forked from pool/strongswan
osc copypac from project:openSUSE:Leap:15.2 package:strongswan revision:16
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=117
This commit is contained in:
parent
f51dbccc77
commit
b84f3a369a
@ -15,10 +15,10 @@ utils/utils/memory.h:99:15: error: ‘uintptr_t’ undeclared (first use in this
|
|||||||
src/libstrongswan/utils/utils/memory.h | 2 ++
|
src/libstrongswan/utils/utils/memory.h | 2 ++
|
||||||
1 file changed, 2 insertions(+)
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
Index: strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h
|
diff --git a/src/libstrongswan/utils/utils/memory.h b/src/libstrongswan/utils/utils/memory.h
|
||||||
===================================================================
|
index b978e7c..55aaaf5 100644
|
||||||
--- strongswan-5.6.2.orig/src/libstrongswan/utils/utils/memory.h 2017-08-14 08:48:41.000000000 +0200
|
--- a/src/libstrongswan/utils/utils/memory.h
|
||||||
+++ strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h 2018-04-17 16:53:57.590335103 +0200
|
+++ b/src/libstrongswan/utils/utils/memory.h
|
||||||
@@ -22,6 +22,8 @@
|
@@ -22,6 +22,8 @@
|
||||||
#ifndef MEMORY_H_
|
#ifndef MEMORY_H_
|
||||||
#define MEMORY_H_
|
#define MEMORY_H_
|
||||||
@ -28,3 +28,6 @@ Index: strongswan-5.6.2/src/libstrongswan/utils/utils/memory.h
|
|||||||
/**
|
/**
|
||||||
* Helper function that compares two binary blobs for equality
|
* Helper function that compares two binary blobs for equality
|
||||||
*/
|
*/
|
||||||
|
--
|
||||||
|
2.14.1
|
||||||
|
|
||||||
|
323
0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch
Normal file
323
0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch
Normal file
@ -0,0 +1,323 @@
|
|||||||
|
From ade8c9c4b73ec43cf43b9c4cd9af6aac5e6f7f9d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tobias Brunner <tobias@strongswan.org>
|
||||||
|
Date: Tue, 28 Aug 2018 11:26:24 +0200
|
||||||
|
Subject: [PATCH] gmp: Don't parse PKCS1 v1.5 RSA signatures to verify them
|
||||||
|
|
||||||
|
Instead we generate the expected signature encoding and compare it to the
|
||||||
|
decrypted value.
|
||||||
|
|
||||||
|
Due to the lenient nature of the previous parsing code (minimum padding
|
||||||
|
length was not enforced, the algorithmIdentifier/OID parser accepts arbitrary
|
||||||
|
data after OIDs and in the parameters field etc.) it was susceptible to
|
||||||
|
Daniel Bleichenbacher's low-exponent attack (from 2006!), which allowed
|
||||||
|
forging signatures for keys that use low public exponents (i.e. e=3).
|
||||||
|
|
||||||
|
Since the public exponent is usually set to 0x10001 (65537) since quite a
|
||||||
|
while, the flaws in the previous code should not have had that much of a
|
||||||
|
practical impact in recent years.
|
||||||
|
|
||||||
|
Fixes: CVE-2018-16151, CVE-2018-16152
|
||||||
|
---
|
||||||
|
.../plugins/gmp/gmp_rsa_private_key.c | 66 +++++----
|
||||||
|
src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 158 ++-------------------
|
||||||
|
2 files changed, 53 insertions(+), 171 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
|
||||||
|
index 21b420866e2f..025f61a9fa21 100644
|
||||||
|
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
|
||||||
|
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
|
||||||
|
@@ -262,14 +262,15 @@ static chunk_t rsasp1(private_gmp_rsa_private_key_t *this, chunk_t data)
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
- * Build a signature using the PKCS#1 EMSA scheme
|
||||||
|
+ * Hashes the data and builds the plaintext signature value with EMSA
|
||||||
|
+ * PKCS#1 v1.5 padding.
|
||||||
|
+ *
|
||||||
|
+ * Allocates the signature data.
|
||||||
|
*/
|
||||||
|
-static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
|
||||||
|
- hash_algorithm_t hash_algorithm,
|
||||||
|
- chunk_t data, chunk_t *signature)
|
||||||
|
+bool gmp_emsa_pkcs1_signature_data(hash_algorithm_t hash_algorithm,
|
||||||
|
+ chunk_t data, size_t keylen, chunk_t *em)
|
||||||
|
{
|
||||||
|
chunk_t digestInfo = chunk_empty;
|
||||||
|
- chunk_t em;
|
||||||
|
|
||||||
|
if (hash_algorithm != HASH_UNKNOWN)
|
||||||
|
{
|
||||||
|
@@ -293,43 +294,56 @@ static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
|
||||||
|
/* build DER-encoded digestInfo */
|
||||||
|
digestInfo = asn1_wrap(ASN1_SEQUENCE, "mm",
|
||||||
|
asn1_algorithmIdentifier(hash_oid),
|
||||||
|
- asn1_simple_object(ASN1_OCTET_STRING, hash)
|
||||||
|
- );
|
||||||
|
- chunk_free(&hash);
|
||||||
|
+ asn1_wrap(ASN1_OCTET_STRING, "m", hash));
|
||||||
|
+
|
||||||
|
data = digestInfo;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (data.len > this->k - 3)
|
||||||
|
+ if (data.len > keylen - 11)
|
||||||
|
{
|
||||||
|
- free(digestInfo.ptr);
|
||||||
|
- DBG1(DBG_LIB, "unable to sign %d bytes using a %dbit key", data.len,
|
||||||
|
- mpz_sizeinbase(this->n, 2));
|
||||||
|
+ chunk_free(&digestInfo);
|
||||||
|
+ DBG1(DBG_LIB, "signature value of %zu bytes is too long for key of "
|
||||||
|
+ "%zu bytes", data.len, keylen);
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* build chunk to rsa-decrypt:
|
||||||
|
- * EM = 0x00 || 0x01 || PS || 0x00 || T.
|
||||||
|
- * PS = 0xFF padding, with length to fill em
|
||||||
|
+ /* EM = 0x00 || 0x01 || PS || 0x00 || T.
|
||||||
|
+ * PS = 0xFF padding, with length to fill em (at least 8 bytes)
|
||||||
|
* T = encoded_hash
|
||||||
|
*/
|
||||||
|
- em.len = this->k;
|
||||||
|
- em.ptr = malloc(em.len);
|
||||||
|
+ *em = chunk_alloc(keylen);
|
||||||
|
|
||||||
|
/* fill em with padding */
|
||||||
|
- memset(em.ptr, 0xFF, em.len);
|
||||||
|
+ memset(em->ptr, 0xFF, em->len);
|
||||||
|
/* set magic bytes */
|
||||||
|
- *(em.ptr) = 0x00;
|
||||||
|
- *(em.ptr+1) = 0x01;
|
||||||
|
- *(em.ptr + em.len - data.len - 1) = 0x00;
|
||||||
|
- /* set DER-encoded hash */
|
||||||
|
- memcpy(em.ptr + em.len - data.len, data.ptr, data.len);
|
||||||
|
+ *(em->ptr) = 0x00;
|
||||||
|
+ *(em->ptr+1) = 0x01;
|
||||||
|
+ *(em->ptr + em->len - data.len - 1) = 0x00;
|
||||||
|
+ /* set encoded hash */
|
||||||
|
+ memcpy(em->ptr + em->len - data.len, data.ptr, data.len);
|
||||||
|
+
|
||||||
|
+ chunk_clear(&digestInfo);
|
||||||
|
+ return TRUE;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
+ * Build a signature using the PKCS#1 EMSA scheme
|
||||||
|
+ */
|
||||||
|
+static bool build_emsa_pkcs1_signature(private_gmp_rsa_private_key_t *this,
|
||||||
|
+ hash_algorithm_t hash_algorithm,
|
||||||
|
+ chunk_t data, chunk_t *signature)
|
||||||
|
+{
|
||||||
|
+ chunk_t em;
|
||||||
|
+
|
||||||
|
+ if (!gmp_emsa_pkcs1_signature_data(hash_algorithm, data, this->k, &em))
|
||||||
|
+ {
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* build signature */
|
||||||
|
*signature = rsasp1(this, em);
|
||||||
|
|
||||||
|
- free(digestInfo.ptr);
|
||||||
|
- free(em.ptr);
|
||||||
|
-
|
||||||
|
+ chunk_free(&em);
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
|
||||||
|
index 065c88903344..f27b24c6f319 100644
|
||||||
|
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
|
||||||
|
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
|
||||||
|
@@ -68,7 +68,9 @@ struct private_gmp_rsa_public_key_t {
|
||||||
|
/**
|
||||||
|
* Shared functions defined in gmp_rsa_private_key.c
|
||||||
|
*/
|
||||||
|
-extern chunk_t gmp_mpz_to_chunk(const mpz_t value);
|
||||||
|
+chunk_t gmp_mpz_to_chunk(const mpz_t value);
|
||||||
|
+bool gmp_emsa_pkcs1_signature_data(hash_algorithm_t hash_algorithm,
|
||||||
|
+ chunk_t data, size_t keylen, chunk_t *em);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* RSAEP algorithm specified in PKCS#1.
|
||||||
|
@@ -113,26 +115,13 @@ static chunk_t rsavp1(private_gmp_rsa_public_key_t *this, chunk_t data)
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
- * ASN.1 definition of digestInfo
|
||||||
|
- */
|
||||||
|
-static const asn1Object_t digestInfoObjects[] = {
|
||||||
|
- { 0, "digestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
|
||||||
|
- { 1, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 1 */
|
||||||
|
- { 1, "digest", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */
|
||||||
|
- { 0, "exit", ASN1_EOC, ASN1_EXIT }
|
||||||
|
-};
|
||||||
|
-#define DIGEST_INFO 0
|
||||||
|
-#define DIGEST_INFO_ALGORITHM 1
|
||||||
|
-#define DIGEST_INFO_DIGEST 2
|
||||||
|
-
|
||||||
|
-/**
|
||||||
|
- * Verification of an EMPSA PKCS1 signature described in PKCS#1
|
||||||
|
+ * Verification of an EMSA PKCS1 signature described in PKCS#1
|
||||||
|
*/
|
||||||
|
static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
|
||||||
|
hash_algorithm_t algorithm,
|
||||||
|
chunk_t data, chunk_t signature)
|
||||||
|
{
|
||||||
|
- chunk_t em_ori, em;
|
||||||
|
+ chunk_t em_expected, em;
|
||||||
|
bool success = FALSE;
|
||||||
|
|
||||||
|
/* remove any preceding 0-bytes from signature */
|
||||||
|
@@ -146,140 +135,19 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* unpack signature */
|
||||||
|
- em_ori = em = rsavp1(this, signature);
|
||||||
|
-
|
||||||
|
- /* result should look like this:
|
||||||
|
- * EM = 0x00 || 0x01 || PS || 0x00 || T.
