rpms-fedora-extras/strongswan
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: rpms-fedora-extras:strongswan-6.0.2-4.fc42
Branches Tags
rpms-fedora-extras:master rpms-fedora-extras:strongswan-6.0.2-4.fc42 rpms-fedora-extras:strongswan-5.9.14-5.fc42 rpms-fedora-extras:strongswan-6.0.1-1.fc41 rpms-fedora-extras:strongswan-5.9.14-5.fc41 rpms-fedora-extras:strongswan-5.9.14-1.fc40 rpms-fedora-extras:strongswan-5.9.11-3.fc40 rpms-fedora-extras:strongswan-5.9.11-2.fc39 rpms-fedora-extras:strongswan-5.9.11-1.fc38 rpms-fedora-extras:strongswan-5.9.10-1.fc38 rpms-fedora-extras:strongswan-5.9.9-2.fc37 rpms-fedora-extras:strongswan-5.9.8-1.fc36 rpms-fedora-extras:strongswan-5.9.6-1.fc36 rpms-fedora-extras:strongswan-5.9.5-3.fc35 rpms-fedora-extras:strongswan-5.9.5-3.fc36 rpms-fedora-extras:f35 rpms-fedora-extras:strongswan-5.9.5-2.fc35 rpms-fedora-extras:strongswan-5.9.4-4.fc35 rpms-fedora-extras:strongswan-5.9.4-2.fc35 rpms-fedora-extras:strongswan-5.9.4-1.fc34 rpms-fedora-extras:strongswan-5.9.3-1.fc34 rpms-fedora-extras:strongswan-5.9.1-1.fc32 rpms-fedora-extras:strongswan-5.9.1-1.fc33 rpms-fedora-extras:strongswan-5.9.1-1.fc34 rpms-fedora-extras:strongswan-5.9.0-2.fc32 rpms-fedora-extras:5.9.2-test rpms-fedora-extras:strongswan-5.9.0-2.fc33 rpms-fedora-extras:5.9.0-1.fc32 rpms-fedora-extras:strongswan-5.8.4-2.fc32 rpms-fedora-extras:strongswan-5.8.2-2.fc31 rpms-fedora-extras:f32 rpms-fedora-extras:strongswan-5.7.2-3.fc31-vici rpms-fedora-extras:strongswan-5.7.2-2.fc31-vici rpms-fedora-extras:strongswan-5.6.3-2.fc31-vici rpms-fedora-extras:f31
..
compare: rpms-fedora-extras:f28c40e3b857bac963a83c259ef9a8307d567320
Branches Tags
rpms-fedora-extras:strongswan-6.0.2-4.fc42 rpms-fedora-extras:strongswan-5.9.14-5.fc42 rpms-fedora-extras:strongswan-6.0.1-1.fc41 rpms-fedora-extras:strongswan-5.9.14-5.fc41 rpms-fedora-extras:strongswan-5.9.14-1.fc40 rpms-fedora-extras:strongswan-5.9.11-3.fc40 rpms-fedora-extras:strongswan-5.9.11-2.fc39 rpms-fedora-extras:strongswan-5.9.11-1.fc38 rpms-fedora-extras:strongswan-5.9.10-1.fc38 rpms-fedora-extras:strongswan-5.9.9-2.fc37 rpms-fedora-extras:strongswan-5.9.8-1.fc36 rpms-fedora-extras:strongswan-5.9.6-1.fc36 rpms-fedora-extras:strongswan-5.9.5-3.fc35 rpms-fedora-extras:strongswan-5.9.5-3.fc36 rpms-fedora-extras:f35 rpms-fedora-extras:strongswan-5.9.5-2.fc35 rpms-fedora-extras:strongswan-5.9.4-4.fc35 rpms-fedora-extras:strongswan-5.9.4-2.fc35 rpms-fedora-extras:strongswan-5.9.4-1.fc34 rpms-fedora-extras:strongswan-5.9.3-1.fc34 rpms-fedora-extras:strongswan-5.9.1-1.fc32 rpms-fedora-extras:strongswan-5.9.1-1.fc33 rpms-fedora-extras:strongswan-5.9.1-1.fc34 rpms-fedora-extras:strongswan-5.9.0-2.fc32 rpms-fedora-extras:5.9.2-test rpms-fedora-extras:strongswan-5.9.0-2.fc33 rpms-fedora-extras:master rpms-fedora-extras:5.9.0-1.fc32 rpms-fedora-extras:strongswan-5.8.4-2.fc32 rpms-fedora-extras:strongswan-5.8.2-2.fc31 rpms-fedora-extras:f32 rpms-fedora-extras:strongswan-5.7.2-3.fc31-vici rpms-fedora-extras:strongswan-5.7.2-2.fc31-vici rpms-fedora-extras:strongswan-5.6.3-2.fc31-vici rpms-fedora-extras:f31

7 Commits
strongswan ... f28c40e3b8

Author SHA1 Message Date
Zoran Peričić
f28c40e3b8 Add gcc 15 patches 2025-11-08 19:07:17 +01:00
Zoran Peričić
a183b985eb Run autoreconf 
WARNING: 'aclocal-1.16' is missing on your system
 2025-11-08 17:42:03 +01:00
Zoran Peričić
087a9c32e8 strongswan-5.9.14-5.nhrp.11 2025-08-16 04:30:51 +02:00
Zoran Peričić
0b4abaf5fe 5.9.14 - New patches 2024-12-09 19:33:37 +01:00
Zoran Peričić
f978fcb51f 5.9.14 - Old patches 2024-12-09 19:33:37 +01:00
Zoran Peričić
d7e57af704 Support GRE key in selectors 2024-12-09 19:33:37 +01:00
Zoran Peričić
5db540d4e3 Patch vici for NHRP 2024-12-09 19:33:37 +01:00
10 changed files with 740 additions and 1289 deletions
Expand all files Collapse all files

2
.gitignore vendored
View File

@@ -19,5 +19,3 @@
/strongswan-5.9.11.tar.bz2.sig
/strongswan-5.9.14.tar.bz2
/strongswan-5.9.14.tar.bz2.sig
/strongswan-6.0.2.tar.bz2
/strongswan-6.0.2.tar.bz2.sig

74
0001-charon-add-optional-source-and-remote-overrides-for-.patch
View File

@@ -1,4 +1,4 @@
From 8ca99fb0a9d0027d08937bc2b198dc74bd5bb7a2 Mon Sep 17 00:00:00 2001
From d917774f73954cc6367e73b775ff9ea115d6fd28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zpericic@netst.org>
Date: Tue, 9 Jul 2024 19:07:57 +0200
Subject: [PATCH 1/4] charon: add optional source and remote overrides for
@@ -11,17 +11,17 @@ to initiate wildcard connection for known address via vici.
In addition this allows simpler implementation of trap-any patches
and is a prerequisite for dmvpn support.
---
src/libcharon/control/controller.c | 36 +++++++++++++++++-
src/libcharon/control/controller.h | 28 ++++++++++++++
src/libcharon/plugins/vici/vici_control.c | 41 ++++++++++++++++----
src/libcharon/sa/ike_sa_manager.c | 34 ++++++++++++++++-
src/libcharon/sa/ike_sa_manager.h | 25 +++++++++++-
src/libcharon/sa/trap_manager.c | 46 +++++++++--------------
src/libcharon/control/controller.c | 34 ++++++++++++++++--
src/libcharon/control/controller.h | 28 +++++++++++++++
src/libcharon/plugins/vici/vici_control.c | 41 +++++++++++++++++----
src/libcharon/sa/ike_sa_manager.c | 34 +++++++++++++++++-
src/libcharon/sa/ike_sa_manager.h | 25 ++++++++++++-
src/libcharon/sa/trap_manager.c | 44 +++++++++--------------
src/swanctl/commands/initiate.c | 19 +++++++++-
7 files changed, 189 insertions(+), 40 deletions(-)
7 files changed, 186 insertions(+), 39 deletions(-)
diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
index 4e778ed63d..2b8a75e2c1 100644
index 027f48e937..ac4661a323 100644
--- a/src/libcharon/control/controller.c
+++ b/src/libcharon/control/controller.c
@@ -1,4 +1,6 @@
@@ -48,27 +48,26 @@ index 4e778ed63d..2b8a75e2c1 100644
/**
* unique ID, used for various methods
*/
@@ -418,9 +430,17 @@ METHOD(job_t, initiate_execute, job_requeue_t,
{
@@ -417,10 +429,16 @@ METHOD(job_t, initiate_execute, job_requeue_t,
ike_sa_t *ike_sa;
interface_listener_t *listener = &job->listener;
+ peer_cfg_t *peer_cfg = listener->peer_cfg;
peer_cfg_t *peer_cfg = listener->peer_cfg;
+ host_t *my_host = listener->my_host;
+ host_t *other_host = listener->other_host;
+
- ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
- peer_cfg);
+ ike_sa = charon->ike_sa_manager->checkout_by_config2(charon->ike_sa_manager,
+ peer_cfg, my_host, other_host);
+ peer_cfg->destroy(peer_cfg);
peer_cfg->destroy(peer_cfg);
+
+ if (my_host) my_host->destroy(my_host);
+ if (other_host) other_host->destroy(other_host);
- ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
- listener->peer_cfg);
+
if (!ike_sa)
{
listener->status = FAILED;
@@ -502,6 +522,15 @@ METHOD(controller_t, initiate, status_t,
DESTROY_IF(listener->child_cfg);
@@ -501,6 +519,15 @@ METHOD(controller_t, initiate, status_t,
private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
controller_cb_t callback, void *param, level_t max_level, u_int timeout,
bool limits)
@@ -84,7 +83,7 @@ index 4e778ed63d..2b8a75e2c1 100644
{
interface_job_t *job;
status_t status;
@@ -524,6 +553,8 @@ METHOD(controller_t, initiate, status_t,
@@ -523,6 +550,8 @@ METHOD(controller_t, initiate, status_t,
.status = FAILED,
.child_cfg = child_cfg,
.peer_cfg = peer_cfg,
@@ -93,7 +92,7 @@ index 4e778ed63d..2b8a75e2c1 100644
.lock = spinlock_create(),
.options.limits = limits,
},
@@ -771,6 +802,7 @@ controller_t *controller_create(void)
@@ -770,6 +799,7 @@ controller_t *controller_create(void)
.public = {
.create_ike_sa_enumerator = _create_ike_sa_enumerator,
.initiate = _initiate,
@@ -230,18 +229,18 @@ index 1c236d2491..932d0cb5a8 100644
/**
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index c128cc0787..bf4e125c84 100644
index 7763ae844e..cf53e9ae00 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1,5 +1,7 @@
/*
* Copyright (C) 2008-2024 Tobias Brunner
* Copyright (C) 2008-2022 Tobias Brunner
+ * Copyright (C) 2023 Zoran Peričić <zpericic@netst.org>
+ * Copyright (C) 2014 Timo Teräs <timo.teras@iki.fi>
* Copyright (C) 2005-2011 Martin Willi
* Copyright (C) 2005 Jan Hutter
*
@@ -1500,6 +1502,13 @@ typedef struct {
@@ -1499,6 +1501,13 @@ typedef struct {
METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg)
@@ -255,7 +254,7 @@ index c128cc0787..bf4e125c84 100644
{
enumerator_t *enumerator;
entry_t *entry;
@@ -1510,7 +1519,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
@@ -1509,7 +1518,16 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
u_int segment;
int i;
@@ -273,7 +272,7 @@ index c128cc0787..bf4e125c84 100644
if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1)
{ /* IKE_SA reuse disabled by config (not possible for IKEv1) */
@@ -1569,6 +1587,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
@@ -1567,6 +1585,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
continue;
}
@@ -289,7 +288,7 @@ index c128cc0787..bf4e125c84 100644
current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
if (current_peer && current_peer->equals(current_peer, peer_cfg))
{
@@ -1595,6 +1622,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
@@ -1593,6 +1620,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
{
ike_sa->set_peer_cfg(ike_sa, peer_cfg);
checkout_new(this, ike_sa);
@@ -300,7 +299,7 @@ index c128cc0787..bf4e125c84 100644
}
}
charon->bus->set_sa(charon->bus, ike_sa);
@@ -2560,6 +2591,7 @@ ike_sa_manager_t *ike_sa_manager_create()
@@ -2558,6 +2589,7 @@ ike_sa_manager_t *ike_sa_manager_create()
.checkout = _checkout,
.checkout_by_message = _checkout_by_message,
.checkout_by_config = _checkout_by_config,
@@ -352,22 +351,19 @@ index 004cc22168..d001f5a802 100644
* Reset initiator SPI.
*
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
index 17953010a1..c316eea213 100644
index 1b85c66a5b..bbc480c0cd 100644
--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
@@ -532,9 +532,9 @@ METHOD(trap_manager_t, acquire, void,
@@ -523,7 +523,7 @@ METHOD(trap_manager_t, acquire, void,
peer_cfg_t *peer;
child_cfg_t *child;
ike_sa_t *ike_sa;
- host_t *host = NULL;
+ host_t *host = NULL, *my_host = NULL, *other_host = NULL;
uint32_t allocated_reqid, seq = 0;
- bool wildcard;
+ bool wildcard, ignore = FALSE;
- host_t *host;
+ host_t *host, *my_host = NULL, *other_host = NULL;
uint32_t allocated_reqid;
bool wildcard, ignore = FALSE;
this->lock->read_lock(this->lock);
enumerator = this->traps->create_enumerator(this->traps);
@@ -609,36 +609,26 @@ METHOD(trap_manager_t, acquire, void,
@@ -603,36 +603,26 @@ METHOD(trap_manager_t, acquire, void,
this->lock->unlock(this->lock);
if (wildcard)
@@ -477,5 +473,5 @@ index e0fffb907d..c0fc8c5952 100644
{"raw", 'r', 0, "dump raw response message"},
{"pretty", 'P', 0, "dump raw response message in pretty print"},
--
2.51.0
2.49.0

