libreswan/contribs10/libreswan.spec

# These are rpm macros and are 0 or 1
%global _hardened_build 1
%global with_efence 0
%global with_development 0
%global with_cavstests 1
# There is no new enough unbound on rhel7
%global with_dnssec 0
%global nss_version 3.79-4
# Libreswan config options
# For RHEL7 we need USE_NSS_KDF=false and USE_FIPSCHECK=true
# Note that this means libreswan needs its own FIPS certification
%global libreswan_config \\\
    FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
    FINALMANDIR=%{_mandir} \\\
    FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\
    INITSYSTEM=systemd \\\
    PREFIX=%{_prefix} \\\
    PYTHON_BINARY=%{__python2} \\\
    SHELL_BINARY=/bin/sh \\\
    USE_AUTHPAM=true \\\
    USE_DNSSEC=%{USE_DNSSEC} \\\
    USE_FIPSCHECK=true \\\
    USE_LABELED_IPSEC=true \\\
    USE_LDAP=true \\\
    USE_LIBCAP_NG=true \\\
    USE_LIBCURL=true \\\
    USE_NM=true \\\
    USE_NSS_IPSEC_PROFILE=true \\\
    USE_NSS_KDF=false \\\
    USE_SECCOMP=true \\\
    USE_XFRM_INTERFACE_IFLA_HEADER=true \\\
%{nil}

#global prever dr1

Name: libreswan
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
Version: 4.15
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
License: GPLv2
Url: https://libreswan.org/
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
%if 0%{with_cavstests}
Source10: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
Source11: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
Source12: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif

BuildRequires: gcc make
BuildRequires: audit-libs-devel
BuildRequires: bison
BuildRequires: curl-devel
BuildRequires: fipscheck-devel
BuildRequires: flex
BuildRequires: hostname
BuildRequires: libcap-ng-devel
BuildRequires: libevent-devel
BuildRequires: libseccomp-devel
BuildRequires: libselinux-devel
BuildRequires: nspr-devel
BuildRequires: nss-devel >= %{nss_version}
BuildRequires: nss-tools
BuildRequires: openldap-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: redhat-rpm-config
BuildRequires: systemd-devel
BuildRequires: xmlto
%if 0%{with_efence}
BuildRequires: ElectricFence
%endif
%if 0%{with_dnssec}
BuildRequires: ldns-devel
BuildRequires: unbound-devel >= 1.6.0
Requires: unbound-libs >= 1.6.0
%global USE_DNSSEC true
%else
%global USE_DNSSEC false
%endif
Requires: coreutils
Requires: fipscheck%{_isa}
Requires: iproute
Requires: logrotate
Requires: nss >= %{nss_version}
Requires: nss-softokn
Requires: nss-tools
%{?systemd_requires}

Conflicts: openswan < %{version}-%{release}
Obsoletes: openswan < %{version}-%{release}
Provides: openswan = %{version}-%{release}
Provides: openswan-doc = %{version}-%{release}


%description
Libreswan is a free implementation of IPsec & IKE for Linux.  IPsec is
the Internet Protocol Security and uses strong cryptography to provide
both authentication and encryption services.  These services allow you
to build secure tunnels through untrusted networks.  Everything passing
through the untrusted net is encrypted by the ipsec gateway machine and
decrypted by the gateway at the other end of the tunnel.  The resulting
tunnel is a virtual private network or VPN.

This package contains the daemons and userland tools for setting up
Libreswan.

Libreswan also supports IKEv2 (RFC7296) and Secure Labeling

Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04

%prep
%setup -q -n libreswan-%{version}%{?prever}

%build
make %{?_smp_mflags} \
%if 0%{with_development}
    OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \
%else
    OPTIMIZE_CFLAGS="%{optflags}" \
%endif
%if 0%{with_efence}
    USE_EFENCE=true \
%endif
    USERLINK="%{?__global_ldflags}" \
    WERROR_CFLAGS="-Werror -Wno-error=address -Wno-missing-braces -Wno-missing-field-initializers" \
    %{libreswan_config} \
    programs
FS=$(pwd)

# Add generation of HMAC checksums of the final stripped binaries
%define __spec_install_post \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
    fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/pluto
%{nil}

%install
make \
    DESTDIR=%{buildroot} \
    %{libreswan_config} \
    install
FS=$(pwd)
rm -rf %{buildroot}/usr/share/doc/libreswan
rm -rf %{buildroot}%{_libexecdir}/ipsec/*check

install -d -m 0755 %{buildroot}%{_rundir}/pluto
install -d %{buildroot}%{_sbindir}

install -d %{buildroot}%{_sysctldir}
install -m 0644 packaging/rhel/libreswan-sysctl.conf \
    %{buildroot}%{_sysctldir}/50-libreswan.conf

mkdir -p %{buildroot}%{_libdir}/fipscheck
install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/
install -m644 packaging/rhel/libreswan-prelink.conf \
    %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf

echo "include /etc/ipsec.d/*.secrets" \
    > %{buildroot}%{_sysconfdir}/ipsec.secrets


