forked from pool/strongswan
Accepting request 33800 from network:vpn
Copy from network:vpn/strongswan based on submit request 33800 from user mtomaschewski OBS-URL: https://build.opensuse.org/request/show/33800 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=19
This commit is contained in:
parent
70feac5f48
commit
cf104ead60
@ -1,21 +0,0 @@
|
||||
From: Marius Tomaschewski <mt@suse.de>
|
||||
Date: Fri, 4 Sep 2009 11:36:36 +0200
|
||||
Subject: [PATCH] fixed open failure debug message in load_secrets
|
||||
|
||||
|
||||
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
|
||||
index 68df7f0..80e3954 100644
|
||||
--- a/src/charon/plugins/stroke/stroke_cred.c
|
||||
+++ b/src/charon/plugins/stroke/stroke_cred.c
|
||||
@@ -709,7 +709,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
|
||||
fd = fopen(file, "r");
|
||||
if (fd == NULL)
|
||||
{
|
||||
- DBG1(DBG_CFG, "opening secrets file '%s' failed");
|
||||
+ DBG1(DBG_CFG, "opening secrets file '%s' failed", file);
|
||||
return;
|
||||
}
|
||||
|
||||
--
|
||||
1.6.0.2
|
||||
|
@ -1,38 +0,0 @@
|
||||
From: Marius Tomaschewski <mt@suse.de>
|
||||
Date: Wed, 2 Sep 2009 13:49:39 +0200
|
||||
Subject: [PATCH] Fixed load_secrets to acquire/release lock in level 0 only
|
||||
|
||||
The write_lock call fails with EDEADLK and unlocks in the
|
||||
next recursion level.
|
||||
|
||||
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
|
||||
index 31bcfe9f486f4dac0ae30bc5846ed3d818526dbb..68df7f0b6d709c396d7a572ca4d0198ef12b2446 100644
|
||||
--- a/src/charon/plugins/stroke/stroke_cred.c
|
||||
+++ b/src/charon/plugins/stroke/stroke_cred.c
|
||||
@@ -722,9 +722,10 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
|
||||
fclose(fd);
|
||||
src = chunk;
|
||||
|
||||
- this->lock->write_lock(this->lock);
|
||||
if (level == 0)
|
||||
{
|
||||
+ this->lock->write_lock(this->lock);
|
||||
+
|
||||
/* flush secrets on non-recursive invocation */
|
||||
while (this->shared->remove_last(this->shared,
|
||||
(void**)&shared) == SUCCESS)
|
||||
@@ -1019,7 +1020,10 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
|
||||
}
|
||||
}
|
||||
error:
|
||||
- this->lock->unlock(this->lock);
|
||||
+ if (level == 0)
|
||||
+ {
|
||||
+ this->lock->unlock(this->lock);
|
||||
+ }
|
||||
chunk_clear(&chunk);
|
||||
}
|
||||
|
||||
--
|
||||
1.6.0.2
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:6073c244232f2e741233533fd4a13498421398174757c5e42a51afa4bf16600c
|
||||
size 2680982
|
@ -1,14 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1.4.9 (GNU/Linux)
|
||||
|
||||
iQGcBAABAgAGBQJKipUyAAoJEN9CwXCzTbp3pWwL/1yfdFPb7OYbldsXDSJASBNU
|
||||
8jydSEnx4hJnbrf98sogQZSUvWtAXulqfo0QUXPICVtgw7cJ7r0Yfuc7FORy/a6L
|
||||
Dfqt2dQGfB3Kl0CZlmBtdisCKPRm6+qLrUPKM0XtZM0cmdp9xjErzCYLrPTciO6I
|
||||
vbVa+LAjl8SStoy1N75mMeLkZR+tXeqkg2p6ULbkJx8+b0igEM+oyQJWHTLkOuP5
|
||||
Q0pohbJywvNcYylQIua6S2HyMJUiCr009tnNhWeR8Wk/44h++HFpd7fE8rCGnpvH
|
||||
teQnCojUU4h4JsWjrwMaDjkrhUsU5NLJV6ib9DAi7EI2cv5OnPujf6wZpIEip3j2
