jengelh/strongswan
SHA256
1
0
Fork 3
forked from pool/strongswan
Code Pull Requests Activity

Compare commits

base: jengelh:master
Branches Tags
jengelh:master jengelh:factory pool:factory pool:devel
..
compare: pool:factory
Branches Tags
pool:factory pool:devel jengelh:master jengelh:factory

8 Commits
master ... factory

Author SHA256 Message Date
Ana Guerrero
802d0e048c Accepting request 1230634 from network:vpn 
- /usr/sbin/ipsec is deprecated since 5.2.0 and will be removed
  in the future.
- Update to release 6.0.0

OBS-URL: https://build.opensuse.org/request/show/1230634
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=98
 2024-12-13 21:32:58 +00:00
OBS User unknown
c46ce1c107 [info=46bea0264513c39e6ae4994587410457fe0ffb8fe1ccbd431d7a7fd338768f89] 
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=170
 2024-12-12 11:34:16 +00:00
OBS User unknown
c84335ac47 [info=b5f8ae4845d00301e89e2a40f6c81bebfa4e2b7b8a99130d3c88883de90aca08] 
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=169
 2024-12-04 01:21:18 +00:00
OBS User unknown
aa0b45e732 [info=abdc3edde3ca7173e4de70715f39c695bb0e08687724782c783ece5161de4ad1] 
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=168
 2024-12-04 01:17:28 +00:00
Ana Guerrero
3bf0600596 Accepting request 1226518 from network:vpn 
- rename -hmac subpackage to -fips because it isn't providing
  the hmac files, it provides the configuration drop in to
  enforce fips mode.

OBS-URL: https://build.opensuse.org/request/show/1226518
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=97
 2024-11-27 21:05:20 +00:00
OBS User unknown
ef46e72ebe [info=da8f2965e2b2460d9eb4f7b25c3be52f7b60a42ab5b9bab48c984206a964d52e] 
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=167
 2024-11-26 12:59:57 +00:00
Jan Engelhardt
8c0cb384be [info=47ab1ca7708f6b09cc99afa33d7ec92c5e02aff2338545eedb72b0511ac25478] 
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=166
 2024-11-26 12:58:42 +00:00
Jan Engelhardt
cf0313df27 - rename -hmac subpackage to -fips because it isn't providing 
the hmac files, it provides the configuration drop in to
  enforce fips mode.

- Removes deprecated SysV support
- Added prf-plus-modularization.patch that outsources the IKE
- move file %{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
  to strongswan-nm subpackage, as it is needed for the
  NetworkManager plugin that uses strongswan-nm, not
- Removed unused requires and macro calls(bsc#1083261)
    improved oracle are not compatible with the earlier
    (wasn't the case since 5.0.0) and packets that have the flag
    also checked against IKEv2 signature schemes. If such
    constraints are used for certificate chain validation in
    transport mode connections coming over the same NAT device for
    Windows 7 IKEv2 clients, which announces its services over the
  * For the vici plugin a Python Egg has been added to allow
    Python applications to control or monitor the IKE daemon using
  * EAP server methods now can fulfill public key constraints,
- Fix build in factory
- Fix systemd unit dir
  from glibc
    IDr payload anymore.
  * Consistent logging of IKE and CHILD SAs at the audit (AUD) level.
  caused an INVALID_SYNTAX error on PowerPC platforms.
- Initial, unfinished package

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=165
 2024-11-26 12:56:29 +00:00
9 changed files with 72 additions and 111 deletions
Expand all files Collapse all files

4
_scmsync.obsinfo Normal file
View File

@@ -0,0 +1,4 @@
mtime: 1734001585
commit: 46bea0264513c39e6ae4994587410457fe0ffb8fe1ccbd431d7a7fd338768f89
url: https://src.opensuse.org/jengelh/strongswan
revision: master

3
build.specials.obscpio Normal file
View File

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:62325c078f84c3007f3e88be6d0258f3d5640ece9cb801076c8399991d05869a
size 256

