1 |
%global USE_FIPSCHECK true |
# These are rpm macros and are 0 or 1 |
|
%global USE_LIBCAP_NG true |
|
|
%global USE_LABELED_IPSEC true |
|
|
%global USE_CRL_FETCHING true |
|
|
%global USE_DNSSEC true |
|
|
%global USE_NM true |
|
|
%global USE_LINUX_AUDIT true |
|
|
|
|
2 |
%global _hardened_build 1 |
%global _hardened_build 1 |
3 |
%global buildefence 0 |
%global with_efence 0 |
4 |
%global development 0 |
%global with_development 0 |
5 |
%global cavstests 1 |
%global with_cavstests 1 |
6 |
|
# There is no new enough unbound on rhel7 |
7 |
#%if 0%{?fedora} |
%global with_dnssec 0 |
8 |
#%global rhel 7 |
%global nss_version 3.79-4 |
9 |
#%endif |
# Libreswan config options |
10 |
%global rhel 6 |
# For RHEL7 we need USE_NSS_KDF=false and USE_FIPSCHECK=true |
11 |
#global prever rc1 |
# Note that this means libreswan needs its own FIPS certification |
12 |
|
%global libreswan_config \\\ |
13 |
|
FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\ |
14 |
|
FINALMANDIR=%{_mandir} \\\ |
15 |
|
FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\ |
16 |
|
INITSYSTEM=systemd \\\ |
17 |
|
PREFIX=%{_prefix} \\\ |
18 |
|
PYTHON_BINARY=%{__python2} \\\ |
19 |
|
SHELL_BINARY=/bin/sh \\\ |
20 |
|
USE_AUTHPAM=true \\\ |
21 |
|
USE_DNSSEC=%{USE_DNSSEC} \\\ |
22 |
|
USE_FIPSCHECK=true \\\ |
23 |
|
USE_LABELED_IPSEC=true \\\ |
24 |
|
USE_LDAP=true \\\ |
25 |
|
USE_LIBCAP_NG=true \\\ |
26 |
|
USE_LIBCURL=true \\\ |
27 |
|
USE_NM=true \\\ |
28 |
|
USE_NSS_IPSEC_PROFILE=true \\\ |
29 |
|
USE_NSS_KDF=false \\\ |
30 |
|
USE_SECCOMP=true \\\ |
31 |
|
USE_XFRM_INTERFACE_IFLA_HEADER=true \\\ |
32 |
|
%{nil} |
33 |
|
|
34 |
|
#global prever dr1 |
35 |
|
|
36 |
Name: libreswan |
Name: libreswan |
37 |
Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols |
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec |
38 |
Version: 3.16 |
Version: 4.14 |
39 |
Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist} |
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist} |
40 |
License: GPLv2 |
License: GPLv2 |
|
Group: System Environment/Daemons |
|
41 |
Url: https://libreswan.org/ |
Url: https://libreswan.org/ |
42 |
Source: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz |
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz |
43 |
Source1: ikev1_dsa.fax.bz2 |
%if 0%{with_cavstests} |
44 |
Source2: ikev1_psk.fax.bz2 |
Source10: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2 |
45 |
Source3: ikev2.fax.bz2 |
Source11: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2 |
46 |
|
Source12: https://download.libreswan.org/cavs/ikev2.fax.bz2 |
|
Requires: iproute >= 2.6.8 nss-tools nss-softokn |
|
|
|
|
|
BuildRequires: gmp-devel bison flex redhat-rpm-config pkgconfig |
|
|
BuildRequires: nss-devel >= 3.16.1 nspr-devel |
|
|
BuildRequires: pam-devel |
|
|
BuildRequires: xmlto |
|
|
|
|
|
%if %{?rhel} <= 6 |
|
|
BuildRequires: libevent2-devel net-tools |
|
|
|
|
|
Requires(post): coreutils bash |
|
|
Requires(preun): initscripts chkconfig |
|
|
Requires(post): /sbin/chkconfig |
|
|
Requires(preun): /sbin/chkconfig |
|
|
Requires(preun): /sbin/service |
|
|
%else |
|
|
BuildRequires: libevent-devel hostname |
|
|
|
|
|
BuildRequires: systemd |
|
|
Requires(post): coreutils bash systemd |
|
|
