pool/strongswan
SHA256
4
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[info=abdc3edde3ca7173e4de70715f39c695bb0e08687724782c783ece5161de4ad1]

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=168
This commit is contained in:
OBS User unknown 2024-12-04 01:17:28 +00:00 committed by Git OBS Bridge
commit aa0b45e732
19 changed files with 3781 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

27
0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch Normal file
View File

@ -0,0 +1,27 @@
From 4e16732c1c668c27e73574724d2d90537a74f67a Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 17 Jun 2016 18:19:48 +0200
Subject: [PATCH] ikev1: Don't retransmit Aggressive Mode response
These could theoretically be used for an amplified DDoS attack.
---
src/libcharon/sa/ikev1/task_manager_v1.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index 48ec3e7..0912555 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -770,8 +770,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
continue;
case NEED_MORE:
/* processed, but task needs another exchange */
- if (task->get_type(task) == TASK_QUICK_MODE ||
- task->get_type(task) == TASK_AGGRESSIVE_MODE)
+ if (task->get_type(task) == TASK_QUICK_MODE)
{ /* we rely on initiator retransmission, except for
* three-message exchanges */
expect_request = TRUE;
--
2.13.2

54
README.SUSE Normal file
View File

@ -0,0 +1,54 @@
Dear Customer,
please note, that the strongswan release 4.5 changes the keyexchange mode
to IKEv2 as default -- from strongswan-4.5.0/NEWS:
"[...]
IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
come for IKEv1 to go into retirement and to cede its place to the much more
robust, powerful and versatile IKEv2 protocol!
[...]"
This requires adoption of either the "conn %default" or all other IKEv1
"conn" sections in the /etc/ipsec.conf to use explicit:
keyexchange=ikev1
The charon daemon in strongswan 5.x versions supports IKEv1 and IKEv2,
thus a separate pluto IKEv1 daemon is not needed / not shipped any more.
The strongswan package does not provide any files except of this README,
but triggers the installation of the charon daemon and the "traditional"
strongswan-ipsec package providing the "ipsec" script and service.
The ipsec.service is an alias link to the "strongswan.service" systemd
service unit and created by "systemctl enable strongswan.service".
There is a new strongswan-nm package with a NetworkManager specific charon-nm
binary controlling the charon daemon through D-Bus and designed to work using
the NetworkManager-strongswan graphical user interface.
It does not depend on the traditional starter scripts, but on the IKEv2
charon daemon and plugins only.
The stongswan-hmac package provides the fips hmac hash files, a _fipscheck
script and a /etc/strongswan.d/charon/zzz_fips-enforce.conf config file,
which disables all non-openssl algorithm implementations.
When fips operation mode is enabled in the kernel using the fips=1 boot
parameter, the strongswan fips checks are executed in front of any start
action of the "ipsec" script provided by the "strongswan-ipsec" package
and a verification problem causes a failure as required by fips-140-2.
Further, it is not required to enable the fips_mode in the openssl plugin
(/etc/strongswan.d/charon/openssl.conf); the kernel entablement enables
it automatically as needed.
The "ipsec _fipscheck" command allows to execute the fips checks manually
without a check if fips is enabled (/proc/sys/crypto/fips_enabled is 1),
e.g. for testing purposes.
Have a lot of fun...

4
_scmsync.obsinfo Normal file
View File

@ -0,0 +1,4 @@
mtime: 1733275015
commit: abdc3edde3ca7173e4de70715f39c695bb0e08687724782c783ece5161de4ad1
url: https://src.opensuse.org/jengelh/strongswan
revision: master

3
build.specials.obscpio Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:267097dbd2532911c7dca6ee1d2db36daf54029b43a67ddfb953c3626af2b73b
size 256

51
fips-enforce.conf Normal file
View File

@ -0,0 +1,51 @@
#
# When fips is enabled (fips=1 kernel parameter), only certified openssl
# and kernel crypto API (af-alg) algorithms are supported.
#
# The strongswan-hmac package is supposed to be used/installed when fips
# is enabled and provides this blacklist disabling other plugins
# providing further and/or alternative algorithm implementations.
#
gcrypt {
load = no
}
blowfish {
load = no
}
random {
load = no
}
des {
load = no
}
aes {
load = no
}
rc2 {
load = no
}
ctr {
load = no
}
cmac {
load = no
}
xcbc {
load = no
}
md4 {
load = no
}
md5 {
load = no
}
sha1 {
load = no
}
sha2 {
load = no
}
ccm {
load = no
}

26
harden_strongswan.service.patch Normal file
View File

@ -0,0 +1,26 @@
---
init/systemd/strongswan.service.in | 11 +++++++++++
1 file changed, 11 insertions(+)
Index: strongswan-6.0.0/init/systemd/strongswan.service.in
===================================================================
--- strongswan-6.0.0.orig/init/systemd/strongswan.service.in
+++ strongswan-6.0.0/init/systemd/strongswan.service.in
@@ -4,6 +4,17 @@ After=network-online.target
Wants=network-online.target
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=notify
ExecStart=@SBINDIR@/charon-systemd
ExecStartPost=@SBINDIR@/swanctl --load-all --noprompt

31
init.patch Normal file
View File

@ -0,0 +1,31 @@
From c58507ff186ae9cf014c0b54082c8bf74aef3219 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Tue, 3 Dec 2024 21:56:33 +0100
Subject: [PATCH] init: put strongswan-starter.service behind USE_FILE_CONFIG
References: https://github.com/strongswan/strongswan/pull/2553
stroke is no longer enabled by default, but the systemd unit
still is copied on `make install`. Fix that.
---
init/Makefile.am | 2 ++
1 file changed, 2 insertions(+)
diff --git a/init/Makefile.am b/init/Makefile.am
index 54c090cea..824ebd695 100644
--- a/init/Makefile.am
+++ b/init/Makefile.am
@@ -3,9 +3,11 @@ SUBDIRS =
if USE_LEGACY_SYSTEMD
if USE_CHARON
+if USE_FILE_CONFIG
SUBDIRS += systemd-starter
endif
endif
+endif
if USE_SYSTEMD
if USE_SWANCTL
--
2.47.1

BIN
strongswan-5.9.14.tar.bz2 (Stored with Git LFS) Normal file
View File

Binary file not shown.

14
strongswan-5.9.14.tar.bz2.sig Normal file
View File

@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmX5cHAACgkQ30LBcLNN
une5oAwAiNFc9r4zuuJ9+Qd3q4AYTiCa7g4j6OhneQwY7Y6fzYOROfKKDzPoDhwJ
juU5vj+5d9yKVLEEueACCY2hM9cmAZL3mWMy5s86FmrNQcPRJ24cU19ZkyoxKGZ9
8lvEtPzb5r5aTrdJnSu3rydGK7nSVysxA5ZyamviUndx1lWUkGYlz3lKMl8xm2qa
QNCnBQiUcwm9mADl4txlxkCvSDPb1Ez7Y40K5lVTpKa/awaM9e9JuKXSgOJmBUBY
C/E8pCzC8lENEoq5EZI/eV7VNwlc1ussqp2iSj0Nhy45cmXvCHpCIslkhPuReQzW
nNDFbuMGiDzCvD2RNdi+l1z+74oLPFeC7663K2/VYMMobqwYVhdC4hg/PMOzDa1x
L18Y7Pffna4gNa/jarx1U7fMFLW4c0q5DVvM8qoLtnc7Q9zFw4A+EU6i3sFa5EF+
aVNbmHTIBXnf0YVoHmuOgjRH9kjjshnl/kSszOeW+wkoZzhuJkTzz/gllc9YWQNG
y+PFcIVK
=dVex
-----END PGP SIGNATURE-----

BIN
strongswan-6.0.0.tar.bz2 (Stored with Git LFS) Normal file
View File

Binary file not shown.

