Hello community,

here is the log from the commit of package strongswan.3365 for openSUSE:13.1:Update checked in at 2015-01-23 10:07:55

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/strongswan.3365 (Old)
 and      /work/SRC/openSUSE:13.1:Update/.strongswan.3365.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "strongswan.3365"

Changes:
--------
New Changes file:

--- /dev/null	2014-12-25 22:38:16.200041506 +0100
+++ /work/SRC/openSUSE:13.1:Update/.strongswan.3365.new/strongswan.changes	2015-01-23 10:07:57.000000000 +0100
@@ -0,0 +1,1123 @@ +------------------------------------------------------------------- +Thu Dec 11 10:21:01 UTC 2014 - m...@suse.de + +- Applied an upstream fix for a denial-of-service vulnerability, + which can be triggered by an IKEv2 Key Exchange payload, that + contains the Diffie-Hellman group 1025 (bsc#910491,CVE-2014-9221). + [+ 0005-strongswan-5.1.1_modp_custom.CVE-2014-9221.patch] + +------------------------------------------------------------------- +Wed May 14 06:53:36 UTC 2014 - m...@suse.de + +- Applied fix for DoS vulnerability by a crafted ID_DER_ASN1_DN ID + payload caused by a NULL-pointer dereference when such identities + are parsed (bnc#876449, CVE-2014-2891). + [+0004-strongswan-4.3.3-5.1.1_asn1_unwrap-CVE-2014-2891.patch] + +------------------------------------------------------------------- +Wed Apr 2 05:53:21 UTC 2014 - m...@suse.de + +- Applied fix for a authentication bypass vulnerability in the + strongSwan IKEv2 code. The bug can be triggered by rekeying an + unestablished IKE_SA while it gets actively initiated allowing + an attacker to trick a peer's IKE_SA state to established. + IKEv1 is not not affected. (CVE-2014-2338, bnc#870572). + [+0003-strongswan-CVE-2014-2338-5.x.patch] + +------------------------------------------------------------------- +Fri Nov 1 12:28:39 UTC 2013 - m...@suse.de + +- Updated to strongSwan 5.1.1 minor release addressing two security + fixes (bnc#847506,CVE-2013-6075, bnc#847509,CVE-2013-6076): + - Fixed a denial-of-service vulnerability and potential authorization + bypass triggered by a crafted ID_DER_ASN1_DN ID payload. The cause + is an insufficient length check when comparing such identities. The + vulnerability has been registered as CVE-2013-6075. + - Fixed a denial-of-service vulnerability triggered by a crafted IKEv1 + fragmentation payload. The cause is a NULL pointer dereference. The + vulnerability has been registered as CVE-2013-6076. 
+ - The lean stand-alone pt-tls-client can set up a RFC 6876 PT-TLS + session with a strongSwan policy enforcement point which uses the + tnc-pdp charon plugin. + - The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests + for either full SWID Tag or concise SWID Tag ID inventories. + - The XAuth backend in eap-radius now supports multiple XAuth + exchanges for different credential types and display messages. + All user input gets concatenated and verified with a single + User-Password RADIUS attribute on the AAA. With an AAA supporting + it, one for example can implement Password+Token authentication with + proper dialogs on iOS and OS X clients. - charon supports IKEv1 Mode + Config exchange in push mode. The ipsec.conf modeconfig=push option + enables it for both client and server, the same way as pluto used it. + - Using the "ah" ipsec.conf keyword on both IKEv1 and IKEv2 + connections, charon can negotiate and install Security Associations + integrity-protected by the Authentication Header protocol. Supported + are plain AH(+IPComp) SAs only, but not the deprecated RFC2401 style + ESP+AH bundles. + - The generation of initialization vectors for IKE and ESP (when using + libipsec) is now modularized and IVs for e.g. AES-GCM are now correctly + allocated sequentially, while other algorithms like AES-CBC still + use random IVs. + - The left and right options in ipsec.conf can take multiple address + ranges and subnets. This allows connection matching against a larger + set of addresses, for example to use a different connection for clients + connecting from a internal network. + - For all those who have a queasy feeling about the NIST elliptic curve + set, the Brainpool curves introduced for use with IKE by RFC 6932 might + be a more trustworthy alternative. + - The kernel-libipsec userland IPsec backend now supports usage + statistics, volume based rekeying and accepts ESPv3 style TFC padded + packets. 
+ - With two new strongswan.conf options fwmarks can be used to implement + host-to-host tunnels with kernel-libipsec. + - load-tester supports transport mode connections and more complex + traffic selectors, including such using unique ports for each tunnel. + - The new dnscert plugin provides support for authentication via CERT + RRs that are protected via DNSSEC. The plugin was created by Ruslan + N. Marchenko. + - The eap-radius plugin supports forwarding of several Cisco Unity + specific RADIUS attributes in corresponding configuration payloads. + - Database transactions are now abstracted and implemented by the two + backends. If you use MySQL make sure all tables use the InnoDB engine. + - libstrongswan now can provide an experimental custom implementation + of the printf family functions based on klibc if neither Vstr nor + glibc style printf hooks are available. This can avoid the Vstr + dependency on some systems at the cost of slower and less complete + printf functions. +- Adjusted file lists: this version installs the pki utility and manuals + in common /usr directories and additional ipsec/pt-tls-client helper. + +------------------------------------------------------------------- +Mon Aug 5 13:48:11 UTC 2013 - m...@suse.de + +- Updated to strongSwan 5.1.0 release (bnc#833278, CVE-2013-5018): + - Fixed a denial-of-service vulnerability triggered by specific XAuth + usernames and EAP identities (since 5.0.3), and PEM files (since + 4.1.11). The crash was caused by insufficient error handling in the + is_asn1() function. The vulnerability has been registered as + CVE-2013-5018. + - The new charon-cmd command line IKE client can establish road + warrior connections using IKEv1 or IKEv2 with different + authentication profiles. It does not depend on any configuration + files and can be configured using a few simple command line options. + - The kernel-pfroute networking backend has been greatly improved. 
+ It now can install virtual IPs on TUN devices on OS X and FreeBSD, + allowing these systems to act as a client in common road warrior + scenarios. + - The new kernel-libipsec plugin uses TUN devices and libipsec to + provide IPsec processing in userland on Linux, FreeBSD and Mac OS X. + - The eap-radius plugin can now serve as an XAuth backend called + xauth-radius, directly verifying XAuth credentials using RADIUS + User-Name/User-Password attributes. This is more efficient than the + existing xauth-eap+eap-radius combination, and allows RADIUS servers + without EAP support to act as AAA backend for IKEv1. + - The new osx-attr plugin installs configuration attributes (currently + DNS servers) via SystemConfiguration on Mac OS X. The keychain + plugin provides certificates from the OS X keychain service. + - The sshkey plugin parses SSH public keys, which, together with the + --agent option for charon-cmd, allows the use of ssh-agent for + authentication. To configure SSH keys in ipsec.conf the + left|rightrsasigkey options are replaced with left|rightsigkey, + which now take public keys in one of three formats: SSH (RFC 4253, + ssh: prefix), DNSKEY (RFC 3110, dns: prefix), and PKCS#1 (the + default, no prefix). + - Extraction of certificates and private keys from PKCS#12 files is + now provided by the new pkcs12 plugin or the openssl plugin. + charon-cmd (--p12) as well as charon (via P12 token in + ipsec.secrets) can make use of this. + - IKEv2 can now negotiate transport mode and IPComp in NAT situations. + - IKEv2 exchange initiators now properly close an established IKE or + CHILD_SA on error conditions using an additional exchange, keeping + state in sync between peers. + - Using a SQL database interface a Trusted Network Connect (TNC) + Policy Manager can generate specific measurement workitems for an + arbitrary number of Integrity Measurement Verifiers (IMVs) based on + the history of the VPN user and/or device. 
+ - Several core classes in libstrongswan are now tested with unit + tests. These can be enabled with --enable-unit-tests and run with + 'make check'. + Coverage reports can be generated with --enable-coverage and 'make + coverage' (this disables any optimization, so it should not be + enabled when building production releases). + - The leak-detective developer tool has been greatly improved. It + works much faster/stabler with multiple threads, does not use + deprecated malloc hooks anymore and has been ported to OS X. + - chunk_hash() is now based on SipHash-2-4 with a random key. This + provides better distribution and prevents hash flooding attacks + when used with hashtables. + - All default plugins implement the get_features() method to define + features and their dependencies. The plugin loader has been + improved, so that plugins in a custom load statement can be ordered + freely or to express preferences without being affected by + dependencies between plugin features. + - A centralized thread can take care for watching multiple file + descriptors concurrently. This removes the need for a dedicated + listener threads in various plugins. The number of "reserved" + threads for such tasks has been reduced to about five, depending on + the plugin configuration. + - Plugins that can be controlled by a UNIX socket IPC mechanism gained + network transparency. Third party applications querying these + plugins now can use TCP connections from a different host. + - libipsec now supports AES-GCM. + +------------------------------------------------------------------- +Tue Apr 30 12:48:44 UTC 2013 - m...@suse.de + +- Updated to strongSwan 5.0.4 release (bnc#815236, CVE-2013-2944): + - Fixed a security vulnerability in the openssl plugin which was + reported by Kevin Wojtysiak. The vulnerability has been registered + as CVE-2013-2944. 
Before the fix, if the openssl plugin's ECDSA + signature verification was used, due to a misinterpretation of the + error code returned by the OpenSSL ECDSA_verify() function, an empty + or zeroed signature was accepted as a legitimate one. Refer to our + blog for details. + - The handling of a couple of other non-security relevant OpenSSL + return codes was fixed as well. + - The tnc_ifmap plugin now publishes virtual IPv4 and IPv6 addresses + via its TCG TNC IF-MAP 2.1 interface. + - The charon.initiator_only strongswan.conf option causes charon to + ignore IKE initiation requests. + - The openssl plugin can now use the openssl-fips library. + The version 5.0.3 provides new ipseckey plugin, enabling authentication + based on trustworthy public keys stored as IPSECKEY resource records in + the DNS and protected by DNSSEC and new openssl plugin using the AES-NI + accelerated version of AES-GCM if the hardware supports it. + See http://wiki.strongswan.org/projects/strongswan/wiki/Changelog50 + for a list of all changes since the 5.0.1 release. + +------------------------------------------------------------------- +Thu Nov 29 19:13:40 CET 2012 - sbra...@suse.cz + +- Verify GPG signature. 
+ +------------------------------------------------------------------- +Fri Nov 16 04:02:32 UTC 2012 - crrodrig...@opensuse.org + +- Fix systemd unit dir + ++++ 926 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.strongswan.3365.new/strongswan.changes New: ---- 0003-strongswan-CVE-2014-2338-5.x.patch 0004-strongswan-4.3.3-5.1.1_asn1_unwrap-CVE-2014-2891.patch 0005-strongswan-5.1.1_modp_custom.CVE-2014-9221.patch README.SUSE strongswan-5.1.1-rpmlintrc strongswan-5.1.1.tar.bz2 strongswan-5.1.1.tar.bz2.sig strongswan.changes strongswan.init.in strongswan.keyring strongswan.spec strongswan_ipsec_service.patch strongswan_modprobe_syslog.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ strongswan.spec ++++++ ++++ 613 lines (skipped) ++++++ 0003-strongswan-CVE-2014-2338-5.x.patch ++++++ >From b980ba7757dcfedd756aa055b3271ea58cf85aa6 Mon Sep 17 00:00:00 2001 From: Martin Willi <mar...@revosec.ch> Date: Thu, 20 Feb 2014 16:08:43 +0100 Upstream: yes References: CVE-2014-2338, bnc#870572 Subject: [PATCH] ikev2: Reject CREATE_CHILD_SA exchange on unestablished IKE_SAs Prevents a responder peer to trick us into established state by starting IKE_SA rekeying before the IKE_SA has been authenticated during IKE_AUTH. Fixes CVE-2014-2338 for 5.x versions of strongSwan. --- src/libcharon/sa/ikev2/task_manager_v2.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c index ac3be90..a5252ab 100644 --- a/src/libcharon/sa/ikev2/task_manager_v2.c +++ b/src/libcharon/sa/ikev2/task_manager_v2.c 
@@ -778,6 +778,15 @@ static status_t process_request(private_task_manager_t *this, case CREATE_CHILD_SA: { /* FIXME: we should prevent this on mediation connections */ bool notify_found = FALSE, ts_found = FALSE; + + if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED || + this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING) + { + DBG1(DBG_IKE, "received CREATE_CHILD_SA request for " + "unestablished IKE_SA, rejected"); + return FAILED; + } + enumerator = message->create_payload_enumerator(message); while (enumerator->enumerate(enumerator, &payload)) { -- 1.8.1.2 ++++++ 0004-strongswan-4.3.3-5.1.1_asn1_unwrap-CVE-2014-2891.patch ++++++ >From 4609d5384c187aef2e58f91f53f5889f25faeaeb Mon Sep 17 00:00:00 2001 From: Tobias Brunner <tob...@strongswan.org> Date: Thu, 24 Apr 2014 17:04:10 +0200 Upstream: yes References: bnc#876449,CVE-2014-2891 Subject: [PATCH] asn1: Properly check length in asn1_unwrap() Fixes CVE-2014-2891 in strongSwan releases 4.3.3-5.1.1. --- src/libstrongswan/asn1/asn1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c index d860ad9..9a5f5c5 100644 --- a/src/libstrongswan/asn1/asn1.c +++ b/src/libstrongswan/asn1/asn1.c @@ -296,7 +296,7 @@ int asn1_unwrap(chunk_t *blob, chunk_t *inner) else { /* composite length, determine number of length octets */ len &= 0x7f; - if (len == 0 || len > sizeof(res.len)) + if (len == 0 || len > blob->len || len > sizeof(res.len)) { return ASN1_INVALID; } -- 1.7.10.4 ++++++ 0005-strongswan-5.1.1_modp_custom.CVE-2014-9221.patch ++++++ >From e2fc0c80b3432d69fcda7e9e52b091584a91430b Mon Sep 17 00:00:00 2001 
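Review bot: the new guard in process_request() for CREATE_CHILD_SA is a deny-list (it refuses only IKE_CREATED and IKE_CONNECTING), so any pre-authentication state introduced later would slip past it; a check that the IKE_SA has actually completed authentication reads more robustly than enumerating the states in which it has not. Placing the check before `create_payload_enumerator()` is the right order, since the request is refused before any of its payloads are interpreted. The `FIXME` about mediation connections left in the context is still open and deserves its own follow-up.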
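Review bot: in the asn1_unwrap() hunk, `len > blob->len` is the missing guard: after `len &= 0x7f`, `len` is the number of length octets the function goes on to read, and the existing `len > sizeof(res.len)` test only bounds how many octets are read, not whether the blob still holds them, so a truncated composite length read past the end of the buffer. A regression test with a blob that ends right after the initial length octet (for example the two bytes `0x30 0x84`, announcing four length octets that are not present) would pin this down and should now return ASN1_INVALID.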
From: Tobias Brunner <tob...@strongswan.org> Date: Thu, 4 Dec 2014 11:56:09 +0100 Subject: [PATCH] crypto: Define MODP_CUSTOM outside of IKE DH range References: bsc#910491,CVE-2014-9221 Upstream: yes Before this fix it was possible to crash charon with an IKE_SA_INIT message containing a KE payload with DH group MODP_CUSTOM(1025). Defining MODP_CUSTOM outside of the two byte IKE DH identifier range prevents it from getting negotiated. Fixes CVE-2014-9221 in version 5.1.1. --- src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 2 +- src/libstrongswan/crypto/diffie_hellman.c | 5 +++-- src/libstrongswan/crypto/diffie_hellman.h | 5 +++-- src/libstrongswan/plugins/gcrypt/gcrypt_dh.c | 2 +- src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c | 2 +- src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c | 2 +- src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c | 2 +- src/libstrongswan/plugins/pkcs11/pkcs11_dh.c | 2 +- 8 files changed, 12 insertions(+), 10 deletions(-) diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c index 19f57de01666..4ee748247c27 100644 --- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c +++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c @@ -38,7 +38,7 @@ struct private_tkm_diffie_hellman_t { /** * Diffie Hellman group number. */ - u_int16_t group; + diffie_hellman_group_t group; /** * Diffie Hellman public value. diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c index 3d319d2d4b0b..873a31c135b5 100644 --- a/src/libstrongswan/crypto/diffie_hellman.c +++ b/src/libstrongswan/crypto/diffie_hellman.c 
@@ -42,8 +42,9 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_512_BP, ECP_521_BIT, "ECP_256_BP", "ECP_384_BP", "ECP_512_BP"); -ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_CUSTOM, ECP_512_BP, - "MODP_NULL", +ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_512_BP, + "MODP_NULL"); +ENUM_NEXT(diffie_hellman_group_names, MODP_CUSTOM, MODP_CUSTOM, MODP_NULL, "MODP_CUSTOM"); ENUM_END(diffie_hellman_group_names, MODP_CUSTOM); diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h index edf6bbd6da74..d864da35967c 100644 --- a/src/libstrongswan/crypto/diffie_hellman.h +++ b/src/libstrongswan/crypto/diffie_hellman.h @@ -62,8 +62,9 @@ enum diffie_hellman_group_t { ECP_512_BP = 30, /** insecure NULL diffie hellman group for testing, in PRIVATE USE */ MODP_NULL = 1024, - /** MODP group with custom generator/prime */ - MODP_CUSTOM = 1025, + /** internally used DH group with additional parameters g and p, outside + * of PRIVATE USE (i.e. IKEv2 DH group range) so it can't be negotiated */ + MODP_CUSTOM = 65536, }; /** diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c index f418b941db86..299865da2e09 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c @@ -35,7 +35,7 @@ struct private_gcrypt_dh_t { /** * Diffie Hellman group number */ - u_int16_t group; + diffie_hellman_group_t group; /* * Generator value diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c index b74d35169f44..9936f7e4518f 100644 --- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c +++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c @@ -42,7 +42,7 @@ struct private_gmp_diffie_hellman_t { /** * Diffie Hellman group number. */ - u_int16_t group; + diffie_hellman_group_t group; /* * Generator value. 
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c index ff3382473666..1e68ac59b838 100644 --- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c @@ -38,7 +38,7 @@ struct private_openssl_diffie_hellman_t { /** * Diffie Hellman group number. */ - u_int16_t group; + diffie_hellman_group_t group; /** * Diffie Hellman object diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c index c43fe455a804..c382b704abda 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c @@ -40,7 +40,7 @@ struct private_openssl_ec_diffie_hellman_t { /** * Diffie Hellman group number. */ - u_int16_t group; + diffie_hellman_group_t group; /** * EC private (public) key diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c index 2e5af95fff0d..068ce7d2a74b 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c 
@@ -47,7 +47,7 @@ struct private_pkcs11_dh_t { /** * Diffie Hellman group number. */ - u_int16_t group; + diffie_hellman_group_t group; /** * Handle for own private value -- 1.9.1 ++++++ README.SUSE ++++++
Dear Customer,

please note that the strongswan release 4.5 changes the keyexchange mode
to IKEv2 as default -- from strongswan-4.5.0/NEWS:

  "[...] IMPORTANT: the default keyexchange mode 'ike' is changing with
  release 4.5 from 'ikev1' to 'ikev2', thus commemorating the five year
  anniversary of the IKEv2 RFC 4306 and its mature successor RFC 5996.
  The time has definitively come for IKEv1 to go into retirement and to
  cede its place to the much more robust, powerful and versatile IKEv2
  protocol! [...]"

This requires adapting either the "conn %default" section or all other
IKEv1 "conn" sections in /etc/ipsec.conf to use explicitly:

  keyexchange=ikev1

The strongswan package does not provide any files any more, but triggers
the installation of both the IKEv1 (pluto) and IKEv2 (charon) daemons and
the traditional starter scripts, including the /etc/init.d/ipsec init
script and the /etc/ipsec.conf file.

There is a new strongswan-nm package with a NetworkManager plugin to
control the charon IKEv2 daemon through D-Bus, designed to work with the
NetworkManager-strongswan graphical user interface. It does not depend on
the traditional starter scripts, but on the IKEv2 charon daemon and its
plugins only.

Have a lot of fun...
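Review bot: in the diffie_hellman.h hunk, moving MODP_CUSTOM to 65536 places it above the 16-bit value the KE payload's DH group field can carry, which is what makes it non-negotiable, but it also means that any `u_int16_t` still holding a diffie_hellman_group_t silently truncates it to 0; the patch widens the `group` members in the tkm, gcrypt, gmp, openssl, openssl_ec and pkcs11 backends, and the same grep should be run over payload and proposal code not touched here. The new doc comment could also state that MODP_CUSTOM may only be instantiated internally with explicit g and p, never from a peer-supplied group number.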
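Review bot: widening `group` from `u_int16_t` to `diffie_hellman_group_t` in tkm_diffie_hellman.c (and identically in gcrypt_dh.c, gmp_diffie_hellman.c, openssl_diffie_hellman.c, openssl_ec_diffie_hellman.c and pkcs11_dh.c) is required once MODP_CUSTOM is 65536; please confirm that the get_dh_group() method backed by these structs and every constructor parameter feeding the field use the enum type as well, otherwise the value is truncated before it ever reaches the widened member.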
++++++ strongswan-5.1.1-rpmlintrc ++++++
### Known warnings:
# - traditional name
addFilter("strongswan.* incoherent-init-script-name ipsec")
# - readme only, triggers full ipsec + ikev1&ikev2 install
addFilter("strongswan.* no-binary")
# - link to init script, covered by service(8)
addFilter("strongswan.* no-manual-page-for-binary rcipsec")
# - no, restarting tunnels on update may break the update
addFilter("strongswan.*restart_on_update-postun /etc/init.d/ipsec")
++++++ strongswan.init.in ++++++
#!/bin/bash
#
# SUSE/LSB system startup script for strongswan ipsec
#
# Copyright (C) 2007 Marius Tomaschewski, SUSE / Novell Inc.
# based on /etc/init.d/skeleton.compat by Kurt Garloff.
#
# This library is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or (at
# your option) any later version.
#
# This library is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
# USA.
#
# /etc/init.d/ipsec
# and its symbolic link
# /usr/sbin/rcipsec
#
# LSB compatible service control script; see http://www.linuxbase.org/spec/
# Please send feedback to http://www.suse.de/feedback/
#
# Note: This script uses functions rc_XXX defined in /etc/rc.status on
# UnitedLinux/SUSE/Novell based Linux distributions. However, it should
# work on other distributions as well, by using the LSB (Linux Standard
# Base) or RH functions or by open coding the needed functions.
#
# chkconfig: 345 99 00
# description: StrongSwan IPsec
#
### BEGIN INIT INFO
# Provides:          ipsec
# Required-Start:    $syslog $remote_fs $named
# Should-Start:      $time
# Required-Stop:     $syslog $remote_fs $named
# Should-Stop:       $time
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: StrongSwan IPsec
# Description:       StrongSwan IPsec provides encrypted and authenticated
#                    communication via an unsafe network, such as the internet.
#                    This script loads the kernel modules and starts the
#                    user-space setup.
### END INIT INFO

# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
IPSEC_CMD="/usr/sbin/ipsec"
test -x $IPSEC_CMD || {
	echo "$IPSEC_CMD not installed";
	if [ "$1" = "stop" ]; then exit 0;
	else exit 5; fi;
}
IPSEC_STARTER="@libexecdir@/ipsec/starter"
test -x $IPSEC_STARTER || {
	echo "$IPSEC_STARTER not installed";
	if [ "$1" = "stop" ]; then exit 0;
	else exit 5; fi;
}

# The pid file of the ipsec starter
IPSEC_PIDFILE="/var/run/starter.pid"

# Check for existence of needed config files
IPSEC_CONFIG="/etc/ipsec.conf"
test -r $IPSEC_CONFIG || {
	echo "$IPSEC_CONFIG not existing";
	if [ "$1" = "stop" ]; then exit 0;
	else exit 6; fi;
}
IPSEC_SECRET="/etc/ipsec.secrets"
test -r $IPSEC_SECRET || {
	echo "$IPSEC_SECRET not existing";
	if [ "$1" = "stop" ]; then exit 0;
	else exit 6; fi;
}

# Source LSB init functions
# providing start_daemon, killproc, pidofproc,
# log_success_msg, log_failure_msg and log_warning_msg.
# This is currently not used by UnitedLinux based distributions and
# not needed for init scripts for UnitedLinux only. If it is used,
# the functions from rc.status should not be sourced or used.
#. /lib/lsb/init-functions

# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     be verbose in local rc status and clear it afterwards
#      rc_status -v -r  ditto and clear both the local and overall rc status
#      rc_status -s     display "skipped" and exit with status 3
#      rc_status -u     display "unused" and exit with status 3
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num>
#      rc_reset         clear both the local and overall rc status
#      rc_exit          exit appropriate to overall rc status
#      rc_active        checks whether a service is activated by symlinks

# Use the SUSE rc_ init script functions;
# emulate them on LSB, RH and other systems

# Default: Assume sysvinit binaries exist
start_daemon() { /sbin/start_daemon ${1+"$@"}; }
killproc()     { /sbin/killproc     ${1+"$@"}; }
pidofproc()    { /sbin/pidofproc    ${1+"$@"}; }
checkproc()    { /sbin/checkproc    ${1+"$@"}; }
if test -e /etc/rc.status; then
	# SUSE rc script library
	. /etc/rc.status
else
	export LC_ALL=POSIX
	_cmd=$1
	declare -a _SMSG
	if test "${_cmd}" = "status"; then
		_SMSG=(running dead dead unused unknown reserved)
		_RC_UNUSED=3
	else
		_SMSG=(done failed failed missed failed skipped unused failed failed reserved)
		_RC_UNUSED=6
	fi
	if test -e /lib/lsb/init-functions; then
		# LSB
		. /lib/lsb/init-functions
		echo_rc() {
			if test ${_RC_RV} = 0; then
				log_success_msg "  [${_SMSG[${_RC_RV}]}] "
			else
				log_failure_msg "  [${_SMSG[${_RC_RV}]}] "
			fi
		}
		# TODO: Add checking for lockfiles
		checkproc() { pidofproc ${1+"$@"} >/dev/null 2>&1; }
	elif test -e /etc/init.d/functions; then
		# RHAT
		. /etc/init.d/functions
		echo_rc() {
			#echo -n "  [${_SMSG[${_RC_RV}]}] "
			if test ${_RC_RV} = 0; then
				success "  [${_SMSG[${_RC_RV}]}] "
			else
				failure "  [${_SMSG[${_RC_RV}]}] "
			fi
		}
		checkproc() { status ${1+"$@"}; }
		start_daemon() { daemon ${1+"$@"}; }
	else
		# emulate it
		echo_rc() { echo "  [${_SMSG[${_RC_RV}]}] "; }
	fi
	rc_reset() { _RC_RV=0; }
	rc_failed() {
		if test -z "$1"; then
			_RC_RV=1;
		elif test "$1" != "0"; then
			_RC_RV=$1;
		fi
		return ${_RC_RV}
	}
	rc_check() {
		rc_failed $?
	}
	rc_status() {
		rc_failed $?
		if test "$1" = "-r"; then _RC_RV=0; shift; fi
		if test "$1" = "-s"; then rc_failed 5; echo_rc; rc_failed 3; shift; fi
		if test "$1" = "-u"; then rc_failed ${_RC_UNUSED}; echo_rc; rc_failed 3; shift; fi
		if test "$1" = "-v"; then echo_rc; shift; fi
		if test "$1" = "-r"; then _RC_RV=0; shift; fi
		return ${_RC_RV}
	}
	rc_exit() { exit ${_RC_RV}; }
	rc_active() {
		local x
		for x in /etc/rc.d/rc[0-9].d/S[0-9][0-9]${1} ; do
			test -e $x && return 0 || break
		done
		return 1
	}
fi

# Reset status of this service
rc_reset

# Return values acc. to LSB for all commands but status:
# 0       - success
# 1       - generic or unspecified error
# 2       - invalid or excess argument(s)
# 3       - unimplemented feature (e.g. "reload")
# 4       - user had insufficient privileges
# 5       - program is not installed
# 6       - program is not configured
# 7       - program is not running
# 8--199  - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signaling is not supported) are
# considered a success.

case "$1" in
    start)
	$IPSEC_CMD start 2>&1
	rc_status -v1
	;;
    stop)
	$IPSEC_CMD stop 2>&1
	rc_status -v1
	;;
    try-restart|condrestart)
	## Do a restart only if the service was active before.
	## Note: try-restart is now part of LSB (as of 1.9).
	## RH has a similar command named condrestart.
	if test "$1" = "condrestart"; then
		echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
	fi
	$0 status
	if test $? = 0; then
		$0 restart
	else
		rc_reset        # Not running is not a failure.
	fi
	# Remember status and be quiet
	rc_status
	;;
    restart)
	## Stop the service and regardless of whether it was
	## running or not, start it again.
	$0 stop
	sleep 2
	$0 start

	# Remember status and be quiet
	rc_status
	;;
    reload|force-reload)
	$IPSEC_CMD reload
	rc_status -v1
	;;
    status)
	# Return value is slightly different for the status command:
	# 0 - service up and running
	# 1 - service dead, but /var/run/  pid  file exists
	# 2 - service dead, but /var/lock/ lock file exists
	# 3 - service not running (unused)
	# 4 - service status unknown :-(
	# 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
	echo -n "Checking for service strongSwan IPsec "
	#checkproc $IPSEC_STARTER
	$IPSEC_CMD status 2>&1 >/dev/null
	# NOTE: rc_status knows that we called this init script with
	# "status" option and adapts its messages accordingly.
	rc_status -v
	;;
    probe)
	## Optional: Probe for the necessity of a reload, print out the
	## argument to this init script which is required for a reload.
	## Note: probe is not (yet) part of LSB (as of 1.9)
	test $IPSEC_CONFIG -nt $IPSEC_PIDFILE || \
	test $IPSEC_SECRET -nt $IPSEC_PIDFILE && echo reload
	;;
    *)
	echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
	exit 1
	;;
esac
rc_exit
++++++ strongswan.keyring ++++++
pub   3072R/B34DBA77 2009-06-12
uid                  Andreas Steffen <andreas.stef...@strongswan.org>
sub   3072g/0E10E91A 2009-08-20
++++++ strongswan_ipsec_service.patch ++++++ --- init/systemd/strongswan.service.in +++ init/systemd/strongswan.service.in 2012/10/31 15:21:11 @@ -8,3 +8,4 @@ StandardOutput=syslog [Install] WantedBy=multi-user.target +Alias=ipsec.service ++++++ strongswan_modprobe_syslog.patch ++++++ --- src/starter/klips.c +++ src/starter/klips.c 2012/10/30 17:07:23 @@ -30,7 +30,7 @@ bool starter_klips_init(void) /* ipsec module makes the pf_key proc interface visible */ if (stat(PROC_MODULES, &stb) == 0) { - ignore_result(system("modprobe -qv ipsec")); + ignore_result(system("modprobe -s ipsec")); } /* now test again */
@@ -42,9 +42,9 @@ bool starter_klips_init(void) } /* load crypto algorithm modules */ - ignore_result(system("modprobe -qv ipsec_aes")); - ignore_result(system("modprobe -qv ipsec_blowfish")); - ignore_result(system("modprobe -qv ipsec_sha2")); + ignore_result(system("modprobe -s ipsec_aes")); + ignore_result(system("modprobe -s ipsec_blowfish")); + ignore_result(system("modprobe -s ipsec_sha2")); DBG2(DBG_APP, "found KLIPS IPsec stack"); return TRUE; --- src/starter/netkey.c +++ src/starter/netkey.c 2012/10/30 17:07:02 @@ -31,7 +31,7 @@ bool starter_netkey_init(void) /* af_key module makes the netkey proc interface visible */ if (stat(PROC_MODULES, &stb) == 0) { - ignore_result(system("modprobe -qv af_key")); + ignore_result(system("modprobe -s af_key")); } /* now test again */ @@ -45,11 +45,11 @@ bool starter_netkey_init(void) /* make sure that all required IPsec modules are loaded */ if (stat(PROC_MODULES, &stb) == 0) { - ignore_result(system("modprobe -qv ah4")); - ignore_result(system("modprobe -qv esp4")); - ignore_result(system("modprobe -qv ipcomp")); - ignore_result(system("modprobe -qv xfrm4_tunnel")); - ignore_result(system("modprobe -qv xfrm_user")); + ignore_result(system("modprobe -s ah4")); + ignore_result(system("modprobe -s esp4")); + ignore_result(system("modprobe -s ipcomp")); + ignore_result(system("modprobe -s xfrm4_tunnel")); + ignore_result(system("modprobe -s xfrm_user")); } DBG2(DBG_APP, "found netkey IPsec stack");
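Review bot: in strongswan_ipsec_service.patch, `Alias=ipsec.service` sits in the [Install] section, so the alias symlink is only created by `systemctl enable strongswan`; on a host where the unit is started without ever being enabled, `systemctl start ipsec` still fails to resolve. If the `ipsec` name must work unconditionally, install the symlink to strongswan.service as a packaged file instead of relying on [Install].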
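Review bot: in the first klips.c hunk of strongswan_modprobe_syslog.patch, replacing `-qv` with `-s` sends modprobe's messages to syslog but also drops `-q`, so a module that is absent from the running kernel (notably the algorithm modules loaded in the second klips.c hunk, ipsec_aes, ipsec_blowfish and ipsec_sha2) now logs a "module not found" error on every start instead of being silently skipped; `-qs` keeps the syslog destination while preserving the previous not-found suppression. The `ignore_result(system(...))` wrappers are untouched in all hunks, so the exit status is still not examined either way.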