2007-12-13 04:49:24 +01:00
|
|
|
#
|
2011-06-28 11:25:23 +02:00
|
|
|
# spec file for package strongswan
|
2007-12-13 04:49:24 +01:00
|
|
|
#
|
2023-01-03 14:25:43 +01:00
|
|
|
# Copyright (c) 2023 SUSE LLC
|
2007-12-13 04:49:24 +01:00
|
|
|
#
|
2008-08-28 12:57:23 +02:00
|
|
|
# All modifications and additions to the file contributed by third parties
|
|
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
|
|
# upon. The license for this file, and modifications and additions to the
|
|
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
|
|
# license for the pristine package is not an Open Source License, in which
|
|
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
|
|
# published by the Open Source Initiative.
|
|
|
|
|
2020-01-30 16:50:32 +01:00
|
|
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
2007-12-13 04:49:24 +01:00
|
|
|
#
|
|
|
|
|
2012-02-15 13:52:12 +01:00
|
|
|
|
2007-12-13 04:49:24 +01:00
|
|
|
Name: strongswan
|
2023-06-12 17:41:55 +02:00
|
|
|
Version: 5.9.11
|
2011-12-22 14:01:09 +01:00
|
|
|
Release: 0
|
2014-04-14 09:44:26 +02:00
|
|
|
%define upstream_version %{version}
|
|
|
|
%define strongswan_docdir %{_docdir}/%{name}
|
|
|
|
%define strongswan_libdir %{_libdir}/ipsec
|
|
|
|
%define strongswan_configs %{_sysconfdir}/strongswan.d
|
|
|
|
%define strongswan_datadir %{_datadir}/strongswan
|
2014-04-15 08:12:43 +02:00
|
|
|
%define strongswan_plugins %{strongswan_libdir}/plugins
|
2014-04-14 09:44:26 +02:00
|
|
|
%define strongswan_templates %{strongswan_datadir}/templates
|
2012-10-31 17:08:08 +01:00
|
|
|
%if 0
|
|
|
|
%bcond_without tests
|
|
|
|
%else
|
|
|
|
%bcond_with tests
|
|
|
|
%endif
|
2014-11-21 16:23:47 +01:00
|
|
|
%if 0%{suse_version} > 1310
|
|
|
|
%bcond_without fipscheck
|
|
|
|
%else
|
|
|
|
%bcond_with fipscheck
|
|
|
|
%endif
|
2014-11-21 13:01:59 +01:00
|
|
|
%ifarch %{ix86} ppc64le
|
|
|
|
%bcond_without integrity
|
|
|
|
%else
|
|
|
|
%bcond_with integrity
|
|
|
|
%endif
|
2014-09-26 18:21:04 +02:00
|
|
|
%if 0%{suse_version} > 1110
|
|
|
|
%bcond_without farp
|
|
|
|
%bcond_without afalg
|
2014-09-26 18:35:26 +02:00
|
|
|
%bcond_without mysql
|
|
|
|
%bcond_without sqlite
|
|
|
|
%bcond_without gcrypt
|
2012-10-31 17:08:08 +01:00
|
|
|
%bcond_without nm
|
|
|
|
%else
|
2014-09-26 18:21:04 +02:00
|
|
|
%bcond_with farp
|
|
|
|
%bcond_with afalg
|
2014-09-26 18:35:26 +02:00
|
|
|
%bcond_with mysql
|
|
|
|
%bcond_with sqlite
|
|
|
|
%bcond_with gcrypt
|
2012-10-31 17:08:08 +01:00
|
|
|
%bcond_with nm
|
|
|
|
%endif
|
2020-01-30 16:50:32 +01:00
|
|
|
Summary: IPsec-based VPN solution
|
|
|
|
License: GPL-2.0-or-later
|
2011-12-22 14:01:09 +01:00
|
|
|
Group: Productivity/Networking/Security
|
2020-01-30 16:50:32 +01:00
|
|
|
URL: https://www.strongswan.org/
|
2007-12-13 04:49:24 +01:00
|
|
|
Source0: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
|
|
|
|
Source1: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
|
|
|
|
Source2: %{name}.init.in
|
2020-01-30 16:50:32 +01:00
|
|
|
Source3: %{name}-rpmlintrc
|
2010-07-02 16:19:28 +02:00
|
|
|
Source4: README.SUSE
|
2012-12-04 11:25:06 +01:00
|
|
|
Source5: %{name}.keyring
|
2014-11-21 16:23:47 +01:00
|
|
|
%if %{with fipscheck}
|
2014-11-21 13:01:59 +01:00
|
|
|
Source6: fipscheck.sh.in
|
|
|
|
Source7: fips-enforce.conf
|
2014-11-21 16:23:47 +01:00
|
|
|
%endif
|
2012-10-31 17:08:08 +01:00
|
|
|
Patch2: %{name}_ipsec_service.patch
|
2014-11-21 16:23:47 +01:00
|
|
|
%if %{with fipscheck}
|
2014-11-21 13:01:59 +01:00
|
|
|
Patch3: %{name}_fipscheck.patch
|
2014-11-21 16:23:47 +01:00
|
|
|
%endif
|
2017-08-01 09:21:05 +02:00
|
|
|
Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
|
2023-01-03 14:25:43 +01:00
|
|
|
Patch6: harden_strongswan.service.patch
|
2011-12-22 14:01:09 +01:00
|
|
|
BuildRequires: bison
|
|
|
|
BuildRequires: curl-devel
|
|
|
|
BuildRequires: flex
|
|
|
|
BuildRequires: gmp-devel
|
|
|
|
BuildRequires: gperf
|
2009-07-14 23:56:37 +02:00
|
|
|
BuildRequires: libcap-devel
|
|
|
|
BuildRequires: libopenssl-devel
|
2007-12-13 04:49:24 +01:00
|
|
|
BuildRequires: openldap2-devel
|
2011-12-22 14:01:09 +01:00
|
|
|
BuildRequires: pam-devel
|
2012-10-30 18:16:52 +01:00
|
|
|
BuildRequires: pcsc-lite-devel
|
2011-12-22 14:01:09 +01:00
|
|
|
BuildRequires: pkg-config
|
2021-09-28 11:20:42 +02:00
|
|
|
BuildRequires: pkgconfig(libsoup-2.4)
|
2012-10-31 17:08:08 +01:00
|
|
|
%if %{with mysql}
|
2010-11-22 10:10:09 +01:00
|
|
|
BuildRequires: libmysqlclient-devel
|
|
|
|
%endif
|
2012-10-31 17:08:08 +01:00
|
|
|
%if %{with sqlite}
|
2010-08-10 13:47:44 +02:00
|
|
|
BuildRequires: sqlite3-devel
|
2010-05-31 18:22:37 +02:00
|
|
|
%endif
|
2012-10-31 17:08:08 +01:00
|
|
|
%if %{with gcrypt}
|
2010-11-22 10:10:09 +01:00
|
|
|
BuildRequires: libgcrypt-devel
|
|
|
|
%endif
|
2012-10-31 17:08:08 +01:00
|
|
|
%if %{with nm}
|
2020-01-30 16:50:32 +01:00
|
|
|
BuildRequires: pkgconfig(libnm)
|
2010-11-22 10:10:09 +01:00
|
|
|
%endif
|
2014-09-26 18:21:04 +02:00
|
|
|
%{?systemd_requires}
|
2011-12-22 14:01:09 +01:00
|
|
|
BuildRequires: iptables
|
2023-04-05 02:16:41 +02:00
|
|
|
BuildRequires: pkgconfig(libsystemd)
|
2014-06-27 10:04:24 +02:00
|
|
|
%{!?_rundir: %global _rundir /run}
|
|
|
|
%{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d}
|
2014-11-21 13:01:59 +01:00
|
|
|
BuildRequires: autoconf
|
|
|
|
BuildRequires: automake
|
2014-11-21 16:23:47 +01:00
|
|
|
%if %{with fipscheck}
|
2014-11-21 13:01:59 +01:00
|
|
|
BuildRequires: fipscheck
|
2014-11-21 16:23:47 +01:00
|
|
|
%endif
|
2014-11-21 13:01:59 +01:00
|
|
|
BuildRequires: libtool
|
2020-01-30 16:50:32 +01:00
|
|
|
Requires: strongswan-ipsec = %{version}
|
2007-12-13 04:49:24 +01:00
|
|
|
|
|
|
|
%description
|
2020-01-30 16:50:32 +01:00
|
|
|
StrongSwan is an IPsec-based VPN solution for Linux.
|
2007-12-13 04:49:24 +01:00
|
|
|
|
2020-01-30 16:50:32 +01:00
|
|
|
* Implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
|
2010-03-05 11:51:28 +01:00
|
|
|
* Fully tested support of IPv6 IPsec tunnel and transport connections
|
2020-01-30 16:50:32 +01:00
|
|
|
* Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555)
|
2010-03-05 11:51:28 +01:00
|
|
|
* Automatic insertion and deletion of IPsec-policy-based firewall rules
|
|
|
|
* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
|
2020-01-30 16:50:32 +01:00
|
|
|
* NAT Traversal via UDP encapsulation and port floating (RFC 3947)
|
2007-12-13 04:49:24 +01:00
|
|
|
* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
|
2020-01-30 16:50:32 +01:00
|
|
|
* Static virtual IP addresses and IKEv1 ModeConfig pull and push modes
|
2010-03-05 11:51:28 +01:00
|
|
|
* XAUTH server and client functionality on top of IKEv1 Main Mode authentication
|
|
|
|
* Virtual IP address pool managed by IKE daemon or SQL database
|
|
|
|
* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
|
|
|
|
* Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
|
|
|
|
* Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
|
2007-12-13 04:49:24 +01:00
|
|
|
* Authentication based on X.509 certificates or preshared keys
|
2010-03-05 11:51:28 +01:00
|
|
|
* Generation of a default self-signed certificate during first strongSwan startup
|
|
|
|
* Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
|
|
|
|
* Full support of the Online Certificate Status Protocol (OCSP, RCF 2560).
|
2007-12-13 04:49:24 +01:00
|
|
|
* CA management (OCSP and CRL URIs, default LDAP server)
|
|
|
|
* Powerful IPsec policies based on wildcards or intermediate CAs
|
2010-03-05 11:51:28 +01:00
|
|
|
* Group policies based on X.509 attribute certificates (RFC 3281)
|
|
|
|
* Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
|
|
|
|
* Modular plugins for crypto algorithms and relational database interfaces
|
|
|
|
* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
|
|
|
|
* Optional built-in integrity and crypto tests for plugins and libraries
|
2020-01-30 16:50:32 +01:00
|
|
|
* Linux desktop integration via the strongSwan NetworkManager applet
|
2007-12-13 04:49:24 +01:00
|
|
|
|
2010-05-31 18:22:37 +02:00
|
|
|
This package triggers the installation of both, IKEv1 and IKEv2 daemons.
|
2007-12-13 04:49:24 +01:00
|
|
|
|
|
|
|
%package doc
|
2020-01-30 16:50:32 +01:00
|
|
|
Summary: Documentation for strongSwan
|
|
|
|
Group: Documentation/Man
|
2020-01-26 10:22:43 +01:00
|
|
|
BuildArch: noarch
|
2007-12-13 04:49:24 +01:00
|
|
|
|
|
|
|
%description doc
|
2020-01-30 16:50:32 +01:00
|
|
|
StrongSwan is an IPsec-based VPN solution for Linux.
|
2007-12-13 04:49:24 +01:00
|
|
|
|
|
|
|
This package provides the StrongSwan documentation.
|
|
|
|
|
2010-05-31 18:22:37 +02:00
|
|
|
%package libs0
|
2020-01-30 16:50:32 +01:00
|
|
|
Summary: strongSwan core libraries and basic plugins
|
2012-05-10 12:02:51 +02:00
|
|
|
Group: Productivity/Networking/Security
|
2010-05-31 18:22:37 +02:00
|
|
|
Conflicts: strongswan < %{version}
|
|
|
|
|
|
|
|
%description libs0
|
2020-01-30 16:50:32 +01:00
|
|
|
StrongSwan is an IPsec-based VPN solution for Linux.
|
2010-05-31 18:22:37 +02:00
|
|
|
|
|
|
|
This package provides the strongswan library and plugins.
