- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:

* Support of xfrm marks in IPsec SAs and IPsec policies introduced
    with the Linux 2.6.34 kernel.
    For details see the example scenarios ikev2/nat-two-rw-mark,
    ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
  * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
    used in a user-specific updown script to set marks on inbound ESP
    or ESP_IN_UDP packets.
  * The openssl plugin now supports X.509 certificate and CRL functions.
  * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
    enabled by default.
    Plase update manual load directives in strongswan.conf.
  * RFC3779 ipAddrBlock constraint checking has been moved to the
    addrblock plugin, disabled by default. Enable it and update manual
    load directives in strongswan.conf, if required.
  * The pki utility supports CRL generation using the --signcrl command.
  * The ipsec pki --self, --issue and --req commands now support output
    in PEM format using the --outform pem option.
  * The major refactoring of the IKEv1 Mode Config functionality now
    allows the transport and handling of any Mode Config attribute.
  * The RADIUS proxy plugin eap-radius now supports multiple servers.
    Configured servers are chosen randomly, with the option to prefer
    a specific server.  Non-responding servers are degraded by the
    selection process.
  * The ipsec pool tool manages arbitrary configuration attributes
    stored in an SQL database. ipsec pool --help gives the details.
  * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
    EAP-AKA, reading triplets/quintuplets from an SQL database.
  * The High Availability plugin now supports a HA enabled in-memory
    address pool and Node reintegration without IKE_SA rekeying. The
    latter allows clients without IKE_SA rekeying support to keep
    connected during reintegration. Additionally, many other issues
    have been fixed in the ha plugin.
  * Fixed a potential remote code execution vulnerability resulting
    from the misuse of snprintf(). The vulnerability is exploitable
    by unauthenticated users.
- Removed obsolete snprintf security fix, adopted spec file
- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
  eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
  that are packaged into separate mysql,sqlite,tests sub packages.

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=18

strongswan-4.4.0-snprintf-fix.diff

@@ -1,105 +0,0 @@
-From 96e2f9f3a70a7c918772f7dde57c6cb8befbc60e Mon Sep 17 00:00:00 2001
-From: Martin Willi <martin@revosec.ch>
-Date: Fri, 18 Jun 2010 09:18:27 +0200
-Subject: [PATCH] snprintf() fixes, version 4.4.0
-
----
- .../credentials/ietf_attributes/ietf_attributes.c  |   13 +++++++++++--
- src/libstrongswan/utils/identification.c           |   12 ++++++++++++
- src/pluto/x509.c                                   |    4 ++++
- 3 files changed, 27 insertions(+), 2 deletions(-)
-
-diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
-index ff3ddeb..de5b85b 100644
---- a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
-+++ b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c
-@@ -159,7 +159,7 @@ static char* get_string(private_ietf_attributes_t *this)
- 		enumerator = this->list->create_enumerator(this->list);
- 		while (enumerator->enumerate(enumerator, &attr))
- 		{
--			int written = 0;
-+			int written;
- 
- 			if (first)
- 			{
-@@ -168,8 +168,12 @@ static char* get_string(private_ietf_attributes_t *this)
- 			else
- 			{
- 				written = snprintf(pos, len, ", ");
-+				if (written < 0 || written >= len)
-+				{
-+					break;
-+				}
- 				pos += written;
--				len -= written; 
-+				len -= written;
- 			}
- 
- 			switch (attr->type)
-@@ -194,8 +198,13 @@ static char* get_string(private_ietf_attributes_t *this)
- 					break;
- 				}
- 				default:
-+					written = 0;
- 					break;
- 			}
-+			if (written < 0 || written >= len)
-+			{
-+				break;
-+			}
- 			pos += written;
- 			len -= written;
- 		}
-diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
-index 6a3c393..6ccfa19 100644
---- a/src/libstrongswan/utils/identification.c
-+++ b/src/libstrongswan/utils/identification.c
-@@ -297,18 +297,30 @@ static void dntoa(chunk_t dn, char *buf, size_t len)
- 		{
- 			written = snprintf(buf, len,"%s=", oid_names[oid].name);
- 		}
-+		if (written < 0 || written >= len)
-+		{
-+			break;
-+		}
- 		buf += written;
- 		len -= written;
- 
- 		chunk_printable(data, &printable, '?');
- 		written = snprintf(buf, len, "%.*s", printable.len, printable.ptr);
- 		chunk_free(&printable);
-+		if (written < 0 || written >= len)
-+		{
-+			break;
-+		}
- 		buf += written;
- 		len -= written;
- 
- 		if (data.ptr + data.len != dn.ptr + dn.len)
- 		{
- 			written = snprintf(buf, len, ", ");
-+			if (written < 0 || written >= len)
-+			{
-+				break;
-+			}
- 			buf += written;
- 			len -= written;
- 		}
-diff --git a/src/pluto/x509.c b/src/pluto/x509.c
-index 0a29830..0abebc6 100644
---- a/src/pluto/x509.c
-+++ b/src/pluto/x509.c
-@@ -393,6 +393,10 @@ void list_x509cert_chain(const char *caption, cert_t* cert,
- 				{
- 					written = snprintf(pos, len, ", %Y", id);
- 				}
-+				if (written < 0 || written >= len)
-+				{
-+					break;
-+				}
- 				pos += written;
- 				len -= written;
- 			}
---
-1.7.0.4
-

