forked from pool/strongswan
osc copypac from project:openSUSE:Leap:15.2 package:strongswan revision:16
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=117
This commit is contained in:
parent
f51dbccc77
commit
b84f3a369a
@ -15,10 +15,10 @@ utils/utils/memory.h:99:15: error: ‘uintptr_t’ undeclared (first use in this
|
||||
src/libstrongswan/utils/utils/memory.h | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
Index: strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h
|
||||
===================================================================
|
||||
--- strongswan-5.6.2.orig/src/libstrongswan/utils/utils/memory.h 2017-08-14 08:48:41.000000000 +0200
|
||||
+++ strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h 2018-04-17 16:53:57.590335103 +0200
|
||||
diff --git a/src/libstrongswan/utils/utils/memory.h b/src/libstrongswan/utils/utils/memory.h
|
||||
index b978e7c..55aaaf5 100644
|
||||
--- a/src/libstrongswan/utils/utils/memory.h
|
||||
+++ b/src/libstrongswan/utils/utils/memory.h
|
||||
@@ -22,6 +22,8 @@
|
||||
#ifndef MEMORY_H_
|
||||
#define MEMORY_H_
|
||||
@ -28,3 +28,6 @@ Index: strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h
|
||||
/**
|
||||
* Helper function that compares two binary blobs for equality
|
||||
*/
|
||||
--
|
||||
2.14.1
|
||||
|
||||
|
323
0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch
Normal file
323
0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch
Normal file
@ -0,0 +1,323 @@
|
||||
From ade8c9c4b73ec43cf43b9c4cd9af6aac5e6f7f9d Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Brunner <tobias@strongswan.org>
|
||||
Date: Tue, 28 Aug 2018 11:26:24 +0200
|
||||
Subject: [PATCH] gmp: Don't parse PKCS1 v1.5 RSA signatures to verify them
|
||||
|
||||
Instead we generate the expected signature encoding and compare it to the
|
||||
decrypted value.
|
||||
|
||||
Due to the lenient nature of the previous parsing code (minimum padding
|
||||
length was not enforced, the algorithmIdentifier/OID parser accepts arbitrary
|
||||
data after OIDs and in the parameters field etc.) it was susceptible to
|
||||
Daniel Bleichenbacher's low-exponent attack (from 2006!), which allowed
|
||||
forging signatures for keys that use low public exponents (i.e. e=3).
|
||||
|
||||
Since the public exponent is usually set to 0x10001 (65537) since quite a
|
||||
while, the flaws in the previous code should not have had that much of a
|
||||
practical impact in recent years.
|
||||
|
||||
Fixes: CVE-2018-16151, CVE-2018-16152
|
||||
---
|
||||
.../plugins/gmp/gmp_rsa_private_key.c | 66 +++++----
|
||||
src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 158 ++-------------------
|
||||
2 files changed, 53 insertions(+), 171 deletions(-)
|
||||
|
||||
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
|
||||
index 21b420866e2f..025f61a9fa21 100644
|
||||
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
|
||||
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
|
||||
@@ -262,14 +262,15 @@ static chunk_t rsasp1(private_gmp_rsa_private_key_t *this, chunk_t data)
|
||||
}
|
||||
|
||||
/**
|
||||
- * Build a signature using the PKCS#1 EMSA scheme
|
||||
+ * Hashes the data and builds the plaintext signature value with EMSA
|
||||
+ * PKCS#1 v1.5 padding.
|
||||
+ *
|
||||
+ * Allocates the signature data.
|
||||
*/
|
||||
-static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
|
||||
- hash_algorithm_t hash_algorithm,
|
||||
- chunk_t data, chunk_t *signature)
|
||||
+bool gmp_emsa_pkcs1_signature_data(hash_algorithm_t hash_algorithm,
|
||||
+ chunk_t data, size_t keylen, chunk_t *em)
|
||||
{
|
||||
chunk_t digestInfo = chunk_empty;
|
||||
- chunk_t em;
|
||||
|
||||
if (hash_algorithm != HASH_UNKNOWN)
|
||||
{
|
||||
@@ -293,43 +294,56 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
|
||||
/* build DER-encoded digestInfo */
|
||||
digestInfo = asn1_wrap(ASN1_SEQUENCE, "mm",
|
||||
asn1_algorithmIdentifier(hash_oid),
|
||||
- asn1_simple_object(ASN1_OCTET_STRING, hash)
|
||||
- );
|
||||
- chunk_free(&hash);
|
||||
+ asn1_wrap(ASN1_OCTET_STRING, "m", hash));
|
||||
+
|
||||
data = digestInfo;
|
||||
}
|
||||
|
||||
- if (data.len > this->k - 3)
|
||||
+ if (data.len > keylen - 11)
|
||||
{
|
||||
- free(digestInfo.ptr);
|
||||
- DBG1(DBG_LIB, "unable to sign %d bytes using a %dbit key", data.len,
|
||||
- mpz_sizeinbase(this->n, 2));
|
||||
+ chunk_free(&digestInfo);
|
||||
+ DBG1(DBG_LIB, "signature value of %zu bytes is too long for key of "
|
||||
+ "%zu bytes", data.len, keylen);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
- /* build chunk to rsa-decrypt:
|
||||
- * EM = 0x00 || 0x01 || PS || 0x00 || T.
|
||||
- * PS = 0xFF padding, with length to fill em
|
||||
+ /* EM = 0x00 || 0x01 || PS || 0x00 || T.
|
||||
+ * PS = 0xFF padding, with length to fill em (at least 8 bytes)
|
||||
* T = encoded_hash
|
||||
*/
|
||||
- em.len = this->k;
|
||||
- em.ptr = malloc(em.len);
|
||||
+ *em = chunk_alloc(keylen);
|
||||
|
||||
/* fill em with padding */
|
||||
- memset(em.ptr, 0xFF, em.len);
|
||||
+ memset(em->ptr, 0xFF, em->len);
|
||||
/* set magic bytes */
|
||||
- *(em.ptr) = 0x00;
|
||||
- *(em.ptr+1) = 0x01;
|
||||
- *(em.ptr + em.len - data.len - 1) = 0x00;
|
||||
- /* set DER-encoded hash */
|
||||
- memcpy(em.ptr + em.len - data.len, data.ptr, data.len);
|
||||
+ *(em->ptr) = 0x00;
|
||||
+ *(em->ptr+1) = 0x01;
|
||||
+ *(em->ptr + em->len - data.len - 1) = 0x00;
|
||||
+ /* set encoded hash */
|
||||
+ memcpy(em->ptr + em->len - data.len, data.ptr, data.len);
|
||||
+
|
||||
+ chunk_clear(&digestInfo);
|
||||
+ return TRUE;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+ * Build a signature using the PKCS#1 EMSA scheme
|
||||
+ */
|
||||
+static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
|
||||
+ hash_algorithm_t hash_algorithm,
|
||||
+ chunk_t data, chunk_t *signature)
|
||||
+{
|
||||
+ chunk_t em;
|
||||
+
|
||||
+ if (!gmp_emsa_pkcs1_signature_data(hash_algorithm, data, this->k, &em))
|
||||
+ {
|
||||
+ return FALSE;
|
||||
+ }
|
||||
|
||||
/* build signature */
|
||||
*signature = rsasp1(this, em);
|
||||
|
||||
- free(digestInfo.ptr);
|
||||
- free(em.ptr);
|
||||
-
|
||||
+ chunk_free(&em);
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
|
||||
index 065c88903344..f27b24c6f319 100644
|
||||
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
|
||||
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
|
||||
@@ -68,7 +68,9 @@ struct private_gmp_rsa_public_key_t {
|
||||
/**
|
||||
* Shared functions defined in gmp_rsa_private_key.c
|
||||
*/
|
||||
-extern chunk_t gmp_mpz_to_chunk(const mpz_t value);
|
||||
+chunk_t gmp_mpz_to_chunk(const mpz_t value);
|
||||
+bool gmp_emsa_pkcs1_signature_data(hash_algorithm_t hash_algorithm,
|
||||
+ chunk_t data, size_t keylen, chunk_t *em);
|
||||
|
||||
/**
|
||||
* RSAEP algorithm specified in PKCS#1.