14
strongswan-6.0.0.tar.bz2.sig Normal file
View File

@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmdO+hMACgkQ30LBcLNN
undilgwAgiT5p2PyMhwSp4qo1EUX8+PWwJ9Plqz7TNCCdFJe3uYre3hM2K5hFey0
azrPrqZ2HWtBycH0gI4BFzUSVO8E4SZOBQnPH/g3bsFg9VU71ML30LdZYx+Lg7wK
7AaMxYhl7xIvfb4D8+ZpYV6bSDH0o2tRN5h5gPk4IECOTTRhsLWL89IL8xOXgNPj
ao0meIUNfvg6cl1uLFff/c7H7cAGSFsKPSWtMWLfK0PglW4LVJJvr5PhGsduVPsE
JwY2VAMVi1BI1Y7I1WxS7T1qEAXLKAuNHKJHgIvd3xvSM1Q197qFrGyuujDQV5Yn
Olp583ccs2LJbfmDQiPD/AHeDpikMMtBZ3Hk7Od3CqRVpeIDyBC0/oEwiascw6Q4
5SDclgEdL9jHU7Uo1Z9v+Ltn0lihGAkAsAMgJMFyfCFiB03yCXFQu34PK65ZoIk7
GN3XeUqu7sdmK7Tg4RbsrZ1P7J9TiFllMiu7noYVluhW4My68A76yHIbk66i8DwF
pzxPfTqH
=8zOA
-----END PGP SIGNATURE-----

9
strongswan-rpmlintrc Normal file
View File

@ -0,0 +1,9 @@
### Known warnings:
# - traditional name
addFilter("strongswan.* incoherent-init-script-name ipsec")
# - readme only, triggers full ipsec + ikev1&ikev2 install
addFilter("strongswan.* no-binary")
# - link to init script, covered by service(8)
addFilter("strongswan.* no-manual-page-for-binary rcipsec")
# - no, restating tunnels on update may break the update
addFilter("strongswan.*restart_on_update-postun /etc/init.d/ipsec")

2285
strongswan.changes Normal file
View File

File diff suppressed because it is too large Load Diff

278
strongswan.init.in Normal file
View File

@ -0,0 +1,278 @@
#!/bin/bash
#
# SUSE/LSB system startup script for strongswan ipsec
#
# Copyright (C) 2007 Marius Tomaschewski, SUSE / Novell Inc.
# based on /etc/init.d/skeleton.compat by Kurt Garloff.
#
# This library is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or (at
# your option) any later version.
#
# This library is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
# USA.
#
# /etc/init.d/ipsec
# and its symbolic link
# /usr/sbin/rcipsec
#
# LSB compatible service control script; see http://www.linuxbase.org/spec/
# Please send feedback to http://www.suse.de/feedback/
#
# Note: This script uses functions rc_XXX defined in /etc/rc.status on
# UnitedLinux/SUSE/Novell based Linux distributions. However, it shoule
# work on other distributions as well, by using the LSB (Linux Standard
# Base) or RH functions or by open coding the needed functions.
#
# chkconfig: 345 99 00
# description: StrongSwan IPsec
#
### BEGIN INIT INFO
# Provides: ipsec
# Required-Start: $syslog $remote_fs $named
# Should-Start: $time
# Required-Stop: $syslog $remote_fs $named
# Should-Stop: $time
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: StrongSwan IPsec
# Description: StrongSwan IPsec provides encrypted and authenticated
# communication via a unsafe network, such as the internet.
# This scripts loads the kernel modules and starts the user-space setup.
### END INIT INFO
# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
IPSEC_CMD="/usr/sbin/ipsec"
test -x $IPSEC_CMD || {
echo "$IPSEC_CMD not installed";
if [ "$1" = "stop" ]; then exit 0; else exit 5; fi;
}
IPSEC_STARTER="@libexecdir@/ipsec/starter"
test -x $IPSEC_STARTER || {
echo "$IPSEC_STARTER not installed";
if [ "$1" = "stop" ]; then exit 0; else exit 5; fi;
}
# The pid file of the ipsec starter
IPSEC_PIDFILE="/var/run/starter.pid"
# Check for existence of needed config files
IPSEC_CONFIG="/etc/ipsec.conf"
test -r $IPSEC_CONFIG || {
echo "$IPSEC_CONFIG not existing";
if [ "$1" = "stop" ]; then exit 0; else exit 6; fi;
}
IPSEC_SECRET="/etc/ipsec.secrets"
test -r $IPSEC_SECRET || {
echo "$IPSEC_SECRET not existing";
if [ "$1" = "stop" ]; then exit 0; else exit 6; fi;
}
# Source LSB init functions
# providing start_daemon, killproc, pidofproc,
# log_success_msg, log_failure_msg and log_warning_msg.
# This is currently not used by UnitedLinux based distributions and
# not needed for init scripts for UnitedLinux only. If it is used,
# the functions from rc.status should not be sourced or used.
#. /lib/lsb/init-functions
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v be verbose in local rc status and clear it afterwards
# rc_status -v -r ditto and clear both the local and overall rc status
# rc_status -s display "skipped" and exit with status 3
# rc_status -u display "unused" and exit with status 3
# rc_failed set local and overall rc status to failed
# rc_failed <num> set local and overall rc status to <num>
# rc_reset clear both the local and overall rc status
# rc_exit exit appropriate to overall rc status
# rc_active checks whether a service is activated by symlinks
# Use the SUSE rc_ init script functions;
# emulate them on LSB, RH and other systems
# Default: Assume sysvinit binaries exist
start_daemon() { /sbin/start_daemon ${1+"$@"}; }
killproc() { /sbin/killproc ${1+"$@"}; }
pidofproc() { /sbin/pidofproc ${1+"$@"}; }
checkproc() { /sbin/checkproc ${1+"$@"}; }
if test -e /etc/rc.status; then
# SUSE rc script library
. /etc/rc.status
else
export LC_ALL=POSIX
_cmd=$1
declare -a _SMSG
if test "${_cmd}" = "status"; then
_SMSG=(running dead dead unused unknown reserved)
_RC_UNUSED=3
else
_SMSG=(done failed failed missed failed skipped unused failed failed reserved)
_RC_UNUSED=6
fi
if test -e /lib/lsb/init-functions; then
# LSB
. /lib/lsb/init-functions
echo_rc()
{
if test ${_RC_RV} = 0; then
log_success_msg " [${_SMSG[${_RC_RV}]}] "
else
log_failure_msg " [${_SMSG[${_RC_RV}]}] "
fi
}
# TODO: Add checking for lockfiles
checkproc() { pidofproc ${1+"$@"} >/dev/null 2>&1; }
elif test -e /etc/init.d/functions; then
# RHAT
. /etc/init.d/functions
echo_rc()
{
#echo -n " [${_SMSG[${_RC_RV}]}] "
if test ${_RC_RV} = 0; then
success " [${_SMSG[${_RC_RV}]}] "
else
failure " [${_SMSG[${_RC_RV}]}] "
fi
}
checkproc() { status ${1+"$@"}; }
start_daemon() { daemon ${1+"$@"}; }
else
# emulate it
echo_rc() { echo " [${_SMSG[${_RC_RV}]}] "; }
fi
rc_reset() { _RC_RV=0; }
rc_failed()
{
if test -z "$1"; then
_RC_RV=1;
elif test "$1" != "0"; then
_RC_RV=$1;
fi
return ${_RC_RV}
}
rc_check()
{
rc_failed $?
}
rc_status()
{
rc_failed $?
if test "$1" = "-r"; then _RC_RV=0; shift; fi
if test "$1" = "-s"; then rc_failed 5; echo_rc; rc_failed 3; shift; fi
if test "$1" = "-u"; then rc_failed ${_RC_UNUSED}; echo_rc; rc_failed 3; shift; fi
if test "$1" = "-v"; then echo_rc; shift; fi
if test "$1" = "-r"; then _RC_RV=0; shift; fi
return ${_RC_RV}
}
rc_exit() { exit ${_RC_RV}; }
rc_active()
{
local x
for x in /etc/rc.d/rc[0-9].d/S[0-9][0-9]${1} ; do
test -e $x && return 0 || break
done
return 1
}
fi
# Reset status of this service
rc_reset
# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - user had insufficient privileges
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
# 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signaling is not supported) are
# considered a success.
case "$1" in
start)
$IPSEC_CMD start 2>&1
rc_status -v1
;;
stop)
$IPSEC_CMD stop 2>&1
rc_status -v1
;;
try-restart|condrestart)
## Do a restart only if the service was active before.
## Note: try-restart is now part of LSB (as of 1.9).
## RH has a similar command named condrestart.
if test "$1" = "condrestart"; then
echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
fi
$0 status
if test $? = 0; then
$0 restart
else
rc_reset # Not running is not a failure.
fi
# Remember status and be quiet
rc_status
;;
restart)
## Stop the service and regardless of whether it was
## running or not, start it again.
$0 stop
sleep 2
$0 start
# Remember status and be quiet
rc_status
;;
reload|force-reload)
$IPSEC_CMD reload
rc_status -v1
;;
status)
# Return value is slightly different for the status command:
# 0 - service up and running
# 1 - service dead, but /var/run/ pid file exists
# 2 - service dead, but /var/lock/ lock file exists
# 3 - service not running (unused)
# 4 - service status unknown :-(
# 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
echo -n "Checking for service strongSwan IPsec "
#checkproc $IPSEC_STARTER
$IPSEC_CMD status 2>&1 >/dev/null
# NOTE: rc_status knows that we called this init script with
# "status" option and adapts its messages accordingly.
rc_status -v
;;
probe)
## Optional: Probe for the necessity of a reload, print out the
## argument to this init script which is required for a reload.
## Note: probe is not (yet) part of LSB (as of 1.9)
test $IPSEC_CONFIG -nt $IPSEC_PIDFILE || \
test $IPSEC_SECRET -nt $IPSEC_PIDFILE && echo reload
;;
*)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1
;;
esac
rc_exit

