Hello community,
here is the log from the commit of package strongswan for openSUSE:Factory
checked in at Thu Nov 18 16:56:26 CET 2010.
--------
--- strongswan/strongswan.changes 2010-08-02 12:52:54.000000000 +0200
+++ strongswan/strongswan.changes 2010-11-16 13:10:30.000000000 +0100
@@ -1,0 +2,106 @@
+Tue Nov 16 12:01:46 UTC 2010 - mt(a)suse.de
+
+- Updated to strongSwan 4.5.0 release, changes since 4.4.1 are:
+ * IMPORTANT: the default keyexchange mode 'ike' is changing with
+ release 4.5 from 'ikev1' to 'ikev2', thus commemorating the five
+ year anniversary of the IKEv2 RFC 4306 and its mature successor
+ RFC 5996. The time has definitively come for IKEv1 to go into
+ retirement and to cede its place to the much more robust, powerful
+ and versatile IKEv2 protocol!
+ * Added new ctr, ccm and gcm plugins providing Counter, Counter
+ with CBC-MAC and Galois/Counter Modes based on existing CBC
+ implementations. These new plugins bring support for AES and
+ Camellia Counter and CCM algorithms and the AES GCM algorithms
+ for use in IKEv2.
+ * The new pkcs11 plugin brings full Smartcard support to the IKEv2
+ daemon and the pki utility using one or more PKCS#11 libraries. It
+ currently supports RSA private and public key operations and loads
+ X.509 certificates from tokens.
+ * Implemented a general purpose TLS stack based on crypto and
+ credential primitives of libstrongswan. libtls supports TLS
+ versions 1.0, 1.1 and 1.2, ECDHE-ECDSA/RSA, DHE-RSA and RSA key
+ exchange algorithms and RSA/ECDSA based client authentication.
+ * Based on libtls, the eap-tls plugin brings certificate based EAP
+ authentication for client and server. It is compatible to Windows
+ 7 IKEv2 Smartcard authentication and the OpenSSL based FreeRADIUS
+ EAP-TLS backend.
+ * Implemented the TNCCS 1.1 Trusted Network Connect protocol using
+ the libtnc library on the strongSwan client and server side via
+ the tnccs_11 plugin and optionally connecting to a TNC@FHH-enhanced
+ FreeRADIUS AAA server. Depending on the resulting TNC Recommendation,
+ strongSwan clients are granted access to a network behind a
+ strongSwan gateway (allow), are put into a remediation zone (isolate)
+ or are blocked (none), respectively.
+ Any number of Integrity Measurement Collector/Verifier pairs can be
+ attached via the tnc-imc and tnc-imv charon plugins.
+ * The IKEv1 daemon pluto now uses the same kernel interfaces as the
+ IKEv2 daemon charon. As a result of this, pluto now supports xfrm
+ marks which were introduced in charon with 4.4.1.
+ * The RADIUS plugin eap-radius now supports multiple RADIUS servers
+ for redundant setups. Servers are selected by a defined priority,
+ server load and availability.
+ * The simple led plugin controls hardware LEDs through the Linux LED
+ subsystem. It currently shows activity of the IKE daemon and is a
+ good example how to implement a simple event listener.
+ * Improved MOBIKE behavior in several corner cases, for instance,
+ if the initial responder moves to a different address.
+ * Fixed left-/rightnexthop option, which was broken since 4.4.0.
+ * Fixed a bug not releasing a virtual IP address to a pool if the
+ XAUTH identity was different from the IKE identity.
+ * Fixed the alignment of ModeConfig messages on 4-byte boundaries
+ in the case where the attributes are not a multiple of 4 bytes
+ (e.g. Cisco's UNITY_BANNER).
+ * Fixed the interoperability of the socket_raw and socket_default
+ charon plugins.
+ * Added man page for strongswan.conf
+- Adopted spec file, removed obsolete error range patch.
+
+-------------------------------------------------------------------
+Tue Aug 10 11:43:38 UTC 2010 - mt(a)suse.de
+
+- Updated to strongSwan 4.4.1 release, changes since 4.4.0 are:
+ * Support of xfrm marks in IPsec SAs and IPsec policies introduced
+ with the Linux 2.6.34 kernel.
+ For details see the example scenarios ikev2/nat-two-rw-mark,
+ ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
+ * The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be
+ used in a user-specific updown script to set marks on inbound ESP
+ or ESP_IN_UDP packets.
+ * The openssl plugin now supports X.509 certificate and CRL functions.
+ * OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
+ enabled by default.
+ Plase update manual load directives in strongswan.conf.
+ * RFC3779 ipAddrBlock constraint checking has been moved to the
+ addrblock plugin, disabled by default. Enable it and update manual
+ load directives in strongswan.conf, if required.
+ * The pki utility supports CRL generation using the --signcrl command.
+ * The ipsec pki --self, --issue and --req commands now support output
+ in PEM format using the --outform pem option.
+ * The major refactoring of the IKEv1 Mode Config functionality now
+ allows the transport and handling of any Mode Config attribute.
+ * The RADIUS proxy plugin eap-radius now supports multiple servers.
+ Configured servers are chosen randomly, with the option to prefer
+ a specific server. Non-responding servers are degraded by the
+ selection process.
+ * The ipsec pool tool manages arbitrary configuration attributes
+ stored in an SQL database. ipsec pool --help gives the details.
+ * The new eap-simaka-sql plugin acts as a backend for EAP-SIM and
+ EAP-AKA, reading triplets/quintuplets from an SQL database.
+ * The High Availability plugin now supports a HA enabled in-memory
+ address pool and Node reintegration without IKE_SA rekeying. The
+ latter allows clients without IKE_SA rekeying support to keep
+ connected during reintegration. Additionally, many other issues
+ have been fixed in the ha plugin.
+ * Fixed a potential remote code execution vulnerability resulting
+ from the misuse of snprintf(). The vulnerability is exploitable
+ by unauthenticated users.
+- Removed obsolete snprintf security fix, adopted spec file
+- Enabled the eap-sim,eap-sim-file,eap-simaka-sql,eap-simaka-reauth,
+ eap-simaka-pseudonym,eap-aka-3gpp2,md4,blowfish,addrblock plugins.
+- Enabled the mysql, sqlite, load-tester and test-vectors plugins,
+ that are packaged into separate mysql,sqlite,tests sub packages.
+- Disabled sqlite plugin on SLE-10 -- sqlite3 lib is too old there.
+- Applied patch by Jiri Bohac fixing error-type range in parsing of
+ NOTIFY payloads (RFC 4306, section 3.10.1).
+
+-------------------------------------------------------------------
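Review bot: The 4.4.1 entry's item "Fixed a potential remote code execution vulnerability resulting from the misuse of snprintf()" and the "Removed obsolete snprintf security fix" line below it carry no CVE or Bugzilla reference, so nothing ties the dropped strongswan-4.4.0-snprintf-fix.diff to the upstream fix that replaces it; add the tracking identifier to one of those lines. The 4.5.0 entry should also state the packaging consequence of the 'ikev1' to 'ikev2' default change (existing IKEv1 conn sections need an explicit keyexchange=ikev1, as the new README.SUSE says). "Plase update" in the revocation item is a typo for "Please update".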
calling whatdependson for head-i586
Old:
----
strongswan-4.4.0-snprintf-fix.diff
strongswan-4.4.0.tar.bz2
strongswan-4.4.0.tar.bz2.sig
New:
----
strongswan-4.5.0-rpmlintrc
strongswan-4.5.0.tar.bz2
strongswan-4.5.0.tar.bz2.sig
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ strongswan.spec ++++++
--- /var/tmp/diff_new_pack.2rcY5W/_old 2010-11-18 16:53:13.000000000 +0100
+++ /var/tmp/diff_new_pack.2rcY5W/_new 2010-11-18 16:53:13.000000000 +0100
@@ -1,5 +1,5 @@
#
-# spec file for package strongswan (Version 4.4.0)
+# spec file for package strongswan (Version 4.5.0)
#
# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@@ -19,11 +19,11 @@
Name: strongswan
-%define upstream_version 4.4.0
+%define upstream_version 4.5.0
%define strongswan_docdir %{_docdir}/%{name}
%define strongswan_plugins %{_libexecdir}/ipsec/plugins
-Version: 4.4.0
-Release: 6
+Version: 4.5.0
+Release: 1
License: GPLv2+
Group: Productivity/Networking/Security
Summary: OpenSource IPsec-based VPN Solution
@@ -38,7 +38,6 @@
Source3: %{name}-%{version}-rpmlintrc
Source4: README.SUSE
Patch1: %{name}_modprobe_syslog.patch
-Patch2: %{name}-4.4.0-snprintf-fix.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: bison flex gmp-devel gperf pkg-config
BuildRequires: libcap-devel
@@ -49,7 +48,9 @@
%if 0%{suse_version} >= 1110
BuildRequires: libuuid-devel
BuildRequires: NetworkManager-devel
+BuildRequires: sqlite3-devel
%endif
+BuildRequires: libmysqlclient-devel
%description
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
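Review bot: The placement of the two new BuildRequires is unexplained in the spec: sqlite3-devel sits inside the "%if 0%{suse_version} >= 1110" block while libmysqlclient-devel is added after the %endif. The reason appears only in the .changes file (sqlite3 is too old on SLE-10), so add a one-line comment above the sqlite3-devel line and keep this conditional in step with the ones around --enable-sqlite and the sqlite subpackage.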
@@ -116,6 +117,44 @@
This package provides the strongswan library and plugins.
+%package mysql
+License: GPLv2+
+Summary: OpenSource IPsec-based VPN Solution
+Group: Productivity/Networking/Security
+Requires: strongswan-libs0 = %{version}
+
+%description mysql
+StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
+
+This package provides the strongswan mysql plugin.
+
+%if 0%{suse_version} >= 1110
+
+%package sqlite
+License: GPLv2+
+Summary: OpenSource IPsec-based VPN Solution
+Group: Productivity/Networking/Security
+Requires: strongswan-libs0 = %{version}
+
+%description sqlite
+StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
+
+This package provides the strongswan sqlite plugin.
+
+%endif
+
+%package tests
+License: GPLv2+
+Summary: OpenSource IPsec-based VPN Solution
+Group: Productivity/Networking/Security
+Requires: strongswan-libs0 = %{version}
+
+%description tests
+StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
+
+This package provides the strongswan crypto test-vectors plugin
+and the load testing plugin for IKEv2 daemon.
+
%package ikev1
License: GPLv2+
Summary: OpenSource IPsec-based VPN Solution
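Review bot: The three new subpackages (mysql, sqlite, tests) reuse the main package's Summary, "OpenSource IPsec-based VPN Solution", so they cannot be told apart in package listings; give each a summary that names the plugin it ships. The %description of tests should also say that the load-tester and test-vectors plugins are for testing rather than regular VPN operation, so the package is not installed on a gateway by accident.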
@@ -190,7 +229,6 @@
%prep
%setup -q -n %{name}-%{upstream_version}
%patch1 -p0
-%patch2 -p1
sed -e 's|@libexecdir@|%_libexecdir|g' \
< $RPM_SOURCE_DIR/strongswan.init.in \
> strongswan.init
@@ -211,24 +249,36 @@
--enable-cisco-quirks \
--enable-openssl \
--enable-agent \
+ --enable-md4 \
+ --enable-blowfish \
+ --enable-eap-sim \
+ --enable-eap-sim-file \
+ --enable-eap-simaka-sql \
+ --enable-eap-simaka-pseudonym \
+ --enable-eap-simaka-reauth \
--enable-eap-md5 \
--enable-eap-gtc \
--enable-eap-aka \
--enable-eap-radius \
--enable-eap-identity \
--enable-eap-mschapv2 \
+ --enable-eap-aka-3gpp2 \
--enable-ha \
--enable-dhcp \
--enable-farp \
--enable-sql \
--enable-attr-sql \
- --enable-socket-dynamic \
+ --enable-addrblock \
%if 0%{suse_version} >= 1110
--enable-gcrypt \
--enable-nm \
+ --enable-sqlite \
%endif
--enable-ldap \
- --enable-curl
+ --enable-curl \
+ --enable-mysql \
+ --enable-load-tester \
+ --enable-test-vectors
make %{?_smp_mflags:%_smp_mflags}
%install
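Review bot: --enable-socket-dynamic is removed at the spot where --enable-addrblock is added, but the .changes entries only list plugins that were enabled; nothing records that the socket-dynamic plugin is no longer built, so add a changelog line for it. --enable-md4 and --enable-blowfish switch on legacy algorithms and deserve a short comment naming the feature that needs them. --enable-load-tester and --enable-test-vectors are unconditional, which is acceptable only while the resulting .so files stay confined to the tests subpackage.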
@@ -308,6 +358,7 @@
%{_mandir}/man8/ipsec.8*
%{_mandir}/man5/ipsec.conf.5*
%{_mandir}/man5/ipsec.secrets.5*
+%{_mandir}/man5/strongswan.conf.5*
%dir %{_libexecdir}/ipsec
%{_libexecdir}/ipsec/_updown
%{_libexecdir}/ipsec/_updown_espmark
@@ -390,20 +441,28 @@
%dir %{_libexecdir}/ipsec/pool
%{_libexecdir}/ipsec/libchecksum.so
%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-addrblock.so
%{strongswan_plugins}/libstrongswan-aes.so
%{strongswan_plugins}/libstrongswan-agent.so
%{strongswan_plugins}/libstrongswan-attr.so
%{strongswan_plugins}/libstrongswan-attr-sql.so
+%{strongswan_plugins}/libstrongswan-blowfish.so
%{strongswan_plugins}/libstrongswan-curl.so
%{strongswan_plugins}/libstrongswan-des.so
%{strongswan_plugins}/libstrongswan-dhcp.so
%{strongswan_plugins}/libstrongswan-dnskey.so
+%{strongswan_plugins}/libstrongswan-eap-aka-3gpp2.so
%{strongswan_plugins}/libstrongswan-eap-aka.so
%{strongswan_plugins}/libstrongswan-eap-gtc.so
%{strongswan_plugins}/libstrongswan-eap-identity.so
%{strongswan_plugins}/libstrongswan-eap-md5.so
%{strongswan_plugins}/libstrongswan-eap-mschapv2.so
%{strongswan_plugins}/libstrongswan-eap-radius.so
+%{strongswan_plugins}/libstrongswan-eap-simaka-pseudonym.so
+%{strongswan_plugins}/libstrongswan-eap-simaka-reauth.so
+%{strongswan_plugins}/libstrongswan-eap-simaka-sql.so
+%{strongswan_plugins}/libstrongswan-eap-sim-file.so
+%{strongswan_plugins}/libstrongswan-eap-sim.so
%{strongswan_plugins}/libstrongswan-farp.so
%{strongswan_plugins}/libstrongswan-fips-prf.so
%if 0%{suse_version} >= 1110
@@ -414,6 +473,7 @@
%{strongswan_plugins}/libstrongswan-hmac.so
%{strongswan_plugins}/libstrongswan-kernel-netlink.so
%{strongswan_plugins}/libstrongswan-ldap.so
+%{strongswan_plugins}/libstrongswan-md4.so
%{strongswan_plugins}/libstrongswan-md5.so
%{strongswan_plugins}/libstrongswan-openssl.so
%{strongswan_plugins}/libstrongswan-pem.so
@@ -422,13 +482,33 @@
%{strongswan_plugins}/libstrongswan-pubkey.so
%{strongswan_plugins}/libstrongswan-random.so
%{strongswan_plugins}/libstrongswan-resolve.so
+%{strongswan_plugins}/libstrongswan-revocation.so
%{strongswan_plugins}/libstrongswan-sha1.so
%{strongswan_plugins}/libstrongswan-sha2.so
-%{strongswan_plugins}/libstrongswan-socket-dynamic.so
-%{strongswan_plugins}/libstrongswan-socket-raw.so
+%{strongswan_plugins}/libstrongswan-socket*.so
%{strongswan_plugins}/libstrongswan-sql.so
%{strongswan_plugins}/libstrongswan-x509.so
+%{strongswan_plugins}/libstrongswan-xauth.so
%{strongswan_plugins}/libstrongswan-xcbc.so
%dir %ghost %{_localstatedir}/run/strongswan
+%files mysql
+%defattr(-,root,root)
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-mysql.so
+
+%if 0%{suse_version} >= 1110
+
+%files sqlite
+%defattr(-,root,root)
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-sqlite.so
+%endif
+
+%files tests
+%defattr(-,root,root)
+%dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-load-tester.so
+%{strongswan_plugins}/libstrongswan-test-vectors.so
+
%changelog
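Review bot: Replacing the two explicit socket entries with "libstrongswan-socket*.so" means this %files list no longer shows which socket plugins are shipped, and a socket plugin added or dropped upstream changes the package contents without a build failure. List the expected files by name, as every other plugin in the list is.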
++++++ README.SUSE ++++++
--- /var/tmp/diff_new_pack.2rcY5W/_old 2010-11-18 16:53:13.000000000 +0100
+++ /var/tmp/diff_new_pack.2rcY5W/_new 2010-11-18 16:53:13.000000000 +0100
@@ -1,14 +1,30 @@
Dear Customer,
-this package does no provide any files any more, but triggers the
-installation of both, IKEv1 (pluto) and IKEv2 (charon) daemons and
-the traditional starter scripts inclusive of the /etc/init.d/ipsec
-init script and /etc/ipsec.conf file.
-
-There is a new strongswan-nm package with a NetworkManager plugin
-to control the charon IKEv2 daemon through D-Bus, designed to work
-using the NetworkManager-strongswan graphical user interface.
-It does not depend on the traditional starter scripts, but on the
-IKEv2 charon daemon and plugins only.
+please note, that the strongswan release 4.5 changes the keyexchange mode
+to IKEv2 as default -- from strongswan-4.5.0/NEWS:
+"[...]
+IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
+from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
+IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
+come for IKEv1 to go into retirement and to cede its place to the much more
+robust, powerful and versatile IKEv2 protocol!
+[...]"
+
+This requires adoption of either the "conn %default" or all other IKEv1
+"conn" sections in the /etc/ipsec.conf to use explicit:
+
+ keyexchange=ikev1
+
+
+The strongswan package does no provide any files any more, but triggers
+the installation of both, IKEv1 (pluto) and IKEv2 (charon) daemons and the
+traditional starter scripts inclusive of the /etc/init.d/ipsec init script
+and /etc/ipsec.conf file.
+
+There is a new strongswan-nm package with a NetworkManager plugin to
+control the charon IKEv2 daemon through D-Bus, designed to work using the
+NetworkManager-strongswan graphical user interface.
+It does not depend on the traditional starter scripts, but on the IKEv2
+charon daemon and plugins only.
Have a lot of fun...
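Review bot: The new paragraph "This requires adoption of either the "conn %default" or all other IKEv1 "conn" sections" is hard to act on: "adoption" should read "adaptation", and the text does not say how the two options differ for a configuration that mixes IKEv1 and IKEv2 connections. The re-wrapped paragraph below it also carries over the typo "does no provide" (should be "does not provide").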
++++++ strongswan-4.5.0-rpmlintrc ++++++
### Known warnings:
# - traditional name
addFilter("strongswan.* incoherent-init-script-name ipsec")
# - readme only, triggers full ipsec + ikev1&ikev2 install
addFilter("strongswan.* no-binary")
++++++ strongswan-4.4.0.tar.bz2 -> strongswan-4.5.0.tar.bz2 ++++++
++++ 185214 lines of diff (skipped)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...