pool/strongswan
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: pool:factory
Branches Tags
pool:factory
pool:devel
jengelh:master
jengelh:factory
...
pull from: jengelh:master
Branches Tags
jengelh:master
jengelh:factory
pool:factory
pool:devel

3 Commits
factory ... master

Author SHA256 Message Date
Jan Engelhardt
46bea02645 Re-enable stroke backend for now 2024-12-12 12:06:25 +01:00
Jan Engelhardt
b5f8ae4845 strongswan 6.0.0 2024-12-04 02:21:06 +01:00
Dirk Mueller
da8f2965e2 rename -hmac subpackage to -fips 2024-11-26 13:56:30 +02:00
8 changed files with 223 additions and 194 deletions
Show Stats Expand all files Collapse all files

14
harden_strongswan.service.patch
View File

@ -1,9 +1,13 @@
Index: strongswan-5.9.5/init/systemd/strongswan.service.in
---
init/systemd/strongswan.service.in | 11 +++++++++++
1 file changed, 11 insertions(+)
Index: strongswan-6.0.0/init/systemd/strongswan.service.in
===================================================================
--- strongswan-5.9.5.orig/init/systemd/strongswan.service.in
+++ strongswan-5.9.5/init/systemd/strongswan.service.in
@@ -3,6 +3,17 @@ Description=strongSwan IPsec IKEv1/IKEv2
After=network-online.target
--- strongswan-6.0.0.orig/init/systemd/strongswan.service.in
+++ strongswan-6.0.0/init/systemd/strongswan.service.in
@@ -4,6 +4,17 @@ After=network-online.target
Wants=network-online.target
[Service]
+# added automatically, for details please see

31
init.patch Normal file
View File

@ -0,0 +1,31 @@
From c58507ff186ae9cf014c0b54082c8bf74aef3219 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Tue, 3 Dec 2024 21:56:33 +0100
Subject: [PATCH] init: put strongswan-starter.service behind USE_FILE_CONFIG
References: https://github.com/strongswan/strongswan/pull/2553
stroke is no longer enabled by default, but the systemd unit
still is copied on `make install`. Fix that.
---
init/Makefile.am | 2 ++
1 file changed, 2 insertions(+)
diff --git a/init/Makefile.am b/init/Makefile.am
index 54c090cea..824ebd695 100644
--- a/init/Makefile.am
+++ b/init/Makefile.am
@@ -3,9 +3,11 @@ SUBDIRS =
if USE_LEGACY_SYSTEMD
if USE_CHARON
+if USE_FILE_CONFIG
SUBDIRS += systemd-starter
endif
endif
+endif
if USE_SYSTEMD
if USE_SWANCTL
--
2.47.1

BIN
strongswan-5.9.14.tar.bz2 (Stored with Git LFS)
View File

Binary file not shown.

14
strongswan-5.9.14.tar.bz2.sig
View File

@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmX5cHAACgkQ30LBcLNN
une5oAwAiNFc9r4zuuJ9+Qd3q4AYTiCa7g4j6OhneQwY7Y6fzYOROfKKDzPoDhwJ
juU5vj+5d9yKVLEEueACCY2hM9cmAZL3mWMy5s86FmrNQcPRJ24cU19ZkyoxKGZ9
8lvEtPzb5r5aTrdJnSu3rydGK7nSVysxA5ZyamviUndx1lWUkGYlz3lKMl8xm2qa
QNCnBQiUcwm9mADl4txlxkCvSDPb1Ez7Y40K5lVTpKa/awaM9e9JuKXSgOJmBUBY
C/E8pCzC8lENEoq5EZI/eV7VNwlc1ussqp2iSj0Nhy45cmXvCHpCIslkhPuReQzW
nNDFbuMGiDzCvD2RNdi+l1z+74oLPFeC7663K2/VYMMobqwYVhdC4hg/PMOzDa1x
L18Y7Pffna4gNa/jarx1U7fMFLW4c0q5DVvM8qoLtnc7Q9zFw4A+EU6i3sFa5EF+
aVNbmHTIBXnf0YVoHmuOgjRH9kjjshnl/kSszOeW+wkoZzhuJkTzz/gllc9YWQNG
y+PFcIVK
=dVex
-----END PGP SIGNATURE-----

BIN
strongswan-6.0.0.tar.bz2 (Stored with Git LFS) Normal file
View File

Binary file not shown.

14
strongswan-6.0.0.tar.bz2.sig Normal file
View File

@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
iQGzBAABCgAdFiEElI8Vik52onvz0HUy30LBcLNNuncFAmdO+hMACgkQ30LBcLNN
undilgwAgiT5p2PyMhwSp4qo1EUX8+PWwJ9Plqz7TNCCdFJe3uYre3hM2K5hFey0
azrPrqZ2HWtBycH0gI4BFzUSVO8E4SZOBQnPH/g3bsFg9VU71ML30LdZYx+Lg7wK
7AaMxYhl7xIvfb4D8+ZpYV6bSDH0o2tRN5h5gPk4IECOTTRhsLWL89IL8xOXgNPj
ao0meIUNfvg6cl1uLFff/c7H7cAGSFsKPSWtMWLfK0PglW4LVJJvr5PhGsduVPsE
JwY2VAMVi1BI1Y7I1WxS7T1qEAXLKAuNHKJHgIvd3xvSM1Q197qFrGyuujDQV5Yn
Olp583ccs2LJbfmDQiPD/AHeDpikMMtBZ3Hk7Od3CqRVpeIDyBC0/oEwiascw6Q4
5SDclgEdL9jHU7Uo1Z9v+Ltn0lihGAkAsAMgJMFyfCFiB03yCXFQu34PK65ZoIk7
GN3XeUqu7sdmK7Tg4RbsrZ1P7J9TiFllMiu7noYVluhW4My68A76yHIbk66i8DwF
pzxPfTqH
=8zOA
-----END PGP SIGNATURE-----