53
strongswan.keyring Normal file
View File

@ -0,0 +1,53 @@
pub 3072R/B34DBA77 2009-06-12
uid Andreas Steffen <andreas.steffen@strongswan.org>
sub 3072g/0E10E91A 2009-08-20
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.19 (GNU/Linux)
mQGNBEoycP0BDACzL8ymURD7gnaNbGx2VGieNQr/gNISWhqgHaeUxuSkrInxl89A
ClvN7DoF2cD7slEqIMQh/8t6xVzmh9teu5uyeV1eyG/CuFMUqawXqpn/sYa2SkgX
C/qHB2hIbFg2K4k5LJHxzqHb1OdtOcU6lHg9yrvYcoO+FTVR+rYaVgYbbbziTB/v
hAAzvdTdgwMgoQMSXA7FsJ0mALny4IeiCoi6S6qRVDm4zcu11UFT9g1VmhmeHqtU
SQso72bPKKhYvu7ZaQrLhkvY9inWr6m9dxV8Zgb1ivZGhzsNzrhGAsz9jmiB5POF
Mfph0hREMiS33ph/YMJducGQHYGEza9mKBdUaaAAEL3fCpde7vRa+c5Gc/Y5RUB7
iUsb2KQY+7xTiSUnCHbsMwhndG0dJspVXcz6X+2S3Ty4GaiqkvxI9KLiwiECNl0I
oLX5s/FIW6KW+GnxJTp/3h6vvqm8i0+yIwk+ETM4XfhHMwuPkDyf6km1ag3nIUw6
pSSfnQMPhj5rXIMAEQEAAbQwQW5kcmVhcyBTdGVmZmVuIDxhbmRyZWFzLnN0ZWZm
ZW5Ac3Ryb25nc3dhbi5vcmc+iQG3BBMBAgAhBQJKMnD9AhsDBwsJCAcDAgEEFQII
AwQWAgMBAh4BAheAAAoJEN9CwXCzTbp3t5AL/jrXnnGIHLn8M9rmyoeNe7JQUE5A
GSV3UFaZHgHmjbvIHA+dRvh1MPlHuWbaZkHVPtRFvFtEgksc944+XcKoNoExKGKr
wLQcUExUiQ0IyNwH70u7f1uFNcbY85Oue5ASzm+wAntnmIlNsN+MHewRWC6f6gYn
1aHwsvh09fz0A34v9wdtim2ek/Voxe3AIDIw2MTNmwF61pXEsrH0wqYnGhYLZ7Qb
thnDnHQaUd3IPSa6uAgOOiCoCbKCvP4u/iVm0rmXN9uzmm/i4Y0cE3DopGsqrR5D
fWYJjgP4KBCln0LgWtYI8pcYcmA5E+l+fijNcMidtzWHMW2Mj0oZZsO+wlRUYLGh
/jRASgq7rXuxV+oGKcBn4RqSHlZ5/BYlvowUxnNFC4tLLlneHidS8TurjacM3fwR
MP5NMmcS5d9sVLG1uxl+/g2cRMtphHiziz+79jDc+tSxqRO5lhqyItAD6LC2GxB3
iC5afnMx49+YWzhUTeL/KfkrD9w3/n7O00kLtLkDDQRKjOHDEAwAxdh8W7j/QhE3
KZNmJGsK/QtJ72zZRGRcdUPH6GG//GaAG5hSCjM8q+0MR/G+31uk32RbzRIj1sHQ
8fY0znxPmaeD1wow0hCbDTq+Ep3K8ouaqoqjlP4rd+I94OtxNfXgmllf7BDOZ6lI
wUY8ba8cFCPYsv8ZvRXo82XfwFYevQ9kTLqkJT52mMyPZLwYx4DNwuqFtQQEBLKg
IVXVgpK6SE72MFP8vyFsdrL0ORgxoWI6PIHbnIRY1KiWUzOSrqirZUHH9MPuzFuB
R0+jEAajeKoxycn0ILLM5PBAEFXFgBdtNNCtshe1fR5aPsXcGZsZRjc7mbAHLRqa
pVhk7oX31WrGqGHkSM/GAnf3aAzsnCkO5+Tje2iyuoG5OhQbHsvMBOtdvQrwnorl
56EguzuK1mGDsczNsuAYRcKiasCWpsjoytDH+dGEQmKXydD9r06cxPx+mWmWKLo4
w+k4mMC0lFRYKi83cwTpaMpHOeW4+3d1tJfkCQy+vjUz4aZJ/WSXAAMFDACqmeXA
Al7WssHkjVZ/vwQfHLHNMZsGEEucvV7KNqMF4Fe6nRbbE6GJOuz6taeFkJIppBqV
xhSNOsf5soOXfGp0IgYoC37GPI6AAb4UnG5GVcaAMQAXUYcwfDGGuV/EO5pPrEyP
jy++GvjhxcKV3HmUuAfcgyhTGhDOVPxU28Roz3+8Eig085v+lyqAsgFduBrf+ZV+
lHjIOSXSWmTiT8EVSA3fpN14/qhltudhdGIZ/pCW303H9Bd9c4Uc9OzYhRr1VpO6
lpYfTFNey8KQL4z9Kjt0RPscz2hYDOJ1cTFWs/4Z+9mBJODwrnIiORLlgV2NlP5E
ZY4MccVFd9K7E/OPQdt3Uv6+6BjYRntY7wsX617T5Rmj8n6AhbpngmWg2D6wRfm7
TyI0Wtz5icCoJIEHQwB/3EhBzQl7tBc0cClwCYm7nTYRt+SL2tfylWy9Leail+ay
M6zwMW0klV42E4u8DCy/aJrwmEiVwuwGbXL6z46M9EZguof38MTEmLsHls+JAZ8E
GAECAAkFAkqM4cMCGwwACgkQ30LBcLNNunffBgv/b/v3eQoZTWgOB5MnXhIrg/Ki
kYTYbnEG9wWM7XIST8bpP7f/UKyD44CCVJH7SVTGAXeyjglnuYXy4FwaTdFmm6al
W0sCp4rnmADi5BLLzQlCUa5J0iZ+oAZnAH60BezUM+CYz/QBW3NJmP3323PeM4H4
MZ0vLv3wgaLkFlaK/eASBoC7KuZWAnvsNOdLQ29L4BYgW2Jwk1+PxszjT369DsMU
Y3iY6gM9rM71Ajd8x98hd1r26LILGntAEEXxs+13Kka7J4GCqf8/J9ZR01dDp8QM
+M9EHFLnthpAyUuSXm5Qlglavnf7tU6AA0SFuA0pP5CXVLG1DLT1fJvNOqjdzPsf
u/48AM2Lpxj0gKt1yDQc890GxwnOL1iZ6+XMh9/ujWy7Q7dI4M2mthwYFXldWrPS
CmMToWfl62BxPdY5FIECXeRwTIO9sI0LQVc2eAG8lDsge05q1nJFxo9WKr7ewAdF
b/fMIr7XMwoMj2SQSy/tZVCBnDXR5Gw5HSxRnIAS
=ze82
-----END PGP PUBLIC KEY BLOCK-----