|
||||
@@ -113,26 +115,13 @@ static chunk_t rsavp1(private_gmp_rsa_public_key_t *this, chunk_t data)
|
||||
}
|
||||
|
||||
/**
|
||||
- * ASN.1 definition of digestInfo
|
||||
- */
|
||||
-static const asn1Object_t digestInfoObjects[] = {
|
||||
- { 0, "digestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
|
||||
- { 1, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 1 */
|
||||
- { 1, "digest", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */
|
||||
- { 0, "exit", ASN1_EOC, ASN1_EXIT }
|
||||
-};
|
||||
-#define DIGEST_INFO 0
|
||||
-#define DIGEST_INFO_ALGORITHM 1
|
||||
-#define DIGEST_INFO_DIGEST 2
|
||||
-
|
||||
-/**
|
||||
- * Verification of an EMPSA PKCS1 signature described in PKCS#1
|
||||
+ * Verification of an EMSA PKCS1 signature described in PKCS#1
|
||||
*/
|
||||
static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
|
||||
hash_algorithm_t algorithm,
|
||||
chunk_t data, chunk_t signature)
|
||||
{
|
||||
- chunk_t em_ori, em;
|
||||
+ chunk_t em_expected, em;
|
||||
bool success = FALSE;
|
||||
|
||||
/* remove any preceding 0-bytes from signature */
|
||||
@@ -146,140 +135,19 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
- /* unpack signature */
|
||||
- em_ori = em = rsavp1(this, signature);
|
||||
-
|
||||
- /* result should look like this:
|
||||
- * EM = 0x00 || 0x01 || PS || 0x00 || T.
|
||||
- * PS = 0xFF padding, with length to fill em
|
||||
- * T = oid || hash
|
||||
- */
|
||||
-
|
||||
- /* check magic bytes */
|
||||
- if (em.len < 2 || *(em.ptr) != 0x00 || *(em.ptr+1) != 0x01)
|
||||
- {
|
||||
- goto end;
|
||||
- }
|
||||
- em = chunk_skip(em, 2);
|
||||
-
|
||||
- /* find magic 0x00 */
|
||||
- while (em.len > 0)
|
||||
- {
|
||||
- if (*em.ptr == 0x00)
|
||||
- {
|
||||
- /* found magic byte, stop */
|
||||
- em = chunk_skip(em, 1);
|
||||
- break;
|
||||
- }
|
||||
- else if (*em.ptr != 0xFF)
|
||||
- {
|
||||
- /* bad padding, decryption failed ?!*/
|
||||
- goto end;
|
||||
- }
|
||||
- em = chunk_skip(em, 1);
|
||||
- }
|
||||
-
|
||||
- if (em.len == 0)
|
||||
+ /* generate expected signature value */
|
||||
+ if (!gmp_emsa_pkcs1_signature_data(algorithm, data, this->k, &em_expected))
|
||||
{
|
||||
- /* no digestInfo found */
|
||||
- goto end;
|
||||
- }
|
||||
-
|
||||
- if (algorithm == HASH_UNKNOWN)
|
||||
- { /* IKEv1 signatures without digestInfo */
|
||||
- if (em.len != data.len)
|
||||
- {
|
||||
- DBG1(DBG_LIB, "hash size in signature is %u bytes instead of"
|
||||
- " %u bytes", em.len, data.len);
|
||||
- goto end;
|
||||
- }
|
||||
- success = memeq_const(em.ptr, data.ptr, data.len);
|
||||
+ return FALSE;
|
||||
}
|
||||
- else
|
||||
- { /* IKEv2 and X.509 certificate signatures */
|
||||
- asn1_parser_t *parser;
|
||||
- chunk_t object;
|
||||
- int objectID;
|
||||
- hash_algorithm_t hash_algorithm = HASH_UNKNOWN;
|
||||
|
||||
- DBG2(DBG_LIB, "signature verification:");
|
||||
- parser = asn1_parser_create(digestInfoObjects, em);
|
||||
-
|
||||
- while (parser->iterate(parser, &objectID, &object))
|
||||
- {
|
||||
- switch (objectID)
|
||||
- {
|
||||
- case DIGEST_INFO:
|
||||
- {
|
||||
- if (em.len > object.len)
|
||||
- {
|
||||
- DBG1(DBG_LIB, "digestInfo field in signature is"
|
||||
- " followed by %u surplus bytes",
|
||||
- em.len - object.len);
|
||||
- goto end_parser;
|
||||
- }
|
||||
- break;
|
||||
- }
|
||||
- case DIGEST_INFO_ALGORITHM:
|
||||
- {
|
||||
- int hash_oid = asn1_parse_algorithmIdentifier(object,
|
||||
- parser->get_level(parser)+1, NULL);
|
||||
-
|
||||
- hash_algorithm = hasher_algorithm_from_oid(hash_oid);
|
||||
- if (hash_algorithm == HASH_UNKNOWN || hash_algorithm != algorithm)
|
||||
- {
|
||||
- DBG1(DBG_LIB, "expected hash algorithm %N, but found"
|
||||
- " %N (OID: %#B)", hash_algorithm_names, algorithm,
|
||||
- hash_algorithm_names, hash_algorithm, &object);
|
||||
- goto end_parser;
|
||||
- }
|
||||
- break;
|
||||
- }
|
||||
- case DIGEST_INFO_DIGEST:
|
||||
- {
|
||||
- chunk_t hash;
|
||||
- hasher_t *hasher;
|
||||
-
|
||||
- hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
|
||||
- if (hasher == NULL)
|
||||
- {
|
||||
- DBG1(DBG_LIB, "hash algorithm %N not supported",
|
||||
- hash_algorithm_names, hash_algorithm);
|
||||
- goto end_parser;
|
||||
- }
|
||||
-
|
||||
- if (object.len != hasher->get_hash_size(hasher))
|
||||
- {
|
||||
- DBG1(DBG_LIB, "hash size in signature is %u bytes"
|
||||
- " instead of %u bytes", object.len,
|
||||
- hasher->get_hash_size(hasher));
|
||||
- hasher->destroy(hasher);
|
||||
- goto end_parser;
|
||||
- }
|
||||
-
|
||||
- /* build our own hash and compare */
|
||||
- if (!hasher->allocate_hash(hasher, data, &hash))
|
||||
- {
|
||||
- hasher->destroy(hasher);
|
||||
- goto end_parser;
|
||||
- }
|
||||
- hasher->destroy(hasher);
|
||||
- success = memeq_const(object.ptr, hash.ptr, hash.len);
|
||||
- free(hash.ptr);
|
||||
- break;
|
||||
- }
|
||||
- default:
|
||||
- break;
|
||||
- }
|
||||
- }
|
||||
+ /* unpack signature */
|
||||
+ em = rsavp1(this, signature);
|
||||
|
||||
-end_parser:
|
||||
- success &= parser->success(parser);
|
||||
- parser->destroy(parser);
|
||||
- }
|
||||
+ success = chunk_equals_const(em_expected, em);
|
||||
|
||||
-end:
|
||||
- free(em_ori.ptr);
|
||||
+ chunk_free(&em_expected);
|
||||
+ chunk_free(&em);
|
||||
return success;
|
||||
}
|
||||
|
||||
--
|
||||
2.7.4
|
||||
|
28
0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch
Normal file
28
0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch
Normal file
@ -0,0 +1,28 @@
|
||||
From 0acd1ab4d08d53d80393b1a37b8781f6e7b2b996 Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Brunner <tobias@strongswan.org>
|
||||
Date: Tue, 13 Mar 2018 18:54:08 +0100
|
||||
Subject: [PATCH] stroke: Ensure a minimum message length
|
||||
|
||||
---
|
||||
src/libcharon/plugins/stroke/stroke_socket.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
|
||||
index c568440b7ae2..1e7f210e940a 100644
|
||||
--- a/src/libcharon/plugins/stroke/stroke_socket.c
|
||||
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
|
||||
@@ -627,6 +627,11 @@ static bool on_accept(private_stroke_socket_t *this, stream_t *stream)
|
||||
}
|
||||
return FALSE;
|
||||
}
|
||||
+ if (len < offsetof(stroke_msg_t, buffer))
|
||||
+ {
|
||||
+ DBG1(DBG_CFG, "invalid stroke message length %d", len);
|
||||
+ return FALSE;
|
||||
+ }
|
||||
|
||||
/* read message (we need an additional byte to terminate the buffer) */
|
||||
msg = malloc(len + 1);
|
||||
--
|
||||
2.7.4
|
||||
|
39
0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch
Normal file
39
0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch
Normal file
@ -0,0 +1,39 @@
|
||||
From b450318c15496f89e7c93392c9b5d2c6045c7de9 Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Brunner <tobias@strongswan.org>
|
||||
Date: Mon, 19 Mar 2018 17:03:05 +0100
|
||||
Subject: [PATCH] ikev2: Initialize variable in case set_key() or
|
||||
allocate_bytes() fails
|
||||
|
||||
In case the PRF's set_key() or allocate_bytes() method failed, skeyseed
|
||||
was not initialized and the chunk_clear() call later caused a crash.
