Accepting request 81608 from network:vpn

update to 4.5.3

OBS-URL: https://build.opensuse.org/request/show/81608
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=33

_service

@@ -1,3 +1,3 @@
 <services>
-  <service name="download_url"><param name="path">/strongswan-4.5.2.tar.bz2.sig</param><param name="host">download.strongswan.org</param></service>
+  <service name="download_url"><param name="path">/strongswan-4.5.3.tar.bz2.sig</param><param name="host">download.strongswan.org</param></service>
-<service name="download_url"><param name="path">/strongswan-4.5.2.tar.bz2</param><param name="host">download.strongswan.org</param></service></services>
+<service name="download_url"><param name="path">/strongswan-4.5.3.tar.bz2</param><param name="host">download.strongswan.org</param></service></services>

_service:download_url:strongswan-4.5.2.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f13b5db946393dacc8590db7397b3ddd56eb37619f93a482a9c6cf9d556e105a
-size 3271219

_service:download_url:strongswan-4.5.2.tar.bz2.sig

@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
-
-iQGcBAABAgAGBQJNzvEVAAoJEN9CwXCzTbp3iKMMAJ2jhS0kbzGn/E3osePgMJHH
-lVbhKag6rnIQfNS9lelBrdJLI/3xV6b88geqvcCgcK2X545X4PUcQtZm08N75qLH
-Vjku1qKcKjrPa65glD0nkRYg4MS9dN+obYiPl+S6HhrDO05pvddhSx2a7YA97F8W
-7CAbZdULLIIgVlC2plv+W3y1tLQNQEP4rS7FrzMVuTeZCw3W0XawQMvIOwckLEfE
-AHMGXrFjevvipOr9pOD5uzi9kJFQGsw2kl7+W2o9mZUlkFGlgVFemH/T5WUaz/BJ
-ha1HLdsgIOOJQlLV+bj7bFTbNkkVEdY4hr4c+9JHWr6vRhe/7zrRCP5PIidnqpQ2
-e5O/26qzz1IyRRA4v/KO5b35BTp5dJjPeeOknLz+vBptMiU7uXpUtT0NmsojSw0f
-SOli9Kl9RSLL+7E6y8k6qU8uWxfTIRsVWsmBZQkdByY4Ua1UtMv67YdRlaxgwe/M
-xpu2k+aSGZVcUBrvOf3GFT9I6pL+orac4+gYBGIJJw==
-=LG31
------END PGP SIGNATURE-----

strongswan-4.5.3-fmt-warnings.patch

@@ -0,0 +1,31 @@
+--- src/checksum/checksum_builder.c
++++ src/checksum/checksum_builder.c	2011/09/08 15:45:10
+@@ -64,9 +64,9 @@ static void build_checksum(char *path, c
+ 			fprintf(stderr, "dlopen failed: %s\n", dlerror());
+ 		}
+ 	}
+-	printf("\t{\"%-20s%7u, 0x%08x, %6u, 0x%08x},\n",
++	printf("\t{\"%-20s%7zu, 0x%08x, %6zu, 0x%08x},\n",
+ 		   name, fsize, fsum, ssize, ssum);
+-	fprintf(stderr, "\"%-20s%7u / 0x%08x       %6u / 0x%08x\n",
++	fprintf(stderr, "\"%-20s%7zu / 0x%08x       %6zu / 0x%08x\n",
+ 			name, fsize, fsum, ssize, ssum);
+ }
+ 
+@@ -106,14 +106,14 @@ static void build_binary_checksum(char *
+ 		pos = strrchr(binary, '.');
+ 		if (pos && streq(pos, ".so"))
+ 		{
+-			snprintf(name, sizeof(name), "%.*s\",", pos - binary, binary);
++			snprintf(name, sizeof(name), "%.*s\",", (int)(pos - binary), binary);
+ 			if (streq(name, "libstrongswan\","))
+ 			{
+ 				snprintf(sname, sizeof(sname), "%s", "library_init");
+ 			}
+ 			else
+ 			{
+-				snprintf(sname, sizeof(sname), "%.*s_init", pos - binary, binary);
++				snprintf(sname, sizeof(sname), "%.*s_init", (int)(pos - binary), binary);
+ 			}
+ 			build_checksum(path, name, sname);
+ 		}

