rhbz#981429: New upstream release

- Fixes CVE-2013-5018: rhbz#991216, rhbz#991215 - Fixes rhbz#991859 failed to build in rawhide - Updated local patches and removed which are not needed - Fixed errors around charon-nm - Added plugins libstrongswan-pkcs12.so, libstrongswan-rc2.so, libstrongswan-sshkey.so - Added utility imv_policy_manager
2013-08-07 16:12:08 -04:00
parent 3bdb50eb15
commit 634a38ad93
11 changed files with 160 additions and 260 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 /strongswan-5.0.2.tar.bz2
 /strongswan-5.0.3.tar.bz2
 /strongswan-5.0.4.tar.bz2
 /strongswan-5.1.0.tar.bz2
--- a/libimcv-attestatiom-imv-crash.patch
+++ b/libimcv-attestatiom-imv-crash.patch
@@ -1,27 +0,0 @@
 diff -urNp strongswan-5.0.4-patched/src/libpts/plugins/imv_attestation/imv_attestation.c strongswan-5.0.4-current/src/libpts/plugins/imv_attestation/imv_attestation.c
 --- strongswan-5.0.4-patched/src/libpts/plugins/imv_attestation/imv_attestation.c	2013-05-01 15:50:51.331560749 -0400
 +++ strongswan-5.0.4-current/src/libpts/plugins/imv_attestation/imv_attestation.c	2013-06-28 11:10:30.703893643 -0400
@@ -90,11 +90,6 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID
 		DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
 		return TNC_RESULT_ALREADY_INITIALIZED;
 	}
 -	if (!pts_meas_algo_probe(&supported_algorithms) ||
 -		!pts_dh_group_probe(&supported_dh_groups))
 -	{
 -		return TNC_RESULT_FATAL;
 -	}
 	imv_attestation = imv_agent_create(imv_name, msg_types, countof(msg_types),
 									   imv_id, actual_version);
 	if (!imv_attestation)
@@ -104,6 +99,11 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID
 	libpts_init();
 +	if (!pts_meas_algo_probe(&supported_algorithms) ||
 +		!pts_dh_group_probe(&supported_dh_groups))
 +	{
 +		return TNC_RESULT_FATAL;
 +	}
 	if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
 	{
 		DBG1(DBG_IMV, "no common IF-IMV version");
--- a/libstrongswan-plugin.patch
+++ b/libstrongswan-plugin.patch
@@ -1,8 +1,8 @@
-diff -urNp strongswan-5.0.4-patched/src/libstrongswan/plugins/plugin_loader.c strongswan-5.0.4-current/src/libstrongswan/plugins/plugin_loader.c
+diff -urNp strongswan-5.1.0-patched/src/libstrongswan/plugins/plugin_loader.c strongswan-5.1.0-current/src/libstrongswan/plugins/plugin_loader.c
--- strongswan-5.0.4-patched/src/libstrongswan/plugins/plugin_loader.c	2013-05-01 15:50:51.375560719 -0400
+--- strongswan-5.1.0-patched/src/libstrongswan/plugins/plugin_loader.c	2013-08-06 17:16:36.266031511 -0400
-+++ strongswan-5.0.4-current/src/libstrongswan/plugins/plugin_loader.c	2013-05-22 16:30:24.121091911 -0400
+++ strongswan-5.1.0-current/src/libstrongswan/plugins/plugin_loader.c	2013-08-06 17:49:15.703354848 -0400
-@@ -267,7 +267,7 @@ static bool load_plugin(private_plugin_l
+@@ -353,7 +353,7 @@ static plugin_entry_t *load_plugin(priva
- 			return FALSE;
+ 			return NULL;
 		}
 	}
 -	handle = dlopen(file, RTLD_LAZY);
--- a/libstrongswan-settings-debug.patch
+++ b/libstrongswan-settings-debug.patch
@@ -1,7 +1,7 @@
-diff -urNp strongswan-5.0.4-patched/src/libstrongswan/utils/settings.c strongswan-5.0.4-current/src/libstrongswan/utils/settings.c
