Blame SPECS/libreswan.spec

89d32f
%global _hardened_build 1
89d32f
# These are rpm macros and are 0 or 1
89d32f
%global with_efence 0
89d32f
%global with_development 0
89d32f
%global with_cavstests 1
e84ee2
# minimum version for support for rhbz#1651314
e84ee2
# should prob update for nss with IKEv1 quick mode support
7aef00
%global nss_version 3.53.1
e84ee2
%global unbound_version 1.6.6
89d32f
%global libreswan_config \\\
89d32f
    FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
89d32f
    FINALMANDIR=%{_mandir} \\\
7aef00
    FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\
89d32f
    INITSYSTEM=systemd \\\
89d32f
    NSS_HAS_IPSEC_PROFILE=true \\\
7aef00
    NSS_REQ_AVA_COPY=false \\\
7aef00
    PREFIX=%{_prefix} \\\
e84ee2
    PYTHON_BINARY=%{__python3} \\\
7aef00
    SHELL_BINARY=%{_bindir}/sh \\\
89d32f
    USE_DNSSEC=true \\\
e84ee2
    USE_FIPSCHECK=false \\\
89d32f
    USE_LABELED_IPSEC=true \\\
89d32f
    USE_LDAP=true \\\
89d32f
    USE_LIBCAP_NG=true \\\
89d32f
    USE_LIBCURL=true \\\
89d32f
    USE_LINUX_AUDIT=true \\\
89d32f
    USE_NM=true \\\
7aef00
    USE_NSS_KDF=true \\\
89d32f
    USE_SECCOMP=true \\\
7aef00
    USE_AUTHPAM=true \\\
e84ee2
    USE_DH2=true \\\
89d32f
%{nil}
89d32f
89d32f
#global prever rc1
89d32f
89d32f
Name: libreswan
89d32f
Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
89d32f
# version is generated in the release script
7aef00
Version: 4.3
7aef00
Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}
89d32f
License: GPLv2
89d32f
Url: https://libreswan.org/
e84ee2
89d32f
Source0: https://download.libreswan.org/%{?prever:with_development/}%{name}-%{version}%{?prever}.tar.gz
89d32f
%if 0%{with_cavstests}
89d32f
Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
89d32f
Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
89d32f
Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
89d32f
%endif
89d32f
7aef00
Patch1: libreswan-4.3-maintain-different-v1v2-split.patch
7aef00
Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch
7aef00
Patch3: libreswan-4.1-maintain-obsolete-keywords.patch
7aef00
Patch4: libreswan-4.3-labeled-ipsec.patch
7aef00
Patch5: libreswan-4.3-ikev2-tcp.patch
7aef00
Patch6: libreswan-4.3-1934186-config.patch
e84ee2
e84ee2
BuildRequires: audit-libs-devel
e84ee2
BuildRequires: bison
e84ee2
BuildRequires: curl-devel
e84ee2
BuildRequires: flex
7aef00
BuildRequires: gcc make
e84ee2
BuildRequires: ldns-devel
e84ee2
BuildRequires: libcap-ng-devel
89d32f
BuildRequires: libevent-devel
89d32f
BuildRequires: libseccomp-devel
89d32f
BuildRequires: libselinux-devel
e84ee2
BuildRequires: nspr-devel
e84ee2
BuildRequires: nss-devel >= %{nss_version}
7aef00
BuildRequires: nss-tools
e84ee2
BuildRequires: openldap-devel
e84ee2
BuildRequires: pam-devel
e84ee2
BuildRequires: pkgconfig
e84ee2
BuildRequires: hostname
e84ee2
BuildRequires: redhat-rpm-config
e84ee2
BuildRequires: systemd-devel
e84ee2
BuildRequires: unbound-devel >= %{unbound_version}
e84ee2
BuildRequires: xmlto
89d32f
%if 0%{with_efence}
89d32f
BuildRequires: ElectricFence
89d32f
%endif
89d32f
Requires: iproute >= 2.6.8
e84ee2
Requires: nss >= %{nss_version}
e84ee2
Requires: nss-softokn
e84ee2
Requires: nss-tools
e84ee2
Requires: unbound-libs >= %{unbound_version}
e84ee2
Requires(post): bash
e84ee2
Requires(post): coreutils
e84ee2
Requires(post): systemd
e84ee2
Requires(preun): systemd
e84ee2
Requires(postun): systemd
89d32f
89d32f
%description
89d32f
Libreswan is a free implementation of IKE/IPsec for Linux.  IPsec is
89d32f
the Internet Protocol Security and uses strong cryptography to provide
89d32f
both authentication and encryption services.  These services allow you
89d32f
to build secure tunnels through untrusted networks.  Everything passing
89d32f
through the untrusted net is encrypted by the ipsec gateway machine and
89d32f
decrypted by the gateway at the other end of the tunnel.  The resulting
89d32f
tunnel is a virtual private network or VPN.