893
strongswan.spec Normal file
View File

@ -0,0 +1,893 @@
#
# spec file for package strongswan
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define strongswan_docdir %{_docdir}/%{name}
%define strongswan_libdir %{_libdir}/ipsec
%define strongswan_configs %{_sysconfdir}/strongswan.d
%define strongswan_datadir %{_datadir}/strongswan
%define strongswan_plugins %{strongswan_libdir}/plugins
%define strongswan_templates %{strongswan_datadir}/templates
%if 0%{?suse_version} < 1600
%bcond_without stroke
%else
%bcond_with stroke
%endif
%bcond_with tests
%bcond_without fipscheck
%ifarch %{ix86} ppc64le
%bcond_without integrity
%else
%bcond_with integrity
%endif
%bcond_without farp
%bcond_without afalg
%bcond_without mysql
%bcond_without sqlite
%bcond_without gcrypt
%bcond_without nm
%bcond_without systemd
Name: strongswan
Version: 6.0.0
Release: 0
Summary: IPsec-based VPN solution
License: GPL-2.0-or-later
Group: Productivity/Networking/Security
URL: https://www.strongswan.org/
Source0: http://download.strongswan.org/strongswan-%version.tar.bz2
Source1: http://download.strongswan.org/strongswan-%version.tar.bz2.sig
Source2: %{name}.init.in
Source3: %{name}-rpmlintrc
Source4: README.SUSE
Source5: %{name}.keyring
Source7: fips-enforce.conf
Patch2: %{name}_ipsec_service.patch
Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
Patch6: harden_strongswan.service.patch
Patch7: init.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bison
BuildRequires: curl-devel
BuildRequires: flex
BuildRequires: gmp-devel
BuildRequires: gperf
BuildRequires: iptables
BuildRequires: libcap-devel
BuildRequires: libopenssl-devel
BuildRequires: libtool
BuildRequires: openldap2-devel
BuildRequires: pam-devel
BuildRequires: pcsc-lite-devel
BuildRequires: pkg-config
BuildRequires: pkgconfig(libsoup-2.4)
BuildRequires: pkgconfig(libsystemd)
%if %{with mysql}
BuildRequires: libmysqlclient-devel
%endif
%if %{with sqlite}
BuildRequires: pkgconfig(sqlite3)
%endif
%if %{with gcrypt}
BuildRequires: pkgconfig(libgcrypt)
%endif
%if %{with nm}
BuildRequires: pkgconfig(libnm)
%endif
Obsoletes: strongswan-libs0 < %version-%release
Provides: strongswan-libs0 = %version-%release
%{?systemd_requires}
%{!?_rundir: %global _rundir /run}
%{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d}
%description
StrongSwan is an IPsec-based VPN solution for Linux.
* IKEv1 and IKEv2 (RFC 4306, 9370) key exchange protocol support
* Support of IPv6 IPsec tunnel and transport connections
* Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555)
* Automatic insertion and deletion of IPsec-policy-based firewall rules
* 128/192/256-bit AES encryption
* NAT Traversal via UDP encapsulation and port floating (RFC 3947)
* Dead Peer Detection (DPD, RFC 3706) to detect dangling tunnels
* XAUTH server and client functionality on top of IKEv1 Main Mode authentication
* Virtual IP address pool managed by IKE daemon or SQL database
* IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
* Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
* Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
* Authentication based on X.509 certificates or preshared keys
* Generation of a default self-signed certificate during first strongSwan startup
* Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
* Full support of the Online Certificate Status Protocol (OCSP, RCF 2560).
* CA management (OCSP and CRL URIs, default LDAP server)
* IPsec policies based on wildcards or intermediate CAs
* Group policies based on X.509 attribute certificates (RFC 3281)
* Storage of RSA private keys and certificates on a smartcard (PKCS#11 interface)
* Modular plugins for crypto algorithms and relational database interfaces
* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
* Linux desktop integration via the strongSwan NetworkManager applet
This package triggers the installation of both, IKEv1 and IKEv2 daemons.
%package doc
Summary: Documentation for strongSwan
Group: Documentation/Man
BuildArch: noarch
%description doc
StrongSwan is an IPsec-based VPN solution for Linux.
This package provides the StrongSwan documentation.
%package fips
Summary: Config file to disable non FIPS-140-2 algos in strongSwan
Group: Productivity/Networking/Security
Requires: strongswan = %version
Provides: strongswan-hmac = %{version}-%{release}
Obsoletes: strongswan-hmac < %{version}-%{release}
%description fips
The package provides a config file disabling alternative algorithm
implementation when FIPS-140-2 compliant operation mode is enabled.
%package ipsec
Summary: Old-style "ipsec" interface (stroke/starter) for strongSwan
Group: Productivity/Networking/Security
Requires: strongswan = %version
Provides: VPN
Provides: ipsec
Conflicts: freeswan
Conflicts: openswan
%description ipsec
StrongSwan is an IPsec-based VPN solution for Linux.
This package provides an ipsec(8) command-line interface and
configuration mechanism (/etc/ipsec.conf, ipsec.secrets).
Old-style ipsec(8) management of strongSwan is deprecated since
version 5.2.0.
%package mysql
Summary: MySQL plugin for strongSwan
Group: Productivity/Networking/Security
Requires: strongswan = %version
%description mysql
StrongSwan is an IPsec-based VPN solution for Linux.
This package provides the strongswan mysql plugin.
%package sqlite
Summary: SQLite plugin for strongSwan
Group: Productivity/Networking/Security
Requires: strongswan = %version
%description sqlite
StrongSwan is an IPsec-based VPN solution for Linux.
This package provides the strongswan sqlite plugin.
%package nm
Summary: NetworkManager plugin for strongSwan
Group: Productivity/Networking/Security
Requires: strongswan = %version
%description nm
StrongSwan is an IPsec-based VPN solution for Linux.
This package provides the NetworkManager plugin to control the
charon IKEv2 daemon through D-Bus, designed to work using the
NetworkManager-strongswan graphical user interface.
%package tests
Summary: Testing plugins for strongSwan
Group: Productivity/Networking/Security
Requires: strongswan = %version
%description tests
StrongSwan is an IPsec-based VPN solution for Linux.
This package provides the strongswan crypto test vectors plugin
and the load testing plugin for IKEv2 daemon.
%prep
%autosetup -p1
sed -e 's|@libexecdir@|%_libexecdir|g' \
< %{_sourcedir}/strongswan.init.in \
> strongswan.init
%build
autoreconf --force --install
%configure \
CFLAGS="%optflags -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter" \
%if %{with integrity}
--enable-integrity-test \
%endif
--with-capabilities=libcap \
