rhbz#981429: New upstream release

- Fixes CVE-2013-5018: rhbz#991216, rhbz#991215 - Fixes rhbz#991859 failed to build in rawhide - Updated local patches and removed which are not needed - Fixed errors around charon-nm - Added plugins libstrongswan-pkcs12.so, libstrongswan-rc2.so, libstrongswan-sshkey.so - Added utility imv_policy_manager
2013-08-07 16:12:08 -04:00
parent 3bdb50eb15
commit 634a38ad93
11 changed files with 160 additions and 260 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 /strongswan-5.0.2.tar.bz2
 /strongswan-5.0.3.tar.bz2
 /strongswan-5.0.4.tar.bz2
+/strongswan-5.1.0.tar.bz2
--- a/libimcv-attestatiom-imv-crash.patch
+++ b/libimcv-attestatiom-imv-crash.patch
@@ -1,27 +0,0 @@
-diff -urNp strongswan-5.0.4-patched/src/libpts/plugins/imv_attestation/imv_attestation.c strongswan-5.0.4-current/src/libpts/plugins/imv_attestation/imv_attestation.c
--- strongswan-5.0.4-patched/src/libpts/plugins/imv_attestation/imv_attestation.c	2013-05-01 15:50:51.331560749 -0400
-+++ strongswan-5.0.4-current/src/libpts/plugins/imv_attestation/imv_attestation.c	2013-06-28 11:10:30.703893643 -0400
-@@ -90,11 +90,6 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID
- 		DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
- 		return TNC_RESULT_ALREADY_INITIALIZED;
- 	}
-	if (!pts_meas_algo_probe(&supported_algorithms) ||
-		!pts_dh_group_probe(&supported_dh_groups))
-	{
-		return TNC_RESULT_FATAL;
-	}
- 	imv_attestation = imv_agent_create(imv_name, msg_types, countof(msg_types),
- 									   imv_id, actual_version);
- 	if (!imv_attestation)
-@@ -104,6 +99,11 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID
- 
- 	libpts_init();
- 
-+	if (!pts_meas_algo_probe(&supported_algorithms) ||
-+		!pts_dh_group_probe(&supported_dh_groups))
-+	{
-+		return TNC_RESULT_FATAL;
-+	}
- 	if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
- 	{
- 		DBG1(DBG_IMV, "no common IF-IMV version");
--- a/libstrongswan-plugin.patch
+++ b/libstrongswan-plugin.patch
@@ -1,8 +1,8 @@
-diff -urNp strongswan-5.0.4-patched/src/libstrongswan/plugins/plugin_loader.c strongswan-5.0.4-current/src/libstrongswan/plugins/plugin_loader.c
--- strongswan-5.0.4-patched/src/libstrongswan/plugins/plugin_loader.c	2013-05-01 15:50:51.375560719 -0400
-+++ strongswan-5.0.4-current/src/libstrongswan/plugins/plugin_loader.c	2013-05-22 16:30:24.121091911 -0400
-@@ -267,7 +267,7 @@ static bool load_plugin(private_plugin_l
- 			return FALSE;
+diff -urNp strongswan-5.1.0-patched/src/libstrongswan/plugins/plugin_loader.c strongswan-5.1.0-current/src/libstrongswan/plugins/plugin_loader.c
+--- strongswan-5.1.0-patched/src/libstrongswan/plugins/plugin_loader.c	2013-08-06 17:16:36.266031511 -0400
+++ strongswan-5.1.0-current/src/libstrongswan/plugins/plugin_loader.c	2013-08-06 17:49:15.703354848 -0400
+@@ -353,7 +353,7 @@ static plugin_entry_t *load_plugin(priva
+ 			return NULL;
 		}
 	}
 -	handle = dlopen(file, RTLD_LAZY);
--- a/libstrongswan-settings-debug.patch
+++ b/libstrongswan-settings-debug.patch
@@ -1,7 +1,7 @@