|
||||
|
||||
This could have happened with OpenSSL in FIPS mode when MD5 was
|
||||
negotiated (and test vectors were not checked, in which case the PRF
|
||||
couldn't be instantiated as the test vectors would have failed).
|
||||
MD5 is not included in the default proposal anymore since 5.6.1, so
|
||||
with recent versions this could only happen with configs that are not
|
||||
valid in FIPS mode anyway.
|
||||
|
||||
Fixes: CVE-2018-10811
|
||||
---
|
||||
src/libcharon/sa/ikev2/keymat_v2.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
|
||||
index 0c41c68d0118..8b20d1ce986f 100644
|
||||
--- a/src/libcharon/sa/ikev2/keymat_v2.c
|
||||
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
|
||||
@@ -303,8 +303,8 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
|
||||
chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
|
||||
pseudo_random_function_t rekey_function, chunk_t rekey_skd)
|
||||
{
|
||||
- chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
|
||||
- chunk_t spi_i, spi_r;
|
||||
+ chunk_t skeyseed = chunk_empty, key, secret, full_nonce, fixed_nonce;
|
||||
+ chunk_t prf_plus_seed, spi_i, spi_r;
|
||||
prf_plus_t *prf_plus = NULL;
|
||||
uint16_t alg, key_size, int_alg;
|
||||
prf_t *rekey_prf = NULL;
|
||||
--
|
||||
2.7.4
|
||||
|
38
0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
Normal file
38
0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
Normal file
@ -0,0 +1,38 @@
|
||||
From 129ab919a8c3abfc17bea776f0774e0ccf33ca09 Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Brunner <tobias@strongswan.org>
|
||||
Date: Tue, 25 Sep 2018 14:50:08 +0200
|
||||
Subject: [PATCH] gmp: Fix buffer overflow with very small RSA keys
|
||||
|
||||
Because `keylen` is unsigned the subtraction results in an integer
|
||||
underflow if the key length is < 11 bytes.
|
||||
|
||||
This is only a problem when verifying signatures with a public key (for
|
||||
private keys the plugin enforces a minimum modulus length) and to do so
|
||||
we usually only use trusted keys. However, the x509 plugin actually
|
||||
calls issued_by() on a parsed certificate to check if it is self-signed,
|
||||
which is the reason this issue was found by OSS-Fuzz in the first place.
|
||||
So, unfortunately, this can be triggered by sending an invalid client
|
||||
cert to a peer.
|
||||
|
||||
Fixes: 5955db5b124a ("gmp: Don't parse PKCS1 v1.5 RSA signatures to verify them")
|
||||
Fixes: CVE-2018-17540
|
||||
---
|
||||
src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
|
||||
index e9a83fdf49a1..a255a40abce2 100644
|
||||
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
|
||||
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
|
||||
@@ -301,7 +301,7 @@ bool gmp_emsa_pkcs1_signature_data(hash_algorithm_t hash_algorithm,
|
||||
data = digestInfo;
|
||||
}
|
||||
|
||||
- if (data.len > keylen - 11)
|
||||
+ if (keylen < 11 || data.len > keylen - 11)
|
||||
{
|
||||
chunk_free(&digestInfo);
|
||||
DBG1(DBG_LIB, "signature value of %zu bytes is too long for key of "
|
||||
--
|
||||
2.7.4
|
||||
|
3
strongswan-5.6.0.tar.bz2
Normal file
3
strongswan-5.6.0.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:a14dc0d92634ed52730bfc76a76db30943a28ed3c65a560066e1e9f785827b13
|
||||
size 4850722
|
14
strongswan-5.6.0.tar.bz2.sig
Normal file
14
strongswan-5.6.0.tar.bz2.sig
Normal file
@ -0,0 +1,14 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1
|
||||
|
||||
iQGcBAABAgAGBQJZkUjtAAoJEN9CwXCzTbp3m08L/3A4QqZMMuBMuliao4kwO4tG
|
||||
kyHD+nWMrFIK2dwu9zAMY5noiVUNcXExPgF7UTbW77Tr2s8RtkrnIUCTEJ+qYk7F
|
||||
CNX2BmdYbB9MAofkaou/xAXKgfxXVxw41DY7sK59e+VZayJ+LN9Suq413ymdF6Da
|
||||
kclM5ZoEM9X7feY+n1U2/DG199pF5sFN4dEt+kgSD4NJuZHsn+jfLVYzciHBIyk5
|
||||
d1tnUAVjVUIVfGrQ6SG2SoASIla4Qv27YszdRtzIRYVjzj+bt4gX2ORkpChLGg6M
|
||||
an50EM6yDBdDDyF+muNKl8OaE6YaAmIBKuftn/Rlx8kILzUTtiKk+6au699XaW/H
|
||||
dMdHgb8AsyTi/nudz/nYfHUyYIbalOLwttG8qh3U+qCZ9ZbXy6wi9HB8FBPUNRru
|
||||
UBd1Y+kh7FMicZprlr5xGxJ78vi7avV9HOjxIZldfoAaP/AO9l4fXYs2AVzZRalJ
|
||||
eCwB7EHznJ/KVoKZ9MpXp6ne3iPGLYsoo92B8OXY3g==
|
||||
=ZRFr
|
||||
-----END PGP SIGNATURE-----
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:86900ddbe7337c923dadf2c8339ae8ed2b9158e3691745884d08ae534677430e
|
||||
size 4533402
|
@ -1,14 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1
|
||||
|
||||
iQGcBAABAgAGBQJd+MscAAoJEN9CwXCzTbp3f6ML/0y5DGj7CytdIWcT7ODbZ5Dt
|
||||
S8MS2BHxUJ4cgzB8InCK4wNQFpyzRhR2goPly1B8RVNSVSfdyvqfSC/A++esZe3m
|
||||
wwjsjzjWYVaNnkj1lrl/8azOiDkD/uA/NaaUcASp6hoJIJQALYW5HfPjL/S/hC+v
|
||||
iVio5Fy9c/9HGJEeeZxqRMp/gTNjvh05hbP9ukLADk6klphwaNFg5o0YNgf1NJFE
|
||||
CBo/rGJNVfvEUUlJMLiBlFCBaPMOIjoIXODpjootRioDpnF6IonfcoIGiR6TuRQC
|
||||
zR3u3Zhgpe4tJfkKCpCCSPGwMCcwreMAUwzRf/U/HDUSPZX+c4sBOIl8eedwVA77
|
||||
DjNlktwmPta8x4YOh6NB3ghAwwztEkPvvaAIcwH0gh1DkjIicFr2VkoXIS5jqaVN
|
||||
bK2YvTQ7StZa35VaEYnlu5JzIchPlqhXND6sWLWJolnwrNWskZyojVYioyIv3KJJ
|
||||
tXphbN0HHCfLPs5vX8/X97IAa06tsnEOZEZg5Sk3Jw==
|
||||
=VHUc
|
||||
-----END PGP SIGNATURE-----
|
@ -1,203 +1,34 @@
|
||||
-------------------------------------------------------------------
|
||||
Sun Jan 26 08:54:01 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
|
||||
Thu Nov 14 12:56:01 UTC 2019 - Madhu Mohan Nelemane <mmnelemane@suse.com>
|
||||
|
||||
- Replace %__-type macro indirections. Update homepage URL to https.
|
||||
- Added patch to fix vulnerability: CVE-2018-17540 (bsc#1109845)
|
||||
[+ 0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 6 22:06:58 UTC 2020 - Bjørn Lie <bjorn.lie@gmail.com>
|
||||
Wed Nov 13 16:43:52 UTC 2019 - Madhu Mohan Nelemane <mmnelemane@suse.com>
|
||||
|
||||
- Update to version 5.8.2:
|
||||
* The systemd service units have changed their name.
|
||||
"strongswan" is now "strongswan-starter", and
|
||||
"strongswan-swanctl" is now "strongswan".
