Accepting request 53144 from network:vpn

Accepted submit request 53144 from user mtomaschewski

OBS-URL: https://build.opensuse.org/request/show/53144
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=26

README.SUSE

@@ -1,14 +1,30 @@
 Dear Customer,
 
-this package does no provide any files any more, but triggers the
-installation of both, IKEv1 (pluto) and IKEv2 (charon) daemons and
-the traditional starter scripts inclusive of the /etc/init.d/ipsec
-init script and /etc/ipsec.conf file.
+please note, that the strongswan release 4.5 changes the keyexchange mode
+to IKEv2 as default -- from strongswan-4.5.0/NEWS:
+"[...]
+IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
+from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
+IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
+come for IKEv1 to go into retirement and to cede its place to the much more
+robust, powerful and versatile IKEv2 protocol!
+[...]"
 
-There is a new strongswan-nm package with a NetworkManager plugin
-to control the charon IKEv2 daemon through D-Bus, designed to work
-using the NetworkManager-strongswan graphical user interface.
-It does not depend on the traditional starter scripts, but on the
-IKEv2 charon daemon and plugins only. 
+This requires adoption of either the "conn %default" or all other IKEv1
+"conn" sections in the /etc/ipsec.conf to use explicit:
+
+	keyexchange=ikev1
+
+
+The strongswan package does no provide any files any more, but triggers
+the installation of both, IKEv1 (pluto) and IKEv2 (charon) daemons and the
+traditional starter scripts inclusive of the /etc/init.d/ipsec init script
+and /etc/ipsec.conf file.
+
+There is a new strongswan-nm package with a NetworkManager plugin to
+control the charon IKEv2 daemon through D-Bus, designed to work using the
+NetworkManager-strongswan graphical user interface.
+It does not depend on the traditional starter scripts, but on the IKEv2
+charon daemon and plugins only. 
 
 Have a lot of fun...

strongswan-4.5.0-rpmlintrc

@@ -0,0 +1,5 @@
+### Known warnings:
+# - traditional name
+addFilter("strongswan.* incoherent-init-script-name ipsec")
+# - readme only, triggers full ipsec + ikev1&ikev2 install
+addFilter("strongswan.* no-binary")

strongswan-4.5.0.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:108b0fbbf119011b24eb6ccabc3d9f8888f4036382dd3aad011dec04100ad559
+size 3154064

strongswan-4.5.0.tar.bz2.sig

@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.10 (GNU/Linux)
+
+iQGcBAABAgAGBQJMykZ7AAoJEN9CwXCzTbp36BYL/A9q4F2n7EHvVW7HTmG6ogMw
+are1n1ZYRdqUmrdk2woCqJPfkzihHMa1nc7u6hgucRDi7wJfJBXoAT0Rvd9AN8qw
+bKuaajKRvXFA14qtORvkX4z+Se+/nqL3+ZlvlnPS6rgpdBD+kZY+sFNdSAhJxShJ
+zbJ4U+jnO74pyzp8I9hp1HccPKJjt/ljlCB7izPqJ1bQAbrNTQr90JHPNz9BSQkq
+BIF5T+nsRWE1p2tWzz6IAjvbC3ghc2lmVy5FGKjItMXWxsyCYuira4MlbGp2ObKE
+1aa9QbNYxJ0aD0vsX+r8usXvpdq5QLQotp1bLG2m2XYWdzC4yBwRHj2pS8JHIENP
+y9o4za9finsG1Ahb661+2Pw7xO/R2blLDDQyhxH5e6AO7p4Pz050yiicCxVKEwG0
+mJM6c5TbAerBCH2ovgwNeGV3hsOt9ng7e63SMIBkYtN41uQV8hqUjZbtYcvpsER2
+bB/Jdp14aR1F9jMgEmt/I6tNHizJWvB5FFGLqH2cTQ==
+=o5iz
+-----END PGP SIGNATURE-----