-diff -urNp strongswan-5.0.4-patched/src/libstrongswan/utils/settings.c strongswan-5.0.4-current/src/libstrongswan/utils/settings.c
--- strongswan-5.0.4-patched/src/libstrongswan/utils/settings.c	2013-05-01 15:50:51.337560745 -0400
-+++ strongswan-5.0.4-current/src/libstrongswan/utils/settings.c	2013-06-18 13:13:27.801428152 -0400
-@@ -940,7 +940,7 @@ static bool parse_file(linked_list_t *co
+diff -urNp strongswan-5.1.0-patched/src/libstrongswan/utils/settings.c strongswan-5.1.0-current/src/libstrongswan/utils/settings.c
+--- strongswan-5.1.0-patched/src/libstrongswan/utils/settings.c	2013-08-06 17:16:36.244031484 -0400
+++ strongswan-5.1.0-current/src/libstrongswan/utils/settings.c	2013-08-06 17:52:43.272606717 -0400
+@@ -960,7 +960,7 @@ static bool parse_file(linked_list_t *co
 	{
 		if (errno == ENOENT)
 		{
@@ -10,7 +10,7 @@ diff -urNp strongswan-5.0.4-patched/src/libstrongswan/utils/settings.c strongswa
 			return TRUE;
 		}
 		DBG1(DBG_LIB, "failed to stat '%s': %s", file, strerror(errno));
-@@ -1003,7 +1003,7 @@ static bool parse_files(linked_list_t *c
+@@ -1023,7 +1023,7 @@ static bool parse_files(linked_list_t *c
 
 	if (!strlen(pattern))
 	{
@@ -19,7 +19,7 @@ diff -urNp strongswan-5.0.4-patched/src/libstrongswan/utils/settings.c strongswa
 		return TRUE;
 	}
 
-@@ -1035,7 +1035,7 @@ static bool parse_files(linked_list_t *c
+@@ -1055,7 +1055,7 @@ static bool parse_files(linked_list_t *c
 		status = glob(pat, GLOB_ERR, NULL, &buf);
 		if (status == GLOB_NOMATCH)
 		{
--- a/2
+++ b/2
@@ -1 +1 @@
-0ab0397b44b197febfd0f89148344035  strongswan-5.0.4.tar.bz2
+c1cd0a3ba9960f590cae28c8470800e8  strongswan-5.1.0.tar.bz2
--- a/strongswan-Change-ipsec-scepclient-to-strongswan-scepclient.patch
+++ b/strongswan-Change-ipsec-scepclient-to-strongswan-scepclient.patch
@@ -1,25 +0,0 @@
-From c282e8fa3c55a9d0046a3119d7b2a3fe07d83c37 Mon Sep 17 00:00:00 2001
-From: Jamie Nguyen <j@jamielinux.com>
-Date: Mon, 15 Jul 2013 22:31:34 +0100
-Subject: [PATCH] Change 'ipsec scepclient' to 'strongswan scepclent'
-
---
- src/starter/starter.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/starter/starter.c b/src/starter/starter.c
-index 917e52d..868b224 100644
--- a/src/starter/starter.c
-+++ b/src/starter/starter.c
-@@ -293,7 +293,7 @@ static void generate_selfcert()
- #endif
- 		setegid(gid);
- 		seteuid(uid);
-		ignore_result(system("ipsec scepclient --out pkcs1 --out cert-self --quiet"));
-+		ignore_result(system("strongswan scepclient --out pkcs1 --out cert-self --quiet"));
- 		seteuid(0);
- 		setegid(0);
- 
-- 
-1.8.3.1
-
--- a/strongswan-Change-ipsec-updown-to-strongswan-updown.patch
+++ b/strongswan-Change-ipsec-updown-to-strongswan-updown.patch
@@ -1,25 +0,0 @@
-From daa81c04068956ff34fb0efb72956401969a8d9b Mon Sep 17 00:00:00 2001
-From: Jamie Nguyen <j@jamielinux.com>
-Date: Mon, 15 Jul 2013 13:42:14 +0100
-Subject: [PATCH] Change 'ipsec _updown' to 'strongswan _updown'
-
---
- src/starter/confread.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/starter/confread.c b/src/starter/confread.c
-index f0f05b0..ffd44c0 100644
--- a/src/starter/confread.c
-+++ b/src/starter/confread.c