|
|
|
|
|
2014-09-26 18:21:04 +02:00
|
|
|
%package hmac
|
2020-01-30 16:50:32 +01:00
|
|
|
Summary: HMAC files for FIPS-140-2 integrity in strongSwan
|
2014-09-26 18:21:04 +02:00
|
|
|
Group: Productivity/Networking/Security
|
2014-11-21 13:01:59 +01:00
|
|
|
Requires: fipscheck
|
|
|
|
Requires: strongswan-ipsec = %{version}
|
2014-09-26 18:21:04 +02:00
|
|
|
Requires: strongswan-libs0 = %{version}
|
|
|
|
|
|
|
|
%description hmac
|
2014-11-25 12:25:10 +01:00
|
|
|
The package provides HMAC hash files for FIPS-140-2 integrity checks,
|
|
|
|
a config file disabling alternative algorithm implementations and a
|
|
|
|
_fipscheck helper script preforming the integrity checks before e.g.
|
|
|
|
"ipsec start" action is executed, when FIPS-140-2 compliant operation
|
|
|
|
mode is enabled.
|
2014-09-26 18:21:04 +02:00
|
|
|
|
2010-05-31 18:22:37 +02:00
|
|
|
%package ipsec
|
2020-01-30 16:50:32 +01:00
|
|
|
Summary: IPsec-based VPN solution
|
2012-05-10 12:02:51 +02:00
|
|
|
Group: Productivity/Networking/Security
|
|
|
|
Requires: strongswan-libs0 = %{version}
|
|
|
|
Provides: VPN
|
|
|
|
Provides: ipsec
|
|
|
|
Provides: strongswan = %{version}
|
2010-05-31 18:22:37 +02:00
|
|
|
Obsoletes: strongswan < %{version}
|
2023-01-03 14:25:43 +01:00
|
|
|
Conflicts: freeswan
|
|
|
|
Conflicts: openswan
|
2010-05-31 18:22:37 +02:00
|
|
|
|
|
|
|
%description ipsec
|
2020-01-30 16:50:32 +01:00
|
|
|
StrongSwan is an IPsec-based VPN solution for Linux.
|
2010-05-31 18:22:37 +02:00
|
|
|
|
|
|
|
This package provides the /etc/init.d/ipsec service script and allows
|
2020-01-30 16:50:32 +01:00
|
|
|
to maintain both IKEv1 and IKEv2 using the /etc/ipsec.conf and the
|
2023-01-03 14:25:43 +01:00
|
|
|
/etc/ipsec.secrets files.
|
2010-05-31 18:22:37 +02:00
|
|
|
|
2010-11-22 10:10:09 +01:00
|
|
|
%package mysql
|
2020-01-30 16:50:32 +01:00
|
|
|
Summary: MySQL plugin for strongSwan
|
2012-05-10 12:02:51 +02:00
|
|
|
Group: Productivity/Networking/Security
|
2010-11-22 10:10:09 +01:00
|
|
|
Requires: strongswan-libs0 = %{version}
|
|
|
|
|
|
|
|
%description mysql
|
2020-01-30 16:50:32 +01:00
|
|
|
StrongSwan is an IPsec-based VPN solution for Linux.
|
2010-05-31 18:22:37 +02:00
|
|
|
|
2010-11-22 10:10:09 +01:00
|
|
|
This package provides the strongswan mysql plugin.
|
|
|
|
|
|
|
|
%package sqlite
|
2020-01-30 16:50:32 +01:00
|
|
|
Summary: SQLite plugin for strongSwan
|
2012-05-10 12:02:51 +02:00
|
|
|
Group: Productivity/Networking/Security
|
2010-11-22 10:10:09 +01:00
|
|
|
Requires: strongswan-libs0 = %{version}
|
|
|
|
|
|
|
|
%description sqlite
|
2020-01-30 16:50:32 +01:00
|
|
|
StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
|
2010-11-22 10:10:09 +01:00
|
|
|
|
|
|
|
This package provides the strongswan sqlite plugin.
|
|
|
|
|
2010-05-31 18:22:37 +02:00
|
|
|
%package nm
|
2020-01-30 16:50:32 +01:00
|
|
|
Summary: NetworkManager plugin for strongSwan
|
2012-05-10 12:02:51 +02:00
|
|
|
Group: Productivity/Networking/Security
|
|
|
|
Requires: strongswan-libs0 = %{version}
|
2010-05-31 18:22:37 +02:00
|
|
|
|
|
|
|
%description nm
|
2020-01-30 16:50:32 +01:00
|
|
|
StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
|
2010-05-31 18:22:37 +02:00
|
|
|
|
|
|
|
This package provides the NetworkManager plugin to control the
|
|
|
|
charon IKEv2 daemon through D-Bus, designed to work using the
|
|
|
|
NetworkManager-strongswan graphical user interface.
|
|
|
|
|
2010-11-22 10:10:09 +01:00
|
|
|
%package tests
|
2020-01-30 16:50:32 +01:00
|
|
|
Summary: Testing plugins for strongSwan
|
2012-05-10 12:02:51 +02:00
|
|
|
Group: Productivity/Networking/Security
|
2010-11-22 10:10:09 +01:00
|
|
|
Requires: strongswan-libs0 = %{version}
|
|
|
|
|
|
|
|
%description tests
|
2020-01-30 16:50:32 +01:00
|
|
|
StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
|
2010-11-22 10:10:09 +01:00
|
|
|
|
2020-01-30 16:50:32 +01:00
|
|
|
This package provides the strongswan crypto test vectors plugin
|
2010-11-22 10:10:09 +01:00
|
|
|
and the load testing plugin for IKEv2 daemon.
|
|
|
|
|
2007-12-13 04:49:24 +01:00
|
|
|
%prep
|
|
|
|
%setup -q -n %{name}-%{upstream_version}
|
2020-01-30 16:50:32 +01:00
|
|
|
%patch2 -p1
|
2014-11-21 16:26:23 +01:00
|
|
|
%if %{with fipscheck}
|
2017-08-01 09:21:05 +02:00
|
|
|
%patch3 -p1
|
2014-11-21 16:26:23 +01:00
|
|
|
%endif
|
2017-08-01 09:21:05 +02:00
|
|
|
%patch5 -p1
|
2007-12-13 04:49:24 +01:00
|
|
|
sed -e 's|@libexecdir@|%_libexecdir|g' \
|
2020-01-30 16:50:32 +01:00
|
|
|
< %{_sourcedir}/strongswan.init.in \
|
2007-12-13 04:49:24 +01:00
|
|
|
> strongswan.init
|
2014-11-21 16:23:47 +01:00
|
|
|
%if %{with fipscheck}
|
2014-11-21 13:01:59 +01:00
|
|
|
sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \
|
|
|
|
-e 's|@IPSEC_LIBDIR@|%{_libdir}/ipsec|g' \
|
|
|
|
-e 's|@IPSEC_SBINDIR@|%{_sbindir}|g' \
|
|
|
|
-e 's|@IPSEC_BINDIR@|%{_bindir}|g' \
|
2020-01-30 16:50:32 +01:00
|
|
|
< %{_sourcedir}/fipscheck.sh.in \
|
2014-11-21 13:01:59 +01:00
|
|
|
> _fipscheck
|
2014-11-21 16:23:47 +01:00
|
|
|
%endif
|
2021-11-27 15:21:41 +01:00
|
|
|
%patch6 -p1
|
2007-12-13 04:49:24 +01:00
|
|
|
|
|
|
|
%build
|
2020-01-30 16:50:32 +01:00
|
|
|
CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"
|
|
|
|
export CFLAGS
|
2014-11-21 13:01:59 +01:00
|
|
|
autoreconf --force --install
|
2007-12-13 04:49:24 +01:00
|
|
|
%configure \
|
2014-11-21 13:01:59 +01:00
|
|
|
%if %{with integrity}
|
2009-07-30 23:00:09 +02:00
|
|
|
--enable-integrity-test \
|
2014-11-21 13:01:59 +01:00
|
|
|
%endif
|
2009-07-14 23:56:37 +02:00
|
|
|
--with-capabilities=libcap \
|
2010-05-31 18:22:37 +02:00
|
|
|
--with-plugindir=%{strongswan_plugins} \
|
2014-06-27 10:04:24 +02:00
|
|
|
--with-resolv-conf=%{_rundir}/%{name}/resolv.conf \
|
|
|
|
--with-piddir=%{_rundir}/%{name} \
|
2020-01-30 16:50:32 +01:00
|
|
|
--enable-systemd \
|
2014-11-21 16:23:47 +01:00
|
|
|
--with-systemdsystemunitdir=%{_unitdir} \
|
2012-10-30 18:16:52 +01:00
|
|
|
--enable-pkcs11 \
|
2009-07-14 23:56:37 +02:00
|
|
|
--enable-openssl \
|
2010-05-31 18:22:37 +02:00
|
|
|
--enable-agent \
|
2014-09-26 18:21:04 +02:00
|
|
|
%if %{with gcrypt}
|
2012-10-30 18:16:52 +01:00
|
|
|
--enable-gcrypt \
|
2014-09-26 18:21:04 +02:00
|
|
|
%else
|
|
|
|
--disable-gcrypt \
|
|
|
|
%endif
|
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
* Support of xfrm marks in IPsec SAs and IPsec policies introduced
with the Linux 2.6.34 kernel.
For details see the example scenarios ikev2/nat-two-rw-mark,
ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
* The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
used in a user-specific updown script to set marks on inbound ESP
or ESP_IN_UDP packets.
* The openssl plugin now supports X.509 certificate and CRL functions.
* OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default.
Plase update manual load directives in strongswan.conf.
* RFC3779 ipAddrBlock constraint checking has been moved to the
addrblock plugin, disabled by default. Enable it and update manual
load directives in strongswan.conf, if required.
* The pki utility supports CRL generation using the --signcrl command.
* The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
* The major refactoring of the IKEv1 Mode Config functionality now
allows the transport and handling of any Mode Config attribute.
* The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are degraded by the
selection process.
* The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
* The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
EAP-AKA, reading triplets/quintuplets from an SQL database.
* The High Availability plugin now supports a HA enabled in-memory
address pool and Node reintegration without IKE_SA rekeying. The
latter allows clients without IKE_SA rekeying support to keep
connected during reintegration. Additionally, many other issues
have been fixed in the ha plugin.
* Fixed a potential remote code execution vulnerability resulting
from the misuse of snprintf(). The vulnerability is exploitable
by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
that are packaged into separate mysql,sqlite,tests sub packages.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
|
|
|
--enable-blowfish \
|
2012-10-30 18:16:52 +01:00
|
|
|
--enable-ctr \
|
|
|
|
--enable-ccm \
|
|
|
|
--enable-gcm \
|
|
|
|
--enable-unity \
|
|
|
|
--enable-md4 \
|
2014-09-26 18:21:04 +02:00
|
|
|
%if %{with afalg}
|
2012-10-30 18:16:52 +01:00
|
|
|
--enable-af-alg \
|
2014-09-26 18:21:04 +02:00
|
|
|
%endif
|
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
* Support of xfrm marks in IPsec SAs and IPsec policies introduced
with the Linux 2.6.34 kernel.
For details see the example scenarios ikev2/nat-two-rw-mark,
ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
* The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
used in a user-specific updown script to set marks on inbound ESP
or ESP_IN_UDP packets.
* The openssl plugin now supports X.509 certificate and CRL functions.
* OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default.
Plase update manual load directives in strongswan.conf.
* RFC3779 ipAddrBlock constraint checking has been moved to the
addrblock plugin, disabled by default. Enable it and update manual
load directives in strongswan.conf, if required.
* The pki utility supports CRL generation using the --signcrl command.
* The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
* The major refactoring of the IKEv1 Mode Config functionality now
allows the transport and handling of any Mode Config attribute.
* The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are degraded by the
selection process.
* The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
* The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
EAP-AKA, reading triplets/quintuplets from an SQL database.
* The High Availability plugin now supports a HA enabled in-memory
address pool and Node reintegration without IKE_SA rekeying. The
latter allows clients without IKE_SA rekeying support to keep
connected during reintegration. Additionally, many other issues
have been fixed in the ha plugin.
* Fixed a potential remote code execution vulnerability resulting
from the misuse of snprintf(). The vulnerability is exploitable
by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
that are packaged into separate mysql,sqlite,tests sub packages.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
|
|
|
--enable-eap-sim \
|
|
|
|
--enable-eap-sim-file \
|
2012-10-30 18:16:52 +01:00
|
|
|
--enable-eap-sim-pcsc \
|
|
|
|
--enable-eap-aka \
|
|
|
|
--enable-eap-aka-3gpp2 \
|
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
* Support of xfrm marks in IPsec SAs and IPsec policies introduced
with the Linux 2.6.34 kernel.
