rpms/libreswan
5
0
Fork 0
Code Issues Pull Requests Releases Activity

- Updated to 4.2

Browse Source
This commit is contained in:
Paul Wouters 2021-02-02 20:53:35 -05:00
parent 534953ce2e
commit fdf40a922f
3 changed files with 33 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -37,3 +37,4 @@
/libreswan-4.0.tar.gz /libreswan-4.0.tar.gz
/libreswan-4.1.tar.gz /libreswan-4.1.tar.gz
/libreswan-4.2rc1.tar.gz /libreswan-4.2rc1.tar.gz
/libreswan-4.2.tar.gz

73
libreswan.spec
View File

@ -3,54 +3,50 @@
%global with_efence 0 %global with_efence 0
%global with_development 0 %global with_development 0
%global with_cavstests 1 %global with_cavstests 1
# minimum version for support for rhbz#1651314 %global nss_version 3.52
%global nss_version 3.44.0-8
%global unbound_version 1.6.6 %global unbound_version 1.6.6
# Libreswan config options. With these settings, libreswan # Libreswan config options
# does not require its own FIPS validation. Only the system
# and NSS needs to be FIPS validated.
%global libreswan_config \\\ %global libreswan_config \\\
SHELL_BINARY=/usr/bin/sh \\\
FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\ FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
FINALMANDIR=%{_mandir} \\\ FINALMANDIR=%{_mandir} \\\
PREFIX=%{_prefix} \\\ PREFIX=%{_prefix} \\\
INITSYSTEM=systemd \\\ INITSYSTEM=systemd \\\
NSS_REQ_AVA_COPY=false \\\
NSS_HAS_IPSEC_PROFILE=true \\\
PYTHON_BINARY=%{__python3} \\\ PYTHON_BINARY=%{__python3} \\\
SHELL_BINARY=%{_bindir}/sh \\\
USE_DNSSEC=true \\\ USE_DNSSEC=true \\\
USE_FIPSCHECK=false \\\
USE_LABELED_IPSEC=true \\\ USE_LABELED_IPSEC=true \\\
USE_LDAP=true \\\ USE_LDAP=true \\\
USE_LIBCAP_NG=true \\\ USE_LIBCAP_NG=true \\\
USE_LIBCURL=true \\\ USE_LIBCURL=true \\\
USE_LINUX_AUDIT=true \\\ USE_LINUX_AUDIT=true \\\
USE_NM=true \\\ USE_NM=true \\\
USE_NSS_IPSEC_PROFILE=true \\\
USE_SECCOMP=true \\\ USE_SECCOMP=true \\\
USE_XAUTHPAM=true \\\ USE_AUTHPAM=true \\\
USE_NSS_KDF=false \\\
%{nil} %{nil}
%global prever rc1 #global prever dr1
Name: libreswan Name: libreswan
Summary: IKE implementation for IPsec with IKEv1 and IKEv2 support Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
# version is generated in the release script # version is generated in the release script
Version: 4.2 Version: 4.2
Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}.1 Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
License: GPLv2 License: GPLv2
Url: https://libreswan.org/ Url: https://libreswan.org/
Source0: https://download.libreswan.org/%{?prever:with_development/}%{name}-%{version}%{?prever}.tar.gz Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
%if 0%{with_cavstests} %if 0%{with_cavstests}
Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2 Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2 Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif %endif
BuildRequires: audit-libs-devel BuildRequires: audit-libs-devel
BuildRequires: bison BuildRequires: bison
BuildRequires: curl-devel BuildRequires: curl-devel
BuildRequires: flex BuildRequires: flex
BuildRequires: gcc make BuildRequires: gcc make
BuildRequires: hostname
BuildRequires: ldns-devel BuildRequires: ldns-devel
BuildRequires: libcap-ng-devel BuildRequires: libcap-ng-devel
BuildRequires: libevent-devel BuildRequires: libevent-devel
@ -58,12 +54,10 @@ BuildRequires: libseccomp-devel
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
BuildRequires: nspr-devel BuildRequires: nspr-devel
BuildRequires: nss-devel >= %{nss_version} BuildRequires: nss-devel >= %{nss_version}
BuildRequires: nss-tools BuildRequires: nss-tools >= %{nss_version}
BuildRequires: openldap-devel BuildRequires: openldap-devel
BuildRequires: pam-devel BuildRequires: pam-devel
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: hostname
BuildRequires: redhat-rpm-config
BuildRequires: systemd-devel BuildRequires: systemd-devel
BuildRequires: unbound-devel >= %{unbound_version} BuildRequires: unbound-devel >= %{unbound_version}
BuildRequires: xmlto BuildRequires: xmlto
@ -82,7 +76,7 @@ Requires(preun): systemd
Requires(postun): systemd Requires(postun): systemd
%description %description
Libreswan is an implementation of IKEv1 and IKEv2 for IPsec. IPsec is Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is
the Internet Protocol Security and uses strong cryptography to provide the Internet Protocol Security and uses strong cryptography to provide
both authentication and encryption services. These services allow you both authentication and encryption services. These services allow you
to build secure tunnels through untrusted networks. Everything passing to build secure tunnels through untrusted networks. Everything passing
@ -99,41 +93,31 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
%prep %prep
