rpms-fedora-extras/strongswan
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

New upstream release

Browse Source 
- Fixes for CVE-2013-2944
- Enabled support for OS IMV/IMC
- Created and applied a patch to disable ECP in fedora, because
  Openssl in Fedora does not allow ECP_256 and ECP_384. It makes
  it non-compliant to TCG's PTS standard, but there is no choice
  right now. see redhat bz # 319901.
- Enabled Trousers support for TPM based operations.
This commit is contained in:
Avesh Agarwal
2013-05-01 16:30:44 -04:00
parent bc95a594ac
commit b0b4eb8e3b
4 changed files with 43 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -3,3 +3,4 @@
/strongswan-5.0.1.tar.bz2 /strongswan-5.0.1.tar.bz2
/strongswan-5.0.2.tar.bz2 /strongswan-5.0.2.tar.bz2
/strongswan-5.0.3.tar.bz2 /strongswan-5.0.3.tar.bz2
/strongswan-5.0.4.tar.bz2

2
sources
View File

@@ -1 +1 @@
12e0a7a1be2ca0490c69146899e8a9bb strongswan-5.0.3.tar.bz2 0ab0397b44b197febfd0f89148344035 strongswan-5.0.4.tar.bz2

20
strongswan-pts-ecp-disable.patch Normal file
View File

@@ -0,0 +1,20 @@
diff -urNp strongswan-5.0.4-patched/src/libpts/pts/pts_dh_group.c strongswan-5.0.4-current/src/libpts/pts/pts_dh_group.c
--- strongswan-5.0.4-patched/src/libpts/pts/pts_dh_group.c 2013-05-01 15:50:51.332560748 -0400
+++ strongswan-5.0.4-current/src/libpts/pts/pts_dh_group.c 2013-05-01 15:57:53.545271367 -0400
@@ -74,6 +74,16 @@ bool pts_dh_group_probe(pts_dh_group_t *
{
DBG1(DBG_PTS, format2, "mandatory", diffie_hellman_group_names,
ECP_256_BIT);
+ /* Openssl in Fedora does not allow ECP_256 and ECP_384, so lets not die
+ * here. As far as, there is one dh group available, lets continue. It makes
+ * it non-compliant to TCG's PTS standard, but there is no choice right now.
+ * see redhat bz # 319901.
+ */
+ if(*dh_groups != PTS_DH_GROUP_NONE)
+ {
+ return TRUE;
+ }
+
}
return FALSE;
}