strongswan.changes

@@ -1,3 +1,109 @@
+-------------------------------------------------------------------
+Tue Nov 16 12:01:46 UTC 2010 - mt@suse.de
+
+- Updated to strongSwan 4.5.0 release, changes since 4.4.1 are:
+  * IMPORTANT: the default keyexchange mode 'ike' is changing with
+  release 4.5 from 'ikev1' to 'ikev2', thus commemorating the five
+  year anniversary of the IKEv2 RFC 4306 and its mature successor
+  RFC 5996. The time has definitively come for IKEv1 to go into
+  retirement and to cede its place to the much more robust, powerful
+  and versatile IKEv2 protocol!
+  * Added new ctr, ccm and gcm plugins providing Counter, Counter
+  with CBC-MAC and Galois/Counter Modes based on existing CBC
+  implementations. These new plugins bring support for AES and
+  Camellia Counter and CCM algorithms and the AES GCM algorithms
+  for use in IKEv2.
+  * The new pkcs11 plugin brings full Smartcard support to the IKEv2
+  daemon and the pki utility using one or more PKCS#11 libraries. It
+  currently supports RSA private and public key operations and loads
+  X.509 certificates from tokens.
+  * Implemented a general purpose TLS stack based on crypto and
+  credential primitives of libstrongswan. libtls supports TLS
+  versions 1.0, 1.1 and 1.2, ECDHE-ECDSA/RSA, DHE-RSA and RSA key
+  exchange algorithms and RSA/ECDSA based client authentication.
+  * Based on libtls, the eap-tls plugin brings certificate based EAP
+  authentication for client and server. It is compatible to Windows
+  7 IKEv2 Smartcard authentication and the OpenSSL based FreeRADIUS
+  EAP-TLS backend.
+  * Implemented the TNCCS 1.1 Trusted Network Connect protocol using
+  the libtnc library on the strongSwan client and server side via
+  the tnccs_11 plugin and optionally connecting to a TNC@FHH-enhanced
+  FreeRADIUS AAA server. Depending on the resulting TNC Recommendation,
+  strongSwan clients are granted access to a network behind a
+  strongSwan gateway (allow), are put into a remediation zone (isolate)
+  or are blocked (none), respectively.
+  Any number of Integrity Measurement Collector/Verifier pairs can be
+  attached via the tnc-imc and tnc-imv charon plugins.
+  * The IKEv1 daemon pluto now uses the same kernel interfaces as the
+  IKEv2 daemon charon. As a result of this, pluto now supports xfrm
+  marks which were introduced in charon with 4.4.1.
+  * The RADIUS plugin eap-radius now supports multiple RADIUS servers
+  for redundant setups. Servers are selected by a defined priority,
+  server load and availability.
+  * The simple led plugin controls hardware LEDs through the Linux LED
+  subsystem. It currently shows activity of the IKE daemon and is a
+  good example how to implement a simple event listener.
+  * Improved MOBIKE behavior in several corner cases, for instance,
+  if the initial responder moves to a different address.
+  * Fixed left-/rightnexthop option, which was broken since 4.4.0.
+  * Fixed a bug not releasing a virtual IP address to a pool if the
+  XAUTH identity was different from the IKE identity.
+  * Fixed the alignment of ModeConfig messages on 4-byte boundaries
+  in the case where the attributes are not a multiple of 4 bytes
+  (e.g. Cisco's UNITY_BANNER).
+  * Fixed the interoperability of the socket_raw and socket_default
+  charon plugins.
+  * Added man page for strongswan.conf
+- Adopted spec file, removed obsolete error range patch.
+
+-------------------------------------------------------------------
+Tue Aug 10 11:43:38 UTC 2010 - mt@suse.de
+
+- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
+  * Support of xfrm marks in IPsec SAs and IPsec policies introduced
+    with the Linux 2.6.34 kernel.
+    For details see the example scenarios ikev2/nat-two-rw-mark,
+    ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
+  * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
+    used in a user-specific updown script to set marks on inbound ESP
+    or ESP_IN_UDP packets.
+  * The openssl plugin now supports X.509 certificate and CRL functions.
+  * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
+    enabled by default.
+    Plase update manual load directives in strongswan.conf.
+  * RFC3779 ipAddrBlock constraint checking has been moved to the
+    addrblock plugin, disabled by default. Enable it and update manual
+    load directives in strongswan.conf, if required.
+  * The pki utility supports CRL generation using the --signcrl command.
+  * The ipsec pki --self, --issue and --req commands now support output
+    in PEM format using the --outform pem option.
+  * The major refactoring of the IKEv1 Mode Config functionality now
+    allows the transport and handling of any Mode Config attribute.
+  * The RADIUS proxy plugin eap-radius now supports multiple servers.
+    Configured servers are chosen randomly, with the option to prefer
+    a specific server.  Non-responding servers are degraded by the
+    selection process.
+  * The ipsec pool tool manages arbitrary configuration attributes
+    stored in an SQL database. ipsec pool --help gives the details.
+  * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
+    EAP-AKA, reading triplets/quintuplets from an SQL database.
+  * The High Availability plugin now supports a HA enabled in-memory
+    address pool and Node reintegration without IKE_SA rekeying. The
+    latter allows clients without IKE_SA rekeying support to keep
+    connected during reintegration. Additionally, many other issues
+    have been fixed in the ha plugin.
+  * Fixed a potential remote code execution vulnerability resulting
+    from the misuse of snprintf(). The vulnerability is exploitable
+    by unauthenticated users.
+- Removed obsolete snprintf security fix, adopted spec file
+- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
+  eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
+- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
+  that are packaged into separate mysql,sqlite,tests sub packages.
+- Disabled sqlite plugin on SLE-10 -- sqlite3 lib is too old there.
+- Applied patch by Jiri Bohac fixing error-type range in parsing of
+  NOTIFY payloads (RFC 4306, section 3.10.1).
+
 -------------------------------------------------------------------
 Fri Jul  2 15:40:17 UTC 2010 - mt@suse.de
 

strongswan.spec

@@ -1,5 +1,5 @@
 #
-# spec file for package strongswan (Version 4.4.0)
+# spec file for package strongswan (Version 4.5.0)
 #
 # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -19,11 +19,11 @@
 
 
 Name:           strongswan
-%define         upstream_version 4.4.0
+%define         upstream_version 4.5.0
 %define         strongswan_docdir  %{_docdir}/%{name}
 %define         strongswan_plugins %{_libexecdir}/ipsec/plugins
-Version:        4.4.0
-Release:        6
+Version:        4.5.0
+Release:        0
 License:        GPLv2+
 Group:          Productivity/Networking/Security
 Summary:        OpenSource IPsec-based VPN Solution
@@ -38,7 +38,6 @@ Source2:        %{name}.init.in
 Source3:        %{name}-%{version}-rpmlintrc
 Source4:        README.SUSE
 Patch1:         %{name}_modprobe_syslog.patch
-Patch2:         %{name}-4.4.0-snprintf-fix.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison flex gmp-devel gperf pkg-config
 BuildRequires:  libcap-devel
@@ -49,7 +48,9 @@ BuildRequires:  curl-devel pam-devel
 %if 0%{suse_version} >= 1110
 BuildRequires:  libuuid-devel
 BuildRequires:  NetworkManager-devel
+BuildRequires:  sqlite3-devel
 %endif
+BuildRequires:  libmysqlclient-devel
 
 %description
 StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
@@ -116,6 +117,44 @@ StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
 
 This package provides the strongswan library and plugins.
 
+%package mysql
+License:        GPLv2+
+Summary:        OpenSource IPsec-based VPN Solution
+Group:          Productivity/Networking/Security
+Requires:       strongswan-libs0 = %{version}
+
+%description mysql
+StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
+
+This package provides the strongswan mysql plugin.
+
+%if 0%{suse_version} >= 1110
+
+%package sqlite
+License:        GPLv2+
+Summary:        OpenSource IPsec-based VPN Solution
+Group:          Productivity/Networking/Security
+Requires:       strongswan-libs0 = %{version}
+
+%description sqlite
+StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
+
+This package provides the strongswan sqlite plugin.
+
+%endif
+
+%package tests
+License:        GPLv2+
+Summary:        OpenSource IPsec-based VPN Solution
+Group:          Productivity/Networking/Security
+Requires:       strongswan-libs0 = %{version}
+
+%description tests
+StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
+
+This package provides the strongswan crypto test-vectors plugin
+and the load testing plugin for IKEv2 daemon.
+
 %package ikev1
 License:        GPLv2+
 Summary:        OpenSource IPsec-based VPN Solution
@@ -190,7 +229,6 @@ NetworkManager-strongswan graphical user interface.
 %prep
 %setup -q -n %{name}-%{upstream_version}
 %patch1 -p0
-%patch2 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g'    \
      < $RPM_SOURCE_DIR/strongswan.init.in \
      > strongswan.init
@@ -211,24 +249,36 @@ export RPM_OPT_FLAGS CFLAGS
 	--enable-cisco-quirks \
 	--enable-openssl \
 	--enable-agent \
+	--enable-md4 \
+	--enable-blowfish \
+	--enable-eap-sim \
+	--enable-eap-sim-file \
+	--enable-eap-simaka-sql \
+	--enable-eap-simaka-pseudonym \
+	--enable-eap-simaka-reauth \
 	--enable-eap-md5 \
 	--enable-eap-gtc \
 	--enable-eap-aka \
 	--enable-eap-radius \
 	--enable-eap-identity \
 	--enable-eap-mschapv2 \
+	--enable-eap-aka-3gpp2 \
 	--enable-ha \
 	--enable-dhcp \
 	--enable-farp \
 	--enable-sql \
 	--enable-attr-sql \
-	--enable-socket-dynamic \
+	--enable-addrblock \
 %if 0%{suse_version} >= 1110
 	--enable-gcrypt \
 	--enable-nm \
+	--enable-sqlite \
 %endif
 	--enable-ldap \
-	--enable-curl
+	--enable-curl \
+	--enable-mysql \
+	--enable-load-tester \
+	--enable-test-vectors
 make %{?_smp_mflags:%_smp_mflags}
 
 %install
@@ -308,6 +358,7 @@ fi
 %{_mandir}/man8/ipsec.8*
 %{_mandir}/man5/ipsec.conf.5*
 %{_mandir}/man5/ipsec.secrets.5*
+%{_mandir}/man5/strongswan.conf.5*
 %dir %{_libexecdir}/ipsec
 %{_libexecdir}/ipsec/_updown
 %{_libexecdir}/ipsec/_updown_espmark
@@ -390,20 +441,28 @@ fi
 %dir %{_libexecdir}/ipsec/pool
 %{_libexecdir}/ipsec/libchecksum.so
 %dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-addrblock.so
 %{strongswan_plugins}/libstrongswan-aes.so
 %{strongswan_plugins}/libstrongswan-agent.so
 %{strongswan_plugins}/libstrongswan-attr.so
 %{strongswan_plugins}/libstrongswan-attr-sql.so
+%{strongswan_plugins}/libstrongswan-blowfish.so
 %{strongswan_plugins}/libstrongswan-curl.so
 %{strongswan_plugins}/libstrongswan-des.so
 %{strongswan_plugins}/libstrongswan-dhcp.so
 %{strongswan_plugins}/libstrongswan-dnskey.so
+%{strongswan_plugins}/libstrongswan-eap-aka-3gpp2.so
 %{strongswan_plugins}/libstrongswan-eap-aka.so
 %{strongswan_plugins}/libstrongswan-eap-gtc.so
 %{strongswan_plugins}/libstrongswan-eap-identity.so
 %{strongswan_plugins}/libstrongswan-eap-md5.so
 %{strongswan_plugins}/libstrongswan-eap-mschapv2.so
 %{strongswan_plugins}/libstrongswan-eap-radius.so
+%{strongswan_plugins}/libstrongswan-eap-simaka-pseudonym.so
+%{strongswan_plugins}/libstrongswan-eap-simaka-reauth.so
+%{strongswan_plugins}/libstrongswan-eap-simaka-sql.so
+%{strongswan_plugins}/libstrongswan-eap-sim-file.so
+%{strongswan_plugins}/libstrongswan-eap-sim.so
 %{strongswan_plugins}/libstrongswan-farp.so
 %{strongswan_plugins}/libstrongswan-fips-prf.so
 %if 0%{suse_version} >= 1110
@@ -414,6 +473,7 @@ fi
 %{strongswan_plugins}/libstrongswan-hmac.so
 %{strongswan_plugins}/libstrongswan-kernel-netlink.so
 %{strongswan_plugins}/libstrongswan-ldap.so
+%{strongswan_plugins}/libstrongswan-md4.so
 %{strongswan_plugins}/libstrongswan-md5.so
 %{strongswan_plugins}/libstrongswan-openssl.so
 %{strongswan_plugins}/libstrongswan-pem.so
@@ -422,13 +482,32 @@ fi
 %{strongswan_plugins}/libstrongswan-pubkey.so
 %{strongswan_plugins}/libstrongswan-random.so
 %{strongswan_plugins}/libstrongswan-resolve.so
+%{strongswan_plugins}/libstrongswan-revocation.so
 %{strongswan_plugins}/libstrongswan-sha1.so
 %{strongswan_plugins}/libstrongswan-sha2.so
-%{strongswan_plugins}/libstrongswan-socket-dynamic.so
-%{strongswan_plugins}/libstrongswan-socket-raw.so
+%{strongswan_plugins}/libstrongswan-socket*.so
 %{strongswan_plugins}/libstrongswan-sql.so
 %{strongswan_plugins}/libstrongswan-x509.so
+%{strongswan_plugins}/libstrongswan-xauth.so
 %{strongswan_plugins}/libstrongswan-xcbc.so
 %dir %ghost %{_localstatedir}/run/strongswan
 
+%files mysql
+%defattr(-,root,root)
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-mysql.so
+
+%if 0%{suse_version} >= 1110
+%files sqlite
+%defattr(-,root,root)
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-sqlite.so
+%endif
+
+%files tests
+%defattr(-,root,root)
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-load-tester.so
+%{strongswan_plugins}/libstrongswan-test-vectors.so
+
 %changelog