32be2a6df3
- Resolves rhbz#2274448 CVE-2024-3652 libreswan: IKEv1 default AH/ESP responder can crash and restart - Allow "ipsec import" to try importing PKCS#12 non-interactively if there is no password Resolves: RHEL-32481
220 lines
7.1 KiB
RPMSpec
220 lines
7.1 KiB
RPMSpec
%global _hardened_build 1
|
|
# These are rpm macros and are 0 or 1
|
|
%global with_efence 0
|
|
%global with_development 0
|
|
%global with_cavstests 1
|
|
%global nss_version 3.52
|
|
%global unbound_version 1.6.6
|
|
# Libreswan config options
|
|
%global libreswan_config \\\
|
|
FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
|
|
FINALMANDIR=%{_mandir} \\\
|
|
PREFIX=%{_prefix} \\\
|
|
INITSYSTEM=systemd \\\
|
|
SHELL_BINARY=%{_bindir}/sh \\\
|
|
USE_DNSSEC=true \\\
|
|
USE_LABELED_IPSEC=true \\\
|
|
USE_LDAP=true \\\
|
|
USE_LIBCAP_NG=true \\\
|
|
USE_LIBCURL=true \\\
|
|
USE_LINUX_AUDIT=true \\\
|
|
USE_NM=true \\\
|
|
USE_NSS_IPSEC_PROFILE=true \\\
|
|
USE_SECCOMP=true \\\
|
|
USE_AUTHPAM=true \\\
|
|
%{nil}
|
|
|
|
#global prever dr1
|
|
|
|
Name: libreswan
|
|
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
|
|
# version is generated in the release script
|
|
Version: 4.15
|
|
Release: %autorelease
|
|
# The code in lib/libswan/nss_copies.c is under MPL-2.0, while the
|
|
# rest is under GPL-2.0-or-later
|
|
License: GPL-2.0-or-later AND MPL-2.0
|
|
Url: https://libreswan.org/
|
|
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
|
|
Source1: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz.asc
|
|
Source2: https://download.libreswan.org/LIBRESWAN-OpenPGP-KEY.txt
|
|
%if 0%{with_cavstests}
|
|
Source3: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
|
|
Source4: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
|
|
Source5: https://download.libreswan.org/cavs/ikev2.fax.bz2
|
|
%endif
|
|
|
|
Patch1: libreswan-4.15-ipsec_import.patch
|
|
|
|
BuildRequires: audit-libs-devel
|
|
BuildRequires: bison
|
|
BuildRequires: curl-devel
|
|
BuildRequires: flex
|
|
BuildRequires: gcc
|
|
BuildRequires: gnupg2
|
|
BuildRequires: hostname
|
|
BuildRequires: ldns-devel
|
|
BuildRequires: libcap-ng-devel
|
|
BuildRequires: libevent-devel
|
|
BuildRequires: libseccomp-devel
|
|
BuildRequires: libselinux-devel
|
|
BuildRequires: make
|
|
BuildRequires: nspr-devel
|
|
BuildRequires: nss-devel >= %{nss_version}
|
|
BuildRequires: nss-tools >= %{nss_version}
|
|
BuildRequires: openldap-devel
|
|
BuildRequires: pam-devel
|
|
BuildRequires: pkgconfig
|
|
BuildRequires: systemd
|
|
BuildRequires: systemd-devel
|
|
BuildRequires: systemd-rpm-macros
|
|
BuildRequires: unbound-devel >= %{unbound_version}
|
|
BuildRequires: xmlto
|
|
%if 0%{with_efence}
|
|
BuildRequires: ElectricFence
|
|
%endif
|
|
Requires: iproute >= 2.6.8
|
|
Requires: nss >= %{nss_version}
|
|
Requires: nss-softokn
|
|
Requires: nss-tools
|
|
Requires: unbound-libs >= %{unbound_version}
|
|
Requires: logrotate
|
|
# for pidof
|
|
Requires: procps-ng
|
|
|
|
|
|
Requires(post): bash
|
|
Requires(post): coreutils
|
|
Requires(post): systemd
|
|
Requires(preun): systemd
|
|
Requires(postun): systemd
|
|
|
|
%description
|
|
Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is
|
|
the Internet Protocol Security and uses strong cryptography to provide
|
|
both authentication and encryption services. These services allow you
|
|
to build secure tunnels through untrusted networks. Everything passing
|
|
through the untrusted net is encrypted by the ipsec gateway machine and
|
|
decrypted by the gateway at the other end of the tunnel. The resulting
|
|
tunnel is a virtual private network or VPN.