Requires(preun): systemd |
|
|
Requires(postun): systemd |
|
47 |
%endif |
%endif |
48 |
|
|
49 |
%if %{USE_DNSSEC} |
BuildRequires: gcc make |
50 |
BuildRequires: unbound-devel |
BuildRequires: audit-libs-devel |
51 |
%endif |
BuildRequires: bison |
52 |
|
BuildRequires: curl-devel |
|
%if %{USE_FIPSCHECK} |
|
53 |
BuildRequires: fipscheck-devel |
BuildRequires: fipscheck-devel |
54 |
# we need fipshmac |
BuildRequires: flex |
55 |
Requires: fipscheck%{_isa} |
BuildRequires: hostname |
|
%endif |
|
|
|
|
|
%if %{USE_LINUX_AUDIT} |
|
|
Buildrequires: audit-libs-devel |
|
|
%endif |
|
|
|
|
|
%if %{USE_LIBCAP_NG} |
|
56 |
BuildRequires: libcap-ng-devel |
BuildRequires: libcap-ng-devel |
57 |
%endif |
BuildRequires: libevent-devel |
58 |
|
BuildRequires: libseccomp-devel |
59 |
%if %{USE_CRL_FETCHING} |
BuildRequires: libselinux-devel |
60 |
BuildRequires: openldap-devel curl-devel |
BuildRequires: nspr-devel |
61 |
%endif |
BuildRequires: nss-devel >= %{nss_version} |
62 |
|
BuildRequires: nss-tools |
63 |
%if %{buildefence} |
BuildRequires: openldap-devel |
64 |
|
BuildRequires: pam-devel |
65 |
|
BuildRequires: pkgconfig |
66 |
|
BuildRequires: redhat-rpm-config |
67 |
|
BuildRequires: systemd-devel |
68 |
|
BuildRequires: xmlto |
69 |
|
%if 0%{with_efence} |
70 |
BuildRequires: ElectricFence |
BuildRequires: ElectricFence |
71 |
%endif |
%endif |
72 |
|
%if 0%{with_dnssec} |
73 |
|
BuildRequires: ldns-devel |
74 |
|
BuildRequires: unbound-devel >= 1.6.0 |
75 |
|
Requires: unbound-libs >= 1.6.0 |
76 |
|
%global USE_DNSSEC true |
77 |
|
%else |
78 |
|
%global USE_DNSSEC false |
79 |
|
%endif |
80 |
|
Requires: coreutils |
81 |
|
Requires: fipscheck%{_isa} |
82 |
|
Requires: iproute |
83 |
|
Requires: logrotate |
84 |
|
Requires: nss >= %{nss_version} |
85 |
|
Requires: nss-softokn |
86 |
|
Requires: nss-tools |
87 |
|
%{?systemd_requires} |
88 |
|
|
89 |
Conflicts: openswan < %{version}-%{release} |
Conflicts: openswan < %{version}-%{release} |
90 |
|
Obsoletes: openswan < %{version}-%{release} |
91 |
Provides: openswan = %{version}-%{release} |
Provides: openswan = %{version}-%{release} |
92 |
Provides: openswan-doc = %{version}-%{release} |
Provides: openswan-doc = %{version}-%{release} |
93 |
Obsoletes: openswan < %{version}-%{release} |
|
94 |
|
|
95 |
|
|
96 |
%description |
%description |
97 |
Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is |
Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is |
103 |
tunnel is a virtual private network or VPN. |
tunnel is a virtual private network or VPN. |
104 |
|
|
105 |
This package contains the daemons and userland tools for setting up |
This package contains the daemons and userland tools for setting up |
106 |
Libreswan. It supports the NETKEY/XFRM IPsec kernel stack that exists |
Libreswan. |
|
in the default Linux kernel. |
|
107 |
|
|
108 |
Libreswan also supports IKEv2 (RFC-7296) and Secure Labeling |
Libreswan also supports IKEv2 (RFC7296) and Secure Labeling |
109 |
|
|
110 |
Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 |
Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 |
111 |
|
|
113 |
%setup -q -n libreswan-%{version}%{?prever} |
%setup -q -n libreswan-%{version}%{?prever} |
114 |
|
|
115 |
%build |
%build |
|
%if %{buildefence} |