%if 0%{with_cavstests}
%check
# There is an elaborate upstream testing infrastructure which we do not
# run here.
# We only run the CAVS tests here.
cp %{SOURCE10} %{SOURCE11} %{SOURCE12} .
bunzip2 *.fax.bz2

# work around for older xen based machines
export NSS_DISABLE_HW_GCM=1

: starting CAVS test for IKEv2
%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \
    diff -u ikev2.fax - > /dev/null
: starting CAVS test for IKEv1 RSASIG
%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \
    diff -u ikev1_dsa.fax - > /dev/null
: starting CAVS test for IKEv1 PSK
%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
    diff -u ikev1_psk.fax - > /dev/null
: CAVS tests passed

# Some of these tests will show ERROR for negative testing - it will exit on real errors
%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; }
%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; }
: Algorithm parser tests passed

# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode
tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
certutil -N -d sql:$tmpdir --empty-password
%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir
: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST

%endif

%post
%systemd_post ipsec.service
%sysctl_apply 50-libreswan.conf
prelink -u %{_libexecdir}/ipsec/* 2>/dev/null || :

%preun
%systemd_preun ipsec.service

%postun
%systemd_postun_with_restart ipsec.service

%files
%license LICENSE COPYING
%doc CHANGES CREDITS README*
%doc docs/*.* docs/examples
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
%attr(0644,root,root) %config(noreplace) %{_sysctldir}/50-libreswan.conf
%attr(0755,root,root) %dir %{_rundir}/pluto
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
%attr(0644,root,root) %{_unitdir}/ipsec.service
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
%{_sbindir}/ipsec
%{_libexecdir}/ipsec
%doc %{_mandir}/*/*
%{_libdir}/fipscheck/pluto.hmac
# We own the directory so we don't have to require prelink
%dir %{_sysconfdir}/prelink.conf.d/
%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf

%changelog
* Tue Apr 16 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.15-2
- build for Koozali Server
- needs libreswan-prelink.conf adding to the tar

* Mon Apr 15 2024 Team Libreswan <team@libreswan.org> - 4.15-1
- Automated build from release tar ball

* Wed Mar 13 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.14-2
- build for Koozali SME Server
- needs libreswan-prelink.conf adding to the tar

* Mon Mar 11 2024 Team Libreswan <team@libreswan.org> - 4.14-1
- Automated build from release tar ball

* Sat Feb 10 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.12-2
- build for Koozali SME Server
- needs libreswan-sysctl.conf adding to the tar