|
||||||
|
- * PS = 0xFF padding, with length to fill em
|
||||||
|
- * T = oid || hash
|
||||||
|
- */
|
||||||
|
-
|
||||||
|
- /* check magic bytes */
|
||||||
|
- if (em.len < 2 || *(em.ptr) != 0x00 || *(em.ptr+1) != 0x01)
|
||||||
|
- {
|
||||||
|
- goto end;
|
||||||
|
- }
|
||||||
|
- em = chunk_skip(em, 2);
|
||||||
|
-
|
||||||
|
- /* find magic 0x00 */
|
||||||
|
- while (em.len > 0)
|
||||||
|
- {
|
||||||
|
- if (*em.ptr == 0x00)
|
||||||
|
- {
|
||||||
|
- /* found magic byte, stop */
|
||||||
|
- em = chunk_skip(em, 1);
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
- else if (*em.ptr != 0xFF)
|
||||||
|
- {
|
||||||
|
- /* bad padding, decryption failed ?!*/
|
||||||
|
- goto end;
|
||||||
|
- }
|
||||||
|
- em = chunk_skip(em, 1);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (em.len == 0)
|
||||||
|
+ /* generate expected signature value */
|
||||||
|
+ if (!gmp_emsa_pkcs1_signature_data(algorithm, data, this->k, &em_expected))
|
||||||
|
{
|
||||||
|
- /* no digestInfo found */
|
||||||
|
- goto end;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (algorithm == HASH_UNKNOWN)
|
||||||
|
- { /* IKEv1 signatures without digestInfo */
|
||||||
|
- if (em.len != data.len)
|
||||||
|
- {
|
||||||
|
- DBG1(DBG_LIB, "hash size in signature is %u bytes instead of"
|
||||||
|
- " %u bytes", em.len, data.len);
|
||||||
|
- goto end;
|
||||||
|
- }
|
||||||
|
- success = memeq_const(em.ptr, data.ptr, data.len);
|
||||||
|
+ return FALSE;
|
||||||
|
}
|
||||||
|
- else
|
||||||
|
- { /* IKEv2 and X.509 certificate signatures */
|
||||||
|
- asn1_parser_t *parser;
|
||||||
|
- chunk_t object;
|
||||||
|
- int objectID;
|
||||||
|
- hash_algorithm_t hash_algorithm = HASH_UNKNOWN;
|
||||||
|
|
||||||
|
- DBG2(DBG_LIB, "signature verification:");
|
||||||
|
- parser = asn1_parser_create(digestInfoObjects, em);
|
||||||
|
-
|
||||||
|
- while (parser->iterate(parser, &objectID, &object))
|
||||||
|
- {
|
||||||
|
- switch (objectID)
|
||||||
|
- {
|
||||||
|
- case DIGEST_INFO:
|
||||||
|
- {
|
||||||
|
- if (em.len > object.len)
|
||||||
|
- {
|
||||||
|
- DBG1(DBG_LIB, "digestInfo field in signature is"
|
||||||
|
- " followed by %u surplus bytes",
|
||||||
|
- em.len - object.len);
|
||||||
|
- goto end_parser;
|
||||||
|
- }
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
- case DIGEST_INFO_ALGORITHM:
|
||||||
|
- {
|
||||||
|
- int hash_oid = asn1_parse_algorithmIdentifier(object,
|
||||||
|
- parser->get_level(parser)+1, NULL);
|
||||||
|
-
|
||||||
|
- hash_algorithm = hasher_algorithm_from_oid(hash_oid);
|
||||||
|
- if (hash_algorithm == HASH_UNKNOWN || hash_algorithm != algorithm)
|
||||||
|
- {
|
||||||
|
- DBG1(DBG_LIB, "expected hash algorithm %N, but found"
|
||||||
|
- " %N (OID: %#B)", hash_algorithm_names, algorithm,
|
||||||
|
- hash_algorithm_names, hash_algorithm, &object);
|
||||||
|
- goto end_parser;
|
||||||
|
- }
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
- case DIGEST_INFO_DIGEST:
|
||||||
|
- {
|
||||||
|
- chunk_t hash;
|
||||||
|
- hasher_t *hasher;
|
||||||
|
-
|
||||||
|
- hasher = lib->crypto->create_hasher(lib->crypto, hash_algorithm);
|
||||||
|
- if (hasher == NULL)
|
||||||
|
- {
|
||||||
|
- DBG1(DBG_LIB, "hash algorithm %N not supported",
|
||||||
|
- hash_algorithm_names, hash_algorithm);
|
||||||
|
- goto end_parser;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (object.len != hasher->get_hash_size(hasher))
|
||||||
|
- {
|
||||||
|
- DBG1(DBG_LIB, "hash size in signature is %u bytes"
|
||||||
|
- " instead of %u bytes", object.len,
|
||||||
|
- hasher->get_hash_size(hasher));
|
||||||
|
- hasher->destroy(hasher);
|
||||||
|
- goto end_parser;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /* build our own hash and compare */
|
||||||
|
- if (!hasher->allocate_hash(hasher, data, &hash))
|
||||||
|
- {
|
||||||
|
- hasher->destroy(hasher);
|
||||||
|
- goto end_parser;
|
||||||
|
- }
|
||||||
|
- hasher->destroy(hasher);
|
||||||
|
- success = memeq_const(object.ptr, hash.ptr, hash.len);
|
||||||
|
- free(hash.ptr);
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
- default:
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
+ /* unpack signature */
|
||||||
|
+ em = rsavp1(this, signature);
|
||||||
|
|
||||||
|
-end_parser:
|
||||||
|
- success &= parser->success(parser);
|
||||||
|
- parser->destroy(parser);
|
||||||
|
- }
|
||||||
|
+ success = chunk_equals_const(em_expected, em);
|
||||||
|
|
||||||
|
-end:
|
||||||
|
- free(em_ori.ptr);
|
||||||
|
+ chunk_free(&em_expected);
|
||||||
|
+ chunk_free(&em);
|
||||||
|
return success;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
28
0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch
Normal file
28
0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
From 0acd1ab4d08d53d80393b1a37b8781f6e7b2b996 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tobias Brunner <tobias@strongswan.org>
|
||||||
|
Date: Tue, 13 Mar 2018 18:54:08 +0100
|
||||||
|
Subject: [PATCH] stroke: Ensure a minimum message length
|
||||||
|
|
||||||
|
---
|
||||||
|
src/libcharon/plugins/stroke/stroke_socket.c | 5 +++++
|
||||||
|
1 file changed, 5 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
|
||||||
|
index c568440b7ae2..1e7f210e940a 100644
|
||||||
|
--- a/src/libcharon/plugins/stroke/stroke_socket.c
|
||||||
|
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
|
||||||
|
@@ -627,6 +627,11 @@ static bool on_accept(private_stroke_socket_t *this, stream_t *stream)
|
||||||
|
}
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
+ if (len < offsetof(stroke_msg_t, buffer))
|
||||||
|
+ {
|
||||||
|
+ DBG1(DBG_CFG, "invalid stroke message length %d", len);
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* read message (we need an additional byte to terminate the buffer) */
|
||||||
|
msg = malloc(len + 1);
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
39
0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch
Normal file
39
0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
From b450318c15496f89e7c93392c9b5d2c6045c7de9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tobias Brunner <tobias@strongswan.org>
|
||||||
|
Date: Mon, 19 Mar 2018 17:03:05 +0100
|
||||||
|
Subject: [PATCH] ikev2: Initialize variable in case set_key() or
|
||||||
|
allocate_bytes() fails
|
||||||
|
|
||||||
|
In case the PRF's set_key() or allocate_bytes() method failed, skeyseed
|
||||||
|
was not initialized and the chunk_clear() call later caused a crash.
|
||||||
|
|
||||||
|
This could have happened with OpenSSL in FIPS mode when MD5 was
|
||||||
|
negotiated (and test vectors were not checked, in which case the PRF
|
||||||
|
couldn't be instantiated as the test vectors would have failed).
|
||||||
|
MD5 is not included in the default proposal anymore since 5.6.1, so
|
||||||
|
with recent versions this could only happen with configs that are not
|
||||||
|
valid in FIPS mode anyway.
|
||||||
|
|
||||||
|
Fixes: CVE-2018-10811
|
||||||
|
---
|
||||||
|
src/libcharon/sa/ikev2/keymat_v2.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
|
||||||
|
index 0c41c68d0118..8b20d1ce986f 100644
|
||||||
|
--- a/src/libcharon/sa/ikev2/keymat_v2.c
|
||||||
|
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
|
||||||
|
@@ -303,8 +303,8 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
|
||||||
|
chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
|
||||||
|
pseudo_random_function_t rekey_function, chunk_t rekey_skd)
|
||||||
|
{
|
||||||
|
- chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
|
||||||
|
- chunk_t spi_i, spi_r;
|
||||||
|
+ chunk_t skeyseed = chunk_empty, key, secret, full_nonce, fixed_nonce;
|
||||||
|
+ chunk_t prf_plus_seed, spi_i, spi_r;
|
||||||
|
prf_plus_t *prf_plus = NULL;
|
||||||
|
uint16_t alg, key_size, int_alg;
|
||||||
|
prf_t *rekey_prf = NULL;
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
38
0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
Normal file
38
0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
From 129ab919a8c3abfc17bea776f0774e0ccf33ca09 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tobias Brunner <tobias@strongswan.org>
|
||||||
|
Date: Tue, 25 Sep 2018 14:50:08 +0200
|
||||||
|
Subject: [PATCH] gmp: Fix buffer overflow with very small RSA keys
|
||||||
|
|
||||||
|
Because `keylen` is unsigned the subtraction results in an integer
|
||||||
|
underflow if the key length is < 11 bytes.