|
||||
BgM5Jh7IahnEDPGolVJxKG/48b7hvJ7WF5DYYr3sgl9mSsH5CfqGLZPVFdHi05NV
|
||||
W7tZu2GbyGEx4XYik21fx3vjyQslyzZUspa8/apRPnTfsOfeLLFD24Q7xjd6i0+t
|
||||
T15gr4/O78rDttgLyShQFpd81iUGqwu2VbXMobGokg==
|
||||
=9hsf
|
||||
-----END PGP SIGNATURE-----
|
11
strongswan-4.3.6-time_t_ptr.diff
Normal file
11
strongswan-4.3.6-time_t_ptr.diff
Normal file
@ -0,0 +1,11 @@
|
||||
--- src/pluto/timer.c
|
||||
+++ src/pluto/timer.c 2010/03/02 17:03:41
|
||||
@@ -48,7 +48,7 @@ time_t now(void)
|
||||
{
|
||||
static time_t delta = 0
|
||||
, last_time = 0;
|
||||
- time_t n = time((time_t)NULL);
|
||||
+ time_t n = time((time_t *)NULL);
|
||||
|
||||
passert(n != (time_t)-1);
|
||||
if (last_time > n)
|
3
strongswan-4.3.6.tar.bz2
Normal file
3
strongswan-4.3.6.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:39a311c62f4f2474faf239c0edf6518a14a953b9c2092bbfa473cd34dcb8f5e7
|
||||
size 2831944
|
14
strongswan-4.3.6.tar.bz2.sig
Normal file
14
strongswan-4.3.6.tar.bz2.sig
Normal file
@ -0,0 +1,14 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1.4.9 (GNU/Linux)
|
||||
|
||||
iQGcBAABAgAGBQJLcr+BAAoJEN9CwXCzTbp3fp4L/js5E69jqpEIKe82amRjLewK
|
||||
orEWWfaXq7p/Ob8KYICUBt4lXtDNka8NspMZ88bWTUYLkDMTITBB9JiYVu2NXTYY
|
||||
6CQAR9eNB6E+uOOkj6udU1Y/dt+MY5uvbrjOgTN2Kcue+AlVrngSuruN71r+GOnD
|
||||
vWDf6AxU8LtiPUaY8WTC7Nn8Qgi1g10I5HXn5D6QN6Cz4oWf/hx1VvOZ1s7gTekW
|
||||
4E/V2ladLFKhXIC2D3tUn5J8FwKXFyqdooBnWvqhrDidNEQ8CDr62lkfOwJ3/qTP
|
||||
wpvQkwlOdX5TQQJAaYeW/S39MorK/E10lZWvkF/rkW6vGU5pgQkfGyozP6O/A4w5
|
||||
MkRtCsbcbtRIDicsYj4oX+2SiazZtmB5eMVc6SO0GT0dXgEMTGUKC3ezUV03LwXR
|
||||
PiWLVtrlqnVMxyzfr59HFd8B9c7l5rXcyYpYpspWlfdDM6K83NTOydn4i6HT1DgZ
|
||||
x5QkqBzdcH7dUmyZmRRUoopNtTRiu4+nmKmHugzrgA==
|
||||
=n9aW
|
||||
-----END PGP SIGNATURE-----
|
@ -1,3 +1,103 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Mar 2 21:42:10 CET 2010 - mt@suse.de
|
||||
|
||||
- Updated to strongSwan 4.3.6 release, changes since 4.3.4 are:
|
||||
* The IKEv2 daemon supports RFC 3779 IP address block constraints
|
||||
carried as a critical X.509v3 extension in the peer certificate.
|
||||
* The ipsec pool --add|del dns|nbns command manages DNS and NBNS
|
||||
name server entries that are sent via the IKEv1 Mode Config or
|
||||
IKEv2 Configuration Payload to remote clients.
|
||||
* The Camellia cipher can be used as an IKEv1 encryption algorithm.
|
||||
* The IKEv1 and IKEV2 daemons now check certificate path length
|
||||
constraints.
|
||||
* The new ipsec.conf conn option "inactivity" closes a CHILD_SA if
|
||||
no traffic was sent or received within the given interval. To close
|
||||
the complete IKE_SA if its only CHILD_SA was inactive, set the
|
||||
global strongswan.conf option "charon.inactivity_close_ike" to yes.
|
||||
* More detailed IKEv2 EAP payload information in debug output
|
||||
* IKEv2 EAP-SIM and EAP-AKA share joint libsimaka library
|
||||
* Added required userland changes for proper SHA256 and SHA384/512
|
||||
in ESP that will be introduced with Linux 2.6.33.
