From eae4995e599fc6d5bc407ea20203680d60f93714 Mon Sep 17 00:00:00 2001 From: Automatic Build System Date: Sat, 6 Jan 2024 08:17:14 +0100 Subject: [PATCH] automatic version update by autodist [release 2.6.39-1mamba;Wed Jun 05 2013] --- README.md | 5 ++ ipsec-gencert | 85 +++++++++++++++++++++ ipsec-initscript | 162 ++++++++++++++++++++++++++++++++++++++++ ipsec.conf | 82 ++++++++++++++++++++ openswan.spec | 191 +++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 525 insertions(+) create mode 100644 ipsec-gencert create mode 100644 ipsec-initscript create mode 100644 ipsec.conf create mode 100644 openswan.spec diff --git a/README.md b/README.md index cc9f50f..e3b65c2 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,7 @@ # openswan +Openswan is an IPsec implementation for Linux. It has support for most of the extensions (RFC + IETF drafts) related to IPsec, including X.509 Digital Certificates, NAT Traversal, and many others. +Openswan was originally based on FreeS/WAN 2.04 CVS, along with some minor bug fixes from 2.05 and 2.06. See CREDITS for the history. + +It also includes Andreas Steffan's X.509 Digital Certificate patch, NAT-Traversal code (based on Mathieu Lafon's work for Arkoon) and XAUTH Server support (based on Columbris's code). + diff --git a/ipsec-gencert b/ipsec-gencert new file mode 100644 index 0000000..ba4c597 --- /dev/null +++ b/ipsec-gencert 
@@ -0,0 +1,85 @@
+#! /bin/bash
+#
+# ipsec-gencert.sh - Create a client certificate signed by localhost CA
+#
+# Copyright (c) 2004 by Silvan Calarco
+# Copyright (c) 2004 by Davide Madrisan
+#
+# Release: 01/04/2004
+
+test $UID = 0 ||
+ { echo "error: $0: must be superuser" >&2
+ { (exit 1); exit 1; }; }
+
+unset DESTHOSTNAME REQFILE
+REQGENERATED=0
+
+function usage() {
+ echo "error: $0: missing parameter"
+ echo
+ echo "Use: ipsec-gencert.sh hostname [-r cert.req]"
+ echo " -r: use the certificate request file specified"
+ echo
+ exit 1
+}
+
+while [ $# -gt 0 ]; do
+ case $1 in
+ -r*)
+ if echo $1 | grep -q '='; then
+ REQFILE=`echo $1 | sed 's/^-r=//'`
+ else
+ REQFILE=$2
+ shift
+ fi ;;
+ *)
+ [ -z "$DESTHOSTNAME" ] && DESTHOSTNAME=$1 || usage ;;
+ esac
+ shift
+done
+
+[ -z "$DESTHOSTNAME" ] && usage
+
+if [ -z "$REQFILE" ]; then
+ REQFILE="/etc/ipsec.d/private/ipsec-$DESTHOSTNAME-key.pem"
+
+ openssl req -new -keyout /etc/ipsec.d/private/ipsec-$DESTHOSTNAME-key.pem \
+ -out $REQFILE -days 365 ||
+ { echo "error: failed to create certificate request." >&2
+ { (exit 1); exit 1; }; }
+
+ REQGENERATED=1
+fi
+
+# generate cert from request
+openssl ca -policy policy_anything \
+ -out /etc/ipsec.d/certs/ipsec-$DESTHOSTNAME-cert.pem \
+ -infiles $REQFILE ||
+ { echo "error: failed to sign request." >&2
+ { (exit 1); exit 1; }; }
+
+# export pkcs cert
+if [ "$REQGENERATED" = "1" ]; then
+ # remove request file
+ rm /var/ssl/ipsec-$DESTHOSTNAME-req.pem
+ openssl pkcs12 -export \
+ -in /etc/ipsec.d/certs/ipsec-$DESTHOSTNAME-cert.pem \
+ -inkey /etc/ipsec.d/private/ipsec-$DESTHOSTNAME-key.pem \
+ -certfile /var/ssl/cacert.pem \
+ -out /tmp/$DESTHOSTNAME.pl2
+else
+ openssl pkcs12 -export \
+ -in /etc/ipsec.d/certs/ipsec-$DESTHOSTNAME-cert.pem \
+ -certfile /var/ssl/cacert.pem \
+ -out /tmp/$DESTHOSTNAME.pl2 \
+ -nokeys
+fi
+
+[ $REQGENERATED -eq 1 ] &&
+ echo "Generated private keyfile: /etc/ipsec.d/private/ipsec-$DESTHOSTNAME-key.pem"
+
+echo "Generated certificate: /etc/ipsec.d/certs/ipsec-$DESTHOSTNAME-cert.pem"
+echo "Generated pkcs certificate: /tmp/$DESTHOSTNAME.pl2"
+
+exit 0
+
diff --git a/ipsec-initscript b/ipsec-initscript
new file mode 100644
index 0000000..edb852b
--- /dev/null
+++ b/ipsec-initscript
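Review bot: When no `-r` is given, `REQFILE` is set to the very path that `openssl req -keyout` writes the private key to, so the CSR and the key end up in one file, and the later `rm /var/ssl/ipsec-$DESTHOSTNAME-req.pem` deletes a path nothing in this script created; the request needs its own name, e.g. `REQFILE="/etc/ipsec.d/private/ipsec-$DESTHOSTNAME-req.pem"` and, after signing, `rm -f -- "$REQFILE"`. The PKCS#12 bundle, which in the first branch contains the private key, is written to the predictable world-writable location `/tmp/$DESTHOSTNAME.pl2` (presumably meant to be `.p12`), where any local user can pre-create or read it; write it under `/etc/ipsec.d/private` with `umask 077`, or take an explicit output path. `$DESTHOSTNAME` and `$REQFILE` are unquoted in every openssl invocation, so a hostname containing whitespace or glob characters splits the command line; quote them. `-days 365` on `openssl req -new` has no effect without `-x509`; the certificate lifetime here is decided by `openssl ca`.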
@@ -0,0 +1,162 @@
+#!/bin/sh
+# IPsec startup and shutdown script
+# Copyright (C) 1998, 1999, 2001 Henry Spencer.
+# Copyright (C) 2002 Michael Richardson
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: setup.in,v 1.118 2003/02/27 16:51:55 dhr Exp $
+#
+# ipsec init.d script for starting and stopping
+# the IPsec security subsystem (KLIPS and Pluto).
+#
+# This script becomes /etc/rc.d/init.d/ipsec (or possibly /etc/init.d/ipsec)
+# and is also accessible as "ipsec setup" (the preferred route for human
+# invocation).
+#
+# The startup and shutdown times are a difficult compromise (in particular,
+# it is almost impossible to reconcile them with the insanely early/late
+# times of NFS filesystem startup/shutdown). Startup is after startup of
+# syslog and pcmcia support; shutdown is just before shutdown of syslog.
+#
+# chkconfig: 2345 47 68
+# description: IPsec provides encrypted and authenticated communications; \
+# KLIPS is the kernel half of it, Pluto is the user-level management daemon.
+
+me='ipsec setup' # for messages
+
+
+# where the private directory and the config files are
+IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/lib/ipsec}"
+IPSEC_LIBDIR="${IPSEC_LIBDIR-/usr/lib/ipsec}"
+IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}"
+IPSEC_CONFS="${IPSEC_CONFS-/etc}"
+
+if test " $IPSEC_DIR" = " " # if we were not called by the ipsec command
+then
+ # we must establish a suitable PATH ourselves
+ PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
+ export PATH
+
+ IPSEC_DIR="$IPSEC_LIBDIR"
+ export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR
+fi
+
+# Check that the ipsec command is available.
+found=
+for dir in `echo $PATH | tr ':' ' '`
+do
+ if test -f $dir/ipsec -a -x $dir/ipsec
+ then
+ found=yes
+ break # NOTE BREAK OUT
+ fi
+done
+if ! test "$found"
+then
+ echo "cannot find ipsec command -- \`$1' aborted" |
+ logger -s -p daemon.error -t ipsec_setup
+ exit 1
+fi
+
+# accept a few flags
+
+export IPSEC_setupflags
+IPSEC_setupflags=""
+
+config=""
+
+for dummy
+do
+ case "$1" in
+ --showonly|--show) IPSEC_setupflags="$1" ;;
+ --config) config="--config $2" ; shift ;;
+ *) break ;;
+ esac
+ shift
+done
+
+
+# Pick up IPsec configuration (until we have done this, successfully, we
+# do not know where errors should go, hence the explicit "daemon.error"s.)
+# Note the "--export", which exports the variables created.
+eval `ipsec _confread $config --optional --varprefix IPSEC --export --type config setup`
+if test " $IPSEC_confreadstatus" != " "
+then
+ echo "$IPSEC_confreadstatus -- \`$1' aborted" |
+ logger -s -p daemon.error -t ipsec_setup
+ exit 1
+fi
+
+IPSEC_confreadsection=${IPSEC_confreadsection:-setup}
+export IPSEC_confreadsection
+
+IPSECsyslog=${IPSECsyslog-daemon.error}
+export IPSECsyslog
+
+# misc setup
+umask 022
+
+
+# do it
+case "$1" in
+ start|--start|stop|--stop|_autostop|_autostart)
+ if test " `id -u`" != " 0"
+ then
+ echo "permission denied (must be superuser)" |
+ logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
+ exit 1
+ fi
+ tmp=/var/run/ipsec_setup.st
+ (
+ ipsec _realsetup $1
+ echo "$?" >$tmp
+ ) 2>&1 | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
+ st=$?
+ if test -f $tmp
+ then
+ st=`cat $tmp`
+ rm -f $tmp
+ fi
+ exit $st
+ ;;
+
+ restart|--restart|force-reload)
+ $0 $IPSEC_setupflags stop
+ $0 $IPSEC_setupflags start
+ ;;
+
+ _autorestart) # for internal use only
+ $0 $IPSEC_setupflags _autostop
+ $0 $IPSEC_setupflags _autostart
+ ;;
+
+ status|--status)
+ ipsec _realsetup $1
+ exit
+ ;;
+
+ --version)
+ echo "$me $IPSEC_VERSION"
+ exit 0
+ ;;
+
+ --help)
+ echo "Usage: $me {--start|--stop|--restart|--status}"
+ exit 0
+ ;;
+
+ *)
+ echo "Usage: $me {--start|--stop|--restart|--status}" >&2
+ exit 2
+esac
+
+exit 0
diff --git a/ipsec.conf b/ipsec.conf
new file mode 100644
index 0000000..eb33f8d
--- /dev/null
+++ b/ipsec.conf
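Review bot: The `restart|--restart|force-reload` and `_autorestart` arms re-invoke `$0` with `$IPSEC_setupflags` only, so a `--config FILE` that the option loop stored in `$config` is dropped on the recursive stop/start calls, which then read the default configuration; pass it through, e.g. `$0 $IPSEC_setupflags $config stop`. The `start|stop` arm records the exit status in the fixed file `/var/run/ipsec_setup.st`, so two overlapping invocations overwrite each other's result and `st` may come from the other run; a `mktemp`-created file (or a per-PID name) removed on every exit path avoids that. `for dir in \`echo $PATH | tr ':' ' '\`` and the unquoted `test -f $dir/ipsec` break on PATH entries containing whitespace; `case` over `IFS=:` iteration would be safer. Separately, openswan.spec in this same commit leaves the `cp -f %{SOURCE1}` line commented out, so unless the upstream Makefile installs an identical copy, this script is presumably not the one that ends up as `%{_initrddir}/ipsec`.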
@@ -0,0 +1,82 @@
+# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
+# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $
+
+# This file: /usr/share/doc/freeswan/ipsec.conf-sample
+#
+# Manual: ipsec.conf.5
+#
+# Help:
+# http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/quickstart.html
+# http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/config.html
+# http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/adv_config.html
+#
+# Policy groups are enabled by default. See:
+# http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/policygroups.html
+#
+# Examples:
+# http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/examples
+
+
+version 2.0 # conforms to second version of ipsec.conf specification
+
+# basic configuration
+config setup
+ # Debug-logging controls: "none" for (almost) none, "all" for lots.
+ #klipsdebug=all
+ #plutodebug=dns
+ #interfaces="ipsec0=eth1"
+ #
+ # Note: default ipsec interface is take from %defaultroute
+ # if interfaces is modified from default %defaultroute is
+ # no longer valid
+
+# disable OE (eg. policy groups and packetdefault)
+conn block
+ auto=ignore
+
+conn private
+ auto=ignore
+
+conn private-or-clear
+ auto=ignore
+
+conn clear
+ auto=ignore
+
+conn packetdefault
+ auto=ignore
+
+conn clear-or-private
+ auto=ignore
+
+# sample VPN connections
+
+#conn net2net
+# left=10.10.10.5
+# leftsubnet=192.168.1.0/24
+# leftnexthop=10.10.10.1
+# right=10.20.20.2
+# rightsubnet=10.30.30.0/24
+# rightrsasigkey= # usually output of 'ipsec showhostkey --right' on remote host
+# auto=add
+
+#conn net2host
+# left=10.10.10.5
+# leftsubnet=192.168.1.0/24
+# leftnexthop=10.10.10.1
+# right=%any
+# rightid=@jimhall.in-qinet.it
+# rightrsasigkey= # usually output of 'ipsec showhostkey --right' on remote host
+# auto=add
+
+#conn host2net
+# left=%defaultroute
+# leftid=@jimhall.in-qinet.it
+# right=10.10.10.5
+# rightsubnet=192.168.1.0/24
+# rightrsasigkey= # usually output of 'ipsec showhostkey --right' on remote host
+# auto=add
+
+# Add connections here
+
+
diff --git a/openswan.spec b/openswan.spec
new file mode 100644
index 0000000..f9ba00c
--- /dev/null
+++ b/openswan.spec
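Review bot: The header still describes this as a FreeS/WAN file, points at `/usr/share/doc/freeswan/ipsec.conf-sample` and links freeswan-2.04 documentation, while the package it ships in is openswan 2.6.39; the comment block should name the installed `ipsec.conf(5)` and the package's own doc directory instead of freeswan.org URLs, which otherwise send an administrator to documentation for a different version of a different project. The commented sample connections carry a real-looking identity, `@jimhall.in-qinet.it`, in `rightid`/`leftid`; a neutral placeholder such as `@vpn.example.com` avoids shipping someone's hostname in a default configuration that users copy from. `config setup` sets no `protostack=`; if the build is meant for the NETKEY stack rather than KLIPS, an explicit `protostack=netkey` line would document that choice (confirm against the kernel the package targets).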
@@ -0,0 +1,191 @@ +Name: openswan +Version: 2.6.39 +Release: 1mamba +Summary: openswan is an implementation of IPSEC & IKE for Linux +Group: Network/Security +Vendor: openmamba +Distribution: openmamba +Packager: Silvan Calarco +Source0: http://www.openswan.com/download/openswan-%{version}.tar.gz +Source1: ipsec-initscript +Source2: ipsec.conf +Source3: ipsec-gencert +URL: http://www.openswan.com/ +License: GPL + # BSD (DES library), redistributable (MD5 implementation) +BuildRequires: libgmp-devel >= 4.1.2 +BuildRequires: libopenldap-devel >= 2.1.23 +BuildRequires: bind-devel +Requires: libgmp >= 4.1.2 +Requires: iproute >= 2.4.7 +Requires: perl +Conflicts: freeswan +BuildRoot: %{_tmppath}/%{name}-%{version}-build + +%description +Openswan is an IPsec implementation for Linux. It has support for most of the extensions (RFC + IETF drafts) related to IPsec, including X.509 Digital Certificates, NAT Traversal, and many others. +Openswan was originally based on FreeS/WAN 2.04 CVS, along with some minor bug fixes from 2.05 and 2.06. See CREDITS for the history. + +It also includes Andreas Steffan's X.509 Digital Certificate patch, NAT-Traversal code (based on Mathieu Lafon's work for Arkoon) and XAUTH Server support (based on Columbris's code). 
+
+%prep
+%setup -q
+
+%build
+ln freeswan linux/include/openswan -s
+make %{_smp_mflags} programs \
+ INC_USRLOCAL=%{_prefix} \
+ INC_MANDIR=/share/man \
+ FINALLIBEXECDIR=%{_libdir}/ipsec
+
+%install
+test x"$RPM_BUILD_ROOT" != x/ && rm -rf "$RPM_BUILD_ROOT"
+make install \
+ DESTDIR=$RPM_BUILD_ROOT \
+ INC_USRLOCAL=%{_prefix} \
+ INC_MANDIR=/share/man \
+ INC_RCDEFAULT=%{_initrddir} \
+ FINALLIBEXECDIR=%{_libdir}/ipsec
+
+#cp -f %{SOURCE1} $RPM_BUILD_ROOT%{_initrddir}/ipsec
+#mv %{buildroot}%{_initrddir}/setup %{buildroot}%{_initrddir}/ipsec
+
+cp -f %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/
+cp %{SOURCE3} $RPM_BUILD_ROOT%{_sbindir}
+
+install -d -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ipsec.d/cacerts
+install -d -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ipsec.d/certs
+install -d -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ipsec.d/crls
+install -d -m700 $RPM_BUILD_ROOT%{_sysconfdir}/ipsec.d/private
+
+%post
+# new install
+if [ $1 -eq 1 ]; then
+ # generate a fresh RSA key pair
+ if [ ! -f /etc/ipsec.secrets ]; then
+ ipsec newhostkey --output /etc/ipsec.secrets --hostname `hostname -f`
+ chmod 600 /etc/ipsec.secrets
+ fi
+fi
+exit 0
+
+%preun
+#erase
+if [ $1 -eq 0 ]; then
+ service ipsec stop
+ chkconfig --del ipsec
+fi
+exit 0
+
+%postun
+# upgrade
+if [ $1 -eq 1 ]; then
+ chkconfig ipsec && service ipsec restart
+fi
+exit 0
+
+%clean
+test x"$RPM_BUILD_ROOT" != x/ && rm -rf "$RPM_BUILD_ROOT"
+
+%files
+%defattr(-,root,root)
+%{_sbindir}/ipsec
+%{_sbindir}/ipsec-gencert
+%{_initrddir}/ipsec
+%dir %{_libdir}/ipsec
+%{_libdir}/ipsec/*
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
+%dir %{_sysconfdir}/ipsec.d
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/examples/*
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
+%{_sysconfdir}/ipsec.d/cacerts/
+%{_sysconfdir}/ipsec.d/certs/
+%{_sysconfdir}/ipsec.d/crls
+%attr(0700,root,root) %{_sysconfdir}/ipsec.d/private
+
+#%{_sysconfdir}/rc.d/rc0.d/*
+#%{_sysconfdir}/rc.d/rc1.d/*
+#%{_sysconfdir}/rc.d/rc2.d/*
+#%{_sysconfdir}/rc.d/rc3.d/*
+#%{_sysconfdir}/rc.d/rc4.d/*
+#%{_sysconfdir}/rc.d/rc5.d/*
+#%{_sysconfdir}/rc.d/rc6.d/*
+
+%dir %{_datadir}/doc/openswan
+%{_datadir}/doc/openswan/*
+%{_mandir}/man?/*
+%doc BUGS CHANGES COPYING CREDITS README
+
+%changelog
+* Wed Jun 05 2013 Automatic Build System 2.6.39-1mamba
+- automatic version update by autodist
+
+* Sat Apr 28 2012 Automatic Build System 2.6.38-1mamba
+- automatic version update by autodist
+
+* Mon Jul 25 2011 Automatic Build System 2.6.35-1mamba
+- automatic version update by autodist
+
+* Sun Jun 19 2011 Automatic Build System 2.6.34-1mamba
+- automatic update by autodist
+
+* Tue Feb 22 2011 Automatic Build System 2.6.33-1mamba
+- automatic update by autodist
+
+* Thu Dec 23 2010 Automatic Build System 2.6.32-1mamba
+- automatic update by autodist
+
+* Mon Dec 06 2010 Automatic Build System 2.6.31-1mamba
+- automatic update by autodist
+
+* Mon Aug 16 2010 Automatic Build System 2.6.28-1mamba
+- automatic update by autodist
+
+* Mon Jul 12 2010 Automatic Build System 2.6.27-2mamba
+- automatic rebuild by autodist
+
+* Sat Jun 26 2010 Automatic Build System 2.6.27-1mamba
+- automatic update by autodist
+
+* Tue Apr 27 2010 Automatic Build System 2.6.25-1mamba
+- automatic update by autodist
+
+* Mon Jan 25 2010 Automatic Build System 2.6.24-1mamba
+- automatic update by autodist
+
+* Tue Oct 13 2009 Automatic Build System 2.6.23-1mamba
+- automatic update by autodist
+
+* Sat Jul 04 2009 Automatic Build System 2.6.22-1mamba
+- automatic update by autodist
+
+* Sat Apr 04 2009 Silvan Calarco 2.6.21-1mamba
+- automatic update by autodist
+
+* Sun Mar 01 2009 Silvan Calarco 2.6.20-1mamba
+- automatic update by autodist
+
+* Sat Dec 13 2008 Silvan Calarco 2.6.19-1mamba
+- update to 2.6.19
+
+* Sat Oct 06 2007 Fabio Giani 2.4.6-1mamba
+- update to 2.4.6
+
+* Sun Jun 27 2004 Silvan Calarco 2.1.4-1qilnx
+- new version build
+
+* Tue May 27 2004 Silvan Calarco 2.1.2-2qilnx
+- some fixes to ipsec-gencert script
+
+* Thu May 20 2004 Silvan Calarco 2.1.2-1qilnx
+- new version build
+
+* Mon Apr 19 2004 Silvan Calarco 2.1.2rc3-1qilnx
+- new version build
+
+* Sun Apr 18 2004 Silvan Calarco 2.1.2rc2-1qilnx
+- new version build
+
+* Fri Apr 02 2004 Davide Madrisan 2.1.1-1qilnx
+- package creation
+
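Review bot: `cp %{SOURCE3} $RPM_BUILD_ROOT%{_sbindir}` installs ipsec-gencert with whatever mode the source file happens to have in the build tree, and `%files` sets no `%attr` for `%{_sbindir}/ipsec-gencert`, so the shipped tool may not be executable; use `install -m755 %{SOURCE3} $RPM_BUILD_ROOT%{_sbindir}/ipsec-gencert`. `Source1: ipsec-initscript` is declared but the only line that would install it is commented out, so `%{_initrddir}/ipsec` in `%files` comes from `make install INC_RCDEFAULT=%{_initrddir}` rather than from this source; either drop Source1 or restore the copy so the packaged script is the one in the repository. In `%post`, `ipsec newhostkey --output /etc/ipsec.secrets` creates the secrets file before `chmod 600` runs, so unless newhostkey itself creates it with a restrictive mode (not visible here) there is a window where the new host key is readable under the default umask; `(umask 077; ipsec newhostkey ...)` closes it. The unquoted `\`hostname -f\`` would also word-split on an unusual hostname; `"$(hostname -f)"` is safer.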