|
||||||
|
|
||||||
|
This is only a problem when verifying signatures with a public key (for
|
||||||
|
private keys the plugin enforces a minimum modulus length) and to do so
|
||||||
|
we usually only use trusted keys. However, the x509 plugin actually
|
||||||
|
calls issued_by() on a parsed certificate to check if it is self-signed,
|
||||||
|
which is the reason this issue was found by OSS-Fuzz in the first place.
|
||||||
|
So, unfortunately, this can be triggered by sending an invalid client
|
||||||
|
cert to a peer.
|
||||||
|
|
||||||
|
Fixes: 5955db5b124a ("gmp: Don't parse PKCS1 v1.5 RSA signatures to verify them")
|
||||||
|
Fixes: CVE-2018-17540
|
||||||
|
---
|
||||||
|
src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
|
||||||
|
index e9a83fdf49a1..a255a40abce2 100644
|
||||||
|
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
|
||||||
|
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
|
||||||
|
@@ -301,7 +301,7 @@ bool gmp_emsa_pkcs1_signature_data(hash_algorithm_t hash_algorithm,
|
||||||
|
data = digestInfo;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (data.len > keylen - 11)
|
||||||
|
+ if (keylen < 11 || data.len > keylen - 11)
|
||||||
|
{
|
||||||
|
chunk_free(&digestInfo);
|
||||||
|
DBG1(DBG_LIB, "signature value of %zu bytes is too long for key of "
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
3
strongswan-5.6.0.tar.bz2
Normal file
3
strongswan-5.6.0.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:a14dc0d92634ed52730bfc76a76db30943a28ed3c65a560066e1e9f785827b13
|
||||||
|
size 4850722
|
14
strongswan-5.6.0.tar.bz2.sig
Normal file
14
strongswan-5.6.0.tar.bz2.sig
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
Version: GnuPG v1
|
||||||
|
|
||||||
|
iQGcBAABAgAGBQJZkUjtAAoJEN9CwXCzTbp3m08L/3A4QqZMMuBMuliao4kwO4tG
|
||||||
|
kyHD+nWMrFIK2dwu9zAMY5noiVUNcXExPgF7UTbW77Tr2s8RtkrnIUCTEJ+qYk7F
|
||||||
|
CNX2BmdYbB9MAofkaou/xAXKgfxXVxw41DY7sK59e+VZayJ+LN9Suq413ymdF6Da
|
||||||
|
kclM5ZoEM9X7feY+n1U2/DG199pF5sFN4dEt+kgSD4NJuZHsn+jfLVYzciHBIyk5
|
||||||
|
d1tnUAVjVUIVfGrQ6SG2SoASIla4Qv27YszdRtzIRYVjzj+bt4gX2ORkpChLGg6M
|
||||||
|
an50EM6yDBdDDyF+muNKl8OaE6YaAmIBKuftn/Rlx8kILzUTtiKk+6au699XaW/H
|
||||||
|
dMdHgb8AsyTi/nudz/nYfHUyYIbalOLwttG8qh3U+qCZ9ZbXy6wi9HB8FBPUNRru
|
||||||
|
UBd1Y+kh7FMicZprlr5xGxJ78vi7avV9HOjxIZldfoAaP/AO9l4fXYs2AVzZRalJ
|
||||||
|
eCwB7EHznJ/KVoKZ9MpXp6ne3iPGLYsoo92B8OXY3g==
|
||||||
|
=ZRFr
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:86900ddbe7337c923dadf2c8339ae8ed2b9158e3691745884d08ae534677430e
|
|
||||||
size 4533402
|
|
@ -1,14 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
Version: GnuPG v1
|
|
||||||
|
|
||||||
iQGcBAABAgAGBQJd+MscAAoJEN9CwXCzTbp3f6ML/0y5DGj7CytdIWcT7ODbZ5Dt
|
|
||||||
S8MS2BHxUJ4cgzB8InCK4wNQFpyzRhR2goPly1B8RVNSVSfdyvqfSC/A++esZe3m
|
|
||||||
wwjsjzjWYVaNnkj1lrl/8azOiDkD/uA/NaaUcASp6hoJIJQALYW5HfPjL/S/hC+v
|
|
||||||
iVio5Fy9c/9HGJEeeZxqRMp/gTNjvh05hbP9ukLADk6klphwaNFg5o0YNgf1NJFE
|
|
||||||
CBo/rGJNVfvEUUlJMLiBlFCBaPMOIjoIXODpjootRioDpnF6IonfcoIGiR6TuRQC
|
|
||||||
zR3u3Zhgpe4tJfkKCpCCSPGwMCcwreMAUwzRf/U/HDUSPZX+c4sBOIl8eedwVA77
|
|
||||||
DjNlktwmPta8x4YOh6NB3ghAwwztEkPvvaAIcwH0gh1DkjIicFr2VkoXIS5jqaVN
|
|
||||||
bK2YvTQ7StZa35VaEYnlu5JzIchPlqhXND6sWLWJolnwrNWskZyojVYioyIv3KJJ
|
|
||||||
tXphbN0HHCfLPs5vX8/X97IAa06tsnEOZEZg5Sk3Jw==
|
|
||||||
=VHUc
|
|
||||||
-----END PGP SIGNATURE-----
|
|
@ -1,204 +1,35 @@
|
|||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Sun Jan 26 08:54:01 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
|
Thu Nov 14 12:56:01 UTC 2019 - Madhu Mohan Nelemane <mmnelemane@suse.com>
|
||||||
|
|
||||||
- Replace %__-type macro indirections. Update homepage URL to https.
|
- Added patch to fix vulnerability: CVE-2018-17540 (bsc#1109845)
|
||||||
|
[+ 0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch]
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Jan 6 22:06:58 UTC 2020 - Bjørn Lie <bjorn.lie@gmail.com>
|
Wed Nov 13 16:43:52 UTC 2019 - Madhu Mohan Nelemane <mmnelemane@suse.com>
|
||||||
|
|
||||||
- Update to version 5.8.2:
|
- Added patch to fix vulnerability: CVE-2018-10811 (bsc#1093536)
|
||||||
* The systemd service units have changed their name.
|
- denial-of-service vulnerability
|
||||||
"strongswan" is now "strongswan-starter", and
|
[+ 0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch]
|
||||||
"strongswan-swanctl" is now "strongswan".
|
|
||||||
After installation, you need to `systemctl disable` the old
|
|
||||||
name and `systemctl enable`+start the new one.
|
|
||||||
* Fix CVE-2018-17540, CVE-2018-16151 and CVE-2018-16152.
|
|
||||||
* boo#1109845 and boo#1107874.
|
|
||||||
- Please check included NEWS file for info on what other changes
|
|
||||||
that have been done in versions 5.8.2, 5.8.1 5.8.0, 5.7.2, 5.7.1
|
|
||||||
and 5.7.0.
|
|
||||||
- Rebase strongswan_ipsec_service.patch.
|
|
||||||
- Disable patches that need rebase or dropping:
|
|
||||||
* strongswan_modprobe_syslog.patch
|
|
||||||
* 0006-fix-compilation-error-by-adding-stdint.h.patch
|
|
||||||
- Add conditional pkgconfig(libsystemd) BuildRequires: New
|
|
||||||
dependency.
|
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Jun 6 22:14:57 UTC 2018 - bjorn.lie@gmail.com
|
Wed Nov 13 15:41:29 UTC 2019 - Madhu Mohan Nelemane <mmnelemane@suse.com>
|
||||||
|
|
||||||
- Update to version 5.6.3 (CVE-2018-10811, boo#1093536,
|
- Added patch to fix vulnerability: CVE-2018-5388 (bsc#1094462)
|
||||||
CVE-2018-5388, boo#1094462):
|
- Buffer Underflow in stroke_socket.c
|
||||||
* Fixed a DoS vulnerability in the IKEv2 key derivation if the
|
[+ 0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch]
|
||||||
openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated
|
|
||||||
as PRF. This vulnerability has been registered as
|
|
||||||
CVE-2018-10811, boo#1093536.
|
|
||||||
* Fixed a vulnerability in the stroke plugin, which did not check
|
|
||||||
the received length before reading a message from the socket.
|
|
||||||
Unless a group is configured, root privileges are required to
|
|
||||||
access that socket, so in the default configuration this
|
|
||||||
shouldn't be an issue. This vulnerability has been registered
|
|
||||||
as CVE-2018-5388, boo#1094462.
|
|
||||||
* CRLs that are not yet valid are now ignored to avoid problems
|
|
||||||
in scenarios where expired certificates are removed from new
|
|
||||||
CRLs and the clock on the host doing the revocation check is
|
|
||||||
trailing behind that of the host issuing CRLs. Not doing this
|
|
||||||
could result in accepting a revoked and expired certificate, if
|
|
||||||
it's still valid according to the trailing clock but not
|
|
||||||
contained anymore in not yet valid CRLs.
|
|
||||||
* The issuer of fetched CRLs is now compared to the issuer of the
|
|
||||||
checked certificate (#2608).
|
|
||||||
* CRL validation results other than revocation (e.g. a skipped
|
|
||||||
check because the CRL couldn't be fetched) are now stored also
|
|
||||||
for intermediate CA certificates and not only for end-entity
|
|
||||||
certificates, so a strict CRL policy can be enforced in such
|
|
||||||
cases.
|
|
||||||
* In compliance with RFC 4945, section 5.1.3.2, certificates used
|
|
||||||
for IKE must now either not contain a keyUsage extension (like
|
|
||||||
the ones generated by pki), or have at least one of the
|
|
||||||
digitalSignature or nonRepudiation bits set.
