From a8013e7310fe455f2acdea445d79cdce6e3869b6 Mon Sep 17 00:00:00 2001 From: Avesh Agarwal Date: Wed, 1 May 2013 16:27:20 -0400 Subject: [PATCH 01/20] New upstream release - Fixes for CVE-2013-2944 - Enabled support for OS IMV/IMC - Created and applied a patch to disable ECP in fedora, because Openssl in Fedora does not allow ECP_256 and ECP_384. It makes it non-compliant to TCG's PTS standard, but there is no choice right now. see redhat bz # 319901. - Enabled Trousers support for TPM based operations. --- .gitignore | 1 + sources | 2 +- strongswan-pts-ecp-disable.patch | 20 ++++++++++++++++++++ strongswan.spec | 23 +++++++++++++++++++++-- 4 files changed, 43 insertions(+), 3 deletions(-) create mode 100644 strongswan-pts-ecp-disable.patch diff --git a/.gitignore b/.gitignore index 81bf4de..d316010 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ /strongswan-5.0.1.tar.bz2 /strongswan-5.0.2.tar.bz2 /strongswan-5.0.3.tar.bz2 +/strongswan-5.0.4.tar.bz2 diff --git a/sources b/sources index bb79e8d..c5e1904 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -12e0a7a1be2ca0490c69146899e8a9bb strongswan-5.0.3.tar.bz2 +0ab0397b44b197febfd0f89148344035 strongswan-5.0.4.tar.bz2 diff --git a/strongswan-pts-ecp-disable.patch b/strongswan-pts-ecp-disable.patch new file mode 100644 index 0000000..6cd3ff4 --- /dev/null +++ b/strongswan-pts-ecp-disable.patch 
@@ -0,0 +1,20 @@ +diff -urNp strongswan-5.0.4-patched/src/libpts/pts/pts_dh_group.c strongswan-5.0.4-current/src/libpts/pts/pts_dh_group.c +--- strongswan-5.0.4-patched/src/libpts/pts/pts_dh_group.c 2013-05-01 15:50:51.332560748 -0400 ++++ strongswan-5.0.4-current/src/libpts/pts/pts_dh_group.c 2013-05-01 15:57:53.545271367 -0400 +@@ -74,6 +74,16 @@ bool pts_dh_group_probe(pts_dh_group_t * + { + DBG1(DBG_PTS, format2, "mandatory", diffie_hellman_group_names, + ECP_256_BIT); ++ /* Openssl in Fedora does not allow ECP_256 and ECP_384, so lets not die ++ * here. As far as, there is one dh group available, lets continue. It makes ++ * it non-compliant to TCG's PTS standard, but there is no choice right now. ++ * see redhat bz # 319901. ++ */ ++ if(*dh_groups != PTS_DH_GROUP_NONE) ++ { ++ return TRUE; ++ } ++ + } + return FALSE; + } diff --git a/strongswan.spec b/strongswan.spec index c9cda40..3592b3b 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,12 +1,13 @@ Name: strongswan -Version: 5.0.3 -Release: 2%{?dist} +Version: 5.0.4 +Release: 1%{?dist} Summary: An OpenSource IPsec-based VPN Solution Group: System Environment/Daemons License: GPLv2+ URL: http://www.strongswan.org/ Source0: http://download.strongswan.org/%{name}-%{version}.tar.bz2 Patch0: strongswan-init.patch +Patch1: strongswan-pts-ecp-disable.patch BuildRequires: gmp-devel BuildRequires: libcurl-devel BuildRequires: openldap-devel @@ -15,6 +16,7 @@ BuildRequires: NetworkManager-devel BuildRequires: NetworkManager-glib-devel BuildRequires: sqlite-devel BuildRequires: gettext-devel +BuildRequires: trousers-devel %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 BuildRequires: systemd-units @@ -53,6 +55,7 @@ IF-IMC/IMV interface. %prep %setup -q %patch0 -p1 +%patch1 -p1 echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora %build 
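Review bot: The added early `return TRUE;` in pts_dh_group_probe() turns a missing mandatory ECP_256_BIT group into a silent success: the only message is the existing "mandatory" DBG1 line, and nothing records that the probe continued with whatever is left in `*dh_groups`. Since the comment itself says this breaks compliance with the TCG PTS standard, the fallback should be visible in the log, for example `DBG1(DBG_PTS, "mandatory DH group missing, continuing with remaining groups");` just before the return. The comment should also say which groups can remain on Fedora, because that set defines the effective strength of the PTS key exchange; the part of the function that fills `*dh_groups` is outside the hunk. Style: `if(*dh_groups` lacks the space after `if` used by the other strongSwan code on this page, and the blank added line before the closing brace can be dropped.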
@@ -63,6 +66,7 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro --sysconfdir=%{_sysconfdir}/%{name} \ --with-ipsecdir=%{_libexecdir}/%{name} \ --with-ipseclibdir=%{_libdir}/%{name} \ + --with-tss=trousers \ --enable-openssl \ --enable-md4 \ --enable-xauth-eap \ @@ -82,6 +86,8 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro --enable-imv-scanner \ --enable-imc-attestation \ --enable-imv-attestation \ + --enable-imv-os \ + --enable-imc-os \ --enable-eap-tnc \ --enable-tnccs-20 \ --enable-tnc-imc \ @@ -213,9 +219,11 @@ install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name} %dir %{_libdir}/%{name}/imcvs/imc-attestation.so %dir %{_libdir}/%{name}/imcvs/imc-scanner.so %dir %{_libdir}/%{name}/imcvs/imc-test.so +%dir %{_libdir}/%{name}/imcvs/imc-os.so %dir %{_libdir}/%{name}/imcvs/imv-attestation.so %dir %{_libdir}/%{name}/imcvs/imv-scanner.so %dir %{_libdir}/%{name}/imcvs/imv-test.so +%dir %{_libdir}/%{name}/imcvs/imv-os.so %dir %{_libdir}/%{name}/plugins %{_libdir}/%{name}/plugins/lib%{name}-pkcs7.so %{_libdir}/%{name}/plugins/lib%{name}-sqlite.so @@ -227,6 +235,7 @@ install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name} %{_libdir}/%{name}/plugins/lib%{name}-eap-radius.so %dir %{_libexecdir}/%{name} %{_libexecdir}/%{name}/attest +%{_libexecdir}/%{name}/pacman %files NetworkManager @@ -271,6 +280,16 @@ fi %endif %changelog +* Wed May 1 2013 Avesh Agarwal - 5.0.4-1 +- New upstream release +- Fixes for CVE-2013-2944 +- Enabled support for OS IMV/IMC +- Created and applied a patch to disable ECP in fedora, because + Openssl in Fedora does not allow ECP_256 and ECP_384. It makes + it non-compliant to TCG's PTS standard, but there is no choice + right now. see redhat bz # 319901. +- Enabled Trousers support for TPM based operations. + * Sat Apr 20 2013 Pavel Šimerda - 5.0.3-2 - Rebuilt for a single specfile for rawhide/f19/f18/el6 
From 517e1ea8a48fd59f42b4624ed573a480113e8061 Mon Sep 17 00:00:00 2001 From: Avesh Agarwal Date: Tue, 11 Jun 2013 12:15:25 -0400 Subject: [PATCH 02/20] Enabled TNCCS 1.1 protocol - Fixed libxm2-devel build dependency - Patch to fix the issue with loading of plugins --- libstrongswan-plugin.patch | 12 ++++++++++++ strongswan.spec | 16 +++++++++++++++- 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 libstrongswan-plugin.patch diff --git a/libstrongswan-plugin.patch b/libstrongswan-plugin.patch new file mode 100644 index 0000000..0f4dc32 --- /dev/null +++ b/libstrongswan-plugin.patch @@ -0,0 +1,12 @@ +diff -urNp strongswan-5.0.4-patched/src/libstrongswan/plugins/plugin_loader.c strongswan-5.0.4-current/src/libstrongswan/plugins/plugin_loader.c +--- strongswan-5.0.4-patched/src/libstrongswan/plugins/plugin_loader.c 2013-05-01 15:50:51.375560719 -0400 ++++ strongswan-5.0.4-current/src/libstrongswan/plugins/plugin_loader.c 2013-05-22 16:30:24.121091911 -0400 +@@ -267,7 +267,7 @@ static bool load_plugin(private_plugin_l + return FALSE; + } + } +- handle = dlopen(file, RTLD_LAZY); ++ handle = dlopen(file, RTLD_NOW|RTLD_GLOBAL); + if (handle == NULL) + { + DBG1(DBG_LIB, "plugin '%s' failed to load: %s", name, dlerror()); diff --git a/strongswan.spec b/strongswan.spec index 3592b3b..a2e3612 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,6 +1,6 @@ Name: strongswan Version: 5.0.4 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An OpenSource IPsec-based VPN Solution Group: System Environment/Daemons License: GPLv2+ @@ -8,6 +8,7 @@ URL: http://www.strongswan.org/ Source0: http://download.strongswan.org/%{name}-%{version}.tar.bz2 Patch0: strongswan-init.patch Patch1: strongswan-pts-ecp-disable.patch +Patch2: libstrongswan-plugin.patch BuildRequires: gmp-devel BuildRequires: libcurl-devel BuildRequires: openldap-devel 
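Review bot: Switching the `dlopen()` flags in load_plugin() to `RTLD_NOW|RTLD_GLOBAL` changes two things at once, and the description "fix the issue with loading of plugins" does not say which one is needed. `RTLD_NOW` makes unresolved symbols fail at load time, which is a reasonable tightening; `RTLD_GLOBAL` additionally exports every plugin's symbols to all objects loaded afterwards, so two plugins defining the same name bind to whichever was loaded first. If eager binding alone fixes the load problem, `handle = dlopen(file, RTLD_NOW);` is the narrower change. If global visibility is really required, a comment above the call should name the plugin that depends on another plugin's symbols. load_plugin() starts and ends outside the hunk.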
@@ -17,6 +18,7 @@ BuildRequires: NetworkManager-glib-devel BuildRequires: sqlite-devel BuildRequires: gettext-devel BuildRequires: trousers-devel +BuildRequires: libxml2-devel %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 BuildRequires: systemd-units @@ -56,6 +58,8 @@ IF-IMC/IMV interface. %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p1 + echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora %build @@ -90,6 +94,8 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro --enable-imc-os \ --enable-eap-tnc \ --enable-tnccs-20 \ + --enable-tnccs-11 \ + --enable-tnccs-dynamic \ --enable-tnc-imc \ --enable-tnc-imv \ --enable-eap-radius \ @@ -97,6 +103,7 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro --enable-eap-identity +#make %{?_smp_mflags} IPSEC_CONFDIR=%{_sysconfdir}/%{name} make %{?_smp_mflags} sed -i 's/\t/ /' src/strongswan.conf src/starter/ipsec.conf @@ -232,6 +239,8 @@ install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name} %{_libdir}/%{name}/plugins/lib%{name}-tnc-imv.so %{_libdir}/%{name}/plugins/lib%{name}-tnc-tnccs.so %{_libdir}/%{name}/plugins/lib%{name}-tnccs-20.so +%{_libdir}/%{name}/plugins/lib%{name}-tnccs-11.so +%{_libdir}/%{name}/plugins/lib%{name}-tnccs-dynamic.so %{_libdir}/%{name}/plugins/lib%{name}-eap-radius.so %dir %{_libexecdir}/%{name} %{_libexecdir}/%{name}/attest @@ -280,6 +289,11 @@ fi %endif %changelog +* Tue Jun 11 2013 Avesh Agarwal - 5.0.4-2 +- Enabled TNCCS 1.1 protocol +- Fixed libxm2-devel build dependency +- Patch to fix the issue with loading of plugins + * Wed May 1 2013 Avesh Agarwal - 5.0.4-1 - New upstream release - Fixes for CVE-2013-2944 From 78378685d922260e2371955a9a88201b739dc927 Mon Sep 17 00:00:00 2001 
From: Avesh Agarwal Date: Fri, 28 Jun 2013 15:20:51 -0400 Subject: [PATCH 03/20] Patch to fix a major crash issue when Freeradius loads attestatiom-imv and does not initialize libstrongswan which causes crash due to calls to PTS algorithms probing APIs. So this patch fixes the order of initialization. This issues does not occur with charon because libstrongswan gets initialized earlier. - Patch that allows to outputs errors when there are permission issues when accessing strongswan.conf. - Patch to make loading of modules configurable when libimcv is used in stand alone mode without charon with freeradius and wpa_supplicant. --- libimcv-attestatiom-imv-crash.patch | 27 +++++++++++++++++ libstrongswan-settings-debug.patch | 30 +++++++++++++++++++ ...40cac68f83c77d981368a4c041eb620310ed.patch | 26 ++++++++++++++++ strongswan.spec | 21 ++++++++++++- 4 files changed, 103 insertions(+), 1 deletion(-) create mode 100644 libimcv-attestatiom-imv-crash.patch create mode 100644 libstrongswan-settings-debug.patch create mode 100644 strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch diff --git a/libimcv-attestatiom-imv-crash.patch b/libimcv-attestatiom-imv-crash.patch new file mode 100644 index 0000000..825ce81 --- /dev/null +++ b/libimcv-attestatiom-imv-crash.patch 
@@ -0,0 +1,27 @@
+diff -urNp strongswan-5.0.4-patched/src/libpts/plugins/imv_attestation/imv_attestation.c strongswan-5.0.4-current/src/libpts/plugins/imv_attestation/imv_attestation.c
+--- strongswan-5.0.4-patched/src/libpts/plugins/imv_attestation/imv_attestation.c 2013-05-01 15:50:51.331560749 -0400
++++ strongswan-5.0.4-current/src/libpts/plugins/imv_attestation/imv_attestation.c 2013-06-28 11:10:30.703893643 -0400
+@@ -90,11 +90,6 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID
+ DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
+ return TNC_RESULT_ALREADY_INITIALIZED;
+ }
+- if (!pts_meas_algo_probe(&supported_algorithms) ||
+- !pts_dh_group_probe(&supported_dh_groups))
+- {
+- return TNC_RESULT_FATAL;
+- }
+ imv_attestation = imv_agent_create(imv_name, msg_types, countof(msg_types),
+ imv_id, actual_version);
+ if (!imv_attestation)
+@@ -104,6 +99,11 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID
+
+ libpts_init();
+
++ if (!pts_meas_algo_probe(&supported_algorithms) ||
++ !pts_dh_group_probe(&supported_dh_groups))
++ {
++ return TNC_RESULT_FATAL;
++ }
+ if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
+ {
+ DBG1(DBG_IMV, "no common IF-IMV version");
diff --git a/libstrongswan-settings-debug.patch b/libstrongswan-settings-debug.patch
new file mode 100644
index 0000000..f7cb93f
--- /dev/null
+++ b/libstrongswan-settings-debug.patch
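Review bot: After the move, the `return TNC_RESULT_FATAL;` for a failed pts_meas_algo_probe()/pts_dh_group_probe() is reached with `imv_attestation` already created and libpts_init() already called, and the hunk releases neither. Before the change the probe failed before anything was allocated, so this exit path is new. If the "already been initialized" check at the top of TNC_IMV_Initialize() tests `imv_attestation` (the condition is outside the hunk), a later call would also report TNC_RESULT_ALREADY_INITIALIZED for an IMV that never finished initializing. The failure branch should destroy the agent, reset `imv_attestation` to NULL and undo libpts_init() before returning.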
@@ -0,0 +1,30 @@
+diff -urNp strongswan-5.0.4-patched/src/libstrongswan/utils/settings.c strongswan-5.0.4-current/src/libstrongswan/utils/settings.c
+--- strongswan-5.0.4-patched/src/libstrongswan/utils/settings.c 2013-05-01 15:50:51.337560745 -0400
++++ strongswan-5.0.4-current/src/libstrongswan/utils/settings.c 2013-06-18 13:13:27.801428152 -0400
+@@ -940,7 +940,7 @@ static bool parse_file(linked_list_t *co
+ {
+ if (errno == ENOENT)
+ {
+- DBG2(DBG_LIB, "'%s' does not exist, ignored", file);
++ DBG1(DBG_LIB, "'%s' does not exist, ignored", file);
+ return TRUE;
+ }
+ DBG1(DBG_LIB, "failed to stat '%s': %s", file, strerror(errno));
+@@ -1003,7 +1003,7 @@ static bool parse_files(linked_list_t *c
+
+ if (!strlen(pattern))
+ {
+- DBG2(DBG_LIB, "empty include pattern, ignored");
++ DBG1(DBG_LIB, "empty include pattern, ignored");
+ return TRUE;
+ }
+
+@@ -1035,7 +1035,7 @@ static bool parse_files(linked_list_t *c
+ status = glob(pat, GLOB_ERR, NULL, &buf);
+ if (status == GLOB_NOMATCH)
+ {
+- DBG2(DBG_LIB, "no files found matching '%s', ignored", pat);
++ DBG1(DBG_LIB, "no files found matching '%s', ignored", pat);
+ }
+ else if (status != 0)
+ {
diff --git a/strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch b/strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch
new file mode 100644
index 0000000..d58cc00
--- /dev/null
+++ b/strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch
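Review bot: The three messages promoted from DBG2 to DBG1 in parse_file() and parse_files() all end in "ignored" (missing file, empty include pattern, no glob match), while the commit description gives permission problems on strongswan.conf as the motivation. A permission failure does not take the `errno == ENOENT` branch; it reaches `DBG1(DBG_LIB, "failed to stat '%s': %s", ...)`, which was already at level 1 before this patch. As written the patch makes expected conditions louder at level 1, which can bury the real error it is meant to expose. If the access problem surfaces elsewhere (for example where the file is opened, outside these hunks), that is the message to raise; otherwise these three are better left at DBG2.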
@@ -0,0 +1,26 @@ +From 71d740cac68f83c77d981368a4c041eb620310ed Mon Sep 17 00:00:00 2001 +From: Andreas Steffen +Date: Fri, 24 May 2013 12:56:21 +0200 +Subject: [PATCH] Make plugins in standalone libimcv configurable + +--- + src/libimcv/imcv.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +diff --git a/src/libimcv/imcv.c b/src/libimcv/imcv.c +index 6cee0ad..f9ecf79 100644 +--- a/src/libimcv/imcv.c ++++ b/src/libimcv/imcv.c +@@ -118,7 +118,8 @@ bool libimcv_init(void) + openlog("imcv", 0, LOG_DAEMON); + + if (!lib->plugins->load(lib->plugins, NULL, +- "sha1 sha2 random nonce gmp pubkey x509")) ++ lib->settings->get_str(lib->settings, "libimcv.load", ++ "random nonce gmp pubkey x509"))) + { + library_deinit(); + return FALSE; +-- +1.7.4.1 + diff --git a/strongswan.spec b/strongswan.spec index a2e3612..6a2fe20 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,6 +1,6 @@ Name: strongswan Version: 5.0.4 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An OpenSource IPsec-based VPN Solution Group: System Environment/Daemons License: GPLv2+ @@ -9,6 +9,9 @@ Source0: http://download.strongswan.org/%{name}-%{version}.tar.bz2 Patch0: strongswan-init.patch Patch1: strongswan-pts-ecp-disable.patch Patch2: libstrongswan-plugin.patch +Patch3: libstrongswan-settings-debug.patch +Patch4: strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch +Patch5: libimcv-attestatiom-imv-crash.patch BuildRequires: gmp-devel BuildRequires: libcurl-devel BuildRequires: openldap-devel @@ -59,6 +62,9 @@ IF-IMC/IMV interface. %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora 
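Review bot: The new fallback passed to `get_str()` in libimcv_init() is `"random nonce gmp pubkey x509"`, so `sha1 sha2` are no longer loaded unless strongswan.conf sets `libimcv.load`. In standalone use that may leave no hasher registered when the PTS measurement-algorithm probe runs, unless one of the remaining plugins supplies the hashes. Keeping the old list as the fallback, `"sha1 sha2 random nonce gmp pubkey x509"`, preserves behaviour for installations that do not set the new key. Because the plugin list now comes from configuration, the patch should also document `libimcv.load` and the expectation that strongswan.conf is writable only by root.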
@@ -289,6 +295,19 @@ fi %endif %changelog +* Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 +- Patch to fix a major crash issue when Freeradius loads + attestatiom-imv and does not initialize libstrongswan which + causes crash due to calls to PTS algorithms probing APIs. + So this patch fixes the order of initialization. This issues + does not occur with charon because libstrongswan gets + initialized earlier. +- Patch that allows to outputs errors when there are permission + issues when accessing strongswan.conf. +- Patch to make loading of modules configurable when libimcv + is used in stand alone mode without charon with freeradius + and wpa_supplicant. + * Tue Jun 11 2013 Avesh Agarwal - 5.0.4-2 - Enabled TNCCS 1.1 protocol - Fixed libxm2-devel build dependency From c996b630948ce83740a6d8e7ef068af6c0fd2fb8 Mon Sep 17 00:00:00 2001 From: Jamie Nguyen Date: Mon, 15 Jul 2013 15:10:29 +0100 Subject: [PATCH 04/20] %files section packages some files as directories (#984437) --- strongswan.spec | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/strongswan.spec b/strongswan.spec index 6a2fe20..b428f7a 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,6 +1,6 @@ Name: strongswan Version: 5.0.4 -Release: 3%{?dist} +Release: 4%{?dist} Summary: An OpenSource IPsec-based VPN Solution Group: System Environment/Daemons License: GPLv2+ 
@@ -229,14 +229,14 @@ install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name} %{_libdir}/%{name}/libradius.so.0 %{_libdir}/%{name}/libradius.so.0.0.0 %dir %{_libdir}/%{name}/imcvs -%dir %{_libdir}/%{name}/imcvs/imc-attestation.so -%dir %{_libdir}/%{name}/imcvs/imc-scanner.so -%dir %{_libdir}/%{name}/imcvs/imc-test.so -%dir %{_libdir}/%{name}/imcvs/imc-os.so -%dir %{_libdir}/%{name}/imcvs/imv-attestation.so -%dir %{_libdir}/%{name}/imcvs/imv-scanner.so -%dir %{_libdir}/%{name}/imcvs/imv-test.so -%dir %{_libdir}/%{name}/imcvs/imv-os.so +%{_libdir}/%{name}/imcvs/imc-attestation.so +%{_libdir}/%{name}/imcvs/imc-scanner.so +%{_libdir}/%{name}/imcvs/imc-test.so +%{_libdir}/%{name}/imcvs/imc-os.so +%{_libdir}/%{name}/imcvs/imv-attestation.so +%{_libdir}/%{name}/imcvs/imv-scanner.so +%{_libdir}/%{name}/imcvs/imv-test.so +%{_libdir}/%{name}/imcvs/imv-os.so %dir %{_libdir}/%{name}/plugins %{_libdir}/%{name}/plugins/lib%{name}-pkcs7.so %{_libdir}/%{name}/plugins/lib%{name}-sqlite.so @@ -295,6 +295,9 @@ fi %endif %changelog +* Mon Jul 15 2013 Jamie Nguyen - 5.0.4-4 +- %%files tries to package some of the shared objects as directories (#984437) + * Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 - Patch to fix a major crash issue when Freeradius loads attestatiom-imv and does not initialize libstrongswan which From 6f27d18516587fd0f59fc7547e3957eddd778c2f Mon Sep 17 00:00:00 2001 From: Jamie Nguyen Date: Mon, 15 Jul 2013 15:18:44 +0100 Subject: [PATCH 05/20] Fix broken systemd unit file (#984300) --- strongswan-init.patch | 32 +------------------------------- strongswan.spec | 1 + 2 files changed, 2 insertions(+), 31 deletions(-) diff --git a/strongswan-init.patch b/strongswan-init.patch index 6ad4d59..89317f8 100644 --- a/strongswan-init.patch +++ b/strongswan-init.patch 
@@ -124,32 +124,15 @@ Index: strongswan-5.0.0/configure.in =================================================================== --- strongswan-5.0.0.orig/configure.in +++ strongswan-5.0.0/configure.in -@@ -1082,6 +1082,9 @@ AC_OUTPUT( +@@ -1082,6 +1082,8 @@ AC_OUTPUT( man/Makefile init/Makefile init/systemd/Makefile -+ init/systemd/strongswan.service + init/sysvinit/Makefile + init/sysvinit/strongswan src/Makefile src/include/Makefile src/libstrongswan/Makefile -Index: strongswan-5.0.0/init/systemd/Makefile.am -=================================================================== ---- strongswan-5.0.0.orig/init/systemd/Makefile.am -+++ strongswan-5.0.0/init/systemd/Makefile.am -@@ -1,11 +1 @@ -- --EXTRA_DIST = strongswan.service.in --CLEANFILES = strongswan.service -- - systemdsystemunit_DATA = strongswan.service -- --strongswan.service : strongswan.service.in -- sed \ -- -e "s:@SBINDIR@:$(sbindir):" \ -- -e "s:@IPSEC_SCRIPT@:$(ipsec_script):" \ -- $(srcdir)/$@.in > $@ Index: strongswan-5.0.0/init/sysvinit/strongswan =================================================================== --- /dev/null @@ -255,16 +238,3 @@ Index: strongswan-5.0.0/init/sysvinit/strongswan + exit 2 +esac +exit $? -Index: strongswan-5.0.0/init/systemd/strongswan.service.in -=================================================================== ---- strongswan-5.0.0.orig/init/systemd/strongswan.service.in -+++ strongswan-5.0.0/init/systemd/strongswan.service.in -@@ -3,7 +3,7 @@ Description=strongSwan IPsec - After=syslog.target - - [Service] --ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork -+ExecStart=@sbindir@/@ipsec_script@ start --nofork - StandardOutput=syslog - - [Install] diff --git a/strongswan.spec b/strongswan.spec index b428f7a..073e438 100644 --- a/strongswan.spec +++ b/strongswan.spec 
@@ -297,6 +297,7 @@ fi %changelog * Mon Jul 15 2013 Jamie Nguyen - 5.0.4-4 - %%files tries to package some of the shared objects as directories (#984437) +- fix broken systemd unit file (#984300) * Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 - Patch to fix a major crash issue when Freeradius loads From 28ffe686f1c65ab2fc577f0ffbc218dd2b7cd95a Mon Sep 17 00:00:00 2001 From: Jamie Nguyen Date: Mon, 15 Jul 2013 15:22:19 +0100 Subject: [PATCH 06/20] Fix various minor rpmlint errors --- strongswan.spec | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/strongswan.spec b/strongswan.spec index 073e438..45f7b30 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -34,9 +34,9 @@ Requires(preun): chkconfig Requires(preun): initscripts %endif %description -The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key exchange -protocols in conjunction with the native NETKEY IPsec stack of the Linux -kernel. +The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key +exchange protocols in conjunction with the native NETKEY IPsec stack of the +Linux kernel. %package NetworkManager Summary: NetworkManager plugin for Strongswan 
@@ -46,15 +46,15 @@ NetworkManager plugin integrates a subset of Strongswan capabilities to NetworkManager. %package tnc-imcvs -Summary: Trusted network connect (TNC)'s IMC/IMV fuctionality +Summary: Trusted network connect (TNC)'s IMC/IMV functionality Group: Applications/System Requires: %{name} = %{version} %description tnc-imcvs -This package provides Trusted Network Connect's (TNC) IMC and IMV functionality. -Specifically it includes PTS based IMC/IMV for TPM based remote attestation and -scanner and test IMCs and IMVs. The Strongswan's IMC/IMV dynamic libraries can be -used by any third party TNC Client/Server implementation possessing a standard -IF-IMC/IMV interface. +This package provides Trusted Network Connect's (TNC) IMC and IMV +functionality. Specifically it includes PTS based IMC/IMV for TPM based +remote attestation and scanner and test IMCs and IMVs. The Strongswan's +IMC/IMV dynamic libraries can be used by any third party TNC Client/Server +implementation possessing a standard IF-IMC/IMV interface. %prep @@ -106,10 +106,10 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro --enable-tnc-imv \ --enable-eap-radius \ --enable-curl \ - --enable-eap-identity + --enable-eap-identity -#make %{?_smp_mflags} IPSEC_CONFDIR=%{_sysconfdir}/%{name} +#make %%{?_smp_mflags} IPSEC_CONFDIR=%%{_sysconfdir}/%%{name} make %{?_smp_mflags} sed -i 's/\t/ /' src/strongswan.conf src/starter/ipsec.conf @@ -298,6 +298,9 @@ fi * Mon Jul 15 2013 Jamie Nguyen - 5.0.4-4 - %%files tries to package some of the shared objects as directories (#984437) - fix broken systemd unit file (#984300) +- fix rpmlint error: description-line-too-long +- fix rpmlint error: macro-in-comment +- fix rpmlint error: spelling-error Summary(en_US) fuctionality * Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 - Patch to fix a major crash issue when Freeradius loads From 258e15b857b0d083297ca903cb6d4e26304e7d11 Mon Sep 17 00:00:00 2001 
From: Jamie Nguyen Date: Mon, 15 Jul 2013 15:26:49 +0100 Subject: [PATCH 07/20] Update system related dependencies and scriptlets --- strongswan.spec | 27 +++++++++------------------ 1 file changed, 9 insertions(+), 18 deletions(-) diff --git a/strongswan.spec b/strongswan.spec index 45f7b30..b3ad6b2 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -24,10 +24,10 @@ BuildRequires: trousers-devel BuildRequires: libxml2-devel %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 -BuildRequires: systemd-units -Requires(post): systemd-units -Requires(preun): systemd-units -Requires(postun): systemd-units +BuildRequires: systemd +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd %else Requires(post): chkconfig Requires(preun): chkconfig @@ -260,21 +260,14 @@ install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name} %post /sbin/ldconfig %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 -if [ $1 -eq 1 ] ; then - # Initial installation - /bin/systemctl daemon-reload >/dev/null 2>&1 || : -fi +%systemd_post %{name}.service %else /sbin/chkconfig --add %{name} %endif %preun %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 -if [ $1 -eq 0 ] ; then - # Package removal, not upgrade - /bin/systemctl --no-reload disable %{name}.service > /dev/null 2>&1 || : - /bin/systemctl stop %{name}.service > /dev/null 2>&1 || : -fi +%systemd_preun %{name}.service %else if [ $1 -eq 0 ] ; then # Package removal, not upgrade @@ -286,11 +279,7 @@ fi %postun /sbin/ldconfig %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 -/bin/systemctl daemon-reload >/dev/null 2>&1 || : -if [ $1 -ge 1 ] ; then - # Package upgrade, not uninstall - /bin/systemctl try-restart %{name}.service >/dev/null 2>&1 || : -fi +%systemd_postun_with_restart %{name}.service %else %endif 
@@ -301,6 +290,8 @@ fi - fix rpmlint error: description-line-too-long - fix rpmlint error: macro-in-comment - fix rpmlint error: spelling-error Summary(en_US) fuctionality +- depend on 'systemd' instead of 'systemd-units' +- use new systemd scriptlet macros * Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 - Patch to fix a major crash issue when Freeradius loads From c50ae20645ae306215dc052519a94b92ee5c30f9 Mon Sep 17 00:00:00 2001 From: Jamie Nguyen Date: Mon, 15 Jul 2013 15:27:16 +0100 Subject: [PATCH 08/20] NetworkManager subpackage is missing a license (#984490) --- strongswan.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/strongswan.spec b/strongswan.spec index b3ad6b2..6c34448 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -254,6 +254,7 @@ install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name} %files NetworkManager +%doc COPYING %{_libexecdir}/%{name}/charon-nm @@ -292,6 +293,7 @@ fi - fix rpmlint error: spelling-error Summary(en_US) fuctionality - depend on 'systemd' instead of 'systemd-units' - use new systemd scriptlet macros +- NetworkManager subpackage should have a copy of the license (#984490) * Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 - Patch to fix a major crash issue when Freeradius loads From 05829beaf54930cb9da4d6810d6357fcb5a4e37f Mon Sep 17 00:00:00 2001 From: Jamie Nguyen Date: Mon, 15 Jul 2013 15:28:17 +0100 Subject: [PATCH 09/20] Enable hardened_build as it meets the criteria (#984429) --- strongswan.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/strongswan.spec b/strongswan.spec index 6c34448..104cb79 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,3 +1,5 @@ +%global hardened_build 1 + Name: strongswan Version: 5.0.4 Release: 4%{?dist} 
@@ -294,6 +296,7 @@ fi - depend on 'systemd' instead of 'systemd-units' - use new systemd scriptlet macros - NetworkManager subpackage should have a copy of the license (#984490) +- enable hardened_build as this package meets the PIE criteria (#984429) * Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 - Patch to fix a major crash issue when Freeradius loads From 98c7f2828ad778817137badef215906c49c7a611 Mon Sep 17 00:00:00 2001 From: Jamie Nguyen Date: Mon, 15 Jul 2013 15:31:03 +0100 Subject: [PATCH 10/20] Patch to change 'ipsec _updown' to 'strongswan _updown' --- ...ge-ipsec-updown-to-strongswan-updown.patch | 25 +++++++++++++++++++ strongswan.spec | 5 ++++ 2 files changed, 30 insertions(+) create mode 100644 strongswan-Change-ipsec-updown-to-strongswan-updown.patch diff --git a/strongswan-Change-ipsec-updown-to-strongswan-updown.patch b/strongswan-Change-ipsec-updown-to-strongswan-updown.patch new file mode 100644 index 0000000..2f62d39 --- /dev/null +++ b/strongswan-Change-ipsec-updown-to-strongswan-updown.patch @@ -0,0 +1,25 @@ +From daa81c04068956ff34fb0efb72956401969a8d9b Mon Sep 17 00:00:00 2001 +From: Jamie Nguyen +Date: Mon, 15 Jul 2013 13:42:14 +0100 +Subject: [PATCH] Change 'ipsec _updown' to 'strongswan _updown' + +--- + src/starter/confread.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/starter/confread.c b/src/starter/confread.c +index f0f05b0..ffd44c0 100644 +--- a/src/starter/confread.c ++++ b/src/starter/confread.c +@@ -38,7 +38,7 @@ + static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536"; + static const char esp_defaults[] = "aes128-sha1,3des-sha1"; + +-static const char firewall_defaults[] = "ipsec _updown iptables"; ++static const char firewall_defaults[] = "strongswan _updown iptables"; + + static bool daemon_exists(char *daemon, char *path) + { +-- +1.8.3.1 + diff --git a/strongswan.spec b/strongswan.spec index 104cb79..9bbdf8d 100644 --- a/strongswan.spec +++ b/strongswan.spec 
@@ -14,6 +14,8 @@ Patch2: libstrongswan-plugin.patch Patch3: libstrongswan-settings-debug.patch Patch4: strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch Patch5: libimcv-attestatiom-imv-crash.patch +Patch6: strongswan-Change-ipsec-updown-to-strongswan-updown.patch + BuildRequires: gmp-devel BuildRequires: libcurl-devel BuildRequires: openldap-devel @@ -67,6 +69,7 @@ implementation possessing a standard IF-IMC/IMV interface. %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora @@ -297,6 +300,8 @@ fi - use new systemd scriptlet macros - NetworkManager subpackage should have a copy of the license (#984490) - enable hardened_build as this package meets the PIE criteria (#984429) +- invocation of "ipsec _updown iptables" is broken as ipsec is renamed + to strongswan in this package (#948306) * Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 - Patch to fix a major crash issue when Freeradius loads From 6b308072994da12faf0c4493b6fc5825398a1159 Mon Sep 17 00:00:00 2001 From: Jamie Nguyen Date: Mon, 15 Jul 2013 22:46:14 +0100 Subject: [PATCH 11/20] Patch to change 'ipsec scepclient' to 'strongswan scepclient' --- ...-scepclient-to-strongswan-scepclient.patch | 25 +++++++++++++++++++ strongswan.spec | 4 +++ 2 files changed, 29 insertions(+) create mode 100644 strongswan-Change-ipsec-scepclient-to-strongswan-scepclient.patch diff --git a/strongswan-Change-ipsec-scepclient-to-strongswan-scepclient.patch b/strongswan-Change-ipsec-scepclient-to-strongswan-scepclient.patch new file mode 100644 index 0000000..ca4e05e --- /dev/null +++ b/strongswan-Change-ipsec-scepclient-to-strongswan-scepclient.patch 
@@ -0,0 +1,25 @@ +From c282e8fa3c55a9d0046a3119d7b2a3fe07d83c37 Mon Sep 17 00:00:00 2001 +From: Jamie Nguyen +Date: Mon, 15 Jul 2013 22:31:34 +0100 +Subject: [PATCH] Change 'ipsec scepclient' to 'strongswan scepclent' + +--- + src/starter/starter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/starter/starter.c b/src/starter/starter.c +index 917e52d..868b224 100644 +--- a/src/starter/starter.c ++++ b/src/starter/starter.c +@@ -293,7 +293,7 @@ static void generate_selfcert() + #endif + setegid(gid); + seteuid(uid); +- ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet")); ++ ignore_result(system("strongswan scepclient --out pkcs1 --out cert-self --quiet")); + seteuid(0); + setegid(0); + +-- +1.8.3.1 + diff --git a/strongswan.spec b/strongswan.spec index 9bbdf8d..5f89918 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -15,6 +15,7 @@ Patch3: libstrongswan-settings-debug.patch Patch4: strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch Patch5: libimcv-attestatiom-imv-crash.patch Patch6: strongswan-Change-ipsec-updown-to-strongswan-updown.patch +Patch7: strongswan-Change-ipsec-scepclient-to-strongswan-scepclient.patch BuildRequires: gmp-devel BuildRequires: libcurl-devel @@ -70,6 +71,7 @@ implementation possessing a standard IF-IMC/IMV interface. %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora @@ -302,6 +304,8 @@ fi - enable hardened_build as this package meets the PIE criteria (#984429) - invocation of "ipsec _updown iptables" is broken as ipsec is renamed to strongswan in this package (#948306) +- invocation of "ipsec scepclient" is broken as ipsec is renamed + to strongswan in this package * Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 - Patch to fix a major crash issue when Freeradius loads From 7290f0658cdb1c8ede9e09720f93713300b641f5 Mon Sep 17 00:00:00 2001 
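Review bot: The replaced call still runs the helper through `system()` with a bare command name, straight after `setegid(gid); seteuid(uid);` whose return values are not checked, so a failed drop goes unnoticed and the command is resolved by a shell via PATH. Only the effective ids are changed, and a shell such as bash may reset them to the real ids when the two differ, so the helper can end up running with the daemon's original privileges. Prefer a checked, permanent drop in a child process followed by an exec of the helper's absolute path, as sketched below. Calling the helper directly rather than through the wrapper script may need environment setup that the wrapper does, which is not visible here. `generate_selfcert()` begins and ends outside this hunk.

```c
/* … unchanged: existing checks and uid/gid lookup … */
	pid_t pid = fork();

	if (pid == 0)
	{
		/* child: drop group first, then user, and stop if either fails */
		if (setgid(gid) != 0 || setuid(uid) != 0)
		{
			_exit(EXIT_FAILURE);
		}
		/* SCEPCLIENT_PATH is a placeholder for the helper's absolute install path */
		execl(SCEPCLIENT_PATH, "scepclient", "--out", "pkcs1",
			  "--out", "cert-self", "--quiet", (char*)NULL);
		_exit(EXIT_FAILURE);
	}
	else if (pid > 0)
	{
		/* parent keeps its ids, so no seteuid(0)/setegid(0) restore is needed */
		waitpid(pid, NULL, 0);
	}
/* … unchanged: rest of generate_selfcert() … */
```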
From: Jamie Nguyen Date: Mon, 15 Jul 2013 22:49:59 +0100 Subject: [PATCH 12/20] Add /etc/strongswan/ipsec.d and missing subdirectories --- strongswan.spec | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/strongswan.spec b/strongswan.spec index 5f89918..e464c82 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -141,10 +141,17 @@ chmod 700 %{buildroot}%{_sysconfdir}/%{name} install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name} %endif +# Create ipsec.d directory tree. +install -d -m 700 %{buildroot}%{_sysconfdir}/%{name}/ipsec.d +for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do + install -d -m 700 %{buildroot}%{_sysconfdir}/%{name}/ipsec.d/${i} +done + %files %doc README README.Fedora COPYING NEWS TODO %dir %{_sysconfdir}/%{name} +%{_sysconfdir}/%{name}/ipsec.d/ %config(noreplace) %{_sysconfdir}/%{name}/ipsec.conf %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 @@ -306,6 +313,7 @@ fi to strongswan in this package (#948306) - invocation of "ipsec scepclient" is broken as ipsec is renamed to strongswan in this package +- add /etc/strongswan/ipsec.d and missing subdirectories * Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 - Patch to fix a major crash issue when Freeradius loads From 6a02ce6fc632d60e32ac7ca902b40990f883b22a Mon Sep 17 00:00:00 2001 From: Jamie Nguyen Date: Mon, 15 Jul 2013 23:30:42 +0100 Subject: [PATCH 13/20] Conditionalize NM subpackage as NM on EL6 is too old --- strongswan.spec | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/strongswan.spec b/strongswan.spec index e464c82..06e7e64 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,5 +1,11 @@ %global hardened_build 1 +%if 0%{?rhel} <= 6 +%global enable_nm 0 +%else +%global _enable_nm --enable-nm +%endif + Name: strongswan Version: 5.0.4 Release: 4%{?dist} 
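Review bot: The new `%files` line `%{_sysconfdir}/%{name}/ipsec.d/` packages the tree recursively with whatever mode the buildroot has, so the 0700 on `private` (presumably the key-material directory) is only implied by the `install -d -m 700` loop above it. Stating the mode in the file list makes the intent reviewable and keeps it if the install step changes later, for example `%attr(0700,root,root) %dir %{_sysconfdir}/%{name}/ipsec.d/private`, with `%dir` entries for the other subdirectories. A recursive entry would also package any file that `make install` later drops under `ipsec.d` without marking it `%config`.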
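Review bot: The condition `%if 0%{?rhel} <= 6` is also true where `rhel` is undefined, because it expands to `0 <= 6`, so the branch that disables NetworkManager is taken on Fedora as well. In the other branch only `_enable_nm` is defined and `enable_nm` is never set to 1, so every `%if 0%{?enable_nm}` guard in the later hunks stays false while `--enable-nm` is still passed to configure. The `%if 0%{enable_nm}` guard around `%package NetworkManager` also lacks the `?`, so it cannot expand when the macro is undefined. Testing for the supported releases instead, `%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7`, and defining both `%global enable_nm 1` and `%global _enable_nm --enable-nm` in that branch avoids all three problems; patch 14/20 further down this page reworks the block along those lines.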
@@ -21,12 +27,16 @@ BuildRequires: gmp-devel BuildRequires: libcurl-devel BuildRequires: openldap-devel BuildRequires: openssl-devel -BuildRequires: NetworkManager-devel -BuildRequires: NetworkManager-glib-devel BuildRequires: sqlite-devel BuildRequires: gettext-devel BuildRequires: trousers-devel BuildRequires: libxml2-devel +%if 0%{?enable_nm} +BuildRequires: NetworkManager-devel +BuildRequires: NetworkManager-glib-devel +%else +Obsoletes: %{name}-NetworkManager < 5.0.0-3.git20120619 +%endif %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 BuildRequires: systemd @@ -43,12 +53,14 @@ The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. +%if 0%{enable_nm} %package NetworkManager Summary: NetworkManager plugin for Strongswan Group: System Environment/Daemons %description NetworkManager NetworkManager plugin integrates a subset of Strongswan capabilities to NetworkManager. +%endif %package tnc-imcvs Summary: Trusted network connect (TNC)'s IMC/IMV functionality @@ -95,7 +107,6 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro --enable-eap-mschapv2 \ --enable-farp \ --enable-dhcp \ - --enable-nm \ --enable-sqlite \ --enable-imc-test \ --enable-imv-test \ @@ -113,7 +124,8 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro --enable-tnc-imv \ --enable-eap-radius \ --enable-curl \ - --enable-eap-identity + --enable-eap-identity \ + %{?_enable_nm} #make %%{?_smp_mflags} IPSEC_CONFDIR=%%{_sysconfdir}/%%{name} @@ -267,9 +279,11 @@ done %{_libexecdir}/%{name}/pacman +%if 0%{?enable_nm} %files NetworkManager %doc COPYING %{_libexecdir}/%{name}/charon-nm +%endif %post 
@@ -314,6 +328,8 @@ fi - invocation of "ipsec scepclient" is broken as ipsec is renamed to strongswan in this package - add /etc/strongswan/ipsec.d and missing subdirectories +- conditionalize building of strongswan-NetworkManager subpackage as the + version of NetworkManager in EL6 is too old (#984497) * Fri Jun 28 2013 Avesh Agarwal - 5.0.4-3 - Patch to fix a major crash issue when Freeradius loads From 3bdb50eb1582a60a6b6e960769a070fe22968289 Mon Sep 17 00:00:00 2001 From: Jamie Nguyen Date: Thu, 25 Jul 2013 07:23:48 +0100 Subject: [PATCH 14/20] Rename strongswan-NetworkManager to strongswan-charon-nm --- strongswan.spec | 80 ++++++++++++++++++++++++++----------------------- 1 file changed, 43 insertions(+), 37 deletions(-) diff --git a/strongswan.spec b/strongswan.spec index 06e7e64..1ffc703 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,14 +1,15 @@ %global hardened_build 1 -%if 0%{?rhel} <= 6 -%global enable_nm 0 +%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 +%global enable_nm 1 +%global _enable_nm '--enable-nm' %else -%global _enable_nm --enable-nm +%global enable_nm 0 %endif Name: strongswan Version: 5.0.4 -Release: 4%{?dist} +Release: 5%{?dist} Summary: An OpenSource IPsec-based VPN Solution Group: System Environment/Daemons License: GPLv2+ @@ -34,8 +35,10 @@ BuildRequires: libxml2-devel %if 0%{?enable_nm} BuildRequires: NetworkManager-devel BuildRequires: NetworkManager-glib-devel +Obsoletes: %{name}-NetworkManager < 0:5.0.4-5 +Provides: %{name}-NetworkManager = 0:%{version}-%{release} %else -Obsoletes: %{name}-NetworkManager < 5.0.0-3.git20120619 +Obsoletes: %{name}-NetworkManager < 0:5.0.0-3.git20120619 %endif %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 
@@ -53,11 +56,11 @@ The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. -%if 0%{enable_nm} -%package NetworkManager +%if 0%{?enable_nm} +%package charon-nm Summary: NetworkManager plugin for Strongswan Group: System Environment/Daemons -%description NetworkManager +%description charon-nm NetworkManager plugin integrates a subset of Strongswan capabilities to NetworkManager. %endif @@ -128,7 +131,6 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro %{?_enable_nm} -#make %%{?_smp_mflags} IPSEC_CONFDIR=%%{_sysconfdir}/%%{name} make %{?_smp_mflags} sed -i 's/\t/ /' src/strongswan.conf src/starter/ipsec.conf @@ -160,6 +162,33 @@ for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do done +%post +/sbin/ldconfig +%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 +%systemd_post %{name}.service +%else +/sbin/chkconfig --add %{name} +%endif + +%preun +%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 +%systemd_preun %{name}.service +%else +if [ $1 -eq 0 ] ; then + # Package removal, not upgrade + /sbin/service %{name} stop >/dev/null 2>&1 + /sbin/chkconfig --del %{name} +fi +%endif + +%postun +/sbin/ldconfig +%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 +%systemd_postun_with_restart %{name}.service +%else +%endif + + %files %doc README README.Fedora COPYING NEWS TODO %dir %{_sysconfdir}/%{name} 
@@ -278,41 +307,18 @@ done %{_libexecdir}/%{name}/attest %{_libexecdir}/%{name}/pacman - %if 0%{?enable_nm} -%files NetworkManager +%files charon-nm %doc COPYING %{_libexecdir}/%{name}/charon-nm %endif -%post -/sbin/ldconfig -%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 -%systemd_post %{name}.service -%else -/sbin/chkconfig --add %{name} -%endif - -%preun -%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 -%systemd_preun %{name}.service -%else -if [ $1 -eq 0 ] ; then - # Package removal, not upgrade - /sbin/service %{name} stop >/dev/null 2>&1 - /sbin/chkconfig --del %{name} -fi -%endif - -%postun -/sbin/ldconfig -%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 -%systemd_postun_with_restart %{name}.service -%else -%endif - %changelog +* Thu Jul 25 2013 Jamie Nguyen - 5.0.4-5 +- rename strongswan-NetworkManager to strongswan-charon-nm +- fix enable_nm macro + * Mon Jul 15 2013 Jamie Nguyen - 5.0.4-4 - %%files tries to package some of the shared objects as directories (#984437) - fix broken systemd unit file (#984300) From 634a38ad9300f0f4db9d7b7d443e940b0114428c Mon Sep 17 00:00:00 2001 
From: Avesh Agarwal Date: Wed, 7 Aug 2013 16:12:08 -0400 Subject: [PATCH 15/20] rhbz#981429: New upstream release - Fixes CVE-2013-5018: rhbz#991216, rhbz#991215 - Fixes rhbz#991859 failed to build in rawhide - Updated local patches and removed which are not needed - Fixed errors around charon-nm - Added plugins libstrongswan-pkcs12.so, libstrongswan-rc2.so, libstrongswan-sshkey.so - Added utility imv_policy_manager --- .gitignore | 1 + libimcv-attestatiom-imv-crash.patch | 27 -- libstrongswan-plugin.patch | 10 +- libstrongswan-settings-debug.patch | 12 +- sources | 2 +- ...-scepclient-to-strongswan-scepclient.patch | 25 -- ...ge-ipsec-updown-to-strongswan-updown.patch | 25 -- strongswan-init.patch | 257 +++++++++--------- strongswan-pts-ecp-disable.patch | 6 +- ...40cac68f83c77d981368a4c041eb620310ed.patch | 26 -- strongswan.spec | 29 +- 11 files changed, 160 insertions(+), 260 deletions(-) delete mode 100644 libimcv-attestatiom-imv-crash.patch delete mode 100644 strongswan-Change-ipsec-scepclient-to-strongswan-scepclient.patch delete mode 100644 strongswan-Change-ipsec-updown-to-strongswan-updown.patch delete mode 100644 strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch diff --git a/.gitignore b/.gitignore index d316010..ee1d37e 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ /strongswan-5.0.2.tar.bz2 /strongswan-5.0.3.tar.bz2 /strongswan-5.0.4.tar.bz2 +/strongswan-5.1.0.tar.bz2 diff --git a/libimcv-attestatiom-imv-crash.patch b/libimcv-attestatiom-imv-crash.patch deleted file mode 100644 index 825ce81..0000000 --- a/libimcv-attestatiom-imv-crash.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -diff -urNp strongswan-5.0.4-patched/src/libpts/plugins/imv_attestation/imv_attestation.c strongswan-5.0.4-current/src/libpts/plugins/imv_attestation/imv_attestation.c ---- strongswan-5.0.4-patched/src/libpts/plugins/imv_attestation/imv_attestation.c 2013-05-01 15:50:51.331560749 -0400 -+++ strongswan-5.0.4-current/src/libpts/plugins/imv_attestation/imv_attestation.c 2013-06-28 11:10:30.703893643 -0400 -@@ -90,11 +90,6 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID - DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name); - return TNC_RESULT_ALREADY_INITIALIZED; - } -- if (!pts_meas_algo_probe(&supported_algorithms) || -- !pts_dh_group_probe(&supported_dh_groups)) -- { -- return TNC_RESULT_FATAL; -- } - imv_attestation = imv_agent_create(imv_name, msg_types, countof(msg_types), - imv_id, actual_version); - if (!imv_attestation) -@@ -104,6 +99,11 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID - - libpts_init(); - -+ if (!pts_meas_algo_probe(&supported_algorithms) || -+ !pts_dh_group_probe(&supported_dh_groups)) -+ { -+ return TNC_RESULT_FATAL; -+ } - if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1) - { - DBG1(DBG_IMV, "no common IF-IMV version"); diff --git a/libstrongswan-plugin.patch b/libstrongswan-plugin.patch index 0f4dc32..ce0951d 100644 --- a/libstrongswan-plugin.patch +++ b/libstrongswan-plugin.patch 
@@ -1,8 +1,8 @@ -diff -urNp strongswan-5.0.4-patched/src/libstrongswan/plugins/plugin_loader.c strongswan-5.0.4-current/src/libstrongswan/plugins/plugin_loader.c ---- strongswan-5.0.4-patched/src/libstrongswan/plugins/plugin_loader.c 2013-05-01 15:50:51.375560719 -0400 -+++ strongswan-5.0.4-current/src/libstrongswan/plugins/plugin_loader.c 2013-05-22 16:30:24.121091911 -0400 -@@ -267,7 +267,7 @@ static bool load_plugin(private_plugin_l - return FALSE; +diff -urNp strongswan-5.1.0-patched/src/libstrongswan/plugins/plugin_loader.c strongswan-5.1.0-current/src/libstrongswan/plugins/plugin_loader.c +--- strongswan-5.1.0-patched/src/libstrongswan/plugins/plugin_loader.c 2013-08-06 17:16:36.266031511 -0400 ++++ strongswan-5.1.0-current/src/libstrongswan/plugins/plugin_loader.c 2013-08-06 17:49:15.703354848 -0400 +@@ -353,7 +353,7 @@ static plugin_entry_t *load_plugin(priva + return NULL; } } - handle = dlopen(file, RTLD_LAZY); diff --git a/libstrongswan-settings-debug.patch b/libstrongswan-settings-debug.patch index f7cb93f..66bca56 100644 --- a/libstrongswan-settings-debug.patch +++ b/libstrongswan-settings-debug.patch @@ -1,7 +1,7 @@ -diff -urNp strongswan-5.0.4-patched/src/libstrongswan/utils/settings.c strongswan-5.0.4-current/src/libstrongswan/utils/settings.c ---- strongswan-5.0.4-patched/src/libstrongswan/utils/settings.c 2013-05-01 15:50:51.337560745 -0400 -+++ strongswan-5.0.4-current/src/libstrongswan/utils/settings.c 2013-06-18 13:13:27.801428152 -0400 -@@ -940,7 +940,7 @@ static bool parse_file(linked_list_t *co +diff -urNp strongswan-5.1.0-patched/src/libstrongswan/utils/settings.c strongswan-5.1.0-current/src/libstrongswan/utils/settings.c +--- strongswan-5.1.0-patched/src/libstrongswan/utils/settings.c 2013-08-06 17:16:36.244031484 -0400 ++++ strongswan-5.1.0-current/src/libstrongswan/utils/settings.c 2013-08-06 17:52:43.272606717 -0400 +@@ -960,7 +960,7 @@ static bool parse_file(linked_list_t *co { if (errno == ENOENT) { 
@@ -10,7 +10,7 @@ diff -urNp strongswan-5.0.4-patched/src/libstrongswan/utils/settings.c strongswa return TRUE; } DBG1(DBG_LIB, "failed to stat '%s': %s", file, strerror(errno)); -@@ -1003,7 +1003,7 @@ static bool parse_files(linked_list_t *c +@@ -1023,7 +1023,7 @@ static bool parse_files(linked_list_t *c if (!strlen(pattern)) { @@ -19,7 +19,7 @@ diff -urNp strongswan-5.0.4-patched/src/libstrongswan/utils/settings.c strongswa return TRUE; } -@@ -1035,7 +1035,7 @@ static bool parse_files(linked_list_t *c +@@ -1055,7 +1055,7 @@ static bool parse_files(linked_list_t *c status = glob(pat, GLOB_ERR, NULL, &buf); if (status == GLOB_NOMATCH) { diff --git a/sources b/sources index c5e1904..388cdfe 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -0ab0397b44b197febfd0f89148344035 strongswan-5.0.4.tar.bz2 +c1cd0a3ba9960f590cae28c8470800e8 strongswan-5.1.0.tar.bz2 diff --git a/strongswan-Change-ipsec-scepclient-to-strongswan-scepclient.patch b/strongswan-Change-ipsec-scepclient-to-strongswan-scepclient.patch deleted file mode 100644 index ca4e05e..0000000 --- a/strongswan-Change-ipsec-scepclient-to-strongswan-scepclient.patch +++ /dev/null @@ -1,25 +0,0 @@ -From c282e8fa3c55a9d0046a3119d7b2a3fe07d83c37 Mon Sep 17 00:00:00 2001 -From: Jamie Nguyen -Date: Mon, 15 Jul 2013 22:31:34 +0100 -Subject: [PATCH] Change 'ipsec scepclient' to 'strongswan scepclent' - ---- - src/starter/starter.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/starter/starter.c b/src/starter/starter.c -index 917e52d..868b224 100644 ---- a/src/starter/starter.c -+++ b/src/starter/starter.c -@@ -293,7 +293,7 @@ static void generate_selfcert() - #endif - setegid(gid); - seteuid(uid); -- ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet")); -+ ignore_result(system("strongswan scepclient --out pkcs1 --out cert-self --quiet")); - seteuid(0); - setegid(0); - --- -1.8.3.1 - 
diff --git a/strongswan-Change-ipsec-updown-to-strongswan-updown.patch b/strongswan-Change-ipsec-updown-to-strongswan-updown.patch deleted file mode 100644 index 2f62d39..0000000 --- a/strongswan-Change-ipsec-updown-to-strongswan-updown.patch +++ /dev/null @@ -1,25 +0,0 @@ -From daa81c04068956ff34fb0efb72956401969a8d9b Mon Sep 17 00:00:00 2001 -From: Jamie Nguyen -Date: Mon, 15 Jul 2013 13:42:14 +0100 -Subject: [PATCH] Change 'ipsec _updown' to 'strongswan _updown' - ---- - src/starter/confread.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/starter/confread.c b/src/starter/confread.c -index f0f05b0..ffd44c0 100644 ---- a/src/starter/confread.c -+++ b/src/starter/confread.c -@@ -38,7 +38,7 @@ - static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536"; - static const char esp_defaults[] = "aes128-sha1,3des-sha1"; - --static const char firewall_defaults[] = "ipsec _updown iptables"; -+static const char firewall_defaults[] = "strongswan _updown iptables"; - - static bool daemon_exists(char *daemon, char *path) - { --- -1.8.3.1 - diff --git a/strongswan-init.patch b/strongswan-init.patch index 89317f8..ccd653a 100644 --- a/strongswan-init.patch +++ b/strongswan-init.patch 
@@ -1,130 +1,7 @@ -Index: strongswan-5.0.0/init/Makefile.am -=================================================================== ---- strongswan-5.0.0.orig/init/Makefile.am -+++ strongswan-5.0.0/init/Makefile.am -@@ -1,5 +1,5 @@ - --SUBDIRS = -+SUBDIRS = sysvinit - - if HAVE_SYSTEMD - SUBDIRS += systemd -Index: strongswan-5.0.0/init/sysvinit/Makefile.am -=================================================================== ---- /dev/null -+++ strongswan-5.0.0/init/sysvinit/Makefile.am -@@ -0,0 +1 @@ -+noinst_DATA = strongswan -Index: strongswan-5.0.0/init/sysvinit/strongswan.in -=================================================================== ---- /dev/null -+++ strongswan-5.0.0/init/sysvinit/strongswan.in -@@ -0,0 +1,100 @@ -+#!/bin/sh -+# -+# strongswan An implementation of key management system for IPsec -+# -+# chkconfig: - 48 52 -+# description: Starts or stops the Strongswan daemon. -+ -+### BEGIN INIT INFO -+# Provides: ipsec -+# Required-Start: $network $remote_fs $syslog $named -+# Required-Stop: $syslog $remote_fs -+# Default-Start: -+# Default-Stop: 0 1 6 -+# Short-Description: Start Strongswan daemons at boot time -+### END INIT INFO -+ -+# Source function library. -+. /etc/rc.d/init.d/functions -+ -+exec="@sbindir@/@ipsec_script@" -+prog="strongswan" -+status_prog="starter" -+config="/etc/strongswan/strongswan.conf" -+ -+lockfile=/var/lock/subsys/$prog -+ -+start() { -+ [ -x $exec ] || exit 5 -+ [ -f $config ] || exit 6 -+ echo -n $"Starting $prog: " -+ daemon $exec start -+ retval=$? -+ echo -+ [ $retval -eq 0 ] && touch $lockfile -+ return $retval -+} -+ -+stop() { -+ echo -n $"Stopping $prog: " -+ $exec stop -+ retval=$? 
-+ echo -+ [ $retval -eq 0 ] && rm -f $lockfile -+ return $retval -+} -+ -+restart() { -+ stop -+ start -+} -+ -+reload() { -+ restart -+} -+ -+force_reload() { -+ restart -+} -+ -+_status() { -+ # run checks to determine if the service is running or use generic status -+ status $status_prog -+} -+ -+_status_q() { -+ _status >/dev/null 2>&1 -+} -+ -+ -+case "$1" in -+ start) -+ _status_q && exit 0 -+ $1 -+ ;; -+ stop) -+ _status_q || exit 0 -+ $1 -+ ;; -+ restart) -+ $1 -+ ;; -+ reload) -+ _status_q || exit 7 -+ $1 -+ ;; -+ force-reload) -+ force_reload -+ ;; -+ status) -+ _status -+ ;; -+ condrestart|try-restart) -+ _status_q || exit 0 -+ restart -+ ;; -+ *) -+ echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}" -+ exit 2 -+esac -+exit $? -Index: strongswan-5.0.0/configure.in -=================================================================== ---- strongswan-5.0.0.orig/configure.in -+++ strongswan-5.0.0/configure.in -@@ -1082,6 +1082,8 @@ AC_OUTPUT( +diff -urNp strongswan-5.1.0-patched/configure.ac strongswan-5.1.0-current/configure.ac +--- strongswan-5.1.0-patched/configure.ac 2013-08-06 17:16:36.279031528 -0400 ++++ strongswan-5.1.0-current/configure.ac 2013-08-06 17:35:01.750380445 -0400 +@@ -1311,6 +1311,8 @@ AC_CONFIG_FILES([ man/Makefile init/Makefile init/systemd/Makefile 
@@ -133,10 +10,24 @@ Index: strongswan-5.0.0/configure.in src/Makefile src/include/Makefile src/libstrongswan/Makefile -Index: strongswan-5.0.0/init/sysvinit/strongswan -=================================================================== ---- /dev/null -+++ strongswan-5.0.0/init/sysvinit/strongswan +diff -urNp strongswan-5.1.0-patched/init/Makefile.am strongswan-5.1.0-current/init/Makefile.am +--- strongswan-5.1.0-patched/init/Makefile.am 2013-08-06 17:16:36.279031528 -0400 ++++ strongswan-5.1.0-current/init/Makefile.am 2013-08-06 17:36:19.905472912 -0400 +@@ -1,5 +1,5 @@ + +-SUBDIRS = ++SUBDIRS = sysvinit + + if HAVE_SYSTEMD + SUBDIRS += systemd +diff -urNp strongswan-5.1.0-patched/init/sysvinit/Makefile.am strongswan-5.1.0-current/init/sysvinit/Makefile.am +--- strongswan-5.1.0-patched/init/sysvinit/Makefile.am 1969-12-31 19:00:00.000000000 -0500 ++++ strongswan-5.1.0-current/init/sysvinit/Makefile.am 2013-07-31 15:56:21.919959000 -0400 +@@ -0,0 +1 @@ ++noinst_DATA = strongswan +diff -urNp strongswan-5.1.0-patched/init/sysvinit/strongswan strongswan-5.1.0-current/init/sysvinit/strongswan +--- strongswan-5.1.0-patched/init/sysvinit/strongswan 1969-12-31 19:00:00.000000000 -0500 ++++ strongswan-5.1.0-current/init/sysvinit/strongswan 2013-07-31 15:56:21.920958000 -0400 @@ -0,0 +1,100 @@ +#!/bin/sh +# 
@@ -238,3 +129,107 @@ Index: strongswan-5.0.0/init/sysvinit/strongswan + exit 2 +esac +exit $? +diff -urNp strongswan-5.1.0-patched/init/sysvinit/strongswan.in strongswan-5.1.0-current/init/sysvinit/strongswan.in +--- strongswan-5.1.0-patched/init/sysvinit/strongswan.in 1969-12-31 19:00:00.000000000 -0500 ++++ strongswan-5.1.0-current/init/sysvinit/strongswan.in 2013-07-31 15:56:21.919959000 -0400 +@@ -0,0 +1,100 @@ ++#!/bin/sh ++# ++# strongswan An implementation of key management system for IPsec ++# ++# chkconfig: - 48 52 ++# description: Starts or stops the Strongswan daemon. ++ ++### BEGIN INIT INFO ++# Provides: ipsec ++# Required-Start: $network $remote_fs $syslog $named ++# Required-Stop: $syslog $remote_fs ++# Default-Start: ++# Default-Stop: 0 1 6 ++# Short-Description: Start Strongswan daemons at boot time ++### END INIT INFO ++ ++# Source function library. ++. /etc/rc.d/init.d/functions ++ ++exec="@sbindir@/@ipsec_script@" ++prog="strongswan" ++status_prog="starter" ++config="/etc/strongswan/strongswan.conf" ++ ++lockfile=/var/lock/subsys/$prog ++ ++start() { ++ [ -x $exec ] || exit 5 ++ [ -f $config ] || exit 6 ++ echo -n $"Starting $prog: " ++ daemon $exec start ++ retval=$? ++ echo ++ [ $retval -eq 0 ] && touch $lockfile ++ return $retval ++} ++ ++stop() { ++ echo -n $"Stopping $prog: " ++ $exec stop ++ retval=$? 
++ echo ++ [ $retval -eq 0 ] && rm -f $lockfile ++ return $retval ++} ++ ++restart() { ++ stop ++ start ++} ++ ++reload() { ++ restart ++} ++ ++force_reload() { ++ restart ++} ++ ++_status() { ++ # run checks to determine if the service is running or use generic status ++ status $status_prog ++} ++ ++_status_q() { ++ _status >/dev/null 2>&1 ++} ++ ++ ++case "$1" in ++ start) ++ _status_q && exit 0 ++ $1 ++ ;; ++ stop) ++ _status_q || exit 0 ++ $1 ++ ;; ++ restart) ++ $1 ++ ;; ++ reload) ++ _status_q || exit 7 ++ $1 ++ ;; ++ force-reload) ++ force_reload ++ ;; ++ status) ++ _status ++ ;; ++ condrestart|try-restart) ++ _status_q || exit 0 ++ restart ++ ;; ++ *) ++ echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}" ++ exit 2 ++esac ++exit $? diff --git a/strongswan-pts-ecp-disable.patch b/strongswan-pts-ecp-disable.patch index 6cd3ff4..59054eb 100644 --- a/strongswan-pts-ecp-disable.patch +++ b/strongswan-pts-ecp-disable.patch @@ -1,6 +1,6 @@ -diff -urNp strongswan-5.0.4-patched/src/libpts/pts/pts_dh_group.c strongswan-5.0.4-current/src/libpts/pts/pts_dh_group.c ---- strongswan-5.0.4-patched/src/libpts/pts/pts_dh_group.c 2013-05-01 15:50:51.332560748 -0400 -+++ strongswan-5.0.4-current/src/libpts/pts/pts_dh_group.c 2013-05-01 15:57:53.545271367 -0400 +diff -urNp strongswan-5.1.0-patched/src/libpts/pts/pts_dh_group.c strongswan-5.1.0-current/src/libpts/pts/pts_dh_group.c +--- strongswan-5.1.0-patched/src/libpts/pts/pts_dh_group.c 2013-08-06 17:16:36.238031476 -0400 ++++ strongswan-5.1.0-current/src/libpts/pts/pts_dh_group.c 2013-08-06 17:44:48.005036651 -0400 @@ -74,6 +74,16 @@ bool pts_dh_group_probe(pts_dh_group_t * { DBG1(DBG_PTS, format2, "mandatory", diffie_hellman_group_names, diff --git a/strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch b/strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch deleted file mode 100644 index d58cc00..0000000 
--- a/strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 71d740cac68f83c77d981368a4c041eb620310ed Mon Sep 17 00:00:00 2001 -From: Andreas Steffen -Date: Fri, 24 May 2013 12:56:21 +0200 -Subject: [PATCH] Make plugins in standalone libimcv configurable - ---- - src/libimcv/imcv.c | 3 ++- - 1 files changed, 2 insertions(+), 1 deletions(-) - -diff --git a/src/libimcv/imcv.c b/src/libimcv/imcv.c -index 6cee0ad..f9ecf79 100644 ---- a/src/libimcv/imcv.c -+++ b/src/libimcv/imcv.c -@@ -118,7 +118,8 @@ bool libimcv_init(void) - openlog("imcv", 0, LOG_DAEMON); - - if (!lib->plugins->load(lib->plugins, NULL, -- "sha1 sha2 random nonce gmp pubkey x509")) -+ lib->settings->get_str(lib->settings, "libimcv.load", -+ "random nonce gmp pubkey x509"))) - { - library_deinit(); - return FALSE; --- -1.7.4.1 - diff --git a/strongswan.spec b/strongswan.spec index 1ffc703..0e9aa4c 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -8,8 +8,8 @@ %endif Name: strongswan -Version: 5.0.4 -Release: 5%{?dist} +Version: 5.1.0 +Release: 1%{?dist} Summary: An OpenSource IPsec-based VPN Solution Group: System Environment/Daemons License: GPLv2+ @@ -19,10 +19,6 @@ Patch0: strongswan-init.patch Patch1: strongswan-pts-ecp-disable.patch Patch2: libstrongswan-plugin.patch Patch3: libstrongswan-settings-debug.patch -Patch4: strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch -Patch5: libimcv-attestatiom-imv-crash.patch -Patch6: strongswan-Change-ipsec-updown-to-strongswan-updown.patch -Patch7: strongswan-Change-ipsec-scepclient-to-strongswan-scepclient.patch BuildRequires: gmp-devel BuildRequires: libcurl-devel 
@@ -36,7 +32,7 @@ BuildRequires: libxml2-devel BuildRequires: NetworkManager-devel BuildRequires: NetworkManager-glib-devel Obsoletes: %{name}-NetworkManager < 0:5.0.4-5 -Provides: %{name}-NetworkManager = 0:%{version}-%{release} +Provides: %{name}-charon-nm = 0:%{version}-%{release} %else Obsoletes: %{name}-NetworkManager < 0:5.0.0-3.git20120619 %endif @@ -83,10 +79,6 @@ implementation possessing a standard IF-IMC/IMV interface. %patch1 -p1 %patch2 -p1 %patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora @@ -229,6 +221,9 @@ fi %{_libdir}/%{name}/plugins/lib%{name}-pgp.so %{_libdir}/%{name}/plugins/lib%{name}-pkcs1.so %{_libdir}/%{name}/plugins/lib%{name}-pkcs8.so +%{_libdir}/%{name}/plugins/lib%{name}-pkcs12.so +%{_libdir}/%{name}/plugins/lib%{name}-rc2.so +%{_libdir}/%{name}/plugins/lib%{name}-sshkey.so %{_libdir}/%{name}/plugins/lib%{name}-pubkey.so %{_libdir}/%{name}/plugins/lib%{name}-random.so %{_libdir}/%{name}/plugins/lib%{name}-resolve.so @@ -263,6 +258,8 @@ fi %{_libexecdir}/%{name}/scepclient %{_libexecdir}/%{name}/starter %{_libexecdir}/%{name}/stroke +%{_libexecdir}/%{name}/_imv_policy +%{_libexecdir}/%{name}/imv_policy_manager %{_sbindir}/%{name} %{_mandir}/man5/%{name}.conf.5.gz %{_mandir}/man5/%{name}_ipsec.conf.5.gz @@ -315,6 +312,16 @@ fi %changelog +* Wed Aug 7 2013 Avesh Agarwal - 5.1.0-1 +- rhbz#981429: New upstream release +- Fixes CVE-2013-5018: rhbz#991216, rhbz#991215 +- Fixes rhbz#991859 failed to build in rawhide +- Updated local patches and removed which are not needed +- Fixed errors around charon-nm +- Added plugins libstrongswan-pkcs12.so, libstrongswan-rc2.so, + libstrongswan-sshkey.so +- Added utility imv_policy_manager + * Thu Jul 25 2013 Jamie Nguyen - 5.0.4-5 - rename strongswan-NetworkManager to strongswan-charon-nm - fix enable_nm macro 
From c5fe3b3899ad45b0c10d4b58760edc7f43dc6da4 Mon Sep 17 00:00:00 2001 From: Avesh Agarwal Date: Fri, 30 Aug 2013 15:43:32 -0400 Subject: [PATCH 16/20] Enabled fips support - Enabled TNC's ifmap support - Enabled TNC's pdp support - Fixed hardocded package name in this spec file --- strongswan.spec | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/strongswan.spec b/strongswan.spec index 0e9aa4c..f62adaf 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -9,7 +9,7 @@ Name: strongswan Version: 5.1.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An OpenSource IPsec-based VPN Solution Group: System Environment/Daemons License: GPLv2+ @@ -90,6 +90,7 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro --sysconfdir=%{_sysconfdir}/%{name} \ --with-ipsecdir=%{_libexecdir}/%{name} \ --with-ipseclibdir=%{_libdir}/%{name} \ + --with-fips-mode=2 \ --with-tss=trousers \ --enable-openssl \ --enable-md4 \ @@ -103,6 +104,8 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro --enable-farp \ --enable-dhcp \ --enable-sqlite \ + --enable-tnc-ifmap \ + --enable-tnc-pdp \ --enable-imc-test \ --enable-imv-test \ --enable-imc-scanner \ @@ -130,8 +133,8 @@ sed -i 's/\t/ /' src/strongswan.conf src/starter/ipsec.conf make install DESTDIR=%{buildroot} # prefix man pages for i in %{buildroot}%{_mandir}/*/*; do - if echo "$i" | grep -vq '/strongswan[^\/]*$'; then - mv "$i" "`echo "$i" | sed -re 's|/([^/]+)$|/strongswan_\1|'`" + if echo "$i" | grep -vq '/%{name}[^\/]*$'; then + mv "$i" "`echo "$i" | sed -re 's|/([^/]+)$|/%{name}_\1|'`" fi done # delete unwanted library files 
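Review bot: `--with-fips-mode=2` is added with no comment on what the value selects, and the changelog only says "Enabled fips support". To my knowledge upstream documents this setting as the default FIPS mode of the openssl plugin (0 disabled, 1 enabled, 2 Suite B); please confirm against the upstream option documentation. If that is right, the value sits oddly with the strongswan-pts-ecp-disable.patch this package carries, and it would not cover the other crypto plugins enabled in the same configure call, such as `--enable-md4`. A spec comment above the configure invocation, for example `# FIPS mode default for the openssl plugin only; value 2 chosen because <reason placeholder>`, would let reviewers check the choice.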
@@ -300,6 +303,8 @@ fi %{_libdir}/%{name}/plugins/lib%{name}-tnccs-11.so %{_libdir}/%{name}/plugins/lib%{name}-tnccs-dynamic.so %{_libdir}/%{name}/plugins/lib%{name}-eap-radius.so +%{_libdir}/%{name}/plugins/lib%{name}-tnc-ifmap.so +%{_libdir}/%{name}/plugins/lib%{name}-tnc-pdp.so %dir %{_libexecdir}/%{name} %{_libexecdir}/%{name}/attest %{_libexecdir}/%{name}/pacman @@ -312,6 +317,12 @@ fi %changelog +* Fri Aug 30 2013 Avesh Agarwal - 5.1.0-2 +- Enabled fips support +- Enabled TNC's ifmap support +- Enabled TNC's pdp support +- Fixed hardocded package name in this spec file + * Wed Aug 7 2013 Avesh Agarwal - 5.1.0-1 - rhbz#981429: New upstream release - Fixes CVE-2013-5018: rhbz#991216, rhbz#991215 From 07bd95ec6740f92ad1358d32e9f3472d8e38d9fc Mon Sep 17 00:00:00 2001 From: Avesh Agarwal Date: Thu, 12 Sep 2013 13:23:21 -0400 Subject: [PATCH 17/20] Fixed initialization crash of IMV and IMC particularly attestation imv/imc as libstrongswas was not getting initialized. --- imcv-initialization-crash-git-5ec08.patch | 145 ++++++++++++++++++++++ strongswan.spec | 9 +- 2 files changed, 153 insertions(+), 1 deletion(-) create mode 100644 imcv-initialization-crash-git-5ec08.patch diff --git a/imcv-initialization-crash-git-5ec08.patch b/imcv-initialization-crash-git-5ec08.patch new file mode 100644 index 0000000..d1fc80c --- /dev/null +++ b/imcv-initialization-crash-git-5ec08.patch 
@@ -0,0 +1,145 @@ +diff -urNp strongswan-5.1.0/src/libimcv/plugins/imv_os/imv_os_agent.c strongswan-5.1.0-test/src/libimcv/plugins/imv_os/imv_os_agent.c +--- strongswan-5.1.0/src/libimcv/plugins/imv_os/imv_os_agent.c 2013-07-04 15:55:16.000000000 -0400 ++++ strongswan-5.1.0-test/src/libimcv/plugins/imv_os/imv_os_agent.c 2013-09-11 15:39:04.263741942 -0400 +@@ -779,6 +779,14 @@ imv_agent_if_t *imv_os_agent_create(cons + TNC_Version *actual_version) + { + private_imv_os_agent_t *this; ++ imv_agent_t *agent; ++ ++ agent = imv_agent_create(name, msg_types, countof(msg_types), id, ++ actual_version); ++ if (!agent) ++ { ++ return NULL; ++ } + + INIT(this, + .public = { +@@ -790,16 +798,10 @@ imv_agent_if_t *imv_os_agent_create(cons + .solicit_recommendation = _solicit_recommendation, + .destroy = _destroy, + }, +- .agent = imv_agent_create(name, msg_types, countof(msg_types), id, +- actual_version), ++ .agent = agent, + .db = imv_os_database_create(imcv_db), + ); + +- if (!this->agent) +- { +- destroy(this); +- return NULL; +- } + return &this->public; + } + +diff -urNp strongswan-5.1.0/src/libimcv/plugins/imv_test/imv_test_agent.c strongswan-5.1.0-test/src/libimcv/plugins/imv_test/imv_test_agent.c +--- strongswan-5.1.0/src/libimcv/plugins/imv_test/imv_test_agent.c 2013-06-21 17:27:07.000000000 -0400 ++++ strongswan-5.1.0-test/src/libimcv/plugins/imv_test/imv_test_agent.c 2013-09-11 15:39:04.263741942 -0400 +@@ -296,6 +296,14 @@ imv_agent_if_t *imv_test_agent_create(co + TNC_Version *actual_version) + { + private_imv_test_agent_t *this; ++ imv_agent_t *agent; ++ ++ agent = imv_agent_create(name, msg_types, countof(msg_types), id, ++ actual_version); ++ if (!agent) ++ { ++ return NULL; ++ } + + INIT(this, + .public = { +@@ -307,15 +315,9 @@ imv_agent_if_t *imv_test_agent_create(co + .solicit_recommendation = _solicit_recommendation, + .destroy = _destroy, + }, +- .agent = imv_agent_create(name, msg_types, countof(msg_types), id, +- actual_version), ++ .agent = agent, + 
); + +- if (!this->agent) +- { +- destroy(this); +- return NULL; +- } + return &this->public; + } + +diff -urNp strongswan-5.1.0/src/libpts/plugins/imc_attestation/imc_attestation.c strongswan-5.1.0-test/src/libpts/plugins/imc_attestation/imc_attestation.c +--- strongswan-5.1.0/src/libpts/plugins/imc_attestation/imc_attestation.c 2013-05-14 05:16:46.000000000 -0400 ++++ strongswan-5.1.0-test/src/libpts/plugins/imc_attestation/imc_attestation.c 2013-09-11 15:39:04.264741942 -0400 +@@ -71,11 +71,6 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID + DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name); + return TNC_RESULT_ALREADY_INITIALIZED; + } +- if (!pts_meas_algo_probe(&supported_algorithms) || +- !pts_dh_group_probe(&supported_dh_groups)) +- { +- return TNC_RESULT_FATAL; +- } + imc_attestation = imc_agent_create(imc_name, msg_types, countof(msg_types), + imc_id, actual_version); + if (!imc_attestation) +@@ -83,6 +78,13 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID + return TNC_RESULT_FATAL; + } + ++ if (!pts_meas_algo_probe(&supported_algorithms) || ++ !pts_dh_group_probe(&supported_dh_groups)) ++ { ++ imc_attestation->destroy(imc_attestation); ++ imc_attestation = NULL; ++ return TNC_RESULT_FATAL; ++ } + libpts_init(); + + if (min_version > TNC_IFIMC_VERSION_1 || max_version < TNC_IFIMC_VERSION_1) +diff -urNp strongswan-5.1.0/src/libpts/plugins/imv_attestation/imv_attestation_agent.c strongswan-5.1.0-test/src/libpts/plugins/imv_attestation/imv_attestation_agent.c +--- strongswan-5.1.0/src/libpts/plugins/imv_attestation/imv_attestation_agent.c 2013-07-10 05:00:34.000000000 -0400 ++++ strongswan-5.1.0-test/src/libpts/plugins/imv_attestation/imv_attestation_agent.c 2013-09-11 15:39:04.264741942 -0400 +@@ -565,8 +565,16 @@ imv_agent_if_t *imv_attestation_agent_cr + TNC_Version *actual_version) + { + private_imv_attestation_agent_t *this; ++ imv_agent_t *agent; + char *hash_alg, *dh_group, *cadir; + ++ agent = imv_agent_create(name, msg_types, 
countof(msg_types), id, ++ actual_version); ++ if (!agent) ++ { ++ return NULL; ++ } ++ + hash_alg = lib->settings->get_str(lib->settings, + "libimcv.plugins.imv-attestation.hash_algorithm", "sha256"); + dh_group = lib->settings->get_str(lib->settings, +@@ -584,8 +592,7 @@ imv_agent_if_t *imv_attestation_agent_cr + .solicit_recommendation = _solicit_recommendation, + .destroy = _destroy, + }, +- .agent = imv_agent_create(name, msg_types, countof(msg_types), id, +- actual_version), ++ .agent = agent, + .supported_algorithms = PTS_MEAS_ALGO_NONE, + .supported_dh_groups = PTS_DH_GROUP_NONE, + .pts_credmgr = credential_manager_create(), +@@ -595,8 +602,7 @@ imv_agent_if_t *imv_attestation_agent_cr + + libpts_init(); + +- if (!this->agent || +- !pts_meas_algo_probe(&this->supported_algorithms) || ++ if (!pts_meas_algo_probe(&this->supported_algorithms) || + !pts_dh_group_probe(&this->supported_dh_groups) || + !pts_meas_algo_update(hash_alg, &this->supported_algorithms) || + !pts_dh_group_update(dh_group, &this->supported_dh_groups)) +@@ -613,4 +619,3 @@ imv_agent_if_t *imv_attestation_agent_cr + + return &this->public; + } +- diff --git a/strongswan.spec b/strongswan.spec index f62adaf..a3d5772 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -9,7 +9,7 @@ Name: strongswan Version: 5.1.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: An OpenSource IPsec-based VPN Solution Group: System Environment/Daemons License: GPLv2+ @@ -19,6 +19,7 @@ Patch0: strongswan-init.patch Patch1: strongswan-pts-ecp-disable.patch Patch2: libstrongswan-plugin.patch Patch3: libstrongswan-settings-debug.patch +Patch4: imcv-initialization-crash-git-5ec08.patch BuildRequires: gmp-devel BuildRequires: libcurl-devel @@ -79,6 +80,7 @@ implementation possessing a standard IF-IMC/IMV interface. %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora 
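Review bot: The hoisted `imv_agent_create()` calls in imv_os_agent_create, imv_test_agent_create and imv_attestation_agent_create carry no comment saying why they must now run before INIT() and the `lib->settings` lookups, so a later cleanup could fold them back into the initializer. Judging by the commit message, the agent constructor is what initializes libstrongswan, and C does not fix the evaluation order of initializer expressions, so the old `.agent = imv_agent_create(...)` next to `.db = imv_os_database_create(imcv_db)` may have depended on an order the compiler was free to change. I would add `/* must run first: initializes the library state used by the initializers below */` above each call, and a matching one-line comment on the moved `pts_meas_algo_probe()` / `pts_dh_group_probe()` block in TNC_IMC_Initialize. All four functions start or end outside their inner hunks, so the remaining failure paths could not be checked here.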
@@ -317,6 +319,11 @@ fi %changelog +* Thu Sep 12 2013 Avesh Agarwal - 5.1.0-3 +- Fixed initialization crash of IMV and IMC particularly + attestation imv/imc as libstrongswas was not getting + initialized. + * Fri Aug 30 2013 Avesh Agarwal - 5.1.0-2 - Enabled fips support - Enabled TNC's ifmap support From 2cef5e58a7444db887f7e8032dfb800d5e516408 Mon Sep 17 00:00:00 2001 From: Avesh Agarwal Date: Fri, 1 Nov 2013 15:08:47 -0400 Subject: [PATCH 18/20] Support for PT-TLS (RFC 6876) - Support for SWID IMC/IMV - Support for command line IKE client charon-cmd - Changed location of pki to /usr/bin - Added swid tags files - Added man pages for pki and charon-cmd - Renamed pki to strongswan-pki to avoid conflict with pki-core/pki-tools package. - Update local patches - Fixes CVE-2013-6075 - Fixes CVE-2013-6076 - Fixed autoconf/automake issue as configure.ac got changed and it required running autoreconf during the build process. - added strongswan signature file to the sources. --- .gitignore | 2 + imcv-initialization-crash-git-5ec08.patch | 145 ---------------------- sources | 3 +- strongswan.spec | 43 +++++-- 4 files changed, 40 insertions(+), 153 deletions(-) delete mode 100644 imcv-initialization-crash-git-5ec08.patch diff --git a/.gitignore b/.gitignore index ee1d37e..caf2c88 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,5 @@ /strongswan-5.0.3.tar.bz2 /strongswan-5.0.4.tar.bz2 /strongswan-5.1.0.tar.bz2 +/strongswan-5.1.1.tar.bz2 +/strongswan-5.1.1.tar.bz2.sig diff --git a/imcv-initialization-crash-git-5ec08.patch b/imcv-initialization-crash-git-5ec08.patch deleted file mode 100644 index d1fc80c..0000000 --- a/imcv-initialization-crash-git-5ec08.patch +++ /dev/null 
@@ -1,145 +0,0 @@ -diff -urNp strongswan-5.1.0/src/libimcv/plugins/imv_os/imv_os_agent.c strongswan-5.1.0-test/src/libimcv/plugins/imv_os/imv_os_agent.c ---- strongswan-5.1.0/src/libimcv/plugins/imv_os/imv_os_agent.c 2013-07-04 15:55:16.000000000 -0400 -+++ strongswan-5.1.0-test/src/libimcv/plugins/imv_os/imv_os_agent.c 2013-09-11 15:39:04.263741942 -0400 -@@ -779,6 +779,14 @@ imv_agent_if_t *imv_os_agent_create(cons - TNC_Version *actual_version) - { - private_imv_os_agent_t *this; -+ imv_agent_t *agent; -+ -+ agent = imv_agent_create(name, msg_types, countof(msg_types), id, -+ actual_version); -+ if (!agent) -+ { -+ return NULL; -+ } - - INIT(this, - .public = { -@@ -790,16 +798,10 @@ imv_agent_if_t *imv_os_agent_create(cons - .solicit_recommendation = _solicit_recommendation, - .destroy = _destroy, - }, -- .agent = imv_agent_create(name, msg_types, countof(msg_types), id, -- actual_version), -+ .agent = agent, - .db = imv_os_database_create(imcv_db), - ); - -- if (!this->agent) -- { -- destroy(this); -- return NULL; -- } - return &this->public; - } - -diff -urNp strongswan-5.1.0/src/libimcv/plugins/imv_test/imv_test_agent.c strongswan-5.1.0-test/src/libimcv/plugins/imv_test/imv_test_agent.c ---- strongswan-5.1.0/src/libimcv/plugins/imv_test/imv_test_agent.c 2013-06-21 17:27:07.000000000 -0400 -+++ strongswan-5.1.0-test/src/libimcv/plugins/imv_test/imv_test_agent.c 2013-09-11 15:39:04.263741942 -0400 -@@ -296,6 +296,14 @@ imv_agent_if_t *imv_test_agent_create(co - TNC_Version *actual_version) - { - private_imv_test_agent_t *this; -+ imv_agent_t *agent; -+ -+ agent = imv_agent_create(name, msg_types, countof(msg_types), id, -+ actual_version); -+ if (!agent) -+ { -+ return NULL; -+ } - - INIT(this, - .public = { -@@ -307,15 +315,9 @@ imv_agent_if_t *imv_test_agent_create(co - .solicit_recommendation = _solicit_recommendation, - .destroy = _destroy, - }, -- .agent = imv_agent_create(name, msg_types, countof(msg_types), id, -- actual_version), -+ .agent = agent, - 
); - -- if (!this->agent) -- { -- destroy(this); -- return NULL; -- } - return &this->public; - } - -diff -urNp strongswan-5.1.0/src/libpts/plugins/imc_attestation/imc_attestation.c strongswan-5.1.0-test/src/libpts/plugins/imc_attestation/imc_attestation.c ---- strongswan-5.1.0/src/libpts/plugins/imc_attestation/imc_attestation.c 2013-05-14 05:16:46.000000000 -0400 -+++ strongswan-5.1.0-test/src/libpts/plugins/imc_attestation/imc_attestation.c 2013-09-11 15:39:04.264741942 -0400 -@@ -71,11 +71,6 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID - DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name); - return TNC_RESULT_ALREADY_INITIALIZED; - } -- if (!pts_meas_algo_probe(&supported_algorithms) || -- !pts_dh_group_probe(&supported_dh_groups)) -- { -- return TNC_RESULT_FATAL; -- } - imc_attestation = imc_agent_create(imc_name, msg_types, countof(msg_types), - imc_id, actual_version); - if (!imc_attestation) -@@ -83,6 +78,13 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID - return TNC_RESULT_FATAL; - } - -+ if (!pts_meas_algo_probe(&supported_algorithms) || -+ !pts_dh_group_probe(&supported_dh_groups)) -+ { -+ imc_attestation->destroy(imc_attestation); -+ imc_attestation = NULL; -+ return TNC_RESULT_FATAL; -+ } - libpts_init(); - - if (min_version > TNC_IFIMC_VERSION_1 || max_version < TNC_IFIMC_VERSION_1) -diff -urNp strongswan-5.1.0/src/libpts/plugins/imv_attestation/imv_attestation_agent.c strongswan-5.1.0-test/src/libpts/plugins/imv_attestation/imv_attestation_agent.c ---- strongswan-5.1.0/src/libpts/plugins/imv_attestation/imv_attestation_agent.c 2013-07-10 05:00:34.000000000 -0400 -+++ strongswan-5.1.0-test/src/libpts/plugins/imv_attestation/imv_attestation_agent.c 2013-09-11 15:39:04.264741942 -0400 -@@ -565,8 +565,16 @@ imv_agent_if_t *imv_attestation_agent_cr - TNC_Version *actual_version) - { - private_imv_attestation_agent_t *this; -+ imv_agent_t *agent; - char *hash_alg, *dh_group, *cadir; - -+ agent = imv_agent_create(name, msg_types, 
countof(msg_types), id, -+ actual_version); -+ if (!agent) -+ { -+ return NULL; -+ } -+ - hash_alg = lib->settings->get_str(lib->settings, - "libimcv.plugins.imv-attestation.hash_algorithm", "sha256"); - dh_group = lib->settings->get_str(lib->settings, -@@ -584,8 +592,7 @@ imv_agent_if_t *imv_attestation_agent_cr - .solicit_recommendation = _solicit_recommendation, - .destroy = _destroy, - }, -- .agent = imv_agent_create(name, msg_types, countof(msg_types), id, -- actual_version), -+ .agent = agent, - .supported_algorithms = PTS_MEAS_ALGO_NONE, - .supported_dh_groups = PTS_DH_GROUP_NONE, - .pts_credmgr = credential_manager_create(), -@@ -595,8 +602,7 @@ imv_agent_if_t *imv_attestation_agent_cr - - libpts_init(); - -- if (!this->agent || -- !pts_meas_algo_probe(&this->supported_algorithms) || -+ if (!pts_meas_algo_probe(&this->supported_algorithms) || - !pts_dh_group_probe(&this->supported_dh_groups) || - !pts_meas_algo_update(hash_alg, &this->supported_algorithms) || - !pts_dh_group_update(dh_group, &this->supported_dh_groups)) -@@ -613,4 +619,3 @@ imv_agent_if_t *imv_attestation_agent_cr - - return &this->public; - } -- diff --git a/sources b/sources index 388cdfe..b3b0e07 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ -c1cd0a3ba9960f590cae28c8470800e8 strongswan-5.1.0.tar.bz2 +e3af3d493d22286be3cd794533a8966a strongswan-5.1.1.tar.bz2 +5381c48d5cabec932aa2904abde93cd3 strongswan-5.1.1.tar.bz2.sig diff --git a/strongswan.spec b/strongswan.spec index a3d5772..f7e2d23 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -8,8 +8,8 @@ %endif Name: strongswan -Version: 5.1.0 -Release: 3%{?dist} +Version: 5.1.1 +Release: 1%{?dist} Summary: An OpenSource IPsec-based VPN Solution Group: System Environment/Daemons License: GPLv2+ 
@@ -19,9 +19,8 @@ Patch0: strongswan-init.patch Patch1: strongswan-pts-ecp-disable.patch Patch2: libstrongswan-plugin.patch Patch3: libstrongswan-settings-debug.patch -Patch4: imcv-initialization-crash-git-5ec08.patch -BuildRequires: gmp-devel +BuildRequires: gmp-devel autoconf automake BuildRequires: libcurl-devel BuildRequires: openldap-devel BuildRequires: openssl-devel @@ -80,13 +79,12 @@ implementation possessing a standard IF-IMC/IMV interface. %patch1 -p1 %patch2 -p1 %patch3 -p1 -%patch4 -p1 echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora %build # for initscript patch to work -#autoreconf +autoreconf %configure --disable-static \ --with-ipsec-script=%{name} \ --sysconfdir=%{_sysconfdir}/%{name} \ @@ -116,6 +114,8 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro --enable-imv-attestation \ --enable-imv-os \ --enable-imc-os \ + --enable-imc-swid \ + --enable-imv-swid \ --enable-eap-tnc \ --enable-tnccs-20 \ --enable-tnccs-11 \ @@ -125,6 +125,7 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro --enable-eap-radius \ --enable-curl \ --enable-eap-identity \ + --enable-cmd \ %{?_enable_nm} @@ -151,6 +152,8 @@ chmod 700 %{buildroot}%{_sysconfdir}/%{name} %else install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name} %endif +#rename /usr/bin/pki to avoid conflict with pki-core/pki-tools +mv %{buildroot}%{_bindir}/pki %{buildroot}%{_bindir}/%{name}-pki # Create ipsec.d directory tree. install -d -m 700 %{buildroot}%{_sysconfdir}/%{name}/ipsec.d 
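Review bot: Nothing in the %prep hunk (@@ -79,13 +79,12 @@) checks the new tarball against the `strongswan-5.1.1.tar.bz2.sig` that this commit adds to `sources`, so the signature is stored but, as far as these hunks show, never verified during the build. The `sources` entries look like MD5 digests, which only pin the lookaside copy and do not authenticate the upstream release. I would list the signature and the upstream signing key as additional `Source` entries and verify before `%setup`, for example `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` together with `BuildRequires: gnupg2`. %prep begins outside the hunk, so an existing check there is possible but not visible.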
@@ -259,13 +262,15 @@ fi %{_libexecdir}/%{name}/_updown_espmark %{_libexecdir}/%{name}/charon %{_libexecdir}/%{name}/openac -%{_libexecdir}/%{name}/pki %{_libexecdir}/%{name}/scepclient %{_libexecdir}/%{name}/starter %{_libexecdir}/%{name}/stroke %{_libexecdir}/%{name}/_imv_policy %{_libexecdir}/%{name}/imv_policy_manager +%{_bindir}/%{name}-pki +%{_sbindir}/charon-cmd %{_sbindir}/%{name} +%{_mandir}/man1/%{name}_pki*.1.gz %{_mandir}/man5/%{name}.conf.5.gz %{_mandir}/man5/%{name}_ipsec.conf.5.gz %{_mandir}/man5/%{name}_ipsec.secrets.5.gz @@ -274,6 +279,7 @@ fi %{_mandir}/man8/%{name}__updown_espmark.8.gz %{_mandir}/man8/%{name}_openac.8.gz %{_mandir}/man8/%{name}_scepclient.8.gz +%{_mandir}/man8/%{name}_charon-cmd.8.gz %files tnc-imcvs %dir %{_libdir}/%{name} @@ -290,10 +296,12 @@ fi %{_libdir}/%{name}/imcvs/imc-scanner.so %{_libdir}/%{name}/imcvs/imc-test.so %{_libdir}/%{name}/imcvs/imc-os.so +%{_libdir}/%{name}/imcvs/imc-swid.so %{_libdir}/%{name}/imcvs/imv-attestation.so %{_libdir}/%{name}/imcvs/imv-scanner.so %{_libdir}/%{name}/imcvs/imv-test.so %{_libdir}/%{name}/imcvs/imv-os.so +%{_libdir}/%{name}/imcvs/imv-swid.so %dir %{_libdir}/%{name}/plugins %{_libdir}/%{name}/plugins/lib%{name}-pkcs7.so %{_libdir}/%{name}/plugins/lib%{name}-sqlite.so @@ -310,6 +318,11 @@ fi %dir %{_libexecdir}/%{name} %{_libexecdir}/%{name}/attest %{_libexecdir}/%{name}/pacman +%{_libexecdir}/%{name}/pt-tls-client +#swid files +%{_libexecdir}/%{name}/*.swidtag +%dir %{_datadir}/regid.2004-03.org.%{name} +%{_datadir}/regid.2004-03.org.%{name}/*.swidtag %if 0%{?enable_nm} %files charon-nm 
@@ -319,6 +332,22 @@ fi %changelog +* Fri Nov 1 2013 Avesh Agarwal - 5.1.1-1 +- Support for PT-TLS (RFC 6876) +- Support for SWID IMC/IMV +- Support for command line IKE client charon-cmd +- Changed location of pki to /usr/bin +- Added swid tags files +- Added man pages for pki and charon-cmd +- Renamed pki to strongswan-pki to avoid conflict with + pki-core/pki-tools package. +- Update local patches +- Fixes CVE-2013-6075 +- Fixes CVE-2013-6076 +- Fixed autoconf/automake issue as configure.ac got changed + and it required running autoreconf during the build process. +- added strongswan signature file to the sources. + * Thu Sep 12 2013 Avesh Agarwal - 5.1.0-3 - Fixed initialization crash of IMV and IMC particularly attestation imv/imc as libstrongswas was not getting From 285d7534b81a4b67e77061c752305b31f8967a0c Mon Sep 17 00:00:00 2001 From: Avesh Agarwal Date: Fri, 1 Nov 2013 15:09:30 -0400 Subject: [PATCH 19/20] Support for PT-TLS (RFC 6876) - Support for SWID IMC/IMV - Support for command line IKE client charon-cmd - Changed location of pki to /usr/bin - Added swid tags files - Added man pages for pki and charon-cmd - Renamed pki to strongswan-pki to avoid conflict with pki-core/pki-tools package. - Update local patches - Fixes CVE-2013-6075 - Fixes CVE-2013-6076 - Fixed autoconf/automake issue as configure.ac got changed and it required running autoreconf during the build process. - added strongswan signature file to the sources. --- libstrongswan-plugin.patch | 6 +++--- libstrongswan-settings-debug.patch | 6 +++--- strongswan-init.patch | 32 +++++++++++++++--------------- strongswan-pts-ecp-disable.patch | 6 +++--- 4 files changed, 25 insertions(+), 25 deletions(-) diff --git a/libstrongswan-plugin.patch b/libstrongswan-plugin.patch index ce0951d..f204a1e 100644 --- a/libstrongswan-plugin.patch +++ b/libstrongswan-plugin.patch 
@@ -1,6 +1,6 @@ -diff -urNp strongswan-5.1.0-patched/src/libstrongswan/plugins/plugin_loader.c strongswan-5.1.0-current/src/libstrongswan/plugins/plugin_loader.c ---- strongswan-5.1.0-patched/src/libstrongswan/plugins/plugin_loader.c 2013-08-06 17:16:36.266031511 -0400 -+++ strongswan-5.1.0-current/src/libstrongswan/plugins/plugin_loader.c 2013-08-06 17:49:15.703354848 -0400 +diff -urNp strongswan-5.1.1-patched/src/libstrongswan/plugins/plugin_loader.c strongswan-5.1.1-current/src/libstrongswan/plugins/plugin_loader.c +--- strongswan-5.1.1-patched/src/libstrongswan/plugins/plugin_loader.c 2013-11-01 13:12:06.046927153 -0400 ++++ strongswan-5.1.1-current/src/libstrongswan/plugins/plugin_loader.c 2013-11-01 13:16:59.680916657 -0400 @@ -353,7 +353,7 @@ static plugin_entry_t *load_plugin(priva return NULL; } diff --git a/libstrongswan-settings-debug.patch b/libstrongswan-settings-debug.patch index 66bca56..692690d 100644 --- a/libstrongswan-settings-debug.patch +++ b/libstrongswan-settings-debug.patch @@ -1,6 +1,6 @@ -diff -urNp strongswan-5.1.0-patched/src/libstrongswan/utils/settings.c strongswan-5.1.0-current/src/libstrongswan/utils/settings.c ---- strongswan-5.1.0-patched/src/libstrongswan/utils/settings.c 2013-08-06 17:16:36.244031484 -0400 -+++ strongswan-5.1.0-current/src/libstrongswan/utils/settings.c 2013-08-06 17:52:43.272606717 -0400 +diff -urNp strongswan-5.1.1-patched/src/libstrongswan/utils/settings.c strongswan-5.1.1-current/src/libstrongswan/utils/settings.c +--- strongswan-5.1.1-patched/src/libstrongswan/utils/settings.c 2013-11-01 13:12:06.034927154 -0400 ++++ strongswan-5.1.1-current/src/libstrongswan/utils/settings.c 2013-11-01 13:18:56.230912491 -0400 @@ -960,7 +960,7 @@ static bool parse_file(linked_list_t *co { if (errno == ENOENT) diff --git a/strongswan-init.patch b/strongswan-init.patch index ccd653a..eb29bdb 100644 --- a/strongswan-init.patch +++ b/strongswan-init.patch 
@@ -1,7 +1,7 @@ -diff -urNp strongswan-5.1.0-patched/configure.ac strongswan-5.1.0-current/configure.ac ---- strongswan-5.1.0-patched/configure.ac 2013-08-06 17:16:36.279031528 -0400 -+++ strongswan-5.1.0-current/configure.ac 2013-08-06 17:35:01.750380445 -0400 -@@ -1311,6 +1311,8 @@ AC_CONFIG_FILES([ +diff -urNp strongswan-5.1.1-patched/configure.ac strongswan-5.1.1-current/configure.ac +--- strongswan-5.1.1-patched/configure.ac 2013-11-01 13:12:05.964927156 -0400 ++++ strongswan-5.1.1-current/configure.ac 2013-11-01 13:12:24.357926499 -0400 +@@ -1330,6 +1330,8 @@ AC_CONFIG_FILES([ man/Makefile init/Makefile init/systemd/Makefile @@ -10,9 +10,9 @@ diff -urNp strongswan-5.1.0-patched/configure.ac strongswan-5.1.0-current/config src/Makefile src/include/Makefile src/libstrongswan/Makefile -diff -urNp strongswan-5.1.0-patched/init/Makefile.am strongswan-5.1.0-current/init/Makefile.am ---- strongswan-5.1.0-patched/init/Makefile.am 2013-08-06 17:16:36.279031528 -0400 -+++ strongswan-5.1.0-current/init/Makefile.am 2013-08-06 17:36:19.905472912 -0400 +diff -urNp strongswan-5.1.1-patched/init/Makefile.am strongswan-5.1.1-current/init/Makefile.am +--- strongswan-5.1.1-patched/init/Makefile.am 2013-11-01 13:12:05.966927156 -0400 ++++ strongswan-5.1.1-current/init/Makefile.am 2013-11-01 13:12:24.357926499 -0400 @@ -1,5 +1,5 @@ -SUBDIRS = 
@@ -20,14 +20,14 @@ diff -urNp strongswan-5.1.0-patched/init/Makefile.am strongswan-5.1.0-current/in if HAVE_SYSTEMD SUBDIRS += systemd -diff -urNp strongswan-5.1.0-patched/init/sysvinit/Makefile.am strongswan-5.1.0-current/init/sysvinit/Makefile.am ---- strongswan-5.1.0-patched/init/sysvinit/Makefile.am 1969-12-31 19:00:00.000000000 -0500 -+++ strongswan-5.1.0-current/init/sysvinit/Makefile.am 2013-07-31 15:56:21.919959000 -0400 +diff -urNp strongswan-5.1.1-patched/init/sysvinit/Makefile.am strongswan-5.1.1-current/init/sysvinit/Makefile.am +--- strongswan-5.1.1-patched/init/sysvinit/Makefile.am 1969-12-31 19:00:00.000000000 -0500 ++++ strongswan-5.1.1-current/init/sysvinit/Makefile.am 2013-11-01 13:12:24.358926499 -0400 @@ -0,0 +1 @@ +noinst_DATA = strongswan -diff -urNp strongswan-5.1.0-patched/init/sysvinit/strongswan strongswan-5.1.0-current/init/sysvinit/strongswan ---- strongswan-5.1.0-patched/init/sysvinit/strongswan 1969-12-31 19:00:00.000000000 -0500 -+++ strongswan-5.1.0-current/init/sysvinit/strongswan 2013-07-31 15:56:21.920958000 -0400 +diff -urNp strongswan-5.1.1-patched/init/sysvinit/strongswan strongswan-5.1.1-current/init/sysvinit/strongswan +--- strongswan-5.1.1-patched/init/sysvinit/strongswan 1969-12-31 19:00:00.000000000 -0500 ++++ strongswan-5.1.1-current/init/sysvinit/strongswan 2013-11-01 13:12:24.358926499 -0400 @@ -0,0 +1,100 @@ +#!/bin/sh +# 
@@ -129,9 +129,9 @@ diff -urNp strongswan-5.1.0-patched/init/sysvinit/strongswan strongswan-5.1.0-cu + exit 2 +esac +exit $? -diff -urNp strongswan-5.1.0-patched/init/sysvinit/strongswan.in strongswan-5.1.0-current/init/sysvinit/strongswan.in ---- strongswan-5.1.0-patched/init/sysvinit/strongswan.in 1969-12-31 19:00:00.000000000 -0500 -+++ strongswan-5.1.0-current/init/sysvinit/strongswan.in 2013-07-31 15:56:21.919959000 -0400 +diff -urNp strongswan-5.1.1-patched/init/sysvinit/strongswan.in strongswan-5.1.1-current/init/sysvinit/strongswan.in +--- strongswan-5.1.1-patched/init/sysvinit/strongswan.in 1969-12-31 19:00:00.000000000 -0500 ++++ strongswan-5.1.1-current/init/sysvinit/strongswan.in 2013-11-01 13:12:24.359926499 -0400 @@ -0,0 +1,100 @@ +#!/bin/sh +# diff --git a/strongswan-pts-ecp-disable.patch b/strongswan-pts-ecp-disable.patch index 59054eb..4f5c141 100644 --- a/strongswan-pts-ecp-disable.patch +++ b/strongswan-pts-ecp-disable.patch @@ -1,6 +1,6 @@ -diff -urNp strongswan-5.1.0-patched/src/libpts/pts/pts_dh_group.c strongswan-5.1.0-current/src/libpts/pts/pts_dh_group.c ---- strongswan-5.1.0-patched/src/libpts/pts/pts_dh_group.c 2013-08-06 17:16:36.238031476 -0400 -+++ strongswan-5.1.0-current/src/libpts/pts/pts_dh_group.c 2013-08-06 17:44:48.005036651 -0400 +diff -urNp strongswan-5.1.1-patched/src/libpts/pts/pts_dh_group.c strongswan-5.1.1-current/src/libpts/pts/pts_dh_group.c +--- strongswan-5.1.1-patched/src/libpts/pts/pts_dh_group.c 2013-11-01 13:12:05.985927156 -0400 ++++ strongswan-5.1.1-current/src/libpts/pts/pts_dh_group.c 2013-11-01 13:15:12.192920500 -0400 @@ -74,6 +74,16 @@ bool pts_dh_group_probe(pts_dh_group_t * { DBG1(DBG_PTS, format2, "mandatory", diffie_hellman_group_names, From 1ca0c0e019e7c204ce94744257e1c2f9e732998c Mon Sep 17 00:00:00 2001 
From: Avesh Agarwal Date: Mon, 2 Dec 2013 16:11:46 -0500 Subject: [PATCH 20/20] Resolves: 973315 - Resolves: 1036844 --- libstrongswan-973315.patch | 137 +++++++++++++++++++++++++++++++++++++ strongswan-1036844.patch | 22 ++++++ strongswan.spec | 10 ++- 3 files changed, 168 insertions(+), 1 deletion(-) create mode 100644 libstrongswan-973315.patch create mode 100644 strongswan-1036844.patch diff --git a/libstrongswan-973315.patch b/libstrongswan-973315.patch new file mode 100644 index 0000000..20710b3 --- /dev/null +++ b/libstrongswan-973315.patch 
@@ -0,0 +1,137 @@ +diff -urNp strongswan-5.1.1-patched/src/libstrongswan/Makefile.am strongswan-5.1.1-current/src/libstrongswan/Makefile.am +--- strongswan-5.1.1-patched/src/libstrongswan/Makefile.am 2013-11-01 13:12:06.038927154 -0400 ++++ strongswan-5.1.1-current/src/libstrongswan/Makefile.am 2013-12-02 15:22:56.501380158 -0500 +@@ -102,6 +102,8 @@ AM_CFLAGS = \ + AM_LDFLAGS = \ + -no-undefined + ++AM_LDFLAGS = -rdynamic ++ + if USE_LEAK_DETECTIVE + AM_CPPFLAGS += -DLEAK_DETECTIVE + libstrongswan_la_SOURCES += utils/leak_detective.c +diff -urNp strongswan-5.1.1-patched/src/libstrongswan/plugins/cmac/Makefile.am strongswan-5.1.1-current/src/libstrongswan/plugins/cmac/Makefile.am +--- strongswan-5.1.1-patched/src/libstrongswan/plugins/cmac/Makefile.am 2013-11-01 13:12:06.045927153 -0400 ++++ strongswan-5.1.1-current/src/libstrongswan/plugins/cmac/Makefile.am 2013-12-02 15:22:56.502380158 -0500 +@@ -13,4 +13,5 @@ endif + libstrongswan_cmac_la_SOURCES = \ + cmac_plugin.h cmac_plugin.c cmac.h cmac.c + +-libstrongswan_cmac_la_LDFLAGS = -module -avoid-version ++libstrongswan_cmac_la_LDFLAGS = -no-undefined -module -avoid-version ++libstrongswan_cmac_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +\ No newline at end of file +diff -urNp strongswan-5.1.1-patched/src/libstrongswan/plugins/constraints/Makefile.am strongswan-5.1.1-current/src/libstrongswan/plugins/constraints/Makefile.am +--- strongswan-5.1.1-patched/src/libstrongswan/plugins/constraints/Makefile.am 2013-11-01 13:12:06.054927153 -0400 ++++ strongswan-5.1.1-current/src/libstrongswan/plugins/constraints/Makefile.am 2013-12-02 15:22:56.526380158 -0500 +@@ -14,4 +14,5 @@ libstrongswan_constraints_la_SOURCES = \ + constraints_plugin.h constraints_plugin.c \ + constraints_validator.h constraints_validator.c + +-libstrongswan_constraints_la_LDFLAGS = -module -avoid-version ++libstrongswan_constraints_la_LDFLAGS = -no-undefined -module -avoid-version ++libstrongswan_constraints_la_LIBADD = 
$(top_builddir)/src/libstrongswan/libstrongswan.la +diff -urNp strongswan-5.1.1-patched/src/libstrongswan/plugins/hmac/Makefile.am strongswan-5.1.1-current/src/libstrongswan/plugins/hmac/Makefile.am +--- strongswan-5.1.1-patched/src/libstrongswan/plugins/hmac/Makefile.am 2013-11-01 13:12:06.051927153 -0400 ++++ strongswan-5.1.1-current/src/libstrongswan/plugins/hmac/Makefile.am 2013-12-02 15:22:56.526380158 -0500 +@@ -13,4 +13,5 @@ endif + libstrongswan_hmac_la_SOURCES = \ + hmac_plugin.h hmac_plugin.c hmac.h hmac.c + +-libstrongswan_hmac_la_LDFLAGS = -module -avoid-version ++libstrongswan_hmac_la_LDFLAGS = -no-undefined -module -avoid-version ++libstrongswan_hmac_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +diff -urNp strongswan-5.1.1-patched/src/libstrongswan/plugins/nonce/Makefile.am strongswan-5.1.1-current/src/libstrongswan/plugins/nonce/Makefile.am +--- strongswan-5.1.1-patched/src/libstrongswan/plugins/nonce/Makefile.am 2013-11-01 13:12:06.053927153 -0400 ++++ strongswan-5.1.1-current/src/libstrongswan/plugins/nonce/Makefile.am 2013-12-02 15:22:56.527380158 -0500 +@@ -14,4 +14,5 @@ libstrongswan_nonce_la_SOURCES = \ + nonce_plugin.h nonce_plugin.c \ + nonce_nonceg.c nonce_nonceg.h + +-libstrongswan_nonce_la_LDFLAGS = -module -avoid-version ++libstrongswan_nonce_la_LDFLAGS = -no-undefined -module -avoid-version ++libstrongswan_nonce_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +diff -urNp strongswan-5.1.1-patched/src/libstrongswan/plugins/openssl/Makefile.am strongswan-5.1.1-current/src/libstrongswan/plugins/openssl/Makefile.am +--- strongswan-5.1.1-patched/src/libstrongswan/plugins/openssl/Makefile.am 2013-11-01 13:12:06.050927153 -0400 ++++ strongswan-5.1.1-current/src/libstrongswan/plugins/openssl/Makefile.am 2013-12-02 15:22:56.527380158 -0500 +@@ -31,5 +31,6 @@ libstrongswan_openssl_la_SOURCES = \ + openssl_hmac.c openssl_hmac.h \ + openssl_gcm.c openssl_gcm.h + +-libstrongswan_openssl_la_LDFLAGS = -module 
-avoid-version
+-libstrongswan_openssl_la_LIBADD = -lcrypto
++libstrongswan_openssl_la_LDFLAGS = -no-undefined -module -avoid-version
++libstrongswan_openssl_la_LIBADD = -lcrypto \
++ $(top_builddir)/src/libstrongswan/libstrongswan.la
+diff -urNp strongswan-5.1.1-patched/src/libstrongswan/plugins/pem/Makefile.am strongswan-5.1.1-current/src/libstrongswan/plugins/pem/Makefile.am
+--- strongswan-5.1.1-patched/src/libstrongswan/plugins/pem/Makefile.am 2013-11-01 13:12:06.045927153 -0400
++++ strongswan-5.1.1-current/src/libstrongswan/plugins/pem/Makefile.am 2013-12-02 15:22:56.527380158 -0500
+@@ -15,4 +15,5 @@ libstrongswan_pem_la_SOURCES = \
+ pem_builder.c pem_builder.h \
+ pem_encoder.c pem_encoder.h
+
+-libstrongswan_pem_la_LDFLAGS = -module -avoid-version
++libstrongswan_pem_la_LDFLAGS = -no-undefined -module -avoid-version
++libstrongswan_pem_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+diff -urNp strongswan-5.1.1-patched/src/libstrongswan/plugins/pgp/Makefile.am strongswan-5.1.1-current/src/libstrongswan/plugins/pgp/Makefile.am
+--- strongswan-5.1.1-patched/src/libstrongswan/plugins/pgp/Makefile.am 2013-11-01 13:12:06.047927153 -0400
++++ strongswan-5.1.1-current/src/libstrongswan/plugins/pgp/Makefile.am 2013-12-02 15:22:56.528380158 -0500
+@@ -17,4 +17,5 @@ libstrongswan_pgp_la_SOURCES = \
+ pgp_encoder.h pgp_encoder.c \
+ pgp_builder.h pgp_builder.c
+
+-libstrongswan_pgp_la_LDFLAGS = -module -avoid-version
++libstrongswan_pgp_la_LDFLAGS = -no-undefined -module -avoid-version
++libstrongswan_pgp_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+diff -urNp strongswan-5.1.1-patched/src/libstrongswan/plugins/random/Makefile.am strongswan-5.1.1-current/src/libstrongswan/plugins/random/Makefile.am
+--- strongswan-5.1.1-patched/src/libstrongswan/plugins/random/Makefile.am 2013-11-01 13:12:06.043927154 -0400
++++ strongswan-5.1.1-current/src/libstrongswan/plugins/random/Makefile.am 2013-12-02 15:22:56.528380158 -0500
+@@ -16,4 +16,5 @@ libstrongswan_random_la_SOURCES = \
+ random_plugin.h random_plugin.c \
+ random_rng.c random_rng.h
+
+-libstrongswan_random_la_LDFLAGS = -module -avoid-version
++libstrongswan_random_la_LDFLAGS = -no-undefined -module -avoid-version
++libstrongswan_random_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+diff -urNp strongswan-5.1.1-patched/src/libstrongswan/plugins/revocation/Makefile.am strongswan-5.1.1-current/src/libstrongswan/plugins/revocation/Makefile.am
+--- strongswan-5.1.1-patched/src/libstrongswan/plugins/revocation/Makefile.am 2013-11-01 13:12:06.058927153 -0400
++++ strongswan-5.1.1-current/src/libstrongswan/plugins/revocation/Makefile.am 2013-12-02 15:22:56.528380158 -0500
+@@ -14,4 +14,5 @@ libstrongswan_revocation_la_SOURCES = \
+ revocation_plugin.h revocation_plugin.c \
+ revocation_validator.h revocation_validator.c
+
+-libstrongswan_revocation_la_LDFLAGS = -module -avoid-version
++libstrongswan_revocation_la_LDFLAGS = -no-undefined -module -avoid-version
++libstrongswan_revocation_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+diff -urNp strongswan-5.1.1-patched/src/libstrongswan/plugins/sqlite/Makefile.am strongswan-5.1.1-current/src/libstrongswan/plugins/sqlite/Makefile.am
+--- strongswan-5.1.1-patched/src/libstrongswan/plugins/sqlite/Makefile.am 2013-11-01 13:12:06.051927153 -0400
++++ strongswan-5.1.1-current/src/libstrongswan/plugins/sqlite/Makefile.am 2013-12-02 15:22:56.547380158 -0500
+@@ -14,5 +14,6 @@ libstrongswan_sqlite_la_SOURCES = \
+ sqlite_plugin.h sqlite_plugin.c \
+ sqlite_database.h sqlite_database.c
+
+-libstrongswan_sqlite_la_LDFLAGS = -module -avoid-version
+-libstrongswan_sqlite_la_LIBADD = -lsqlite3
++libstrongswan_sqlite_la_LDFLAGS = -no-undefined -module -avoid-version
++libstrongswan_sqlite_la_LIBADD = -lsqlite3 \
++ $(top_builddir)/src/libstrongswan/libstrongswan.la
+diff -urNp strongswan-5.1.1-patched/src/libstrongswan/plugins/x509/Makefile.am strongswan-5.1.1-current/src/libstrongswan/plugins/x509/Makefile.am
+--- strongswan-5.1.1-patched/src/libstrongswan/plugins/x509/Makefile.am 2013-11-01 13:12:06.056927153 -0400
++++ strongswan-5.1.1-current/src/libstrongswan/plugins/x509/Makefile.am 2013-12-02 15:22:56.548380158 -0500
+@@ -19,4 +19,5 @@ libstrongswan_x509_la_SOURCES = \
+ x509_ocsp_request.h x509_ocsp_request.c \
+ x509_ocsp_response.h x509_ocsp_response.c
+
+-libstrongswan_x509_la_LDFLAGS = -module -avoid-version
++libstrongswan_x509_la_LDFLAGS = -no-undefined -module -avoid-version
++libstrongswan_x509_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+diff -urNp strongswan-5.1.1-patched/src/libstrongswan/plugins/xcbc/Makefile.am strongswan-5.1.1-current/src/libstrongswan/plugins/xcbc/Makefile.am
+--- strongswan-5.1.1-patched/src/libstrongswan/plugins/xcbc/Makefile.am 2013-11-01 13:12:06.059927153 -0400
++++ strongswan-5.1.1-current/src/libstrongswan/plugins/xcbc/Makefile.am 2013-12-02 15:22:56.561380158 -0500
+@@ -13,4 +13,5 @@ endif
+ libstrongswan_xcbc_la_SOURCES = \
+ xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c
+
+-libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version
++libstrongswan_xcbc_la_LDFLAGS = -no-undefined -module -avoid-version
++libstrongswan_xcbc_la_LIBADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
diff --git a/strongswan-1036844.patch b/strongswan-1036844.patch
new file mode 100644
index 0000000..f221f80
--- /dev/null
+++ b/strongswan-1036844.patch
@@ -0,0 +1,22 @@ +diff -urNp strongswan-5.1.1-patched/configure.ac strongswan-5.1.1-current/configure.ac +--- strongswan-5.1.1-patched/configure.ac 2013-11-01 13:14:29.753922017 -0400 ++++ strongswan-5.1.1-current/configure.ac 2013-12-02 15:33:47.530389926 -0500 +@@ -20,7 +20,17 @@ + # ============================ + + AC_INIT([strongSwan],[5.1.1]) +-AM_INIT_AUTOMAKE([tar-ustar subdir-objects]) ++AM_INIT_AUTOMAKE(m4_esyscmd([ ++ echo tar-ustar ++ echo subdir-objects ++ case `automake --version | head -n 1` in ++ *" 1.9"*);; ++ *" 1.10"*);; ++ *" 1.11"*);; ++ # don't use parallel test harness in 1.12 and up ++ *) echo serial-tests;; ++ esac ++])) + m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES]) + AC_CONFIG_MACRO_DIR([m4/config]) + AC_CONFIG_HEADERS([config.h]) diff --git a/strongswan.spec b/strongswan.spec index f7e2d23..8235f5c 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -9,7 +9,7 @@ Name: strongswan Version: 5.1.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: An OpenSource IPsec-based VPN Solution Group: System Environment/Daemons License: GPLv2+ @@ -19,6 +19,8 @@ Patch0: strongswan-init.patch Patch1: strongswan-pts-ecp-disable.patch Patch2: libstrongswan-plugin.patch Patch3: libstrongswan-settings-debug.patch +Patch4: libstrongswan-973315.patch +Patch5: strongswan-1036844.patch BuildRequires: gmp-devel autoconf automake BuildRequires: libcurl-devel @@ -79,6 +81,8 @@ implementation possessing a standard IF-IMC/IMV interface. %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 +%patch5 -p1 echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora @@ -332,6 +336,10 @@ fi %changelog +* Mon Dec 2 2013 Avesh Agarwal - 5.1.1-2 +- Resolves: 973315 +- Resolves: 1036844 + * Fri Nov 1 2013 Avesh Agarwal - 5.1.1-1 - Support for PT-TLS (RFC 6876) - Support for SWID IMC/IMV
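Review bot: In the configure.ac hunk carried by strongswan-1036844.patch, the version probe inside `m4_esyscmd` runs whichever `automake` is first on PATH, which need not be the binary autoreconf uses when `AUTOMAKE` is overridden, so the `serial-tests` decision can be taken against the wrong version. Probing the same variable would close that gap: change `automake --version` to `${AUTOMAKE:-automake} --version` in the `case` line. The `*)` arm also emits `serial-tests` when the command prints nothing (for example automake missing from the build root), which an automake older than 1.12 would presumably reject as an unknown option. A line above the macro such as `dnl serial-tests exists only in automake >= 1.12, so the option list is generated at autoconf time` would document why a shell command runs during configure generation. Because the patch edits configure.ac rather than configure, it only takes effect if the spec regenerates configure after `%prep`; that step is not visible in these hunks.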