--with-plugindir=%{strongswan_plugins} \
--with-resolv-conf=%{_rundir}/%{name}/resolv.conf \
--with-piddir=%{_rundir}/%{name} \
--enable-systemd \
--with-systemdsystemunitdir=%{_unitdir} \
--enable-pkcs11 \
--enable-openssl \
--enable-agent \
%if %{with gcrypt}
--enable-gcrypt \
%else
--disable-gcrypt \
%endif
--enable-blowfish \
--enable-ctr \
--enable-ccm \
--enable-gcm \
--enable-unity \
--enable-md4 \
%if %{with afalg}
--enable-af-alg \
%endif
--enable-eap-sim \
--enable-eap-sim-file \
--enable-eap-sim-pcsc \
--enable-eap-aka \
--enable-eap-aka-3gpp2 \
--enable-eap-simaka-sql \
--enable-eap-simaka-pseudonym \
--enable-eap-simaka-reauth \
--enable-eap-identity \
--enable-eap-md5 \
--enable-eap-gtc \
--enable-eap-mschapv2 \
--enable-eap-tls \
--enable-eap-ttls \
--enable-eap-peap \
--enable-eap-tnc \
--enable-eap-dynamic \
--enable-eap-radius \
--enable-xauth-eap \
--enable-xauth-pam \
--enable-tnc-pdp \
--enable-tnc-imc \
--enable-tnc-imv \
--enable-tnccs-11 \
--enable-tnccs-20 \
--enable-tnccs-dynamic \
--enable-imc-test \
--enable-imv-test \
--enable-imc-scanner \
--enable-imv-scanner \
--enable-ha \
--enable-dhcp \
%if %{with farp}
--enable-farp \
%endif
--enable-smp \
--enable-sql \
--enable-attr-sql \
--enable-addrblock \
--enable-radattr \
--enable-mediation \
--enable-led \
--enable-certexpire \
--enable-duplicheck \
--enable-coupling \
%if %{with mysql}
--enable-mysql \
%endif
%if %{with sqlite}
--enable-sqlite \
%endif
%if %{with nm}
--enable-nm \
%else
--disable-nm \
%endif
%if %{with stroke}
--enable-stroke \
%endif
%if %{with tests}
--enable-conftest \
--enable-load-tester \
--enable-test-vectors \
%endif
--enable-ldap \
--enable-soup \
--enable-curl \
--enable-bypass-lan \
--disable-static
%make_build
%install
install -d -m755 %{buildroot}/%{_sbindir}/
install -d -m755 %{buildroot}/%{_sysconfdir}/ipsec.d/
#
# Ensure, plugin -> library dependencies can be resolved
# (e.g. libtls) to avoid plugin segment checksum errors.
#
LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
%make_install
#
# checksums are calculated during make install using the
# installed binaries/libraries... but find-debuginfo.sh
# extracts debuginfo/debugsource breaking file checksums.
# let find-debuginfo.sh run on a build root copy and then
# calculate the checksums.
#
%if %{with integrity}
%{?__debug_package:
if test -x %{_rpmconfigdir}/find-debuginfo.sh ; then
cp -a "%{buildroot}" "%{buildroot}-$$"
RPM_BUILD_ROOT="%{buildroot}-$$" \
%{_rpmconfigdir}/find-debuginfo.sh \
%{?_find_debuginfo_opts} "%{buildroot}-$$"
make -C src/checksum clean
rm -f src/checksum/checksum_builder
LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
make -C src/checksum install DESTDIR="%{buildroot}-$$"
mv "%{buildroot}-$$/%{strongswan_libdir}/libchecksum.so" \
"%{buildroot}/%{strongswan_libdir}/libchecksum.so"
rm -rf "%{buildroot}-$$"
fi
}
%endif
#
%if %{with stroke}
cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets
#
# ipsec.secrets
#
# This file holds the RSA private keys or the PSK preshared secrets for
# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
#
EOT
#
%endif
%if ! %{with mysql}
rm -f %{buildroot}/%{strongswan_templates}/database/sql/mysql.sql
%endif
%if ! %{with sqlite}
rm -f %{buildroot}/%{strongswan_templates}/database/sql/sqlite.sql
%endif
rm -f %{buildroot}/%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
rm -f %{buildroot}/%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
find %{buildroot}/%{strongswan_libdir} -type f -name "*.la" -delete
install -d -m755 %{buildroot}/%{strongswan_docdir}/
install -c -m644 TODO NEWS README COPYING LICENSE \
AUTHORS ChangeLog \
%{buildroot}/%{strongswan_docdir}/
install -c -m644 %{_sourcedir}/README.SUSE \
%{buildroot}/%{strongswan_docdir}/
install -d -m 0755 %{buildroot}%{_tmpfilesdir}
echo 'd %{_rundir}/%{name} 0770 root root' > %{buildroot}%{_tmpfilesdir}/%{name}.conf
%if %{with fipscheck}
install -c -m644 %{_sourcedir}/fips-enforce.conf \
%{buildroot}/%{strongswan_configs}/charon/zzz_fips-enforce.conf
# disable bypass-lan plugin by default
sed -i 's/\(load[ ]*=[ ]*\)yes/\1no/g' %{buildroot}/%{strongswan_configs}/charon/bypass-lan.conf
%endif
%post
/sbin/ldconfig
%{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/%{name}.conf}
%{!?tmpfiles_create:test -d %{_rundir}/%{name} || mkdir -p %{_rundir}/%{name}}
%postun -p /sbin/ldconfig
%post ipsec
%service_add_post %{name}-starter.service
# Following code does the migration from strongwan.service (ver < 5.8.0) to
# strongswan-starter.service (ver >= 5.8.0) during update. The systemd service
# units have been renamed. The modern unit, which was called strongswan-swanctl,
# is now called strongswan (the previous name is configured as alias in the unit,
# for which a symlink is created when the unit is enabled). The legacy unit is now
# called strongswan-starter.
_ipsec_active=$(/usr/bin/systemctl is-active %{name}-starter.service 2>/dev/null) || :
_swanctl_active=$(/usr/bin/systemctl is-active %{name}.service 2>/dev/null) || :
_ipsec_enable=$(/usr/bin/systemctl is-enabled %{name}-starter.service 2>/dev/null) || :
_swanctl_enable=$(/usr/bin/systemctl is-enabled %{name}.service 2>/dev/null) || :
if [ "$_swanctl_enable" = "enabled" ] || [ "$_swanctl_active" = "active" ]; then
/usr/bin/systemctl disable --now %{name}.service || :
/usr/bin/systemctl mask %{name}.service || :
fi
if [ "$_swanctl_enable" = "enabled" ] || [ "$_ipsec_enable" = "enabled" ]; then
/usr/bin/systemctl daemon-reload
/usr/bin/systemctl enable %{name}-starter.service || :
fi
if [ "$_swanctl_active" = "active" ] || [ "$_ipsec_active" = "active" ]; then
/usr/bin/systemctl start %{name}-starter.service || :
fi
%preun ipsec
%service_del_preun %{name}-starter.service
if test -s %{_sysconfdir}/ipsec.secrets.rpmsave ; then
cp -p --backup=numbered %{_sysconfdir}/ipsec.secrets.rpmsave \
%{_sysconfdir}/ipsec.secrets.rpmsave.old
fi
if test -s %{_sysconfdir}/ipsec.conf.rpmsave ; then
cp -p --backup=numbered %{_sysconfdir}/ipsec.conf.rpmsave \
%{_sysconfdir}/ipsec.conf.rpmsave.old
fi
%postun ipsec
%service_del_postun %{name}-starter.service
%if %{with fipscheck}
%files fips
%dir %{strongswan_configs}
%dir %{strongswan_configs}/charon
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/zzz_fips-enforce.conf
%endif
%files
%dir %{strongswan_docdir}
%{strongswan_docdir}/README.SUSE
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/swanctl/swanctl.conf
%dir %{_sysconfdir}/swanctl
%{_unitdir}/strongswan.service
%{_sbindir}/charon-systemd