* Tue Aug  8 2023 Team Libreswan <team@libreswan.org> - 4.12-1
- Automated build from release tar ball
1	jcrisp	1.2	# These are rpm macros and are 0 or 1
2			%global _hardened_build 1
3			%global with_efence 0
4			%global with_development 0
5			%global with_cavstests 1
6			# There is no new enough unbound on rhel7
7			%global with_dnssec 0
8			%global nss_version 3.79-4
9			# Libreswan config options
10			# For RHEL7 we need USE_NSS_KDF=false and USE_FIPSCHECK=true
11			# Note that this means libreswan needs its own FIPS certification
12			%global libreswan_config \\\
13			FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
14			FINALMANDIR=%{_mandir} \\\
15			FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\
16			INITSYSTEM=systemd \\\
17			PREFIX=%{_prefix} \\\
18			PYTHON_BINARY=%{__python2} \\\
19			SHELL_BINARY=/bin/sh \\\
20			USE_AUTHPAM=true \\\
21			USE_DNSSEC=%{USE_DNSSEC} \\\
22			USE_FIPSCHECK=true \\\
23			USE_LABELED_IPSEC=true \\\
24			USE_LDAP=true \\\
25			USE_LIBCAP_NG=true \\\
26			USE_LIBCURL=true \\\
27			USE_NM=true \\\
28			USE_NSS_IPSEC_PROFILE=true \\\
29			USE_NSS_KDF=false \\\
30			USE_SECCOMP=true \\\
31			USE_XFRM_INTERFACE_IFLA_HEADER=true \\\
32			%{nil}
33	brianr	1.1
34	jcrisp	1.2	#global prever dr1
35	brianr	1.1
36			Name: libreswan
37	jcrisp	1.2	Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
38	jcrisp	1.4	Version: 4.15
39	jcrisp	1.2	Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
40	brianr	1.1	License: GPLv2
41			Url: https://libreswan.org/
42	jcrisp	1.2	Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
43			%if 0%{with_cavstests}
44			Source10: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
45			Source11: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
46			Source12: https://download.libreswan.org/cavs/ikev2.fax.bz2
47			%endif
48	brianr	1.1
49	jcrisp	1.2	BuildRequires: gcc make
50			BuildRequires: audit-libs-devel
51			BuildRequires: bison
52			BuildRequires: curl-devel
53			BuildRequires: fipscheck-devel
54			BuildRequires: flex
55			BuildRequires: hostname
56			BuildRequires: libcap-ng-devel
57			BuildRequires: libevent-devel
58			BuildRequires: libseccomp-devel
59			BuildRequires: libselinux-devel
60			BuildRequires: nspr-devel
61			BuildRequires: nss-devel >= %{nss_version}
62			BuildRequires: nss-tools
63			BuildRequires: openldap-devel
64	brianr	1.1	BuildRequires: pam-devel
65	jcrisp	1.2	BuildRequires: pkgconfig
66			BuildRequires: redhat-rpm-config
67			BuildRequires: systemd-devel
68	brianr	1.1	BuildRequires: xmlto
69	jcrisp	1.2	%if 0%{with_efence}
70			BuildRequires: ElectricFence
71			%endif
72			%if 0%{with_dnssec}
73			BuildRequires: ldns-devel
74			BuildRequires: unbound-devel >= 1.6.0
75			Requires: unbound-libs >= 1.6.0
76			%global USE_DNSSEC true
77	brianr	1.1	%else
78	jcrisp	1.2	%global USE_DNSSEC false
79	brianr	1.1	%endif
80	jcrisp	1.2	Requires: coreutils
81	brianr	1.1	Requires: fipscheck%{_isa}
82	jcrisp	1.2	Requires: iproute
83			Requires: logrotate
84			Requires: nss >= %{nss_version}
85			Requires: nss-softokn
86			Requires: nss-tools
87			%{?systemd_requires}
88	brianr	1.1
89			Conflicts: openswan < %{version}-%{release}
90	jcrisp	1.2	Obsoletes: openswan < %{version}-%{release}
91	brianr	1.1	Provides: openswan = %{version}-%{release}
92			Provides: openswan-doc = %{version}-%{release}
93	jcrisp	1.2
94
95	brianr	1.1
96			%description
97			Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is
98			the Internet Protocol Security and uses strong cryptography to provide
99			both authentication and encryption services. These services allow you
100			to build secure tunnels through untrusted networks. Everything passing
101			through the untrusted net is encrypted by the ipsec gateway machine and
102			decrypted by the gateway at the other end of the tunnel. The resulting
103			tunnel is a virtual private network or VPN.
104
105			This package contains the daemons and userland tools for setting up
106	jcrisp	1.2	Libreswan.
107	brianr	1.1
108	jcrisp	1.2	Libreswan also supports IKEv2 (RFC7296) and Secure Labeling
109	brianr	1.1
110			Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
111
112			%prep
113			%setup -q -n libreswan-%{version}%{?prever}
114
115			%build
116			make %{?_smp_mflags} \
117	jcrisp	1.2	%if 0%{with_development}
118			OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \
119	brianr	1.1	%else
120	jcrisp	1.2	OPTIMIZE_CFLAGS="%{optflags}" \
121	brianr	1.1	%endif
122	jcrisp	1.2	%if 0%{with_efence}
123			USE_EFENCE=true \
124	brianr	1.1	%endif
125	jcrisp	1.2	USERLINK="%{?__global_ldflags}" \
126			WERROR_CFLAGS="-Werror -Wno-error=address -Wno-missing-braces -Wno-missing-field-initializers" \
127			%{libreswan_config} \
128			programs
129	brianr	1.1	FS=$(pwd)
130
131			# Add generation of HMAC checksums of the final stripped binaries
132			%define __spec_install_post \
133			%{?__debug_package:%{__debug_install_post}} \
134			%{__arch_install_post} \
135			%{__os_install_post} \
