Hello community,

here is the log from the commit of package strongswan for openSUSE:Leap:15.2 
checked in at 2020-01-30 14:50:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/strongswan (Old)
 and      /work/SRC/openSUSE:Leap:15.2/.strongswan.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "strongswan"

Thu Jan 30 14:50:32 2020 rev:17 rq:768533 version:5.8.2

Changes:
--------
--- /work/SRC/openSUSE:Leap:15.2/strongswan/strongswan.changes  2020-01-15 
16:04:21.299955180 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.strongswan.new.26092/strongswan.changes       
2020-01-30 14:51:44.550945292 +0100
@@ -1,0 +2,459 @@
+Thu Jan 30 09:13:59 UTC 2020 - Madhu Mohan Nelemane <[email protected]>
+
+ - Dropped following patches due to irrelevance in the updated version:
+   [- strongswan_modprobe_syslog.patch ]
+   [- strongswan_fipsfilter.patch ]
+   [- 0006-fix-compilation-error-by-adding-stdint.h.patch ]
+   [- 0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch ]
+   [- 0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch ]
+   [- 0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch ]
+   [- 0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch ]
+
+- Updated to version 5.8.2
+
+  - Version 5.8.2
+  ===============
+    * Identity-based CA constraints, which enforce that the certificate chain 
of the remote
+      peer contains a CA certificate with a specific identity, are supported 
via
+      vici/swanctl.conf. This is similar to the existing CA constraints but 
doesn't require
+      that the CA certificate is locally installed, for instance, intermediate 
CA certificates
+      received from the peers. Wildcard identity matching (e.g. ..., 
OU=Research, CN=*) could
+      also be used for the latter but requires trust in the intermediate CAs 
to only issue
+      certificates with legitimate subject DNs (e.g. the "Sales" CA must not 
issue certificates
+      with OU=Research). With the new constraint that's not necessary as long 
as a path length
+      basic constraint (--pathlen for pki --issue) prevents intermediate CAs 
from issuing further
+      intermediate CAs.
+    * Intermediate CA certificates may now be sent in hash-and-URL encoding by 
configuring a
+      base URL for the parent CA (#3234, swanctl/rw-hash-and-url-multi-level).
+    * Implemented NIST SP-800-90A Deterministic Random Bit Generator (DRBG) 
based on AES-CTR
+      and SHA2-HMAC modes. Currently used by the gmp and ntru plugins.
+    * Random nonces sent in an OCSP requests are now expected in the 
corresponding OCSP responses.
+    * The kernel-netlink plugin now ignores deprecated IPv6 addresses for 
MOBIKE. Whether temporary
+      or permanent IPv6 addresses are included now depends on the 
charon.prefer_temporary_addrs
+      setting (#3192).
+    * Extended Sequence Numbers (ESN) are configured via PF_KEY if supported 
by the kernel.
+    * The PF_KEY socket's receive buffer in the kernel-pfkey plugin is now 
cleared before sending
+      requests, as many of the messages sent by the kernel are sent as 
broadcasts to all PF_KEY
+      sockets. This is an issue if an external tool is used to manage 
SAs/policies unrelated to
+      IPsec (#3225).
+    * The vici plugin now uses unique section names for CHILD_SAs in 
child-updown events (7c74ce9190).
+    * For individually deleted CHILD_SAs (in particular for IKEv1) the vici 
child-updown event
+      now includes more information about the CHILD_SAs such as traffic 
statistics (#3198).
+    * Custom loggers are correctly re-registered if log levels are changed via 
stroke loglevel (#3182).
+    * Avoid lockups during startup on low entropy systems when using OpenSSL 
1.1.1 (095a2c2eac).
+    * Instead of failing later when setting a key, creating HMACs via openssl 
plugin now fails
+      instantly if the underlying hash algorithm isn't supported (e.g. MD5 in 
FIPS-mode) so fallbacks
+      to other plugins work properly (#3284).
+    * Exponents of RSA keys read from TPM 2.0 via SAPI are correctly converted 
(8ee1242f1438).
+    * Routing table IDs > 255 are supported for custom routes on Linux.
+    * To avoid races, the check for hardware offloading support in the 
kernel-netlink plugin is
+      performed during initialization of the plugin (a605452c03).
+    * The D-Bus config file for charon-nm is now installed in 
$(datadir)/dbus-1/system.d instead of
+      $(sysconfdir)/dbus-1/system.d, which is intended for sysadmin overrides.
+      INVALID_MAJOR_VERSION notifies are now correctly sent in messages of the 
same exchange type
+      and with the same message ID as the request.
+    * IKEv2 SAs are now immediately destroyed when sending or receiving 
INVALID_SYNTAX notifies
+      in authenticated messages.
+    * For developers working from the repository the configure script now 
aborts if GNU gperf is
+      not found.
+
+  - Version 5.8.1
+  ===============
+    * RDNs in DNs of X.509 certificates can now optionally be matched less 
strict. The global
+      strongswan.conf option charon.rdn_matching takes two alternative values 
that cause the
+      matching algorithm to either ignore the order of matched RDNs 
(reordered) or additionally
+      (relaxed) accept DNs that contain more RDNs than configured (unmatched 
RDNs are treated
+      like wildcard matches).
+    * The updown plugin now passes the same interface to the script that is 
also used for the
+      automatically installed routes, that is, the interface over which the 
peer is reached
+      instead of the interface on which the local address is found (#3095).
+    * TPM 2.0 contexts are now protected by a mutex to prevent issues if 
multiple IKE_SAs use
+      the same private key concurrently (4b25885025).
+    * Do a rekey check after the third QM message was received (#3060).
+    * If available, explicit_bzero() is now used as memwipe() instead of our 
own implementation.
+    * An .editorconfig file has been added, mainly so Github shows files with 
proper indentation
+      (68346b6962).
+    * The internal certificate of the load-tester plugin has been modified so 
it can again be
+      used as end-entity cert with 5.6.3 and later (#3139).
+    * The maximum data length of received COOKIE notifies (64 bytes) is now 
enforced (#3160).
+
+  - Version 5.8.0
+  ===============
+    * The systemd service units have been renamed. The modern unit, which was 
called
+      strongswan-swanctl, is now called strongswan (the previous name is 
configured as alias in
+      the unit, for which a symlink is created when the unit is enabled). The 
legacy unit is now
+      called strongswan-starter.
+    * Support for XFRM interfaces (available since Linux 4.19) has been added, 
which are intended
+      to replace VTI devices (they are similar but offer several advantages, 
for instance, they
+      are not bound to an address or address family).
+    * IPsec SAs and policies are associated with such interfaces via interface 
IDs that can be
+      configured in swanctl.conf (dynamic IDs may optionally be allocated for 
each SA and even
+      direction). It's possible to use separate interfaces for in- and 
outbound traffic (or
+      only use an interface in one direction and regular policies in the 
other).
+    * Interfaces may be created dynamically via updown/vici scripts, or 
statically before or after
+      establishing the SAs. Routes must be added manually as needed (the 
daemon will not install
+      any routes for outbound policies with an interface ID). 
+    * When moving XFRM interfaces to other network namespaces they retain 
access to the SAs and
+      policies installed in the original namespace, which allows providing 
IPsec tunnels for
+      processes in other network namespaces without giving them access to the 
IPsec keys or
+      IKE credentials.
+      More information can be found on the page about route-based VPNs.
+    * Initiation of childless IKE_SAs is supported (RFC 6023). If enabled and 
supported by the
+      responder, no CHILD_SA is established during IKE_AUTH. Instead, all 
CHILD_SAs are created
+      with CREATE_CHILD_SA exchanges. This allows using a separate DH exchange 
even for the
+      first CHILD_SA, which is otherwise created during IKE_AUTH with keys 
derived from the
+      IKE_SA's key material.
+    * The swanctl --initiate command may be used to initiate only the IKE_SA 
via --ike
+      option if --child is omitted and the peer supports this extension.
+    * The NetworkManager backend and plugin support IPv6.
+    * The new wolfssl plugin is a wrapper around the wolfSSL crypto library. 
Thanks to Sean
+      Parkinson of wolfSSL Inc. for the initial patch.
+    * IKE SPIs may optionally be labeled via the charon.spi_mask|label options 
in
+      strongswan.conf. This feature was extracted from charon-tkm, however, 
now applies the
+      mask/label in network order.
+    * The openssl plugin supports ChaCha20-Poly1305 when built with OpenSSL 
1.1.0.
+    * The PB-TNC finite state machine according to section 3.2 of RFC 5793 was 
not correctly
+      implemented when sending either a CRETRY or SRETRY batch. These batches 
can only be sent
+      in the "Decided" state and a CRETRY batch can immediately carry all 
messages usually
+      transported by a CDATA batch. It is currently not possible to send a 
SRETRY batch since
+      full-duplex mode for PT-TLS transport is not supported.
+    * Instead of marking IPv6 virtual IPs as deprecated, the kernel-netlink 
plugin now uses
+      address labels to avoid that such addresses are used for non-VPN traffic 
(00a953d090).
+    * The agent plugin now creates sockets to the ssh/gpg-agent dynamically 
and does not keep
+      them open, which otherwise might prevent the agent from getting 
terminated.
+    * To avoid broadcast loops the forecast plugin now only reinjects packets 
that are marked
+      or received from the configured interface.
+    * UTF-8 encoded passwords are supported via EAP-MSCHAPv2, which internally 
uses an UTF-16LE
+      encoding to calculate the NT hash (#3014).
+    * Properly delete temporary drop policies (used when updating IP addresses 
of SAs) if manual
+      priorities are used, which was broken since 5.6.2 (8e31d65730).
+    * Avoid overwriting start_action when parsing the inactivity timeout in 
the vici plugin (#2954).
+    * Fixed the automatic termination of reloaded vici connections with 
start_action=start,
+      which was broken since 5.6.3 (71b22c250f).
+    * The lookup for shared secrets for IKEv1 SAs via sql plugin should now 
work better
+      (6ec9f68f32).
+    * Fixed a race condition in the trap manager between installation and 
removal of a policy
+      (69cbe2ca3f).
+    * Compilation of the kernel-netlink plugin has been fixed on old kernels 
(< 2.6.39), which
+      was caused by the HW offload changes (c7f579fa17).
+    * The IPsec stack detection and module loading in starter has been removed 
(it wasn't
+      enforced anyway and loading modules doesn't seem necessary, also KLIPS 
hasn't been
+      supported for a long time and PF_KEY will eventually be removed from the 
Linux kernel,
+      ba817d2917).
+    * Several IKEv2 protocol details are now handled more strictly: 
Unrequested virtual IPs are
+      ignored, CFG_REPLY payloads are ignored if no CFG_REQUEST payloads were 
sent, a USE
+      TRANSPORT_MODE notify received from the responder is checked against the 
local configuration.
+    * The keys and certificates used by the scenarios in the testing 
environment are now generated
+      dynamically. Running the testing/scripts/build-certs script after 
creating the base and root
+      images uses the pki utility installed in the latter to create the keys 
and certificates for
+      all the CAs and in some cases for individual scenarios. These 
credentials are stored in the
+      source tree, not the image, so this has to be called only once even if 
the images are later
+      rebuilt. The script automatically (re-)rebuilds the guest images as that 
generates fresh
+      CRLs and signs the DNS zones. The only keys/certificates currently not 
generated are the
+      very large ones used by the ikev2/rw-eap-tls-fragments scenario. 
+
+  - Version 5.7.2
+  ===============
+    * For RSA with PSS padding, the TPM 2.0 specification mandates the maximum 
salt length
+      (as defined by the length of the key and hash). However, if the TPM is 
FIPS-168-4 compliant,
+      the salt length equals the hash length. This is assumed for FIPS-140-2 
compliant TPMs, but
+      if that's not the case, it might be necessary to manually enable 
charon.plugins.tpm.fips_186_4
+      if the TPM doesn't use the maximum salt length.
+    * Directories for credentials loaded by swanctl are now accessed relative 
to the loaded
+      swanctl.conf file, in particular, when loading it from a custom location 
via --file argument.
+    * The base directory, which is used if no custom location for swanctl.conf 
is specified, is now
+      also configurable at runtime via SWANCTL_DIR environment variable.
+    * If RADIUS Accounting is enabled, the eap-radius plugin will add the 
session ID (Acct-Session-Id)
+      to Access-Request messages, which e.g. simplifies associating database 
entries for IP leases and
+      accounting with sessions (the session ID does not change when IKE_SAs 
are rekeyed, #2853).
+    * All IP addresses assigned by a RADIUS server are included in 
Accounting-Stop messages even if
+      the client did not claim them, allowing to release them early in case of 
connection errors (#2856).
+    * Selectors installed on transport mode SAs by the kernel-netlink plugin 
are now updated if an
+      IP address changes (e.g. via MOBIKE) and it was part of the selectors.
+    * No deletes are sent anymore when a rekeyed CHILD_SA expires (#2815).
+    * The bypass-lan plugin now tracks interfaces to handle subnets that move 
from one interface
+      to another and properly update associated routes (#2820).
+    * Only valid and expected inbound IKEv2 messages are used to update the 
timestamp of the
+      last received message (previously, retransmits also triggered an update).
+    * IKEv2 requests from responders are now ignored until the IKE_SA is fully 
established (e.g. if a
+      DPD request from the peer arrives before the IKE_AUTH response does, 
46bea1add9).
+      Delayed IKE_SA_INIT responses with COOKIE notifies we already recevied 
are ignored, they caused
+      another reset of the IKE_SA previously (#2837).
+    * Active and queued Quick Mode tasks are now adopted if the peer 
reauthenticates an IKEv1 SA
+      while creating lots of CHILD_SAs.
+    * Newer versions of the FreeBSD kernel add an SADB_X_EXT_SA2 extension to 
SADB_ACQUIRE
+      messages, which allows the kernel-pfkey plugin to determine the reqid of 
the policy even if it
+      wasn't installed by the daemon previously (e.g. when using FreeBSD's 
if_ipsec(4) VTIs, which
+      install policies themselves, 872b9b3e8d).
+    * Added support for RSA signatures with SHA-256 and SHA-512 to the agent 
plugin. For older
+      versions of ssh/gpg-agent that only support SHA-1, IKEv2 signature 
authentication has to be
+      disabled via charon.signature_authentication.
+    * The sshkey and agent plugins support Ed25519/Ed448 SSH keys and 
signatures.
+    * The openssl plugin supports X25519/X448 Diffie-Hellman and Ed25519/Ed448 
keys and
+      signatures when built against OpenSSL 1.1.1.
+    * Support for Ed25519, ChaCha20/Poly1305, SHA-3 and AES-CCM were added to 
the botan plugin.
+    * The mysql plugin now properly handles database connections with 
transactions
+      under heavy load (#2779).
+    * IP addresses in ha pools are now distributed evenly among all segments 
(#2828).
++++ 262 more lines (skipped)
++++ between /work/SRC/openSUSE:Leap:15.2/strongswan/strongswan.changes
++++ and /work/SRC/openSUSE:Leap:15.2/.strongswan.new.26092/strongswan.changes
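
Review bot: the entry at the top drops 0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch, 0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch, 0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch and 0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch "due to irrelevance in the updated version", which does not tell a reader whether those fixes are contained in 5.8.2 or were abandoned. The version ranges in the patch names all end before 5.8.2, so state per patch that the fix is included upstream and carry over whatever bug references the original entries for these patches had. The same goes for strongswan_fipsfilter.patch and strongswan_modprobe_syslog.patch: say what replaces them. Minor: the 5.7.2 text writes "FIPS-168-4" next to the option charon.plugins.tpm.fips_186_4, and "recevied" in the same section is a typo.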

Old:
----
  0006-fix-compilation-error-by-adding-stdint.h.patch
  0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch
  0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch
  0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch
  0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
  strongswan-5.6.0-rpmlintrc
  strongswan-5.6.0.tar.bz2
  strongswan-5.6.0.tar.bz2.sig
  strongswan_fipsfilter.patch
  strongswan_modprobe_syslog.patch

New:
----
  strongswan-5.8.2.tar.bz2
  strongswan-5.8.2.tar.bz2.sig
  strongswan-rpmlintrc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ strongswan.spec ++++++
--- /var/tmp/diff_new_pack.5Evsvp/_old  2020-01-30 14:51:45.150945611 +0100
+++ /var/tmp/diff_new_pack.5Evsvp/_new  2020-01-30 14:51:45.154945613 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package strongswan
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           strongswan
-Version:        5.6.0
+Version:        5.8.2
 Release:        0
 %define         upstream_version     %{version}
 %define         strongswan_docdir    %{_docdir}/%{name}
@@ -64,30 +64,22 @@
 Summary:        OpenSource IPsec-based VPN Solution
 License:        GPL-2.0+
 Group:          Productivity/Networking/Security
-Url:            http://www.strongswan.org/
-Requires:       strongswan-ipsec = %{version}
+URL:            https://www.strongswan.org/
 Source0:        
http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
 Source1:        
http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
 Source2:        %{name}.init.in
-Source3:        %{name}-%{version}-rpmlintrc
+Source3:        %{name}-rpmlintrc
 Source4:        README.SUSE
 Source5:        %{name}.keyring
 %if %{with fipscheck}
 Source6:        fipscheck.sh.in
 Source7:        fips-enforce.conf
 %endif
-Patch1:         %{name}_modprobe_syslog.patch
 Patch2:         %{name}_ipsec_service.patch
 %if %{with fipscheck}
 Patch3:         %{name}_fipscheck.patch
-Patch4:         %{name}_fipsfilter.patch
 %endif
 Patch5:         0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch
-Patch6:         0006-fix-compilation-error-by-adding-stdint.h.patch
-Patch7:         0007-strongswan-5.3.1-5.6.0_gmp-pkcs1-verify.patch
-Patch8:         0008-strongswan-5.1.2-5.6.2_stroke_msg_len.patch
-Patch9:         0009-strongswan-5.5.0-5.6.2_skeyseed_init.patch
-Patch10:        0010-strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
 BuildRequires:  curl-devel
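
Review bot: URL: moves to https, but Source0 and Source1 in the same block still fetch the tarball and its .sig from http://download.strongswan.org/. The signature and the Source5 keyring only protect the download if the build actually verifies them, so switch both Source lines to https if the download host serves it. Also, with Patch6 to Patch10 removed, Patch5 (0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch) is the only numbered fix still applied; the changes entry should say why it is still needed on 5.8.2.
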
@@ -111,10 +103,11 @@
 BuildRequires:  libgcrypt-devel
 %endif
 %if %{with nm}
-BuildRequires:  NetworkManager-devel
+BuildRequires:  pkgconfig(libnm)
 %endif
 %if %{with systemd}
 %{?systemd_requires}
+BuildRequires:  pkgconfig(libsystemd)
 %endif
 BuildRequires:  iptables
 %if %{with systemd}
@@ -129,6 +122,7 @@
 BuildRequires:  fipscheck
 %endif
 BuildRequires:  libtool
+Requires:       strongswan-ipsec = %{version}
 
 %description
 StrongSwan is an OpenSource IPsec-based VPN Solution for Linux
@@ -291,33 +285,26 @@
 
 %prep
 %setup -q -n %{name}-%{upstream_version}
-%patch1 -p0
 %patch2 -p0
 %if %{with fipscheck}
 %patch3 -p1
-%patch4 -p1
 %endif
 %patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g'    \
-     < $RPM_SOURCE_DIR/strongswan.init.in \
+     < %{_sourcedir}/strongswan.init.in \
      > strongswan.init
 %if %{with fipscheck}
 sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \
     -e 's|@IPSEC_LIBDIR@|%{_libdir}/ipsec|g'  \
     -e 's|@IPSEC_SBINDIR@|%{_sbindir}|g'      \
     -e 's|@IPSEC_BINDIR@|%{_bindir}|g'        \
-     < $RPM_SOURCE_DIR/fipscheck.sh.in        \
+     < %{_sourcedir}/fipscheck.sh.in        \
      > _fipscheck
 %endif
 
 %build
-CFLAGS="$RPM_OPT_FLAGS -W -Wall -Wno-pointer-sign -Wno-strict-aliasing 
-Wno-unused-parameter"
-export RPM_OPT_FLAGS CFLAGS
+CFLAGS="%{optflags} -W -Wall -Wno-pointer-sign -Wno-strict-aliasing 
-Wno-unused-parameter"
+export CFLAGS
 autoreconf --force --install
 %configure \
 %if %{with integrity}
@@ -328,6 +315,7 @@
        --with-resolv-conf=%{_rundir}/%{name}/resolv.conf \
        --with-piddir=%{_rundir}/%{name} \
 %if %{with systemd}
+       --enable-systemd \
        --with-systemdsystemunitdir=%{_unitdir} \
 %endif
        --enable-pkcs11 \
@@ -412,25 +400,24 @@
        --enable-soup \
        --enable-curl \
        --disable-static
-make %{?_smp_mflags:%_smp_mflags}
+make %{?_smp_mflags}
 
 %install
-export RPM_BUILD_ROOT
-install -d -m755              ${RPM_BUILD_ROOT}%{_sbindir}/
-install -d -m755              ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.d/
-%if %{with systemd}
-ln -sf %_sbindir/service      ${RPM_BUILD_ROOT}%_sbindir/rcstrongswan
-%else
-install -d -m755              ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/
-install -m755 strongswan.init ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ipsec
-ln -s %{_sysconfdir}/init.d/ipsec ${RPM_BUILD_ROOT}%{_sbindir}/rcipsec
+install -d -m755              %{buildroot}/%{_sbindir}/
+install -d -m755              %{buildroot}/%{_sysconfdir}/ipsec.d/
+%if %{with systemd}
+ln -sf %{_sbindir}/service    %{buildroot}/%{_sbindir}/rcstrongswan
+%else
+install -d -m755              %{buildroot}/%{_sysconfdir}/init.d/
+install -m755 strongswan.init %{buildroot}/%{_sysconfdir}/init.d/ipsec
+ln -s %{_sysconfdir}/init.d/ipsec %{buildroot}/%{_sbindir}/rcipsec
 %endif
 #
 # Ensure, plugin -> library dependencies can be resolved
 # (e.g. libtls) to avoid plugin segment checksum errors.
 #
-LD_LIBRARY_PATH="$RPM_BUILD_ROOT-$$%{strongswan_libdir}" \
-make install DESTDIR="$RPM_BUILD_ROOT"
+LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
+%make_install
 #
 # checksums are calculated during make install using the
 # installed binaries/libraries... but find-debuginfo.sh
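
Review bot: in the replacement for "make install", the line LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \ is now followed by the %make_install macro, so the assignment only reaches make if the macro expands to a single simple command that begins with make. Either keep the explicit make install DESTDIR="%{buildroot}" here or add a comment stating that dependency. The path also names %{buildroot}-$$, which in the lines shown is only created later by the cp -a in the find-debuginfo.sh block, so at this point it does not contain the libraries the comment above refers to; check whether %{buildroot}%{strongswan_libdir} is what is meant. Style: %{buildroot}/%{_sbindir} yields a double slash because the path macros are absolute, while the %{buildroot}%{_tmpfilesdir} lines later in %install use the other form; pick one.
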
@@ -441,23 +428,23 @@
 %if %{with integrity}
 %{?__debug_package:
        if test -x %{_rpmconfigdir}/find-debuginfo.sh ; then
-               cp -a "${RPM_BUILD_ROOT}" "${RPM_BUILD_ROOT}-$$"
-               RPM_BUILD_ROOT="$RPM_BUILD_ROOT-$$" \
+               cp -a "%{buildroot}" "%{buildroot}-$$"
+               RPM_BUILD_ROOT="%{buildroot}-$$" \
                %{_rpmconfigdir}/find-debuginfo.sh  \
-                       %{?_find_debuginfo_opts} "${RPM_BUILD_ROOT}-$$"
+                       %{?_find_debuginfo_opts} "%{buildroot}-$$"
                make -C src/checksum clean
                rm -f   src/checksum/checksum_builder
-               LD_LIBRARY_PATH="$RPM_BUILD_ROOT-$$%{strongswan_libdir}" \
-               make -C src/checksum install DESTDIR="$RPM_BUILD_ROOT-$$"
-               mv "$RPM_BUILD_ROOT-$$%{strongswan_libdir}/libchecksum.so" \
-                  "$RPM_BUILD_ROOT%{strongswan_libdir}/libchecksum.so"
-               rm -rf "${RPM_BUILD_ROOT}-$$"
+               LD_LIBRARY_PATH="%{buildroot}-$$/%{strongswan_libdir}" \
+               make -C src/checksum install DESTDIR="%{buildroot}-$$"
+               mv "%{buildroot}-$$/%{strongswan_libdir}/libchecksum.so" \
+                  "%{buildroot}/%{strongswan_libdir}/libchecksum.so"
+               rm -rf "%{buildroot}-$$"
        fi
 }
 %endif
 #
-rm -f ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
-cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
+rm -f %{buildroot}/%{_sysconfdir}/ipsec.secrets
+cat << EOT > %{buildroot}/%{_sysconfdir}/ipsec.secrets
 #
 # ipsec.secrets
 #
@@ -467,47 +454,47 @@
 EOT
 #
 %if ! %{with mysql}
-rm -f $RPM_BUILD_ROOT%{strongswan_templates}/database/sql/mysql.sql
+rm -f %{buildroot}/%{strongswan_templates}/database/sql/mysql.sql
 %endif
 %if ! %{with sqlite}
-rm -f $RPM_BUILD_ROOT%{strongswan_templates}/database/sql/sqlite.sql
+rm -f %{buildroot}/%{strongswan_templates}/database/sql/sqlite.sql
 %endif
-rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
-rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
-find $RPM_BUILD_ROOT%{strongswan_libdir} -type f -name "*.la" -delete
+rm -f %{buildroot}/%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so
+rm -f %{buildroot}/%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
+find %{buildroot}/%{strongswan_libdir} -type f -name "*.la" -delete
 #
-install -d -m755 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
+install -d -m755 %{buildroot}/%{strongswan_docdir}/
 install -c -m644 TODO NEWS README COPYING LICENSE \
                 AUTHORS ChangeLog \
-                ${RPM_BUILD_ROOT}%{strongswan_docdir}/
-install -c -m644 ${RPM_SOURCE_DIR}/README.SUSE \
-                ${RPM_BUILD_ROOT}%{strongswan_docdir}/
+                %{buildroot}/%{strongswan_docdir}/
+install -c -m644 %{_sourcedir}/README.SUSE \
+                %{buildroot}/%{strongswan_docdir}/
 %if %{with systemd}
-%{__install} -d -m 0755 %{buildroot}%{_tmpfilesdir}
+install -d -m 0755 %{buildroot}%{_tmpfilesdir}
 echo 'd %{_rundir}/%{name} 0770 root root' > 
%{buildroot}%{_tmpfilesdir}/%{name}.conf
 %endif
 %if %{with fipscheck}
 #
 # note: keep the following, _fipscheck's and file lists in sync
 #
-install -c -m750 _fipscheck ${RPM_BUILD_ROOT}%{_libexecdir}/ipsec/
-install -c -m644 ${RPM_SOURCE_DIR}/fips-enforce.conf \
-                 
${RPM_BUILD_ROOT}%{strongswan_configs}/charon/zzz_fips-enforce.conf
+install -c -m750 _fipscheck %{buildroot}/%{_libexecdir}/ipsec/
+install -c -m644 %{_sourcedir}/fips-enforce.conf \
+                 
%{buildroot}/%{strongswan_configs}/charon/zzz_fips-enforce.conf
 # create fips hmac hashes _after_ install post run
 %{expand:%%global __os_install_post {%__os_install_post
-       for f in $RPM_BUILD_ROOT%{strongswan_libdir}/lib*.so.*.*.* \
-                $RPM_BUILD_ROOT%{strongswan_libdir}/imcvs/*.so \
-                $RPM_BUILD_ROOT%{strongswan_plugins}/*.so \
-                $RPM_BUILD_ROOT%{_libexecdir}/ipsec/charon \
-                $RPM_BUILD_ROOT%{_libexecdir}/ipsec/charon-nm \
-                $RPM_BUILD_ROOT%{_libexecdir}/ipsec/stroke \
-                $RPM_BUILD_ROOT%{_libexecdir}/ipsec/starter \
-                $RPM_BUILD_ROOT%{_libexecdir}/ipsec/pool \
-                $RPM_BUILD_ROOT%{_libexecdir}/ipsec/scepclient \
-                $RPM_BUILD_ROOT%{_libexecdir}/ipsec/imv_policy_manager \
-                $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_fipscheck \
-                $RPM_BUILD_ROOT%{_bindir}/pt-tls-client \
-                $RPM_BUILD_ROOT%{_sbindir}/ipsec \
+       for f in %{buildroot}/%{strongswan_libdir}/lib*.so.*.*.* \
+                %{buildroot}/%{strongswan_libdir}/imcvs/*.so \
+                %{buildroot}/%{strongswan_plugins}/*.so \
+                %{buildroot}/%{_libexecdir}/ipsec/charon \
+                %{buildroot}/%{_libexecdir}/ipsec/charon-nm \
+                %{buildroot}/%{_libexecdir}/ipsec/stroke \
+                %{buildroot}/%{_libexecdir}/ipsec/starter \
+                %{buildroot}/%{_libexecdir}/ipsec/pool \
+                %{buildroot}/%{_libexecdir}/ipsec/scepclient \
+                %{buildroot}/%{_libexecdir}/ipsec/imv_policy_manager \
+                %{buildroot}/%{_libexecdir}/ipsec/_fipscheck \
+                %{buildroot}/%{_bindir}/pt-tls-client \
+                %{buildroot}/%{_sbindir}/ipsec \
                ;
        do
                /usr/bin/fipshmac "$f"
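
Review bot: the fipshmac loop in __os_install_post is only converted to %{buildroot}, yet the comment just above it says to keep this list, _fipscheck and the file lists in sync, and the %files hunks further down add %{_sbindir}/charon-systemd and %{_libexecdir}/ipsec/xfrmi. Neither binary appears in the loop, so with fipscheck enabled they would ship without an HMAC file; add them here and in fipscheck.sh.in, or note why they are exempt. New plugins such as libstrongswan-drbg.so are already covered by the %{strongswan_plugins}/*.so glob.
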
@@ -518,7 +505,7 @@
 %post libs0
 /sbin/ldconfig
 %{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/%{name}.conf}
-%{!?tmpfiles_create:test -d %{_rundir}/%{name} || %{__mkdir_p} 
%{_rundir}/%{name}}
+%{!?tmpfiles_create:test -d %{_rundir}/%{name} || mkdir -p %{_rundir}/%{name}}
 
 %postun libs0 -p /sbin/ldconfig
 
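
Review bot: the fallback for a missing tmpfiles_create macro now runs mkdir -p %{_rundir}/%{name}, which creates the directory with the umask default, while the tmpfiles entry written in %install asks for 0770 root root. Use install -d -m 0770 %{_rundir}/%{name} (or mkdir -p -m 0770) so both paths produce the same permissions.
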
@@ -592,9 +579,11 @@
 %dir %{_sysconfdir}/ipsec.d/ocspcerts
 %dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
 %if %{with systemd}
+%{_unitdir}/strongswan-starter.service
 %{_unitdir}/strongswan.service
-%{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf
+%{_datadir}/dbus-1/system.d/nm-strongswan-service.conf
 %{_sbindir}/rcstrongswan
+%{_sbindir}/charon-systemd
 %else
 %config %{_sysconfdir}/init.d/ipsec
 %{_sbindir}/rcipsec
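
Review bot: this file list now ships both strongswan-starter.service and strongswan.service, and per the 5.8.0 notes in the changes file the name strongswan now belongs to the modern unit while the legacy unit became strongswan-starter. The service patch at the end of this commit was retargeted from init/systemd/strongswan.service.in to the starter unit, which suggests the 5.6.0 package shipped the starter-based unit under the name strongswan.service. A system updated with that unit enabled would then start a different daemon (%{_sbindir}/charon-systemd, added here), and nothing in the visible hunks migrates the enablement or warns about it. Document the switch in README.SUSE or handle it in the scriptlets.
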
@@ -615,6 +604,7 @@
 %if %{with test}
 %{_libexecdir}/ipsec/conftest
 %endif
+%{_libexecdir}/ipsec/xfrmi
 %{_libexecdir}/ipsec/duplicheck
 %{_libexecdir}/ipsec/pool
 %{_libexecdir}/ipsec/scepclient
@@ -624,6 +614,7 @@
 %{_libexecdir}/ipsec/_imv_policy
 %{_libexecdir}/ipsec/imv_policy_manager
 %dir %{strongswan_plugins}
+%{strongswan_plugins}/libstrongswan-drbg.so
 %{strongswan_plugins}/libstrongswan-stroke.so
 %{strongswan_plugins}/libstrongswan-updown.so
 
@@ -650,6 +641,9 @@
 %dir %{strongswan_configs}
 %dir %{strongswan_configs}/charon
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon.conf
+%if %{with systemd}
+%config(noreplace) %attr(600,root,root) 
%{strongswan_configs}/charon-systemd.conf
+%endif
 %config(noreplace) %attr(600,root,root) 
%{strongswan_configs}/charon-logging.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/imcv.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/pki.conf
@@ -660,7 +654,9 @@
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf
 %config(noreplace) %attr(600,root,root) 
%{strongswan_configs}/charon/addrblock.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf
+%config(noreplace) %attr(600,root,root) 
%{strongswan_configs}/charon/counters.conf
 %config(noreplace) %attr(600,root,root) 
%{strongswan_configs}/charon/curve25519.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/drbg.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf
 %if %{with afalg}
 %config(noreplace) %attr(600,root,root) 
%{strongswan_configs}/charon/af-alg.conf
@@ -714,6 +710,7 @@
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/led.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md4.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/md5.conf
+%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/mgf1.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/nonce.conf
 %config(noreplace) %attr(600,root,root) 
%{strongswan_configs}/charon/openssl.conf
 %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/pem.conf
@@ -785,6 +782,7 @@
 %{strongswan_plugins}/libstrongswan-ccm.so
 %{strongswan_plugins}/libstrongswan-certexpire.so
 %{strongswan_plugins}/libstrongswan-cmac.so
+%{strongswan_plugins}/libstrongswan-counters.so
 %{strongswan_plugins}/libstrongswan-constraints.so
 %{strongswan_plugins}/libstrongswan-coupling.so
 %{strongswan_plugins}/libstrongswan-ctr.so
@@ -827,6 +825,7 @@
 %{strongswan_plugins}/libstrongswan-led.so
 %{strongswan_plugins}/libstrongswan-md4.so
 %{strongswan_plugins}/libstrongswan-md5.so
+%{strongswan_plugins}/libstrongswan-mgf1.so
 %{strongswan_plugins}/libstrongswan-nonce.so
 %{strongswan_plugins}/libstrongswan-openssl.so
 %{strongswan_plugins}/libstrongswan-pem.so
@@ -885,6 +884,7 @@
 %{strongswan_templates}/config/plugins/ccm.conf
 %{strongswan_templates}/config/plugins/certexpire.conf
 %{strongswan_templates}/config/plugins/cmac.conf
+%{strongswan_templates}/config/plugins/counters.conf
 %{strongswan_templates}/config/plugins/constraints.conf
 %{strongswan_templates}/config/plugins/coupling.conf
 %{strongswan_templates}/config/plugins/ctr.conf
@@ -892,6 +892,7 @@
 %{strongswan_templates}/config/plugins/des.conf
 %{strongswan_templates}/config/plugins/dhcp.conf
 %{strongswan_templates}/config/plugins/dnskey.conf
+%{strongswan_templates}/config/plugins/drbg.conf
 %{strongswan_templates}/config/plugins/duplicheck.conf
 %{strongswan_templates}/config/plugins/eap-aka-3gpp2.conf
 %{strongswan_templates}/config/plugins/eap-aka.conf
@@ -927,6 +928,7 @@
 %{strongswan_templates}/config/plugins/led.conf
 %{strongswan_templates}/config/plugins/md4.conf
 %{strongswan_templates}/config/plugins/md5.conf
+%{strongswan_templates}/config/plugins/mgf1.conf
 %{strongswan_templates}/config/plugins/nonce.conf
 %{strongswan_templates}/config/plugins/openssl.conf
 %{strongswan_templates}/config/plugins/pem.conf
@@ -966,6 +968,9 @@
 %{strongswan_templates}/config/plugins/xcbc.conf
 %{strongswan_templates}/config/plugins/curve25519.conf
 %{strongswan_templates}/config/plugins/vici.conf
+%if %{with systemd}
+%{strongswan_templates}/config/strongswan.d/charon-systemd.conf
+%endif
 %{strongswan_templates}/config/strongswan.d/charon-logging.conf
 %{strongswan_templates}/config/strongswan.d/charon.conf
 %{strongswan_templates}/config/strongswan.d/imcv.conf

++++++ strongswan-5.6.0.tar.bz2 -> strongswan-5.8.2.tar.bz2 ++++++
++++ 282521 lines of diff (skipped)

++++++ strongswan-rpmlintrc ++++++
### Known warnings:
# - traditional name
addFilter("strongswan.* incoherent-init-script-name ipsec")
# - readme only, triggers full ipsec + ikev1&ikev2 install
addFilter("strongswan.* no-binary")
# - link to init script, covered by service(8)
addFilter("strongswan.* no-manual-page-for-binary rcipsec")
# - no, restating tunnels on update may break the update
addFilter("strongswan.*restart_on_update-postun /etc/init.d/ipsec")
++++++ strongswan_ipsec_service.patch ++++++
--- /var/tmp/diff_new_pack.5Evsvp/_old  2020-01-30 14:51:49.842948106 +0100
+++ /var/tmp/diff_new_pack.5Evsvp/_new  2020-01-30 14:51:49.842948106 +0100
@@ -1,6 +1,6 @@
---- init/systemd/strongswan.service.in
-+++ init/systemd/strongswan.service.in 2012/10/31 15:21:11
-@@ -8,3 +8,4 @@ StandardOutput=syslog
+--- init/systemd-starter/strongswan-starter.service.in
++++ init/systemd-starter/strongswan-starter.service.in
+@@ -9,3 +9,4 @@ 
  
  [Install]
  WantedBy=multi-user.target
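
Review bot: the patch is retargeted from init/systemd/strongswan.service.in to init/systemd-starter/strongswan-starter.service.in, so the one line it adds around the [Install] section now lands only in the legacy starter unit. Confirm that the new strongswan.service does not need the same addition, and regenerate the patch so the inner hunk header "@@ -9,3 +9,4 @@" is not left with trailing whitespace.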