89d32f
89d32f
This package contains the daemons and userland tools for setting up
89d32f
Libreswan.
89d32f
89d32f
Libreswan also supports IKEv2 (RFC7296) and Secure Labeling
89d32f
89d32f
Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
89d32f
89d32f
%prep
89d32f
%setup -q -n libreswan-%{version}%{?prever}
8008c3
%patch1 -p1
8008c3
%patch2 -p1
8008c3
%patch3 -p1
8008c3
%patch4 -p1
8008c3
%patch5 -p1
8008c3
%patch6 -p1
89d32f
89d32f
# linking to freebl is not needed
89d32f
sed -i "s/-lfreebl //" mk/config.mk
89d32f
89d32f
# enable crypto-policies support
7aef00
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
89d32f
89d32f
%build
89d32f
make %{?_smp_mflags} \
89d32f
%if 0%{with_development}
e84ee2
    OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \
89d32f
%else
e84ee2
    OPTIMIZE_CFLAGS="%{optflags}" \
89d32f
%endif
e84ee2
%if 0%{with_efence}
e84ee2
    USE_EFENCE=true \
e84ee2
%endif
e84ee2
    WERROR_CFLAGS="-Werror -Wno-missing-field-initializers" \
e84ee2
    USERLINK="%{?__global_ldflags}" \
e84ee2
    %{libreswan_config} \
e84ee2
    programs
89d32f
FS=$(pwd)
89d32f
89d32f
%install
89d32f
make \
89d32f
  DESTDIR=%{buildroot} \
89d32f
  %{libreswan_config} \
89d32f
  install
89d32f
FS=$(pwd)
89d32f
rm -rf %{buildroot}/usr/share/doc/libreswan
e84ee2
rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
89d32f
89d32f
install -d -m 0755 %{buildroot}%{_rundir}/pluto
89d32f
install -d %{buildroot}%{_sbindir}
89d32f
89d32f
install -d %{buildroot}%{_sysconfdir}/sysctl.d
89d32f
install -m 0644 packaging/fedora/libreswan-sysctl.conf \
89d32f
  %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
89d32f
89d32f
echo "include %{_sysconfdir}/ipsec.d/*.secrets" \
89d32f
     > %{buildroot}%{_sysconfdir}/ipsec.secrets
89d32f
rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
89d32f
89d32f
%if 0%{with_cavstests}
89d32f
%check
89d32f
# There is an elaborate upstream testing infrastructure which we do not
89d32f
# run here - it takes hours and uses kvm
89d32f
# We only run the CAVS tests.
89d32f
cp %{SOURCE1} %{SOURCE2} %{SOURCE3} .
