* Wed Jun 27 2018 Paul Wouters <pwouters@redhat.com> - 3.25-1

- Updated to 3.25
2018-06-27 14:09:50 -04:00 · 2018-06-27 14:09:50 -04:00 · 6ce6d0ad52
commit 6ce6d0ad52
parent 116877462f
3 changed files with 70 additions and 135 deletions
--- a/.gitignore
+++ b/.gitignore
@ -24,3 +24,5 @@
 /libreswan-3.21.tar.gz
 /libreswan-3.22.tar.gz
 /libreswan-3.23.tar.gz
 /libreswan-3.24.tar.gz
 /libreswan-3.25.tar.gz
--- a/libreswan.spec
+++ b/libreswan.spec
@ -1,48 +1,45 @@
 # These are rpm macros and are 0 or 1
 %global crl_fetching 1
 %global _hardened_build 1
-%global buildefence 0
+# These are rpm macros and are 0 or 1
-%global development 0
+%global with_efence 0
-%global cavstests 1
+%global with_development 0
-
+%global with_cavstests 1
-# These are libreswan/make macros and are false or true
+# Libreswan config options
-%global USE_FIPSCHECK true
+%global libreswan_config \\\
-%global USE_LIBCAP_NG true
+    FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
-%global USE_LABELED_IPSEC true
+    FINALMANDIR=%{_mandir} \\\
-%global USE_DNSSEC true
+    FIPSPRODUCTCHECK=%{_sysconfdir}/system-fips \\\
-%global USE_NM true
+    INC_RCDEFAULT=%{_initrddir} \\\
-%global USE_LINUX_AUDIT true
+    INC_USRLOCAL=%{_prefix} \\\
-# not production ready yet
+    INITSYSTEM=systemd \\\
-%global USE_SECCOMP false
+    NSS_REQ_AVA_COPY=false \\\
    USE_DNSSEC=true \\\
    USE_FIPSCHECK=true \\\
    USE_LABELED_IPSEC=true \\\
    USE_LDAP=true \\\
    USE_LIBCAP_NG=true \\\
    USE_LIBCURL=true \\\
    USE_LINUX_AUDIT=true \\\
    USE_NM=true \\\
    USE_SECCOMP=true \\\
    USE_XAUTHPAM=true \\\
 %{nil}
 #global prever rc1
 Name: libreswan
 Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
 # version is generated in the release script
-Version: 3.23
+Version: 3.25
-Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
+Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
 License: GPLv2
 Url: https://libreswan.org/
 Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
-%if %{cavstests}
+%if 0%{with_cavstests}
 Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
 Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
 Patch1: libreswan-3.23-seccomp.patch
 Patch2: libreswan-3.23-fixups.patch
 Patch3: libreswan-3.23-ppk-update.patch
 Patch4: libreswan-3.23-crypto-policies.patch
 Patch5: libreswan-3.23-gcc8.patch
 %endif
-Group: System Environment/Daemons
+Requires(post): bash coreutils systemd
 BuildRequires: bison flex pkgconfig
 BuildRequires: systemd systemd-units systemd-devel
 Requires(post): coreutils bash systemd
 Requires(preun): systemd
 Requires(postun): systemd
@ -52,39 +49,31 @@ Provides: openswan = %{version}-%{release}
 Provides: openswan-doc = %{version}-%{release}
 BuildRequires: pkgconfig hostname
-BuildRequires: nss-devel >= 3.16.1, nspr-devel
+BuildRequires: bison flex
 BuildRequires: systemd-devel
 BuildRequires: nss-devel >= 3.16.1
 BuildRequires: nspr-devel
 BuildRequires: pam-devel
 BuildRequires: libevent-devel
-%if %{USE_DNSSEC}
+BuildRequires: unbound-devel >= 1.6.0-6
-BuildRequires: unbound-devel >= 1.6.0-6 ldns-devel
+BuildRequires: ldns-devel
 %endif
 %if %{USE_SECCOMP}
 BuildRequires: libseccomp-devel
 %endif
 %if %{USE_LABELED_IPSEC}
 BuildRequires: libselinux-devel
 %endif
 %if %{USE_FIPSCHECK}
 BuildRequires: fipscheck-devel
 Requires: fipscheck%{_isa}
 %endif
 %if %{USE_LINUX_AUDIT}
 Buildrequires: audit-libs-devel
 %endif
 %if %{USE_LIBCAP_NG}
 BuildRequires: libcap-ng-devel
-%endif
+BuildRequires: openldap-devel
-%if %{crl_fetching}
+BuildRequires: curl-devel
-BuildRequires: openldap-devel curl-devel
+%if 0%{with_efence}
