Accepting request 33800 from network:vpn

Copy from network:vpn/strongswan based on submit request 33800 from user mtomaschewski OBS-URL: https://build.opensuse.org/request/show/33800 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=19
2010-03-05 10:51:28 +00:00 · 2010-03-05 10:51:28 +00:00 · cf104ead60
commit cf104ead60
parent 70feac5f48
11 changed files with 163 additions and 139 deletions
--- a/strongswan-4.3.4-load_secrets-dbgmsg-fix.diff
+++ b/strongswan-4.3.4-load_secrets-dbgmsg-fix.diff
@ -1,21 +0,0 @@
-From: Marius Tomaschewski <mt@suse.de>
-Date: Fri, 4 Sep 2009 11:36:36 +0200
-Subject: [PATCH] fixed open failure debug message in load_secrets
-
-
-diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
-index 68df7f0..80e3954 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
-+++ b/src/charon/plugins/stroke/stroke_cred.c
-@@ -709,7 +709,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
- 	fd = fopen(file, "r");
- 	if (fd == NULL)
- 	{
-		DBG1(DBG_CFG, "opening secrets file '%s' failed");
-+		DBG1(DBG_CFG, "opening secrets file '%s' failed", file);
- 		return;
- 	}
- 
-- 
-1.6.0.2
-
--- a/strongswan-4.3.4-load_secrets-lock-fix.diff
+++ b/strongswan-4.3.4-load_secrets-lock-fix.diff
@ -1,38 +0,0 @@
-From: Marius Tomaschewski <mt@suse.de>
-Date: Wed, 2 Sep 2009 13:49:39 +0200
-Subject: [PATCH] Fixed load_secrets to acquire/release lock in level 0 only
-
-The write_lock call fails with EDEADLK and unlocks in the
-next recursion level.
-
-diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
-index 31bcfe9f486f4dac0ae30bc5846ed3d818526dbb..68df7f0b6d709c396d7a572ca4d0198ef12b2446 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
-+++ b/src/charon/plugins/stroke/stroke_cred.c
-@@ -722,9 +722,10 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
- 	fclose(fd);
- 	src = chunk;
- 
-	this->lock->write_lock(this->lock);
- 	if (level == 0)
- 	{
-+		this->lock->write_lock(this->lock);
-+
- 		/* flush secrets on non-recursive invocation */
- 		while (this->shared->remove_last(this->shared,
- 										 (void**)&shared) == SUCCESS)
-@@ -1019,7 +1020,10 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
- 		}
- 	}
- error:
-	this->lock->unlock(this->lock);
-+	if (level == 0)
-+	{
-+		this->lock->unlock(this->lock);
-+	}
- 	chunk_clear(&chunk);
- }
- 
-- 
-1.6.0.2
-
--- a/strongswan-4.3.4.tar.bz2
+++ b/strongswan-4.3.4.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6073c244232f2e741233533fd4a13498421398174757c5e42a51afa4bf16600c
-size 2680982
--- a/strongswan-4.3.4.tar.bz2.sig
+++ b/strongswan-4.3.4.tar.bz2.sig
@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-iQGcBAABAgAGBQJKipUyAAoJEN9CwXCzTbp3pWwL/1yfdFPb7OYbldsXDSJASBNU