|
||||
The "sha256"/"sha2_256" keyword now configures the kernel with 128
|
||||
bit truncation, not the non-standard 96 bit truncation used by
|
||||
previous releases. To use the old 96 bit truncation scheme, the new
|
||||
"sha256_96" proposal keyword has been introduced.
|
||||
* Fixed IPComp in tunnel mode, stripping out the duplicated outer
|
||||
header. This change makes IPcomp tunnel mode connections
|
||||
incompatible with previous releases; disable compression on such
|
||||
tunnels.
|
||||
* Fixed BEET mode connections on recent kernels by installing SAs
|
||||
with appropriate traffic selectors, based on a patch by Michael
|
||||
Rossberg.
|
||||
* Using extensions (such as BEET mode) and crypto algorithms (such
|
||||
as twofish, serpent, sha256_96) allocated in the private use space
|
||||
now require that we know its meaning, i.e. we are talking to
|
||||
strongSwan. Use the new "charon.send_vendor_id" option in
|
||||
strongswan.conf to let the remote peer know this is the case.
|
||||
* Experimental support for draft-eronen-ipsec-ikev2-eap-auth, where
|
||||
the responder omits public key authentication in favor of a mutual
|
||||
authentication method. To enable EAP-only authentication, set
|
||||
rightauth=eap on the responder to rely only on the MSK constructed
|
||||
AUTH payload. This not-yet standardized extension requires the
|
||||
strongSwan vendor ID introduced above.
|
||||
* The IKEv1 daemon ignores the Juniper SRX notification type 40001,
|
||||
thus allowing interoperability.
|
||||
* The IKEv1 pluto daemon can now use SQL-based address pools to
|
||||
deal out virtual IP addresses as a Mode Config server. The pool
|
||||
capability has been migrated from charon's sql plugin to a new
|
||||
attr-sql plugin which is loaded by libstrongswan and which can be
|
||||
used by both daemons either with a SQLite or MySQL database and the
|
||||
corresponding plugin.
|
||||
* Plugin names have been streamlined: EAP plugins now have a dash
|
||||
after eap (e.g. eap-sim), as it is used with the --enable-eap-sim
|
||||
./configure option.
|
||||
Plugin configuration sections in strongswan.conf now use the same
|
||||
name as the plugin itself (i.e. with a dash). Make sure to update
|
||||
"load" directives and the affected plugin sections in existing
|
||||
strongswan.conf files.
|
||||
* The private/public key parsing and encoding has been split up
|
||||
into separate pkcs1, pgp, pem and dnskey plugins. The public key
|
||||
implementation plugins gmp, gcrypt and openssl can all make use
|
||||
of them.
|
||||
* The EAP-AKA plugin can use different backends for USIM/quintuplet
|
||||
calculations, very similar to the EAP-SIM plugin. The existing 3GPP2
|
||||
software implementation has been migrated to a separate plugin.
|
||||
* The IKEv2 daemon charon gained basic PGP support. It can use
|
||||
locally installed peer certificates and can issue signatures based
|
||||
on RSA private keys.
|
||||
* The new 'ipsec pki' tool provides a set of commands to maintain a
|
||||
public key infrastructure. It currently supports operations to
|
||||
create RSA and ECDSA private/public keys, calculate fingerprints and
|
||||
issue or verify certificates.
|
||||
* Charon uses a monotonic time source for statistics and job
|
||||
queueing, behaving correctly if the system time changes (e.g. when
|
||||
using NTP).
|
||||
* In addition to time based rekeying, charon supports IPsec SA
|
||||
lifetimes based on processed volume or number of packets.
|
||||
They new ipsec.conf paramaters 'lifetime' (an alias to 'keylife'),
|
||||
'lifebytes' and 'lifepackets' handle SA timeouts, while the
|
||||
parameters 'margintime' (an alias to rekeymargin), 'marginbytes'
|
||||
and 'marginpackets' trigger the rekeying before a SA expires.
|
||||
The existing parameter 'rekeyfuzz' affects all margins.
|
||||
* If no CA/Gateway certificate is specified in the NetworkManager
|
||||
plugin, charon uses a set of trusted root certificates preinstalled
|
||||
by distributions. The directory containing CA certificates can be
|
||||
specified using the --with-nm-ca-dir=path configure option.