 %endif
 %if %{buildefence}
 BuildRequires: ElectricFence
 %endif
 BuildRequires: xmlto
-Requires: nss-tools, nss-softokn
+Requires: nss-tools
 Requires: nss-softokn
 Requires: iproute >= 2.6.8
 Requires: unbound-libs >= 1.6.6
 %description
 Libreswan is a free implementation of IPsec & IKE for Linux.  IPsec is
@ -111,118 +100,62 @@ sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/cert_verify/usage_test
 sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/pluto/ikev1-01-fuzzer/cve-2015-3204.py
 sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/pluto/ikev2-15-fuzzer/send_bad_packets.py
 sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/x509/dist_certs.py
-
+# enable crypto-policies support
-%patch1 -p1
+sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %build
-%if %{buildefence}
+%if 0%{with_efence}
- %global efence "-lefence"
+%global efence "-lefence"
 %endif
 #796683: -fno-strict-aliasing
 make %{?_smp_mflags} \
-%if %{development}
+%if 0%{with_development}
-   USERCOMPILE="-g -DGCC_LINT %(echo %{optflags} | sed -e s/-O[0-9]*/ /) %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \
+    USERCOMPILE="-g -DGCC_LINT %(echo %{optflags} | sed -e s/-O[0-9]*/ /) %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \
 %else
-  USERCOMPILE="-g -DGCC_LINT %{optflags} %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \
+    USERCOMPILE="-g -DGCC_LINT %{optflags} %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \
 %endif
-  USERLINK="-g -pie -Wl,-z,relro,-z,now %{?efence}" \
+    USERLINK="-g -pie -Wl,-z,relro,-z,now %{?efence}" \
-  INITSYSTEM=systemd \
+    %{libreswan_config} \
-  USE_NM=%{USE_NM} \
+    programs
  USE_XAUTHPAM=true \
 %if %{USE_FIPSCHECK}
  USE_FIPSCHECK="%{USE_FIPSCHECK}" \
  FIPSPRODUCTCHECK=%{_sysconfdir}/system-fips \
 %endif
  USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \
  USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \
 %if %{crl_fetching}
  USE_LDAP=true \
  USE_LIBCURL=true \
 %else
  USE_LDAP=false \
  USE_LIBCURL=false \
 %endif
  USE_DNSSEC="%{USE_DNSSEC}" \
  USE_SECCOMP="%{USE_SECCOMP}" \
  INC_USRLOCAL=%{_prefix} \
  FINALLIBEXECDIR=%{_libexecdir}/ipsec \
  MANTREE=%{_mandir} \
  INC_RCDEFAULT=%{_initrddir} \
  NSS_REQ_AVA_COPY=false \
  programs
 FS=$(pwd)
 %if %{USE_FIPSCHECK}
 # Add generation of HMAC checksums of the final stripped binaries
 %define __spec_install_post \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
-  fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/pluto \
+    fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/pluto \
 %{nil}
 %endif
 %install
 make \
-  DESTDIR=%{buildroot} \
+    DESTDIR=%{buildroot} \
-  INC_USRLOCAL=%{_prefix} \
+    %{libreswan_config} \
-  FINALLIBEXECDIR=%{_libexecdir}/ipsec \
+    install
  MANTREE=%{buildroot}%{_mandir} \
  INC_RCDEFAULT=%{_initrddir} \
  INSTMANFLAGS="-m 644" \
  INITSYSTEM=systemd \
  USE_NM=%{USE_NM} \
  USE_XAUTHPAM=true \
 %if %{USE_FIPSCHECK}
  USE_FIPSCHECK="%{USE_FIPSCHECK}" \
  FIPSPRODUCTCHECK=%{_sysconfdir}/system-fips \
 %endif
  USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \
  USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \
 %if %{crl_fetching}
  USE_LDAP=true \
  USE_LIBCURL=true \
 %else
  USE_LDAP=false \
  USE_LIBCURL=false \
 %endif
  USE_DNSSEC="%{USE_DNSSEC}" \
  USE_SECCOMP="%{USE_SECCOMP}" \
  NSS_REQ_AVA_COPY=false \
  install
 FS=$(pwd)
 rm -rf %{buildroot}/usr/share/doc/libreswan
-# enable crypto-policies support
+install -d -m 0700 %{buildroot}%{_rundir}/pluto
 sed -i "s:# include\(.*\)/crypto-policies/back-ends/libreswan.config:include\1:" %{buildroot}/%{_sysconfdir}/ipsec.conf