-@@ -38,7 +38,7 @@
- static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536";
- static const char esp_defaults[] = "aes128-sha1,3des-sha1";
- 
-static const char firewall_defaults[] = "ipsec _updown iptables";
-+static const char firewall_defaults[] = "strongswan _updown iptables";
- 
- static bool daemon_exists(char *daemon, char *path)
- {
-- 
-1.8.3.1
-
--- a/strongswan-init.patch
+++ b/strongswan-init.patch
@@ -1,130 +1,7 @@
-Index: strongswan-5.0.0/init/Makefile.am
-===================================================================
--- strongswan-5.0.0.orig/init/Makefile.am
-+++ strongswan-5.0.0/init/Makefile.am
-@@ -1,5 +1,5 @@
- 
-SUBDIRS =
-+SUBDIRS = sysvinit
- 
- if HAVE_SYSTEMD
-   SUBDIRS += systemd
-Index: strongswan-5.0.0/init/sysvinit/Makefile.am
-===================================================================
--- /dev/null
-+++ strongswan-5.0.0/init/sysvinit/Makefile.am
-@@ -0,0 +1 @@
-+noinst_DATA = strongswan
-Index: strongswan-5.0.0/init/sysvinit/strongswan.in
-===================================================================
--- /dev/null
-+++ strongswan-5.0.0/init/sysvinit/strongswan.in
-@@ -0,0 +1,100 @@
-+#!/bin/sh
-+#
-+# strongswan   An implementation of key management system for IPsec
-+#
-+# chkconfig:   - 48 52
-+# description: Starts or stops the Strongswan daemon.
-+
-+### BEGIN INIT INFO
-+# Provides: ipsec
-+# Required-Start: $network $remote_fs $syslog $named
-+# Required-Stop: $syslog $remote_fs
-+# Default-Start:
-+# Default-Stop: 0 1 6
-+# Short-Description: Start Strongswan daemons at boot time
-+### END INIT INFO
-+
-+# Source function library.
-+. /etc/rc.d/init.d/functions
-+
-+exec="@sbindir@/@ipsec_script@"
-+prog="strongswan"
-+status_prog="starter"
-+config="/etc/strongswan/strongswan.conf"
-+
-+lockfile=/var/lock/subsys/$prog
-+
-+start() {
-+    [ -x $exec ] || exit 5
-+    [ -f $config ] || exit 6
-+    echo -n $"Starting $prog: "
-+    daemon $exec start
-+    retval=$?
-+    echo
-+    [ $retval -eq 0 ] && touch $lockfile
-+    return $retval
-+}
-+
-+stop() {
-+    echo -n $"Stopping $prog: "
-+    $exec stop
-+    retval=$?
-+    echo
-+    [ $retval -eq 0 ] && rm -f $lockfile
-+    return $retval
-+}
-+
-+restart() {
-+    stop
-+    start
-+}
-+
-+reload() {
-+    restart
-+}
-+
-+force_reload() {
-+    restart
-+}
-+
-+_status() {
-+    # run checks to determine if the service is running or use generic status
-+    status $status_prog
-+}
-+
-+_status_q() {
-+    _status >/dev/null 2>&1
-+}
-+
-+
-+case "$1" in
-+    start)
-+        _status_q && exit 0
-+        $1
-+        ;;
-+    stop)
-+        _status_q || exit 0
-+        $1
-+        ;;
-+    restart)
-+        $1
-+        ;;
-+    reload)
-+        _status_q || exit 7
-+        $1
-+        ;;
-+    force-reload)
-+        force_reload
-+        ;;
-+    status)
-+        _status
-+        ;;
-+    condrestart|try-restart)
-+        _status_q || exit 0
-+        restart
-+        ;;
-+    *)
-+        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
-+        exit 2
-+esac
-+exit $?