|
|
%define efence "-lefence" |
|
|
%endif |
|
|
|
|
116 |
make %{?_smp_mflags} \ |
make %{?_smp_mflags} \ |
117 |
%if %{development} |
%if 0%{with_development} |
118 |
USERCOMPILE="-g -DGCC_LINT %(echo %{optflags} | sed -e s/-O[0-9]*/ /) %{?efence} -fPIE -pie " \ |
OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \ |
|
%else |
|
|
USERCOMPILE="-g -DGCC_LINT %{optflags} %{?efence} -fPIE -pie " \ |
|
|
%endif |
|
|
USERLINK="-g -pie -Wl,-z,relro,-z,now %{?efence}" \ |
|
|
%if %{?rhel} <= 6 |
|
|
INITSYSTEM=sysvinit \ |
|
119 |
%else |
%else |
120 |
INITSYSTEM=systemd \ |
OPTIMIZE_CFLAGS="%{optflags}" \ |
121 |
%endif |
%endif |
122 |
USE_NM=%{USE_NM} \ |
%if 0%{with_efence} |
123 |
USE_XAUTHPAM=true \ |
USE_EFENCE=true \ |
|
%if %{USE_FIPSCHECK} |
|
|
USE_FIPSCHECK="%{USE_FIPSCHECK}" \ |
|
|
FIPSPRODUCTCHECK=/etc/system-fips \ |
|
124 |
%endif |
%endif |
125 |
USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \ |
USERLINK="%{?__global_ldflags}" \ |
126 |
USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \ |
WERROR_CFLAGS="-Werror -Wno-error=address -Wno-missing-braces -Wno-missing-field-initializers" \ |
127 |
USE_LINUX_AUDIT="%{USE_LINUX_AUDIT}" \ |
%{libreswan_config} \ |
128 |
%if %{USE_CRL_FETCHING} |
programs |
|
USE_LDAP=true \ |
|
|
USE_LIBCURL=true \ |
|
|
%endif |
|
|
USE_DNSSEC="%{USE_DNSSEC}" \ |
|
|
INC_USRLOCAL=%{_prefix} \ |
|
|
FINALLIBDIR=%{_libexecdir}/ipsec \ |
|
|
FINALLIBEXECDIR=%{_libexecdir}/ipsec \ |
|
|
MANTREE=%{_mandir} \ |
|
|
INC_RCDEFAULT=%{_initrddir} \ |
|
|
MODPROBE="modprobe -q -b" \ |
|
|
programs |
|
129 |
FS=$(pwd) |
FS=$(pwd) |
130 |
|
|
|
%if %{USE_FIPSCHECK} |
|
131 |
# Add generation of HMAC checksums of the final stripped binaries |
# Add generation of HMAC checksums of the final stripped binaries |
|
%if %{?rhel} <= 6 |
|
|
%define __spec_install_post \ |
|
|
%{?__debug_package:%{__debug_install_post}} \ |
|
|
%{__arch_install_post} \ |
|
|
%{__os_install_post} \ |
|
|
fipshmac %{buildroot}%{_libexecdir}/ipsec/* \ |
|
|
fipshmac %{buildroot}%{_sbindir}/ipsec \ |
|
|
%{nil} |
|
|
|
|
|
%else |
|
132 |
%define __spec_install_post \ |
%define __spec_install_post \ |
133 |
%{?__debug_package:%{__debug_install_post}} \ |
%{?__debug_package:%{__debug_install_post}} \ |
134 |
%{__arch_install_post} \ |
%{__arch_install_post} \ |
135 |
%{__os_install_post} \ |
%{__os_install_post} \ |
136 |
mkdir -p %{buildroot}%{_libdir}/fipscheck/ \ |
fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/pluto |
|
fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/* \ |
|
|
fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_sbindir}/ipsec \ |
|
137 |
%{nil} |
%{nil} |
|
%endif |
|
|
%endif |
|
138 |
|
|
139 |
%install |
%install |
|
rm -rf ${RPM_BUILD_ROOT} |
|
140 |
make \ |
make \ |
141 |
DESTDIR=%{buildroot} \ |
DESTDIR=%{buildroot} \ |
142 |
INC_USRLOCAL=%{_prefix} \ |
%{libreswan_config} \ |
143 |
FINALLIBDIR=%{_libexecdir}/ipsec \ |
install |
|
FINALLIBEXECDIR=%{_libexecdir}/ipsec \ |
|
|
MANTREE=%{buildroot}%{_mandir} \ |
|
|
INC_RCDEFAULT=%{_initrddir} \ |
|
|
INSTMANFLAGS="-m 644" \ |
|
|
%if %{?rhel} <= 6 |
|
|
INITSYSTEM=sysvinit \ |
|
|
%else |
|
|
INITSYSTEM=systemd \ |
|
|
%endif |
|
|
install |
|
144 |
FS=$(pwd) |
FS=$(pwd) |
145 |