+diff -urNp strongswan-5.1.0-patched/src/libstrongswan/utils/settings.c strongswan-5.1.0-current/src/libstrongswan/utils/settings.c
--- strongswan-5.0.4-patched/src/libstrongswan/utils/settings.c	2013-05-01 15:50:51.337560745 -0400
+--- strongswan-5.1.0-patched/src/libstrongswan/utils/settings.c	2013-08-06 17:16:36.244031484 -0400
-+++ strongswan-5.0.4-current/src/libstrongswan/utils/settings.c	2013-06-18 13:13:27.801428152 -0400
+++ strongswan-5.1.0-current/src/libstrongswan/utils/settings.c	2013-08-06 17:52:43.272606717 -0400
-@@ -940,7 +940,7 @@ static bool parse_file(linked_list_t *co
+@@ -960,7 +960,7 @@ static bool parse_file(linked_list_t *co
 	{
 		if (errno == ENOENT)
 		{
@@ -10,7 +10,7 @@ diff -urNp strongswan-5.0.4-patched/src/libstrongswan/utils/settings.c strongswa
 			return TRUE;
 		}
 		DBG1(DBG_LIB, "failed to stat '%s': %s", file, strerror(errno));
-@@ -1003,7 +1003,7 @@ static bool parse_files(linked_list_t *c
+@@ -1023,7 +1023,7 @@ static bool parse_files(linked_list_t *c
 	if (!strlen(pattern))
 	{
@@ -19,7 +19,7 @@ diff -urNp strongswan-5.0.4-patched/src/libstrongswan/utils/settings.c strongswa
 		return TRUE;
 	}
-@@ -1035,7 +1035,7 @@ static bool parse_files(linked_list_t *c
+@@ -1055,7 +1055,7 @@ static bool parse_files(linked_list_t *c
 		status = glob(pat, GLOB_ERR, NULL, &buf);
 		if (status == GLOB_NOMATCH)
 		{
--- a/2
+++ b/2
@@ -1 +1 @@
-0ab0397b44b197febfd0f89148344035  strongswan-5.0.4.tar.bz2
+c1cd0a3ba9960f590cae28c8470800e8  strongswan-5.1.0.tar.bz2
--- a/strongswan-Change-ipsec-scepclient-to-strongswan-scepclient.patch
+++ b/strongswan-Change-ipsec-scepclient-to-strongswan-scepclient.patch
@@ -1,25 +0,0 @@
 From c282e8fa3c55a9d0046a3119d7b2a3fe07d83c37 Mon Sep 17 00:00:00 2001
 From: Jamie Nguyen <j@jamielinux.com>
 Date: Mon, 15 Jul 2013 22:31:34 +0100
 Subject: [PATCH] Change 'ipsec scepclient' to 'strongswan scepclent'
 ---
 src/starter/starter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/starter/starter.c b/src/starter/starter.c
 index 917e52d..868b224 100644
 --- a/src/starter/starter.c
 +++ b/src/starter/starter.c
@@ -293,7 +293,7 @@ static void generate_selfcert()
 #endif
 		setegid(gid);
 		seteuid(uid);
 -		ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet"));
 +		ignore_result(system("strongswan scepclient --out pkcs1 --out cert-self --quiet"));
 		seteuid(0);
 		setegid(0);
 -- 
 1.8.3.1
--- a/strongswan-Change-ipsec-updown-to-strongswan-updown.patch
+++ b/strongswan-Change-ipsec-updown-to-strongswan-updown.patch
@@ -1,25 +0,0 @@
 From daa81c04068956ff34fb0efb72956401969a8d9b Mon Sep 17 00:00:00 2001
 From: Jamie Nguyen <j@jamielinux.com>
 Date: Mon, 15 Jul 2013 13:42:14 +0100
 Subject: [PATCH] Change 'ipsec _updown' to 'strongswan _updown'
 ---
 src/starter/confread.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/starter/confread.c b/src/starter/confread.c
 index f0f05b0..ffd44c0 100644
 --- a/src/starter/confread.c
 +++ b/src/starter/confread.c
@@ -38,7 +38,7 @@
 static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536";
 static const char esp_defaults[] = "aes128-sha1,3des-sha1";
 -static const char firewall_defaults[] = "ipsec _updown iptables";