-Index: strongswan-5.0.0/configure.in
-===================================================================
--- strongswan-5.0.0.orig/configure.in
-+++ strongswan-5.0.0/configure.in
-@@ -1082,6 +1082,8 @@ AC_OUTPUT(
+diff -urNp strongswan-5.1.0-patched/configure.ac strongswan-5.1.0-current/configure.ac
+--- strongswan-5.1.0-patched/configure.ac	2013-08-06 17:16:36.279031528 -0400
+++ strongswan-5.1.0-current/configure.ac	2013-08-06 17:35:01.750380445 -0400
+@@ -1311,6 +1311,8 @@ AC_CONFIG_FILES([
 	man/Makefile
 	init/Makefile
 	init/systemd/Makefile
@@ -133,10 +10,24 @@ Index: strongswan-5.0.0/configure.in
 	src/Makefile
 	src/include/Makefile
 	src/libstrongswan/Makefile
-Index: strongswan-5.0.0/init/sysvinit/strongswan
-===================================================================
--- /dev/null
-+++ strongswan-5.0.0/init/sysvinit/strongswan
+diff -urNp strongswan-5.1.0-patched/init/Makefile.am strongswan-5.1.0-current/init/Makefile.am
+--- strongswan-5.1.0-patched/init/Makefile.am	2013-08-06 17:16:36.279031528 -0400
+++ strongswan-5.1.0-current/init/Makefile.am	2013-08-06 17:36:19.905472912 -0400
+@@ -1,5 +1,5 @@
+ 
+-SUBDIRS =
+SUBDIRS = sysvinit
+ 
+ if HAVE_SYSTEMD
+   SUBDIRS += systemd
+diff -urNp strongswan-5.1.0-patched/init/sysvinit/Makefile.am strongswan-5.1.0-current/init/sysvinit/Makefile.am
+--- strongswan-5.1.0-patched/init/sysvinit/Makefile.am	1969-12-31 19:00:00.000000000 -0500
+++ strongswan-5.1.0-current/init/sysvinit/Makefile.am	2013-07-31 15:56:21.919959000 -0400
+@@ -0,0 +1 @@
+noinst_DATA = strongswan
+diff -urNp strongswan-5.1.0-patched/init/sysvinit/strongswan strongswan-5.1.0-current/init/sysvinit/strongswan
+--- strongswan-5.1.0-patched/init/sysvinit/strongswan	1969-12-31 19:00:00.000000000 -0500
+++ strongswan-5.1.0-current/init/sysvinit/strongswan	2013-07-31 15:56:21.920958000 -0400
@@ -0,0 +1,100 @@
 +#!/bin/sh
 +#
@@ -238,3 +129,107 @@ Index: strongswan-5.0.0/init/sysvinit/strongswan
 +        exit 2
 +esac
 +exit $?
+diff -urNp strongswan-5.1.0-patched/init/sysvinit/strongswan.in strongswan-5.1.0-current/init/sysvinit/strongswan.in
+--- strongswan-5.1.0-patched/init/sysvinit/strongswan.in	1969-12-31 19:00:00.000000000 -0500
+++ strongswan-5.1.0-current/init/sysvinit/strongswan.in	2013-07-31 15:56:21.919959000 -0400
+@@ -0,0 +1,100 @@
+#!/bin/sh
+#
+# strongswan   An implementation of key management system for IPsec
+#
+# chkconfig:   - 48 52
+# description: Starts or stops the Strongswan daemon.