%{_bindir}/pki
%{_bindir}/pt-tls-client
%{_bindir}/tpm_extendpcr
%{_sbindir}/swanctl
%{_mandir}/man1/pki*.1*
%{_mandir}/man1/pt-tls-client.1*
%{_mandir}/man5/strongswan.conf.5*
%dir %{_libexecdir}/ipsec
%{_libexecdir}/ipsec/_updown
%if %{with test}
%{_libexecdir}/ipsec/conftest
%endif
%{_libexecdir}/ipsec/xfrmi
%{_libexecdir}/ipsec/duplicheck
%{_libexecdir}/ipsec/pool
%{_libexecdir}/ipsec/charon
%{_libexecdir}/ipsec/_imv_policy
%{_libexecdir}/ipsec/imv_policy_manager
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-drbg.so
%{strongswan_plugins}/libstrongswan-updown.so
%_mandir/man5/swanctl.conf.5.*
%_mandir/man8/swanctl.8.*
%{_tmpfilesdir}/%{name}.conf
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf
%dir %{strongswan_configs}
%dir %{strongswan_configs}/charon
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-systemd.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon-logging.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pool.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/tnc.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/counters.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/drbg.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf
%if %{with afalg}
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/af-alg.conf
%endif
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/agent.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/attr.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/attr-sql.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/blowfish.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ccm.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/certexpire.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/cmac.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/constraints.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/coupling.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ctr.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curl.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/dhcp.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/dnskey.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/duplicheck.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-aka-3gpp2.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-aka.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-dynamic.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-gtc.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-identity.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-md5.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-mschapv2.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-peap.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-radius.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-simaka-pseudonym.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-simaka-reauth.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-simaka-sql.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-sim.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-sim-file.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-sim-pcsc.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-tls.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-tnc.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-ttls.conf
%if %{with farp}
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/farp.conf
%endif
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/fips-prf.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gcm.conf
%if %{with gcrypt}
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gcrypt.conf
%endif
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gmp.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ha.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kdf.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kernel-netlink.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ldap.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mgf1.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pgp.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs11.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs1.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs7.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs8.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pubkey.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/radattr.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/random.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/resolve.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/revocation.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/smp.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/socket-default.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/soup.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sql.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sshkey.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-11.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-20.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-dynamic.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-imc.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-imv.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-pdp.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnc-tnccs.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/unity.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/updown.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/x509.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xauth-eap.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xauth-generic.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xauth-pam.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xcbc.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/bypass-lan.conf
%dir %{strongswan_libdir}
%if %{with integrity}
%{strongswan_libdir}/libchecksum.so
%endif
%{strongswan_libdir}/libcharon.so.*
%{strongswan_libdir}/libtpmtss.so.*
%{strongswan_libdir}/libtpmtss.so
%{strongswan_libdir}/libvici.so
%{strongswan_libdir}/libvici.so.*
%{strongswan_libdir}/libpttls.so.*
%{strongswan_libdir}/libradius.so.*
%{strongswan_libdir}/libsimaka.so.*
%{strongswan_libdir}/libstrongswan.so.*
%{strongswan_libdir}/libtls.so.*
%{strongswan_libdir}/libtnccs.so.*
%{strongswan_libdir}/libimcv.so.*
%dir %{strongswan_libdir}/imcvs
%{strongswan_libdir}/imcvs/imc-scanner.so
%{strongswan_libdir}/imcvs/imc-test.so
%{strongswan_libdir}/imcvs/imv-scanner.so
%{strongswan_libdir}/imcvs/imv-test.so
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-addrblock.so
%if %{with afalg}