24
0002-vici-send-certificates-for-ike-sa-events.patch
View File

@@ -1,4 +1,4 @@
From 59e1a0469bbd50704f777835c0fcd7013f7841c7 Mon Sep 17 00:00:00 2001
From f6210f6ab72ead26a24a8f231eee67948d3ca543 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Mon, 21 Sep 2015 13:42:05 +0300
Subject: [PATCH 2/4] vici: send certificates for ike-sa events
@@ -12,10 +12,10 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
1 file changed, 42 insertions(+), 8 deletions(-)
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 43e3f44137..5e49cb8a0b 100644
index bacb7b101e..19acc0789b 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -433,7 +433,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
@@ -402,7 +402,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b,
* List details of an IKE_SA
*/
static void list_ike(private_vici_query_t *this, vici_builder_t *b,
@@ -24,7 +24,7 @@ index 43e3f44137..5e49cb8a0b 100644
{
time_t t;
ike_sa_id_t *id;
@@ -442,6 +442,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
@@ -411,6 +411,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
uint32_t if_id;
uint16_t alg, ks;
host_t *host;
@@ -33,7 +33,7 @@ index 43e3f44137..5e49cb8a0b 100644
b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa));
b->add_kv(b, "version", "%u", ike_sa->get_version(ike_sa));
@@ -451,11 +453,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
@@ -420,11 +422,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b,
b->add_kv(b, "local-host", "%H", host);
b->add_kv(b, "local-port", "%d", host->get_port(host));
b->add_kv(b, "local-id", "%Y", ike_sa->get_my_id(ike_sa));
@@ -77,7 +77,7 @@ index 43e3f44137..5e49cb8a0b 100644
eap = ike_sa->get_other_eap_id(ike_sa);
@@ -588,7 +622,7 @@ CALLBACK(list_sas, vici_message_t*,
@@ -556,7 +590,7 @@ CALLBACK(list_sas, vici_message_t*,
b = vici_builder_create();
b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -86,7 +86,7 @@ index 43e3f44137..5e49cb8a0b 100644
b->begin_section(b, "child-sas");
csas = ike_sa->create_child_sa_enumerator(ike_sa);
@@ -1805,7 +1839,7 @@ METHOD(listener_t, ike_updown, bool,
@@ -1774,7 +1808,7 @@ METHOD(listener_t, ike_updown, bool,
}
b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -95,7 +95,7 @@ index 43e3f44137..5e49cb8a0b 100644
b->end_section(b);
this->dispatcher->raise_event(this->dispatcher,
@@ -1830,10 +1864,10 @@ METHOD(listener_t, ike_rekey, bool,
@@ -1799,10 +1833,10 @@ METHOD(listener_t, ike_rekey, bool,
b = vici_builder_create();
b->begin_section(b, old->get_name(old));
b->begin_section(b, "old");
@@ -108,7 +108,7 @@ index 43e3f44137..5e49cb8a0b 100644
b->end_section(b);
b->end_section(b);
@@ -1864,7 +1898,7 @@ METHOD(listener_t, ike_update, bool,
@@ -1833,7 +1867,7 @@ METHOD(listener_t, ike_update, bool,
b->add_kv(b, "remote-port", "%d", remote->get_port(remote));
b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -117,7 +117,7 @@ index 43e3f44137..5e49cb8a0b 100644
b->end_section(b);
this->dispatcher->raise_event(this->dispatcher,
@@ -1894,7 +1928,7 @@ METHOD(listener_t, child_updown, bool,
@@ -1863,7 +1897,7 @@ METHOD(listener_t, child_updown, bool,
}
b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -126,7 +126,7 @@ index 43e3f44137..5e49cb8a0b 100644
b->begin_section(b, "child-sas");
snprintf(buf, sizeof(buf), "%s-%u", child_sa->get_name(child_sa),
@@ -1929,7 +1963,7 @@ METHOD(listener_t, child_rekey, bool,
@@ -1898,7 +1932,7 @@ METHOD(listener_t, child_rekey, bool,
b = vici_builder_create();
b->begin_section(b, ike_sa->get_name(ike_sa));
@@ -136,5 +136,5 @@ index 43e3f44137..5e49cb8a0b 100644
b->begin_section(b, old->get_name(old));
--
2.51.0
2.49.0

14
0003-vici-add-support-for-individual-sa-state-changes.patch
View File

@@ -1,4 +1,4 @@
From 17118385d600eeb9814af4106b690c8e2b285971 Mon Sep 17 00:00:00 2001
From effc140ed0ed5c7f1897c8abb6364d2d4789a4ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Mon, 21 Sep 2015 13:42:11 +0300
Subject: [PATCH 3/4] vici: add support for individual sa state changes
@@ -14,10 +14,10 @@ Signed-off-by: Timo Teräs <timo.teras@iki.fi>
1 file changed, 106 insertions(+)
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 5e49cb8a0b..1115161f6b 100644
index 19acc0789b..fa1aca9536 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -1805,8 +1805,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
@@ -1774,8 +1774,16 @@ static void manage_commands(private_vici_query_t *this, bool reg)
this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg);
this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg);
this->dispatcher->manage_event(this->dispatcher, "ike-update", reg);
@@ -34,7 +34,7 @@ index 5e49cb8a0b..1115161f6b 100644
manage_command(this, "list-sas", list_sas, reg);
manage_command(this, "list-policies", list_policies, reg);
manage_command(this, "list-conns", list_conns, reg);
@@ -1907,6 +1915,46 @@ METHOD(listener_t, ike_update, bool,
@@ -1876,6 +1884,46 @@ METHOD(listener_t, ike_update, bool,
return TRUE;
}
@@ -81,7 +81,7 @@ index 5e49cb8a0b..1115161f6b 100644
METHOD(listener_t, child_updown, bool,
private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up)
{
@@ -1986,6 +2034,62 @@ METHOD(listener_t, child_rekey, bool,
@@ -1955,6 +2003,62 @@ METHOD(listener_t, child_rekey, bool,
return TRUE;
}
@@ -144,7 +144,7 @@ index 5e49cb8a0b..1115161f6b 100644
METHOD(vici_query_t, destroy, void,
private_vici_query_t *this)
{
@@ -2006,8 +2110,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
@@ -1975,8 +2079,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
.ike_updown = _ike_updown,
.ike_rekey = _ike_rekey,
.ike_update = _ike_update,
@@ -156,5 +156,5 @@ index 5e49cb8a0b..1115161f6b 100644
.destroy = _destroy,
},
--
2.51.0
2.49.0

34
0004-Support-GRE-key-in-selectors-with-kernel-netlink.patch
View File

@@ -1,4 +1,4 @@
From 30238c949e7c1ba2df4f8adfaefdc205f7ddb98f Mon Sep 17 00:00:00 2001
From 7f32aed540533e50fa05486df471ef3c19879324 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zoran=20Peri=C4=8Di=C4=87?= <zoran.pericic@infomaas.com>
Date: Sun, 21 Jan 2024 03:11:32 +0100
Subject: [PATCH 4/4] Support GRE key in selectors with kernel-netlink.
@@ -17,10 +17,10 @@ similar to ICMP.
8 files changed, 145 insertions(+), 4 deletions(-)
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index d951aa0737..dd279c24aa 100644
index db0b2ac37a..d4f9571817 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -893,6 +893,7 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
@@ -864,6 +864,7 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
{
struct xfrm_selector sel;
uint16_t port;
@@ -28,7 +28,7 @@ index d951aa0737..dd279c24aa 100644
memset(&sel, 0, sizeof(sel));
sel.family = (src->get_type(src) == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
@@ -913,6 +914,24 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
@@ -884,6 +885,24 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
sel.dport = htons(traffic_selector_icmp_code(port));
sel.dport_mask = sel.dport ? ~0 : 0;
}
@@ -54,10 +54,10 @@ index d951aa0737..dd279c24aa 100644
sel.user = 0;
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index 2a440aa630..bc9a1e40b9 100644
index 58e1cd98a0..f20fdae522 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -507,7 +507,27 @@ static bool parse_protoport(char *token, uint16_t *from_port,
@@ -498,7 +498,27 @@ static bool parse_protoport(char *token, uint16_t *from_port,
*protocol = (uint8_t)p;
}
}
@@ -87,10 +87,10 @@ index 2a440aa630..bc9a1e40b9 100644
*from_port = 0;
*to_port = 0xffff;
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index b6e700fa9c..017e6b4766 100644
index 55db379ffe..b4340b8d1b 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -926,7 +926,27 @@ static bool parse_protoport(char *token, uint16_t *from_port,
@@ -927,7 +927,27 @@ static bool parse_protoport(char *token, uint16_t *from_port,
*protocol = (uint8_t)p;
}
}
@@ -120,10 +120,10 @@ index b6e700fa9c..017e6b4766 100644
*from_port = 0;
*to_port = 0xffff;
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 6ea239f0a1..96c2d1276e 100644
index c858e9945c..24a254689b 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -749,7 +749,27 @@ CALLBACK(parse_ts, bool,
@@ -715,7 +715,27 @@ CALLBACK(parse_ts, bool,
proto = (uint8_t)p;
}
}
@@ -152,7 +152,7 @@ index 6ea239f0a1..96c2d1276e 100644
{
from = 0xffff;
to = 0;
@@ -786,6 +806,11 @@ CALLBACK(parse_ts, bool,
@@ -752,6 +772,11 @@ CALLBACK(parse_ts, bool,
}
}
}
@@ -165,7 +165,7 @@ index 6ea239f0a1..96c2d1276e 100644
{
ts = traffic_selector_create_dynamic(proto, from, to);
diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
index 4022c45c13..ae07e02995 100644
index fe61e3768b..09757ec36f 100644
--- a/src/libstrongswan/selectors/traffic_selector.c
+++ b/src/libstrongswan/selectors/traffic_selector.c
@@ -205,6 +205,18 @@ static int print_icmp(printf_hook_data_t *data, uint16_t port)
@@ -268,12 +268,12 @@ index 5065bc369f..039b6f402b 100644
end->from_port = 0;
end->to_port = 0xffff;
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 8336735fff..be185bc056 100644
index d9fd949ed1..1d63dadb89 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -805,6 +805,9 @@ connections.<conn>.children.<child>.local_ts = dynamic
equal to 256, with the type in the most significant 8 bits and the code in
the least significant 8 bits.
@@ -765,6 +765,9 @@ connections.<conn>.children.<child>.local_ts = dynamic
value _opaque_ for RFC 4301 OPAQUE selectors. Port ranges may be specified
as well, none of the kernel backends currently support port ranges, though.
+ If protocol is restricted to GRE, port restriction specifies GRE key
+ in 32 bit numeric form eg. dynamic[gre/100].
@@ -282,5 +282,5 @@ index 8336735fff..be185bc056 100644
the Cisco Unity extension plugin is used. This is due to a limitation of the
IKEv1 protocol, which only allows a single pair of selectors per CHILD_SA.
--
2.51.0
2.49.0