-8jydSEnx4hJnbrf98sogQZSUvWtAXulqfo0QUXPICVtgw7cJ7r0Yfuc7FORy/a6L
-Dfqt2dQGfB3Kl0CZlmBtdisCKPRm6+qLrUPKM0XtZM0cmdp9xjErzCYLrPTciO6I
-vbVa+LAjl8SStoy1N75mMeLkZR+tXeqkg2p6ULbkJx8+b0igEM+oyQJWHTLkOuP5
-Q0pohbJywvNcYylQIua6S2HyMJUiCr009tnNhWeR8Wk/44h++HFpd7fE8rCGnpvH
-teQnCojUU4h4JsWjrwMaDjkrhUsU5NLJV6ib9DAi7EI2cv5OnPujf6wZpIEip3j2
-BgM5Jh7IahnEDPGolVJxKG/48b7hvJ7WF5DYYr3sgl9mSsH5CfqGLZPVFdHi05NV
-W7tZu2GbyGEx4XYik21fx3vjyQslyzZUspa8/apRPnTfsOfeLLFD24Q7xjd6i0+t
-T15gr4/O78rDttgLyShQFpd81iUGqwu2VbXMobGokg==
-=9hsf
-----END PGP SIGNATURE-----
--- a/strongswan-4.3.6-rpmlintrc
+++ b/strongswan-4.3.6-rpmlintrc
--- a/strongswan-4.3.6-time_t_ptr.diff
+++ b/strongswan-4.3.6-time_t_ptr.diff
@ -0,0 +1,11 @@
+--- src/pluto/timer.c
+++ src/pluto/timer.c	2010/03/02 17:03:41
+@@ -48,7 +48,7 @@ time_t now(void)
+ {
+ 	static time_t delta = 0
+ 		, last_time = 0;
+-	time_t n = time((time_t)NULL);
+	time_t n = time((time_t *)NULL);
+ 
+ 	passert(n != (time_t)-1);
+ 	if (last_time > n)
--- a/strongswan-4.3.6.tar.bz2
+++ b/strongswan-4.3.6.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:39a311c62f4f2474faf239c0edf6518a14a953b9c2092bbfa473cd34dcb8f5e7
+size 2831944
--- a/strongswan-4.3.6.tar.bz2.sig
+++ b/strongswan-4.3.6.tar.bz2.sig
@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+iQGcBAABAgAGBQJLcr+BAAoJEN9CwXCzTbp3fp4L/js5E69jqpEIKe82amRjLewK
+orEWWfaXq7p/Ob8KYICUBt4lXtDNka8NspMZ88bWTUYLkDMTITBB9JiYVu2NXTYY
+6CQAR9eNB6E+uOOkj6udU1Y/dt+MY5uvbrjOgTN2Kcue+AlVrngSuruN71r+GOnD
+vWDf6AxU8LtiPUaY8WTC7Nn8Qgi1g10I5HXn5D6QN6Cz4oWf/hx1VvOZ1s7gTekW
+4E/V2ladLFKhXIC2D3tUn5J8FwKXFyqdooBnWvqhrDidNEQ8CDr62lkfOwJ3/qTP
+wpvQkwlOdX5TQQJAaYeW/S39MorK/E10lZWvkF/rkW6vGU5pgQkfGyozP6O/A4w5
+MkRtCsbcbtRIDicsYj4oX+2SiazZtmB5eMVc6SO0GT0dXgEMTGUKC3ezUV03LwXR
+PiWLVtrlqnVMxyzfr59HFd8B9c7l5rXcyYpYpspWlfdDM6K83NTOydn4i6HT1DgZ
+x5QkqBzdcH7dUmyZmRRUoopNtTRiu4+nmKmHugzrgA==
+=n9aW
+-----END PGP SIGNATURE-----
--- a/strongswan.changes
+++ b/strongswan.changes
@ -1,3 +1,103 @@
+-------------------------------------------------------------------
+Tue Mar  2 21:42:10 CET 2010 - mt@suse.de
+
+- Updated to strongSwan 4.3.6 release, changes since 4.3.4 are:
+  * The IKEv2 daemon supports RFC 3779 IP address block constraints
+  carried as a critical X.509v3 extension in the peer certificate.
+  * The ipsec pool --add|del dns|nbns command manages DNS and NBNS
+  name server entries that are sent via the IKEv1 Mode Config or
+  IKEv2 Configuration Payload to remote clients.
+  * The Camellia cipher can be used as an IKEv1 encryption algorithm.
+  * The IKEv1 and IKEV2 daemons now check certificate path length
+  constraints.
