
Annotation of /rpms/libreswan/contribs10/libreswan.spec



Revision 1.2 - (hide annotations) (download)
Sat Feb 10 13:45:39 2024 UTC (9 months, 1 week ago) by jcrisp
Branch: MAIN
CVS Tags: libreswan-4_12-2_el7_sme
Changes since 1.1: +150 -355 lines
Import libreswan 4.12

# These are rpm macros and are 0 or 1
# Request the distribution's hardened compiler and linker flags.
%global _hardened_build 1
# Build with ElectricFence: adds the BuildRequires and passes USE_EFENCE=true to make.
%global with_efence 0
# Selects which OPTIMIZE_CFLAGS value the build section passes to make.
%global with_development 0
# Adds the CAVS vector sources and enables the whole check section.
%global with_cavstests 1
# There is no new enough unbound on rhel7
%global with_dnssec 0
# Minimum NSS version, applied to both BuildRequires and Requires below.
%global nss_version 3.79-4
# Libreswan config options
# For RHEL7 we need USE_NSS_KDF=false and USE_FIPSCHECK=true
# Note that this means libreswan needs its own FIPS certification
# The same option list is passed to make in both the build and install
# sections. USE_DNSSEC is taken from the USE_DNSSEC global that the
# with_dnssec conditional sets further down in this file.
# Security-relevant switches enabled here: USE_SECCOMP, USE_LIBCAP_NG,
# USE_LABELED_IPSEC, USE_AUTHPAM and USE_FIPSCHECK. FINALNSSDIR places the
# NSS database under sysconfdir/ipsec.d, which the files section packages
# with mode 0700.
%global libreswan_config \\\
FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
FINALMANDIR=%{_mandir} \\\
FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\
INITSYSTEM=systemd \\\
PREFIX=%{_prefix} \\\
PYTHON_BINARY=%{__python2} \\\
SHELL_BINARY=/bin/sh \\\
USE_AUTHPAM=true \\\
USE_DNSSEC=%{USE_DNSSEC} \\\
USE_FIPSCHECK=true \\\
USE_LABELED_IPSEC=true \\\
USE_LDAP=true \\\
USE_LIBCAP_NG=true \\\
USE_LIBCURL=true \\\
USE_NM=true \\\
USE_NSS_IPSEC_PROFILE=true \\\
USE_NSS_KDF=false \\\
USE_SECCOMP=true \\\
USE_XFRM_INTERFACE_IFLA_HEADER=true \\\
%{nil}

# Pre-release suffix consumed by Release and Source0; left disabled here.
#global prever dr1

Name: libreswan
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
Version: 4.12
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
License: GPLv2
Url: https://libreswan.org/
# NOTE(review): no signature or checksum verification of the downloaded
# sources is visible in this spec - confirm that the build system pins the
# hashes of the tarball and of the CAVS vector files.
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
%if 0%{with_cavstests}
# Test vectors used only by the check section.
Source10: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
Source11: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
Source12: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif

BuildRequires: gcc make
BuildRequires: audit-libs-devel
BuildRequires: bison
BuildRequires: curl-devel
# fipscheck-devel goes with USE_FIPSCHECK=true in libreswan_config.
BuildRequires: fipscheck-devel
BuildRequires: flex
BuildRequires: hostname
BuildRequires: libcap-ng-devel
BuildRequires: libevent-devel
BuildRequires: libseccomp-devel
BuildRequires: libselinux-devel
BuildRequires: nspr-devel
BuildRequires: nss-devel >= %{nss_version}
# nss-tools provides certutil, which the check section calls.
BuildRequires: nss-tools
BuildRequires: openldap-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: redhat-rpm-config
BuildRequires: systemd-devel
BuildRequires: xmlto
%if 0%{with_efence}
BuildRequires: ElectricFence
%endif
# The with_dnssec switch also fixes the USE_DNSSEC value that
# libreswan_config hands to make.
%if 0%{with_dnssec}
BuildRequires: ldns-devel
BuildRequires: unbound-devel >= 1.6.0
Requires: unbound-libs >= 1.6.0
%global USE_DNSSEC true
%else
%global USE_DNSSEC false
%endif
Requires: coreutils
# Runtime side of USE_FIPSCHECK=true; the files section ships pluto.hmac.
Requires: fipscheck%{_isa}
Requires: iproute
Requires: logrotate
Requires: nss >= %{nss_version}
Requires: nss-softokn
Requires: nss-tools
%{?systemd_requires}

# This package takes over from openswan: older openswan builds conflict and
# are obsoleted, and the openswan and openswan-doc names are provided.
Conflicts: openswan < %{version}-%{release}
Obsoletes: openswan < %{version}-%{release}
Provides: openswan = %{version}-%{release}
Provides: openswan-doc = %{version}-%{release}



%description
Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is
the Internet Protocol Security and uses strong cryptography to provide
both authentication and encryption services. These services allow you
to build secure tunnels through untrusted networks. Everything passing
through the untrusted net is encrypted by the ipsec gateway machine and
decrypted by the gateway at the other end of the tunnel. The resulting
tunnel is a virtual private network or VPN.

This package contains the daemons and userland tools for setting up
Libreswan.

Libreswan also supports IKEv2 (RFC7296) and Secure Labeling

Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04

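%prep
%setup -q -n libreswan-%{version}%{?prever}

%build
# Build only the "programs" target. Compiler flags come from the
# distribution: optflags for normal builds, the hardened cflags macro when
# with_development is set. USERLINK carries the distribution linker flags.
# WERROR_CFLAGS keeps -Werror but does not fail the build on address
# warnings and turns off missing-braces and missing-field-initializers.
# The option list in libreswan_config must stay identical to the one used
# in the install section.
make %{?_smp_mflags} \
%if 0%{with_development}
    OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \
%else
    OPTIMIZE_CFLAGS="%{optflags}" \
%endif
%if 0%{with_efence}
    USE_EFENCE=true \
%endif
    USERLINK="%{?__global_ldflags}" \
    WERROR_CFLAGS="-Werror -Wno-error=address -Wno-missing-braces -Wno-missing-field-initializers" \
    %{libreswan_config} \
    programs

# Add generation of HMAC checksums of the final stripped binaries
# fipshmac is listed after the debuginfo, arch and os post-install steps so
# that the checksum is computed over the pluto binary in its final form.
# Only pluto gets an HMAC here.
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/pluto
%{nil}
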
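%install
# Same option list as the build section, so that paths compiled into the
# binaries match the install locations.
make \
    DESTDIR=%{buildroot} \
    %{libreswan_config} \
    install
# Documentation is packaged through the doc directives of the files section.
rm -rf %{buildroot}/usr/share/doc/libreswan
# Helpers whose name ends in "check" are removed and therefore not shipped.
rm -rf %{buildroot}%{_libexecdir}/ipsec/*check

install -d -m 0755 %{buildroot}%{_rundir}/pluto
install -d %{buildroot}%{_sbindir}

install -d %{buildroot}%{_sysctldir}
install -m 0644 packaging/rhel/libreswan-sysctl.conf \
    %{buildroot}%{_sysctldir}/50-libreswan.conf

# Directory that receives pluto.hmac from the post-install fipshmac step.
mkdir -p %{buildroot}%{_libdir}/fipscheck
install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/
install -m644 packaging/rhel/libreswan-prelink.conf \
    %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf

# The packaged ipsec.secrets only pulls in the files under /etc/ipsec.d.
# Its 0600 root-only mode is set by the attr entry in the files section,
# not by this redirect.
echo "include /etc/ipsec.d/*.secrets" \
    > %{buildroot}%{_sysconfdir}/ipsec.secrets

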
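%if 0%{with_cavstests}
%check
# There is an elaborate upstream testing infrastructure which we do not
# run here.
# We only run the CAVS tests here.
cp %{SOURCE10} %{SOURCE11} %{SOURCE12} .
bunzip2 *.fax.bz2

# work around for older xen based machines
# (only affects the environment of these build-time tests)
export NSS_DISABLE_HW_GCM=1

# Each cavp run is compared with the vector file it was given; any
# difference makes diff exit non-zero. The diff text itself is discarded,
# so a failing log shows which step failed but not which vector differed.
: starting CAVS test for IKEv2
%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \
    diff -u ikev2.fax - > /dev/null
: starting CAVS test for IKEv1 RSASIG
%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \
    diff -u ikev1_dsa.fax - > /dev/null
: starting CAVS test for IKEv1 PSK
%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
    diff -u ikev1_psk.fax - > /dev/null
: CAVS tests passed

# Some of these tests will show ERROR for negative testing - it will exit on real errors
%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo proposal test failed; exit 1; }
%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; }
: Algorithm parser tests passed

# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode
# The throw-away NSS database lives in a private mktemp directory and is
# removed when the script exits, whether the self-test passes or fails.
tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
trap 'rm -rf "$tmpdir"' EXIT
certutil -N -d sql:"$tmpdir" --empty-password
%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir "$tmpdir" --rundir "$tmpdir"
: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST

%endif
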
%post
# Standard systemd scriptlet for ipsec.service, then apply the packaged
# sysctl file.
%systemd_post ipsec.service
%sysctl_apply 50-libreswan.conf
# Undo prelinking of everything under the ipsec libexec directory. Errors
# are ignored, so a host without prelink is fine.
# NOTE(review): presumably needed so that prelink-modified binaries do not
# invalidate the fipscheck HMAC - confirm.
prelink -u %{_libexecdir}/ipsec/* 2>/dev/null || :

%preun
%systemd_preun ipsec.service

%postun
# Restarts ipsec.service on package upgrade.
%systemd_postun_with_restart ipsec.service

%files
%license LICENSE COPYING
%doc CHANGES CREDITS README*
%doc docs/*.* docs/examples
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
# Secrets file: readable by root only, and kept on upgrade (noreplace).
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
# ipsec.d is root-only; FINALNSSDIR in libreswan_config points the NSS
# database at this directory.
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
%attr(0644,root,root) %config(noreplace) %{_sysctldir}/50-libreswan.conf
%attr(0755,root,root) %dir %{_rundir}/pluto
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
%attr(0644,root,root) %{_unitdir}/ipsec.service
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
%{_sbindir}/ipsec
%{_libexecdir}/ipsec
%doc %{_mandir}/*/*
# HMAC of pluto written by fipshmac in the spec_install_post override.
%{_libdir}/fipscheck/pluto.hmac
# We own the directory so we don't have to require prelink
%dir %{_sysconfdir}/prelink.conf.d/
%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf

%changelog
* Sat Feb 10 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.12-2
- build for Koozali SME Server

* Tue Aug 8 2023 Team Libreswan <team@libreswan.org> - 4.12-1
- Automated build from release tar ball