 +static const char firewall_defaults[] = "strongswan _updown iptables";
 static bool daemon_exists(char *daemon, char *path)
 {
 -- 
 1.8.3.1
--- a/strongswan-init.patch
+++ b/strongswan-init.patch
@@ -1,130 +1,7 @@
-Index: strongswan-5.0.0/init/Makefile.am
+diff -urNp strongswan-5.1.0-patched/configure.ac strongswan-5.1.0-current/configure.ac
-===================================================================
+--- strongswan-5.1.0-patched/configure.ac	2013-08-06 17:16:36.279031528 -0400
--- strongswan-5.0.0.orig/init/Makefile.am
+++ strongswan-5.1.0-current/configure.ac	2013-08-06 17:35:01.750380445 -0400
-+++ strongswan-5.0.0/init/Makefile.am
+@@ -1311,6 +1311,8 @@ AC_CONFIG_FILES([
@@ -1,5 +1,5 @@
 -SUBDIRS =
 +SUBDIRS = sysvinit
 if HAVE_SYSTEMD
   SUBDIRS += systemd
 Index: strongswan-5.0.0/init/sysvinit/Makefile.am
 ===================================================================
 --- /dev/null
 +++ strongswan-5.0.0/init/sysvinit/Makefile.am
@@ -0,0 +1 @@
 +noinst_DATA = strongswan
 Index: strongswan-5.0.0/init/sysvinit/strongswan.in
 ===================================================================
 --- /dev/null
 +++ strongswan-5.0.0/init/sysvinit/strongswan.in
@@ -0,0 +1,100 @@
 +#!/bin/sh
 +#
 +# strongswan   An implementation of key management system for IPsec
 +#
 +# chkconfig:   - 48 52
 +# description: Starts or stops the Strongswan daemon.
 +
 +### BEGIN INIT INFO
 +# Provides: ipsec
 +# Required-Start: $network $remote_fs $syslog $named
 +# Required-Stop: $syslog $remote_fs
 +# Default-Start:
 +# Default-Stop: 0 1 6
 +# Short-Description: Start Strongswan daemons at boot time
 +### END INIT INFO
 +
 +# Source function library.
 +. /etc/rc.d/init.d/functions
 +
 +exec="@sbindir@/@ipsec_script@"
 +prog="strongswan"
 +status_prog="starter"
 +config="/etc/strongswan/strongswan.conf"
 +
 +lockfile=/var/lock/subsys/$prog
 +
 +start() {
 +    [ -x $exec ] || exit 5
 +    [ -f $config ] || exit 6
 +    echo -n $"Starting $prog: "
 +    daemon $exec start
 +    retval=$?
 +    echo
 +    [ $retval -eq 0 ] && touch $lockfile
 +    return $retval
 +}
 +
 +stop() {
 +    echo -n $"Stopping $prog: "
 +    $exec stop
 +    retval=$?
 +    echo
 +    [ $retval -eq 0 ] && rm -f $lockfile
 +    return $retval
 +}
 +
 +restart() {
 +    stop
 +    start
 +}
 +
 +reload() {
 +    restart
 +}
 +
 +force_reload() {
 +    restart
 +}
 +
 +_status() {
 +    # run checks to determine if the service is running or use generic status
 +    status $status_prog
 +}
 +
 +_status_q() {
 +    _status >/dev/null 2>&1
 +}
 +
 +
 +case "$1" in
 +    start)
 +        _status_q && exit 0
 +        $1
 +        ;;
 +    stop)
 +        _status_q || exit 0
 +        $1
 +        ;;
 +    restart)
 +        $1
 +        ;;
 +    reload)
 +        _status_q || exit 7
 +        $1
 +        ;;
 +    force-reload)
 +        force_reload
 +        ;;
 +    status)
 +        _status
 +        ;;
 +    condrestart|try-restart)
 +        _status_q || exit 0
 +        restart
 +        ;;
 +    *)
 +        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
 +        exit 2
 +esac
 +exit $?
