From 12e8dea6e72591141247b759aa97d2a84877dca6ecb420c80fd0c74ab0a7621c Mon Sep 17 00:00:00 2001 
From: Marius Tomaschewski
Date: Tue, 16 Nov 2010 12:10:30 +0000
Subject: [PATCH] - Updated to strongSwan 4.5.0 release, changes since 4.4.1 are:

* IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5 from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively come for IKEv1 to go into retirement and to cede its place to the much more robust, powerful and versatile IKEv2 protocol!
* Added new ctr, ccm and gcm plugins providing Counter, Counter with CBC-MAC and Galois/Counter Modes based on existing CBC implementations. These new plugins bring support for AES and Camellia Counter and CCM algorithms and the AES GCM algorithms for use in IKEv2.
* The new pkcs11 plugin brings full Smartcard support to the IKEv2 daemon and the pki utility using one or more PKCS#11 libraries. It currently supports RSA private and public key operations and loads X.509 certificates from tokens.
* Implemented a general purpose TLS stack based on crypto and credential primitives of libstrongswan. libtls supports TLS versions 1.0, 1.1 and 1.2, ECDHE-ECDSA/RSA, DHE-RSA and RSA key exchange algorithms and RSA/ECDSA based client authentication.
* Based on libtls, the eap-tls plugin brings certificate based EAP authentication for client and server. It is compatible to Windows 7 IKEv2 Smartcard authentication and the OpenSSL based FreeRADIUS EAP-TLS backend.
* Implemented the TNCCS 1.1 Trusted Network Connect protocol using the libtnc library on the strongSwan client and server side via the tnccs_11 plugin and optionally connecting to a TNC@FHH-enhanced FreeRADIUS AAA server. Depending on the resulting TNC Recommendation, strongSwan clients are granted access to a network behind a strongSwan gateway (allow), are put into a remediation zone (isolate) or are blocked (none), respectively. Any number of Integrity Measurement Collector/Verifier pairs can be attached via the tnc-imc and tnc-imv charon plugins.
* The IKEv1 daemon pluto now uses the same kernel interfaces as the IKEv2 daemon charon. As a result of this, pluto now supports xfrm marks which were introduced in charon with 4.4.1.
* The RADIUS plugin eap-radius now supports multiple RADIUS servers for redundant setups. Servers are selected by a defined priority, server load and availability.
* The simple led plugin controls hardware LEDs through the Linux LED subsystem. It currently shows activity of the IKE daemon and is a good example how to implement a simple event listener.
* Improved MOBIKE behavior in several corner cases, for instance, if the initial responder moves to a different address.
* Fixed left-/rightnexthop option, which was broken since 4.4.0.
* Fixed a bug not releasing a virtual IP address to a pool if the XAUTH identity was different from the IKE identity.
* Fixed the alignment of ModeConfig messages on 4-byte boundaries in the case where the attributes are not a multiple of 4 bytes (e.g. Cisco's UNITY_BANNER).
* Fixed the interoperability of the socket_raw and socket_default charon plugins.
* Added man page for strongswan.conf
- Adopted spec file, removed obsolete error range patch.
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=20 --- README.SUSE | 34 ++++++++--- strongswan-4.4.1-fix_notify_error_range.patch | 22 ------- strongswan-4.4.1.tar.bz2 | 3 - strongswan-4.4.1.tar.bz2.sig | 14 ----- ....1-rpmlintrc => strongswan-4.5.0-rpmlintrc | 0 strongswan-4.5.0.tar.bz2 | 3 + strongswan-4.5.0.tar.bz2.sig | 14 +++++ strongswan.changes | 58 +++++++++++++++++++ strongswan.spec | 13 ++--- 9 files changed, 105 insertions(+), 56 deletions(-) delete mode 100644 strongswan-4.4.1-fix_notify_error_range.patch delete mode 100644 strongswan-4.4.1.tar.bz2 delete mode 100644 strongswan-4.4.1.tar.bz2.sig rename strongswan-4.4.1-rpmlintrc => strongswan-4.5.0-rpmlintrc (100%) create mode 100644 strongswan-4.5.0.tar.bz2 create mode 100644 strongswan-4.5.0.tar.bz2.sig diff --git a/README.SUSE b/README.SUSE index 140478d..ae2311b 100644 --- a/README.SUSE +++ b/README.SUSE 
@@ -1,14 +1,30 @@ Dear Customer, -this package does no provide any files any more, but triggers the -installation of both, IKEv1 (pluto) and IKEv2 (charon) daemons and -the traditional starter scripts inclusive of the /etc/init.d/ipsec -init script and /etc/ipsec.conf file. +please note, that the strongswan release 4.5 changes the keyexchange mode +to IKEv2 as default -- from strongswan-4.5.0/NEWS: +"[...] +IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5 +from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the +IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively +come for IKEv1 to go into retirement and to cede its place to the much more +robust, powerful and versatile IKEv2 protocol! +[...]" -There is a new strongswan-nm package with a NetworkManager plugin -to control the charon IKEv2 daemon through D-Bus, designed to work -using the NetworkManager-strongswan graphical user interface. -It does not depend on the traditional starter scripts, but on the -IKEv2 charon daemon and plugins only. +This requires adoption of either the "conn %default" or all other IKEv1 +"conn" sections in the /etc/ipsec.conf to use explicit: + + keyexchange=ikev1 + + +The strongswan package does no provide any files any more, but triggers +the installation of both, IKEv1 (pluto) and IKEv2 (charon) daemons and the +traditional starter scripts inclusive of the /etc/init.d/ipsec init script +and /etc/ipsec.conf file. + +There is a new strongswan-nm package with a NetworkManager plugin to +control the charon IKEv2 daemon through D-Bus, designed to work using the +NetworkManager-strongswan graphical user interface. +It does not depend on the traditional starter scripts, but on the IKEv2 +charon daemon and plugins only. Have a lot of fun... diff --git a/strongswan-4.4.1-fix_notify_error_range.patch b/strongswan-4.4.1-fix_notify_error_range.patch deleted file mode 100644 index 79f2c2e..0000000 
--- a/strongswan-4.4.1-fix_notify_error_range.patch +++ /dev/null @@ -1,22 +0,0 @@ -From 30d8e8d04d132e046a19b6a29439e6efb8ff3e06 Mon Sep 17 00:00:00 2001 -From: Jiri Bohac -Date: Thu, 5 Aug 2010 17:13:38 +0200 -Subject: [PATCH] fix error-type range in parsing of NOTIFY payloads - - -diff --git a/src/libcharon/sa/tasks/ike_init.c b/src/libcharon/sa/tasks/ike_init.c -index 38fb572..dd4a5f5 100644 ---- a/src/libcharon/sa/tasks/ike_init.c -+++ b/src/libcharon/sa/tasks/ike_init.c -@@ -468,7 +468,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message) - } - default: - { -- if (type < 16383) -+ if (type <= 16383) - { - DBG1(DBG_IKE, "received %N notify error", - notify_type_names, type); --- -1.7.1 - diff --git a/strongswan-4.4.1.tar.bz2 b/strongswan-4.4.1.tar.bz2 deleted file mode 100644 index ae192f3..0000000 --- a/strongswan-4.4.1.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2bee6fb9f43c251827f530cd629af1195a566cf99e9d0320c338f1497cbf99c2 -size 2982652 diff --git a/strongswan-4.4.1.tar.bz2.sig b/strongswan-4.4.1.tar.bz2.sig deleted file mode 100644 index f96e554..0000000 --- a/strongswan-4.4.1.tar.bz2.sig +++ /dev/null @@ -1,14 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.10 (GNU/Linux) - -iQGcBAABAgAGBQJMUuERAAoJEN9CwXCzTbp3oqYL/3Gg3EDh4ZhMAvJunRK40JUI -Sw8Ekp3XNFASLDDAOTjZAOOfd/ZAtC3zLDxaT9vRfq4mmWmhtKBHcnAnURDtNees -fraJiv/flvmJ4enZbXp3R3NgIQcXNGDrOi2P7XSydzqq80pW1P4v8JZcMf+glFJO -sdzMgnL2Tg9/TTiivBFtymtknf+yqT4cDKNNolzIuKWPzJ1dR+hSoLlVZ+4efUAS -qGK8EsqTDawZ5AsEvx7BVfusn38wMgQehKV5DhyhM29sm9hYj6nfO99NEfXq8VhG -eYTWU4uJNH5ghTOllc3s9zA8jK49aG+ITIlpqn9xUi41uRlr3DdvMINDBETjGL8E -eKd8AkV0NCDWRsia2mHJLBW9/W107/w3BPKMCm23avMtiRRezsSB0OQ2XpzgDjEH -iPLj0xY4cK6Ratd9qfApfafU1sJSll/Hj0XOiv/UEoIgZUaStVKOO+5d5SrljTlp -hIGJFjWcK262L+aDTGrckDqEpQ/1xHc8KLGF/XiKFg== -=TTSf ------END PGP SIGNATURE----- 
diff --git a/strongswan-4.4.1-rpmlintrc b/strongswan-4.5.0-rpmlintrc similarity index 100% rename from strongswan-4.4.1-rpmlintrc rename to strongswan-4.5.0-rpmlintrc diff --git a/strongswan-4.5.0.tar.bz2 b/strongswan-4.5.0.tar.bz2 new file mode 100644 index 0000000..11ae48f --- /dev/null +++ b/strongswan-4.5.0.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:108b0fbbf119011b24eb6ccabc3d9f8888f4036382dd3aad011dec04100ad559 +size 3154064 diff --git a/strongswan-4.5.0.tar.bz2.sig b/strongswan-4.5.0.tar.bz2.sig new file mode 100644 index 0000000..0d16c14 --- /dev/null +++ b/strongswan-4.5.0.tar.bz2.sig @@ -0,0 +1,14 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.10 (GNU/Linux) + +iQGcBAABAgAGBQJMykZ7AAoJEN9CwXCzTbp36BYL/A9q4F2n7EHvVW7HTmG6ogMw +are1n1ZYRdqUmrdk2woCqJPfkzihHMa1nc7u6hgucRDi7wJfJBXoAT0Rvd9AN8qw +bKuaajKRvXFA14qtORvkX4z+Se+/nqL3+ZlvlnPS6rgpdBD+kZY+sFNdSAhJxShJ +zbJ4U+jnO74pyzp8I9hp1HccPKJjt/ljlCB7izPqJ1bQAbrNTQr90JHPNz9BSQkq +BIF5T+nsRWE1p2tWzz6IAjvbC3ghc2lmVy5FGKjItMXWxsyCYuira4MlbGp2ObKE +1aa9QbNYxJ0aD0vsX+r8usXvpdq5QLQotp1bLG2m2XYWdzC4yBwRHj2pS8JHIENP +y9o4za9finsG1Ahb661+2Pw7xO/R2blLDDQyhxH5e6AO7p4Pz050yiicCxVKEwG0 +mJM6c5TbAerBCH2ovgwNeGV3hsOt9ng7e63SMIBkYtN41uQV8hqUjZbtYcvpsER2 +bB/Jdp14aR1F9jMgEmt/I6tNHizJWvB5FFGLqH2cTQ== +=o5iz +-----END PGP SIGNATURE----- diff --git a/strongswan.changes b/strongswan.changes index c90352f..2b05921 100644 --- a/strongswan.changes +++ b/strongswan.changes 
@@ -1,3 +1,61 @@ +------------------------------------------------------------------- +Tue Nov 16 12:01:46 UTC 2010 - mt@suse.de + +- Updated to strongSwan 4.5.0 release, changes since 4.4.1 are: + * IMPORTANT: the default keyexchange mode 'ike' is changing with + release 4.5 from 'ikev1' to 'ikev2', thus commemorating the five + year anniversary of the IKEv2 RFC 4306 and its mature successor + RFC 5996. The time has definitively come for IKEv1 to go into + retirement and to cede its place to the much more robust, powerful + and versatile IKEv2 protocol! + * Added new ctr, ccm and gcm plugins providing Counter, Counter + with CBC-MAC and Galois/Counter Modes based on existing CBC + implementations. These new plugins bring support for AES and + Camellia Counter and CCM algorithms and the AES GCM algorithms + for use in IKEv2. + * The new pkcs11 plugin brings full Smartcard support to the IKEv2 + daemon and the pki utility using one or more PKCS#11 libraries. It + currently supports RSA private and public key operations and loads + X.509 certificates from tokens. + * Implemented a general purpose TLS stack based on crypto and + credential primitives of libstrongswan. libtls supports TLS + versions 1.0, 1.1 and 1.2, ECDHE-ECDSA/RSA, DHE-RSA and RSA key + exchange algorithms and RSA/ECDSA based client authentication. + * Based on libtls, the eap-tls plugin brings certificate based EAP + authentication for client and server. It is compatible to Windows + 7 IKEv2 Smartcard authentication and the OpenSSL based FreeRADIUS + EAP-TLS backend. + * Implemented the TNCCS 1.1 Trusted Network Connect protocol using + the libtnc library on the strongSwan client and server side via + the tnccs_11 plugin and optionally connecting to a TNC@FHH-enhanced + FreeRADIUS AAA server. 
Depending on the resulting TNC Recommendation, + strongSwan clients are granted access to a network behind a + strongSwan gateway (allow), are put into a remediation zone (isolate) + or are blocked (none), respectively. + Any number of Integrity Measurement Collector/Verifier pairs can be + attached via the tnc-imc and tnc-imv charon plugins. + * The IKEv1 daemon pluto now uses the same kernel interfaces as the + IKEv2 daemon charon. As a result of this, pluto now supports xfrm + marks which were introduced in charon with 4.4.1. + * The RADIUS plugin eap-radius now supports multiple RADIUS servers + for redundant setups. Servers are selected by a defined priority, + server load and availability. + * The simple led plugin controls hardware LEDs through the Linux LED + subsystem. It currently shows activity of the IKE daemon and is a + good example how to implement a simple event listener. + * Improved MOBIKE behavior in several corner cases, for instance, + if the initial responder moves to a different address. + * Fixed left-/rightnexthop option, which was broken since 4.4.0. + * Fixed a bug not releasing a virtual IP address to a pool if the + XAUTH identity was different from the IKE identity. + * Fixed the alignment of ModeConfig messages on 4-byte boundaries + in the case where the attributes are not a multiple of 4 bytes + (e.g. Cisco's UNITY_BANNER). + * Fixed the interoperability of the socket_raw and socket_default + charon plugins. + * Added man page for strongswan.conf +- Adopted spec file, removed obsolete error range patch. + ------------------------------------------------------------------- Tue Aug 10 11:43:38 UTC 2010 - mt@suse.de diff --git a/strongswan.spec b/strongswan.spec index e4eb9e8..32af3af 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,5 +1,5 @@ # -# spec file for package strongswan (Version 4.4.1) +# spec file for package strongswan (Version 4.5.0) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # 
@@ -19,10 +19,10 @@ Name: strongswan -%define upstream_version 4.4.1 +%define upstream_version 4.5.0 %define strongswan_docdir %{_docdir}/%{name} %define strongswan_plugins %{_libexecdir}/ipsec/plugins -Version: 4.4.1 +Version: 4.5.0 Release: 0 License: GPLv2+ Group: Productivity/Networking/Security @@ -38,7 +38,6 @@ Source2: %{name}.init.in Source3: %{name}-%{version}-rpmlintrc Source4: README.SUSE Patch1: %{name}_modprobe_syslog.patch -Patch2: %{name}-4.4.1-fix_notify_error_range.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison flex gmp-devel gperf pkg-config BuildRequires: libcap-devel @@ -230,7 +229,6 @@ NetworkManager-strongswan graphical user interface. %prep %setup -q -n %{name}-%{upstream_version} %patch1 -p0 -%patch2 -p1 sed -e 's|@libexecdir@|%_libexecdir|g' \ < $RPM_SOURCE_DIR/strongswan.init.in \ > strongswan.init @@ -271,7 +269,6 @@ export RPM_OPT_FLAGS CFLAGS --enable-sql \ --enable-attr-sql \ --enable-addrblock \ - --enable-socket-dynamic \ %if 0%{suse_version} >= 1110 --enable-gcrypt \ --enable-nm \ @@ -361,6 +358,7 @@ fi %{_mandir}/man8/ipsec.8* %{_mandir}/man5/ipsec.conf.5* %{_mandir}/man5/ipsec.secrets.5* +%{_mandir}/man5/strongswan.conf.5* %dir %{_libexecdir}/ipsec %{_libexecdir}/ipsec/_updown %{_libexecdir}/ipsec/_updown_espmark @@ -487,8 +485,7 @@ fi %{strongswan_plugins}/libstrongswan-revocation.so %{strongswan_plugins}/libstrongswan-sha1.so %{strongswan_plugins}/libstrongswan-sha2.so -%{strongswan_plugins}/libstrongswan-socket-dynamic.so -%{strongswan_plugins}/libstrongswan-socket-raw.so +%{strongswan_plugins}/libstrongswan-socket*.so %{strongswan_plugins}/libstrongswan-sql.so %{strongswan_plugins}/libstrongswan-x509.so %{strongswan_plugins}/libstrongswan-xauth.so
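Review bot: the README.SUSE hunk carries the old typo forward into the rewritten third paragraph, `The strongswan package does no provide any files any more` (should read `does not provide any files any more`), and the new opening line `please note, that the strongswan release 4.5` has a stray comma. More useful to the reader: the instruction to add `keyexchange=ikev1` names "either the "conn %default" or all other IKEv1 "conn" sections" but never shows the option inside a section, so an admin cannot tell whether it belongs at the top of the file or indented under `conn %default`; a two-line `conn %default` block with the `keyexchange=ikev1` line beneath it would make the required change unambiguous, and it is the one line that decides whether existing pluto tunnels survive the upgrade.

Review bot: the removal of strongswan-4.4.1-fix_notify_error_range.patch is justified only by the word "obsolete" in the commit message, with no pointer to where 4.5.0 carries the fix. The dropped hunk changed `if (type < 16383)` to `if (type <= 16383)` in src/libcharon/sa/tasks/ike_init.c, so that notify type 16383, the last value of the IKEv2 error-type range, is logged as an error instead of being treated as a status notification; the 4.5.0 NEWS items quoted in this same commit do not list that fix. Please cite the upstream commit, or confirm by inspecting ike_init.c in the 4.5.0 tarball, before dropping the patch, otherwise the off-by-one returns silently with the version bump.

Review bot: the new strongswan-4.5.0.tar.bz2.sig is added next to the tarball, but nothing in the spec hunk verifies it, so the signature only protects the package if the OBS project runs a source validator or a reviewer checks it by hand with `gpg --verify strongswan-4.5.0.tar.bz2.sig strongswan-4.5.0.tar.bz2`. From the visible armored data, the removed 4.4.1 signature and the new 4.5.0 signature start with the same issuer bytes (`AAoJEN9CwXCzTbp3` in both), which decode to key ID 0xDF42C170B34DBA77, so the same upstream key signed both releases; that is good continuity, but it still has to be matched against the project's published key, and noting the verification result (or the git-lfs `sha256:108b0fbb…` of the tarball) in strongswan.changes would let later reviewers reproduce the check.

Review bot: in the %files part of the strongswan.spec hunk the explicit entries `%{strongswan_plugins}/libstrongswan-socket-dynamic.so` and `%{strongswan_plugins}/libstrongswan-socket-raw.so` become the glob `%{strongswan_plugins}/libstrongswan-socket*.so`, in the same hunk that drops `--enable-socket-dynamic`. A glob hides exactly the mistakes this change can introduce: if one socket plugin stops being built while another still is, the glob matches and rpmbuild succeeds silently, and any new socket-* plugin in a later release is swept into the package without review. Since the commit message itself names socket_raw and socket_default, list the plugins 4.5.0 actually installs by name so the file list records which socket backend charon loads. The rest of the hunk is consistent: the Patch2 source line and `%patch2 -p1` are removed together, Version and upstream_version both move to 4.5.0, and the new `%{_mandir}/man5/strongswan.conf.5*` entry matches the "Added man page for strongswan.conf" item.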