31
init.patch Normal file
View File

@@ -0,0 +1,31 @@
From c58507ff186ae9cf014c0b54082c8bf74aef3219 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Tue, 3 Dec 2024 21:56:33 +0100
Subject: [PATCH] init: put strongswan-starter.service behind USE_FILE_CONFIG
References: https://github.com/strongswan/strongswan/pull/2553
stroke is no longer enabled by default, but the systemd unit
still is copied on `make install`. Fix that.
---
init/Makefile.am | 2 ++
1 file changed, 2 insertions(+)
diff --git a/init/Makefile.am b/init/Makefile.am
index 54c090cea..824ebd695 100644
--- a/init/Makefile.am
+++ b/init/Makefile.am
@@ -3,9 +3,11 @@ SUBDIRS =
if USE_LEGACY_SYSTEMD
if USE_CHARON
+if USE_FILE_CONFIG
SUBDIRS += systemd-starter
endif
endif
+endif
if USE_SYSTEMD
if USE_SWANCTL
--
2.47.1

BIN
strongswan-6.0.0.tar.bz2 (Stored with Git LFS) Normal file
View File

Binary file not shown.

14
strongswan-6.0.0.tar.bz2.sig Normal file
View File

@@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmdO+hMACgkQ30LBcLNN
undilgwAgiT5p2PyMhwSp4qo1EUX8+PWwJ9Plqz7TNCCdFJe3uYre3hM2K5hFey0
azrPrqZ2HWtBycH0gI4BFzUSVO8E4SZOBQnPH/g3bsFg9VU71ML30LdZYx+Lg7wK
7AaMxYhl7xIvfb4D8+ZpYV6bSDH0o2tRN5h5gPk4IECOTTRhsLWL89IL8xOXgNPj
ao0meIUNfvg6cl1uLFff/c7H7cAGSFsKPSWtMWLfK0PglW4LVJJvr5PhGsduVPsE
JwY2VAMVi1BI1Y7I1WxS7T1qEAXLKAuNHKJHgIvd3xvSM1Q197qFrGyuujDQV5Yn
Olp583ccs2LJbfmDQiPD/AHeDpikMMtBZ3Hk7Od3CqRVpeIDyBC0/oEwiascw6Q4
5SDclgEdL9jHU7Uo1Z9v+Ltn0lihGAkAsAMgJMFyfCFiB03yCXFQu34PK65ZoIk7
GN3XeUqu7sdmK7Tg4RbsrZ1P7J9TiFllMiu7noYVluhW4My68A76yHIbk66i8DwF
pzxPfTqH
=8zOA
-----END PGP SIGNATURE-----

BIN
strongswan-6.0.2.tar.bz2 (Stored with Git LFS)
View File

Binary file not shown.

14
strongswan-6.0.2.tar.bz2.sig
View File

@@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmhzZ7MACgkQ30LBcLNN
und9wQv+O2IUyvwR8T7+hDt9JIXcGWLdN6/gV42l0mR/KY5Yg18w57SQNbPqoIHq
OddaLAMmd2yRWtpSCd8eTjBJjuBq5h2LX3w5mdu7x97+Y3tI3QWUCG9zC9Sjiu3D
o+5KkRpUyXjWZ8068RMBVJ/zFXnybF5cCSqnC+NBDkRMoA6OjytgP+cVdPnO9GTY
f4rEiuu8DYrdVDGv2elvLihXzhRzfxgPRYHgO3KfwBWdhg0mS/CucVx3piUqoVjt
RR4XdyKpOU+Yh/ObACGTY3yIGxMKfKlsDbOVeH1xzlL8ZKRsRhB+GAuJ7Vz3wJRP
ZXcW+00ZXxichUfyUcd8fEiIpgcODIT0u19ZF62fqe1VL0ltGw+Uvdn1L6VEV/ZQ
VzGl6tByRpQegmw4/ElmYFynYnj7d8hQm9SZguX1d8DHg6Oyz3jRq13JBqKcuQYZ
ljLWqCH+FBWwdGyU4Oh7vhHdVHKoXU2g/LuUN7G0BfW6r7fVkQKcFvSZK/qf5CtC
Anpr4za4
=JGRz
-----END PGP SIGNATURE-----