89d32f
bunzip2 *.fax.bz2
89d32f
89d32f
: starting CAVS test for IKEv2
89d32f
%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \
89d32f
    diff -u ikev2.fax - > /dev/null
89d32f
: starting CAVS test for IKEv1 RSASIG
89d32f
%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \
89d32f
    diff -u ikev1_dsa.fax - > /dev/null
89d32f
: starting CAVS test for IKEv1 PSK
89d32f
%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
89d32f
    diff -u ikev1_psk.fax - > /dev/null
89d32f
: CAVS tests passed
89d32f
8008c3
# Some of these tests will show ERROR for negative testing - it will exit on real errors
89d32f
%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; }
89d32f
%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; }
8008c3
: Algorithm parser tests passed
8008c3
8008c3
# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode
8008c3
tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
8008c3
certutil -N -d sql:$tmpdir --empty-password
8008c3
%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir
8008c3
: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST
89d32f
89d32f
%endif
89d32f
89d32f
%post
89d32f
%systemd_post ipsec.service
89d32f
89d32f
%preun
89d32f
%systemd_preun ipsec.service
89d32f
89d32f
%postun
89d32f
%systemd_postun_with_restart ipsec.service
89d32f
89d32f
%files
89d32f
%doc CHANGES COPYING CREDITS README* LICENSE
89d32f
%doc docs/*.* docs/examples
89d32f
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
89d32f
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
89d32f
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
89d32f
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
89d32f
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
89d32f
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
89d32f
%attr(0755,root,root) %dir %{_rundir}/pluto
89d32f
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
89d32f
%attr(0644,root,root) %{_unitdir}/ipsec.service
89d32f
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
7aef00
%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
89d32f
%{_sbindir}/ipsec
89d32f
%{_libexecdir}/ipsec
89d32f
%attr(0644,root,root) %doc %{_mandir}/*/*
89d32f
89d32f
%changelog
7aef00
* Thu Mar 04 2021 Paul Wouters <pwouters@redhat.com> - 4.3-3
7aef00
- Resolves: rhbz#1372050 RFE: Support IKE and ESP over TCP: RFC 8229
7aef00
- Resolves: rhbz#1934186 virtual_private setting is missing in the default config
7aef00
7aef00
* Mon Mar 01 2021 Paul Wouters <pwouters@redhat.com> - 4.3-2
7aef00
- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec [update]
7aef00
7aef00
* Sun Feb 21 2021 Paul Wouters <pwouters@redhat.com> - 4.3-1
7aef00
- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec [update]
7aef00
7aef00
* Thu Feb 04 2021 Paul Wouters <pwouters@redhat.com> - 4.2-1
7aef00
- Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.2
7aef00
- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec
7aef00
7aef00
* Tue Oct 27 22:11:42 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.1-1
7aef00
- Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.1
7aef00
- Resolves: rhbz#1889836 libreswan: add 3.x compat patches for obsoleted/removed keywords of 4.0 and re-port ikev2= patch
ac410a
e84ee2
* Wed Jul 29 2020 Paul Wouters <pwouters@redhat.com> - 3.32-6
e84ee2
- Resolves: rhbz#1861360 authby=rsasig must not imply usage of rsa-pss
e84ee2
e84ee2
* Wed Jul 22 2020 Paul Wouters <pwouters@redhat.com> - 3.32-5
