Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/libreswan.git#fdf40a922fca638095ac7dda5b8df75d296c967e
This commit is contained in:
DistroBaker 2021-02-06 07:23:36 +00:00
parent 902fc9ebcb
commit 33ba4cfac8
3 changed files with 35 additions and 42 deletions

1
.gitignore vendored
View File

@ -37,3 +37,4 @@
/libreswan-4.0.tar.gz
/libreswan-4.1.tar.gz
/libreswan-4.2rc1.tar.gz
/libreswan-4.2.tar.gz

View File

@ -3,54 +3,50 @@
%global with_efence 0
%global with_development 0
%global with_cavstests 1
# minimum version for support for rhbz#1651314
%global nss_version 3.44.0-8
%global nss_version 3.52
%global unbound_version 1.6.6
# Libreswan config options. With these settings, libreswan
# does not require its own FIPS validation. Only the system
# and NSS needs to be FIPS validated.
# Libreswan config options
%global libreswan_config \\\
SHELL_BINARY=/usr/bin/sh \\\
FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
FINALMANDIR=%{_mandir} \\\
PREFIX=%{_prefix} \\\
INITSYSTEM=systemd \\\
NSS_REQ_AVA_COPY=false \\\
NSS_HAS_IPSEC_PROFILE=true \\\
PYTHON_BINARY=%{__python3} \\\
SHELL_BINARY=%{_bindir}/sh \\\
USE_DNSSEC=true \\\
USE_FIPSCHECK=false \\\
USE_LABELED_IPSEC=true \\\
USE_LDAP=true \\\
USE_LIBCAP_NG=true \\\
USE_LIBCURL=true \\\
USE_LINUX_AUDIT=true \\\
USE_NM=true \\\
USE_NSS_IPSEC_PROFILE=true \\\
USE_SECCOMP=true \\\
USE_XAUTHPAM=true \\\
USE_NSS_KDF=false \\\
USE_AUTHPAM=true \\\
%{nil}
%global prever rc1
#global prever dr1
Name: libreswan
Summary: IKE implementation for IPsec with IKEv1 and IKEv2 support
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
# version is generated in the release script
Version: 4.2
Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
License: GPLv2
Url: https://libreswan.org/
Source0: https://download.libreswan.org/%{?prever:with_development/}%{name}-%{version}%{?prever}.tar.gz
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
%if 0%{with_cavstests}
Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif
BuildRequires: audit-libs-devel
BuildRequires: bison
BuildRequires: curl-devel
BuildRequires: flex
BuildRequires: gcc make
BuildRequires: hostname
BuildRequires: ldns-devel
BuildRequires: libcap-ng-devel
BuildRequires: libevent-devel
@ -58,12 +54,10 @@ BuildRequires: libseccomp-devel
BuildRequires: libselinux-devel
BuildRequires: nspr-devel
BuildRequires: nss-devel >= %{nss_version}
BuildRequires: nss-tools
BuildRequires: nss-tools >= %{nss_version}
BuildRequires: openldap-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: hostname
BuildRequires: redhat-rpm-config
BuildRequires: systemd-devel
BuildRequires: unbound-devel >= %{unbound_version}
BuildRequires: xmlto
@ -82,7 +76,7 @@ Requires(preun): systemd
Requires(postun): systemd
%description
Libreswan is an implementation of IKEv1 and IKEv2 for IPsec. IPsec is
Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is
the Internet Protocol Security and uses strong cryptography to provide
both authentication and encryption services. These services allow you
to build secure tunnels through untrusted networks. Everything passing
@ -99,41 +93,31 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
%prep
%setup -q -n libreswan-%{version}%{?prever}
# replace unsupported KLIPS README
echo "KLIPS is not supported with RHEL8" > README.KLIPS
# linking to freebl is not needed
sed -i "s/-lfreebl //" mk/config.mk
# enable crypto-policies support
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
# Restore -DALLOW_MICROSOFT_BAD_PROPOSAL for L2TP/IPsec
sed -i "s/-pthread$/-DALLOW_MICROSOFT_BAD_PROPOSAL -pthread/" mk/config.mk
%build
# link flags disable hardening because it fails on arm with what looks like gcc bugs in -Werror=lto-type-mismatch
make %{?_smp_mflags} \
%if 0%{with_development}
OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \
%else
OPTIMIZE_CFLAGS="%{optflags}" \
%endif
WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch -Wno-maybe-uninitialized" \
%if 0%{with_efence}
USE_EFENCE=true \
%endif
WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch -Wno-maybe-uninitialized" \
USERLINK="-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -flto --no-lto" \
USERLINK="%{?__global_ldflags} -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -flto --no-lto" \
%{libreswan_config} \
programs
FS=$(pwd)
%install
make \
DESTDIR=%{buildroot} \
%{libreswan_config} \
install
DESTDIR=%{buildroot} \
%{libreswan_config} \
install
FS=$(pwd)
rm -rf %{buildroot}/usr/share/doc/libreswan
rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
@ -143,10 +127,10 @@ install -d %{buildroot}%{_sbindir}
install -d %{buildroot}%{_sysconfdir}/sysctl.d
install -m 0644 packaging/fedora/libreswan-sysctl.conf \
%{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
%{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
echo "include %{_sysconfdir}/ipsec.d/*.secrets" \
> %{buildroot}%{_sysconfdir}/ipsec.secrets
> %{buildroot}%{_sysconfdir}/ipsec.secrets
rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
%if 0%{with_cavstests}
@ -167,9 +151,12 @@ bunzip2 *.fax.bz2
%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
diff -u ikev1_psk.fax - > /dev/null
: CAVS tests passed
%endif
# Some of these tests will show ERROR for negative testing - it will exit on real errors
%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; }
%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; }
: Algorithm parser tests passed
# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode
tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
@ -177,8 +164,6 @@ certutil -N -d sql:$tmpdir --empty-password
%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir
: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST
%endif
%post
%systemd_post ipsec.service
@ -198,16 +183,23 @@ certutil -N -d sql:$tmpdir --empty-password
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
%attr(0755,root,root) %dir %{_rundir}/pluto
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec/nss
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
%attr(0644,root,root) %{_unitdir}/ipsec.service
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec/nss
%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
%{_sbindir}/ipsec
%{_libexecdir}/ipsec
%attr(0644,root,root) %doc %{_mandir}/*/*
%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
%doc %{_mandir}/*/*
%changelog
* Wed Feb 03 2021 Paul Wouters <pwouters@redhat.com> - 4.2-1
- Update to 4.2
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.2-0.1.rc1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Sat Dec 19 19:59:55 EST 2020 Paul Wouters <pwouters@redhat.com> - 4.2-0.1.rc1
- Resolves: rhbz#1867580 pluto process frequently dumps core
(disable USE_NSS_KDF until nss fixes have propagated)