rm -rf %{buildroot}/usr/share/doc/libreswan |
rm -rf %{buildroot}/usr/share/doc/libreswan |
146 |
# needed to activate v6neighbor-hole.conf |
rm -rf %{buildroot}%{_libexecdir}/ipsec/*check |
|
sed -i "s:^#include /etc/ipsec.d/\*.conf$:include /etc/ipsec.d/*.conf:" %{buildroot}%{_sysconfdir}/ipsec.conf |
|
147 |
|
|
148 |
install -d -m 0755 %{buildroot}%{_localstatedir}/run/pluto |
install -d -m 0755 %{buildroot}%{_rundir}/pluto |
|
# used when setting --perpeerlog without --perpeerlogbase |
|
|
install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer |
|
149 |
install -d %{buildroot}%{_sbindir} |
install -d %{buildroot}%{_sbindir} |
|
%if %{?rhel} <= 6 |
|
|
# replace with rhel6 specific version |
|
|
install -m 0755 initsystems/sysvinit/init.rhel %{buildroot}%{_initrddir}/ipsec |
|
|
rm -fr %{buildroot}/etc/rc.d/rc* |
|
|
%endif |
|
150 |
|
|
151 |
%if %{USE_FIPSCHECK} |
install -d %{buildroot}%{_sysctldir} |
152 |
%if %{?rhel} == 7 |
install -m 0644 packaging/rhel/libreswan-sysctl.conf \ |
153 |
|
%{buildroot}%{_sysctldir}/50-libreswan.conf |
154 |
|
|
155 |
mkdir -p %{buildroot}%{_libdir}/fipscheck |
mkdir -p %{buildroot}%{_libdir}/fipscheck |
|
%endif |
|
156 |
install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/ |
install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/ |
157 |
install -m644 packaging/fedora/libreswan-prelink.conf %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf |
install -m644 packaging/rhel/libreswan-prelink.conf \ |
158 |
%endif |
%{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf |
159 |
|
|
160 |
echo "include /etc/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets |
echo "include /etc/ipsec.d/*.secrets" \ |
161 |
|
> %{buildroot}%{_sysconfdir}/ipsec.secrets |
162 |
|
|
|
# cavs testing |
|
|
cp -a OBJ.linux.*/programs/pluto/cavp %{buildroot}%{_libexecdir}/ipsec |
|
163 |
|
|
164 |
%if %{cavstests} |
%if 0%{with_cavstests} |
165 |
%check |
%check |
166 |
# There is an elaborate upstream testing infrastructure which we do not run here |
# There is an elaborate upstream testing infrastructure which we do not |
167 |
# We only run the CAVS tests here |
# run here. |
168 |
cp %{SOURCE1} %{SOURCE2} %{SOURCE3} . |
# We only run the CAVS tests here. |
169 |
|
cp %{SOURCE10} %{SOURCE11} %{SOURCE12} . |
170 |
bunzip2 *.fax.bz2 |
bunzip2 *.fax.bz2 |
171 |
|
|
172 |
# work around for rhel6 builders on xen |
# work around for older xen based machines |
173 |
export NSS_DISABLE_HW_GCM=1 |
export NSS_DISABLE_HW_GCM=1 |
174 |
|
|
175 |
: "starting CAVS test for IKEv2" |
: starting CAVS test for IKEv2 |
176 |
OBJ.linux.*/programs/pluto/cavp -v2 ikev2.fax | diff -u ikev2.fax - > /dev/null |
%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \ |
177 |
: "starting CAVS test for IKEv1 RSASIG" |
diff -u ikev2.fax - > /dev/null |
178 |
OBJ.linux.*/programs/pluto/cavp -v1sig ikev1_dsa.fax | diff -u ikev1_dsa.fax - > /dev/null |
: starting CAVS test for IKEv1 RSASIG |
179 |
: "starting CAVS test for IKEv1 PSK" |
%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \ |
180 |
OBJ.linux.*/programs/pluto/cavp -v1psk ikev1_psk.fax | diff -u ikev1_psk.fax - > /dev/null |
diff -u ikev1_dsa.fax - > /dev/null |
181 |
: "CAVS tests passed" |
: starting CAVS test for IKEv1 PSK |