|
|
|
|
This package contains the daemons and userland tools for setting up
|
|
Libreswan.
|
|
|
|
Libreswan also supports IKEv2 (RFC7296) and Secure Labeling
|
|
|
|
Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
|
|
|
|
%prep
|
|
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
|
|
%setup -q -n libreswan-%{version}%{?prever}
|
|
# enable crypto-policies support
|
|
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
|
|
%ifarch s390x
|
|
# throws error on s390x
|
|
sed -i "s/SUBDIRS += hunkcheck/#SUBDIRS += hunkcheck/" testing/programs/Makefile
|
|
%endif
|
|
%autopatch -p1
|
|
|
|
%build
|
|
%make_build \
|
|
%if 0%{with_development}
|
|
OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \
|
|
%else
|
|
OPTIMIZE_CFLAGS="%{optflags}" \
|
|
%endif
|
|
WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch -Wno-maybe-uninitialized" \
|
|
%if 0%{with_efence}
|
|
USE_EFENCE=true \
|
|
%endif
|
|
USERLINK="%{?__global_ldflags} -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -flto --no-lto" \
|
|
%{libreswan_config} \
|
|
programs
|
|
FS=$(pwd)
|
|
|
|
|
|
%install
|
|
%make_install \
|
|
%{libreswan_config} \
|
|
FS=$(pwd)
|
|
rm -rf %{buildroot}/usr/share/doc/libreswan
|
|
rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
|
|
# avoids python depency and are old / aging tools that are not very useful
|
|
rm -rf %{buildroot}%{_libexecdir}/ipsec/show
|
|
rm -rf %{buildroot}%{_libexecdir}/ipsec/verify
|
|
|
|
install -d -m 0755 %{buildroot}%{_rundir}/pluto
|
|
install -d %{buildroot}%{_sbindir}
|
|
|
|
install -d %{buildroot}%{_sysctldir}
|
|
install -m 0644 packaging/fedora/libreswan-sysctl.conf \
|
|
%{buildroot}%{_sysctldir}/50-libreswan.conf
|
|
|
|
echo "include %{_sysconfdir}/ipsec.d/*.secrets" \
|
|
> %{buildroot}%{_sysconfdir}/ipsec.secrets
|
|
rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
|
|
|
|
%if 0%{with_cavstests}
|
|
%check
|
|
# There is an elaborate upstream testing infrastructure which we do not
|
|
# run here - it takes hours and uses kvm
|
|
# We only run the CAVS tests and startup selftest
|
|
cp %{SOURCE3} %{SOURCE4} %{SOURCE5} .
|
|
bunzip2 *.fax.bz2
|
|
|
|
: starting CAVS test for IKEv2
|
|
%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \
|
|
diff -u ikev2.fax - > /dev/null
|
|
: starting CAVS test for IKEv1 RSASIG
|
|
%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \
|
|
diff -u ikev1_dsa.fax - > /dev/null
|
|
: starting CAVS test for IKEv1 PSK
|
|
%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
|
|
diff -u ikev1_psk.fax - > /dev/null
|
|
: CAVS tests passed
|
|
%endif
|
|
|
|
# Some of these tests will show ERROR for negative testing - it will exit on real errors
|
|
%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; }
|
|
%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; }
|
|
: Algorithm parser tests passed
|
|
|
|
# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode
|
|
tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
|
|
certutil -N -d sql:$tmpdir --empty-password
|
|
%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir
|
|
: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST
|
|
|
|
%post
|
|
%systemd_post ipsec.service
|
|
%sysctl_apply 50-libreswan.conf
|
|
|
|
%preun
|
|
%systemd_preun ipsec.service
|
|
|
|
%postun
|
|
%systemd_postun_with_restart ipsec.service
|
|
|
|
%files
|
|
%doc CHANGES COPYING CREDITS README* LICENSE
|
|
%doc docs/*.* docs/examples
|
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
|
|
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
|
|
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
|
|
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
|
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
|
|
%attr(0644,root,root) %config(noreplace) %{_sysctldir}/50-libreswan.conf
|
|
%attr(0755,root,root) %dir %{_rundir}/pluto
|
|
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec
|
|
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec/nss
|
|
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
|
|
%attr(0644,root,root) %{_unitdir}/ipsec.service
|
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
|
|
%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
|
|
%{_sbindir}/ipsec
|
|
%{_libexecdir}/ipsec
|
|
%doc %{_mandir}/*/*
|
|
|
|
%changelog
|
|
%autochangelog
|