Accepting request 33800 from network:vpn

Copy from network:vpn/strongswan based on submit request 33800 from user mtomaschewski OBS-URL: https://build.opensuse.org/request/show/33800 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=19
2010-03-05 10:51:28 +00:00 · 2010-03-05 10:51:28 +00:00 · cf104ead60
commit cf104ead60
parent 70feac5f48
11 changed files with 163 additions and 139 deletions
--- a/strongswan-4.3.4-load_secrets-dbgmsg-fix.diff
+++ b/strongswan-4.3.4-load_secrets-dbgmsg-fix.diff
@ -1,21 +0,0 @@
 From: Marius Tomaschewski <mt@suse.de>
 Date: Fri, 4 Sep 2009 11:36:36 +0200
 Subject: [PATCH] fixed open failure debug message in load_secrets
 diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
 index 68df7f0..80e3954 100644
 --- a/src/charon/plugins/stroke/stroke_cred.c
 +++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -709,7 +709,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 	fd = fopen(file, "r");
 	if (fd == NULL)
 	{
 -		DBG1(DBG_CFG, "opening secrets file '%s' failed");
 +		DBG1(DBG_CFG, "opening secrets file '%s' failed", file);
 		return;
 	}
 -- 
 1.6.0.2
--- a/strongswan-4.3.4-load_secrets-lock-fix.diff
+++ b/strongswan-4.3.4-load_secrets-lock-fix.diff
@ -1,38 +0,0 @@
 From: Marius Tomaschewski <mt@suse.de>
 Date: Wed, 2 Sep 2009 13:49:39 +0200
 Subject: [PATCH] Fixed load_secrets to acquire/release lock in level 0 only
 The write_lock call fails with EDEADLK and unlocks in the
 next recursion level.
 diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
 index 31bcfe9f486f4dac0ae30bc5846ed3d818526dbb..68df7f0b6d709c396d7a572ca4d0198ef12b2446 100644
 --- a/src/charon/plugins/stroke/stroke_cred.c
 +++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -722,9 +722,10 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 	fclose(fd);
 	src = chunk;
 -	this->lock->write_lock(this->lock);
 	if (level == 0)
 	{
 +		this->lock->write_lock(this->lock);
 +
 		/* flush secrets on non-recursive invocation */
 		while (this->shared->remove_last(this->shared,
 										 (void**)&shared) == SUCCESS)
@@ -1019,7 +1020,10 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
 		}
 	}
 error:
 -	this->lock->unlock(this->lock);
 +	if (level == 0)
 +	{
 +		this->lock->unlock(this->lock);
 +	}
 	chunk_clear(&chunk);
 }
 -- 
 1.6.0.2
--- a/strongswan-4.3.4.tar.bz2
+++ b/strongswan-4.3.4.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:6073c244232f2e741233533fd4a13498421398174757c5e42a51afa4bf16600c
 size 2680982
--- a/strongswan-4.3.4.tar.bz2.sig
+++ b/strongswan-4.3.4.tar.bz2.sig
@ -1,14 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.9 (GNU/Linux)