|
||||
After installation, you need to `systemctl disable` the old
|
||||
name and `systemctl enable`+start the new one.
|
||||
* Fix CVE-2018-17540, CVE-2018-16151 and CVE-2018-16152.
|
||||
* boo#1109845 and boo#1107874.
|
||||
- Please check included NEWS file for info on what other changes
|
||||
that have been done in versions 5.8.2, 5.8.1 5.8.0, 5.7.2, 5.7.1
|
||||
and 5.7.0.
|
||||
- Rebase strongswan_ipsec_service.patch.
|
||||
- Disable patches that need rebase or dropping:
|
||||
* strongswan_modprobe_syslog.patch
|
||||
* 0006-fix-compilation-error-by-adding-stdint.h.patch
|
||||
- Add conditional pkgconfig(libsystemd) BuildRequires: New
|
||||
dependency.
|
||||
- Added patch to fix vulnerability: CVE-2018-10811 (bsc#1093536)
|
||||
- denial-of-service vulnerability
|
||||
[+ 0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 6 22:14:57 UTC 2018 - bjorn.lie@gmail.com
|
||||
Wed Nov 13 15:41:29 UTC 2019 - Madhu Mohan Nelemane <mmnelemane@suse.com>
|
||||
|
||||
- Update to version 5.6.3 (CVE-2018-10811, boo#1093536,
|
||||
CVE-2018-5388, boo#1094462):
|
||||
* Fixed a DoS vulnerability in the IKEv2 key derivation if the
|
||||
openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated
|
||||
as PRF. This vulnerability has been registered as
|
||||
CVE-2018-10811, boo#1093536.
|
||||
* Fixed a vulnerability in the stroke plugin, which did not check
|
||||
the received length before reading a message from the socket.
|
||||
Unless a group is configured, root privileges are required to
|
||||
access that socket, so in the default configuration this
|
||||
shouldn't be an issue. This vulnerability has been registered
|
||||
as CVE-2018-5388, boo#1094462.
|
||||
* CRLs that are not yet valid are now ignored to avoid problems
|
||||
in scenarios where expired certificates are removed from new
|
||||
CRLs and the clock on the host doing the revocation check is
|
||||
trailing behind that of the host issuing CRLs. Not doing this
|
||||
could result in accepting a revoked and expired certificate, if
|
||||
it's still valid according to the trailing clock but not
|
||||
contained anymore in not yet valid CRLs.
|
||||
* The issuer of fetched CRLs is now compared to the issuer of the
|
||||
checked certificate (#2608).
|
||||
* CRL validation results other than revocation (e.g. a skipped
|
||||
check because the CRL couldn't be fetched) are now stored also
|
||||
for intermediate CA certificates and not only for end-entity
|
||||
certificates, so a strict CRL policy can be enforced in such
|
||||
cases.
|
||||
* In compliance with RFC 4945, section 5.1.3.2, certificates used
|
||||
for IKE must now either not contain a keyUsage extension (like
|
||||
the ones generated by pki), or have at least one of the
|
||||
digitalSignature or nonRepudiation bits set.
|
||||
* New options for vici/swanctl allow forcing the local
|
||||
termination of an IKE_SA. This might be useful in situations
|
||||
where it's known the other end is not reachable anymore, or
|
||||
that it already removed the IKE_SA, so retransmitting a DELETE
|
||||
and waiting for a response would be pointless.
|
||||
* Waiting only a certain amount of time for a response (i.e.
|
||||
shorter than all retransmits would be) before destroying the
|
||||
IKE_SA is also possible by additionally specifying a timeout in
|
||||
the forced termination request.
|
||||
* When removing routes, the kernel-netlink plugin now checks if
|
||||
it tracks other routes for the same destination and replaces
|
||||
the installed route instead of just removing it. Same during
|
||||
installation, where existing routes previously weren't
|
||||
replaced. This should allow using traps with virtual IPs on
|
||||
Linux (#2162).
|
||||
* The dhcp plugin now only sends the client identifier DHCP
|
||||
option if the identity_lease setting is enabled (7b660944b6).
|
||||
It can also send identities of up to 255 bytes length, instead
|
||||
of the previous 64 bytes (30e886fe3b, 0e5b94d038). If a server
|
||||
address is configured, DHCP requests are now sent from port 67
|
||||
instead of 68 to avoid ICMP port unreachables (becf027cd9).
|
||||
* The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one
|
||||
containing a DH group that wasn't proposed) during
|
||||
CREATE_CHILD_SA exchanges has been improved (#2536).
|
||||
* Roam events are now completely ignored for IKEv1 SAs (there is
|
||||
no MOBIKE to handle such changes properly).
|
||||
* ChaCha20/Poly1305 is now correctly proposed without key length
|
||||
(#2614). For compatibility with older releases the
|
||||
chacha20poly1305compat keyword may be included in proposals to
|
||||
also propose the algorithm with a key length (c58434aeff).
|
||||
* Configuration of hardware offload of IPsec SAs is now more
|
||||
flexible and allows a new setting (auto), which automatically
|
||||
uses it if the kernel and device both support it. If hw_offload
|
||||
is set to yes and offloading is not supported, the CHILD_SA
|
||||
installation now fails.
|
||||
* The kernel-pfkey plugin optionally installs routes via internal
|
||||
interface (one with an IP in the local traffic selector). On
|
||||
FreeBSD, enabling this selects the correct source IP when
|
||||
sending packets from the gateway itself (e811659323).
|
||||
* SHA-2 based PRFs are supported in PKCS#8 files as generated by
|
||||
OpenSSL 1.1 (#2574).
|
||||
* The pki --verify tool may load CA certificates and CRLs from
|
||||
directories.
|
||||
* The IKE daemon now also switches to port 4500 if the remote
|
||||
port is not 500 (e.g. because the remote maps the response to a
|
||||
different port, as might happen on Azure), as long as the local
|
||||
port is 500 (85bfab621d).
|
||||
* Fixed an issue with DNS servers passed to NetworkManager in
|
||||
charon-nm (ee8c25516a).
|
||||
* Logged traffic selectors now always contain the protocol if
|
||||
either protocol or port are set (a36d8097ed).
|
||||
* Only the inbound SA/policy will be updated as reaction to IP
|
||||
address changes for rekeyed CHILD_SAs that are kept around.
|
||||
* The parser for strongswan.conf/swanctl.conf now accepts =
|
||||
characters in values without having to put the value in quotes
|
||||
(e.g. for Base64 encoded shared secrets).
|
||||
- Rename strongswan-5.6.2-rpmlintrc to strongswan-rpmlintrc,
|
||||
changing the version string on every version update makes no
|
||||
sense.
|
||||
- Added patch to fix vulnerability: CVE-2018-5388 (bsc#1094462)
|
||||
- Buffer Underflow in stroke_socket.c
|
||||
[+ 0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Apr 17 13:24:38 UTC 2018 - bjorn.lie@gmail.com
|
||||
Wed Nov 13 13:51:38 UTC 2019 - Madhu Mohan Nelemane <mmnelemane@suse.com>
|
||||
|
||||
- Update to version 5.6.2:
|
||||
* Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS
|
||||
signatures that was caused by insufficient input validation.
|
||||
One of the configurable parameters in algorithm identifier
|
||||
structures for RSASSA-PSS signatures is the mask generation
|
||||
function (MGF). Only MGF1 is currently specified for this
|
||||
purpose. However, this in turn takes itself a parameter that
|
||||
specifies the underlying hash function. strongSwan's parser did
|
||||
not correctly handle the case of this parameter being absent,
|
||||
causing an undefined data read. This vulnerability has been
|
||||
registered as CVE-2018-6459.
|
||||
* When rekeying IKEv2 IKE_SAs the previously negotiated DH group
|
||||
will be reused, instead of using the first configured group,
|
||||
which avoids an additional exchange if the peer previously
|
||||
selected a different DH group via INVALID_KE_PAYLOAD notify.
|
||||
The same is also done when rekeying CHILD_SAs except for the
|
||||
first rekeying of the CHILD_SA that was created with the
|
||||
IKE_SA, where no DH group was negotiated yet. Also, the
|
||||
selected DH group is moved to the front in all sent proposals
|
||||
that contain it and all proposals that don't are moved to the
|
||||
back in order to convey the preference for this group to the
|
||||
peer.