+  * The new ipsec.conf conn option "inactivity" closes a CHILD_SA if
+  no traffic was sent or received within the given interval. To close
+  the complete IKE_SA if its only CHILD_SA was inactive, set the
+  global strongswan.conf option "charon.inactivity_close_ike" to yes.
+  * More detailed IKEv2 EAP payload information in debug output
+  * IKEv2 EAP-SIM and EAP-AKA share joint libsimaka library
+  * Added required userland changes for proper SHA256 and SHA384/512
+  in ESP that will be introduced with Linux 2.6.33.
+  The "sha256"/"sha2_256" keyword now configures the kernel with 128
+  bit truncation, not the non-standard 96 bit truncation used by
+  previous releases. To use the old 96 bit truncation scheme, the new
+  "sha256_96" proposal keyword has been introduced.
+  * Fixed IPComp in tunnel mode, stripping out the duplicated outer
+  header. This change makes IPcomp tunnel mode connections
+  incompatible with previous releases; disable compression on such
+  tunnels.
+  * Fixed BEET mode connections on recent kernels by installing SAs
+  with appropriate traffic selectors, based on a patch by Michael
+  Rossberg.
+  * Using extensions (such as BEET mode) and crypto algorithms (such
+  as twofish, serpent, sha256_96) allocated in the private use space
+  now require that we know its meaning, i.e. we are talking to
+  strongSwan. Use the new "charon.send_vendor_id" option in
+  strongswan.conf to let the remote peer know this is the case.
+  * Experimental support for draft-eronen-ipsec-ikev2-eap-auth, where
+  the responder omits public key authentication in favor of a mutual
+  authentication method. To enable EAP-only authentication, set
+  rightauth=eap on the responder to rely only on the MSK constructed
+  AUTH payload. This not-yet standardized extension requires the
+  strongSwan vendor ID introduced above.
+  * The IKEv1 daemon ignores the Juniper SRX notification type 40001,
+  thus allowing interoperability.
+  * The IKEv1 pluto daemon can now use SQL-based address pools to
+  deal out virtual IP addresses as a Mode Config server. The pool
+  capability has been migrated from charon's sql plugin to a new
+  attr-sql plugin which is loaded by libstrongswan and which can be
+  used by both daemons either with a SQLite or MySQL database and the
+  corresponding plugin.
+  * Plugin names have been streamlined: EAP plugins now have a dash
+  after eap (e.g. eap-sim), as it is used with the --enable-eap-sim
+  ./configure option.
+  Plugin configuration sections in strongswan.conf now use the same
+  name as the plugin itself (i.e. with a dash). Make sure to update
+  "load" directives and the affected plugin sections in existing
+  strongswan.conf files.
+  * The private/public key parsing and encoding has been split up
+  into separate pkcs1, pgp, pem and dnskey plugins. The public key
+  implementation plugins gmp, gcrypt and openssl can all make use
+  of them.
+  * The EAP-AKA plugin can use different backends for USIM/quintuplet
+  calculations, very similar to the EAP-SIM plugin. The existing 3GPP2
+  software implementation has been migrated to a separate plugin.
+  * The IKEv2 daemon charon gained basic PGP support. It can use
+  locally installed peer certificates and can issue signatures based
+  on RSA private keys.
+  * The new 'ipsec pki' tool provides a set of commands to maintain a
+  public key infrastructure. It currently supports operations to
+  create RSA and ECDSA private/public keys, calculate fingerprints and
+  issue or verify certificates.
+  * Charon uses a monotonic time source for statistics and job
+  queueing, behaving correctly if the system time changes (e.g. when
+  using NTP).
+  * In addition to time based rekeying, charon supports IPsec SA
+  lifetimes based on processed volume or number of packets.
+  They new ipsec.conf paramaters 'lifetime' (an alias to 'keylife'),
+  'lifebytes' and 'lifepackets' handle SA timeouts, while the
+  parameters 'margintime' (an alias to rekeymargin), 'marginbytes'
+  and 'marginpackets' trigger the rekeying before a SA expires.