78
strongswan.changes
View File

@ -1,3 +1,35 @@
-------------------------------------------------------------------
Tue Dec 3 15:59:06 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
- /usr/sbin/ipsec is deprecated since 5.2.0 and will be removed
in the future.
- Update to release 6.0.0
* Support for multiple IKEv2 key exchanges (RFC 9370)
* Support for the Module-Lattice-Based Key-Encapsulation
Mechanism (ML-KEM, FIPS 203)
* AF_VSOCK socket support
* The file logger can optionally log messages as JSON objects
* Handling of CHILD_SA rekey collisions has been improved
* The kernel-netlink plugin explicitly configures the direction
of IPsec SAs when running on 6.10+ kernels
* The NetworkManager plugin (charon-nm) now uses a different
routing table than the regular IKE daemon to avoid conflicts
if both are running
* The following crypto plugins are no longer built:
aes, curve25519, des, fips-prf, gmp, hmac, md5, pkcs12, rc2,
sha1, sha2. (Their replacement is the "openssl" plugin.)
* The following deprecated plugins have been removed: bliss
(signature scheme), newhope (key exchange method), ntru (key
exchange method).
- Add init.patch
-------------------------------------------------------------------
Tue Nov 26 12:02:16 UTC 2024 - Dirk Müller <dmueller@suse.com>
- rename -hmac subpackage to -fips because it isn't providing
the hmac files, it provides the configuration drop in to
enforce fips mode.
-------------------------------------------------------------------
Thu Jun 20 12:10:36 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
@ -104,7 +136,7 @@ Wed Apr 5 01:34:28 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
vici aka swanctl interface which is current upstream's default.
strongswan.service which enables swanctl interface is masked to
stop interfering with the ipsec interface (bsc#1184144)
- Removes deprecated SysV support
- Removes deprecated SysV support
-------------------------------------------------------------------
Thu Mar 2 13:34:37 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
@ -225,7 +257,7 @@ Wed Mar 16 12:57:46 UTC 2022 - Marcus Meissner <meissner@suse.com>
-------------------------------------------------------------------
Thu Mar 3 14:49:26 UTC 2022 - Marcus Meissner <meissner@suse.com>
- Added prf-plus-modularization.patch that outsources the IKE
- Added prf-plus-modularization.patch that outsources the IKE
key derivation to openssl. (will be merged to 5.9.6)
- package the kdf config, template and plugin
@ -415,9 +447,9 @@ Tue Mar 31 16:42:23 UTC 2020 - Madhu Mohan Nelemane <mmnelemane@suse.com>
-------------------------------------------------------------------
Mon Feb 17 20:26:37 UTC 2020 - Johannes Kastl <kastl@b1-systems.de>
- move file %{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
to strongswan-nm subpackage, as it is needed for the
NetworkManager plugin that uses strongswan-nm, not
- move file %{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
to strongswan-nm subpackage, as it is needed for the
NetworkManager plugin that uses strongswan-nm, not
strongswan-ipsec
This fixes the following error:
```
@ -624,7 +656,7 @@ Tue Apr 17 13:24:38 UTC 2018 - bjorn.lie@gmail.com
-------------------------------------------------------------------
Fri Mar 16 08:55:10 UTC 2018 - mmnelemane@suse.com
- Removed unused requires and macro calls(bsc#1083261)
- Removed unused requires and macro calls(bsc#1083261)
-------------------------------------------------------------------
Tue Oct 17 11:27:54 UTC 2017 - jengelh@inai.de
@ -657,7 +689,7 @@ Tue Sep 5 17:10:11 CEST 2017 - ndas@suse.de
*By default the /etc/swanctl/conf.d directory is created and *.conf files in it are included in the default
swanctl.conf file.
*The curl plugin now follows HTTP redirects (configurable via strongswan.conf).
*The CHILD_SA rekeying was fixed in charon-tkm and the behavior is refined a bit more since 5.5.3
@ -786,7 +818,7 @@ Mon Jul 4 12:00:00 UTC 2016 - doug@uq.edu.au
based random oracle has been fixed, generalized and
standardized by employing the MGF1 mask generation function
with SHA-512. As a consequence BLISS signatures unsing the
improved oracle are not compatible with the earlier
improved oracle are not compatible with the earlier
implementation.
* Support for auto=route with right=%any for transport mode
connections has been added (the ikev2/trap-any scenario
@ -806,7 +838,7 @@ Mon Jul 4 12:00:00 UTC 2016 - doug@uq.edu.au
rightauth=any, which prevented it from using this same config
as responder).
* The initiator flag in the IKEv2 header is compared again
(wasn't the case since 5.0.0) and packets that have the flag
(wasn't the case since 5.0.0) and packets that have the flag
set incorrectly are again ignored.
* Implemented a demo Hardcopy Device IMC/IMV pair based on the
"Hardcopy Device Health Assessment Trusted Network Connect
@ -852,8 +884,8 @@ Mon Jul 4 12:00:00 UTC 2016 - doug@uq.edu.au
