* Tue Aug 11 2015 Paul Wouters <pwouters@redhat.com> - 3.15-1

- Updated to 3.15 (see http://download.libreswan.org/CHANGES)
- Resolves: rhbz#CVE-2015-3240 IKE daemon restart when receiving a bad DH gx
- NSS database creation moved from spec file to service file
- Run CAVS tests on package build
- Added BuildRequire systemd-units and xmlto
- Bumped minimum required nss to 3.16.1
- Install tmpfiles
- Install sysctl file
- Update doc files to include
This commit is contained in:
Paul Wouters 2015-08-24 23:23:01 -04:00
parent 15c749115b
commit 43d43de158
3 changed files with 94 additions and 48 deletions

5
.gitignore vendored
View File

@ -10,3 +10,8 @@
/libreswan-3.11.tar.gz /libreswan-3.11.tar.gz
/libreswan-3.12.tar.gz /libreswan-3.12.tar.gz
/libreswan-3.13.tar.gz /libreswan-3.13.tar.gz
/libreswan-3.14.tar.gz
/ikev1_dsa.fax.bz2
/ikev1_psk.fax.bz2
/ikev2.fax.bz2
/libreswan-3.15.tar.gz

View File

@ -11,19 +11,25 @@
%global fipscheck_version 1.3.0 %global fipscheck_version 1.3.0
%global buildefence 0 %global buildefence 0
%global development 0 %global development 0
%global cavstests 1
#global prever rc1 #global prever rc1
Name: libreswan Name: libreswan
Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
Version: 3.13 Version: 3.15
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist} Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
License: GPLv2 License: GPLv2
Url: https://www.libreswan.org/ Url: https://www.libreswan.org/
Source: https://download.libreswan.org/%{name}-%{version}%{?prever}.tar.gz Source0: https://download.libreswan.org/%{name}-%{version}%{?prever}.tar.gz
%if %{cavstests}
Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif
Group: System Environment/Daemons Group: System Environment/Daemons
BuildRequires: gmp-devel bison flex pkgconfig BuildRequires: gmp-devel bison flex pkgconfig
BuildRequires: systemd BuildRequires: systemd systemd-units
Requires(post): coreutils bash systemd Requires(post): coreutils bash systemd
Requires(preun): systemd Requires(preun): systemd
Requires(postun): systemd Requires(postun): systemd
@ -34,8 +40,9 @@ Provides: openswan = %{version}-%{release}
Provides: openswan-doc = %{version}-%{release} Provides: openswan-doc = %{version}-%{release}
BuildRequires: pkgconfig hostname BuildRequires: pkgconfig hostname
BuildRequires: nss-devel >= 3.14.3, nspr-devel BuildRequires: nss-devel >= 3.16.1, nspr-devel
BuildRequires: pam-devel BuildRequires: pam-devel
BuildRequires: libevent-devel
%if %{USE_DNSSEC} %if %{USE_DNSSEC}
BuildRequires: unbound-devel BuildRequires: unbound-devel
%endif %endif
@ -56,8 +63,7 @@ BuildRequires: openldap-devel curl-devel
%if %{buildefence} %if %{buildefence}
BuildRequires: ElectricFence BuildRequires: ElectricFence
%endif %endif
# Only needed if xml man pages are modified and need regeneration BuildRequires: xmlto
# BuildRequires: xmlto
Requires: nss-tools, nss-softokn Requires: nss-tools, nss-softokn
Requires: iproute >= 2.6.8 Requires: iproute >= 2.6.8
@ -84,11 +90,11 @@ sed -i "s:/usr/bin/python:/usr/bin/python3:" programs/verify/verify.in
%build %build
%if %{buildefence} %if %{buildefence}
%define efence "-lefence" %global efence "-lefence"
%endif %endif
#796683: -fno-strict-aliasing #796683: -fno-strict-aliasing
%{__make} \ make %{?_smp_mflags} \
%if %{development} %if %{development}
USERCOMPILE="-g -DGCC_LINT %(echo %{optflags} | sed -e s/-O[0-9]*/ /) %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \ USERCOMPILE="-g -DGCC_LINT %(echo %{optflags} | sed -e s/-O[0-9]*/ /) %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \
%else %else
@ -128,8 +134,7 @@ FS=$(pwd)
%endif %endif
%install %install
rm -rf %{buildroot} make \
%{__make} \
DESTDIR=%{buildroot} \ DESTDIR=%{buildroot} \
INC_USRLOCAL=%{_prefix} \ INC_USRLOCAL=%{_prefix} \
FINALLIBEXECDIR=%{_libexecdir}/ipsec \ FINALLIBEXECDIR=%{_libexecdir}/ipsec \
@ -146,59 +151,92 @@ install -d -m 0755 %{buildroot}%{_localstatedir}/run/pluto
install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer
install -d %{buildroot}%{_sbindir} install -d %{buildroot}%{_sbindir}
install -d %{buildroot}%{_sysconfdir}/sysctl.d
install -m 0644 packaging/fedora/libreswan-sysctl.conf \
%{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
install -d %{buildroot}%{_tmpfilesdir}
install -m 0644 packaging/fedora/libreswan-tmpfiles.conf \
%{buildroot}%{_tmpfilesdir}/libreswan.conf
%if %{USE_FIPSCHECK} %if %{USE_FIPSCHECK}
mkdir -p %{buildroot}%{_libdir}/fipscheck mkdir -p %{buildroot}%{_libdir}/fipscheck
install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/ install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/
install -m644 packaging/fedora/libreswan-prelink.conf %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf install -m644 packaging/fedora/libreswan-prelink.conf \
