1 |
jcrisp |
1.2 |
# These are rpm macros and are 0 or 1 |
2 |
|
|
%global _hardened_build 1 |
3 |
|
|
%global with_efence 0 |
4 |
|
|
%global with_development 0 |
5 |
|
|
%global with_cavstests 1 |
6 |
|
|
# There is no new enough unbound on rhel7 |
7 |
|
|
%global with_dnssec 0 |
8 |
|
|
%global nss_version 3.79-4 |
9 |
|
|
# Libreswan config options |
10 |
|
|
# For RHEL7 we need USE_NSS_KDF=false and USE_FIPSCHECK=true |
11 |
|
|
# Note that this means libreswan needs its own FIPS certification |
12 |
|
|
%global libreswan_config \\\ |
13 |
|
|
FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\ |
14 |
|
|
FINALMANDIR=%{_mandir} \\\ |
15 |
|
|
FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\ |
16 |
|
|
INITSYSTEM=systemd \\\ |
17 |
|
|
PREFIX=%{_prefix} \\\ |
18 |
|
|
PYTHON_BINARY=%{__python2} \\\ |
19 |
|
|
SHELL_BINARY=/bin/sh \\\ |
20 |
|
|
USE_AUTHPAM=true \\\ |
21 |
|
|
USE_DNSSEC=%{USE_DNSSEC} \\\ |
22 |
|
|
USE_FIPSCHECK=true \\\ |
23 |
|
|
USE_LABELED_IPSEC=true \\\ |
24 |
|
|
USE_LDAP=true \\\ |
25 |
|
|
USE_LIBCAP_NG=true \\\ |
26 |
|
|
USE_LIBCURL=true \\\ |
27 |
|
|
USE_NM=true \\\ |
28 |
|
|
USE_NSS_IPSEC_PROFILE=true \\\ |
29 |
|
|
USE_NSS_KDF=false \\\ |
30 |
|
|
USE_SECCOMP=true \\\ |
31 |
|
|
USE_XFRM_INTERFACE_IFLA_HEADER=true \\\ |
32 |
|
|
%{nil} |
33 |
brianr |
1.1 |
|
34 |
jcrisp |
1.2 |
#global prever dr1 |
35 |
brianr |
1.1 |
|
36 |
|
|
Name: libreswan |
37 |
jcrisp |
1.2 |
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec |
38 |
|
|
Version: 4.12 |
39 |
|
|
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist} |
40 |
brianr |
1.1 |
License: GPLv2 |
41 |
|
|
Url: https://libreswan.org/ |
42 |
jcrisp |
1.2 |
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz |
43 |
|
|
%if 0%{with_cavstests} |
44 |
|
|
Source10: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2 |
45 |
|
|
Source11: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2 |
46 |
|
|
Source12: https://download.libreswan.org/cavs/ikev2.fax.bz2 |
47 |
|
|
%endif |
48 |
brianr |
1.1 |
|
49 |
jcrisp |
1.2 |
BuildRequires: gcc make |
50 |
|
|
BuildRequires: audit-libs-devel |
51 |
|
|
BuildRequires: bison |
52 |
|
|
BuildRequires: curl-devel |
53 |
|
|
BuildRequires: fipscheck-devel |
54 |
|
|
BuildRequires: flex |
55 |
|
|
BuildRequires: hostname |
56 |
|
|
BuildRequires: libcap-ng-devel |
57 |
|
|
BuildRequires: libevent-devel |
58 |
|
|
BuildRequires: libseccomp-devel |
59 |
|
|
BuildRequires: libselinux-devel |
60 |
|
|
BuildRequires: nspr-devel |
61 |
|
|
BuildRequires: nss-devel >= %{nss_version} |
62 |
|
|
BuildRequires: nss-tools |
63 |
|
|
BuildRequires: openldap-devel |
64 |
brianr |
1.1 |
BuildRequires: pam-devel |
65 |
jcrisp |
1.2 |
BuildRequires: pkgconfig |
66 |
|
|
BuildRequires: redhat-rpm-config |
67 |
|
|
BuildRequires: systemd-devel |
68 |
brianr |
1.1 |
BuildRequires: xmlto |
69 |
jcrisp |
1.2 |
%if 0%{with_efence} |
70 |
|
|
BuildRequires: ElectricFence |
71 |
|
|
%endif |
72 |
|
|
%if 0%{with_dnssec} |
73 |
|
|
BuildRequires: ldns-devel |
74 |
|
|
BuildRequires: unbound-devel >= 1.6.0 |
75 |
|
|
Requires: unbound-libs >= 1.6.0 |
76 |
|
|
%global USE_DNSSEC true |
77 |
brianr |
1.1 |
%else |
78 |
jcrisp |
1.2 |
%global USE_DNSSEC false |
79 |
brianr |
1.1 |
%endif |
80 |
jcrisp |
1.2 |
Requires: coreutils |
81 |
brianr |
1.1 |
Requires: fipscheck%{_isa} |
82 |
jcrisp |
1.2 |
Requires: iproute |
83 |
|
|
Requires: logrotate |
84 |
|
|
Requires: nss >= %{nss_version} |
85 |
|
|
Requires: nss-softokn |
86 |
|
|
Requires: nss-tools |
87 |
|
|
%{?systemd_requires} |
88 |