%setup -q -n libreswan-%{version}%{?prever} %setup -q -n libreswan-%{version}%{?prever}
# replace unsupported KLIPS README
echo "KLIPS is not supported with RHEL8" > README.KLIPS
# linking to freebl is not needed
sed -i "s/-lfreebl //" mk/config.mk
# enable crypto-policies support # enable crypto-policies support
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
# Restore -DALLOW_MICROSOFT_BAD_PROPOSAL for L2TP/IPsec
sed -i "s/-pthread$/-DALLOW_MICROSOFT_BAD_PROPOSAL -pthread/" mk/config.mk
%build %build
# link flags disable hardening because it fails on arm with what looks like gcc bugs in -Werror=lto-type-mismatch
make %{?_smp_mflags} \ make %{?_smp_mflags} \
%if 0%{with_development} %if 0%{with_development}
OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \ OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \
%else %else
OPTIMIZE_CFLAGS="%{optflags}" \ OPTIMIZE_CFLAGS="%{optflags}" \
%endif %endif
WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch -Wno-maybe-uninitialized" \
%if 0%{with_efence} %if 0%{with_efence}
USE_EFENCE=true \ USE_EFENCE=true \
%endif %endif
WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch -Wno-maybe-uninitialized" \ USERLINK="%{?__global_ldflags} -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -flto --no-lto" \
USERLINK="-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -flto --no-lto" \
%{libreswan_config} \ %{libreswan_config} \
programs programs
FS=$(pwd) FS=$(pwd)
%install %install
make \ make \
DESTDIR=%{buildroot} \ DESTDIR=%{buildroot} \
%{libreswan_config} \ %{libreswan_config} \
install install
FS=$(pwd) FS=$(pwd)
rm -rf %{buildroot}/usr/share/doc/libreswan rm -rf %{buildroot}/usr/share/doc/libreswan
rm -rf %{buildroot}%{_libexecdir}/ipsec/*check rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
@ -143,10 +127,10 @@ install -d %{buildroot}%{_sbindir}
install -d %{buildroot}%{_sysconfdir}/sysctl.d install -d %{buildroot}%{_sysconfdir}/sysctl.d
install -m 0644 packaging/fedora/libreswan-sysctl.conf \ install -m 0644 packaging/fedora/libreswan-sysctl.conf \
%{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
echo "include %{_sysconfdir}/ipsec.d/*.secrets" \ echo "include %{_sysconfdir}/ipsec.d/*.secrets" \
> %{buildroot}%{_sysconfdir}/ipsec.secrets > %{buildroot}%{_sysconfdir}/ipsec.secrets
rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc* rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
%if 0%{with_cavstests} %if 0%{with_cavstests}
@ -167,9 +151,12 @@ bunzip2 *.fax.bz2
%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \ %{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
diff -u ikev1_psk.fax - > /dev/null diff -u ikev1_psk.fax - > /dev/null
: CAVS tests passed : CAVS tests passed
%endif
# Some of these tests will show ERROR for negative testing - it will exit on real errors
%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; } %{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; }
%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; } %{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; }
: Algorithm parser tests passed
# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode # self test for pluto daemon - this also shows which algorithms it allows in FIPS mode
tmpdir=$(mktemp -d /tmp/libreswan-XXXXX) tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
@ -177,8 +164,6 @@ certutil -N -d sql:$tmpdir --empty-password
%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir %{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir
: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST : pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST
%endif
%post %post
%systemd_post ipsec.service %systemd_post ipsec.service
@ -198,16 +183,20 @@ certutil -N -d sql:$tmpdir --empty-password
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/* %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
%attr(0755,root,root) %dir %{_rundir}/pluto %attr(0755,root,root) %dir %{_rundir}/pluto
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec/nss
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf %attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
%attr(0644,root,root) %{_unitdir}/ipsec.service %attr(0644,root,root) %{_unitdir}/ipsec.service
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec/nss %config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
%{_sbindir}/ipsec %{_sbindir}/ipsec
%{_libexecdir}/ipsec %{_libexecdir}/ipsec
%attr(0644,root,root) %doc %{_mandir}/*/* %doc %{_mandir}/*/*
%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
%changelog %changelog
* Wed Feb 03 2021 Paul Wouters <pwouters@redhat.com> - 4.2-1
- Update to 4.2
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.2-0.1.rc1.1 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.2-0.1.rc1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