%{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
%endif %endif
echo "include %{_sysconfdir}/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets echo "include %{_sysconfdir}/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets
rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc* rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
%files %if %{cavstests}
%doc CHANGES COPYING CREDITS README LICENSE %check
%doc docs/*.* # There is an elaborate upstream testing infrastructure which we do not
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf # run here - it takes hours and uses kvm
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/pluto # We only run the CAVS tests.
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets cp %{SOURCE1} %{SOURCE2} %{SOURCE3} .
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d bunzip2 *.fax.bz2
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/cacerts : starting CAVS test for IKEv2
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/crls OBJ.linux.*/programs/pluto/cavp -v2 ikev2.fax | \
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies diff -u ikev2.fax - > /dev/null
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/* : starting CAVS test for IKEv1 RSASIG
%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer OBJ.linux.*/programs/pluto/cavp -v1sig ikev1_dsa.fax | \
%attr(0755,root,root) %dir %{_localstatedir}/run/pluto diff -u ikev1_dsa.fax - > /dev/null
%attr(0644,root,root) %{_unitdir}/ipsec.service : starting CAVS test for IKEv1 PSK
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto OBJ.linux.*/programs/pluto/cavp -v1psk ikev1_psk.fax | \
%{_sbindir}/ipsec diff -u ikev1_psk.fax - > /dev/null
%{_libexecdir}/ipsec : CAVS tests passed
%doc %{_mandir}/*/*
%if %{USE_FIPSCHECK}
%{_libdir}/fipscheck/*.hmac
# We own the directory so we don't have to require prelink
%attr(0755,root,root) %dir %{_sysconfdir}/prelink.conf.d/
%config(noreplace) %{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
%endif %endif
%post
%systemd_post ipsec.service
%preun %preun
%systemd_preun ipsec.service %systemd_preun ipsec.service
%postun %postun
%systemd_postun_with_restart ipsec.service %systemd_postun_with_restart ipsec.service
%post %files
%systemd_post ipsec.service %doc CHANGES COPYING CREDITS README* LICENSE
if [ ! -f %{_sysconfdir}/ipsec.d/cert8.db ] ; then %doc docs/*.* docs/examples
TEMPFILE=$(/bin/mktemp %{_sysconfdir}/ipsec.d/nsspw.XXXXXXX) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
[ $? -gt 0 ] && TEMPFILE=%{_sysconfdir}/ipsec.d/nsspw.$$ %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/pluto
echo > ${TEMPFILE} %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
certutil -N -f ${TEMPFILE} -d %{_sysconfdir}/ipsec.d %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
restorecon %{_sysconfdir}/ipsec.d/*db 2>/dev/null || : %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/v6neighbor-hole.conf
rm -f ${TEMPFILE} %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
fi %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
%attr(0700,root,root) %dir %{_localstatedir}/log/pluto
%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
%attr(0755,root,root) %dir %{_localstatedir}/run/pluto
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
%attr(0644,root,root) %{_unitdir}/ipsec.service
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
%{_sbindir}/ipsec
%{_libexecdir}/ipsec
%attr(0644,root,root) %doc %{_mandir}/*/*
%if %{USE_FIPSCHECK}
%{_libdir}/fipscheck/*.hmac
# We own the directory so we don't have to require prelink
%attr(0755,root,root) %dir %{_sysconfdir}/prelink.conf.d/
%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
%endif
%changelog %changelog
* Tue Aug 11 2015 Paul Wouters <pwouters@redhat.com> - 3.15-1
- Updated to 3.15 (see http://download.libreswan.org/CHANGES)
- Resolves: rhbz#CVE-2015-3240 IKE daemon restart when receiving a bad DH gx
- NSS database creation moved from spec file to service file
- Run CAVS tests on package build
- Added BuildRequire systemd-units and xmlto
- Bumped minimum required nss to 3.16.1
- Install tmpfiles
- Install sysctl file
- Update doc files to include
* Mon Jul 13 2015 Paul Wouters <pwouters@redhat.com> - 3.13-2 * Mon Jul 13 2015 Paul Wouters <pwouters@redhat.com> - 3.13-2
- Resolves: rhbz#1238967 Switch libreswan to use python3 - Resolves: rhbz#1238967 Switch libreswan to use python3

View File

@ -1 +1,4 @@
3dd97542c047f34ee0d5f3e61c3a4761 libreswan-3.13.tar.gz 719f41125bed347a38298dac232ec477 libreswan-3.15.tar.gz
d8b493de7179635a6ed2a4d0e1b35282 ikev1_dsa.fax.bz2
c4fe7041300e6c21f4561ce818b5002f ikev1_psk.fax.bz2
7716c48a1a2b17ba25e89b79889d4004 ikev2.fax.bz2