For details see the example scenarios ikev2/nat-two-rw-mark,
ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
* The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
used in a user-specific updown script to set marks on inbound ESP
or ESP_IN_UDP packets.
* The openssl plugin now supports X.509 certificate and CRL functions.
* OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default.
Plase update manual load directives in strongswan.conf.
* RFC3779 ipAddrBlock constraint checking has been moved to the
addrblock plugin, disabled by default. Enable it and update manual
load directives in strongswan.conf, if required.
* The pki utility supports CRL generation using the --signcrl command.
* The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
* The major refactoring of the IKEv1 Mode Config functionality now
allows the transport and handling of any Mode Config attribute.
* The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are degraded by the
selection process.
* The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
* The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
EAP-AKA, reading triplets/quintuplets from an SQL database.
* The High Availability plugin now supports a HA enabled in-memory
address pool and Node reintegration without IKE_SA rekeying. The
latter allows clients without IKE_SA rekeying support to keep
connected during reintegration. Additionally, many other issues
have been fixed in the ha plugin.
* Fixed a potential remote code execution vulnerability resulting
from the misuse of snprintf(). The vulnerability is exploitable
by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
that are packaged into separate mysql,sqlite,tests sub packages.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
|
|
|
--enable-eap-simaka-sql \
|
|
|
|
--enable-eap-simaka-pseudonym \
|
|
|
|
--enable-eap-simaka-reauth \
|
2012-10-30 18:16:52 +01:00
|
|
|
--enable-eap-identity \
|
2010-05-31 18:22:37 +02:00
|
|
|
--enable-eap-md5 \
|
|
|
|
--enable-eap-gtc \
|
|
|
|
--enable-eap-mschapv2 \
|
2012-10-30 18:16:52 +01:00
|
|
|
--enable-eap-tls \
|
|
|
|
--enable-eap-ttls \
|
|
|
|
--enable-eap-peap \
|
|
|
|
--enable-eap-tnc \
|
|
|
|
--enable-eap-dynamic \
|
|
|
|
--enable-eap-radius \
|
|
|
|
--enable-xauth-eap \
|
|
|
|
--enable-xauth-pam \
|
2012-10-31 17:08:08 +01:00
|
|
|
--enable-tnc-pdp \
|
|
|
|
--enable-tnc-imc \
|
|
|
|
--enable-tnc-imv \
|
|
|
|
--enable-tnccs-11 \
|
|
|
|
--enable-tnccs-20 \
|
|
|
|
--enable-tnccs-dynamic \
|
|
|
|
--enable-imc-test \
|
|
|
|
--enable-imv-test \
|
|
|
|
--enable-imc-scanner \
|
|
|
|
--enable-imv-scanner \
|
2010-05-31 18:22:37 +02:00
|
|
|
--enable-ha \
|
|
|
|
--enable-dhcp \
|
2014-09-26 18:21:04 +02:00
|
|
|
%if %{with farp}
|
2010-05-31 18:22:37 +02:00
|
|
|
--enable-farp \
|
2014-09-26 18:21:04 +02:00
|
|
|
%endif
|
2012-10-30 18:16:52 +01:00
|
|
|
--enable-smp \
|
2010-05-31 18:22:37 +02:00
|
|
|
--enable-sql \
|
|
|
|
--enable-attr-sql \
|
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
* Support of xfrm marks in IPsec SAs and IPsec policies introduced
with the Linux 2.6.34 kernel.
For details see the example scenarios ikev2/nat-two-rw-mark,
ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
* The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
used in a user-specific updown script to set marks on inbound ESP
or ESP_IN_UDP packets.
* The openssl plugin now supports X.509 certificate and CRL functions.
* OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default.
Plase update manual load directives in strongswan.conf.
* RFC3779 ipAddrBlock constraint checking has been moved to the
addrblock plugin, disabled by default. Enable it and update manual
load directives in strongswan.conf, if required.
* The pki utility supports CRL generation using the --signcrl command.
* The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
* The major refactoring of the IKEv1 Mode Config functionality now
allows the transport and handling of any Mode Config attribute.
* The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are degraded by the
selection process.
* The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
* The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
EAP-AKA, reading triplets/quintuplets from an SQL database.
* The High Availability plugin now supports a HA enabled in-memory
address pool and Node reintegration without IKE_SA rekeying. The
latter allows clients without IKE_SA rekeying support to keep
connected during reintegration. Additionally, many other issues
have been fixed in the ha plugin.
* Fixed a potential remote code execution vulnerability resulting
from the misuse of snprintf(). The vulnerability is exploitable
by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
that are packaged into separate mysql,sqlite,tests sub packages.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
|
|
|
--enable-addrblock \
|
2012-10-30 18:16:52 +01:00
|
|
|
--enable-radattr \
|
|
|
|
--enable-mediation \
|
|
|
|
--enable-led \
|
|
|
|
--enable-certexpire \
|
|
|
|
--enable-duplicheck \
|
|
|
|
--enable-coupling \
|
2012-10-31 17:08:08 +01:00
|
|
|
%if %{with mysql}
|
2010-11-22 10:10:09 +01:00
|
|
|
--enable-mysql \
|
|
|
|
%endif
|
2012-10-31 17:08:08 +01:00
|
|
|
%if %{with sqlite}
|
2010-11-22 10:10:09 +01:00
|
|
|
--enable-sqlite \
|
|
|
|
%endif
|
2012-10-31 17:08:08 +01:00
|
|
|
%if %{with nm}
|
2010-05-31 18:22:37 +02:00
|
|
|
--enable-nm \
|
2013-04-30 15:10:58 +02:00
|
|
|
%else
|
|
|
|
--disable-nm \
|
2010-05-14 21:20:22 +02:00
|
|
|
%endif
|
2012-10-31 17:08:08 +01:00
|
|
|
%if %{with tests}
|
2014-09-26 18:21:04 +02:00
|
|
|
--enable-conftest \
|
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
* Support of xfrm marks in IPsec SAs and IPsec policies introduced
with the Linux 2.6.34 kernel.
For details see the example scenarios ikev2/nat-two-rw-mark,
ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
* The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
used in a user-specific updown script to set marks on inbound ESP
or ESP_IN_UDP packets.
* The openssl plugin now supports X.509 certificate and CRL functions.
* OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default.
Plase update manual load directives in strongswan.conf.
* RFC3779 ipAddrBlock constraint checking has been moved to the
addrblock plugin, disabled by default. Enable it and update manual
load directives in strongswan.conf, if required.
* The pki utility supports CRL generation using the --signcrl command.
* The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
* The major refactoring of the IKEv1 Mode Config functionality now
allows the transport and handling of any Mode Config attribute.
* The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are degraded by the
selection process.
* The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
* The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
EAP-AKA, reading triplets/quintuplets from an SQL database.
* The High Availability plugin now supports a HA enabled in-memory
address pool and Node reintegration without IKE_SA rekeying. The
latter allows clients without IKE_SA rekeying support to keep
connected during reintegration. Additionally, many other issues
have been fixed in the ha plugin.
* Fixed a potential remote code execution vulnerability resulting
from the misuse of snprintf(). The vulnerability is exploitable
by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
that are packaged into separate mysql,sqlite,tests sub packages.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