brianr |
1.1 |
|
89 |
|
|
Conflicts: openswan < %{version}-%{release} |
90 |
jcrisp |
1.2 |
Obsoletes: openswan < %{version}-%{release} |
91 |
brianr |
1.1 |
Provides: openswan = %{version}-%{release} |
92 |
|
|
Provides: openswan-doc = %{version}-%{release} |
93 |
jcrisp |
1.2 |
|
94 |
|
|
|
95 |
brianr |
1.1 |
|
96 |
|
|
%description |
97 |
|
|
Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is |
98 |
|
|
the Internet Protocol Security and uses strong cryptography to provide |
99 |
|
|
both authentication and encryption services. These services allow you |
100 |
|
|
to build secure tunnels through untrusted networks. Everything passing |
101 |
|
|
through the untrusted net is encrypted by the ipsec gateway machine and |
102 |
|
|
decrypted by the gateway at the other end of the tunnel. The resulting |
103 |
|
|
tunnel is a virtual private network or VPN. |
104 |
|
|
|
105 |
|
|
This package contains the daemons and userland tools for setting up |
106 |
jcrisp |
1.2 |
Libreswan. |
107 |
brianr |
1.1 |
|
108 |
jcrisp |
1.2 |
Libreswan also supports IKEv2 (RFC7296) and Secure Labeling |
109 |
brianr |
1.1 |
|
110 |
|
|
Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 |
111 |
|
|
|
112 |
|
|
%prep |
113 |
|
|
%setup -q -n libreswan-%{version}%{?prever} |
114 |
|
|
|
115 |
|
|
%build |
116 |
|
|
make %{?_smp_mflags} \ |
117 |
jcrisp |
1.2 |
%if 0%{with_development} |
118 |
|
|
OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \ |
119 |
brianr |
1.1 |
%else |
120 |
jcrisp |
1.2 |
OPTIMIZE_CFLAGS="%{optflags}" \ |
121 |
brianr |
1.1 |
%endif |
122 |
jcrisp |
1.2 |
%if 0%{with_efence} |
123 |
|
|
USE_EFENCE=true \ |
124 |
brianr |
1.1 |
%endif |
125 |
jcrisp |
1.2 |
USERLINK="%{?__global_ldflags}" \ |
126 |
|
|
WERROR_CFLAGS="-Werror -Wno-error=address -Wno-missing-braces -Wno-missing-field-initializers" \ |
127 |
|
|
%{libreswan_config} \ |
128 |
|
|
programs |
129 |
brianr |
1.1 |
FS=$(pwd) |
130 |
|
|
|
131 |
|
|
# Add generation of HMAC checksums of the final stripped binaries |
132 |
|
|
%define __spec_install_post \ |
133 |
|
|
%{?__debug_package:%{__debug_install_post}} \ |
134 |
|
|
%{__arch_install_post} \ |
135 |
|
|
%{__os_install_post} \ |
136 |
jcrisp |
1.2 |
fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/pluto |
137 |
brianr |
1.1 |
%{nil} |
138 |
|
|
|
139 |
|
|
%install |
140 |
|
|
make \ |
141 |
jcrisp |
1.2 |
DESTDIR=%{buildroot} \ |
142 |
|
|
%{libreswan_config} \ |
143 |
|
|
install |
144 |
brianr |
1.1 |
FS=$(pwd) |
145 |
|
|
rm -rf %{buildroot}/usr/share/doc/libreswan |
146 |
jcrisp |
1.2 |
rm -rf %{buildroot}%{_libexecdir}/ipsec/*check |
147 |
brianr |
1.1 |
|
148 |
jcrisp |
1.2 |
install -d -m 0755 %{buildroot}%{_rundir}/pluto |
149 |
brianr |
1.1 |
install -d %{buildroot}%{_sbindir} |
150 |
|
|
|
151 |
jcrisp |
1.2 |
install -d %{buildroot}%{_sysctldir} |
152 |
|
|
install -m 0644 packaging/rhel/libreswan-sysctl.conf \ |
153 |
|
|
%{buildroot}%{_sysctldir}/50-libreswan.conf |
154 |
|
|
|
155 |
brianr |
1.1 |
mkdir -p %{buildroot}%{_libdir}/fipscheck |
156 |
|
|
install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/ |
157 |
jcrisp |
1.2 |
install -m644 packaging/rhel/libreswan-prelink.conf \ |
158 |
|
|
%{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf |
159 |
brianr |
1.1 |
|
160 |
jcrisp |
1.2 |
echo "include /etc/ipsec.d/*.secrets" \ |
161 |
|
|
> %{buildroot}%{_sysconfdir}/ipsec.secrets |
162 |
brianr |
1.1 |
|
163 |
|
|
|
164 |
jcrisp |
1.2 |
%if 0%{with_cavstests} |
165 |
brianr |
1.1 |
%check |
166 |
jcrisp |
1.2 |