|
||||
* Handling of MOBIKE task queuing has been improved. In
|
||||
particular, the response to an address update (with NAT-D
|
||||
payloads) is not ignored anymore if only an address list update
|
||||
or DPD is queued as that could prevent updating the UDP
|
||||
encapsulation in the kernel.
|
||||
* On Linux, roam events may optionally be triggered by changes to
|
||||
the routing rules, which can be useful if routing rules
|
||||
(instead of e.g. route metrics) are used to switch from one to
|
||||
another interface (i.e. from one to another routing table).
|
||||
Since routing rules are currently not evaluated when doing
|
||||
route lookups this is only useful if the kernel-based route
|
||||
lookup is used (4664992f7d).
|
||||
* The fallback drop policies installed to avoid traffic leaks
|
||||
when replacing addresses in installed policies are now replaced
|
||||
by temporary drop policies, which also prevent acquires because
|
||||
we currently delete and reinstall IPsec SAs to update their
|
||||
addresses (35ef1b032d).
|
||||
* Access X.509 certificates held in non-volatile storage of a TPM
|
||||
2.0 referenced via the NV index.
|
||||
* Adding the --keyid parameter to pki --print allows to print
|
||||
private keys or certificates stored in a smartcard or a TPM
|
||||
2.0.
|
||||
* Fixed proposal selection if a peer incorrectly sends DH groups
|
||||
in the ESP proposal during IKE_AUTH and also if a DH group is
|
||||
configured in the local ESP proposal and
|
||||
charon.prefer_configured_proposals is disabled (d058fd3c32).
|
||||
* The lookup for PSK secrets for IKEv1 has been improved for
|
||||
certain scenarios (see #2497 for details).
|
||||
* MSKs received via RADIUS are now padded to 64 bytes to avoid
|
||||
compatibility issues with EAP-MSCHAPv2 and PRFs that have a
|
||||
block size < 64 bytes (e.g. AES-XCBC-PRF-128, see 73cbce6013).
|
||||
* The tpm_extendpcr command line tool extends a digest into a TPM
|
||||
PCR.
|
||||
* Ported the NetworkManager backend from the deprecated
|
||||
libnm-glib to libnm.
|
||||
* The save-keys debugging/development plugin saves IKE and/or ESP
|
||||
keys to files compatible with Wireshark.
|
||||
- Following upstreams port, replace NetworkManager-devel with
|
||||
pkgconfig(libnm) BuildRequires.
|
||||
- Refresh patches with quilt.
|
||||
- Disable strongswan_fipsfilter.patch, needs rebase or dropping,
|
||||
the file it patches no longer exists in tarball.
|
||||
- Added patch to fix vulnerability: CVE-2018-16151,CVE-2018-16152 (bsc#1107874)
|
||||
- Insufficient input validation in gmp plugin
|
||||
[+ 0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 16 08:55:10 UTC 2018 - mmnelemane@suse.com
|
||||
Wed Mar 14 15:43:42 UTC 2018 - mmnelemane@suse.com
|
||||
|
||||
- Removed unused requires and macro calls(bsc#1083261)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 17 11:27:54 UTC 2017 - jengelh@inai.de
|
||||
|
||||
- Update summaries and descriptions. Trim filler words and
|
||||
author list.
|
||||
- Drop %if..%endif guards that are idempotent and do not affect
|
||||
the build result.
|
||||
- Replace old $RPM_ shell variables.
|
||||
- Removed unused requires and macro calls(bsc#1083261)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Sep 5 17:10:11 CEST 2017 - ndas@suse.de
|
||||
|
245
strongswan.spec
245
strongswan.spec
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package strongswan
|
||||
#
|
||||
# Copyright (c) 2020 SUSE LLC
|
||||
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -12,12 +12,12 @@
|
||||
# license that conforms to the Open Source Definition (Version 1.9)
|
||||
# published by the Open Source Initiative.
|
||||
|
||||
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
||||
#
|
||||
|
||||
|
||||
Name: strongswan
|
||||
Version: 5.8.2
|
||||
Version: 5.6.0
|
||||
Release: 0
|
||||
%define upstream_version %{version}
|
||||
%define strongswan_docdir %{_docdir}/%{name}
|
||||
@ -61,31 +61,33 @@ Release: 0
|
||||
%else
|
||||
%bcond_with systemd
|
||||
%endif
|
||||
Summary: IPsec-based VPN solution
|
||||
License: GPL-2.0-or-later
|
||||
Summary: OpenSource IPsec-based VPN Solution
|
||||
License: GPL-2.0+
|
||||
Group: Productivity/Networking/Security
|
||||
URL: https://www.strongswan.org/
|
||||
Url: http://www.strongswan.org/
|
||||
Requires: strongswan-ipsec = %{version}
|
||||
Source0: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
|
||||
Source1: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
|
||||
Source2: %{name}.init.in
|
||||
Source3: %{name}-rpmlintrc
|
||||
Source3: %{name}-%{version}-rpmlintrc
|
||||
Source4: README.SUSE
|
||||
Source5: %{name}.keyring
|
||||
%if %{with fipscheck}
|
||||
Source6: fipscheck.sh.in
|
||||
Source7: fips-enforce.conf
|
||||
%endif
|
||||
# Needs rebase
|
||||
Patch1: %{name}_modprobe_syslog.patch
|
||||
Patch2: %{name}_ipsec_service.patch
|
||||
%if %{with fipscheck}
|
||||
Patch3: %{name}_fipscheck.patch
|
||||
# Patch4 needs rebase, file it patches no longer exists in tarball.
|
||||
Patch4: %{name}_fipsfilter.patch
|
||||
%endif
|
||||
Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
|
||||
# Needs rebase
|
||||
Patch6: 0006-fix-compilation-error-by-adding-stdint.h.patch
|
||||
Patch7: 0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch
|
||||
Patch8: 0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch
|
||||
Patch9: 0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch
|
||||
Patch10: 0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
BuildRequires: bison
|
||||
BuildRequires: curl-devel
|
||||
@ -109,11 +111,10 @@ BuildRequires: sqlite3-devel
|
||||
BuildRequires: libgcrypt-devel
|
||||
%endif
|
||||
%if %{with nm}
|
||||
BuildRequires: pkgconfig(libnm)
|
||||
BuildRequires: NetworkManager-devel
|
||||
%endif
|
||||
%if %{with systemd}
|
||||
%{?systemd_requires}
|
||||
BuildRequires: pkgconfig(libsystemd)
|
||||
%endif
|
||||
BuildRequires: iptables
|
||||
%if %{with systemd}
|
||||
@ -128,19 +129,19 @@ BuildRequires: automake
|
||||
BuildRequires: fipscheck
|
||||
%endif
|
||||
BuildRequires: libtool
|
||||
Requires: strongswan-ipsec = %{version}
|
||||
|
||||
%description
|
||||
StrongSwan is an IPsec-based VPN solution for Linux.
|
||||
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
|
||||
|
||||
* Implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
|
||||
* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels
|
||||
* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
|
||||
* Fully tested support of IPv6 IPsec tunnel and transport connections
|
||||
* Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555)
|
||||
* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555)
|
||||
* Automatic insertion and deletion of IPsec-policy-based firewall rules
|
||||
* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
|
||||
* NAT Traversal via UDP encapsulation and port floating (RFC 3947)
|
||||
* NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
|
||||
* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
|
||||
* Static virtual IP addresses and IKEv1 ModeConfig pull and push modes
|
||||
* Static virtual IPs and IKEv1 ModeConfig pull and push modes
|
||||
* XAUTH server and client functionality on top of IKEv1 Main Mode authentication
|
||||
* Virtual IP address pool managed by IKE daemon or SQL database
|
||||
* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
|
||||
@ -157,32 +158,46 @@ StrongSwan is an IPsec-based VPN solution for Linux.
|
||||
* Modular plugins for crypto algorithms and relational database interfaces
|
||||
* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
|
||||
* Optional built-in integrity and crypto tests for plugins and libraries
|
||||
* Linux desktop integration via the strongSwan NetworkManager applet
|
||||
* Smooth Linux desktop integration via the strongSwan NetworkManager applet
|
||||
|
||||
This package triggers the installation of both, IKEv1 and IKEv2 daemons.