182 |
|
%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \ |
183 |
|
diff -u ikev1_psk.fax - > /dev/null |
184 |
|
: CAVS tests passed |
185 |
|
|
186 |
|
# Some of these tests will show ERROR for negative testing - it will exit on real errors |
187 |
|
%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; } |
188 |
|
%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; } |
189 |
|
: Algorithm parser tests passed |
190 |
|
|
191 |
|
# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode |
192 |
|
tmpdir=$(mktemp -d /tmp/libreswan-XXXXX) |
193 |
|
certutil -N -d sql:$tmpdir --empty-password |
194 |
|
%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir |
195 |
|
: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST |
196 |
|
|
197 |
%endif |
%endif |
198 |
|
|
|
%if %{?rhel} <= 6 |
|
199 |
%post |
%post |
200 |
/sbin/chkconfig --add ipsec || : |
%systemd_post ipsec.service |
201 |
%if %{USE_FIPSCHECK} |
%sysctl_apply 50-libreswan.conf |
202 |
prelink -u %{_libexecdir}/ipsec/* 2>/dev/null || : |
prelink -u %{_libexecdir}/ipsec/* 2>/dev/null || : |
|
%endif |
|
203 |
|
|
204 |
%preun |
%preun |
|
if [ $1 -eq 0 ]; then |
|
|
/sbin/service ipsec stop > /dev/null 2>&1 || : |
|
|
/sbin/chkconfig --del ipsec |
|
|
fi |
|
|
|
|
|
%postun |
|
|
if [ $1 -ge 1 ] ; then |
|
|
/sbin/service ipsec condrestart 2>&1 >/dev/null || : |
|
|
fi |
|
|
%else |
|
|
%preun |
|
205 |
%systemd_preun ipsec.service |
%systemd_preun ipsec.service |
206 |
|
|
207 |
%postun |
%postun |
208 |
%systemd_postun_with_restart ipsec.service |
%systemd_postun_with_restart ipsec.service |
209 |
|
|
|
%post |
|
|
%systemd_post ipsec.service |
|
|
%endif |
|
|
|
|
210 |
%files |
%files |
211 |
%doc CHANGES COPYING CREDITS README* LICENSE |
%license LICENSE COPYING |
212 |
%doc docs/*.* docs/examples packaging/rhel/libreswan-sysctl.conf |
%doc CHANGES CREDITS README* |
213 |
|
%doc docs/*.* docs/examples |
214 |
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf |
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf |
215 |
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets |
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets |
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/pluto |
|
216 |
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d |
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d |
|
%attr(0644,root,root) %{_sysconfdir}/ipsec.d/v6neighbor-hole.conf |
|
217 |
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies |
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies |
218 |
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/* |
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/* |
219 |
%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer |
%attr(0644,root,root) %config(noreplace) %{_sysctldir}/50-libreswan.conf |
220 |
%attr(0755,root,root) %dir %{_localstatedir}/run/pluto |
%attr(0755,root,root) %dir %{_rundir}/pluto |
221 |
|
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf |
222 |
|
%attr(0644,root,root) %{_unitdir}/ipsec.service |
223 |
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto |
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto |
224 |
|
%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan |
225 |
%{_sbindir}/ipsec |