659
changelog
View File

@@ -1,659 +0,0 @@
* Mon Aug 25 2025 Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com> - 5.9.14-12
- Fix ipsec.d cacerts removing system ca
* Fri Aug 22 2025 Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com> - 5.9.14-11
- Link new system ca bundle in the ipsec.d cacerts
* Fri Aug 15 2025 Python Maint <python-maint@redhat.com> - 5.9.14-10
- Rebuilt for Python 3.14.0rc2 bytecode
* Thu Aug 14 2025 Carlos Rodriguez-Fernandez <carlosrodrifernandez@gmail.com> - 5.9.14-9
- Fix build issue (rhbz#2368971)
* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.14-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Mon Jun 02 2025 Python Maint <python-maint@redhat.com> - 5.9.14-7
- Rebuilt for Python 3.14
* Sun Jan 19 2025 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.14-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Sat Jul 27 2024 Michel Lind <salimma@fedoraproject.org> - 5.9.14-5
- Depend on openssl-devel-engine since we still use this deprecated feature (rhbz#2295335)
* Fri Jul 26 2024 Miroslav Suchý <msuchy@redhat.com> - 5.9.14-4
- convert license to SPDX
* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.14-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 5.9.14-2
- Rebuilt for Python 3.13
* Fri May 31 2024 Paul Wouters <paul.wouters@aiven.io> - 5.9.14-1
- Resolves: rhbz#2254560 CVE-2023-41913 buffer overflow and possible RCE
- Resolved: rhbz#2250666 Update to 5.9.14 (IKEv2 OCSP extensions, seqno/regno overflow handling
- Update to 5.9.13 (OCSP nonce set regression configuration option charon.ocsp_nonce_len)
- Update to 5.9.12 (CVE-2023-41913 fix, various IKEv2 fixes)
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Fri Jul 14 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.11-1
- Resolves: rhbz#2214186 strongswan-5.9.11 is available
* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 5.9.10-2
- Rebuilt for Python 3.12
* Thu Mar 02 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.10-1
- Update to 5.9.10
* Tue Feb 28 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.9-3
- Resolves: CVE-2023-26463 authorization bypass in TLS-based EAP methods
* Mon Jan 16 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-2
- Use configure paths in manual pages (#2106120)
* Sun Jan 15 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-1
- Update to 5.9.9 (#2157850)
* Thu Dec 08 2022 Jitka Plesnikova <jplesnik@redhat.com> - 5.9.8-2
- Add BR perl-generators to automatically generates run-time dependencies
for installed Perl files
* Sun Oct 16 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.8-1
- Resolves rhbz#2112274 strongswan-5.9.8 is available
- Patch1 removes CFLAGS -Wno-format which interferes with -Werror=format-security
- Add BuildRequire for autoconf and automake, now required for release
- Remove obsolete patches
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jun 22 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.6-1
- Resolves rhbz#2080070 strongswan-5.9.6 is available
- Fixed missing format string in enum_flags_to_string()
* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 5.9.5-4
- Rebuilt for Python 3.11
* Fri Feb 25 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.5-3
- Resolves: rhbz#2048108 - segfault at 18 ip 00007f4c7c0d841c sp 00007ffe49f61b70 error 4 in libc.so.6
* Tue Jan 25 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-2
- Use newly published/cleaned strongswan gpg key
* Mon Jan 24 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-1
- Resolves rhbz#2044361 strongswan-5.9.5 is available (CVE-2021-45079)
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Dec 16 2021 Neal Gompa <ngompa@datto.com> - 5.9.4-4
- Disable TPM/TSS 1.2 support for F36+ / RHEL9+
- Resolves: rhbz#2033299 Drop TPM/TSS 1.2 support (trousers)
* Thu Nov 11 2021 Petr Menšík <pemensik@redhat.com> - 5.9.4-3
- Resolves rhbz#1419441 Add python and perl vici bindings
- Adds optional tests run
* Tue Nov 09 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-2
- Resolves rhbz#2018547 'strongswan restart' breaks ipsec started with strongswan-starter
- Return to using tmpfiles, but extend to cover strongswan-starter service too
- Cleanup old patches
* Wed Oct 20 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-1
- Resolves: rhbz#2015165 strongswan-5.9.4 is available
- Resolves: rhbz#2015611 CVE-2021-41990 strongswan: gmp plugin: integer overflow via a crafted certificate with an RSASSA-PSS signature
- Resolves: rhbz#2015614 CVE-2021-41991 strongswan: integer overflow when replacing certificates in cache
- Add BuildRequire for tpm2-tss-devel and weak dependency for tpm2-tools
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 5.9.3-4
- Rebuilt with OpenSSL 3.0.0
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 5.9.3-2
- Rebuild for versioned symbols in json-c
* Tue Jul 06 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.3-1
- Resolves: rhbz#1979574 strongswan-5.9.3 is available
- Make strongswan main dir world readable so apps can find strongswan.conf
* Thu Jun 03 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.2-1
- Resolves: rhbz#1896545 strongswan-5.9.2 is available
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 5.9.1-2
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Fri Feb 12 2021 Paul Wouters <pwouters@redhat.com> - 5.9.1-1
- Resolves: rhbz#1896545 strongswan-5.9.1 is available
* Thu Feb 11 2021 Davide Cavalca <dcavalca@fedoraproject.org> - 5.9.0-4
- Build with with capabilities support
- Resolves: rhbz#1911572 StrongSwan not configured with libcap support
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Oct 22 12:43:48 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-2
- Resolves: rhbz#1886759 charon looking for certificates in the wrong place
* Mon Sep 28 12:36:45 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-1
- Resolves: rhbz#1861747 strongswan-5.9.0 is available
- Remove --enable-fips-mode=2, which defaults strongswan to FIPS only.
(use fips_mode = 2 in plugins {} openssl {} in strongswan.conf to enable FIPS)
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-5
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 5.8.4-3
- Rebuild (json-c)
* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-2
- Patch0: Add RuntimeDirectory options to service files (#1789263)
* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-1
- Updated to 5.8.4
- Patch4 has been applied upstream
* Sat Feb 22 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-5
- Patch to declare a global variable with extern (#1800117)
* Mon Feb 10 2020 Paul Wouters <pwouters@redhat.com> - 5.8.2-4
- use tmpfile to ensure rundir is present
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Sat Dec 28 2019 Paul Wouters <pwouters@redhat.com> - 5.8.2-2
- Use /run/strongswan as rundir to support strongswans in namespaces
* Tue Dec 17 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-1
- Update to 5.8.2 (#1784457)
- The D-Bus config file moved under datadir
* Mon Sep 02 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.1-1
- Update to 5.8.1 (#1711920)
- No more separate strongswan-swanctl.service to start out of order (#1775548)
- Added strongswan-starter.service
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Jan 09 2019 Paul Wouters <pwouters@redhat.com> - 5.7.2-1
- Updated to 5.7.2
* Thu Oct 04 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.7.1-1
- Updated to 5.7.1
- Resolves rhbz#1635872 CVE-2018-16152
- Resolves rhbz#1635875 CVE-2018-16151
* Thu Aug 23 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.3-3
- Add plugin bypass-lan, disabled by default
- Resolves rhbz#1554479 Update to strongswan-charon-nm fails
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.6.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue May 29 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.3-1
- New version 5.6.3
* Thu May 24 2018 Paul Wouters <pwouters@redhat.com> - 5.6.2-6
- Resolves rhbz#1581868 CVE-2018-5388 strongswan: buffer underflow in stroke_socket.c
* Thu May 24 2018 Paul Wouters <pwouters@redhat.com> - 5.6.2-5
- Resolves rhbz#1574939 IKEv2 VPN connections fail to use DNS servers provided by the server
- Resolves rhbz#1449875 Strongswan on epel built without the sql plugin but with the sqlite plugin
* Sun May 20 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.2-3
- Move eap-radius, sqlite, and pkcs7 plugins out of tnc-imcvs, added package
sqlite (#1579945)
* Tue Mar 06 2018 Björn Esser <besser82@fedoraproject.org> - 5.6.2-2
- Rebuilt for libjson-c.so.4 (json-c v0.13.1)
* Wed Feb 21 2018 Lubomir Rintel <lkundrak@v3.sk> - 5.6.2-1
- Updated to 5.6.2 (Dropped libnm-glib use in charon-nm)
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.6.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Fri Dec 22 2017 Paul Wouters <pwouters@redhat.com> - 5.6.1-1
- Updated to 5.6.1 (RSA-PSS support)
* Sun Dec 10 2017 Björn Esser <besser82@fedoraproject.org> - 5.6.0-3
- Rebuilt for libjson-c.so.3
* Fri Dec 01 2017 Lubomir Rintel <lkundrak@v3.sk> - 5.6.0-2
- Fix the placement of charon-nm D-Bus policy
* Sat Sep 09 2017 Paul Wouters <pwouters@redhat.com> - 5.6.0-1
- Updated to 5.6.0
- Fixup configure arguments, enabled a bunch of new features
- Added new BuildRequires:
- Fixup Obsolete/Conflicts, use license macro
- Don't require autoconf/autotools for non-snapshots
- Remove macro overuse, remove fedora/rhel checks and sysvinit support
- Make listings/grouping of all plugins/libs to reduce file listing
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Mon Jun 12 2017 Paul Wouters <pwouters@redhat.com> - 5.5.3-1
- Updated to 5.5.3
* Sat May 27 2017 Paul Wouters <pwouters@redhat.com> - 5.5.2-1
- Updated to 5.5.2
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Sep 15 2016 Pavel Šimerda <psimerda@redhat.com> - 5.5.0-2
- Resolves: #1367796 - Enable the unity plugin
* Mon Aug 08 2016 Pavel Šimerda <psimerda@redhat.com> - 5.5.0-1
- New version 5.5.0
* Wed Jun 22 2016 Pavel Šimerda <psimerda@redhat.com>
- Enable IKEv2 GCM (requires gcrypt module as well) - merged from f22 by Paul Wouters
* Wed Jun 22 2016 Pavel Šimerda <psimerda@redhat.com> - 5.4.0-1
- New version 5.4.0
* Thu Mar 03 2016 Pavel Šimerda <psimerda@redhat.com> - 5.3.5-1
- New version 5.3.5
* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 5.3.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Fri Jan 15 2016 Paul Wouters <pwouters@redhat.com> - 5.3.3-2
- Enable IKEv2 GCM (requires gcrypt module as well)
* Tue Sep 29 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.3-1
- new version 5.3.3
* Thu Sep 24 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.2-3
- Resolves: #1264598 - strongswan: many configuration files are not protected
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.3.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Tue Jun 09 2015 Pavel Šimerda <psimerda@redhat.com>
- new version 5.3.2
* Fri Jun 05 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.1-1
- new version 5.3.1
* Tue Mar 31 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.0-1
- new version 5.3.0
* Fri Feb 20 2015 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-2
- Fixes strongswan swanctl service issue rhbz#1193106
* Tue Jan 06 2015 Pavel Šimerda <psimerda@redhat.com> - 5.2.2-1
- new version 5.2.2
* Thu Dec 18 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-0.2.dr1
- Enabled ccm, and ctr plugins as it seems enabling just openssl does
not work for using ccm and ctr algos.
* Mon Dec 8 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-0.1.dr1
- New strongswan developer release 5.2.2dr1
* Mon Nov 24 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-2
- 1167331: Enabled native systemd support.
- Does not disable old systemd, starter, ipsec.conf support yet.
* Thu Oct 30 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-1
- New upstream release 5.2.1
* Thu Oct 16 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-0.2.rc1
- New upstream release candidate 5.2.1rc1
* Fri Oct 10 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.1-1
- new version 5.2.1dr1
* Thu Sep 25 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-7
- use upstream patch for json/json-c dependency
* Thu Sep 25 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-6
- Resolves: #1146145 - Strongswan is compiled without xauth-noauth plugin
* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.2.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Tue Aug 05 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-4
- Resolves: #1081804 - enable Kernel IPSec support
* Wed Jul 30 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-3
- rebuilt
* Tue Jul 29 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-2
- fix json-c dependency
* Tue Jul 15 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.0-1
- New upstream release 5.2.0
- The Attestation IMC/IMV pair supports the IMA-NG
measurement format
- Aikgen tool to generate an Attestation Identity Key bound
to a TPM
- Swanctl tool to provide a portable, complete IKE
configuration and control interface for the command
line using vici interface with libvici library
- PT-EAP transport protocol (RFC 7171) for TNC
- Enabled support for acert for checking X509 attribute certificate
- Updated patches, removed selinux patch as upstream has fixed it
in this release.
- Updated spec file with minor cleanups
* Thu Jun 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.4.dr6
- improve prerelease macro
* Thu Jun 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.3
- Resolves: #1111895 - bump to 5.2.0dr6
* Thu Jun 12 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.2
- Related: #1087437 - remove or upstream all patches not specific to fedora/epel
* Thu Jun 12 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.1.dr5
- fix the pre-release version according to guidelines before it gets branched
* Fri Jun 06 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr5-1
- new version 5.2.0dr5
- add json-c-devel to build deps
* Mon May 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr4-3
- merge two related patches
* Mon May 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr4-2
- clean up the patches a bit
* Thu May 22 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.0dr4-1
- New upstream developer release 5.2.0dr4
- Attestation IMV/IMC supports IMA-NG measurement format now
- Aikgen tool to generate an Attestation Identity Key bound
to a TPM
- PT-EAP transport protocol (RFC 7171) for TNC
- vici plugin provides IKE Configuration Interface for charon
- Enabled support for acert for checking X509 attribute certificate
- Updated patches
- Updated spec file with minor cleanups
* Tue Apr 15 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.3-1
- new version 5.1.3
* Mon Apr 14 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.3rc1-1
- new version 5.1.3rc1
* Mon Mar 24 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-4
- #1069928 - updated libexec patch.
* Tue Mar 18 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-3
- fixed el6 initscript
- fixed pki directory location
* Fri Mar 14 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-2
- clean up the specfile a bit
- replace the initscript patch with an individual initscript
- patch to build for epel6
* Mon Mar 03 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-1
- #1071353 - bump to 5.1.2
- #1071338 - strongswan is compiled without xauth-pam plugin
- remove obsolete patches
- sent all patches upstream
- added comments to all patches
- don't touch the config with sed
* Thu Feb 20 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-6
- Fixed full hardening for strongswan (full relro and PIE).
The previous macros had a typo and did not work
(see bz#1067119).
- Fixed tnc package description to reflect the current state of
the package.
- Fixed pki binary and moved it to /usr/libexece/strongswan as
others binaries are there too.
* Wed Feb 19 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-5
- #903638 - SELinux is preventing /usr/sbin/xtables-multi from 'read' accesses on the chr_file /dev/random
* Thu Jan 09 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-4
- Removed redundant patches and *.spec commands caused by branch merging
* Wed Jan 08 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-3
- rebuilt
* Mon Dec 2 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-2
- Resolves: 973315
- Resolves: 1036844
* Fri Nov 1 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-1
- Support for PT-TLS (RFC 6876)
- Support for SWID IMC/IMV
- Support for command line IKE client charon-cmd
- Changed location of pki to /usr/bin
- Added swid tags files
- Added man pages for pki and charon-cmd
- Renamed pki to strongswan-pki to avoid conflict with
pki-core/pki-tools package.
- Update local patches
- Fixes CVE-2013-6075
- Fixes CVE-2013-6076
- Fixed autoconf/automake issue as configure.ac got changed
and it required running autoreconf during the build process.
- added strongswan signature file to the sources.
* Thu Sep 12 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-3
- Fixed initialization crash of IMV and IMC particularly
attestation imv/imc as libstrongswas was not getting
initialized.
* Fri Aug 30 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-2
- Enabled fips support
- Enabled TNC's ifmap support
- Enabled TNC's pdp support
- Fixed hardocded package name in this spec file
* Wed Aug 7 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-1
- rhbz#981429: New upstream release
- Fixes CVE-2013-5018: rhbz#991216, rhbz#991215
- Fixes rhbz#991859 failed to build in rawhide
- Updated local patches and removed which are not needed
- Fixed errors around charon-nm
- Added plugins libstrongswan-pkcs12.so, libstrongswan-rc2.so,
libstrongswan-sshkey.so
- Added utility imv_policy_manager
* Thu Jul 25 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 5.0.4-5
- rename strongswan-NetworkManager to strongswan-charon-nm
- fix enable_nm macro
* Mon Jul 15 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 5.0.4-4
- %%files tries to package some of the shared objects as directories (#984437)
- fix broken systemd unit file (#984300)
- fix rpmlint error: description-line-too-long
- fix rpmlint error: macro-in-comment
- fix rpmlint error: spelling-error Summary(en_US) fuctionality
- depend on 'systemd' instead of 'systemd-units'
- use new systemd scriptlet macros
- NetworkManager subpackage should have a copy of the license (#984490)
- enable hardened_build as this package meets the PIE criteria (#984429)
- invocation of "ipsec _updown iptables" is broken as ipsec is renamed
to strongswan in this package (#948306)
- invocation of "ipsec scepclient" is broken as ipsec is renamed
to strongswan in this package
- add /etc/strongswan/ipsec.d and missing subdirectories
- conditionalize building of strongswan-NetworkManager subpackage as the
version of NetworkManager in EL6 is too old (#984497)
* Fri Jun 28 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-3
- Patch to fix a major crash issue when Freeradius loads
attestatiom-imv and does not initialize libstrongswan which
causes crash due to calls to PTS algorithms probing APIs.
So this patch fixes the order of initialization. This issues
does not occur with charon because libstrongswan gets
initialized earlier.
- Patch that allows to outputs errors when there are permission
issues when accessing strongswan.conf.
- Patch to make loading of modules configurable when libimcv
is used in stand alone mode without charon with freeradius
and wpa_supplicant.
* Tue Jun 11 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-2
- Enabled TNCCS 1.1 protocol
- Fixed libxm2-devel build dependency
- Patch to fix the issue with loading of plugins
* Wed May 1 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-1
- New upstream release
- Fixes for CVE-2013-2944
- Enabled support for OS IMV/IMC
- Created and applied a patch to disable ECP in fedora, because
Openssl in Fedora does not allow ECP_256 and ECP_384. It makes
it non-compliant to TCG's PTS standard, but there is no choice
right now. see redhat bz # 319901.
- Enabled Trousers support for TPM based operations.
* Sat Apr 20 2013 Pavel Šimerda <psimerda@redhat.com> - 5.0.3-2
- Rebuilt for a single specfile for rawhide/f19/f18/el6
* Fri Apr 19 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.3-1
- New upstream release
- Enabled curl and eap-identity plugins
- Enabled support for eap-radius plugin.
* Thu Apr 18 2013 Pavel Šimerda <psimerda@redhat.com> - 5.0.2-3
- Add gettext-devel to BuildRequires because of epel6
- Remove unnecessary comments
* Tue Mar 19 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.2-2
- Enabled support for eap-radius plugin.
* Mon Mar 11 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.2-1
- Update to upstream release 5.0.2
- Created sub package strongswan-tnc-imcvs that provides trusted network
connect's IMC and IMV funtionality. Specifically it includes PTS
based IMC/IMV for TPM based remote attestation and scanner and test
IMCs and IMVs. The Strongswan's IMC/IMV dynamic libraries can be used
by any third party TNC Client/Server implementation possessing a
standard IF-IMC/IMV interface.
* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.0.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Thu Oct 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.1-1
- Update to release 5.0.1
* Thu Oct 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-4.git20120619
- Add plugins to interoperate with Windows 7 and Android (#862472)
(contributed by Haim Gelfenbeyn)
* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.0.0-3.git20120619
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Sun Jul 08 2012 Pavel Šimerda <pavlix@pavlix.net> - 5.0.0-2.git20120619
- Fix configure substitutions in initscripts
* Wed Jul 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-1.git20120619
- Update to current upstream release
- Comment out all stuff that is only needed for git builds
- Remove renaming patch from git
- Improve init patch used for EPEL
* Thu Jun 21 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-0.3.git20120619
- Build with openssl plugin enabled
* Wed Jun 20 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-0.2.git20120619
- Add README.Fedora with link to 4.6 to 5.0 migration information
* Tue Jun 19 2012 Pavel Šimerda - 5.0.0-0.1.git20120619
- Snapshot of upcoming major release
- Move patches and renaming upstream
http://wiki.strongswan.org/issues/194
http://wiki.strongswan.org/issues/195
- Notified upstream about manpage issues
* Tue Jun 19 2012 Pavel Šimerda - 4.6.4-2
- Make initscript patch more distro-neutral
- Add links to bugreports for patches
* Fri Jun 01 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.4-1
- New upstream version (CVE-2012-2388)
* Sat May 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.3-2
- Add --enable-nm to configure
- Add NetworkManager-devel to BuildRequires
- Add NetworkManager-glib-devel to BuildRequires
- Add strongswan-NetworkManager package
* Sat May 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.3-1
- New version of Strongswan
- Support for RFC 3110 DNSKEY (see upstream changelog)
- Fix corrupt scriptlets
* Fri Mar 30 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.2-2
- #808612 - strongswan binary renaming side-effect
* Sun Feb 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.2-1
- New upstream version
- Changed from .tar.gz to .tar.bz2
- Added libstrongswan-pkcs8.so
* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-8
- Fix initscript's status function
* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-7
- Expand tabs in config files for better readability
- Add sysvinit script for epel6
* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-6
- Fix program name in systemd unit file
* Tue Feb 14 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-5
- Improve fedora/epel conditionals
* Sat Jan 21 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-4
- Protect configuration directory from ordinary users
- Add still missing directory /etc/strongswan
* Fri Jan 20 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-3
- Change directory structure to avoid clashes with Openswan
- Prefixed all manpages with 'strongswan_'
- Every file now includes 'strongswan' somewhere in its path
- Removed conflict with Openswan
- Finally fix permissions on strongswan.conf
* Fri Jan 20 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-2
- Change license tag from GPL to GPLv2+
- Change permissions on /etc/strongswan.conf to 644
- Rename ipsec.8 manpage to strongswan.8
- Fix empty scriptlets for non-fedora builds
- Add ldconfig scriptlet
- Add missing directories and files
* Sun Jan 01 2012 Pavel Šimerda <pavlix@pavlix.net - 4.6.1-1
- Bump to version 4.6.1
* Sun Jan 01 2012 Pavel Šimerda <pavlix@pavlix.net - 4.6.0-3
- Add systemd scriptlets
- Add conditions to also support EPEL6
* Sat Dec 10 2011 Pavel Šimerda <pavlix@pavlix.net> - 4.6.0-2
- Experimental build for development

