forked from pool/strongswan
OBS User unknown 2008-08-28 10:57:23 +00:00 committed by Git OBS Bridge
parent 288f1b2851
commit 27260ae183
12 changed files with 205 additions and 94 deletions


@ -1,22 +0,0 @@
--- src/charon/network/socket-raw.c
+++ src/charon/network/socket-raw.c 2008/04/23 09:46:10
@@ -16,6 +16,9 @@
*
* $Id: socket-raw.c 3589 2008-03-13 14:14:44Z martin $
*/
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
#include <pthread.h>
#include <sys/types.h>
--- src/charon/plugins/stroke/stroke_cred.c
+++ src/charon/plugins/stroke/stroke_cred.c 2008/04/23 09:05:26
@@ -19,6 +19,7 @@
#include "stroke_shared_key.h"
#include <sys/stat.h>
+#include <limits.h>
#include <credentials/certificates/x509.h>
#include <credentials/certificates/crl.h>


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:81203cad6e365ac4c5a8203103d75b44916d8f57167e914805000c78912a508f
size 2346505


@ -1,9 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQCVAwUASAmpYdYbDnNAmVNZAQLJYQP+Oa8Eqko/tzGdhHVtasGSdGj9S5gkeRqI
69mHMB1zTqabicknP4UuZI50G0V6RgAOA18/zilkeuqRfeD9YmYaTnAX1sDFVDRC
jgYUrSWlrsqaHk+WctShLO8WN88AIXzQZXPTjQ0rAyyhVpH3PKZliLtCQE9hGN1I
p8qt8BTPwVs=
=szkI
-----END PGP SIGNATURE-----

11
strongswan-4.2.6.dif Normal file

@ -0,0 +1,11 @@
--- scripts/thread_analysis.c
+++ scripts/thread_analysis.c 2008/08/28 07:41:27
@@ -102,7 +102,7 @@
fd = fopen(LOGFILE, "r");
if (!fd)
{
- printf("could not open log file '%s'\n");
+ printf("could not open log file '%s'\n", LOGFILE);
return 1;
}
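Review bot: The added LOGFILE argument closes the real hole here (the old call pulled an unrelated stack value as the `%s` pointer, which is undefined behaviour and at best a crash, at worst a leak of whatever that memory held), but the message still goes to stdout and discards why fopen failed. `fprintf(stderr, "could not open log file '%s': %s\n", LOGFILE, strerror(errno));` reports it where an error belongs; add `<errno.h>` and `<string.h>` if thread_analysis.c does not already include them. The variable is a `FILE *` despite being called `fd`, which is worth a rename the next time this script is touched. The enclosing function starts and ends outside the hunk.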

3
strongswan-4.2.6.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:30e5acb5913882d1389b0133c3c3e9cfb5c2686058d56b7baf37c0740c0b6791
size 2894019


@ -0,0 +1,9 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQCVAwUASLUlc9YbDnNAmVNZAQI4ZwP/TmmXOMo6lCUcLD2wJvZvotpCt6Tnrb1n
4ZlUdZrqq2Br1A8t5CqTaqS+T5p3z+nvNU3x8GVTKtSDlPwbK+gGGXVdIrfGMv2O
ToKjuiTU+ws4I74eFG5zjC1zAkavbH/P3zuTwwsZ2ahGWcCR+Wf3mmTH5pSauQM1
doF73F0F0Ks=
=qSNp
-----END PGP SIGNATURE-----


@ -1,3 +1,67 @@
-------------------------------------------------------------------
Thu Aug 28 09:48:14 CEST 2008 - mt@suse.de
- Updated to 4.2.6 release, fixing bugs and offering a lot of new
features comparing to the last version provided by this package.
Most important are:
* A NetworkManager plugin allows GUI-based configuration of
road-warrior clients in a simple way. It features X509 based
gateway authentication and EAP client authentication, tunnel
setup/teardown and storing passwords in the Gnome Keyring.
* A new EAP-GTC plugin implements draft-sheffer-ikev2-gtc-00.txt
and allows username/password authentication against any PAM
service on the gateway. The new EAP method interacts nicely with
the NetworkManager plugin and allows client authentication against
e.g. LDAP.
* Improved support for the EAP-Identity method. The new ipsec.conf
eap_identity parameter defines an additional identity to pass to
the server in EAP authentication.
* Fixed two multithreading deadlocks occurring when starting up
several hundred tunnels concurrently.
* Fixed the --enable-integrity-test configure option which
computes a SHA-1 checksum over the libstrongswan library.
* Consistent logging of IKE and CHILD SAs at the audit (AUD) level.
* Improved the performance of the SQL-based virtual IP address pool
by introducing an additional addresses table. The leases table
storing only history information has become optional and can be
disabled by setting charon.plugins.sql.lease_history = no in
strongswan.conf.
* The XFRM_STATE_AF_UNSPEC flag added to xfrm.h allows IPv4-over-IPv6
and IPv6-over-IPv4 tunnels with the 2.6.26 and later Linux kernels.
* management of different virtual IP pools for different network
interfaces have become possible.
* fixed a bug which prevented the assignment of more than 256
virtual IP addresses from a pool managed by an sql database.
* fixed a bug which did not delete own IPCOMP SAs in the kernel.
* The openssl plugin supports the elliptic curve Diffie-Hellman
groups 19, 20, 21, 25, and 26 and ECDSA authentication using
elliptic curve X.509 certificates.
* Fixed a bug in stroke which caused multiple charon threads to
close the file descriptors during packet transfers over the stroke
socket.
* ESP sequence numbers are now migrated in IPsec SA updates handled
by MOBIKE. Works only with Linux kernels >= 2.6.17.
* Fixed a number of minor bugs that where discovered during the 4th
IKEv2 interoperability workshop in San Antonio, TX.
* Plugins for libstrongswan and charon can optionally be loaded
according to a configuration in strongswan.conf. Most components
provide a "load = " option followed by a space separated list of
plugins to load. This allows e.g. the fallback from a hardware
crypto accelerator to to software-based crypto plugins.
* Charons SQL plugin has been extended by a virtual IP address pool.
Configurations with a rightsourceip=%poolname setting query a
SQLite or MySQL database for leases. The "ipsec pool" command helps
in administrating the pool database. See ipsec pool --help for the
available options
* The Authenticated Encryption Algorithms AES-CCM-8/12/16 and
AES-GCM-8/12/16 for ESP are now supported starting with the Linux
2.6.25 kernel. The syntax is e.g. esp=aes128ccm12 or esp=aes256gcm16.
- Added patch disabling direct modifications of resolv.conf; has to
be replaced by a netconfig call.
- Added patch adding a missed file name argument in printf call in the
scripts/thread_analysis.c file -- resulting binary is not installed.
- Removed obsolete patches crash_badcfg_reload and old-caps-version.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jun 30 22:40:31 CEST 2008 - mt@suse.de Mon Jun 30 22:40:31 CEST 2008 - mt@suse.de


@ -1,10 +1,17 @@
# #
# spec file for package strongswan (Version 4.2.1) # spec file for package strongswan (Version 4.2.6)
# #
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
# #
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Please submit bugfixes or comments via http://bugs.opensuse.org/
# #
@ -12,10 +19,10 @@
Name: strongswan Name: strongswan
%define upstream_version 4.2.1 %define upstream_version 4.2.6
%define strongswan_docdir %{_docdir}/%{name} %define strongswan_docdir %{_docdir}/%{name}
Version: 4.2.1 Version: 4.2.6
Release: 16 Release: 1
License: GPL v2 or later License: GPL v2 or later
Group: Productivity/Networking/Security Group: Productivity/Networking/Security
Summary: StrongSwan -- OpenSource IPsec-based VPN Solution Summary: StrongSwan -- OpenSource IPsec-based VPN Solution
@ -32,8 +39,7 @@ Source2: %{name}.init.in
Source3: %{name}-%{version}-rpmlintrc Source3: %{name}-%{version}-rpmlintrc
Patch1: %{name}_modprobe_syslog.dif Patch1: %{name}_modprobe_syslog.dif
Patch2: %{name}-%{upstream_version}.dif Patch2: %{name}-%{upstream_version}.dif
Patch3: %{name}_crash_badcfg_reload.dif Patch3: %{name}_update-dns-server.dif
Patch4: %{name}_old-caps-version.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: bison flex gmp-devel gperf pkg-config BuildRequires: bison flex gmp-devel gperf pkg-config
%if 0%{?suse_version} >= 1030 %if 0%{?suse_version} >= 1030
@ -131,7 +137,6 @@ Authors:
%patch1 -p0 %patch1 -p0
%patch2 -p0 %patch2 -p0
%patch3 -p0 %patch3 -p0
%patch4 -p2
sed -e 's|@libexecdir@|%_libexecdir|g' \ sed -e 's|@libexecdir@|%_libexecdir|g' \
< $RPM_SOURCE_DIR/strongswan.init.in \ < $RPM_SOURCE_DIR/strongswan.init.in \
> strongswan.init > strongswan.init
@ -262,6 +267,67 @@ fi
%{_mandir}/man8/starter.8* %{_mandir}/man8/starter.8*
%changelog %changelog
* Thu Aug 28 2008 mt@suse.de
- Updated to 4.2.6 release, fixing bugs and offering a lot of new
features comparing to the last version provided by this package.
Most important are:
* A NetworkManager plugin allows GUI-based configuration of
road-warrior clients in a simple way. It features X509 based
gateway authentication and EAP client authentication, tunnel
setup/teardown and storing passwords in the Gnome Keyring.
* A new EAP-GTC plugin implements draft-sheffer-ikev2-gtc-00.txt
and allows username/password authentication against any PAM
service on the gateway. The new EAP method interacts nicely with
the NetworkManager plugin and allows client authentication against
e.g. LDAP.
* Improved support for the EAP-Identity method. The new ipsec.conf
eap_identity parameter defines an additional identity to pass to
the server in EAP authentication.
* Fixed two multithreading deadlocks occurring when starting up
several hundred tunnels concurrently.
* Fixed the --enable-integrity-test configure option which
computes a SHA-1 checksum over the libstrongswan library.
* Consistent logging of IKE and CHILD SAs at the audit (AUD) level.
* Improved the performance of the SQL-based virtual IP address pool
by introducing an additional addresses table. The leases table
storing only history information has become optional and can be
disabled by setting charon.plugins.sql.lease_history = no in
strongswan.conf.
* The XFRM_STATE_AF_UNSPEC flag added to xfrm.h allows IPv4-over-IPv6
and IPv6-over-IPv4 tunnels with the 2.6.26 and later Linux kernels.
* management of different virtual IP pools for different network
interfaces have become possible.
* fixed a bug which prevented the assignment of more than 256
virtual IP addresses from a pool managed by an sql database.
* fixed a bug which did not delete own IPCOMP SAs in the kernel.
* The openssl plugin supports the elliptic curve Diffie-Hellman
groups 19, 20, 21, 25, and 26 and ECDSA authentication using
elliptic curve X.509 certificates.
* Fixed a bug in stroke which caused multiple charon threads to
close the file descriptors during packet transfers over the stroke
socket.
* ESP sequence numbers are now migrated in IPsec SA updates handled
by MOBIKE. Works only with Linux kernels >= 2.6.17.
* Fixed a number of minor bugs that where discovered during the 4th
IKEv2 interoperability workshop in San Antonio, TX.
* Plugins for libstrongswan and charon can optionally be loaded
according to a configuration in strongswan.conf. Most components
provide a "load = " option followed by a space separated list of
plugins to load. This allows e.g. the fallback from a hardware
crypto accelerator to to software-based crypto plugins.
* Charons SQL plugin has been extended by a virtual IP address pool.
Configurations with a rightsourceip=%%poolname setting query a
SQLite or MySQL database for leases. The "ipsec pool" command helps
in administrating the pool database. See ipsec pool --help for the
available options
* The Authenticated Encryption Algorithms AES-CCM-8/12/16 and
AES-GCM-8/12/16 for ESP are now supported starting with the Linux
2.6.25 kernel. The syntax is e.g. esp=aes128ccm12 or esp=aes256gcm16.
- Added patch disabling direct modifications of resolv.conf; has to
be replaced by a netconfig call.
- Added patch adding a missed file name argument in printf call in the
scripts/thread_analysis.c file -- resulting binary is not installed.
- Removed obsolete patches crash_badcfg_reload and old-caps-version.
* Tue Jul 01 2008 mt@suse.de * Tue Jul 01 2008 mt@suse.de
- Added fix that explicitly enables version 1 linux capabilities - Added fix that explicitly enables version 1 linux capabilities
on version 2 systems to aviod that the charon and pluto daemons on version 2 systems to aviod that the charon and pluto daemons


@ -1,21 +0,0 @@
--- src/starter/starter.c
+++ src/starter/starter.c 2008/05/20 08:42:39
@@ -390,7 +390,7 @@
);
new_cfg = confread_load(CONFIG_FILE);
- if (new_cfg->err + new_cfg->non_fatal_err == 0)
+ if (new_cfg && new_cfg->err + new_cfg->non_fatal_err == 0)
{
/* Switch to new config. New conn will be loaded below */
if (!starter_cmp_defaultroute(&new_cfg->defaultroute
@@ -484,7 +484,8 @@
else
{
plog("can't reload config file due to errors -- keeping old one");
- confread_free(new_cfg);
+ if(new_cfg)
+ confread_free(new_cfg);
}
_action_ &= ~FLAG_ACTION_UPDATE;
last_reload = time(NULL);


@ -1,30 +0,0 @@
Index: /trunk/src/charon/daemon.c
===================================================================
--- /trunk/src/charon/daemon.c (revision 3825)
+++ /trunk/src/charon/daemon.c (revision 3908)
@@ -267,5 +267,11 @@
}
+ /* we use the old capset version for now. For systems with version 2
+ * available, we specifiy version 1 excplicitly. */
+#ifdef _LINUX_CAPABILITY_VERSION_1
+ hdr.version = _LINUX_CAPABILITY_VERSION_1;
+#else
hdr.version = _LINUX_CAPABILITY_VERSION;
+#endif
hdr.pid = 0;
data.inheritable = data.effective = data.permitted = keep;
Index: /trunk/src/pluto/plutomain.c
===================================================================
--- /trunk/src/pluto/plutomain.c (revision 3253)
+++ /trunk/src/pluto/plutomain.c (revision 3914)
@@ -618,5 +620,9 @@
/* drop unneeded capabilities and change UID/GID */
+#ifdef _LINUX_CAPABILITY_VERSION_1
+ hdr.version = _LINUX_CAPABILITY_VERSION_1;
+#else
hdr.version = _LINUX_CAPABILITY_VERSION;
+#endif
hdr.pid = 0;
data.inheritable = data.effective = data.permitted =


@ -0,0 +1,43 @@
--- src/charon/sa/ike_sa.c
+++ src/charon/sa/ike_sa.c 2008/08/28 07:31:59
@@ -2316,6 +2316,11 @@
*/
static void remove_dns_servers(private_ike_sa_t *this)
{
+ (void)this;
+#if 0
+ /*
+ ** TODO: don't change resolv.conf => use netconfig
+ */
FILE *file;
struct stat stats;
chunk_t contents, line, orig_line, token;
@@ -2391,6 +2396,7 @@
}
iterator->destroy(iterator);
fclose(file);
+#endif
}
/**
@@ -2398,6 +2404,12 @@
*/
static void add_dns_server(private_ike_sa_t *this, host_t *dns)
{
+ (void)this;
+ (void)dns;
+#if 0
+ /*
+ ** TODO: don't change resolv.conf => use netconfig
+ */
FILE *file;
struct stat stats;
chunk_t contents;
@@ -2442,6 +2454,7 @@
fwrite(contents.ptr, contents.len, 1, file);
fclose(file);
+#endif
}
/**
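Review bot: The `#if 0` stubs turn remove_dns_servers and add_dns_server into silent no-ops, so the `dns` host the gateway hands to add_dns_server is discarded without a trace and an operator whose VPN-internal names stop resolving has nothing in the log to explain it. Taking the daemon out of the business of rewriting /etc/resolv.conf is the safer direction, but until the netconfig hook exists the stub should say so: put `DBG1(DBG_IKE, "DNS server %H not installed, resolv.conf handling is disabled", dns);` (charon's DBG1 macro and %H host hook, assuming they are available in this tree) before the `#if 0` in add_dns_server, and a matching line in remove_dns_servers. The `** TODO: don't change resolv.conf => use netconfig` comment sits inside the disabled region in both hunks; move it above the `#if 0` so it stays visible in the compiled code path. Both function bodies end in later hunks, and the remove_dns_servers body continues outside the first hunk.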