 Index: strongswan-5.0.0/configure.in
 ===================================================================
 --- strongswan-5.0.0.orig/configure.in
 +++ strongswan-5.0.0/configure.in
@@ -1082,6 +1082,8 @@ AC_OUTPUT(
 	man/Makefile
 	init/Makefile
 	init/systemd/Makefile
@@ -133,10 +10,24 @@ Index: strongswan-5.0.0/configure.in
 	src/Makefile
 	src/include/Makefile
 	src/libstrongswan/Makefile
-Index: strongswan-5.0.0/init/sysvinit/strongswan
+diff -urNp strongswan-5.1.0-patched/init/Makefile.am strongswan-5.1.0-current/init/Makefile.am
-===================================================================
+--- strongswan-5.1.0-patched/init/Makefile.am	2013-08-06 17:16:36.279031528 -0400
--- /dev/null
+++ strongswan-5.1.0-current/init/Makefile.am	2013-08-06 17:36:19.905472912 -0400
-+++ strongswan-5.0.0/init/sysvinit/strongswan
+@@ -1,5 +1,5 @@
 -SUBDIRS =
 +SUBDIRS = sysvinit
 if HAVE_SYSTEMD
   SUBDIRS += systemd
 diff -urNp strongswan-5.1.0-patched/init/sysvinit/Makefile.am strongswan-5.1.0-current/init/sysvinit/Makefile.am
 --- strongswan-5.1.0-patched/init/sysvinit/Makefile.am	1969-12-31 19:00:00.000000000 -0500
 +++ strongswan-5.1.0-current/init/sysvinit/Makefile.am	2013-07-31 15:56:21.919959000 -0400
@@ -0,0 +1 @@
 +noinst_DATA = strongswan
 diff -urNp strongswan-5.1.0-patched/init/sysvinit/strongswan strongswan-5.1.0-current/init/sysvinit/strongswan
 --- strongswan-5.1.0-patched/init/sysvinit/strongswan	1969-12-31 19:00:00.000000000 -0500
 +++ strongswan-5.1.0-current/init/sysvinit/strongswan	2013-07-31 15:56:21.920958000 -0400
@@ -0,0 +1,100 @@
 +#!/bin/sh
 +#
@@ -238,3 +129,107 @@ Index: strongswan-5.0.0/init/sysvinit/strongswan
 +        exit 2
 +esac
 +exit $?
 diff -urNp strongswan-5.1.0-patched/init/sysvinit/strongswan.in strongswan-5.1.0-current/init/sysvinit/strongswan.in
 --- strongswan-5.1.0-patched/init/sysvinit/strongswan.in	1969-12-31 19:00:00.000000000 -0500
 +++ strongswan-5.1.0-current/init/sysvinit/strongswan.in	2013-07-31 15:56:21.919959000 -0400
@@ -0,0 +1,100 @@
 +#!/bin/sh
 +#
 +# strongswan   An implementation of key management system for IPsec
 +#
 +# chkconfig:   - 48 52
 +# description: Starts or stops the Strongswan daemon.
 +
 +### BEGIN INIT INFO
 +# Provides: ipsec
 +# Required-Start: $network $remote_fs $syslog $named
 +# Required-Stop: $syslog $remote_fs
 +# Default-Start:
 +# Default-Stop: 0 1 6
 +# Short-Description: Start Strongswan daemons at boot time
 +### END INIT INFO
 +
 +# Source function library.