are chosen based on the strength of the signature key, but
specific hash algorithms may be configured in leftauth.
* Key types and hash algorithms specified in rightauth are now
also checked against IKEv2 signature schemes. If such
constraints are used for certificate chain validation in
also checked against IKEv2 signature schemes. If such
constraints are used for certificate chain validation in
existing configurations, in particular with peers that don't
support RFC 7427, it may be necessary to disable this feature
with the charon.signature_authentication_constraints setting,
@ -862,7 +894,7 @@ Mon Jul 4 12:00:00 UTC 2016 - doug@uq.edu.au
* The new connmark plugin allows a host to bind conntrack flows
to a specific CHILD_SA by applying and restoring the SA mark
to conntrack entries. This allows a peer to handle multiple
transport mode connections coming over the same NAT device for
transport mode connections coming over the same NAT device for
client-initiated flows. A common use case is to protect
L2TP/IPsec, as supported by some systems.
* The forecast plugin can forward broadcast and multicast
@ -870,13 +902,13 @@ Mon Jul 4 12:00:00 UTC 2016 - doug@uq.edu.au
using unique marks, it sets up the required Netfilter rules
and uses a multicast/broadcast listener that forwards such
messages to all connected clients. This plugin is designed for
Windows 7 IKEv2 clients, which announces its services over the
Windows 7 IKEv2 clients, which announces its services over the
tunnel if the negotiated IPsec policy allows it.
* For the vici plugin a Python Egg has been added to allow
Python applications to control or monitor the IKE daemon using
* For the vici plugin a Python Egg has been added to allow
Python applications to control or monitor the IKE daemon using
the VICI interface, similar to the existing ruby gem. The
Python library has been contributed by Björn Schuberg.
* EAP server methods now can fulfill public key constraints,
* EAP server methods now can fulfill public key constraints,
such as rightcert or rightca. Additionally, public key and
signature constraints can be specified for EAP methods in the
rightauth keyword. Currently the EAP-TLS and EAP-TTLS methods
@ -1077,7 +1109,7 @@ Thu Jul 3 13:39:45 UTC 2014 - meissner@suse.com
-------------------------------------------------------------------
Fri Jun 20 17:38:07 UTC 2014 - crrodriguez@opensuse.org
- Fix build in factory
- Fix build in factory
* Do not include var/run directories in package
* Move runtime data to /run and provide tmpfiles.d snippet
* Add proper systemd macros to rpm scriptlets.
@ -1324,7 +1356,7 @@ Thu Nov 29 19:13:40 CET 2012 - sbrabec@suse.cz
-------------------------------------------------------------------
Fri Nov 16 04:02:32 UTC 2012 - crrodriguez@opensuse.org
- Fix systemd unit dir
- Fix systemd unit dir
-------------------------------------------------------------------
Wed Oct 31 15:25:16 UTC 2012 - mt@suse.de
@ -2007,7 +2039,7 @@ Wed Jun 10 11:04:44 CEST 2009 - mt@suse.de
Mon Jun 8 00:21:13 CEST 2009 - ro@suse.de
- rename getline to my_getline to avoid collision with function
from glibc
from glibc
-------------------------------------------------------------------
Tue Jun 2 09:56:16 CEST 2009 - mt@suse.de
@ -2048,7 +2080,7 @@ Tue Mar 31 11:19:03 CEST 2009 - mt@suse.de
As a workaround such dates are set to the maximum representable
time, i.e. Jan 19 03:14:07 UTC 2038.
* Distinguished Names containing wildcards (*) are not sent in the
IDr payload anymore.
IDr payload anymore.
-------------------------------------------------------------------
Mon Oct 20 09:27:06 CEST 2008 - mt@suse.de
@ -2114,7 +2146,7 @@ Thu Aug 28 09:48:14 CEST 2008 - mt@suse.de
several hundred tunnels concurrently.
* Fixed the --enable-integrity-test configure option which
computes a SHA-1 checksum over the libstrongswan library.
* Consistent logging of IKE and CHILD SAs at the audit (AUD) level.
* Consistent logging of IKE and CHILD SAs at the audit (AUD) level.
* Improved the performance of the SQL-based virtual IP address pool
by introducing an additional addresses table. The leases table
storing only history information has become optional and can be
@ -2218,7 +2250,7 @@ Tue Feb 19 11:44:03 CET 2008 - mt@suse.de
to the rekeyed IKE_SA so that the UDP encapsulation was lost with
the next CHILD_SA rekeying.
* Wrong type definition of the next_payload variable in id_payload.c
caused an INVALID_SYNTAX error on PowerPC platforms.
caused an INVALID_SYNTAX error on PowerPC platforms.
* Implemented IKEv2 EAP-SIM server and client test modules that use
triplets stored in a file. For details on the configuration see
the scenario 'ikev2/rw-eap-sim-rsa'.
@ -2250,5 +2282,5 @@ Mon Nov 26 10:19:40 CET 2007 - mt@suse.de
-------------------------------------------------------------------
Thu Nov 22 10:25:56 CET 2007 - mt@suse.de
- Initial, unfinished package
