bytes
+ (e.g. Cisco's UNITY_BANNER).
+ * Fixed the interoperability of the socket_raw and socket_default
+ charon plugins.
+ * Added man page for strongswan.conf
+- Adopted spec file, removed obsolete error range patch.
+
+-------------------------------------------------------------------
+Tue Aug 10 11:43:38 UTC 2010 - mt@suse.de
+
+- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
+ * Support of xfrm marks in IPsec SAs and IPsec policies introduced
+ with the Linux 2.6.34 kernel.
+ For details see the example scenarios ikev2/nat-two-rw-mark,
+ ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
+ * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
+ used in a user-specific updown script to set marks on inbound ESP
+ or ESP_IN_UDP packets.
+ * The openssl plugin now supports X.509 certificate and CRL functions.
+ * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
+ enabled by default.
+ Plase update manual load directives in strongswan.conf.
+ * RFC3779 ipAddrBlock constraint checking has been moved to the
+ addrblock plugin, disabled by default. Enable it and update manual
+ load directives in strongswan.conf, if required.
+ * The pki utility supports CRL generation using the --signcrl command.
+ * The ipsec pki --self, --issue and --req commands now support output
+ in PEM format using the --outform pem option.
+ * The major refactoring of the IKEv1 Mode Config functionality now
+ allows the transport and handling of any Mode Config attribute.
+ * The RADIUS proxy plugin eap-radius now supports multiple servers.
+ Configured servers are chosen randomly, with the option to prefer
+ a specific server. Non-responding servers are degraded by the
+ selection process.
+ * The ipsec pool tool manages arbitrary configuration attributes
+ stored in an SQL database. ipsec pool --help gives the details.
+ * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
+ EAP-AKA, reading triplets/quintuplets from an SQL database.
+ * The High Availability plugin now supports a HA enabled in-memory
+ address pool and Node reintegration without IKE_SA rekeying. The
+ latter allows clients without IKE_SA rekeying support to keep
+ connected during reintegration. Additionally, many other issues
+ have been fixed in the ha plugin.
+ * Fixed a potential remote code execution vulnerability resulting
+ from the misuse of snprintf(). The vulnerability is exploitable
+ by unauthenticated users.
+- Removed obsolete snprintf security fix, adopted spec file
+- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
+ eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
+- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
+ that are packaged into separate mysql,sqlite,tests sub packages.
+- Disabled sqlite plugin on SLE-10 -- sqlite3 lib is too old there.
+- Applied patch by Jiri Bohac fixing error-type range in parsing of
+ NOTIFY payloads (RFC 4306, section 3.10.1).
+
+-------------------------------------------------------------------
+Fri Jul 2 15:40:17 UTC 2010 - mt@suse.de
+
+- Applied upstream patch fixing snprintf flaws in the strongSwan
+ IKE daemons exploitable by unauthenticated attackers using a
+ crafted certificate or identification payload (bnc#615915).
+
+-------------------------------------------------------------------
+Fri Jul 2 14:16:18 UTC 2010 - mt@suse.de
+
+- Added README.SUSE to source list in the spec file.
+
+-------------------------------------------------------------------
+Fri May 14 19:19:04 UTC 2010 - mt@suse.de
+
+- Updated to strongSwan 4.4.0 release, changes since 4.3.6 are:
+ * The IKEv2 High Availability plugin has been integrated. It
+ provides load sharing and failover capabilities in a cluster of
+ currently two nodes, based on an extend ClusterIP kernel module.
+ More information is available at
+ http://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability.
+ The development of the High Availability functionality was sponsored
+ by secunet Security Networks AG.
+ * Added IKEv1 and IKEv2 configuration support for the AES-GMAC
+ authentication-only ESP cipher. Our aes_gmac kernel patch or a Linux
+ 2.6.34 kernel is required to make AES-GMAC available via the XFRM
+ kernel interface.
+ * Added support for Diffie-Hellman groups 22, 23 and 24 to the gmp,
+ gcrypt and openssl plugins, usable by both pluto and charon. The new
+ proposal keywords are modp1024s160, modp2048s224 and modp2048s256.
+ Thanks to Joy Latten from IBM for her contribution.
+ * The IKEv1 pluto daemon supports RAM-based virtual IP pools using
+ the rightsourceip directive with a subnet from which addresses
+ are allocated.
+ * The ipsec pki --gen and --pub commands now allow the output of
+ private and public keys in PEM format using the --outform pem
+ command line option.
+ * The new DHCP plugin queries virtual IP addresses for clients from
+ a DHCP server using broadcasts, or a defined server using the
+ charon.plugins.dhcp.server strongswan.conf option. DNS/WINS server
+ information is additionally served to clients if the DHCP server
+ provides such information. The plugin is used in ipsec.conf
+ configurations having rightsourceip set to %dhcp.
+ * A new plugin called farp fakes ARP responses for virtual IP
+ addresses handed out to clients from the IKEv2 daemon charon. The
+ plugin lets a road-warrior act as a client on the local LAN if it
+ uses a virtual IP from the responders subnet, e.g. acquired using
+ the DHCP plugin.
+ * The existing IKEv2 socket implementations have been migrated to
+ the socket-default and the socket-raw plugins. The new
+ socket-dynamic plugin binds sockets dynamically to ports configured
+ via the left-/rightikeport ipsec.conf connection parameters.
+ * The android charon plugin stores received DNS server information
+ as "net.dns" system properties, as used by the Android platform.
+- Splitted package into strongswan-ipsec, that install the traditional
+ ipsec service starter scripts, -ikev1 and -ikev2 installing daemons
+ and -libs0, that contains the library and plugins.
+- Enabled dhcp, farp, ha, socket-dynamic, agent, eap and sql plugins.
+- Enabled NetworkManager nm plugin in a separate strongswan-nm package.
+
+-------------------------------------------------------------------
+Tue Mar 2 21:42:10 CET 2010 - mt@suse.de
+
+- Updated to strongSwan 4.3.6 release, changes since 4.3.4 are:
+ * The IKEv2 daemon supports RFC 3779 IP address block constraints
+ carried as a critical X.509v3 extension in the peer certificate.
+ * The ipsec pool --add|del dns|nbns command manages DNS and NBNS
+ name server entries that are sent via the IKEv1 Mode Config or
+ IKEv2 Configuration Payload to remote clients.
+ * The Camellia cipher can be used as an IKEv1 encryption algorithm.
+ * The IKEv1 and IKEV2 daemons now check certificate path length
+ constraints.
+ * The new ipsec.conf conn option "inactivity" closes a CHILD_SA if
+ no traffic was sent or received within the given interval. To close
+ the complete IKE_SA if its only CHILD_SA was inactive, set the
+ global strongswan.conf option "charon.inactivity_close_ike" to yes.
+ * More detailed IKEv2 EAP payload information in debug output
+ * IKEv2 EAP-SIM and EAP-AKA share joint libsimaka library
+ * Added required userland changes for proper SHA256 and SHA384/512
+ in ESP that will be introduced with Linux 2.6.33.
+ The "sha256"/"sha2_256" keyword now configures the kernel with 128
+ bit truncation, not the non-standard 96 bit truncation used by
+ previous releases.
To use the old 96 bit truncation scheme, the new + "sha256_96" proposal keyword has been introduced. + * Fixed IPComp in tunnel mode, stripping out the duplicated outer + header. This change makes IPcomp tunnel mode connections + incompatible with previous releases; disable compression on such + tunnels. + * Fixed BEET mode connections on recent kernels by installing SAs + with appropriate traffic selectors, based on a patch by Michael + Rossberg. + * Using extensions (such as BEET mode) and crypto algorithms (such + as twofish, serpent, sha256_96) allocated in the private use space + now require that we know its meaning, i.e. we are talking to + strongSwan. Use the new "charon.send_vendor_id" option in + strongswan.conf to let the remote peer know this is the case. + * Experimental support for draft-eronen-ipsec-ikev2-eap-auth, where + the responder omits public key authentication in favor of a mutual + authentication method. To enable EAP-only authentication, set + rightauth=eap on the responder to rely only on the MSK constructed + AUTH payload. This not-yet standardized extension requires the + strongSwan vendor ID introduced above. + * The IKEv1 daemon ignores the Juniper SRX notification type 40001, + thus allowing interoperability. + * The IKEv1 pluto daemon can now use SQL-based address pools to + deal out virtual IP addresses as a Mode Config server. The pool + capability has been migrated from charon's sql plugin to a new + attr-sql plugin which is loaded by libstrongswan and which can be + used by both daemons either with a SQLite or MySQL database and the + corresponding plugin. + * Plugin names have been streamlined: EAP plugins now have a dash + after eap (e.g. eap-sim), as it is used with the --enable-eap-sim + ./configure option. + Plugin configuration sections in strongswan.conf now use the same + name as the plugin itself (i.e. with a dash). 
Make sure to update + "load" directives and the affected plugin sections in existing + strongswan.conf files. + * The private/public key parsing and encoding has been split up + into separate pkcs1, pgp, pem and dnskey plugins. The public key + implementation plugins gmp, gcrypt and openssl can all make use + of them. + * The EAP-AKA plugin can use different backends for USIM/quintuplet + calculations, very similar to the EAP-SIM plugin. The existing 3GPP2 + software implementation has been migrated to a separate plugin. + * The IKEv2 daemon charon gained basic PGP support. It can use + locally installed peer certificates and can issue signatures based + on RSA private keys. + * The new 'ipsec pki' tool provides a set of commands to maintain a + public key infrastructure. It currently supports operations to + create RSA and ECDSA private/public keys, calculate fingerprints and + issue or verify certificates. + * Charon uses a monotonic time source for statistics and job + queueing, behaving correctly if the system time changes (e.g. when + using NTP). + * In addition to time based rekeying, charon supports IPsec SA + lifetimes based on processed volume or number of packets. + They new ipsec.conf paramaters 'lifetime' (an alias to 'keylife'), + 'lifebytes' and 'lifepackets' handle SA timeouts, while the + parameters 'margintime' (an alias to rekeymargin), 'marginbytes' + and 'marginpackets' trigger the rekeying before a SA expires. + The existing parameter 'rekeyfuzz' affects all margins. + * If no CA/Gateway certificate is specified in the NetworkManager + plugin, charon uses a set of trusted root certificates preinstalled + by distributions. The directory containing CA certificates can be + specified using the --with-nm-ca-dir=path configure option. + * Fixed the encoding of the Email relative distinguished name in + left|rightid statements. + * Fixed the broken parsing of PKCS#7 wrapped certificates by the + pluto daemon. 
+ * Fixed smartcard-based authentication in the pluto daemon which + was broken by the ECDSA support introduced with the 4.3.2 release. + * A patch contributed by Heiko Hund fixes mixed IPv6 in IPv4 and + vice versa tunnels established with the IKEv1 pluto daemon. + * The pluto daemon now uses the libstrongswan x509 plugin for + certificates and CRls and the struct id type was replaced by + identification_t used by charon and the libstrongswan library. +- Removed obsolete load_secrets patches, refreshed modprobe patch. +- Corrected a time_t cast reported by rpmlint (timer.c:51) +- Disabled libtoolize call and the gcrypt plugin on SLE 10. + +------------------------------------------------------------------- +Fri Sep 4 12:56:59 CEST 2009 - mt@suse.de + +- Fixed open failure debug message in load_secrets + +------------------------------------------------------------------- +Thu Sep 3 23:44:37 CEST 2009 - mt@suse.de + +- Applied patch fixing locking in ipsec.secrets inclusion. + +------------------------------------------------------------------- +Mon Aug 31 16:06:13 CEST 2009 - mt@suse.de + +- Updated to strongSwan 4.3.4 release: + * IKEv2 charon daemon ported to FreeBSD and Mac OS X. Installation + details can be found on wiki.strongswan.org. + * ipsec statusall shows the number of bytes transmitted and received + over ESP connections configured by the IKEv2 charon daemon. + * The IKEv2 charon daemon supports include files in ipsec.secrets. +- Removed obsolete ipsec.secrets include patch (bnc#524799) + and patch to avoid libchecksum version. + +------------------------------------------------------------------- +Fri Aug 7 11:44:30 CEST 2009 - mt@suse.de + +- Applied patch implementing ipsec.secrets "include" directive + support in charon (http://wiki.strongswan.org/issues/show/82, + bnc#524799). 
+ +------------------------------------------------------------------- +Mon Jul 27 13:40:57 CEST 2009 - mt@suse.de + +- Updated to strongSwan 4.3.3 release: + * The configuration option --enable-integrity-test plus the + strongswan.conf option libstrongswan.integrity_test = yes + activate integrity tests of the IKE daemons charon and pluto, + libstrongswan and all loaded plugins. Thus dynamic library + misconfigurations and non-malicious file manipulations can be + reliably detected. + * The new default setting libstrongswan.ecp_x_coordinate_only=yes + allows IKEv1 interoperability with MS Windows using the ECP DH + groups 19 and 20. + * The IKEv1 pluto daemon now supports the AES-CCM and AES-GCM ESP + authenticated encryption algorithms. + * The IKEv1 pluto daemon now supports V4 OpenPGP keys. + * The RDN parser vulnerability discovered by Orange Labs research + team was not completely fixed in version 4.3.2. Some more + modifications had to be applied to the asn1_length() function to + make it robust. +- Enabled --enable-integrity-test configure option (new feature). +- Removed patch to avoid plugin versions (accepted by upstream) + and added patch to avoid version for new libchecksum library. +- Added -Wno-pointer-sign -Wno-strict-aliasing CFLAGS in the spec. + +------------------------------------------------------------------- +Wed Jun 10 11:04:44 CEST 2009 - mt@suse.de + +- Updated to strongSwan 4.3.2 release, that fixes two asn1 parser + DoS vulnerabilities and provides several new features, e.g.: + * The new gcrypt plugin provides symmetric cipher, hasher, RNG, + Diffie-Hellman and RSA crypto primitives using the LGPL licensed + GNU gcrypt library. + * libstrongswan features an integrated crypto selftest framework + for registered algorithms. The test-vector plugin provides a first + set of test vectors and allows pluto and charon to rely on tested + crypto algorithms. + * pluto can now use all libstrongswan plugins with the exception + of x509 and xcbc. 
Thanks to the openssl plugin, the ECP Diffie- + Hellman groups 19, 20, 21, 25, and 26 as well as ECDSA-256, + ECDSA-384, and ECDSA-521 authentication can be used with IKEv1. + * Applying their fuzzing tool, the Orange Labs vulnerability + research team found another two DoS vulnerabilities, one in the + rather old ASN.1 parser of Relative Distinguished Names (RDNs) + and a second one in the conversion of ASN.1 UTCTIME and + GENERALIZEDTIME strings to a time_t value. + * The nm plugin now passes DNS/NBNS server information to + NetworkManager, allowing a gateway administrator to set DNS/NBNS + configuration on clients dynamically. + * The nm plugin also accepts CA certificates for gateway + authentication. If a CA certificate is configured, strongSwan uses + the entered gateway address as its idenitity, requiring the gateways + certificate to contain the same as subjectAltName. + This allows a gateway administrator to deploy the same + certificates to Windows 7 and NetworkManager clients. + * The command ipsec purgeike deletes IKEv2 SAs that don't have a + CHILD SA. + The command ipsec down {n} deletes CHILD SA instance n of + connection whereas ipsec down {*} deletes all CHILD + SA instances. + The command ipsec down [n] deletes IKE SA instance n of + connection plus dependent CHILD SAs whereas ipsec down + [*] deletes all IKE SA instances of connection . + * Fixed a regression introduced in 4.3.0 where EAP authentication + calculated the AUTH payload incorrectly. Further, the EAP-MSCHAPv2 + MSK key derivation has been updated to be compatible with the + Windows 7 Release Candidate. + * Refactored installation of triggering policies. Routed policies + are handled outside of IKE_SAs to keep them installed in any case. + A tunnel gets established only once, even if initiation is delayed + due network outages. + * Improved the handling of multiple acquire signals triggered by + the kernel. 
+ * Fixed two DoS vulnerabilities in the charon daemon that were + discovered by fuzzing techniques: + 1) Sending a malformed IKE_SA_INIT request leaved an incomplete + state which caused a null pointer dereference if a subsequent + CREATE_CHILD_SA request was sent. + 2) Sending an IKE_AUTH request with either a missing TSi or TSr + payload caused a null pointer derefence because the checks for + TSi and TSr were interchanged. + The IKEv2 fuzzer used was developped by the Orange Labs + vulnerability research team. The tool was initially written + by Gabriel Campana and is now maintained by Laurent Butti. + * Added support for AES counter mode in ESP in IKEv2 using the + proposal keywords aes128ctr, aes192ctr and aes256ctr. + * Further progress in refactoring pluto: Use of the curl and ldap + plugins for fetching crls and OCSP. Use of the random plugin to + get keying material from /dev/random or /dev/urandom. Use of the + openssl plugin as an alternative to the aes, des, sha1, sha2, and + md5 plugins. The blowfish, twofish, and serpent encryption plugins + are now optional and are not enabled by default. +- Enabled new gcrypt plugin +- Adopted spec file and modprobe to syslog patch +- Removed obsolete getline glibc collision patch +- Added patch to avoid library version for plugins (rpmlint). +- Replaced update-dns-server patch with a --with-resolv-conf. +- Removed restart_on_update from spec file (see bnc#450390). 
+ +------------------------------------------------------------------- +Mon Jun 8 00:21:13 CEST 2009 - ro@suse.de + +- rename getline to my_getline to avoid collision with function + from glibc + +------------------------------------------------------------------- +Tue Jun 2 09:56:16 CEST 2009 - mt@suse.de + +- Applied fix for a Denial-of-Service vulnerability where receiving + a malformed IKE_SA_INIT request leaves an incomplete state which + causes a crash of the IKEv2 charon while dereferencing a NULL + pointer if a subsequent CREATE_CHILD_SA is received (bnc#507742). +- Applied fix for a Denial-of-Service vulnerability where receiving + a malformed IKE_AUTH request with either a missing TSi or TSr + traffic selector payload causes a crash of the IKEv2 charon while + dereferencing a NULL pointer because the NULL pointer checks of + TSi and TSr before destruction were erroneously swapped + (bnc#507742). + +------------------------------------------------------------------- +Tue Mar 31 11:19:03 CEST 2009 - mt@suse.de + +- Updated to strongSwan 4.2.14 release that fixes a grave DPD + denial of service vulnerability registered as CVE-2009-0790, + that had been slumbering in the code for many years: + * A vulnerability in the Dead Peer Detection (RFC 3706) code + was found by Gerd v. Egidy of + Intra2net AG affecting all Openswan and strongSwan releases. + A malicious (or expired ISAKMP) R_U_THERE or R_U_THERE_ACK + Dead Peer Detection packet can cause the pluto IKE daemon to + crash and restart. No authentication or encryption is required + to trigger this bug. One spoofed UDP packet can cause the pluto + IKE daemon to restart and be unresponsive for a few seconds + while restarting. This DPD null state vulnerability has been + officially registered as CVE-2009-0790 and is fixed by this + release. + * The new server-side EAP RADIUS plugin (--enable-eap-radius) + relays EAP messages to and from a RADIUS server. 
Succesfully + tested with with a freeradius server using EAP-MD5 and EAP-SIM. + * ASN.1 to time_t conversion caused a time wrap-around for dates + after Jan 18 03:14:07 UTC 2038 on 32-bit platforms. + As a workaround such dates are set to the maximum representable + time, i.e. Jan 19 03:14:07 UTC 2038. + * Distinguished Names containing wildcards (*) are not sent in the + IDr payload anymore. + +------------------------------------------------------------------- +Mon Oct 20 09:27:06 CEST 2008 - mt@suse.de + +- Updated to 4.2.8 release: + * IKEv2 charon daemon supports authentication based on raw public + keys stored in the SQL database backend. The ipsec listpubkeys + command lists the available raw public keys via the stroke + interface. + * Several MOBIKE improvements: Detect changes in NAT mappings in + DPD exchanges, handle events if kernel detects NAT mapping changes + in UDP-encapsulated ESP packets (requires kernel patch), reuse old + addesses in MOBIKE updates as long as possible and other fixes. + * Fixed a bug in addr_in_subnet() which caused insertion of wrong + source routes for destination subnets having netwmasks not being a + multiple of 8 bits. Thanks go to Wolfgang Steudel, TU Ilmenau for + reporting this bug. + +------------------------------------------------------------------- +Tue Oct 14 16:29:59 CEST 2008 - mt@suse.de + +- Applied fix for addr_in_subnet() extracted from strongswan-4.2.8 + which caused insertion of wrong source routes for destination + subnets having netwmasks not being a multiple of 8 bits. + Thanks go to Wolfgang Steudel, TU Ilmenau for reporting this bug. 
+ (bnc#435200) + +------------------------------------------------------------------- +Fri Oct 10 08:08:35 CEST 2008 - mt@suse.de + +- Applied fix for a Denial-of-Service vulnerability where an + IKE_SA_INIT message with a KE payload containing zeroes only can + cause a crash of the IKEv2 charon daemon due to a NULL pointer + returned by the mpz_export() function of the GNU Multi Precision + (GMP) library. Thanks go to Mu Dynamics Research Labs for making + us aware of this problem. (bnc#435194) + +------------------------------------------------------------------- +Thu Aug 28 14:31:49 CEST 2008 - mt@suse.de + +- Fixed to use --enable-curl instead of --enable-http as before +- Enabled the OpenSSL crypto plugin in the spec file. + +------------------------------------------------------------------- +Thu Aug 28 09:48:14 CEST 2008 - mt@suse.de + +- Updated to 4.2.6 release, fixing bugs and offering a lot of new + features comparing to the last version provided by this package. + Most important are: + * A NetworkManager plugin allows GUI-based configuration of + road-warrior clients in a simple way. It features X509 based + gateway authentication and EAP client authentication, tunnel + setup/teardown and storing passwords in the Gnome Keyring. + * A new EAP-GTC plugin implements draft-sheffer-ikev2-gtc-00.txt + and allows username/password authentication against any PAM + service on the gateway. The new EAP method interacts nicely with + the NetworkManager plugin and allows client authentication against + e.g. LDAP. + * Improved support for the EAP-Identity method. The new ipsec.conf + eap_identity parameter defines an additional identity to pass to + the server in EAP authentication. + * Fixed two multithreading deadlocks occurring when starting up + several hundred tunnels concurrently. + * Fixed the --enable-integrity-test configure option which + computes a SHA-1 checksum over the libstrongswan library. 
+ * Consistent logging of IKE and CHILD SAs at the audit (AUD) level. + * Improved the performance of the SQL-based virtual IP address pool + by introducing an additional addresses table. The leases table + storing only history information has become optional and can be + disabled by setting charon.plugins.sql.lease_history = no in + strongswan.conf. + * The XFRM_STATE_AF_UNSPEC flag added to xfrm.h allows IPv4-over-IPv6 + and IPv6-over-IPv4 tunnels with the 2.6.26 and later Linux kernels. + * management of different virtual IP pools for different network + interfaces have become possible. + * fixed a bug which prevented the assignment of more than 256 + virtual IP addresses from a pool managed by an sql database. + * fixed a bug which did not delete own IPCOMP SAs in the kernel. + * The openssl plugin supports the elliptic curve Diffie-Hellman + groups 19, 20, 21, 25, and 26 and ECDSA authentication using + elliptic curve X.509 certificates. + * Fixed a bug in stroke which caused multiple charon threads to + close the file descriptors during packet transfers over the stroke + socket. + * ESP sequence numbers are now migrated in IPsec SA updates handled + by MOBIKE. Works only with Linux kernels >= 2.6.17. + * Fixed a number of minor bugs that where discovered during the 4th + IKEv2 interoperability workshop in San Antonio, TX. + * Plugins for libstrongswan and charon can optionally be loaded + according to a configuration in strongswan.conf. Most components + provide a "load = " option followed by a space separated list of + plugins to load. This allows e.g. the fallback from a hardware + crypto accelerator to to software-based crypto plugins. + * Charons SQL plugin has been extended by a virtual IP address pool. + Configurations with a rightsourceip=%poolname setting query a + SQLite or MySQL database for leases. The "ipsec pool" command helps + in administrating the pool database. 
See ipsec pool --help for the + available options + * The Authenticated Encryption Algorithms AES-CCM-8/12/16 and + AES-GCM-8/12/16 for ESP are now supported starting with the Linux + 2.6.25 kernel. The syntax is e.g. esp=aes128ccm12 or esp=aes256gcm16. +- Added patch disabling direct modifications of resolv.conf; has to + be replaced by a netconfig call. +- Added patch adding a missed file name argument in printf call in the + scripts/thread_analysis.c file -- resulting binary is not installed. +- Removed obsolete patches crash_badcfg_reload and old-caps-version. + +------------------------------------------------------------------- +Mon Jun 30 22:40:31 CEST 2008 - mt@suse.de + +- Added fix that explicitly enables version 1 linux capabilities + on version 2 systems to aviod that the charon and pluto daemons + exit because of failed capset call (bnc#404989). + +------------------------------------------------------------------- +Mon May 19 16:17:16 CEST 2008 - mt@suse.de + +- Applied fix (strongswan_crash_badcfg_reload.dif) to avoid + a crash after reloading with bad config (bnc#392062). + +------------------------------------------------------------------- +Wed Apr 23 14:28:41 CEST 2008 - mt@suse.de + +- Updated to 4.2.1 release. A lot of code refactoring in the 4.2 + release provides much more modularity and therefore much more + extensiblity and offers the following new features: + * libstrongswan has been modularized to attach crypto algorithms, + credential implementations (secret and private keys, certificates) + and http/ldap fetchers dynamically through plugins. + * A relational database API that uses pluggable database providers + was added to libstrongswan including plugins for MySQL and SQLite. + * The IKEv2 keying charon daemon has become more extensible. Generic + plugins can provide arbitrary interfaces to credential stores and + connection management interfaces. Also any EAP method can be added. 
+ * The authentication and credential framework in charon has been + heavily refactored to support modular credential providers, proper + CERTREQ/CERT payload exchanges and extensible authorization rules. + * Support for "Hash and URL" encoded certificate payloads has been + implemented in the IKEv2 daemon charon. + * The IKEv2 daemon charon now supports the "uniqueids" option to + close multiple IKE_SAs with the same peer. + * The crypto factory in libstrongswan additionally supports random + number generators. Plugins may provide other sources of randomness. + * Extended the credential framework by a caching option to allow + plugins persistent caching of fetched credentials. + * The new trust chain verification introduced in 4.2.0 has been + parallelized. Threads fetching CRL or OCSP information no longer + block other threads. + * A new IKEv2 configuration attribute framework has been introduced + allowing plugins to provide virtual IP addresses, and in the future, + other configuration attribute services (e.g. DNS/WINS servers). + * The stroke plugin has been extended to provide virtual IP addresses + from a simple pool defined in ipsec.conf. + * Fixed compilation on uClibc and a couple of other minor bugs. + * The IKEv1 pluto daemon now supports the ESP encryption algorithm + CAMELLIA with key lengths of 128, 192, and 256 bits, as well as the + authentication algorithm AES_XCBC_MAC. +- Applied a small patch defining _GNU_SOURCE for struct in6_pktinfo + and adding inclusion of limits.h for PATH_MAX availability. +- Added rpmlintrc file and a libtoolize call to the spec file. + +------------------------------------------------------------------- +Tue Feb 19 11:44:03 CET 2008 - mt@suse.de + +- Updated to 4.1.11 maintenance release, providing following fixes: + * IKE rekeying in NAT situations did not inherit the NAT conditions + to the rekeyed IKE_SA so that the UDP encapsulation was lost with + the next CHILD_SA rekeying. 
+ * Wrong type definition of the next_payload variable in id_payload.c + caused an INVALID_SYNTAX error on PowerPC platforms. + * Implemented IKEv2 EAP-SIM server and client test modules that use + triplets stored in a file. For details on the configuration see + the scenario 'ikev2/rw-eap-sim-rsa'. +- The 4.1.10 final version, declared upstream as "Fully tested support + of IPv6 IPsec tunnel connections", fixes ordering error in oscp cache, + IPv6 defaults of the nexthop parameter, adds support for new EAP + modules [disabled in this build] and obsoletes our strongswan_path + and strongswan_ipsec_script_msg patches. +- Removed a sed call from init script. + +------------------------------------------------------------------- +Sat Dec 8 13:03:42 CET 2007 - mt@suse.de + +- Updated to 4.1.9 final, including all our patches. +- Changed init script to use ipsec cmd using LSB codes now. +- Added strongswan_path.dif setting a PATH in scripts (updown). +- Added strongswan_ipsec_script_msg.dif for consistent look of + ipsec script messages. +- Added strongswan_modprobe_syslog.dif redirecting modprobe + output to syslog. + +------------------------------------------------------------------- +Mon Nov 26 10:19:40 CET 2007 - mt@suse.de + +- Renamed charon plugins to avoid rpm conflicts with existing + libraries (libstroke). Patch: strongswan-libconflicts.dif +- Added init script. Template file: strongswan.init.in + +------------------------------------------------------------------- +Thu Nov 22 10:25:56 CET 2007 - mt@suse.de + +- Initial, unfinished package + diff --git a/strongswan.init.in b/strongswan.init.in new file mode 100644 index 0000000..15a7e60 --- /dev/null +++ b/strongswan.init.in 
@@ -0,0 +1,278 @@ +#!/bin/bash +# +# SUSE/LSB system startup script for strongswan ipsec +# +# Copyright (C) 2007 Marius Tomaschewski, SUSE / Novell Inc. +# based on /etc/init.d/skeleton.compat by Kurt Garloff. +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or (at +# your option) any later version. +# +# This library is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, +# USA. +# +# /etc/init.d/ipsec +# and its symbolic link +# /usr/sbin/rcipsec +# +# LSB compatible service control script; see http://www.linuxbase.org/spec/ +# Please send feedback to http://www.suse.de/feedback/ +# +# Note: This script uses functions rc_XXX defined in /etc/rc.status on +# UnitedLinux/SUSE/Novell based Linux distributions. However, it shoule +# work on other distributions as well, by using the LSB (Linux Standard +# Base) or RH functions or by open coding the needed functions. +# +# chkconfig: 345 99 00 +# description: StrongSwan IPsec +# +### BEGIN INIT INFO +# Provides: ipsec +# Required-Start: $syslog $remote_fs $named +# Should-Start: $time +# Required-Stop: $syslog $remote_fs $named +# Should-Stop: $time +# Default-Start: 3 5 +# Default-Stop: 0 1 2 6 +# Short-Description: StrongSwan IPsec +# Description: StrongSwan IPsec provides encrypted and authenticated +# communication via a unsafe network, such as the internet. +# This scripts loads the kernel modules and starts the user-space setup. 
+### END INIT INFO + + +# Check for missing binaries (stale symlinks should not happen) +# Note: Special treatment of stop for LSB conformance +IPSEC_CMD="/usr/sbin/ipsec" +test -x $IPSEC_CMD || { + echo "$IPSEC_CMD not installed"; + if [ "$1" = "stop" ]; then exit 0; else exit 5; fi; +} +IPSEC_STARTER="@libexecdir@/ipsec/starter" +test -x $IPSEC_STARTER || { + echo "$IPSEC_STARTER not installed"; + if [ "$1" = "stop" ]; then exit 0; else exit 5; fi; +} + +# The pid file of the ipsec starter +IPSEC_PIDFILE="/var/run/starter.pid" + +# Check for existence of needed config files +IPSEC_CONFIG="/etc/ipsec.conf" +test -r $IPSEC_CONFIG || { + echo "$IPSEC_CONFIG not existing"; + if [ "$1" = "stop" ]; then exit 0; else exit 6; fi; +} +IPSEC_SECRET="/etc/ipsec.secrets" +test -r $IPSEC_SECRET || { + echo "$IPSEC_SECRET not existing"; + if [ "$1" = "stop" ]; then exit 0; else exit 6; fi; +} + +# Source LSB init functions +# providing start_daemon, killproc, pidofproc, +# log_success_msg, log_failure_msg and log_warning_msg. +# This is currently not used by UnitedLinux based distributions and +# not needed for init scripts for UnitedLinux only. If it is used, +# the functions from rc.status should not be sourced or used. +#. 
/lib/lsb/init-functions + +# Shell functions sourced from /etc/rc.status: +# rc_check check and set local and overall rc status +# rc_status check and set local and overall rc status +# rc_status -v be verbose in local rc status and clear it afterwards +# rc_status -v -r ditto and clear both the local and overall rc status +# rc_status -s display "skipped" and exit with status 3 +# rc_status -u display "unused" and exit with status 3 +# rc_failed set local and overall rc status to failed +# rc_failed set local and overall rc status to +# rc_reset clear both the local and overall rc status +# rc_exit exit appropriate to overall rc status +# rc_active checks whether a service is activated by symlinks + +# Use the SUSE rc_ init script functions; +# emulate them on LSB, RH and other systems + +# Default: Assume sysvinit binaries exist +start_daemon() { /sbin/start_daemon ${1+"$@"}; } +killproc() { /sbin/killproc ${1+"$@"}; } +pidofproc() { /sbin/pidofproc ${1+"$@"}; } +checkproc() { /sbin/checkproc ${1+"$@"}; } +if test -e /etc/rc.status; then + # SUSE rc script library + . /etc/rc.status +else + export LC_ALL=POSIX + _cmd=$1 + declare -a _SMSG + if test "${_cmd}" = "status"; then + _SMSG=(running dead dead unused unknown reserved) + _RC_UNUSED=3 + else + _SMSG=(done failed failed missed failed skipped unused failed failed reserved) + _RC_UNUSED=6 + fi + if test -e /lib/lsb/init-functions; then + # LSB + . /lib/lsb/init-functions + echo_rc() + { + if test ${_RC_RV} = 0; then + log_success_msg " [${_SMSG[${_RC_RV}]}] " + else + log_failure_msg " [${_SMSG[${_RC_RV}]}] " + fi + } + # TODO: Add checking for lockfiles + checkproc() { pidofproc ${1+"$@"} >/dev/null 2>&1; } + elif test -e /etc/init.d/functions; then + # RHAT + . 
/etc/init.d/functions
+ echo_rc()
+ {
+ #echo -n " [${_SMSG[${_RC_RV}]}] "
+ if test ${_RC_RV} = 0; then
+ success " [${_SMSG[${_RC_RV}]}] "
+ else
+ failure " [${_SMSG[${_RC_RV}]}] "
+ fi
+ }
+ checkproc() { status ${1+"$@"}; }
+ start_daemon() { daemon ${1+"$@"}; }
+ else
+ # emulate it
+ echo_rc() { echo " [${_SMSG[${_RC_RV}]}] "; }
+ fi
+ rc_reset() { _RC_RV=0; }
+ rc_failed()
+ {
+ if test -z "$1"; then
+ _RC_RV=1;
+ elif test "$1" != "0"; then
+ _RC_RV=$1;
+ fi
+ return ${_RC_RV}
+ }
+ rc_check()
+ {
+ rc_failed $?
+ }
+ rc_status()
+ {
+ rc_failed $?
+ if test "$1" = "-r"; then _RC_RV=0; shift; fi
+ if test "$1" = "-s"; then rc_failed 5; echo_rc; rc_failed 3; shift; fi
+ if test "$1" = "-u"; then rc_failed ${_RC_UNUSED}; echo_rc; rc_failed 3; shift; fi
+ if test "$1" = "-v"; then echo_rc; shift; fi
+ if test "$1" = "-r"; then _RC_RV=0; shift; fi
+ return ${_RC_RV}
+ }
+ rc_exit() { exit ${_RC_RV}; }
+ rc_active()
+ {
+ local x
+ for x in /etc/rc.d/rc[0-9].d/S[0-9][0-9]${1} ; do
+ test -e $x && return 0 || break
+ done
+ return 1
+ }
+fi
+
+# Reset status of this service
+rc_reset
+
+# Return values acc. to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 2 - invalid or excess argument(s)
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - user had insufficient privileges
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+# 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
+#
+# Note that starting an already running service, stopping
+# or restarting a not-running service as well as the restart
+# with force-reload (in case signaling is not supported) are
+# considered a success.
+
+case "$1" in
+ start)
+ $IPSEC_CMD start 2>&1
+ rc_status -v1
+ ;;
+ stop)
+ $IPSEC_CMD stop 2>&1
+ rc_status -v1
+ ;;
+ try-restart|condrestart)
+ ## Do a restart only if the service was active before.
+ ## Note: try-restart is now part of LSB (as of 1.9). 
+ ## RH has a similar command named condrestart.
+ if test "$1" = "condrestart"; then
+ echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
+ fi
+ $0 status
+ if test $? = 0; then
+ $0 restart
+ else
+ rc_reset # Not running is not a failure.
+ fi
+ # Remember status and be quiet
+ rc_status
+ ;;
+ restart)
+ ## Stop the service and regardless of whether it was
+ ## running or not, start it again.
+ $0 stop
+ sleep 2
+ $0 start
+
+ # Remember status and be quiet
+ rc_status
+ ;;
+ reload|force-reload)
+ $IPSEC_CMD reload
+ rc_status -v1
+ ;;
+ status)
+ # Return value is slightly different for the status command:
+ # 0 - service up and running
+ # 1 - service dead, but /var/run/ pid file exists
+ # 2 - service dead, but /var/lock/ lock file exists
+ # 3 - service not running (unused)
+ # 4 - service status unknown :-(
+ # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
+
+ echo -n "Checking for service strongSwan IPsec "
+ #checkproc $IPSEC_STARTER
+ $IPSEC_CMD status 2>&1 >/dev/null
+
+ # NOTE: rc_status knows that we called this init script with
+ # "status" option and adapts its messages accordingly.
+ rc_status -v
+ ;;
+ probe)
+ ## Optional: Probe for the necessity of a reload, print out the
+ ## argument to this init script which is required for a reload.
+ ## Note: probe is not (yet) part of LSB (as of 1.9)
+
+ test $IPSEC_CONFIG -nt $IPSEC_PIDFILE || \
+ test $IPSEC_SECRET -nt $IPSEC_PIDFILE && echo reload
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
+ exit 1
+ ;;
+esac
+rc_exit
diff --git a/strongswan.keyring b/strongswan.keyring
new file mode 100644
index 0000000..a71b817
--- /dev/null
+++ b/strongswan.keyring 
@@ -0,0 +1,53 @@ +pub 3072R/B34DBA77 2009-06-12 +uid Andreas Steffen +sub 3072g/0E10E91A 2009-08-20 + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.19 (GNU/Linux) + +mQGNBEoycP0BDACzL8ymURD7gnaNbGx2VGieNQr/gNISWhqgHaeUxuSkrInxl89A +ClvN7DoF2cD7slEqIMQh/8t6xVzmh9teu5uyeV1eyG/CuFMUqawXqpn/sYa2SkgX +C/qHB2hIbFg2K4k5LJHxzqHb1OdtOcU6lHg9yrvYcoO+FTVR+rYaVgYbbbziTB/v +hAAzvdTdgwMgoQMSXA7FsJ0mALny4IeiCoi6S6qRVDm4zcu11UFT9g1VmhmeHqtU +SQso72bPKKhYvu7ZaQrLhkvY9inWr6m9dxV8Zgb1ivZGhzsNzrhGAsz9jmiB5POF +Mfph0hREMiS33ph/YMJducGQHYGEza9mKBdUaaAAEL3fCpde7vRa+c5Gc/Y5RUB7 +iUsb2KQY+7xTiSUnCHbsMwhndG0dJspVXcz6X+2S3Ty4GaiqkvxI9KLiwiECNl0I +oLX5s/FIW6KW+GnxJTp/3h6vvqm8i0+yIwk+ETM4XfhHMwuPkDyf6km1ag3nIUw6 +pSSfnQMPhj5rXIMAEQEAAbQwQW5kcmVhcyBTdGVmZmVuIDxhbmRyZWFzLnN0ZWZm +ZW5Ac3Ryb25nc3dhbi5vcmc+iQG3BBMBAgAhBQJKMnD9AhsDBwsJCAcDAgEEFQII +AwQWAgMBAh4BAheAAAoJEN9CwXCzTbp3t5AL/jrXnnGIHLn8M9rmyoeNe7JQUE5A +GSV3UFaZHgHmjbvIHA+dRvh1MPlHuWbaZkHVPtRFvFtEgksc944+XcKoNoExKGKr +wLQcUExUiQ0IyNwH70u7f1uFNcbY85Oue5ASzm+wAntnmIlNsN+MHewRWC6f6gYn +1aHwsvh09fz0A34v9wdtim2ek/Voxe3AIDIw2MTNmwF61pXEsrH0wqYnGhYLZ7Qb +thnDnHQaUd3IPSa6uAgOOiCoCbKCvP4u/iVm0rmXN9uzmm/i4Y0cE3DopGsqrR5D +fWYJjgP4KBCln0LgWtYI8pcYcmA5E+l+fijNcMidtzWHMW2Mj0oZZsO+wlRUYLGh +/jRASgq7rXuxV+oGKcBn4RqSHlZ5/BYlvowUxnNFC4tLLlneHidS8TurjacM3fwR +MP5NMmcS5d9sVLG1uxl+/g2cRMtphHiziz+79jDc+tSxqRO5lhqyItAD6LC2GxB3 +iC5afnMx49+YWzhUTeL/KfkrD9w3/n7O00kLtLkDDQRKjOHDEAwAxdh8W7j/QhE3 +KZNmJGsK/QtJ72zZRGRcdUPH6GG//GaAG5hSCjM8q+0MR/G+31uk32RbzRIj1sHQ +8fY0znxPmaeD1wow0hCbDTq+Ep3K8ouaqoqjlP4rd+I94OtxNfXgmllf7BDOZ6lI +wUY8ba8cFCPYsv8ZvRXo82XfwFYevQ9kTLqkJT52mMyPZLwYx4DNwuqFtQQEBLKg +IVXVgpK6SE72MFP8vyFsdrL0ORgxoWI6PIHbnIRY1KiWUzOSrqirZUHH9MPuzFuB +R0+jEAajeKoxycn0ILLM5PBAEFXFgBdtNNCtshe1fR5aPsXcGZsZRjc7mbAHLRqa +pVhk7oX31WrGqGHkSM/GAnf3aAzsnCkO5+Tje2iyuoG5OhQbHsvMBOtdvQrwnorl +56EguzuK1mGDsczNsuAYRcKiasCWpsjoytDH+dGEQmKXydD9r06cxPx+mWmWKLo4 +w+k4mMC0lFRYKi83cwTpaMpHOeW4+3d1tJfkCQy+vjUz4aZJ/WSXAAMFDACqmeXA 
+Al7WssHkjVZ/vwQfHLHNMZsGEEucvV7KNqMF4Fe6nRbbE6GJOuz6taeFkJIppBqV +xhSNOsf5soOXfGp0IgYoC37GPI6AAb4UnG5GVcaAMQAXUYcwfDGGuV/EO5pPrEyP +jy++GvjhxcKV3HmUuAfcgyhTGhDOVPxU28Roz3+8Eig085v+lyqAsgFduBrf+ZV+ +lHjIOSXSWmTiT8EVSA3fpN14/qhltudhdGIZ/pCW303H9Bd9c4Uc9OzYhRr1VpO6 +lpYfTFNey8KQL4z9Kjt0RPscz2hYDOJ1cTFWs/4Z+9mBJODwrnIiORLlgV2NlP5E +ZY4MccVFd9K7E/OPQdt3Uv6+6BjYRntY7wsX617T5Rmj8n6AhbpngmWg2D6wRfm7 +TyI0Wtz5icCoJIEHQwB/3EhBzQl7tBc0cClwCYm7nTYRt+SL2tfylWy9Leail+ay +M6zwMW0klV42E4u8DCy/aJrwmEiVwuwGbXL6z46M9EZguof38MTEmLsHls+JAZ8E +GAECAAkFAkqM4cMCGwwACgkQ30LBcLNNunffBgv/b/v3eQoZTWgOB5MnXhIrg/Ki +kYTYbnEG9wWM7XIST8bpP7f/UKyD44CCVJH7SVTGAXeyjglnuYXy4FwaTdFmm6al +W0sCp4rnmADi5BLLzQlCUa5J0iZ+oAZnAH60BezUM+CYz/QBW3NJmP3323PeM4H4 +MZ0vLv3wgaLkFlaK/eASBoC7KuZWAnvsNOdLQ29L4BYgW2Jwk1+PxszjT369DsMU +Y3iY6gM9rM71Ajd8x98hd1r26LILGntAEEXxs+13Kka7J4GCqf8/J9ZR01dDp8QM ++M9EHFLnthpAyUuSXm5Qlglavnf7tU6AA0SFuA0pP5CXVLG1DLT1fJvNOqjdzPsf +u/48AM2Lpxj0gKt1yDQc890GxwnOL1iZ6+XMh9/ujWy7Q7dI4M2mthwYFXldWrPS +CmMToWfl62BxPdY5FIECXeRwTIO9sI0LQVc2eAG8lDsge05q1nJFxo9WKr7ewAdF +b/fMIr7XMwoMj2SQSy/tZVCBnDXR5Gw5HSxRnIAS +=ze82 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/strongswan.spec b/strongswan.spec new file mode 100644 index 0000000..8894f62 --- /dev/null +++ b/strongswan.spec 
@@ -0,0 +1,936 @@
+#
+# spec file for package strongswan
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: strongswan
+Version: 5.9.12
+Release: 0
+%define upstream_version %{version}
+%define strongswan_docdir %{_docdir}/%{name}
+%define strongswan_libdir %{_libdir}/ipsec
+%define strongswan_configs %{_sysconfdir}/strongswan.d
+%define strongswan_datadir %{_datadir}/strongswan
+%define strongswan_plugins %{strongswan_libdir}/plugins
+%define strongswan_templates %{strongswan_datadir}/templates
+%if 0
+%bcond_without tests
+%else
+%bcond_with tests
+%endif
+%bcond_without fipscheck
+%ifarch %{ix86} ppc64le
+%bcond_without integrity
+%else
+%bcond_with integrity
+%endif
+%bcond_without farp
+%bcond_without afalg
+%bcond_without mysql
+%bcond_without sqlite
+%bcond_without gcrypt
+%bcond_without nm
+%bcond_without systemd
+Summary: IPsec-based VPN solution
+License: GPL-2.0-or-later
+Group: Productivity/Networking/Security
+URL: https://www.strongswan.org/
+Source0: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
+Source1: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
+Source2: %{name}.init.in
+Source3: %{name}-rpmlintrc
+Source4: README.SUSE
+Source5: %{name}.keyring
+%if %{with fipscheck}
+Source7: fips-enforce.conf
+%endif
+Patch2: %{name}_ipsec_service.patch
+Patch5: 
0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
+Patch6: harden_strongswan.service.patch
+BuildRequires: bison
+BuildRequires: curl-devel
+BuildRequires: flex
+BuildRequires: gmp-devel
+BuildRequires: gperf
+BuildRequires: libcap-devel
+BuildRequires: libopenssl-devel
+BuildRequires: openldap2-devel
+BuildRequires: pam-devel
+BuildRequires: pcsc-lite-devel
+BuildRequires: pkg-config
+BuildRequires: pkgconfig(libsoup-2.4)
+%if %{with mysql}
+BuildRequires: libmysqlclient-devel
+%endif
+%if %{with sqlite}
+BuildRequires: sqlite3-devel
+%endif
+%if %{with gcrypt}
+BuildRequires: libgcrypt-devel
+%endif
+%if %{with nm}
+BuildRequires: pkgconfig(libnm)
+%endif
+%{?systemd_requires}
+BuildRequires: iptables
+BuildRequires: pkgconfig(libsystemd)
+%{!?_rundir: %global _rundir /run}
+%{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d}
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: libtool
+Requires: strongswan-ipsec = %{version}
+
+%description
+StrongSwan is an IPsec-based VPN solution for Linux.
+
+* Implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
+* Fully tested support of IPv6 IPsec tunnel and transport connections
+* Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555)
+* Automatic insertion and deletion of IPsec-policy-based firewall rules
+* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
+* NAT Traversal via UDP encapsulation and port floating (RFC 3947)
+* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
+* Static virtual IP addresses and IKEv1 ModeConfig pull and push modes
+* XAUTH server and client functionality on top of IKEv1 Main Mode authentication
+* Virtual IP address pool managed by IKE daemon or SQL database
+* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.) 
+* Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
+* Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
+* Authentication based on X.509 certificates or preshared keys
+* Generation of a default self-signed certificate during first strongSwan startup
+* Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
+* Full support of the Online Certificate Status Protocol (OCSP, RCF 2560).
+* CA management (OCSP and CRL URIs, default LDAP server)
+* Powerful IPsec policies based on wildcards or intermediate CAs
+* Group policies based on X.509 attribute certificates (RFC 3281)
+* Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
+* Modular plugins for crypto algorithms and relational database interfaces
+* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
+* Optional built-in integrity and crypto tests for plugins and libraries
+* Linux desktop integration via the strongSwan NetworkManager applet
+
+This package triggers the installation of both, IKEv1 and IKEv2 daemons.
+
+%package doc
+Summary: Documentation for strongSwan
+Group: Documentation/Man
+BuildArch: noarch
+
+%description doc
+StrongSwan is an IPsec-based VPN solution for Linux.
+
+This package provides the StrongSwan documentation.
+
+%package libs0
+Summary: strongSwan core libraries and basic plugins
+Group: Productivity/Networking/Security
+Conflicts: strongswan < %{version}
+
+%description libs0
+StrongSwan is an IPsec-based VPN solution for Linux.
+
+This package provides the strongswan library and plugins.
+
+%package hmac
+Summary: Config file to disable non FIPS-140-2 algos in strongSwan
+Group: Productivity/Networking/Security
+Requires: strongswan-ipsec = %{version}
+Requires: strongswan-libs0 = %{version}
+
+%description hmac
+The package provides a config file disabling alternative algorithm
+implementation when FIPS-140-2 compliant operation mode is enabled. 
+
+%package ipsec
+Summary: IPsec-based VPN solution
+Group: Productivity/Networking/Security
+Requires: strongswan-libs0 = %{version}
+Provides: VPN
+Provides: ipsec
+Provides: strongswan = %{version}
+Obsoletes: strongswan < %{version}
+Conflicts: freeswan
+Conflicts: openswan
+
+%description ipsec
+StrongSwan is an IPsec-based VPN solution for Linux.
+
+This package provides the /etc/init.d/ipsec service script and allows
+to maintain both IKEv1 and IKEv2 using the /etc/ipsec.conf and the
+/etc/ipsec.secrets files.
+
+%package mysql
+Summary: MySQL plugin for strongSwan
+Group: Productivity/Networking/Security
+Requires: strongswan-libs0 = %{version}
+
+%description mysql
+StrongSwan is an IPsec-based VPN solution for Linux.
+
+This package provides the strongswan mysql plugin.
+
+%package sqlite
+Summary: SQLite plugin for strongSwan
+Group: Productivity/Networking/Security
+Requires: strongswan-libs0 = %{version}
+
+%description sqlite
+StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
+
+This package provides the strongswan sqlite plugin.
+
+%package nm
+Summary: NetworkManager plugin for strongSwan
+Group: Productivity/Networking/Security
+Requires: strongswan-libs0 = %{version}
+
+%description nm
+StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
+
+This package provides the NetworkManager plugin to control the
+charon IKEv2 daemon through D-Bus, designed to work using the
+NetworkManager-strongswan graphical user interface.
+
+%package tests
+Summary: Testing plugins for strongSwan
+Group: Productivity/Networking/Security
+Requires: strongswan-libs0 = %{version}
+
+%description tests
+StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
+
+This package provides the strongswan crypto test vectors plugin
+and the load testing plugin for IKEv2 daemon. 
+
+%prep
+%setup -q -n %{name}-%{upstream_version}
+%patch2 -p1
+%patch5 -p1
+sed -e 's|@libexecdir@|%_libexecdir|g' \
+ < %{_sourcedir}/strongswan.init.in \
+ > strongswan.init
+%patch6 -p1
+
+%build
+CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"
+export CFLAGS
+autoreconf --force --install
+%configure \
+%if %{with integrity}
+ --enable-integrity-test \
+%endif
+ --with-capabilities=libcap \
+ --with-plugindir=%{strongswan_plugins} \
+ --with-resolv-conf=%{_rundir}/%{name}/resolv.conf \
+ --with-piddir=%{_rundir}/%{name} \
+ --enable-systemd \
+ --with-systemdsystemunitdir=%{_unitdir} \
+ --enable-pkcs11 \
+ --enable-openssl \
+ --enable-agent \
+%if %{with gcrypt}
+ --enable-gcrypt \
+%else
+ --disable-gcrypt \
+%endif
+ --enable-blowfish \
+ --enable-ctr \
+ --enable-ccm \
+ --enable-gcm \
+ --enable-unity \
+ --enable-md4 \
+%if %{with afalg}
+ --enable-af-alg \
+%endif
+ --enable-eap-sim \
+ --enable-eap-sim-file \
+ --enable-eap-sim-pcsc \
+ --enable-eap-aka \
+ --enable-eap-aka-3gpp2 \
+ --enable-eap-simaka-sql \
+ --enable-eap-simaka-pseudonym \
+ --enable-eap-simaka-reauth \
+ --enable-eap-identity \
+ --enable-eap-md5 \
+ --enable-eap-gtc \
+ --enable-eap-mschapv2 \
+ --enable-eap-tls \
+ --enable-eap-ttls \
+ --enable-eap-peap \
+ --enable-eap-tnc \
+ --enable-eap-dynamic \
+ --enable-eap-radius \
+ --enable-xauth-eap \
+ --enable-xauth-pam \
+ --enable-tnc-pdp \
+ --enable-tnc-imc \
+ --enable-tnc-imv \
+ --enable-tnccs-11 \
+ --enable-tnccs-20 \
+ --enable-tnccs-dynamic \
+ --enable-imc-test \
+ --enable-imv-test \
+ --enable-imc-scanner \
+ --enable-imv-scanner \
+ --enable-ha \
+ --enable-dhcp \
+%if %{with farp}
+ --enable-farp \
+%endif
+ --enable-smp \
+ --enable-sql \
+ --enable-attr-sql \
+ --enable-addrblock \
+ --enable-radattr \
+ --enable-mediation \
+ --enable-led \
+ --enable-certexpire \
+ --enable-duplicheck \
+ --enable-coupling \
+%if %{with mysql}
+ --enable-mysql \
+%endif
+%if %{with 
sqlite}
+ --enable-sqlite \
+%endif
+%if %{with nm}
+ --enable-nm \
+%else
+ --disable-nm \
+%endif
+%if %{with tests}
+ --enable-conftest \
+ --enable-load-tester \
+ --enable-test-vectors \
+%endif
+ --enable-ldap \
+ --enable-soup \
+ --enable-curl \
+ --enable-bypass-lan \
+ --disable-static
+%make_build
+
+%install
+install -d -m755 %{buildroot}/%{_sbindir}/
+install -d -m755 %{buildroot}/%{_sysconfdir}/ipsec.d/
+ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcstrongswan
+ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcstrongswan-starter
+ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcipsec
+#
+# Ensure, plugin -> library dependencies can be resolved
+# (e.g. libtls) to avoid plugin segment checksum errors.
+#
+LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
+%make_install
+#
+# checksums are calculated during make install using the
+# installed binaries/libraries... but find-debuginfo.sh
+# extracts debuginfo/debugsource breaking file checksums.
+# let find-debuginfo.sh run on a build root copy and then
+# calculate the checksums.
+#
+%if %{with integrity}
+%{?__debug_package:
+ if test -x %{_rpmconfigdir}/find-debuginfo.sh ; then
+ cp -a "%{buildroot}" "%{buildroot}-$$"
+ RPM_BUILD_ROOT="%{buildroot}-$$" \
+ %{_rpmconfigdir}/find-debuginfo.sh \
+ %{?_find_debuginfo_opts} "%{buildroot}-$$"
+ make -C src/checksum clean
+ rm -f src/checksum/checksum_builder
+ LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
+ make -C src/checksum install DESTDIR="%{buildroot}-$$"
+ mv "%{buildroot}-$$/%{strongswan_libdir}/libchecksum.so" \
+ "%{buildroot}/%{strongswan_libdir}/libchecksum.so"
+ rm -rf "%{buildroot}-$$"
+ fi
+}
+%endif
+#
+rm -f %{buildroot}/%{_sysconfdir}/ipsec.secrets
+cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets
+#
+# ipsec.secrets
+#
+# This file holds the RSA private keys or the PSK preshared secrets for
+# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
+#
+EOT
+#
+%if ! 
%{with mysql}
+rm -f %{buildroot}/%{strongswan_templates}/database/sql/mysql.sql
+%endif
+%if ! %{with sqlite}
+rm -f %{buildroot}/%{strongswan_templates}/database/sql/sqlite.sql
+%endif
+rm -f %{buildroot}/%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
+rm -f %{buildroot}/%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
+find %{buildroot}/%{strongswan_libdir} -type f -name "*.la" -delete
+#
+install -d -m755 %{buildroot}/%{strongswan_docdir}/
+install -c -m644 TODO NEWS README COPYING LICENSE \
+ AUTHORS ChangeLog \
+ %{buildroot}/%{strongswan_docdir}/
+install -c -m644 %{_sourcedir}/README.SUSE \
+ %{buildroot}/%{strongswan_docdir}/
+install -d -m 0755 %{buildroot}%{_tmpfilesdir}
+echo 'd %{_rundir}/%{name} 0770 root root' > %{buildroot}%{_tmpfilesdir}/%{name}.conf
+%if %{with fipscheck}
+install -c -m644 %{_sourcedir}/fips-enforce.conf \
+ %{buildroot}/%{strongswan_configs}/charon/zzz_fips-enforce.conf
+# disable bypass-lan plugin by default
+sed -i 's/\(load[ ]*=[ ]*\)yes/\1no/g' %{buildroot}/%{strongswan_configs}/charon/bypass-lan.conf
+%endif
+
+%post libs0
+/sbin/ldconfig
+%{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/%{name}.conf}
+%{!?tmpfiles_create:test -d %{_rundir}/%{name} || mkdir -p %{_rundir}/%{name}}
+
+%postun libs0 -p /sbin/ldconfig
+
+%pre ipsec
+%service_add_pre %{name}-starter.service
+
+%post ipsec
+# Following code does the migration from strongwan.service (ver < 5.8.0) to
+# strongswan-starter.service (ver >= 5.8.0) during update. The systemd service
+# units have been renamed. The modern unit, which was called strongswan-swanctl,
+# is now called strongswan (the previous name is configured as alias in the unit,
+# for which a symlink is created when the unit is enabled). The legacy unit is now
+# called strongswan-starter. 
+_ipsec_active=`/usr/bin/systemctl is-active %{name}-starter.service 2>/dev/null` || :
+_swanctl_active=`/usr/bin/systemctl is-active %{name}.service 2>/dev/null` || :
+_ipsec_enable=`/usr/bin/systemctl is-enabled %{name}-starter.service 2>/dev/null` || :
+_swanctl_enable=`/usr/bin/systemctl is-enabled %{name}.service 2>/dev/null` || :
+if [[ "$_swanctl_enable" == "enabled" || "$_swanctl_active" == "active" ]]; then
+ /usr/bin/systemctl disable --now %{name}.service || :
+ /usr/bin/systemctl mask %{name}.service || :
+fi
+if [[ "$_swanctl_enable" == "enabled" || "$_ipsec_enable" == "enabled" ]]; then
+ /usr/bin/systemctl daemon-reload
+ /usr/bin/systemctl enable %{name}-starter.service || :
+fi
+if [[ "$_swanctl_active" == "active" || "$_ipsec_active" == "active" ]]; then
+ /usr/bin/systemctl start %{name}-starter.service || :
+fi
+
+%preun ipsec
+%service_del_preun %{name}-starter.service
+if test -s %{_sysconfdir}/ipsec.secrets.rpmsave ; then
+ cp -p --backup=numbered %{_sysconfdir}/ipsec.secrets.rpmsave \
+ %{_sysconfdir}/ipsec.secrets.rpmsave.old
+fi
+if test -s %{_sysconfdir}/ipsec.conf.rpmsave ; then
+ cp -p --backup=numbered %{_sysconfdir}/ipsec.conf.rpmsave \
+ %{_sysconfdir}/ipsec.conf.rpmsave.old
+fi
+
+%postun ipsec
+%service_del_postun %{name}-starter.service
+
+%files
+%dir %{strongswan_docdir}
+%{strongswan_docdir}/README.SUSE
+
+%if %{with fipscheck}
+
+%files hmac
+%dir %{strongswan_configs}
+%dir %{strongswan_configs}/charon
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/zzz_fips-enforce.conf
+%endif
+
+%files ipsec
+%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.conf
+%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.secrets
+%config(noreplace) %attr(600,root,root) %{_sysconfdir}/swanctl/swanctl.conf
+%dir %{_sysconfdir}/swanctl
+%dir %{_sysconfdir}/ipsec.d
+%dir %{_sysconfdir}/ipsec.d/crls
+%dir %{_sysconfdir}/ipsec.d/reqs
+%dir %{_sysconfdir}/ipsec.d/certs
+%dir %{_sysconfdir}/ipsec.d/acerts
+%dir 
%{_sysconfdir}/ipsec.d/aacerts
+%dir %{_sysconfdir}/ipsec.d/cacerts
+%dir %{_sysconfdir}/ipsec.d/ocspcerts
+%dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
+%{_unitdir}/strongswan-starter.service
+%{_unitdir}/strongswan.service
+%{_sbindir}/rcstrongswan
+%{_sbindir}/rcstrongswan-starter
+%{_sbindir}/charon-systemd
+%{_sbindir}/rcipsec
+%{_bindir}/pki
+%{_bindir}/pt-tls-client
+%{_bindir}/tpm_extendpcr
+%{_sbindir}/ipsec
+%{_sbindir}/swanctl
+%{_mandir}/man1/pki*.1*
+%{_mandir}/man1/pt-tls-client.1*
+%{_mandir}/man8/ipsec.8*
+%{_mandir}/man5/ipsec.conf.5*
+%{_mandir}/man5/ipsec.secrets.5*
+%{_mandir}/man5/strongswan.conf.5*
+%dir %{_libexecdir}/ipsec
+%{_libexecdir}/ipsec/_updown
+%if %{with test}
+%{_libexecdir}/ipsec/conftest
+%endif
+%{_libexecdir}/ipsec/xfrmi
+%{_libexecdir}/ipsec/duplicheck
+%{_libexecdir}/ipsec/pool
+%{_libexecdir}/ipsec/starter
+%{_libexecdir}/ipsec/stroke
+%{_libexecdir}/ipsec/charon
+%{_libexecdir}/ipsec/_imv_policy
+%{_libexecdir}/ipsec/imv_policy_manager
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-drbg.so
+%{strongswan_plugins}/libstrongswan-stroke.so
+%{strongswan_plugins}/libstrongswan-updown.so
+
+%files doc
+%dir %{strongswan_docdir}
+%{strongswan_docdir}/TODO
+%{strongswan_docdir}/NEWS
+%{strongswan_docdir}/README
+%{strongswan_docdir}/COPYING
+%{strongswan_docdir}/LICENSE
+%{strongswan_docdir}/AUTHORS
+%{strongswan_docdir}/ChangeLog
+%{_mandir}/man5/swanctl.conf.5.*
+%{_mandir}/man8/swanctl.8.*
+
+%files libs0
+%{_tmpfilesdir}/%{name}.conf
+%config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf
+%dir %{strongswan_configs}
+%dir %{strongswan_configs}/charon
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-systemd.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf
+%config(noreplace) 
%attr(600,root,root) %{strongswan_configs}/pki.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pool.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/starter.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/tnc.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/counters.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/drbg.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf +%if %{with afalg} +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/af-alg.conf +%endif +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/agent.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/attr.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/attr-sql.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/blowfish.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ccm.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/certexpire.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/cmac.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/constraints.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/coupling.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ctr.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curl.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/des.conf +%config(noreplace) %attr(600,root,root) 
%{strongswan_configs}/charon/dhcp.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/dnskey.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/duplicheck.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-aka-3gpp2.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-aka.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-dynamic.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-gtc.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-identity.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-md5.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-mschapv2.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-peap.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-radius.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-simaka-pseudonym.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-simaka-reauth.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-simaka-sql.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-sim.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-sim-file.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-sim-pcsc.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-tls.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-tnc.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-ttls.conf +%if %{with farp} +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/farp.conf +%endif +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/fips-prf.conf +%config(noreplace) %attr(600,root,root) 
%{strongswan_configs}/charon/gcm.conf
+%if %{with gcrypt}
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gcrypt.conf
+%endif
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gmp.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ha.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/hmac.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kdf.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kernel-netlink.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ldap.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mgf1.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pgp.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs11.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs12.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs1.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs7.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs8.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pubkey.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/radattr.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/random.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/rc2.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/resolve.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/revocation.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sha1.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sha2.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/smp.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/socket-default.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/soup.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sql.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sshkey.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/stroke.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-11.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-20.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-dynamic.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-imc.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-imv.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-pdp.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-tnccs.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/unity.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/updown.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/x509.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xauth-eap.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xauth-generic.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xauth-pam.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xcbc.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/bypass-lan.conf
+%dir %{strongswan_libdir}
+%if %{with integrity}
+%{strongswan_libdir}/libchecksum.so
+%endif
+%{strongswan_libdir}/libcharon.so.*
+%{strongswan_libdir}/libtpmtss.so.*
+%{strongswan_libdir}/libtpmtss.so
+%{strongswan_libdir}/libvici.so
+%{strongswan_libdir}/libvici.so.*
+%{strongswan_libdir}/libpttls.so.*
+%{strongswan_libdir}/libradius.so.*
+%{strongswan_libdir}/libsimaka.so.*
+%{strongswan_libdir}/libstrongswan.so.*
+%{strongswan_libdir}/libtls.so.*
+%{strongswan_libdir}/libtnccs.so.*
+%{strongswan_libdir}/libimcv.so.*
+%dir %{strongswan_libdir}/imcvs
+%{strongswan_libdir}/imcvs/imc-scanner.so
+%{strongswan_libdir}/imcvs/imc-test.so
+%{strongswan_libdir}/imcvs/imv-scanner.so
+%{strongswan_libdir}/imcvs/imv-test.so
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-addrblock.so
+%{strongswan_plugins}/libstrongswan-aes.so
+%if %{with afalg}
+%{strongswan_plugins}/libstrongswan-af-alg.so
+%endif
+%{strongswan_plugins}/libstrongswan-agent.so
+%{strongswan_plugins}/libstrongswan-attr.so
+%{strongswan_plugins}/libstrongswan-attr-sql.so
+%{strongswan_plugins}/libstrongswan-blowfish.so
+%{strongswan_plugins}/libstrongswan-ccm.so
+%{strongswan_plugins}/libstrongswan-certexpire.so
+%{strongswan_plugins}/libstrongswan-cmac.so
+%{strongswan_plugins}/libstrongswan-counters.so
+%{strongswan_plugins}/libstrongswan-constraints.so
+%{strongswan_plugins}/libstrongswan-coupling.so
+%{strongswan_plugins}/libstrongswan-ctr.so
+%{strongswan_plugins}/libstrongswan-curl.so
+%{strongswan_plugins}/libstrongswan-des.so
+%{strongswan_plugins}/libstrongswan-dhcp.so
+%{strongswan_plugins}/libstrongswan-dnskey.so
+%{strongswan_plugins}/libstrongswan-duplicheck.so
+%{strongswan_plugins}/libstrongswan-eap-aka-3gpp2.so
+%{strongswan_plugins}/libstrongswan-eap-aka.so
+%{strongswan_plugins}/libstrongswan-eap-dynamic.so
+%{strongswan_plugins}/libstrongswan-eap-gtc.so
+%{strongswan_plugins}/libstrongswan-eap-identity.so
+%{strongswan_plugins}/libstrongswan-eap-md5.so
+%{strongswan_plugins}/libstrongswan-eap-mschapv2.so
+%{strongswan_plugins}/libstrongswan-eap-peap.so
+%{strongswan_plugins}/libstrongswan-eap-radius.so
+%{strongswan_plugins}/libstrongswan-eap-sim-file.so
+%{strongswan_plugins}/libstrongswan-eap-sim-pcsc.so
+%{strongswan_plugins}/libstrongswan-eap-sim.so
+%{strongswan_plugins}/libstrongswan-eap-simaka-pseudonym.so
+%{strongswan_plugins}/libstrongswan-eap-simaka-reauth.so
+%{strongswan_plugins}/libstrongswan-eap-simaka-sql.so
+%{strongswan_plugins}/libstrongswan-eap-tls.so
+%{strongswan_plugins}/libstrongswan-eap-tnc.so
+%{strongswan_plugins}/libstrongswan-eap-ttls.so
+%if %{with farp}
+%{strongswan_plugins}/libstrongswan-farp.so
+%endif
+%{strongswan_plugins}/libstrongswan-fips-prf.so
+%{strongswan_plugins}/libstrongswan-gcm.so
+%if %{with gcrypt}
+%{strongswan_plugins}/libstrongswan-gcrypt.so
+%endif
+%{strongswan_plugins}/libstrongswan-gmp.so
+%{strongswan_plugins}/libstrongswan-ha.so
+%{strongswan_plugins}/libstrongswan-hmac.so
+%{strongswan_plugins}/libstrongswan-kdf.so
+%{strongswan_plugins}/libstrongswan-kernel-netlink.so
+%{strongswan_plugins}/libstrongswan-ldap.so
+%{strongswan_plugins}/libstrongswan-led.so
+%{strongswan_plugins}/libstrongswan-md4.so
+%{strongswan_plugins}/libstrongswan-md5.so
+%{strongswan_plugins}/libstrongswan-mgf1.so
+%{strongswan_plugins}/libstrongswan-nonce.so
+%{strongswan_plugins}/libstrongswan-openssl.so
+%{strongswan_plugins}/libstrongswan-pem.so
+%{strongswan_plugins}/libstrongswan-pgp.so
+%{strongswan_plugins}/libstrongswan-pkcs1.so
+%{strongswan_plugins}/libstrongswan-pkcs11.so
+%{strongswan_plugins}/libstrongswan-pkcs12.so
+%{strongswan_plugins}/libstrongswan-pkcs7.so
+%{strongswan_plugins}/libstrongswan-pkcs8.so
+%{strongswan_plugins}/libstrongswan-pubkey.so
+%{strongswan_plugins}/libstrongswan-radattr.so
+%{strongswan_plugins}/libstrongswan-random.so
+%{strongswan_plugins}/libstrongswan-rc2.so
+%{strongswan_plugins}/libstrongswan-resolve.so
+%{strongswan_plugins}/libstrongswan-revocation.so
+%{strongswan_plugins}/libstrongswan-sha1.so
+%{strongswan_plugins}/libstrongswan-sha2.so
+%{strongswan_plugins}/libstrongswan-smp.so
+%{strongswan_plugins}/libstrongswan-socket-default.so
+%{strongswan_plugins}/libstrongswan-soup.so
+%{strongswan_plugins}/libstrongswan-sql.so
+%{strongswan_plugins}/libstrongswan-sshkey.so
+%{strongswan_plugins}/libstrongswan-tnc-imc.so
+%{strongswan_plugins}/libstrongswan-tnc-imv.so
+%{strongswan_plugins}/libstrongswan-tnc-pdp.so
+%{strongswan_plugins}/libstrongswan-tnc-tnccs.so
+%{strongswan_plugins}/libstrongswan-tnccs-11.so
+%{strongswan_plugins}/libstrongswan-tnccs-20.so
+%{strongswan_plugins}/libstrongswan-tnccs-dynamic.so
+%{strongswan_plugins}/libstrongswan-unity.so
+%{strongswan_plugins}/libstrongswan-x509.so
+%{strongswan_plugins}/libstrongswan-xauth-eap.so
+%{strongswan_plugins}/libstrongswan-xauth-generic.so
+%{strongswan_plugins}/libstrongswan-xauth-pam.so
+%{strongswan_plugins}/libstrongswan-xcbc.so
+%{strongswan_plugins}/libstrongswan-curve25519.so
+%{strongswan_plugins}/libstrongswan-vici.so
+%{strongswan_plugins}/libstrongswan-bypass-lan.so
+%dir %{strongswan_datadir}
+%dir %{strongswan_templates}
+%dir %{strongswan_templates}/config
+%dir %{strongswan_templates}/config/plugins
+%dir %{strongswan_templates}/config/strongswan.d
+%dir %{strongswan_templates}/database
+%dir %{strongswan_templates}/database/imv
+%dir %{strongswan_templates}/database/sql
+%{strongswan_templates}/config/strongswan.conf
+%{strongswan_templates}/config/plugins/addrblock.conf
+%{strongswan_templates}/config/plugins/aes.conf
+%if %{with afalg}
+%{strongswan_templates}/config/plugins/af-alg.conf
+%endif
+%{strongswan_templates}/config/plugins/agent.conf
+%{strongswan_templates}/config/plugins/attr-sql.conf
+%{strongswan_templates}/config/plugins/attr.conf
+%{strongswan_templates}/config/plugins/blowfish.conf
+%{strongswan_templates}/config/plugins/ccm.conf
+%{strongswan_templates}/config/plugins/certexpire.conf
+%{strongswan_templates}/config/plugins/cmac.conf
+%{strongswan_templates}/config/plugins/counters.conf
+%{strongswan_templates}/config/plugins/constraints.conf
+%{strongswan_templates}/config/plugins/coupling.conf
+%{strongswan_templates}/config/plugins/ctr.conf
+%{strongswan_templates}/config/plugins/curl.conf
+%{strongswan_templates}/config/plugins/des.conf
+%{strongswan_templates}/config/plugins/dhcp.conf
+%{strongswan_templates}/config/plugins/dnskey.conf
+%{strongswan_templates}/config/plugins/drbg.conf
+%{strongswan_templates}/config/plugins/duplicheck.conf
+%{strongswan_templates}/config/plugins/eap-aka-3gpp2.conf
+%{strongswan_templates}/config/plugins/eap-aka.conf
+%{strongswan_templates}/config/plugins/eap-dynamic.conf
+%{strongswan_templates}/config/plugins/eap-gtc.conf
+%{strongswan_templates}/config/plugins/eap-identity.conf
+%{strongswan_templates}/config/plugins/eap-md5.conf
+%{strongswan_templates}/config/plugins/eap-mschapv2.conf
+%{strongswan_templates}/config/plugins/eap-peap.conf
+%{strongswan_templates}/config/plugins/eap-radius.conf
+%{strongswan_templates}/config/plugins/eap-sim-file.conf
+%{strongswan_templates}/config/plugins/eap-sim-pcsc.conf
+%{strongswan_templates}/config/plugins/eap-sim.conf
+%{strongswan_templates}/config/plugins/eap-simaka-pseudonym.conf
+%{strongswan_templates}/config/plugins/eap-simaka-reauth.conf
+%{strongswan_templates}/config/plugins/eap-simaka-sql.conf
+%{strongswan_templates}/config/plugins/eap-tls.conf
+%{strongswan_templates}/config/plugins/eap-tnc.conf
+%{strongswan_templates}/config/plugins/eap-ttls.conf
+%if %{with farp}
+%{strongswan_templates}/config/plugins/farp.conf
+%endif
+%{strongswan_templates}/config/plugins/fips-prf.conf
+%{strongswan_templates}/config/plugins/gcm.conf
+%if %{with gcrypt}
+%{strongswan_templates}/config/plugins/gcrypt.conf
+%endif
+%{strongswan_templates}/config/plugins/gmp.conf
+%{strongswan_templates}/config/plugins/ha.conf
+%{strongswan_templates}/config/plugins/hmac.conf
+%{strongswan_templates}/config/plugins/kdf.conf
+%{strongswan_templates}/config/plugins/kernel-netlink.conf
+%{strongswan_templates}/config/plugins/ldap.conf
+%{strongswan_templates}/config/plugins/led.conf
+%{strongswan_templates}/config/plugins/md4.conf
+%{strongswan_templates}/config/plugins/md5.conf
+%{strongswan_templates}/config/plugins/mgf1.conf
+%{strongswan_templates}/config/plugins/nonce.conf
+%{strongswan_templates}/config/plugins/openssl.conf
+%{strongswan_templates}/config/plugins/pem.conf
+%{strongswan_templates}/config/plugins/pgp.conf
+%{strongswan_templates}/config/plugins/pkcs1.conf
+%{strongswan_templates}/config/plugins/pkcs11.conf
+%{strongswan_templates}/config/plugins/pkcs12.conf
+%{strongswan_templates}/config/plugins/pkcs7.conf
+%{strongswan_templates}/config/plugins/pkcs8.conf
+%{strongswan_templates}/config/plugins/pubkey.conf
+%{strongswan_templates}/config/plugins/radattr.conf
+%{strongswan_templates}/config/plugins/random.conf
+%{strongswan_templates}/config/plugins/rc2.conf
+%{strongswan_templates}/config/plugins/resolve.conf
+%{strongswan_templates}/config/plugins/revocation.conf
+%{strongswan_templates}/config/plugins/sha1.conf
+%{strongswan_templates}/config/plugins/sha2.conf
+%{strongswan_templates}/config/plugins/smp.conf
+%{strongswan_templates}/config/plugins/socket-default.conf
+%{strongswan_templates}/config/plugins/soup.conf
+%{strongswan_templates}/config/plugins/sql.conf
+%{strongswan_templates}/config/plugins/sshkey.conf
+%{strongswan_templates}/config/plugins/stroke.conf
+%{strongswan_templates}/config/plugins/tnc-imc.conf
+%{strongswan_templates}/config/plugins/tnc-imv.conf
+%{strongswan_templates}/config/plugins/tnc-pdp.conf
+%{strongswan_templates}/config/plugins/tnc-tnccs.conf
+%{strongswan_templates}/config/plugins/tnccs-11.conf
+%{strongswan_templates}/config/plugins/tnccs-20.conf
+%{strongswan_templates}/config/plugins/tnccs-dynamic.conf
+%{strongswan_templates}/config/plugins/unity.conf
+%{strongswan_templates}/config/plugins/updown.conf
+%{strongswan_templates}/config/plugins/x509.conf
+%{strongswan_templates}/config/plugins/xauth-eap.conf
+%{strongswan_templates}/config/plugins/xauth-generic.conf
+%{strongswan_templates}/config/plugins/xauth-pam.conf
+%{strongswan_templates}/config/plugins/xcbc.conf
+%{strongswan_templates}/config/plugins/curve25519.conf
+%{strongswan_templates}/config/plugins/vici.conf
+%{strongswan_templates}/config/plugins/bypass-lan.conf
+%{strongswan_templates}/config/strongswan.d/charon-systemd.conf
+%{strongswan_templates}/config/strongswan.d/charon-logging.conf
+%{strongswan_templates}/config/strongswan.d/charon.conf
+%{strongswan_templates}/config/strongswan.d/imcv.conf
+%{strongswan_templates}/config/strongswan.d/pki.conf
+%{strongswan_templates}/config/strongswan.d/pool.conf
+%{strongswan_templates}/config/strongswan.d/starter.conf
+%{strongswan_templates}/config/strongswan.d/tnc.conf
+%{strongswan_templates}/config/strongswan.d/swanctl.conf
+%{strongswan_templates}/database/imv/data.sql
+%{strongswan_templates}/database/imv/tables.sql
+
+%if %{with nm}
+
+%files nm
+%dir %{_libexecdir}/ipsec
+%dir %{strongswan_plugins}
+%{_libexecdir}/ipsec/charon-nm
+%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
+%endif
+
+%if %{with mysql}
+
+%files mysql
+%dir %{strongswan_libdir}
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-mysql.so
+%dir %{strongswan_configs}
+%dir %{strongswan_configs}/charon
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mysql.conf
+%dir %{strongswan_datadir}
+%dir %{strongswan_templates}
+%dir %{strongswan_templates}/config
+%dir %{strongswan_templates}/config/plugins
+%dir %{strongswan_templates}/database
+%dir %{strongswan_templates}/database/sql
+%{strongswan_templates}/config/plugins/mysql.conf
+%{strongswan_templates}/database/imv/tables-mysql.sql
+%{strongswan_templates}/database/sql/mysql.sql
+%endif
+
+%if %{with sqlite}
+
+%files sqlite
+%dir %{strongswan_libdir}
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-sqlite.so
+%dir %{strongswan_configs}
+%dir %{strongswan_configs}/charon
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sqlite.conf
+%dir %{strongswan_datadir}
+%dir %{strongswan_templates}
+%dir %{strongswan_templates}/config
+%dir %{strongswan_templates}/config/plugins
+%dir %{strongswan_templates}/database
+%dir %{strongswan_templates}/database/sql
+%{strongswan_templates}/config/plugins/sqlite.conf
+%{strongswan_templates}/database/sql/sqlite.sql
+%endif
+
+%if %{with tests}
+
+%files tests
+%dir %{strongswan_configs}
+%dir %{strongswan_configs}/charon
+%{strongswan_configs}/charon/load-tester.conf
+%{strongswan_configs}/charon/test-vectors.conf
+%dir %{strongswan_templates}
+%dir %{strongswan_templates}/config
+%dir %{strongswan_templates}/config/plugins
+%{strongswan_templates}/config/plugins/load-tester.conf
+%{strongswan_templates}/config/plugins/test-vectors.conf
+%dir %{_libexecdir}/ipsec
+%{_libexecdir}/ipsec/conftest
+%{_libexecdir}/ipsec/load-tester
+%dir %{strongswan_libdir}
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-load-tester.so
+%{strongswan_plugins}/libstrongswan-test-vectors.so
+%endif
+
+%changelog
diff --git a/strongswan_ipsec_service.patch b/strongswan_ipsec_service.patch
new file mode 100644
index 0000000..cd9b08a
--- /dev/null
+++ b/strongswan_ipsec_service.patch
@@ -0,0 +1,9 @@
+Index: strongswan-5.6.2/init/systemd/strongswan.service.in
+===================================================================
+--- strongswan-5.6.2.orig/init/systemd-starter/strongswan-starter.service.in	2017-02-07 08:04:04.000000000 +0100
++++ strongswan-5.6.2/init/systemd-starter/strongswan-starter.service.in	2018-04-17 16:53:57.546334751 +0200
+@@ -9,3 +9,4 @@ Restart=on-abnormal
+ 
+ [Install]
+ WantedBy=multi-user.target
++Alias=ipsec.service
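Review bot: The `Index:` header in the new patch file names `init/systemd/strongswan.service.in`, but the `---`/`+++` lines that actually drive patch application name `init/systemd-starter/strongswan-starter.service.in`, so the header misdescribes which unit receives the `Alias=ipsec.service` line. Both paths are also prefixed with `strongswan-5.6.2` while this package ships `strongswan-5.9.12.tar.bz2`; with `-p1` the prefix is stripped so the patch still applies, but the stale header makes it look like it belongs to an older source tree. If the `Index:` line is kept it should match the real target, e.g. `Index: strongswan-5.6.2/init/systemd-starter/strongswan-starter.service.in`, or be dropped since GNU patch does not need it. A one-line comment above the header stating the intent, `# Provide the legacy 'ipsec.service' unit name as an alias of the starter unit`, would also tell a maintainer why the alias is applied to the starter unit and not to `strongswan.service`.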