4
sources
View File

@@ -1,2 +1,2 @@
SHA512 (strongswan-6.0.2.tar.bz2) = b1ee61b7d0eab40a9fcb5a7e28cfea9050f5f894fa66032edf9511b1e260104870e23fc19329b48be01f03eb491bfc27c9b74838722c80ba0284a48596a68d71
SHA512 (strongswan-6.0.2.tar.bz2.sig) = 374e16baf4b3ee24966abdb872890eb29da4aa6fc4e8a5e2a67d6099e2a72bad195257e505765cecbfae3a77ea42942fc3cea543b954f1f7b3e415ad536321ff
SHA512 (strongswan-5.9.14.tar.bz2) = e48bc9d215f9de6b54e24f7b4765d59aec4c615291d5c1f24f6a6d7da45dc8b17b2e0e150faf5fabb35e5d465abc5e6f6efa06cd002467067c5d7844ead359f6
SHA512 (strongswan-5.9.14.tar.bz2.sig) = 1b3d57448caab91060fe3d209d90708c57dbf35ae62c97574107b32677cff73f13f7545dc91682ef84400bb8a2f105a1761aba8334763dc8c35d97be7921c242

12
strongswan-6.0.2-no-isolation.patch
View File

@@ -1,12 +0,0 @@
diff -Naur strongswan-6.0.2-orig/src/libcharon/plugins/vici/python/Makefile.am strongswan-6.0.2/src/libcharon/plugins/vici/python/Makefile.am
--- strongswan-6.0.2-orig/src/libcharon/plugins/vici/python/Makefile.am 2025-07-12 02:36:20.000000000 -0400
+++ strongswan-6.0.2/src/libcharon/plugins/vici/python/Makefile.am 2025-09-10 15:31:43.217806666 -0400
@@ -19,7 +19,7 @@
all-local: dist/vici-$(PYTHON_PACKAGE_VERSION)-py3-none-any.whl
dist/vici-$(PYTHON_PACKAGE_VERSION)-py3-none-any.whl: $(EXTRA_DIST) $(srcdir)/setup.py
- (cd $(srcdir); $(PYTHON) -m build -o $(abs_builddir)/dist)
+ (cd $(srcdir); $(PYTHON) -m build --no-isolation -o $(abs_builddir)/dist)
clean-local:
rm -rf $(srcdir)/setup.py $(srcdir)/vici.egg-info $(builddir)/dist