+  The existing parameter 'rekeyfuzz' affects all margins.
+  * If no CA/Gateway certificate is specified in the NetworkManager
+  plugin, charon uses a set of trusted root certificates preinstalled
+  by distributions. The directory containing CA certificates can be
+  specified using the --with-nm-ca-dir=path configure option.
+  * Fixed the encoding of the Email relative distinguished name in
+  left|rightid statements.
+  * Fixed the broken parsing of PKCS#7 wrapped certificates by the
+  pluto daemon.
+  * Fixed smartcard-based authentication in the pluto daemon which
+  was broken by the ECDSA support introduced with the 4.3.2 release.
+  * A patch contributed by Heiko Hund fixes mixed IPv6 in IPv4 and
+  vice versa tunnels established with the IKEv1 pluto daemon.
+  * The pluto daemon now uses the libstrongswan x509 plugin for
+  certificates and CRls and the struct id type was replaced by
+  identification_t used by charon and the libstrongswan library.
+- Removed obsolete load_secrets patches, refreshed modprobe patch.
+- Corrected a time_t cast reported by rpmlint (timer.c:51)
+- Disabled libtoolize call and the gcrypt plugin on SLE 10.
+
 -------------------------------------------------------------------
 Fri Sep  4 12:56:59 CEST 2009 - mt@suse.de

--- a/strongswan.spec
+++ b/strongswan.spec
@ -1,7 +1,7 @@
 #
-# spec file for package strongswan (Version 4.3.4)
+# spec file for package strongswan (Version 4.3.6)
 #
-# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -19,11 +19,11 @@


 Name:           strongswan
-%define         upstream_version 4.3.4
+%define         upstream_version 4.3.6
 %define         strongswan_docdir %{_docdir}/%{name}
-Version:        4.3.4
-Release:        3
-License:        GPL v2 or later
+Version:        4.3.6
+Release:        1
+License:        GPLv2+
 Group:          Productivity/Networking/Security
 Summary:        StrongSwan -- OpenSource IPsec-based VPN Solution
 Url:            http://www.strongswan.org/
@ -38,8 +38,7 @@ Source1:        http://download.strongswan.org/strongswan-%{upstream_version}.ta
 Source2:        %{name}.init.in
 Source3:        %{name}-%{version}-rpmlintrc
 Patch1:         %{name}_modprobe_syslog.patch
-Patch2:         %{name}-4.3.4-load_secrets-lock-fix.diff
-Patch3:         %{name}-4.3.4-load_secrets-dbgmsg-fix.diff
+Patch2:         strongswan-4.3.6-time_t_ptr.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison flex gmp-devel gperf pkg-config
 BuildRequires:  libcap-devel
@ -51,59 +50,31 @@ BuildRequires:  curl-devel
 %description
 StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

-* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec)
-   kernels
-
-* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange
-   protocols
-
-* NEW: Fully tested support of IPv6 IPsec tunnel connections
-
-* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC
-   4555)
-
-* Fast connection startup and periodic update using ipsec starter
-
-* Automatic insertion and deletion of IPsec policy based firewall
-   rules
-
-* Strong 3DES, AES, Serpent, Twofish, or Blowfish encryption
-
+* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels
+* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
+* Fully tested support of IPv6 IPsec tunnel and transport connections
+* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555)
+* Automatic insertion and deletion of IPsec-policy-based firewall rules
+* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
 * NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
-
-* Static Virtual IPs and IKE Mode Config Pull and Push modes
-
-* XAUTH server and client functionality on top of IKE Main Mode
-   authentication
-
 * Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
-
+* Static virtual IPs and IKEv1 ModeConfig pull and push modes
+* XAUTH server and client functionality on top of IKEv1 Main Mode authentication
+* Virtual IP address pool managed by IKE daemon or SQL database
+* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
+* Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
+* Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
 * Authentication based on X.509 certificates or preshared keys
-
-* Generation of a default self-signed certificate during first
-   strongSwan startup
-
-* Retrieval and local caching of Certificate Revocation Lists via
-   HTTP or LDAP
-
-* Full support of the Online Certificate Status Protocol (OCSP, RCF
-   2560).