136	jcrisp	1.2	fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/pluto
137	brianr	1.1	%{nil}
138
139			%install
140			make \
141	jcrisp	1.2	DESTDIR=%{buildroot} \
142			%{libreswan_config} \
143			install
144	brianr	1.1	FS=$(pwd)
145			rm -rf %{buildroot}/usr/share/doc/libreswan
146	jcrisp	1.2	rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
147	brianr	1.1
148	jcrisp	1.2	install -d -m 0755 %{buildroot}%{_rundir}/pluto
149	brianr	1.1	install -d %{buildroot}%{_sbindir}
150
151	jcrisp	1.2	install -d %{buildroot}%{_sysctldir}
152			install -m 0644 packaging/rhel/libreswan-sysctl.conf \
153			%{buildroot}%{_sysctldir}/50-libreswan.conf
154
155	brianr	1.1	mkdir -p %{buildroot}%{_libdir}/fipscheck
156			install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/
157	jcrisp	1.2	install -m644 packaging/rhel/libreswan-prelink.conf \
158			%{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
159	brianr	1.1
160	jcrisp	1.2	echo "include /etc/ipsec.d/*.secrets" \
161			> %{buildroot}%{_sysconfdir}/ipsec.secrets
162	brianr	1.1
163
164	jcrisp	1.2	%if 0%{with_cavstests}
165	brianr	1.1	%check
166	jcrisp	1.2	# There is an elaborate upstream testing infrastructure which we do not
167			# run here.
168			# We only run the CAVS tests here.
169			cp %{SOURCE10} %{SOURCE11} %{SOURCE12} .
170	brianr	1.1	bunzip2 *.fax.bz2
171
172	jcrisp	1.2	# work around for older xen based machines
173	brianr	1.1	export NSS_DISABLE_HW_GCM=1
174
175	jcrisp	1.2	: starting CAVS test for IKEv2
176			%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax \| \
177			diff -u ikev2.fax - > /dev/null
178			: starting CAVS test for IKEv1 RSASIG
179			%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax \| \
180			diff -u ikev1_dsa.fax - > /dev/null
181			: starting CAVS test for IKEv1 PSK
182			%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax \| \
183			diff -u ikev1_psk.fax - > /dev/null
184			: CAVS tests passed
185
186			# Some of these tests will show ERROR for negative testing - it will exit on real errors
187			%{buildroot}%{_libexecdir}/ipsec/algparse -tp \|\| { echo prooposal test failed; exit 1; }
188			%{buildroot}%{_libexecdir}/ipsec/algparse -ta \|\| { echo algorithm test failed; exit 1; }
189			: Algorithm parser tests passed
190
191			# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode
192			tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
193			certutil -N -d sql:$tmpdir --empty-password
194			%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir
195			: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST
196
197	brianr	1.1	%endif
198
199			%post
200	jcrisp	1.2	%systemd_post ipsec.service
201			%sysctl_apply 50-libreswan.conf
202	brianr	1.1	prelink -u %{_libexecdir}/ipsec/* 2>/dev/null \|\| :
203
204			%preun
205			%systemd_preun ipsec.service
206
207			%postun
208			%systemd_postun_with_restart ipsec.service
209
210			%files
211	jcrisp	1.2	%license LICENSE COPYING
212			%doc CHANGES CREDITS README*
213			%doc docs/. docs/examples
214	brianr	1.1	%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
215			%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
216			%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
217			%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
218			%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
219	jcrisp	1.2	%attr(0644,root,root) %config(noreplace) %{_sysctldir}/50-libreswan.conf
220			%attr(0755,root,root) %dir %{_rundir}/pluto
221			%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
222			%attr(0644,root,root) %{_unitdir}/ipsec.service
223	brianr	1.1	%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
224	jcrisp	1.2	%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
225	brianr	1.1	%{_sbindir}/ipsec
226	jcrisp	1.2	%{_libexecdir}/ipsec
227			%doc %{_mandir}//
228			%{_libdir}/fipscheck/pluto.hmac
229	brianr	1.1	# We own the directory so we don't have to require prelink
230	jcrisp	1.2	%dir %{_sysconfdir}/prelink.conf.d/
231	brianr	1.1	%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
232
233			%changelog
234	jcrisp	1.4	* Tue Apr 16 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.15-2
235			- build for Koozali Server
236			- needs libreswan-prelink.conf adding to the tar
237
238			* Mon Apr 15 2024 Team Libreswan <team@libreswan.org> - 4.15-1
239			- Automated build from release tar ball
240
241	jcrisp	1.3	* Wed Mar 13 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.14-2
242			- build for Koozali SME Server
243			- needs libreswan-prelink.conf adding to the tar
244
245			* Mon Mar 11 2024 Team Libreswan <team@libreswan.org> - 4.14-1
246			- Automated build from release tar ball
247
248	jcrisp	1.2	* Sat Feb 10 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.12-2
249			- build for Koozali SME Server
250	jcrisp	1.3	- needs libreswan-sysctl.conf adding to the tar
251	brianr	1.1
252	jcrisp	1.2	* Tue Aug 8 2023 Team Libreswan <team@libreswan.org> - 4.12-1
253			- Automated build from release tar ball