514
strongswan-6.0.2-no-md5-b3011e8e.patch
View File

@@ -1,514 +0,0 @@
From b3011e8e87a1fad1bfb026448fc37b80b7cfc007 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 23 Sep 2025 14:59:37 +0200
Subject: [PATCH] Remove support for MD2
No part of IKE/IPsec or X.509 uses MD2 anymore, so there really is no
reason to still support it (unlike MD4 that is used in EAP-MSCHAPv2,
MD5 that's used in EAP-MD5, or SHA-1 that's used for e.g. NAT-D hashes).
It caused test vectors to fail on systems where OpenSSL is built with
MD2 support but has it disabled at runtime.
---
src/libstrongswan/asn1/oid.txt | 4 +-
.../credentials/containers/pkcs12.c | 1 -
src/libstrongswan/crypto/hashers/hasher.c | 15 ---
src/libstrongswan/crypto/hashers/hasher.h | 16 +--
src/libstrongswan/crypto/xofs/xof.c | 1 -
.../plugins/gcrypt/gcrypt_hasher.c | 3 -
.../plugins/openssl/openssl_plugin.c | 3 -
.../plugins/pkcs11/pkcs11_hasher.c | 1 -
.../plugins/pkcs11/pkcs11_plugin.c | 1 -
.../plugins/test_vectors/Makefile.am | 1 -
.../plugins/test_vectors/test_vectors.h | 7 -
.../plugins/test_vectors/test_vectors/md2.c | 64 ---------
src/libstrongswan/tests/suites/test_hasher.c | 127 +++++++++---------
13 files changed, 71 insertions(+), 173 deletions(-)
delete mode 100644 src/libstrongswan/plugins/test_vectors/test_vectors/md2.c
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index f58a44d326..b9c3189cd2 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -94,7 +94,7 @@
0x01 "PKCS"
0x01 "PKCS-1"
0x01 "rsaEncryption" OID_RSA_ENCRYPTION
- 0x02 "md2WithRSAEncryption" OID_MD2_WITH_RSA
+ 0x02 "md2WithRSAEncryption"
0x04 "md5WithRSAEncryption" OID_MD5_WITH_RSA
0x05 "sha-1WithRSAEncryption" OID_SHA1_WITH_RSA
0x07 "id-RSAES-OAEP" OID_RSAES_OAEP
@@ -148,7 +148,7 @@
0x05 "secretBag"
0x06 "safeContentsBag"
0x02 "digestAlgorithm"
- 0x02 "md2" OID_MD2
+ 0x02 "md2"
0x05 "md5" OID_MD5
0x07 "hmacWithSHA1" OID_HMAC_SHA1
0x08 "hmacWithSHA224" OID_HMAC_SHA224
diff --git a/src/libstrongswan/credentials/containers/pkcs12.c b/src/libstrongswan/credentials/containers/pkcs12.c
index d738910077..be0c750393 100644
--- a/src/libstrongswan/credentials/containers/pkcs12.c
+++ b/src/libstrongswan/credentials/containers/pkcs12.c
@@ -83,7 +83,6 @@ static bool derive_key(hash_algorithm_t hash, chunk_t unicode, chunk_t salt,
}
switch (hash)
{
- case HASH_MD2:
case HASH_MD5:
case HASH_SHA1:
case HASH_SHA224:
diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
index 2fed3b4133..444a59c5f0 100644
--- a/src/libstrongswan/crypto/hashers/hasher.c
+++ b/src/libstrongswan/crypto/hashers/hasher.c
@@ -30,7 +30,6 @@ ENUM_BEGIN(hash_algorithm_names, HASH_SHA1, HASH_IDENTITY,
"HASH_IDENTITY");
ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY,
"HASH_UNKNOWN",
- "HASH_MD2",
"HASH_MD4",
"HASH_MD5",
"HASH_SHA2_224",
@@ -48,7 +47,6 @@ ENUM_BEGIN(hash_algorithm_short_names, HASH_SHA1, HASH_IDENTITY,
"identity");
ENUM_NEXT(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY,
"unknown",
- "md2",
"md4",
"md5",
"sha224",
@@ -66,7 +64,6 @@ ENUM_BEGIN(hash_algorithm_short_names_upper, HASH_SHA1, HASH_IDENTITY,
"IDENTITY");
ENUM_NEXT(hash_algorithm_short_names_upper, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY,
"UNKNOWN",
- "MD2",
"MD4",
"MD5",
"SHA2_224",
@@ -91,8 +88,6 @@ size_t hasher_hash_size(hash_algorithm_t alg)
return HASH_SIZE_SHA384;
case HASH_SHA512:
return HASH_SIZE_SHA512;
- case HASH_MD2:
- return HASH_SIZE_MD2;
case HASH_MD4:
return HASH_SIZE_MD4;
case HASH_MD5:
@@ -121,9 +116,6 @@ hash_algorithm_t hasher_algorithm_from_oid(int oid)
{
switch (oid)
{
- case OID_MD2:
- case OID_MD2_WITH_RSA:
- return HASH_MD2;
case OID_MD5:
case OID_MD5_WITH_RSA:
return HASH_MD5;
@@ -323,7 +315,6 @@ integrity_algorithm_t hasher_algorithm_to_integrity(hash_algorithm_t alg,
return AUTH_HMAC_SHA2_512_512;
}
break;
- case HASH_MD2:
case HASH_MD4:
case HASH_SHA224:
case HASH_SHA3_224:
@@ -350,7 +341,6 @@ bool hasher_algorithm_for_ikev2(hash_algorithm_t alg)
case HASH_SHA512:
return TRUE;
case HASH_UNKNOWN:
- case HASH_MD2:
case HASH_MD4:
case HASH_MD5:
case HASH_SHA1:
@@ -373,9 +363,6 @@ int hasher_algorithm_to_oid(hash_algorithm_t alg)
switch (alg)
{
- case HASH_MD2:
- oid = OID_MD2;
- break;
case HASH_MD5:
oid = OID_MD5;
break;
@@ -422,8 +409,6 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key)
case KEY_RSA:
switch (alg)
{
- case HASH_MD2:
- return OID_MD2_WITH_RSA;
case HASH_MD5:
return OID_MD5_WITH_RSA;
case HASH_SHA1:
diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
index ad434035da..0a4237cd93 100644
--- a/src/libstrongswan/crypto/hashers/hasher.h
+++ b/src/libstrongswan/crypto/hashers/hasher.h
@@ -45,17 +45,15 @@ enum hash_algorithm_t {
HASH_IDENTITY = 5,
/* use private use range for algorithms not defined/permitted by RFC 7427 */
HASH_UNKNOWN = 1024,
- HASH_MD2 = 1025,
- HASH_MD4 = 1026,
- HASH_MD5 = 1027,
- HASH_SHA224 = 1028,
- HASH_SHA3_224 = 1029,
- HASH_SHA3_256 = 1030,
- HASH_SHA3_384 = 1031,
- HASH_SHA3_512 = 1032
+ HASH_MD4 = 1025,
+ HASH_MD5 = 1026,
+ HASH_SHA224 = 1027,
+ HASH_SHA3_224 = 1028,
+ HASH_SHA3_256 = 1029,
+ HASH_SHA3_384 = 1030,
+ HASH_SHA3_512 = 1031
};
-#define HASH_SIZE_MD2 16
#define HASH_SIZE_MD4 16
#define HASH_SIZE_MD5 16
#define HASH_SIZE_SHA1 20
diff --git a/src/libstrongswan/crypto/xofs/xof.c b/src/libstrongswan/crypto/xofs/xof.c
index 7c1eb37e42..f21e037a5a 100644
--- a/src/libstrongswan/crypto/xofs/xof.c
+++ b/src/libstrongswan/crypto/xofs/xof.c
@@ -60,7 +60,6 @@ ext_out_function_t xof_mgf1_from_hash_algorithm(hash_algorithm_t alg)
return XOF_MGF1_SHA3_384;
case HASH_IDENTITY:
case HASH_UNKNOWN:
- case HASH_MD2:
case HASH_MD4:
case HASH_MD5:
break;
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
index 29f86a5139..5e30ac7dc3 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
@@ -92,9 +92,6 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
switch (algo)
{
- case HASH_MD2:
- gcrypt_alg = GCRY_MD_MD2;
- break;
case HASH_MD4:
gcrypt_alg = GCRY_MD_MD4;
break;
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index c3e1d2e173..ef7fe8908f 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -400,9 +400,6 @@ METHOD(plugin_t, get_features, int,
PLUGIN_PROVIDE(CRYPTER, ENCR_NULL, 0),
/* hashers */
PLUGIN_REGISTER(HASHER, openssl_hasher_create),
-#ifndef OPENSSL_NO_MD2
- PLUGIN_PROVIDE(HASHER, HASH_MD2),
-#endif
#ifndef OPENSSL_NO_MD4
PLUGIN_PROVIDE(HASHER, HASH_MD4),
#endif
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
index e5ac18ed8c..409a05a2ab 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_hasher.c
@@ -234,7 +234,6 @@ static CK_MECHANISM_PTR algo_to_mechanism(hash_algorithm_t algo, size_t *size)
CK_MECHANISM mechanism;
size_t size;
} mappings[] = {
- {HASH_MD2, {CKM_MD2, NULL, 0}, HASH_SIZE_MD2},
{HASH_MD5, {CKM_MD5, NULL, 0}, HASH_SIZE_MD5},
{HASH_SHA1, {CKM_SHA_1, NULL, 0}, HASH_SIZE_SHA1},
{HASH_SHA256, {CKM_SHA256, NULL, 0}, HASH_SIZE_SHA256},
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
index 5510db99f4..aa27f1e384 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
@@ -189,7 +189,6 @@ METHOD(plugin_t, get_features, int,
{
static plugin_feature_t f_hash[] = {
PLUGIN_REGISTER(HASHER, pkcs11_hasher_create),
- PLUGIN_PROVIDE(HASHER, HASH_MD2),
PLUGIN_PROVIDE(HASHER, HASH_MD5),
PLUGIN_PROVIDE(HASHER, HASH_SHA1),
PLUGIN_PROVIDE(HASHER, HASH_SHA256),
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am
index 6074027f7d..eaf6485abc 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.am
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.am
@@ -37,7 +37,6 @@ libstrongswan_test_vectors_la_SOURCES = \
test_vectors/rc5.c \
test_vectors/serpent_cbc.c \
test_vectors/twofish_cbc.c \
- test_vectors/md2.c \
test_vectors/md4.c \
test_vectors/md5.c \
test_vectors/md5_hmac.c \
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h
index bf8609cb62..85436ff74a 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors.h
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h
@@ -160,13 +160,6 @@ TEST_VECTOR_SIGNER(sha512_hmac_s1)
TEST_VECTOR_SIGNER(sha512_hmac_s2)
TEST_VECTOR_SIGNER(sha512_hmac_s3)
-TEST_VECTOR_HASHER(md2_1)
-TEST_VECTOR_HASHER(md2_2)
-TEST_VECTOR_HASHER(md2_3)
-TEST_VECTOR_HASHER(md2_4)
-TEST_VECTOR_HASHER(md2_5)
-TEST_VECTOR_HASHER(md2_6)
-TEST_VECTOR_HASHER(md2_7)
TEST_VECTOR_HASHER(md4_1)
TEST_VECTOR_HASHER(md4_2)
TEST_VECTOR_HASHER(md4_3)
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/md2.c b/src/libstrongswan/plugins/test_vectors/test_vectors/md2.c
deleted file mode 100644
index b2707a1317..0000000000
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/md2.c
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- *
- * Copyright (C) secunet Security Networks AG
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the Licenseor (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be usefulbut
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <crypto/crypto_tester.h>
-
-/**
- * MD2 vectors from RFC 1319
- */
-hasher_test_vector_t md2_1 = {
- .alg = HASH_MD2, .len = 0,
- .data = "",
- .hash = "\x83\x50\xe5\xa3\xe2\x4c\x15\x3d\xf2\x27\x5c\x9f\x80\x69\x27\x73"