+
+### BEGIN INIT INFO
+# Provides: ipsec
+# Required-Start: $network $remote_fs $syslog $named
+# Required-Stop: $syslog $remote_fs
+# Default-Start:
+# Default-Stop: 0 1 6
+# Short-Description: Start Strongswan daemons at boot time
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+exec="@sbindir@/@ipsec_script@"
+prog="strongswan"
+status_prog="starter"
+config="/etc/strongswan/strongswan.conf"
+
+lockfile=/var/lock/subsys/$prog
+
+start() {
+    [ -x $exec ] || exit 5
+    [ -f $config ] || exit 6
+    echo -n $"Starting $prog: "
+    daemon $exec start
+    retval=$?
+    echo
+    [ $retval -eq 0 ] && touch $lockfile
+    return $retval
+}
+
+stop() {
+    echo -n $"Stopping $prog: "
+    $exec stop
+    retval=$?
+    echo
+    [ $retval -eq 0 ] && rm -f $lockfile
+    return $retval
+}
+
+restart() {
+    stop
+    start
+}
+
+reload() {
+    restart
+}
+
+force_reload() {
+    restart
+}
+
+_status() {
+    # run checks to determine if the service is running or use generic status
+    status $status_prog
+}
+
+_status_q() {
+    _status >/dev/null 2>&1
+}
+
+
+case "$1" in
+    start)
+        _status_q && exit 0
+        $1
+        ;;
+    stop)
+        _status_q || exit 0
+        $1
+        ;;
+    restart)
+        $1
+        ;;
+    reload)
+        _status_q || exit 7
+        $1
+        ;;
+    force-reload)
+        force_reload
+        ;;
+    status)
+        _status
+        ;;
+    condrestart|try-restart)
+        _status_q || exit 0
+        restart
+        ;;
+    *)
+        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+        exit 2
+esac
+exit $?
--- a/strongswan-pts-ecp-disable.patch
+++ b/strongswan-pts-ecp-disable.patch
@@ -1,6 +1,6 @@
-diff -urNp strongswan-5.0.4-patched/src/libpts/pts/pts_dh_group.c strongswan-5.0.4-current/src/libpts/pts/pts_dh_group.c
--- strongswan-5.0.4-patched/src/libpts/pts/pts_dh_group.c	2013-05-01 15:50:51.332560748 -0400
-+++ strongswan-5.0.4-current/src/libpts/pts/pts_dh_group.c	2013-05-01 15:57:53.545271367 -0400
+diff -urNp strongswan-5.1.0-patched/src/libpts/pts/pts_dh_group.c strongswan-5.1.0-current/src/libpts/pts/pts_dh_group.c
+--- strongswan-5.1.0-patched/src/libpts/pts/pts_dh_group.c	2013-08-06 17:16:36.238031476 -0400
+++ strongswan-5.1.0-current/src/libpts/pts/pts_dh_group.c	2013-08-06 17:44:48.005036651 -0400
@@ -74,6 +74,16 @@ bool pts_dh_group_probe(pts_dh_group_t *
 	{
 		DBG1(DBG_PTS, format2, "mandatory", diffie_hellman_group_names,
--- a/strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch
+++ b/strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch
@@ -1,26 +0,0 @@
-From 71d740cac68f83c77d981368a4c041eb620310ed Mon Sep 17 00:00:00 2001
-From: Andreas Steffen <andreas.steffen@strongswan.org>
-Date: Fri, 24 May 2013 12:56:21 +0200
-Subject: [PATCH] Make plugins in standalone libimcv configurable
-
---
- src/libimcv/imcv.c |    3 ++-
- 1 files changed, 2 insertions(+), 1 deletions(-)
-
-diff --git a/src/libimcv/imcv.c b/src/libimcv/imcv.c
-index 6cee0ad..f9ecf79 100644
--- a/src/libimcv/imcv.c
-+++ b/src/libimcv/imcv.c
-@@ -118,7 +118,8 @@ bool libimcv_init(void)