|
|
|
--enable-load-tester \
|
2010-11-22 10:10:09 +01:00
|
|
|
--enable-test-vectors \
|
|
|
|
%endif
|
|
|
|
--enable-ldap \
|
2012-10-30 18:16:52 +01:00
|
|
|
--enable-soup \
|
2014-06-27 10:04:24 +02:00
|
|
|
--enable-curl \
|
2020-09-01 17:38:16 +02:00
|
|
|
--enable-bypass-lan \
|
2014-06-27 10:04:24 +02:00
|
|
|
--disable-static
|
2022-04-30 10:43:01 +02:00
|
|
|
%make_build
|
2007-12-13 04:49:24 +01:00
|
|
|
|
|
|
|
%install
|
2020-01-30 16:50:32 +01:00
|
|
|
install -d -m755 %{buildroot}/%{_sbindir}/
|
|
|
|
install -d -m755 %{buildroot}/%{_sysconfdir}/ipsec.d/
|
|
|
|
ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcstrongswan
|
2023-04-05 02:16:41 +02:00
|
|
|
ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcstrongswan-starter
|
|
|
|
ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcipsec
|
2007-12-13 04:49:24 +01:00
|
|
|
#
|
2014-11-21 13:01:59 +01:00
|
|
|
# Ensure, plugin -> library dependencies can be resolved
|
|
|
|
# (e.g. libtls) to avoid plugin segment checksum errors.
|
|
|
|
#
|
2020-01-30 16:50:32 +01:00
|
|
|
LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
|
|
|
|
%make_install
|
2007-12-13 04:49:24 +01:00
|
|
|
#
|
2014-11-21 13:01:59 +01:00
|
|
|
# checksums are calculated during make install using the
|
|
|
|
# installed binaries/libraries... but find-debuginfo.sh
|
|
|
|
# extracts debuginfo/debugsource breaking file checksums.
|
|
|
|
# let find-debuginfo.sh run on a build root copy and then
|
|
|
|
# calculate the checksums.
|
|
|
|
#
|
|
|
|
%if %{with integrity}
|
|
|
|
%{?__debug_package:
|
|
|
|
if test -x %{_rpmconfigdir}/find-debuginfo.sh ; then
|
2020-01-30 16:50:32 +01:00
|
|
|
cp -a "%{buildroot}" "%{buildroot}-$$"
|
|
|
|
RPM_BUILD_ROOT="%{buildroot}-$$" \
|
2014-11-21 13:01:59 +01:00
|
|
|
%{_rpmconfigdir}/find-debuginfo.sh \
|
2020-01-30 16:50:32 +01:00
|
|
|
%{?_find_debuginfo_opts} "%{buildroot}-$$"
|
2014-11-21 13:01:59 +01:00
|
|
|
make -C src/checksum clean
|
|
|
|
rm -f src/checksum/checksum_builder
|
2020-01-30 16:50:32 +01:00
|
|
|
LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
|
|
|
|
make -C src/checksum install DESTDIR="%{buildroot}-$$"
|
|
|
|
mv "%{buildroot}-$$/%{strongswan_libdir}/libchecksum.so" \
|
|
|
|
"%{buildroot}/%{strongswan_libdir}/libchecksum.so"
|
|
|
|
rm -rf "%{buildroot}-$$"
|
2014-11-21 13:01:59 +01:00
|
|
|
fi
|
|
|
|
}
|
|
|
|
%endif
|
|
|
|
#
|
2020-01-30 16:50:32 +01:00
|
|
|
rm -f %{buildroot}/%{_sysconfdir}/ipsec.secrets
|
|
|
|
cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets
|
2007-12-13 04:49:24 +01:00
|
|
|
#
|
|
|
|
# ipsec.secrets
|
|
|
|
#
|
|
|
|
# This file holds the RSA private keys or the PSK preshared secrets for
|
|
|
|
# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
|
|
|
|
#
|
|
|
|
EOT
|
|
|
|
#
|
2014-09-26 18:21:04 +02:00
|
|
|
%if ! %{with mysql}
|
2020-01-30 16:50:32 +01:00
|
|
|
rm -f %{buildroot}/%{strongswan_templates}/database/sql/mysql.sql
|
2014-09-26 18:21:04 +02:00
|
|
|
%endif
|
|
|
|
%if ! %{with sqlite}
|
2020-01-30 16:50:32 +01:00
|
|
|
rm -f %{buildroot}/%{strongswan_templates}/database/sql/sqlite.sql
|
2014-09-26 18:21:04 +02:00
|
|
|
%endif
|
2020-01-30 16:50:32 +01:00
|
|
|
rm -f %{buildroot}/%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
|
|
|
|
rm -f %{buildroot}/%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
|
|
|
|
find %{buildroot}/%{strongswan_libdir} -type f -name "*.la" -delete
|
2007-12-13 04:49:24 +01:00
|
|
|
#
|
2020-01-30 16:50:32 +01:00
|
|
|
install -d -m755 %{buildroot}/%{strongswan_docdir}/
|
2012-10-31 17:08:08 +01:00
|
|
|
install -c -m644 TODO NEWS README COPYING LICENSE \
|
|
|
|
AUTHORS ChangeLog \
|
2020-01-30 16:50:32 +01:00
|
|
|
%{buildroot}/%{strongswan_docdir}/
|
|
|
|
install -c -m644 %{_sourcedir}/README.SUSE \
|
|
|
|
%{buildroot}/%{strongswan_docdir}/
|
|
|
|
install -d -m 0755 %{buildroot}%{_tmpfilesdir}
|
2014-06-27 10:04:24 +02:00
|
|
|
echo 'd %{_rundir}/%{name} 0770 root root' > %{buildroot}%{_tmpfilesdir}/%{name}.conf
|
2014-11-21 16:23:47 +01:00
|
|
|
%if %{with fipscheck}
|
2014-11-21 13:01:59 +01:00
|
|
|
#
|
|
|
|
# note: keep the following, _fipscheck's and file lists in sync
|
|
|
|
#
|
2020-01-30 16:50:32 +01:00
|
|
|
install -c -m750 _fipscheck %{buildroot}/%{_libexecdir}/ipsec/
|
|
|
|
install -c -m644 %{_sourcedir}/fips-enforce.conf \
|
2023-01-03 14:25:43 +01:00
|
|
|
%{buildroot}/%{strongswan_configs}/charon/zzz_fips-enforce.conf
|
2020-09-02 00:39:10 +02:00
|
|
|
# disable bypass-lan plugin by default
|
|
|
|
sed -i 's/\(load[ ]*=[ ]*\)yes/\1no/g' %{buildroot}/%{strongswan_configs}/charon/bypass-lan.conf
|
2014-11-21 13:01:59 +01:00
|
|
|
# create fips hmac hashes _after_ install post run
|
|
|
|
%{expand:%%global __os_install_post {%__os_install_post
|
2020-01-30 16:50:32 +01:00
|
|
|
for f in %{buildroot}/%{strongswan_libdir}/lib*.so.*.*.* \
|
|
|
|
%{buildroot}/%{strongswan_libdir}/imcvs/*.so \
|
|
|
|
%{buildroot}/%{strongswan_plugins}/*.so \
|
|
|
|
%{buildroot}/%{_libexecdir}/ipsec/charon \
|
|
|
|
%{buildroot}/%{_libexecdir}/ipsec/charon-nm \
|
|
|
|
%{buildroot}/%{_libexecdir}/ipsec/stroke \
|
|
|
|
%{buildroot}/%{_libexecdir}/ipsec/starter \
|
|
|
|
%{buildroot}/%{_libexecdir}/ipsec/pool \
|
|
|
|
%{buildroot}/%{_libexecdir}/ipsec/imv_policy_manager \
|
|
|
|
%{buildroot}/%{_libexecdir}/ipsec/_fipscheck \
|
|
|
|
%{buildroot}/%{_bindir}/pt-tls-client \
|
|
|
|
%{buildroot}/%{_sbindir}/ipsec \
|
2014-11-21 13:01:59 +01:00
|
|
|
;
|
|
|
|
do
|
|
|
|
/usr/bin/fipshmac "$f"
|
|
|
|
done
|
|
|
|
}}
|
2014-11-21 16:23:47 +01:00
|
|
|
%endif
|
2010-05-31 18:22:37 +02:00
|
|
|
|
2014-09-26 18:21:04 +02:00
|
|
|
%post libs0
|
|
|
|
/sbin/ldconfig
|
2014-09-26 19:17:56 +02:00
|
|
|
%{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/%{name}.conf}
|
2020-01-30 16:50:32 +01:00
|
|
|
%{!?tmpfiles_create:test -d %{_rundir}/%{name} || mkdir -p %{_rundir}/%{name}}
|
2014-06-27 10:04:24 +02:00
|
|
|
|
|
|
|
%postun libs0 -p /sbin/ldconfig
|
|
|
|
|
2020-09-07 10:40:36 +02:00
|
|
|
%pre ipsec
|
2023-04-05 02:16:41 +02:00
|
|
|
%service_add_pre %{name}-starter.service
|
2010-05-31 18:22:37 +02:00
|
|
|
|
2020-09-07 10:40:36 +02:00
|
|
|
%post ipsec
|
2023-04-05 02:16:41 +02:00
|
|
|
# Following code does the migration from strongwan.service (ver < 5.8.0) to
|
|
|
|
# strongswan-starter.service (ver >= 5.8.0) during update. The systemd service
|
|
|
|
# units have been renamed. The modern unit, which was called strongswan-swanctl,
|
|
|
|
# is now called strongswan (the previous name is configured as alias in the unit,
|
|
|
|
# for which a symlink is created when the unit is enabled). The legacy unit is now
|
|
|
|
# called strongswan-starter.
|
|
|
|
_ipsec_active=`/usr/bin/systemctl is-active %{name}-starter.service 2>/dev/null` || :
|
|
|
|
_swanctl_active=`/usr/bin/systemctl is-active %{name}.service 2>/dev/null` || :
|
|
|
|
_ipsec_enable=`/usr/bin/systemctl is-enabled %{name}-starter.service 2>/dev/null` || :
|
|
|
|
_swanctl_enable=`/usr/bin/systemctl is-enabled %{name}.service 2>/dev/null` || :
|
|
|
|
if [[ "$_swanctl_enable" == "enabled" || "$_swanctl_active" == "active" ]]; then
|
|
|
|
/usr/bin/systemctl disable --now %{name}.service || :
|
|
|
|
/usr/bin/systemctl mask %{name}.service || :
|
|
|
|
fi
|
|
|
|
if [[ "$_swanctl_enable" == "enabled" || "$_ipsec_enable" == "enabled" ]]; then
|
|
|
|
/usr/bin/systemctl daemon-reload
|
|
|
|
/usr/bin/systemctl enable %{name}-starter.service || :
|
|
|
|
fi
|
|
|
|
if [[ "$_swanctl_active" == "active" || "$_ipsec_active" == "active" ]]; then
|
|
|
|
/usr/bin/systemctl start %{name}-starter.service || :
|
|
|
|
fi
|
2007-12-13 04:49:24 +01:00
|
|
|
|
2010-05-31 18:22:37 +02:00
|
|
|
%preun ipsec
|
2023-04-05 02:16:41 +02:00
|
|
|
%service_del_preun %{name}-starter.service
|
2012-10-30 18:16:52 +01:00
|
|
|
if test -s %{_sysconfdir}/ipsec.secrets.rpmsave ; then
|
|
|
|
cp -p --backup=numbered %{_sysconfdir}/ipsec.secrets.rpmsave \
|
|
|
|
%{_sysconfdir}/ipsec.secrets.rpmsave.old
|
2007-12-13 04:49:24 +01:00
|
|
|
fi
|
2012-10-30 18:16:52 +01:00
|
|
|
if test -s %{_sysconfdir}/ipsec.conf.rpmsave ; then
|
|
|
|
cp -p --backup=numbered %{_sysconfdir}/ipsec.conf.rpmsave \
|
|
|
|
%{_sysconfdir}/ipsec.conf.rpmsave.old
|
2007-12-13 04:49:24 +01:00
|
|
|
fi
|
|
|
|
|
2020-09-07 10:40:36 +02:00
|
|
|
%postun ipsec
|
2023-04-05 02:16:41 +02:00
|
|
|
%service_del_postun %{name}-starter.service
|
2007-12-13 04:49:24 +01:00
|
|
|
|
|
|
|
%files
|
2010-05-31 18:22:37 +02:00
|
|
|
%dir %{strongswan_docdir}
|
|
|
|
%{strongswan_docdir}/README.SUSE
|
|
|
|
|
2014-11-21 16:23:47 +01:00
|
|
|
%if %{with fipscheck}
|
|
|
|
|
2014-09-26 18:21:04 +02:00
|
|
|
%files hmac
|
2014-11-21 13:01:59 +01:00
|
|
|
%dir %{strongswan_configs}
|
|
|
|
%dir %{strongswan_configs}/charon
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/zzz_fips-enforce.conf
|
|
|
|
%dir %{strongswan_libdir}
|
|
|
|
%{strongswan_libdir}/.*.hmac
|
|
|
|
%{strongswan_libdir}/imcvs/.*.hmac
|
|
|
|
%dir %{strongswan_plugins}
|
|
|
|
%{strongswan_plugins}/.*.hmac
|
|
|
|
%dir %{_libexecdir}/ipsec
|
|
|
|
%{_libexecdir}/ipsec/_fipscheck
|
|
|
|
%{_libexecdir}/ipsec/.*.hmac
|
|
|
|
%{_sbindir}/.ipsec.hmac
|
2017-09-05 17:38:01 +02:00
|
|
|
%{_bindir}/.pt-tls-client.hmac
|
2014-11-21 16:23:47 +01:00
|
|
|
%endif
|
|
|
|
|
2010-05-31 18:22:37 +02:00
|
|
|
%files ipsec
|
2007-12-13 04:49:24 +01:00
|
|
|
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.secrets
|
2017-08-01 09:21:05 +02:00
|
|
|
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/swanctl/swanctl.conf
|
|
|
|
%dir %{_sysconfdir}/swanctl
|
2007-12-13 04:49:24 +01:00
|
|
|
%dir %{_sysconfdir}/ipsec.d
|
|
|
|
%dir %{_sysconfdir}/ipsec.d/crls
|
|
|
|
%dir %{_sysconfdir}/ipsec.d/reqs
|
|
|
|
%dir %{_sysconfdir}/ipsec.d/certs
|
|
|
|
%dir %{_sysconfdir}/ipsec.d/acerts
|
|
|
|
%dir %{_sysconfdir}/ipsec.d/aacerts
|
|
|
|
%dir %{_sysconfdir}/ipsec.d/cacerts
|
|
|
|
%dir %{_sysconfdir}/ipsec.d/ocspcerts
|
|
|
|
%dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
|
2020-01-30 16:50:32 +01:00
|
|
|
%{_unitdir}/strongswan-starter.service
|
2012-11-17 11:53:37 +01:00
|
|
|
%{_unitdir}/strongswan.service
|
2014-09-26 18:21:04 +02:00
|
|
|
%{_sbindir}/rcstrongswan
|
2023-04-05 02:16:41 +02:00
|
|
|
%{_sbindir}/rcstrongswan-starter
|
2020-01-30 16:50:32 +01:00
|
|
|
%{_sbindir}/charon-systemd
|
2007-12-13 04:49:24 +01:00
|
|
|
%{_sbindir}/rcipsec
|
2013-11-01 13:47:59 +01:00
|
|
|
%{_bindir}/pki
|
2017-09-05 17:38:01 +02:00
|
|
|
%{_bindir}/pt-tls-client
|
2021-11-22 21:53:44 +01:00
|
|
|
%{_bindir}/tpm_extendpcr
|
2007-12-13 04:49:24 +01:00
|
|
|
%{_sbindir}/ipsec
|
2017-08-01 09:21:05 +02:00
|
|
|
%{_sbindir}/swanctl
|
2013-11-01 13:47:59 +01:00
|
|
|
%{_mandir}/man1/pki*.1*
|
2017-09-05 17:38:01 +02:00
|
|
|
%{_mandir}/man1/pt-tls-client.1*
|
2010-05-31 18:22:37 +02:00
|
|
|
%{_mandir}/man8/ipsec.8*
|
2007-12-13 04:49:24 +01:00
|
|
|
%{_mandir}/man5/ipsec.conf.5*
|
|
|
|
%{_mandir}/man5/ipsec.secrets.5*
|
- Updated to strongSwan 4.5.0 release, changes since 4.4.1 are:
* IMPORTANT: the default keyexchange mode 'ike' is changing with
release 4.5 from 'ikev1' to 'ikev2', thus commemorating the five
year anniversary of the IKEv2 RFC 4306 and its mature successor
RFC 5996. The time has definitively come for IKEv1 to go into
retirement and to cede its place to the much more robust, powerful
and versatile IKEv2 protocol!
* Added new ctr, ccm and gcm plugins providing Counter, Counter
with CBC-MAC and Galois/Counter Modes based on existing CBC
implementations. These new plugins bring support for AES and
Camellia Counter and CCM algorithms and the AES GCM algorithms
for use in IKEv2.
* The new pkcs11 plugin brings full Smartcard support to the IKEv2
daemon and the pki utility using one or more PKCS#11 libraries. It
currently supports RSA private and public key operations and loads
X.509 certificates from tokens.