 iQGcBAABAgAGBQJKipUyAAoJEN9CwXCzTbp3pWwL/1yfdFPb7OYbldsXDSJASBNU
 8jydSEnx4hJnbrf98sogQZSUvWtAXulqfo0QUXPICVtgw7cJ7r0Yfuc7FORy/a6L
 Dfqt2dQGfB3Kl0CZlmBtdisCKPRm6+qLrUPKM0XtZM0cmdp9xjErzCYLrPTciO6I
 vbVa+LAjl8SStoy1N75mMeLkZR+tXeqkg2p6ULbkJx8+b0igEM+oyQJWHTLkOuP5
 Q0pohbJywvNcYylQIua6S2HyMJUiCr009tnNhWeR8Wk/44h++HFpd7fE8rCGnpvH
 teQnCojUU4h4JsWjrwMaDjkrhUsU5NLJV6ib9DAi7EI2cv5OnPujf6wZpIEip3j2
 BgM5Jh7IahnEDPGolVJxKG/48b7hvJ7WF5DYYr3sgl9mSsH5CfqGLZPVFdHi05NV
 W7tZu2GbyGEx4XYik21fx3vjyQslyzZUspa8/apRPnTfsOfeLLFD24Q7xjd6i0+t
 T15gr4/O78rDttgLyShQFpd81iUGqwu2VbXMobGokg==
 =9hsf
 -----END PGP SIGNATURE-----
--- a/strongswan-4.3.6-rpmlintrc
+++ b/strongswan-4.3.6-rpmlintrc
--- a/strongswan-4.3.6-time_t_ptr.diff
+++ b/strongswan-4.3.6-time_t_ptr.diff
@ -0,0 +1,11 @@
 --- src/pluto/timer.c
 +++ src/pluto/timer.c	2010/03/02 17:03:41
@@ -48,7 +48,7 @@ time_t now(void)
 {
 	static time_t delta = 0
 		, last_time = 0;
 -	time_t n = time((time_t)NULL);
 +	time_t n = time((time_t *)NULL);
 	passert(n != (time_t)-1);
 	if (last_time > n)
--- a/strongswan-4.3.6.tar.bz2
+++ b/strongswan-4.3.6.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:39a311c62f4f2474faf239c0edf6518a14a953b9c2092bbfa473cd34dcb8f5e7
 size 2831944
--- a/strongswan-4.3.6.tar.bz2.sig
+++ b/strongswan-4.3.6.tar.bz2.sig
@ -0,0 +1,14 @@
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.9 (GNU/Linux)
 iQGcBAABAgAGBQJLcr+BAAoJEN9CwXCzTbp3fp4L/js5E69jqpEIKe82amRjLewK
 orEWWfaXq7p/Ob8KYICUBt4lXtDNka8NspMZ88bWTUYLkDMTITBB9JiYVu2NXTYY
 6CQAR9eNB6E+uOOkj6udU1Y/dt+MY5uvbrjOgTN2Kcue+AlVrngSuruN71r+GOnD
 vWDf6AxU8LtiPUaY8WTC7Nn8Qgi1g10I5HXn5D6QN6Cz4oWf/hx1VvOZ1s7gTekW
 4E/V2ladLFKhXIC2D3tUn5J8FwKXFyqdooBnWvqhrDidNEQ8CDr62lkfOwJ3/qTP
 wpvQkwlOdX5TQQJAaYeW/S39MorK/E10lZWvkF/rkW6vGU5pgQkfGyozP6O/A4w5
 MkRtCsbcbtRIDicsYj4oX+2SiazZtmB5eMVc6SO0GT0dXgEMTGUKC3ezUV03LwXR
 PiWLVtrlqnVMxyzfr59HFd8B9c7l5rXcyYpYpspWlfdDM6K83NTOydn4i6HT1DgZ
 x5QkqBzdcH7dUmyZmRRUoopNtTRiu4+nmKmHugzrgA==
 =n9aW
 -----END PGP SIGNATURE-----
--- a/strongswan.changes
+++ b/strongswan.changes
@ -1,3 +1,103 @@
 -------------------------------------------------------------------
 Tue Mar  2 21:42:10 CET 2010 - mt@suse.de
 - Updated to strongSwan 4.3.6 release, changes since 4.3.4 are:
  * The IKEv2 daemon supports RFC 3779 IP address block constraints
  carried as a critical X.509v3 extension in the peer certificate.
  * The ipsec pool --add|del dns|nbns command manages DNS and NBNS
  name server entries that are sent via the IKEv1 Mode Config or
  IKEv2 Configuration Payload to remote clients.
  * The Camellia cipher can be used as an IKEv1 encryption algorithm.
