From 380fc5b49346b57ee2f475ba408871abdc8d14a59ebed94fdd7141a8df1e7be2 Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Tue, 14 Jul 2009 21:56:37 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=13 --- strongswan-4.2.14-rpmlintrc | 3 - strongswan-4.2.14.tar.bz2 | 3 - strongswan-4.2.14.tar.bz2.sig | 9 - strongswan-4.3.2-rpmlintrc | 4 + strongswan-4.3.2.tar.bz2 | 3 + strongswan-4.3.2.tar.bz2.sig | 9 + strongswan-4.x.x-getline.patch | 42 --- strongswan-4.x.x._swapped_ts_check.patch | 24 -- strongswan-4.x.x_invalid_ike_state.patch | 22 -- strongswan.changes | 74 ++++ strongswan.spec | 259 ++------------ strongswan_modprobe_syslog.dif | 52 --- strongswan_modprobe_syslog.patch | 52 +++ strongswan_no_plugin_version.patch | 432 +++++++++++++++++++++++ strongswan_update-dns-server.dif | 43 --- 15 files changed, 601 insertions(+), 430 deletions(-) delete mode 100644 strongswan-4.2.14-rpmlintrc delete mode 100644 strongswan-4.2.14.tar.bz2 delete mode 100644 strongswan-4.2.14.tar.bz2.sig create mode 100644 strongswan-4.3.2-rpmlintrc create mode 100644 strongswan-4.3.2.tar.bz2 create mode 100644 strongswan-4.3.2.tar.bz2.sig delete mode 100644 strongswan-4.x.x-getline.patch delete mode 100644 strongswan-4.x.x._swapped_ts_check.patch delete mode 100644 strongswan-4.x.x_invalid_ike_state.patch delete mode 100644 strongswan_modprobe_syslog.dif create mode 100644 strongswan_modprobe_syslog.patch create mode 100644 strongswan_no_plugin_version.patch delete mode 100644 strongswan_update-dns-server.dif diff --git a/strongswan-4.2.14-rpmlintrc b/strongswan-4.2.14-rpmlintrc deleted file mode 100644 index 9db070f..0000000 --- a/strongswan-4.2.14-rpmlintrc +++ /dev/null @@ -1,3 +0,0 @@ -addFilter('strongswan.* shlib-policy-missing-suffix') -addFilter("strongswan.* incoherent-init-script-name ipsec") -addFilter("strongswan.* devel-file-in-non-devel-package .*/usr/lib.*/ipsec/plugins") 
diff --git a/strongswan-4.2.14.tar.bz2 b/strongswan-4.2.14.tar.bz2
deleted file mode 100644
index b1ebaaf..0000000
--- a/strongswan-4.2.14.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4b9acc7a8d3f8b5b715472375d8f5baea92656a427352a9c40d898075230e09a
-size 2740464
diff --git a/strongswan-4.2.14.tar.bz2.sig b/strongswan-4.2.14.tar.bz2.sig
deleted file mode 100644
index bbbb85d..0000000
--- a/strongswan-4.2.14.tar.bz2.sig
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-iQCVAwUASc5e/tYbDnNAmVNZAQJZewP/Y6KYLbebalL3GNjqANG5hB7k/xSjIuSX
-txhYdqmYxKQhe9F4nd0/LGpuco+pBzT2d7evUoANUnytNPH4YBAq+6xKNnuCwAth
-LnqgfxFhp2Hn+IUrRDztD+Cl9wQqVzf3ld/mCGNY0epnMrvRvOhSPW+k8b2t3Hxn
-O5Jh906OVbI=
-=P088
------END PGP SIGNATURE-----
diff --git a/strongswan-4.3.2-rpmlintrc b/strongswan-4.3.2-rpmlintrc
new file mode 100644
index 0000000..deae116
--- /dev/null
+++ b/strongswan-4.3.2-rpmlintrc
@@ -0,0 +1,4 @@
+addFilter("strongswan.* incoherent-init-script-name ipsec")
+addFilter('strongswan.* shlib-policy-missing-suffix')
+#addFilter("strongswan.* devel-file-in-non-devel-package .*/usr/lib.*/ipsec/plugins")
+#addFilter("strongswan.* unstripped-binary-or-object")
diff --git a/strongswan-4.3.2.tar.bz2 b/strongswan-4.3.2.tar.bz2
new file mode 100644
index 0000000..8c2160d
--- /dev/null
+++ b/strongswan-4.3.2.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d2dc584596dda758c6d3d84b292a6aa80bfb53f6178ad08aec1b59519cf9d9e9
+size 2639343
diff --git a/strongswan-4.3.2.tar.bz2.sig b/strongswan-4.3.2.tar.bz2.sig
new file mode 100644
index 0000000..11aef66
--- /dev/null
+++ b/strongswan-4.3.2.tar.bz2.sig
@@ -0,0 +1,9 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.9 (GNU/Linux) + +iQCVAwUASjtPmtYbDnNAmVNZAQIK4wQAqJnGiXmod2HenrCH9y1A/rinnVuLZ7TF +s5/yBD3GN2xSnqQELlnPqkVxjNiLbTXhQs7mcmui1Zg9c53WRN09+oriGeHWhomf +czxNDdsmbxgvR8SlRFr7cZOz0hs8FJ/wldASE6Nz54H7vUYFkxrYhk4lyN4GoolL +S4dF7hGkTkY= +=pMzJ +-----END PGP SIGNATURE----- diff --git a/strongswan-4.x.x-getline.patch b/strongswan-4.x.x-getline.patch deleted file mode 100644 index a70ac9f..0000000 --- a/strongswan-4.x.x-getline.patch +++ /dev/null @@ -1,42 +0,0 @@ ---- src/libfreeswan/optionsfrom.c -+++ src/libfreeswan/optionsfrom.c -@@ -31,7 +31,7 @@ - - static const char *dowork(const char *, int *, char ***, int); - static const char *getanarg(FILE *, struct work *, char **); --static char *getline(FILE *, char *, size_t); -+static char *my_getline(FILE *, char *, size_t); - - /* - - optionsfrom - add some options, taken from a file, to argc/argv -@@ -149,7 +149,7 @@ - char *endp; - - while (w->pending == NULL) { /* no pending line */ -- if ((w->line = getline(f, w->buf, sizeof(w->buf))) == NULL) -+ if ((w->line = my_getline(f, w->buf, sizeof(w->buf))) == NULL) - return "error in line read"; /* caller checks EOF */ - if (w->line[0] != '#' && - *(w->line + strspn(w->line, " \t")) != '\0') -@@ -171,7 +171,7 @@ - if (*linep == NULL) - return "out of memory for new line"; - strcpy(*linep, p); -- } else /* getline already malloced it */ -+ } else /* my_getline already malloced it */ - *linep = p; - return NULL; - } -@@ -203,10 +203,10 @@ - } - - /* -- - getline - read a line from the file, trim newline off -+ - my_getline - read a line from the file, trim newline off - */ - static char * /* pointer to line, NULL for eof/error */ --getline(f, buf, bufsize) -+my_getline(f, buf, bufsize) - FILE *f; - char *buf; /* buffer to use, if convenient */ - size_t bufsize; /* size of buf */ 
diff --git a/strongswan-4.x.x._swapped_ts_check.patch b/strongswan-4.x.x._swapped_ts_check.patch deleted file mode 100644 index e903411..0000000 --- a/strongswan-4.x.x._swapped_ts_check.patch +++ /dev/null @@ -1,24 +0,0 @@ -commit 0a3ca29021ffe389ae4f7400ee05f42dcf384d6b -Author: Martin Willi -Date: Tue May 12 17:13:09 2009 +0200 - - fixed cleanup of traffic selector lists - -diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c -index 382266f..6bf9e9d 100644 ---- a/src/charon/sa/tasks/child_create.c -+++ b/src/charon/sa/tasks/child_create.c -@@ -1126,11 +1126,11 @@ static void destroy(private_child_create_t *this) - { - chunk_free(&this->my_nonce); - chunk_free(&this->other_nonce); -- if (this->tsi) -+ if (this->tsr) - { - this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy)); - } -- if (this->tsr) -+ if (this->tsi) - { - this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy)); - } diff --git a/strongswan-4.x.x_invalid_ike_state.patch b/strongswan-4.x.x_invalid_ike_state.patch deleted file mode 100644 index 5c5645d..0000000 --- a/strongswan-4.x.x_invalid_ike_state.patch +++ /dev/null @@ -1,22 +0,0 @@ -commit a627e31f463367d83be5814aff8ddbceb725f4ed -Author: Martin Willi -Date: Thu May 7 15:53:45 2009 +0200 - - properly delete IKE_SA if IKE_SA_INIT processing failed - -diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c -index b8e8213..126011e 100644 ---- a/src/charon/sa/ike_sa.c -+++ b/src/charon/sa/ike_sa.c -@@ -1424,6 +1424,11 @@ static status_t process_message(private_ike_sa_t *this, message_t *message) - exchange_type_names, message->get_exchange_type(message), - message->get_request(message) ? "request" : "response", - message->get_message_id(message)); -+ -+ if (this->state == IKE_CREATED) -+ { /* invalid initiation attempt, close SA */ -+ return DESTROY_ME; -+ } - return status; - } - else diff --git a/strongswan.changes b/strongswan.changes index 6b8f133..e8c3dd7 100644 
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,77 @@ +------------------------------------------------------------------- +Wed Jun 10 11:04:44 CEST 2009 - mt@suse.de + +- Updated to strongSwan 4.3.2 release, that fixes two asn1 parser + DoS vulnerabilities and provides several new features, e.g.: + * The new gcrypt plugin provides symmetric cipher, hasher, RNG, + Diffie-Hellman and RSA crypto primitives using the LGPL licensed + GNU gcrypt library. + * libstrongswan features an integrated crypto selftest framework + for registered algorithms. The test-vector plugin provides a first + set of test vectors and allows pluto and charon to rely on tested + crypto algorithms. + * pluto can now use all libstrongswan plugins with the exception + of x509 and xcbc. Thanks to the openssl plugin, the ECP Diffie- + Hellman groups 19, 20, 21, 25, and 26 as well as ECDSA-256, + ECDSA-384, and ECDSA-521 authentication can be used with IKEv1. + * Applying their fuzzing tool, the Orange Labs vulnerability + research team found another two DoS vulnerabilities, one in the + rather old ASN.1 parser of Relative Distinguished Names (RDNs) + and a second one in the conversion of ASN.1 UTCTIME and + GENERALIZEDTIME strings to a time_t value. + * The nm plugin now passes DNS/NBNS server information to + NetworkManager, allowing a gateway administrator to set DNS/NBNS + configuration on clients dynamically. + * The nm plugin also accepts CA certificates for gateway + authentication. If a CA certificate is configured, strongSwan uses + the entered gateway address as its idenitity, requiring the gateways + certificate to contain the same as subjectAltName. + This allows a gateway administrator to deploy the same + certificates to Windows 7 and NetworkManager clients. + * The command ipsec purgeike deletes IKEv2 SAs that don't have a + CHILD SA. + The command ipsec down {n} deletes CHILD SA instance n of + connection whereas ipsec down {*} deletes all CHILD + SA instances. 
+ The command ipsec down [n] deletes IKE SA instance n of + connection plus dependent CHILD SAs whereas ipsec down + [*] deletes all IKE SA instances of connection . + * Fixed a regression introduced in 4.3.0 where EAP authentication + calculated the AUTH payload incorrectly. Further, the EAP-MSCHAPv2 + MSK key derivation has been updated to be compatible with the + Windows 7 Release Candidate. + * Refactored installation of triggering policies. Routed policies + are handled outside of IKE_SAs to keep them installed in any case. + A tunnel gets established only once, even if initiation is delayed + due network outages. + * Improved the handling of multiple acquire signals triggered by + the kernel. + * Fixed two DoS vulnerabilities in the charon daemon that were + discovered by fuzzing techniques: + 1) Sending a malformed IKE_SA_INIT request leaved an incomplete + state which caused a null pointer dereference if a subsequent + CREATE_CHILD_SA request was sent. + 2) Sending an IKE_AUTH request with either a missing TSi or TSr + payload caused a null pointer derefence because the checks for + TSi and TSr were interchanged. + The IKEv2 fuzzer used was developped by the Orange Labs + vulnerability research team. The tool was initially written + by Gabriel Campana and is now maintained by Laurent Butti. + * Added support for AES counter mode in ESP in IKEv2 using the + proposal keywords aes128ctr, aes192ctr and aes256ctr. + * Further progress in refactoring pluto: Use of the curl and ldap + plugins for fetching crls and OCSP. Use of the random plugin to + get keying material from /dev/random or /dev/urandom. Use of the + openssl plugin as an alternative to the aes, des, sha1, sha2, and + md5 plugins. The blowfish, twofish, and serpent encryption plugins + are now optional and are not enabled by default. 
+- Enabled new gcrypt plugin +- Adopted spec file and modprobe to syslog patch +- Removed obsolete getline glibc collision patch +- Added patch to avoid library version for plugins (rpmlint). +- Replaced update-dns-server patch with a --with-resolv-conf. +- Removed restart_on_update from spec file (see bnc#450390). + ------------------------------------------------------------------- Mon Jun 8 00:21:13 CEST 2009 - ro@suse.de diff --git a/strongswan.spec b/strongswan.spec index 8bb550b..e6aa3f0 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,5 +1,5 @@ # -# spec file for package strongswan (Version 4.2.14) +# spec file for package strongswan (Version 4.3.2) # # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -19,10 +19,10 @@ Name: strongswan -%define upstream_version 4.2.14 +%define upstream_version 4.3.2 %define strongswan_docdir %{_docdir}/%{name} -Version: 4.2.14 -Release: 3 +Version: 4.3.2 +Release: 1 License: GPL v2 or later Group: Productivity/Networking/Security Summary: StrongSwan -- OpenSource IPsec-based VPN Solution 
@@ -37,22 +37,15 @@ Source0: http://download.strongswan.org/strongswan-%{upstream_version}.ta Source1: http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig Source2: %{name}.init.in Source3: %{name}-%{version}-rpmlintrc -Patch1: %{name}_modprobe_syslog.dif -Patch2: %{name}_update-dns-server.dif -Patch3: %{name}-4.x.x_invalid_ike_state.patch -Patch4: %{name}-4.x.x._swapped_ts_check.patch -Patch5: strongswan-4.x.x-getline.patch +Patch1: %{name}_modprobe_syslog.patch +Patch2: %{name}_no_plugin_version.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison flex gmp-devel gperf pkg-config -%if 0%{?suse_version} >= 1030 -BuildRequires: libopenssl-devel libpcap-devel -%else -BuildRequires: libpcap openssl-devel -%endif -# --enable-curl -BuildRequires: curl-devel -# --enable-ldap +BuildRequires: libcap-devel +BuildRequires: libopenssl-devel +BuildRequires: libgcrypt-devel BuildRequires: openldap2-devel +BuildRequires: curl-devel %description StrongSwan is an OpenSource IPsec-based VPN Solution for Linux @@ -137,10 +130,13 @@ Authors: %prep %setup -q -n %{name}-%{upstream_version} %patch1 -p0 +# => no_plugin_version.patch creation cmd: +# +#find . -type f -name Makefile.am -exec \ +# grep -l 'la_LDFLAGS.*-module' \{\} \; | \ +# xargs -r sed -e "s/\(.*la_LDFLAGS.*-module.*\)/\1 -avoid-version/g" -i +# %patch2 -p0 -%patch3 -p1 -%patch4 -p1 -%patch5 sed -e 's|@libexecdir@|%_libexecdir|g' \ < $RPM_SOURCE_DIR/strongswan.init.in \ > strongswan.init 
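Review bot: The `Patch3` and `Patch4` removals in the patch list of this hunk drop the two charon null-pointer DoS fixes (invalid_ike_state and swapped_ts_check), yet the new strongswan.changes entry records only the getline patch as removed. The upstream notes in that entry do state that 4.3.2 fixes both issues, so the removal looks correct, but anyone tracing bnc#507742 has to infer it. I would add a line such as `- Removed invalid_ike_state and swapped_ts_check patches, fixed upstream (bnc#507742)` to the changes entry. Separately, `Source1` carries the tarball signature while the `%prep` lines visible in the following hunk show only `%setup` and `%patch`, so the signature is presumably verified out of band; worth confirming.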
@@ -152,11 +148,15 @@ libtoolize --force %{?suse_update_config:%{suse_update_config -f}} autoreconf %configure \ - --enable-smartcard --with-default-pkcs11=%{_libdir}/opensc-pkcs11.so \ - --enable-cisco-quirks \ - --enable-openssl \ - --enable-curl \ - --enable-ldap + --with-capabilities=libcap \ + --with-resolv-conf=%{_localstatedir}/run/strongswan/resolv.conf \ + --enable-smartcard \ + --with-default-pkcs11=%{_libdir}/opensc-pkcs11.so \ + --enable-cisco-quirks \ + --enable-openssl \ + --enable-gcrypt \ + --enable-ldap \ + --enable-curl make %{?_smp_mflags:%_smp_mflags} %install @@ -186,6 +186,7 @@ find $RPM_BUILD_ROOT%{_libdir}/ipsec \ install -m755 -d ${RPM_BUILD_ROOT}%{strongswan_docdir}/ install -m644 TODO NEWS README COPYING CREDITS \ ${RPM_BUILD_ROOT}%{strongswan_docdir}/ +install -m755 -d $RPM_BUILD_ROOT%{_localstatedir}/run/strongswan %clean if [ -n "$RPM_BUILD_ROOT" ] && [ "$RPM_BUILD_ROOT" != "/" ] ; then @@ -207,7 +208,6 @@ fi %postun %{run_ldconfig} -%{restart_on_update ipsec} %{insserv_cleanup} %files @@ -235,6 +235,7 @@ fi %{_mandir}/man5/ipsec.conf.5* %{_mandir}/man5/ipsec.secrets.5* %{_mandir}/man8/ipsec.8* +%dir %{_localstatedir}/run/strongswan %files doc %defattr(-,root,root) @@ -253,7 +254,6 @@ fi %{_mandir}/man3/initaddr.3* %{_mandir}/man3/initsubnet.3* %{_mandir}/man3/keyblobtoid.3* -%{_mandir}/man3/optionsfrom.3* %{_mandir}/man3/portof.3* %{_mandir}/man3/prng.3* %{_mandir}/man3/rangetosubnet.3* @@ -263,7 +263,6 @@ fi %{_mandir}/man3/ttodata.3* %{_mandir}/man3/ttosa.3* %{_mandir}/man3/ttoul.3* -%{_mandir}/man3/version.3* %{_mandir}/man8/_copyright.8* %{_mandir}/man8/_updown.8* %{_mandir}/man8/_updown_espmark.8* 
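Review bot: The new `--with-resolv-conf=%{_localstatedir}/run/strongswan/resolv.conf` option in the `%configure` hunk sends peer-supplied DNS servers to a private file, and nothing visible in this spec documents that choice or consumes the file. A comment above the option would help the next maintainer, e.g. `# DNS servers received from the peer go to a private file, not /etc/resolv.conf`. The directory is created in the `%install` hunk and owned via `%dir` in `%files`; if /var/run is cleared at boot on the target system the directory would presumably have to be recreated, so confirm the init script covers that. The `%postun` hunk also drops `%{restart_on_update ipsec}`, so a running daemon keeps the old code after this security update until it is restarted by hand, which deserves an explicit sentence in the changes entry.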
@@ -273,207 +272,3 @@ fi %{_mandir}/man8/starter.8* %changelog -* Mon Jun 08 2009 ro@suse.de -- rename getline to my_getline to avoid collision with function - from glibc -* Tue Jun 02 2009 mt@suse.de -- Applied fix for a Denial-of-Service vulnerability where receiving - a malformed IKE_SA_INIT request leaves an incomplete state which - causes a crash of the IKEv2 charon while dereferencing a NULL - pointer if a subsequent CREATE_CHILD_SA is received (bnc#507742). -- Applied fix for a Denial-of-Service vulnerability where receiving - a malformed IKE_AUTH request with either a missing TSi or TSr - traffic selector payload causes a crash of the IKEv2 charon while - dereferencing a NULL pointer because the NULL pointer checks of - TSi and TSr before destruction were erroneously swapped - (bnc#507742). -* Tue Mar 31 2009 mt@suse.de -- Updated to strongSwan 4.2.14 release that fixes a grave DPD - denial of service vulnerability registered as CVE-2009-0790, - that had been slumbering in the code for many years: - * A vulnerability in the Dead Peer Detection (RFC 3706) code - was found by Gerd v. Egidy of - Intra2net AG affecting all Openswan and strongSwan releases. - A malicious (or expired ISAKMP) R_U_THERE or R_U_THERE_ACK - Dead Peer Detection packet can cause the pluto IKE daemon to - crash and restart. No authentication or encryption is required - to trigger this bug. One spoofed UDP packet can cause the pluto - IKE daemon to restart and be unresponsive for a few seconds - while restarting. This DPD null state vulnerability has been - officially registered as CVE-2009-0790 and is fixed by this - release. - * The new server-side EAP RADIUS plugin (--enable-eap-radius) - relays EAP messages to and from a RADIUS server. Succesfully - tested with with a freeradius server using EAP-MD5 and EAP-SIM. - * ASN.1 to time_t conversion caused a time wrap-around for dates - after Jan 18 03:14:07 UTC 2038 on 32-bit platforms. 
- As a workaround such dates are set to the maximum representable - time, i.e. Jan 19 03:14:07 UTC 2038. - * Distinguished Names containing wildcards (*) are not sent in the - IDr payload anymore. -* Mon Oct 20 2008 mt@suse.de -- Updated to 4.2.8 release: - * IKEv2 charon daemon supports authentication based on raw public - keys stored in the SQL database backend. The ipsec listpubkeys - command lists the available raw public keys via the stroke - interface. - * Several MOBIKE improvements: Detect changes in NAT mappings in - DPD exchanges, handle events if kernel detects NAT mapping changes - in UDP-encapsulated ESP packets (requires kernel patch), reuse old - addesses in MOBIKE updates as long as possible and other fixes. - * Fixed a bug in addr_in_subnet() which caused insertion of wrong - source routes for destination subnets having netwmasks not being a - multiple of 8 bits. Thanks go to Wolfgang Steudel, TU Ilmenau for - reporting this bug. -* Tue Oct 14 2008 mt@suse.de -- Applied fix for addr_in_subnet() extracted from strongswan-4.2.8 - which caused insertion of wrong source routes for destination - subnets having netwmasks not being a multiple of 8 bits. - Thanks go to Wolfgang Steudel, TU Ilmenau for reporting this bug. - (bnc#435200) -* Fri Oct 10 2008 mt@suse.de -- Applied fix for a Denial-of-Service vulnerability where an - IKE_SA_INIT message with a KE payload containing zeroes only can - cause a crash of the IKEv2 charon daemon due to a NULL pointer - returned by the mpz_export() function of the GNU Multi Precision - (GMP) library. Thanks go to Mu Dynamics Research Labs for making - us aware of this problem. (bnc#435194) -* Thu Aug 28 2008 mt@suse.de -- Fixed to use --enable-curl instead of --enable-http as before -- Enabled the OpenSSL crypto plugin in the spec file. -* Thu Aug 28 2008 mt@suse.de -- Updated to 4.2.6 release, fixing bugs and offering a lot of new - features comparing to the last version provided by this package. 
- Most important are: - * A NetworkManager plugin allows GUI-based configuration of - road-warrior clients in a simple way. It features X509 based - gateway authentication and EAP client authentication, tunnel - setup/teardown and storing passwords in the Gnome Keyring. - * A new EAP-GTC plugin implements draft-sheffer-ikev2-gtc-00.txt - and allows username/password authentication against any PAM - service on the gateway. The new EAP method interacts nicely with - the NetworkManager plugin and allows client authentication against - e.g. LDAP. - * Improved support for the EAP-Identity method. The new ipsec.conf - eap_identity parameter defines an additional identity to pass to - the server in EAP authentication. - * Fixed two multithreading deadlocks occurring when starting up - several hundred tunnels concurrently. - * Fixed the --enable-integrity-test configure option which - computes a SHA-1 checksum over the libstrongswan library. - * Consistent logging of IKE and CHILD SAs at the audit (AUD) level. - * Improved the performance of the SQL-based virtual IP address pool - by introducing an additional addresses table. The leases table - storing only history information has become optional and can be - disabled by setting charon.plugins.sql.lease_history = no in - strongswan.conf. - * The XFRM_STATE_AF_UNSPEC flag added to xfrm.h allows IPv4-over-IPv6 - and IPv6-over-IPv4 tunnels with the 2.6.26 and later Linux kernels. - * management of different virtual IP pools for different network - interfaces have become possible. - * fixed a bug which prevented the assignment of more than 256 - virtual IP addresses from a pool managed by an sql database. - * fixed a bug which did not delete own IPCOMP SAs in the kernel. - * The openssl plugin supports the elliptic curve Diffie-Hellman - groups 19, 20, 21, 25, and 26 and ECDSA authentication using - elliptic curve X.509 certificates. 
- * Fixed a bug in stroke which caused multiple charon threads to - close the file descriptors during packet transfers over the stroke - socket. - * ESP sequence numbers are now migrated in IPsec SA updates handled - by MOBIKE. Works only with Linux kernels >= 2.6.17. - * Fixed a number of minor bugs that where discovered during the 4th - IKEv2 interoperability workshop in San Antonio, TX. - * Plugins for libstrongswan and charon can optionally be loaded - according to a configuration in strongswan.conf. Most components - provide a "load = " option followed by a space separated list of - plugins to load. This allows e.g. the fallback from a hardware - crypto accelerator to to software-based crypto plugins. - * Charons SQL plugin has been extended by a virtual IP address pool. - Configurations with a rightsourceip=%%poolname setting query a - SQLite or MySQL database for leases. The "ipsec pool" command helps - in administrating the pool database. See ipsec pool --help for the - available options - * The Authenticated Encryption Algorithms AES-CCM-8/12/16 and - AES-GCM-8/12/16 for ESP are now supported starting with the Linux - 2.6.25 kernel. The syntax is e.g. esp=aes128ccm12 or esp=aes256gcm16. -- Added patch disabling direct modifications of resolv.conf; has to - be replaced by a netconfig call. -- Added patch adding a missed file name argument in printf call in the - scripts/thread_analysis.c file -- resulting binary is not installed. -- Removed obsolete patches crash_badcfg_reload and old-caps-version. -* Mon Jun 30 2008 mt@suse.de -- Added fix that explicitly enables version 1 linux capabilities - on version 2 systems to aviod that the charon and pluto daemons - exit because of failed capset call (bnc#404989). -* Mon May 19 2008 mt@suse.de -- Applied fix (strongswan_crash_badcfg_reload.dif) to avoid - a crash after reloading with bad config (bnc#392062). -* Wed Apr 23 2008 mt@suse.de -- Updated to 4.2.1 release. 
A lot of code refactoring in the 4.2 - release provides much more modularity and therefore much more - extensiblity and offers the following new features: - * libstrongswan has been modularized to attach crypto algorithms, - credential implementations (secret and private keys, certificates) - and http/ldap fetchers dynamically through plugins. - * A relational database API that uses pluggable database providers - was added to libstrongswan including plugins for MySQL and SQLite. - * The IKEv2 keying charon daemon has become more extensible. Generic - plugins can provide arbitrary interfaces to credential stores and - connection management interfaces. Also any EAP method can be added. - * The authentication and credential framework in charon has been - heavily refactored to support modular credential providers, proper - CERTREQ/CERT payload exchanges and extensible authorization rules. - * Support for "Hash and URL" encoded certificate payloads has been - implemented in the IKEv2 daemon charon. - * The IKEv2 daemon charon now supports the "uniqueids" option to - close multiple IKE_SAs with the same peer. - * The crypto factory in libstrongswan additionally supports random - number generators. Plugins may provide other sources of randomness. - * Extended the credential framework by a caching option to allow - plugins persistent caching of fetched credentials. - * The new trust chain verification introduced in 4.2.0 has been - parallelized. Threads fetching CRL or OCSP information no longer - block other threads. - * A new IKEv2 configuration attribute framework has been introduced - allowing plugins to provide virtual IP addresses, and in the future, - other configuration attribute services (e.g. DNS/WINS servers). - * The stroke plugin has been extended to provide virtual IP addresses - from a simple pool defined in ipsec.conf. - * Fixed compilation on uClibc and a couple of other minor bugs. 
- * The IKEv1 pluto daemon now supports the ESP encryption algorithm - CAMELLIA with key lengths of 128, 192, and 256 bits, as well as the - authentication algorithm AES_XCBC_MAC. -- Applied a small patch defining _GNU_SOURCE for struct in6_pktinfo - and adding inclusion of limits.h for PATH_MAX availability. -- Added rpmlintrc file and a libtoolize call to the spec file. -* Tue Feb 19 2008 mt@suse.de -- Updated to 4.1.11 maintenance release, providing following fixes: - * IKE rekeying in NAT situations did not inherit the NAT conditions - to the rekeyed IKE_SA so that the UDP encapsulation was lost with - the next CHILD_SA rekeying. - * Wrong type definition of the next_payload variable in id_payload.c - caused an INVALID_SYNTAX error on PowerPC platforms. - * Implemented IKEv2 EAP-SIM server and client test modules that use - triplets stored in a file. For details on the configuration see - the scenario 'ikev2/rw-eap-sim-rsa'. -- The 4.1.10 final version, declared upstream as "Fully tested support - of IPv6 IPsec tunnel connections", fixes ordering error in oscp cache, - IPv6 defaults of the nexthop parameter, adds support for new EAP - modules [disabled in this build] and obsoletes our strongswan_path - and strongswan_ipsec_script_msg patches. -- Removed a sed call from init script. -* Sat Dec 08 2007 mt@suse.de -- Updated to 4.1.9 final, including all our patches. -- Changed init script to use ipsec cmd using LSB codes now. -- Added strongswan_path.dif setting a PATH in scripts (updown). -- Added strongswan_ipsec_script_msg.dif for consistent look of - ipsec script messages. -- Added strongswan_modprobe_syslog.dif redirecting modprobe - output to syslog. -* Mon Nov 26 2007 mt@suse.de -- Renamed charon plugins to avoid rpm conflicts with existing - libraries (libstroke). Patch: strongswan-libconflicts.dif -- Added init script. Template file: strongswan.init.in -* Thu Nov 22 2007 mt@suse.de -- Initial, unfinished package 
diff --git a/strongswan_modprobe_syslog.dif b/strongswan_modprobe_syslog.dif
deleted file mode 100644
index 4593aa8..0000000
--- a/strongswan_modprobe_syslog.dif
+++ /dev/null
@@ -1,52 +0,0 @@ ---- src/starter/klips.c -+++ src/starter/klips.c 2009/03/23 10:46:01 -@@ -36,7 +36,7 @@ starter_klips_init(void) - /* ipsec module makes the pf_key proc interface visible */ - if (stat(PROC_MODULES, &stb) == 0) - { -- ignore_result(system("modprobe -qv ipsec")); -+ ignore_result(system("modprobe -a ipsec")); - } - - /* now test again */ -@@ -50,9 +50,9 @@ starter_klips_init(void) - } - - /* load crypto algorithm modules */ -- ignore_result(system("modprobe -qv ipsec_aes")); -- ignore_result(system("modprobe -qv ipsec_blowfish")); -- ignore_result(system("modprobe -qv ipsec_sha2")); -+ ignore_result(system("modprobe -s ipsec_aes")); -+ ignore_result(system("modprobe -s ipsec_blowfish")); -+ ignore_result(system("modprobe -s ipsec_sha2")); - - DBG(DBG_CONTROL, - DBG_log("Found KLIPS IPsec stack") ---- src/starter/netkey.c -+++ src/starter/netkey.c 2009/03/23 10:46:34 -@@ -36,7 +36,7 @@ starter_netkey_init(void) - /* af_key module makes the netkey proc interface visible */ - if (stat(PROC_MODULES, &stb) == 0) - { -- ignore_result(system("modprobe -qv af_key")); -+ ignore_result(system("modprobe -s af_key")); - } - - /* now test again */ -@@ -52,11 +52,11 @@ starter_netkey_init(void) - /* make sure that all required IPsec modules are loaded */ - if (stat(PROC_MODULES, &stb) == 0) - { -- ignore_result(system("modprobe -qv ah4")); -- ignore_result(system("modprobe -qv esp4")); -- ignore_result(system("modprobe -qv ipcomp")); -- ignore_result(system("modprobe -qv xfrm4_tunnel")); -- ignore_result(system("modprobe -qv xfrm_user")); -+ ignore_result(system("modprobe -s ah4")); -+ ignore_result(system("modprobe -s esp4")); -+ ignore_result(system("modprobe -s ipcomp")); -+ ignore_result(system("modprobe -s xfrm4_tunnel")); -+ ignore_result(system("modprobe -s xfrm_user")); - } - - DBG(DBG_CONTROL, diff --git a/strongswan_modprobe_syslog.patch b/strongswan_modprobe_syslog.patch new file mode 100644 index 0000000..638a943 --- /dev/null 
+++ b/strongswan_modprobe_syslog.patch
@@ -0,0 +1,52 @@
+--- src/starter/klips.c
++++ src/starter/klips.c
+@@ -34,7 +34,7 @@ starter_klips_init(void)
+ /* ipsec module makes the pf_key proc interface visible */
+ if (stat(PROC_MODULES, &stb) == 0)
+ {
+- ignore_result(system("modprobe -qv ipsec"));
++ ignore_result(system("modprobe -s ipsec"));
+ }
+
+ /* now test again */
+@@ -48,9 +48,9 @@ starter_klips_init(void)
+ }
+
+ /* load crypto algorithm modules */
+- ignore_result(system("modprobe -qv ipsec_aes"));
+- ignore_result(system("modprobe -qv ipsec_blowfish"));
+- ignore_result(system("modprobe -qv ipsec_sha2"));
++ ignore_result(system("modprobe -s ipsec_aes"));
++ ignore_result(system("modprobe -s ipsec_blowfish"));
++ ignore_result(system("modprobe -s ipsec_sha2"));
+
+ DBG(DBG_CONTROL,
+ DBG_log("Found KLIPS IPsec stack")
+--- src/starter/netkey.c
++++ src/starter/netkey.c
+@@ -34,7 +34,7 @@ starter_netkey_init(void)
+ /* af_key module makes the netkey proc interface visible */
+ if (stat(PROC_MODULES, &stb) == 0)
+ {
+- ignore_result(system("modprobe -qv af_key"));
++ ignore_result(system("modprobe -s af_key"));
+ }
+
+ /* now test again */
+@@ -50,11 +50,11 @@ starter_netkey_init(void)
+ /* make sure that all required IPsec modules are loaded */
+ if (stat(PROC_MODULES, &stb) == 0)
+ {
+- ignore_result(system("modprobe -qv ah4"));
+- ignore_result(system("modprobe -qv esp4"));
+- ignore_result(system("modprobe -qv ipcomp"));
+- ignore_result(system("modprobe -qv xfrm4_tunnel"));
+- ignore_result(system("modprobe -qv xfrm_user"));
++ ignore_result(system("modprobe -s ah4"));
++ ignore_result(system("modprobe -s esp4"));
++ ignore_result(system("modprobe -s ipcomp"));
++ ignore_result(system("modprobe -s xfrm4_tunnel"));
++ ignore_result(system("modprobe -s xfrm_user"));
+ }
+
+ DBG(DBG_CONTROL,
diff --git a/strongswan_no_plugin_version.patch b/strongswan_no_plugin_version.patch
new file mode 100644
index 0000000..1f83138
--- /dev/null
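Review bot: Every `system("modprobe -s …")` call this patch adds to starter_klips_init and starter_netkey_init still runs `modprobe` through the shell and resolves it via the inherited PATH, with the result discarded by `ignore_result`. The starter presumably runs with root privileges, so an absolute path, e.g. `ignore_result(system("/sbin/modprobe -s af_key"));`, would remove the PATH dependency (the `/sbin` location is an assumption to confirm for the target distribution). Dropping `-q` also means a missing module is now reported to syslog on each start, which may be intended but deserves a line in the patch header. Both functions start and end outside the hunks shown.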
+++ b/strongswan_no_plugin_version.patch 
@@ -0,0 +1,432 @@
+--- src/charon/plugins/attr/Makefile.am
++++ src/charon/plugins/attr/Makefile.am
+@@ -6,4 +6,4 @@
+ plugin_LTLIBRARIES = libstrongswan-attr.la
+ libstrongswan_attr_la_SOURCES = attr_plugin.h attr_plugin.c \
+ attr_provider.h attr_provider.c
+-libstrongswan_attr_la_LDFLAGS = -module
++libstrongswan_attr_la_LDFLAGS = -module -avoid-version
+--- src/charon/plugins/eap_aka/Makefile.am
++++ src/charon/plugins/eap_aka/Makefile.am
+@@ -6,6 +6,6 @@
+ plugin_LTLIBRARIES = libstrongswan-eapaka.la
+ 
+ libstrongswan_eapaka_la_SOURCES = eap_aka_plugin.h eap_aka_plugin.c eap_aka.h eap_aka.c
+-libstrongswan_eapaka_la_LDFLAGS = -module
++libstrongswan_eapaka_la_LDFLAGS = -module -avoid-version
+ libstrongswan_eapaka_la_LIBADD = -lgmp
+ 
+--- src/charon/plugins/eap_gtc/Makefile.am
++++ src/charon/plugins/eap_gtc/Makefile.am
+@@ -6,5 +6,5 @@
+ plugin_LTLIBRARIES = libstrongswan-eapgtc.la
+ 
+ libstrongswan_eapgtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c
+-libstrongswan_eapgtc_la_LDFLAGS = -module -lpam
++libstrongswan_eapgtc_la_LDFLAGS = -module -lpam -avoid-version
+ 
+--- src/charon/plugins/eap_identity/Makefile.am
++++ src/charon/plugins/eap_identity/Makefile.am
+@@ -6,5 +6,5 @@
+ plugin_LTLIBRARIES = libstrongswan-eapidentity.la
+ libstrongswan_eapidentity_la_SOURCES = \
+ eap_identity_plugin.h eap_identity_plugin.c eap_identity.h eap_identity.c
+-libstrongswan_eapidentity_la_LDFLAGS = -module
++libstrongswan_eapidentity_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/eap_md5/Makefile.am
++++ src/charon/plugins/eap_md5/Makefile.am
+@@ -6,5 +6,5 @@
+ plugin_LTLIBRARIES = libstrongswan-eapmd5.la
+ 
+ libstrongswan_eapmd5_la_SOURCES = eap_md5_plugin.h eap_md5_plugin.c eap_md5.h eap_md5.c
+-libstrongswan_eapmd5_la_LDFLAGS = -module
++libstrongswan_eapmd5_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/eap_mschapv2/Makefile.am
++++ src/charon/plugins/eap_mschapv2/Makefile.am
+@@ -8,5 +8,5 @@
+ libstrongswan_eapmschapv2_la_SOURCES = \
+ eap_mschapv2_plugin.h eap_mschapv2_plugin.c \
+ eap_mschapv2.h eap_mschapv2.c
+-libstrongswan_eapmschapv2_la_LDFLAGS = -module
++libstrongswan_eapmschapv2_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/eap_radius/Makefile.am
++++ src/charon/plugins/eap_radius/Makefile.am
+@@ -10,5 +10,5 @@
+ eap_radius.h eap_radius.c \
+ radius_client.h radius_client.c \
+ radius_message.h radius_message.c
+-libstrongswan_eapradius_la_LDFLAGS = -module
++libstrongswan_eapradius_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/eap_sim/Makefile.am
++++ src/charon/plugins/eap_sim/Makefile.am
+@@ -7,5 +7,5 @@
+ 
+ libstrongswan_eapsim_la_SOURCES = eap_sim.h eap_sim.c \
+ eap_sim_plugin.h eap_sim_plugin.c
+-libstrongswan_eapsim_la_LDFLAGS = -module
++libstrongswan_eapsim_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/eap_sim_file/Makefile.am
++++ src/charon/plugins/eap_sim_file/Makefile.am
+@@ -10,5 +10,5 @@
+ eap_sim_file_card.h eap_sim_file_card.c \
+ eap_sim_file_provider.h eap_sim_file_provider.c \
+ eap_sim_file_triplets.h eap_sim_file_triplets.c
+-libstrongswan_eapsim_file_la_LDFLAGS = -module
++libstrongswan_eapsim_file_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/kernel_klips/Makefile.am
++++ src/charon/plugins/kernel_klips/Makefile.am
+@@ -7,4 +7,4 @@
+ 
+ libstrongswan_kernel_klips_la_SOURCES = kernel_klips_plugin.h kernel_klips_plugin.c \
+ kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h
+-libstrongswan_kernel_klips_la_LDFLAGS = -module
++libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version
+--- src/charon/plugins/kernel_netlink/Makefile.am
++++ src/charon/plugins/kernel_netlink/Makefile.am
+@@ -8,4 +8,4 @@
+ libstrongswan_kernel_netlink_la_SOURCES = kernel_netlink_plugin.h kernel_netlink_plugin.c \
+ kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \
+ kernel_netlink_shared.h kernel_netlink_shared.c
+-libstrongswan_kernel_netlink_la_LDFLAGS = -module
++libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
+--- src/charon/plugins/kernel_pfkey/Makefile.am
++++ src/charon/plugins/kernel_pfkey/Makefile.am
+@@ -7,4 +7,4 @@
+ 
+ libstrongswan_kernel_pfkey_la_SOURCES = kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
+ kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c
+-libstrongswan_kernel_pfkey_la_LDFLAGS = -module
++libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version
+--- src/charon/plugins/kernel_pfroute/Makefile.am
++++ src/charon/plugins/kernel_pfroute/Makefile.am
+@@ -7,4 +7,4 @@
+ 
+ libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
+ kernel_pfroute_net.h kernel_pfroute_net.c
+-libstrongswan_kernel_pfroute_la_LDFLAGS = -module
++libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version
+--- src/charon/plugins/load_tester/Makefile.am
++++ src/charon/plugins/load_tester/Makefile.am
+@@ -13,5 +13,5 @@
+ load_tester_listener.c load_tester_listener.h \
+ load_tester_diffie_hellman.c load_tester_diffie_hellman.h
+ 
+-libstrongswan_load_tester_la_LDFLAGS = -module
++libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/medcli/Makefile.am
++++ src/charon/plugins/medcli/Makefile.am
+@@ -8,5 +8,5 @@
+ medcli_creds.h medcli_creds.c \
+ medcli_config.h medcli_config.c \
+ medcli_listener.h medcli_listener.c
+-libstrongswan_medcli_la_LDFLAGS = -module
++libstrongswan_medcli_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/medsrv/Makefile.am
++++ src/charon/plugins/medsrv/Makefile.am
+@@ -7,5 +7,5 @@
+ libstrongswan_medsrv_la_SOURCES = medsrv_plugin.h medsrv_plugin.c \
+ medsrv_creds.h medsrv_creds.c \
+ medsrv_config.h medsrv_config.c
+-libstrongswan_medsrv_la_LDFLAGS = -module
++libstrongswan_medsrv_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/nm/Makefile.am
++++ src/charon/plugins/nm/Makefile.am
+@@ -9,5 +9,5 @@
+ nm_service.h nm_service.c \
+ nm_creds.h nm_creds.c \
+ nm_handler.h nm_handler.c
+-libstrongswan_nm_la_LDFLAGS = -module
++libstrongswan_nm_la_LDFLAGS = -module -avoid-version
+ libstrongswan_nm_la_LIBADD = ${nm_LIBS}
+--- src/charon/plugins/resolv_conf/Makefile.am
++++ src/charon/plugins/resolv_conf/Makefile.am
+@@ -8,6 +8,6 @@
+ libstrongswan_resolv_conf_la_SOURCES = \
+ resolv_conf_plugin.h resolv_conf_plugin.c \
+ resolv_conf_handler.h resolv_conf_handler.c
+-libstrongswan_resolv_conf_la_LDFLAGS = -module
++libstrongswan_resolv_conf_la_LDFLAGS = -module -avoid-version
+ 
+ 
+--- src/charon/plugins/smp/Makefile.am
++++ src/charon/plugins/smp/Makefile.am
+@@ -5,6 +5,6 @@
+ 
+ plugin_LTLIBRARIES = libstrongswan-smp.la
+ libstrongswan_smp_la_SOURCES = smp.h smp.c
+-libstrongswan_smp_la_LDFLAGS = -module
++libstrongswan_smp_la_LDFLAGS = -module -avoid-version
+ libstrongswan_smp_la_LIBADD = ${xml_LIBS}
+ 
+--- src/charon/plugins/sql/Makefile.am
++++ src/charon/plugins/sql/Makefile.am
+@@ -10,7 +10,7 @@
+ libstrongswan_sql_la_SOURCES = sql_plugin.h sql_plugin.c \
+ sql_config.h sql_config.c sql_cred.h sql_cred.c \
+ sql_attribute.h sql_attribute.c sql_logger.h sql_logger.c
+-libstrongswan_sql_la_LDFLAGS = -module
++libstrongswan_sql_la_LDFLAGS = -module -avoid-version
+ 
+ ipsec_PROGRAMS = pool
+ pool_SOURCES = pool.c
+--- src/charon/plugins/stroke/Makefile.am
++++ src/charon/plugins/stroke/Makefile.am
+@@ -18,5 +18,5 @@
+ stroke_list.h stroke_list.c \
+ stroke_shared_key.h stroke_shared_key.c
+ 
+-libstrongswan_stroke_la_LDFLAGS = -module
++libstrongswan_stroke_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/uci/Makefile.am
++++ src/charon/plugins/uci/Makefile.am
+@@ -8,7 +8,7 @@
+ uci_plugin.h uci_plugin.c uci_parser.h uci_parser.c \
+ uci_config.h uci_config.c uci_creds.h uci_creds.c \
+ uci_control.h uci_control.c
+-libstrongswan_uci_la_LDFLAGS = -module
++libstrongswan_uci_la_LDFLAGS = -module -avoid-version
+ libstrongswan_uci_la_LIBADD = -luci
+ 
+ 
+--- src/charon/plugins/unit_tester/Makefile.am
++++ src/charon/plugins/unit_tester/Makefile.am
+@@ -20,5 +20,5 @@
+ tests/test_agent.c \
+ tests/test_id.c
+ 
+-libstrongswan_unit_tester_la_LDFLAGS = -module
++libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version
+ 
+--- src/charon/plugins/updown/Makefile.am
++++ src/charon/plugins/updown/Makefile.am
+@@ -7,6 +7,6 @@
+ libstrongswan_updown_la_SOURCES = \
+ updown_plugin.h updown_plugin.c \
+ updown_listener.h updown_listener.c
+-libstrongswan_updown_la_LDFLAGS = -module
++libstrongswan_updown_la_LDFLAGS = -module -avoid-version
+ 
+ 
+--- src/libstrongswan/plugins/aes/Makefile.am
++++ src/libstrongswan/plugins/aes/Makefile.am
+@@ -6,5 +6,5 @@
+ plugin_LTLIBRARIES = libstrongswan-aes.la
+ 
+ libstrongswan_aes_la_SOURCES = aes_plugin.h aes_plugin.c aes_crypter.c aes_crypter.h
+-libstrongswan_aes_la_LDFLAGS = -module
++libstrongswan_aes_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/agent/Makefile.am
++++ src/libstrongswan/plugins/agent/Makefile.am
+@@ -8,5 +8,5 @@
+ libstrongswan_agent_la_SOURCES = agent_plugin.h agent_plugin.c \
+ agent_private_key.c agent_private_key.h
+ 
+-libstrongswan_agent_la_LDFLAGS = -module
++libstrongswan_agent_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/blowfish/Makefile.am
++++ src/libstrongswan/plugins/blowfish/Makefile.am
+@@ -8,5 +8,5 @@
+ libstrongswan_blowfish_la_SOURCES = \
+ blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \
+ bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c
+-libstrongswan_blowfish_la_LDFLAGS = -module
++libstrongswan_blowfish_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/curl/Makefile.am
++++ src/libstrongswan/plugins/curl/Makefile.am
+@@ -6,6 +6,6 @@
+ plugin_LTLIBRARIES = libstrongswan-curl.la
+ 
+ libstrongswan_curl_la_SOURCES = curl_plugin.h curl_plugin.c curl_fetcher.c curl_fetcher.h
+-libstrongswan_curl_la_LDFLAGS = -module
++libstrongswan_curl_la_LDFLAGS = -module -avoid-version
+ libstrongswan_curl_la_LIBADD = -lcurl
+ 
+--- src/libstrongswan/plugins/des/Makefile.am
++++ src/libstrongswan/plugins/des/Makefile.am
+@@ -6,5 +6,5 @@
+ plugin_LTLIBRARIES = libstrongswan-des.la
+ 
+ libstrongswan_des_la_SOURCES = des_plugin.h des_plugin.c des_crypter.c des_crypter.h
+-libstrongswan_des_la_LDFLAGS = -module
++libstrongswan_des_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/fips_prf/Makefile.am
++++ src/libstrongswan/plugins/fips_prf/Makefile.am
+@@ -6,5 +6,5 @@
+ plugin_LTLIBRARIES = libstrongswan-fips-prf.la
+ 
+ libstrongswan_fips_prf_la_SOURCES = fips_prf_plugin.h fips_prf_plugin.c fips_prf.c fips_prf.h
+-libstrongswan_fips_prf_la_LDFLAGS = -module
++libstrongswan_fips_prf_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/gcrypt/Makefile.am
++++ src/libstrongswan/plugins/gcrypt/Makefile.am
+@@ -13,5 +13,5 @@
+ gcrypt_crypter.h gcrypt_crypter.c \
+ gcrypt_hasher.h gcrypt_hasher.c
+ 
+-libstrongswan_gcrypt_la_LDFLAGS = -module
++libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version
+ libstrongswan_gcrypt_la_LIBADD = $(LIBGCRYPT_LIBS)
+--- src/libstrongswan/plugins/gmp/Makefile.am
++++ src/libstrongswan/plugins/gmp/Makefile.am
+@@ -10,6 +10,6 @@
+ gmp_rsa_private_key.c gmp_rsa_private_key.h \
+ gmp_rsa_public_key.c gmp_rsa_public_key.h
+ 
+-libstrongswan_gmp_la_LDFLAGS = -module
++libstrongswan_gmp_la_LDFLAGS = -module -avoid-version
+ libstrongswan_gmp_la_LIBADD = -lgmp
+ 
+--- src/libstrongswan/plugins/hmac/Makefile.am
++++ src/libstrongswan/plugins/hmac/Makefile.am
+@@ -7,5 +7,5 @@
+ 
+ libstrongswan_hmac_la_SOURCES = hmac_plugin.h hmac_plugin.c hmac.h hmac.c \
+ hmac_prf.h hmac_prf.c hmac_signer.h hmac_signer.c
+-libstrongswan_hmac_la_LDFLAGS = -module
++libstrongswan_hmac_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/ldap/Makefile.am
++++ src/libstrongswan/plugins/ldap/Makefile.am
+@@ -6,6 +6,6 @@
+ plugin_LTLIBRARIES = libstrongswan-ldap.la
+ 
+ libstrongswan_ldap_la_SOURCES = ldap_plugin.h ldap_plugin.c ldap_fetcher.h ldap_fetcher.c
+-libstrongswan_ldap_la_LDFLAGS = -module
++libstrongswan_ldap_la_LDFLAGS = -module -avoid-version
+ libstrongswan_ldap_la_LIBADD = -lldap -llber
+ 
+--- src/libstrongswan/plugins/md4/Makefile.am
++++ src/libstrongswan/plugins/md4/Makefile.am
+@@ -6,5 +6,5 @@
+ plugin_LTLIBRARIES = libstrongswan-md4.la
+ 
+ libstrongswan_md4_la_SOURCES = md4_plugin.h md4_plugin.c md4_hasher.c md4_hasher.h
+-libstrongswan_md4_la_LDFLAGS = -module
++libstrongswan_md4_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/md5/Makefile.am
++++ src/libstrongswan/plugins/md5/Makefile.am
+@@ -6,5 +6,5 @@
+ plugin_LTLIBRARIES = libstrongswan-md5.la
+ 
+ libstrongswan_md5_la_SOURCES = md5_plugin.h md5_plugin.c md5_hasher.c md5_hasher.h
+-libstrongswan_md5_la_LDFLAGS = -module
++libstrongswan_md5_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/mysql/Makefile.am
++++ src/libstrongswan/plugins/mysql/Makefile.am
+@@ -7,6 +7,6 @@
+ 
+ libstrongswan_mysql_la_SOURCES = mysql_plugin.h mysql_plugin.c \
+ mysql_database.h mysql_database.c
+-libstrongswan_mysql_la_LDFLAGS = -module
++libstrongswan_mysql_la_LDFLAGS = -module -avoid-version
+ libstrongswan_mysql_la_LIBADD = -lmysqlclient_r
+ 
+--- src/libstrongswan/plugins/openssl/Makefile.am
++++ src/libstrongswan/plugins/openssl/Makefile.am
+@@ -16,6 +16,6 @@
+ openssl_ec_private_key.c openssl_ec_private_key.h \
+ openssl_ec_public_key.c openssl_ec_public_key.h
+ 
+-libstrongswan_openssl_la_LDFLAGS = -module
++libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
+ libstrongswan_openssl_la_LIBADD = -lcrypto
+ 
+--- src/libstrongswan/plugins/padlock/Makefile.am
++++ src/libstrongswan/plugins/padlock/Makefile.am
+@@ -9,5 +9,5 @@
+ padlock_aes_crypter.c padlock_aes_crypter.h \
+ padlock_sha1_hasher.c padlock_sha1_hasher.h \
+ padlock_rng.c padlock_rng.h
+-libstrongswan_padlock_la_LDFLAGS = -module
++libstrongswan_padlock_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/pubkey/Makefile.am
++++ src/libstrongswan/plugins/pubkey/Makefile.am
+@@ -9,5 +9,5 @@
+ pubkey_cert.h pubkey_cert.c\
+ pubkey_public_key.h pubkey_public_key.c
+ 
+-libstrongswan_pubkey_la_LDFLAGS = -module
++libstrongswan_pubkey_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/random/Makefile.am
++++ src/libstrongswan/plugins/random/Makefile.am
+@@ -7,5 +7,5 @@
+ 
+ libstrongswan_random_la_SOURCES = random_plugin.h random_plugin.c \
+ random_rng.c random_rng.h
+-libstrongswan_random_la_LDFLAGS = -module
++libstrongswan_random_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/sha1/Makefile.am
++++ src/libstrongswan/plugins/sha1/Makefile.am
+@@ -7,5 +7,5 @@
+ 
+ libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c \
+ sha1_hasher.c sha1_hasher.h sha1_prf.c sha1_prf.h
+-libstrongswan_sha1_la_LDFLAGS = -module
++libstrongswan_sha1_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/sha2/Makefile.am
++++ src/libstrongswan/plugins/sha2/Makefile.am
+@@ -6,5 +6,5 @@
+ plugin_LTLIBRARIES = libstrongswan-sha2.la
+ 
+ libstrongswan_sha2_la_SOURCES = sha2_plugin.h sha2_plugin.c sha2_hasher.c sha2_hasher.h
+-libstrongswan_sha2_la_LDFLAGS = -module
++libstrongswan_sha2_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/sqlite/Makefile.am
++++ src/libstrongswan/plugins/sqlite/Makefile.am
+@@ -7,6 +7,6 @@
+ 
+ libstrongswan_sqlite_la_SOURCES = sqlite_plugin.h sqlite_plugin.c \
+ sqlite_database.h sqlite_database.c
+-libstrongswan_sqlite_la_LDFLAGS = -module
++libstrongswan_sqlite_la_LDFLAGS = -module -avoid-version
+ libstrongswan_sqlite_la_LIBADD = -lsqlite3
+ 
+--- src/libstrongswan/plugins/test_vectors/Makefile.am
++++ src/libstrongswan/plugins/test_vectors/Makefile.am
+@@ -29,5 +29,5 @@
+ test_vectors/sha2_hmac.c \
+ test_vectors/fips_prf.c \
+ test_vectors/rng.c
+-libstrongswan_test_vectors_la_LDFLAGS = -module
++libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/x509/Makefile.am
++++ src/libstrongswan/plugins/x509/Makefile.am
+@@ -12,5 +12,5 @@
+ x509_ocsp_request.h x509_ocsp_request.c \
+ x509_ocsp_response.h x509_ocsp_response.c \
+ ietf_attr_list.h ietf_attr_list.c
+-libstrongswan_x509_la_LDFLAGS = -module
++libstrongswan_x509_la_LDFLAGS = -module -avoid-version
+ 
+--- src/libstrongswan/plugins/xcbc/Makefile.am
++++ src/libstrongswan/plugins/xcbc/Makefile.am
+@@ -7,5 +7,5 @@
+ 
+ libstrongswan_xcbc_la_SOURCES = xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \
+ xcbc_prf.h xcbc_prf.c xcbc_signer.h xcbc_signer.c
+-libstrongswan_xcbc_la_LDFLAGS = -module
++libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version
+ 
diff --git a/strongswan_update-dns-server.dif b/strongswan_update-dns-server.dif
deleted file mode 100644
index 50d225e..0000000
--- a/strongswan_update-dns-server.dif
+++ /dev/null
@@ -1,43 +0,0 @@
---- src/charon/sa/ike_sa.c
-+++ src/charon/sa/ike_sa.c 2008/08/28 07:31:59
-@@ -2316,6 +2316,11 @@
- */
- static void remove_dns_servers(private_ike_sa_t *this)
- {
-+ (void)this;
-+#if 0
-+ /*
-+ ** TODO: don't change resolv.conf => use netconfig
-+ */
- FILE *file;
- struct stat stats;
- chunk_t contents, line, orig_line, token;
-@@ -2391,6 +2396,7 @@
- }
- iterator->destroy(iterator);
- fclose(file);
-+#endif
- }
- 
- /**
-@@ -2398,6 +2404,12 @@
- */
- static void add_dns_server(private_ike_sa_t *this, host_t *dns)
- {
-+ (void)this;
-+ (void)dns;
-+#if 0
-+ /*
-+ ** TODO: don't change resolv.conf => use netconfig
-+ */
- FILE *file;
- struct stat stats;
- chunk_t contents;
-@@ -2442,6 +2454,7 @@
- fwrite(contents.ptr, contents.len, 1, file);
- 
- fclose(file);
-+#endif
- }
- 
- /**