* Implemented a general purpose TLS stack based on crypto and
credential primitives of libstrongswan. libtls supports TLS
versions 1.0, 1.1 and 1.2, ECDHE-ECDSA/RSA, DHE-RSA and RSA key
exchange algorithms and RSA/ECDSA based client authentication.
* Based on libtls, the eap-tls plugin brings certificate based EAP
authentication for client and server. It is compatible to Windows
7 IKEv2 Smartcard authentication and the OpenSSL based FreeRADIUS
EAP-TLS backend.
* Implemented the TNCCS 1.1 Trusted Network Connect protocol using
the libtnc library on the strongSwan client and server side via
the tnccs_11 plugin and optionally connecting to a TNC@FHH-enhanced
FreeRADIUS AAA server. Depending on the resulting TNC Recommendation,
strongSwan clients are granted access to a network behind a
strongSwan gateway (allow), are put into a remediation zone (isolate)
or are blocked (none), respectively.
Any number of Integrity Measurement Collector/Verifier pairs can be
attached via the tnc-imc and tnc-imv charon plugins.
* The IKEv1 daemon pluto now uses the same kernel interfaces as the
IKEv2 daemon charon. As a result of this, pluto now supports xfrm
marks which were introduced in charon with 4.4.1.
* The RADIUS plugin eap-radius now supports multiple RADIUS servers
for redundant setups. Servers are selected by a defined priority,
server load and availability.
* The simple led plugin controls hardware LEDs through the Linux LED
subsystem. It currently shows activity of the IKE daemon and is a
good example how to implement a simple event listener.
* Improved MOBIKE behavior in several corner cases, for instance,
if the initial responder moves to a different address.
* Fixed left-/rightnexthop option, which was broken since 4.4.0.
* Fixed a bug not releasing a virtual IP address to a pool if the
XAUTH identity was different from the IKE identity.
* Fixed the alignment of ModeConfig messages on 4-byte boundaries
in the case where the attributes are not a multiple of 4 bytes
(e.g. Cisco's UNITY_BANNER).
* Fixed the interoperability of the socket_raw and socket_default
charon plugins.
* Added man page for strongswan.conf
- Adopted spec file, removed obsolete error range patch.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=20
2010-11-16 13:10:30 +01:00
|
|
|
%{_mandir}/man5/strongswan.conf.5*
|
2010-05-31 18:22:37 +02:00
|
|
|
%dir %{_libexecdir}/ipsec
|
|
|
|
%{_libexecdir}/ipsec/_updown
|
2014-09-26 18:21:04 +02:00
|
|
|
%if %{with test}
|
2012-10-30 18:16:52 +01:00
|
|
|
%{_libexecdir}/ipsec/conftest
|
2014-09-26 18:21:04 +02:00
|
|
|
%endif
|
2020-01-30 16:50:32 +01:00
|
|
|
%{_libexecdir}/ipsec/xfrmi
|
2012-10-30 18:16:52 +01:00
|
|
|
%{_libexecdir}/ipsec/duplicheck
|
|
|
|
%{_libexecdir}/ipsec/pool
|
2010-05-31 18:22:37 +02:00
|
|
|
%{_libexecdir}/ipsec/starter
|
|
|
|
%{_libexecdir}/ipsec/stroke
|
2012-10-31 17:08:08 +01:00
|
|
|
%{_libexecdir}/ipsec/charon
|
2013-08-05 16:58:33 +02:00
|
|
|
%{_libexecdir}/ipsec/_imv_policy
|
|
|
|
%{_libexecdir}/ipsec/imv_policy_manager
|
2010-05-31 18:22:37 +02:00
|
|
|
%dir %{strongswan_plugins}
|
2020-01-30 16:50:32 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-drbg.so
|
2010-05-31 18:22:37 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-stroke.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-updown.so
|
|
|
|
|
2007-12-13 04:49:24 +01:00
|
|
|
%files doc
|
|
|
|
%dir %{strongswan_docdir}
|
2012-10-31 17:08:08 +01:00
|
|
|
%{strongswan_docdir}/TODO
|
|
|
|
%{strongswan_docdir}/NEWS
|
|
|
|
%{strongswan_docdir}/README
|
|
|
|
%{strongswan_docdir}/COPYING
|
|
|
|
%{strongswan_docdir}/LICENSE
|
|
|
|
%{strongswan_docdir}/AUTHORS
|
|
|
|
%{strongswan_docdir}/ChangeLog
|
2017-08-01 09:21:05 +02:00
|
|
|
%{_mandir}/man5/swanctl.conf.5.*
|
|
|
|
%{_mandir}/man8/swanctl.8.*
|
2008-02-19 14:17:02 +01:00
|
|
|
|
2010-05-31 18:22:37 +02:00
|
|
|
%files libs0
|
2014-09-26 18:21:04 +02:00
|
|
|
%{_tmpfilesdir}/%{name}.conf
|
2010-05-31 18:22:37 +02:00
|
|
|
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf
|
2014-04-14 09:44:26 +02:00
|
|
|
%dir %{strongswan_configs}
|
|
|
|
%dir %{strongswan_configs}/charon
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf
|
2020-01-30 16:50:32 +01:00
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-systemd.conf
|
2014-04-14 09:44:26 +02:00
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf
|
2015-01-05 15:41:37 +01:00
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf
|
2014-04-14 09:44:26 +02:00
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pool.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/starter.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/tnc.conf
|
2017-08-01 09:21:05 +02:00
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf
|
2014-04-14 09:44:26 +02:00
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
|
2020-01-30 16:50:32 +01:00
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/counters.conf
|
2017-08-01 09:21:05 +02:00
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf
|
2020-01-30 16:50:32 +01:00
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/drbg.conf
|
2017-08-01 09:21:05 +02:00
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf
|
2014-09-26 18:21:04 +02:00
|
|
|
%if %{with afalg}
|
2014-04-14 09:44:26 +02:00
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/af-alg.conf
|
2014-09-26 18:21:04 +02:00
|
|
|
%endif
|
2014-04-14 09:44:26 +02:00
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/agent.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/attr.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/attr-sql.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/blowfish.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ccm.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/certexpire.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/cmac.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/constraints.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/coupling.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ctr.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curl.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/des.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/dhcp.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/dnskey.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/duplicheck.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-aka-3gpp2.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-aka.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-dynamic.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-gtc.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-identity.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-md5.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-mschapv2.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-peap.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-radius.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-simaka-pseudonym.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-simaka-reauth.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-simaka-sql.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-sim.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-sim-file.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-sim-pcsc.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-tls.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-tnc.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-ttls.conf
|
2014-09-26 18:21:04 +02:00
|
|
|
%if %{with farp}
|
2014-04-14 09:44:26 +02:00
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/farp.conf
|
2014-09-26 18:21:04 +02:00
|
|
|
%endif
|
2014-04-14 09:44:26 +02:00
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/fips-prf.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gcm.conf
|
2014-09-26 18:21:04 +02:00
|
|
|
%if %{with gcrypt}
|
2014-04-14 09:44:26 +02:00
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gcrypt.conf
|
2014-09-26 18:21:04 +02:00
|
|
|
%endif
|
2014-04-14 09:44:26 +02:00
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gmp.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ha.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/hmac.conf
|
2022-03-09 19:30:05 +01:00
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kdf.conf
|
2014-04-14 09:44:26 +02:00
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kernel-netlink.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ldap.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf
|
2020-01-30 16:50:32 +01:00
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mgf1.conf
|
2014-04-14 09:44:26 +02:00
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pgp.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs11.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs12.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs1.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs7.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs8.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pubkey.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/radattr.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/random.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/rc2.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/resolve.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/revocation.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sha1.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sha2.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/smp.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/socket-default.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/soup.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sql.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sshkey.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/stroke.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-11.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-20.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-dynamic.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-imc.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-imv.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-pdp.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-tnccs.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/unity.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/updown.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/x509.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xauth-eap.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xauth-generic.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xauth-pam.conf
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xcbc.conf
|
2020-09-01 17:38:16 +02:00
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/bypass-lan.conf
|
2011-09-08 18:07:15 +02:00
|
|
|
%dir %{strongswan_libdir}
|
2014-11-21 13:01:59 +01:00
|
|
|
%if %{with integrity}
|
2011-09-08 18:07:15 +02:00
|
|
|
%{strongswan_libdir}/libchecksum.so
|
2014-11-21 13:01:59 +01:00
|
|
|
%endif
|
2012-10-30 18:16:52 +01:00
|
|
|
%{strongswan_libdir}/libcharon.so.*
|
2017-08-01 09:21:05 +02:00
|
|
|
%{strongswan_libdir}/libtpmtss.so.*
|
|
|
|
%{strongswan_libdir}/libtpmtss.so
|
|
|
|
%{strongswan_libdir}/libvici.so
|
|
|
|
%{strongswan_libdir}/libvici.so.*
|
2013-04-30 15:10:58 +02:00
|
|
|
%{strongswan_libdir}/libpttls.so.*
|
2012-10-30 18:16:52 +01:00
|
|
|
%{strongswan_libdir}/libradius.so.*
|
|
|
|
%{strongswan_libdir}/libsimaka.so.*
|
|
|
|
%{strongswan_libdir}/libstrongswan.so.*
|
|
|
|
%{strongswan_libdir}/libtls.so.*
|
|
|
|
%{strongswan_libdir}/libtnccs.so.*
|
2012-10-31 17:08:08 +01:00
|
|
|
%{strongswan_libdir}/libimcv.so.*
|
|
|
|
%dir %{strongswan_libdir}/imcvs
|
|
|
|
%{strongswan_libdir}/imcvs/imc-scanner.so
|
|
|
|
%{strongswan_libdir}/imcvs/imc-test.so
|
|
|
|
%{strongswan_libdir}/imcvs/imv-scanner.so
|
|
|
|
%{strongswan_libdir}/imcvs/imv-test.so
|
2010-05-31 18:22:37 +02:00
|
|
|
%dir %{strongswan_plugins}
|
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
* Support of xfrm marks in IPsec SAs and IPsec policies introduced
with the Linux 2.6.34 kernel.
For details see the example scenarios ikev2/nat-two-rw-mark,
ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
* The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
used in a user-specific updown script to set marks on inbound ESP
or ESP_IN_UDP packets.
* The openssl plugin now supports X.509 certificate and CRL functions.
* OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default.
Plase update manual load directives in strongswan.conf.
* RFC3779 ipAddrBlock constraint checking has been moved to the
addrblock plugin, disabled by default. Enable it and update manual
load directives in strongswan.conf, if required.
* The pki utility supports CRL generation using the --signcrl command.
* The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
* The major refactoring of the IKEv1 Mode Config functionality now
allows the transport and handling of any Mode Config attribute.
* The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are degraded by the
selection process.
* The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
* The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
EAP-AKA, reading triplets/quintuplets from an SQL database.
* The High Availability plugin now supports a HA enabled in-memory
address pool and Node reintegration without IKE_SA rekeying. The
latter allows clients without IKE_SA rekeying support to keep
connected during reintegration. Additionally, many other issues
have been fixed in the ha plugin.
* Fixed a potential remote code execution vulnerability resulting
from the misuse of snprintf(). The vulnerability is exploitable
by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
that are packaged into separate mysql,sqlite,tests sub packages.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-addrblock.so
|
2010-05-31 18:22:37 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-aes.so
|
2014-09-26 18:21:04 +02:00
|
|
|
%if %{with afalg}
|
2012-10-30 18:16:52 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-af-alg.so
|
2014-09-26 18:21:04 +02:00
|
|
|
%endif
|
2010-05-31 18:22:37 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-agent.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-attr.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-attr-sql.so
|
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
* Support of xfrm marks in IPsec SAs and IPsec policies introduced
with the Linux 2.6.34 kernel.
For details see the example scenarios ikev2/nat-two-rw-mark,
ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
* The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
used in a user-specific updown script to set marks on inbound ESP
or ESP_IN_UDP packets.
* The openssl plugin now supports X.509 certificate and CRL functions.
* OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default.
Plase update manual load directives in strongswan.conf.
* RFC3779 ipAddrBlock constraint checking has been moved to the
addrblock plugin, disabled by default. Enable it and update manual
load directives in strongswan.conf, if required.
* The pki utility supports CRL generation using the --signcrl command.
* The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
* The major refactoring of the IKEv1 Mode Config functionality now
allows the transport and handling of any Mode Config attribute.