  * The IKEv1 and IKEV2 daemons now check certificate path length
  constraints.
  * The new ipsec.conf conn option "inactivity" closes a CHILD_SA if
  no traffic was sent or received within the given interval. To close
  the complete IKE_SA if its only CHILD_SA was inactive, set the
  global strongswan.conf option "charon.inactivity_close_ike" to yes.
  * More detailed IKEv2 EAP payload information in debug output
  * IKEv2 EAP-SIM and EAP-AKA share joint libsimaka library
  * Added required userland changes for proper SHA256 and SHA384/512
  in ESP that will be introduced with Linux 2.6.33.
  The "sha256"/"sha2_256" keyword now configures the kernel with 128
  bit truncation, not the non-standard 96 bit truncation used by
  previous releases. To use the old 96 bit truncation scheme, the new
  "sha256_96" proposal keyword has been introduced.
  * Fixed IPComp in tunnel mode, stripping out the duplicated outer
  header. This change makes IPcomp tunnel mode connections
  incompatible with previous releases; disable compression on such
  tunnels.
  * Fixed BEET mode connections on recent kernels by installing SAs
  with appropriate traffic selectors, based on a patch by Michael
  Rossberg.
  * Using extensions (such as BEET mode) and crypto algorithms (such
  as twofish, serpent, sha256_96) allocated in the private use space
  now require that we know its meaning, i.e. we are talking to
  strongSwan. Use the new "charon.send_vendor_id" option in
  strongswan.conf to let the remote peer know this is the case.
  * Experimental support for draft-eronen-ipsec-ikev2-eap-auth, where
  the responder omits public key authentication in favor of a mutual
  authentication method. To enable EAP-only authentication, set
  rightauth=eap on the responder to rely only on the MSK constructed
  AUTH payload. This not-yet standardized extension requires the
  strongSwan vendor ID introduced above.
  * The IKEv1 daemon ignores the Juniper SRX notification type 40001,
  thus allowing interoperability.
  * The IKEv1 pluto daemon can now use SQL-based address pools to
  deal out virtual IP addresses as a Mode Config server. The pool
  capability has been migrated from charon's sql plugin to a new
  attr-sql plugin which is loaded by libstrongswan and which can be
  used by both daemons either with a SQLite or MySQL database and the
  corresponding plugin.
  * Plugin names have been streamlined: EAP plugins now have a dash
  after eap (e.g. eap-sim), as it is used with the --enable-eap-sim
  ./configure option.
  Plugin configuration sections in strongswan.conf now use the same
  name as the plugin itself (i.e. with a dash). Make sure to update
  "load" directives and the affected plugin sections in existing
  strongswan.conf files.
  * The private/public key parsing and encoding has been split up
  into separate pkcs1, pgp, pem and dnskey plugins. The public key
  implementation plugins gmp, gcrypt and openssl can all make use
  of them.
  * The EAP-AKA plugin can use different backends for USIM/quintuplet
  calculations, very similar to the EAP-SIM plugin. The existing 3GPP2
  software implementation has been migrated to a separate plugin.
  * The IKEv2 daemon charon gained basic PGP support. It can use
  locally installed peer certificates and can issue signatures based
  on RSA private keys.
  * The new 'ipsec pki' tool provides a set of commands to maintain a
  public key infrastructure. It currently supports operations to
  create RSA and ECDSA private/public keys, calculate fingerprints and
  issue or verify certificates.
  * Charon uses a monotonic time source for statistics and job
  queueing, behaving correctly if the system time changes (e.g. when
  using NTP).
  * In addition to time based rekeying, charon supports IPsec SA
  lifetimes based on processed volume or number of packets.
  They new ipsec.conf paramaters 'lifetime' (an alias to 'keylife'),
  'lifebytes' and 'lifepackets' handle SA timeouts, while the
  parameters 'margintime' (an alias to rekeymargin), 'marginbytes'
  and 'marginpackets' trigger the rekeying before a SA expires.
