- Resolves: CVE-2022-23094

- Resolves: rhbz#2039604 libreswan-4.6 is available
- Add gpg key and signature check for build
- Temporarily disable USE_DNSSEC in rawhide while we figure out openssl vs nss include clash
Paul Wouters 2022-01-11 22:41:45 -05:00
parent 30bf23be45
commit a47e3c9245
No known key found for this signature in database
GPG Key ID: DB48D2E5122468BF
3 changed files with 26 additions and 9 deletions

.gitignore vendored

@ -41,3 +41,6 @@
/libreswan-4.3.tar.gz /libreswan-4.3.tar.gz
/libreswan-4.4.tar.gz /libreswan-4.4.tar.gz
/libreswan-4.5.tar.gz /libreswan-4.5.tar.gz
/libreswan-4.6.tar.gz
/libreswan-4.6.tar.gz.asc
/LIBRESWAN-GPG-KEY.txt


@ -13,7 +13,7 @@
INITSYSTEM=systemd \\\ INITSYSTEM=systemd \\\
PYTHON_BINARY=%{__python3} \\\ PYTHON_BINARY=%{__python3} \\\
SHELL_BINARY=%{_bindir}/sh \\\ SHELL_BINARY=%{_bindir}/sh \\\
USE_DNSSEC=true \\\ USE_DNSSEC=false \\\
USE_LABELED_IPSEC=true \\\ USE_LABELED_IPSEC=true \\\
USE_LDAP=true \\\ USE_LDAP=true \\\
USE_LIBCAP_NG=true \\\ USE_LIBCAP_NG=true \\\
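Review bot: USE_DNSSEC=false is set unconditionally in the shared build flags, while the commit message describes the change as temporary and specific to rawhide. Consider guarding it with a release conditional, or at least adding a spec comment next to the flag that names the openssl vs nss include clash, so the setting is not carried into other branches and forgotten. ldns-devel is still listed under BuildRequires further down; worth checking whether it is needed while DNSSEC is off.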
@ -30,28 +30,32 @@
Name: libreswan Name: libreswan
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
# version is generated in the release script # version is generated in the release script
Version: 4.5 Version: 4.6
Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist} Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
License: GPLv2 License: GPLv2
Url: https://libreswan.org/ Url: https://libreswan.org/
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
Source1: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz.asc
Source2: https://download.libreswan.org/LIBRESWAN-GPG-KEY.txt
%if 0%{with_cavstests} %if 0%{with_cavstests}
Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2 Source3: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2 Source4: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2 Source5: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif %endif
BuildRequires: audit-libs-devel BuildRequires: audit-libs-devel
BuildRequires: bison BuildRequires: bison
BuildRequires: curl-devel BuildRequires: curl-devel
BuildRequires: flex BuildRequires: flex
BuildRequires: gcc make BuildRequires: gcc
BuildRequires: gnupg2
BuildRequires: hostname BuildRequires: hostname
BuildRequires: ldns-devel BuildRequires: ldns-devel
BuildRequires: libcap-ng-devel BuildRequires: libcap-ng-devel
BuildRequires: libevent-devel BuildRequires: libevent-devel
BuildRequires: libseccomp-devel BuildRequires: libseccomp-devel
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
BuildRequires: make
BuildRequires: nspr-devel BuildRequires: nspr-devel
BuildRequires: nss-devel >= %{nss_version} BuildRequires: nss-devel >= %{nss_version}
BuildRequires: nss-tools >= %{nss_version} BuildRequires: nss-tools >= %{nss_version}
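Review bot: Source2 (the keyring) is fetched from the same host as Source0 and Source1, so the signature check in %prep only shows that the three files agree with each other unless the key was validated some other way before it was uploaded. Suggest a spec comment above Source2 recording the expected key fingerprint and how it was confirmed, so a later key change at that URL is noticed in review rather than accepted with a new checksum.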
@ -96,10 +100,12 @@ Libreswan also supports IKEv2 (RFC7296) and Secure Labeling
Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
%prep %prep
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%setup -q -n libreswan-%{version}%{?prever} %setup -q -n libreswan-%{version}%{?prever}
# enable crypto-policies support # enable crypto-policies support
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
sed -i "s/SUBDIRS += ipcheck/#SUBDIRS += ipchec/" testing/programs/Makefile sed -i "s/SUBDIRS += ipcheck/#SUBDIRS += ipchec/" testing/programs/Makefile
%autopatch -p1
%build %build
make %{?_smp_mflags} \ make %{?_smp_mflags} \
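Review bot: %autopatch -p1 is added at the end of %prep, after the two sed edits, but no PatchN: entries appear in this diff and the changelog does not mention it. If patches are expected later, placing it directly after %setup would apply them to pristine upstream files rather than to configs/ipsec.conf.in and testing/programs/Makefile as already rewritten by sed; otherwise drop it or note it in the changelog. The %{gpgverify} line before %setup is in the right place, since it runs before anything is unpacked.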
@ -142,8 +148,8 @@ rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
%check %check
# There is an elaborate upstream testing infrastructure which we do not # There is an elaborate upstream testing infrastructure which we do not
# run here - it takes hours and uses kvm # run here - it takes hours and uses kvm
# We only run the CAVS tests. # We only run the CAVS tests and startup selftest
cp %{SOURCE1} %{SOURCE2} %{SOURCE3} . cp %{SOURCE3} %{SOURCE4} %{SOURCE5} .
bunzip2 *.fax.bz2 bunzip2 *.fax.bz2
: starting CAVS test for IKEv2 : starting CAVS test for IKEv2
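Review bot: with the CAVS vectors renumbered, %{SOURCE1} and %{SOURCE2} now expand to the detached signature and the key file, so any reference to the old numbers left elsewhere in the spec would still expand without error and pick up the wrong files. The cp line here is updated to match; please confirm that the gpgverify line is the only remaining user of SOURCE1 and SOURCE2. The comment now mentions a startup selftest that this hunk does not add, so it should be checked against what %check actually runs.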
@ -200,6 +206,12 @@ certutil -N -d sql:$tmpdir --empty-password
%doc %{_mandir}/*/* %doc %{_mandir}/*/*
%changelog %changelog
* Wed Jan 12 2022 Paul Wouters <paul.wouters@aiven.io> - 4.6-1
- Resolves: CVE-2022-23094
- Resolves: rhbz#2039604 libreswan-4.6 is available
- Add gpg key and signature check for build
- Temporarilly disable USE_DNSSEC in rawhide while we figure out openssl vs nss include clash
* Thu Aug 26 2021 Paul Wouters <paul.wouters@aiven.io> - 4.5-1 * Thu Aug 26 2021 Paul Wouters <paul.wouters@aiven.io> - 4.5-1
- Resolves rhbz#1996250 libreswan-4.5 is available - Resolves rhbz#1996250 libreswan-4.5 is available
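Review bot: the new 4.6-1 entry says USE_DNSSEC is disabled "in rawhide", but the spec sets it to false with no branch condition, so the entry and the build disagree if this spec is merged to another branch; reword the entry or add the condition. "Temporarilly" should be "Temporarily", and the CVE-2022-23094 line would be clearer if it said the fix comes with the update to 4.6.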


@ -1,4 +1,6 @@
SHA512 (LIBRESWAN-GPG-KEY.txt) = 4df07b77a8026b071dbd99723cf475f76948364c7e63c59ad59444595e042b6c426e28106ba614806c11f0f1d1f32570b60d5cfbaf0beada0621dd242a399000
SHA512 (ikev1_dsa.fax.bz2) = 627cbac14248bd68e8d22fbca247668a7749ef0c2e41df8d776d62df9a21403d3a246c0bd82c3faedce62de90b9f91a87f753e17b056319000bba7d2038461ac SHA512 (ikev1_dsa.fax.bz2) = 627cbac14248bd68e8d22fbca247668a7749ef0c2e41df8d776d62df9a21403d3a246c0bd82c3faedce62de90b9f91a87f753e17b056319000bba7d2038461ac
SHA512 (ikev1_psk.fax.bz2) = 1b2daec32edc56b410c036db2688c92548a9bd9914994bc7e555b301dd6db4497a6b3e89dc12ddf36826ae90b40fcde501a5a45c0d59098e07839073d219d467 SHA512 (ikev1_psk.fax.bz2) = 1b2daec32edc56b410c036db2688c92548a9bd9914994bc7e555b301dd6db4497a6b3e89dc12ddf36826ae90b40fcde501a5a45c0d59098e07839073d219d467
SHA512 (ikev2.fax.bz2) = 65c65d86fd1a7539c0ad516b0f49546d5722b710225857ee2d2f5f3415ac7d023264746398f3637fd248a4ce2364957c516c31214ee33faefe58ac8e4e333a10 SHA512 (ikev2.fax.bz2) = 65c65d86fd1a7539c0ad516b0f49546d5722b710225857ee2d2f5f3415ac7d023264746398f3637fd248a4ce2364957c516c31214ee33faefe58ac8e4e333a10
SHA512 (libreswan-4.5.tar.gz) = 451a4f71099aa4776624a4c127fdaff492acc38a44228255dcbf955efa0982fd963c989d63522f56279eec6a9ef738febb573dde34aa541724ab11e37a554f9e SHA512 (libreswan-4.6.tar.gz.asc) = c8dca0e0800124603ec8d41ef2edcf6d9d1df999aa4127861223b9af8e376e2afd7cdbf71449299fa12a5ce7e53fb0e3bf04566f069e6543507accc88559940b
SHA512 (libreswan-4.6.tar.gz) = c1c3efd7665dee6caaf08cb5aa50fcd37c299acad4b62648284fdb04edd50ba8fc8d33a9fb210edaf2312697f8cd251f33a6b16587eb2cfefd1269b4482dd499