|
|
||||||
* New options for vici/swanctl allow forcing the local
|
|
||||||
termination of an IKE_SA. This might be useful in situations
|
|
||||||
where it's known the other end is not reachable anymore, or
|
|
||||||
that it already removed the IKE_SA, so retransmitting a DELETE
|
|
||||||
and waiting for a response would be pointless.
|
|
||||||
* Waiting only a certain amount of time for a response (i.e.
|
|
||||||
shorter than all retransmits would be) before destroying the
|
|
||||||
IKE_SA is also possible by additionally specifying a timeout in
|
|
||||||
the forced termination request.
|
|
||||||
* When removing routes, the kernel-netlink plugin now checks if
|
|
||||||
it tracks other routes for the same destination and replaces
|
|
||||||
the installed route instead of just removing it. Same during
|
|
||||||
installation, where existing routes previously weren't
|
|
||||||
replaced. This should allow using traps with virtual IPs on
|
|
||||||
Linux (#2162).
|
|
||||||
* The dhcp plugin now only sends the client identifier DHCP
|
|
||||||
option if the identity_lease setting is enabled (7b660944b6).
|
|
||||||
It can also send identities of up to 255 bytes length, instead
|
|
||||||
of the previous 64 bytes (30e886fe3b, 0e5b94d038). If a server
|
|
||||||
address is configured, DHCP requests are now sent from port 67
|
|
||||||
instead of 68 to avoid ICMP port unreachables (becf027cd9).
|
|
||||||
* The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one
|
|
||||||
containing a DH group that wasn't proposed) during
|
|
||||||
CREATE_CHILD_SA exchanges has been improved (#2536).
|
|
||||||
* Roam events are now completely ignored for IKEv1 SAs (there is
|
|
||||||
no MOBIKE to handle such changes properly).
|
|
||||||
* ChaCha20/Poly1305 is now correctly proposed without key length
|
|
||||||
(#2614). For compatibility with older releases the
|
|
||||||
chacha20poly1305compat keyword may be included in proposals to
|
|
||||||
also propose the algorithm with a key length (c58434aeff).
|
|
||||||
* Configuration of hardware offload of IPsec SAs is now more
|
|
||||||
flexible and allows a new setting (auto), which automatically
|
|
||||||
uses it if the kernel and device both support it. If hw_offload
|
|
||||||
is set to yes and offloading is not supported, the CHILD_SA
|
|
||||||
installation now fails.
|
|
||||||
* The kernel-pfkey plugin optionally installs routes via internal
|
|
||||||
interface (one with an IP in the local traffic selector). On
|
|
||||||
FreeBSD, enabling this selects the correct source IP when
|
|
||||||
sending packets from the gateway itself (e811659323).
|
|
||||||
* SHA-2 based PRFs are supported in PKCS#8 files as generated by
|
|
||||||
OpenSSL 1.1 (#2574).
|
|
||||||
* The pki --verify tool may load CA certificates and CRLs from
|
|
||||||
directories.
|
|
||||||
* The IKE daemon now also switches to port 4500 if the remote
|
|
||||||
port is not 500 (e.g. because the remote maps the response to a
|
|
||||||
different port, as might happen on Azure), as long as the local
|
|
||||||
port is 500 (85bfab621d).
|
|
||||||
* Fixed an issue with DNS servers passed to NetworkManager in
|
|
||||||
charon-nm (ee8c25516a).
|
|
||||||
* Logged traffic selectors now always contain the protocol if
|
|
||||||
either protocol or port are set (a36d8097ed).
|
|
||||||
* Only the inbound SA/policy will be updated as reaction to IP
|
|
||||||
address changes for rekeyed CHILD_SAs that are kept around.
|
|
||||||
* The parser for strongswan.conf/swanctl.conf now accepts =
|
|
||||||
characters in values without having to put the value in quotes
|
|
||||||
(e.g. for Base64 encoded shared secrets).
|
|
||||||
- Rename strongswan-5.6.2-rpmlintrc to strongswan-rpmlintrc,
|
|
||||||
changing the version string on every version update makes no
|
|
||||||
sense.
|
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Apr 17 13:24:38 UTC 2018 - bjorn.lie@gmail.com
|
Wed Nov 13 13:51:38 UTC 2019 - Madhu Mohan Nelemane <mmnelemane@suse.com>
|
||||||
|
|
||||||
- Update to version 5.6.2:
|
- Added patch to fix vulnerability: CVE-2018-16151,CVE-2018-16152 (bsc#1107874)
|
||||||
* Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS
|
- Insufficient input validation in gmp plugin
|
||||||
signatures that was caused by insufficient input validation.
|
[+ 0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch]
|
||||||
One of the configurable parameters in algorithm identifier
|
|
||||||
structures for RSASSA-PSS signatures is the mask generation
|
|
||||||
function (MGF). Only MGF1 is currently specified for this
|
|
||||||
purpose. However, this in turn takes itself a parameter that
|
|
||||||
specifies the underlying hash function. strongSwan's parser did
|
|
||||||
not correctly handle the case of this parameter being absent,
|
|
||||||
causing an undefined data read. This vulnerability has been
|
|
||||||
registered as CVE-2018-6459.
|
|
||||||
* When rekeying IKEv2 IKE_SAs the previously negotiated DH group
|
|
||||||
will be reused, instead of using the first configured group,
|
|
||||||
which avoids an additional exchange if the peer previously
|
|
||||||
selected a different DH group via INVALID_KE_PAYLOAD notify.
|
|
||||||
The same is also done when rekeying CHILD_SAs except for the
|
|
||||||
first rekeying of the CHILD_SA that was created with the
|
|
||||||
IKE_SA, where no DH group was negotiated yet. Also, the
|
|
||||||
selected DH group is moved to the front in all sent proposals
|
|
||||||
that contain it and all proposals that don't are moved to the
|
|
||||||
back in order to convey the preference for this group to the
|
|
||||||
peer.
|
|
||||||
* Handling of MOBIKE task queuing has been improved. In
|
|
||||||
particular, the response to an address update (with NAT-D
|
|
||||||
payloads) is not ignored anymore if only an address list update
|
|
||||||
or DPD is queued as that could prevent updating the UDP
|
|
||||||
encapsulation in the kernel.
|
|
||||||
* On Linux, roam events may optionally be triggered by changes to
|
|
||||||
the routing rules, which can be useful if routing rules
|
|
||||||
(instead of e.g. route metrics) are used to switch from one to
|
|
||||||
another interface (i.e. from one to another routing table).
|
|
||||||
Since routing rules are currently not evaluated when doing
|
|
||||||
route lookups this is only useful if the kernel-based route
|
|
||||||
lookup is used (4664992f7d).
|
|
||||||
* The fallback drop policies installed to avoid traffic leaks
|
|
||||||
when replacing addresses in installed policies are now replaced
|
|
||||||
by temporary drop policies, which also prevent acquires because
|
|
||||||
we currently delete and reinstall IPsec SAs to update their
|
|
||||||
addresses (35ef1b032d).
|
|
||||||
* Access X.509 certificates held in non-volatile storage of a TPM
|
|
||||||
2.0 referenced via the NV index.
|
|
||||||
* Adding the --keyid parameter to pki --print allows to print
|
|
||||||
private keys or certificates stored in a smartcard or a TPM
|
|
||||||
2.0.
|
|
||||||
* Fixed proposal selection if a peer incorrectly sends DH groups
|
|
||||||
in the ESP proposal during IKE_AUTH and also if a DH group is
|
|
||||||
configured in the local ESP proposal and
|
|
||||||
charon.prefer_configured_proposals is disabled (d058fd3c32).
|
|
||||||
* The lookup for PSK secrets for IKEv1 has been improved for
|
|
||||||
certain scenarios (see #2497 for details).
|
|
||||||
* MSKs received via RADIUS are now padded to 64 bytes to avoid
|
|
||||||
compatibility issues with EAP-MSCHAPv2 and PRFs that have a
|
|
||||||
block size < 64 bytes (e.g. AES-XCBC-PRF-128, see 73cbce6013).
|
|
||||||
* The tpm_extendpcr command line tool extends a digest into a TPM
|
|
||||||
PCR.
|
|
||||||
* Ported the NetworkManager backend from the deprecated
|
|
||||||
libnm-glib to libnm.
|
|
||||||
* The save-keys debugging/development plugin saves IKE and/or ESP
|
|
||||||
keys to files compatible with Wireshark.
|
|
||||||
- Following upstreams port, replace NetworkManager-devel with
|
|
||||||
pkgconfig(libnm) BuildRequires.
|
|
||||||
- Refresh patches with quilt.
|
|
||||||
- Disable strongswan_fipsfilter.patch, needs rebase or dropping,
|
|
||||||
the file it patches no longer exists in tarball.
|
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Mar 16 08:55:10 UTC 2018 - mmnelemane@suse.com
|
Wed Mar 14 15:43:42 UTC 2018 - mmnelemane@suse.com
|
||||||
|
|
||||||
- Removed unused requires and macro calls(bsc#1083261)
|
- Removed unused requires and macro calls(bsc#1083261)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
|
||||||
Tue Oct 17 11:27:54 UTC 2017 - jengelh@inai.de
|
|
||||||
|
|
||||||
- Update summaries and descriptions. Trim filler words and
|
|
||||||
author list.
|
|
||||||
- Drop %if..%endif guards that are idempotent and do not affect
|
|
||||||
the build result.
|
|
||||||
- Replace old $RPM_ shell variables.