|
||||
|
||||
Authors:
|
||||
--------
|
||||
Andreas Steffen
|
||||
and others
|
||||
|
||||
%package doc
|
||||
Summary: Documentation for strongSwan
|
||||
Group: Documentation/Man
|
||||
BuildArch: noarch
|
||||
Summary: OpenSource IPsec-based VPN Solution
|
||||
Group: Productivity/Networking/Security
|
||||
|
||||
%description doc
|
||||
StrongSwan is an IPsec-based VPN solution for Linux.
|
||||
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
|
||||
|
||||
This package provides the StrongSwan documentation.
|
||||
|
||||
|
||||
|
||||
Authors:
|
||||
--------
|
||||
Andreas Steffen
|
||||
and others
|
||||
|
||||
%package libs0
|
||||
Summary: strongSwan core libraries and basic plugins
|
||||
Summary: OpenSource IPsec-based VPN Solution
|
||||
Group: Productivity/Networking/Security
|
||||
Conflicts: strongswan < %{version}
|
||||
|
||||
%description libs0
|
||||
StrongSwan is an IPsec-based VPN solution for Linux.
|
||||
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
|
||||
|
||||
This package provides the strongswan library and plugins.
|
||||
|
||||
%if %{with fipscheck}
|
||||
|
||||
%package hmac
|
||||
Summary: HMAC files for FIPS-140-2 integrity in strongSwan
|
||||
Summary: HMAC files for FIPS-140-2 integrity
|
||||
Group: Productivity/Networking/Security
|
||||
Requires: fipscheck
|
||||
Requires: strongswan-ipsec = %{version}
|
||||
@ -195,8 +210,10 @@ _fipscheck helper script preforming the integrity checks before e.g.
|
||||
"ipsec start" action is executed, when FIPS-140-2 compliant operation
|
||||
mode is enabled.
|
||||
|
||||
%endif
|
||||
|
||||
%package ipsec
|
||||
Summary: IPsec-based VPN solution
|
||||
Summary: OpenSource IPsec-based VPN Solution
|
||||
Group: Productivity/Networking/Security
|
||||
Requires: strongswan-libs0 = %{version}
|
||||
Provides: VPN
|
||||
@ -206,83 +223,101 @@ Obsoletes: strongswan < %{version}
|
||||
Conflicts: freeswan openswan
|
||||
|
||||
%description ipsec
|
||||
StrongSwan is an IPsec-based VPN solution for Linux.
|
||||
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
|
||||
|
||||
This package provides the /etc/init.d/ipsec service script and allows
|
||||
to maintain both IKEv1 and IKEv2 using the /etc/ipsec.conf and the
|
||||
to maintain both, IKEv1 and IKEv2, using the /etc/ipsec.conf and the
|
||||
/etc/ipsec.sectes files.
|
||||
|
||||
%if %{with mysql}
|
||||
|
||||
%package mysql
|
||||
Summary: MySQL plugin for strongSwan
|
||||
Summary: OpenSource IPsec-based VPN Solution
|
||||
Group: Productivity/Networking/Security
|
||||
Requires: strongswan-libs0 = %{version}
|
||||
|
||||
%description mysql
|
||||
StrongSwan is an IPsec-based VPN solution for Linux.
|
||||
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
|
||||
|
||||
This package provides the strongswan mysql plugin.
|
||||
|
||||
%endif
|
||||
|
||||
%if %{with sqlite}
|
||||
|
||||
%package sqlite
|
||||
Summary: SQLite plugin for strongSwan
|
||||
Summary: OpenSource IPsec-based VPN Solution
|
||||
Group: Productivity/Networking/Security
|
||||
Requires: strongswan-libs0 = %{version}
|
||||
|
||||
%description sqlite
|
||||
StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
|
||||
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
|
||||
|
||||
This package provides the strongswan sqlite plugin.
|
||||
|
||||
%endif
|
||||
|
||||
%if %{with nm}
|
||||
|
||||
%package nm
|
||||
Summary: NetworkManager plugin for strongSwan
|
||||
Summary: OpenSource IPsec-based VPN Solution
|
||||
Group: Productivity/Networking/Security
|
||||
Requires: strongswan-libs0 = %{version}
|
||||
|
||||
%description nm
|
||||
StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
|
||||
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
|
||||
|
||||
This package provides the NetworkManager plugin to control the
|
||||
charon IKEv2 daemon through D-Bus, designed to work using the
|
||||
NetworkManager-strongswan graphical user interface.
|
||||
|
||||
%endif
|
||||
|
||||
%if %{with tests}
|
||||
|
||||
%package tests
|
||||
Summary: Testing plugins for strongSwan
|
||||
|
||||
Summary: OpenSource IPsec-based VPN Solution
|
||||
Group: Productivity/Networking/Security
|
||||
Requires: strongswan-libs0 = %{version}
|
||||
|
||||
%description tests
|
||||
StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
|
||||
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
|
||||
|
||||
This package provides the strongswan crypto test vectors plugin
|
||||
This package provides the strongswan crypto test-vectors plugin
|
||||
and the load testing plugin for IKEv2 daemon.
|
||||
|
||||
%endif
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{upstream_version}
|
||||
# Needs rebase, file it patches no longer exists.
|
||||
#patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch1 -p0
|
||||
%patch2 -p0
|
||||
%if %{with fipscheck}
|
||||
%patch3 -p1
|
||||
# Needs rebase, file it patches no longer exists.
|
||||
#patch4 -p1
|
||||
%patch4 -p1
|
||||
%endif
|
||||
%patch5 -p1
|
||||
# Needs rebase.
|
||||
#patch6 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
sed -e 's|@libexecdir@|%_libexecdir|g' \
|
||||
< %{_sourcedir}/strongswan.init.in \
|
||||
< $RPM_SOURCE_DIR/strongswan.init.in \
|
||||
> strongswan.init
|
||||
%if %{with fipscheck}
|
||||
sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \
|
||||
-e 's|@IPSEC_LIBDIR@|%{_libdir}/ipsec|g' \
|
||||
-e 's|@IPSEC_SBINDIR@|%{_sbindir}|g' \
|
||||
-e 's|@IPSEC_BINDIR@|%{_bindir}|g' \
|
||||
< %{_sourcedir}/fipscheck.sh.in \
|
||||
< $RPM_SOURCE_DIR/fipscheck.sh.in \
|
||||
> _fipscheck
|
||||
%endif
|
||||
|
||||
%build
|
||||
CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"
|
||||
export CFLAGS
|
||||
CFLAGS="$RPM_OPT_FLAGS -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"
|
||||
export RPM_OPT_FLAGS CFLAGS
|
||||
autoreconf --force --install
|
||||
%configure \
|
||||
%if %{with integrity}
|
||||
@ -293,7 +328,6 @@ autoreconf --force --install
|
||||
--with-resolv-conf=%{_rundir}/%{name}/resolv.conf \
|
||||
--with-piddir=%{_rundir}/%{name} \
|
||||
%if %{with systemd}
|
||||
--enable-systemd \
|
||||
--with-systemdsystemunitdir=%{_unitdir} \
|
||||
%endif
|
||||
--enable-pkcs11 \
|
||||
@ -378,24 +412,25 @@ autoreconf --force --install
|
||||
--enable-soup \
|
||||
--enable-curl \
|
||||
--disable-static
|
||||
make %{?_smp_mflags}
|
||||
make %{?_smp_mflags:%_smp_mflags}
|
||||
|
||||
%install
|
||||
install -d -m755 %{buildroot}/%{_sbindir}/
|
||||
install -d -m755 %{buildroot}/%{_sysconfdir}/ipsec.d/
|
||||
export RPM_BUILD_ROOT
|
||||
install -d -m755 ${RPM_BUILD_ROOT}%{_sbindir}/
|
||||
install -d -m755 ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.d/
|
||||
%if %{with systemd}
|
||||
ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcstrongswan
|
||||
ln -sf %_sbindir/service ${RPM_BUILD_ROOT}%_sbindir/rcstrongswan
|
||||
%else
|
||||
install -d -m755 %{buildroot}/%{_sysconfdir}/init.d/
|
||||
install -m755 strongswan.init %{buildroot}/%{_sysconfdir}/init.d/ipsec
|
||||
ln -s %{_sysconfdir}/init.d/ipsec %{buildroot}/%{_sbindir}/rcipsec
|
||||
install -d -m755 ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/
|
||||
install -m755 strongswan.init ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ipsec