- Initial, unfinished package

260
strongswan.spec
View File

@ -16,21 +16,14 @@
#
Name: strongswan
Version: 5.9.14
Release: 0
%define upstream_version %{version}
%define strongswan_docdir %{_docdir}/%{name}
%define strongswan_libdir %{_libdir}/ipsec
%define strongswan_configs %{_sysconfdir}/strongswan.d
%define strongswan_datadir %{_datadir}/strongswan
%define strongswan_plugins %{strongswan_libdir}/plugins
%define strongswan_templates %{strongswan_datadir}/templates
%if 0
%bcond_without tests
%else
%bcond_without stroke
%bcond_with tests
%endif
%bcond_without fipscheck
%ifarch %{ix86} ppc64le
%bcond_without integrity
@ -44,70 +37,73 @@ Release: 0
%bcond_without gcrypt
%bcond_without nm
%bcond_without systemd
Name: strongswan
Version: 6.0.0
Release: 0
Summary: IPsec-based VPN solution
License: GPL-2.0-or-later
Group: Productivity/Networking/Security
URL: https://www.strongswan.org/
Source0: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
Source1: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
Source0: http://download.strongswan.org/strongswan-%version.tar.bz2
Source1: http://download.strongswan.org/strongswan-%version.tar.bz2.sig
Source2: %{name}.init.in
Source3: %{name}-rpmlintrc
Source4: README.SUSE
Source5: %{name}.keyring
%if %{with fipscheck}
Source7: fips-enforce.conf
%endif
Patch2: %{name}_ipsec_service.patch
Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
Patch6: harden_strongswan.service.patch
Patch7: init.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bison
BuildRequires: curl-devel
BuildRequires: flex
BuildRequires: gmp-devel
BuildRequires: gperf
BuildRequires: iptables
BuildRequires: libcap-devel
BuildRequires: libopenssl-devel
BuildRequires: libtool
BuildRequires: openldap2-devel
BuildRequires: pam-devel
BuildRequires: pcsc-lite-devel
BuildRequires: pkg-config
BuildRequires: pkgconfig(libsoup-2.4)
BuildRequires: pkgconfig(libsystemd)
%if %{with mysql}
BuildRequires: libmysqlclient-devel
%endif
%if %{with sqlite}
BuildRequires: sqlite3-devel
BuildRequires: pkgconfig(sqlite3)
%endif
%if %{with gcrypt}
BuildRequires: libgcrypt-devel
BuildRequires: pkgconfig(libgcrypt)
%endif
%if %{with nm}
BuildRequires: pkgconfig(libnm)
%endif
Obsoletes: strongswan-libs0 < %version-%release
Provides: strongswan-libs0 = %version-%release
%{?systemd_requires}
BuildRequires: iptables
BuildRequires: pkgconfig(libsystemd)
%{!?_rundir: %global _rundir /run}
%{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d}
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
Requires: strongswan-ipsec = %{version}
%description
StrongSwan is an IPsec-based VPN solution for Linux.
* Implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
* Fully tested support of IPv6 IPsec tunnel and transport connections
* IKEv1 and IKEv2 (RFC 4306, 9370) key exchange protocol support
* Support of IPv6 IPsec tunnel and transport connections
* Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555)
* Automatic insertion and deletion of IPsec-policy-based firewall rules
* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
* 128/192/256-bit AES encryption
* NAT Traversal via UDP encapsulation and port floating (RFC 3947)
* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
* Static virtual IP addresses and IKEv1 ModeConfig pull and push modes
* Dead Peer Detection (DPD, RFC 3706) to detect dangling tunnels
* XAUTH server and client functionality on top of IKEv1 Main Mode authentication
* Virtual IP address pool managed by IKE daemon or SQL database
* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
* IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
* Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
* Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
* Authentication based on X.509 certificates or preshared keys
@ -115,12 +111,11 @@ StrongSwan is an IPsec-based VPN solution for Linux.
* Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
* Full support of the Online Certificate Status Protocol (OCSP, RCF 2560).
* CA management (OCSP and CRL URIs, default LDAP server)
* Powerful IPsec policies based on wildcards or intermediate CAs
* IPsec policies based on wildcards or intermediate CAs
* Group policies based on X.509 attribute certificates (RFC 3281)
* Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
* Storage of RSA private keys and certificates on a smartcard (PKCS#11 interface)
* Modular plugins for crypto algorithms and relational database interfaces
* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
* Optional built-in integrity and crypto tests for plugins and libraries
* Linux desktop integration via the strongSwan NetworkManager applet
This package triggers the installation of both, IKEv1 and IKEv2 daemons.
@ -135,48 +130,39 @@ StrongSwan is an IPsec-based VPN solution for Linux.
This package provides the StrongSwan documentation.
%package libs0
Summary: strongSwan core libraries and basic plugins