23
strongswan.spec
View File

@@ -1,12 +1,13 @@
Name: strongswan Name: strongswan
Version: 5.0.3 Version: 5.0.4
Release: 2%{?dist} Release: 1%{?dist}
Summary: An OpenSource IPsec-based VPN Solution Summary: An OpenSource IPsec-based VPN Solution
Group: System Environment/Daemons Group: System Environment/Daemons
License: GPLv2+ License: GPLv2+
URL: http://www.strongswan.org/ URL: http://www.strongswan.org/
Source0: http://download.strongswan.org/%{name}-%{version}.tar.bz2 Source0: http://download.strongswan.org/%{name}-%{version}.tar.bz2
Patch0: strongswan-init.patch Patch0: strongswan-init.patch
Patch1: strongswan-pts-ecp-disable.patch
BuildRequires: gmp-devel BuildRequires: gmp-devel
BuildRequires: libcurl-devel BuildRequires: libcurl-devel
BuildRequires: openldap-devel BuildRequires: openldap-devel
@@ -15,6 +16,7 @@ BuildRequires: NetworkManager-devel
BuildRequires: NetworkManager-glib-devel BuildRequires: NetworkManager-glib-devel
BuildRequires: sqlite-devel BuildRequires: sqlite-devel
BuildRequires: gettext-devel BuildRequires: gettext-devel
BuildRequires: trousers-devel
%if 0%{?fedora} >= 15 || 0%{?rhel} >= 7 %if 0%{?fedora} >= 15 || 0%{?rhel} >= 7
BuildRequires: systemd-units BuildRequires: systemd-units
@@ -53,6 +55,7 @@ IF-IMC/IMV interface.
%prep %prep
%setup -q %setup -q
%patch0 -p1 %patch0 -p1
%patch1 -p1
echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora
%build %build
@@ -63,6 +66,7 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro
--sysconfdir=%{_sysconfdir}/%{name} \ --sysconfdir=%{_sysconfdir}/%{name} \
--with-ipsecdir=%{_libexecdir}/%{name} \ --with-ipsecdir=%{_libexecdir}/%{name} \
--with-ipseclibdir=%{_libdir}/%{name} \ --with-ipseclibdir=%{_libdir}/%{name} \
--with-tss=trousers \
--enable-openssl \ --enable-openssl \
--enable-md4 \ --enable-md4 \
--enable-xauth-eap \ --enable-xauth-eap \
@@ -82,6 +86,8 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro
--enable-imv-scanner \ --enable-imv-scanner \
--enable-imc-attestation \ --enable-imc-attestation \
--enable-imv-attestation \ --enable-imv-attestation \
--enable-imv-os \
--enable-imc-os \
--enable-eap-tnc \ --enable-eap-tnc \
--enable-tnccs-20 \ --enable-tnccs-20 \
--enable-tnc-imc \ --enable-tnc-imc \
@@ -213,9 +219,11 @@ install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name}
%dir %{_libdir}/%{name}/imcvs/imc-attestation.so %dir %{_libdir}/%{name}/imcvs/imc-attestation.so
%dir %{_libdir}/%{name}/imcvs/imc-scanner.so %dir %{_libdir}/%{name}/imcvs/imc-scanner.so
%dir %{_libdir}/%{name}/imcvs/imc-test.so %dir %{_libdir}/%{name}/imcvs/imc-test.so
%dir %{_libdir}/%{name}/imcvs/imc-os.so
%dir %{_libdir}/%{name}/imcvs/imv-attestation.so %dir %{_libdir}/%{name}/imcvs/imv-attestation.so
%dir %{_libdir}/%{name}/imcvs/imv-scanner.so %dir %{_libdir}/%{name}/imcvs/imv-scanner.so
%dir %{_libdir}/%{name}/imcvs/imv-test.so %dir %{_libdir}/%{name}/imcvs/imv-test.so
%dir %{_libdir}/%{name}/imcvs/imv-os.so
%dir %{_libdir}/%{name}/plugins %dir %{_libdir}/%{name}/plugins
%{_libdir}/%{name}/plugins/lib%{name}-pkcs7.so %{_libdir}/%{name}/plugins/lib%{name}-pkcs7.so
%{_libdir}/%{name}/plugins/lib%{name}-sqlite.so %{_libdir}/%{name}/plugins/lib%{name}-sqlite.so
@@ -227,6 +235,7 @@ install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name}
%{_libdir}/%{name}/plugins/lib%{name}-eap-radius.so %{_libdir}/%{name}/plugins/lib%{name}-eap-radius.so
%dir %{_libexecdir}/%{name} %dir %{_libexecdir}/%{name}
%{_libexecdir}/%{name}/attest %{_libexecdir}/%{name}/attest
%{_libexecdir}/%{name}/pacman
%files NetworkManager %files NetworkManager
@@ -271,6 +280,16 @@ fi
%endif %endif
%changelog %changelog
* Wed May 1 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-1
- New upstream release
- Fixes for CVE-2013-2944
- Enabled support for OS IMV/IMC
- Created and applied a patch to disable ECP in fedora, because
Openssl in Fedora does not allow ECP_256 and ECP_384. It makes
it non-compliant to TCG's PTS standard, but there is no choice
right now. see redhat bz # 319901.
- Enabled Trousers support for TPM based operations.
* Sat Apr 20 2013 Pavel Šimerda <psimerda@redhat.com> - 5.0.3-2 * Sat Apr 20 2013 Pavel Šimerda <psimerda@redhat.com> - 5.0.3-2
- Rebuilt for a single specfile for rawhide/f19/f18/el6 - Rebuilt for a single specfile for rawhide/f19/f18/el6