* The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are degraded by the
selection process.
* The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
* The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
EAP-AKA, reading triplets/quintuplets from an SQL database.
* The High Availability plugin now supports a HA enabled in-memory
address pool and Node reintegration without IKE_SA rekeying. The
latter allows clients without IKE_SA rekeying support to keep
connected during reintegration. Additionally, many other issues
have been fixed in the ha plugin.
* Fixed a potential remote code execution vulnerability resulting
from the misuse of snprintf(). The vulnerability is exploitable
by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
that are packaged into separate mysql,sqlite,tests sub packages.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-blowfish.so
|
2012-10-30 18:16:52 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-ccm.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-certexpire.so
|
2012-05-10 12:02:51 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-cmac.so
|
2020-01-30 16:50:32 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-counters.so
|
2011-03-14 12:31:45 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-constraints.so
|
2012-10-30 18:16:52 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-coupling.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-ctr.so
|
2010-05-31 18:22:37 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-curl.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-des.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-dhcp.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-dnskey.so
|
2012-10-30 18:16:52 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-duplicheck.so
|
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
* Support of xfrm marks in IPsec SAs and IPsec policies introduced
with the Linux 2.6.34 kernel.
For details see the example scenarios ikev2/nat-two-rw-mark,
ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
* The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
used in a user-specific updown script to set marks on inbound ESP
or ESP_IN_UDP packets.
* The openssl plugin now supports X.509 certificate and CRL functions.
* OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default.
Plase update manual load directives in strongswan.conf.
* RFC3779 ipAddrBlock constraint checking has been moved to the
addrblock plugin, disabled by default. Enable it and update manual
load directives in strongswan.conf, if required.
* The pki utility supports CRL generation using the --signcrl command.
* The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
* The major refactoring of the IKEv1 Mode Config functionality now
allows the transport and handling of any Mode Config attribute.
* The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are degraded by the
selection process.
* The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
* The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
EAP-AKA, reading triplets/quintuplets from an SQL database.
* The High Availability plugin now supports a HA enabled in-memory
address pool and Node reintegration without IKE_SA rekeying. The
latter allows clients without IKE_SA rekeying support to keep
connected during reintegration. Additionally, many other issues
have been fixed in the ha plugin.
* Fixed a potential remote code execution vulnerability resulting
from the misuse of snprintf(). The vulnerability is exploitable
by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
that are packaged into separate mysql,sqlite,tests sub packages.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-eap-aka-3gpp2.so
|
2010-05-31 18:22:37 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-eap-aka.so
|
2012-10-30 18:16:52 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-eap-dynamic.so
|
2010-05-31 18:22:37 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-eap-gtc.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-eap-identity.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-eap-md5.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-eap-mschapv2.so
|
2012-10-30 18:16:52 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-eap-peap.so
|
2010-05-31 18:22:37 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-eap-radius.so
|
2012-10-30 18:16:52 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-eap-sim-file.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-eap-sim-pcsc.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-eap-sim.so
|
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
* Support of xfrm marks in IPsec SAs and IPsec policies introduced
with the Linux 2.6.34 kernel.
For details see the example scenarios ikev2/nat-two-rw-mark,
ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
* The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
used in a user-specific updown script to set marks on inbound ESP
or ESP_IN_UDP packets.
* The openssl plugin now supports X.509 certificate and CRL functions.
* OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default.
Plase update manual load directives in strongswan.conf.
* RFC3779 ipAddrBlock constraint checking has been moved to the
addrblock plugin, disabled by default. Enable it and update manual
load directives in strongswan.conf, if required.
* The pki utility supports CRL generation using the --signcrl command.
* The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
* The major refactoring of the IKEv1 Mode Config functionality now
allows the transport and handling of any Mode Config attribute.
* The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are degraded by the
selection process.
* The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
* The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
EAP-AKA, reading triplets/quintuplets from an SQL database.
* The High Availability plugin now supports a HA enabled in-memory
address pool and Node reintegration without IKE_SA rekeying. The
latter allows clients without IKE_SA rekeying support to keep
connected during reintegration. Additionally, many other issues
have been fixed in the ha plugin.
* Fixed a potential remote code execution vulnerability resulting
from the misuse of snprintf(). The vulnerability is exploitable
by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
that are packaged into separate mysql,sqlite,tests sub packages.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-eap-simaka-pseudonym.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-eap-simaka-reauth.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-eap-simaka-sql.so
|
2012-10-30 18:16:52 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-eap-tls.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-eap-tnc.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-eap-ttls.so
|
2014-09-26 18:21:04 +02:00
|
|
|
%if %{with farp}
|
2010-05-31 18:22:37 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-farp.so
|
2014-09-26 18:21:04 +02:00
|
|
|
%endif
|
2010-05-31 18:22:37 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-fips-prf.so
|
2012-10-30 18:16:52 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-gcm.so
|
2012-10-31 17:08:08 +01:00
|
|
|
%if %{with gcrypt}
|
2010-05-31 18:22:37 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-gcrypt.so
|
|
|
|
%endif
|
|
|
|
%{strongswan_plugins}/libstrongswan-gmp.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-ha.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-hmac.so
|
2022-03-09 19:30:05 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-kdf.so
|
2010-05-31 18:22:37 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-kernel-netlink.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-ldap.so
|
2012-10-30 18:16:52 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-led.so
|
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
* Support of xfrm marks in IPsec SAs and IPsec policies introduced
with the Linux 2.6.34 kernel.
For details see the example scenarios ikev2/nat-two-rw-mark,
ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
* The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
used in a user-specific updown script to set marks on inbound ESP
or ESP_IN_UDP packets.
* The openssl plugin now supports X.509 certificate and CRL functions.
* OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default.
Plase update manual load directives in strongswan.conf.
* RFC3779 ipAddrBlock constraint checking has been moved to the
addrblock plugin, disabled by default. Enable it and update manual
load directives in strongswan.conf, if required.
* The pki utility supports CRL generation using the --signcrl command.
* The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
* The major refactoring of the IKEv1 Mode Config functionality now
allows the transport and handling of any Mode Config attribute.
* The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are degraded by the
selection process.
* The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
* The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
EAP-AKA, reading triplets/quintuplets from an SQL database.
* The High Availability plugin now supports a HA enabled in-memory
address pool and Node reintegration without IKE_SA rekeying. The
latter allows clients without IKE_SA rekeying support to keep
connected during reintegration. Additionally, many other issues
have been fixed in the ha plugin.
* Fixed a potential remote code execution vulnerability resulting
from the misuse of snprintf(). The vulnerability is exploitable
by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
that are packaged into separate mysql,sqlite,tests sub packages.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-md4.so
|
2010-05-31 18:22:37 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-md5.so
|
2020-01-30 16:50:32 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-mgf1.so
|
2012-10-30 18:16:52 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-nonce.so
|
2010-05-31 18:22:37 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-openssl.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-pem.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-pgp.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-pkcs1.so
|
2012-10-30 18:16:52 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-pkcs11.so
|
2013-08-05 16:58:33 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-pkcs12.so
|
2013-04-30 15:10:58 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-pkcs7.so
|
2012-03-13 12:32:40 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-pkcs8.so
|
2010-05-31 18:22:37 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-pubkey.so
|
2012-10-30 18:16:52 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-radattr.so
|
2010-05-31 18:22:37 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-random.so
|
2013-08-05 16:58:33 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-rc2.so
|
2010-05-31 18:22:37 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-resolve.so
|
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
* Support of xfrm marks in IPsec SAs and IPsec policies introduced
with the Linux 2.6.34 kernel.
For details see the example scenarios ikev2/nat-two-rw-mark,
ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
* The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
used in a user-specific updown script to set marks on inbound ESP
or ESP_IN_UDP packets.
* The openssl plugin now supports X.509 certificate and CRL functions.
* OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default.
Plase update manual load directives in strongswan.conf.
* RFC3779 ipAddrBlock constraint checking has been moved to the
addrblock plugin, disabled by default. Enable it and update manual
load directives in strongswan.conf, if required.
* The pki utility supports CRL generation using the --signcrl command.
* The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
* The major refactoring of the IKEv1 Mode Config functionality now
allows the transport and handling of any Mode Config attribute.
* The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are degraded by the
selection process.
* The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
* The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
EAP-AKA, reading triplets/quintuplets from an SQL database.
* The High Availability plugin now supports a HA enabled in-memory
address pool and Node reintegration without IKE_SA rekeying. The
latter allows clients without IKE_SA rekeying support to keep
connected during reintegration. Additionally, many other issues
have been fixed in the ha plugin.
* Fixed a potential remote code execution vulnerability resulting
from the misuse of snprintf(). The vulnerability is exploitable
by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
that are packaged into separate mysql,sqlite,tests sub packages.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-revocation.so
|
2010-05-31 18:22:37 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-sha1.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-sha2.so
|
2012-10-30 18:16:52 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-smp.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-socket-default.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-soup.so
|
2010-05-31 18:22:37 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-sql.so
|
2013-08-05 16:58:33 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-sshkey.so
|
2012-10-31 17:08:08 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-tnc-imc.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-tnc-imv.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-tnc-pdp.so
|
2012-10-30 18:16:52 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-tnc-tnccs.so
|
