* Tue Aug 11 2015 Paul Wouters <pwouters@redhat.com> - 3.15-1

- Updated to 3.15 (see http://download.libreswan.org/CHANGES) - Resolves: rhbz#CVE-2015-3240 IKE daemon restart when receiving a bad DH gx - NSS database creation moved from spec file to service file - Run CAVS tests on package build - Added BuildRequire systemd-units and xmlto - Bumped minimum required nss to 3.16.1 - Install tmpfiles - Install sysctl file - Update doc files to include
2015-08-24 23:23:01 -04:00 · 2015-08-24 23:23:01 -04:00 · 43d43de158
commit 43d43de158
parent 15c749115b
3 changed files with 94 additions and 48 deletions
--- a/.gitignore
+++ b/.gitignore
@ -10,3 +10,8 @@
 /libreswan-3.11.tar.gz
 /libreswan-3.12.tar.gz
 /libreswan-3.13.tar.gz
 /libreswan-3.14.tar.gz
 /ikev1_dsa.fax.bz2
 /ikev1_psk.fax.bz2
 /ikev2.fax.bz2
 /libreswan-3.15.tar.gz
--- a/libreswan.spec
+++ b/libreswan.spec
@ -11,19 +11,25 @@
 %global fipscheck_version 1.3.0
 %global buildefence 0
 %global development 0
 %global cavstests 1
 #global prever rc1
 Name: libreswan
 Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
-Version: 3.13
+Version: 3.15
-Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
+Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
 License: GPLv2
 Url: https://www.libreswan.org/
-Source: https://download.libreswan.org/%{name}-%{version}%{?prever}.tar.gz
+Source0: https://download.libreswan.org/%{name}-%{version}%{?prever}.tar.gz
 %if %{cavstests}
 Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
 Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
 %endif
 Group: System Environment/Daemons
 BuildRequires: gmp-devel bison flex pkgconfig
-BuildRequires: systemd
+BuildRequires: systemd systemd-units
 Requires(post): coreutils bash systemd
 Requires(preun): systemd
 Requires(postun): systemd
@ -34,8 +40,9 @@ Provides: openswan = %{version}-%{release}
 Provides: openswan-doc = %{version}-%{release}
 BuildRequires: pkgconfig hostname
-BuildRequires: nss-devel >= 3.14.3, nspr-devel
+BuildRequires: nss-devel >= 3.16.1, nspr-devel
 BuildRequires: pam-devel
 BuildRequires: libevent-devel
 %if %{USE_DNSSEC}
 BuildRequires: unbound-devel
 %endif
@ -56,8 +63,7 @@ BuildRequires: openldap-devel curl-devel
 %if %{buildefence}
 BuildRequires: ElectricFence
 %endif
-# Only needed if xml man pages are modified and need regeneration
+BuildRequires: xmlto
 # BuildRequires: xmlto
 Requires: nss-tools, nss-softokn
 Requires: iproute >= 2.6.8
@ -84,11 +90,11 @@ sed -i "s:/usr/bin/python:/usr/bin/python3:" programs/verify/verify.in
 %build
 %if %{buildefence}
- %define efence "-lefence"
+ %global efence "-lefence"
 %endif
 #796683: -fno-strict-aliasing
-%{__make} \
+make %{?_smp_mflags} \
 %if %{development}
   USERCOMPILE="-g -DGCC_LINT %(echo %{optflags} | sed -e s/-O[0-9]*/ /) %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \
 %else
@ -128,8 +134,7 @@ FS=$(pwd)
 %endif
 %install
-rm -rf %{buildroot}
+make \
 %{__make} \
  DESTDIR=%{buildroot} \
  INC_USRLOCAL=%{_prefix} \
  FINALLIBEXECDIR=%{_libexecdir}/ipsec \
@ -142,63 +147,96 @@ FS=$(pwd)
 rm -rf %{buildroot}/usr/share/doc/libreswan
 install -d -m 0755 %{buildroot}%{_localstatedir}/run/pluto
-# used when setting --perpeerlog without --perpeerlogbase 
+# used when setting --perpeerlog without --perpeerlogbase
 install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer
 install -d %{buildroot}%{_sbindir}
 install -d %{buildroot}%{_sysconfdir}/sysctl.d
 install -m 0644 packaging/fedora/libreswan-sysctl.conf \
  %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
 install -d %{buildroot}%{_tmpfilesdir}
 install -m 0644 packaging/fedora/libreswan-tmpfiles.conf  \
  %{buildroot}%{_tmpfilesdir}/libreswan.conf
 %if %{USE_FIPSCHECK}
 mkdir -p %{buildroot}%{_libdir}/fipscheck
 install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/
-install -m644 packaging/fedora/libreswan-prelink.conf %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
+install -m644 packaging/fedora/libreswan-prelink.conf \
   %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
 %endif
 echo "include %{_sysconfdir}/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets
 rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
-%files
+%if %{cavstests}
-%doc CHANGES COPYING CREDITS README LICENSE
+%check
-%doc docs/*.*
+# There is an elaborate upstream testing infrastructure which we do not
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
+# run here - it takes hours and uses kvm
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/pluto
+# We only run the CAVS tests.