|
||||
* Fixed the encoding of the Email relative distinguished name in
|
||||
left|rightid statements.
|
||||
* Fixed the broken parsing of PKCS#7 wrapped certificates by the
|
||||
pluto daemon.
|
||||
* Fixed smartcard-based authentication in the pluto daemon which
|
||||
was broken by the ECDSA support introduced with the 4.3.2 release.
|
||||
* A patch contributed by Heiko Hund fixes mixed IPv6 in IPv4 and
|
||||
vice versa tunnels established with the IKEv1 pluto daemon.
|
||||
* The pluto daemon now uses the libstrongswan x509 plugin for
|
||||
certificates and CRls and the struct id type was replaced by
|
||||
identification_t used by charon and the libstrongswan library.
|
||||
- Removed obsolete load_secrets patches, refreshed modprobe patch.
|
||||
- Corrected a time_t cast reported by rpmlint (timer.c:51)
|
||||
- Disabled libtoolize call and the gcrypt plugin on SLE 10.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Sep 4 12:56:59 CEST 2009 - mt@suse.de
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package strongswan (Version 4.3.4)
|
||||
# spec file for package strongswan (Version 4.3.6)
|
||||
#
|
||||
# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -19,11 +19,11 @@
|
||||
|
||||
|
||||
Name: strongswan
|
||||
%define upstream_version 4.3.4
|
||||
%define upstream_version 4.3.6
|
||||
%define strongswan_docdir %{_docdir}/%{name}
|
||||
Version: 4.3.4
|
||||
Release: 3
|
||||
License: GPL v2 or later
|
||||
Version: 4.3.6
|
||||
Release: 1
|
||||
License: GPLv2+
|
||||
Group: Productivity/Networking/Security
|
||||
Summary: StrongSwan -- OpenSource IPsec-based VPN Solution
|
||||
Url: http://www.strongswan.org/
|
||||
@ -38,8 +38,7 @@ Source1: http://download.strongswan.org/strongswan-%{upstream_version}.ta
|
||||
Source2: %{name}.init.in
|
||||
Source3: %{name}-%{version}-rpmlintrc
|
||||
Patch1: %{name}_modprobe_syslog.patch
|
||||
Patch2: %{name}-4.3.4-load_secrets-lock-fix.diff
|
||||
Patch3: %{name}-4.3.4-load_secrets-dbgmsg-fix.diff
|
||||
Patch2: strongswan-4.3.6-time_t_ptr.diff
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
BuildRequires: bison flex gmp-devel gperf pkg-config
|
||||
BuildRequires: libcap-devel
|
||||
@ -51,59 +50,31 @@ BuildRequires: curl-devel
|
||||
%description
|
||||
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
|
||||
|
||||
* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec)
|
||||
kernels
|
||||
|
||||
* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange
|
||||
protocols
|
||||
|
||||
* NEW: Fully tested support of IPv6 IPsec tunnel connections
|
||||
|
||||
* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC
|
||||
4555)
|
||||
|
||||
* Fast connection startup and periodic update using ipsec starter
|
||||
|
||||
* Automatic insertion and deletion of IPsec policy based firewall
|
||||
rules
|
||||
|
||||
* Strong 3DES, AES, Serpent, Twofish, or Blowfish encryption
|
||||
|
||||
* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels
|
||||
* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
|
||||
* Fully tested support of IPv6 IPsec tunnel and transport connections
|
||||
* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555)
|
||||
* Automatic insertion and deletion of IPsec-policy-based firewall rules
|
||||
* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
|
||||
* NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
|
||||
|
||||
* Static Virtual IPs and IKE Mode Config Pull and Push modes
|
||||
|
||||
* XAUTH server and client functionality on top of IKE Main Mode
|
||||
authentication
|
||||
|
||||
* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
|
||||
|
||||
* Static virtual IPs and IKEv1 ModeConfig pull and push modes
|
||||
* XAUTH server and client functionality on top of IKEv1 Main Mode authentication
|
||||
* Virtual IP address pool managed by IKE daemon or SQL database
|
||||
* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
|
||||
* Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
|
||||
* Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
|
||||
* Authentication based on X.509 certificates or preshared keys
|
||||
|
||||
* Generation of a default self-signed certificate during first
|
||||
strongSwan startup
|
||||
|
||||
* Retrieval and local caching of Certificate Revocation Lists via
|
||||
HTTP or LDAP
|
||||
|
||||
* Full support of the Online Certificate Status Protocol (OCSP, RCF
|
||||
2560).
