Hello community,

here is the log from the commit of package strongswan.2814 for 
openSUSE:12.3:Update checked in at 2014-05-22 11:17:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/strongswan.2814 (Old)
 and      /work/SRC/openSUSE:12.3:Update/.strongswan.2814.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "strongswan.2814"

Changes:
--------
New Changes file:

--- /dev/null   2014-05-19 01:51:27.372033255 +0200
+++ /work/SRC/openSUSE:12.3:Update/.strongswan.2814.new/strongswan.changes      
2014-05-22 11:18:00.000000000 +0200
@@ -0,0 +1,980 @@
+-------------------------------------------------------------------
+Wed May 14 06:53:36 UTC 2014 - [email protected]
+
+- Applied fix for a DoS vulnerability triggered by a crafted
+  ID_DER_ASN1_DN ID payload, caused by a NULL-pointer dereference when
+  such identities are parsed (bnc#876449, CVE-2014-2891).
+  [+0007-strongswan-4.3.3-5.1.1_asn1_unwrap-CVE-2014-2891.patch]
+
+-------------------------------------------------------------------
+Wed Apr  2 05:53:21 UTC 2014 - [email protected]
+
+- Applied fix for an authentication bypass vulnerability in the
+  strongSwan IKEv2 code. The bug can be triggered by rekeying an
+  unestablished IKE_SA while it gets actively initiated, allowing
+  an attacker to trick a peer's IKE_SA state to established.
+  IKEv1 is not affected. (CVE-2014-2338, bnc#870572).
+  [+0006-strongswan-CVE-2014-2338-5.x.patch]
+
+-------------------------------------------------------------------
+Thu Oct 31 10:13:24 UTC 2013 - [email protected]
+
+- Applied upstream fix for a denial-of-service and authorization
+  bypass vulnerability via crafted ID payload in strongswan 4.3.3
+  up to 5.1.0 (CVE-2013-6075, bnc#847506).
+  [0005-strongswan-4.3.3_5.1.0-bnc-847506-CVE-2013-6075.patch]
+- Added missing references to patch file 0003.
+
+-------------------------------------------------------------------
+Mon Aug  5 11:58:03 UTC 2013 - [email protected]
+
+- Applied upstream fix for a denial-of-service vulnerability that
+  could be triggered by special XAuth usernames and EAP identities
+  (affected by this are 5.0.3 and 5.0.4), and local PEM files (all
+  versions since 4.1.11) (CVE-2013-5018, bnc#833278).
+  [0004-strongswan-4.3.0-5.0.4_is_asn1-CVE-2013-5018.bnc833278.patch]
+
+-------------------------------------------------------------------
+Tue Apr 30 12:23:23 UTC 2013 - [email protected]
+
+- Applied upstream patch for security vulnerability discovered by
+  Kevin Wojtysiak in ECDSA signature verification of the strongswan
+  openssl plugin (bnc#815236, CVE-2013-2944)
+  [0003-Check-return-value-of-ECDSA_Verify-correctly.patch]
+
+-------------------------------------------------------------------
+Thu Nov 29 19:13:40 CET 2012 - [email protected]
+
+- Verify GPG signature.
+
+-------------------------------------------------------------------
+Fri Nov 16 04:02:32 UTC 2012 - [email protected]
+
+- Fix systemd unit dir 
+
+-------------------------------------------------------------------
+Wed Oct 31 15:25:16 UTC 2012 - [email protected]
+
+- Updated to strongSwan 5.0.1 release. Changes digest:
+  - Introduced the sending of the standard IETF Assessment Result
+    PA-TNC attribute by all strongSwan Integrity Measurement Verifiers.
+  - Extended PTS Attestation IMC/IMV pair to provide full evidence of
+    the Linux IMA measurement process. All pertinent file information
+    of a Linux OS can be collected and stored in an SQL database.
+  - The PA-TNC and PB-TNC protocols can now process huge data payloads.
+  - The xauth-pam backend can authenticate IKEv1 XAuth and Hybrid
+    authenticated clients against any PAM service.
+  - The new unity plugin brings support for some parts of the IKEv1
+    Cisco Unity Extensions.
+  - The kernel-netlink plugin supports the new strongswan.conf option
+    charon.install_virtual_ip_on.
+  - Job handling in controller_t was fixed, which occasionally caused
+    crashes on ipsec up/down.
+  - Fixed transmission of the EAP-MSCHAPv2 user name if it contains a
+    domain part.
+  Changes digest from strongSwan 5.0.0 version:
+  * The charon IKE daemon gained experimental support for the IKEv1
+    protocol. Pluto has been removed from the 5.x series.
+  * The NetworkManager charon plugin of previous releases is now
+    provided by a separate executable (charon-nm) and it should work
+    again with NM 0.9.
+  * scepclient was updated and it now works fine with Windows Server
+    2008 R2.
+  For the full list of changes, please read the NEWS file shipped
+  in the strongswan-doc package or online:
+  http://wiki.strongswan.org/projects/strongswan/wiki/Changelog50
+- Adapted spec file, enabled several plugins, e.g.: ccm, certexpire,
+  coupling, ctr, duplicheck, eap-dynamic, eap-peap, eap-tls, eap-tnc,
+  eap-ttls, gcm, nonce, radattr, tnc, tnccs, unity, xauth-eap and pam.
+- Changed to install strongswan.service with alias to ipsec.service
+  instead of the /etc/init.d/ipsec init script on openSUSE > 12.2.
+
+-------------------------------------------------------------------
+Fri Sep  7 08:36:57 UTC 2012 - [email protected]
+
+- Applied upstream patch adjusting an internal thread id causing
+  charon keying daemon start failure (bnc#779038,strongswan#198):
+    openssl: Ensure the thread ID is never zero
+    This might otherwise cause problems because OpenSSL tries to
+    lock mutexes recursively if it assumes the lock is held by a
+    different thread e.g. during FIPS initialization.
+  See http://wiki.strongswan.org/issues/198 for more information.
+
+-------------------------------------------------------------------
+Thu May 31 16:08:43 UTC 2012 - [email protected]
+
+- Updated to strongSwan 4.6.4 release:
+  - Fixed a security vulnerability in the gmp plugin. If this
+    plugin was used for RSA signature verification an empty or
+    zeroed signature was handled as a legitimate one
+    (bnc#761325, CVE-2012-2388).
+  - Fixed several issues with reauthentication and address updates.
+
+-------------------------------------------------------------------
+Thu May 10 09:15:38 UTC 2012 - [email protected]
+
+- Updated to strongSwan 4.6.3 release:
+  - The tnc-pdp plugin implements a RADIUS server interface allowing
+    a strongSwan TNC server to act as a Policy Decision Point.
+  - The eap-radius authentication backend enforces Session-Timeout
+    attributes using RFC4478 repeated authentication and acts upon
+    RADIUS Dynamic Authorization extensions, RFC 5176. Currently
+    supported are disconnect requests and CoA messages containing
+    a Session-Timeout.
+  - The eap-radius plugin can forward arbitrary RADIUS attributes
+    from and to clients using custom IKEv2 notify payloads. The new
+    radattr plugin reads attributes to include from files and prints
+    received attributes to the console.
+  - Added support for untruncated MD5 and SHA1 HMACs in ESP as used
+    in RFC 4595.
+  - The cmac plugin implements the AES-CMAC-96 and AES-CMAC-PRF-128
+    algorithms as defined in RFC 4494 and RFC 4615, respectively.
+  - The resolve plugin automatically installs nameservers via
+    resolvconf(8), if it is installed, instead of modifying
+    /etc/resolv.conf directly.
+  - The IKEv2 charon daemon now supports raw RSA public keys in RFC
+    3110 DNSKEY and PKCS#1 file format.
+  - The farp plugin sends ARP responses for any tunneled address,
+    not only virtual IPs.
+  - Charon resolves hosts again during additional keying tries.
+  - Fixed switching back to original address pair during MOBIKE.
+  - When resending IKE_SA_INIT with a COOKIE charon reuses the previous
+    DH value, as specified in RFC 5996.
+    This has an effect on the lifecycle of diffie_hellman_t, see
+    source:src/libcharon/sa/keymat.h#39 for details.
+  - COOKIEs are now kept enabled a bit longer to avoid certain race
+    conditions; the commit message of 1b7debcc has some details.
+  - The new stroke user-creds command allows setting a username/password
+    for a connection.
+  - strongswan.conf option added to set identifier for syslog(3) logging.
+  - Added a workaround for null-terminated XAuth secrets (as sent by
+    Android 4).
+
+-------------------------------------------------------------------
+Sat Mar  3 00:10:34 UTC 2012 - [email protected]
+
+- Updated to strongSwan 4.6.2 release:
+  Changes in 4.6.2:
+  - Upgraded the TCG IF-IMC and IF-IMV C API to the upcoming version 1.3
+    which supports IF-TNCCS 2.0 long message types, the exclusive flags
+    and multiple IMC/IMV IDs. Both the TNC Client and Server as well as
+    the "Test", "Scanner", and "Attestation" IMC/IMV pairs were updated.
+  - Fully implemented the "TCG Attestation PTS Protocol: Binding to IF-M"
+    standard (TLV-based messages only). TPM-based remote attestation of
+    Linux IMA (Integrity Measurement Architecture) possible. Measurement
+    reference values are automatically stored in an SQLite database.
+  - The EAP-RADIUS authentication backend supports RADIUS accounting. It sends
+    start/stop messages containing Username, Framed-IP and Input/Output-Octets
+    attributes and has been tested against FreeRADIUS and Microsoft NPS.
+  - Added support for PKCS#8 encoded private keys via the libstrongswan
+    pkcs8 plugin.  This is the default format used by some OpenSSL tools since
+    version 1.0.0 (e.g. openssl req with -keyout).
+  - Added session resumption support to the strongSwan TLS stack.
+
+-------------------------------------------------------------------
+Wed Feb 15 13:31:40 UTC 2012 - [email protected]
+
+- Updated to strongSwan 4.6.1 release:
+  Changes in 4.6.1:
+  - Because of changing checksums before and after installation, which caused
+    the integrity tests to fail, we avoided directly linking libsimaka,
+    libtls and libtnccs to those libcharon plugins which make use of these
+    dynamic libraries.
+    Instead we linked the libraries to the charon daemon. Unfortunately
+    Ubuntu 11.10 activated the --as-needed ld option, which discards explicit
+    links to dynamic libraries that are not actually used by the charon
+    daemon itself, thus causing failures during the loading of the plugins
+    which depend on these libraries for resolving external symbols.
+  - Therefore our approach of computing integrity checksums for plugins had
+    to be changed radically by moving the hash generation from the
+    compilation to the post-installation phase.
+  Changes in 4.6.0:
+  - The new libstrongswan certexpire plugin collects expiration information
+    of all used certificates and exports them to CSV files. It either
+    directly exports them or uses cron style scheduling for batch exports.
+  - Starter passes unresolved hostnames to charon, allowing it to defer name
+    resolution until the connection attempt. This is especially useful
+    with connections between hosts using dynamic IP addresses.
++++ 783 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.3:Update/.strongswan.2814.new/strongswan.changes
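Three of the security entries in the changelog above (CVE-2013-5018 in is_asn1(), CVE-2013-6075 in the binary DN compare, CVE-2014-2891 in asn1_unwrap()) are the same class of bug: a length taken from attacker-supplied DER identity data is used before it is checked against what the buffer actually holds. The block below is an added illustration, not strongSwan code and not part of this package: a DER length decoder and a binary DN equality test, each in an unchecked form beside a checked one, driven by constructed inputs. Every name in it (chunk_t, der_length_unchecked, der_length_checked, is_der_blob, dn_equal_buggy, dn_equal, run_demo) is the example's own, and the backing arrays are deliberately padded so the unchecked variants over-read into padding rather than unmapped memory.

```c
/* Added example, not strongSwan code: length-handling bugs of the kind fixed
 * by the ASN.1/identity patches in this update, each beside a checked version.
 * All names here (chunk_t, der_length_*, is_der_blob, dn_equal*) are the
 * example's own; sample bytes are constructed, not captured traffic. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const uint8_t *ptr; size_t len; } chunk_t;

#define LEN_INVALID ((size_t)-1)   /* sentinel: never a usable length */

/* Decode a DER length field at blob->ptr and advance past it.
 * UNCHECKED (CVE-2014-2891 class): trusts the "number of length octets"
 * value and reads that many bytes even when blob->len says they are absent. */
size_t der_length_unchecked(chunk_t *blob)
{
    uint8_t first = blob->ptr[0];
    blob->ptr++; blob->len--;
    if (!(first & 0x80)) return first;            /* short form */
    size_t n = first & 0x7f, len = 0;
    if (n == 0 || n > sizeof(len)) return LEN_INVALID;
    for (size_t i = 0; i < n; i++) len = (len << 8) | blob->ptr[i]; /* over-read */
    blob->ptr += n; blob->len -= n;               /* len wraps on over-read */
    return len;
}

/* CHECKED: every read and the announced content length are bounded by what
 * the buffer actually holds. */
size_t der_length_checked(chunk_t *blob)
{
    if (blob->len < 1) return LEN_INVALID;
    uint8_t first = blob->ptr[0];
    blob->ptr++; blob->len--;
    if (!(first & 0x80)) return (size_t)first <= blob->len ? first : LEN_INVALID;
    size_t n = first & 0x7f, len = 0;
    if (n == 0 || n > blob->len || n > sizeof(len)) return LEN_INVALID;
    for (size_t i = 0; i < n; i++) len = (len << 8) | blob->ptr[i];
    blob->ptr += n; blob->len -= n;
    return len <= blob->len ? len : LEN_INVALID;
}

/* Callers must test the sentinel before using the length (CVE-2013-5018
 * class: is_asn1() compared an invalid length against blob.len as if real). */
bool is_der_blob(chunk_t blob)
{
    if (blob.len < 1) return false;
    blob.ptr++; blob.len--;                       /* skip the tag octet */
    size_t len = der_length_checked(&blob);
    return len != LEN_INVALID && len == blob.len; /* exact match only */
}

/* BUGGY binary DN equality (CVE-2013-6075 class): looks at t.len bytes only,
 * so a DN that is a prefix of the other compares equal, and a shorter o is
 * read past its end. */
bool dn_equal_buggy(chunk_t t, chunk_t o)
{
    return memcmp(t.ptr, o.ptr, t.len) == 0;
}

/* FIXED: lengths must agree before any byte is compared. */
bool dn_equal(chunk_t t, chunk_t o)
{
    return t.len == o.len && (t.len == 0 || memcmp(t.ptr, o.ptr, t.len) == 0);
}

/* Constructed inputs. Backing arrays are longer than the lengths handed to
 * the decoders so the buggy variants over-read into padding, not the heap. */
const uint8_t GOOD_SEQ[]    = { 0x30, 0x02, 0x01, 0x02 };            /* SEQUENCE{2 bytes} */
const uint8_t TRUNC_SEQ[8]  = { 0x30, 0x84, 0x01, 0xEE, 0xEE, 0xEE, 0xEE, 0xEE };
const char    DN_FULL[]     = "C=CH,O=strongSwan,CN=peer";           /* configured DN */
const char    DN_PREFIX[32] = "C=CH,O=strongSw";                     /* peer-chosen, padded */

/* Returns the number of expectations that failed (0 = behaves as described). */
int run_demo(void)
{
    int failures = 0;
    chunk_t b;

    /* 1. "4 length octets follow" but only one byte is left: the unchecked
     *    decoder swallows padding and returns a bogus length; checked rejects. */
    b = (chunk_t){ TRUNC_SEQ + 1, 2 };
    if (der_length_unchecked(&b) != 0x01EEEEEEu) failures++;
    b = (chunk_t){ TRUNC_SEQ + 1, 2 };
    if (der_length_checked(&b) != LEN_INVALID) failures++;

    /* 2. well-formed blob passes; the truncated one never reaches the compare */
    b = (chunk_t){ GOOD_SEQ + 1, 3 };
    if (der_length_checked(&b) != 2) failures++;
    if (!is_der_blob((chunk_t){ GOOD_SEQ, sizeof GOOD_SEQ })) failures++;
    if (is_der_blob((chunk_t){ TRUNC_SEQ, 3 })) failures++;

    /* 3. DN compare: the prefix is accepted by the buggy compare, not the fix */
    chunk_t full   = { (const uint8_t *)DN_FULL,   strlen(DN_FULL) };
    chunk_t prefix = { (const uint8_t *)DN_PREFIX, strlen(DN_PREFIX) };
    if (!dn_equal_buggy(prefix, full)) failures++;  /* accepted: bypass */
    if (dn_equal(prefix, full)) failures++;         /* rejected */
    if (!dn_equal(full, full)) failures++;
    /* swapped, the buggy compare reads full.len bytes from the prefix buffer;
     * it stays in bounds here only because DN_PREFIX is padded to 32 bytes */
    if (dn_equal_buggy(full, prefix)) failures++;
    return failures;
}

int main(void)
{
    int failures = run_demo();
    printf("%d expectation(s) failed\n", failures);
    return failures != 0;
}
```

Build with any C99 compiler and run it; run_demo() returns 0 when the unchecked decoder produces the bogus 0x01EEEEEE length from the truncated field, the checked decoder and is_der_blob() reject the same bytes, and the DN prefix passes only the buggy compare. The checked decoder's three conditions (n != 0, n fits the length type, n bytes are actually present) mirror the order of the check added in the asn1_unwrap() patch further down.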

New:
----
  0003-Check-return-value-of-ECDSA_Verify-correctly.patch
  0004-strongswan-4.3.0-5.0.4_is_asn1-CVE-2013-5018.bnc833278.patch
  0005-strongswan-4.3.3_5.1.0-bnc-847506-CVE-2013-6075.patch
  0006-strongswan-CVE-2014-2338-5.x.patch
  0007-strongswan-4.3.3-5.1.1_asn1_unwrap-CVE-2014-2891.patch
  README.SUSE
  strongswan-5.0.1-rpmlintrc
  strongswan-5.0.1.tar.bz2
  strongswan-5.0.1.tar.bz2.sig
  strongswan.changes
  strongswan.init.in
  strongswan.keyring
  strongswan.spec
  strongswan_ipsec_service.patch
  strongswan_modprobe_syslog.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ strongswan.spec ++++++
++++ 606 lines (skipped)

++++++ 0003-Check-return-value-of-ECDSA_Verify-correctly.patch ++++++
>From 0faaab20cd9c4a519fb6269ab6c8be15d0b61864 Mon Sep 17 00:00:00 2001
From: Martin Willi <[email protected]>
Date: Tue, 9 Apr 2013 10:56:09 +0200
References: bnc#815236, CVE-2013-2944
Upstream: yes
Subject: Check return value of ECDSA_Verify() correctly

---
 src/libstrongswan/plugins/openssl/openssl_ec_public_key.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c 
b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
index c8a45f7..38cc8be 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
@@ -124,7 +124,7 @@ static bool 
verify_der_signature(private_openssl_ec_public_key_t *this,
        if (openssl_hash_chunk(nid_hash, data, &hash))
        {
                valid = ECDSA_verify(0, hash.ptr, hash.len,
-                                                        signature.ptr, 
signature.len, this->ec);
+                                                        signature.ptr, 
signature.len, this->ec) == 1;
                free(hash.ptr);
        }
        return valid;
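Review bot: the `== 1` is the whole fix and deserves a one-line comment saying why, because it looks cosmetic: ECDSA_verify() returns 1 for a valid signature, 0 for an invalid one and -1 on error, so assigning the raw return value to `valid` made the error path (a DER signature OpenSSL refuses to parse) count as a successful verification. Suggest `/* ECDSA_verify: 1 = valid, 0 = invalid, -1 = error; only 1 is success */` above the call, and auditing the other OpenSSL verify wrappers in this plugin, since RSA_verify() has the same 1/0/-1 contract and the same bare-truthiness pattern would have the same effect.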
-- 
1.7.10.4

++++++ 0004-strongswan-4.3.0-5.0.4_is_asn1-CVE-2013-5018.bnc833278.patch ++++++
References: CVE-2013-5018,bnc#833278
Upstream: yes
>From 057265e0183ddf52d56f21adaf0db0f3dc6585a4 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <[email protected]>
Date: Mon, 29 Jul 2013 23:45:38 +0200
Subject: [PATCH] asn1: Fix handling of invalid ASN.1 length in is_asn1()

Fixes CVE-2013-5018.
---
 src/libstrongswan/asn1/asn1.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index 68f37f4..d860ad9 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -642,6 +642,11 @@ bool is_asn1(chunk_t blob)
 
        len = asn1_length(&blob);
 
+       if (len == ASN1_INVALID_LENGTH)
+       {
+               return FALSE;
+       }
+
        /* exact match */
        if (len == blob.len)
        {
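Review bot: the early return is in the right place, but state the reason in a comment: asn1_length() reports a malformed length field with the ASN1_INVALID_LENGTH sentinel, and the "exact match" comparison against blob.len that follows must never see that sentinel as if it were a real length. Without the comment a later reader may fold the check into the comparison below. A regression input with a truncated long-form length (a single 0x84 length octet with nothing after it) in the asn1 unit tests would pin is_asn1() to returning FALSE for it.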
-- 
1.7.10.4

++++++ 0005-strongswan-4.3.3_5.1.0-bnc-847506-CVE-2013-6075.patch ++++++
>From aa277adfc204b6bda2c3792710138f9a8723a8f1 Mon Sep 17 00:00:00 2001
From: Martin Willi <[email protected]>
Date: Mon, 7 Oct 2013 14:21:57 +0200
References: CVE-2013-6075,bnc#847506
Upstream: yes
Subject: [PATCH] identification: Properly check length before comparing for
 binary DN equality

Fixes CVE-2013-6075.
---
 src/libstrongswan/utils/identification.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libstrongswan/utils/identification.c 
b/src/libstrongswan/utils/identification.c
index 5df3e5f..9c43ad5 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -602,7 +602,7 @@ static bool compare_dn(chunk_t t_dn, chunk_t o_dn, int *wc)
                }
        }
        /* try a binary compare */
-       if (memeq(t_dn.ptr, o_dn.ptr, t_dn.len))
+       if (chunk_equals(t_dn, o_dn))
        {
                return TRUE;
        }
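Review bot: the one-line change is correct and the reason should be recorded next to it, since the old line looks harmless: memeq(t_dn.ptr, o_dn.ptr, t_dn.len) only ever examined t_dn.len bytes, so a DN whose encoding is a prefix of the other side's compared equal (the authorization bypass named in the changelog) and an o_dn shorter than t_dn was read past its end (the crash). chunk_equals() compares the two lengths before touching any bytes. Suggest a comment such as `/* lengths must match; a DN prefix is not an equal DN */` and a test with two DNs where one is a strict prefix of the other.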
-- 
1.8.1.2

++++++ 0006-strongswan-CVE-2014-2338-5.x.patch ++++++
>From b980ba7757dcfedd756aa055b3271ea58cf85aa6 Mon Sep 17 00:00:00 2001
From: Martin Willi <[email protected]>
Date: Thu, 20 Feb 2014 16:08:43 +0100
Upstream: yes
References: CVE-2014-2338, bnc#870572
Subject: [PATCH] ikev2: Reject CREATE_CHILD_SA exchange on unestablished
 IKE_SAs

Prevents a responder peer to trick us into established state by starting
IKE_SA rekeying before the IKE_SA has been authenticated during IKE_AUTH.

Fixes CVE-2014-2338 for 5.x versions of strongSwan.
---
 src/libcharon/sa/ikev2/task_manager_v2.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c 
b/src/libcharon/sa/ikev2/task_manager_v2.c
index ac3be90..a5252ab 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -778,6 +778,15 @@ static status_t process_request(private_task_manager_t 
*this,
                        case CREATE_CHILD_SA:
                        {       /* FIXME: we should prevent this on mediation 
connections */
                                bool notify_found = FALSE, ts_found = FALSE;
+
+                               if (this->ike_sa->get_state(this->ike_sa) == 
IKE_CREATED ||
+                                       this->ike_sa->get_state(this->ike_sa) 
== IKE_CONNECTING)
+                               {
+                                       DBG1(DBG_IKE, "received CREATE_CHILD_SA 
request for "
+                                                "unestablished IKE_SA, 
rejected");
+                                       return FAILED;
+                               }
+
                                enumerator = 
message->create_payload_enumerator(message);
                                while (enumerator->enumerate(enumerator, 
&payload))
                                {
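Review bot: the check only covers CREATE_CHILD_SA, and what `return FAILED` does to the half-open IKE_SA is not visible in this hunk; confirm in review that the caller tears the SA down, or leaves it in IKE_CONNECTING with its existing timers, rather than keeping a state the unauthenticated peer can keep poking. Put a short comment referencing CVE-2014-2338 beside the two-state test so the reason for it survives later refactoring of the state machine. The pre-existing FIXME about mediation connections is unrelated and stays open.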
--
1.8.1.2
++++++ 0007-strongswan-4.3.3-5.1.1_asn1_unwrap-CVE-2014-2891.patch ++++++
>From 4609d5384c187aef2e58f91f53f5889f25faeaeb Mon Sep 17 00:00:00 2001
From: Tobias Brunner <[email protected]>
Date: Thu, 24 Apr 2014 17:04:10 +0200
Upstream: yes
References: bnc#876449,CVE-2014-2891
Subject: [PATCH] asn1: Properly check length in asn1_unwrap()

Fixes CVE-2014-2891 in strongSwan releases 4.3.3-5.1.1.
---
 src/libstrongswan/asn1/asn1.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index d860ad9..9a5f5c5 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -296,7 +296,7 @@ int asn1_unwrap(chunk_t *blob, chunk_t *inner)
        else
        {       /* composite length, determine number of length octets */
                len &= 0x7f;
-               if (len == 0 || len > sizeof(res.len))
+               if (len == 0 || len > blob->len || len > sizeof(res.len))
                {
                        return ASN1_INVALID;
                }
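Review bot: the new `len > blob->len` term is the bound that stops the over-read, and its correctness depends on what blob->len counts at this point: if the tag and the first length octet have already been consumed it is exactly the number of bytes available for the len length octets, otherwise the comparison is off by the header size. That is not visible in the hunk; check the lines above and add a comment saying which it is. Keeping `len > sizeof(res.len)` after the bounds test is the right order, since both must hold. A regression input with a long-form length whose octet count exceeds the remaining bytes (0x84 followed by a single byte) would pin this down.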
-- 
1.7.10.4

++++++ README.SUSE ++++++
Dear Customer,

please note, that the strongswan release 4.5 changes the keyexchange mode
to IKEv2 as default -- from strongswan-4.5.0/NEWS:
"[...]
IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5
from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the
IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively
come for IKEv1 to go into retirement and to cede its place to the much more
robust, powerful and versatile IKEv2 protocol!
[...]"

This requires adapting either the "conn %default" section or all other
IKEv1 "conn" sections in /etc/ipsec.conf to use an explicit:

        keyexchange=ikev1


The strongswan package does not provide any files any more, but triggers
the installation of both the IKEv1 (pluto) and IKEv2 (charon) daemons and the
traditional starter scripts, including the /etc/init.d/ipsec init script
and the /etc/ipsec.conf file.

There is a new strongswan-nm package with a NetworkManager plugin to
control the charon IKEv2 daemon through D-Bus, designed to work using the
NetworkManager-strongswan graphical user interface.
It does not depend on the traditional starter scripts, but on the IKEv2
charon daemon and plugins only. 

Have a lot of fun...
++++++ strongswan-5.0.1-rpmlintrc ++++++
### Known warnings:
# - traditional name
addFilter("strongswan.* incoherent-init-script-name ipsec")
# - readme only, triggers full ipsec + ikev1&ikev2 install
addFilter("strongswan.* no-binary")
# - link to init script, covered by service(8)
addFilter("strongswan.* no-manual-page-for-binary rcipsec")
# - no, restarting tunnels on update may break the update
addFilter("strongswan.*restart_on_update-postun /etc/init.d/ipsec")
++++++ strongswan.init.in ++++++
#!/bin/bash
#
#     SUSE/LSB system startup script for strongswan ipsec
#
#     Copyright (C) 2007 Marius Tomaschewski, SUSE / Novell Inc.
#     based on /etc/init.d/skeleton.compat by Kurt Garloff.
#
#     This library is free software; you can redistribute it and/or modify it
#     under the terms of the GNU Lesser General Public License as published by
#     the Free Software Foundation; either version 2.1 of the License, or (at
#     your option) any later version.
#
#     This library is distributed in the hope that it will be useful, but
#     WITHOUT ANY WARRANTY; without even the implied warranty of
#     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
#     Lesser General Public License for more details.
#
#     You should have received a copy of the GNU Lesser General Public
#     License along with this library; if not, write to the Free Software
#     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
#     USA.
#
# /etc/init.d/ipsec
#     and its symbolic link
# /usr/sbin/rcipsec
#
# LSB compatible service control script; see http://www.linuxbase.org/spec/
# Please send feedback to http://www.suse.de/feedback/
#
# Note: This script uses functions rc_XXX defined in /etc/rc.status on
# UnitedLinux/SUSE/Novell based Linux distributions. However, it should
# work on other distributions as well, by using the LSB (Linux Standard
# Base) or RH functions or by open coding the needed functions.
#
# chkconfig: 345 99 00
# description: StrongSwan IPsec
#
### BEGIN INIT INFO
# Provides:          ipsec
# Required-Start:    $syslog $remote_fs $named
# Should-Start:      $time
# Required-Stop:     $syslog $remote_fs $named
# Should-Stop:       $time
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: StrongSwan IPsec
# Description:       StrongSwan IPsec provides encrypted and authenticated
#       communication over an unsafe network, such as the internet.
#       This script loads the kernel modules and starts the user-space setup.
### END INIT INFO


# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
IPSEC_CMD="/usr/sbin/ipsec"
test -x $IPSEC_CMD || {
        echo "$IPSEC_CMD not installed";
        if [ "$1" = "stop" ]; then exit 0; else exit 5; fi;
}
IPSEC_STARTER="@libexecdir@/ipsec/starter"
test -x $IPSEC_STARTER || { 
        echo "$IPSEC_STARTER not installed";   
        if [ "$1" = "stop" ]; then exit 0; else exit 5; fi;
}

# The pid file of the ipsec starter
IPSEC_PIDFILE="/var/run/starter.pid"

# Check for existence of needed config files
IPSEC_CONFIG="/etc/ipsec.conf"
test -r $IPSEC_CONFIG || {
        echo "$IPSEC_CONFIG not existing";
        if [ "$1" = "stop" ]; then exit 0; else exit 6; fi;
}
IPSEC_SECRET="/etc/ipsec.secrets"
test -r $IPSEC_SECRET || {
        echo "$IPSEC_SECRET not existing";
        if [ "$1" = "stop" ]; then exit 0; else exit 6; fi;
}

# Source LSB init functions
# providing start_daemon, killproc, pidofproc, 
# log_success_msg, log_failure_msg and log_warning_msg.
# This is currently not used by UnitedLinux based distributions and
# not needed for init scripts for UnitedLinux only. If it is used,
# the functions from rc.status should not be sourced or used.
#. /lib/lsb/init-functions

# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     be verbose in local rc status and clear it afterwards
#      rc_status -v -r  ditto and clear both the local and overall rc status
#      rc_status -s     display "skipped" and exit with status 3
#      rc_status -u     display "unused" and exit with status 3
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num>
#      rc_reset         clear both the local and overall rc status
#      rc_exit          exit appropriate to overall rc status
#      rc_active        checks whether a service is activated by symlinks

# Use the SUSE rc_ init script functions;
# emulate them on LSB, RH and other systems

# Default: Assume sysvinit binaries exist
start_daemon() { /sbin/start_daemon ${1+"$@"}; }
killproc()     { /sbin/killproc     ${1+"$@"}; }
pidofproc()    { /sbin/pidofproc    ${1+"$@"}; }
checkproc()    { /sbin/checkproc    ${1+"$@"}; }
if test -e /etc/rc.status; then
    # SUSE rc script library
    . /etc/rc.status
else
    export LC_ALL=POSIX
    _cmd=$1
    declare -a _SMSG
    if test "${_cmd}" = "status"; then
        _SMSG=(running dead dead unused unknown reserved)
        _RC_UNUSED=3
    else
        _SMSG=(done failed failed missed failed skipped unused failed failed reserved)
        _RC_UNUSED=6
    fi
    if test -e /lib/lsb/init-functions; then
        # LSB    
        . /lib/lsb/init-functions
        echo_rc()
        {
            if test ${_RC_RV} = 0; then
                log_success_msg "  [${_SMSG[${_RC_RV}]}] "
            else
                log_failure_msg "  [${_SMSG[${_RC_RV}]}] "
            fi
        }
        # TODO: Add checking for lockfiles
        checkproc() { pidofproc ${1+"$@"} >/dev/null 2>&1; }
    elif test -e /etc/init.d/functions; then
        # RHAT
        . /etc/init.d/functions
        echo_rc()
        {
            #echo -n "  [${_SMSG[${_RC_RV}]}] "
            if test ${_RC_RV} = 0; then
                success "  [${_SMSG[${_RC_RV}]}] "
            else
                failure "  [${_SMSG[${_RC_RV}]}] "
            fi
        }
        checkproc() { status ${1+"$@"}; }
        start_daemon() { daemon ${1+"$@"}; }
    else
        # emulate it
        echo_rc() { echo "  [${_SMSG[${_RC_RV}]}] "; }
    fi
    rc_reset() { _RC_RV=0; }
    rc_failed()
    {
        if test -z "$1"; then 
            _RC_RV=1;
        elif test "$1" != "0"; then 
            _RC_RV=$1; 
        fi
        return ${_RC_RV}
    }
    rc_check()
    {
        rc_failed $?
    }   
    rc_status()
    {
        rc_failed $?
        if test "$1" = "-r"; then _RC_RV=0; shift; fi
        if test "$1" = "-s"; then rc_failed 5; echo_rc; rc_failed 3; shift; fi
        if test "$1" = "-u"; then rc_failed ${_RC_UNUSED}; echo_rc; rc_failed 3; shift; fi
        if test "$1" = "-v"; then echo_rc; shift; fi
        if test "$1" = "-r"; then _RC_RV=0; shift; fi
        return ${_RC_RV}
    }
    rc_exit() { exit ${_RC_RV}; }
    rc_active() 
    {
        local x
        for x in /etc/rc.d/rc[0-9].d/S[0-9][0-9]${1} ; do
                test -e $x && return 0 || break
        done
        return 1
    }
fi

# Reset status of this service
rc_reset

# Return values acc. to LSB for all commands but status:
# 0       - success
# 1       - generic or unspecified error
# 2       - invalid or excess argument(s)
# 3       - unimplemented feature (e.g. "reload")
# 4       - user had insufficient privileges
# 5       - program is not installed
# 6       - program is not configured
# 7       - program is not running
# 8--199  - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signaling is not supported) are
# considered a success.

case "$1" in
    start)
        $IPSEC_CMD start 2>&1
        rc_status -v1
        ;;
    stop)
        $IPSEC_CMD stop 2>&1
        rc_status -v1
        ;;
    try-restart|condrestart)
        ## Do a restart only if the service was active before.
        ## Note: try-restart is now part of LSB (as of 1.9).
        ## RH has a similar command named condrestart.
        if test "$1" = "condrestart"; then
                echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
        fi
        $0 status
        if test $? = 0; then
                $0 restart
        else
                rc_reset        # Not running is not a failure.
        fi
        # Remember status and be quiet
        rc_status
        ;;
    restart)
        ## Stop the service and regardless of whether it was
        ## running or not, start it again.
        $0 stop
        sleep 2
        $0 start

        # Remember status and be quiet
        rc_status
        ;;
    reload|force-reload)
        $IPSEC_CMD reload
        rc_status -v1
        ;;
    status)
        # Return value is slightly different for the status command:
        # 0 - service up and running
        # 1 - service dead, but /var/run/  pid  file exists
        # 2 - service dead, but /var/lock/ lock file exists
        # 3 - service not running (unused)
        # 4 - service status unknown :-(
        # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
        
        echo -n "Checking for service strongSwan IPsec "
        #checkproc $IPSEC_STARTER
        $IPSEC_CMD status 2>&1 >/dev/null

        # NOTE: rc_status knows that we called this init script with
        # "status" option and adapts its messages accordingly.
        rc_status -v
        ;;
    probe)
        ## Optional: Probe for the necessity of a reload, print out the
        ## argument to this init script which is required for a reload.
        ## Note: probe is not (yet) part of LSB (as of 1.9)

        test $IPSEC_CONFIG -nt $IPSEC_PIDFILE || \
        test $IPSEC_SECRET -nt $IPSEC_PIDFILE && echo reload
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
        exit 1
        ;;
esac
rc_exit
++++++ strongswan.keyring ++++++
pub   3072R/B34DBA77 2009-06-12
uid                  Andreas Steffen <[email protected]>
sub   3072g/0E10E91A 2009-08-20

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.19 (GNU/Linux)
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=ze82
-----END PGP PUBLIC KEY BLOCK-----
++++++ strongswan_ipsec_service.patch ++++++
--- init/systemd/strongswan.service.in
+++ init/systemd/strongswan.service.in  2012/10/31 15:21:11
@@ -8,3 +8,4 @@ StandardOutput=syslog
 
 [Install]
 WantedBy=multi-user.target
+Alias=ipsec.service
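Review bot: an Alias= in [Install] is only materialized as a symlink when the unit is enabled with `systemctl enable strongswan.service`, so `systemctl start ipsec.service` fails with "not found" on a system where the unit is installed but disabled. If the package's %post enables the unit that is fine; otherwise the changelog line about installing strongswan.service "with alias to ipsec.service" should say that the ipsec.service name only resolves once the unit has been enabled.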
++++++ strongswan_modprobe_syslog.patch ++++++
--- src/starter/klips.c
+++ src/starter/klips.c 2012/10/30 17:07:23
@@ -30,7 +30,7 @@ bool starter_klips_init(void)
                /* ipsec module makes the pf_key proc interface visible */
                if (stat(PROC_MODULES, &stb) == 0)
                {
-                       ignore_result(system("modprobe -qv ipsec"));
+                       ignore_result(system("modprobe -s ipsec"));
                }
 
                /* now test again */
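Review bot: replacing `-qv` with `-s` changes two things at once: error messages now go to syslog instead of stderr (the intent suggested by the patch name) and the `-q` flag is dropped, so modprobe now reports a module it cannot find as an error instead of staying silent. For a stack probe like this, run on hosts whose kernel may well not carry the ipsec module at all, that means an error line in syslog on every start; `-qs` keeps the old quietness for missing modules while still redirecting anything else to syslog. Whichever is intended, say so in a patch header, which this patch lacks.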
@@ -42,9 +42,9 @@ bool starter_klips_init(void)
        }
 
        /* load crypto algorithm modules */
-       ignore_result(system("modprobe -qv ipsec_aes"));
-       ignore_result(system("modprobe -qv ipsec_blowfish"));
-       ignore_result(system("modprobe -qv ipsec_sha2"));
+       ignore_result(system("modprobe -s ipsec_aes"));
+       ignore_result(system("modprobe -s ipsec_blowfish"));
+       ignore_result(system("modprobe -s ipsec_sha2"));
 
        DBG2(DBG_APP, "found KLIPS IPsec stack");
        return TRUE;
--- src/starter/netkey.c
+++ src/starter/netkey.c        2012/10/30 17:07:02
@@ -31,7 +31,7 @@ bool starter_netkey_init(void)
                /* af_key module makes the netkey proc interface visible */
                if (stat(PROC_MODULES, &stb) == 0)
                {
-                       ignore_result(system("modprobe -qv af_key"));
+                       ignore_result(system("modprobe -s af_key"));
                }
 
                /* now test again */
@@ -45,11 +45,11 @@ bool starter_netkey_init(void)
        /* make sure that all required IPsec modules are loaded */
        if (stat(PROC_MODULES, &stb) == 0)
        {
-               ignore_result(system("modprobe -qv ah4"));
-               ignore_result(system("modprobe -qv esp4"));
-               ignore_result(system("modprobe -qv ipcomp"));
-               ignore_result(system("modprobe -qv xfrm4_tunnel"));
-               ignore_result(system("modprobe -qv xfrm_user"));
+               ignore_result(system("modprobe -s ah4"));
+               ignore_result(system("modprobe -s esp4"));
+               ignore_result(system("modprobe -s ipcomp"));
+               ignore_result(system("modprobe -s xfrm4_tunnel"));
+               ignore_result(system("modprobe -s xfrm_user"));
        }
 
        DBG2(DBG_APP, "found netkey IPsec stack");
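Review bot: the same flag semantics as in klips.c apply here, with the added point that this list runs on every start on every netkey host, so each module that is absent from a given kernel build (or present only under a different name) is now an error line in syslog per start rather than a silently ignored one. If that signal is wanted it is a reasonable choice, but it is a behaviour change that the 5.0.1 changelog entry does not mention even though strongswan_modprobe_syslog.patch is listed under "New:"; add a line there.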
-- 