From 27260ae183369c903cfc57ca9e12217fb687df75a825123dc2378d72d480f0e7 Mon Sep 17 00:00:00 2001
From: OBS User unknown
Date: Thu, 28 Aug 2008 10:57:23 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=6

---
 strongswan-4.2.1.dif | 22 -----
 strongswan-4.2.1.tar.bz2 | 3 -
 strongswan-4.2.1.tar.bz2.sig | 9 --
 ....1-rpmlintrc => strongswan-4.2.6-rpmlintrc | 0
 strongswan-4.2.6.dif | 11 +++
 strongswan-4.2.6.tar.bz2 | 3 +
 strongswan-4.2.6.tar.bz2.sig | 9 ++
 strongswan.changes | 64 ++++++++++++++
 strongswan.spec | 84 +++++++++++++++++--
 strongswan_crash_badcfg_reload.dif | 21 -----
 strongswan_old-caps-version.diff | 30 -------
 strongswan_update-dns-server.dif | 43 ++++++++++
 12 files changed, 205 insertions(+), 94 deletions(-)
 delete mode 100644 strongswan-4.2.1.dif
 delete mode 100644 strongswan-4.2.1.tar.bz2
 delete mode 100644 strongswan-4.2.1.tar.bz2.sig
 rename strongswan-4.2.1-rpmlintrc => strongswan-4.2.6-rpmlintrc (100%)
 create mode 100644 strongswan-4.2.6.dif
 create mode 100644 strongswan-4.2.6.tar.bz2
 create mode 100644 strongswan-4.2.6.tar.bz2.sig
 delete mode 100644 strongswan_crash_badcfg_reload.dif
 delete mode 100644 strongswan_old-caps-version.diff
 create mode 100644 strongswan_update-dns-server.dif

diff --git a/strongswan-4.2.1.dif b/strongswan-4.2.1.dif
deleted file mode 100644
index b26ac72..0000000
--- a/strongswan-4.2.1.dif
+++ /dev/null
@@ -1,22 +0,0 @@
---- src/charon/network/socket-raw.c
-+++ src/charon/network/socket-raw.c 2008/04/23 09:46:10
-@@ -16,6 +16,9 @@
- *
- * $Id: socket-raw.c 3589 2008-03-13 14:14:44Z martin $
- */
-+#ifndef _GNU_SOURCE
-+#define _GNU_SOURCE
-+#endif
- 
- #include 
- #include 
---- src/charon/plugins/stroke/stroke_cred.c
-+++ src/charon/plugins/stroke/stroke_cred.c 2008/04/23 09:05:26
-@@ -19,6 +19,7 @@
- #include "stroke_shared_key.h"
- 
- #include 
-+#include 
- 
- #include 
- #include 
diff --git a/strongswan-4.2.1.tar.bz2 b/strongswan-4.2.1.tar.bz2
deleted file mode 100644
index 03d30fb..0000000
--- a/strongswan-4.2.1.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:81203cad6e365ac4c5a8203103d75b44916d8f57167e914805000c78912a508f
-size 2346505
diff --git a/strongswan-4.2.1.tar.bz2.sig b/strongswan-4.2.1.tar.bz2.sig
deleted file mode 100644
index 2cb81ba..0000000
--- a/strongswan-4.2.1.tar.bz2.sig
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.6 (GNU/Linux)
-
-iQCVAwUASAmpYdYbDnNAmVNZAQLJYQP+Oa8Eqko/tzGdhHVtasGSdGj9S5gkeRqI
-69mHMB1zTqabicknP4UuZI50G0V6RgAOA18/zilkeuqRfeD9YmYaTnAX1sDFVDRC
-jgYUrSWlrsqaHk+WctShLO8WN88AIXzQZXPTjQ0rAyyhVpH3PKZliLtCQE9hGN1I
-p8qt8BTPwVs=
-=szkI
------END PGP SIGNATURE-----
diff --git a/strongswan-4.2.1-rpmlintrc b/strongswan-4.2.6-rpmlintrc
similarity index 100%
rename from strongswan-4.2.1-rpmlintrc
rename to strongswan-4.2.6-rpmlintrc
diff --git a/strongswan-4.2.6.dif b/strongswan-4.2.6.dif
new file mode 100644
index 0000000..f44b766
--- /dev/null
+++ b/strongswan-4.2.6.dif
@@ -0,0 +1,11 @@
+--- scripts/thread_analysis.c
++++ scripts/thread_analysis.c 2008/08/28 07:41:27
+@@ -102,7 +102,7 @@
+ fd = fopen(LOGFILE, "r");
+ if (!fd)
+ {
+- printf("could not open log file '%s'\n");
++ printf("could not open log file '%s'\n", LOGFILE);
+ return 1;
+ }
+ 
diff --git a/strongswan-4.2.6.tar.bz2 b/strongswan-4.2.6.tar.bz2
new file mode 100644
index 0000000..3087932
--- /dev/null
+++ b/strongswan-4.2.6.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:30e5acb5913882d1389b0133c3c3e9cfb5c2686058d56b7baf37c0740c0b6791
+size 2894019
diff --git a/strongswan-4.2.6.tar.bz2.sig b/strongswan-4.2.6.tar.bz2.sig
new file mode 100644
index 0000000..aa12617
--- /dev/null
+++ b/strongswan-4.2.6.tar.bz2.sig
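Review bot: The new patch file strongswan-4.2.6.dif begins directly at its `---` header with no text saying what it fixes or whether the fix was reported upstream; the same applies to the new strongswan_update-dns-server.dif later in this commit. patch(1) ignores text before the first `---` line, so a one-line header above it costs nothing, e.g. `Pass LOGFILE to printf: the '%s' conversion had no matching argument (undefined behaviour). Upstream status: <TODO>`. The function in scripts/thread_analysis.c that contains the changed printf starts and ends outside the hunk.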
@@ -0,0 +1,9 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.6 (GNU/Linux)
+
+iQCVAwUASLUlc9YbDnNAmVNZAQI4ZwP/TmmXOMo6lCUcLD2wJvZvotpCt6Tnrb1n
+4ZlUdZrqq2Br1A8t5CqTaqS+T5p3z+nvNU3x8GVTKtSDlPwbK+gGGXVdIrfGMv2O
+ToKjuiTU+ws4I74eFG5zjC1zAkavbH/P3zuTwwsZ2ahGWcCR+Wf3mmTH5pSauQM1
+doF73F0F0Ks=
+=qSNp
+-----END PGP SIGNATURE-----
diff --git a/strongswan.changes b/strongswan.changes
index 82f439f..aff20f3 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,67 @@
+-------------------------------------------------------------------
+Thu Aug 28 09:48:14 CEST 2008 - mt@suse.de
+
+- Updated to 4.2.6 release, fixing bugs and offering a lot of new
+ features comparing to the last version provided by this package.
+ Most important are:
+ * A NetworkManager plugin allows GUI-based configuration of
+ road-warrior clients in a simple way. It features X509 based
+ gateway authentication and EAP client authentication, tunnel
+ setup/teardown and storing passwords in the Gnome Keyring.
+ * A new EAP-GTC plugin implements draft-sheffer-ikev2-gtc-00.txt
+ and allows username/password authentication against any PAM
+ service on the gateway. The new EAP method interacts nicely with
+ the NetworkManager plugin and allows client authentication against
+ e.g. LDAP.
+ * Improved support for the EAP-Identity method. The new ipsec.conf
+ eap_identity parameter defines an additional identity to pass to
+ the server in EAP authentication.
+ * Fixed two multithreading deadlocks occurring when starting up
+ several hundred tunnels concurrently.
+ * Fixed the --enable-integrity-test configure option which
+ computes a SHA-1 checksum over the libstrongswan library.
+ * Consistent logging of IKE and CHILD SAs at the audit (AUD) level.
+ * Improved the performance of the SQL-based virtual IP address pool
+ by introducing an additional addresses table. The leases table
+ storing only history information has become optional and can be
+ disabled by setting charon.plugins.sql.lease_history = no in
+ strongswan.conf.
+ * The XFRM_STATE_AF_UNSPEC flag added to xfrm.h allows IPv4-over-IPv6
+ and IPv6-over-IPv4 tunnels with the 2.6.26 and later Linux kernels.
+ * management of different virtual IP pools for different network
+ interfaces have become possible.
+ * fixed a bug which prevented the assignment of more than 256
+ virtual IP addresses from a pool managed by an sql database.
+ * fixed a bug which did not delete own IPCOMP SAs in the kernel.
+ * The openssl plugin supports the elliptic curve Diffie-Hellman
+ groups 19, 20, 21, 25, and 26 and ECDSA authentication using
+ elliptic curve X.509 certificates.
+ * Fixed a bug in stroke which caused multiple charon threads to
+ close the file descriptors during packet transfers over the stroke
+ socket.
+ * ESP sequence numbers are now migrated in IPsec SA updates handled
+ by MOBIKE. Works only with Linux kernels >= 2.6.17.
+ * Fixed a number of minor bugs that where discovered during the 4th
+ IKEv2 interoperability workshop in San Antonio, TX.
+ * Plugins for libstrongswan and charon can optionally be loaded
+ according to a configuration in strongswan.conf. Most components
+ provide a "load = " option followed by a space separated list of
+ plugins to load. This allows e.g. the fallback from a hardware
+ crypto accelerator to to software-based crypto plugins.
+ * Charons SQL plugin has been extended by a virtual IP address pool.
+ Configurations with a rightsourceip=%poolname setting query a
+ SQLite or MySQL database for leases. The "ipsec pool" command helps
+ in administrating the pool database. See ipsec pool --help for the
+ available options
+ * The Authenticated Encryption Algorithms AES-CCM-8/12/16 and
+ AES-GCM-8/12/16 for ESP are now supported starting with the Linux
+ 2.6.25 kernel. The syntax is e.g. esp=aes128ccm12 or esp=aes256gcm16.
+- Added patch disabling direct modifications of resolv.conf; has to
+ be replaced by a netconfig call.
+- Added patch adding a missed file name argument in printf call in the
+ scripts/thread_analysis.c file -- resulting binary is not installed.
+- Removed obsolete patches crash_badcfg_reload and old-caps-version.
+
 -------------------------------------------------------------------
 Mon Jun 30 22:40:31 CEST 2008 - mt@suse.de
diff --git a/strongswan.spec b/strongswan.spec
index 7a69cd6..2eff870 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -1,10 +1,17 @@
 #
-# spec file for package strongswan (Version 4.2.1)
+# spec file for package strongswan (Version 4.2.6)
 #
 # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
-# This file and all modifications and additions to the pristine
-# package are under the same license as the package itself.
 #
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
@@ -12,10 +19,10 @@ Name: strongswan
-%define upstream_version 4.2.1
+%define upstream_version 4.2.6
 %define strongswan_docdir %{_docdir}/%{name}
-Version: 4.2.1
-Release: 16
+Version: 4.2.6
+Release: 1
 License: GPL v2 or later
 Group: Productivity/Networking/Security
 Summary: StrongSwan -- OpenSource IPsec-based VPN Solution
@@ -32,8 +39,7 @@ Source2: %{name}.init.in
 Source3: %{name}-%{version}-rpmlintrc
 Patch1: %{name}_modprobe_syslog.dif
 Patch2: %{name}-%{upstream_version}.dif
-Patch3: %{name}_crash_badcfg_reload.dif
-Patch4: %{name}_old-caps-version.diff
+Patch3: %{name}_update-dns-server.dif
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: bison flex gmp-devel gperf pkg-config
 %if 0%{?suse_version} >= 1030
@@ -131,7 +137,6 @@ Authors:
 %patch1 -p0
 %patch2 -p0
 %patch3 -p0
-%patch4 -p2
 sed -e 's|@libexecdir@|%_libexecdir|g' \
 < $RPM_SOURCE_DIR/strongswan.init.in \
 > strongswan.init
@@ -262,6 +267,67 @@ fi
 %{_mandir}/man8/starter.8*
 %changelog
+* Thu Aug 28 2008 mt@suse.de
+- Updated to 4.2.6 release, fixing bugs and offering a lot of new
+ features comparing to the last version provided by this package.
+ Most important are:
+ * A NetworkManager plugin allows GUI-based configuration of
+ road-warrior clients in a simple way. It features X509 based
+ gateway authentication and EAP client authentication, tunnel
+ setup/teardown and storing passwords in the Gnome Keyring.
+ * A new EAP-GTC plugin implements draft-sheffer-ikev2-gtc-00.txt
+ and allows username/password authentication against any PAM
+ service on the gateway. The new EAP method interacts nicely with
+ the NetworkManager plugin and allows client authentication against
+ e.g. LDAP.
+ * Improved support for the EAP-Identity method. The new ipsec.conf
+ eap_identity parameter defines an additional identity to pass to
+ the server in EAP authentication.
+ * Fixed two multithreading deadlocks occurring when starting up
+ several hundred tunnels concurrently.
+ * Fixed the --enable-integrity-test configure option which
+ computes a SHA-1 checksum over the libstrongswan library.
+ * Consistent logging of IKE and CHILD SAs at the audit (AUD) level.
+ * Improved the performance of the SQL-based virtual IP address pool
+ by introducing an additional addresses table. The leases table
+ storing only history information has become optional and can be
+ disabled by setting charon.plugins.sql.lease_history = no in
+ strongswan.conf.
+ * The XFRM_STATE_AF_UNSPEC flag added to xfrm.h allows IPv4-over-IPv6
+ and IPv6-over-IPv4 tunnels with the 2.6.26 and later Linux kernels.
+ * management of different virtual IP pools for different network
+ interfaces have become possible.
+ * fixed a bug which prevented the assignment of more than 256
+ virtual IP addresses from a pool managed by an sql database.
+ * fixed a bug which did not delete own IPCOMP SAs in the kernel.
+ * The openssl plugin supports the elliptic curve Diffie-Hellman
+ groups 19, 20, 21, 25, and 26 and ECDSA authentication using
+ elliptic curve X.509 certificates.
+ * Fixed a bug in stroke which caused multiple charon threads to
+ close the file descriptors during packet transfers over the stroke
+ socket.
+ * ESP sequence numbers are now migrated in IPsec SA updates handled
+ by MOBIKE. Works only with Linux kernels >= 2.6.17.
+ * Fixed a number of minor bugs that where discovered during the 4th
+ IKEv2 interoperability workshop in San Antonio, TX.
+ * Plugins for libstrongswan and charon can optionally be loaded
+ according to a configuration in strongswan.conf. Most components
+ provide a "load = " option followed by a space separated list of
+ plugins to load. This allows e.g. the fallback from a hardware
+ crypto accelerator to to software-based crypto plugins.
+ * Charons SQL plugin has been extended by a virtual IP address pool.
+ Configurations with a rightsourceip=%%poolname setting query a
+ SQLite or MySQL database for leases. The "ipsec pool" command helps
+ in administrating the pool database. See ipsec pool --help for the
+ available options
+ * The Authenticated Encryption Algorithms AES-CCM-8/12/16 and
+ AES-GCM-8/12/16 for ESP are now supported starting with the Linux
+ 2.6.25 kernel. The syntax is e.g. esp=aes128ccm12 or esp=aes256gcm16.
+- Added patch disabling direct modifications of resolv.conf; has to
+ be replaced by a netconfig call.
+- Added patch adding a missed file name argument in printf call in the
+ scripts/thread_analysis.c file -- resulting binary is not installed.
+- Removed obsolete patches crash_badcfg_reload and old-caps-version.
 * Tue Jul 01 2008 mt@suse.de
 - Added fix that explicitly enables version 1 linux capabilities on
 version 2 systems to aviod that the charon and pluto daemons
diff --git a/strongswan_crash_badcfg_reload.dif b/strongswan_crash_badcfg_reload.dif
deleted file mode 100644
index 4480567..0000000
--- a/strongswan_crash_badcfg_reload.dif
+++ /dev/null
@@ -1,21 +0,0 @@
---- src/starter/starter.c
-+++ src/starter/starter.c 2008/05/20 08:42:39
-@@ -390,7 +390,7 @@
- );
- new_cfg = confread_load(CONFIG_FILE);
- 
-- if (new_cfg->err + new_cfg->non_fatal_err == 0)
-+ if (new_cfg && new_cfg->err + new_cfg->non_fatal_err == 0)
- {
- /* Switch to new config. New conn will be loaded below */
- if (!starter_cmp_defaultroute(&new_cfg->defaultroute
-@@ -484,7 +484,8 @@
- else
- {
- plog("can't reload config file due to errors -- keeping old one");
-- confread_free(new_cfg);
-+ if(new_cfg)
-+ confread_free(new_cfg);
- }
- _action_ &= ~FLAG_ACTION_UPDATE;
- last_reload = time(NULL);
diff --git a/strongswan_old-caps-version.diff b/strongswan_old-caps-version.diff
deleted file mode 100644
index 1cb2b3d..0000000
--- a/strongswan_old-caps-version.diff
+++ /dev/null
@@ -1,30 +0,0 @@
-Index: /trunk/src/charon/daemon.c
-===================================================================
---- /trunk/src/charon/daemon.c (revision 3825)
-+++ /trunk/src/charon/daemon.c (revision 3908)
-@@ -267,5 +267,11 @@
- }
- 
-+ /* we use the old capset version for now. For systems with version 2
-+ * available, we specifiy version 1 excplicitly. */
-+#ifdef _LINUX_CAPABILITY_VERSION_1
-+ hdr.version = _LINUX_CAPABILITY_VERSION_1;
-+#else
- hdr.version = _LINUX_CAPABILITY_VERSION;
-+#endif
- hdr.pid = 0;
- data.inheritable = data.effective = data.permitted = keep;
-Index: /trunk/src/pluto/plutomain.c
-===================================================================
---- /trunk/src/pluto/plutomain.c (revision 3253)
-+++ /trunk/src/pluto/plutomain.c (revision 3914)
-@@ -618,5 +620,9 @@
- 
- /* drop unneeded capabilities and change UID/GID */
-+#ifdef _LINUX_CAPABILITY_VERSION_1
-+ hdr.version = _LINUX_CAPABILITY_VERSION_1;
-+#else
- hdr.version = _LINUX_CAPABILITY_VERSION;
-+#endif
- hdr.pid = 0;
- data.inheritable = data.effective = data.permitted = 
diff --git a/strongswan_update-dns-server.dif b/strongswan_update-dns-server.dif
new file mode 100644
index 0000000..50d225e
--- /dev/null
+++ b/strongswan_update-dns-server.dif
@@ -0,0 +1,43 @@
+--- src/charon/sa/ike_sa.c
++++ src/charon/sa/ike_sa.c 2008/08/28 07:31:59
+@@ -2316,6 +2316,11 @@
+ */
+ static void remove_dns_servers(private_ike_sa_t *this)
+ {
++ (void)this;
++#if 0
++ /*
++ ** TODO: don't change resolv.conf => use netconfig
++ */
+ FILE *file;
+ struct stat stats;
+ chunk_t contents, line, orig_line, token;
+@@ -2391,6 +2396,7 @@
+ }
+ iterator->destroy(iterator);
+ fclose(file);
++#endif
+ }
+ 
+ /**
+@@ -2398,6 +2404,12 @@
+ */
+ static void add_dns_server(private_ike_sa_t *this, host_t *dns)
+ {
++ (void)this;
++ (void)dns;
++#if 0
++ /*
++ ** TODO: don't change resolv.conf => use netconfig
++ */
+ FILE *file;
+ struct stat stats;
+ chunk_t contents;
+@@ -2442,6 +2454,7 @@
+ fwrite(contents.ptr, contents.len, 1, file);
+ 
+ fclose(file);
++#endif
+ }
+ 
+ /**
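Review bot: With both bodies wrapped in `#if 0` … `#endif`, add_dns_server() now takes the DNS server address handed over by the peer and returns without leaving any trace, and remove_dns_servers() likewise does nothing, so an administrator debugging name resolution over a tunnel gets no hint from the log that the received servers were discarded. A single debug line ahead of the `#if 0` in add_dns_server, e.g. `DBG1(DBG_IKE, "ignoring DNS server %H, resolv.conf update is disabled", dns);`, and a matching one without the address in remove_dns_servers, would keep the stopgap visible until the netconfig replacement the changelog announces exists. Not rewriting the system resolver configuration from data supplied by the remote peer is the safer default in the meantime, so the disabling itself is fine; a TODO naming the tracking bug (placeholder: <BUG-ID>) next to the existing "use netconfig" comment would make sure it is not forgotten. The bodies between the inner hunks are outside the view but lie inside the `#if 0` region, so the `(void)this;`/`(void)dns;` casts appear to be the only statements left.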