- 		openlog("imcv", 0, LOG_DAEMON);
- 
- 		if (!lib->plugins->load(lib->plugins, NULL,
-							"sha1 sha2 random nonce gmp pubkey x509"))
-+				lib->settings->get_str(lib->settings, "libimcv.load",
-+					"random nonce gmp pubkey x509")))
- 		{
- 			library_deinit();
- 			return FALSE;
-- 
-1.7.4.1
-
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -8,8 +8,8 @@
 %endif

 Name:           strongswan
-Version:        5.0.4
-Release:        5%{?dist}
+Version:        5.1.0
+Release:        1%{?dist}
 Summary:        An OpenSource IPsec-based VPN Solution
 Group:          System Environment/Daemons
 License:        GPLv2+
@@ -19,10 +19,6 @@ Patch0:         strongswan-init.patch
 Patch1:         strongswan-pts-ecp-disable.patch
 Patch2:         libstrongswan-plugin.patch
 Patch3:         libstrongswan-settings-debug.patch
-Patch4:         strongswan.git-71d740cac68f83c77d981368a4c041eb620310ed.patch
-Patch5:         libimcv-attestatiom-imv-crash.patch
-Patch6:         strongswan-Change-ipsec-updown-to-strongswan-updown.patch
-Patch7:         strongswan-Change-ipsec-scepclient-to-strongswan-scepclient.patch

 BuildRequires:  gmp-devel
 BuildRequires:  libcurl-devel
@@ -36,7 +32,7 @@ BuildRequires:  libxml2-devel
 BuildRequires:  NetworkManager-devel
 BuildRequires:  NetworkManager-glib-devel
 Obsoletes:      %{name}-NetworkManager < 0:5.0.4-5
-Provides:       %{name}-NetworkManager = 0:%{version}-%{release}
+Provides:       %{name}-charon-nm = 0:%{version}-%{release}
 %else
 Obsoletes:      %{name}-NetworkManager < 0:5.0.0-3.git20120619
 %endif
@@ -83,10 +79,6 @@ implementation possessing a standard IF-IMC/IMV interface.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1

 echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora

@@ -229,6 +221,9 @@ fi
 %{_libdir}/%{name}/plugins/lib%{name}-pgp.so
 %{_libdir}/%{name}/plugins/lib%{name}-pkcs1.so
 %{_libdir}/%{name}/plugins/lib%{name}-pkcs8.so
+%{_libdir}/%{name}/plugins/lib%{name}-pkcs12.so
+%{_libdir}/%{name}/plugins/lib%{name}-rc2.so
+%{_libdir}/%{name}/plugins/lib%{name}-sshkey.so
 %{_libdir}/%{name}/plugins/lib%{name}-pubkey.so
 %{_libdir}/%{name}/plugins/lib%{name}-random.so
 %{_libdir}/%{name}/plugins/lib%{name}-resolve.so
@@ -263,6 +258,8 @@ fi
 %{_libexecdir}/%{name}/scepclient
 %{_libexecdir}/%{name}/starter
 %{_libexecdir}/%{name}/stroke
+%{_libexecdir}/%{name}/_imv_policy
+%{_libexecdir}/%{name}/imv_policy_manager
 %{_sbindir}/%{name}
 %{_mandir}/man5/%{name}.conf.5.gz
 %{_mandir}/man5/%{name}_ipsec.conf.5.gz
@@ -315,6 +312,16 @@ fi


 %changelog
+* Wed Aug 7 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-1
+- rhbz#981429: New upstream release
+- Fixes CVE-2013-5018: rhbz#991216, rhbz#991215
+- Fixes rhbz#991859 failed to build in rawhide
+- Updated local patches and removed which are not needed
+- Fixed errors around charon-nm
+- Added plugins libstrongswan-pkcs12.so, libstrongswan-rc2.so,
+  libstrongswan-sshkey.so
+- Added utility imv_policy_manager
+
 * Thu Jul 25 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 5.0.4-5
 - rename strongswan-NetworkManager to strongswan-charon-nm
 - fix enable_nm macro