strongswan-4.4.1-rpmlintrc

@@ -0,0 +1,5 @@
+### Known warnings:
+# - traditional name
+addFilter("strongswan.* incoherent-init-script-name ipsec")
+# - readme only, triggers full ipsec + ikev1&ikev2 install
+addFilter("strongswan.* no-binary")

strongswan-4.4.1.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2bee6fb9f43c251827f530cd629af1195a566cf99e9d0320c338f1497cbf99c2
+size 2982652

strongswan-4.4.1.tar.bz2.sig

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.10 (GNU/Linux)
+
+iQGcBAABAgAGBQJMUuERAAoJEN9CwXCzTbp3oqYL/3Gg3EDh4ZhMAvJunRK40JUI
+Sw8Ekp3XNFASLDDAOTjZAOOfd/ZAtC3zLDxaT9vRfq4mmWmhtKBHcnAnURDtNees
+fraJiv/flvmJ4enZbXp3R3NgIQcXNGDrOi2P7XSydzqq80pW1P4v8JZcMf+glFJO
+sdzMgnL2Tg9/TTiivBFtymtknf+yqT4cDKNNolzIuKWPzJ1dR+hSoLlVZ+4efUAS
+qGK8EsqTDawZ5AsEvx7BVfusn38wMgQehKV5DhyhM29sm9hYj6nfO99NEfXq8VhG
+eYTWU4uJNH5ghTOllc3s9zA8jK49aG+ITIlpqn9xUi41uRlr3DdvMINDBETjGL8E
+eKd8AkV0NCDWRsia2mHJLBW9/W107/w3BPKMCm23avMtiRRezsSB0OQ2XpzgDjEH
+iPLj0xY4cK6Ratd9qfApfafU1sJSll/Hj0XOiv/UEoIgZUaStVKOO+5d5SrljTlp
+hIGJFjWcK262L+aDTGrckDqEpQ/1xHc8KLGF/XiKFg==
+=TTSf
+-----END PGP SIGNATURE-----

strongswan.changes

@@ -1,3 +1,48 @@
+-------------------------------------------------------------------
+Tue Aug 10 10:56:34 UTC 2010 - mt@suse.de
+
+- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
+  * Support of xfrm marks in IPsec SAs and IPsec policies introduced
+    with the Linux 2.6.34 kernel.
+    For details see the example scenarios ikev2/nat-two-rw-mark,
+    ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
+  * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
+    used in a user-specific updown script to set marks on inbound ESP
+    or ESP_IN_UDP packets.
+  * The openssl plugin now supports X.509 certificate and CRL functions.
+  * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
+    enabled by default.
+    Plase update manual load directives in strongswan.conf.
+  * RFC3779 ipAddrBlock constraint checking has been moved to the
+    addrblock plugin, disabled by default. Enable it and update manual
+    load directives in strongswan.conf, if required.
+  * The pki utility supports CRL generation using the --signcrl command.
+  * The ipsec pki --self, --issue and --req commands now support output
+    in PEM format using the --outform pem option.
+  * The major refactoring of the IKEv1 Mode Config functionality now
+    allows the transport and handling of any Mode Config attribute.
+  * The RADIUS proxy plugin eap-radius now supports multiple servers.
+    Configured servers are chosen randomly, with the option to prefer
+    a specific server.  Non-responding servers are degraded by the
+    selection process.
+  * The ipsec pool tool manages arbitrary configuration attributes
+    stored in an SQL database. ipsec pool --help gives the details.
+  * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
+    EAP-AKA, reading triplets/quintuplets from an SQL database.
+  * The High Availability plugin now supports a HA enabled in-memory
+    address pool and Node reintegration without IKE_SA rekeying. The
+    latter allows clients without IKE_SA rekeying support to keep
+    connected during reintegration. Additionally, many other issues
+    have been fixed in the ha plugin.
+  * Fixed a potential remote code execution vulnerability resulting
+    from the misuse of snprintf(). The vulnerability is exploitable
+    by unauthenticated users.
+- Removed obsolete snprintf security fix, adopted spec file
+- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
+  eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
+- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
+  that are packaged into separate mysql,sqlite,tests sub packages.
+
 -------------------------------------------------------------------
 Fri Jul  2 15:40:17 UTC 2010 - mt@suse.de
 