# There is an elaborate upstream testing infrastructure which we do not |
167 |
|
|
# run here. |
168 |
|
|
# We only run the CAVS tests here. |
169 |
|
|
cp %{SOURCE10} %{SOURCE11} %{SOURCE12} . |
170 |
brianr |
1.1 |
bunzip2 *.fax.bz2 |
171 |
|
|
|
172 |
jcrisp |
1.2 |
# work around for older xen based machines |
173 |
brianr |
1.1 |
export NSS_DISABLE_HW_GCM=1 |
174 |
|
|
|
175 |
jcrisp |
1.2 |
: starting CAVS test for IKEv2 |
176 |
|
|
%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \ |
177 |
|
|
diff -u ikev2.fax - > /dev/null |
178 |
|
|
: starting CAVS test for IKEv1 RSASIG |
179 |
|
|
%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \ |
180 |
|
|
diff -u ikev1_dsa.fax - > /dev/null |
181 |
|
|
: starting CAVS test for IKEv1 PSK |
182 |
|
|
%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \ |
183 |
|
|
diff -u ikev1_psk.fax - > /dev/null |
184 |
|
|
: CAVS tests passed |
185 |
|
|
|
186 |
|
|
# Some of these tests will show ERROR for negative testing - it will exit on real errors |
187 |
|
|
%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; } |
188 |
|
|
%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; } |
189 |
|
|
: Algorithm parser tests passed |
190 |
|
|
|
191 |
|
|
# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode |
192 |
|
|
tmpdir=$(mktemp -d /tmp/libreswan-XXXXX) |
193 |
|
|
certutil -N -d sql:$tmpdir --empty-password |
194 |
|
|
%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir |
195 |
|
|
: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST |
196 |
|
|
|
197 |
brianr |
1.1 |
%endif |
198 |
|
|
|
199 |
|
|
%post |
200 |
jcrisp |
1.2 |
%systemd_post ipsec.service |
201 |
|
|
%sysctl_apply 50-libreswan.conf |
202 |
brianr |
1.1 |
prelink -u %{_libexecdir}/ipsec/* 2>/dev/null || : |
203 |
|
|
|
204 |
|
|
%preun |
205 |
|
|
%systemd_preun ipsec.service |
206 |
|
|
|
207 |
|
|
%postun |
208 |
|
|
%systemd_postun_with_restart ipsec.service |
209 |
|
|
|
210 |
|
|
%files |
211 |
jcrisp |
1.2 |
%license LICENSE COPYING |
212 |
|
|
%doc CHANGES CREDITS README* |
213 |
|
|
%doc docs/*.* docs/examples |
214 |
brianr |
1.1 |
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf |
215 |
|
|
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets |
216 |
|
|
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d |
217 |
|
|
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies |
218 |
|
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/* |
219 |
jcrisp |
1.2 |
%attr(0644,root,root) %config(noreplace) %{_sysctldir}/50-libreswan.conf |
220 |
|
|
%attr(0755,root,root) %dir %{_rundir}/pluto |
221 |
|
|
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf |
222 |
|
|
%attr(0644,root,root) %{_unitdir}/ipsec.service |
223 |
brianr |
1.1 |
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto |
224 |
jcrisp |
1.2 |
%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan |
225 |
brianr |
1.1 |
%{_sbindir}/ipsec |
226 |
jcrisp |
1.2 |
%{_libexecdir}/ipsec |
227 |
|
|
%doc %{_mandir}/*/* |
228 |
|
|
%{_libdir}/fipscheck/pluto.hmac |
229 |
brianr |
1.1 |
# We own the directory so we don't have to require prelink |
230 |
jcrisp |
1.2 |
%dir %{_sysconfdir}/prelink.conf.d/ |
231 |
brianr |
1.1 |
%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf |
232 |
|
|
|
233 |
|
|
%changelog |
234 |
jcrisp |
1.2 |
* Sat Feb 10 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.12-2 |
235 |
|
|
- build for Koozali SME Server |
236 |
brianr |
1.1 |
|
237 |
jcrisp |
1.2 |
* Tue Aug 8 2023 Team Libreswan <team@libreswan.org> - 4.12-1 |
238 |
|
|
- Automated build from release tar ball |