|
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Sep 5 17:10:11 CEST 2017 - ndas@suse.de
|
Tue Sep 5 17:10:11 CEST 2017 - ndas@suse.de
|
||||||
|
|
||||||
|
245
strongswan.spec
245
strongswan.spec
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package strongswan
|
# spec file for package strongswan
|
||||||
#
|
#
|
||||||
# Copyright (c) 2020 SUSE LLC
|
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -12,12 +12,12 @@
|
|||||||
# license that conforms to the Open Source Definition (Version 1.9)
|
# license that conforms to the Open Source Definition (Version 1.9)
|
||||||
# published by the Open Source Initiative.
|
# published by the Open Source Initiative.
|
||||||
|
|
||||||
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
Name: strongswan
|
Name: strongswan
|
||||||
Version: 5.8.2
|
Version: 5.6.0
|
||||||
Release: 0
|
Release: 0
|
||||||
%define upstream_version %{version}
|
%define upstream_version %{version}
|
||||||
%define strongswan_docdir %{_docdir}/%{name}
|
%define strongswan_docdir %{_docdir}/%{name}
|
||||||
@ -61,31 +61,33 @@ Release: 0
|
|||||||
%else
|
%else
|
||||||
%bcond_with systemd
|
%bcond_with systemd
|
||||||
%endif
|
%endif
|
||||||
Summary: IPsec-based VPN solution
|
Summary: OpenSource IPsec-based VPN Solution
|
||||||
License: GPL-2.0-or-later
|
License: GPL-2.0+
|
||||||
Group: Productivity/Networking/Security
|
Group: Productivity/Networking/Security
|
||||||
URL: https://www.strongswan.org/
|
Url: http://www.strongswan.org/
|
||||||
|
Requires: strongswan-ipsec = %{version}
|
||||||
Source0: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
|
Source0: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
|
||||||
Source1: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
|
Source1: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
|
||||||
Source2: %{name}.init.in
|
Source2: %{name}.init.in
|
||||||
Source3: %{name}-rpmlintrc
|
Source3: %{name}-%{version}-rpmlintrc
|
||||||
Source4: README.SUSE
|
Source4: README.SUSE
|
||||||
Source5: %{name}.keyring
|
Source5: %{name}.keyring
|
||||||
%if %{with fipscheck}
|
%if %{with fipscheck}
|
||||||
Source6: fipscheck.sh.in
|
Source6: fipscheck.sh.in
|
||||||
Source7: fips-enforce.conf
|
Source7: fips-enforce.conf
|
||||||
%endif
|
%endif
|
||||||
# Needs rebase
|
|
||||||
Patch1: %{name}_modprobe_syslog.patch
|
Patch1: %{name}_modprobe_syslog.patch
|
||||||
Patch2: %{name}_ipsec_service.patch
|
Patch2: %{name}_ipsec_service.patch
|
||||||
%if %{with fipscheck}
|
%if %{with fipscheck}
|
||||||
Patch3: %{name}_fipscheck.patch
|
Patch3: %{name}_fipscheck.patch
|
||||||
# Patch4 needs rebase, file it patches no longer exists in tarball.
|
|
||||||
Patch4: %{name}_fipsfilter.patch
|
Patch4: %{name}_fipsfilter.patch
|
||||||
%endif
|
%endif
|
||||||
Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
|
Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
|
||||||
# Needs rebase
|
|
||||||
Patch6: 0006-fix-compilation-error-by-adding-stdint.h.patch
|
Patch6: 0006-fix-compilation-error-by-adding-stdint.h.patch
|
||||||
|
Patch7: 0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch
|
||||||
|
Patch8: 0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch
|
||||||
|
Patch9: 0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch
|
||||||
|
Patch10: 0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
BuildRequires: bison
|
BuildRequires: bison
|
||||||
BuildRequires: curl-devel
|
BuildRequires: curl-devel
|
||||||
@ -109,11 +111,10 @@ BuildRequires: sqlite3-devel
|
|||||||
BuildRequires: libgcrypt-devel
|
BuildRequires: libgcrypt-devel
|
||||||
%endif
|
%endif
|
||||||
%if %{with nm}
|
%if %{with nm}
|
||||||
BuildRequires: pkgconfig(libnm)
|
BuildRequires: NetworkManager-devel
|
||||||
%endif
|
%endif
|
||||||
%if %{with systemd}
|
%if %{with systemd}
|
||||||
%{?systemd_requires}
|
%{?systemd_requires}
|
||||||
BuildRequires: pkgconfig(libsystemd)
|
|
||||||
%endif
|
%endif
|
||||||
BuildRequires: iptables
|
BuildRequires: iptables
|
||||||
%if %{with systemd}
|
%if %{with systemd}
|
||||||
@ -128,19 +129,19 @@ BuildRequires: automake
|
|||||||
BuildRequires: fipscheck
|
BuildRequires: fipscheck
|
||||||
%endif
|
%endif
|
||||||
BuildRequires: libtool
|
BuildRequires: libtool
|
||||||
Requires: strongswan-ipsec = %{version}
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
StrongSwan is an IPsec-based VPN solution for Linux.
|
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
|
||||||
|
|
||||||
* Implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
|
* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels
|
||||||
|
* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
|
||||||
* Fully tested support of IPv6 IPsec tunnel and transport connections
|
* Fully tested support of IPv6 IPsec tunnel and transport connections
|
||||||
* Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555)
|
* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555)
|
||||||
* Automatic insertion and deletion of IPsec-policy-based firewall rules
|
* Automatic insertion and deletion of IPsec-policy-based firewall rules
|
||||||
* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
|
* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
|
||||||
* NAT Traversal via UDP encapsulation and port floating (RFC 3947)
|
* NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
|
||||||
* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
|
* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
|
||||||
* Static virtual IP addresses and IKEv1 ModeConfig pull and push modes
|
* Static virtual IPs and IKEv1 ModeConfig pull and push modes
|
||||||
* XAUTH server and client functionality on top of IKEv1 Main Mode authentication
|
* XAUTH server and client functionality on top of IKEv1 Main Mode authentication
|
||||||
* Virtual IP address pool managed by IKE daemon or SQL database
|
* Virtual IP address pool managed by IKE daemon or SQL database
|
||||||
* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
|
* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
|
||||||
@ -157,32 +158,46 @@ StrongSwan is an IPsec-based VPN solution for Linux.
|
|||||||
* Modular plugins for crypto algorithms and relational database interfaces
|
* Modular plugins for crypto algorithms and relational database interfaces
|
||||||
* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
|
* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
|
||||||
* Optional built-in integrity and crypto tests for plugins and libraries
|
* Optional built-in integrity and crypto tests for plugins and libraries
|
||||||
* Linux desktop integration via the strongSwan NetworkManager applet
|
* Smooth Linux desktop integration via the strongSwan NetworkManager applet
|
||||||
|
|
||||||
This package triggers the installation of both, IKEv1 and IKEv2 daemons.
|
This package triggers the installation of both, IKEv1 and IKEv2 daemons.
|
||||||
|
|
||||||
|
Authors:
|
||||||
|
--------
|
||||||
|
Andreas Steffen
|
||||||
|
and others
|
||||||
|
|
||||||
%package doc
|
%package doc
|
||||||
Summary: Documentation for strongSwan
|
|
||||||
Group: Documentation/Man
|
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
Summary: OpenSource IPsec-based VPN Solution
|
||||||
|
Group: Productivity/Networking/Security
|
||||||
|
|
||||||
%description doc
|
%description doc
|
||||||
StrongSwan is an IPsec-based VPN solution for Linux.
|
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
|
||||||
|
|
||||||
This package provides the StrongSwan documentation.
|
This package provides the StrongSwan documentation.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Authors:
|
||||||
|
--------
|
||||||
|
Andreas Steffen
|
||||||
|
and others
|
||||||
|
|
||||||
%package libs0
|
%package libs0
|
||||||
Summary: strongSwan core libraries and basic plugins
|
Summary: OpenSource IPsec-based VPN Solution
|
||||||
Group: Productivity/Networking/Security
|
Group: Productivity/Networking/Security
|
||||||
Conflicts: strongswan < %{version}
|
Conflicts: strongswan < %{version}
|
||||||
|
|
||||||
%description libs0
|
%description libs0
|
||||||
StrongSwan is an IPsec-based VPN solution for Linux.
|
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
|
||||||
|
|
||||||
This package provides the strongswan library and plugins.
|
This package provides the strongswan library and plugins.
|
||||||
|
|
||||||
|
%if %{with fipscheck}
|
||||||
|
|
||||||
%package hmac
|
%package hmac
|
||||||
Summary: HMAC files for FIPS-140-2 integrity in strongSwan
|
Summary: HMAC files for FIPS-140-2 integrity
|
||||||
Group: Productivity/Networking/Security
|
Group: Productivity/Networking/Security
|
||||||
Requires: fipscheck
|
Requires: fipscheck
|
||||||
Requires: strongswan-ipsec = %{version}
|
Requires: strongswan-ipsec = %{version}
|
||||||
@ -195,8 +210,10 @@ _fipscheck helper script preforming the integrity checks before e.g.
|
|||||||
"ipsec start" action is executed, when FIPS-140-2 compliant operation
|
"ipsec start" action is executed, when FIPS-140-2 compliant operation
|
||||||
mode is enabled.
|
mode is enabled.
|
||||||
|
|
||||||
|
%endif
|
||||||
|
|
||||||
%package ipsec
|
%package ipsec
|
||||||
Summary: IPsec-based VPN solution
|
Summary: OpenSource IPsec-based VPN Solution
|
||||||
Group: Productivity/Networking/Security
|
Group: Productivity/Networking/Security
|
||||||
Requires: strongswan-libs0 = %{version}
|
Requires: strongswan-libs0 = %{version}
|
||||||
Provides: VPN
|
Provides: VPN
|
||||||
@ -206,83 +223,101 @@ Obsoletes: strongswan < %{version}
|
|||||||
Conflicts: freeswan openswan
|
Conflicts: freeswan openswan
|
||||||
|
|
||||||
%description ipsec
|
%description ipsec
|
||||||
StrongSwan is an IPsec-based VPN solution for Linux.
|
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
|
||||||
|
|
||||||
This package provides the /etc/init.d/ipsec service script and allows
|
This package provides the /etc/init.d/ipsec service script and allows
|
||||||
to maintain both IKEv1 and IKEv2 using the /etc/ipsec.conf and the
|
to maintain both, IKEv1 and IKEv2, using the /etc/ipsec.conf and the
|
||||||
/etc/ipsec.sectes files.
|
/etc/ipsec.sectes files.
|
||||||
|
|
||||||
|
%if %{with mysql}
|
||||||
|
|
||||||
%package mysql
|
%package mysql
|
||||||
Summary: MySQL plugin for strongSwan
|
Summary: OpenSource IPsec-based VPN Solution
|
||||||
Group: Productivity/Networking/Security
|
Group: Productivity/Networking/Security
|
||||||
Requires: strongswan-libs0 = %{version}
|
Requires: strongswan-libs0 = %{version}
|
||||||
|
|
||||||
%description mysql
|
%description mysql
|
||||||
StrongSwan is an IPsec-based VPN solution for Linux.
