Hello community, here is the log from the commit of package strongswan for openSUSE:Factory checked in at Fri Mar 5 11:51:27 CET 2010. -------- --- strongswan/strongswan.changes 2009-09-04 14:39:39.000000000 +0200 +++ /mounts/work_src_done/STABLE/strongswan/strongswan.changes 2010-03-02 21:49:44.000000000 +0100 
@@ -1,0 +2,100 @@ +Tue Mar 2 21:42:10 CET 2010 - mt@suse.de + +- Updated to strongSwan 4.3.6 release, changes since 4.3.4 are: + * The IKEv2 daemon supports RFC 3779 IP address block constraints + carried as a critical X.509v3 extension in the peer certificate. + * The ipsec pool --add|del dns|nbns command manages DNS and NBNS + name server entries that are sent via the IKEv1 Mode Config or + IKEv2 Configuration Payload to remote clients. + * The Camellia cipher can be used as an IKEv1 encryption algorithm. + * The IKEv1 and IKEV2 daemons now check certificate path length + constraints. + * The new ipsec.conf conn option "inactivity" closes a CHILD_SA if + no traffic was sent or received within the given interval. To close + the complete IKE_SA if its only CHILD_SA was inactive, set the + global strongswan.conf option "charon.inactivity_close_ike" to yes. + * More detailed IKEv2 EAP payload information in debug output + * IKEv2 EAP-SIM and EAP-AKA share joint libsimaka library + * Added required userland changes for proper SHA256 and SHA384/512 + in ESP that will be introduced with Linux 2.6.33. + The "sha256"/"sha2_256" keyword now configures the kernel with 128 + bit truncation, not the non-standard 96 bit truncation used by + previous releases. To use the old 96 bit truncation scheme, the new + "sha256_96" proposal keyword has been introduced. + * Fixed IPComp in tunnel mode, stripping out the duplicated outer + header. This change makes IPcomp tunnel mode connections + incompatible with previous releases; disable compression on such + tunnels. + * Fixed BEET mode connections on recent kernels by installing SAs + with appropriate traffic selectors, based on a patch by Michael + Rossberg. + * Using extensions (such as BEET mode) and crypto algorithms (such + as twofish, serpent, sha256_96) allocated in the private use space + now require that we know its meaning, i.e. we are talking to + strongSwan. 
Use the new "charon.send_vendor_id" option in + strongswan.conf to let the remote peer know this is the case. + * Experimental support for draft-eronen-ipsec-ikev2-eap-auth, where + the responder omits public key authentication in favor of a mutual + authentication method. To enable EAP-only authentication, set + rightauth=eap on the responder to rely only on the MSK constructed + AUTH payload. This not-yet standardized extension requires the + strongSwan vendor ID introduced above. + * The IKEv1 daemon ignores the Juniper SRX notification type 40001, + thus allowing interoperability. + * The IKEv1 pluto daemon can now use SQL-based address pools to + deal out virtual IP addresses as a Mode Config server. The pool + capability has been migrated from charon's sql plugin to a new + attr-sql plugin which is loaded by libstrongswan and which can be + used by both daemons either with a SQLite or MySQL database and the + corresponding plugin. + * Plugin names have been streamlined: EAP plugins now have a dash + after eap (e.g. eap-sim), as it is used with the --enable-eap-sim + ./configure option. + Plugin configuration sections in strongswan.conf now use the same + name as the plugin itself (i.e. with a dash). Make sure to update + "load" directives and the affected plugin sections in existing + strongswan.conf files. + * The private/public key parsing and encoding has been split up + into separate pkcs1, pgp, pem and dnskey plugins. The public key + implementation plugins gmp, gcrypt and openssl can all make use + of them. + * The EAP-AKA plugin can use different backends for USIM/quintuplet + calculations, very similar to the EAP-SIM plugin. The existing 3GPP2 + software implementation has been migrated to a separate plugin. + * The IKEv2 daemon charon gained basic PGP support. It can use + locally installed peer certificates and can issue signatures based + on RSA private keys. 
+ * The new 'ipsec pki' tool provides a set of commands to maintain a + public key infrastructure. It currently supports operations to + create RSA and ECDSA private/public keys, calculate fingerprints and + issue or verify certificates. + * Charon uses a monotonic time source for statistics and job + queueing, behaving correctly if the system time changes (e.g. when + using NTP). + * In addition to time based rekeying, charon supports IPsec SA + lifetimes based on processed volume or number of packets. + They new ipsec.conf paramaters 'lifetime' (an alias to 'keylife'), + 'lifebytes' and 'lifepackets' handle SA timeouts, while the + parameters 'margintime' (an alias to rekeymargin), 'marginbytes' + and 'marginpackets' trigger the rekeying before a SA expires. + The existing parameter 'rekeyfuzz' affects all margins. + * If no CA/Gateway certificate is specified in the NetworkManager + plugin, charon uses a set of trusted root certificates preinstalled + by distributions. The directory containing CA certificates can be + specified using the --with-nm-ca-dir=path configure option. + * Fixed the encoding of the Email relative distinguished name in + left|rightid statements. + * Fixed the broken parsing of PKCS#7 wrapped certificates by the + pluto daemon. + * Fixed smartcard-based authentication in the pluto daemon which + was broken by the ECDSA support introduced with the 4.3.2 release. + * A patch contributed by Heiko Hund fixes mixed IPv6 in IPv4 and + vice versa tunnels established with the IKEv1 pluto daemon. + * The pluto daemon now uses the libstrongswan x509 plugin for + certificates and CRls and the struct id type was replaced by + identification_t used by charon and the libstrongswan library. +- Removed obsolete load_secrets patches, refreshed modprobe patch. +- Corrected a time_t cast reported by rpmlint (timer.c:51) +- Disabled libtoolize call and the gcrypt plugin on SLE 10. 
+ +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- strongswan-4.3.4-load_secrets-dbgmsg-fix.diff strongswan-4.3.4-load_secrets-lock-fix.diff strongswan-4.3.4-rpmlintrc strongswan-4.3.4.tar.bz2 strongswan-4.3.4.tar.bz2.sig New: ---- strongswan-4.3.6-rpmlintrc strongswan-4.3.6.tar.bz2 strongswan-4.3.6.tar.bz2.sig strongswan-4.3.6-time_t_ptr.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ strongswan.spec ++++++ --- /var/tmp/diff_new_pack.8XUu3G/_old 2010-03-05 11:51:08.000000000 +0100 +++ /var/tmp/diff_new_pack.8XUu3G/_new 2010-03-05 11:51:08.000000000 +0100 @@ -1,7 +1,7 @@ # -# spec file for package strongswan (Version 4.3.4) +# spec file for package strongswan (Version 4.3.6) # -# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,11 +19,11 @@ Name: strongswan -%define upstream_version 4.3.4 +%define upstream_version 4.3.6 %define strongswan_docdir %{_docdir}/%{name} -Version: 4.3.4 -Release: 3 -License: GPL v2 or later +Version: 4.3.6 +Release: 1 +License: GPLv2+ Group: Productivity/Networking/Security Summary: StrongSwan -- OpenSource IPsec-based VPN Solution Url: http://www.strongswan.org/ @@ -38,8 +38,7 @@ Source2: %{name}.init.in Source3: %{name}-%{version}-rpmlintrc Patch1: %{name}_modprobe_syslog.patch -Patch2: %{name}-4.3.4-load_secrets-lock-fix.diff -Patch3: %{name}-4.3.4-load_secrets-dbgmsg-fix.diff +Patch2: strongswan-4.3.6-time_t_ptr.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison flex gmp-devel gperf pkg-config BuildRequires: libcap-devel 
@@ -51,59 +50,31 @@ %description StrongSwan is an OpenSource IPsec-based VPN Solution for Linux -* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) - kernels - -* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange - protocols - -* NEW: Fully tested support of IPv6 IPsec tunnel connections - -* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC - 4555) - -* Fast connection startup and periodic update using ipsec starter - -* Automatic insertion and deletion of IPsec policy based firewall - rules - -* Strong 3DES, AES, Serpent, Twofish, or Blowfish encryption - +* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels +* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols +* Fully tested support of IPv6 IPsec tunnel and transport connections +* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555) +* Automatic insertion and deletion of IPsec-policy-based firewall rules +* Strong 128/192/256 bit AES or Camellia encryption, 3DES support * NAT-Traversal via UDP encapsulation and port floating (RFC 3947) - -* Static Virtual IPs and IKE Mode Config Pull and Push modes - -* XAUTH server and client functionality on top of IKE Main Mode - authentication - * Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels - +* Static virtual IPs and IKEv1 ModeConfig pull and push modes +* XAUTH server and client functionality on top of IKEv1 Main Mode authentication +* Virtual IP address pool managed by IKE daemon or SQL database +* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.) 
+* Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin +* Support of IKEv2 Multiple Authentication Exchanges (RFC 4739) * Authentication based on X.509 certificates or preshared keys - -* Generation of a default self-signed certificate during first - strongSwan startup - -* Retrieval and local caching of Certificate Revocation Lists via - HTTP or LDAP - -* Full support of the Online Certificate Status Protocol (OCSP, RCF - 2560). - +* Generation of a default self-signed certificate during first strongSwan startup +* Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP +* Full support of the Online Certificate Status Protocol (OCSP, RCF 2560). * CA management (OCSP and CRL URIs, default LDAP server) - * Powerful IPsec policies based on wildcards or intermediate CAs - -* Group policies based on X.509 attribute certificates ( RFC 3281) - -* Optional storage of RSA private keys and certificates on a - smartcard - -* Smartcard access via standardized PKCS #11 interface - -* PKCS #11 proxy function offering RSA decryption services via whack - -* NEW: strongSwan Manager - a graphical management interface for IKEv2 - +* Group policies based on X.509 attribute certificates (RFC 3281) +* Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface) +* Modular plugins for crypto algorithms and relational database interfaces +* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869) +* Optional built-in integrity and crypto tests for plugins and libraries Authors: @@ -112,7 +83,7 @@ and others %package doc -License: GPL v2 or later +License: GPLv2+ Summary: StrongSwan -- OpenSource IPsec-based VPN Solution Group: Productivity/Networking/Security @@ -131,8 +102,7 @@ %prep %setup -q -n %{name}-%{upstream_version} %patch1 -p0 -%patch2 -p1 -%patch3 -p1 +%patch2 -p0 sed -e 's|@libexecdir@|%_libexecdir|g' \ < $RPM_SOURCE_DIR/strongswan.init.in \ > strongswan.init 
@@ -140,7 +110,7 @@ %build CFLAGS="$RPM_OPT_FLAGS -W -Wall -Wno-pointer-sign -Wno-strict-aliasing" export RPM_OPT_FLAGS CFLAGS -libtoolize --force +#libtoolize --force %{?suse_update_config:%{suse_update_config -f}} autoreconf %configure \ @@ -151,7 +121,9 @@ --with-default-pkcs11=%{_libdir}/opensc-pkcs11.so \ --enable-cisco-quirks \ --enable-openssl \ +%if 0%{suse_version} >= 1110 --enable-gcrypt \ +%endif --enable-ldap \ --enable-curl make %{?_smp_mflags:%_smp_mflags} ++++++ strongswan-4.3.4-rpmlintrc -> strongswan-4.3.6-rpmlintrc ++++++ ++++++ strongswan-4.3.4.tar.bz2 -> strongswan-4.3.6.tar.bz2 ++++++ ++++ 244337 lines of diff (skipped) ++++++ strongswan-4.3.6-time_t_ptr.diff ++++++ --- src/pluto/timer.c +++ src/pluto/timer.c 2010/03/02 17:03:41 @@ -48,7 +48,7 @@ time_t now(void) { static time_t delta = 0 , last_time = 0; - time_t n = time((time_t)NULL); + time_t n = time((time_t *)NULL); passert(n != (time_t)-1); if (last_time > n) ++++++ strongswan_modprobe_syslog.patch ++++++ --- /var/tmp/diff_new_pack.8XUu3G/_old 2010-03-05 11:51:11.000000000 +0100 +++ /var/tmp/diff_new_pack.8XUu3G/_new 2010-03-05 11:51:11.000000000 +0100 @@ -1,5 +1,5 @@ --- src/starter/klips.c -+++ src/starter/klips.c ++++ src/starter/klips.c 2010/03/02 16:43:05 @@ -34,7 +34,7 @@ starter_klips_init(void) /* ipsec module makes the pf_key proc interface visible */ if (stat(PROC_MODULES, &stb) == 0) @@ -11,7 +11,7 @@ /* now test again */ @@ -48,9 +48,9 @@ starter_klips_init(void) } - + /* load crypto algorithm modules */ - ignore_result(system("modprobe -qv ipsec_aes")); - ignore_result(system("modprobe -qv ipsec_blowfish")); @@ -23,7 +23,7 @@ DBG(DBG_CONTROL, DBG_log("Found KLIPS IPsec stack") --- src/starter/netkey.c -+++ src/starter/netkey.c ++++ src/starter/netkey.c 2010/03/02 16:43:05 
@@ -34,7 +34,7 @@ starter_netkey_init(void) /* af_key module makes the netkey proc interface visible */ if (stat(PROC_MODULES, &stb) == 0) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun...
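Review bot: the strongswan.changes hunk (`@@ -1,0 +2,100 @@`) carries a few typos that should be fixed before check-in: `They new ipsec.conf paramaters 'lifetime'` should read `The new ipsec.conf parameters 'lifetime'`, `The IKEv1 and IKEV2 daemons` should be `IKEv2`, and `certificates and CRls` should be `CRLs`. The entry also documents three changes that break existing setups on upgrade (sha256 now means 128 bit truncation rather than 96, IPComp tunnel mode is incompatible with earlier releases, and plugin names and their strongswan.conf sections gained a dash so `load` directives must be updated); they are correct as copied from upstream, but a one-line pointer at the top of the entry would spare upgraders from reading 100 lines to find them.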
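Review bot: in the `@@ -38,8 +38,7 @@` spec hunk, `Patch2: strongswan-4.3.6-time_t_ptr.diff` hard-codes the package name while the surrounding lines (`Source3: %{name}-%{version}-rpmlintrc`, the removed `Patch2: %{name}-4.3.4-load_secrets-lock-fix.diff`) use `%{name}`; write it as `Patch2: %{name}-%{version}-time_t_ptr.diff` so a future version bump only touches `Version:`.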
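Review bot: the rewritten %description (`@@ -51,59 +50,31 @@`) keeps the old typo in `Full support of the Online Certificate Status Protocol (OCSP, RCF 2560).`; since the line is being replaced anyway, change `RCF` to `RFC` and drop the trailing period so it matches the other bullets.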
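Review bot: the `%patch2 -p1` to `%patch2 -p0` change in the %prep hunk (`@@ -131,8 +102,7 @@`) is correct, because the new diff's headers are `--- src/pluto/timer.c` / `+++ src/pluto/timer.c` with no `a/` or `b/` prefix, but this is exactly the kind of detail that is lost when a patch is later regenerated; a comment on the `Patch2:` line noting it is `-p0` would avoid a silent apply failure next time.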
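Review bot: `#libtoolize --force` in the %build hunk (`@@ -140,7 +110,7 @@`) leaves commented-out dead text with no explanation; either delete the line or add a comment saying why it was disabled (the changes entry attributes it to SLE 10), otherwise the next maintainer will re-enable it. The following `autoreconf` already invokes libtoolize for libtool-based packages, so nothing is lost by removing the explicit call.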
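Review bot: the `%if 0%{suse_version} >= 1110` guard around `--enable-gcrypt \` in the `@@ -151,7 +121,9 @@` hunk should use the conventional `0%{?suse_version}` form, as the spec already does with `%{?suse_update_config:...}`, so the spec still parses where the macro is undefined. Placing `%if`/`%endif` inside a backslash-continued `%configure` command works because rpm evaluates them while parsing the spec, before the shell sees the script, but a short comment that this disables gcrypt on SLE 10 (as the changes entry states) would make the intent obvious.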
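Review bot: the strongswan-4.3.6-time_t_ptr.diff hunk (`@@ -48,7 +48,7 @@` in src/pluto/timer.c) fixes a real type error, since `time()` takes a `time_t *` and `(time_t)NULL` passed an integer where a pointer is expected, which is what rpmlint reported per the changes entry; the simplest correct form needs no cast at all, `time_t n = time(NULL);`. As a pure correctness fix it is worth sending upstream so the patch can be dropped at the next update.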
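Review bot: the strongswan_modprobe_syslog.patch refresh changes only the `+++ src/starter/klips.c` and `+++ src/starter/netkey.c` headers by appending `2010/03/02 16:43:05`, plus a whitespace-only adjustment to a blank context line under `@@ -48,9 +48,9 @@ starter_klips_init(void)`; the hunk bodies are unchanged. Timestamps in patch headers churn on every refresh and make the package diff noisy; regenerate the patch without them (for example `quilt refresh --no-timestamps`) so future diffs of this file show only real changes.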