-
+* Generation of a default self-signed certificate during first strongSwan startup
+* Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
+* Full support of the Online Certificate Status Protocol (OCSP, RCF 2560).
 * CA management (OCSP and CRL URIs, default LDAP server)
-
 * Powerful IPsec policies based on wildcards or intermediate CAs
-
-* Group policies based on X.509 attribute certificates ( RFC 3281)
-
-* Optional storage of RSA private keys and certificates on a
-   smartcard
-
-* Smartcard access via standardized PKCS #11 interface
-
-* PKCS #11 proxy function offering RSA decryption services via whack
-
-* NEW: strongSwan Manager - a graphical management interface for IKEv2
-
+* Group policies based on X.509 attribute certificates (RFC 3281)
+* Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
+* Modular plugins for crypto algorithms and relational database interfaces
+* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
+* Optional built-in integrity and crypto tests for plugins and libraries


 Authors:
@ -112,7 +83,7 @@ Authors:
    and others

 %package doc
-License:        GPL v2 or later
+License:        GPLv2+
 Summary:        StrongSwan -- OpenSource IPsec-based VPN Solution
 Group:          Productivity/Networking/Security

@ -131,8 +102,7 @@ Authors:
 %prep
 %setup -q -n %{name}-%{upstream_version}
 %patch1 -p0
-%patch2 -p1
-%patch3 -p1
+%patch2 -p0
 sed -e 's|@libexecdir@|%_libexecdir|g'    \
     < $RPM_SOURCE_DIR/strongswan.init.in \
     > strongswan.init
@ -140,7 +110,7 @@ sed -e 's|@libexecdir@|%_libexecdir|g'    \
 %build
 CFLAGS="$RPM_OPT_FLAGS -W -Wall -Wno-pointer-sign -Wno-strict-aliasing"
 export RPM_OPT_FLAGS CFLAGS
-libtoolize --force
+#libtoolize --force
 %{?suse_update_config:%{suse_update_config -f}}
 autoreconf
 %configure \
@ -151,7 +121,9 @@ autoreconf
 	--with-default-pkcs11=%{_libdir}/opensc-pkcs11.so \
 	--enable-cisco-quirks \
 	--enable-openssl \
+%if 0%{suse_version} >= 1110
 	--enable-gcrypt \
+%endif
 	--enable-ldap \
 	--enable-curl
 make %{?_smp_mflags:%_smp_mflags}
--- a/strongswan_modprobe_syslog.patch
+++ b/strongswan_modprobe_syslog.patch
@ -1,5 +1,5 @@
 --- src/starter/klips.c
-+++ src/starter/klips.c
+++ src/starter/klips.c	2010/03/02 16:43:05
@@ -34,7 +34,7 @@ starter_klips_init(void)
 		/* ipsec module makes the pf_key proc interface visible */
 		if (stat(PROC_MODULES, &stb) == 0)
@ -11,7 +11,7 @@
 		/* now test again */
@@ -48,9 +48,9 @@ starter_klips_init(void)
 	}
- 	
+ 
 	/* load crypto algorithm modules */
 -	ignore_result(system("modprobe -qv ipsec_aes"));
 -	ignore_result(system("modprobe -qv ipsec_blowfish"));
@ -23,7 +23,7 @@
 	DBG(DBG_CONTROL,
 		DBG_log("Found KLIPS IPsec stack")
 --- src/starter/netkey.c
-+++ src/starter/netkey.c
+++ src/starter/netkey.c	2010/03/02 16:43:05
@@ -34,7 +34,7 @@ starter_netkey_init(void)
 		/* af_key module makes the netkey proc interface visible */
 		if (stat(PROC_MODULES, &stb) == 0)