|
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
|
||||||
|
|
||||||
This package provides the strongswan mysql plugin.
|
This package provides the strongswan mysql plugin.
|
||||||
|
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{with sqlite}
|
||||||
|
|
||||||
%package sqlite
|
%package sqlite
|
||||||
Summary: SQLite plugin for strongSwan
|
Summary: OpenSource IPsec-based VPN Solution
|
||||||
Group: Productivity/Networking/Security
|
Group: Productivity/Networking/Security
|
||||||
Requires: strongswan-libs0 = %{version}
|
Requires: strongswan-libs0 = %{version}
|
||||||
|
|
||||||
%description sqlite
|
%description sqlite
|
||||||
StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
|
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
|
||||||
|
|
||||||
This package provides the strongswan sqlite plugin.
|
This package provides the strongswan sqlite plugin.
|
||||||
|
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{with nm}
|
||||||
|
|
||||||
%package nm
|
%package nm
|
||||||
Summary: NetworkManager plugin for strongSwan
|
Summary: OpenSource IPsec-based VPN Solution
|
||||||
Group: Productivity/Networking/Security
|
Group: Productivity/Networking/Security
|
||||||
Requires: strongswan-libs0 = %{version}
|
Requires: strongswan-libs0 = %{version}
|
||||||
|
|
||||||
%description nm
|
%description nm
|
||||||
StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
|
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
|
||||||
|
|
||||||
This package provides the NetworkManager plugin to control the
|
This package provides the NetworkManager plugin to control the
|
||||||
charon IKEv2 daemon through D-Bus, designed to work using the
|
charon IKEv2 daemon through D-Bus, designed to work using the
|
||||||
NetworkManager-strongswan graphical user interface.
|
NetworkManager-strongswan graphical user interface.
|
||||||
|
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{with tests}
|
||||||
|
|
||||||
%package tests
|
%package tests
|
||||||
Summary: Testing plugins for strongSwan
|
|
||||||
|
Summary: OpenSource IPsec-based VPN Solution
|
||||||
Group: Productivity/Networking/Security
|
Group: Productivity/Networking/Security
|
||||||
Requires: strongswan-libs0 = %{version}
|
Requires: strongswan-libs0 = %{version}
|
||||||
|
|
||||||
%description tests
|
%description tests
|
||||||
StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
|
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
|
||||||
|
|
||||||
This package provides the strongswan crypto test vectors plugin
|
This package provides the strongswan crypto test-vectors plugin
|
||||||
and the load testing plugin for IKEv2 daemon.
|
and the load testing plugin for IKEv2 daemon.
|
||||||
|
|
||||||
|
%endif
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n %{name}-%{upstream_version}
|
%setup -q -n %{name}-%{upstream_version}
|
||||||
# Needs rebase, file it patches no longer exists.
|
%patch1 -p0
|
||||||
#patch1 -p1
|
%patch2 -p0
|
||||||
%patch2 -p1
|
|
||||||
%if %{with fipscheck}
|
%if %{with fipscheck}
|
||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
# Needs rebase, file it patches no longer exists.
|
%patch4 -p1
|
||||||
#patch4 -p1
|
|
||||||
%endif
|
%endif
|
||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
# Needs rebase.
|
%patch6 -p1
|
||||||
#patch6 -p1
|
%patch7 -p1
|
||||||
|
%patch8 -p1
|
||||||
|
%patch9 -p1
|
||||||
|
%patch10 -p1
|
||||||
sed -e 's|@libexecdir@|%_libexecdir|g' \
|
sed -e 's|@libexecdir@|%_libexecdir|g' \
|
||||||
< %{_sourcedir}/strongswan.init.in \
|
< $RPM_SOURCE_DIR/strongswan.init.in \
|
||||||
> strongswan.init
|
> strongswan.init
|
||||||
%if %{with fipscheck}
|
%if %{with fipscheck}
|
||||||
sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \
|
sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \
|
||||||
-e 's|@IPSEC_LIBDIR@|%{_libdir}/ipsec|g' \
|
-e 's|@IPSEC_LIBDIR@|%{_libdir}/ipsec|g' \
|
||||||
-e 's|@IPSEC_SBINDIR@|%{_sbindir}|g' \
|
-e 's|@IPSEC_SBINDIR@|%{_sbindir}|g' \
|
||||||
-e 's|@IPSEC_BINDIR@|%{_bindir}|g' \
|
-e 's|@IPSEC_BINDIR@|%{_bindir}|g' \
|
||||||
< %{_sourcedir}/fipscheck.sh.in \
|
< $RPM_SOURCE_DIR/fipscheck.sh.in \
|
||||||
> _fipscheck
|
> _fipscheck
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%build
|
%build
|
||||||
CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"
|
CFLAGS="$RPM_OPT_FLAGS -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"
|
||||||
export CFLAGS
|
export RPM_OPT_FLAGS CFLAGS
|
||||||
autoreconf --force --install
|
autoreconf --force --install
|
||||||
%configure \
|
%configure \
|
||||||
%if %{with integrity}
|
%if %{with integrity}
|
||||||
@ -293,7 +328,6 @@ autoreconf --force --install
|
|||||||
--with-resolv-conf=%{_rundir}/%{name}/resolv.conf \
|
--with-resolv-conf=%{_rundir}/%{name}/resolv.conf \
|
||||||
--with-piddir=%{_rundir}/%{name} \
|
--with-piddir=%{_rundir}/%{name} \
|
||||||
%if %{with systemd}
|
%if %{with systemd}
|
||||||
--enable-systemd \
|
|
||||||
--with-systemdsystemunitdir=%{_unitdir} \
|
--with-systemdsystemunitdir=%{_unitdir} \
|
||||||
%endif
|
%endif
|
||||||
--enable-pkcs11 \
|
--enable-pkcs11 \
|
||||||
@ -378,24 +412,25 @@ autoreconf --force --install
|
|||||||
--enable-soup \
|
--enable-soup \
|
||||||
--enable-curl \
|
--enable-curl \
|
||||||
--disable-static
|
--disable-static
|
||||||
make %{?_smp_mflags}
|
make %{?_smp_mflags:%_smp_mflags}
|
||||||
|
|
||||||
%install
|
%install
|
||||||
install -d -m755 %{buildroot}/%{_sbindir}/
|
export RPM_BUILD_ROOT
|
||||||
install -d -m755 %{buildroot}/%{_sysconfdir}/ipsec.d/
|
install -d -m755 ${RPM_BUILD_ROOT}%{_sbindir}/
|
||||||
|
install -d -m755 ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.d/
|
||||||
%if %{with systemd}
|
%if %{with systemd}
|
||||||
ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rcstrongswan
|
ln -sf %_sbindir/service ${RPM_BUILD_ROOT}%_sbindir/rcstrongswan
|
||||||
%else
|
%else
|
||||||
install -d -m755 %{buildroot}/%{_sysconfdir}/init.d/
|
install -d -m755 ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/
|
||||||
install -m755 strongswan.init %{buildroot}/%{_sysconfdir}/init.d/ipsec
|
install -m755 strongswan.init ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ipsec