strongswan.spec

@@ -1,5 +1,5 @@
 #
-# spec file for package strongswan (Version 4.4.0)
+# spec file for package strongswan (Version 4.4.1)
 #
 # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -19,11 +19,11 @@
 
 
 Name:           strongswan
-%define         upstream_version 4.4.0
+%define         upstream_version 4.4.1
 %define         strongswan_docdir  %{_docdir}/%{name}
 %define         strongswan_plugins %{_libexecdir}/ipsec/plugins
-Version:        4.4.0
-Release:        4.<RELEASE1>
+Version:        4.4.1
+Release:        0
 License:        GPLv2+
 Group:          Productivity/Networking/Security
 Summary:        OpenSource IPsec-based VPN Solution
@@ -38,7 +38,6 @@ Source2:        %{name}.init.in
 Source3:        %{name}-%{version}-rpmlintrc
 Source4:        README.SUSE
 Patch1:         %{name}_modprobe_syslog.patch
-Patch2:         %{name}-4.4.0-snprintf-fix.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison flex gmp-devel gperf pkg-config
 BuildRequires:  libcap-devel
@@ -50,6 +49,7 @@ BuildRequires:  curl-devel pam-devel
 BuildRequires:  libuuid-devel
 BuildRequires:  NetworkManager-devel
 %endif
+BuildRequires:  libmysqlclient-devel sqlite3-devel
 
 %description
 StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
@@ -116,6 +116,40 @@ StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
 
 This package provides the strongswan library and plugins.
 
+%package mysql
+License:        GPLv2+
+Summary:        OpenSource IPsec-based VPN Solution
+Group:          Productivity/Networking/Security
+Requires:       strongswan-libs0 = %{version}
+
+%description mysql
+StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
+
+This package provides the strongswan mysql plugin.
+
+%package sqlite
+License:        GPLv2+
+Summary:        OpenSource IPsec-based VPN Solution
+Group:          Productivity/Networking/Security
+Requires:       strongswan-libs0 = %{version}
+
+%description sqlite
+StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
+
+This package provides the strongswan sqlite plugin.
+
+%package tests
+License:        GPLv2+
+Summary:        OpenSource IPsec-based VPN Solution
+Group:          Productivity/Networking/Security
+Requires:       strongswan-libs0 = %{version}
+
+%description tests
+StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
+
+This package provides the strongswan crypto test-vectors plugin
+and the load testing plugin for IKEv2 daemon.
+
 %package ikev1
 License:        GPLv2+
 Summary:        OpenSource IPsec-based VPN Solution
@@ -190,7 +224,6 @@ NetworkManager-strongswan graphical user interface.
 %prep
 %setup -q -n %{name}-%{upstream_version}
 %patch1 -p0
-%patch2 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g'    \
      < $RPM_SOURCE_DIR/strongswan.init.in \
      > strongswan.init
@@ -211,24 +244,37 @@ export RPM_OPT_FLAGS CFLAGS
 	--enable-cisco-quirks \
 	--enable-openssl \
 	--enable-agent \
+	--enable-md4 \
+	--enable-blowfish \
+	--enable-eap-sim \
+	--enable-eap-sim-file \
+	--enable-eap-simaka-sql \
+	--enable-eap-simaka-pseudonym \
+	--enable-eap-simaka-reauth \
 	--enable-eap-md5 \
 	--enable-eap-gtc \
 	--enable-eap-aka \
 	--enable-eap-radius \
 	--enable-eap-identity \
 	--enable-eap-mschapv2 \
+	--enable-eap-aka-3gpp2 \
 	--enable-ha \
 	--enable-dhcp \
 	--enable-farp \
 	--enable-sql \
 	--enable-attr-sql \
+	--enable-addrblock \
 	--enable-socket-dynamic \
 %if 0%{suse_version} >= 1110
 	--enable-gcrypt \
 	--enable-nm \
 %endif
 	--enable-ldap \
-	--enable-curl
+	--enable-curl \
+	--enable-mysql \
+	--enable-sqlite \
+	--enable-load-tester \
+	--enable-test-vectors
 make %{?_smp_mflags:%_smp_mflags}
 
