diff --git a/strongswan-4.3.4-load_secrets-dbgmsg-fix.diff b/strongswan-4.3.4-load_secrets-dbgmsg-fix.diff
deleted file mode 100644
index 5f902f9..0000000
--- a/strongswan-4.3.4-load_secrets-dbgmsg-fix.diff
+++ /dev/null
@@ -1,21 +0,0 @@
-From: Marius Tomaschewski
-Date: Fri, 4 Sep 2009 11:36:36 +0200
-Subject: [PATCH] fixed open failure debug message in load_secrets
-
-
-diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
-index 68df7f0..80e3954 100644
---- a/src/charon/plugins/stroke/stroke_cred.c
-+++ b/src/charon/plugins/stroke/stroke_cred.c
-@@ -709,7 +709,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
- fd = fopen(file, "r");
- if (fd == NULL)
- {
-- DBG1(DBG_CFG, "opening secrets file '%s' failed");
-+ DBG1(DBG_CFG, "opening secrets file '%s' failed", file);
- return;
- }
-
--
-1.6.0.2
-
diff --git a/strongswan-4.3.4-load_secrets-lock-fix.diff b/strongswan-4.3.4-load_secrets-lock-fix.diff
deleted file mode 100644
index e20dcaa..0000000
--- a/strongswan-4.3.4-load_secrets-lock-fix.diff
+++ /dev/null
@@ -1,38 +0,0 @@
-From: Marius Tomaschewski
-Date: Wed, 2 Sep 2009 13:49:39 +0200
-Subject: [PATCH] Fixed load_secrets to acquire/release lock in level 0 only
-
-The write_lock call fails with EDEADLK and unlocks in the
-next recursion level.
-
-diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
-index 31bcfe9f486f4dac0ae30bc5846ed3d818526dbb..68df7f0b6d709c396d7a572ca4d0198ef12b2446 100644
---- a/src/charon/plugins/stroke/stroke_cred.c
-+++ b/src/charon/plugins/stroke/stroke_cred.c
-@@ -722,9 +722,10 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
- fclose(fd);
- src = chunk;
-
-- this->lock->write_lock(this->lock);
- if (level == 0)
- {
-+ this->lock->write_lock(this->lock);
-+
- /* flush secrets on non-recursive invocation */
- while (this->shared->remove_last(this->shared,
- (void**)&shared) == SUCCESS)
-@@ -1019,7 +1020,10 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
- }
- }
- error:
-- this->lock->unlock(this->lock);
-+ if (level == 0)
-+ {
-+ this->lock->unlock(this->lock);
-+ }
- chunk_clear(&chunk);
- }
-
---
-1.6.0.2
-
diff --git a/strongswan-4.3.4.tar.bz2 b/strongswan-4.3.4.tar.bz2
deleted file mode 100644
index 1fb3bd0..0000000
--- a/strongswan-4.3.4.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6073c244232f2e741233533fd4a13498421398174757c5e42a51afa4bf16600c
-size 2680982
diff --git a/strongswan-4.3.4.tar.bz2.sig b/strongswan-4.3.4.tar.bz2.sig
deleted file mode 100644
index d7f9054..0000000
--- a/strongswan-4.3.4.tar.bz2.sig
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-iQGcBAABAgAGBQJKipUyAAoJEN9CwXCzTbp3pWwL/1yfdFPb7OYbldsXDSJASBNU
-8jydSEnx4hJnbrf98sogQZSUvWtAXulqfo0QUXPICVtgw7cJ7r0Yfuc7FORy/a6L
-Dfqt2dQGfB3Kl0CZlmBtdisCKPRm6+qLrUPKM0XtZM0cmdp9xjErzCYLrPTciO6I
-vbVa+LAjl8SStoy1N75mMeLkZR+tXeqkg2p6ULbkJx8+b0igEM+oyQJWHTLkOuP5
-Q0pohbJywvNcYylQIua6S2HyMJUiCr009tnNhWeR8Wk/44h++HFpd7fE8rCGnpvH
-teQnCojUU4h4JsWjrwMaDjkrhUsU5NLJV6ib9DAi7EI2cv5OnPujf6wZpIEip3j2
-BgM5Jh7IahnEDPGolVJxKG/48b7hvJ7WF5DYYr3sgl9mSsH5CfqGLZPVFdHi05NV
-W7tZu2GbyGEx4XYik21fx3vjyQslyzZUspa8/apRPnTfsOfeLLFD24Q7xjd6i0+t
-T15gr4/O78rDttgLyShQFpd81iUGqwu2VbXMobGokg==
-=9hsf
------END PGP SIGNATURE-----
diff --git a/strongswan-4.3.4-rpmlintrc b/strongswan-4.3.6-rpmlintrc
similarity index 100%
rename from strongswan-4.3.4-rpmlintrc
rename to strongswan-4.3.6-rpmlintrc
diff --git a/strongswan-4.3.6-time_t_ptr.diff b/strongswan-4.3.6-time_t_ptr.diff
new file mode 100644
index 0000000..c0ed607
--- /dev/null
+++ b/strongswan-4.3.6-time_t_ptr.diff
@@ -0,0 +1,11 @@
+--- src/pluto/timer.c
++++ src/pluto/timer.c 2010/03/02 17:03:41
+@@ -48,7 +48,7 @@ time_t now(void)
+ {
+ static time_t delta = 0
+ , last_time = 0;
+- time_t n = time((time_t)NULL);
++ time_t n = time((time_t *)NULL);
+
+ passert(n != (time_t)-1);
+ if (last_time > n)
diff --git a/strongswan-4.3.6.tar.bz2 b/strongswan-4.3.6.tar.bz2
new file mode 100644
index 0000000..0c65c8a
--- /dev/null
+++ b/strongswan-4.3.6.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:39a311c62f4f2474faf239c0edf6518a14a953b9c2092bbfa473cd34dcb8f5e7
+size 2831944
diff --git a/strongswan-4.3.6.tar.bz2.sig b/strongswan-4.3.6.tar.bz2.sig
new file mode 100644
index 0000000..645c744
--- /dev/null
+++ b/strongswan-4.3.6.tar.bz2.sig
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+iQGcBAABAgAGBQJLcr+BAAoJEN9CwXCzTbp3fp4L/js5E69jqpEIKe82amRjLewK
+orEWWfaXq7p/Ob8KYICUBt4lXtDNka8NspMZ88bWTUYLkDMTITBB9JiYVu2NXTYY
+6CQAR9eNB6E+uOOkj6udU1Y/dt+MY5uvbrjOgTN2Kcue+AlVrngSuruN71r+GOnD
+vWDf6AxU8LtiPUaY8WTC7Nn8Qgi1g10I5HXn5D6QN6Cz4oWf/hx1VvOZ1s7gTekW
+4E/V2ladLFKhXIC2D3tUn5J8FwKXFyqdooBnWvqhrDidNEQ8CDr62lkfOwJ3/qTP
+wpvQkwlOdX5TQQJAaYeW/S39MorK/E10lZWvkF/rkW6vGU5pgQkfGyozP6O/A4w5
+MkRtCsbcbtRIDicsYj4oX+2SiazZtmB5eMVc6SO0GT0dXgEMTGUKC3ezUV03LwXR
+PiWLVtrlqnVMxyzfr59HFd8B9c7l5rXcyYpYpspWlfdDM6K83NTOydn4i6HT1DgZ
+x5QkqBzdcH7dUmyZmRRUoopNtTRiu4+nmKmHugzrgA==
+=n9aW
+-----END PGP SIGNATURE-----
diff --git a/strongswan.changes b/strongswan.changes
index b4bd037..b4ceacb 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,103 @@
+-------------------------------------------------------------------
+Tue Mar 2 21:42:10 CET 2010 - mt@suse.de
+
+- Updated to strongSwan 4.3.6 release, changes since 4.3.4 are:
+ * The IKEv2 daemon supports RFC 3779 IP address block constraints
+ carried as a critical X.509v3 extension in the peer certificate.
+ * The ipsec pool --add|del dns|nbns command manages DNS and NBNS
+ name server entries that are sent via the IKEv1 Mode Config or
+ IKEv2 Configuration Payload to remote clients.
+ * The Camellia cipher can be used as an IKEv1 encryption algorithm.
+ * The IKEv1 and IKEV2 daemons now check certificate path length
+ constraints.
+ * The new ipsec.conf conn option "inactivity" closes a CHILD_SA if
+ no traffic was sent or received within the given interval. To close
+ the complete IKE_SA if its only CHILD_SA was inactive, set the
+ global strongswan.conf option "charon.inactivity_close_ike" to yes.
+ * More detailed IKEv2 EAP payload information in debug output
+ * IKEv2 EAP-SIM and EAP-AKA share joint libsimaka library
+ * Added required userland changes for proper SHA256 and SHA384/512
+ in ESP that will be introduced with Linux 2.6.33.
+ The "sha256"/"sha2_256" keyword now configures the kernel with 128
+ bit truncation, not the non-standard 96 bit truncation used by
+ previous releases. To use the old 96 bit truncation scheme, the new
+ "sha256_96" proposal keyword has been introduced.
+ * Fixed IPComp in tunnel mode, stripping out the duplicated outer
+ header. This change makes IPcomp tunnel mode connections
+ incompatible with previous releases; disable compression on such
+ tunnels.
+ * Fixed BEET mode connections on recent kernels by installing SAs
+ with appropriate traffic selectors, based on a patch by Michael
+ Rossberg.
+ * Using extensions (such as BEET mode) and crypto algorithms (such
+ as twofish, serpent, sha256_96) allocated in the private use space
+ now require that we know its meaning, i.e. we are talking to
+ strongSwan. Use the new "charon.send_vendor_id" option in
+ strongswan.conf to let the remote peer know this is the case.
+ * Experimental support for draft-eronen-ipsec-ikev2-eap-auth, where
+ the responder omits public key authentication in favor of a mutual
+ authentication method. To enable EAP-only authentication, set
+ rightauth=eap on the responder to rely only on the MSK constructed
+ AUTH payload. This not-yet standardized extension requires the
+ strongSwan vendor ID introduced above.
+ * The IKEv1 daemon ignores the Juniper SRX notification type 40001,
+ thus allowing interoperability.
+ * The IKEv1 pluto daemon can now use SQL-based address pools to
+ deal out virtual IP addresses as a Mode Config server. The pool
+ capability has been migrated from charon's sql plugin to a new
+ attr-sql plugin which is loaded by libstrongswan and which can be
+ used by both daemons either with a SQLite or MySQL database and the
+ corresponding plugin.
+ * Plugin names have been streamlined: EAP plugins now have a dash
+ after eap (e.g. eap-sim), as it is used with the --enable-eap-sim
+ ./configure option.
+ Plugin configuration sections in strongswan.conf now use the same
+ name as the plugin itself (i.e. with a dash). Make sure to update
+ "load" directives and the affected plugin sections in existing
+ strongswan.conf files.
+ * The private/public key parsing and encoding has been split up
+ into separate pkcs1, pgp, pem and dnskey plugins. The public key
+ implementation plugins gmp, gcrypt and openssl can all make use
+ of them.
+ * The EAP-AKA plugin can use different backends for USIM/quintuplet
+ calculations, very similar to the EAP-SIM plugin. The existing 3GPP2
+ software implementation has been migrated to a separate plugin.
+ * The IKEv2 daemon charon gained basic PGP support. It can use
+ locally installed peer certificates and can issue signatures based
+ on RSA private keys.
+ * The new 'ipsec pki' tool provides a set of commands to maintain a
+ public key infrastructure. It currently supports operations to
+ create RSA and ECDSA private/public keys, calculate fingerprints and
+ issue or verify certificates.
+ * Charon uses a monotonic time source for statistics and job
+ queueing, behaving correctly if the system time changes (e.g. when
+ using NTP).
+ * In addition to time based rekeying, charon supports IPsec SA
+ lifetimes based on processed volume or number of packets.
+ They new ipsec.conf paramaters 'lifetime' (an alias to 'keylife'),
+ 'lifebytes' and 'lifepackets' handle SA timeouts, while the
+ parameters 'margintime' (an alias to rekeymargin), 'marginbytes'
+ and 'marginpackets' trigger the rekeying before a SA expires.
+ The existing parameter 'rekeyfuzz' affects all margins.
+ * If no CA/Gateway certificate is specified in the NetworkManager
+ plugin, charon uses a set of trusted root certificates preinstalled
+ by distributions. The directory containing CA certificates can be
+ specified using the --with-nm-ca-dir=path configure option.
+ * Fixed the encoding of the Email relative distinguished name in
+ left|rightid statements.
+ * Fixed the broken parsing of PKCS#7 wrapped certificates by the
+ pluto daemon.
+ * Fixed smartcard-based authentication in the pluto daemon which
+ was broken by the ECDSA support introduced with the 4.3.2 release.
+ * A patch contributed by Heiko Hund fixes mixed IPv6 in IPv4 and
+ vice versa tunnels established with the IKEv1 pluto daemon.
+ * The pluto daemon now uses the libstrongswan x509 plugin for
+ certificates and CRls and the struct id type was replaced by
+ identification_t used by charon and the libstrongswan library.
+- Removed obsolete load_secrets patches, refreshed modprobe patch.
+- Corrected a time_t cast reported by rpmlint (timer.c:51)
+- Disabled libtoolize call and the gcrypt plugin on SLE 10.
+
-------------------------------------------------------------------
Fri Sep 4 12:56:59 CEST 2009 - mt@suse.de
diff --git a/strongswan.spec b/strongswan.spec
index 0e2028d..3f2c1a5 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -1,7 +1,7 @@
#
-# spec file for package strongswan (Version 4.3.4)
+# spec file for package strongswan (Version 4.3.6)
#
-# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -19,11 +19,11 @@ Name: strongswan
-%define upstream_version 4.3.4
+%define upstream_version 4.3.6
%define strongswan_docdir %{_docdir}/%{name}
-Version: 4.3.4
-Release: 3
-License: GPL v2 or later
+Version: 4.3.6
+Release: 1
+License: GPLv2+
Group: Productivity/Networking/Security
Summary: StrongSwan -- OpenSource IPsec-based VPN Solution
Url: http://www.strongswan.org/
@@ -38,8 +38,7 @@ Source1: http://download.strongswan.org/strongswan-%{upstream_version}.ta
Source2: %{name}.init.in
Source3: %{name}-%{version}-rpmlintrc
Patch1: %{name}_modprobe_syslog.patch
-Patch2: %{name}-4.3.4-load_secrets-lock-fix.diff
-Patch3: %{name}-4.3.4-load_secrets-dbgmsg-fix.diff
+Patch2: strongswan-4.3.6-time_t_ptr.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: bison flex gmp-devel gperf pkg-config
BuildRequires: libcap-devel
@@ -51,59 +50,31 @@ BuildRequires: curl-devel
%description
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
-* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec)
- kernels
-
-* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange
- protocols
-
-* NEW: Fully tested support of IPv6 IPsec tunnel connections
-
-* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC
- 4555)
-
-* Fast connection startup and periodic update using ipsec starter
-
-* Automatic insertion and deletion of IPsec policy based firewall
- rules
-
-* Strong 3DES, AES, Serpent, Twofish, or Blowfish encryption
-
+* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels
+* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
+* Fully tested support of IPv6 IPsec tunnel and transport connections
+* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555)
+* Automatic insertion and deletion of IPsec-policy-based firewall rules
+* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
* NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
-
-* Static Virtual IPs and IKE Mode Config Pull and Push modes
-
-* XAUTH server and client functionality on top of IKE Main Mode
- authentication
-
* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
-
+* Static virtual IPs and IKEv1 ModeConfig pull and push modes
+* XAUTH server and client functionality on top of IKEv1 Main Mode authentication
+* Virtual IP address pool managed by IKE daemon or SQL database
+* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
+* Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
+* Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
* Authentication based on X.509 certificates or preshared keys
-
-* Generation of a default self-signed certificate during first
- strongSwan startup
-
-* Retrieval and local caching of Certificate Revocation Lists via
- HTTP or LDAP
-
-* Full support of the Online Certificate Status Protocol (OCSP, RCF
- 2560).
-
+* Generation of a default self-signed certificate during first strongSwan startup
+* Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
+* Full support of the Online Certificate Status Protocol (OCSP, RCF 2560).
* CA management (OCSP and CRL URIs, default LDAP server)
-
* Powerful IPsec policies based on wildcards or intermediate CAs
-
-* Group policies based on X.509 attribute certificates ( RFC 3281)
-
-* Optional storage of RSA private keys and certificates on a
- smartcard
-
-* Smartcard access via standardized PKCS #11 interface
-
-* PKCS #11 proxy function offering RSA decryption services via whack
-
-* NEW: strongSwan Manager - a graphical management interface for IKEv2
-
+* Group policies based on X.509 attribute certificates (RFC 3281)
+* Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
+* Modular plugins for crypto algorithms and relational database interfaces
+* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
+* Optional built-in integrity and crypto tests for plugins and libraries
Authors:
@@ -112,7 +83,7 @@ Authors:
and others
%package doc
-License: GPL v2 or later
+License: GPLv2+
Summary: StrongSwan -- OpenSource IPsec-based VPN Solution
Group: Productivity/Networking/Security
@@ -131,8 +102,7 @@ Authors:
%prep
%setup -q -n %{name}-%{upstream_version}
%patch1 -p0
-%patch2 -p1
-%patch3 -p1
+%patch2 -p0
sed -e 's|@libexecdir@|%_libexecdir|g' \
< $RPM_SOURCE_DIR/strongswan.init.in \
> strongswan.init
@@ -140,7 +110,7 @@ sed -e 's|@libexecdir@|%_libexecdir|g' \ %build CFLAGS="$RPM_OPT_FLAGS -W -Wall -Wno-pointer-sign -Wno-strict-aliasing" export RPM_OPT_FLAGS CFLAGS -libtoolize --force +#libtoolize --force %{?suse_update_config:%{suse_update_config -f}} autoreconf %configure \ @@ -151,7 +121,9 @@ autoreconf --with-default-pkcs11=%{_libdir}/opensc-pkcs11.so \ --enable-cisco-quirks \ --enable-openssl \ +%if 0%{suse_version} >= 1110 --enable-gcrypt \ +%endif --enable-ldap \ --enable-curl make %{?_smp_mflags:%_smp_mflags} diff --git a/strongswan_modprobe_syslog.patch b/strongswan_modprobe_syslog.patch index 638a943..26817fe 100644 --- a/strongswan_modprobe_syslog.patch +++ b/strongswan_modprobe_syslog.patch @@ -1,5 +1,5 @@ --- src/starter/klips.c -+++ src/starter/klips.c ++++ src/starter/klips.c 2010/03/02 16:43:05 @@ -34,7 +34,7 @@ starter_klips_init(void) /* ipsec module makes the pf_key proc interface visible */ if (stat(PROC_MODULES, &stb) == 0) @@ -11,7 +11,7 @@ /* now test again */ @@ -48,9 +48,9 @@ starter_klips_init(void) } - + /* load crypto algorithm modules */ - ignore_result(system("modprobe -qv ipsec_aes")); - ignore_result(system("modprobe -qv ipsec_blowfish")); @@ -23,7 +23,7 @@ DBG(DBG_CONTROL, DBG_log("Found KLIPS IPsec stack") --- src/starter/netkey.c -+++ src/starter/netkey.c ++++ src/starter/netkey.c 2010/03/02 16:43:05 @@ -34,7 +34,7 @@ starter_netkey_init(void) /* af_key module makes the netkey proc interface visible */ if (stat(PROC_MODULES, &stb) == 0)
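Review bot: The libtoolize step in %build is disabled by commenting it out, `#libtoolize --force`, rather than being removed or guarded, which leaves dead text in the spec with no record of why it went. The changelog hunk in this commit describes it as "Disabled libtoolize call and the gcrypt plugin on SLE 10", yet only gcrypt is actually conditional (the `%if 0%{suse_version} >= 1110` / `%endif` pair around `--enable-gcrypt` in the following hunk) while the libtoolize call is off for every target. If SLE 10 is the real trigger, put the call under the same guard, `%if 0%{suse_version} >= 1110` / `libtoolize --force` / `%endif`; if it is obsolete on all targets, delete the line instead. Whether the bare `autoreconf` two lines below still regenerates the libtool support files on its own is not visible here and is worth confirming on a build before relying on it; the %build section continues outside the hunk.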