e84ee2
- Resolves: rhbz#1820206 Rebase to libreswan 3.32 [rebuild for USE_NSS_PRF]
e84ee2
e84ee2
* Wed Jul 01 2020 Paul Wouters <pwouters@redhat.com> - 3.32-4
e84ee2
- Resolves: rhbz#1544463 ipsec service does not work correctly when seccomp filtering is enabled
e84ee2
e84ee2
* Wed Jun 17 2020 Paul Wouters <pwouters@redhat.com> - 3.32-3
e84ee2
- Resolves: rhbz#1842597 regression: libreswan does not send PLUTO_BYTES env variables to updown script
e84ee2
- Resolves: rhbz#1847766 subsequent xfrmi interfaces configured outside of libreswan are not recognised properly
e84ee2
- Resolves: rhbz#1840212 protect libreswan against unannounced nss ABI change
e84ee2
e84ee2
* Thu Jun 11 2020 Paul Wouters <pwouters@redhat.com> - 3.32-2
e84ee2
- Resolves: rhbz#1820206 Rebase to libreswan 3.32 [addconn fix]
e84ee2
e84ee2
* Thu Apr 30 2020 Paul Wouters <pwouters@redhat.com> - 3.32-1
e84ee2
- Resolves: rhbz#1820206 Rebase to libreswan 3.32
e84ee2
- Resolves: rhbz#1816265 Use NSS to check whether FIPS mode is enabled
e84ee2
- Resolves: rhbz#1826337 libreswan in FIPS mode rejects ECDSA keys based on faulty RSA key size check being applied
04cc82
8008c3
* Tue Aug 13 2019 Paul Wouters <pwouters@redhat.com> - 3.29-6
8008c3
- Resolves: rhbz#1714331 support NSS based IKE KDF's [require updated nss for rhbz 1738689, memleak fix]
8008c3
8008c3
* Thu Aug 08 2019 Paul Wouters <pwouters@redhat.com> - 3.29-5
8008c3
- Resolves: rhbz#1714331 support NSS based IKE KDF's so libreswan does not need FIPS certification
8008c3
8008c3
* Thu Aug 01 2019 Paul Wouters <pwouters@redhat.com> - 3.29-4
8008c3
- Resolves: rhbz#1699318 'ipsec show' has python3 invalid syntax
8008c3
8008c3
* Thu Jul 04 2019 Paul Wouters <pwouters@redhat.com> - 3.29-3
8008c3
- Resolves: rhbz#1725205 XFRM policy for OE/32 peer is deleted when shunts for previous half-open state expire
8008c3
8008c3
* Thu Jun 27 2019 Paul Wouters <pwouters@redhat.com> - 3.29-2
8008c3
- Resolves: rhbz#1723957 libreswan is missing linux audit calls for failed IKE SAs and failed IPsec SAs required for Common Criteria
8008c3
8008c3
* Mon Jun 10 2019 Paul Wouters <pwouters@redhat.com> - 3.29-1
8008c3
- Resolves: rhbz#1712555 libreswan rebase to 3.29
8008c3
8008c3
* Tue May 28 2019 Paul Wouters <pwouters@redhat.com> - 3.28-2
8008c3
- Resolves: rhbz#1713734: barf: shell syntax error in barf diagnostic tool
8008c3
8008c3
* Tue May 21 2019 Paul Wouters <pwouters@redhat.com> - 3.28-1
8008c3
- Resolves: rhbz#1712555 libreswan rebase to 3.28
8008c3
- Resolves: rhbz#1683706 Libreswan shows incorrect error messages
8008c3
- Resolves: rhbz#1706180 Remove last usage of old (unused) PF_KEY API
8008c3
- Resolves: rhbz#1677045 Opportunistic IPsec instances of /32 groups or auto=start that receive delete won't restart
8008c3
- Resolves: rhbz#1686990 IKEv1 traffic interruption when responder deletes SAs 60 seconds before EVENT_SA_REPLACE
8008c3
- Resolves: rhbz#1608353 /usr/sbin/ipsec part of the libreswan packages still invokes commands that were deprecated a decade ago
8008c3
- Resolves: rhbz#1699318 'ipsec show' has python3 invalid syntax
8008c3
- Resolves: rhbz#1679394 libreswan using NSS IPsec profiles regresses when critical flags are set causing validation failure
8008c3
89d32f
* Thu Feb 21 2019 Paul Wouters <pwouters@redhat.com> - 3.27-9
89d32f
- Resolves: rhbz#1648776 limit connections to be ikev1only or ikev2only and make ikev2only the default [man page update]
