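# Feature switches. Each one is tested by a conditional further down and/or
# handed to make in the build section.
%global USE_FIPSCHECK true
%global USE_LIBCAP_NG true
%global USE_LABELED_IPSEC true
%global USE_CRL_FETCHING true
%global USE_DNSSEC true
%global USE_NM true
%global USE_LINUX_AUDIT true

# Hardening request to the distribution's rpm configuration. The build section
# also passes -fPIE -pie and -Wl,-z,relro,-z,now explicitly.
%global _hardened_build 1
# 1 adds ElectricFence (a debugging aid) to the build requirements and link line.
%global buildefence 0
# 1 selects the build-section branch that filters the -O level out of optflags.
%global development 0
# 1 runs the CAVS known-answer tests in the check section.
%global cavstests 1

# rpm expands macros on comment lines too, so the disabled block below doubles
# its percent signs. Without the escape the commented-out definition of rhel
# would still be evaluated before the real one that follows it.
#%%if 0%%{?fedora}
#%%global rhel 7
#%%endif
%global rhel 6
#global prever rc1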
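Name: libreswan
Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
Version: 3.16
Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
License: GPLv2
Group: System Environment/Daemons
Url: https://libreswan.org/
# NOTE(review): only the tarball is listed as a source; this spec verifies no
# detached signature or checksum, so its authenticity rests on how the build
# system fetched and stored it - confirm against the source policy in use.
Source: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
# CAVS known-answer vectors consumed by the check section.
Source1: ikev1_dsa.fax.bz2
Source2: ikev1_psk.fax.bz2
Source3: ikev2.fax.bz2

Requires: iproute >= 2.6.8 nss-tools nss-softokn

BuildRequires: gmp-devel bison flex redhat-rpm-config pkgconfig
BuildRequires: nss-devel >= 3.16.1 nspr-devel
BuildRequires: pam-devel
BuildRequires: xmlto

# Init system split: SysV scriptlet tools for rhel <= 6, systemd otherwise.
# The comparison relies on the rhel macro being defined above; with it
# undefined the left-hand side would expand to nothing.
%if %{?rhel} <= 6
BuildRequires: libevent2-devel net-tools

Requires(post): coreutils bash
Requires(preun): initscripts chkconfig
Requires(post): /sbin/chkconfig
Requires(preun): /sbin/chkconfig
Requires(preun): /sbin/service
%else
BuildRequires: libevent-devel hostname

BuildRequires: systemd
Requires(post): coreutils bash systemd
Requires(preun): systemd
Requires(postun): systemd
%endif

%if %{USE_DNSSEC}
BuildRequires: unbound-devel
%endif

%if %{USE_FIPSCHECK}
BuildRequires: fipscheck-devel
# we need fipshmac
Requires: fipscheck%{_isa}
%endif

%if %{USE_LINUX_AUDIT}
BuildRequires: audit-libs-devel
%endif

%if %{USE_LIBCAP_NG}
BuildRequires: libcap-ng-devel
%endif

# CRL fetching is built with both LDAP and libcurl support (see the build section).
%if %{USE_CRL_FETCHING}
BuildRequires: openldap-devel curl-devel
%endif

%if %{buildefence}
BuildRequires: ElectricFence
%endif

# This package replaces openswan: it provides the same capability names and
# obsoletes/conflicts with any older openswan build.
Conflicts: openswan < %{version}-%{release}
Provides: openswan = %{version}-%{release}
Provides: openswan-doc = %{version}-%{release}
Obsoletes: openswan < %{version}-%{release}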
%description |
88 |
|
|
Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is |
89 |
|
|
the Internet Protocol Security and uses strong cryptography to provide |
90 |
|
|
both authentication and encryption services. These services allow you |
91 |
|
|
to build secure tunnels through untrusted networks. Everything passing |
92 |
|
|
through the untrusted net is encrypted by the ipsec gateway machine and |
93 |
|
|
decrypted by the gateway at the other end of the tunnel. The resulting |
94 |
|
|
tunnel is a virtual private network or VPN. |
95 |
|
|
|
96 |
|
|
This package contains the daemons and userland tools for setting up |
97 |
|
|
Libreswan. It supports the NETKEY/XFRM IPsec kernel stack that exists |
98 |
|
|
in the default Linux kernel. |
99 |
|
|
|
100 |
|
|
Libreswan also supports IKEv2 (RFC-7296) and Secure Labeling |
101 |
|
|
|
102 |
|
|
Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 |
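%prep
%setup -q -n libreswan-%{version}%{?prever}

%build
%if %{buildefence}
%define efence "-lefence"
%endif

# Compile and link flags: the distribution optflags plus position-independent
# executables (-fPIE -pie), read-only relocations and immediate binding
# (-z relro -z now).
#
# Development branch: the sed expression is quoted so the shell passes it as a
# single argument. Unquoted, the embedded space splits it into an incomplete
# substitution plus a file operand, sed fails, and the whole optflags string
# (including any hardening flags it carries) silently drops out of USERCOMPILE.
# NOTE(review): removing the -O level may also disable fortify-source checks
# that depend on optimisation - confirm before shipping a development build.
make %{?_smp_mflags} \
%if %{development}
    USERCOMPILE="-g -DGCC_LINT %(echo %{optflags} | sed -e 's/-O[0-9]*/ /') %{?efence} -fPIE -pie " \
%else
    USERCOMPILE="-g -DGCC_LINT %{optflags} %{?efence} -fPIE -pie " \
%endif
    USERLINK="-g -pie -Wl,-z,relro,-z,now %{?efence}" \
%if %{?rhel} <= 6
    INITSYSTEM=sysvinit \
%else
    INITSYSTEM=systemd \
%endif
    USE_NM=%{USE_NM} \
    USE_XAUTHPAM=true \
%if %{USE_FIPSCHECK}
    USE_FIPSCHECK="%{USE_FIPSCHECK}" \
    FIPSPRODUCTCHECK=/etc/system-fips \
%endif
    USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \
    USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \
    USE_LINUX_AUDIT="%{USE_LINUX_AUDIT}" \
%if %{USE_CRL_FETCHING}
    USE_LDAP=true \
    USE_LIBCURL=true \
%endif
    USE_DNSSEC="%{USE_DNSSEC}" \
    INC_USRLOCAL=%{_prefix} \
    FINALLIBDIR=%{_libexecdir}/ipsec \
    FINALLIBEXECDIR=%{_libexecdir}/ipsec \
    MANTREE=%{_mandir} \
    INC_RCDEFAULT=%{_initrddir} \
    MODPROBE="modprobe -q -b" \
    programs
FS=$(pwd)

%if %{USE_FIPSCHECK}
# Add generation of HMAC checksums of the final stripped binaries.
# The install-post macro is redefined so that fipshmac runs after the
# debuginfo, arch and OS post-install steps; an HMAC taken before those steps
# would not match the files that end up in the package. On rhel <= 6 the
# .hmac files are written next to the binaries, otherwise into the fipscheck
# directory under the library dir.
%if %{?rhel} <= 6
%define __spec_install_post \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
    fipshmac %{buildroot}%{_libexecdir}/ipsec/* \
    fipshmac %{buildroot}%{_sbindir}/ipsec \
%{nil}

%else
%define __spec_install_post \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
    mkdir -p %{buildroot}%{_libdir}/fipscheck/ \
    fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/* \
    fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_sbindir}/ipsec \
%{nil}
%endif
%endif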
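%install
# Start from an empty build root. The path is quoted and spelled with the same
# buildroot macro the rest of this section uses.
rm -rf "%{buildroot}"
make \
    DESTDIR=%{buildroot} \
    INC_USRLOCAL=%{_prefix} \
    FINALLIBDIR=%{_libexecdir}/ipsec \
    FINALLIBEXECDIR=%{_libexecdir}/ipsec \
    MANTREE=%{buildroot}%{_mandir} \
    INC_RCDEFAULT=%{_initrddir} \
    INSTMANFLAGS="-m 644" \
%if %{?rhel} <= 6
    INITSYSTEM=sysvinit \
%else
    INITSYSTEM=systemd \
%endif
    install
FS=$(pwd)
rm -rf %{buildroot}/usr/share/doc/libreswan
# needed to activate v6neighbor-hole.conf
sed -i "s:^#include /etc/ipsec.d/\*.conf$:include /etc/ipsec.d/*.conf:" %{buildroot}%{_sysconfdir}/ipsec.conf

install -d -m 0755 %{buildroot}%{_localstatedir}/run/pluto
# used when setting --perpeerlog without --perpeerlogbase
# (created 0700: per-peer logs are readable by the owner only)
install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer
install -d %{buildroot}%{_sbindir}
%if %{?rhel} <= 6
# replace with rhel6 specific version
install -m 0755 initsystems/sysvinit/init.rhel %{buildroot}%{_initrddir}/ipsec
rm -fr %{buildroot}/etc/rc.d/rc*
%endif

%if %{USE_FIPSCHECK}
%if %{?rhel} == 7
mkdir -p %{buildroot}%{_libdir}/fipscheck
%endif
install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/
install -m644 packaging/fedora/libreswan-prelink.conf %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
%endif

# Ship a stub secrets file that only includes the per-connection files. It is
# written with the build umask here; the files list sets it to 0600 root:root
# in the package.
echo "include /etc/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets

# cavs testing
# NOTE(review): the CAVS test driver is copied into the packaged libexec
# directory whether or not the cavstests switch is set - confirm it is meant
# to be installed on production systems.
cp -a OBJ.linux.*/programs/pluto/cavp %{buildroot}%{_libexecdir}/ipsec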
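%if %{cavstests}
%check
# There is an elaborate upstream testing infrastructure which we do not run here
# We only run the CAVS tests here
cp %{SOURCE1} %{SOURCE2} %{SOURCE3} .
bunzip2 *.fax.bz2

# work around for rhel6 builders on xen
export NSS_DISABLE_HW_GCM=1

# Each test regenerates the answers with cavp and compares them with the
# shipped known-answer file. The diff output goes to the build log, so a
# failing vector can be identified instead of the build stopping silently.
# The pipeline's exit status is diff's: a cavp failure is detected only
# through the resulting difference in output, not through cavp's own status.
: "starting CAVS test for IKEv2"
OBJ.linux.*/programs/pluto/cavp -v2 ikev2.fax | diff -u ikev2.fax -
: "starting CAVS test for IKEv1 RSASIG"
OBJ.linux.*/programs/pluto/cavp -v1sig ikev1_dsa.fax | diff -u ikev1_dsa.fax -
: "starting CAVS test for IKEv1 PSK"
OBJ.linux.*/programs/pluto/cavp -v1psk ikev1_psk.fax | diff -u ikev1_psk.fax -
: "CAVS tests passed"
%endif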
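%if %{?rhel} <= 6
%post
/sbin/chkconfig --add ipsec || :
%if %{USE_FIPSCHECK}
# Undo any prelinking of the installed helpers; presumably so that they still
# match the HMAC files shipped in the package - confirm.
prelink -u %{_libexecdir}/ipsec/* 2>/dev/null || :
%endif

%preun
# $1 is 0 only when the last instance of the package is being removed.
if [ $1 -eq 0 ]; then
    /sbin/service ipsec stop > /dev/null 2>&1 || :
    /sbin/chkconfig --del ipsec
fi

%postun
# $1 >= 1 means an upgrade: restart the service only if it was running.
if [ $1 -ge 1 ] ; then
    # Redirect stdout first and then stderr onto it, as the preun scriptlet
    # does; the reverse order leaves stderr on the terminal.
    /sbin/service ipsec condrestart >/dev/null 2>&1 || :
fi
%else
%preun
%systemd_preun ipsec.service

%postun
%systemd_postun_with_restart ipsec.service

%post
%systemd_post ipsec.service
%endif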
# Packaged files with explicit ownership and modes. Anything that can hold
# key material (ipsec.secrets, the ipsec.d tree, per-peer logs) is restricted
# to root; the remaining configuration is world-readable.
%files
%doc CHANGES COPYING CREDITS README* LICENSE
%doc docs/*.* docs/examples packaging/rhel/libreswan-sysctl.conf

%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
# Secrets file: owner read/write only, and never replaced on upgrade.
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/pluto
# Directory is 0700, so the 0644 files inside it are still reachable by root only.
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
# NOTE(review): not marked as a config file, so local edits are overwritten on
# upgrade - confirm this is intended.
%attr(0644,root,root) %{_sysconfdir}/ipsec.d/v6neighbor-hole.conf
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
%attr(0755,root,root) %dir %{_localstatedir}/run/pluto
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
%{_sbindir}/ipsec
%attr(0755,root,root) %dir %{_libexecdir}/ipsec
%{_libexecdir}/ipsec/*
%attr(0644,root,root) %{_mandir}/*/*.gz
%if %{?rhel} <= 6
%{_initrddir}/ipsec
%else
%attr(0644,root,root) %{_unitdir}/ipsec.service
%endif

# HMAC files produced by fipshmac after stripping; their location follows the
# same rhel split as the redefined install-post step in the build section.
%if %{USE_FIPSCHECK}
%if %{?rhel} <= 6
%{_sbindir}/.ipsec.hmac
%{_libexecdir}/ipsec/.*.hmac
%else
%{_libdir}/fipscheck/*.hmac
%endif

# We own the directory so we don't have to require prelink
%attr(0755,root,root) %dir %{_sysconfdir}/prelink.conf.d/
%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
%endif
%changelog |
299 |
|
|
* Sat Dec 19 2015 Paul Wouters <pwouters@redhat.com> - 3.16-1 |
300 |
|
|
- Updated to libreswan-3.16 |
301 |
|
|
|
302 |
|
|
* Thu Oct 15 2015 Paul Wouters <pwouters@redhat.com> - 3.15-5 |
303 |
|
|
- Resolves: rhbz#1272317 libreswan FIPS test mistakenly looks for non-existent file hashes |
304 |
|
|
- Resolves: rhbz#1271778 ipsec whack man page discrepancies |
305 |
|
|
|
306 |
|
|
* Tue Sep 29 2015 Paul Wouters <pwouters@redhat.com> - 3.15-4 |
307 |
|
|
- Updates: rhbz#1233303 add libreswan to RHEL6 (fix source confusion) |
308 |
|
|
|
309 |
|
|
* Mon Sep 28 2015 Paul Wouters <pwouters@redhat.com> - 3.15-3 |
310 |
|
|
- Updates: rhbz#1233303 add libreswan to RHEL6 |
311 |
|
|
|
312 |
|
|
* Tue Sep 15 2015 Paul Wouters <pwouters@redhat.com> - 3.15-2 |
313 |
|
|
- Resolves: rhbz#1259208 CVE-2015-3240 |
314 |
|
|
- Merge rhel6 and rhel7 spec into one |
315 |
|
|
- Be lenient for racoon padding behaviour |
316 |
|
|
- Fix seedev option to /dev/random |
317 |
|
|
- Some IKEv1 PAM methods always gave 'Permission denied' |
318 |
|
|
- Parser workarounds for differences in gcc/flex/bison on rhel6/rhel7 |
319 |
|
|
- Parser fix to allow specifying time without unit (openswan compat) |
320 |
|
|
- Fix Labeled IPsec on rekeyed IPsec SA's |
321 |
|
|
- Workaround for wrong padding by racoon2 |
322 |
|
|
- Disable NSS HW GCM to work around rhel6 xen builders bug |
323 |
|
|
|
324 |
|
|
* Wed Aug 19 2015 Paul Wouters <pwouters@redhat.com> - 3.14-1 |
325 |
|
|
- Resolves: rhbz#1233303 add libreswan to RHEL6 |
326 |
|
|
- Resolves: CVE-2015-3240 denial of service via IKE daemon restart when receiving a bad DH gx |
327 |
|
|
|
328 |
|
|
* Fri May 29 2015 Paul Wouters <pwouters@redhat.com> - 3.12-10.1 |
329 |
|
|
- Resolves: rhbz#1226407 CVE-2015-3204 libreswan: crafted IKE packet causes daemon restart |
330 |
|
|
|
331 |
|
|
* Tue May 05 2015 Paul Wouters <pwouters@redhat.com> - 3.12-10 |
332 |
|
|
- Resolves: rhbz#1213652 Support CAVS [updated another prf() free symkey, bogus fips mode fix] |
333 |
|
|
|
334 |
|
|
* Tue Apr 28 2015 Paul Wouters <pwouters@redhat.com> - 3.12-9 |
335 |
|
|
- Resolves: rhbz#1213652 Support CAVS [updated to kill another copy of prf()] |
336 |
|
|
- Resolves: rhbz#1208023 Libreswan with IPv6 [updated patch by Jaroslav Aster] |
337 |
|
|
- Resolves: rhbz#1208022 libreswan ignores module blacklist [updated modprobe handling] |
338 |
|
|
|
339 |
|
|
* Mon Apr 20 2015 Paul Wouters <pwouters@redhat.com> - 3.12-8 |
340 |
|
|
- Resolves: rhbz#1213652 Support CAVS testing of the PRF/PRF+ functions |
341 |
|
|
|
342 |
|
|
* Mon Apr 13 2015 Paul Wouters <pwouters@redhat.com> - 3.12-7 |
343 |
|
|
- Resolves: rhbz#1208022 libreswan ignores module blacklist rules |
344 |
|
|
- Resolves: rhbz#1208023 Libreswan with IPv6 in RHEL7 fails after reboot |
345 |
|
|
- Resolves: rhbz#1211146 pluto crashes in fips mode |
346 |
|
|
|
347 |
|
|
* Tue Mar 17 2015 Paul Wouters <pwouters@redhat.com> - 3.12-6 |
348 |
|
|
- Resolves: rhbz#1198650 SELinux context string size limit |
349 |
|
|
- Resolves: rhbz#1198649 Add new option for BSI random requirement |
350 |
|
|
|
351 |
|
|
* Tue Jan 20 2015 Paul Wouters <pwouters@redhat.com> - 3.12-5 |
352 |
|
|
- Resolves: rhbz#826264 aes-gcm implementation support (for IKEv2) |
353 |
|
|
- Resolves: rhbz#1074018 Audit key agreement (integ gcm fixup) |
354 |
|
|
|
355 |
|
|
* Tue Dec 30 2014 Paul Wouters <pwouters@redhat.com> - 3.12-4 |
356 |
|
|
- Resolves: rhbz#1134297 aes-ctr cipher is not supported |
357 |
|
|
- Resolves: rhbz#1131503 non-zero rSPI on INVALID_KE (and proper INVALID_KE handling) |
358 |
|
|
|
359 |
|
|
* Thu Dec 04 2014 Paul Wouters <pwouters@redhat.com> - 3.12-2 |
360 |
|
|
- Resolves: rhbz#1105171 (Update man page entry) |
361 |
|
|
- Resolves: rhbz#1144120 (Update for ESP CAMELLIA with IKEv2) |
362 |
|
|
- Resolves: rhbz#1074018 Audit key agreement |
363 |
|
|
|
364 |
|
|
* Fri Nov 07 2014 Paul Wouters <pwouters@redhat.com> - 3.12-1 |
365 |
|
|
- Resolves: rhbz#1136124 rebase to libreswan 3.12 |
366 |
|
|
- Resolves: rhbz#1052811 [TAHI] (also clear reserved flags for isakmp_sa header) |
367 |
|
|
- Resolves: rhbz#1157379 [TAHI][IKEv2] IKEv2.EN.R.1.3.3.1: Non RESERVED fields in INFORMATIONAL request |
368 |
|
|
|
369 |
|
|
* Mon Oct 27 2014 Paul Wouters <pwouters@redhat.com> - 3.11-2 |
370 |
|
|
- Resolves: rhbz#1136124 rebase to libreswan 3.11 (coverity fixup, dpdaction=clear fix) |
371 |
|
|
|
372 |
|
|
* Wed Oct 22 2014 Paul Wouters <pwouters@redhat.com> - 3.11-1 |
373 |
|
|
- Resolves: rhbz#1136124 rebase to libreswan 3.11 |
374 |
|
|
- Resolves: rhbz#1099905 ikev2 delete payloads are not delivered to peer |
375 |
|
|
- Resolves: rhbz#1147693 NetworkManager-libreswan can not connect to Red Hat IPSec Xauth VPN |
376 |
|
|
- Resolves: rhbz#1055865 [TAHI][IKEv2] libreswan do not ignore the content of version bit |
377 |
|
|
- Resolves: rhbz#1146106 Pluto crashes after start when some ah algorithms are used |
378 |
|
|
- Resolves: rhbz#1108256 addconn compatibility with openswan |
379 |
|
|
- Resolves: rhbz#1152625 [TAHI][IKEv2] IKEv2.EN.I.1.1.6.2 Part D: Integrity Algorithm AUTH_AES_XCBC_96 fail |
380 |
|
|
- Resolves: rhbz#1119704 [TAHI][IKEv2]IKEv2Interop.1.13a test fail |
381 |
|
|
- Resolves: rhbz#1100261 libreswan does not send response when it receives Delete Payload for a CHILD_SA |
382 |
|
|
- Resolves: rhbz#1100239 ikev2 IKE SA responder does not send delete request to IKE SA initiator |
383 |
|
|
- Resolves: rhbz#1052811 [TAHI][IKEv2]IKEv2.EN.I.1.1.11.1: Non zero RESERVED fields in IKE_SA_INIT response |
384 |
|
|
- Resolves: rhbz#1126868 ikev2 sequence numbers are implemented incorrectly |
385 |
|
|
- Resolves: rhbz#1145245 Libreswan appears to start with systemd before all the NICs are up and running. |
386 |
|
|
- Resolves: rhbz#1145231 libreswan 3.10 upgrade breaks old ipsec.secrets configs |
387 |
|
|
- Resolves: rhbz#1144123 Add ESP support for AES_XCBC hash for USGv6 and IPsec-v3 compliance |
388 |
|
|
- Resolves: rhbz#1144120 Add ESP support for CAMELLIA for USGv6 and IPsec-v3 compliance |
389 |
|
|
- Resolves: rhbz#1099877 Missing man-pages ipsec_whack, ipsec_manual |
390 |
|
|
- Resolves: rhbz#1100255 libreswan Ikev2 implementation does not send an INFORMATIONAL response when it receives an INFORMATIONAL request with a Delete Payload for an IKE_SA |
391 |
|
|
|
392 |
|
|
* Tue Sep 09 2014 Paul Wouters <pwouters@redhat.com> - 3.10-3 |
393 |
|
|
- Resolves: rhbz#1136124 rebase to 3.10 (auto=route bug on startup) |
394 |
|
|
|
395 |
|
|
* Mon Sep 08 2014 Paul Wouters <pwouters@redhat.com> - 3.10-2 |
396 |
|
|
- Resolves: rhbz#1136124 rebase to libreswan 3.10 |
397 |
|
|
|
398 |
|
|
* Mon Jul 14 2014 Paul Wouters <pwouters@redhat.com> - 3.8-6 |
399 |
|
|
- Resolves: rhbz#1092047 pluto cannot write to directories not owned by root |
400 |
|
|
|
401 |
|
|
* Thu Apr 10 2014 Paul Wouters <pwouters@redhat.com> - 3.8-5 |
402 |
|
|
- Resolves: rhbz#1052834 create_child_sa message ID handling |
403 |
|
|
|
404 |
|
|
|
405 |
|
|
* Tue Mar 18 2014 Paul Wouters <pwouters@redhat.com> - 3.8-4 |
406 |
|
|
- Resolves: rhbz#1052834 create_child_sa response |
407 |
|
|
|
408 |
|
|
* Wed Mar 05 2014 Paul Wouters <pwouters@redhat.com> - 3.8-3 |
409 |
|
|
- Resolves: rhbz#1069024 erroneous debug line with mixture [...] |
410 |
|
|
- Resolves: rhbz#1030939 update nss/x509 documents, don't load acerts |
411 |
|
|
- Resolves: rhbz#1058813 newhostkey returns zero value when it fails |
412 |
|
|
|
413 |
|
|
* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 3.8-2 |
414 |
|
|
- Mass rebuild 2014-01-24 |
415 |
|
|
|
416 |
|
|
* Thu Jan 16 2014 Paul Wouters <pwouters@redhat.com> - 3.8-1 |
417 |
|
|
- Resolves: rhbz#CVE-2013-6467 |
418 |
|
|
- Resolves: rhbz#1043642 rebase to version 3.8 |
419 |
|
|
- Resolves: rhbz#1029912 ipsec force-reload doesn't work |
420 |
|
|
- Resolves: rhbz#826261 Implement SHA384/512 support for Openswan |
421 |
|
|
- Resolves: rhbz#1039655 ipsec newhostkey generates false configuration |
422 |
|
|
|
423 |
|
|
* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 3.6-3 |
424 |
|
|
- Mass rebuild 2013-12-27 |
425 |
|
|
|
426 |
|
|
* Fri Nov 08 2013 Paul Wouters <pwouters@redhat.com> - 3.6-2 |
427 |
|
|
- Fix race condition in post for creating nss db |
428 |
|
|
|
429 |
|
|
* Thu Oct 31 2013 Paul Wouters <pwouters@redhat.com> - 3.6-1 |
430 |
|
|
- Updated to version 3.6 (IKEv2, MODECFG, Cisco interop fixes) |
431 |
|
|
- Generate empty NSS db if none exists |
432 |
|
|
- FIPS update using /etc/system-fips |
433 |
|
|
- Provide: openswan-doc |
434 |
|
|
|
435 |
|
|
* Fri Aug 09 2013 Paul Wouters <pwouters@redhat.com> - 3.5-2 |
436 |
|
|
- rebuilt and bumped EVR to avoid confusion of import->delete->import |
437 |
|
|
- require iproute |
438 |
|
|
|
439 |
|
|
* Mon Jul 15 2013 Paul Wouters <pwouters@redhat.com> - 3.5-1 |
440 |
|
|
- Initial package for RHEL7 |
441 |
|
|
- Added interop patch for (some?) Cisco VPN clients sending 16 zero |
442 |
|
|
bytes of extraneous IKE data |
443 |
|
|
- Removed fipscheck_version |