75
strongswan.changes
View File

@@ -1,78 +1,3 @@
-------------------------------------------------------------------
Mon Jul 14 21:10:28 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
- Update to release 6.0.2
* Support for per-CPU SAs (RFC 9611) has been added on Linux
6.13+. The new per_cpu_sas setting enables the installation of
special trap policies (start_action=trap) that instruct the
kernel to consider the CPU from which a packet originates.
* Basic support for IP-TFS's (RFC 9347) new AGGFRAG mode has been
added on Linux 6.14+. It's similar to tunnel mode but allows
aggregating small IP packets into single ESP packets and
fragmenting large IP packets into multiple ESP packets.
* POSIX regular expressions are now supported to match remote
identities. They must start with an explicit type prefix,
followed by a caret character (^), and end with a dollar sign
($) to indicate an anchored pattern. Regular expressions are
always matched case insensitive against the string
representation of other identities, however, the type must
match as well.
* Switching configs based on EAP-Identities is supported. This
changes how configured EAP identities are used. Instead of
statically setting and using a configured remote.eap_id !=
%any, an EAP-Identity exchange is now always initiated (and
required). If the received identity doesn't match the
configuration, the peer config is switched to one with a
matching identity (wildcards and regular expressions are
supported for that match).
* ML-KEM is now supported via OpenSSL 3.5+ by the openssl plugin.
- Delete init.patch (merged), strongswan-gcc15-part1.patch
strongswan-gcc15-part2.patch, strongswan-gcc15-part3.patch
-------------------------------------------------------------------
Thu Jun 5 07:41:56 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
- Add pkgconfig(libxml-2.0) BuildRequire which was previously
implicitly pulled in through SOUP. Move everything else to
pkgconfig() symbols as well.
-------------------------------------------------------------------
Tue Jun 3 17:45:03 UTC 2025 - Michael Gorse <mgorse@suse.com>
- Disable soup fetcher. It is redundant with the curl fetcher, and
this allows us to drop the dependency on libsoup2.
-------------------------------------------------------------------
Tue May 6 14:01:21 UTC 2025 - Friedrich Haubensak <hsk17@mail.de>
- Add patches from upstream github.com/strongswan/strongswan
to fix gcc-15 compile-time errors:
* strongswan-gcc15-part1.patch
* strongswan-gcc15-part2.patch
* strongswan-gcc15-part3.patch
-------------------------------------------------------------------
Tue Mar 11 18:54:30 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
- Update to release 6.0.1
* The `dhcp` plugin has gained a new `interface_receive` option
* The `eap-radius` plugin hsa gained a new `source` option
* The NetworkManager plugin (charon-nm) received an option to
configure the local traffic selectors.
* The `ha` plugin now supports synchronizing IKE and Child SAs
with multiple key exchanges
* Self-signed root CAs that do not contain policies are now
excluded from policy validation.
* When deciding whether to send a DPD, inbound traffic on Child
SAs is now ignored unless UDP-encapsulation is used.
* When connecting to port 4500 or a custom server port, the
initial IKE_SA_INIT request is now sent from the NAT-T
socket.
* The NetworkManager backend (charon-nm) now enables
charon-nm.check_current_path to force a DPD after
connectivity changes without IP change.
- Ensure build recipe is POSIX sh compatible
-------------------------------------------------------------------
Tue Dec 3 15:59:06 UTC 2024 - Jan Engelhardt <jengelh@inai.de>