-%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
+cp %{SOURCE1} %{SOURCE2} %{SOURCE3} .
-%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
+bunzip2 *.fax.bz2
-%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/cacerts
+: starting CAVS test for IKEv2
-%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/crls
+OBJ.linux.*/programs/pluto/cavp -v2 ikev2.fax | \
-%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
+    diff -u ikev2.fax - > /dev/null
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
+: starting CAVS test for IKEv1 RSASIG
-%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
+OBJ.linux.*/programs/pluto/cavp -v1sig ikev1_dsa.fax | \
-%attr(0755,root,root) %dir %{_localstatedir}/run/pluto
+    diff -u ikev1_dsa.fax - > /dev/null
-%attr(0644,root,root) %{_unitdir}/ipsec.service
+: starting CAVS test for IKEv1 PSK
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
+OBJ.linux.*/programs/pluto/cavp -v1psk ikev1_psk.fax | \
-%{_sbindir}/ipsec
+    diff -u ikev1_psk.fax - > /dev/null
-%{_libexecdir}/ipsec
+: CAVS tests passed
 %doc %{_mandir}/*/*
 %if %{USE_FIPSCHECK}
 %{_libdir}/fipscheck/*.hmac
 # We own the directory so we don't have to require prelink
 %attr(0755,root,root) %dir %{_sysconfdir}/prelink.conf.d/
 %config(noreplace) %{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
 %endif
 %post
 %systemd_post ipsec.service
 %preun
 %systemd_preun ipsec.service
 %postun
 %systemd_postun_with_restart ipsec.service
-%post
+%files
-%systemd_post ipsec.service
+%doc CHANGES COPYING CREDITS README* LICENSE
-if [ ! -f %{_sysconfdir}/ipsec.d/cert8.db ] ; then
+%doc docs/*.* docs/examples
-    TEMPFILE=$(/bin/mktemp %{_sysconfdir}/ipsec.d/nsspw.XXXXXXX)
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
-    [ $? -gt 0 ] && TEMPFILE=%{_sysconfdir}/ipsec.d/nsspw.$$
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/pluto
-    echo > ${TEMPFILE}
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
-    certutil -N -f ${TEMPFILE} -d %{_sysconfdir}/ipsec.d
+%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
-    restorecon %{_sysconfdir}/ipsec.d/*db 2>/dev/null || :
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/v6neighbor-hole.conf
-    rm -f ${TEMPFILE}
+%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
-fi
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
 %attr(0700,root,root) %dir %{_localstatedir}/log/pluto
 %attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
 %attr(0755,root,root) %dir %{_localstatedir}/run/pluto
 %attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
 %attr(0644,root,root) %{_unitdir}/ipsec.service
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
 %{_sbindir}/ipsec
 %{_libexecdir}/ipsec
 %attr(0644,root,root) %doc %{_mandir}/*/*
 %if %{USE_FIPSCHECK}
 %{_libdir}/fipscheck/*.hmac
 # We own the directory so we don't have to require prelink
 %attr(0755,root,root) %dir %{_sysconfdir}/prelink.conf.d/
 %{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
 %endif
 %changelog
 * Tue Aug 11 2015 Paul Wouters <pwouters@redhat.com> - 3.15-1
 - Updated to 3.15 (see http://download.libreswan.org/CHANGES)
 - Resolves: rhbz#CVE-2015-3240 IKE daemon restart when receiving a bad DH gx
 - NSS database creation moved from spec file to service file
 - Run CAVS tests on package build
 - Added BuildRequire systemd-units and xmlto
 - Bumped minimum required nss to 3.16.1
 - Install tmpfiles
 - Install sysctl file
 - Update doc files to include
 * Mon Jul 13 2015 Paul Wouters <pwouters@redhat.com> - 3.13-2
 - Resolves: rhbz#1238967 Switch libreswan to use python3
--- a/5
+++ b/5
@ -1 +1,4 @@
-3dd97542c047f34ee0d5f3e61c3a4761  libreswan-3.13.tar.gz
+719f41125bed347a38298dac232ec477  libreswan-3.15.tar.gz
 d8b493de7179635a6ed2a4d0e1b35282  ikev1_dsa.fax.bz2
 c4fe7041300e6c21f4561ce818b5002f  ikev1_psk.fax.bz2
 7716c48a1a2b17ba25e89b79889d4004  ikev2.fax.bz2