From 9aec852f63ec41dce124d3e15cd1f0606576b83c Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Sun, 27 Sep 2020 22:54:09 -0400
Subject: [PATCH] - Updated to 4.0rc1
---
 .gitignore | 1 +
 libreswan.spec | 140 +++++++++++++++++++++++++------------------------
 sources | 5 +-
 3 files changed, 73 insertions(+), 73 deletions(-)
diff --git a/.gitignore b/.gitignore
index 222e702..ee35485 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,3 +33,4 @@
 /libreswan-3.30.tar.gz
 /libreswan-3.31.tar.gz
 /libreswan-3.32.tar.gz
+/libreswan-4.0rc1.tar.gz
diff --git a/libreswan.spec b/libreswan.spec
index 40ef43d..09a2838 100644
--- a/libreswan.spec
+++ b/libreswan.spec
@@ -3,88 +3,86 @@ %global with_efence 0 %global with_development 0 %global with_cavstests 1 -# Libreswan config options +# minimum version for support for rhbz#1651314 +%global nss_version 3.44.0-8 +%global unbound_version 1.6.6 +# Libreswan config options. With these settings, libreswan +# does not require its own FIPS validation. Only the system +# and NSS needs to be FIPS validated. %global libreswan_config \\\ + SHELL_BINARY=/usr/bin/sh \\\ FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\ FINALMANDIR=%{_mandir} \\\ - INC_RCDEFAULT=%{_initrddir} \\\ - INC_USRLOCAL=%{_prefix} \\\ + PREFIX=%{_prefix} \\\ INITSYSTEM=systemd \\\ + NSS_REQ_AVA_COPY=false \\\ + NSS_HAS_IPSEC_PROFILE=true \\\ PYTHON_BINARY=%{__python3} \\\ - SHELL_BINARY=%{_bindir}/sh \\\ USE_DNSSEC=true \\\ USE_FIPSCHECK=false \\\ - USE_KLIPS=false \\\ USE_LABELED_IPSEC=true \\\ USE_LDAP=true \\\ USE_LIBCAP_NG=true \\\ USE_LIBCURL=true \\\ USE_LINUX_AUDIT=true \\\ USE_NM=true \\\ - USE_NSS_IPSEC_PROFILE=true \\\ - USE_NSS_PRF=true \\\ USE_SECCOMP=true \\\ USE_XAUTHPAM=true \\\ + USE_NSS_KDF=true \\\ %{nil} -#global prever rc1 +%global prever rc1 Name: libreswan -Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec +Summary: IKE implementation for IPsec with IKEv1 and IKEv2 support # version is generated in the release script -Version: 3.32 -Release: %{?prever:0.}4%{?prever:.%{prever}}%{?dist} +Version: 4.0 +Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist} License: GPLv2 Url: https://libreswan.org/ -Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz +Source0: https://download.libreswan.org/%{?prever:with_development/}%{name}-%{version}%{?prever}.tar.gz %if 0%{with_cavstests} Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2 Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2 %endif - -Patch1: libreswan-3.30-s390x.patch -Patch2: libreswan-3.32-nss-api.patch 
-Patch3: libreswan-3.32-uninitialized.patch -Patch4: libreswan-3.32-selinux.patch - -Requires(post): bash coreutils systemd -Requires(preun): systemd -Requires(postun): systemd - -Conflicts: openswan < %{version}-%{release} -Obsoletes: openswan < %{version}-%{release} -Provides: openswan = %{version}-%{release} -Provides: openswan-doc = %{version}-%{release} - -BuildRequires: gcc -BuildRequires: pkgconfig hostname -BuildRequires: bison flex -BuildRequires: systemd-devel -BuildRequires: nss-devel >= 3.52 -BuildRequires: nspr-devel -BuildRequires: pam-devel -BuildRequires: libevent-devel -BuildRequires: unbound-devel >= 1.6.0-6 +BuildRequires: audit-libs-devel +BuildRequires: bison +BuildRequires: curl-devel +BuildRequires: flex +BuildRequires: gcc make BuildRequires: ldns-devel +BuildRequires: libcap-ng-devel +BuildRequires: libevent-devel BuildRequires: libseccomp-devel BuildRequires: libselinux-devel -Buildrequires: audit-libs-devel -BuildRequires: libcap-ng-devel +BuildRequires: nspr-devel +BuildRequires: nss-devel >= %{nss_version} +BuildRequires: nss-tools BuildRequires: openldap-devel -BuildRequires: curl-devel +BuildRequires: pam-devel +BuildRequires: pkgconfig +BuildRequires: hostname +BuildRequires: redhat-rpm-config +BuildRequires: systemd-devel +BuildRequires: unbound-devel >= %{unbound_version} +BuildRequires: xmlto %if 0%{with_efence} BuildRequires: ElectricFence %endif -BuildRequires: xmlto - -Requires: nss-tools -Requires: nss-softokn Requires: iproute >= 2.6.8 -Requires: unbound-libs >= 1.6.6 +Requires: nss >= %{nss_version} +Requires: nss-softokn +Requires: nss-tools +Requires: unbound-libs >= %{unbound_version} +Requires(post): bash +Requires(post): coreutils +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd %description -Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is +Libreswan is an implementation of IKEv1 and IKEv2 for IPsec. 
IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing @@ -101,20 +99,16 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %prep %setup -q -n libreswan-%{version}%{?prever} -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -# Fedora should really figure this versioning out itself, not burden upstream -sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/cert_verify/usage_test -sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/pluto/ikev1-01-fuzzer/cve-2015-3204.py -sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/pluto/ikev2-15-fuzzer/send_bad_packets.py -sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/x509/dist_certs.py +# replace unsupported KLIPS README +echo "KLIPS is not supported with RHEL8" > README.KLIPS + +# linking to freebl is not needed +sed -i "s/-lfreebl //" mk/config.mk + # enable crypto-policies support sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in -# linking to freebl is no longer needed -sed -i "s/-lfreebl //" mk/config.mk + %build make %{?_smp_mflags} \ @@ -126,6 +120,7 @@ make %{?_smp_mflags} \ %if 0%{with_efence} USE_EFENCE=true \ %endif + WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch" \ USERLINK="%{?__global_ldflags}" \ %{libreswan_config} \ programs 
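Review bot: The new Source0 line in this hunk points prereleases at `with_development/`, while the removed line used `development/`; this looks like an accidental rename (possibly a search-and-replace that also matched the `with_development` macro name) and would make the rc tarball URL unreachable, so I would restore `Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz`. In the same hunk the NSS floor moves from the removed `BuildRequires: nss-devel >= 3.52` to `>= %{nss_version}`, which is 3.44.0-8; if lowering it is deliberate for the rhbz#1651314 build, a comment next to `%global nss_version` saying so would help, otherwise 3.52 should be kept since the new `USE_NSS_KDF=true` build option presumably depends on recent NSS KDF support — worth confirming against upstream's stated minimum. The `%description` text continues past the end of the hunk.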
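Review bot: The added `echo "KLIPS is not supported with RHEL8" > README.KLIPS` in %prep hard-codes a RHEL8 message into a spec whose changelog shows it is built for Fedora rawhide/f33; if the spec is shared between distributions a neutral string such as `echo "KLIPS is not supported in this build" > README.KLIPS` avoids shipping a misleading README. The surrounding %prep section ends inside the hunk, so nothing else is affected.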
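Review bot: The added `WERROR_CFLAGS` line enables `-Werror` but then blanket-disables `-Wlto-type-mismatch`; that warning reports symbols declared with different types across translation units, which under LTO is a real ABI/ODR problem rather than noise, so silencing it globally can hide genuine mismatches. If it is required to get 4.0rc1 building, a comment naming the upstream issue (e.g. `# -Wno-lto-type-mismatch: works around <UPSTREAM-ISSUE placeholder>, drop once fixed`) would keep the suppression from becoming permanent. The `make` invocation this line belongs to begins before the hunk.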
@@ -133,23 +128,22 @@ FS=$(pwd) %install make \ - DESTDIR=%{buildroot} \ - %{libreswan_config} \ - install + DESTDIR=%{buildroot} \ + %{libreswan_config} \ + install FS=$(pwd) rm -rf %{buildroot}/usr/share/doc/libreswan +rm -rf %{buildroot}%{_libexecdir}/ipsec/*check install -d -m 0755 %{buildroot}%{_rundir}/pluto -# used when setting --perpeerlog without --perpeerlogbase -install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer install -d %{buildroot}%{_sbindir} install -d %{buildroot}%{_sysconfdir}/sysctl.d install -m 0644 packaging/fedora/libreswan-sysctl.conf \ - %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf + %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf echo "include %{_sysconfdir}/ipsec.d/*.secrets" \ - > %{buildroot}%{_sysconfdir}/ipsec.secrets + > %{buildroot}%{_sysconfdir}/ipsec.secrets rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc* %if 0%{with_cavstests} @@ -160,9 +154,6 @@ rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc* cp %{SOURCE1} %{SOURCE2} %{SOURCE3} . bunzip2 *.fax.bz2 -# work around for older xen based machines -export NSS_DISABLE_HW_GCM=1 - : starting CAVS test for IKEv2 %{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \ diff -u ikev2.fax - > /dev/null @@ -173,6 +164,16 @@ export NSS_DISABLE_HW_GCM=1 %{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \ diff -u ikev1_psk.fax - > /dev/null : CAVS tests passed + +%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; } +%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; } + +# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode +tmpdir=$(mktemp -d /tmp/libreswan-XXXXX) +certutil -N -d sql:$tmpdir --empty-password +%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir +: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST + %endif %post 
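Review bot: The new `rm -rf %{buildroot}%{_libexecdir}/ipsec/*check` in %install carries no comment saying what is being dropped or why; presumably the upstream FIPS check helpers, consistent with `USE_FIPSCHECK=false` and the new comment that FIPS validation is left to the system and NSS — confirm which files the glob actually matches. I would add `# FIPS validation is done by the system/NSS; do not ship libreswan's own *check helpers` directly above it. The rest of this hunk is whitespace re-indentation and the removal of the per-peer log directory.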
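Review bot: The new `algparse -tp` failure message in this hunk reads `prooposal test failed` (typo), and the directory created by `mktemp -d /tmp/libreswan-XXXXX` for the pluto self-test is never removed; I would change it to `echo proposal test failed` and add `rm -rf "$tmpdir"` after the `pluto --selftest` line so build scratch does not accumulate in /tmp. The two `algparse` calls guard failure explicitly with `|| { …; exit 1; }` while the `certutil` and `pluto --selftest` lines rely, I believe, on rpmbuild running the scriptlet with `sh -e`; making the three consistent (and quoting `"$tmpdir"` in the `certutil -N -d sql:` and `--nssdir`/`--rundir` arguments) would make the intent clearer. The `%if 0%{with_cavstests}` block this sits in begins before the hunk.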
@@ -193,17 +194,18 @@ export NSS_DISABLE_HW_GCM=1 %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/* %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf -%attr(0700,root,root) %dir %{_localstatedir}/log/pluto -%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer %attr(0755,root,root) %dir %{_rundir}/pluto %attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf %attr(0644,root,root) %{_unitdir}/ipsec.service %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto %{_sbindir}/ipsec %{_libexecdir}/ipsec -%doc %{_mandir}/*/* +%attr(0644,root,root) %doc %{_mandir}/*/* %changelog +* Sun Sep 27 22:49:40 EDT 2020 Paul Wouters - 4.0-0.1.rc1 +- Updated to 4.0rc1 + * Thu Aug 27 2020 Paul Wouters - 3.32-4 - Resolves: rhbz#1864043 libreswan: FTBFS in Fedora rawhide/f33 diff --git a/sources b/sources index 51c7d81..e4c2fe6 100644 --- a/sources +++ b/sources @@ -1,4 +1 @@ -SHA512 (libreswan-3.32.tar.gz) = bb65512351059e2fac6f1c3ed1e291eabd6835faacf6d9c58649dd71dab1bb4fe6d6074178dea6dea01f24d39f3fbefd84c6060e4d8436b5d057fa55ae4467f3 -SHA512 (ikev1_dsa.fax.bz2) = 627cbac14248bd68e8d22fbca247668a7749ef0c2e41df8d776d62df9a21403d3a246c0bd82c3faedce62de90b9f91a87f753e17b056319000bba7d2038461ac -SHA512 (ikev1_psk.fax.bz2) = 1b2daec32edc56b410c036db2688c92548a9bd9914994bc7e555b301dd6db4497a6b3e89dc12ddf36826ae90b40fcde501a5a45c0d59098e07839073d219d467 -SHA512 (ikev2.fax.bz2) = 0d3748d1bd574f6f1f3e4db847eca126ce649566ea710ef227426f433122752b80d1d6b8acf9d0df07b5597c1e45447e3a2fcb3391756e834e8e75f99df8e51e +SHA512 (libreswan-4.0rc1.tar.gz) = 3ae36e477c6891f94b5d82b1a0ecb05a8413eab96125e6ae92289164b797538cf53cf6825dd1d4699bfdd4c49f68cc65097024f5b1ea9464226dae75abc5c669
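Review bot: The new `%changelog` entry is written as `* Sun Sep 27 22:49:40 EDT 2020 Paul Wouters - 4.0-0.1.rc1`, with a time and timezone, while every other entry visible in the file uses the day-month-year form (`* Thu Aug 27 2020 …`); rpm tolerates the timestamped form but the file's own convention is `* Sun Sep 27 2020 Paul Wouters - 4.0-0.1.rc1`. The `%files` list in this hunk also drops `%{_localstatedir}/log/pluto` and its `peer` subdirectory, matching the removed `install -d` lines in %install; if pluto 4.0 still writes per-peer logs there the directory would be left unowned, so it is worth confirming that upstream removed that logging path.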
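Review bot: The `sources` hunk removes the SHA512 entries for `ikev1_dsa.fax.bz2`, `ikev1_psk.fax.bz2` and `ikev2.fax.bz2`, but the spec still sets `%global with_cavstests 1`, lists them as Source1–Source3 and copies them in %install; with only `.gitignore`, `libreswan.spec` and `sources` in the diffstat, the CAVS vectors would no longer be fetched from the lookaside cache and the build would fail at source setup — unless those files were added to the repository separately. Either keep the three checksum lines in `sources` or set `with_cavstests` to 0 in the same commit so the spec and the manifest agree.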