/[smecontribs]/rpms/libreswan/contribs10/libreswan.spec
ViewVC logotype

Contents of /rpms/libreswan/contribs10/libreswan.spec

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.4 - (show annotations) (download)
Tue Apr 16 11:38:41 2024 UTC (7 months, 2 weeks ago) by jcrisp
Branch: MAIN
CVS Tags: libreswan-4_15-2_el7_sme, HEAD
Changes since 1.3: +8 -1 lines
Libreswan 4.15 new sources

1 # These are rpm macros and are 0 or 1
2 %global _hardened_build 1
3 %global with_efence 0
4 %global with_development 0
5 %global with_cavstests 1
6 # There is no new enough unbound on rhel7
7 %global with_dnssec 0
8 %global nss_version 3.79-4
9 # Libreswan config options
10 # For RHEL7 we need USE_NSS_KDF=false and USE_FIPSCHECK=true
11 # Note that this means libreswan needs its own FIPS certification
12 %global libreswan_config \\\
13 FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
14 FINALMANDIR=%{_mandir} \\\
15 FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\
16 INITSYSTEM=systemd \\\
17 PREFIX=%{_prefix} \\\
18 PYTHON_BINARY=%{__python2} \\\
19 SHELL_BINARY=/bin/sh \\\
20 USE_AUTHPAM=true \\\
21 USE_DNSSEC=%{USE_DNSSEC} \\\
22 USE_FIPSCHECK=true \\\
23 USE_LABELED_IPSEC=true \\\
24 USE_LDAP=true \\\
25 USE_LIBCAP_NG=true \\\
26 USE_LIBCURL=true \\\
27 USE_NM=true \\\
28 USE_NSS_IPSEC_PROFILE=true \\\
29 USE_NSS_KDF=false \\\
30 USE_SECCOMP=true \\\
31 USE_XFRM_INTERFACE_IFLA_HEADER=true \\\
32 %{nil}
33
34 #global prever dr1
35
36 Name: libreswan
37 Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
38 Version: 4.15
39 Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
40 License: GPLv2
41 Url: https://libreswan.org/
42 Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
43 %if 0%{with_cavstests}
44 Source10: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
45 Source11: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
46 Source12: https://download.libreswan.org/cavs/ikev2.fax.bz2
47 %endif
48
49 BuildRequires: gcc make
50 BuildRequires: audit-libs-devel
51 BuildRequires: bison
52 BuildRequires: curl-devel
53 BuildRequires: fipscheck-devel
54 BuildRequires: flex
55 BuildRequires: hostname
56 BuildRequires: libcap-ng-devel
57 BuildRequires: libevent-devel
58 BuildRequires: libseccomp-devel
59 BuildRequires: libselinux-devel
60 BuildRequires: nspr-devel
61 BuildRequires: nss-devel >= %{nss_version}
62 BuildRequires: nss-tools
63 BuildRequires: openldap-devel
64 BuildRequires: pam-devel
65 BuildRequires: pkgconfig
66 BuildRequires: redhat-rpm-config
67 BuildRequires: systemd-devel
68 BuildRequires: xmlto
69 %if 0%{with_efence}
70 BuildRequires: ElectricFence
71 %endif
72 %if 0%{with_dnssec}
73 BuildRequires: ldns-devel
74 BuildRequires: unbound-devel >= 1.6.0
75 Requires: unbound-libs >= 1.6.0
76 %global USE_DNSSEC true
77 %else
78 %global USE_DNSSEC false
79 %endif
80 Requires: coreutils
81 Requires: fipscheck%{_isa}
82 Requires: iproute
83 Requires: logrotate
84 Requires: nss >= %{nss_version}
85 Requires: nss-softokn
86 Requires: nss-tools
87 %{?systemd_requires}
88
89 Conflicts: openswan < %{version}-%{release}
90 Obsoletes: openswan < %{version}-%{release}
91 Provides: openswan = %{version}-%{release}
92 Provides: openswan-doc = %{version}-%{release}
93
94
95
96 %description
97 Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is
98 the Internet Protocol Security and uses strong cryptography to provide
99 both authentication and encryption services. These services allow you
100 to build secure tunnels through untrusted networks. Everything passing
101 through the untrusted net is encrypted by the ipsec gateway machine and
102 decrypted by the gateway at the other end of the tunnel. The resulting
103 tunnel is a virtual private network or VPN.
104
105 This package contains the daemons and userland tools for setting up
106 Libreswan.
107
108 Libreswan also supports IKEv2 (RFC7296) and Secure Labeling
109
110 Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
111
112 %prep
113 %setup -q -n libreswan-%{version}%{?prever}
114
115 %build
116 make %{?_smp_mflags} \
117 %if 0%{with_development}
118 OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \
119 %else
120 OPTIMIZE_CFLAGS="%{optflags}" \
121 %endif
122 %if 0%{with_efence}
123 USE_EFENCE=true \
124 %endif
125 USERLINK="%{?__global_ldflags}" \
126 WERROR_CFLAGS="-Werror -Wno-error=address -Wno-missing-braces -Wno-missing-field-initializers" \
127 %{libreswan_config} \
128 programs
129 FS=$(pwd)
130
131 # Add generation of HMAC checksums of the final stripped binaries
132 %define __spec_install_post \
