From f013a86fad326182ed321f2a94863a0279d1bab520a431e13f6d15cf22f5961e Mon Sep 17 00:00:00 2001 
From: Marius Tomaschewski <mt@suse.com> Date: Wed, 31 Oct 2012 16:08:08 +0000 Subject: [PATCH] - Updated to strongSwan 5.0.1 release. Changes digest: - Introduced the sending of the standard IETF Assessment Result PA-TNC attribute by all strongSwan Integrity Measurement Verifiers. - Extended PTS Attestation IMC/IMV pair to provide full evidence of the Linux IMA measurement process. All pertinent file information of a Linux OS can be collected and stored in an SQL database. - The PA-TNC and PB-TNC protocols can now process huge data payloads. - The xauth-pam backend can authenticate IKEv1 XAuth and Hybrid authenticated clients against any PAM service. - The new unity plugin brings support for some parts of the IKEv1 Cisco Unity Extensions. - The kernel-netlink plugin supports the new strongswan.conf option charon.install_virtual_ip_on. - Job handling in controller_t was fixed, which occasionally caused crashes on ipsec up/down. - Fixed transmission EAP-MSCHAPv2 user name if it contains a domain part. Changes digest from strongSwan 5.0.0 version: * The charon IKE daemon gained experimental support for the IKEv1 protocol. Pluto has been removed from the 5.x series. * The NetworkManager charon plugin of previous releases is now provided by a separate executable (charon-nm) and it should work again with NM 0.9. * scepclient was updated and it now works fine with Windows Server 2008 R2. For full list of the changes, please read the NEWS file shipped in the strongswan-doc package or online: http://wiki.strongswan.org/projects/strongswan/wiki/Changelog50 - Adopted spec file, enabled several plugins. 
- Changed to install strongswan.service with alias to ipsec.service OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=51 --- strongswan.changes | 34 ++++++- strongswan.spec | 168 +++++++++++++++++++-------------- strongswan_ipsec_service.patch | 7 ++ 3 files changed, 134 insertions(+), 75 deletions(-) create mode 100644 strongswan_ipsec_service.patch diff --git a/strongswan.changes b/strongswan.changes index 64f2832..4b524e5 100644 --- a/strongswan.changes +++ b/strongswan.changes 
@@ -1,7 +1,37 @@ ------------------------------------------------------------------- -Tue Oct 30 17:09:36 UTC 2012 - mt@suse.de +Wed Oct 31 15:25:16 UTC 2012 - mt@suse.de -- WORK-IN-PROGRESS snapshot: Update to strongSwan 5.0.1 +- Updated to strongSwan 5.0.1 release. Changes digest: + - Introduced the sending of the standard IETF Assessment Result + PA-TNC attribute by all strongSwan Integrity Measurement Verifiers. + - Extended PTS Attestation IMC/IMV pair to provide full evidence of + the Linux IMA measurement process. All pertinent file information + of a Linux OS can be collected and stored in an SQL database. + - The PA-TNC and PB-TNC protocols can now process huge data payloads. + - The xauth-pam backend can authenticate IKEv1 XAuth and Hybrid + authenticated clients against any PAM service. + - The new unity plugin brings support for some parts of the IKEv1 + Cisco Unity Extensions. + - The kernel-netlink plugin supports the new strongswan.conf option + charon.install_virtual_ip_on. + - Job handling in controller_t was fixed, which occasionally caused + crashes on ipsec up/down. + - Fixed transmission EAP-MSCHAPv2 user name if it contains a domain + part. + Changes digest from strongSwan 5.0.0 version: + * The charon IKE daemon gained experimental support for the IKEv1 + protocol. Pluto has been removed from the 5.x series. + * The NetworkManager charon plugin of previous releases is now + provided by a separate executable (charon-nm) and it should work + again with NM 0.9. + * scepclient was updated and it now works fine with Windows Server + 2008 R2. + For full list of the changes, please read the NEWS file shipped + in the strongswan-doc package or online: + http://wiki.strongswan.org/projects/strongswan/wiki/Changelog50 +- Adopted spec file, enabled several plugins. +- Changed to install strongswan.service with alias to ipsec.service + instead of the /etc/init.d/ipsec init script on openSUSE > 12.2. 
------------------------------------------------------------------- Fri Sep 7 08:36:57 UTC 2012 - mt@suse.de diff --git a/strongswan.spec b/strongswan.spec index 1a67c6f..36b0c5f 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -23,11 +23,30 @@ Release: 0 %define strongswan_docdir %{_docdir}/%{name} %define strongswan_libdir %{_libdir}/ipsec %define strongswan_plugins %{strongswan_libdir}/plugins -%define with_mysql 1 -%define with_sqlite 0%{suse_version} >= 1110 -%define with_gcrypt 0%{suse_version} >= 1110 -%define with_nm 0%{suse_version} >= 1110 -%define with_tests 0 +%if 0 +%bcond_without tests +%else +%bcond_with tests +%endif +%if 1 +%bcond_without mysql +%else +%bcond_with mysql +%endif +%if 0%{suse_version} >= 1110 +%bcond_without sqlite +%bcond_without gcrypt +%bcond_without nm +%else +%bcond_with sqlite +%bcond_with gcrypt +%bcond_with nm +%endif +%if 0%{suse_version} > 1220 +%bcond_without systemd +%else +%bcond_with systemd +%endif Summary: OpenSource IPsec-based VPN Solution License: GPL-2.0+ Group: Productivity/Networking/Security @@ -39,6 +58,7 @@ Source2: %{name}.init.in Source3: %{name}-%{version}-rpmlintrc Source4: README.SUSE Patch1: %{name}_modprobe_syslog.patch +Patch2: %{name}_ipsec_service.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison BuildRequires: curl-devel @@ -52,18 +72,21 @@ BuildRequires: openldap2-devel BuildRequires: pam-devel BuildRequires: pcsc-lite-devel BuildRequires: pkg-config -%if %with_mysql +%if %{with mysql} BuildRequires: libmysqlclient-devel %endif -%if %with_sqlite +%if %{with sqlite} BuildRequires: sqlite3-devel %endif -%if %with_gcrypt +%if %{with gcrypt} BuildRequires: libgcrypt-devel %endif -%if %with_nm +%if %{with nm} BuildRequires: NetworkManager-devel %endif +%if %{with systemd} +BuildRequires: systemd-devel +%endif BuildRequires: iptables BuildRequires: libnl >= 1.1 
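Review bot: The `%if 0 … %else … %endif` and `%if 1 … %else … %endif` wrappers around the `tests` and `mysql` conditionals in the `@@ -23,11 +23,30 @@` hunk of strongswan.spec hide the real default behind a constant, so a reader has to work out which branch is live. Writing `%bcond_with tests` and `%bcond_without mysql` directly states the defaults and still lets `--with tests` / `--without mysql` override them at build time. A short comment above the block, e.g. `# bcond_with = off by default, bcond_without = on by default`, would help, because the macro names read inverted.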
@@ -131,30 +154,14 @@ StrongSwan is an OpenSource IPsec-based VPN Solution for Linux This package provides the strongswan library and plugins. -%package charon -Summary: OpenSource IPsec-based VPN Solution -Group: Productivity/Networking/Security -Requires: iproute2 -Requires: strongswan-daemon-starter = %{version} -Requires: strongswan-libs0 = %{version} -Provides: strongswan-daemon = %{version} -Conflicts: openswan strongswan < %{version} - -%description charon -StrongSwan is an OpenSource IPsec-based VPN Solution for Linux - -This package provides the charon daemon supporting IKEv1 & IKEv2. - %package ipsec Summary: OpenSource IPsec-based VPN Solution Group: Productivity/Networking/Security PreReq: grep %insserv_prereq %fillup_prereq -Requires: strongswan-daemon = %{version} Requires: strongswan-libs0 = %{version} Provides: VPN Provides: ipsec Provides: strongswan = %{version} -Provides: strongswan-daemon-starter = %{version} Obsoletes: strongswan < %{version} Conflicts: freeswan openswan @@ -162,10 +169,10 @@ Conflicts: freeswan openswan StrongSwan is an OpenSource IPsec-based VPN Solution for Linux This package provides the /etc/init.d/ipsec service script and allows -to maintain both, IKEv1 and IKEv2 daemons, using /etc/ipsec.conf and +to maintain both, IKEv1 and IKEv2, using the /etc/ipsec.conf and the /etc/ipsec.sectes files. -%if %with_mysql +%if %{with mysql} %package mysql Summary: OpenSource IPsec-based VPN Solution @@ -179,7 +186,7 @@ This package provides the strongswan mysql plugin. %endif -%if %with_sqlite +%if %{with sqlite} %package sqlite Summary: OpenSource IPsec-based VPN Solution 
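Review bot: Dropping the `charon` subpackage in the `@@ -131,30 +154,14 @@` hunk also drops the virtual names `strongswan-daemon` and `strongswan-daemon-starter`, and nothing visible in this hunk makes `strongswan-ipsec` take over from a previously installed `strongswan-charon`. If any published build shipped that subpackage, moving `%{_libexecdir}/ipsec/charon` into the `ipsec` file list could produce a file conflict on upgrade. Consider adding `Provides: strongswan-charon = %{version}` and `Obsoletes: strongswan-charon < %{version}` to `%package ipsec`. The package header continues outside the hunk, so this may already be handled there.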
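Review bot: The `%description ipsec` text in the `@@ -162,10 +169,10 @@` hunk still says the package provides the `/etc/init.d/ipsec` service script, which no longer holds for builds where the `systemd` conditional is on, and the unchanged last line misspells the secrets file as `/etc/ipsec.sectes`. Suggested wording for the three lines: `This package provides the ipsec service (init script or systemd unit) and allows`, `to maintain both, IKEv1 and IKEv2, using the /etc/ipsec.conf and`, `the /etc/ipsec.secrets files.`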
@@ -193,14 +200,12 @@ This package provides the strongswan sqlite plugin. %endif -%if %with_nm +%if %{with nm} %package nm Summary: OpenSource IPsec-based VPN Solution Group: Productivity/Networking/Security -Requires: strongswan-ikev2 = %{version} Requires: strongswan-libs0 = %{version} -Provides: strongswan-daemon-starter = %{version} %description nm StrongSwan is an OpenSource IPsec-based VPN Solution for Linux @@ -211,7 +216,7 @@ NetworkManager-strongswan graphical user interface. %endif -%if %with_tests +%if %{with tests} %package tests @@ -230,6 +235,7 @@ and the load testing plugin for IKEv2 daemon. %prep %setup -q -n %{name}-%{upstream_version} %patch1 -p0 +%patch2 -p0 sed -e 's|@libexecdir@|%_libexecdir|g' \ < $RPM_SOURCE_DIR/strongswan.init.in \ > strongswan.init @@ -276,6 +282,16 @@ export RPM_OPT_FLAGS CFLAGS --enable-eap-radius \ --enable-xauth-eap \ --enable-xauth-pam \ + --enable-tnc-pdp \ + --enable-tnc-imc \ + --enable-tnc-imv \ + --enable-tnccs-11 \ + --enable-tnccs-20 \ + --enable-tnccs-dynamic \ + --enable-imc-test \ + --enable-imv-test \ + --enable-imc-scanner \ + --enable-imv-scanner \ --enable-ha \ --enable-dhcp \ --enable-farp \ @@ -289,19 +305,19 @@ export RPM_OPT_FLAGS CFLAGS --enable-certexpire \ --enable-duplicheck \ --enable-coupling \ -%if %with_mysql +%if %{with mysql} --enable-mysql \ %endif -%if %with_sqlite +%if %{with sqlite} --enable-sqlite \ %endif -%if %with_gcrypt +%if %{with gcrypt} --enable-gcrypt \ %endif -%if %with_nm +%if %{with nm} --enable-nm \ %endif -%if %with_tests +%if %{with tests} --enable-load-tester \ --enable-test-vectors \ %endif 
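Review bot: `--enable-imc-test` and `--enable-imv-test` in the `@@ -276,6 +282,16 @@` hunk are built unconditionally, while the other test-only switches (`--enable-load-tester`, `--enable-test-vectors`) sit behind `%if %{with tests}` in the following hunk. The resulting `imc-test.so`/`imv-test.so` modules and the `tnc-pdp` plugin are then listed in the `libs0` file list (hunks `@@ -456,6 +466,12 @@` and `@@ -525,7 +541,13 @@`), so every installation receives them. If charon loads installed plugins automatically, this enlarges the default attack surface of the IKE daemon; `tnc-pdp` in particular appears to add a RADIUS-facing policy decision point, which should be confirmed against the upstream documentation. Consider moving the two test switches under `%if %{with tests}` (with matching `%files` guards) and packaging the TNC plugins in a separate subpackage so that they are opt-in.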
@@ -314,9 +330,11 @@ make %{?_smp_mflags:%_smp_mflags} export RPM_BUILD_ROOT install -d -m755 ${RPM_BUILD_ROOT}%{_sbindir}/ install -d -m755 ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.d/ +%if ! %{with systemd} install -d -m755 ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ install -m755 strongswan.init ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ipsec ln -s %{_sysconfdir}/init.d/ipsec ${RPM_BUILD_ROOT}%{_sbindir}/rcipsec +%endif # make install DESTDIR="$RPM_BUILD_ROOT" # @@ -331,16 +349,16 @@ cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets EOT # rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan}.so -rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{radius,simaka,tls,tnccs}.so +rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so find $RPM_BUILD_ROOT%{strongswan_libdir} \ -name "*.a" -o -name "*.la" | xargs -r rm -f # install -d -m755 ${RPM_BUILD_ROOT}%{strongswan_docdir}/ -#install -m644 TODO NEWS README COPYING CREDITS \ -# ${RPM_SOURCE_DIR}/README.SUSE \ -# ${RPM_BUILD_ROOT}%{strongswan_docdir}/ +install -c -m644 TODO NEWS README COPYING LICENSE \ + AUTHORS ChangeLog \ + ${RPM_BUILD_ROOT}%{strongswan_docdir}/ install -c -m644 ${RPM_SOURCE_DIR}/README.SUSE \ - ${RPM_BUILD_ROOT}%{strongswan_docdir}/ + ${RPM_BUILD_ROOT}%{strongswan_docdir}/ install -d -m755 $RPM_BUILD_ROOT%{_localstatedir}/run/strongswan %post libs0 @@ -352,10 +370,14 @@ test -d %{_localstatedir}/run/strongswan || \ %{run_ldconfig} %post ipsec +%if ! %{with systemd} %{fillup_and_insserv ipsec} +%endif %preun ipsec +%if ! %{with systemd} %{stop_on_removal ipsec} +%endif if test -s %{_sysconfdir}/ipsec.secrets.rpmsave ; then cp -p --backup=numbered %{_sysconfdir}/ipsec.secrets.rpmsave \ %{_sysconfdir}/ipsec.secrets.rpmsave.old @@ -366,7 +388,9 @@ if test -s %{_sysconfdir}/ipsec.conf.rpmsave ; then fi %postun ipsec +%if ! %{with systemd} %{insserv_cleanup} +%endif %files %defattr(-,root,root) 
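Review bot: On systemd builds the `%post ipsec` and `%preun ipsec` scriptlets in the `@@ -352,10 +370,14 @@` hunk, and `%postun ipsec` in `@@ -366,7 +388,9 @@`, now do no service handling at all, because each `%if ! %{with systemd}` block has no `%else` branch. The daemon is therefore not stopped on removal and, as far as the visible scriptlets show, not restarted on update, so a security update could leave the old charon binary running until someone restarts it by hand. Add the systemd counterparts in `%else` branches: `%service_add_post strongswan.service`, `%service_del_preun strongswan.service` and `%service_del_postun strongswan.service`, plus `%{?systemd_requires}` in the `ipsec` package header. Check that these macros are available on the targeted openSUSE releases.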
@@ -386,8 +410,12 @@ fi %dir %{_sysconfdir}/ipsec.d/cacerts %dir %{_sysconfdir}/ipsec.d/ocspcerts %dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private +%if %{with systemd} +/lib/systemd/system/strongswan.service +%else %config %{_sysconfdir}/init.d/ipsec %{_sbindir}/rcipsec +%endif %{_sbindir}/ipsec %{_mandir}/man8/ipsec.8* %{_mandir}/man5/ipsec.conf.5* @@ -405,38 +433,21 @@ fi %{_libexecdir}/ipsec/scepclient %{_libexecdir}/ipsec/starter %{_libexecdir}/ipsec/stroke +%{_libexecdir}/ipsec/charon %dir %{strongswan_plugins} %{strongswan_plugins}/libstrongswan-stroke.so %{strongswan_plugins}/libstrongswan-updown.so -%files charon -%defattr(-,root,root) -%dir %{_libexecdir}/ipsec -%{_libexecdir}/ipsec/charon - %files doc %defattr(-,root,root) %dir %{strongswan_docdir} -#%{strongswan_docdir}/TODO -#%{strongswan_docdir}/NEWS -#%{strongswan_docdir}/README -#%{strongswan_docdir}/COPYING -#%{strongswan_docdir}/CREDITS -#%{_mandir}/man3/anyaddr.3* -#%{_mandir}/man3/atoaddr.3* -#%{_mandir}/man3/atoasr.3* -#%{_mandir}/man3/atoul.3* -#%{_mandir}/man3/goodmask.3* -#%{_mandir}/man3/initaddr.3* -#%{_mandir}/man3/initsubnet.3* -#%{_mandir}/man3/portof.3* -#%{_mandir}/man3/rangetosubnet.3* -#%{_mandir}/man3/sameaddr.3* -#%{_mandir}/man3/subnetof.3* -#%{_mandir}/man3/ttoaddr.3* -#%{_mandir}/man3/ttodata.3* -#%{_mandir}/man3/ttosa.3* -#%{_mandir}/man3/ttoul.3* +%{strongswan_docdir}/TODO +%{strongswan_docdir}/NEWS +%{strongswan_docdir}/README +%{strongswan_docdir}/COPYING +%{strongswan_docdir}/LICENSE +%{strongswan_docdir}/AUTHORS +%{strongswan_docdir}/ChangeLog %{_mandir}/man8/_updown.8* %{_mandir}/man8/_updown_espmark.8* %{_mandir}/man8/openac.8* @@ -446,7 +457,6 @@ fi %defattr(-,root,root) %config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf %dir %{_libexecdir}/ipsec -#%dir %{_libexecdir}/ipsec/pool %dir %{strongswan_libdir} %{strongswan_libdir}/libchecksum.so %{strongswan_libdir}/libcharon.so.* 
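Review bot: The unit file path in the `@@ -386,8 +410,12 @@` hunk is hard-coded as `/lib/systemd/system/strongswan.service`; use `%{_unitdir}/strongswan.service` so the file list follows the distribution's unit directory. The literal path only matches if the upstream build installs the unit there, and no configure option pinning the unit directory is visible in the configure hunk, so this is worth verifying in a build log. The systemd branch also ships no `rcipsec` link, which the sysvinit branch keeps; if that shortcut is expected by administrators, it should be provided in `%install` and listed here.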
@@ -456,6 +466,12 @@ fi %{strongswan_libdir}/libstrongswan.so.* %{strongswan_libdir}/libtls.so.* %{strongswan_libdir}/libtnccs.so.* +%{strongswan_libdir}/libimcv.so.* +%dir %{strongswan_libdir}/imcvs +%{strongswan_libdir}/imcvs/imc-scanner.so +%{strongswan_libdir}/imcvs/imc-test.so +%{strongswan_libdir}/imcvs/imv-scanner.so +%{strongswan_libdir}/imcvs/imv-test.so %dir %{strongswan_plugins} %{strongswan_plugins}/libstrongswan-addrblock.so %{strongswan_plugins}/libstrongswan-aes.so @@ -496,7 +512,7 @@ fi %{strongswan_plugins}/libstrongswan-farp.so %{strongswan_plugins}/libstrongswan-fips-prf.so %{strongswan_plugins}/libstrongswan-gcm.so -%if %with_gcrypt +%if %{with gcrypt} %{strongswan_plugins}/libstrongswan-gcrypt.so %endif %{strongswan_plugins}/libstrongswan-gmp.so @@ -525,7 +541,13 @@ fi %{strongswan_plugins}/libstrongswan-socket-default.so %{strongswan_plugins}/libstrongswan-soup.so %{strongswan_plugins}/libstrongswan-sql.so +%{strongswan_plugins}/libstrongswan-tnc-imc.so +%{strongswan_plugins}/libstrongswan-tnc-imv.so +%{strongswan_plugins}/libstrongswan-tnc-pdp.so %{strongswan_plugins}/libstrongswan-tnc-tnccs.so +%{strongswan_plugins}/libstrongswan-tnccs-11.so +%{strongswan_plugins}/libstrongswan-tnccs-20.so +%{strongswan_plugins}/libstrongswan-tnccs-dynamic.so %{strongswan_plugins}/libstrongswan-unity.so %{strongswan_plugins}/libstrongswan-x509.so %{strongswan_plugins}/libstrongswan-xauth-eap.so @@ -534,7 +556,7 @@ fi %{strongswan_plugins}/libstrongswan-xcbc.so %dir %ghost %{_localstatedir}/run/strongswan -%if %with_nm +%if %{with nm} %files nm %defattr(-,root,root) @@ -543,7 +565,7 @@ fi %{_libexecdir}/ipsec/charon-nm %endif -%if %with_mysql +%if %{with mysql} %files mysql %defattr(-,root,root) @@ -551,7 +573,7 @@ fi %{strongswan_plugins}/libstrongswan-mysql.so %endif -%if %with_sqlite +%if %{with sqlite} %files sqlite %defattr(-,root,root) 
@@ -559,7 +581,7 @@ fi %{strongswan_plugins}/libstrongswan-sqlite.so %endif -%if %with_tests +%if %{with tests} %files tests %defattr(-,root,root) diff --git a/strongswan_ipsec_service.patch b/strongswan_ipsec_service.patch new file mode 100644 index 0000000..ab8b13b --- /dev/null +++ b/strongswan_ipsec_service.patch @@ -0,0 +1,7 @@ +--- init/systemd/strongswan.service.in ++++ init/systemd/strongswan.service.in 2012/10/31 15:21:11 +@@ -8,3 +8,4 @@ StandardOutput=syslog + + [Install] + WantedBy=multi-user.target ++Alias=ipsec.service
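Review bot: `Alias=ipsec.service` in the new strongswan_ipsec_service.patch sits in the `[Install]` section, so the alias only exists after `systemctl enable strongswan.service` has been run; until then the name `ipsec.service` does not resolve. The spec changes in this commit add no scriptlet that enables the unit, so the changelog's "alias to ipsec.service" holds only once the administrator has enabled it. The patch also has no header explaining its purpose; a leading comment such as `# Add ipsec.service alias for compatibility with the former init script name` would document it, and README.SUSE is a natural place to mention the enable step.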