From 3e830d5800fd8dd8a8cea197e929609d3f9f0d16 Mon Sep 17 00:00:00 2001
From: CentOS Buildsys
Date: Nov 08 2013 20:46:31 +0000
Subject: import libreswan-3.6-2.el7.src.rpm
---
diff --git a/.libreswan.metadata b/.libreswan.metadata
new file mode 100644
index 0000000..2d97f7c
--- /dev/null
+++ b/.libreswan.metadata
@@ -0,0 +1 @@
+1a7758b1d992a794b5ab7d9300ab9330184af77c SOURCES/libreswan-3.6.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SPECS/libreswan.spec b/SPECS/libreswan.spec
new file mode 100644
index 0000000..f39cb05
--- /dev/null
+++ b/SPECS/libreswan.spec
@@ -0,0 +1,220 @@
+%global USE_FIPSCHECK true
+%global USE_LIBCAP_NG true
+%global USE_LABELED_IPSEC true
+%global USE_CRL_FETCHING true
+%global USE_DNSSEC true
+%global USE_NM true
+%global USE_LINUX_AUDIT true
+
+%global _hardened_build 1
+
+%global buildefence 0
+%global development 0
+
+#global prever rc1
+
+Name: libreswan
+Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
+Version: 3.6
+Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
+License: GPLv2
+Url: https://www.libreswan.org/
+Source: https://download.libreswan.org/%{name}-%{version}%{?prever}.tar.gz
+Group: System Environment/Daemons
+BuildRequires: gmp-devel bison flex redhat-rpm-config pkgconfig
+BuildRequires: systemd
+Requires(post): coreutils bash systemd
+Requires(preun): systemd
+Requires(postun): systemd
+Requires: iproute
+
+Conflicts: openswan < %{version}-%{release}
+Obsoletes: openswan < %{version}-%{release}
+Provides: openswan = %{version}-%{release}
+Provides: openswan-doc = %{version}-%{release}
+
+BuildRequires: pkgconfig hostname
+BuildRequires: nss-devel >= 3.12.6-2, nspr-devel
+BuildRequires: pam-devel
+%if %{USE_DNSSEC}
+BuildRequires: unbound-devel
+%endif
+%if %{USE_FIPSCHECK}
+BuildRequires: fipscheck-devel
+# we need fipshmac
+Requires: fipscheck%{_isa}
+%endif
+%if %{USE_LINUX_AUDIT}
+Buildrequires: audit-libs-devel
+%endif
+
+%if %{USE_LIBCAP_NG}
+BuildRequires: libcap-ng-devel
+%endif
+%if %{USE_CRL_FETCHING}
+BuildRequires: openldap-devel curl-devel
+%endif
+%if %{buildefence}
+BuildRequires: ElectricFence
+%endif
+# Only needed if xml man pages are modified and need regeneration
+# BuildRequires: xmlto
+
+Requires: nss-tools, nss-softokn
+
+%description
+Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is
+the Internet Protocol Security and uses strong cryptography to provide
+both authentication and encryption services. These services allow you
+to build secure tunnels through untrusted networks. Everything passing
+through the untrusted net is encrypted by the ipsec gateway machine and
+decrypted by the gateway at the other end of the tunnel. The resulting
+tunnel is a virtual private network or VPN.
+
+This package contains the daemons and userland tools for setting up
+Libreswan. To build KLIPS, see the kmod-libreswan.spec file.
+
+Libreswan also supports IKEv2 (RFC4309) and Secure Labeling
+
+Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
+
+%prep
+%setup -q -n libreswan-%{version}%{?prever}
+
+%build
+%if %{buildefence}
+ %define efence "-lefence"
+%endif
+
+#796683: -fno-strict-aliasing
+%{__make} \
+%if %{development}
+ USERCOMPILE="-g -DGCC_LINT %(echo %{optflags} | sed -e s/-O[0-9]*/ /) %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \
+%else
+ USERCOMPILE="-g -DGCC_LINT %{optflags} %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \
+%endif
+ USERLINK="-g -pie -Wl,-z,relro,-z,now %{?efence}" \
+ INITSYSTEM=systemd \
+ USE_NM=%{USE_NM} \
+ USE_XAUTHPAM=true \
+%if %{USE_FIPSCHECK}
+ USE_FIPSCHECK="%{USE_FIPSCHECK}" \
+ FIPSPRODUCTCHECK=/etc/system-fips \
+%endif
+ USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \
+ USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \
+%if %{USE_CRL_FETCHING}
+ USE_LDAP=true \
+ USE_LIBCURL=true \
+%endif
+ USE_DNSSEC="%{USE_DNSSEC}" \
+ INC_USRLOCAL=%{_prefix} \
+ FINALLIBDIR=%{_libexecdir}/ipsec \
+ FINALLIBEXECDIR=%{_libexecdir}/ipsec \
+ MANTREE=%{_mandir} \
+ INC_RCDEFAULT=%{_initrddir} \
+ programs
+FS=$(pwd)
+
+%if %{USE_FIPSCHECK}
+# Add generation of HMAC checksums of the final stripped binaries
+%define __spec_install_post \
+ %{?__debug_package:%{__debug_install_post}} \
+ %{__arch_install_post} \
+ %{__os_install_post} \
+ fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/* \
+ fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_sbindir}/ipsec \
+%{nil}
+%endif
+
+%install
+rm -rf ${RPM_BUILD_ROOT}
+%{__make} \
+ DESTDIR=%{buildroot} \
+ INC_USRLOCAL=%{_prefix} \
+ FINALLIBDIR=%{_libexecdir}/ipsec \
+ FINALLIBEXECDIR=%{_libexecdir}/ipsec \
+ MANTREE=%{buildroot}%{_mandir} \
+ INC_RCDEFAULT=%{_initrddir} \
+ INSTMANFLAGS="-m 644" \
+ INITSYSTEM=systemd \
+ install
+FS=$(pwd)
+rm -rf %{buildroot}/usr/share/doc/libreswan
+
+install -d -m 0755 %{buildroot}%{_localstatedir}/run/pluto
+# used when setting --perpeerlog without --perpeerlogbase
+install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer
+install -d %{buildroot}%{_sbindir}
+
+%if %{USE_FIPSCHECK}
+mkdir -p %{buildroot}%{_libdir}/fipscheck
+install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/
+install -m644 packaging/fedora/libreswan-prelink.conf %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
+%endif
+
+echo "include /etc/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets
+rm -fr %{buildroot}/etc/rc.d/rc*
+
+%files
+%doc BUGS CHANGES COPYING CREDITS README LICENSE
+%doc docs/*.*
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/pluto
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
+%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
+%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/cacerts
+%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/crls
+%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
+%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
+%attr(0755,root,root) %dir %{_localstatedir}/run/pluto
+%attr(0644,root,root) %{_unitdir}/ipsec.service
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
+%{_sbindir}/ipsec
+%{_libexecdir}/ipsec
+%attr(0644,root,root) %doc %{_mandir}/*/*
+
+%if %{USE_FIPSCHECK}
+%{_libdir}/fipscheck/*.hmac
+# We own the directory so we don't have to require prelink
+%attr(0755,root,root) %dir %{_sysconfdir}/prelink.conf.d/
+%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
+%endif
+
+%preun
+%systemd_preun ipsec.service
+
+%postun
+%systemd_postun_with_restart ipsec.service
+
+%post
+%systemd_post ipsec.service
+if [ ! -f %{_sysconfdir}/ipsec.d/cert8.db ] ; then
+ TEMPFILE=$(/bin/mktemp %{_sysconfdir}/ipsec.d/nsspw.XXXXXXX)
+ [ $? -gt 0 ] && TEMPFILE=%{_sysconfdir}/ipsec.d/nsspw.$$
+ echo > ${TEMPFILE}
+ certutil -N -f ${TEMPFILE} -d %{_sysconfdir}/ipsec.d
+ restorecon %{_sysconfdir}/ipsec.d/*db 2>/dev/null || :
+ rm -f ${TEMPFILE}
+fi
+
+%changelog
+* Fri Nov 08 2013 Paul Wouters - 3.6-2
+- Fix race condition in post for creating nss db
+
+* Thu Oct 31 2013 Paul Wouters - 3.6-1
+- Updated to version 3.6 (IKEv2, MODECFG, Cisco interop fixes)
+- Generate empty NSS db if none exists
+- FIPS update using /etc/system-fips
+- Provide: openswan-doc
+
+* Fri Aug 09 2013 Paul Wouters - 3.5-2
+- rebuilt and bumped EVR to avoid confusion of import->delete->import
+- require iproute
+
+* Mon Jul 15 2013 Paul Wouters - 3.5-1
+- Initial package for RHEL7
+- Added interop patch for (some?) Cisco VPN clients sending 16 zero
+ bytes of extraneous IKE data
+- Removed fipscheck_version
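Review bot: In `%post`, the fallback `[ $? -gt 0 ] && TEMPFILE=%{_sysconfdir}/ipsec.d/nsspw.$$` brings back a predictable file name whenever `mktemp` fails, which undoes the race fix recorded in the 3.6-2 changelog entry, and the next line `echo > ${TEMPFILE}` then writes to that path as root without checking it. I would drop the fallback and skip database creation on failure, e.g. `TEMPFILE=$(/bin/mktemp %{_sysconfdir}/ipsec.d/nsspw.XXXXXXX) || exit 0`, and quote `"${TEMPFILE}"` in the later uses. `%files` ships `%{_sysconfdir}/ipsec.d` as 0700 root, which limits who could pre-create the path, but the scriptlet should not rely on that. A comment such as `# password file holds only an empty line, so the NSS db is created without a password` above the `certutil -N` line would make that choice visible, assuming that is what "Generate empty NSS db" in the changelog intends.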