89d32f
89d32f
* Fri Feb 15 2019 Paul Wouters <pwouters@redhat.com> - 3.27-8
89d32f
- Resolves: rhbz#1664101 system wide crypto policies causing IKE_INIT packet fragmentation
89d32f
89d32f
* Tue Feb 05 2019 Paul Wouters <pwouters@redhat.com> - 3.27-7
89d32f
- Resolves: rhbz#1671793 proessing ISAKMP_NEXT_D with additional payloads causes dangling pointer to deleted state
89d32f
89d32f
* Fri Feb 01 2019 Paul Wouters <pwouters@redhat.com> - 3.27-6
89d32f
- Resolves: rhbz#1668342 SELinux prevents libreswan from using some outbound ports causing DNS resolution failures at connection at load time
89d32f
89d32f
* Thu Jan 10 2019 Paul Wouters <pwouters@redhat.com> - 3.27-5
89d32f
- Resolves: rhbz#1664522 libreswan 3.25 in FIPS mode is incorrectly rejecting X.509 public keys that are >= 3072 bits
89d32f
89d32f
* Mon Dec 10 2018 Paul Wouters <pwouters@redhat.com> - 3.27-4
89d32f
- Resolves: rhbz#1657846 libreswan no longer needs to provide openswan in rhel8
89d32f
- Resolves: rhbz#1643388 libreswan: Unable to verify certificate with non-empty Extended Key Usage which does not include serverAuth or clientAuth
89d32f
- Resolves: rhbz#1657854 remove userland support for deprecated KLIPS IPsec stack support
89d32f
89d32f
* Sun Dec 09 2018 Paul Wouters <pwouters@redhat.com> - 3.27-3
89d32f
- Resolves: rhbz#1648776 limit connections to be ikev1only or ikev2only and make ikev2only the default
89d32f
89d32f
* Thu Nov 08 2018 Paul Wouters <pwouters@redhat.com> - 3.27-2
89d32f
- Resolves: rhbz#1645137 Libreswan segfaults when it loads configuration file with more then 5 connections
89d32f
89d32f
* Mon Oct 08 2018 Paul Wouters <pwouters@redhat.com> - 3.27-1
89d32f
- Resolves: rhbz#1566574 Rebase to libreswan 3.27
89d32f
89d32f
* Mon Sep 17 2018 Paul Wouters <pwouters@redhat.com> - 3.26-1
89d32f
- Resolves: rhbz#1566574 Rebase to libreswan 3.26
89d32f
- Resolves: rhbz#1527037 libreswan IPSEC implementation: should follow the policies of system-wide crypto policy
89d32f
- Resolves: rhbz#1375779 [IKEv2 Conformance] Test IKEv2.EN.R.1.1.6.7: Sending INVALID_KE_PAYLOAD failed
89d32f
- Resolves: rhbz#1085758 [TAHI][IKEv2] IKEv2.EN.I.1.2.1.1: Can't observe CREATE_CHILD_SA request for rekey
89d32f
- Resolves: rhbz#1053048 [TAHI][IKEv2] IKEv2.EN.I.1.2.4.1-7: libreswan doesn't sent CREATE_CHILD_SA after IKE_SA Lifetime timeout
89d32f
89d32f
* Mon Aug 13 2018 Paul Wouters <pwouters@redhat.com> - 3.25-4
89d32f
- Resolves: rhbz#1590823 libreswan: Use Python 3 in RHEL 8
89d32f
89d32f
* Wed Aug 01 2018 Charalampos Stratakis <cstratak@redhat.com> - 3.25-3.1
89d32f
- Rebuild for platform-python
89d32f
89d32f
* Mon Jul 09 2018 Paul Wouters <pwouters@redhat.com> - 3.25-3
89d32f
- Cleanup shebangs for python3
89d32f
- Use the same options via macro for make programs and make install
89d32f
- Remove old ifdefs
89d32f
- Sync up patches to new upstream version
89d32f
- Add Requires: for unbound-libs >= 1.6.6
89d32f
- Enable crypto-policies support
89d32f
- Make rundir world readable for easier permission granting for socket
89d32f
89d32f
* Tue Jun 26 2018 Charalampos Stratakis <cstratak@redhat.com> - 3.23-2.2
89d32f
- Make python shebangs point to python3
89d32f
89d32f
* Fri Jun 22 2018 Troy Dawson <tdawson@redhat.com> - 3.23-2.1
89d32f
- Fix python shebangs (#1580773)
89d32f
89d32f
* Mon Feb 19 2018 Paul Wouters <pwouters@redhat.com> - 3.23-2
89d32f
- Support crypto-policies package
