forked from pool/strongswan

- Updated to strongSwan 4.5.0 release, changes since 4.4.1 are:

  * IMPORTANT: the default keyexchange mode 'ike' is changing with
    release 4.5 from 'ikev1' to 'ikev2', thus commemorating the five
    year anniversary of the IKEv2 RFC 4306 and its mature successor
    RFC 5996. The time has definitively come for IKEv1 to go into
    retirement and to cede its place to the much more robust, powerful
    and versatile IKEv2 protocol!
  * Added new ctr, ccm and gcm plugins providing Counter, Counter
    with CBC-MAC and Galois/Counter Modes based on existing CBC
    implementations. These new plugins bring support for AES and
    Camellia Counter and CCM algorithms and the AES GCM algorithms
    for use in IKEv2.
  * The new pkcs11 plugin brings full Smartcard support to the IKEv2
    daemon and the pki utility using one or more PKCS#11 libraries. It
    currently supports RSA private and public key operations and loads
    X.509 certificates from tokens.
  * Implemented a general purpose TLS stack based on crypto and
    credential primitives of libstrongswan. libtls supports TLS
    versions 1.0, 1.1 and 1.2, ECDHE-ECDSA/RSA, DHE-RSA and RSA key
    exchange algorithms and RSA/ECDSA based client authentication.
  * Based on libtls, the eap-tls plugin brings certificate based EAP
    authentication for client and server. It is compatible with Windows
    7 IKEv2 Smartcard authentication and the OpenSSL based FreeRADIUS
    EAP-TLS backend.
  * Implemented the TNCCS 1.1 Trusted Network Connect protocol using
    the libtnc library on the strongSwan client and server side via
    the tnccs_11 plugin and optionally connecting to a TNC@FHH-enhanced
    FreeRADIUS AAA server. Depending on the resulting TNC Recommendation,
    strongSwan clients are granted access to a network behind a
    strongSwan gateway (allow), are put into a remediation zone (isolate)
    or are blocked (none), respectively.
    Any number of Integrity Measurement Collector/Verifier pairs can be
    attached via the tnc-imc and tnc-imv charon plugins.
  * The IKEv1 daemon pluto now uses the same kernel interfaces as the
    IKEv2 daemon charon. As a result of this, pluto now supports xfrm
    marks which were introduced in charon with 4.4.1.
  * The RADIUS plugin eap-radius now supports multiple RADIUS servers
    for redundant setups. Servers are selected by a defined priority,
    server load and availability.
  * The simple led plugin controls hardware LEDs through the Linux LED
    subsystem. It currently shows activity of the IKE daemon and is a
    good example of how to implement a simple event listener.
  * Improved MOBIKE behavior in several corner cases, for instance,
    if the initial responder moves to a different address.
  * Fixed left-/rightnexthop option, which was broken since 4.4.0.
  * Fixed a bug not releasing a virtual IP address to a pool if the
    XAUTH identity was different from the IKE identity.
  * Fixed the alignment of ModeConfig messages on 4-byte boundaries
    in the case where the attributes are not a multiple of 4 bytes
    (e.g. Cisco's UNITY_BANNER).
  * Fixed the interoperability of the socket_raw and socket_default
    charon plugins.
  * Added man page for strongswan.conf.
- Adopted spec file, removed obsolete error range patch.

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=20
Marius Tomaschewski 2010-11-16 12:10:30 +00:00 committed by Git OBS Bridge
parent eb65a0d190
commit 12e8dea6e7
9 changed files with 105 additions and 56 deletions

@ -1,14 +1,30 @@
Dear Customer,
this package does no provide any files any more, but triggers the
installation of both, IKEv1 (pluto) and IKEv2 (charon) daemons and
the traditional starter scripts inclusive of the /etc/init.d/ipsec
init script and /etc/ipsec.conf file.
please note, that the strongswan release 4.5 changes the keyexchange mode
to IKEv2 as default -- from strongswan-4.5.0/NEWS:
"[...]
IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
come for IKEv1 to go into retirement and to cede its place to the much more
robust, powerful and versatile IKEv2 protocol!
[...]"
There is a new strongswan-nm package with a NetworkManager plugin
to control the charon IKEv2 daemon through D-Bus, designed to work
using the NetworkManager-strongswan graphical user interface.
It does not depend on the traditional starter scripts, but on the
IKEv2 charon daemon and plugins only.
This requires adoption of either the "conn %default" or all other IKEv1
"conn" sections in the /etc/ipsec.conf to use explicit:
keyexchange=ikev1
The strongswan package does no provide any files any more, but triggers
the installation of both, IKEv1 (pluto) and IKEv2 (charon) daemons and the
traditional starter scripts inclusive of the /etc/init.d/ipsec init script
and /etc/ipsec.conf file.
There is a new strongswan-nm package with a NetworkManager plugin to
control the charon IKEv2 daemon through D-Bus, designed to work using the
NetworkManager-strongswan graphical user interface.
It does not depend on the traditional starter scripts, but on the IKEv2
charon daemon and plugins only.
Have a lot of fun...
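Review bot: the rewritten closing paragraph ("The strongswan package does no provide any files any more, but triggers ...") carries the typo over from the lines it replaces; make it "does not provide" and "including the /etc/init.d/ipsec init script" while touching it, and the new note should start "Please note that the strongswan release 4.5 ..." without the comma. On substance, the advice to add keyexchange=ikev1 to "conn %default" is only safe when every conn on the host is IKEv1: a %default value applies to all conn sections, so a gateway that also serves IKEv2 peers (the strongswan-nm and Windows 7 clients mentioned in this same file) must pin keyexchange in each IKEv1 conn instead, and the text should say which of the two alternatives fits which setup rather than offering them as equivalent. It is also worth stating the failure mode: a conn left at the default is treated as IKEv2 after the upgrade, so an IKEv1-only peer will no longer negotiate with it.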

@ -1,22 +0,0 @@
From 30d8e8d04d132e046a19b6a29439e6efb8ff3e06 Mon Sep 17 00:00:00 2001
From: Jiri Bohac <jbohac@suse.cz>
Date: Thu, 5 Aug 2010 17:13:38 +0200
Subject: [PATCH] fix error-type range in parsing of NOTIFY payloads
diff --git a/src/libcharon/sa/tasks/ike_init.c b/src/libcharon/sa/tasks/ike_init.c
index 38fb572..dd4a5f5 100644
--- a/src/libcharon/sa/tasks/ike_init.c
+++ b/src/libcharon/sa/tasks/ike_init.c
@@ -468,7 +468,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
}
default:
{
- if (type < 16383)
+ if (type <= 16383)
{
DBG1(DBG_IKE, "received %N notify error",
notify_type_names, type);
--
1.7.1
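Review bot: removing this patch matches "removed obsolete error range patch" in the commit message, but the message should name the upstream commit or release that carries the equivalent fix, because what it fixes is easy to lose in a version bump: the IKEv2 NOTIFY error-type range is 0 to 16383 (status types start at 16384), so "if (type < 16383)" misclassified type 16383 as a status notify, and the patch's "if (type <= 16383)" is the correct bound. Before merging, confirm that 4.5.0's src/libcharon/sa/tasks/ike_init.c has the inclusive comparison; if it does not, the patch needs rebasing rather than dropping.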

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2bee6fb9f43c251827f530cd629af1195a566cf99e9d0320c338f1497cbf99c2
size 2982652

@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)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=TTSf
-----END PGP SIGNATURE-----

strongswan-4.5.0.tar.bz2 Normal file
@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:108b0fbbf119011b24eb6ccabc3d9f8888f4036382dd3aad011dec04100ad559
size 3154064

@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)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=o5iz
-----END PGP SIGNATURE-----
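Review bot: the LFS pointer for the new strongswan-4.5.0.tar.bz2 records only sha256 108b0fbb... and size 3154064, and nothing in the diff shows what that hash was compared against. The detached signature added here is only a check if somebody actually ran it: verify strongswan-4.5.0.tar.bz2.sig against the strongSwan release key before accepting this hunk, and confirm the signing key is the same one that signed the 4.4.1 tarball whose .sig is removed above, so a swapped key would be noticed. Recording the key fingerprint in the .changes entry would make that check reproducible for the next update.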

@ -1,3 +1,61 @@
-------------------------------------------------------------------
Tue Nov 16 12:01:46 UTC 2010 - mt@suse.de
- Updated to strongSwan 4.5.0 release, changes since 4.4.1 are:
* IMPORTANT: the default keyexchange mode 'ike' is changing with
release 4.5 from 'ikev1' to 'ikev2', thus commemorating the five
year anniversary of the IKEv2 RFC 4306 and its mature successor
RFC 5996. The time has definitively come for IKEv1 to go into
retirement and to cede its place to the much more robust, powerful
and versatile IKEv2 protocol!
* Added new ctr, ccm and gcm plugins providing Counter, Counter
with CBC-MAC and Galois/Counter Modes based on existing CBC
implementations. These new plugins bring support for AES and
Camellia Counter and CCM algorithms and the AES GCM algorithms
for use in IKEv2.
* The new pkcs11 plugin brings full Smartcard support to the IKEv2
daemon and the pki utility using one or more PKCS#11 libraries. It
currently supports RSA private and public key operations and loads
X.509 certificates from tokens.
* Implemented a general purpose TLS stack based on crypto and
credential primitives of libstrongswan. libtls supports TLS
versions 1.0, 1.1 and 1.2, ECDHE-ECDSA/RSA, DHE-RSA and RSA key
exchange algorithms and RSA/ECDSA based client authentication.
* Based on libtls, the eap-tls plugin brings certificate based EAP
authentication for client and server. It is compatible to Windows
7 IKEv2 Smartcard authentication and the OpenSSL based FreeRADIUS
EAP-TLS backend.
* Implemented the TNCCS 1.1 Trusted Network Connect protocol using
the libtnc library on the strongSwan client and server side via
the tnccs_11 plugin and optionally connecting to a TNC@FHH-enhanced
FreeRADIUS AAA server. Depending on the resulting TNC Recommendation,
strongSwan clients are granted access to a network behind a
strongSwan gateway (allow), are put into a remediation zone (isolate)
or are blocked (none), respectively.
Any number of Integrity Measurement Collector/Verifier pairs can be
attached via the tnc-imc and tnc-imv charon plugins.
* The IKEv1 daemon pluto now uses the same kernel interfaces as the
IKEv2 daemon charon. As a result of this, pluto now supports xfrm
marks which were introduced in charon with 4.4.1.
* The RADIUS plugin eap-radius now supports multiple RADIUS servers
for redundant setups. Servers are selected by a defined priority,
server load and availability.
* The simple led plugin controls hardware LEDs through the Linux LED
subsystem. It currently shows activity of the IKE daemon and is a
good example how to implement a simple event listener.
* Improved MOBIKE behavior in several corner cases, for instance,
if the initial responder moves to a different address.
* Fixed left-/rightnexthop option, which was broken since 4.4.0.
* Fixed a bug not releasing a virtual IP address to a pool if the
XAUTH identity was different from the IKE identity.
* Fixed the alignment of ModeConfig messages on 4-byte boundaries
in the case where the attributes are not a multiple of 4 bytes
(e.g. Cisco's UNITY_BANNER).
* Fixed the interoperability of the socket_raw and socket_default
charon plugins.
* Added man page for strongswan.conf
- Adopted spec file, removed obsolete error range patch.
-------------------------------------------------------------------
Tue Aug 10 11:43:38 UTC 2010 - mt@suse.de
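Review bot: "Adopted spec file" in the last bullet presumably means "Adapted". The entry otherwise repeats the upstream NEWS text, which is fine, but the one packaging decision in this commit that is not upstream's, dropping --enable-socket-dynamic from the configure call and the socket-dynamic plugin from the file list (see the spec diff), is not mentioned at all; add a line for it so the missing plugin is explained to anyone diffing installed files between 4.4.1 and 4.5.0.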

@ -1,5 +1,5 @@
#
# spec file for package strongswan (Version 4.4.1)
# spec file for package strongswan (Version 4.5.0)
#
# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@ -19,10 +19,10 @@
Name: strongswan
%define upstream_version 4.4.1
%define upstream_version 4.5.0
%define strongswan_docdir %{_docdir}/%{name}
%define strongswan_plugins %{_libexecdir}/ipsec/plugins
Version: 4.4.1
Version: 4.5.0
Release: 0
License: GPLv2+
Group: Productivity/Networking/Security
@ -38,7 +38,6 @@ Source2: %{name}.init.in
Source3: %{name}-%{version}-rpmlintrc
Source4: README.SUSE
Patch1: %{name}_modprobe_syslog.patch
Patch2: %{name}-4.4.1-fix_notify_error_range.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: bison flex gmp-devel gperf pkg-config
BuildRequires: libcap-devel
@ -230,7 +229,6 @@ NetworkManager-strongswan graphical user interface.
%prep
%setup -q -n %{name}-%{upstream_version}
%patch1 -p0
%patch2 -p1
sed -e 's|@libexecdir@|%_libexecdir|g' \
< $RPM_SOURCE_DIR/strongswan.init.in \
> strongswan.init
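Review bot: Patch2 and its "%patch2 -p1" go away together, which is consistent, but Patch1 (%{name}_modprobe_syslog.patch) is still applied with "%patch1 -p0" to a tree whose pluto side was reworked in this release (the changelog says pluto now uses charon's kernel interfaces), and nothing here shows it was re-tested; a fuzz or offset warning from %patch is easy to miss in the build log, so confirm it still applies cleanly or refresh it in this commit.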
@ -271,7 +269,6 @@ export RPM_OPT_FLAGS CFLAGS
--enable-sql \
--enable-attr-sql \
--enable-addrblock \
--enable-socket-dynamic \
%if 0%{suse_version} >= 1110
--enable-gcrypt \
--enable-nm \
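Review bot: dropping "--enable-socket-dynamic" silently changes which socket plugins are built and shipped, and neither the commit message nor the .changes entry says why (the changelog only mentions the socket_raw/socket_default interoperability fix). If the plugin no longer exists in 4.5.0, say so; if it does, this is a functional regression for anyone relying on it. Either way the reason belongs in the .changes entry next to the version bump.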
@ -361,6 +358,7 @@ fi
%{_mandir}/man8/ipsec.8*
%{_mandir}/man5/ipsec.conf.5*
%{_mandir}/man5/ipsec.secrets.5*
%{_mandir}/man5/strongswan.conf.5*
%dir %{_libexecdir}/ipsec
%{_libexecdir}/ipsec/_updown
%{_libexecdir}/ipsec/_updown_espmark
@ -487,8 +485,7 @@ fi
%{strongswan_plugins}/libstrongswan-revocation.so
%{strongswan_plugins}/libstrongswan-sha1.so
%{strongswan_plugins}/libstrongswan-sha2.so
%{strongswan_plugins}/libstrongswan-socket-dynamic.so
%{strongswan_plugins}/libstrongswan-socket-raw.so
%{strongswan_plugins}/libstrongswan-socket*.so
%{strongswan_plugins}/libstrongswan-sql.so
%{strongswan_plugins}/libstrongswan-x509.so
%{strongswan_plugins}/libstrongswan-xauth.so
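Review bot: replacing the explicit libstrongswan-socket-dynamic.so and libstrongswan-socket-raw.so entries with the glob libstrongswan-socket*.so removes the check the %files list used to provide: rpmbuild no longer fails if a socket plugin unexpectedly disappears from or appears in the build, which is exactly the kind of change this commit makes by dropping --enable-socket-dynamic. List the plugins actually expected (the socket_default and socket_raw plugins named in the commit message) instead of the wildcard, so the file list keeps acting as a build check.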