-};
-
-hasher_test_vector_t md2_2 = {
- .alg = HASH_MD2, .len = 1,
- .data = "a",
- .hash = "\x32\xec\x01\xec\x4a\x6d\xac\x72\xc0\xab\x96\xfb\x34\xc0\xb5\xd1"
-};
-
-hasher_test_vector_t md2_3 = {
- .alg = HASH_MD2, .len = 3,
- .data = "abc",
- .hash = "\xda\x85\x3b\x0d\x3f\x88\xd9\x9b\x30\x28\x3a\x69\xe6\xde\xd6\xbb"
-};
-
-hasher_test_vector_t md2_4 = {
- .alg = HASH_MD2, .len = 14,
- .data = "message digest",
- .hash = "\xab\x4f\x49\x6b\xfb\x2a\x53\x0b\x21\x9f\xf3\x30\x31\xfe\x06\xb0"
-};
-
-hasher_test_vector_t md2_5 = {
- .alg = HASH_MD2, .len = 26,
- .data = "abcdefghijklmnopqrstuvwxyz",
- .hash = "\x4e\x8d\xdf\xf3\x65\x02\x92\xab\x5a\x41\x08\xc3\xaa\x47\x94\x0b"
-};
-
-hasher_test_vector_t md2_6 = {
- .alg = HASH_MD2, .len = 62,
- .data = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
- .hash = "\xda\x33\xde\xf2\xa4\x2d\xf1\x39\x75\x35\x28\x46\xc3\x03\x38\xcd"
-};
-
-hasher_test_vector_t md2_7 = {
- .alg = HASH_MD2, .len = 80,
- .data = "1234567890123456789012345678901234567890"
- "1234567890123456789012345678901234567890",
- .hash = "\xd5\x97\x6f\x79\xd8\x3d\x3a\x0d\xc9\x80\x6c\x3c\x66\xf3\xef\xd8"
-};
-
diff --git a/src/libstrongswan/tests/suites/test_hasher.c b/src/libstrongswan/tests/suites/test_hasher.c
index c07eed8d93..3bdcc7e3d7 100644
--- a/src/libstrongswan/tests/suites/test_hasher.c
+++ b/src/libstrongswan/tests/suites/test_hasher.c
@@ -28,41 +28,39 @@ typedef struct {
key_type_t key;
}hasher_oid_t;
+/* make sure to adjust offsets in constructor when changing this array */
static hasher_oid_t oids[] = {
- { OID_MD2, HASH_MD2, KEY_ANY }, /* 0 */
- { OID_MD5, HASH_MD5, KEY_ANY }, /* 1 */
- { OID_SHA1, HASH_SHA1, KEY_ANY }, /* 2 */
- { OID_SHA224, HASH_SHA224, KEY_ANY }, /* 3 */
- { OID_SHA256, HASH_SHA256, KEY_ANY }, /* 4 */
- { OID_SHA384, HASH_SHA384, KEY_ANY }, /* 5 */
- { OID_SHA512, HASH_SHA512, KEY_ANY }, /* 6 */
- { OID_SHA3_224, HASH_SHA3_224, KEY_ANY }, /* 7 */
- { OID_SHA3_256, HASH_SHA3_256, KEY_ANY }, /* 8 */
- { OID_SHA3_384, HASH_SHA3_384, KEY_ANY }, /* 9 */
- { OID_SHA3_512, HASH_SHA3_512, KEY_ANY }, /* 10 */
- { OID_UNKNOWN, HASH_UNKNOWN, KEY_ANY }, /* 11 */
- { OID_MD2_WITH_RSA, HASH_MD2, KEY_RSA }, /* 12 */
- { OID_MD5_WITH_RSA, HASH_MD5, KEY_RSA }, /* 13 */
- { OID_SHA1_WITH_RSA, HASH_SHA1, KEY_RSA }, /* 14 */
- { OID_SHA224_WITH_RSA, HASH_SHA224, KEY_RSA }, /* 15 */
- { OID_SHA256_WITH_RSA, HASH_SHA256, KEY_RSA }, /* 16 */
- { OID_SHA384_WITH_RSA, HASH_SHA384, KEY_RSA }, /* 17 */
- { OID_SHA512_WITH_RSA, HASH_SHA512, KEY_RSA }, /* 18 */
- { OID_RSASSA_PKCS1V15_WITH_SHA3_224, HASH_SHA3_224, KEY_RSA }, /* 19 */
- { OID_RSASSA_PKCS1V15_WITH_SHA3_256, HASH_SHA3_256, KEY_RSA }, /* 20 */
- { OID_RSASSA_PKCS1V15_WITH_SHA3_384, HASH_SHA3_384, KEY_RSA }, /* 21 */
- { OID_RSASSA_PKCS1V15_WITH_SHA3_512, HASH_SHA3_512, KEY_RSA }, /* 22 */
- { OID_UNKNOWN, HASH_UNKNOWN, KEY_RSA }, /* 23 */
- { OID_ED25519, HASH_IDENTITY, KEY_ED25519 }, /* 24 */
- { OID_UNKNOWN, HASH_UNKNOWN, KEY_ED25519 }, /* 25 */
- { OID_ED448, HASH_IDENTITY, KEY_ED448 }, /* 26 */
- { OID_UNKNOWN, HASH_UNKNOWN, KEY_ED448 }, /* 27 */
- { OID_ECDSA_WITH_SHA1, HASH_SHA1, KEY_ECDSA }, /* 28 */
- { OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA }, /* 29 */
- { OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA }, /* 30 */
- { OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA }, /* 31 */
- { OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA }, /* 32 */
-
+ { OID_MD5, HASH_MD5, KEY_ANY }, /* 0 */
+ { OID_SHA1, HASH_SHA1, KEY_ANY }, /* 1 */
+ { OID_SHA224, HASH_SHA224, KEY_ANY }, /* 2 */
+ { OID_SHA256, HASH_SHA256, KEY_ANY }, /* 3 */
+ { OID_SHA384, HASH_SHA384, KEY_ANY }, /* 4 */
+ { OID_SHA512, HASH_SHA512, KEY_ANY }, /* 5 */
+ { OID_SHA3_224, HASH_SHA3_224, KEY_ANY }, /* 6 */
+ { OID_SHA3_256, HASH_SHA3_256, KEY_ANY }, /* 7 */
+ { OID_SHA3_384, HASH_SHA3_384, KEY_ANY }, /* 8 */
+ { OID_SHA3_512, HASH_SHA3_512, KEY_ANY }, /* 9 */
+ { OID_UNKNOWN, HASH_UNKNOWN, KEY_ANY }, /* 10 */
+ { OID_MD5_WITH_RSA, HASH_MD5, KEY_RSA }, /* 11 */
+ { OID_SHA1_WITH_RSA, HASH_SHA1, KEY_RSA }, /* 12 */
+ { OID_SHA224_WITH_RSA, HASH_SHA224, KEY_RSA }, /* 13 */
+ { OID_SHA256_WITH_RSA, HASH_SHA256, KEY_RSA }, /* 14 */
+ { OID_SHA384_WITH_RSA, HASH_SHA384, KEY_RSA }, /* 15 */
+ { OID_SHA512_WITH_RSA, HASH_SHA512, KEY_RSA }, /* 16 */
+ { OID_RSASSA_PKCS1V15_WITH_SHA3_224, HASH_SHA3_224, KEY_RSA }, /* 17 */
+ { OID_RSASSA_PKCS1V15_WITH_SHA3_256, HASH_SHA3_256, KEY_RSA }, /* 18 */
+ { OID_RSASSA_PKCS1V15_WITH_SHA3_384, HASH_SHA3_384, KEY_RSA }, /* 19 */
+ { OID_RSASSA_PKCS1V15_WITH_SHA3_512, HASH_SHA3_512, KEY_RSA }, /* 20 */
+ { OID_UNKNOWN, HASH_UNKNOWN, KEY_RSA }, /* 21 */
+ { OID_ED25519, HASH_IDENTITY, KEY_ED25519 }, /* 22 */
+ { OID_UNKNOWN, HASH_UNKNOWN, KEY_ED25519 }, /* 23 */
+ { OID_ED448, HASH_IDENTITY, KEY_ED448 }, /* 24 */
+ { OID_UNKNOWN, HASH_UNKNOWN, KEY_ED448 }, /* 25 */
+ { OID_ECDSA_WITH_SHA1, HASH_SHA1, KEY_ECDSA }, /* 26 */
+ { OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA }, /* 27 */
+ { OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA }, /* 28 */
+ { OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA }, /* 29 */
+ { OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA }, /* 30 */
};
START_TEST(test_hasher_from_oid)
@@ -174,32 +172,32 @@ typedef struct {
size_t length;
}hasher_auth_t;
+/* make sure to adjust offsets in constructor when changing this array */
static hasher_auth_t auths[] = {
- { AUTH_UNDEFINED, HASH_MD2, 0 },
- { AUTH_UNDEFINED, HASH_MD4, 0 },
- { AUTH_UNDEFINED, HASH_SHA224, 0 },
- { AUTH_UNDEFINED, 9, 0 },
- { AUTH_UNDEFINED, HASH_UNKNOWN, 0 },
- { AUTH_HMAC_MD5_96, HASH_MD5, 12 },
- { AUTH_HMAC_SHA1_96, HASH_SHA1, 12 },
- { AUTH_HMAC_SHA2_256_96, HASH_SHA256, 12 },
- { AUTH_HMAC_MD5_128, HASH_MD5, 16 },
- { AUTH_HMAC_SHA1_128, HASH_SHA1, 16 },
- { AUTH_HMAC_SHA2_256_128, HASH_SHA256, 16 },
- { AUTH_HMAC_SHA1_160, HASH_SHA1, 20 },
- { AUTH_HMAC_SHA2_384_192, HASH_SHA384, 24 },
- { AUTH_HMAC_SHA2_256_256, HASH_SHA256, 32 },
- { AUTH_HMAC_SHA2_512_256, HASH_SHA512, 32 },
- { AUTH_HMAC_SHA2_384_384, HASH_SHA384, 48 },
- { AUTH_HMAC_SHA2_512_512, HASH_SHA512, 64 },
- { AUTH_AES_CMAC_96, HASH_UNKNOWN, 0 },
- { AUTH_AES_128_GMAC, HASH_UNKNOWN, 0 },
- { AUTH_AES_192_GMAC, HASH_UNKNOWN, 0 },
- { AUTH_AES_256_GMAC, HASH_UNKNOWN, 0 },
- { AUTH_AES_XCBC_96, HASH_UNKNOWN, 0 },
- { AUTH_DES_MAC, HASH_UNKNOWN, 0 },
- { AUTH_CAMELLIA_XCBC_96, HASH_UNKNOWN, 0 },
- { 0, HASH_UNKNOWN, 0 }
+ { AUTH_UNDEFINED, HASH_MD4, 0 }, /* 0 */
+ { AUTH_UNDEFINED, HASH_SHA224, 0 }, /* 1 */
+ { AUTH_UNDEFINED, 9, 0 }, /* 2 */
+ { AUTH_UNDEFINED, HASH_UNKNOWN, 0 }, /* 3 */
+ { AUTH_HMAC_MD5_96, HASH_MD5, 12 }, /* 4 */
+ { AUTH_HMAC_SHA1_96, HASH_SHA1, 12 }, /* 5 */
+ { AUTH_HMAC_SHA2_256_96, HASH_SHA256, 12 }, /* 6 */
+ { AUTH_HMAC_MD5_128, HASH_MD5, 16 }, /* 7 */
+ { AUTH_HMAC_SHA1_128, HASH_SHA1, 16 }, /* 8 */
+ { AUTH_HMAC_SHA2_256_128, HASH_SHA256, 16 }, /* 9 */
+ { AUTH_HMAC_SHA1_160, HASH_SHA1, 20 }, /* 10 */
+ { AUTH_HMAC_SHA2_384_192, HASH_SHA384, 24 }, /* 11 */
+ { AUTH_HMAC_SHA2_256_256, HASH_SHA256, 32 }, /* 12 */
+ { AUTH_HMAC_SHA2_512_256, HASH_SHA512, 32 }, /* 13 */
+ { AUTH_HMAC_SHA2_384_384, HASH_SHA384, 48 }, /* 14 */
+ { AUTH_HMAC_SHA2_512_512, HASH_SHA512, 64 }, /* 15 */
+ { AUTH_AES_CMAC_96, HASH_UNKNOWN, 0 }, /* 16 */
+ { AUTH_AES_128_GMAC, HASH_UNKNOWN, 0 }, /* 17 */
+ { AUTH_AES_192_GMAC, HASH_UNKNOWN, 0 }, /* 18 */
+ { AUTH_AES_256_GMAC, HASH_UNKNOWN, 0 }, /* 19 */
+ { AUTH_AES_XCBC_96, HASH_UNKNOWN, 0 }, /* 20 */
+ { AUTH_DES_MAC, HASH_UNKNOWN, 0 }, /* 21 */
+ { AUTH_CAMELLIA_XCBC_96, HASH_UNKNOWN, 0 }, /* 22 */
+ { 0, HASH_UNKNOWN, 0 } /* 23 */
};
START_TEST(test_hasher_from_integrity)
@@ -237,7 +235,6 @@ static hasher_ikev2_t ikev2[] = {
{ HASH_SHA384, TRUE },
{ HASH_SHA512, TRUE },
{ HASH_UNKNOWN, FALSE },
- { HASH_MD2, FALSE },
{ HASH_MD4, FALSE },
{ HASH_MD5, FALSE },
{ HASH_SHA224, FALSE },
@@ -262,15 +259,15 @@ Suite *hasher_suite_create()
s = suite_create("hasher");
tc = tcase_create("from_oid");
- tcase_add_loop_test(tc, test_hasher_from_oid, 0, 28);
+ tcase_add_loop_test(tc, test_hasher_from_oid, 0, 26);
suite_add_tcase(s, tc);
tc = tcase_create("to_oid");
- tcase_add_loop_test(tc, test_hasher_to_oid, 0, 12);
+ tcase_add_loop_test(tc, test_hasher_to_oid, 0, 11);
suite_add_tcase(s, tc);
tc = tcase_create("sig_to_oid");
- tcase_add_loop_test(tc, test_hasher_sig_to_oid, 11, countof(oids));
+ tcase_add_loop_test(tc, test_hasher_sig_to_oid, 10, countof(oids));
suite_add_tcase(s, tc);
tc = tcase_create("from_sig_scheme");
@@ -283,11 +280,11 @@ Suite *hasher_suite_create()
suite_add_tcase(s, tc);
tc = tcase_create("from_integrity");
- tcase_add_loop_test(tc, test_hasher_from_integrity, 4, countof(auths));
+ tcase_add_loop_test(tc, test_hasher_from_integrity, 3, countof(auths));
suite_add_tcase(s, tc);
tc = tcase_create("to_integrity");
- tcase_add_loop_test(tc, test_hasher_to_integrity, 0, 17);
+ tcase_add_loop_test(tc, test_hasher_to_integrity, 0, 16);
suite_add_tcase(s, tc);
tc = tcase_create("for_ikev2");

