parent
47413c56c2
commit
380fc5b493
@ -1,3 +0,0 @@
|
||||
addFilter('strongswan.* shlib-policy-missing-suffix')
|
||||
addFilter("strongswan.* incoherent-init-script-name ipsec")
|
||||
addFilter("strongswan.* devel-file-in-non-devel-package .*/usr/lib.*/ipsec/plugins")
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:4b9acc7a8d3f8b5b715472375d8f5baea92656a427352a9c40d898075230e09a
|
||||
size 2740464
|
@ -1,9 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1.4.9 (GNU/Linux)
|
||||
|
||||
iQCVAwUASc5e/tYbDnNAmVNZAQJZewP/Y6KYLbebalL3GNjqANG5hB7k/xSjIuSX
|
||||
txhYdqmYxKQhe9F4nd0/LGpuco+pBzT2d7evUoANUnytNPH4YBAq+6xKNnuCwAth
|
||||
LnqgfxFhp2Hn+IUrRDztD+Cl9wQqVzf3ld/mCGNY0epnMrvRvOhSPW+k8b2t3Hxn
|
||||
O5Jh906OVbI=
|
||||
=P088
|
||||
-----END PGP SIGNATURE-----
|
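--- a/strongswan-4.3.2-rpmlintrc
+++ b/strongswan-4.3.2-rpmlintrc
@@ -0,0 +1,4 @@
+addFilter("strongswan.* incoherent-init-script-name ipsec")
+addFilter('strongswan.* shlib-policy-missing-suffix')
+#addFilter("strongswan.* devel-file-in-non-devel-package .*/usr/lib.*/ipsec/plugins")
+#addFilter("strongswan.* unstripped-binary-or-object")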
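--- a/strongswan-4.3.2.tar.bz2
+++ b/strongswan-4.3.2.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d2dc584596dda758c6d3d84b292a6aa80bfb53f6178ad08aec1b59519cf9d9e9
+size 2639343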
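--- a/strongswan-4.3.2.tar.bz2.sig
+++ b/strongswan-4.3.2.tar.bz2.sig
@@ -0,0 +1,9 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+iQCVAwUASjtPmtYbDnNAmVNZAQIK4wQAqJnGiXmod2HenrCH9y1A/rinnVuLZ7TF
+s5/yBD3GN2xSnqQELlnPqkVxjNiLbTXhQs7mcmui1Zg9c53WRN09+oriGeHWhomf
+czxNDdsmbxgvR8SlRFr7cZOz0hs8FJ/wldASE6Nz54H7vUYFkxrYhk4lyN4GoolL
+S4dF7hGkTkY=
+=pMzJ
+-----END PGP SIGNATURE-----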
@ -1,42 +0,0 @@
|
||||
--- src/libfreeswan/optionsfrom.c
|
||||
+++ src/libfreeswan/optionsfrom.c
|
||||
@@ -31,7 +31,7 @@
|
||||
|
||||
static const char *dowork(const char *, int *, char ***, int);
|
||||
static const char *getanarg(FILE *, struct work *, char **);
|
||||
-static char *getline(FILE *, char *, size_t);
|
||||
+static char *my_getline(FILE *, char *, size_t);
|
||||
|
||||
/*
|
||||
- optionsfrom - add some options, taken from a file, to argc/argv
|
||||
@@ -149,7 +149,7 @@
|
||||
char *endp;
|
||||
|
||||
while (w->pending == NULL) { /* no pending line */
|
||||
- if ((w->line = getline(f, w->buf, sizeof(w->buf))) == NULL)
|
||||
+ if ((w->line = my_getline(f, w->buf, sizeof(w->buf))) == NULL)
|
||||
return "error in line read"; /* caller checks EOF */
|
||||
if (w->line[0] != '#' &&
|
||||
*(w->line + strspn(w->line, " \t")) != '\0')
|
||||
@@ -171,7 +171,7 @@
|
||||
if (*linep == NULL)
|
||||
return "out of memory for new line";
|
||||
strcpy(*linep, p);
|
||||
- } else /* getline already malloced it */
|
||||
+ } else /* my_getline already malloced it */
|
||||
*linep = p;
|
||||
return NULL;
|
||||
}
|
||||
@@ -203,10 +203,10 @@
|
||||
}
|
||||
|
||||
/*
|
||||
- - getline - read a line from the file, trim newline off
|
||||
+ - my_getline - read a line from the file, trim newline off
|
||||
*/
|
||||
static char * /* pointer to line, NULL for eof/error */
|
||||
-getline(f, buf, bufsize)
|
||||
+my_getline(f, buf, bufsize)
|
||||
FILE *f;
|
||||
char *buf; /* buffer to use, if convenient */
|
||||
size_t bufsize; /* size of buf */
|
@ -1,24 +0,0 @@
|
||||
commit 0a3ca29021ffe389ae4f7400ee05f42dcf384d6b
|
||||
Author: Martin Willi <martin@strongswan.org>
|
||||
Date: Tue May 12 17:13:09 2009 +0200
|
||||
|
||||
fixed cleanup of traffic selector lists
|
||||
|
||||
diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c
|
||||
index 382266f..6bf9e9d 100644
|
||||
--- a/src/charon/sa/tasks/child_create.c
|
||||
+++ b/src/charon/sa/tasks/child_create.c
|
||||
@@ -1126,11 +1126,11 @@ static void destroy(private_child_create_t *this)
|
||||
{
|
||||
chunk_free(&this->my_nonce);
|
||||
chunk_free(&this->other_nonce);
|
||||
- if (this->tsi)
|
||||
+ if (this->tsr)
|
||||
{
|
||||
this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
|
||||
}
|
||||
- if (this->tsr)
|
||||
+ if (this->tsi)
|
||||
{
|
||||
this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
|
||||
}
|
@ -1,22 +0,0 @@
|
||||
commit a627e31f463367d83be5814aff8ddbceb725f4ed
|
||||
Author: Martin Willi <martin@strongswan.org>
|
||||
Date: Thu May 7 15:53:45 2009 +0200
|
||||
|
||||
properly delete IKE_SA if IKE_SA_INIT processing failed
|
||||
|
||||
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
|
||||
index b8e8213..126011e 100644
|
||||
--- a/src/charon/sa/ike_sa.c
|
||||
+++ b/src/charon/sa/ike_sa.c
|
||||
@@ -1424,6 +1424,11 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
|
||||
exchange_type_names, message->get_exchange_type(message),
|
||||
message->get_request(message) ? "request" : "response",
|
||||
message->get_message_id(message));
|
||||
+
|
||||
+ if (this->state == IKE_CREATED)
|
||||
+ { /* invalid initiation attempt, close SA */
|
||||
+ return DESTROY_ME;
|
||||
+ }
|
||||
return status;
|
||||
}
|
||||
else
|
@ -1,3 +1,77 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 10 11:04:44 CEST 2009 - mt@suse.de
|
||||
|
||||
- Updated to strongSwan 4.3.2 release, that fixes two asn1 parser
|
||||
DoS vulnerabilities and provides several new features, e.g.:
|
||||
* The new gcrypt plugin provides symmetric cipher, hasher, RNG,
|
||||
Diffie-Hellman and RSA crypto primitives using the LGPL licensed
|
||||
GNU gcrypt library.
|
||||
* libstrongswan features an integrated crypto selftest framework
|
||||
for registered algorithms. The test-vector plugin provides a first
|
||||
set of test vectors and allows pluto and charon to rely on tested
|
||||
crypto algorithms.
|
||||
* pluto can now use all libstrongswan plugins with the exception
|
||||
of x509 and xcbc. Thanks to the openssl plugin, the ECP Diffie-
|
||||
Hellman groups 19, 20, 21, 25, and 26 as well as ECDSA-256,
|
||||
ECDSA-384, and ECDSA-521 authentication can be used with IKEv1.
|
||||
* Applying their fuzzing tool, the Orange Labs vulnerability
|
||||
research team found another two DoS vulnerabilities, one in the
|
||||
rather old ASN.1 parser of Relative Distinguished Names (RDNs)
|
||||
and a second one in the conversion of ASN.1 UTCTIME and
|
||||
GENERALIZEDTIME strings to a time_t value.
|
||||
* The nm plugin now passes DNS/NBNS server information to
|
||||
NetworkManager, allowing a gateway administrator to set DNS/NBNS
|
||||
configuration on clients dynamically.
|
||||
* The nm plugin also accepts CA certificates for gateway
|
||||
authentication. If a CA certificate is configured, strongSwan uses
|
||||
the entered gateway address as its idenitity, requiring the gateways
|
||||
certificate to contain the same as subjectAltName.
|
||||
This allows a gateway administrator to deploy the same
|
||||
certificates to Windows 7 and NetworkManager clients.
|
||||
* The command ipsec purgeike deletes IKEv2 SAs that don't have a
|
||||
CHILD SA.
|
||||
The command ipsec down <conn>{n} deletes CHILD SA instance n of
|
||||
connection <conn> whereas ipsec down <conn>{*} deletes all CHILD
|
||||
SA instances.
|
||||
The command ipsec down <conn>[n] deletes IKE SA instance n of
|
||||
connection <conn> plus dependent CHILD SAs whereas ipsec down
|
||||
<conn>[*] deletes all IKE SA instances of connection <conn>.
|
||||
* Fixed a regression introduced in 4.3.0 where EAP authentication
|
||||
calculated the AUTH payload incorrectly. Further, the EAP-MSCHAPv2
|
||||
MSK key derivation has been updated to be compatible with the
|
||||
Windows 7 Release Candidate.
|
||||
* Refactored installation of triggering policies. Routed policies
|
||||
are handled outside of IKE_SAs to keep them installed in any case.
|
||||
A tunnel gets established only once, even if initiation is delayed
|
||||
due network outages.
|
||||
* Improved the handling of multiple acquire signals triggered by
|
||||
the kernel.
|
||||
* Fixed two DoS vulnerabilities in the charon daemon that were
|
||||
discovered by fuzzing techniques:
|
||||
1) Sending a malformed IKE_SA_INIT request leaved an incomplete
|
||||
state which caused a null pointer dereference if a subsequent
|
||||
CREATE_CHILD_SA request was sent.
|
||||
2) Sending an IKE_AUTH request with either a missing TSi or TSr
|
||||
payload caused a null pointer derefence because the checks for
|
||||
TSi and TSr were interchanged.
|
||||
The IKEv2 fuzzer used was developped by the Orange Labs
|
||||
vulnerability research team. The tool was initially written
|
||||
by Gabriel Campana and is now maintained by Laurent Butti.
|
||||
* Added support for AES counter mode in ESP in IKEv2 using the
|
||||
proposal keywords aes128ctr, aes192ctr and aes256ctr.
|
||||
* Further progress in refactoring pluto: Use of the curl and ldap
|
||||
plugins for fetching crls and OCSP. Use of the random plugin to
|
||||
get keying material from /dev/random or /dev/urandom. Use of the
|
||||
openssl plugin as an alternative to the aes, des, sha1, sha2, and
|
||||
md5 plugins. The blowfish, twofish, and serpent encryption plugins
|
||||
are now optional and are not enabled by default.
|
||||
- Enabled new gcrypt plugin
|
||||
- Adopted spec file and modprobe to syslog patch
|
||||
- Removed obsolete getline glibc collision patch
|
||||
- Added patch to avoid library version for plugins (rpmlint).
|
||||
- Replaced update-dns-server patch with a --with-resolv-conf.
|
||||
- Removed restart_on_update from spec file (see bnc#450390).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jun 8 00:21:13 CEST 2009 - ro@suse.de
|
||||
|
||||
|
259
strongswan.spec
259
strongswan.spec
@ -1,5 +1,5 @@
|
||||
#
|
||||
# spec file for package strongswan (Version 4.2.14)
|
||||
# spec file for package strongswan (Version 4.3.2)
|
||||
#
|
||||
# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
#
|
||||
@ -19,10 +19,10 @@
|
||||
|
||||
|
||||
Name: strongswan
|
||||
%define upstream_version 4.2.14
|
||||
%define upstream_version 4.3.2
|
||||
%define strongswan_docdir %{_docdir}/%{name}
|
||||
Version: 4.2.14
|
||||
Release: 3
|
||||
Version: 4.3.2
|
||||
Release: 1
|
||||
License: GPL v2 or later
|
||||
Group: Productivity/Networking/Security
|
||||
Summary: StrongSwan -- OpenSource IPsec-based VPN Solution
|
||||
@ -37,22 +37,15 @@ Source0: http://download.strongswan.org/strongswan-%{upstream_version}.ta
|
||||
Source1: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
|
||||
Source2: %{name}.init.in
|
||||
Source3: %{name}-%{version}-rpmlintrc
|
||||
Patch1: %{name}_modprobe_syslog.dif
|
||||
Patch2: %{name}_update-dns-server.dif
|
||||
Patch3: %{name}-4.x.x_invalid_ike_state.patch
|
||||
Patch4: %{name}-4.x.x._swapped_ts_check.patch
|
||||
Patch5: strongswan-4.x.x-getline.patch
|
||||
Patch1: %{name}_modprobe_syslog.patch
|
||||
Patch2: %{name}_no_plugin_version.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
BuildRequires: bison flex gmp-devel gperf pkg-config
|
||||
%if 0%{?suse_version} >= 1030
|
||||
BuildRequires: libopenssl-devel libpcap-devel
|
||||
%else
|
||||
BuildRequires: libpcap openssl-devel
|
||||
%endif
|
||||
# --enable-curl
|
||||
BuildRequires: curl-devel
|
||||
# --enable-ldap
|
||||
BuildRequires: libcap-devel
|
||||
BuildRequires: libopenssl-devel
|
||||
BuildRequires: libgcrypt-devel
|
||||
BuildRequires: openldap2-devel
|
||||
BuildRequires: curl-devel
|
||||
|
||||
%description
|
||||
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
|
||||
@ -137,10 +130,13 @@ Authors:
|
||||
%prep
|
||||
%setup -q -n %{name}-%{upstream_version}
|
||||
%patch1 -p0
|
||||
# => no_plugin_version.patch creation cmd:
|
||||
#
|
||||
#find . -type f -name Makefile.am -exec \
|
||||
# grep -l 'la_LDFLAGS.*-module' \{\} \; | \
|
||||
# xargs -r sed -e "s/\(.*la_LDFLAGS.*-module.*\)/\1 -avoid-version/g" -i
|
||||
#
|
||||
%patch2 -p0
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5
|
||||
sed -e 's|@libexecdir@|%_libexecdir|g' \
|
||||
< $RPM_SOURCE_DIR/strongswan.init.in \
|
||||
> strongswan.init
|
||||
@ -152,11 +148,15 @@ libtoolize --force
|
||||
%{?suse_update_config:%{suse_update_config -f}}
|
||||
autoreconf
|
||||
%configure \
|
||||
--enable-smartcard --with-default-pkcs11=%{_libdir}/opensc-pkcs11.so \
|
||||
--enable-cisco-quirks \
|
||||
--enable-openssl \
|
||||
--enable-curl \
|
||||
--enable-ldap
|
||||
--with-capabilities=libcap \
|
||||
--with-resolv-conf=%{_localstatedir}/run/strongswan/resolv.conf \
|
||||
--enable-smartcard \
|
||||
--with-default-pkcs11=%{_libdir}/opensc-pkcs11.so \
|
||||
--enable-cisco-quirks \
|
||||
--enable-openssl \
|
||||
--enable-gcrypt \
|
||||
--enable-ldap \
|
||||
--enable-curl
|
||||
make %{?_smp_mflags:%_smp_mflags}
|
||||
|
||||
%install
|
||||
@ -186,6 +186,7 @@ find $RPM_BUILD_ROOT%{_libdir}/ipsec \
|
||||
install -m755 -d ${RPM_BUILD_ROOT}%{strongswan_docdir}/
|
||||
install -m644 TODO NEWS README COPYING CREDITS \
|
||||
${RPM_BUILD_ROOT}%{strongswan_docdir}/
|
||||
install -m755 -d $RPM_BUILD_ROOT%{_localstatedir}/run/strongswan
|
||||
|
||||
%clean
|
||||
if [ -n "$RPM_BUILD_ROOT" ] && [ "$RPM_BUILD_ROOT" != "/" ] ; then
|
||||
@ -207,7 +208,6 @@ fi
|
||||
|
||||
%postun
|
||||
%{run_ldconfig}
|
||||
%{restart_on_update ipsec}
|
||||
%{insserv_cleanup}
|
||||
|
||||
%files
|
||||
@ -235,6 +235,7 @@ fi
|
||||
%{_mandir}/man5/ipsec.conf.5*
|
||||
%{_mandir}/man5/ipsec.secrets.5*
|
||||
%{_mandir}/man8/ipsec.8*
|
||||
%dir %{_localstatedir}/run/strongswan
|
||||
|
||||
%files doc
|
||||
%defattr(-,root,root)
|
||||
@ -253,7 +254,6 @@ fi
|
||||
%{_mandir}/man3/initaddr.3*
|
||||
%{_mandir}/man3/initsubnet.3*
|
||||
%{_mandir}/man3/keyblobtoid.3*
|
||||
%{_mandir}/man3/optionsfrom.3*
|
||||
%{_mandir}/man3/portof.3*
|
||||
%{_mandir}/man3/prng.3*
|
||||
%{_mandir}/man3/rangetosubnet.3*
|
||||
@ -263,7 +263,6 @@ fi
|
||||
%{_mandir}/man3/ttodata.3*
|
||||
%{_mandir}/man3/ttosa.3*
|
||||
%{_mandir}/man3/ttoul.3*
|
||||
%{_mandir}/man3/version.3*
|
||||
%{_mandir}/man8/_copyright.8*
|
||||
%{_mandir}/man8/_updown.8*
|
||||
%{_mandir}/man8/_updown_espmark.8*
|
||||
@ -273,207 +272,3 @@ fi
|
||||
%{_mandir}/man8/starter.8*
|
||||
|
||||
%changelog
|
||||
* Mon Jun 08 2009 ro@suse.de
|
||||
- rename getline to my_getline to avoid collision with function
|
||||
from glibc
|
||||
* Tue Jun 02 2009 mt@suse.de
|
||||
- Applied fix for a Denial-of-Service vulnerability where receiving
|
||||
a malformed IKE_SA_INIT request leaves an incomplete state which
|
||||
causes a crash of the IKEv2 charon while dereferencing a NULL
|
||||
pointer if a subsequent CREATE_CHILD_SA is received (bnc#507742).
|
||||
- Applied fix for a Denial-of-Service vulnerability where receiving
|
||||
a malformed IKE_AUTH request with either a missing TSi or TSr
|
||||
traffic selector payload causes a crash of the IKEv2 charon while
|
||||
dereferencing a NULL pointer because the NULL pointer checks of
|
||||
TSi and TSr before destruction were erroneously swapped
|
||||
(bnc#507742).
|
||||
* Tue Mar 31 2009 mt@suse.de
|
||||
- Updated to strongSwan 4.2.14 release that fixes a grave DPD
|
||||
denial of service vulnerability registered as CVE-2009-0790,
|
||||
that had been slumbering in the code for many years:
|
||||
* A vulnerability in the Dead Peer Detection (RFC 3706) code
|
||||
was found by Gerd v. Egidy <gerd.von.egidy@intra2net.com> of
|
||||
Intra2net AG affecting all Openswan and strongSwan releases.
|
||||
A malicious (or expired ISAKMP) R_U_THERE or R_U_THERE_ACK
|
||||
Dead Peer Detection packet can cause the pluto IKE daemon to
|
||||
crash and restart. No authentication or encryption is required
|
||||
to trigger this bug. One spoofed UDP packet can cause the pluto
|
||||
IKE daemon to restart and be unresponsive for a few seconds
|
||||
while restarting. This DPD null state vulnerability has been
|
||||
officially registered as CVE-2009-0790 and is fixed by this
|
||||
release.
|
||||
* The new server-side EAP RADIUS plugin (--enable-eap-radius)
|
||||
relays EAP messages to and from a RADIUS server. Succesfully
|
||||
tested with with a freeradius server using EAP-MD5 and EAP-SIM.
|
||||
* ASN.1 to time_t conversion caused a time wrap-around for dates
|
||||
after Jan 18 03:14:07 UTC 2038 on 32-bit platforms.
|
||||
As a workaround such dates are set to the maximum representable
|
||||
time, i.e. Jan 19 03:14:07 UTC 2038.
|
||||
* Distinguished Names containing wildcards (*) are not sent in the
|
||||
IDr payload anymore.
|
||||
* Mon Oct 20 2008 mt@suse.de
|
||||
- Updated to 4.2.8 release:
|
||||
* IKEv2 charon daemon supports authentication based on raw public
|
||||
keys stored in the SQL database backend. The ipsec listpubkeys
|
||||
command lists the available raw public keys via the stroke
|
||||
interface.
|
||||
* Several MOBIKE improvements: Detect changes in NAT mappings in
|
||||
DPD exchanges, handle events if kernel detects NAT mapping changes
|
||||
in UDP-encapsulated ESP packets (requires kernel patch), reuse old
|
||||
addesses in MOBIKE updates as long as possible and other fixes.
|
||||
* Fixed a bug in addr_in_subnet() which caused insertion of wrong
|
||||
source routes for destination subnets having netwmasks not being a
|
||||
multiple of 8 bits. Thanks go to Wolfgang Steudel, TU Ilmenau for
|
||||
reporting this bug.
|
||||
* Tue Oct 14 2008 mt@suse.de
|
||||
- Applied fix for addr_in_subnet() extracted from strongswan-4.2.8
|
||||
which caused insertion of wrong source routes for destination
|
||||
subnets having netwmasks not being a multiple of 8 bits.
|
||||
Thanks go to Wolfgang Steudel, TU Ilmenau for reporting this bug.
|
||||
(bnc#435200)
|
||||
* Fri Oct 10 2008 mt@suse.de
|
||||
- Applied fix for a Denial-of-Service vulnerability where an
|
||||
IKE_SA_INIT message with a KE payload containing zeroes only can
|
||||
cause a crash of the IKEv2 charon daemon due to a NULL pointer
|
||||
returned by the mpz_export() function of the GNU Multi Precision
|
||||
(GMP) library. Thanks go to Mu Dynamics Research Labs for making
|
||||
us aware of this problem. (bnc#435194)
|
||||
* Thu Aug 28 2008 mt@suse.de
|
||||
- Fixed to use --enable-curl instead of --enable-http as before
|
||||
- Enabled the OpenSSL crypto plugin in the spec file.
|
||||
* Thu Aug 28 2008 mt@suse.de
|
||||
- Updated to 4.2.6 release, fixing bugs and offering a lot of new
|
||||
features comparing to the last version provided by this package.
|
||||
Most important are:
|
||||
* A NetworkManager plugin allows GUI-based configuration of
|
||||
road-warrior clients in a simple way. It features X509 based
|
||||
gateway authentication and EAP client authentication, tunnel
|
||||
setup/teardown and storing passwords in the Gnome Keyring.
|
||||
* A new EAP-GTC plugin implements draft-sheffer-ikev2-gtc-00.txt
|
||||
and allows username/password authentication against any PAM
|
||||
service on the gateway. The new EAP method interacts nicely with
|
||||
the NetworkManager plugin and allows client authentication against
|
||||
e.g. LDAP.
|
||||
* Improved support for the EAP-Identity method. The new ipsec.conf
|
||||
eap_identity parameter defines an additional identity to pass to
|
||||
the server in EAP authentication.
|
||||
* Fixed two multithreading deadlocks occurring when starting up
|
||||
several hundred tunnels concurrently.
|
||||
* Fixed the --enable-integrity-test configure option which
|
||||
computes a SHA-1 checksum over the libstrongswan library.
|
||||
* Consistent logging of IKE and CHILD SAs at the audit (AUD) level.
|
||||
* Improved the performance of the SQL-based virtual IP address pool
|
||||
by introducing an additional addresses table. The leases table
|
||||
storing only history information has become optional and can be
|
||||
disabled by setting charon.plugins.sql.lease_history = no in
|
||||
strongswan.conf.
|
||||
* The XFRM_STATE_AF_UNSPEC flag added to xfrm.h allows IPv4-over-IPv6
|
||||
and IPv6-over-IPv4 tunnels with the 2.6.26 and later Linux kernels.
|
||||
* management of different virtual IP pools for different network
|
||||
interfaces have become possible.
|
||||
* fixed a bug which prevented the assignment of more than 256
|
||||
virtual IP addresses from a pool managed by an sql database.
|
||||
* fixed a bug which did not delete own IPCOMP SAs in the kernel.
|
||||
* The openssl plugin supports the elliptic curve Diffie-Hellman
|
||||
groups 19, 20, 21, 25, and 26 and ECDSA authentication using
|
||||
elliptic curve X.509 certificates.
|
||||
* Fixed a bug in stroke which caused multiple charon threads to
|
||||
close the file descriptors during packet transfers over the stroke
|
||||
socket.
|
||||
* ESP sequence numbers are now migrated in IPsec SA updates handled
|
||||
by MOBIKE. Works only with Linux kernels >= 2.6.17.
|
||||
* Fixed a number of minor bugs that where discovered during the 4th
|
||||
IKEv2 interoperability workshop in San Antonio, TX.
|
||||
* Plugins for libstrongswan and charon can optionally be loaded
|
||||
according to a configuration in strongswan.conf. Most components
|
||||
provide a "load = " option followed by a space separated list of
|
||||
plugins to load. This allows e.g. the fallback from a hardware
|
||||
crypto accelerator to to software-based crypto plugins.
|
||||
* Charons SQL plugin has been extended by a virtual IP address pool.
|
||||
Configurations with a rightsourceip=%%poolname setting query a
|
||||
SQLite or MySQL database for leases. The "ipsec pool" command helps
|
||||
in administrating the pool database. See ipsec pool --help for the
|
||||
available options
|
||||
* The Authenticated Encryption Algorithms AES-CCM-8/12/16 and
|
||||
AES-GCM-8/12/16 for ESP are now supported starting with the Linux
|
||||
2.6.25 kernel. The syntax is e.g. esp=aes128ccm12 or esp=aes256gcm16.
|
||||
- Added patch disabling direct modifications of resolv.conf; has to
|
||||
be replaced by a netconfig call.
|
||||
- Added patch adding a missed file name argument in printf call in the
|
||||
scripts/thread_analysis.c file -- resulting binary is not installed.
|
||||
- Removed obsolete patches crash_badcfg_reload and old-caps-version.
|
||||
* Mon Jun 30 2008 mt@suse.de
|
||||
- Added fix that explicitly enables version 1 linux capabilities
|
||||
on version 2 systems to aviod that the charon and pluto daemons
|
||||
exit because of failed capset call (bnc#404989).
|
||||
* Mon May 19 2008 mt@suse.de
|
||||
- Applied fix (strongswan_crash_badcfg_reload.dif) to avoid
|
||||
a crash after reloading with bad config (bnc#392062).
|
||||
* Wed Apr 23 2008 mt@suse.de
|
||||
- Updated to 4.2.1 release. A lot of code refactoring in the 4.2
|
||||
release provides much more modularity and therefore much more
|
||||
extensiblity and offers the following new features:
|
||||
* libstrongswan has been modularized to attach crypto algorithms,
|
||||
credential implementations (secret and private keys, certificates)
|
||||
and http/ldap fetchers dynamically through plugins.
|
||||
* A relational database API that uses pluggable database providers
|
||||
was added to libstrongswan including plugins for MySQL and SQLite.
|
||||
* The IKEv2 keying charon daemon has become more extensible. Generic
|
||||
plugins can provide arbitrary interfaces to credential stores and
|
||||
connection management interfaces. Also any EAP method can be added.
|
||||
* The authentication and credential framework in charon has been
|
||||
heavily refactored to support modular credential providers, proper
|
||||
CERTREQ/CERT payload exchanges and extensible authorization rules.
|
||||
* Support for "Hash and URL" encoded certificate payloads has been
|
||||
implemented in the IKEv2 daemon charon.
|
||||
* The IKEv2 daemon charon now supports the "uniqueids" option to
|
||||
close multiple IKE_SAs with the same peer.
|
||||
* The crypto factory in libstrongswan additionally supports random
|
||||
number generators. Plugins may provide other sources of randomness.
|
||||
* Extended the credential framework by a caching option to allow
|
||||
plugins persistent caching of fetched credentials.
|
||||
* The new trust chain verification introduced in 4.2.0 has been
|
||||
parallelized. Threads fetching CRL or OCSP information no longer
|
||||
block other threads.
|
||||
* A new IKEv2 configuration attribute framework has been introduced
|
||||
allowing plugins to provide virtual IP addresses, and in the future,
|
||||
other configuration attribute services (e.g. DNS/WINS servers).
|
||||
* The stroke plugin has been extended to provide virtual IP addresses
|
||||
from a simple pool defined in ipsec.conf.
|
||||
* Fixed compilation on uClibc and a couple of other minor bugs.
|
||||
* The IKEv1 pluto daemon now supports the ESP encryption algorithm
|
||||
CAMELLIA with key lengths of 128, 192, and 256 bits, as well as the
|
||||
authentication algorithm AES_XCBC_MAC.
|
||||
- Applied a small patch defining _GNU_SOURCE for struct in6_pktinfo
|
||||
and adding inclusion of limits.h for PATH_MAX availability.
|
||||
- Added rpmlintrc file and a libtoolize call to the spec file.
|
||||
* Tue Feb 19 2008 mt@suse.de
|
||||
- Updated to 4.1.11 maintenance release, providing following fixes:
|
||||
* IKE rekeying in NAT situations did not inherit the NAT conditions
|
||||
to the rekeyed IKE_SA so that the UDP encapsulation was lost with
|
||||
the next CHILD_SA rekeying.
|
||||
* Wrong type definition of the next_payload variable in id_payload.c
|
||||
caused an INVALID_SYNTAX error on PowerPC platforms.
|
||||
* Implemented IKEv2 EAP-SIM server and client test modules that use
|
||||
triplets stored in a file. For details on the configuration see
|
||||
the scenario 'ikev2/rw-eap-sim-rsa'.
|
||||
- The 4.1.10 final version, declared upstream as "Fully tested support
|
||||
of IPv6 IPsec tunnel connections", fixes ordering error in oscp cache,
|
||||
IPv6 defaults of the nexthop parameter, adds support for new EAP
|
||||
modules [disabled in this build] and obsoletes our strongswan_path
|
||||
and strongswan_ipsec_script_msg patches.
|
||||
- Removed a sed call from init script.
|
||||
* Sat Dec 08 2007 mt@suse.de
|
||||
- Updated to 4.1.9 final, including all our patches.
|
||||
- Changed init script to use ipsec cmd using LSB codes now.
|
||||
- Added strongswan_path.dif setting a PATH in scripts (updown).
|
||||
- Added strongswan_ipsec_script_msg.dif for consistent look of
|
||||
ipsec script messages.
|
||||
- Added strongswan_modprobe_syslog.dif redirecting modprobe
|
||||
output to syslog.
|
||||
* Mon Nov 26 2007 mt@suse.de
|
||||
- Renamed charon plugins to avoid rpm conflicts with existing
|
||||
libraries (libstroke). Patch: strongswan-libconflicts.dif
|
||||
- Added init script. Template file: strongswan.init.in
|
||||
* Thu Nov 22 2007 mt@suse.de
|
||||
- Initial, unfinished package
|
||||
|
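Review bot: Removing `%{restart_on_update ipsec}` from `%postun` means installing this update no longer restarts the daemons, so charon and pluto presumably keep running the pre-update binaries until an administrator restarts them, even though this release is the one carrying the ASN.1 and IKEv2 DoS fixes. The changelog gives bnc#450390 as the reason, but the spec is silent; a comment at that spot would record the decision, e.g. `# restart_on_update intentionally omitted (bnc#450390); restart the ipsec service manually to activate security fixes`. Separately, `Source1` ships the tarball signature, yet none of the `%prep` lines visible in these hunks checks it against a trusted key, so the signature only protects the build if verification happens elsewhere. Only the changed hunks of the spec are shown, so both points should be confirmed against the full file.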
@ -1,52 +0,0 @@
|
||||
--- src/starter/klips.c
|
||||
+++ src/starter/klips.c 2009/03/23 10:46:01
|
||||
@@ -36,7 +36,7 @@ starter_klips_init(void)
|
||||
/* ipsec module makes the pf_key proc interface visible */
|
||||
if (stat(PROC_MODULES, &stb) == 0)
|
||||
{
|
||||
- ignore_result(system("modprobe -qv ipsec"));
|
||||
+ ignore_result(system("modprobe -a ipsec"));
|
||||
}
|
||||
|
||||
/* now test again */
|
||||
@@ -50,9 +50,9 @@ starter_klips_init(void)
|
||||
}
|
||||
|
||||
/* load crypto algorithm modules */
|
||||
- ignore_result(system("modprobe -qv ipsec_aes"));
|
||||
- ignore_result(system("modprobe -qv ipsec_blowfish"));
|
||||
- ignore_result(system("modprobe -qv ipsec_sha2"));
|
||||
+ ignore_result(system("modprobe -s ipsec_aes"));
|
||||
+ ignore_result(system("modprobe -s ipsec_blowfish"));
|
||||
+ ignore_result(system("modprobe -s ipsec_sha2"));
|
||||
|
||||
DBG(DBG_CONTROL,
|
||||
DBG_log("Found KLIPS IPsec stack")
|
||||
--- src/starter/netkey.c
|
||||
+++ src/starter/netkey.c 2009/03/23 10:46:34
|
||||
@@ -36,7 +36,7 @@ starter_netkey_init(void)
|
||||
/* af_key module makes the netkey proc interface visible */
|
||||
if (stat(PROC_MODULES, &stb) == 0)
|
||||
{
|
||||
- ignore_result(system("modprobe -qv af_key"));
|
||||
+ ignore_result(system("modprobe -s af_key"));
|
||||
}
|
||||
|
||||
/* now test again */
|
||||
@@ -52,11 +52,11 @@ starter_netkey_init(void)
|
||||
/* make sure that all required IPsec modules are loaded */
|
||||
if (stat(PROC_MODULES, &stb) == 0)
|
||||
{
|
||||
- ignore_result(system("modprobe -qv ah4"));
|
||||
- ignore_result(system("modprobe -qv esp4"));
|
||||
- ignore_result(system("modprobe -qv ipcomp"));
|
||||
- ignore_result(system("modprobe -qv xfrm4_tunnel"));
|
||||
- ignore_result(system("modprobe -qv xfrm_user"));
|
||||
+ ignore_result(system("modprobe -s ah4"));
|
||||
+ ignore_result(system("modprobe -s esp4"));
|
||||
+ ignore_result(system("modprobe -s ipcomp"));
|
||||
+ ignore_result(system("modprobe -s xfrm4_tunnel"));
|
||||
+ ignore_result(system("modprobe -s xfrm_user"));
|
||||
}
|
||||
|
||||
DBG(DBG_CONTROL,
|
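--- a/strongswan_modprobe_syslog.patch
+++ b/strongswan_modprobe_syslog.patch
@@ -0,0 +1,52 @@
+--- src/starter/klips.c
++++ src/starter/klips.c
+@@ -34,7 +34,7 @@ starter_klips_init(void)
+/* ipsec module makes the pf_key proc interface visible */
+if (stat(PROC_MODULES, &stb) == 0)
+{
+- ignore_result(system("modprobe -qv ipsec"));
++ ignore_result(system("modprobe -s ipsec"));
+}
+
+/* now test again */
+@@ -48,9 +48,9 @@ starter_klips_init(void)
+}
+
+/* load crypto algorithm modules */
+- ignore_result(system("modprobe -qv ipsec_aes"));
+- ignore_result(system("modprobe -qv ipsec_blowfish"));
+- ignore_result(system("modprobe -qv ipsec_sha2"));
++ ignore_result(system("modprobe -s ipsec_aes"));
++ ignore_result(system("modprobe -s ipsec_blowfish"));
++ ignore_result(system("modprobe -s ipsec_sha2"));
+
+DBG(DBG_CONTROL,
+DBG_log("Found KLIPS IPsec stack")
+--- src/starter/netkey.c
++++ src/starter/netkey.c
+@@ -34,7 +34,7 @@ starter_netkey_init(void)
+/* af_key module makes the netkey proc interface visible */
+if (stat(PROC_MODULES, &stb) == 0)
+{
+- ignore_result(system("modprobe -qv af_key"));
++ ignore_result(system("modprobe -s af_key"));
+}
+
+/* now test again */
+@@ -50,11 +50,11 @@ starter_netkey_init(void)
+/* make sure that all required IPsec modules are loaded */
+if (stat(PROC_MODULES, &stb) == 0)
+{
+- ignore_result(system("modprobe -qv ah4"));
+- ignore_result(system("modprobe -qv esp4"));
+- ignore_result(system("modprobe -qv ipcomp"));
+- ignore_result(system("modprobe -qv xfrm4_tunnel"));
+- ignore_result(system("modprobe -qv xfrm_user"));
++ ignore_result(system("modprobe -s ah4"));
++ ignore_result(system("modprobe -s esp4"));
++ ignore_result(system("modprobe -s ipcomp"));
++ ignore_result(system("modprobe -s xfrm4_tunnel"));
++ ignore_result(system("modprobe -s xfrm_user"));
+}
+
+DBG(DBG_CONTROL,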
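Review bot: Every rewritten call in `starter_klips_init` and `starter_netkey_init` still passes the bare name `modprobe` to `system()`, so the shell resolves it through whatever PATH the starter process inherited, and starter presumably runs with root privileges. Since the patch already touches each of these lines, it could pin the binary at the same time, e.g. `ignore_result(system("/sbin/modprobe -s af_key"));`. The return values are still discarded by `ignore_result`, so with `-s` a failed load is visible only in syslog. The "now test again" comments suggest a later re-check for `ipsec` and `af_key`, but the hunks show no such check for ah4, esp4, ipcomp, xfrm4_tunnel or xfrm_user. Both functions begin and end outside the hunks, so this should be confirmed against the full source.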
432
strongswan_no_plugin_version.patch
Normal file
432
strongswan_no_plugin_version.patch
Normal file
@ -0,0 +1,432 @@
|
||||
--- src/charon/plugins/attr/Makefile.am
|
||||
+++ src/charon/plugins/attr/Makefile.am
|
||||
@@ -6,4 +6,4 @@
|
||||
plugin_LTLIBRARIES = libstrongswan-attr.la
|
||||
libstrongswan_attr_la_SOURCES = attr_plugin.h attr_plugin.c \
|
||||
attr_provider.h attr_provider.c
|
||||
-libstrongswan_attr_la_LDFLAGS = -module
|
||||
+libstrongswan_attr_la_LDFLAGS = -module -avoid-version
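Review bot: These hunks edit `Makefile.am` only, so `-avoid-version` reaches the build only if the package regenerates the autotools output after applying the patch, for example with an `autoreconf` step in the spec, which is not visible here. Against the `Makefile.in` files shipped in a release tarball the change would otherwise be silently ignored. The same one-line edit is repeated in every plugin hunk under `src/charon/plugins/` and `src/libstrongswan/plugins/`, so a short header comment in the patch stating why unversioned plugin objects are wanted would help the next maintainer who rebases it.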
|
||||
--- src/charon/plugins/eap_aka/Makefile.am
|
||||
+++ src/charon/plugins/eap_aka/Makefile.am
|
||||
@@ -6,6 +6,6 @@
|
||||
plugin_LTLIBRARIES = libstrongswan-eapaka.la
|
||||
|
||||
libstrongswan_eapaka_la_SOURCES = eap_aka_plugin.h eap_aka_plugin.c eap_aka.h eap_aka.c
|
||||
-libstrongswan_eapaka_la_LDFLAGS = -module
|
||||
+libstrongswan_eapaka_la_LDFLAGS = -module -avoid-version
|
||||
libstrongswan_eapaka_la_LIBADD = -lgmp
|
||||
|
||||
--- src/charon/plugins/eap_gtc/Makefile.am
|
||||
+++ src/charon/plugins/eap_gtc/Makefile.am
|
||||
@@ -6,5 +6,5 @@
|
||||
plugin_LTLIBRARIES = libstrongswan-eapgtc.la
|
||||
|
||||
libstrongswan_eapgtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c
|
||||
-libstrongswan_eapgtc_la_LDFLAGS = -module -lpam
|
||||
+libstrongswan_eapgtc_la_LDFLAGS = -module -lpam -avoid-version
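Review bot: The new line keeps `-lpam` inside `libstrongswan_eapgtc_la_LDFLAGS`, whereas other plugins in this patch that link a library list it in `_LIBADD` (`libstrongswan_eapaka_la_LIBADD = -lgmp`, `libstrongswan_curl_la_LIBADD = -lcurl`). Libraries given in `LDFLAGS` land before the objects on the link line and can be dropped by a linker running with `--as-needed`, which would leave the plugin with unresolved PAM symbols when it is loaded. Suggested: `libstrongswan_eapgtc_la_LDFLAGS = -module -avoid-version` together with `libstrongswan_eapgtc_la_LIBADD = -lpam`.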
|
||||
|
||||
--- src/charon/plugins/eap_identity/Makefile.am
|
||||
+++ src/charon/plugins/eap_identity/Makefile.am
|
||||
@@ -6,5 +6,5 @@
|
||||
plugin_LTLIBRARIES = libstrongswan-eapidentity.la
|
||||
libstrongswan_eapidentity_la_SOURCES = \
|
||||
eap_identity_plugin.h eap_identity_plugin.c eap_identity.h eap_identity.c
|
||||
-libstrongswan_eapidentity_la_LDFLAGS = -module
|
||||
+libstrongswan_eapidentity_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/charon/plugins/eap_md5/Makefile.am
|
||||
+++ src/charon/plugins/eap_md5/Makefile.am
|
||||
@@ -6,5 +6,5 @@
|
||||
plugin_LTLIBRARIES = libstrongswan-eapmd5.la
|
||||
|
||||
libstrongswan_eapmd5_la_SOURCES = eap_md5_plugin.h eap_md5_plugin.c eap_md5.h eap_md5.c
|
||||
-libstrongswan_eapmd5_la_LDFLAGS = -module
|
||||
+libstrongswan_eapmd5_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/charon/plugins/eap_mschapv2/Makefile.am
|
||||
+++ src/charon/plugins/eap_mschapv2/Makefile.am
|
||||
@@ -8,5 +8,5 @@
|
||||
libstrongswan_eapmschapv2_la_SOURCES = \
|
||||
eap_mschapv2_plugin.h eap_mschapv2_plugin.c \
|
||||
eap_mschapv2.h eap_mschapv2.c
|
||||
-libstrongswan_eapmschapv2_la_LDFLAGS = -module
|
||||
+libstrongswan_eapmschapv2_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/charon/plugins/eap_radius/Makefile.am
|
||||
+++ src/charon/plugins/eap_radius/Makefile.am
|
||||
@@ -10,5 +10,5 @@
|
||||
eap_radius.h eap_radius.c \
|
||||
radius_client.h radius_client.c \
|
||||
radius_message.h radius_message.c
|
||||
-libstrongswan_eapradius_la_LDFLAGS = -module
|
||||
+libstrongswan_eapradius_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/charon/plugins/eap_sim/Makefile.am
|
||||
+++ src/charon/plugins/eap_sim/Makefile.am
|
||||
@@ -7,5 +7,5 @@
|
||||
|
||||
libstrongswan_eapsim_la_SOURCES = eap_sim.h eap_sim.c \
|
||||
eap_sim_plugin.h eap_sim_plugin.c
|
||||
-libstrongswan_eapsim_la_LDFLAGS = -module
|
||||
+libstrongswan_eapsim_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/charon/plugins/eap_sim_file/Makefile.am
|
||||
+++ src/charon/plugins/eap_sim_file/Makefile.am
|
||||
@@ -10,5 +10,5 @@
|
||||
eap_sim_file_card.h eap_sim_file_card.c \
|
||||
eap_sim_file_provider.h eap_sim_file_provider.c \
|
||||
eap_sim_file_triplets.h eap_sim_file_triplets.c
|
||||
-libstrongswan_eapsim_file_la_LDFLAGS = -module
|
||||
+libstrongswan_eapsim_file_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/charon/plugins/kernel_klips/Makefile.am
|
||||
+++ src/charon/plugins/kernel_klips/Makefile.am
|
||||
@@ -7,4 +7,4 @@
|
||||
|
||||
libstrongswan_kernel_klips_la_SOURCES = kernel_klips_plugin.h kernel_klips_plugin.c \
|
||||
kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h
|
||||
-libstrongswan_kernel_klips_la_LDFLAGS = -module
|
||||
+libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version
|
||||
--- src/charon/plugins/kernel_netlink/Makefile.am
|
||||
+++ src/charon/plugins/kernel_netlink/Makefile.am
|
||||
@@ -8,4 +8,4 @@
|
||||
libstrongswan_kernel_netlink_la_SOURCES = kernel_netlink_plugin.h kernel_netlink_plugin.c \
|
||||
kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \
|
||||
kernel_netlink_shared.h kernel_netlink_shared.c
|
||||
-libstrongswan_kernel_netlink_la_LDFLAGS = -module
|
||||
+libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
|
||||
--- src/charon/plugins/kernel_pfkey/Makefile.am
|
||||
+++ src/charon/plugins/kernel_pfkey/Makefile.am
|
||||
@@ -7,4 +7,4 @@
|
||||
|
||||
libstrongswan_kernel_pfkey_la_SOURCES = kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
|
||||
kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c
|
||||
-libstrongswan_kernel_pfkey_la_LDFLAGS = -module
|
||||
+libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version
|
||||
--- src/charon/plugins/kernel_pfroute/Makefile.am
|
||||
+++ src/charon/plugins/kernel_pfroute/Makefile.am
|
||||
@@ -7,4 +7,4 @@
|
||||
|
||||
libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
|
||||
kernel_pfroute_net.h kernel_pfroute_net.c
|
||||
-libstrongswan_kernel_pfroute_la_LDFLAGS = -module
|
||||
+libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version
|
||||
--- src/charon/plugins/load_tester/Makefile.am
|
||||
+++ src/charon/plugins/load_tester/Makefile.am
|
||||
@@ -13,5 +13,5 @@
|
||||
load_tester_listener.c load_tester_listener.h \
|
||||
load_tester_diffie_hellman.c load_tester_diffie_hellman.h
|
||||
|
||||
-libstrongswan_load_tester_la_LDFLAGS = -module
|
||||
+libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/charon/plugins/medcli/Makefile.am
|
||||
+++ src/charon/plugins/medcli/Makefile.am
|
||||
@@ -8,5 +8,5 @@
|
||||
medcli_creds.h medcli_creds.c \
|
||||
medcli_config.h medcli_config.c \
|
||||
medcli_listener.h medcli_listener.c
|
||||
-libstrongswan_medcli_la_LDFLAGS = -module
|
||||
+libstrongswan_medcli_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/charon/plugins/medsrv/Makefile.am
|
||||
+++ src/charon/plugins/medsrv/Makefile.am
|
||||
@@ -7,5 +7,5 @@
|
||||
libstrongswan_medsrv_la_SOURCES = medsrv_plugin.h medsrv_plugin.c \
|
||||
medsrv_creds.h medsrv_creds.c \
|
||||
medsrv_config.h medsrv_config.c
|
||||
-libstrongswan_medsrv_la_LDFLAGS = -module
|
||||
+libstrongswan_medsrv_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/charon/plugins/nm/Makefile.am
|
||||
+++ src/charon/plugins/nm/Makefile.am
|
||||
@@ -9,5 +9,5 @@
|
||||
nm_service.h nm_service.c \
|
||||
nm_creds.h nm_creds.c \
|
||||
nm_handler.h nm_handler.c
|
||||
-libstrongswan_nm_la_LDFLAGS = -module
|
||||
+libstrongswan_nm_la_LDFLAGS = -module -avoid-version
|
||||
libstrongswan_nm_la_LIBADD = ${nm_LIBS}
|
||||
--- src/charon/plugins/resolv_conf/Makefile.am
|
||||
+++ src/charon/plugins/resolv_conf/Makefile.am
|
||||
@@ -8,6 +8,6 @@
|
||||
libstrongswan_resolv_conf_la_SOURCES = \
|
||||
resolv_conf_plugin.h resolv_conf_plugin.c \
|
||||
resolv_conf_handler.h resolv_conf_handler.c
|
||||
-libstrongswan_resolv_conf_la_LDFLAGS = -module
|
||||
+libstrongswan_resolv_conf_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
|
||||
--- src/charon/plugins/smp/Makefile.am
|
||||
+++ src/charon/plugins/smp/Makefile.am
|
||||
@@ -5,6 +5,6 @@
|
||||
|
||||
plugin_LTLIBRARIES = libstrongswan-smp.la
|
||||
libstrongswan_smp_la_SOURCES = smp.h smp.c
|
||||
-libstrongswan_smp_la_LDFLAGS = -module
|
||||
+libstrongswan_smp_la_LDFLAGS = -module -avoid-version
|
||||
libstrongswan_smp_la_LIBADD = ${xml_LIBS}
|
||||
|
||||
--- src/charon/plugins/sql/Makefile.am
|
||||
+++ src/charon/plugins/sql/Makefile.am
|
||||
@@ -10,7 +10,7 @@
|
||||
libstrongswan_sql_la_SOURCES = sql_plugin.h sql_plugin.c \
|
||||
sql_config.h sql_config.c sql_cred.h sql_cred.c \
|
||||
sql_attribute.h sql_attribute.c sql_logger.h sql_logger.c
|
||||
-libstrongswan_sql_la_LDFLAGS = -module
|
||||
+libstrongswan_sql_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
ipsec_PROGRAMS = pool
|
||||
pool_SOURCES = pool.c
|
||||
--- src/charon/plugins/stroke/Makefile.am
|
||||
+++ src/charon/plugins/stroke/Makefile.am
|
||||
@@ -18,5 +18,5 @@
|
||||
stroke_list.h stroke_list.c \
|
||||
stroke_shared_key.h stroke_shared_key.c
|
||||
|
||||
-libstrongswan_stroke_la_LDFLAGS = -module
|
||||
+libstrongswan_stroke_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/charon/plugins/uci/Makefile.am
|
||||
+++ src/charon/plugins/uci/Makefile.am
|
||||
@@ -8,7 +8,7 @@
|
||||
uci_plugin.h uci_plugin.c uci_parser.h uci_parser.c \
|
||||
uci_config.h uci_config.c uci_creds.h uci_creds.c \
|
||||
uci_control.h uci_control.c
|
||||
-libstrongswan_uci_la_LDFLAGS = -module
|
||||
+libstrongswan_uci_la_LDFLAGS = -module -avoid-version
|
||||
libstrongswan_uci_la_LIBADD = -luci
|
||||
|
||||
|
||||
--- src/charon/plugins/unit_tester/Makefile.am
|
||||
+++ src/charon/plugins/unit_tester/Makefile.am
|
||||
@@ -20,5 +20,5 @@
|
||||
tests/test_agent.c \
|
||||
tests/test_id.c
|
||||
|
||||
-libstrongswan_unit_tester_la_LDFLAGS = -module
|
||||
+libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/charon/plugins/updown/Makefile.am
|
||||
+++ src/charon/plugins/updown/Makefile.am
|
||||
@@ -7,6 +7,6 @@
|
||||
libstrongswan_updown_la_SOURCES = \
|
||||
updown_plugin.h updown_plugin.c \
|
||||
updown_listener.h updown_listener.c
|
||||
-libstrongswan_updown_la_LDFLAGS = -module
|
||||
+libstrongswan_updown_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
|
||||
--- src/libstrongswan/plugins/aes/Makefile.am
|
||||
+++ src/libstrongswan/plugins/aes/Makefile.am
|
||||
@@ -6,5 +6,5 @@
|
||||
plugin_LTLIBRARIES = libstrongswan-aes.la
|
||||
|
||||
libstrongswan_aes_la_SOURCES = aes_plugin.h aes_plugin.c aes_crypter.c aes_crypter.h
|
||||
-libstrongswan_aes_la_LDFLAGS = -module
|
||||
+libstrongswan_aes_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/libstrongswan/plugins/agent/Makefile.am
|
||||
+++ src/libstrongswan/plugins/agent/Makefile.am
|
||||
@@ -8,5 +8,5 @@
|
||||
libstrongswan_agent_la_SOURCES = agent_plugin.h agent_plugin.c \
|
||||
agent_private_key.c agent_private_key.h
|
||||
|
||||
-libstrongswan_agent_la_LDFLAGS = -module
|
||||
+libstrongswan_agent_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/libstrongswan/plugins/blowfish/Makefile.am
|
||||
+++ src/libstrongswan/plugins/blowfish/Makefile.am
|
||||
@@ -8,5 +8,5 @@
|
||||
libstrongswan_blowfish_la_SOURCES = \
|
||||
blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \
|
||||
bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c
|
||||
-libstrongswan_blowfish_la_LDFLAGS = -module
|
||||
+libstrongswan_blowfish_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/libstrongswan/plugins/curl/Makefile.am
|
||||
+++ src/libstrongswan/plugins/curl/Makefile.am
|
||||
@@ -6,6 +6,6 @@
|
||||
plugin_LTLIBRARIES = libstrongswan-curl.la
|
||||
|
||||
libstrongswan_curl_la_SOURCES = curl_plugin.h curl_plugin.c curl_fetcher.c curl_fetcher.h
|
||||
-libstrongswan_curl_la_LDFLAGS = -module
|
||||
+libstrongswan_curl_la_LDFLAGS = -module -avoid-version
|
||||
libstrongswan_curl_la_LIBADD = -lcurl
|
||||
|
||||
--- src/libstrongswan/plugins/des/Makefile.am
|
||||
+++ src/libstrongswan/plugins/des/Makefile.am
|
||||
@@ -6,5 +6,5 @@
|
||||
plugin_LTLIBRARIES = libstrongswan-des.la
|
||||
|
||||
libstrongswan_des_la_SOURCES = des_plugin.h des_plugin.c des_crypter.c des_crypter.h
|
||||
-libstrongswan_des_la_LDFLAGS = -module
|
||||
+libstrongswan_des_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/libstrongswan/plugins/fips_prf/Makefile.am
|
||||
+++ src/libstrongswan/plugins/fips_prf/Makefile.am
|
||||
@@ -6,5 +6,5 @@
|
||||
plugin_LTLIBRARIES = libstrongswan-fips-prf.la
|
||||
|
||||
libstrongswan_fips_prf_la_SOURCES = fips_prf_plugin.h fips_prf_plugin.c fips_prf.c fips_prf.h
|
||||
-libstrongswan_fips_prf_la_LDFLAGS = -module
|
||||
+libstrongswan_fips_prf_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/libstrongswan/plugins/gcrypt/Makefile.am
|
||||
+++ src/libstrongswan/plugins/gcrypt/Makefile.am
|
||||
@@ -13,5 +13,5 @@
|
||||
gcrypt_crypter.h gcrypt_crypter.c \
|
||||
gcrypt_hasher.h gcrypt_hasher.c
|
||||
|
||||
-libstrongswan_gcrypt_la_LDFLAGS = -module
|
||||
+libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version
|
||||
libstrongswan_gcrypt_la_LIBADD = $(LIBGCRYPT_LIBS)
|
||||
--- src/libstrongswan/plugins/gmp/Makefile.am
|
||||
+++ src/libstrongswan/plugins/gmp/Makefile.am
|
||||
@@ -10,6 +10,6 @@
|
||||
gmp_rsa_private_key.c gmp_rsa_private_key.h \
|
||||
gmp_rsa_public_key.c gmp_rsa_public_key.h
|
||||
|
||||
-libstrongswan_gmp_la_LDFLAGS = -module
|
||||
+libstrongswan_gmp_la_LDFLAGS = -module -avoid-version
|
||||
libstrongswan_gmp_la_LIBADD = -lgmp
|
||||
|
||||
--- src/libstrongswan/plugins/hmac/Makefile.am
|
||||
+++ src/libstrongswan/plugins/hmac/Makefile.am
|
||||
@@ -7,5 +7,5 @@
|
||||
|
||||
libstrongswan_hmac_la_SOURCES = hmac_plugin.h hmac_plugin.c hmac.h hmac.c \
|
||||
hmac_prf.h hmac_prf.c hmac_signer.h hmac_signer.c
|
||||
-libstrongswan_hmac_la_LDFLAGS = -module
|
||||
+libstrongswan_hmac_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/libstrongswan/plugins/ldap/Makefile.am
|
||||
+++ src/libstrongswan/plugins/ldap/Makefile.am
|
||||
@@ -6,6 +6,6 @@
|
||||
plugin_LTLIBRARIES = libstrongswan-ldap.la
|
||||
|
||||
libstrongswan_ldap_la_SOURCES = ldap_plugin.h ldap_plugin.c ldap_fetcher.h ldap_fetcher.c
|
||||
-libstrongswan_ldap_la_LDFLAGS = -module
|
||||
+libstrongswan_ldap_la_LDFLAGS = -module -avoid-version
|
||||
libstrongswan_ldap_la_LIBADD = -lldap -llber
|
||||
|
||||
--- src/libstrongswan/plugins/md4/Makefile.am
|
||||
+++ src/libstrongswan/plugins/md4/Makefile.am
|
||||
@@ -6,5 +6,5 @@
|
||||
plugin_LTLIBRARIES = libstrongswan-md4.la
|
||||
|
||||
libstrongswan_md4_la_SOURCES = md4_plugin.h md4_plugin.c md4_hasher.c md4_hasher.h
|
||||
-libstrongswan_md4_la_LDFLAGS = -module
|
||||
+libstrongswan_md4_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/libstrongswan/plugins/md5/Makefile.am
|
||||
+++ src/libstrongswan/plugins/md5/Makefile.am
|
||||
@@ -6,5 +6,5 @@
|
||||
plugin_LTLIBRARIES = libstrongswan-md5.la
|
||||
|
||||
libstrongswan_md5_la_SOURCES = md5_plugin.h md5_plugin.c md5_hasher.c md5_hasher.h
|
||||
-libstrongswan_md5_la_LDFLAGS = -module
|
||||
+libstrongswan_md5_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/libstrongswan/plugins/mysql/Makefile.am
|
||||
+++ src/libstrongswan/plugins/mysql/Makefile.am
|
||||
@@ -7,6 +7,6 @@
|
||||
|
||||
libstrongswan_mysql_la_SOURCES = mysql_plugin.h mysql_plugin.c \
|
||||
mysql_database.h mysql_database.c
|
||||
-libstrongswan_mysql_la_LDFLAGS = -module
|
||||
+libstrongswan_mysql_la_LDFLAGS = -module -avoid-version
|
||||
libstrongswan_mysql_la_LIBADD = -lmysqlclient_r
|
||||
|
||||
--- src/libstrongswan/plugins/openssl/Makefile.am
|
||||
+++ src/libstrongswan/plugins/openssl/Makefile.am
|
||||
@@ -16,6 +16,6 @@
|
||||
openssl_ec_private_key.c openssl_ec_private_key.h \
|
||||
openssl_ec_public_key.c openssl_ec_public_key.h
|
||||
|
||||
-libstrongswan_openssl_la_LDFLAGS = -module
|
||||
+libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
|
||||
libstrongswan_openssl_la_LIBADD = -lcrypto
|
||||
|
||||
--- src/libstrongswan/plugins/padlock/Makefile.am
|
||||
+++ src/libstrongswan/plugins/padlock/Makefile.am
|
||||
@@ -9,5 +9,5 @@
|
||||
padlock_aes_crypter.c padlock_aes_crypter.h \
|
||||
padlock_sha1_hasher.c padlock_sha1_hasher.h \
|
||||
padlock_rng.c padlock_rng.h
|
||||
-libstrongswan_padlock_la_LDFLAGS = -module
|
||||
+libstrongswan_padlock_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/libstrongswan/plugins/pubkey/Makefile.am
|
||||
+++ src/libstrongswan/plugins/pubkey/Makefile.am
|
||||
@@ -9,5 +9,5 @@
|
||||
pubkey_cert.h pubkey_cert.c\
|
||||
pubkey_public_key.h pubkey_public_key.c
|
||||
|
||||
-libstrongswan_pubkey_la_LDFLAGS = -module
|
||||
+libstrongswan_pubkey_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/libstrongswan/plugins/random/Makefile.am
|
||||
+++ src/libstrongswan/plugins/random/Makefile.am
|
||||
@@ -7,5 +7,5 @@
|
||||
|
||||
libstrongswan_random_la_SOURCES = random_plugin.h random_plugin.c \
|
||||
random_rng.c random_rng.h
|
||||
-libstrongswan_random_la_LDFLAGS = -module
|
||||
+libstrongswan_random_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/libstrongswan/plugins/sha1/Makefile.am
|
||||
+++ src/libstrongswan/plugins/sha1/Makefile.am
|
||||
@@ -7,5 +7,5 @@
|
||||
|
||||
libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c \
|
||||
sha1_hasher.c sha1_hasher.h sha1_prf.c sha1_prf.h
|
||||
-libstrongswan_sha1_la_LDFLAGS = -module
|
||||
+libstrongswan_sha1_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/libstrongswan/plugins/sha2/Makefile.am
|
||||
+++ src/libstrongswan/plugins/sha2/Makefile.am
|
||||
@@ -6,5 +6,5 @@
|
||||
plugin_LTLIBRARIES = libstrongswan-sha2.la
|
||||
|
||||
libstrongswan_sha2_la_SOURCES = sha2_plugin.h sha2_plugin.c sha2_hasher.c sha2_hasher.h
|
||||
-libstrongswan_sha2_la_LDFLAGS = -module
|
||||
+libstrongswan_sha2_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/libstrongswan/plugins/sqlite/Makefile.am
|
||||
+++ src/libstrongswan/plugins/sqlite/Makefile.am
|
||||
@@ -7,6 +7,6 @@
|
||||
|
||||
libstrongswan_sqlite_la_SOURCES = sqlite_plugin.h sqlite_plugin.c \
|
||||
sqlite_database.h sqlite_database.c
|
||||
-libstrongswan_sqlite_la_LDFLAGS = -module
|
||||
+libstrongswan_sqlite_la_LDFLAGS = -module -avoid-version
|
||||
libstrongswan_sqlite_la_LIBADD = -lsqlite3
|
||||
|
||||
--- src/libstrongswan/plugins/test_vectors/Makefile.am
|
||||
+++ src/libstrongswan/plugins/test_vectors/Makefile.am
|
||||
@@ -29,5 +29,5 @@
|
||||
test_vectors/sha2_hmac.c \
|
||||
test_vectors/fips_prf.c \
|
||||
test_vectors/rng.c
|
||||
-libstrongswan_test_vectors_la_LDFLAGS = -module
|
||||
+libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/libstrongswan/plugins/x509/Makefile.am
|
||||
+++ src/libstrongswan/plugins/x509/Makefile.am
|
||||
@@ -12,5 +12,5 @@
|
||||
x509_ocsp_request.h x509_ocsp_request.c \
|
||||
x509_ocsp_response.h x509_ocsp_response.c \
|
||||
ietf_attr_list.h ietf_attr_list.c
|
||||
-libstrongswan_x509_la_LDFLAGS = -module
|
||||
+libstrongswan_x509_la_LDFLAGS = -module -avoid-version
|
||||
|
||||
--- src/libstrongswan/plugins/xcbc/Makefile.am
|
||||
+++ src/libstrongswan/plugins/xcbc/Makefile.am
|
||||
@@ -7,5 +7,5 @@
|
||||
|
||||
libstrongswan_xcbc_la_SOURCES = xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \
|
||||
xcbc_prf.h xcbc_prf.c xcbc_signer.h xcbc_signer.c
|
||||
-libstrongswan_xcbc_la_LDFLAGS = -module
|
||||
+libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version
|
||||
|
@ -1,43 +0,0 @@
|
||||
--- src/charon/sa/ike_sa.c
|
||||
+++ src/charon/sa/ike_sa.c 2008/08/28 07:31:59
|
||||
@@ -2316,6 +2316,11 @@
|
||||
*/
|
||||
static void remove_dns_servers(private_ike_sa_t *this)
|
||||
{
|
||||
+ (void)this;
|
||||
+#if 0
|
||||
+ /*
|
||||
+ ** TODO: don't change resolv.conf => use netconfig
|
||||
+ */
|
||||
FILE *file;
|
||||
struct stat stats;
|
||||
chunk_t contents, line, orig_line, token;
|
||||
@@ -2391,6 +2396,7 @@
|
||||
}
|
||||
iterator->destroy(iterator);
|
||||
fclose(file);
|
||||
+#endif
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -2398,6 +2404,12 @@
|
||||
*/
|
||||
static void add_dns_server(private_ike_sa_t *this, host_t *dns)
|
||||
{
|
||||
+ (void)this;
|
||||
+ (void)dns;
|
||||
+#if 0
|
||||
+ /*
|
||||
+ ** TODO: don't change resolv.conf => use netconfig
|
||||
+ */
|
||||
FILE *file;
|
||||
struct stat stats;
|
||||
chunk_t contents;
|
||||
@@ -2442,6 +2454,7 @@
|
||||
fwrite(contents.ptr, contents.len, 1, file);
|
||||
|
||||
fclose(file);
|
||||
+#endif
|
||||
}
|
||||
|
||||
/**
|