133 %{?__debug_package:%{__debug_install_post}} \
134 %{__arch_install_post} \
135 %{__os_install_post} \
136 fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/pluto
137 %{nil}
138
139 %install
140 make \
141 DESTDIR=%{buildroot} \
142 %{libreswan_config} \
143 install
144 FS=$(pwd)
145 rm -rf %{buildroot}/usr/share/doc/libreswan
146 rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
147
148 install -d -m 0755 %{buildroot}%{_rundir}/pluto
149 install -d %{buildroot}%{_sbindir}
150
151 install -d %{buildroot}%{_sysctldir}
152 install -m 0644 packaging/rhel/libreswan-sysctl.conf \
153 %{buildroot}%{_sysctldir}/50-libreswan.conf
154
155 mkdir -p %{buildroot}%{_libdir}/fipscheck
156 install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/
157 install -m644 packaging/rhel/libreswan-prelink.conf \
158 %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
159
160 echo "include /etc/ipsec.d/*.secrets" \
161 > %{buildroot}%{_sysconfdir}/ipsec.secrets
162
163
164 %if 0%{with_cavstests}
165 %check
166 # There is an elaborate upstream testing infrastructure which we do not
167 # run here.
168 # We only run the CAVS tests here.
169 cp %{SOURCE10} %{SOURCE11} %{SOURCE12} .
170 bunzip2 *.fax.bz2
171
172 # work around for older xen based machines
173 export NSS_DISABLE_HW_GCM=1
174
175 : starting CAVS test for IKEv2
176 %{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \
177 diff -u ikev2.fax - > /dev/null
178 : starting CAVS test for IKEv1 RSASIG
179 %{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \
180 diff -u ikev1_dsa.fax - > /dev/null
181 : starting CAVS test for IKEv1 PSK
182 %{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
183 diff -u ikev1_psk.fax - > /dev/null
184 : CAVS tests passed
185
186 # Some of these tests will show ERROR for negative testing - it will exit on real errors
187 %{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; }
188 %{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; }
189 : Algorithm parser tests passed
190
191 # self test for pluto daemon - this also shows which algorithms it allows in FIPS mode
192 tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
193 certutil -N -d sql:$tmpdir --empty-password
194 %{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir
195 : pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST
196
197 %endif
198
199 %post
200 %systemd_post ipsec.service
201 %sysctl_apply 50-libreswan.conf
202 prelink -u %{_libexecdir}/ipsec/* 2>/dev/null || :
203
204 %preun
205 %systemd_preun ipsec.service
206
207 %postun
208 %systemd_postun_with_restart ipsec.service
209
210 %files
211 %license LICENSE COPYING
212 %doc CHANGES CREDITS README*
213 %doc docs/*.* docs/examples
214 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
215 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
216 %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
217 %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
218 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
219 %attr(0644,root,root) %config(noreplace) %{_sysctldir}/50-libreswan.conf
220 %attr(0755,root,root) %dir %{_rundir}/pluto
221 %attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
222 %attr(0644,root,root) %{_unitdir}/ipsec.service
223 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
224 %config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
225 %{_sbindir}/ipsec
226 %{_libexecdir}/ipsec
227 %doc %{_mandir}/*/*
228 %{_libdir}/fipscheck/pluto.hmac
229 # We own the directory so we don't have to require prelink
230 %dir %{_sysconfdir}/prelink.conf.d/
231 %{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
232
233 %changelog
234 * Tue Apr 16 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.15-2
235 - build for Koozali Server
236 - needs libreswan-prelink.conf adding to the tar
237
238 * Mon Apr 15 2024 Team Libreswan <team@libreswan.org> - 4.15-1
239 - Automated build from release tar ball
240
241 * Wed Mar 13 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.14-2
242 - build for Koozali SME Server
243 - needs libreswan-prelink.conf adding to the tar
244
245 * Mon Mar 11 2024 Team Libreswan <team@libreswan.org> - 4.14-1
246 - Automated build from release tar ball
247
248 * Sat Feb 10 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.12-2
249 - build for Koozali SME Server
250 - needs libreswan-sysctl.conf adding to the tar
251
252 * Tue Aug 8 2023 Team Libreswan <team@libreswan.org> - 4.12-1
253 - Automated build from release tar ball

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed