diff --git a/README.SUSE b/README.SUSE index 140478d..ae2311b 100644 --- a/README.SUSE +++ b/README.SUSE @@ -1,14 +1,30 @@ Dear Customer, -this package does no provide any files any more, but triggers the -installation of both, IKEv1 (pluto) and IKEv2 (charon) daemons and -the traditional starter scripts inclusive of the /etc/init.d/ipsec -init script and /etc/ipsec.conf file. +please note, that the strongswan release 4.5 changes the keyexchange mode +to IKEv2 as default -- from strongswan-4.5.0/NEWS: +"[...] +IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5 +from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the +IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively +come for IKEv1 to go into retirement and to cede its place to the much more +robust, powerful and versatile IKEv2 protocol! +[...]" -There is a new strongswan-nm package with a NetworkManager plugin -to control the charon IKEv2 daemon through D-Bus, designed to work -using the NetworkManager-strongswan graphical user interface. -It does not depend on the traditional starter scripts, but on the -IKEv2 charon daemon and plugins only. +This requires adoption of either the "conn %default" or all other IKEv1 +"conn" sections in the /etc/ipsec.conf to use explicit: + + keyexchange=ikev1 + + +The strongswan package does no provide any files any more, but triggers +the installation of both, IKEv1 (pluto) and IKEv2 (charon) daemons and the +traditional starter scripts inclusive of the /etc/init.d/ipsec init script +and /etc/ipsec.conf file. + +There is a new strongswan-nm package with a NetworkManager plugin to +control the charon IKEv2 daemon through D-Bus, designed to work using the +NetworkManager-strongswan graphical user interface. +It does not depend on the traditional starter scripts, but on the IKEv2 +charon daemon and plugins only. Have a lot of fun... 
diff --git a/strongswan-4.5.0-rpmlintrc b/strongswan-4.5.0-rpmlintrc new file mode 100644 index 0000000..1a4d703 --- /dev/null +++ b/strongswan-4.5.0-rpmlintrc @@ -0,0 +1,5 @@ +### Known warnings: +# - traditional name +addFilter("strongswan.* incoherent-init-script-name ipsec") +# - readme only, triggers full ipsec + ikev1&ikev2 install +addFilter("strongswan.* no-binary") diff --git a/strongswan-4.5.0.tar.bz2 b/strongswan-4.5.0.tar.bz2 new file mode 100644 index 0000000..11ae48f --- /dev/null +++ b/strongswan-4.5.0.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:108b0fbbf119011b24eb6ccabc3d9f8888f4036382dd3aad011dec04100ad559 +size 3154064 diff --git a/strongswan-4.5.0.tar.bz2.sig b/strongswan-4.5.0.tar.bz2.sig new file mode 100644 index 0000000..0d16c14 --- /dev/null +++ b/strongswan-4.5.0.tar.bz2.sig @@ -0,0 +1,14 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.10 (GNU/Linux) + +iQGcBAABAgAGBQJMykZ7AAoJEN9CwXCzTbp36BYL/A9q4F2n7EHvVW7HTmG6ogMw +are1n1ZYRdqUmrdk2woCqJPfkzihHMa1nc7u6hgucRDi7wJfJBXoAT0Rvd9AN8qw +bKuaajKRvXFA14qtORvkX4z+Se+/nqL3+ZlvlnPS6rgpdBD+kZY+sFNdSAhJxShJ +zbJ4U+jnO74pyzp8I9hp1HccPKJjt/ljlCB7izPqJ1bQAbrNTQr90JHPNz9BSQkq +BIF5T+nsRWE1p2tWzz6IAjvbC3ghc2lmVy5FGKjItMXWxsyCYuira4MlbGp2ObKE +1aa9QbNYxJ0aD0vsX+r8usXvpdq5QLQotp1bLG2m2XYWdzC4yBwRHj2pS8JHIENP +y9o4za9finsG1Ahb661+2Pw7xO/R2blLDDQyhxH5e6AO7p4Pz050yiicCxVKEwG0 +mJM6c5TbAerBCH2ovgwNeGV3hsOt9ng7e63SMIBkYtN41uQV8hqUjZbtYcvpsER2 +bB/Jdp14aR1F9jMgEmt/I6tNHizJWvB5FFGLqH2cTQ== +=o5iz +-----END PGP SIGNATURE----- diff --git a/strongswan.changes b/strongswan.changes index b09707f..2b05921 100644 --- a/strongswan.changes +++ b/strongswan.changes 
@@ -1,3 +1,109 @@ +------------------------------------------------------------------- +Tue Nov 16 12:01:46 UTC 2010 - mt@suse.de + +- Updated to strongSwan 4.5.0 release, changes since 4.4.1 are: + * IMPORTANT: the default keyexchange mode 'ike' is changing with + release 4.5 from 'ikev1' to 'ikev2', thus commemorating the five + year anniversary of the IKEv2 RFC 4306 and its mature successor + RFC 5996. The time has definitively come for IKEv1 to go into + retirement and to cede its place to the much more robust, powerful + and versatile IKEv2 protocol! + * Added new ctr, ccm and gcm plugins providing Counter, Counter + with CBC-MAC and Galois/Counter Modes based on existing CBC + implementations. These new plugins bring support for AES and + Camellia Counter and CCM algorithms and the AES GCM algorithms + for use in IKEv2. + * The new pkcs11 plugin brings full Smartcard support to the IKEv2 + daemon and the pki utility using one or more PKCS#11 libraries. It + currently supports RSA private and public key operations and loads + X.509 certificates from tokens. + * Implemented a general purpose TLS stack based on crypto and + credential primitives of libstrongswan. libtls supports TLS + versions 1.0, 1.1 and 1.2, ECDHE-ECDSA/RSA, DHE-RSA and RSA key + exchange algorithms and RSA/ECDSA based client authentication. + * Based on libtls, the eap-tls plugin brings certificate based EAP + authentication for client and server. It is compatible to Windows + 7 IKEv2 Smartcard authentication and the OpenSSL based FreeRADIUS + EAP-TLS backend. + * Implemented the TNCCS 1.1 Trusted Network Connect protocol using + the libtnc library on the strongSwan client and server side via + the tnccs_11 plugin and optionally connecting to a TNC@FHH-enhanced + FreeRADIUS AAA server. 
Depending on the resulting TNC Recommendation, + strongSwan clients are granted access to a network behind a + strongSwan gateway (allow), are put into a remediation zone (isolate) + or are blocked (none), respectively. + Any number of Integrity Measurement Collector/Verifier pairs can be + attached via the tnc-imc and tnc-imv charon plugins. + * The IKEv1 daemon pluto now uses the same kernel interfaces as the + IKEv2 daemon charon. As a result of this, pluto now supports xfrm + marks which were introduced in charon with 4.4.1. + * The RADIUS plugin eap-radius now supports multiple RADIUS servers + for redundant setups. Servers are selected by a defined priority, + server load and availability. + * The simple led plugin controls hardware LEDs through the Linux LED + subsystem. It currently shows activity of the IKE daemon and is a + good example how to implement a simple event listener. + * Improved MOBIKE behavior in several corner cases, for instance, + if the initial responder moves to a different address. + * Fixed left-/rightnexthop option, which was broken since 4.4.0. + * Fixed a bug not releasing a virtual IP address to a pool if the + XAUTH identity was different from the IKE identity. + * Fixed the alignment of ModeConfig messages on 4-byte boundaries + in the case where the attributes are not a multiple of 4 bytes + (e.g. Cisco's UNITY_BANNER). + * Fixed the interoperability of the socket_raw and socket_default + charon plugins. + * Added man page for strongswan.conf +- Adopted spec file, removed obsolete error range patch. + +------------------------------------------------------------------- +Tue Aug 10 11:43:38 UTC 2010 - mt@suse.de + +- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are: + * Support of xfrm marks in IPsec SAs and IPsec policies introduced + with the Linux 2.6.34 kernel. + For details see the example scenarios ikev2/nat-two-rw-mark, + ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp. 
+ * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be + used in a user-specific updown script to set marks on inbound ESP + or ESP_IN_UDP packets. + * The openssl plugin now supports X.509 certificate and CRL functions. + * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, + enabled by default. + Plase update manual load directives in strongswan.conf. + * RFC3779 ipAddrBlock constraint checking has been moved to the + addrblock plugin, disabled by default. Enable it and update manual + load directives in strongswan.conf, if required. + * The pki utility supports CRL generation using the --signcrl command. + * The ipsec pki --self, --issue and --req commands now support output + in PEM format using the --outform pem option. + * The major refactoring of the IKEv1 Mode Config functionality now + allows the transport and handling of any Mode Config attribute. + * The RADIUS proxy plugin eap-radius now supports multiple servers. + Configured servers are chosen randomly, with the option to prefer + a specific server. Non-responding servers are degraded by the + selection process. + * The ipsec pool tool manages arbitrary configuration attributes + stored in an SQL database. ipsec pool --help gives the details. + * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and + EAP-AKA, reading triplets/quintuplets from an SQL database. + * The High Availability plugin now supports a HA enabled in-memory + address pool and Node reintegration without IKE_SA rekeying. The + latter allows clients without IKE_SA rekeying support to keep + connected during reintegration. Additionally, many other issues + have been fixed in the ha plugin. + * Fixed a potential remote code execution vulnerability resulting + from the misuse of snprintf(). The vulnerability is exploitable + by unauthenticated users. 
+- Removed obsolete snprintf security fix, adopted spec file +- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth, + eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins. +- Enabled the mysql, sqlite, load-tester and test-vectors plugins, + that are packaged into separate mysql,sqlite,tests sub packages. +- Disabled sqlite plugin on SLE-10 -- sqlite3 lib is too old there. +- Applied patch by Jiri Bohac fixing error-type range in parsing of + NOTIFY payloads (RFC 4306, section 3.10.1). + ------------------------------------------------------------------- Fri Jul 2 15:40:17 UTC 2010 - mt@suse.de diff --git a/strongswan.spec b/strongswan.spec index 460a08a..32af3af 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,5 +1,5 @@ # -# spec file for package strongswan (Version 4.4.0) +# spec file for package strongswan (Version 4.5.0) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -19,11 +19,11 @@ Name: strongswan -%define upstream_version 4.4.0 +%define upstream_version 4.5.0 %define strongswan_docdir %{_docdir}/%{name} %define strongswan_plugins %{_libexecdir}/ipsec/plugins -Version: 4.4.0 -Release: 6 +Version: 4.5.0 +Release: 0 License: GPLv2+ Group: Productivity/Networking/Security Summary: OpenSource IPsec-based VPN Solution @@ -38,7 +38,6 @@ Source2: %{name}.init.in Source3: %{name}-%{version}-rpmlintrc Source4: README.SUSE Patch1: %{name}_modprobe_syslog.patch -Patch2: %{name}-4.4.0-snprintf-fix.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison flex gmp-devel gperf pkg-config BuildRequires: libcap-devel @@ -49,7 +48,9 @@ BuildRequires: curl-devel pam-devel %if 0%{suse_version} >= 1110 BuildRequires: libuuid-devel BuildRequires: NetworkManager-devel +BuildRequires: sqlite3-devel %endif +BuildRequires: libmysqlclient-devel %description StrongSwan is an OpenSource IPsec-based VPN Solution for Linux 
@@ -116,6 +117,44 @@ StrongSwan is an OpenSource IPsec-based VPN Solution for Linux This package provides the strongswan library and plugins. +%package mysql +License: GPLv2+ +Summary: OpenSource IPsec-based VPN Solution +Group: Productivity/Networking/Security +Requires: strongswan-libs0 = %{version} + +%description mysql +StrongSwan is an OpenSource IPsec-based VPN Solution for Linux + +This package provides the strongswan mysql plugin. + +%if 0%{suse_version} >= 1110 + +%package sqlite +License: GPLv2+ +Summary: OpenSource IPsec-based VPN Solution +Group: Productivity/Networking/Security +Requires: strongswan-libs0 = %{version} + +%description sqlite +StrongSwan is an OpenSource IPsec-based VPN Solution for Linux + +This package provides the strongswan sqlite plugin. + +%endif + +%package tests +License: GPLv2+ +Summary: OpenSource IPsec-based VPN Solution +Group: Productivity/Networking/Security +Requires: strongswan-libs0 = %{version} + +%description tests +StrongSwan is an OpenSource IPsec-based VPN Solution for Linux + +This package provides the strongswan crypto test-vectors plugin +and the load testing plugin for IKEv2 daemon. + %package ikev1 License: GPLv2+ Summary: OpenSource IPsec-based VPN Solution @@ -190,7 +229,6 @@ NetworkManager-strongswan graphical user interface. %prep %setup -q -n %{name}-%{upstream_version} %patch1 -p0 -%patch2 -p1 sed -e 's|@libexecdir@|%_libexecdir|g' \ < $RPM_SOURCE_DIR/strongswan.init.in \ > strongswan.init 
@@ -211,24 +249,36 @@ export RPM_OPT_FLAGS CFLAGS --enable-cisco-quirks \ --enable-openssl \ --enable-agent \ + --enable-md4 \ + --enable-blowfish \ + --enable-eap-sim \ + --enable-eap-sim-file \ + --enable-eap-simaka-sql \ + --enable-eap-simaka-pseudonym \ + --enable-eap-simaka-reauth \ --enable-eap-md5 \ --enable-eap-gtc \ --enable-eap-aka \ --enable-eap-radius \ --enable-eap-identity \ --enable-eap-mschapv2 \ + --enable-eap-aka-3gpp2 \ --enable-ha \ --enable-dhcp \ --enable-farp \ --enable-sql \ --enable-attr-sql \ - --enable-socket-dynamic \ + --enable-addrblock \ %if 0%{suse_version} >= 1110 --enable-gcrypt \ --enable-nm \ + --enable-sqlite \ %endif --enable-ldap \ - --enable-curl + --enable-curl \ + --enable-mysql \ + --enable-load-tester \ + --enable-test-vectors make %{?_smp_mflags:%_smp_mflags} %install @@ -308,6 +358,7 @@ fi %{_mandir}/man8/ipsec.8* %{_mandir}/man5/ipsec.conf.5* %{_mandir}/man5/ipsec.secrets.5* +%{_mandir}/man5/strongswan.conf.5* %dir %{_libexecdir}/ipsec %{_libexecdir}/ipsec/_updown %{_libexecdir}/ipsec/_updown_espmark 
@@ -390,20 +441,28 @@ fi %dir %{_libexecdir}/ipsec/pool %{_libexecdir}/ipsec/libchecksum.so %dir %{strongswan_plugins} +%{strongswan_plugins}/libstrongswan-addrblock.so %{strongswan_plugins}/libstrongswan-aes.so %{strongswan_plugins}/libstrongswan-agent.so %{strongswan_plugins}/libstrongswan-attr.so %{strongswan_plugins}/libstrongswan-attr-sql.so +%{strongswan_plugins}/libstrongswan-blowfish.so %{strongswan_plugins}/libstrongswan-curl.so %{strongswan_plugins}/libstrongswan-des.so %{strongswan_plugins}/libstrongswan-dhcp.so %{strongswan_plugins}/libstrongswan-dnskey.so +%{strongswan_plugins}/libstrongswan-eap-aka-3gpp2.so %{strongswan_plugins}/libstrongswan-eap-aka.so %{strongswan_plugins}/libstrongswan-eap-gtc.so %{strongswan_plugins}/libstrongswan-eap-identity.so %{strongswan_plugins}/libstrongswan-eap-md5.so %{strongswan_plugins}/libstrongswan-eap-mschapv2.so %{strongswan_plugins}/libstrongswan-eap-radius.so +%{strongswan_plugins}/libstrongswan-eap-simaka-pseudonym.so +%{strongswan_plugins}/libstrongswan-eap-simaka-reauth.so +%{strongswan_plugins}/libstrongswan-eap-simaka-sql.so +%{strongswan_plugins}/libstrongswan-eap-sim-file.so +%{strongswan_plugins}/libstrongswan-eap-sim.so %{strongswan_plugins}/libstrongswan-farp.so %{strongswan_plugins}/libstrongswan-fips-prf.so %if 0%{suse_version} >= 1110 @@ -414,6 +473,7 @@ fi %{strongswan_plugins}/libstrongswan-hmac.so %{strongswan_plugins}/libstrongswan-kernel-netlink.so %{strongswan_plugins}/libstrongswan-ldap.so +%{strongswan_plugins}/libstrongswan-md4.so %{strongswan_plugins}/libstrongswan-md5.so %{strongswan_plugins}/libstrongswan-openssl.so %{strongswan_plugins}/libstrongswan-pem.so 
@@ -422,13 +482,32 @@ fi %{strongswan_plugins}/libstrongswan-pubkey.so %{strongswan_plugins}/libstrongswan-random.so %{strongswan_plugins}/libstrongswan-resolve.so +%{strongswan_plugins}/libstrongswan-revocation.so %{strongswan_plugins}/libstrongswan-sha1.so %{strongswan_plugins}/libstrongswan-sha2.so -%{strongswan_plugins}/libstrongswan-socket-dynamic.so -%{strongswan_plugins}/libstrongswan-socket-raw.so +%{strongswan_plugins}/libstrongswan-socket*.so %{strongswan_plugins}/libstrongswan-sql.so %{strongswan_plugins}/libstrongswan-x509.so +%{strongswan_plugins}/libstrongswan-xauth.so %{strongswan_plugins}/libstrongswan-xcbc.so %dir %ghost %{_localstatedir}/run/strongswan +%files mysql +%defattr(-,root,root) +%dir %{strongswan_plugins} +%{strongswan_plugins}/libstrongswan-mysql.so + +%if 0%{suse_version} >= 1110 +%files sqlite +%defattr(-,root,root) +%dir %{strongswan_plugins} +%{strongswan_plugins}/libstrongswan-sqlite.so +%endif + +%files tests +%defattr(-,root,root) +%dir %{strongswan_plugins} +%{strongswan_plugins}/libstrongswan-load-tester.so +%{strongswan_plugins}/libstrongswan-test-vectors.so + %changelog
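Review bot: in the README.SUSE hunk, the typo "does no provide any files any more" is carried over unchanged into the rewritten last paragraph; since that paragraph is being reflowed anyway, make it "does not provide any files any more" and drop the stray comma in "both, IKEv1 (pluto) and IKEv2 (charon) daemons". The new keyexchange paragraph is the part an upgrading admin needs, and it states the consequence only indirectly ("This requires adoption of ..."): say plainly that after the update any "conn" section without an explicit keyexchange= will be negotiated as IKEv2, so a peer that only speaks IKEv1 will stop connecting until keyexchange=ikev1 is set, either once in "conn %default" or in each IKEv1 conn.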
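Review bot: strongswan-4.5.0.tar.bz2.sig is added as a detached GnuPG signature, but nothing in the visible strongswan.spec hunks references it: the only Source lines shown are Source2 to Source4 and no keyring file is added, so the build as described never checks the tarball against the signature. Either wire the signature and the upstream signing key into source validation, or record in strongswan.changes that the signature was verified by hand; the sha256 in the LFS pointer (108b0fbb...) pins the file content that was committed but says nothing about where it came from.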
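Review bot: typo in the 4.4.1 entry of strongswan.changes: "Plase update manual load directives" should read "Please update manual load directives". The same entry also says "Applied patch by Jiri Bohac fixing error-type range in parsing of NOTIFY payloads" and the 4.5.0 entry says "removed obsolete error range patch", but the spec diff in this commit goes straight from Version 4.4.0 Release 6 to 4.5.0 and the only patch it drops is Patch2 (%{name}-4.4.0-snprintf-fix.diff); no error-range patch is ever added to or removed from the spec. Either the intermediate 4.4.1 spec state is missing from the history or those two lines should be reworded so the changelog matches what actually ships. Since the 4.4.1 entry also records the fix for the snprintf() remote code execution issue exploitable by unauthenticated users, it is worth keeping that line near the top of the combined update so it is not lost in the feature list.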
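Review bot: in the %build hunk, --enable-socket-dynamic is removed from the configure line (replaced in place by --enable-addrblock), yet neither changelog entry mentions dropping the socket-dynamic plugin; the 4.5.0 entry only says "Adopted spec file". State it explicitly in strongswan.changes, because a strongswan.conf that names socket-dynamic in a manual load directive (the 4.4.1 entry already asks users to update such directives for revocation and addrblock) will now refer to a plugin that is no longer packaged.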
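Review bot: in the %files hunk, replacing the two explicit entries libstrongswan-socket-dynamic.so and libstrongswan-socket-raw.so with the glob %{strongswan_plugins}/libstrongswan-socket*.so hides which socket plugins the package ships and will silently absorb whatever socket plugin a future configure run happens to build. List them explicitly (libstrongswan-socket-raw.so plus, following the naming pattern, the file for the socket_default plugin the 4.5.0 changelog mentions) so an unexpected plugin fails the build instead of being packaged unnoticed. Likewise libstrongswan-revocation.so and libstrongswan-xauth.so are added to %files with no matching --enable flag in %build; that is consistent with the changelog saying revocation is "enabled by default", but a short comment in the spec saying these are built by default would save the next packager a search.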
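Review bot: the new mysql, sqlite and tests subpackages all reuse the generic Summary "OpenSource IPsec-based VPN Solution"; give each a distinct summary (for example "strongSwan MySQL plugin") so rpm -qi can tell them apart. For the tests subpackage in particular, the changelog describes load-tester as a load testing plugin for the IKEv2 daemon, so it belongs in a package that production gateways never pull in: the Requires on strongswan-libs0 points the right way, but double-check that no main package ends up depending on strongswan-tests, and say in %description tests that the package is intended for test setups rather than production use.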