Group: Productivity/Networking/Security
Conflicts: strongswan < %{version}
%description libs0
StrongSwan is an IPsec-based VPN solution for Linux.
This package provides the strongswan library and plugins.
%package hmac
%package fips
Summary: Config file to disable non FIPS-140-2 algos in strongSwan
Group: Productivity/Networking/Security
Requires: strongswan-ipsec = %{version}
Requires: strongswan-libs0 = %{version}
Requires: strongswan = %version
Provides: strongswan-hmac = %{version}-%{release}
Obsoletes: strongswan-hmac < %{version}-%{release}
%description hmac
%description fips
The package provides a config file disabling alternative algorithm
implementation when FIPS-140-2 compliant operation mode is enabled.
%package ipsec
Summary: IPsec-based VPN solution
Summary: Old-style "ipsec" interface (stroke/starter) for strongSwan
Group: Productivity/Networking/Security
Requires: strongswan-libs0 = %{version}
Requires: strongswan = %version
Provides: VPN
Provides: ipsec
Provides: strongswan = %{version}
Obsoletes: strongswan < %{version}
Conflicts: freeswan
Conflicts: openswan
%description ipsec
StrongSwan is an IPsec-based VPN solution for Linux.
This package provides the systemd service definition and allows
to maintain both IKEv1 and IKEv2 using the /etc/ipsec.conf and the
/etc/ipsec.secrets files.
This package provides an ipsec(8) command-line interface and
configuration mechanism (/etc/ipsec.conf, ipsec.secrets).
Old-style ipsec(8) management of strongSwan is deprecated since
version 5.2.0.
%package mysql
Summary: MySQL plugin for strongSwan
Group: Productivity/Networking/Security
Requires: strongswan-libs0 = %{version}
Requires: strongswan = %version
%description mysql
StrongSwan is an IPsec-based VPN solution for Linux.
@ -186,20 +172,20 @@ This package provides the strongswan mysql plugin.
%package sqlite
Summary: SQLite plugin for strongSwan
Group: Productivity/Networking/Security
Requires: strongswan-libs0 = %{version}
Requires: strongswan = %version
%description sqlite
StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
StrongSwan is an IPsec-based VPN solution for Linux.
This package provides the strongswan sqlite plugin.
%package nm
Summary: NetworkManager plugin for strongSwan
Group: Productivity/Networking/Security
Requires: strongswan-libs0 = %{version}
Requires: strongswan = %version
%description nm
StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
StrongSwan is an IPsec-based VPN solution for Linux.
This package provides the NetworkManager plugin to control the
charon IKEv2 daemon through D-Bus, designed to work using the
@ -208,28 +194,24 @@ NetworkManager-strongswan graphical user interface.
%package tests
Summary: Testing plugins for strongSwan
Group: Productivity/Networking/Security
Requires: strongswan-libs0 = %{version}
Requires: strongswan = %version
%description tests
StrongSwan is an OpenSource IPsec-based VPN solution for Linux.
StrongSwan is an IPsec-based VPN solution for Linux.
This package provides the strongswan crypto test vectors plugin
and the load testing plugin for IKEv2 daemon.
%prep
%setup -q -n %{name}-%{upstream_version}
%patch -P 2 -p1
%patch -P 5 -p1
%autosetup -p1
sed -e 's|@libexecdir@|%_libexecdir|g' \
< %{_sourcedir}/strongswan.init.in \
> strongswan.init
%patch -P 6 -p1
%build
CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter"
export CFLAGS
autoreconf --force --install
%configure \
CFLAGS="%optflags -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter" \
%if %{with integrity}
--enable-integrity-test \
%endif
@ -312,6 +294,9 @@ autoreconf --force --install
%else
--disable-nm \
%endif
%if %{with stroke}
--enable-stroke \
%endif
%if %{with tests}
--enable-conftest \
--enable-load-tester \
@ -358,7 +343,7 @@ LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
}
%endif
#
rm -f %{buildroot}/%{_sysconfdir}/ipsec.secrets
%if %{with stroke}
cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets
#
# ipsec.secrets
@ -368,6 +353,7 @@ cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets
#
EOT
#
%endif
%if ! %{with mysql}
rm -f %{buildroot}/%{strongswan_templates}/database/sql/mysql.sql
%endif
@ -377,7 +363,6 @@ rm -f %{buildroot}/%{strongswan_templates}/database/sql/sqlite.sql
rm -f %{buildroot}/%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
rm -f %{buildroot}/%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
find %{buildroot}/%{strongswan_libdir} -type f -name "*.la" -delete
#
install -d -m755 %{buildroot}/%{strongswan_docdir}/
install -c -m644 TODO NEWS README COPYING LICENSE \
AUTHORS ChangeLog \
@ -393,36 +378,37 @@ install -c -m644 %{_sourcedir}/fips-enforce.conf \
sed -i 's/\(load[ ]*=[ ]*\)yes/\1no/g' %{buildroot}/%{strongswan_configs}/charon/bypass-lan.conf
%endif
%post libs0
%post
/sbin/ldconfig
%{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/%{name}.conf}