View File

@ -1,4 +1,4 @@
SHA512 (libreswan-4.2rc1.tar.gz) = e218a3edc0d16dcf12fac7e59d4672fa96e867b6d739e05f54db6646af00092c25980aaeb0d93285ce147329d90a4e998cfc2d8b86d69aa885e0e464b4869ea0
SHA512 (libreswan-4.2.tar.gz) = 290be2e36fb41959c9889597aad8ab5df1edc1999ed7315e8f2e50213de073732c91ad497a2b5634f7bc83bca84089ef9f711420a77309c6cce243f1419a2d0f
SHA512 (ikev1_dsa.fax.bz2) = 627cbac14248bd68e8d22fbca247668a7749ef0c2e41df8d776d62df9a21403d3a246c0bd82c3faedce62de90b9f91a87f753e17b056319000bba7d2038461ac
SHA512 (ikev1_psk.fax.bz2) = 1b2daec32edc56b410c036db2688c92548a9bd9914994bc7e555b301dd6db4497a6b3e89dc12ddf36826ae90b40fcde501a5a45c0d59098e07839073d219d467
SHA512 (ikev2.fax.bz2) = 0d3748d1bd574f6f1f3e4db847eca126ce649566ea710ef227426f433122752b80d1d6b8acf9d0df07b5597c1e45447e3a2fcb3391756e834e8e75f99df8e51e