diff --git a/.gitignore b/.gitignore index 300c5ab..c7810e6 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ /libreswan-3.3.tar.gz /libreswan-3.4.tar.gz /libreswan-3.5.tar.gz +/libreswan-3.6.tar.gz diff --git a/libreswan.spec b/libreswan.spec index 34d8880..14de28f 100644 --- a/libreswan.spec +++ b/libreswan.spec @@ -8,6 +8,7 @@ %global _hardened_build 1 +%global fipscheck_version 1.3.0 %global buildefence 0 %global development 0 @@ -15,8 +16,8 @@ Name: libreswan Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols -Version: 3.5 -Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist} +Version: 3.6 +Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist} License: GPLv2 Url: https://www.libreswan.org/ Source: https://download.libreswan.org/%{name}-%{version}%{?prever}.tar.gz @@ -32,8 +33,6 @@ Obsoletes: openswan < %{version}-%{release} Provides: openswan = %{version}-%{release} Provides: openswan-doc = %{version}-%{release} -Patch1: libreswan-3.5-cisco-interop.patch - BuildRequires: pkgconfig hostname BuildRequires: nss-devel >= 3.12.6-2, nspr-devel BuildRequires: pam-devel @@ -41,9 +40,8 @@ BuildRequires: pam-devel BuildRequires: unbound-devel %endif %if %{USE_FIPSCHECK} -BuildRequires: fipscheck-devel -# we need fipshmac -Requires: fipscheck%{_isa} +BuildRequires: fipscheck-devel >= %{fipscheck_version} +Requires: fipscheck%{_isa} >= %{fipscheck_version} %endif %if %{USE_LINUX_AUDIT} Buildrequires: audit-libs-devel @@ -62,6 +60,7 @@ BuildRequires: ElectricFence # BuildRequires: xmlto Requires: nss-tools, nss-softokn +Requires: iproute >= 2.6.8 %description Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is @@ -81,7 +80,6 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %prep %setup -q -n libreswan-%{version}%{?prever} -%patch1 -p1 -b .ciscovpn %build %if %{buildefence} 
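Review bot: The new floor `>= %{fipscheck_version}` (1.3.0) on `BuildRequires: fipscheck-devel` and `Requires: fipscheck%{_isa}` is not explained anywhere in the spec, and this hunk also drops the old `# we need fipshmac` comment that said why the runtime `Requires:` exists. A short comment above the two lines would record the reason, for example `# fipscheck >= 1.3.0 is needed for the /etc/system-fips product check`. That link to the later `FIPSPRODUCTCHECK` setting is my inference from this diff, so the comment should state the real reason. `fipshmac` is also run at build time in the install post-processing, so it is worth confirming that `fipscheck-devel` pulls in the package that ships that binary.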
@@ -97,10 +95,12 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %endif USERLINK="-g -pie -Wl,-z,relro,-z,now %{?efence}" \ INITSYSTEM=systemd \ - USE_DYNAMICDNS="true" \ USE_NM=%{USE_NM} \ USE_XAUTHPAM=true \ +%if %{USE_FIPSCHECK} USE_FIPSCHECK="%{USE_FIPSCHECK}" \ + FIPSPRODUCTCHECK=/etc/system-fips \ +%endif USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \ USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \ %if %{USE_CRL_FETCHING} @@ -122,7 +122,7 @@ FS=$(pwd) %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ - fipshmac -d %{buildroot}%{_libdir}/fipscheck ` ls %{buildroot}%{_libexecdir}/ipsec/*|grep -v setup` \ + fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/* \ fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_sbindir}/ipsec \ %{nil} %endif @@ -143,12 +143,14 @@ FS=$(pwd) rm -rf %{buildroot}/usr/share/doc/libreswan install -d -m 0755 %{buildroot}%{_localstatedir}/run/pluto -# used when setting --perpeerlog without --perpeerlogbase +# used when setting --perpeerlog without --perpeerlogbase install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer install -d %{buildroot}%{_sbindir} %if %{USE_FIPSCHECK} mkdir -p %{buildroot}%{_libdir}/fipscheck +install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/ +install -m644 packaging/fedora/libreswan-prelink.conf %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf %endif echo "include /etc/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets @@ -175,6 +177,9 @@ rm -fr %{buildroot}/etc/rc.d/rc* %if %{USE_FIPSCHECK} %{_libdir}/fipscheck/*.hmac +# We own the directory so we don't have to require prelink +%attr(0755,root,root) %dir %{_sysconfdir}/prelink.conf.d/ +%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf %endif %preun 
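Review bot: Wrapping `USE_FIPSCHECK="%{USE_FIPSCHECK}" \` in `%if %{USE_FIPSCHECK}` means a build with the macro off no longer passes any value to make, so the upstream Makefile default decides whether fipscheck support is compiled in. If that default is on, or later becomes on, the binaries would be built with fipscheck while the `BuildRequires`/`Requires` guarded by the same macro are absent. Keeping the `USE_FIPSCHECK=` assignment outside the conditional and leaving only `FIPSPRODUCTCHECK=/etc/system-fips \` inside it keeps the choice explicit in both cases. The make invocation starts above this hunk, so the upstream default is not visible here.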
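Review bot: The two added `install` lines for `prelink.conf.d/libreswan-fips.conf` in the `@@ -143,12 +143,14 @@` hunk have no comment saying why a prelink drop-in belongs inside the `%if %{USE_FIPSCHECK}` block. Presumably it stops prelink from rewriting the binaries after `fipshmac` has recorded their HMACs, which would make the FIPS integrity check fail. The contents of `packaging/fedora/libreswan-prelink.conf` are not shown in this diff, so confirm that before wording the comment. Something like `# keep prelink away from our binaries: modifying them would invalidate the fipscheck .hmac files` above the first `install` line would record the intent.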
@@ -185,8 +190,18 @@ rm -fr %{buildroot}/etc/rc.d/rc* %post %systemd_post ipsec.service +if [ ! -f /etc/ipsec.d/cert8.db ] ; then +echo > /var/tmp/libreswan-nss-pwd +certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d +restorecon /etc/ipsec.d/*db 2>/dev/null || : +rm /var/tmp/libreswan-nss-pwd +fi %changelog +* Thu Oct 31 2013 Paul Wouters - 3.6-1 +- Updated to 3.6 (IKEv2, MODECFG, Cisco interop fixes) +- Generate empty NSS db if none exists + * Mon Aug 19 2013 Paul Wouters - 3.5-3 - Add a Provides: for openswan-doc diff --git a/sources b/sources index 8f1dec2..c5d2082 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -7dbf9dbd79836b567e3231006eed3109 libreswan-3.5.tar.gz +6c6f0ffec329e09d2d7fa24ae102c69b libreswan-3.6.tar.gz
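Review bot: The added `%post` block creates the NSS password file at the fixed path `/var/tmp/libreswan-nss-pwd` while running as root, and `/var/tmp` is writable by every local user. Because the name is predictable, a file or symlink already present at that path decides what `echo >` truncates and what `certutil -N -f` reads as the database password, so the new database could end up protected by a password the administrator does not know. Creating the file with `mktemp` inside a root-only directory removes that dependency; the version below assumes `/etc/ipsec.d` is writable only by root, which this diff does not show. The `[ ! -f /etc/ipsec.d/cert8.db ]` test also matches only one database file name, so confirm it agrees with what `certutil -N` creates on the target release.

```spec
if [ ! -f /etc/ipsec.d/cert8.db ] && pwfile=$(mktemp /etc/ipsec.d/nss-pwd.XXXXXX) ; then
echo > "$pwfile"
certutil -N -f "$pwfile" -d /etc/ipsec.d
rm -f "$pwfile"
# … unchanged: restorecon on the new db files …
fi
```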