|
||||||
ln -s %{_sysconfdir}/init.d/ipsec %{buildroot}/%{_sbindir}/rcipsec
|
ln -s %{_sysconfdir}/init.d/ipsec ${RPM_BUILD_ROOT}%{_sbindir}/rcipsec
|
||||||
%endif
|
%endif
|
||||||
#
|
#
|
||||||
# Ensure, plugin -> library dependencies can be resolved
|
# Ensure, plugin -> library dependencies can be resolved
|
||||||
# (e.g. libtls) to avoid plugin segment checksum errors.
|
# (e.g. libtls) to avoid plugin segment checksum errors.
|
||||||
#
|
#
|
||||||
LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
|
LD_LIBRARY_PATH="$RPM_BUILD_ROOT-$$%{strongswan_libdir}" \
|
||||||
%make_install
|
make install DESTDIR="$RPM_BUILD_ROOT"
|
||||||
#
|
#
|
||||||
# checksums are calculated during make install using the
|
# checksums are calculated during make install using the
|
||||||
# installed binaries/libraries... but find-debuginfo.sh
|
# installed binaries/libraries... but find-debuginfo.sh
|
||||||
@ -406,23 +441,23 @@ LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
|
|||||||
%if %{with integrity}
|
%if %{with integrity}
|
||||||
%{?__debug_package:
|
%{?__debug_package:
|
||||||
if test -x %{_rpmconfigdir}/find-debuginfo.sh ; then
|
if test -x %{_rpmconfigdir}/find-debuginfo.sh ; then
|
||||||
cp -a "%{buildroot}" "%{buildroot}-$$"
|
cp -a "${RPM_BUILD_ROOT}" "${RPM_BUILD_ROOT}-$$"
|
||||||
RPM_BUILD_ROOT="%{buildroot}-$$" \
|
RPM_BUILD_ROOT="$RPM_BUILD_ROOT-$$" \
|
||||||
%{_rpmconfigdir}/find-debuginfo.sh \
|
%{_rpmconfigdir}/find-debuginfo.sh \
|
||||||
%{?_find_debuginfo_opts} "%{buildroot}-$$"
|
%{?_find_debuginfo_opts} "${RPM_BUILD_ROOT}-$$"
|
||||||
make -C src/checksum clean
|
make -C src/checksum clean
|
||||||
rm -f src/checksum/checksum_builder
|
rm -f src/checksum/checksum_builder
|
||||||
LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
|
LD_LIBRARY_PATH="$RPM_BUILD_ROOT-$$%{strongswan_libdir}" \
|
||||||
make -C src/checksum install DESTDIR="%{buildroot}-$$"
|
make -C src/checksum install DESTDIR="$RPM_BUILD_ROOT-$$"
|
||||||
mv "%{buildroot}-$$/%{strongswan_libdir}/libchecksum.so" \
|
mv "$RPM_BUILD_ROOT-$$%{strongswan_libdir}/libchecksum.so" \
|
||||||
"%{buildroot}/%{strongswan_libdir}/libchecksum.so"
|
"$RPM_BUILD_ROOT%{strongswan_libdir}/libchecksum.so"
|
||||||
rm -rf "%{buildroot}-$$"
|
rm -rf "${RPM_BUILD_ROOT}-$$"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
%endif
|
%endif
|
||||||
#
|
#
|
||||||
rm -f %{buildroot}/%{_sysconfdir}/ipsec.secrets
|
rm -f ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
|
||||||
cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets
|
cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
|
||||||
#
|
#
|
||||||
# ipsec.secrets
|
# ipsec.secrets
|
||||||
#
|
#
|
||||||
@ -432,47 +467,47 @@ cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets
|
|||||||
EOT
|
EOT
|
||||||
#
|
#
|
||||||
%if ! %{with mysql}
|
%if ! %{with mysql}
|
||||||
rm -f %{buildroot}/%{strongswan_templates}/database/sql/mysql.sql
|
rm -f $RPM_BUILD_ROOT%{strongswan_templates}/database/sql/mysql.sql
|
||||||
%endif
|
%endif
|
||||||
%if ! %{with sqlite}
|
%if ! %{with sqlite}
|
||||||
rm -f %{buildroot}/%{strongswan_templates}/database/sql/sqlite.sql
|
rm -f $RPM_BUILD_ROOT%{strongswan_templates}/database/sql/sqlite.sql
|
||||||
%endif
|
%endif
|
||||||
rm -f %{buildroot}/%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
|
rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
|
||||||
rm -f %{buildroot}/%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
|
rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
|
||||||
find %{buildroot}/%{strongswan_libdir} -type f -name "*.la" -delete
|
find $RPM_BUILD_ROOT%{strongswan_libdir} -type f -name "*.la" -delete
|
||||||
#
|
#
|
||||||
install -d -m755 %{buildroot}/%{strongswan_docdir}/
|
install -d -m755 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
|
||||||
install -c -m644 TODO NEWS README COPYING LICENSE \
|
install -c -m644 TODO NEWS README COPYING LICENSE \
|
||||||
AUTHORS ChangeLog \
|
AUTHORS ChangeLog \
|
||||||
%{buildroot}/%{strongswan_docdir}/
|
${RPM_BUILD_ROOT}%{strongswan_docdir}/
|
||||||
install -c -m644 %{_sourcedir}/README.SUSE \
|
install -c -m644 ${RPM_SOURCE_DIR}/README.SUSE \
|
||||||
%{buildroot}/%{strongswan_docdir}/
|
${RPM_BUILD_ROOT}%{strongswan_docdir}/
|
||||||
%if %{with systemd}
|
%if %{with systemd}
|
||||||
install -d -m 0755 %{buildroot}%{_tmpfilesdir}
|
%{__install} -d -m 0755 %{buildroot}%{_tmpfilesdir}
|
||||||
echo 'd %{_rundir}/%{name} 0770 root root' > %{buildroot}%{_tmpfilesdir}/%{name}.conf
|
echo 'd %{_rundir}/%{name} 0770 root root' > %{buildroot}%{_tmpfilesdir}/%{name}.conf
|
||||||
%endif
|
%endif
|
||||||
%if %{with fipscheck}
|
%if %{with fipscheck}
|
||||||
#
|
#
|
||||||
# note: keep the following, _fipscheck's and file lists in sync
|
# note: keep the following, _fipscheck's and file lists in sync
|
||||||
#
|
#
|
||||||
install -c -m750 _fipscheck %{buildroot}/%{_libexecdir}/ipsec/
|
install -c -m750 _fipscheck ${RPM_BUILD_ROOT}%{_libexecdir}/ipsec/
|
||||||
install -c -m644 %{_sourcedir}/fips-enforce.conf \
|
install -c -m644 ${RPM_SOURCE_DIR}/fips-enforce.conf \
|
||||||
%{buildroot}/%{strongswan_configs}/charon/zzz_fips-enforce.conf
|
${RPM_BUILD_ROOT}%{strongswan_configs}/charon/zzz_fips-enforce.conf
|
||||||
# create fips hmac hashes _after_ install post run
|
# create fips hmac hashes _after_ install post run
|
||||||
%{expand:%%global __os_install_post {%__os_install_post
|
%{expand:%%global __os_install_post {%__os_install_post
|
||||||
for f in %{buildroot}/%{strongswan_libdir}/lib*.so.*.*.* \
|
for f in $RPM_BUILD_ROOT%{strongswan_libdir}/lib*.so.*.*.* \
|
||||||
%{buildroot}/%{strongswan_libdir}/imcvs/*.so \
|
$RPM_BUILD_ROOT%{strongswan_libdir}/imcvs/*.so \
|
||||||
%{buildroot}/%{strongswan_plugins}/*.so \
|
$RPM_BUILD_ROOT%{strongswan_plugins}/*.so \
|
||||||
%{buildroot}/%{_libexecdir}/ipsec/charon \
|
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/charon \
|
||||||
%{buildroot}/%{_libexecdir}/ipsec/charon-nm \
|
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/charon-nm \
|
||||||
%{buildroot}/%{_libexecdir}/ipsec/stroke \
|
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/stroke \
|
||||||
%{buildroot}/%{_libexecdir}/ipsec/starter \
|
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/starter \
|
||||||
%{buildroot}/%{_libexecdir}/ipsec/pool \
|
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/pool \
|
||||||
%{buildroot}/%{_libexecdir}/ipsec/scepclient \
|
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/scepclient \
|
||||||
%{buildroot}/%{_libexecdir}/ipsec/imv_policy_manager \
|
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/imv_policy_manager \
|
||||||
%{buildroot}/%{_libexecdir}/ipsec/_fipscheck \
|
$RPM_BUILD_ROOT%{_libexecdir}/ipsec/_fipscheck \
|
||||||
%{buildroot}/%{_bindir}/pt-tls-client \
|
$RPM_BUILD_ROOT%{_bindir}/pt-tls-client \
|
||||||
%{buildroot}/%{_sbindir}/ipsec \
|
$RPM_BUILD_ROOT%{_sbindir}/ipsec \
|
||||||
;
|
;
|
||||||
do
|
do
|
||||||
/usr/bin/fipshmac "$f"
|
/usr/bin/fipshmac "$f"
|
||||||
@ -483,7 +518,7 @@ install -c -m644 %{_sourcedir}/fips-enforce.conf \
|
|||||||
%post libs0
|
%post libs0
|
||||||
/sbin/ldconfig
|
/sbin/ldconfig
|
||||||
%{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/%{name}.conf}
|
%{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/%{name}.conf}
|
||||||
%{!?tmpfiles_create:test -d %{_rundir}/%{name} || mkdir -p %{_rundir}/%{name}}
|
%{!?tmpfiles_create:test -d %{_rundir}/%{name} || %{__mkdir_p} %{_rundir}/%{name}}
|
||||||
|
|
||||||
%postun libs0 -p /sbin/ldconfig
|
%postun libs0 -p /sbin/ldconfig
|
||||||
|
|
||||||
@ -557,11 +592,9 @@ fi
|
|||||||
%dir %{_sysconfdir}/ipsec.d/ocspcerts
|
%dir %{_sysconfdir}/ipsec.d/ocspcerts
|
||||||
%dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
|
%dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
|
||||||
%if %{with systemd}
|
%if %{with systemd}
|
||||||
%{_unitdir}/strongswan-starter.service
|
|
||||||
%{_unitdir}/strongswan.service
|
%{_unitdir}/strongswan.service
|
||||||
%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
|
%{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf
|
||||||
%{_sbindir}/rcstrongswan
|
%{_sbindir}/rcstrongswan
|
||||||
%{_sbindir}/charon-systemd
|
|
||||||
%else
|
%else
|
||||||
%config %{_sysconfdir}/init.d/ipsec
|
%config %{_sysconfdir}/init.d/ipsec
|
||||||
%{_sbindir}/rcipsec
|
%{_sbindir}/rcipsec
|
||||||
@ -582,7 +615,6 @@ fi
|
|||||||
%if %{with test}
|
%if %{with test}
|
||||||
%{_libexecdir}/ipsec/conftest
|
%{_libexecdir}/ipsec/conftest
|
||||||
%endif
|
%endif
|
||||||
%{_libexecdir}/ipsec/xfrmi
|
|
||||||
%{_libexecdir}/ipsec/duplicheck
|
%{_libexecdir}/ipsec/duplicheck
|
||||||
%{_libexecdir}/ipsec/pool
|
%{_libexecdir}/ipsec/pool
|
||||||
%{_libexecdir}/ipsec/scepclient
|
%{_libexecdir}/ipsec/scepclient
|
||||||
@ -592,7 +624,6 @@ fi
|
|||||||
%{_libexecdir}/ipsec/_imv_policy
|
%{_libexecdir}/ipsec/_imv_policy
|
||||||
%{_libexecdir}/ipsec/imv_policy_manager
|
%{_libexecdir}/ipsec/imv_policy_manager
|
||||||
%dir %{strongswan_plugins}
|
%dir %{strongswan_plugins}
|
||||||
%{strongswan_plugins}/libstrongswan-drbg.so
|
|
||||||
%{strongswan_plugins}/libstrongswan-stroke.so
|
%{strongswan_plugins}/libstrongswan-stroke.so
|
||||||
