| author | thermi | 2015-11-20 11:21:05 +0100 |
|---|---|---|
| committer | thermi | 2015-11-20 11:21:05 +0100 |
| commit | 4aac09dc6b739bfa18a316408506d38d11277ea2 (patch) | |
| tree | ebfba041d02962d0e67a2062d545fc3d403715c8 | |
| parent | 7ae13cafb83e1968f03cafa2d4c9b132c5833acb (diff) | |
| download | aur-4aac09dc6b739bfa18a316408506d38d11277ea2.tar.gz | |
strongswan: Bump to 5.3.4-2
| -rw-r--r-- | .SRCINFO | 4 |
|---|---|---|
| -rw-r--r-- | CHANGELOG | 101 |
| -rw-r--r-- | PKGBUILD | 13 |

3 files changed, 13 insertions, 105 deletions
@@ -1,7 +1,7 @@ pkgbase = strongswan pkgdesc = open source IPsec implementation pkgver = 5.3.4 - pkgrel = 1 + pkgrel = 2 url = http://www.strongswan.org arch = i686 arch = x86_64 @@ -82,7 +82,9 @@ pkgbase = strongswan backup = etc/strongswan.d/charon/xcbc.conf backup = etc/strongswan.d/charon/chapoly.conf source = https://download.strongswan.org/strongswan-5.3.4.tar.bz2 + source = sigfix.patch sha256sums = 938ad1f7b612e039f1d32333f4865160be70f9fb3c207a31127d0168116459aa + sha256sums = 9f12c48bd4a82802107c0d171468e7e6a8a9d303df7838433b398add7d2cd25e pkgname = strongswan diff --git a/CHANGELOG b/CHANGELOG deleted file mode 100644 index dc57b2145f4b..000000000000 --- a/CHANGELOG +++ /dev/null 
@@ -1,101 +0,0 @@ -Added support for the ChaCha20/Poly1305 AEAD cipher specified in RFC 7539 and -RFC 7634 using the chacha20poly1305 ike/esp proposal keyword. - -The new chapoly plugin implements the cipher, if possible SSE-accelerated on x86/x64 -architectures. It is usable both in IKEv2 and the strongSwan libipsec ESP backend. -On Linux 4.2 or newer the kernel-netlink plugin can configure the cipher for ESP SAs. -The vici/swanctl interface now supports the configuration of auxiliary certification -authority information as CRL and OCSP URIs. - -In the bliss plugin the c_indices derivation using a SHA-512 based random oracle -has been fixed, generalized and standardized by employing the MGF1 mask generation -function with SHA-512. As a consequence BLISS signatures unsing the improved oracle -are not compatible with the earlier implementation. - -Support for auto=route with right=%any for transport mode connections has been -added (refer to #196-6 for details and some examples). - -The starter daemon does not flush IPsec policies and SAs anymore when it is stopped. -Already existing duplicate policies are now overwritten by the IKE daemon when it -installs its policies (695112d7b8, dc2fa791e4). Usually, there shouldn't be any -leftovers after the IKE daemon has been properly terminated, but if it crashes the kernel -state won't be cleaned up. Because earlier releases couldn't handle already existing -duplicate policies in the kernel, the starter daemon flushed them during shutdown so -the daemon would find a clean slate when was restarted. Since existing policies are not -a problem anymore this is no longer necessary. And in situations where installpolicies=no -is used policies shouldn't be flushed blindly anyway. - -Init limits can now optionally be enforced when initiating SAs via VICI. For this IKE_SAs -initiated by the daemon are now also counted as half-open SAs, which, as a side-effect, -fixes the status output while connecting (e.g. in ipsec status). 
- -Symmetric configuration of EAP methods in left|rightauth is now possible when mutual -EAP-only authentication is used (previously, the client had to configure rightauth=eap -or rightauth=any, which prevented it from using this same config as responder). - -The initiator flag in the IKEv2 header is compared again (wasn't the case since 5.0.0) and -packets that have the flag set incorrectly are again ignored (47a340e1f7, 5fee79d854). - -Implemented a demo Hardcopy Device IMC/IMV pair based on the "Hardcopy Device Health -Assessment Trusted Network Connect Binding" (HCD-TNC) document drafted by the IEEE -Printer Working Group (PWG), see HCD-IMC and HCD-IMV. - -Fixed IF-M segmentation which failed in the presence of multiple small attributes in front -of a huge attribute to be segmented (10f25a3dd9). - -Refcounting for allocated reqids has been fixed for situations where make-before-break -reauthentication is used and CHILD_SAs have already been rekeyed (3665adef19). - -Fixed a crash when retrying CHILD_SA rekeying due to a DH group mismatch (1729df9275). - -If multiple CA certificates are set in swanctl.conf (connections.<conn>.remote<suffix>.cacerts) -it is now enough if the certificate chain contains at least one of them, not all (774c8c3847). - -Referring to a CA certificate in ipsec.d/cacerts in a ca section does not cause duplicate -certificate requests anymore (was the case since 5.3.0, #842-10). CA certificates are -now atomically reloaded by ipsec rereadcacerts so unchanged certificates are always -available. The command now also reloads certificates referenced in CA sections. - -Inbound IKEv1 messages are now handled with different job priorities (a5c07be058). - -When strongSwan creates ASN.1 DN identities from strings, it now uses UTF8String -instead of T61String to encode RDNs that contain characters outside the character set -of PrintableString. 
- -The new pki --dn command extracts subject DistinguishedNames from certificates, -which is useful if the automatic identity parsing is unable to produce the correct -binary ASN.1 encoding of the DN from its string representation. - -To implement IPv6 NDP proxying via updown script (e.g. via ip -6 neigh add proxy) -the virtual IPs assigned to a client are now passed to the script (#1008). - -RADIUS Accounting Start messages are now correctly triggered for IKEv1 SAs when clients -don't do any Mode Config or XAuth exchanges during reauthentication (#937). - -Support for the Framed-IPv6-Address and DNS-Server-IPv6-Address RADIUS attributes has -been added. Virtual IPv6 addresses are now sent in Framed-IPv6-Address attributes in -RADIUS Accounting messages (#1001). - -Some fixes went into the HA plugin and related code: The jhash() function was updated -for Linux 4.1+ (93caf23e1b), NAT keepalives (edaba56ec7) and CHILD_SA rekeying -(e095d87bb6) are now disabled for passive SAs, and the remote address is synced -when an SA is first added (3434709460). Also, the use of AEAD algorithms in CHILD_SAs -has been fixed (#1051) and the control FIFO is recreated if it is no FIFO (fffee7c759). - -The buffer size for the Netlink receive buffer has been changed, the default is now the same -as in the kernel (a6896b6149, 197de6e66b). - -In particular for hosts with lots of routes an alternative faster source address lookup may be -used by setting charon.plugins.kernel-netlink.fwmark=!<mark> (6bd1216e7a). - -The kernel-pfkey plugin now can configure AES-GCM, which is supported on FreeBSD 11. - -Fixed some potential race conditions during shutdown of the daemon (#1014). - -Address resolution has been improved: If a local address is configured we use the same -address family when resolving the remote address (#993). If the remote address resolves -to %any during reauthentication or when reestablishing an SA we keep the current -address (#1027). 
- -A new option allows disabling the side-swapping based on the addresses/hostnames in -left|right, when the stroke plugin loads a config from ipsec.conf. @@ -10,7 +10,7 @@ pkgname=strongswan pkgver=5.3.4 -pkgrel=1 +pkgrel=2 pkgdesc="open source IPsec implementation" url='http://www.strongswan.org' license=("GPL") @@ -33,16 +33,23 @@ revocation.conf,sha1.conf,sha2.conf,socket-default.conf,sql.conf,sqlite.conf,ssh vici.conf,x509.conf,xauth-eap.conf,xauth-generic.conf,xcbc.conf,chapoly.conf} ) -source=("https://download.strongswan.org/strongswan-${pkgver}.tar.bz2") +source=("https://download.strongswan.org/strongswan-${pkgver}.tar.bz2" + "sigfix.patch") # md5 is broken. We use sha256 now. Alternatively, we could check the signature of the file, but that # doesn't yield any more security and just increases the work users initially have to invest. -sha256sums=('938ad1f7b612e039f1d32333f4865160be70f9fb3c207a31127d0168116459aa') +sha256sums=('938ad1f7b612e039f1d32333f4865160be70f9fb3c207a31127d0168116459aa' + '9f12c48bd4a82802107c0d171468e7e6a8a9d303df7838433b398add7d2cd25e') # We don't build libipsec because it would get loaded before kernel-netlink and netkey, which # would case processing to be handled in user space. Also, the plugin is experimental. If you need it, # add --enable-libipsec and --enable-kernel-libipsec +prepare() { + cd ${srcdir}/${pkgname}-${pkgver} + patch -p1 < ${srcdir}/sigfix.patch +} + build() { cd ${srcdir}/${pkgname}-${pkgver} |
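Review bot: the CHANGELOG hunk deletes the whole 101-line file, yet the commit message "strongswan: Bump to 5.3.4-2" says nothing about the removal (nor about the new sigfix.patch). A pkgrel bump is normally a packaging-only change, so the message should state what was removed and why. If the file is dropped because it only mirrors upstream's 5.3.4 release notes, say so in the message; otherwise keep it, since it is the only place in the package that documents what changed in this version.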
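Review bot: in the PKGBUILD hunk at @@ -33,16 +33,23 @@, sigfix.patch is added to source= and sha256sums= and applied in the new prepare(), but the file list shows only .SRCINFO, CHANGELOG and PKGBUILD changing, so the patch itself is not part of this commit and makepkg will fail on a missing local source until it is added. Please also put a one-line comment above prepare() stating what sigfix.patch changes and where it comes from (upstream commit or bug reference); the checksum alone lets nobody review its content. Minor: quote the expansions, `cd "${srcdir}/${pkgname}-${pkgver}"` and `patch -p1 < "${srcdir}/sigfix.patch"`, rather than copying the unquoted pattern from build() below.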