 +. /etc/rc.d/init.d/functions
 +
 +exec="@sbindir@/@ipsec_script@"
 +prog="strongswan"
 +status_prog="starter"
 +config="/etc/strongswan/strongswan.conf"
 +
 +lockfile=/var/lock/subsys/$prog
 +
 +start() {
 +    [ -x $exec ] || exit 5
 +    [ -f $config ] || exit 6
 +    echo -n $"Starting $prog: "
 +    daemon $exec start
 +    retval=$?
 +    echo
 +    [ $retval -eq 0 ] && touch $lockfile
 +    return $retval
 +}
 +
 +stop() {
 +    echo -n $"Stopping $prog: "
 +    $exec stop
 +    retval=$?
 +    echo
 +    [ $retval -eq 0 ] && rm -f $lockfile
 +    return $retval
 +}
 +
 +restart() {
 +    stop
 +    start
 +}
 +
 +reload() {
 +    restart
 +}
 +
 +force_reload() {
 +    restart
 +}
 +
 +_status() {
 +    # run checks to determine if the service is running or use generic status
 +    status $status_prog
 +}
 +
 +_status_q() {
 +    _status >/dev/null 2>&1
 +}
 +
 +
 +case "$1" in
 +    start)
 +        _status_q && exit 0
 +        $1
 +        ;;
 +    stop)
 +        _status_q || exit 0
 +        $1
 +        ;;
 +    restart)
 +        $1
 +        ;;
 +    reload)
 +        _status_q || exit 7
 +        $1
 +        ;;
 +    force-reload)
 +        force_reload
 +        ;;
 +    status)
 +        _status
 +        ;;
 +    condrestart|try-restart)
 +        _status_q || exit 0
 +        restart
 +        ;;
 +    *)
 +        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
 +        exit 2
 +esac
 +exit $?
--- a/strongswan-pts-ecp-disable.patch
+++ b/strongswan-pts-ecp-disable.patch
@@ -1,6 +1,6 @@
-diff -urNp strongswan-5.0.4-patched/src/libpts/pts/pts_dh_group.c strongswan-5.0.4-current/src/libpts/pts/pts_dh_group.c
+diff -urNp strongswan-5.1.0-patched/src/libpts/pts/pts_dh_group.c strongswan-5.1.0-current/src/libpts/pts/pts_dh_group.c
--- strongswan-5.0.4-patched/src/libpts/pts/pts_dh_group.c	2013-05-01 15:50:51.332560748 -0400
+--- strongswan-5.1.0-patched/src/libpts/pts/pts_dh_group.c	2013-08-06 17:16:36.238031476 -0400
-+++ strongswan-5.0.4-current/src/libpts/pts/pts_dh_group.c	2013-05-01 15:57:53.545271367 -0400
+++ strongswan-5.1.0-current/src/libpts/pts/pts_dh_group.c	2013-08-06 17:44:48.005036651 -0400
@@ -74,6 +74,16 @@ bool pts_dh_group_probe(pts_dh_group_t *
 	{
 		DBG1(DBG_PTS, format2, "mandatory", diffie_hellman_group_names,
--- a/strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch
+++ b/strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch
@@ -1,26 +0,0 @@
 From 71d740cac68f83c77d981368a4c041eb620310ed Mon Sep 17 00:00:00 2001
 From: Andreas Steffen <andreas.steffen@strongswan.org>
 Date: Fri, 24 May 2013 12:56:21 +0200
 Subject: [PATCH] Make plugins in standalone libimcv configurable
 ---
 src/libimcv/imcv.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)
 diff --git a/src/libimcv/imcv.c b/src/libimcv/imcv.c
 index 6cee0ad..f9ecf79 100644
 --- a/src/libimcv/imcv.c
 +++ b/src/libimcv/imcv.c
@@ -118,7 +118,8 @@ bool libimcv_init(void)
 		openlog("imcv", 0, LOG_DAEMON);
 		if (!lib->plugins->load(lib->plugins, NULL,
 -							"sha1 sha2 random nonce gmp pubkey x509"))