89d32f
- Pull in some patches from upstream and IANA registry updates
89d32f
- gcc7 format-truncate fixes and workarounds
89d32f
89d32f
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.23-1.1
89d32f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
89d32f
89d32f
* Thu Jan 25 2018 Paul Wouters <pwouters@redhat.com> - 3.23-1
89d32f
- Updated to 3.23 - support for MOBIKE, PPK, CMAC, nic offload and performance improvements
89d32f
89d32f
* Sat Jan 20 2018 Bjƶrn Esser <besser82@fedoraproject.org> - 3.22-1.1
89d32f
- Rebuilt for switch to libxcrypt
89d32f
89d32f
* Mon Oct 23 2017 Paul Wouters <pwouters@redhat.com> - 3.22-1
89d32f
- Updated to 3.22 - many bugfixes, and unbound ipsecmod support
89d32f
89d32f
* Wed Aug  9 2017 Paul Wouters <pwouters@redhat.com> - 3.21-1
89d32f
- Updated to 3.21
89d32f
89d32f
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.20-1.2
89d32f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
89d32f
89d32f
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.20-1.1
89d32f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
89d32f
89d32f
* Tue Mar 14 2017 Paul Wouters <pwouters@redhat.com> - 3.20-1
89d32f
- Updated to 3.20
89d32f
89d32f
* Fri Mar 03 2017 Paul Wouters <pwouters@redhat.com> - 3.20-0.1.dr4
89d32f
- Update to 3.20dr4 to test mozbz#1336487 export CERT_CompareAVA
89d32f
89d32f
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.19-1.1
89d32f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
89d32f
89d32f
* Fri Feb 03 2017 Paul Wouters <pwouters@redhat.com> - 3.19-2
89d32f
- Resolves: rhbz#1392191 libreswan: crash when OSX client connects
89d32f
- Improved uniqueid and session replacing support
89d32f
- Test Buffer warning fix on size_t
89d32f
- Re-introduce --configdir for backwards compatibility
89d32f
89d32f
* Sun Jan 15 2017 Paul Wouters <pwouters@redhat.com> - 3.19-1
89d32f
- Updated to 3.19 (see download.libreswan.org/CHANGES)
89d32f
89d32f
* Mon Dec 19 2016 Miro HronĨok <mhroncok@redhat.com> - 3.18-1.1
89d32f
- Rebuild for Python 3.6
89d32f
89d32f
* Fri Jul 29 2016 Paul Wouters <pwouters@redhat.com> - 3.18-1
89d32f
- Updated to 3.18 for CVE-2016-5391 rhbz#1361164 and VTI support
89d32f
- Remove support for /etc/sysconfig/pluto (use native systemd instead)
89d32f
89d32f
* Thu May 05 2016 Paul Wouters <pwouters@redhat.com> - 3.17-2
89d32f
- Resolves: rhbz#1324956 prelink is gone, /etc/prelink.conf.d/* is no longer used 
89d32f
89d32f
* Thu Apr 07 2016 Paul Wouters <pwouters@redhat.com> - 3.17-1
89d32f
- Updated to 3.17 for CVE-2016-3071
89d32f
- Disable LIBCAP_NG as it prevents unbound-control from working properly
89d32f
- Temporarilly disable WERROR due to a few minor known issues
89d32f
89d32f
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3.16-1.1
89d32f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
89d32f
89d32f
* Fri Dec 18 2015 Paul Wouters <pwouters@redhat.com> - 3.16-1
89d32f
- Updated to 3.16 (see https://download.libreswan.org/CHANGES)
89d32f
89d32f
* Tue Aug 11 2015 Paul Wouters <pwouters@redhat.com> - 3.15-1
89d32f
- Updated to 3.15 (see http://download.libreswan.org/CHANGES)
89d32f
- Resolves: rhbz#CVE-2015-3240 IKE daemon restart when receiving a bad DH gx
89d32f
- NSS database creation moved from spec file to service file
89d32f
- Run CAVS tests on package build
89d32f
- Added BuildRequire systemd-units and xmlto
89d32f
- Bumped minimum required nss to 3.16.1
89d32f