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/pluto
 # used when setting --perpeerlog without --perpeerlogbase
 install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer
 install -d %{buildroot}%{_sbindir}
 install -d %{buildroot}%{_sysconfdir}/sysctl.d
 install -m 0644 packaging/fedora/libreswan-sysctl.conf \
-  %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
+    %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
 install -d %{buildroot}%{_tmpfilesdir}
 install -m 0644 packaging/fedora/libreswan-tmpfiles.conf  \
-  %{buildroot}%{_tmpfilesdir}/libreswan.conf
+    %{buildroot}%{_tmpfilesdir}/libreswan.conf
 %if %{USE_FIPSCHECK}
 mkdir -p %{buildroot}%{_libdir}/fipscheck
 %endif
 echo "include %{_sysconfdir}/ipsec.d/*.secrets" \
-     > %{buildroot}%{_sysconfdir}/ipsec.secrets
+    > %{buildroot}%{_sysconfdir}/ipsec.secrets
 rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
-%if %{cavstests}
+%if 0%{with_cavstests}
 %check
 # There is an elaborate upstream testing infrastructure which we do not
 # run here - it takes hours and uses kvm
@ -234,13 +167,13 @@ bunzip2 *.fax.bz2
 export NSS_DISABLE_HW_GCM=1
 : starting CAVS test for IKEv2
-OBJ.linux.%{_arch}/programs/cavp/cavp -v2 ikev2.fax | \
+%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \
    diff -u ikev2.fax - > /dev/null
 : starting CAVS test for IKEv1 RSASIG
-OBJ.linux.%{_arch}/programs/cavp/cavp -v1sig ikev1_dsa.fax | \
+%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \
    diff -u ikev1_dsa.fax - > /dev/null
 : starting CAVS test for IKEv1 PSK
-OBJ.linux.%{_arch}/programs/cavp/cavp -v1psk ikev1_psk.fax | \
+%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
    diff -u ikev1_psk.fax - > /dev/null
 : CAVS tests passed
 %endif
@ -265,19 +198,19 @@ OBJ.linux.%{_arch}/programs/cavp/cavp -v1psk ikev1_psk.fax | \
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
 %attr(0700,root,root) %dir %{_localstatedir}/log/pluto
 %attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
-%attr(0700,root,root) %dir %{_localstatedir}/run/pluto
+%attr(0700,root,root) %dir %{_rundir}/pluto
 %attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
 %attr(0644,root,root) %{_unitdir}/ipsec.service
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
 %{_sbindir}/ipsec
 %{_libexecdir}/ipsec
-%attr(0644,root,root) %doc %{_mandir}/*/*
+%doc %{_mandir}/*/*
 %if %{USE_FIPSCHECK}
 %{_libdir}/fipscheck/pluto.hmac
 %endif
 %changelog
 * Wed Jun 27 2018 Paul Wouters <pwouters@redhat.com> - 3.25-1
 - Updated to 3.25
 * Mon Feb 19 2018 Paul Wouters <pwouters@redhat.com> - 3.23-2
 - Support crypto-policies package
 - Pull in some patches from upstream and IANA registry updates
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-SHA512 (libreswan-3.23.tar.gz) = 3645af522ea9ac868c55bfadfd2cf27dc5acb247543f43290cbe677a90cd00316be6520ca2128b9aaecce2b0293710ae6a2bd710a7d93198b8cb81e32276ced8
+SHA512 (libreswan-3.25.tar.gz) = 246649cb5bef1d0690217d1080f3f6f175a0d7a5f27e5a7affdf291b2f418a11937e96b64716a33e6312530409a2c1b10b90e2fa5ec339a27c94c990d86ed517
 SHA512 (ikev1_dsa.fax.bz2) = 627cbac14248bd68e8d22fbca247668a7749ef0c2e41df8d776d62df9a21403d3a246c0bd82c3faedce62de90b9f91a87f753e17b056319000bba7d2038461ac
 SHA512 (ikev1_psk.fax.bz2) = 1b2daec32edc56b410c036db2688c92548a9bd9914994bc7e555b301dd6db4497a6b3e89dc12ddf36826ae90b40fcde501a5a45c0d59098e07839073d219d467
 SHA512 (ikev2.fax.bz2) = 0d3748d1bd574f6f1f3e4db847eca126ce649566ea710ef227426f433122752b80d1d6b8acf9d0df07b5597c1e45447e3a2fcb3391756e834e8e75f99df8e51e