 +				lib->settings->get_str(lib->settings, "libimcv.load",
 +					"random nonce gmp pubkey x509")))
 		{
 			library_deinit();
 			return FALSE;
 -- 
 1.7.4.1
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -8,8 +8,8 @@
 %endif
 Name:           strongswan
-Version:        5.0.4
+Version:        5.1.0
-Release:        5%{?dist}
+Release:        1%{?dist}
 Summary:        An OpenSource IPsec-based VPN Solution
 Group:          System Environment/Daemons
 License:        GPLv2+
@@ -19,10 +19,6 @@ Patch0:         strongswan-init.patch
 Patch1:         strongswan-pts-ecp-disable.patch
 Patch2:         libstrongswan-plugin.patch
 Patch3:         libstrongswan-settings-debug.patch
 Patch4:         strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch
 Patch5:         libimcv-attestatiom-imv-crash.patch
 Patch6:         strongswan-Change-ipsec-updown-to-strongswan-updown.patch
 Patch7:         strongswan-Change-ipsec-scepclient-to-strongswan-scepclient.patch
 BuildRequires:  gmp-devel
 BuildRequires:  libcurl-devel
@@ -36,7 +32,7 @@ BuildRequires:  libxml2-devel
 BuildRequires:  NetworkManager-devel
 BuildRequires:  NetworkManager-glib-devel
 Obsoletes:      %{name}-NetworkManager < 0:5.0.4-5
-Provides:       %{name}-NetworkManager = 0:%{version}-%{release}
+Provides:       %{name}-charon-nm = 0:%{version}-%{release}
 %else
 Obsoletes:      %{name}-NetworkManager < 0:5.0.0-3.git20120619
 %endif
@@ -83,10 +79,6 @@ implementation possessing a standard IF-IMC/IMV interface.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
 echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora
@@ -229,6 +221,9 @@ fi
 %{_libdir}/%{name}/plugins/lib%{name}-pgp.so
 %{_libdir}/%{name}/plugins/lib%{name}-pkcs1.so
 %{_libdir}/%{name}/plugins/lib%{name}-pkcs8.so
 %{_libdir}/%{name}/plugins/lib%{name}-pkcs12.so
 %{_libdir}/%{name}/plugins/lib%{name}-rc2.so
 %{_libdir}/%{name}/plugins/lib%{name}-sshkey.so
 %{_libdir}/%{name}/plugins/lib%{name}-pubkey.so
 %{_libdir}/%{name}/plugins/lib%{name}-random.so
 %{_libdir}/%{name}/plugins/lib%{name}-resolve.so
@@ -263,6 +258,8 @@ fi
 %{_libexecdir}/%{name}/scepclient
 %{_libexecdir}/%{name}/starter
 %{_libexecdir}/%{name}/stroke
 %{_libexecdir}/%{name}/_imv_policy
 %{_libexecdir}/%{name}/imv_policy_manager
 %{_sbindir}/%{name}
 %{_mandir}/man5/%{name}.conf.5.gz
 %{_mandir}/man5/%{name}_ipsec.conf.5.gz
@@ -315,6 +312,16 @@ fi
 %changelog
 * Wed Aug 7 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-1
 - rhbz#981429: New upstream release
 - Fixes CVE-2013-5018: rhbz#991216, rhbz#991215
 - Fixes rhbz#991859 failed to build in rawhide
 - Updated local patches and removed which are not needed
 - Fixed errors around charon-nm
 - Added plugins libstrongswan-pkcs12.so, libstrongswan-rc2.so,
  libstrongswan-sshkey.so
 - Added utility imv_policy_manager
 * Thu Jul 25 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 5.0.4-5
 - rename strongswan-NetworkManager to strongswan-charon-nm
 - fix enable_nm macro
`@@ -1 +1 @@`
	`0ab0397b44b197febfd0f89148344035 strongswan-5.0.4.tar.bz2`	`c1cd0a3ba9960f590cae28c8470800e8 strongswan-5.1.0.tar.bz2`