%{!?tmpfiles_create:test -d %{_rundir}/%{name} || mkdir -p %{_rundir}/%{name}}
%postun libs0 -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%pre ipsec
%service_add_pre %{name}-starter.service
%post ipsec
%service_add_post %{name}-starter.service
# Following code does the migration from strongwan.service (ver < 5.8.0) to
# strongswan-starter.service (ver >= 5.8.0) during update. The systemd service
# units have been renamed. The modern unit, which was called strongswan-swanctl,
# is now called strongswan (the previous name is configured as alias in the unit,
# for which a symlink is created when the unit is enabled). The legacy unit is now
# called strongswan-starter.
_ipsec_active=`/usr/bin/systemctl is-active %{name}-starter.service 2>/dev/null` || :
_swanctl_active=`/usr/bin/systemctl is-active %{name}.service 2>/dev/null` || :
_ipsec_enable=`/usr/bin/systemctl is-enabled %{name}-starter.service 2>/dev/null` || :
_swanctl_enable=`/usr/bin/systemctl is-enabled %{name}.service 2>/dev/null` || :
if [[ "$_swanctl_enable" == "enabled" || "$_swanctl_active" == "active" ]]; then
_ipsec_active=$(/usr/bin/systemctl is-active %{name}-starter.service 2>/dev/null) || :
_swanctl_active=$(/usr/bin/systemctl is-active %{name}.service 2>/dev/null) || :
_ipsec_enable=$(/usr/bin/systemctl is-enabled %{name}-starter.service 2>/dev/null) || :
_swanctl_enable=$(/usr/bin/systemctl is-enabled %{name}.service 2>/dev/null) || :
if [ "$_swanctl_enable" = "enabled" ] || [ "$_swanctl_active" = "active" ]; then
/usr/bin/systemctl disable --now %{name}.service || :
/usr/bin/systemctl mask %{name}.service || :
fi
if [[ "$_swanctl_enable" == "enabled" || "$_ipsec_enable" == "enabled" ]]; then
if [ "$_swanctl_enable" = "enabled" ] || [ "$_ipsec_enable" = "enabled" ]; then
/usr/bin/systemctl daemon-reload
/usr/bin/systemctl enable %{name}-starter.service || :
fi
if [[ "$_swanctl_active" == "active" || "$_ipsec_active" == "active" ]]; then
if [ "$_swanctl_active" = "active" ] || [ "$_ipsec_active" = "active" ]; then
/usr/bin/systemctl start %{name}-starter.service || :
fi
@ -440,45 +426,26 @@ fi
%postun ipsec
%service_del_postun %{name}-starter.service
%files
%dir %{strongswan_docdir}
%{strongswan_docdir}/README.SUSE
%if %{with fipscheck}
%files hmac
%files fips
%dir %{strongswan_configs}
%dir %{strongswan_configs}/charon
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/zzz_fips-enforce.conf
%endif
%files ipsec
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.conf
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.secrets
%files
%dir %{strongswan_docdir}
%{strongswan_docdir}/README.SUSE
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/swanctl/swanctl.conf
%dir %{_sysconfdir}/swanctl
%dir %{_sysconfdir}/ipsec.d
%dir %{_sysconfdir}/ipsec.d/crls
%dir %{_sysconfdir}/ipsec.d/reqs
%dir %{_sysconfdir}/ipsec.d/certs
%dir %{_sysconfdir}/ipsec.d/acerts
%dir %{_sysconfdir}/ipsec.d/aacerts
%dir %{_sysconfdir}/ipsec.d/cacerts
%dir %{_sysconfdir}/ipsec.d/ocspcerts
%dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
%{_unitdir}/strongswan-starter.service
%{_unitdir}/strongswan.service
%{_sbindir}/charon-systemd
%{_bindir}/pki
%{_bindir}/pt-tls-client
%{_bindir}/tpm_extendpcr
%{_sbindir}/ipsec
%{_sbindir}/swanctl
%{_mandir}/man1/pki*.1*
%{_mandir}/man1/pt-tls-client.1*
%{_mandir}/man8/ipsec.8*
%{_mandir}/man5/ipsec.conf.5*
%{_mandir}/man5/ipsec.secrets.5*
%{_mandir}/man5/strongswan.conf.5*
%dir %{_libexecdir}/ipsec
%{_libexecdir}/ipsec/_updown
@ -488,29 +455,14 @@ fi
%{_libexecdir}/ipsec/xfrmi
%{_libexecdir}/ipsec/duplicheck
%{_libexecdir}/ipsec/pool
%{_libexecdir}/ipsec/starter
%{_libexecdir}/ipsec/stroke
%{_libexecdir}/ipsec/charon
%{_libexecdir}/ipsec/_imv_policy
%{_libexecdir}/ipsec/imv_policy_manager
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-drbg.so
%{strongswan_plugins}/libstrongswan-stroke.so
%{strongswan_plugins}/libstrongswan-updown.so
%files doc
%dir %{strongswan_docdir}
%{strongswan_docdir}/TODO
%{strongswan_docdir}/NEWS
%{strongswan_docdir}/README
%{strongswan_docdir}/COPYING
%{strongswan_docdir}/LICENSE
%{strongswan_docdir}/AUTHORS
%{strongswan_docdir}/ChangeLog
%{_mandir}/man5/swanctl.conf.5.*
%{_mandir}/man8/swanctl.8.*
%files libs0
%_mandir/man5/swanctl.conf.5.*
%_mandir/man8/swanctl.8.*
%{_tmpfilesdir}/%{name}.conf
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf
%dir %{strongswan_configs}
@ -521,13 +473,10 @@ fi
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/pool.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/starter.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/tnc.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/counters.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/drbg.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf
%if %{with afalg}
@ -544,7 +493,6 @@ fi