2
sources
View File

@ -1,4 +1,4 @@
SHA512 (libreswan-4.2rc1.tar.gz) = e218a3edc0d16dcf12fac7e59d4672fa96e867b6d739e05f54db6646af00092c25980aaeb0d93285ce147329d90a4e998cfc2d8b86d69aa885e0e464b4869ea0 SHA512 (libreswan-4.2.tar.gz) = 290be2e36fb41959c9889597aad8ab5df1edc1999ed7315e8f2e50213de073732c91ad497a2b5634f7bc83bca84089ef9f711420a77309c6cce243f1419a2d0f
SHA512 (ikev1_dsa.fax.bz2) = 627cbac14248bd68e8d22fbca247668a7749ef0c2e41df8d776d62df9a21403d3a246c0bd82c3faedce62de90b9f91a87f753e17b056319000bba7d2038461ac SHA512 (ikev1_dsa.fax.bz2) = 627cbac14248bd68e8d22fbca247668a7749ef0c2e41df8d776d62df9a21403d3a246c0bd82c3faedce62de90b9f91a87f753e17b056319000bba7d2038461ac
SHA512 (ikev1_psk.fax.bz2) = 1b2daec32edc56b410c036db2688c92548a9bd9914994bc7e555b301dd6db4497a6b3e89dc12ddf36826ae90b40fcde501a5a45c0d59098e07839073d219d467 SHA512 (ikev1_psk.fax.bz2) = 1b2daec32edc56b410c036db2688c92548a9bd9914994bc7e555b301dd6db4497a6b3e89dc12ddf36826ae90b40fcde501a5a45c0d59098e07839073d219d467
SHA512 (ikev2.fax.bz2) = 0d3748d1bd574f6f1f3e4db847eca126ce649566ea710ef227426f433122752b80d1d6b8acf9d0df07b5597c1e45447e3a2fcb3391756e834e8e75f99df8e51e SHA512 (ikev2.fax.bz2) = 0d3748d1bd574f6f1f3e4db847eca126ce649566ea710ef227426f433122752b80d1d6b8acf9d0df07b5597c1e45447e3a2fcb3391756e834e8e75f99df8e51e