%{strongswan_plugins}/libstrongswan-af-alg.so
%endif
%{strongswan_plugins}/libstrongswan-agent.so
%{strongswan_plugins}/libstrongswan-attr.so
%{strongswan_plugins}/libstrongswan-attr-sql.so
%{strongswan_plugins}/libstrongswan-blowfish.so
%{strongswan_plugins}/libstrongswan-ccm.so
%{strongswan_plugins}/libstrongswan-certexpire.so
%{strongswan_plugins}/libstrongswan-cmac.so
%{strongswan_plugins}/libstrongswan-counters.so
%{strongswan_plugins}/libstrongswan-constraints.so
%{strongswan_plugins}/libstrongswan-coupling.so
%{strongswan_plugins}/libstrongswan-ctr.so
%{strongswan_plugins}/libstrongswan-curl.so
%{strongswan_plugins}/libstrongswan-dhcp.so
%{strongswan_plugins}/libstrongswan-dnskey.so
%{strongswan_plugins}/libstrongswan-duplicheck.so
%{strongswan_plugins}/libstrongswan-eap-aka-3gpp2.so
%{strongswan_plugins}/libstrongswan-eap-aka.so
%{strongswan_plugins}/libstrongswan-eap-dynamic.so
%{strongswan_plugins}/libstrongswan-eap-gtc.so
%{strongswan_plugins}/libstrongswan-eap-identity.so
%{strongswan_plugins}/libstrongswan-eap-md5.so
%{strongswan_plugins}/libstrongswan-eap-mschapv2.so
%{strongswan_plugins}/libstrongswan-eap-peap.so
%{strongswan_plugins}/libstrongswan-eap-radius.so
%{strongswan_plugins}/libstrongswan-eap-sim-file.so
%{strongswan_plugins}/libstrongswan-eap-sim-pcsc.so
%{strongswan_plugins}/libstrongswan-eap-sim.so
%{strongswan_plugins}/libstrongswan-eap-simaka-pseudonym.so
%{strongswan_plugins}/libstrongswan-eap-simaka-reauth.so
%{strongswan_plugins}/libstrongswan-eap-simaka-sql.so
%{strongswan_plugins}/libstrongswan-eap-tls.so
%{strongswan_plugins}/libstrongswan-eap-tnc.so
%{strongswan_plugins}/libstrongswan-eap-ttls.so
%if %{with farp}
%{strongswan_plugins}/libstrongswan-farp.so
%endif
%{strongswan_plugins}/libstrongswan-fips-prf.so
%{strongswan_plugins}/libstrongswan-gcm.so
%if %{with gcrypt}
%{strongswan_plugins}/libstrongswan-gcrypt.so
%endif
%{strongswan_plugins}/libstrongswan-gmp.so
%{strongswan_plugins}/libstrongswan-ha.so
%{strongswan_plugins}/libstrongswan-kdf.so
%{strongswan_plugins}/libstrongswan-kernel-netlink.so
%{strongswan_plugins}/libstrongswan-ldap.so
%{strongswan_plugins}/libstrongswan-led.so
%{strongswan_plugins}/libstrongswan-md4.so
%{strongswan_plugins}/libstrongswan-mgf1.so
%{strongswan_plugins}/libstrongswan-nonce.so
%{strongswan_plugins}/libstrongswan-openssl.so
%{strongswan_plugins}/libstrongswan-pem.so
%{strongswan_plugins}/libstrongswan-pgp.so
%{strongswan_plugins}/libstrongswan-pkcs1.so
%{strongswan_plugins}/libstrongswan-pkcs11.so
%{strongswan_plugins}/libstrongswan-pkcs7.so
%{strongswan_plugins}/libstrongswan-pkcs8.so
%{strongswan_plugins}/libstrongswan-pubkey.so
%{strongswan_plugins}/libstrongswan-radattr.so
%{strongswan_plugins}/libstrongswan-random.so
%{strongswan_plugins}/libstrongswan-resolve.so
%{strongswan_plugins}/libstrongswan-revocation.so
%{strongswan_plugins}/libstrongswan-smp.so
%{strongswan_plugins}/libstrongswan-socket-default.so
%{strongswan_plugins}/libstrongswan-soup.so
%{strongswan_plugins}/libstrongswan-sql.so
%{strongswan_plugins}/libstrongswan-sshkey.so
%{strongswan_plugins}/libstrongswan-tnc-imc.so
%{strongswan_plugins}/libstrongswan-tnc-imv.so
%{strongswan_plugins}/libstrongswan-tnc-pdp.so
%{strongswan_plugins}/libstrongswan-tnc-tnccs.so
%{strongswan_plugins}/libstrongswan-tnccs-11.so
%{strongswan_plugins}/libstrongswan-tnccs-20.so
%{strongswan_plugins}/libstrongswan-tnccs-dynamic.so
%{strongswan_plugins}/libstrongswan-unity.so
%{strongswan_plugins}/libstrongswan-x509.so
%{strongswan_plugins}/libstrongswan-xauth-eap.so
%{strongswan_plugins}/libstrongswan-xauth-generic.so
%{strongswan_plugins}/libstrongswan-xauth-pam.so
%{strongswan_plugins}/libstrongswan-xcbc.so
%{strongswan_plugins}/libstrongswan-vici.so
%{strongswan_plugins}/libstrongswan-bypass-lan.so
%dir %{strongswan_datadir}
%dir %{strongswan_templates}
%dir %{strongswan_templates}/config
%dir %{strongswan_templates}/config/plugins
%dir %{strongswan_templates}/config/strongswan.d
%dir %{strongswan_templates}/database
%dir %{strongswan_templates}/database/imv
%dir %{strongswan_templates}/database/sql
%{strongswan_templates}/config/strongswan.conf
%{strongswan_templates}/config/plugins/addrblock.conf
%if %{with afalg}
%{strongswan_templates}/config/plugins/af-alg.conf
%endif
%{strongswan_templates}/config/plugins/agent.conf
%{strongswan_templates}/config/plugins/attr-sql.conf
%{strongswan_templates}/config/plugins/attr.conf
%{strongswan_templates}/config/plugins/blowfish.conf
%{strongswan_templates}/config/plugins/ccm.conf
%{strongswan_templates}/config/plugins/certexpire.conf
%{strongswan_templates}/config/plugins/cmac.conf
%{strongswan_templates}/config/plugins/counters.conf
%{strongswan_templates}/config/plugins/constraints.conf
%{strongswan_templates}/config/plugins/coupling.conf
%{strongswan_templates}/config/plugins/ctr.conf
%{strongswan_templates}/config/plugins/curl.conf
%{strongswan_templates}/config/plugins/dhcp.conf
%{strongswan_templates}/config/plugins/dnskey.conf
%{strongswan_templates}/config/plugins/drbg.conf
%{strongswan_templates}/config/plugins/duplicheck.conf
%{strongswan_templates}/config/plugins/eap-aka-3gpp2.conf
%{strongswan_templates}/config/plugins/eap-aka.conf
%{strongswan_templates}/config/plugins/eap-dynamic.conf
%{strongswan_templates}/config/plugins/eap-gtc.conf
%{strongswan_templates}/config/plugins/eap-identity.conf
%{strongswan_templates}/config/plugins/eap-md5.conf
%{strongswan_templates}/config/plugins/eap-mschapv2.conf
%{strongswan_templates}/config/plugins/eap-peap.conf
%{strongswan_templates}/config/plugins/eap-radius.conf
%{strongswan_templates}/config/plugins/eap-sim-file.conf
%{strongswan_templates}/config/plugins/eap-sim-pcsc.conf
%{strongswan_templates}/config/plugins/eap-sim.conf
%{strongswan_templates}/config/plugins/eap-simaka-pseudonym.conf
%{strongswan_templates}/config/plugins/eap-simaka-reauth.conf
%{strongswan_templates}/config/plugins/eap-simaka-sql.conf
%{strongswan_templates}/config/plugins/eap-tls.conf
%{strongswan_templates}/config/plugins/eap-tnc.conf
%{strongswan_templates}/config/plugins/eap-ttls.conf
%if %{with farp}
%{strongswan_templates}/config/plugins/farp.conf
%endif
%{strongswan_templates}/config/plugins/fips-prf.conf
%{strongswan_templates}/config/plugins/gcm.conf
%if %{with gcrypt}
%{strongswan_templates}/config/plugins/gcrypt.conf
%endif
%{strongswan_templates}/config/plugins/gmp.conf
%{strongswan_templates}/config/plugins/ha.conf
%{strongswan_templates}/config/plugins/kdf.conf
%{strongswan_templates}/config/plugins/kernel-netlink.conf