36
strongswan.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package strongswan
#
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -39,7 +39,7 @@
%bcond_without systemd
Name: strongswan
Version: 6.0.2
Version: 6.0.0
Release: 0
Summary: IPsec-based VPN solution
License: GPL-2.0-or-later
@@ -55,23 +55,24 @@ Source7: fips-enforce.conf
Patch2: %{name}_ipsec_service.patch
Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
Patch6: harden_strongswan.service.patch
Patch7: init.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bison
BuildRequires: curl-devel
BuildRequires: flex
BuildRequires: gmp-devel
BuildRequires: gperf
BuildRequires: iptables
BuildRequires: libcap-devel
BuildRequires: libopenssl-devel
BuildRequires: libtool
BuildRequires: openldap2-devel
BuildRequires: pam-devel
BuildRequires: pcsc-lite-devel
BuildRequires: pkg-config
BuildRequires: pkgconfig(ldap)
BuildRequires: pkgconfig(libcap)
BuildRequires: pkgconfig(libcrypto)
BuildRequires: pkgconfig(libcurl)
BuildRequires: pkgconfig(libpcsclite)
BuildRequires: pkgconfig(libsoup-2.4)
BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(libxml-2.0)
BuildRequires: pkgconfig(pam)
%if %{with mysql}
BuildRequires: libmysqlclient-devel
%endif
@@ -302,6 +303,7 @@ autoreconf --force --install
--enable-test-vectors \
%endif
--enable-ldap \
--enable-soup \
--enable-curl \
--enable-bypass-lan \
--disable-static
@@ -331,7 +333,7 @@ LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
%{_rpmconfigdir}/find-debuginfo.sh \
%{?_find_debuginfo_opts} "%{buildroot}-$$"
make -C src/checksum clean
rm -f src/checksum/checksum_builder
rm -f src/checksum/checksum_builder
LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
make -C src/checksum install DESTDIR="%{buildroot}-$$"
mv "%{buildroot}-$$/%{strongswan_libdir}/libchecksum.so" \
@@ -358,9 +360,8 @@ rm -f %{buildroot}/%{strongswan_templates}/database/sql/mysql.sql
%if ! %{with sqlite}
rm -f %{buildroot}/%{strongswan_templates}/database/sql/sqlite.sql
%endif
for i in charon hydra strongswan pttls radius simaka tls tnccs imcv; do
rm -fv %{buildroot}/%{strongswan_libdir}/lib$i.so
done
rm -f %{buildroot}/%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
rm -f %{buildroot}/%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
find %{buildroot}/%{strongswan_libdir} -type f -name "*.la" -delete
install -d -m755 %{buildroot}/%{strongswan_docdir}/
install -c -m644 TODO NEWS README COPYING LICENSE \
@@ -467,12 +468,9 @@ fi
%dir %{strongswan_configs}
%dir %{strongswan_configs}/charon
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-nm.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-systemd.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/imv_policy_manager.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/iptfs.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pool.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/tnc.conf
@@ -547,6 +545,7 @@ fi
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/revocation.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/smp.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/socket-default.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/soup.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sql.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sshkey.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-11.conf
@@ -654,6 +653,7 @@ fi
%{strongswan_plugins}/libstrongswan-revocation.so
%{strongswan_plugins}/libstrongswan-smp.so
%{strongswan_plugins}/libstrongswan-socket-default.so
%{strongswan_plugins}/libstrongswan-soup.so
%{strongswan_plugins}/libstrongswan-sql.so
%{strongswan_plugins}/libstrongswan-sshkey.so
%{strongswan_plugins}/libstrongswan-tnc-imc.so
@@ -749,6 +749,7 @@ fi
%{strongswan_templates}/config/plugins/revocation.conf
%{strongswan_templates}/config/plugins/smp.conf
%{strongswan_templates}/config/plugins/socket-default.conf
%{strongswan_templates}/config/plugins/soup.conf
%{strongswan_templates}/config/plugins/sql.conf
%{strongswan_templates}/config/plugins/sshkey.conf
%{strongswan_templates}/config/plugins/tnc-imc.conf
@@ -770,10 +771,7 @@ fi
%{strongswan_templates}/config/strongswan.d/charon-systemd.conf
%{strongswan_templates}/config/strongswan.d/charon-logging.conf
%{strongswan_templates}/config/strongswan.d/charon.conf
%{strongswan_templates}/config/strongswan.d/charon-nm.conf
%{strongswan_templates}/config/strongswan.d/imcv.conf
%{strongswan_templates}/config/strongswan.d/imv_policy_manager.conf
%{strongswan_templates}/config/strongswan.d/iptfs.conf
%{strongswan_templates}/config/strongswan.d/pki.conf
%{strongswan_templates}/config/strongswan.d/pool.conf
%{strongswan_templates}/config/strongswan.d/tnc.conf