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/coupling.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ctr.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curl.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/des.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/dhcp.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/dnskey.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/duplicheck.conf
@ -576,37 +524,30 @@ fi
%endif
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gmp.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ha.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/hmac.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kdf.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/kernel-netlink.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ldap.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mgf1.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/openssl.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pgp.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs11.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs12.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs1.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs7.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pkcs8.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pubkey.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/radattr.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/random.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/rc2.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/resolve.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/revocation.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sha1.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sha2.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/smp.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/socket-default.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/soup.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sql.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/sshkey.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/stroke.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-11.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-20.conf
%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/tnccs-dynamic.conf
@ -645,7 +586,6 @@ fi
%{strongswan_libdir}/imcvs/imv-test.so
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-addrblock.so
%{strongswan_plugins}/libstrongswan-aes.so
%if %{with afalg}
%{strongswan_plugins}/libstrongswan-af-alg.so
%endif
@ -661,7 +601,6 @@ fi
%{strongswan_plugins}/libstrongswan-coupling.so
%{strongswan_plugins}/libstrongswan-ctr.so
%{strongswan_plugins}/libstrongswan-curl.so
%{strongswan_plugins}/libstrongswan-des.so
%{strongswan_plugins}/libstrongswan-dhcp.so
%{strongswan_plugins}/libstrongswan-dnskey.so
%{strongswan_plugins}/libstrongswan-duplicheck.so
@ -693,13 +632,11 @@ fi
%endif
%{strongswan_plugins}/libstrongswan-gmp.so
%{strongswan_plugins}/libstrongswan-ha.so
%{strongswan_plugins}/libstrongswan-hmac.so
%{strongswan_plugins}/libstrongswan-kdf.so
%{strongswan_plugins}/libstrongswan-kernel-netlink.so
%{strongswan_plugins}/libstrongswan-ldap.so
%{strongswan_plugins}/libstrongswan-led.so
%{strongswan_plugins}/libstrongswan-md4.so
%{strongswan_plugins}/libstrongswan-md5.so
%{strongswan_plugins}/libstrongswan-mgf1.so
%{strongswan_plugins}/libstrongswan-nonce.so
%{strongswan_plugins}/libstrongswan-openssl.so
@ -707,17 +644,13 @@ fi
%{strongswan_plugins}/libstrongswan-pgp.so
%{strongswan_plugins}/libstrongswan-pkcs1.so
%{strongswan_plugins}/libstrongswan-pkcs11.so
%{strongswan_plugins}/libstrongswan-pkcs12.so
%{strongswan_plugins}/libstrongswan-pkcs7.so
%{strongswan_plugins}/libstrongswan-pkcs8.so
%{strongswan_plugins}/libstrongswan-pubkey.so
%{strongswan_plugins}/libstrongswan-radattr.so
%{strongswan_plugins}/libstrongswan-random.so
%{strongswan_plugins}/libstrongswan-rc2.so
%{strongswan_plugins}/libstrongswan-resolve.so
%{strongswan_plugins}/libstrongswan-revocation.so
%{strongswan_plugins}/libstrongswan-sha1.so
%{strongswan_plugins}/libstrongswan-sha2.so
%{strongswan_plugins}/libstrongswan-smp.so
%{strongswan_plugins}/libstrongswan-socket-default.so
%{strongswan_plugins}/libstrongswan-soup.so
@ -736,7 +669,6 @@ fi
%{strongswan_plugins}/libstrongswan-xauth-generic.so
%{strongswan_plugins}/libstrongswan-xauth-pam.so
%{strongswan_plugins}/libstrongswan-xcbc.so
%{strongswan_plugins}/libstrongswan-curve25519.so
%{strongswan_plugins}/libstrongswan-vici.so
%{strongswan_plugins}/libstrongswan-bypass-lan.so
%dir %{strongswan_datadir}
@ -749,7 +681,6 @@ fi
%dir %{strongswan_templates}/database/sql
%{strongswan_templates}/config/strongswan.conf
%{strongswan_templates}/config/plugins/addrblock.conf
%{strongswan_templates}/config/plugins/aes.conf
%if %{with afalg}
%{strongswan_templates}/config/plugins/af-alg.conf
%endif
@ -765,7 +696,6 @@ fi
%{strongswan_templates}/config/plugins/coupling.conf
%{strongswan_templates}/config/plugins/ctr.conf