2012-10-31 17:08:08 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-tnccs-11.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-tnccs-20.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-tnccs-dynamic.so
|
2012-10-30 18:16:52 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-unity.so
|
2010-05-31 18:22:37 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-x509.so
|
2012-10-30 18:16:52 +01:00
|
|
|
%{strongswan_plugins}/libstrongswan-xauth-eap.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-xauth-generic.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-xauth-pam.so
|
2010-05-31 18:22:37 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-xcbc.so
|
2017-08-01 09:21:05 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-curve25519.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-vici.so
|
2020-09-01 17:38:16 +02:00
|
|
|
%{strongswan_plugins}/libstrongswan-bypass-lan.so
|
2014-04-14 09:44:26 +02:00
|
|
|
%dir %{strongswan_datadir}
|
|
|
|
%dir %{strongswan_templates}
|
|
|
|
%dir %{strongswan_templates}/config
|
|
|
|
%dir %{strongswan_templates}/config/plugins
|
|
|
|
%dir %{strongswan_templates}/config/strongswan.d
|
|
|
|
%dir %{strongswan_templates}/database
|
|
|
|
%dir %{strongswan_templates}/database/imv
|
|
|
|
%dir %{strongswan_templates}/database/sql
|
|
|
|
%{strongswan_templates}/config/strongswan.conf
|
|
|
|
%{strongswan_templates}/config/plugins/addrblock.conf
|
|
|
|
%{strongswan_templates}/config/plugins/aes.conf
|
2014-09-26 18:21:04 +02:00
|
|
|
%if %{with afalg}
|
2014-04-14 09:44:26 +02:00
|
|
|
%{strongswan_templates}/config/plugins/af-alg.conf
|
2014-09-26 18:21:04 +02:00
|
|
|
%endif
|
2014-04-14 09:44:26 +02:00
|
|
|
%{strongswan_templates}/config/plugins/agent.conf
|
|
|
|
%{strongswan_templates}/config/plugins/attr-sql.conf
|
|
|
|
%{strongswan_templates}/config/plugins/attr.conf
|
|
|
|
%{strongswan_templates}/config/plugins/blowfish.conf
|
|
|
|
%{strongswan_templates}/config/plugins/ccm.conf
|
|
|
|
%{strongswan_templates}/config/plugins/certexpire.conf
|
|
|
|
%{strongswan_templates}/config/plugins/cmac.conf
|
2020-01-30 16:50:32 +01:00
|
|
|
%{strongswan_templates}/config/plugins/counters.conf
|
2014-04-14 09:44:26 +02:00
|
|
|
%{strongswan_templates}/config/plugins/constraints.conf
|
|
|
|
%{strongswan_templates}/config/plugins/coupling.conf
|
|
|
|
%{strongswan_templates}/config/plugins/ctr.conf
|
|
|
|
%{strongswan_templates}/config/plugins/curl.conf
|
|
|
|
%{strongswan_templates}/config/plugins/des.conf
|
|
|
|
%{strongswan_templates}/config/plugins/dhcp.conf
|
|
|
|
%{strongswan_templates}/config/plugins/dnskey.conf
|
2020-01-30 16:50:32 +01:00
|
|
|
%{strongswan_templates}/config/plugins/drbg.conf
|
2014-04-14 09:44:26 +02:00
|
|
|
%{strongswan_templates}/config/plugins/duplicheck.conf
|
|
|
|
%{strongswan_templates}/config/plugins/eap-aka-3gpp2.conf
|
|
|
|
%{strongswan_templates}/config/plugins/eap-aka.conf
|
|
|
|
%{strongswan_templates}/config/plugins/eap-dynamic.conf
|
|
|
|
%{strongswan_templates}/config/plugins/eap-gtc.conf
|
|
|
|
%{strongswan_templates}/config/plugins/eap-identity.conf
|
|
|
|
%{strongswan_templates}/config/plugins/eap-md5.conf
|
|
|
|
%{strongswan_templates}/config/plugins/eap-mschapv2.conf
|
|
|
|
%{strongswan_templates}/config/plugins/eap-peap.conf
|
|
|
|
%{strongswan_templates}/config/plugins/eap-radius.conf
|
|
|
|
%{strongswan_templates}/config/plugins/eap-sim-file.conf
|
|
|
|
%{strongswan_templates}/config/plugins/eap-sim-pcsc.conf
|
|
|
|
%{strongswan_templates}/config/plugins/eap-sim.conf
|
|
|
|
%{strongswan_templates}/config/plugins/eap-simaka-pseudonym.conf
|
|
|
|
%{strongswan_templates}/config/plugins/eap-simaka-reauth.conf
|
|
|
|
%{strongswan_templates}/config/plugins/eap-simaka-sql.conf
|
|
|
|
%{strongswan_templates}/config/plugins/eap-tls.conf
|
|
|
|
%{strongswan_templates}/config/plugins/eap-tnc.conf
|
|
|
|
%{strongswan_templates}/config/plugins/eap-ttls.conf
|
2014-09-26 18:21:04 +02:00
|
|
|
%if %{with farp}
|
2014-04-14 09:44:26 +02:00
|
|
|
%{strongswan_templates}/config/plugins/farp.conf
|
2014-09-26 18:21:04 +02:00
|
|
|
%endif
|
2014-04-14 09:44:26 +02:00
|
|
|
%{strongswan_templates}/config/plugins/fips-prf.conf
|
|
|
|
%{strongswan_templates}/config/plugins/gcm.conf
|
2014-09-26 18:21:04 +02:00
|
|
|
%if %{with gcrypt}
|
2014-04-14 09:44:26 +02:00
|
|
|
%{strongswan_templates}/config/plugins/gcrypt.conf
|
2014-09-26 18:21:04 +02:00
|
|
|
%endif
|
2014-04-14 09:44:26 +02:00
|
|
|
%{strongswan_templates}/config/plugins/gmp.conf
|
|
|
|
%{strongswan_templates}/config/plugins/ha.conf
|
|
|
|
%{strongswan_templates}/config/plugins/hmac.conf
|
2022-03-09 19:30:05 +01:00
|
|
|
%{strongswan_templates}/config/plugins/kdf.conf
|
2014-04-14 09:44:26 +02:00
|
|
|
%{strongswan_templates}/config/plugins/kernel-netlink.conf
|
|
|
|
%{strongswan_templates}/config/plugins/ldap.conf
|
|
|
|
%{strongswan_templates}/config/plugins/led.conf
|
|
|
|
%{strongswan_templates}/config/plugins/md4.conf
|
|
|
|
%{strongswan_templates}/config/plugins/md5.conf
|
2020-01-30 16:50:32 +01:00
|
|
|
%{strongswan_templates}/config/plugins/mgf1.conf
|
2014-04-14 09:44:26 +02:00
|
|
|
%{strongswan_templates}/config/plugins/nonce.conf
|
|
|
|
%{strongswan_templates}/config/plugins/openssl.conf
|
|
|
|
%{strongswan_templates}/config/plugins/pem.conf
|
|
|
|
%{strongswan_templates}/config/plugins/pgp.conf
|
|
|
|
%{strongswan_templates}/config/plugins/pkcs1.conf
|
|
|
|
%{strongswan_templates}/config/plugins/pkcs11.conf
|
|
|
|
%{strongswan_templates}/config/plugins/pkcs12.conf
|
|
|
|
%{strongswan_templates}/config/plugins/pkcs7.conf
|
|
|
|
%{strongswan_templates}/config/plugins/pkcs8.conf
|
|
|
|
%{strongswan_templates}/config/plugins/pubkey.conf
|
|
|
|
%{strongswan_templates}/config/plugins/radattr.conf
|
|
|
|
%{strongswan_templates}/config/plugins/random.conf
|
|
|
|
%{strongswan_templates}/config/plugins/rc2.conf
|
|
|
|
%{strongswan_templates}/config/plugins/resolve.conf
|
|
|
|
%{strongswan_templates}/config/plugins/revocation.conf
|
|
|
|
%{strongswan_templates}/config/plugins/sha1.conf
|
|
|
|
%{strongswan_templates}/config/plugins/sha2.conf
|
|
|
|
%{strongswan_templates}/config/plugins/smp.conf
|
|
|
|
%{strongswan_templates}/config/plugins/socket-default.conf
|
|
|
|
%{strongswan_templates}/config/plugins/soup.conf
|
|
|
|
%{strongswan_templates}/config/plugins/sql.conf
|
|
|
|
%{strongswan_templates}/config/plugins/sshkey.conf
|
|
|
|
%{strongswan_templates}/config/plugins/stroke.conf
|
|
|
|
%{strongswan_templates}/config/plugins/tnc-imc.conf
|
|
|
|
%{strongswan_templates}/config/plugins/tnc-imv.conf
|
|
|
|
%{strongswan_templates}/config/plugins/tnc-pdp.conf
|
|
|
|
%{strongswan_templates}/config/plugins/tnc-tnccs.conf
|
|
|
|
%{strongswan_templates}/config/plugins/tnccs-11.conf
|
|
|
|
%{strongswan_templates}/config/plugins/tnccs-20.conf
|
|
|
|
%{strongswan_templates}/config/plugins/tnccs-dynamic.conf
|
|
|
|
%{strongswan_templates}/config/plugins/unity.conf
|
|
|
|
%{strongswan_templates}/config/plugins/updown.conf
|
|
|
|
%{strongswan_templates}/config/plugins/x509.conf
|
|
|
|
%{strongswan_templates}/config/plugins/xauth-eap.conf
|
|
|
|
%{strongswan_templates}/config/plugins/xauth-generic.conf
|
|
|
|
%{strongswan_templates}/config/plugins/xauth-pam.conf
|
|
|
|
%{strongswan_templates}/config/plugins/xcbc.conf
|
2017-08-01 09:21:05 +02:00
|
|
|
%{strongswan_templates}/config/plugins/curve25519.conf
|
|
|
|
%{strongswan_templates}/config/plugins/vici.conf
|
2020-09-01 17:38:16 +02:00
|
|
|
%{strongswan_templates}/config/plugins/bypass-lan.conf
|
2020-01-30 16:50:32 +01:00
|
|
|
%{strongswan_templates}/config/strongswan.d/charon-systemd.conf
|
2014-04-14 09:44:26 +02:00
|
|
|
%{strongswan_templates}/config/strongswan.d/charon-logging.conf
|
|
|
|
%{strongswan_templates}/config/strongswan.d/charon.conf
|
|
|
|
%{strongswan_templates}/config/strongswan.d/imcv.conf
|
2015-01-05 15:41:37 +01:00
|
|
|
%{strongswan_templates}/config/strongswan.d/pki.conf
|
2014-04-14 09:44:26 +02:00
|
|
|
%{strongswan_templates}/config/strongswan.d/pool.conf
|
|
|
|
%{strongswan_templates}/config/strongswan.d/starter.conf
|
|
|
|
%{strongswan_templates}/config/strongswan.d/tnc.conf
|
2017-08-01 09:21:05 +02:00
|
|
|
%{strongswan_templates}/config/strongswan.d/swanctl.conf
|
2014-04-14 09:44:26 +02:00
|
|
|
%{strongswan_templates}/database/imv/data.sql
|
|
|
|
%{strongswan_templates}/database/imv/tables.sql
|
2010-05-31 18:22:37 +02:00
|
|
|
|
2012-10-31 17:08:08 +01:00
|
|
|
%if %{with nm}
|
2011-03-14 12:31:45 +01:00
|
|
|
|
2010-11-22 10:10:09 +01:00
|
|
|
%files nm
|
|
|
|
%dir %{_libexecdir}/ipsec
|
|
|
|
%dir %{strongswan_plugins}
|
2012-10-30 18:16:52 +01:00
|
|
|
%{_libexecdir}/ipsec/charon-nm
|
2020-02-17 21:41:20 +01:00
|
|
|
%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
|
2010-11-22 10:10:09 +01:00
|
|
|
%endif
|
|
|
|
|
2012-10-31 17:08:08 +01:00
|
|
|
%if %{with mysql}
|
2011-03-14 12:31:45 +01:00
|
|
|
|
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
* Support of xfrm marks in IPsec SAs and IPsec policies introduced
with the Linux 2.6.34 kernel.
For details see the example scenarios ikev2/nat-two-rw-mark,
ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
* The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
used in a user-specific updown script to set marks on inbound ESP
or ESP_IN_UDP packets.
* The openssl plugin now supports X.509 certificate and CRL functions.
* OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default.
Plase update manual load directives in strongswan.conf.
* RFC3779 ipAddrBlock constraint checking has been moved to the
addrblock plugin, disabled by default. Enable it and update manual
load directives in strongswan.conf, if required.
* The pki utility supports CRL generation using the --signcrl command.
* The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
* The major refactoring of the IKEv1 Mode Config functionality now
allows the transport and handling of any Mode Config attribute.
* The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are degraded by the
selection process.
* The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
* The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
EAP-AKA, reading triplets/quintuplets from an SQL database.
* The High Availability plugin now supports a HA enabled in-memory
address pool and Node reintegration without IKE_SA rekeying. The
latter allows clients without IKE_SA rekeying support to keep
connected during reintegration. Additionally, many other issues
have been fixed in the ha plugin.
* Fixed a potential remote code execution vulnerability resulting
from the misuse of snprintf(). The vulnerability is exploitable
by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
that are packaged into separate mysql,sqlite,tests sub packages.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
|
|
|
%files mysql
|
2014-04-14 09:44:26 +02:00
|
|
|
%dir %{strongswan_libdir}
|
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
* Support of xfrm marks in IPsec SAs and IPsec policies introduced
with the Linux 2.6.34 kernel.
For details see the example scenarios ikev2/nat-two-rw-mark,
ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
* The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
used in a user-specific updown script to set marks on inbound ESP
or ESP_IN_UDP packets.
* The openssl plugin now supports X.509 certificate and CRL functions.
* OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default.
Plase update manual load directives in strongswan.conf.
* RFC3779 ipAddrBlock constraint checking has been moved to the
addrblock plugin, disabled by default. Enable it and update manual
load directives in strongswan.conf, if required.
* The pki utility supports CRL generation using the --signcrl command.
* The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
* The major refactoring of the IKEv1 Mode Config functionality now
allows the transport and handling of any Mode Config attribute.
* The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are degraded by the
selection process.
* The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
* The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
EAP-AKA, reading triplets/quintuplets from an SQL database.
* The High Availability plugin now supports a HA enabled in-memory
address pool and Node reintegration without IKE_SA rekeying. The
latter allows clients without IKE_SA rekeying support to keep
connected during reintegration. Additionally, many other issues
have been fixed in the ha plugin.
* Fixed a potential remote code execution vulnerability resulting
from the misuse of snprintf(). The vulnerability is exploitable
by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
that are packaged into separate mysql,sqlite,tests sub packages.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
|
|
|
%dir %{strongswan_plugins}
|
|
|
|
%{strongswan_plugins}/libstrongswan-mysql.so
|
2014-04-14 09:44:26 +02:00
|
|
|
%dir %{strongswan_configs}
|
|
|
|
%dir %{strongswan_configs}/charon
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mysql.conf
|
|
|
|
%dir %{strongswan_datadir}
|
|
|
|
%dir %{strongswan_templates}
|
|
|
|
%dir %{strongswan_templates}/config
|
|
|
|
%dir %{strongswan_templates}/config/plugins
|
|
|
|
%dir %{strongswan_templates}/database
|
|
|
|
%dir %{strongswan_templates}/database/sql
|
|
|
|
%{strongswan_templates}/config/plugins/mysql.conf
|
2015-01-05 15:41:37 +01:00
|
|
|
%{strongswan_templates}/database/imv/tables-mysql.sql
|
2014-04-14 09:44:26 +02:00
|
|
|
%{strongswan_templates}/database/sql/mysql.sql
|
2010-11-22 10:10:09 +01:00
|
|
|
%endif
|
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
* Support of xfrm marks in IPsec SAs and IPsec policies introduced
with the Linux 2.6.34 kernel.