  The existing parameter 'rekeyfuzz' affects all margins.
  * If no CA/Gateway certificate is specified in the NetworkManager
  plugin, charon uses a set of trusted root certificates preinstalled
  by distributions. The directory containing CA certificates can be
  specified using the --with-nm-ca-dir=path configure option.
  * Fixed the encoding of the Email relative distinguished name in
  left|rightid statements.
  * Fixed the broken parsing of PKCS#7 wrapped certificates by the
  pluto daemon.
  * Fixed smartcard-based authentication in the pluto daemon which
  was broken by the ECDSA support introduced with the 4.3.2 release.
  * A patch contributed by Heiko Hund fixes mixed IPv6 in IPv4 and
  vice versa tunnels established with the IKEv1 pluto daemon.
  * The pluto daemon now uses the libstrongswan x509 plugin for
  certificates and CRls and the struct id type was replaced by
  identification_t used by charon and the libstrongswan library.
 - Removed obsolete load_secrets patches, refreshed modprobe patch.
 - Corrected a time_t cast reported by rpmlint (timer.c:51)
 - Disabled libtoolize call and the gcrypt plugin on SLE 10.
 -------------------------------------------------------------------
 Fri Sep  4 12:56:59 CEST 2009 - mt@suse.de
--- a/strongswan.spec
+++ b/strongswan.spec
@ -1,7 +1,7 @@
 #
-# spec file for package strongswan (Version 4.3.4)
+# spec file for package strongswan (Version 4.3.6)
 #
-# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -19,11 +19,11 @@
 Name:           strongswan
-%define         upstream_version 4.3.4
+%define         upstream_version 4.3.6
 %define         strongswan_docdir %{_docdir}/%{name}
-Version:        4.3.4
+Version:        4.3.6
-Release:        3
+Release:        1
-License:        GPL v2 or later
+License:        GPLv2+
 Group:          Productivity/Networking/Security
 Summary:        StrongSwan -- OpenSource IPsec-based VPN Solution
 Url:            http://www.strongswan.org/
@ -38,8 +38,7 @@ Source1:        http://download.strongswan.org/strongswan-%{upstream_version}.ta
 Source2:        %{name}.init.in
 Source3:        %{name}-%{version}-rpmlintrc
 Patch1:         %{name}_modprobe_syslog.patch
-Patch2:         %{name}-4.3.4-load_secrets-lock-fix.diff
+Patch2:         strongswan-4.3.6-time_t_ptr.diff
 Patch3:         %{name}-4.3.4-load_secrets-dbgmsg-fix.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison flex gmp-devel gperf pkg-config
 BuildRequires:  libcap-devel
@ -51,59 +50,31 @@ BuildRequires:  curl-devel
 %description
 StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
-* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec)
+* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels
-   kernels
+* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
-
+* Fully tested support of IPv6 IPsec tunnel and transport connections
-* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange
+* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555)
-   protocols
+* Automatic insertion and deletion of IPsec-policy-based firewall rules
-
+* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
 * NEW: Fully tested support of IPv6 IPsec tunnel connections
 * Dynamical IP address and interface update with IKEv2 MOBIKE (RFC
   4555)
 * Fast connection startup and periodic update using ipsec starter
 * Automatic insertion and deletion of IPsec policy based firewall
   rules
 * Strong 3DES, AES, Serpent, Twofish, or Blowfish encryption
 * NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
 * Static Virtual IPs and IKE Mode Config Pull and Push modes
 * XAUTH server and client functionality on top of IKE Main Mode
   authentication
 * Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
-
+* Static virtual IPs and IKEv1 ModeConfig pull and push modes
 * XAUTH server and client functionality on top of IKEv1 Main Mode authentication
 * Virtual IP address pool managed by IKE daemon or SQL database
 * Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
 * Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
 * Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
 * Authentication based on X.509 certificates or preshared keys
-
+* Generation of a default self-signed certificate during first strongSwan startup
-* Generation of a default self-signed certificate during first
+* Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
-   strongSwan startup
+* Full support of the Online Certificate Status Protocol (OCSP, RCF 2560).