%{strongswan_templates}/config/plugins/curl.conf
%{strongswan_templates}/config/plugins/des.conf
%{strongswan_templates}/config/plugins/dhcp.conf
%{strongswan_templates}/config/plugins/dnskey.conf
%{strongswan_templates}/config/plugins/drbg.conf
@ -798,13 +728,11 @@ fi
%endif
%{strongswan_templates}/config/plugins/gmp.conf
%{strongswan_templates}/config/plugins/ha.conf
%{strongswan_templates}/config/plugins/hmac.conf
%{strongswan_templates}/config/plugins/kdf.conf
%{strongswan_templates}/config/plugins/kernel-netlink.conf
%{strongswan_templates}/config/plugins/ldap.conf
%{strongswan_templates}/config/plugins/led.conf
%{strongswan_templates}/config/plugins/md4.conf
%{strongswan_templates}/config/plugins/md5.conf
%{strongswan_templates}/config/plugins/mgf1.conf
%{strongswan_templates}/config/plugins/nonce.conf
%{strongswan_templates}/config/plugins/openssl.conf
@ -812,23 +740,18 @@ fi
%{strongswan_templates}/config/plugins/pgp.conf
%{strongswan_templates}/config/plugins/pkcs1.conf
%{strongswan_templates}/config/plugins/pkcs11.conf
%{strongswan_templates}/config/plugins/pkcs12.conf
%{strongswan_templates}/config/plugins/pkcs7.conf
%{strongswan_templates}/config/plugins/pkcs8.conf
%{strongswan_templates}/config/plugins/pubkey.conf
%{strongswan_templates}/config/plugins/radattr.conf
%{strongswan_templates}/config/plugins/random.conf
%{strongswan_templates}/config/plugins/rc2.conf
%{strongswan_templates}/config/plugins/resolve.conf
%{strongswan_templates}/config/plugins/revocation.conf
%{strongswan_templates}/config/plugins/sha1.conf
%{strongswan_templates}/config/plugins/sha2.conf
%{strongswan_templates}/config/plugins/smp.conf
%{strongswan_templates}/config/plugins/socket-default.conf
%{strongswan_templates}/config/plugins/soup.conf
%{strongswan_templates}/config/plugins/sql.conf
%{strongswan_templates}/config/plugins/sshkey.conf
%{strongswan_templates}/config/plugins/stroke.conf
%{strongswan_templates}/config/plugins/tnc-imc.conf
%{strongswan_templates}/config/plugins/tnc-imv.conf
%{strongswan_templates}/config/plugins/tnc-pdp.conf
@ -843,7 +766,6 @@ fi
%{strongswan_templates}/config/plugins/xauth-generic.conf
%{strongswan_templates}/config/plugins/xauth-pam.conf
%{strongswan_templates}/config/plugins/xcbc.conf
%{strongswan_templates}/config/plugins/curve25519.conf
%{strongswan_templates}/config/plugins/vici.conf
%{strongswan_templates}/config/plugins/bypass-lan.conf
%{strongswan_templates}/config/strongswan.d/charon-systemd.conf
@ -852,14 +774,12 @@ fi
%{strongswan_templates}/config/strongswan.d/imcv.conf
%{strongswan_templates}/config/strongswan.d/pki.conf
%{strongswan_templates}/config/strongswan.d/pool.conf
%{strongswan_templates}/config/strongswan.d/starter.conf
%{strongswan_templates}/config/strongswan.d/tnc.conf
%{strongswan_templates}/config/strongswan.d/swanctl.conf
%{strongswan_templates}/database/imv/data.sql
%{strongswan_templates}/database/imv/tables.sql
%if %{with nm}
%files nm
%dir %{_libexecdir}/ipsec
%dir %{strongswan_plugins}
@ -868,7 +788,6 @@ fi
%endif
%if %{with mysql}
%files mysql
%dir %{strongswan_libdir}
%dir %{strongswan_plugins}
@ -888,7 +807,6 @@ fi
%endif
%if %{with sqlite}
%files sqlite
%dir %{strongswan_libdir}
%dir %{strongswan_plugins}
@ -907,7 +825,6 @@ fi
%endif
%if %{with tests}
%files tests
%dir %{strongswan_configs}
%dir %{strongswan_configs}/charon
@ -927,4 +844,49 @@ fi
%{strongswan_plugins}/libstrongswan-test-vectors.so
%endif
%if %{with stroke}
%files ipsec
%config(noreplace) %attr(600,root,root) %_sysconfdir/ipsec.conf
%config(noreplace) %attr(600,root,root) %_sysconfdir/ipsec.secrets
%dir %_sysconfdir/ipsec.d
%dir %_sysconfdir/ipsec.d/crls
%dir %_sysconfdir/ipsec.d/reqs
%dir %_sysconfdir/ipsec.d/certs
%dir %_sysconfdir/ipsec.d/acerts
%dir %_sysconfdir/ipsec.d/aacerts
%dir %_sysconfdir/ipsec.d/cacerts
%dir %_sysconfdir/ipsec.d/ocspcerts
%dir %attr(700,root,root) %_sysconfdir/ipsec.d/private
%_sbindir/ipsec
%_mandir/man8/ipsec.8*
%_mandir/man5/ipsec.conf.5*
%_mandir/man5/ipsec.secrets.5*
%dir %_libexecdir/ipsec/
%_libexecdir/ipsec/starter
%_libexecdir/ipsec/stroke
%_unitdir/strongswan-starter.service
%dir %strongswan_plugins/
%strongswan_plugins/libstrongswan-stroke.so
%dir %strongswan_configs/
%dir %strongswan_configs/charon/
%config(noreplace) %attr(600,root,root) %strongswan_configs/starter.conf
%config(noreplace) %attr(600,root,root) %strongswan_configs/charon/stroke.conf
%dir %strongswan_templates/
%dir %strongswan_templates/config/
%dir %strongswan_templates/config/plugins/
%strongswan_templates/config/plugins/stroke.conf
%dir %strongswan_templates/config/strongswan.d/
%strongswan_templates/config/strongswan.d/starter.conf
%endif
%files doc
%dir %strongswan_docdir
%strongswan_docdir/TODO
%strongswan_docdir/NEWS
%strongswan_docdir/README
%strongswan_docdir/COPYING
%strongswan_docdir/LICENSE
%strongswan_docdir/AUTHORS
%strongswan_docdir/ChangeLog
%changelog