%{_sbindir}/ipsec |
226 |
%attr(0755,root,root) %dir %{_libexecdir}/ipsec |
%{_libexecdir}/ipsec |
227 |
%{_libexecdir}/ipsec/* |
%doc %{_mandir}/*/* |
228 |
%attr(0644,root,root) %{_mandir}/*/*.gz |
%{_libdir}/fipscheck/pluto.hmac |
|
%if %{?rhel} <= 6 |
|
|
%{_initrddir}/ipsec |
|
|
%else |
|
|
%attr(0644,root,root) %{_unitdir}/ipsec.service |
|
|
%endif |
|
|
|
|
|
%if %{USE_FIPSCHECK} |
|
|
%if %{?rhel} <= 6 |
|
|
%{_sbindir}/.ipsec.hmac |
|
|
%{_libexecdir}/ipsec/.*.hmac |
|
|
%else |
|
|
%{_libdir}/fipscheck/*.hmac |
|
|
%endif |
|
|
|
|
229 |
# We own the directory so we don't have to require prelink |
# We own the directory so we don't have to require prelink |
230 |
%attr(0755,root,root) %dir %{_sysconfdir}/prelink.conf.d/ |
%dir %{_sysconfdir}/prelink.conf.d/ |
231 |
%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf |
%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf |
|
%endif |
|
232 |
|
|
233 |
%changelog |
%changelog |
234 |
* Sat Dec 19 2015 Paul Wouters <pwouters@redhat.com> - 3.16-1 |
* Wed Mar 13 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.14-2 |
235 |
- Updated to libreswan-3.16 |
- build for Koozali SME Server |
236 |
|
- needs libreswan-prelink.conf adding to the tar |
237 |
|
|
238 |
|
* Mon Mar 11 2024 Team Libreswan <team@libreswan.org> - 4.14-1 |
239 |
|
- Automated build from release tar ball |
240 |
|
|
241 |
|
* Sat Feb 10 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.12-2 |
242 |
|
- build for Koozali SME Server |
243 |
|
- needs libreswan-sysctl.conf adding to the tar |
244 |
|
|
245 |
* Thu Oct 15 2015 Paul Wouters <pwouters@redhat.com> - 3.15-5 |
* Tue Aug 8 2023 Team Libreswan <team@libreswan.org> - 4.12-1 |
246 |
- Resolves: rhbz#1272317 libreswan FIPS test mistakenly looks for non-existent file hashes |
- Automated build from release tar ball |
|
- Resolves: rhbz#1271778 ipsec whack man page discrepancies |
|
|
|
|
|
* Tue Sep 29 2015 Paul Wouters <pwouters@redhat.com> - 3.15-4 |
|
|
- Updates: rhbz#1233303 add libreswan to RHEL6 (fix source confusion) |
|
|
|
|
|
* Mon Sep 28 2015 Paul Wouters <pwouters@redhat.com> - 3.15-3 |
|
|
- Updates: rhbz#1233303 add libreswan to RHEL6 |
|
|
|
|
|
* Tue Sep 15 2015 Paul Wouters <pwouters@redhat.com> - 3.15-2 |
|
|
- Resolves: rhbz#1259208 CVE-2015-3240 |
|
|
- Merge rhel6 and rhel7 spec into one |
|
|
- Be lenient for racoon padding behaviour |
|
|
- Fix seedev option to /dev/random |
|
|
- Some IKEv1 PAM methods always gave 'Permission denied' |
|
|
- Parser workarounds for differences in gcc/flex/bison on rhel6/rhel7 |
|
|
- Parser fix to allow specifying time without unit (openswan compat) |
|
|
- Fix Labeled IPsec on rekeyed IPsec SA's |
|
|
- Workaround for wrong padding by racoon2 |
|
|
- Disable NSS HW GCM to workaround rhel6 xen builers bug |
|
|
|
|
|
* Wed Aug 19 2015 Paul Wouters <pwouters@redhat.com> - 3.14-1 |
|
|
- Resolves: rhbz#1233303 add libreswan to RHEL6 |
|
|
- Resolves: CVE-2015-3240 denial of service via IKE daemon restart when receiving a bad DH gx |
|
|
|
|
|
* Fri May 29 2015 Paul Wouters <pwouters@redhat.com> - 3.12-10.1 |
|
|
- Resolves: rhbz#1226407 CVE-2015-3204 libreswan: crafted IKE packet causes daemon restart |
|
|
|
|
|
* Tue May 05 2015 Paul Wouters <pwouters@redhat.com> - 3.12-10 |