 * Retrieval and local caching of Certificate Revocation Lists via
   HTTP or LDAP
 * Full support of the Online Certificate Status Protocol (OCSP, RCF
   2560).
 * CA management (OCSP and CRL URIs, default LDAP server)
 * Powerful IPsec policies based on wildcards or intermediate CAs
-
+* Group policies based on X.509 attribute certificates (RFC 3281)
-* Group policies based on X.509 attribute certificates ( RFC 3281)
+* Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
-
+* Modular plugins for crypto algorithms and relational database interfaces
-* Optional storage of RSA private keys and certificates on a
+* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
-   smartcard
+* Optional built-in integrity and crypto tests for plugins and libraries
 * Smartcard access via standardized PKCS #11 interface
 * PKCS #11 proxy function offering RSA decryption services via whack
 * NEW: strongSwan Manager - a graphical management interface for IKEv2
 Authors:
@ -112,7 +83,7 @@ Authors:
    and others
 %package doc
-License:        GPL v2 or later
+License:        GPLv2+
 Summary:        StrongSwan -- OpenSource IPsec-based VPN Solution
 Group:          Productivity/Networking/Security
@ -131,8 +102,7 @@ Authors:
 %prep
 %setup -q -n %{name}-%{upstream_version}
 %patch1 -p0
-%patch2 -p1
+%patch2 -p0
 %patch3 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g'    \
     < $RPM_SOURCE_DIR/strongswan.init.in \
     > strongswan.init
@ -140,7 +110,7 @@ sed -e 's|@libexecdir@|%_libexecdir|g'    \
 %build
 CFLAGS="$RPM_OPT_FLAGS -W -Wall -Wno-pointer-sign -Wno-strict-aliasing"
 export RPM_OPT_FLAGS CFLAGS
-libtoolize --force
+#libtoolize --force
 %{?suse_update_config:%{suse_update_config -f}}
 autoreconf
 %configure \
@ -151,7 +121,9 @@ autoreconf
 	--with-default-pkcs11=%{_libdir}/opensc-pkcs11.so \
 	--enable-cisco-quirks \
 	--enable-openssl \
 %if 0%{suse_version} >= 1110
 	--enable-gcrypt \
 %endif
 	--enable-ldap \
 	--enable-curl
 make %{?_smp_mflags:%_smp_mflags}
--- a/strongswan_modprobe_syslog.patch
+++ b/strongswan_modprobe_syslog.patch
@ -1,5 +1,5 @@
 --- src/starter/klips.c
-+++ src/starter/klips.c
+++ src/starter/klips.c	2010/03/02 16:43:05
@@ -34,7 +34,7 @@ starter_klips_init(void)
 		/* ipsec module makes the pf_key proc interface visible */
 		if (stat(PROC_MODULES, &stb) == 0)
@ -11,7 +11,7 @@
 		/* now test again */
@@ -48,9 +48,9 @@ starter_klips_init(void)
 	}
- 	
+ 
 	/* load crypto algorithm modules */
 -	ignore_result(system("modprobe -qv ipsec_aes"));
 -	ignore_result(system("modprobe -qv ipsec_blowfish"));
@ -23,7 +23,7 @@
 	DBG(DBG_CONTROL,
 		DBG_log("Found KLIPS IPsec stack")
 --- src/starter/netkey.c
-+++ src/starter/netkey.c
+++ src/starter/netkey.c	2010/03/02 16:43:05
@@ -34,7 +34,7 @@ starter_netkey_init(void)
 		/* af_key module makes the netkey proc interface visible */
 		if (stat(PROC_MODULES, &stb) == 0)