 %install
@@ -390,20 +436,28 @@ fi
 %dir %{_libexecdir}/ipsec/pool
 %{_libexecdir}/ipsec/libchecksum.so
 %dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-addrblock.so
 %{strongswan_plugins}/libstrongswan-aes.so
 %{strongswan_plugins}/libstrongswan-agent.so
 %{strongswan_plugins}/libstrongswan-attr.so
 %{strongswan_plugins}/libstrongswan-attr-sql.so
+%{strongswan_plugins}/libstrongswan-blowfish.so
 %{strongswan_plugins}/libstrongswan-curl.so
 %{strongswan_plugins}/libstrongswan-des.so
 %{strongswan_plugins}/libstrongswan-dhcp.so
 %{strongswan_plugins}/libstrongswan-dnskey.so
+%{strongswan_plugins}/libstrongswan-eap-aka-3gpp2.so
 %{strongswan_plugins}/libstrongswan-eap-aka.so
 %{strongswan_plugins}/libstrongswan-eap-gtc.so
 %{strongswan_plugins}/libstrongswan-eap-identity.so
 %{strongswan_plugins}/libstrongswan-eap-md5.so
 %{strongswan_plugins}/libstrongswan-eap-mschapv2.so
 %{strongswan_plugins}/libstrongswan-eap-radius.so
+%{strongswan_plugins}/libstrongswan-eap-simaka-pseudonym.so
+%{strongswan_plugins}/libstrongswan-eap-simaka-reauth.so
+%{strongswan_plugins}/libstrongswan-eap-simaka-sql.so
+%{strongswan_plugins}/libstrongswan-eap-sim-file.so
+%{strongswan_plugins}/libstrongswan-eap-sim.so
 %{strongswan_plugins}/libstrongswan-farp.so
 %{strongswan_plugins}/libstrongswan-fips-prf.so
 %if 0%{suse_version} >= 1110
@@ -414,6 +468,7 @@ fi
 %{strongswan_plugins}/libstrongswan-hmac.so
 %{strongswan_plugins}/libstrongswan-kernel-netlink.so
 %{strongswan_plugins}/libstrongswan-ldap.so
+%{strongswan_plugins}/libstrongswan-md4.so
 %{strongswan_plugins}/libstrongswan-md5.so
 %{strongswan_plugins}/libstrongswan-openssl.so
 %{strongswan_plugins}/libstrongswan-pem.so
@@ -422,13 +477,31 @@ fi
 %{strongswan_plugins}/libstrongswan-pubkey.so
 %{strongswan_plugins}/libstrongswan-random.so
 %{strongswan_plugins}/libstrongswan-resolve.so
+%{strongswan_plugins}/libstrongswan-revocation.so
 %{strongswan_plugins}/libstrongswan-sha1.so
 %{strongswan_plugins}/libstrongswan-sha2.so
 %{strongswan_plugins}/libstrongswan-socket-dynamic.so
 %{strongswan_plugins}/libstrongswan-socket-raw.so
 %{strongswan_plugins}/libstrongswan-sql.so
 %{strongswan_plugins}/libstrongswan-x509.so
+%{strongswan_plugins}/libstrongswan-xauth.so
 %{strongswan_plugins}/libstrongswan-xcbc.so
 %dir %ghost %{_localstatedir}/run/strongswan
 
+%files mysql
+%defattr(-,root,root)
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-mysql.so
+
+%files sqlite
+%defattr(-,root,root)
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-sqlite.so
+
+%files tests
+%defattr(-,root,root)
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-load-tester.so
+%{strongswan_plugins}/libstrongswan-test-vectors.so
+
 %changelog