For details see the example scenarios ikev2/nat-two-rw-mark,
ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
* The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
used in a user-specific updown script to set marks on inbound ESP
or ESP_IN_UDP packets.
* The openssl plugin now supports X.509 certificate and CRL functions.
* OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default.
Plase update manual load directives in strongswan.conf.
* RFC3779 ipAddrBlock constraint checking has been moved to the
addrblock plugin, disabled by default. Enable it and update manual
load directives in strongswan.conf, if required.
* The pki utility supports CRL generation using the --signcrl command.
* The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
* The major refactoring of the IKEv1 Mode Config functionality now
allows the transport and handling of any Mode Config attribute.
* The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are degraded by the
selection process.
* The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
* The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
EAP-AKA, reading triplets/quintuplets from an SQL database.
* The High Availability plugin now supports a HA enabled in-memory
address pool and Node reintegration without IKE_SA rekeying. The
latter allows clients without IKE_SA rekeying support to keep
connected during reintegration. Additionally, many other issues
have been fixed in the ha plugin.
* Fixed a potential remote code execution vulnerability resulting
from the misuse of snprintf(). The vulnerability is exploitable
by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
that are packaged into separate mysql,sqlite,tests sub packages.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
|
|
|
|
2012-10-31 17:08:08 +01:00
|
|
|
%if %{with sqlite}
|
2011-03-14 12:31:45 +01:00
|
|
|
|
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
* Support of xfrm marks in IPsec SAs and IPsec policies introduced
with the Linux 2.6.34 kernel.
For details see the example scenarios ikev2/nat-two-rw-mark,
ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
* The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
used in a user-specific updown script to set marks on inbound ESP
or ESP_IN_UDP packets.
* The openssl plugin now supports X.509 certificate and CRL functions.
* OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default.
Plase update manual load directives in strongswan.conf.
* RFC3779 ipAddrBlock constraint checking has been moved to the
addrblock plugin, disabled by default. Enable it and update manual
load directives in strongswan.conf, if required.
* The pki utility supports CRL generation using the --signcrl command.
* The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
* The major refactoring of the IKEv1 Mode Config functionality now
allows the transport and handling of any Mode Config attribute.
* The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are degraded by the
selection process.
* The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
* The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
EAP-AKA, reading triplets/quintuplets from an SQL database.
* The High Availability plugin now supports a HA enabled in-memory
address pool and Node reintegration without IKE_SA rekeying. The
latter allows clients without IKE_SA rekeying support to keep
connected during reintegration. Additionally, many other issues
have been fixed in the ha plugin.
* Fixed a potential remote code execution vulnerability resulting
from the misuse of snprintf(). The vulnerability is exploitable
by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
that are packaged into separate mysql,sqlite,tests sub packages.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
|
|
|
%files sqlite
|
2014-04-14 09:44:26 +02:00
|
|
|
%dir %{strongswan_libdir}
|
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
* Support of xfrm marks in IPsec SAs and IPsec policies introduced
with the Linux 2.6.34 kernel.
For details see the example scenarios ikev2/nat-two-rw-mark,
ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
* The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
used in a user-specific updown script to set marks on inbound ESP
or ESP_IN_UDP packets.
* The openssl plugin now supports X.509 certificate and CRL functions.
* OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default.
Plase update manual load directives in strongswan.conf.
* RFC3779 ipAddrBlock constraint checking has been moved to the
addrblock plugin, disabled by default. Enable it and update manual
load directives in strongswan.conf, if required.
* The pki utility supports CRL generation using the --signcrl command.
* The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
* The major refactoring of the IKEv1 Mode Config functionality now
allows the transport and handling of any Mode Config attribute.
* The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are degraded by the
selection process.
* The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
* The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
EAP-AKA, reading triplets/quintuplets from an SQL database.
* The High Availability plugin now supports a HA enabled in-memory
address pool and Node reintegration without IKE_SA rekeying. The
latter allows clients without IKE_SA rekeying support to keep
connected during reintegration. Additionally, many other issues
have been fixed in the ha plugin.
* Fixed a potential remote code execution vulnerability resulting
from the misuse of snprintf(). The vulnerability is exploitable
by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
that are packaged into separate mysql,sqlite,tests sub packages.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
|
|
|
%dir %{strongswan_plugins}
|
|
|
|
%{strongswan_plugins}/libstrongswan-sqlite.so
|
2014-04-14 09:44:26 +02:00
|
|
|
%dir %{strongswan_configs}
|
|
|
|
%dir %{strongswan_configs}/charon
|
|
|
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sqlite.conf
|
|
|
|
%dir %{strongswan_datadir}
|
|
|
|
%dir %{strongswan_templates}
|
|
|
|
%dir %{strongswan_templates}/config
|
|
|
|
%dir %{strongswan_templates}/config/plugins
|
|
|
|
%dir %{strongswan_templates}/database
|
|
|
|
%dir %{strongswan_templates}/database/sql
|
|
|
|
%{strongswan_templates}/config/plugins/sqlite.conf
|
|
|
|
%{strongswan_templates}/database/sql/sqlite.sql
|
2010-08-10 13:47:44 +02:00
|
|
|
%endif
|
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
* Support of xfrm marks in IPsec SAs and IPsec policies introduced
with the Linux 2.6.34 kernel.
For details see the example scenarios ikev2/nat-two-rw-mark,
ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
* The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
used in a user-specific updown script to set marks on inbound ESP
or ESP_IN_UDP packets.
* The openssl plugin now supports X.509 certificate and CRL functions.
* OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default.
Plase update manual load directives in strongswan.conf.
* RFC3779 ipAddrBlock constraint checking has been moved to the
addrblock plugin, disabled by default. Enable it and update manual
load directives in strongswan.conf, if required.
* The pki utility supports CRL generation using the --signcrl command.
* The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
* The major refactoring of the IKEv1 Mode Config functionality now
allows the transport and handling of any Mode Config attribute.
* The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are degraded by the
selection process.
* The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
* The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
EAP-AKA, reading triplets/quintuplets from an SQL database.
* The High Availability plugin now supports a HA enabled in-memory
address pool and Node reintegration without IKE_SA rekeying. The
latter allows clients without IKE_SA rekeying support to keep
connected during reintegration. Additionally, many other issues
have been fixed in the ha plugin.
* Fixed a potential remote code execution vulnerability resulting
from the misuse of snprintf(). The vulnerability is exploitable
by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
that are packaged into separate mysql,sqlite,tests sub packages.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
|
|
|
|
2012-10-31 17:08:08 +01:00
|
|
|
%if %{with tests}
|
2011-03-14 12:31:45 +01:00
|
|
|
|
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
* Support of xfrm marks in IPsec SAs and IPsec policies introduced
with the Linux 2.6.34 kernel.
For details see the example scenarios ikev2/nat-two-rw-mark,
ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
* The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
used in a user-specific updown script to set marks on inbound ESP
or ESP_IN_UDP packets.
* The openssl plugin now supports X.509 certificate and CRL functions.
* OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default.
Plase update manual load directives in strongswan.conf.
* RFC3779 ipAddrBlock constraint checking has been moved to the
addrblock plugin, disabled by default. Enable it and update manual
load directives in strongswan.conf, if required.
* The pki utility supports CRL generation using the --signcrl command.
* The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
* The major refactoring of the IKEv1 Mode Config functionality now
allows the transport and handling of any Mode Config attribute.
* The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are degraded by the
selection process.
* The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
* The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
EAP-AKA, reading triplets/quintuplets from an SQL database.
* The High Availability plugin now supports a HA enabled in-memory
address pool and Node reintegration without IKE_SA rekeying. The
latter allows clients without IKE_SA rekeying support to keep
connected during reintegration. Additionally, many other issues
have been fixed in the ha plugin.
* Fixed a potential remote code execution vulnerability resulting
from the misuse of snprintf(). The vulnerability is exploitable
by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
that are packaged into separate mysql,sqlite,tests sub packages.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
|
|
|
%files tests
|
2014-11-21 13:01:59 +01:00
|
|
|
%dir %{strongswan_configs}
|
|
|
|
%dir %{strongswan_configs}/charon
|
|
|
|
%{strongswan_configs}/charon/load-tester.conf
|
|
|
|
%{strongswan_configs}/charon/test-vectors.conf
|
|
|
|
%dir %{strongswan_templates}
|
|
|
|
%dir %{strongswan_templates}/config
|
|
|
|
%dir %{strongswan_templates}/config/plugins
|
|
|
|
%{strongswan_templates}/config/plugins/load-tester.conf
|
|
|
|
%{strongswan_templates}/config/plugins/test-vectors.conf
|
|
|
|
%dir %{_libexecdir}/ipsec
|
|
|
|
%{_libexecdir}/ipsec/conftest
|
|
|
|
%{_libexecdir}/ipsec/load-tester
|
2014-04-14 09:44:26 +02:00
|
|
|
%dir %{strongswan_libdir}
|
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
* Support of xfrm marks in IPsec SAs and IPsec policies introduced
with the Linux 2.6.34 kernel.
For details see the example scenarios ikev2/nat-two-rw-mark,
ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
* The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
used in a user-specific updown script to set marks on inbound ESP
or ESP_IN_UDP packets.
* The openssl plugin now supports X.509 certificate and CRL functions.
* OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default.
Plase update manual load directives in strongswan.conf.
* RFC3779 ipAddrBlock constraint checking has been moved to the
addrblock plugin, disabled by default. Enable it and update manual
load directives in strongswan.conf, if required.
* The pki utility supports CRL generation using the --signcrl command.
* The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
* The major refactoring of the IKEv1 Mode Config functionality now
allows the transport and handling of any Mode Config attribute.
* The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are degraded by the
selection process.
* The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
* The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
EAP-AKA, reading triplets/quintuplets from an SQL database.
* The High Availability plugin now supports a HA enabled in-memory
address pool and Node reintegration without IKE_SA rekeying. The
latter allows clients without IKE_SA rekeying support to keep
connected during reintegration. Additionally, many other issues
have been fixed in the ha plugin.
* Fixed a potential remote code execution vulnerability resulting
from the misuse of snprintf(). The vulnerability is exploitable
by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
that are packaged into separate mysql,sqlite,tests sub packages.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
|
|
|
%dir %{strongswan_plugins}
|
|
|
|
%{strongswan_plugins}/libstrongswan-load-tester.so
|
|
|
|
%{strongswan_plugins}/libstrongswan-test-vectors.so
|
2010-11-22 10:10:09 +01:00
|
|
|
%endif
|
- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
* Support of xfrm marks in IPsec SAs and IPsec policies introduced
with the Linux 2.6.34 kernel.
For details see the example scenarios ikev2/nat-two-rw-mark,
ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
* The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
used in a user-specific updown script to set marks on inbound ESP
or ESP_IN_UDP packets.
* The openssl plugin now supports X.509 certificate and CRL functions.
* OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default.
Plase update manual load directives in strongswan.conf.
* RFC3779 ipAddrBlock constraint checking has been moved to the
addrblock plugin, disabled by default. Enable it and update manual
load directives in strongswan.conf, if required.
* The pki utility supports CRL generation using the --signcrl command.
* The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
* The major refactoring of the IKEv1 Mode Config functionality now
allows the transport and handling of any Mode Config attribute.
* The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are degraded by the
selection process.
* The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
* The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
EAP-AKA, reading triplets/quintuplets from an SQL database.
* The High Availability plugin now supports a HA enabled in-memory
address pool and Node reintegration without IKE_SA rekeying. The
latter allows clients without IKE_SA rekeying support to keep
connected during reintegration. Additionally, many other issues
have been fixed in the ha plugin.
* Fixed a potential remote code execution vulnerability resulting
from the misuse of snprintf(). The vulnerability is exploitable
by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
that are packaged into separate mysql,sqlite,tests sub packages.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18
2010-08-10 13:02:18 +02:00
|
|
|
|
2007-12-13 04:49:24 +01:00
|
|
|
%changelog
|