|
||||
ln -s %{_sysconfdir}/init.d/ipsec ${RPM_BUILD_ROOT}%{_sbindir}/rcipsec
|
||||
%endif
|
||||
#
|
||||
# Ensure, plugin -> library dependencies can be resolved
|
||||
# (e.g. libtls) to avoid plugin segment checksum errors.
|
||||
#
|
||||
LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
|
||||
%make_install
|
||||
LD_LIBRARY_PATH="$RPM_BUILD_ROOT-$$%{strongswan_libdir}" \
|
||||
make install DESTDIR="$RPM_BUILD_ROOT"
|
||||
#
|
||||
# checksums are calculated during make install using the
|
||||
# installed binaries/libraries... but find-debuginfo.sh
|
||||
@ -406,23 +441,23 @@ LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
|
||||
%if %{with integrity}
|
||||
%{?__debug_package:
|
||||
if test -x %{_rpmconfigdir}/find-debuginfo.sh ; then
|
||||
cp -a "%{buildroot}" "%{buildroot}-$$"
|
||||
RPM_BUILD_ROOT="%{buildroot}-$$" \
|
||||
cp -a "${RPM_BUILD_ROOT}" "${RPM_BUILD_ROOT}-$$"
|
||||
RPM_BUILD_ROOT="$RPM_BUILD_ROOT-$$" \
|
||||
%{_rpmconfigdir}/find-debuginfo.sh \
|
||||
%{?_find_debuginfo_opts} "%{buildroot}-$$"
|
||||
%{?_find_debuginfo_opts} "${RPM_BUILD_ROOT}-$$"
|
||||
make -C src/checksum clean
|
||||
rm -f src/checksum/checksum_builder
|
||||
LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
|
||||
make -C src/checksum install DESTDIR="%{buildroot}-$$"
|
||||
mv "%{buildroot}-$$/%{strongswan_libdir}/libchecksum.so" \
|
||||
"%{buildroot}/%{strongswan_libdir}/libchecksum.so"
|
||||
rm -rf "%{buildroot}-$$"
|
||||
LD_LIBRARY_PATH="$RPM_BUILD_ROOT-$$%{strongswan_libdir}" \
|
||||
make -C src/checksum install DESTDIR="$RPM_BUILD_ROOT-$$"
|
||||
mv "$RPM_BUILD_ROOT-$$%{strongswan_libdir}/libchecksum.so" \
|
||||
"$RPM_BUILD_ROOT%{strongswan_libdir}/libchecksum.so"
|
||||
rm -rf "${RPM_BUILD_ROOT}-$$"
|
||||
fi
|
||||
}
|
||||
%endif
|
||||
#
|
||||
rm -f %{buildroot}/%{_sysconfdir}/ipsec.secrets
|
||||
cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets
|
||||
rm -f ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
|
||||
cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
|
||||
#
|
||||
# ipsec.secrets
|
||||
#
|
||||
@ -432,47 +467,47 @@ cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets
|
||||
EOT
|
||||
#
|
||||
%if ! %{with mysql}
|
||||
rm -f %{buildroot}/%{strongswan_templates}/database/sql/mysql.sql
|
||||
rm -f $RPM_BUILD_ROOT%{strongswan_templates}/database/sql/mysql.sql
|
||||
%endif
|
||||
%if ! %{with sqlite}
|
||||
rm -f %{buildroot}/%{strongswan_templates}/database/sql/sqlite.sql
|
||||
rm -f $RPM_BUILD_ROOT%{strongswan_templates}/database/sql/sqlite.sql
|
||||
%endif
|
||||
rm -f %{buildroot}/%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
|
||||
rm -f %{buildroot}/%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
|
||||
find %{buildroot}/%{strongswan_libdir} -type f -name "*.la" -delete
|
||||
rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
|
||||
rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
|
||||
find $RPM_BUILD_ROOT%{strongswan_libdir} -type f -name "*.la" -delete
|
||||
#
|
||||
install -d -m755 %{buildroot}/%{strongswan_docdir}/
|
||||
install -d -m755 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
|
||||
install -c -m644 TODO NEWS README COPYING LICENSE \
|
||||
AUTHORS ChangeLog \
|
||||
%{buildroot}/%{strongswan_docdir}/
|
||||
install -c -m644 %{_sourcedir}/README.SUSE \
|
||||
%{buildroot}/%{strongswan_docdir}/
|
||||
${RPM_BUILD_ROOT}%{strongswan_docdir}/
|
||||
install -c -m644 ${RPM_SOURCE_DIR}/README.SUSE \
|
||||
${RPM_BUILD_ROOT}%{strongswan_docdir}/
|
||||
%if %{with systemd}
|
||||
install -d -m 0755 %{buildroot}%{_tmpfilesdir}
|
||||
%{__install} -d -m 0755 %{buildroot}%{_tmpfilesdir}
|
||||
echo 'd %{_rundir}/%{name} 0770 root root' > %{buildroot}%{_tmpfilesdir}/%{name}.conf
|
||||
%endif
|
||||
%if %{with fipscheck}
|
||||
#
|
||||
# note: keep the following, _fipscheck's and file lists in sync
|
||||
#
|
||||
install -c -m750 _fipscheck %{buildroot}/%{_libexecdir}/ipsec/
|
||||
install -c -m644 %{_sourcedir}/fips-enforce.conf \
|
||||
%{buildroot}/%{strongswan_configs}/charon/zzz_fips-enforce.conf
|
||||
install -c -m750 _fipscheck ${RPM_BUILD_ROOT}%{_libexecdir}/ipsec/
|
||||
install -c -m644 ${RPM_SOURCE_DIR}/fips-enforce.conf \
|
||||
${RPM_BUILD_ROOT}%{strongswan_configs}/charon/zzz_fips-enforce.conf
|
||||
# create fips hmac hashes _after_ install post run
|
||||
%{expand:%%global __os_install_post {%__os_install_post
|
||||
for f in %{buildroot}/%{strongswan_libdir}/lib*.so.*.*.* \
|
||||
%{buildroot}/%{strongswan_libdir}/imcvs/*.so \
|
||||
%{buildroot}/%{strongswan_plugins}/*.so \
|
||||
%{buildroot}/%{_libexecdir}/ipsec/charon \
|
||||
%{buildroot}/%{_libexecdir}/ipsec/charon-nm \
|
||||
%{buildroot}/%{_libexecdir}/ipsec/stroke \
|
||||
%{buildroot}/%{_libexecdir}/ipsec/starter \
|
||||
%{buildroot}/%{_libexecdir}/ipsec/pool \
|
||||
%{buildroot}/%{_libexecdir}/ipsec/scepclient \
|
||||
%{buildroot}/%{_libexecdir}/ipsec/imv_policy_manager \
|
||||
%{buildroot}/%{_libexecdir}/ipsec/_fipscheck \
|
||||
%{buildroot}/%{_bindir}/pt-tls-client \
|
||||
%{buildroot}/%{_sbindir}/ipsec \
|
||||
for f in $RPM_BUILD_ROOT%{strongswan_libdir}/lib*.so.*.*.* \
|
||||
$RPM_BUILD_ROOT%{strongswan_libdir}/imcvs/*.so \
|
||||
$RPM_BUILD_ROOT%{strongswan_plugins}/*.so \
|
||||
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/charon \
|
||||
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/charon-nm \
|
||||
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/stroke \
|
||||
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/starter \
|
||||
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/pool \
|
||||
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/scepclient \
|
||||
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/imv_policy_manager \
|
||||
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/_fipscheck \
|
||||
$RPM_BUILD_ROOT%{_bindir}/pt-tls-client \
|
||||
$RPM_BUILD_ROOT%{_sbindir}/ipsec \
|
||||
;
|
||||
do
|
||||
/usr/bin/fipshmac "$f"
|
||||
@ -483,7 +518,7 @@ install -c -m644 %{_sourcedir}/fips-enforce.conf \
|
||||
%post libs0
|
||||
/sbin/ldconfig
|
||||
%{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/%{name}.conf}
|
||||
%{!?tmpfiles_create:test -d %{_rundir}/%{name} || mkdir -p %{_rundir}/%{name}}
|
||||
%{!?tmpfiles_create:test -d %{_rundir}/%{name} || %{__mkdir_p} %{_rundir}/%{name}}
|
||||
|
||||
%postun libs0 -p /sbin/ldconfig
|
||||
|
||||
@ -557,11 +592,9 @@ fi
|
||||
%dir %{_sysconfdir}/ipsec.d/ocspcerts
|
||||
%dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
|
||||
%if %{with systemd}
|
||||
%{_unitdir}/strongswan-starter.service
|
||||
