%global _hardened_build 1
# These are rpm macros and are 0 or 1
#   with_efence      build against ElectricFence (USE_EFENCE in the build
#                    section); a debugging aid, keep at 0 for shipped packages
#   with_development replace the distro optflags with the hardened_cflags
#                    macro only (see the build section); also not for release
#   with_cavstests   ship the NIST CAVS vectors as sources and run them in
#                    the check stage; the algparse/pluto self-tests are not
#                    gated by it
%global with_efence 0
%global with_development 0
%global with_cavstests 1
# Minimum nss and unbound versions.  Both the BuildRequires and the Requires
# below reference these, so the runtime library is never older than the one
# the package was built and tested against.
%global nss_version 3.52
%global unbound_version 1.6.6
# Libreswan config options
# Make variables shared by the build and install invocations so both stages
# see the same feature set.  Most USE_ switches have a matching -devel
# BuildRequires below (libcap-ng, libseccomp, audit-libs, curl, openldap,
# pam).  Do not put comment lines inside the continuation: the macro expands
# into one backslash-continued shell command and a '#' line would end it
# early.
%global libreswan_config \\\
FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
FINALMANDIR=%{_mandir} \\\
PREFIX=%{_prefix} \\\
INITSYSTEM=systemd \\\
SHELL_BINARY=%{_bindir}/sh \\\
USE_DNSSEC=true \\\
USE_LABELED_IPSEC=true \\\
USE_LDAP=true \\\
USE_LIBCAP_NG=true \\\
USE_LIBCURL=true \\\
USE_LINUX_AUDIT=true \\\
USE_NM=true \\\
USE_NSS_IPSEC_PROFILE=true \\\
USE_SECCOMP=true \\\
USE_AUTHPAM=true \\\
%{nil}
#global prever dr1
Name: libreswan
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
# version is generated in the release script
Version: 4.15
Release: %autorelease
# The code in lib/libswan/nss_copies.c is under MPL-2.0, while the
# rest is under GPL-2.0-or-later
License: GPL-2.0-or-later AND MPL-2.0
Url: https://libreswan.org/
# Source0/Source1: the release tarball and its detached OpenPGP signature;
# the prep section verifies one against the other before unpacking.
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
Source1: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz.asc
# Source2: the signing key that verification trusts.  The URL only records
# where it came from; the build uses the copy kept with the package sources,
# so a change to this file is a trust decision and needs the same review as
# a key rotation.  Fetching it fresh from the download server would prove
# nothing if that server were compromised.
Source2: https://download.libreswan.org/LIBRESWAN-OpenPGP-KEY.txt
%if 0%{with_cavstests}
# NIST CAVS known-answer vectors, used by the check stage only.  They are
# not signature-checked; a tampered vector can only make the build fail,
# it cannot change what gets shipped.
Source3: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
Source4: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
Source5: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif
# Patch2 is a distro hardening patch: going by its name it makes the IKEv1
# policy default to drop.  It predates 4.15, so confirm it still applies
# cleanly on each rebase rather than letting autopatch fuzz it in.
Patch1: libreswan-4.15-ipsec_import.patch
Patch2: libreswan-4.6-ikev1-policy-defaults-to-drop.patch
Patch3: libreswan-4.15-ondemand-tcp.patch
Patch4: libreswan-4.15-netlink-extack.patch
# Build-time dependencies.  gnupg2 is presumably for the gpgverify step in
# prep; the *-devel packages back the USE_ switches in libreswan_config;
# certutil, used by the check stage, presumably comes from nss-tools.
BuildRequires: audit-libs-devel
BuildRequires: bison
BuildRequires: curl-devel
BuildRequires: flex
BuildRequires: gcc
BuildRequires: gnupg2
BuildRequires: hostname
BuildRequires: ldns-devel
BuildRequires: libcap-ng-devel
BuildRequires: libevent-devel
BuildRequires: libseccomp-devel
BuildRequires: libselinux-devel
BuildRequires: make
BuildRequires: nspr-devel
BuildRequires: nss-devel >= %{nss_version}
BuildRequires: nss-tools >= %{nss_version}
BuildRequires: openldap-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: systemd
BuildRequires: systemd-devel
BuildRequires: systemd-rpm-macros
BuildRequires: unbound-devel >= %{unbound_version}
BuildRequires: xmlto
%if 0%{with_efence}
BuildRequires: ElectricFence
%endif
# Runtime dependencies.  nss and unbound-libs carry the same minimum version
# as at build time.  NOTE(review): nss-tools has no minimum version here
# while its BuildRequires does - confirm that is intended.
Requires: iproute >= 2.6.8
Requires: nss >= %{nss_version}
Requires: nss-softokn
Requires: nss-tools
Requires: unbound-libs >= %{unbound_version}
Requires: logrotate
# for pidof
Requires: procps-ng
# Scriptlet dependencies: the post/preun/postun sections use the systemd
# macros; bash and coreutils are presumably for the sysctl_apply helper.
Requires(post): bash
Requires(post): coreutils
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
%description
Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is
the Internet Protocol Security and uses strong cryptography to provide
both authentication and encryption services. These services allow you
to build secure tunnels through untrusted networks. Everything passing
through the untrusted net is encrypted by the ipsec gateway machine and
decrypted by the gateway at the other end of the tunnel. The resulting
tunnel is a virtual private network or VPN.
This package contains the daemons and userland tools for setting up
Libreswan.
Libreswan also supports IKEv2 (RFC 7296) and Secure Labeling (labeled IPsec).
Libreswan is based on Openswan-2.6.38, which in turn is based on FreeS/WAN-2.04.
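%prep
# Verify the upstream tarball against its detached signature before anything
# is unpacked.  The keyring is Source2 and is reviewed as part of this
# package; nothing here fetches keys at build time.
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%setup -q -n libreswan-%{version}%{?prever}
# enable crypto-policies support: turn the commented-out include of the
# system-wide policy back-end in the shipped ipsec.conf template into a live one
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
# sed exits 0 even when the pattern no longer matches (e.g. upstream moved
# or renamed the line), which would silently ship a config that ignores the
# system crypto policy.  Fail the build instead.
grep -q '^[[:space:]]*include[[:space:]].*/crypto-policies/back-ends/libreswan\.config$' configs/ipsec.conf.in
%ifarch s390x
# throws error on s390x
sed -i "s/SUBDIRS += hunkcheck/#SUBDIRS += hunkcheck/" testing/programs/Makefile
%endif
# distro patches (see the Patch tags) are applied after the template edits
%autopatch -p1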
%build
# Compiler flags: OPTIMIZE_CFLAGS is where the distro optflags enter the
# build.  With with_development=1 they are replaced by the hardened_cflags
# macro alone (whatever that expands to on the build host), so a development
# build is a debugging aid, not a release configuration.
# WERROR_CFLAGS: -Werror keeps new warnings from landing silently; the three
# -Wno- entries are the known noise that would otherwise break the build.
# USERLINK: full RELRO and immediate binding (-z relro, -z now) on top of the
# distro ldflags.  NOTE(review): it is unclear from here why both -flto and
# --no-lto are passed - confirm with upstream before touching it.
# Comment lines must not be placed inside the continuation below; they
# would end the shell command early.
%make_build \
%if 0%{with_development}
OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \
%else
OPTIMIZE_CFLAGS="%{optflags}" \
%endif
WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch -Wno-maybe-uninitialized" \
%if 0%{with_efence}
USE_EFENCE=true \
%endif
USERLINK="%{?__global_ldflags} -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -flto --no-lto" \
%{libreswan_config} \
programs
# NOTE(review): the make invocation ended at 'programs', so this is a plain
# shell assignment that nothing in this section reads (each section runs in
# its own shell).  Presumably a leftover; the install section passes FS to
# make as an argument instead.
FS=$(pwd)
%install
# Same feature set as the build (libreswan_config); FS is passed to make here,
# unlike in the build section.
%make_install \
%{libreswan_config} \
FS=$(pwd)
# upstream installs its docs under a hard-coded /usr/share/doc; drop them so
# the doc entries in the files section are the only copy
rm -rf %{buildroot}/usr/share/doc/libreswan
# the *check helpers are not shipped
rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
# avoids python dependency and are old / aging tools that are not very useful
rm -rf %{buildroot}%{_libexecdir}/ipsec/show
rm -rf %{buildroot}%{_libexecdir}/ipsec/verify
# runtime directory for pluto; presumably recreated at boot by the tmpfiles
# entry listed in the files section - verify
install -d -m 0755 %{buildroot}%{_rundir}/pluto
install -d %{buildroot}%{_sbindir}
install -d %{buildroot}%{_sysctldir}
install -m 0644 packaging/fedora/libreswan-sysctl.conf \
%{buildroot}%{_sysctldir}/50-libreswan.conf
# Minimal ipsec.secrets that only pulls in per-connection secret files.
# It is written with the build umask; the files section sets it to 0600
# root-only, which is what ends up on the installed system.
echo "include %{_sysconfdir}/ipsec.d/*.secrets" \
> %{buildroot}%{_sysconfdir}/ipsec.secrets
# no SysV init scripts are shipped (INITSYSTEM=systemd above)
rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
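%check
# There is an elaborate upstream testing infrastructure which we do not
# run here - it takes hours and uses kvm
# We only run the CAVS tests and startup selftest
#
# The section marker is deliberately outside the with_cavstests conditional:
# the algparse and pluto self-tests below are not gated by it, and with the
# marker inside the conditional a with_cavstests=0 build would append them
# to the install stage instead of running them here.
%if 0%{with_cavstests}
# The CAVS vectors (Source3-5) are not signature-checked; each run is
# compared byte-for-byte against the known-answer file, so the pipeline's
# status is diff's and any mismatch aborts the section.
cp %{SOURCE3} %{SOURCE4} %{SOURCE5} .
bunzip2 *.fax.bz2
: starting CAVS test for IKEv2
%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \
diff -u ikev2.fax - > /dev/null
: starting CAVS test for IKEv1 RSASIG
%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \
diff -u ikev1_dsa.fax - > /dev/null
: starting CAVS test for IKEv1 PSK
%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
diff -u ikev1_psk.fax - > /dev/null
: CAVS tests passed
%endif
# Some of these tests will show ERROR for negative testing - it will exit on real errors
%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo proposal test failed; exit 1; }
%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; }
: Algorithm parser tests passed
# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode
# A throwaway NSS database with an empty password is enough for --selftest;
# the shipped database directory (sharedstatedir/ipsec/nss) is root-only and
# is not touched here.  The temporary directory is removed afterwards so a
# failed run is the only thing that leaves state behind.
tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
certutil -N -d sql:"$tmpdir" --empty-password
%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir "$tmpdir" --rundir "$tmpdir"
rm -rf "$tmpdir"
# Informational only: nothing above asserts the FIPS algorithm list, so the
# build log has to be read to confirm it is still NIST-compliant.
: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST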
%post
%systemd_post ipsec.service
# apply the shipped kernel settings immediately instead of waiting for the
# next boot
%sysctl_apply 50-libreswan.conf
%preun
%systemd_preun ipsec.service
%postun
# NOTE(review): on upgrade this restarts a running pluto onto the new binary;
# presumably active tunnels drop until they renegotiate - confirm that is
# acceptable for this package's users.
%systemd_postun_with_restart ipsec.service
%files
%doc CHANGES COPYING CREDITS README* LICENSE
%doc docs/*.* docs/examples
# Configuration.  ipsec.conf and the policy files are world-readable;
# everything that can hold secrets (ipsec.secrets, the ipsec.d tree, the
# NSS database directory below) is root-only, and the admin-edited files are
# marked noreplace so upgrades never overwrite them.
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
%attr(0644,root,root) %config(noreplace) %{_sysctldir}/50-libreswan.conf
# Run directory created in the install section.  0755 is the usual mode for a
# run directory; what pluto creates inside it is not controlled from here.
%attr(0755,root,root) %dir %{_rundir}/pluto
# Persistent state, including the NSS database directory: root-only.
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec/nss
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
%attr(0644,root,root) %{_unitdir}/ipsec.service
# PAM stack for pluto, presumably tied to USE_AUTHPAM; admin-editable, hence
# noreplace.
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
%{_sbindir}/ipsec
%{_libexecdir}/ipsec
%doc %{_mandir}/*/*
# the changelog is generated by the autochangelog macro, not maintained here
%changelog
%autochangelog