%{strongswan_plugins}/libstrongswan-updown.so
|
%{strongswan_plugins}/libstrongswan-updown.so
|
||||||
|
|
||||||
@ -619,9 +650,6 @@ fi
|
|||||||
%dir %{strongswan_configs}
|
%dir %{strongswan_configs}
|
||||||
%dir %{strongswan_configs}/charon
|
%dir %{strongswan_configs}/charon
|
||||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf
|
||||||
%if %{with systemd}
|
|
||||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-systemd.conf
|
|
||||||
%endif
|
|
||||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf
|
||||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf
|
||||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf
|
||||||
@ -632,9 +660,7 @@ fi
|
|||||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf
|
||||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf
|
||||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
|
||||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/counters.conf
|
|
||||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf
|
||||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/drbg.conf
|
|
||||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf
|
||||||
%if %{with afalg}
|
%if %{with afalg}
|
||||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/af-alg.conf
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/af-alg.conf
|
||||||
@ -688,7 +714,6 @@ fi
|
|||||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf
|
||||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf
|
||||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf
|
||||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mgf1.conf
|
|
||||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf
|
||||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf
|
||||||
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf
|
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf
|
||||||
@ -760,7 +785,6 @@ fi
|
|||||||
%{strongswan_plugins}/libstrongswan-ccm.so
|
%{strongswan_plugins}/libstrongswan-ccm.so
|
||||||
%{strongswan_plugins}/libstrongswan-certexpire.so
|
%{strongswan_plugins}/libstrongswan-certexpire.so
|
||||||
%{strongswan_plugins}/libstrongswan-cmac.so
|
%{strongswan_plugins}/libstrongswan-cmac.so
|
||||||
%{strongswan_plugins}/libstrongswan-counters.so
|
|
||||||
%{strongswan_plugins}/libstrongswan-constraints.so
|
%{strongswan_plugins}/libstrongswan-constraints.so
|
||||||
%{strongswan_plugins}/libstrongswan-coupling.so
|
%{strongswan_plugins}/libstrongswan-coupling.so
|
||||||
%{strongswan_plugins}/libstrongswan-ctr.so
|
%{strongswan_plugins}/libstrongswan-ctr.so
|
||||||
@ -803,7 +827,6 @@ fi
|
|||||||
%{strongswan_plugins}/libstrongswan-led.so
|
%{strongswan_plugins}/libstrongswan-led.so
|
||||||
%{strongswan_plugins}/libstrongswan-md4.so
|
%{strongswan_plugins}/libstrongswan-md4.so
|
||||||
%{strongswan_plugins}/libstrongswan-md5.so
|
%{strongswan_plugins}/libstrongswan-md5.so
|
||||||
%{strongswan_plugins}/libstrongswan-mgf1.so
|
|
||||||
%{strongswan_plugins}/libstrongswan-nonce.so
|
%{strongswan_plugins}/libstrongswan-nonce.so
|
||||||
%{strongswan_plugins}/libstrongswan-openssl.so
|
%{strongswan_plugins}/libstrongswan-openssl.so
|
||||||
%{strongswan_plugins}/libstrongswan-pem.so
|
%{strongswan_plugins}/libstrongswan-pem.so
|
||||||
@ -862,7 +885,6 @@ fi
|
|||||||
%{strongswan_templates}/config/plugins/ccm.conf
|
%{strongswan_templates}/config/plugins/ccm.conf
|
||||||
%{strongswan_templates}/config/plugins/certexpire.conf
|
%{strongswan_templates}/config/plugins/certexpire.conf
|
||||||
%{strongswan_templates}/config/plugins/cmac.conf
|
%{strongswan_templates}/config/plugins/cmac.conf
|
||||||
%{strongswan_templates}/config/plugins/counters.conf
|
|
||||||
%{strongswan_templates}/config/plugins/constraints.conf
|
%{strongswan_templates}/config/plugins/constraints.conf
|
||||||
%{strongswan_templates}/config/plugins/coupling.conf
|
%{strongswan_templates}/config/plugins/coupling.conf
|
||||||
%{strongswan_templates}/config/plugins/ctr.conf
|
%{strongswan_templates}/config/plugins/ctr.conf
|
||||||
@ -870,7 +892,6 @@ fi
|
|||||||
%{strongswan_templates}/config/plugins/des.conf
|
%{strongswan_templates}/config/plugins/des.conf
|
||||||
%{strongswan_templates}/config/plugins/dhcp.conf
|
%{strongswan_templates}/config/plugins/dhcp.conf
|
||||||
%{strongswan_templates}/config/plugins/dnskey.conf
|
%{strongswan_templates}/config/plugins/dnskey.conf
|
||||||
%{strongswan_templates}/config/plugins/drbg.conf
|
|
||||||
%{strongswan_templates}/config/plugins/duplicheck.conf
|
%{strongswan_templates}/config/plugins/duplicheck.conf
|
||||||
%{strongswan_templates}/config/plugins/eap-aka-3gpp2.conf
|
%{strongswan_templates}/config/plugins/eap-aka-3gpp2.conf
|
||||||
%{strongswan_templates}/config/plugins/eap-aka.conf
|
%{strongswan_templates}/config/plugins/eap-aka.conf
|
||||||
@ -906,7 +927,6 @@ fi
|
|||||||
%{strongswan_templates}/config/plugins/led.conf
|
%{strongswan_templates}/config/plugins/led.conf
|
||||||
%{strongswan_templates}/config/plugins/md4.conf
|
%{strongswan_templates}/config/plugins/md4.conf
|
||||||
%{strongswan_templates}/config/plugins/md5.conf
|
%{strongswan_templates}/config/plugins/md5.conf
|
||||||
%{strongswan_templates}/config/plugins/mgf1.conf
|
|
||||||
%{strongswan_templates}/config/plugins/nonce.conf
|
%{strongswan_templates}/config/plugins/nonce.conf
|
||||||
%{strongswan_templates}/config/plugins/openssl.conf
|
%{strongswan_templates}/config/plugins/openssl.conf
|
||||||
%{strongswan_templates}/config/plugins/pem.conf
|
%{strongswan_templates}/config/plugins/pem.conf
|
||||||
@ -946,9 +966,6 @@ fi
|
|||||||
%{strongswan_templates}/config/plugins/xcbc.conf
|
%{strongswan_templates}/config/plugins/xcbc.conf
|
||||||
%{strongswan_templates}/config/plugins/curve25519.conf
|
%{strongswan_templates}/config/plugins/curve25519.conf
|
||||||
%{strongswan_templates}/config/plugins/vici.conf
|
%{strongswan_templates}/config/plugins/vici.conf
|
||||||
%if %{with systemd}
|
|
||||||
%{strongswan_templates}/config/strongswan.d/charon-systemd.conf
|
|
||||||
%endif
|
|
||||||
%{strongswan_templates}/config/strongswan.d/charon-logging.conf
|
%{strongswan_templates}/config/strongswan.d/charon-logging.conf
|
||||||
%{strongswan_templates}/config/strongswan.d/charon.conf
|
%{strongswan_templates}/config/strongswan.d/charon.conf
|
||||||
%{strongswan_templates}/config/strongswan.d/imcv.conf
|
%{strongswan_templates}/config/strongswan.d/imcv.conf
|
||||||
|
@ -1,8 +1,6 @@
|
|||||||
Index: strongswan-5.6.2/init/systemd/strongswan.service.in
|
--- init/systemd/strongswan.service.in
|
||||||
===================================================================
|
+++ init/systemd/strongswan.service.in 2012/10/31 15:21:11
|
||||||
--- strongswan-5.6.2.orig/init/systemd-starter/strongswan-starter.service.in 2017-02-07 08:04:04.000000000 +0100
|
@@ -8,3 +8,4 @@ StandardOutput=syslog
|
||||||
+++ strongswan-5.6.2/init/systemd-starter/strongswan-starter.service.in 2018-04-17 16:53:57.546334751 +0200
|
|
||||||
@@ -9,3 +9,4 @@ Restart=on-abnormal
|
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
@ -1,7 +1,5 @@
|
|||||||
Index: strongswan-5.6.2/src/starter/klips.c
|
--- src/starter/klips.c
|
||||||
===================================================================
|
+++ src/starter/klips.c 2012/10/30 17:07:23
|
||||||
--- strongswan-5.6.2.orig/src/starter/klips.c 2016-04-22 22:01:35.000000000 +0200
|
|
||||||
+++ strongswan-5.6.2/src/starter/klips.c 2018-04-17 16:53:57.534334655 +0200
|
|
||||||
@@ -30,7 +30,7 @@ bool starter_klips_init(void)
|
@@ -30,7 +30,7 @@ bool starter_klips_init(void)
|
||||||
/* ipsec module makes the pf_key proc interface visible */
|
/* ipsec module makes the pf_key proc interface visible */
|
||||||
if (stat(PROC_MODULES, &stb) == 0)
|
if (stat(PROC_MODULES, &stb) == 0)
|
||||||
@ -24,11 +22,9 @@ Index: strongswan-5.6.2/src/starter/klips.c
|
|||||||
|
|
||||||
DBG2(DBG_APP, "found KLIPS IPsec stack");
|
DBG2(DBG_APP, "found KLIPS IPsec stack");
|
||||||
return TRUE;
|
return TRUE;
|
||||||
Index: strongswan-5.6.2/src/starter/netkey.c
|
--- src/starter/netkey.c
|
||||||
===================================================================
|
+++ src/starter/netkey.c 2012/10/30 17:07:02
|
||||||
--- strongswan-5.6.2.orig/src/starter/netkey.c 2016-04-22 22:01:35.000000000 +0200
|
@@ -31,7 +31,7 @@ bool starter_netkey_init(void)
|
||||||
+++ strongswan-5.6.2/src/starter/netkey.c 2018-04-17 16:53:57.534334655 +0200
|
|
||||||
@@ -30,7 +30,7 @@ bool starter_netkey_init(void)
|
|
||||||
/* af_key module makes the netkey proc interface visible */
|
/* af_key module makes the netkey proc interface visible */
|
||||||
if (stat(PROC_MODULES, &stb) == 0)
|
if (stat(PROC_MODULES, &stb) == 0)
|
||||||
{
|
{
|
||||||
@ -37,7 +33,7 @@ Index: strongswan-5.6.2/src/starter/netkey.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* now test again */
|
/* now test again */
|
||||||
@@ -44,11 +44,11 @@ bool starter_netkey_init(void)
|
@@ -45,11 +45,11 @@ bool starter_netkey_init(void)
|
||||||
/* make sure that all required IPsec modules are loaded */
|
/* make sure that all required IPsec modules are loaded */
|
||||||
if (stat(PROC_MODULES, &stb) == 0)
|
if (stat(PROC_MODULES, &stb) == 0)
|
||||||
{
|
{
|
||||||
|
Loading…
Reference in New Issue
Block a user