|
||||
|
||||
* Generation of a default self-signed certificate during first strongSwan startup
|
||||
* Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
|
||||
* Full support of the Online Certificate Status Protocol (OCSP, RCF 2560).
|
||||
* CA management (OCSP and CRL URIs, default LDAP server)
|
||||
|
||||
* Powerful IPsec policies based on wildcards or intermediate CAs
|
||||
|
||||
* Group policies based on X.509 attribute certificates ( RFC 3281)
|
||||
|
||||
* Optional storage of RSA private keys and certificates on a
|
||||
smartcard
|
||||
|
||||
* Smartcard access via standardized PKCS #11 interface
|
||||
|
||||
* PKCS #11 proxy function offering RSA decryption services via whack
|
||||
|
||||
* NEW: strongSwan Manager - a graphical management interface for IKEv2
|
||||
|
||||
* Group policies based on X.509 attribute certificates (RFC 3281)
|
||||
* Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
|
||||
* Modular plugins for crypto algorithms and relational database interfaces
|
||||
* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
|
||||
* Optional built-in integrity and crypto tests for plugins and libraries
|
||||
|
||||
|
||||
Authors:
|
||||
@ -112,7 +83,7 @@ Authors:
|
||||
and others
|
||||
|
||||
%package doc
|
||||
License: GPL v2 or later
|
||||
License: GPLv2+
|
||||
Summary: StrongSwan -- OpenSource IPsec-based VPN Solution
|
||||
Group: Productivity/Networking/Security
|
||||
|
||||
@ -131,8 +102,7 @@ Authors:
|
||||
%prep
|
||||
%setup -q -n %{name}-%{upstream_version}
|
||||
%patch1 -p0
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch2 -p0
|
||||
sed -e 's|@libexecdir@|%_libexecdir|g' \
|
||||
< $RPM_SOURCE_DIR/strongswan.init.in \
|
||||
> strongswan.init
|
||||
@ -140,7 +110,7 @@ sed -e 's|@libexecdir@|%_libexecdir|g' \
|
||||
%build
|
||||
CFLAGS="$RPM_OPT_FLAGS -W -Wall -Wno-pointer-sign -Wno-strict-aliasing"
|
||||
export RPM_OPT_FLAGS CFLAGS
|
||||
libtoolize --force
|
||||
#libtoolize --force
|
||||
%{?suse_update_config:%{suse_update_config -f}}
|
||||
autoreconf
|
||||
%configure \
|
||||
@ -151,7 +121,9 @@ autoreconf
|
||||
--with-default-pkcs11=%{_libdir}/opensc-pkcs11.so \
|
||||
--enable-cisco-quirks \
|
||||
--enable-openssl \
|
||||
%if 0%{suse_version} >= 1110
|
||||
--enable-gcrypt \
|
||||
%endif
|
||||
--enable-ldap \
|
||||
--enable-curl
|
||||
make %{?_smp_mflags:%_smp_mflags}
|
||||
|
@ -1,5 +1,5 @@
|
||||
--- src/starter/klips.c
|
||||
+++ src/starter/klips.c
|
||||
+++ src/starter/klips.c 2010/03/02 16:43:05
|
||||
@@ -34,7 +34,7 @@ starter_klips_init(void)
|
||||
/* ipsec module makes the pf_key proc interface visible */
|
||||
if (stat(PROC_MODULES, &stb) == 0)
|
||||
@ -23,7 +23,7 @@
|
||||
DBG(DBG_CONTROL,
|
||||
DBG_log("Found KLIPS IPsec stack")
|
||||
--- src/starter/netkey.c
|
||||
+++ src/starter/netkey.c
|
||||
+++ src/starter/netkey.c 2010/03/02 16:43:05
|
||||
@@ -34,7 +34,7 @@ starter_netkey_init(void)
|
||||
/* af_key module makes the netkey proc interface visible */
|
||||
if (stat(PROC_MODULES, &stb) == 0)
|
||||
|
Loading…
Reference in New Issue
Block a user