692
strongswan.spec
View File

@@ -2,17 +2,22 @@
#%%define prerelease dr1
%global dist .nhrp.11%{?dist}
# pytho vici bindings cannot build without network, so temp. disabled
%bcond_with python3
%bcond_without python3
%bcond_without perl
# checks fail for test_params_parse_rsa_pss
%bcond_with check
%if (0%{?fedora} && 0%{?fedora} < 36) || (0%{?rhel} && 0%{?rhel} < 9)
# trousers was retired for F36+ and no longer available in RHEL with 9+
%bcond_without tss_trousers
%else
%bcond_with tss_trousers
%endif
%global forgeurl0 https://github.com/strongswan/strongswan
Name: strongswan
Version: 6.0.2
Release: 4%{?dist}
Version: 5.9.14
Release: 5%{?dist}
Summary: An OpenSource IPsec-based VPN and TNC solution
# Automatically converted from old format: GPLv2+ - review is highly recommended.
License: GPL-2.0-or-later
@@ -22,13 +27,11 @@ Source0: https://download.strongswan.org/strongswan-%{version}%{?prerelea
Source1: https://download.strongswan.org/strongswan-%{version}%{?prerelease}.tar.bz2.sig
Source2: https://download.strongswan.org/STRONGSWAN-RELEASE-PGP-KEY
Source3: tmpfiles-strongswan.conf
# https://github.com/strongswan/strongswan/issues/1198 (also pinged upstream via email)
Patch0: strongswan-5.6.0-uintptr_t.patch
# https://github.com/strongswan/strongswan/issues/1198
Patch1: strongswan-5.9.7-error-no-format.patch
# Use isolation to prevent pip attempting to download during build
Patch2: strongswan-6.0.2-no-isolation.patch
# Remove MD2, which causes test case failures due to fedora crypto policies
# https://github.com/strongswan/strongswan/commit/b3011e8e87a1fad1bfb026448fc37b80b7cfc007
Patch3: strongswan-6.0.2-no-md5-b3011e8e.patch
Patch2: strongswan-6.0.0-gcc15.patch
Patch3: strongswan-6.0.1-gcc15.patch
Patch10: 0001-charon-add-optional-source-and-remote-overrides-for-.patch
Patch11: 0002-vici-send-certificates-for-ike-sa-events.patch
@@ -38,7 +41,6 @@ Patch13: 0004-Support-GRE-key-in-selectors-with-kernel-netlink.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: gnupg2
BuildRequires: libtool
BuildRequires: make
BuildRequires: gcc
BuildRequires: systemd
@@ -65,9 +67,7 @@ Recommends: tpm2-tools
%if %{with python3}
BuildRequires: python3-devel
BuildRequires: python3-build
BuildRequires: python3-setuptools
BuildRequires: python3-daemon
BuildRequires: python3-pytest
%endif
@@ -76,6 +76,10 @@ BuildRequires: perl-devel perl-generators
BuildRequires: perl(ExtUtils::MakeMaker)
%endif
%if %{with tss_trousers}
BuildRequires: trousers-devel
%endif
BuildRequires: NetworkManager-libnm-devel
Requires(post): systemd
Requires(preun): systemd
@@ -158,8 +162,7 @@ for Strongswan runtime configuration from perl applications.
%build
# only for snapshots
export ACLOCAL_PATH=/usr/share/gettext/m4:$ACLOCAL_PATH
autoreconf -fiv
autoreconf
# --with-ipsecdir moves internal commands to /usr/libexec/strongswan
# --bindir moves 'pki' command to /usr/libexec/strongswan
@@ -184,7 +187,6 @@ autoreconf -fiv
--enable-gcm \
--enable-chapoly \
--enable-md4 \
--enable-ml \
--enable-gcrypt \
--enable-newhope \
--enable-xauth-eap \
@@ -240,23 +242,26 @@ autoreconf -fiv
--enable-vici \
--enable-swanctl \
--enable-duplicheck \
--enable-selinux \
--enable-stroke \
%ifarch x86_64 %{ix86}
--enable-aesni \
%endif
%if %{with python3}
PYTHON=%{python3} --enable-python-wheels \
PYTHON=%{python3} --enable-python-eggs \
%endif
%if %{with perl}
--enable-perl-cpan \
%endif
%if %{with check}
--enable-test-vectors \
%endif
%if %{with tss_trousers}
--enable-tss-trousers \
--enable-aikgen \
%endif
--enable-kernel-libipsec \
--with-capabilities=libcap \
CPPFLAGS="-DSTARTER_ALLOW_NON_ROOT"
# TODO: --enable-python-eggs-install not python3 ready
# disable certain plugins in the daemon configuration by default
for p in bypass-lan; do
@@ -296,8 +301,8 @@ pushd src/libcharon/plugins/vici
pushd python
# TODO: --enable-python-eggs breaks our previous build. Do it now
# propose better way to upstream
%pyproject_wheel
%pyproject_install
%py3_build
%py3_install
popd
%endif
%if %{with perl}
@@ -326,6 +331,7 @@ install -d -m 0700 %{buildroot}%{_rundir}/strongswan
install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan.conf
install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.conf
%check
%if %{with check}
# Seen some tests hang. Ensure we do not block builder forever
@@ -364,7 +370,6 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
%{_sbindir}/strongswan
%{_sbindir}/swanctl
%{_libdir}/strongswan/*.so.*
%{_libdir}/strongswan/plugins/*.so.*
%exclude %{_libdir}/strongswan/libimcv.so.*
%exclude %{_libdir}/strongswan/libtnccs.so.*
%exclude %{_libdir}/strongswan/libipsec.so.*
@@ -414,7 +419,7 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
%license COPYING
%doc src/libcharon/plugins/vici/python/README.rst
%{python3_sitelib}/vici
%{python3_sitelib}/vici-%{version}.dist-info
%{python3_sitelib}/vici-%{version}-py*.egg-info
%endif
%if %{with perl}
@@ -424,4 +429,641 @@ install -D -m 0644 %{SOURCE3} %{buildroot}/%{_tmpfilesdir}/strongswan-starter.co
%endif
%changelog
%autochangelog
* Sat Jul 27 2024 Michel Lind <salimma@fedoraproject.org> - 5.9.14-5
- Depend on openssl-devel-engine since we still use this deprecated feature (rhbz#2295335)
* Fri Jul 26 2024 Miroslav Suchý <msuchy@redhat.com> - 5.9.14-4
- convert license to SPDX
* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.14-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 5.9.14-2
- Rebuilt for Python 3.13
* Fri May 31 2024 Paul Wouters <paul.wouters@aiven.io> - 5.9.14-1
- Resolves: rhbz#2254560 CVE-2023-41913 buffer overflow and possible RCE
- Resolved: rhbz#2250666 Update to 5.9.14 (IKEv2 OCSP extensions, seqno/regno overflow handling
- Update to 5.9.13 (OCSP nonce set regression configuration option charon.ocsp_nonce_len)
- Update to 5.9.12 (CVE-2023-41913 fix, various IKEv2 fixes)
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.11-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Fri Jul 14 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.11-1
- Resolves: rhbz#2214186 strongswan-5.9.11 is available
* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 5.9.10-2
- Rebuilt for Python 3.12
* Thu Mar 02 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.10-1
- Update to 5.9.10
* Tue Feb 28 2023 Paul Wouters <paul.wouters@aiven.io - 5.9.9-3
- Resolves: CVE-2023-26463 authorization bypass in TLS-based EAP methods
* Mon Jan 16 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-2
- Use configure paths in manual pages (#2106120)
* Sun Jan 15 2023 Petr Menšík <pemensik@redhat.com> - 5.9.9-1
- Update to 5.9.9 (#2157850)
* Thu Dec 08 2022 Jitka Plesnikova <jplesnik@redhat.com> - 5.9.8-2
- Add BR perl-generators to automatically generates run-time dependencies
for installed Perl files
* Sun Oct 16 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.8-1
- Resolves rhbz#2112274 strongswan-5.9.8 is available
- Patch1 removes CFLAGS -Wno-format which interferes with -Werror=format-security
- Add BuildRequire for autoconf and automake, now required for release
- Remove obsolete patches
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jun 22 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.6-1
- Resolves rhbz#2080070 strongswan-5.9.6 is available
- Fixed missing format string in enum_flags_to_string()
* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 5.9.5-4
- Rebuilt for Python 3.11
* Fri Feb 25 2022 Arne Reiter <redhat@arnereiter.de> - 5.9.5-3
- Resolves: rhbz#2048108 - segfault at 18 ip 00007f4c7c0d841c sp 00007ffe49f61b70 error 4 in libc.so.6
* Tue Jan 25 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-2
- Use newly published/cleaned strongswan gpg key
* Mon Jan 24 2022 Paul Wouters <paul.wouters@aiven.io> - 5.9.5-1
- Resolves rhbz#2044361 strongswan-5.9.5 is available (CVE-2021-45079)
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Dec 16 2021 Neal Gompa <ngompa@datto.com> - 5.9.4-4
- Disable TPM/TSS 1.2 support for F36+ / RHEL9+
- Resolves: rhbz#2033299 Drop TPM/TSS 1.2 support (trousers)
* Thu Nov 11 2021 Petr Menšík <pemensik@redhat.com> - 5.9.4-3
- Resolves rhbz#1419441 Add python and perl vici bindings
- Adds optional tests run
* Tue Nov 09 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-2
- Resolves rhbz#2018547 'strongswan restart' breaks ipsec started with strongswan-starter
- Return to using tmpfiles, but extend to cover strongswan-starter service too
- Cleanup old patches
* Wed Oct 20 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.4-1
- Resolves: rhbz#2015165 strongswan-5.9.4 is available
- Resolves: rhbz#2015611 CVE-2021-41990 strongswan: gmp plugin: integer overflow via a crafted certificate with an RSASSA-PSS signature
- Resolves: rhbz#2015614 CVE-2021-41991 strongswan: integer overflow when replacing certificates in cache
- Add BuildRequire for tpm2-tss-devel and weak dependency for tpm2-tools
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 5.9.3-4
- Rebuilt with OpenSSL 3.0.0
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> - 5.9.3-2
- Rebuild for versioned symbols in json-c
* Tue Jul 06 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.3-1
- Resolves: rhbz#1979574 strongswan-5.9.3 is available
- Make strongswan main dir world readable so apps can find strongswan.conf
* Thu Jun 03 2021 Paul Wouters <paul.wouters@aiven.io> - 5.9.2-1
- Resolves: rhbz#1896545 strongswan-5.9.2 is available
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 5.9.1-2
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Fri Feb 12 2021 Paul Wouters <pwouters@redhat.com> - 5.9.1-1
- Resolves: rhbz#1896545 strongswan-5.9.1 is available
* Thu Feb 11 2021 Davide Cavalca <dcavalca@fedoraproject.org> - 5.9.0-4
- Build with with capabilities support
- Resolves: rhbz#1911572 StrongSwan not configured with libcap support
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.9.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Oct 22 12:43:48 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-2
- Resolves: rhbz#1886759 charon looking for certificates in the wrong place
* Mon Sep 28 12:36:45 EDT 2020 Paul Wouters <pwouters@redhat.com> - 5.9.0-1
- Resolves: rhbz#1861747 strongswan-5.9.0 is available
- Remove --enable-fips-mode=2, which defaults strongswan to FIPS only.
(use fips_mode = 2 in plugins {} openssl {} in strongswan.conf to enable FIPS)
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-5
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 5.8.4-3
- Rebuild (json-c)
* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-2
- Patch0: Add RuntimeDirectory options to service files (#1789263)
* Sun Apr 12 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.4-1
- Updated to 5.8.4
- Patch4 has been applied upstream
* Sat Feb 22 2020 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-5
- Patch to declare a global variable with extern (#1800117)
* Mon Feb 10 2020 Paul Wouters <pwouters@redhat.com> - 5.8.2-4
- use tmpfile to ensure rundir is present
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Sat Dec 28 2019 Paul Wouters <pwouters@redhat.com> - 5.8.2-2
- Use /run/strongswan as rundir to support strongswans in namespaces
* Tue Dec 17 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.2-1
- Update to 5.8.2 (#1784457)
- The D-Bus config file moved under datadir
* Mon Sep 02 2019 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.8.1-1
- Update to 5.8.1 (#1711920)
- No more separate strongswan-swanctl.service to start out of order (#1775548)
- Added strongswan-starter.service
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.7.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Jan 09 2019 Paul Wouters <pwouters@redhat.com> - 5.7.2-1
- Updated to 5.7.2
* Thu Oct 04 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.7.1-1
- Updated to 5.7.1
- Resolves rhbz#1635872 CVE-2018-16152
- Resolves rhbz#1635875 CVE-2018-16151
* Thu Aug 23 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.3-3
- Add plugin bypass-lan, disabled by default
- Resolves rhbz#1554479 Update to strongswan-charon-nm fails
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.6.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue May 29 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.3-1
- New version 5.6.3
* Thu May 24 2018 Paul Wouters <pwouters@redhat.com> - 5.6.2-6
- Resolves rhbz#1581868 CVE-2018-5388 strongswan: buffer underflow in stroke_socket.c
* Thu May 24 2018 Paul Wouters <pwouters@redhat.com> - 5.6.2-5
- Resolves rhbz#1574939 IKEv2 VPN connections fail to use DNS servers provided by the server
- Resolves rhbz#1449875 Strongswan on epel built without the sql plugin but with the sqlite plugin
* Sun May 20 2018 Mikhail Zabaluev <mikhail.zabaluev@gmail.com> - 5.6.2-3
- Move eap-radius, sqlite, and pkcs7 plugins out of tnc-imcvs, added package
sqlite (#1579945)
* Tue Mar 06 2018 Björn Esser <besser82@fedoraproject.org> - 5.6.2-2
- Rebuilt for libjson-c.so.4 (json-c v0.13.1)
* Wed Feb 21 2018 Lubomir Rintel <lkundrak@v3.sk> - 5.6.2-1
- Updated to 5.6.2 (Dropped libnm-glib use in charon-nm)
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.6.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Fri Dec 22 2017 Paul Wouters <pwouters@redhat.com> - 5.6.1-1
- Updated to 5.6.1 (RSA-PSS support)
* Sun Dec 10 2017 Björn Esser <besser82@fedoraproject.org> - 5.6.0-3
- Rebuilt for libjson-c.so.3
* Fri Dec 01 2017 Lubomir Rintel <lkundrak@v3.sk> - 5.6.0-2
- Fix the placement of charon-nm D-Bus policy
* Sat Sep 09 2017 Paul Wouters <pwouters@redhat.com> - 5.6.0-1
- Updated to 5.6.0
- Fixup configure arguments, enabled a bunch of new features
- Added new BuildRequires:
- Fixup Obsolete/Conflicts, use license macro
- Don't require autoconf/autotools for non-snapshots
- Remove macro overuse, remove fedora/rhel checks and sysvinit support
- Make listings/grouping of all plugins/libs to reduce file listing
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Mon Jun 12 2017 Paul Wouters <pwouters@redhat.com> - 5.5.3-1
- Updated to 5.5.3
* Sat May 27 2017 Paul Wouters <pwouters@redhat.com> - 5.5.2-1
- Updated to 5.5.2
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.5.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Sep 15 2016 Pavel Šimerda <psimerda@redhat.com> - 5.5.0-2
- Resolves: #1367796 - Enable the unity plugin
* Mon Aug 08 2016 Pavel Šimerda <psimerda@redhat.com> - 5.5.0-1
- New version 5.5.0
* Wed Jun 22 2016 Pavel Šimerda <psimerda@redhat.com>
- Enable IKEv2 GCM (requires gcrypt module as well) - merged from f22 by Paul Wouters
* Wed Jun 22 2016 Pavel Šimerda <psimerda@redhat.com> - 5.4.0-1
- New version 5.4.0
* Thu Mar 03 2016 Pavel Šimerda <psimerda@redhat.com> - 5.3.5-1
- New version 5.3.5
* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 5.3.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Fri Jan 15 2016 Paul Wouters <pwouters@redhat.com> - 5.3.3-2
- Enable IKEv2 GCM (requires gcrypt module as well)
* Tue Sep 29 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.3-1
- new version 5.3.3
* Thu Sep 24 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.2-3
- Resolves: #1264598 - strongswan: many configuration files are not protected
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.3.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Tue Jun 09 2015 Pavel Šimerda <psimerda@redhat.com>
- new version 5.3.2
* Fri Jun 05 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.1-1
- new version 5.3.1
* Tue Mar 31 2015 Pavel Šimerda <psimerda@redhat.com> - 5.3.0-1
- new version 5.3.0
* Fri Feb 20 2015 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-2
- Fixes strongswan swanctl service issue rhbz#1193106
* Tue Jan 06 2015 Pavel Šimerda <psimerda@redhat.com> - 5.2.2-1
- new version 5.2.2
* Thu Dec 18 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-0.2.dr1
- Enabled ccm, and ctr plugins as it seems enabling just openssl does
not work for using ccm and ctr algos.
* Mon Dec 8 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.2-0.1.dr1
- New strongswan developer release 5.2.2dr1
* Mon Nov 24 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-2
- 1167331: Enabled native systemd support.
- Does not disable old systemd, starter, ipsec.conf support yet.
* Thu Oct 30 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-1
- New upstream release 5.2.1
* Thu Oct 16 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.1-0.2.rc1
- New upstream release candidate 5.2.1rc1
* Fri Oct 10 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.1-1
- new version 5.2.1dr1
* Thu Sep 25 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-7
- use upstream patch for json/json-c dependency
* Thu Sep 25 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-6
- Resolves: #1146145 - Strongswan is compiled without xauth-noauth plugin
* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.2.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Tue Aug 05 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-4
- Resolves: #1081804 - enable Kernel IPSec support
* Wed Jul 30 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-3
- rebuilt
* Tue Jul 29 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-2
- fix json-c dependency
* Tue Jul 15 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.0-1
- New upstream release 5.2.0
- The Attestation IMC/IMV pair supports the IMA-NG
measurement format
- Aikgen tool to generate an Attestation Identity Key bound
to a TPM
- Swanctl tool to provide a portable, complete IKE
configuration and control interface for the command
line using vici interface with libvici library
- PT-EAP transport protocol (RFC 7171) for TNC
- Enabled support for acert for checking X509 attribute certificate
- Updated patches, removed selinux patch as upstream has fixed it
in this release.
- Updated spec file with minor cleanups
* Thu Jun 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.4.dr6
- improve prerelease macro
* Thu Jun 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.3
- Resolves: #1111895 - bump to 5.2.0dr6
* Thu Jun 12 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.2
- Related: #1087437 - remove or upstream all patches not specific to fedora/epel
* Thu Jun 12 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0-0.1.dr5
- fix the pre-release version according to guidelines before it gets branched
* Fri Jun 06 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr5-1
- new version 5.2.0dr5
- add json-c-devel to build deps
* Mon May 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr4-3
- merge two related patches
* Mon May 26 2014 Pavel Šimerda <psimerda@redhat.com> - 5.2.0dr4-2
- clean up the patches a bit
* Thu May 22 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.2.0dr4-1
- New upstream developer release 5.2.0dr4
- Attestation IMV/IMC supports IMA-NG measurement format now
- Aikgen tool to generate an Attestation Identity Key bound
to a TPM
- PT-EAP transport protocol (RFC 7171) for TNC
- vici plugin provides IKE Configuration Interface for charon
- Enabled support for acert for checking X509 attribute certificate
- Updated patches
- Updated spec file with minor cleanups
* Tue Apr 15 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.3-1
- new version 5.1.3
* Mon Apr 14 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.3rc1-1
- new version 5.1.3rc1
* Mon Mar 24 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-4
- #1069928 - updated libexec patch.
* Tue Mar 18 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-3
- fixed el6 initscript
- fixed pki directory location
* Fri Mar 14 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-2
- clean up the specfile a bit
- replace the initscript patch with an individual initscript
- patch to build for epel6
* Mon Mar 03 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.2-1
- #1071353 - bump to 5.1.2
- #1071338 - strongswan is compiled without xauth-pam plugin
- remove obsolete patches
- sent all patches upstream
- added comments to all patches
- don't touch the config with sed
* Thu Feb 20 2014 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-6
- Fixed full hardening for strongswan (full relro and PIE).
The previous macros had a typo and did not work
(see bz#1067119).
- Fixed tnc package description to reflect the current state of
the package.
- Fixed pki binary and moved it to /usr/libexece/strongswan as
others binaries are there too.
* Wed Feb 19 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-5
- #903638 - SELinux is preventing /usr/sbin/xtables-multi from 'read' accesses on the chr_file /dev/random
* Thu Jan 09 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-4
- Removed redundant patches and *.spec commands caused by branch merging
* Wed Jan 08 2014 Pavel Šimerda <psimerda@redhat.com> - 5.1.1-3
- rebuilt
* Mon Dec 2 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-2
- Resolves: 973315
- Resolves: 1036844
* Fri Nov 1 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.1-1
- Support for PT-TLS (RFC 6876)
- Support for SWID IMC/IMV
- Support for command line IKE client charon-cmd
- Changed location of pki to /usr/bin
- Added swid tags files
- Added man pages for pki and charon-cmd
- Renamed pki to strongswan-pki to avoid conflict with
pki-core/pki-tools package.
- Update local patches
- Fixes CVE-2013-6075
- Fixes CVE-2013-6076
- Fixed autoconf/automake issue as configure.ac got changed
and it required running autoreconf during the build process.
- added strongswan signature file to the sources.
* Thu Sep 12 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-3
- Fixed initialization crash of IMV and IMC particularly
attestation imv/imc as libstrongswas was not getting
initialized.
* Fri Aug 30 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-2
- Enabled fips support
- Enabled TNC's ifmap support
- Enabled TNC's pdp support
- Fixed hardocded package name in this spec file
* Wed Aug 7 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.1.0-1
- rhbz#981429: New upstream release
- Fixes CVE-2013-5018: rhbz#991216, rhbz#991215
- Fixes rhbz#991859 failed to build in rawhide
- Updated local patches and removed which are not needed
- Fixed errors around charon-nm
- Added plugins libstrongswan-pkcs12.so, libstrongswan-rc2.so,
libstrongswan-sshkey.so
- Added utility imv_policy_manager
* Thu Jul 25 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 5.0.4-5
- rename strongswan-NetworkManager to strongswan-charon-nm
- fix enable_nm macro
* Mon Jul 15 2013 Jamie Nguyen <jamielinux@fedoraproject.org> - 5.0.4-4
- %%files tries to package some of the shared objects as directories (#984437)
- fix broken systemd unit file (#984300)
- fix rpmlint error: description-line-too-long
- fix rpmlint error: macro-in-comment
- fix rpmlint error: spelling-error Summary(en_US) fuctionality
- depend on 'systemd' instead of 'systemd-units'
- use new systemd scriptlet macros
- NetworkManager subpackage should have a copy of the license (#984490)
- enable hardened_build as this package meets the PIE criteria (#984429)
- invocation of "ipsec _updown iptables" is broken as ipsec is renamed
to strongswan in this package (#948306)
- invocation of "ipsec scepclient" is broken as ipsec is renamed
to strongswan in this package
- add /etc/strongswan/ipsec.d and missing subdirectories
- conditionalize building of strongswan-NetworkManager subpackage as the
version of NetworkManager in EL6 is too old (#984497)
* Fri Jun 28 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-3
- Patch to fix a major crash issue when Freeradius loads
attestatiom-imv and does not initialize libstrongswan which
causes crash due to calls to PTS algorithms probing APIs.
So this patch fixes the order of initialization. This issues
does not occur with charon because libstrongswan gets
initialized earlier.
- Patch that allows to outputs errors when there are permission
issues when accessing strongswan.conf.
- Patch to make loading of modules configurable when libimcv
is used in stand alone mode without charon with freeradius
and wpa_supplicant.
* Tue Jun 11 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-2
- Enabled TNCCS 1.1 protocol
- Fixed libxm2-devel build dependency
- Patch to fix the issue with loading of plugins
* Wed May 1 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.4-1
- New upstream release
- Fixes for CVE-2013-2944
- Enabled support for OS IMV/IMC
- Created and applied a patch to disable ECP in fedora, because
Openssl in Fedora does not allow ECP_256 and ECP_384. It makes
it non-compliant to TCG's PTS standard, but there is no choice
right now. see redhat bz # 319901.
- Enabled Trousers support for TPM based operations.
* Sat Apr 20 2013 Pavel Šimerda <psimerda@redhat.com> - 5.0.3-2
- Rebuilt for a single specfile for rawhide/f19/f18/el6
* Fri Apr 19 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.3-1
- New upstream release
- Enabled curl and eap-identity plugins
- Enabled support for eap-radius plugin.
* Thu Apr 18 2013 Pavel Šimerda <psimerda@redhat.com> - 5.0.2-3
- Add gettext-devel to BuildRequires because of epel6
- Remove unnecessary comments
* Tue Mar 19 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.2-2
- Enabled support for eap-radius plugin.
* Mon Mar 11 2013 Avesh Agarwal <avagarwa@redhat.com> - 5.0.2-1
- Update to upstream release 5.0.2
- Created sub package strongswan-tnc-imcvs that provides trusted network
connect's IMC and IMV funtionality. Specifically it includes PTS
based IMC/IMV for TPM based remote attestation and scanner and test
IMCs and IMVs. The Strongswan's IMC/IMV dynamic libraries can be used
by any third party TNC Client/Server implementation possessing a
standard IF-IMC/IMV interface.
* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.0.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Thu Oct 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.1-1
- Update to release 5.0.1
* Thu Oct 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-4.git20120619
- Add plugins to interoperate with Windows 7 and Android (#862472)
(contributed by Haim Gelfenbeyn)
* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.0.0-3.git20120619
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Sun Jul 08 2012 Pavel Šimerda <pavlix@pavlix.net> - 5.0.0-2.git20120619
- Fix configure substitutions in initscripts
* Wed Jul 04 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-1.git20120619
- Update to current upstream release
- Comment out all stuff that is only needed for git builds
- Remove renaming patch from git
- Improve init patch used for EPEL
* Thu Jun 21 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-0.3.git20120619
- Build with openssl plugin enabled
* Wed Jun 20 2012 Pavel Šimerda <psimerda@redhat.com> - 5.0.0-0.2.git20120619
- Add README.Fedora with link to 4.6 to 5.0 migration information
* Tue Jun 19 2012 Pavel Šimerda - 5.0.0-0.1.git20120619
- Snapshot of upcoming major release
- Move patches and renaming upstream
http://wiki.strongswan.org/issues/194
http://wiki.strongswan.org/issues/195
- Notified upstream about manpage issues
* Tue Jun 19 2012 Pavel Šimerda - 4.6.4-2
- Make initscript patch more distro-neutral
- Add links to bugreports for patches
* Fri Jun 01 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.4-1
- New upstream version (CVE-2012-2388)
* Sat May 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.3-2
- Add --enable-nm to configure
- Add NetworkManager-devel to BuildRequires
- Add NetworkManager-glib-devel to BuildRequires
- Add strongswan-NetworkManager package
* Sat May 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.3-1
- New version of Strongswan
- Support for RFC 3110 DNSKEY (see upstream changelog)
- Fix corrupt scriptlets
* Fri Mar 30 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.2-2
- #808612 - strongswan binary renaming side-effect
* Sun Feb 26 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.2-1
- New upstream version
- Changed from .tar.gz to .tar.bz2
- Added libstrongswan-pkcs8.so
* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-8
- Fix initscript's status function
* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-7
- Expand tabs in config files for better readability
- Add sysvinit script for epel6
* Wed Feb 15 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-6
- Fix program name in systemd unit file
* Tue Feb 14 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-5
- Improve fedora/epel conditionals
* Sat Jan 21 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-4
- Protect configuration directory from ordinary users
- Add still missing directory /etc/strongswan
* Fri Jan 20 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-3
- Change directory structure to avoid clashes with Openswan
- Prefixed all manpages with 'strongswan_'
- Every file now includes 'strongswan' somewhere in its path
- Removed conflict with Openswan
- Finally fix permissions on strongswan.conf
* Fri Jan 20 2012 Pavel Šimerda <pavlix@pavlix.net> - 4.6.1-2
- Change license tag from GPL to GPLv2+
- Change permissions on /etc/strongswan.conf to 644
- Rename ipsec.8 manpage to strongswan.8
- Fix empty scriptlets for non-fedora builds
- Add ldconfig scriptlet
- Add missing directories and files
* Sun Jan 01 2012 Pavel Šimerda <pavlix@pavlix.net - 4.6.1-1
- Bump to version 4.6.1
* Sun Jan 01 2012 Pavel Šimerda <pavlix@pavlix.net - 4.6.0-3
- Add systemd scriptlets
- Add conditions to also support EPEL6
* Sat Dec 10 2011 Pavel Šimerda <pavlix@pavlix.net> - 4.6.0-2
- Experimental build for development