[strongswan/f18] Support for PT-TLS (RFC 6876)

avesh avesh at fedoraproject.org
Fri Nov 1 19:24:03 UTC 2013


commit 1c9aa914d819aa173f139617d97be923e3823be3
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Fri Nov 1 15:25:00 2013 -0400

    Support for PT-TLS  (RFC 6876)
    
    - Support for SWID IMC/IMV
    - Support for command line IKE client charon-cmd
    - Changed location of pki to /usr/bin
    - Added swid tags files
    - Added man pages for pki and charon-cmd
    - Renamed pki to strongswan-pki to avoid conflict with
      pki-core/pki-tools package.
    - Update local patches
    - Fixes CVE-2013-6075
    - Fixes CVE-2013-6076
    - Fixed autoconf/automake issue as configure.ac got changed
      and it required running autoreconf during the build process.
    - added strongswan signature file to the sources.
    - Fixed initialization crash of IMV and IMC particularly
      attestation imv/imc as libstrongswan was not getting
      initialized.
    - Enabled fips support
    - Enabled TNC's ifmap support
    - Enabled TNC's pdp support
    - Fixed hardcoded package name in this spec file

 .gitignore                         |    2 +
 libstrongswan-plugin.patch         |    6 ++--
 libstrongswan-settings-debug.patch |    6 ++--
 malloc-speed-lrt.patch             |   24 --------------
 sources                            |    3 +-
 strongswan-init.patch              |   32 ++++++++++----------
 strongswan-pts-ecp-disable.patch   |    6 ++--
 strongswan.spec                    |   59 ++++++++++++++++++++++++++++++-----
 8 files changed, 79 insertions(+), 59 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index ee1d37e..caf2c88 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,5 @@
 /strongswan-5.0.3.tar.bz2
 /strongswan-5.0.4.tar.bz2
 /strongswan-5.1.0.tar.bz2
+/strongswan-5.1.1.tar.bz2
+/strongswan-5.1.1.tar.bz2.sig
diff --git a/libstrongswan-plugin.patch b/libstrongswan-plugin.patch
index ce0951d..f204a1e 100644
--- a/libstrongswan-plugin.patch
+++ b/libstrongswan-plugin.patch
@@ -1,6 +1,6 @@
-diff -urNp strongswan-5.1.0-patched/src/libstrongswan/plugins/plugin_loader.c strongswan-5.1.0-current/src/libstrongswan/plugins/plugin_loader.c
---- strongswan-5.1.0-patched/src/libstrongswan/plugins/plugin_loader.c	2013-08-06 17:16:36.266031511 -0400
-+++ strongswan-5.1.0-current/src/libstrongswan/plugins/plugin_loader.c	2013-08-06 17:49:15.703354848 -0400
+diff -urNp strongswan-5.1.1-patched/src/libstrongswan/plugins/plugin_loader.c strongswan-5.1.1-current/src/libstrongswan/plugins/plugin_loader.c
+--- strongswan-5.1.1-patched/src/libstrongswan/plugins/plugin_loader.c	2013-11-01 13:12:06.046927153 -0400
++++ strongswan-5.1.1-current/src/libstrongswan/plugins/plugin_loader.c	2013-11-01 13:16:59.680916657 -0400
 @@ -353,7 +353,7 @@ static plugin_entry_t *load_plugin(priva
  			return NULL;
  		}
diff --git a/libstrongswan-settings-debug.patch b/libstrongswan-settings-debug.patch
index 66bca56..692690d 100644
--- a/libstrongswan-settings-debug.patch
+++ b/libstrongswan-settings-debug.patch
@@ -1,6 +1,6 @@
-diff -urNp strongswan-5.1.0-patched/src/libstrongswan/utils/settings.c strongswan-5.1.0-current/src/libstrongswan/utils/settings.c
---- strongswan-5.1.0-patched/src/libstrongswan/utils/settings.c	2013-08-06 17:16:36.244031484 -0400
-+++ strongswan-5.1.0-current/src/libstrongswan/utils/settings.c	2013-08-06 17:52:43.272606717 -0400
+diff -urNp strongswan-5.1.1-patched/src/libstrongswan/utils/settings.c strongswan-5.1.1-current/src/libstrongswan/utils/settings.c
+--- strongswan-5.1.1-patched/src/libstrongswan/utils/settings.c	2013-11-01 13:12:06.034927154 -0400
++++ strongswan-5.1.1-current/src/libstrongswan/utils/settings.c	2013-11-01 13:18:56.230912491 -0400
 @@ -960,7 +960,7 @@ static bool parse_file(linked_list_t *co
  	{
  		if (errno == ENOENT)
diff --git a/sources b/sources
index 388cdfe..b3b0e07 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
-c1cd0a3ba9960f590cae28c8470800e8  strongswan-5.1.0.tar.bz2
+e3af3d493d22286be3cd794533a8966a  strongswan-5.1.1.tar.bz2
+5381c48d5cabec932aa2904abde93cd3  strongswan-5.1.1.tar.bz2.sig
diff --git a/strongswan-init.patch b/strongswan-init.patch
index ccd653a..eb29bdb 100644
--- a/strongswan-init.patch
+++ b/strongswan-init.patch
@@ -1,7 +1,7 @@
-diff -urNp strongswan-5.1.0-patched/configure.ac strongswan-5.1.0-current/configure.ac
---- strongswan-5.1.0-patched/configure.ac	2013-08-06 17:16:36.279031528 -0400
-+++ strongswan-5.1.0-current/configure.ac	2013-08-06 17:35:01.750380445 -0400
-@@ -1311,6 +1311,8 @@ AC_CONFIG_FILES([
+diff -urNp strongswan-5.1.1-patched/configure.ac strongswan-5.1.1-current/configure.ac
+--- strongswan-5.1.1-patched/configure.ac	2013-11-01 13:12:05.964927156 -0400
++++ strongswan-5.1.1-current/configure.ac	2013-11-01 13:12:24.357926499 -0400
+@@ -1330,6 +1330,8 @@ AC_CONFIG_FILES([
  	man/Makefile
  	init/Makefile
  	init/systemd/Makefile
@@ -10,9 +10,9 @@ diff -urNp strongswan-5.1.0-patched/configure.ac strongswan-5.1.0-current/config
  	src/Makefile
  	src/include/Makefile
  	src/libstrongswan/Makefile
-diff -urNp strongswan-5.1.0-patched/init/Makefile.am strongswan-5.1.0-current/init/Makefile.am
---- strongswan-5.1.0-patched/init/Makefile.am	2013-08-06 17:16:36.279031528 -0400
-+++ strongswan-5.1.0-current/init/Makefile.am	2013-08-06 17:36:19.905472912 -0400
+diff -urNp strongswan-5.1.1-patched/init/Makefile.am strongswan-5.1.1-current/init/Makefile.am
+--- strongswan-5.1.1-patched/init/Makefile.am	2013-11-01 13:12:05.966927156 -0400
++++ strongswan-5.1.1-current/init/Makefile.am	2013-11-01 13:12:24.357926499 -0400
 @@ -1,5 +1,5 @@
  
 -SUBDIRS =
@@ -20,14 +20,14 @@ diff -urNp strongswan-5.1.0-patched/init/Makefile.am strongswan-5.1.0-current/in
  
  if HAVE_SYSTEMD
    SUBDIRS += systemd
-diff -urNp strongswan-5.1.0-patched/init/sysvinit/Makefile.am strongswan-5.1.0-current/init/sysvinit/Makefile.am
---- strongswan-5.1.0-patched/init/sysvinit/Makefile.am	1969-12-31 19:00:00.000000000 -0500
-+++ strongswan-5.1.0-current/init/sysvinit/Makefile.am	2013-07-31 15:56:21.919959000 -0400
+diff -urNp strongswan-5.1.1-patched/init/sysvinit/Makefile.am strongswan-5.1.1-current/init/sysvinit/Makefile.am
+--- strongswan-5.1.1-patched/init/sysvinit/Makefile.am	1969-12-31 19:00:00.000000000 -0500
++++ strongswan-5.1.1-current/init/sysvinit/Makefile.am	2013-11-01 13:12:24.358926499 -0400
 @@ -0,0 +1 @@
 +noinst_DATA = strongswan
-diff -urNp strongswan-5.1.0-patched/init/sysvinit/strongswan strongswan-5.1.0-current/init/sysvinit/strongswan
---- strongswan-5.1.0-patched/init/sysvinit/strongswan	1969-12-31 19:00:00.000000000 -0500
-+++ strongswan-5.1.0-current/init/sysvinit/strongswan	2013-07-31 15:56:21.920958000 -0400
+diff -urNp strongswan-5.1.1-patched/init/sysvinit/strongswan strongswan-5.1.1-current/init/sysvinit/strongswan
+--- strongswan-5.1.1-patched/init/sysvinit/strongswan	1969-12-31 19:00:00.000000000 -0500
++++ strongswan-5.1.1-current/init/sysvinit/strongswan	2013-11-01 13:12:24.358926499 -0400
 @@ -0,0 +1,100 @@
 +#!/bin/sh
 +#
@@ -129,9 +129,9 @@ diff -urNp strongswan-5.1.0-patched/init/sysvinit/strongswan strongswan-5.1.0-cu
 +        exit 2
 +esac
 +exit $?
-diff -urNp strongswan-5.1.0-patched/init/sysvinit/strongswan.in strongswan-5.1.0-current/init/sysvinit/strongswan.in
---- strongswan-5.1.0-patched/init/sysvinit/strongswan.in	1969-12-31 19:00:00.000000000 -0500
-+++ strongswan-5.1.0-current/init/sysvinit/strongswan.in	2013-07-31 15:56:21.919959000 -0400
+diff -urNp strongswan-5.1.1-patched/init/sysvinit/strongswan.in strongswan-5.1.1-current/init/sysvinit/strongswan.in
+--- strongswan-5.1.1-patched/init/sysvinit/strongswan.in	1969-12-31 19:00:00.000000000 -0500
++++ strongswan-5.1.1-current/init/sysvinit/strongswan.in	2013-11-01 13:12:24.359926499 -0400
 @@ -0,0 +1,100 @@
 +#!/bin/sh
 +#
diff --git a/strongswan-pts-ecp-disable.patch b/strongswan-pts-ecp-disable.patch
index 59054eb..4f5c141 100644
--- a/strongswan-pts-ecp-disable.patch
+++ b/strongswan-pts-ecp-disable.patch
@@ -1,6 +1,6 @@
-diff -urNp strongswan-5.1.0-patched/src/libpts/pts/pts_dh_group.c strongswan-5.1.0-current/src/libpts/pts/pts_dh_group.c
---- strongswan-5.1.0-patched/src/libpts/pts/pts_dh_group.c	2013-08-06 17:16:36.238031476 -0400
-+++ strongswan-5.1.0-current/src/libpts/pts/pts_dh_group.c	2013-08-06 17:44:48.005036651 -0400
+diff -urNp strongswan-5.1.1-patched/src/libpts/pts/pts_dh_group.c strongswan-5.1.1-current/src/libpts/pts/pts_dh_group.c
+--- strongswan-5.1.1-patched/src/libpts/pts/pts_dh_group.c	2013-11-01 13:12:05.985927156 -0400
++++ strongswan-5.1.1-current/src/libpts/pts/pts_dh_group.c	2013-11-01 13:15:12.192920500 -0400
 @@ -74,6 +74,16 @@ bool pts_dh_group_probe(pts_dh_group_t *
  	{
  		DBG1(DBG_PTS, format2, "mandatory", diffie_hellman_group_names,
diff --git a/strongswan.spec b/strongswan.spec
index 33ccdbd..b5f7226 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -8,8 +8,8 @@
 %endif
 
 Name:           strongswan
-Version:        5.1.0
-Release:        2%{?dist}
+Version:        5.1.1
+Release:        1%{?dist}
 Summary:        An OpenSource IPsec-based VPN Solution
 Group:          System Environment/Daemons
 License:        GPLv2+
@@ -19,9 +19,8 @@ Patch0:         strongswan-init.patch
 Patch1:         strongswan-pts-ecp-disable.patch
 Patch2:         libstrongswan-plugin.patch
 Patch3:         libstrongswan-settings-debug.patch
-Patch4:         malloc-speed-lrt.patch
 
-BuildRequires:  gmp-devel
+BuildRequires:  gmp-devel autoconf automake
 BuildRequires:  libcurl-devel
 BuildRequires:  openldap-devel
 BuildRequires:  openssl-devel
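Review bot: The upstream signature is uploaded (the `sources` hunk adds `strongswan-5.1.1.tar.bz2.sig`), but no spec hunk references or verifies it: nothing is added beside the `Patch`/`BuildRequires` lines here, and no verification step appears in `%prep`. The `sources` entries look like MD5 digests, so as far as the diff shows, the signature is the only strong integrity check on the tarball and it is never exercised during the build. I would declare it in the preamble, e.g. `Source1: <upstream-url>/%{name}-%{version}.tar.bz2.sig` plus a `Source2` keyring holding the upstream release key, and run `gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}` before `%setup`, with `gnupg2` added to `BuildRequires`. The `Source` lines themselves sit above this hunk and are not visible, so confirm that none already covers the `.sig`.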
@@ -80,18 +79,18 @@ implementation possessing a standard IF-IMC/IMV interface.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
-%patch4 -p1
 
 echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1" > README.Fedora
 
 %build
 # for initscript patch to work
-#autoreconf
+autoreconf
 %configure --disable-static \
     --with-ipsec-script=%{name} \
     --sysconfdir=%{_sysconfdir}/%{name} \
     --with-ipsecdir=%{_libexecdir}/%{name} \
     --with-ipseclibdir=%{_libdir}/%{name} \
+    --with-fips-mode=2 \
     --with-tss=trousers \
     --enable-openssl \
     --enable-md4 \
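Review bot: `--with-fips-mode=2` is added with no comment on what mode 2 selects or what it requires of the host, and the same `%configure` call still passes `--enable-md4` three lines further down. If this option only sets the default FIPS mode requested by the openssl plugin (as upstream's configure help suggests, please confirm), then plugins such as md4 stay outside that restriction, and the changelog's "Enabled fips support" overstates what the package enforces. It is also worth checking on a host whose OpenSSL cannot enter FIPS mode that the openssl plugin still loads with this default. A comment above `%configure`, next to the existing `# for initscript patch to work`, would record the intent, for example `# fips-mode=2 is the openssl plugin's default only; non-openssl plugins (md4, ...) are not restricted`. The `%configure` invocation continues past the end of this hunk.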
@@ -105,6 +104,8 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro
     --enable-farp \
     --enable-dhcp \
     --enable-sqlite \
+    --enable-tnc-ifmap \
+    --enable-tnc-pdp \
     --enable-imc-test \
     --enable-imv-test \
     --enable-imc-scanner \
@@ -113,6 +114,8 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro
     --enable-imv-attestation \
     --enable-imv-os \
     --enable-imc-os \
+    --enable-imc-swid \
+    --enable-imv-swid \
     --enable-eap-tnc \
     --enable-tnccs-20 \
     --enable-tnccs-11 \
@@ -122,6 +125,7 @@ echo "For migration from 4.6 to 5.0 see http://wiki.strongswan.org/projects/stro
     --enable-eap-radius \
     --enable-curl \
     --enable-eap-identity \
+    --enable-cmd \
     %{?_enable_nm}
 
 
@@ -132,8 +136,8 @@ sed -i 's/\t/    /' src/strongswan.conf src/starter/ipsec.conf
 make install DESTDIR=%{buildroot}
 # prefix man pages
 for i in %{buildroot}%{_mandir}/*/*; do
-    if echo "$i" | grep -vq '/strongswan[^\/]*$'; then
-        mv "$i" "`echo "$i" | sed -re 's|/([^/]+)$|/strongswan_\1|'`"
+    if echo "$i" | grep -vq '/%{name}[^\/]*$'; then
+        mv "$i" "`echo "$i" | sed -re 's|/([^/]+)$|/%{name}_\1|'`"
     fi
 done
 # delete unwanted library files
@@ -148,6 +152,8 @@ chmod 700 %{buildroot}%{_sysconfdir}/%{name}
 %else
 install -D -m 755 init/sysvinit/%{name} %{buildroot}/%{_initddir}/%{name}
 %endif
+#rename /usr/bin/pki to avoid conflict with pki-core/pki-tools
+mv %{buildroot}%{_bindir}/pki %{buildroot}%{_bindir}/%{name}-pki
 
 # Create ipsec.d directory tree.
 install -d -m 700 %{buildroot}%{_sysconfdir}/%{name}/ipsec.d
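Review bot: The rename `mv %{buildroot}%{_bindir}/pki %{buildroot}%{_bindir}/%{name}-pki` gives the binary a hyphenated name, while the man-page loop earlier in `%install` prefixes pages with `%{name}_`. As a result the `%files` hunk lists `%{_bindir}/%{name}-pki` next to `%{_mandir}/man1/%{name}_pki*.1.gz`, and `man strongswan-pki` will not find the page for the certificate tool. Either rename the pki pages to match the binary after the loop, or record the mapping for users, e.g. `echo "pki is installed as %{name}-pki; its man pages are %{name}_pki*" >> README.Fedora`. Anything that invokes the tool by its upstream name `pki` (wrapper scripts, examples in the shipped man pages) presumably needs the same check, though none of that is visible in this diff.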
@@ -256,13 +262,15 @@ fi
 %{_libexecdir}/%{name}/_updown_espmark
 %{_libexecdir}/%{name}/charon
 %{_libexecdir}/%{name}/openac
-%{_libexecdir}/%{name}/pki
 %{_libexecdir}/%{name}/scepclient
 %{_libexecdir}/%{name}/starter
 %{_libexecdir}/%{name}/stroke
 %{_libexecdir}/%{name}/_imv_policy
 %{_libexecdir}/%{name}/imv_policy_manager
+%{_bindir}/%{name}-pki
+%{_sbindir}/charon-cmd
 %{_sbindir}/%{name}
+%{_mandir}/man1/%{name}_pki*.1.gz
 %{_mandir}/man5/%{name}.conf.5.gz
 %{_mandir}/man5/%{name}_ipsec.conf.5.gz
 %{_mandir}/man5/%{name}_ipsec.secrets.5.gz
@@ -271,6 +279,7 @@ fi
 %{_mandir}/man8/%{name}__updown_espmark.8.gz
 %{_mandir}/man8/%{name}_openac.8.gz
 %{_mandir}/man8/%{name}_scepclient.8.gz
+%{_mandir}/man8/%{name}_charon-cmd.8.gz
 
 %files tnc-imcvs
 %dir %{_libdir}/%{name}
@@ -287,10 +296,12 @@ fi
 %{_libdir}/%{name}/imcvs/imc-scanner.so
 %{_libdir}/%{name}/imcvs/imc-test.so
 %{_libdir}/%{name}/imcvs/imc-os.so
+%{_libdir}/%{name}/imcvs/imc-swid.so
 %{_libdir}/%{name}/imcvs/imv-attestation.so
 %{_libdir}/%{name}/imcvs/imv-scanner.so
 %{_libdir}/%{name}/imcvs/imv-test.so
 %{_libdir}/%{name}/imcvs/imv-os.so
+%{_libdir}/%{name}/imcvs/imv-swid.so
 %dir %{_libdir}/%{name}/plugins
 %{_libdir}/%{name}/plugins/lib%{name}-pkcs7.so
 %{_libdir}/%{name}/plugins/lib%{name}-sqlite.so
@@ -302,9 +313,16 @@ fi
 %{_libdir}/%{name}/plugins/lib%{name}-tnccs-11.so
 %{_libdir}/%{name}/plugins/lib%{name}-tnccs-dynamic.so
 %{_libdir}/%{name}/plugins/lib%{name}-eap-radius.so
+%{_libdir}/%{name}/plugins/lib%{name}-tnc-ifmap.so
+%{_libdir}/%{name}/plugins/lib%{name}-tnc-pdp.so
 %dir %{_libexecdir}/%{name}
 %{_libexecdir}/%{name}/attest
 %{_libexecdir}/%{name}/pacman
+%{_libexecdir}/%{name}/pt-tls-client
+#swid files
+%{_libexecdir}/%{name}/*.swidtag
+%dir %{_datadir}/regid.2004-03.org.%{name}
+%{_datadir}/regid.2004-03.org.%{name}/*.swidtag
 
 %if 0%{?enable_nm}
 %files charon-nm
@@ -314,6 +332,29 @@ fi
 
 
 %changelog
+* Fri Nov 1 2013 Avesh Agarwal <avagarwa at redhat.com> - 5.1.1-1
+- Support for PT-TLS  (RFC 6876)
+- Support for SWID IMC/IMV
+- Support for command line IKE client charon-cmd
+- Changed location of pki to /usr/bin
+- Added swid tags files
+- Added man pages for pki and charon-cmd
+- Renamed pki to strongswan-pki to avoid conflict with
+  pki-core/pki-tools package.
+- Update local patches
+- Fixes CVE-2013-6075
+- Fixes CVE-2013-6076
+- Fixed autoconf/automake issue as configure.ac got changed
+  and it required running autoreconf during the build process.
+- added strongswan signature file to the sources.
+- Fixed initialization crash of IMV and IMC particularly
+  attestation imv/imc as libstrongswas was not getting
+  initialized.
+- Enabled fips support
+- Enabled TNC's ifmap support
+- Enabled TNC's pdp support
+- Fixed hardocded package name in this spec file
+
 * Wed Aug 7 2013 Avesh Agarwal <avagarwa at redhat.com> - 5.1.0-2
 - Fixed linker error when compilating malloc-speed that
   lrt is missing. Did not have this problem on f19 and F20.