- Install tmpfiles
89d32f
- Install sysctl file
89d32f
- Update doc files to include
89d32f
89d32f
* Mon Jul 13 2015 Paul Wouters <pwouters@redhat.com> - 3.13-2
89d32f
- Resolves: rhbz#1238967 Switch libreswan to use python3
89d32f
89d32f
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.13-1.1
89d32f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
89d32f
89d32f
* Mon Jun 01 2015 Paul Wouters <pwouters@redhat.com> - 3.13-1
89d32f
- Updated to 3.13 for CVE-2015-3204
89d32f
89d32f
* Fri Nov 07 2014 Paul Wouters <pwouters@redhat.com> - 3.12-1
89d32f
- Updated to 3.12 Various IKEv2 fixes
89d32f
89d32f
* Wed Oct 22 2014 Paul Wouters <pwouters@redhat.com> - 3.11-1
89d32f
- Updated to 3.11 (many fixes, including startup fixes)
89d32f
- Resolves: rhbz#1144941 libreswan 3.10 upgrade breaks old ipsec.secrets configs
89d32f
- Resolves: rhbz#1147072 ikev1 aggr mode connection fails after libreswan upgrade
89d32f
- Resolves: rhbz#1144831 Libreswan appears to start with systemd before all the NICs are up and running
89d32f
89d32f
* Tue Sep 09 2014 Paul Wouters <pwouters@redhat.com> - 3.10-3
89d32f
- Fix some coverity issues, auto=route on bootup and snprintf on 32bit machines
89d32f
89d32f
* Mon Sep 01 2014 Paul Wouters <pwouters@redhat.com> - 3.10-1
89d32f
- Updated to 3.10, major bugfix release, new xauth status options
89d32f
89d32f
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.9-1.1
89d32f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
89d32f
89d32f
* Thu Jul 10 2014 Paul Wouters <pwouters@redhat.com> - 3.9-1
89d32f
- Updated to 3.9. IKEv2 enhancements, ESP/IKE algo enhancements
89d32f
- Mark libreswan-fips.conf as config file
89d32f
- attr modifier for man pages no longer needed
89d32f
- BUGS file no longer exists upstream
89d32f
89d32f
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.8-1.1
89d32f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
89d32f
89d32f
* Sat Jan 18 2014 Paul Wouters <pwouters@redhat.com> - 3.8-1
89d32f
- Updated to 3.8, fixes rhbz#CVE-2013-6467 (rhbz#1054102)
89d32f
89d32f
* Wed Dec 11 2013 Paul Wouters <pwouters@redhat.com> - 3.7-1
89d32f
- Updated to 3.7, fixes CVE-2013-4564
89d32f
- Fixes creating a bogus NSS db on startup (rhbz#1005410)
89d32f
89d32f
* Thu Oct 31 2013 Paul Wouters <pwouters@redhat.com> - 3.6-1
89d32f
- Updated to 3.6 (IKEv2, MODECFG, Cisco interop fixes)
89d32f
- Generate empty NSS db if none exists
89d32f
89d32f
* Mon Aug 19 2013 Paul Wouters <pwouters@redhat.com> - 3.5-3
89d32f
- Add a Provides: for openswan-doc
89d32f
89d32f
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.5-1.1
89d32f
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
89d32f
89d32f
* Mon Jul 15 2013 Paul Wouters <pwouters@redhat.com> - 3.5-2
89d32f
- Added interop patch for (some?) Cisco VPN clients sending 16 zero
89d32f
  bytes of extraneous IKE data
89d32f
- Removed fipscheck_version
89d32f
89d32f
* Sat Jul 13 2013 Paul Wouters <pwouters@redhat.com> - 3.5-1
89d32f
- Updated to 3.5
89d32f
89d32f
* Thu Jun 06 2013 Paul Wouters <pwouters@redhat.com> - 3.4-1
89d32f
- Updated to 3.4, which only contains style changes to kernel coding style
89d32f
- IN MEMORIAM: June 3rd, 2013 Hugh Daniel
89d32f
89d32f
* Mon May 13 2013 Paul Wouters <pwouters@redhat.com> - 3.3-1
89d32f
- Updated to 3.3, which resolves CVE-2013-2052
89d32f
89d32f
* Sat Apr 13 2013 Paul Wouters <pwouters@redhat.com> - 3.2-1
89d32f
- Initial package for Fedora