%{_unitdir}/strongswan.service
|
||||
%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
|
||||
%{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf
|
||||
%{_sbindir}/rcstrongswan
|
||||
%{_sbindir}/charon-systemd
|
||||
%else
|
||||
%config %{_sysconfdir}/init.d/ipsec
|
||||
%{_sbindir}/rcipsec
|
||||
@ -582,7 +615,6 @@ fi
|
||||
%if %{with test}
|
||||
%{_libexecdir}/ipsec/conftest
|
||||
%endif
|
||||
%{_libexecdir}/ipsec/xfrmi
|
||||
%{_libexecdir}/ipsec/duplicheck
|
||||
%{_libexecdir}/ipsec/pool
|
||||
%{_libexecdir}/ipsec/scepclient
|
||||
@ -592,7 +624,6 @@ fi
|
||||
%{_libexecdir}/ipsec/_imv_policy
|
||||
%{_libexecdir}/ipsec/imv_policy_manager
|
||||
%dir %{strongswan_plugins}
|
||||
%{strongswan_plugins}/libstrongswan-drbg.so
|
||||
%{strongswan_plugins}/libstrongswan-stroke.so
|
||||
%{strongswan_plugins}/libstrongswan-updown.so
|
||||
|
||||
@ -619,9 +650,6 @@ fi
|
||||
%dir %{strongswan_configs}
|
||||
%dir %{strongswan_configs}/charon
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf
|
||||
%if %{with systemd}
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-systemd.conf
|
||||
%endif
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf
|
||||
@ -632,9 +660,7 @@ fi
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/counters.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/drbg.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf
|
||||
%if %{with afalg}
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/af-alg.conf
|
||||
@ -688,7 +714,6 @@ fi
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mgf1.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf
|
||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf
|
||||
@ -760,7 +785,6 @@ fi
|
||||
%{strongswan_plugins}/libstrongswan-ccm.so
|
||||
%{strongswan_plugins}/libstrongswan-certexpire.so
|
||||
%{strongswan_plugins}/libstrongswan-cmac.so
|
||||
%{strongswan_plugins}/libstrongswan-counters.so
|
||||
%{strongswan_plugins}/libstrongswan-constraints.so
|
||||
%{strongswan_plugins}/libstrongswan-coupling.so
|
||||
%{strongswan_plugins}/libstrongswan-ctr.so
|
||||
@ -803,7 +827,6 @@ fi
|
||||
%{strongswan_plugins}/libstrongswan-led.so
|
||||
%{strongswan_plugins}/libstrongswan-md4.so
|
||||
%{strongswan_plugins}/libstrongswan-md5.so
|
||||
%{strongswan_plugins}/libstrongswan-mgf1.so
|
||||
%{strongswan_plugins}/libstrongswan-nonce.so
|
||||
%{strongswan_plugins}/libstrongswan-openssl.so
|
||||
%{strongswan_plugins}/libstrongswan-pem.so
|
||||
@ -862,7 +885,6 @@ fi
|
||||
%{strongswan_templates}/config/plugins/ccm.conf
|
||||
%{strongswan_templates}/config/plugins/certexpire.conf
|
||||
%{strongswan_templates}/config/plugins/cmac.conf
|
||||
%{strongswan_templates}/config/plugins/counters.conf
|
||||
%{strongswan_templates}/config/plugins/constraints.conf
|
||||
%{strongswan_templates}/config/plugins/coupling.conf
|
||||
%{strongswan_templates}/config/plugins/ctr.conf
|
||||
@ -870,7 +892,6 @@ fi
|
||||
%{strongswan_templates}/config/plugins/des.conf
|
||||
%{strongswan_templates}/config/plugins/dhcp.conf
|
||||
%{strongswan_templates}/config/plugins/dnskey.conf
|
||||
%{strongswan_templates}/config/plugins/drbg.conf
|
||||
%{strongswan_templates}/config/plugins/duplicheck.conf
|
||||
%{strongswan_templates}/config/plugins/eap-aka-3gpp2.conf
|
||||
%{strongswan_templates}/config/plugins/eap-aka.conf
|
||||
@ -906,7 +927,6 @@ fi
|
||||
%{strongswan_templates}/config/plugins/led.conf
|
||||
%{strongswan_templates}/config/plugins/md4.conf
|
||||
%{strongswan_templates}/config/plugins/md5.conf
|
||||
%{strongswan_templates}/config/plugins/mgf1.conf
|
||||
%{strongswan_templates}/config/plugins/nonce.conf
|
||||
%{strongswan_templates}/config/plugins/openssl.conf
|
||||
%{strongswan_templates}/config/plugins/pem.conf
|
||||
@ -946,9 +966,6 @@ fi
|
||||
%{strongswan_templates}/config/plugins/xcbc.conf
|
||||
%{strongswan_templates}/config/plugins/curve25519.conf
|
||||
%{strongswan_templates}/config/plugins/vici.conf
|
||||
%if %{with systemd}
|
||||
%{strongswan_templates}/config/strongswan.d/charon-systemd.conf
|
||||
%endif
|
||||
%{strongswan_templates}/config/strongswan.d/charon-logging.conf
|
||||
%{strongswan_templates}/config/strongswan.d/charon.conf
|
||||
%{strongswan_templates}/config/strongswan.d/imcv.conf
|
||||
|
@ -1,8 +1,6 @@
|
||||
Index: strongswan-5.6.2/init/systemd/strongswan.service.in
|
||||
===================================================================
|
||||
--- strongswan-5.6.2.orig/init/systemd-starter/strongswan-starter.service.in 2017-02-07 08:04:04.000000000 +0100
|
||||
+++ strongswan-5.6.2/init/systemd-starter/strongswan-starter.service.in 2018-04-17 16:53:57.546334751 +0200
|
||||
@@ -9,3 +9,4 @@ Restart=on-abnormal
|
||||
--- init/systemd/strongswan.service.in
|
||||
+++ init/systemd/strongswan.service.in 2012/10/31 15:21:11
|
||||
@@ -8,3 +8,4 @@ StandardOutput=syslog
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
@ -1,7 +1,5 @@
|
||||
Index: strongswan-5.6.2/src/starter/klips.c
|
||||
===================================================================
|
||||
--- strongswan-5.6.2.orig/src/starter/klips.c 2016-04-22 22:01:35.000000000 +0200
|
||||
+++ strongswan-5.6.2/src/starter/klips.c 2018-04-17 16:53:57.534334655 +0200
|
||||
--- src/starter/klips.c
|
||||
+++ src/starter/klips.c 2012/10/30 17:07:23
|
||||
@@ -30,7 +30,7 @@ bool starter_klips_init(void)
|
||||
/* ipsec module makes the pf_key proc interface visible */
|
||||
if (stat(PROC_MODULES, &stb) == 0)
|
||||
@ -24,11 +22,9 @@ Index: strongswan-5.6.2/src/starter/klips.c
|
||||
|
||||
DBG2(DBG_APP, "found KLIPS IPsec stack");
|
||||
return TRUE;
|
||||
Index: strongswan-5.6.2/src/starter/netkey.c
|
||||
===================================================================
|
||||
--- strongswan-5.6.2.orig/src/starter/netkey.c 2016-04-22 22:01:35.000000000 +0200
|
||||
+++ strongswan-5.6.2/src/starter/netkey.c 2018-04-17 16:53:57.534334655 +0200
|
||||
@@ -30,7 +30,7 @@ bool starter_netkey_init(void)
|
||||
--- src/starter/netkey.c
|
||||
+++ src/starter/netkey.c 2012/10/30 17:07:02
|
||||
@@ -31,7 +31,7 @@ bool starter_netkey_init(void)
|
||||
/* af_key module makes the netkey proc interface visible */
|
||||
if (stat(PROC_MODULES, &stb) == 0)
|
||||
{
|
||||
@ -37,7 +33,7 @@ Index: strongswan-5.6.2/src/starter/netkey.c
|
||||
}
|
||||
|
||||
/* now test again */
|
||||
@@ -44,11 +44,11 @@ bool starter_netkey_init(void)
|
||||
@@ -45,11 +45,11 @@ bool starter_netkey_init(void)
|
||||
/* make sure that all required IPsec modules are loaded */
|
||||
if (stat(PROC_MODULES, &stb) == 0)
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user