|
|
- Resolves: rhbz#1213652 Support CAVS [updated another prf() free symkey, bogus fips mode fix] |
|
|
|
|
|
* Tue Apr 28 2015 Paul Wouters <pwouters@redhat.com> - 3.12-9 |
|
|
- Resolves: rhbz#1213652 Support CAVS [updated to kill another copy of prf()] |
|
|
- Resolves: rhbz#1208023 Libreswan with IPv6 [updated patch by Jaroslav Aster] |
|
|
- Resolves: rhbz#1208022 libreswan ignores module blacklist [updated modprobe handling] |
|
|
|
|
|
* Mon Apr 20 2015 Paul Wouters <pwouters@redhat.com> - 3.12-8 |
|
|
- Resolves: rhbz#1213652 Support CAVS testing of the PRF/PRF+ functions |
|
|
|
|
|
* Mon Apr 13 2015 Paul Wouters <pwouters@redhat.com> - 3.12-7 |
|
|
- Resolves: rhbz#1208022 libreswan ignores module blacklist rules |
|
|
- Resolves: rhbz#1208023 Libreswan with IPv6 in RHEL7 fails after reboot |
|
|
- Resolves: rhbz#1211146 pluto crashes in fips mode |
|
|
|
|
|
* Tue Mar 17 2015 Paul Wouters <pwouters@redhat.com> - 3.12-6 |
|
|
- Resolves: rhbz#1198650 SELinux context string size limit |
|
|
- Resolves: rhbz#1198649 Add new option for BSI random requirement |
|
|
|
|
|
* Tue Jan 20 2015 Paul Wouters <pwouters@redhat.com> - 3.12-5 |
|
|
- Resolves: rhbz#826264 aes-gcm implementation support (for IKEv2) |
|
|
- Resolves: rhbz#1074018 Audit key agreement (integ gcm fixup) |
|
|
|
|
|
* Tue Dec 30 2014 Paul Wouters <pwouters@redhat.com> - 3.12-4 |
|
|
- Resolves: rhbz#1134297 aes-ctr cipher is not supported |
|
|
- Resolves: rhbz#1131503 non-zero rSPI on INVALID_KE (and proper INVALID_KE handling) |
|
|
|
|
|
* Thu Dec 04 2014 Paul Wouters <pwouters@redhat.com> - 3.12-2 |
|
|
- Resolves: rhbz#1105171 (Update man page entry) |
|
|
- Resolves: rhbz#1144120 (Update for ESP CAMELLIA with IKEv2) |
|
|
- Resolves: rhbz#1074018 Audit key agreement |
|
|
|
|
|
* Fri Nov 07 2014 Paul Wouters <pwouters@redhat.com> - 3.12-1 |
|
|
- Resolves: rhbz#1136124 rebase to libreswan 3.12 |
|
|
- Resolves: rhbz#1052811 [TAHI] (also clear reserved flags for isakmp_sa header) |
|
|
- Resolves: rhbz#1157379 [TAHI][IKEv2] IKEv2.EN.R.1.3.3.1: Non RESERVED fields in INFORMATIONAL request |
|
|
|
|
|
* Mon Oct 27 2014 Paul Wouters <pwouters@redhat.com> - 3.11-2 |
|
|
- Resolves: rhbz#1136124 rebase to libreswan 3.11 (coverity fixup, dpdaction=clear fix) |
|
|
|
|
|
* Wed Oct 22 2014 Paul Wouters <pwouters@redhat.com> - 3.11-1 |
|
|
- Resolves: rhbz#1136124 rebase to libreswan 3.11 |
|
|
- Resolves: rhbz#1099905 ikev2 delete payloads are not delivered to peer |
|
|
- Resolves: rhbz#1147693 NetworkManger-libreswan can not connect to Red Hat IPSec Xauth VPN |
|
|
- Resolves: rhbz#1055865 [TAHI][IKEv2] libreswan do not ignore the content of version bit |
|
|
- Resolves: rhbz#1146106 Pluto crashes after start when some ah algorithms are used |
|
|
- Resolves: rhbz#1108256 addconn compatibility with openswan |
|
|
- Resolves: rhbz#1152625 [TAHI][IKEv2] IKEv2.EN.I.1.1.6.2 Part D: Integrity Algorithm AUTH_AES_XCBC_96 fail |
|
|
- Resolves: rhbz#1119704 [TAHI][IKEv2]IKEv2Interop.1.13a test fail |
|
|
- Resolves: rhbz#1100261 libreswan does not send response when when it receives Delete Payload for a CHILD_SA |
|
|
- Resolves: rhbz#1100239 ikev2 IKE SA responder does not send delete request to IKE SA initiator |