strongswan.changes

@@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Thu Sep  8 16:06:46 UTC 2011 - mt@suse.com
+
+- Updated to strongSwan 4.5.2 release, changes overview since 4.5.2:
+  * Our private libraries (e.g. libstrongswan) are not installed directly in
+    prefix/lib anymore. Instead a subdirectory is used (prefix/lib/ipsec/ by
+    default). The plugins directory is also moved from libexec/ipsec/ to that
+    directory.
+  * The dynamic IMC/IMV libraries were moved from the plugins directory to
+    a new imcvs directory in the prefix/lib/ipsec/ subdirectory.
+  * Job priorities were introduced to prevent thread starvation caused by too
+    many threads handling blocking operations (such as CRL fetching).
+  * Two new strongswan.conf options allow to fine-tune performance on IKEv2
+    gateways by dropping IKE_SA_INIT requests on high load.
+  * IKEv2 charon daemon supports PASS and DROP shunt policies
+    preventing traffic to go through IPsec connections. Installation of the
+    shunt policies either via the XFRM netfilter or PFKEYv2 IPsec kernel
+    interfaces.
+  * The history of policies installed in the kernel is now tracked so that e.g.
+    trap policies are correctly updated when reauthenticated SAs are terminated.
+  * IMC/IMV Scanner pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
+    Using "netstat -l" the IMC scans open listening ports on the TNC client
+    and sends a port list to the IMV which based on a port policy decides if
+    the client is admitted to the network.
+  * IMC/IMV Test pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
+  * The IKEv2 close action does not use the same value as the ipsec.conf dpdaction
+    setting, but the value defined by its own closeaction keyword. The action
+    is triggered if the remote peer closes a CHILD_SA unexpectedly.
+- Fixed some fmt warnings in libchecksum, adopted paths in the spec file
+
 -------------------------------------------------------------------
 Sun May 29 16:37:00 UTC 2011 - jcnengel@googlemail.com
 

strongswan.spec

@@ -19,16 +19,17 @@
 
 
 Name:           strongswan
-%define         upstream_version 4.5.2
+Version:        4.5.3
+Release:        0
+%define         upstream_version   %{version}
 %define         strongswan_docdir  %{_docdir}/%{name}
-%define         strongswan_plugins %{_libexecdir}/ipsec/plugins
+%define         strongswan_libdir  %{_libdir}/ipsec
+%define         strongswan_plugins %{strongswan_libdir}/plugins
 %define		with_mysql	1
 %define		with_sqlite	0%{suse_version} >= 1110
 %define		with_gcrypt	0%{suse_version} >= 1110
 %define		with_nm		0%{suse_version} >= 1110
 %define		with_tests	0
-Version:        4.5.2
-Release:        1
 License:        GPLv2+
 Group:          Productivity/Networking/Security
 Summary:        OpenSource IPsec-based VPN Solution
@@ -43,6 +44,7 @@ Source2:        %{name}.init.in
 Source3:        %{name}-%{version}-rpmlintrc
 Source4:        README.SUSE
 Patch1:         %{name}_modprobe_syslog.patch
+Patch2:         %{name}-%{version}-fmt-warnings.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison flex gmp-devel gperf pkg-config
 BuildRequires:  libcap-devel
@@ -61,6 +63,7 @@ BuildRequires:  libgcrypt-devel
 %if %with_nm
 BuildRequires:  NetworkManager-devel
 %endif
+BuildRequires:  iptables libnl >= 1.1
 
 %description
 StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
@@ -245,6 +248,7 @@ and the load testing plugin for IKEv2 daemon.
 %prep
 %setup -q -n %{name}-%{upstream_version}
 %patch1 -p0
+%patch2 -p0
 sed -e 's|@libexecdir@|%_libexecdir|g'    \
      < $RPM_SOURCE_DIR/strongswan.init.in \
      > strongswan.init
@@ -325,8 +329,8 @@ cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
 #
 EOT
 #
-rm -f $RPM_BUILD_ROOT%{_libdir}/lib*.{so,a,la}
+rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan}.so
-find  $RPM_BUILD_ROOT%{_libexecdir}/ipsec \
+find  $RPM_BUILD_ROOT%{strongswan_libdir} \
       -name "*.a" -o -name "*.la" | xargs -r rm -f
 #
 install -m755 -d ${RPM_BUILD_ROOT}%{strongswan_docdir}/
@@ -440,15 +444,16 @@ fi
 %files libs0
 %defattr(-,root,root)
 %config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf
-%{_libdir}/libhydra.so.0
-%{_libdir}/libhydra.so.0.0.0
-%{_libdir}/libcharon.so.0
-%{_libdir}/libcharon.so.0.0.0
-%{_libdir}/libstrongswan.so.0
-%{_libdir}/libstrongswan.so.0.0.0
 %dir %{_libexecdir}/ipsec
 %dir %{_libexecdir}/ipsec/pool
-%{_libexecdir}/ipsec/libchecksum.so
+%dir %{strongswan_libdir}
+%{strongswan_libdir}/libchecksum.so
+%{strongswan_libdir}/libhydra.so.0
+%{strongswan_libdir}/libhydra.so.0.0.0
+%{strongswan_libdir}/libcharon.so.0
+%{strongswan_libdir}/libcharon.so.0.0.0
+%{strongswan_libdir}/libstrongswan.so.0
+%{strongswan_libdir}/libstrongswan.so.0.0.0
 %dir %{strongswan_plugins}
 %{strongswan_plugins}/libstrongswan-addrblock.so
 %{strongswan_plugins}/libstrongswan-aes.so