%{strongswan_templates}/config/plugins/ldap.conf
%{strongswan_templates}/config/plugins/led.conf
%{strongswan_templates}/config/plugins/md4.conf
%{strongswan_templates}/config/plugins/mgf1.conf
%{strongswan_templates}/config/plugins/nonce.conf
%{strongswan_templates}/config/plugins/openssl.conf
%{strongswan_templates}/config/plugins/pem.conf
%{strongswan_templates}/config/plugins/pgp.conf
%{strongswan_templates}/config/plugins/pkcs1.conf
%{strongswan_templates}/config/plugins/pkcs11.conf
%{strongswan_templates}/config/plugins/pkcs7.conf
%{strongswan_templates}/config/plugins/pkcs8.conf
%{strongswan_templates}/config/plugins/pubkey.conf
%{strongswan_templates}/config/plugins/radattr.conf
%{strongswan_templates}/config/plugins/random.conf
%{strongswan_templates}/config/plugins/resolve.conf
%{strongswan_templates}/config/plugins/revocation.conf
%{strongswan_templates}/config/plugins/smp.conf
%{strongswan_templates}/config/plugins/socket-default.conf
%{strongswan_templates}/config/plugins/soup.conf
%{strongswan_templates}/config/plugins/sql.conf
%{strongswan_templates}/config/plugins/sshkey.conf
%{strongswan_templates}/config/plugins/tnc-imc.conf
%{strongswan_templates}/config/plugins/tnc-imv.conf
%{strongswan_templates}/config/plugins/tnc-pdp.conf
%{strongswan_templates}/config/plugins/tnc-tnccs.conf
%{strongswan_templates}/config/plugins/tnccs-11.conf
%{strongswan_templates}/config/plugins/tnccs-20.conf
%{strongswan_templates}/config/plugins/tnccs-dynamic.conf
%{strongswan_templates}/config/plugins/unity.conf
%{strongswan_templates}/config/plugins/updown.conf
%{strongswan_templates}/config/plugins/x509.conf
%{strongswan_templates}/config/plugins/xauth-eap.conf
%{strongswan_templates}/config/plugins/xauth-generic.conf
%{strongswan_templates}/config/plugins/xauth-pam.conf
%{strongswan_templates}/config/plugins/xcbc.conf
%{strongswan_templates}/config/plugins/vici.conf
%{strongswan_templates}/config/plugins/bypass-lan.conf
%{strongswan_templates}/config/strongswan.d/charon-systemd.conf
%{strongswan_templates}/config/strongswan.d/charon-logging.conf
%{strongswan_templates}/config/strongswan.d/charon.conf
%{strongswan_templates}/config/strongswan.d/imcv.conf
%{strongswan_templates}/config/strongswan.d/pki.conf
%{strongswan_templates}/config/strongswan.d/pool.conf
%{strongswan_templates}/config/strongswan.d/tnc.conf
%{strongswan_templates}/config/strongswan.d/swanctl.conf
%{strongswan_templates}/database/imv/data.sql
%{strongswan_templates}/database/imv/tables.sql
%if %{with nm}
%files nm
%dir %{_libexecdir}/ipsec
%dir %{strongswan_plugins}
%{_libexecdir}/ipsec/charon-nm
%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
%endif
%if %{with mysql}
%files mysql
%dir %{strongswan_libdir}
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-mysql.so
%dir %{strongswan_configs}
%dir %{strongswan_configs}/charon
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mysql.conf
%dir %{strongswan_datadir}
%dir %{strongswan_templates}
%dir %{strongswan_templates}/config
%dir %{strongswan_templates}/config/plugins
%dir %{strongswan_templates}/database
%dir %{strongswan_templates}/database/sql
%{strongswan_templates}/config/plugins/mysql.conf
%{strongswan_templates}/database/imv/tables-mysql.sql
%{strongswan_templates}/database/sql/mysql.sql
%endif
%if %{with sqlite}
%files sqlite
%dir %{strongswan_libdir}
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-sqlite.so
%dir %{strongswan_configs}
%dir %{strongswan_configs}/charon
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sqlite.conf
%dir %{strongswan_datadir}
%dir %{strongswan_templates}
%dir %{strongswan_templates}/config
%dir %{strongswan_templates}/config/plugins
%dir %{strongswan_templates}/database
%dir %{strongswan_templates}/database/sql
%{strongswan_templates}/config/plugins/sqlite.conf
%{strongswan_templates}/database/sql/sqlite.sql
%endif
%if %{with tests}
%files tests
%dir %{strongswan_configs}
%dir %{strongswan_configs}/charon
%{strongswan_configs}/charon/load-tester.conf
%{strongswan_configs}/charon/test-vectors.conf
%dir %{strongswan_templates}
%dir %{strongswan_templates}/config
%dir %{strongswan_templates}/config/plugins
%{strongswan_templates}/config/plugins/load-tester.conf
%{strongswan_templates}/config/plugins/test-vectors.conf
%dir %{_libexecdir}/ipsec
%{_libexecdir}/ipsec/conftest
%{_libexecdir}/ipsec/load-tester
%dir %{strongswan_libdir}
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-load-tester.so
%{strongswan_plugins}/libstrongswan-test-vectors.so
%endif
%if %{with stroke}
%files ipsec
%config(noreplace) %attr(600,root,root) %_sysconfdir/ipsec.conf
%config(noreplace) %attr(600,root,root) %_sysconfdir/ipsec.secrets
%dir %_sysconfdir/ipsec.d
%dir %_sysconfdir/ipsec.d/crls
%dir %_sysconfdir/ipsec.d/reqs
%dir %_sysconfdir/ipsec.d/certs
%dir %_sysconfdir/ipsec.d/acerts
%dir %_sysconfdir/ipsec.d/aacerts
%dir %_sysconfdir/ipsec.d/cacerts
%dir %_sysconfdir/ipsec.d/ocspcerts
%dir %attr(700,root,root) %_sysconfdir/ipsec.d/private
%_sbindir/ipsec
%_mandir/man8/ipsec.8*
%_mandir/man5/ipsec.conf.5*
%_mandir/man5/ipsec.secrets.5*
%dir %_libexecdir/ipsec/
%_libexecdir/ipsec/starter
%_libexecdir/ipsec/stroke
%_unitdir/strongswan-starter.service
%dir %strongswan_plugins/
%strongswan_plugins/libstrongswan-stroke.so
%dir %strongswan_configs/
%dir %strongswan_configs/charon/
%config(noreplace) %attr(600,root,root) %strongswan_configs/starter.conf
%config(noreplace) %attr(600,root,root) %strongswan_configs/charon/stroke.conf
%dir %strongswan_templates/
%dir %strongswan_templates/config/
%dir %strongswan_templates/config/plugins/
%strongswan_templates/config/plugins/stroke.conf
%dir %strongswan_templates/config/strongswan.d/
%strongswan_templates/config/strongswan.d/starter.conf
%endif
%files doc
%dir %strongswan_docdir
%strongswan_docdir/TODO
%strongswan_docdir/NEWS
%strongswan_docdir/README
%strongswan_docdir/COPYING
%strongswan_docdir/LICENSE
%strongswan_docdir/AUTHORS
%strongswan_docdir/ChangeLog
%changelog

9
strongswan_ipsec_service.patch Normal file
View File

@ -0,0 +1,9 @@
Index: strongswan-5.6.2/init/systemd/strongswan.service.in
===================================================================
--- strongswan-5.6.2.orig/init/systemd-starter/strongswan-starter.service.in 2017-02-07 08:04:04.000000000 +0100
+++ strongswan-5.6.2/init/systemd-starter/strongswan-starter.service.in 2018-04-17 16:53:57.546334751 +0200
@@ -9,3 +9,4 @@ Restart=on-abnormal
[Install]
WantedBy=multi-user.target
+Alias=ipsec.service