|
|
- Resolves: rhbz#1052811 [TAHI][IKEv2]IKEv2.EN.I.1.1.11.1: Non zero RESERVED fields in IKE_SA_INIT response |
|
|
- Resolves: rhbz#1126868 ikev2 sequence numbers are implemented incorrectly |
|
|
- Resolves: rhbz#1145245 Libreswan appears to start with systemd before all the NICs are up and running. |
|
|
- Resolves: rhbz#1145231 libreswan 3.10 upgrade breaks old ipsec.secrets configs |
|
|
- Resolves: rhbz#1144123 Add ESP support for AES_XCBC hash for USGv6 and IPsec-v3 compliance |
|
|
- Resolves: rhbz#1144120 Add ESP support for CAMELLIA for USGv6 and IPsec-v3 compliance |
|
|
- Resolves: rhbz#1099877 Missing man-pages ipsec_whack, ipsec_manual |
|
|
- Resolves: rhbz#1100255 libreswan Ikev2 implementation does not send an INFORMATIONAL response when it receives an INFORMATIONAL request with a Delete Payload for an IKE_SA |
|
|
|
|
|
* Tue Sep 09 2014 Paul Wouters <pwouters@redhat.com> - 3.10-3 |
|
|
- Resolves: rhbz#1136124 rebase to 3.10 (auto=route bug on startup) |
|
|
|
|
|
* Mon Sep 08 2014 Paul Wouters <pwouters@redhat.com> - 3.10-2 |
|
|
- Resolves: rhbz#1136124 rebase to libreswan 3.10 |
|
|
|
|
|
* Mon Jul 14 2014 Paul Wouters <pwouters@redhat.com> - 3.8-6 |
|
|
- Resolves: rhbz#1092047 pluto cannot write to directories not owned by root |
|
|
|
|
|
* Thu Apr 10 2014 Paul Wouters <pwouters@redhat.com> - 3.8-5 |
|
|
- Resolves: rhbz#1052834 create_child_sa message ID handling |
|
|
|
|
|
|
|
|
* Tue Mar 18 2014 Paul Wouters <pwouters@redhat.com> - 3.8-4 |
|
|
- Resolves: rhbz#1052834 create_child_sa response |
|
|
|
|
|
* Wed Mar 05 2014 Paul Wouters <pwouters@redhat.com> - 3.8-3 |
|
|
- Resolves: rhbz#1069024 erroneous debug line with mixture [...] |
|
|
- Resolves: rhbz#1030939 update nss/x509 documents, don't load acerts |
|
|
- Resolves: rhbz#1058813 newhostkey returns zero value when it fails |
|
|
|
|
|
* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 3.8-2 |
|
|
- Mass rebuild 2014-01-24 |
|
|
|
|
|
* Thu Jan 16 2014 Paul Wouters <pwouters@redhat.com> - 3.8-1 |
|
|
- Resolves: rhbz#CVE-2013-6467 |
|
|
- Resolves: rhbz#1043642 rebase to version 3.8 |
|
|
- Resolves: rhbz#1029912 ipsec force-reload doesn't work |
|
|
- Resolves: rhbz#826261 Implement SHA384/512 support for Openswan |
|
|
- Resolves: rhbz#1039655 ipsec newhostkey generates false configuration |
|
|
|
|
|
* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 3.6-3 |
|
|
- Mass rebuild 2013-12-27 |
|
|
|
|
|
* Fri Nov 08 2013 Paul Wouters <pwouters@redhat.com> - 3.6-2 |
|
|
- Fix race condition in post for creating nss db |
|
|
|
|
|
* Thu Oct 31 2013 Paul Wouters <pwouters@redhat.com> - 3.6-1 |
|
|
- Updated to version 3.6 (IKEv2, MODECFG, Cisco interop fixes) |
|
|
- Generate empty NSS db if none exists |
|
|
- FIPS update using /etc/system-fips |
|
|
- Provide: openswan-doc |
|
|
|
|
|
* Fri Aug 09 2013 Paul Wouters <pwouters@redhat.com> - 3.5-2 |
|
|
- rebuilt and bumped EVR to avoid confusion of import->delete->import |
|
|
- require iproute |
|
|
|
|
|
* Mon Jul 15 2013 Paul Wouters <pwouters@redhat.com> - 3.5-1 |
|
|
- Initial package for RHEL7 |
|
|
- Added interop patch for (some?) Cisco VPN clients sending 16 zero |
|
|
bytes of extraneous IKE data |
|
|
- Removed fipscheck_version |
|