
Diff of /rpms/libreswan/contribs10/libreswan.spec


Revision 1.1 by brianr, Mon Mar 1 10:43:07 2021 UTC Revision 1.4 by jcrisp, Tue Apr 16 11:38:41 2024 UTC
# Line 1  Line 1 
1  %global USE_FIPSCHECK true  # These are rpm macros and are 0 or 1
 %global USE_LIBCAP_NG true  
 %global USE_LABELED_IPSEC true  
 %global USE_CRL_FETCHING true  
 %global USE_DNSSEC true  
 %global USE_NM true  
 %global USE_LINUX_AUDIT true  
   
2  %global _hardened_build 1  %global _hardened_build 1
3  %global buildefence 0  %global with_efence 0
4  %global development 0  %global with_development 0
5  %global cavstests 1  %global with_cavstests 1
6    # There is no new enough unbound on rhel7
7  #%if 0%{?fedora}  %global with_dnssec 0
8  #%global rhel 7  %global nss_version 3.79-4
9  #%endif  # Libreswan config options
10  %global rhel 6  # For RHEL7 we need USE_NSS_KDF=false and USE_FIPSCHECK=true
11  #global prever rc1  # Note that this means libreswan needs its own FIPS certification
12    %global libreswan_config \\\
13        FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
14        FINALMANDIR=%{_mandir} \\\
15        FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\
16        INITSYSTEM=systemd \\\
17        PREFIX=%{_prefix} \\\
18        PYTHON_BINARY=%{__python2} \\\
19        SHELL_BINARY=/bin/sh \\\
20        USE_AUTHPAM=true \\\
21        USE_DNSSEC=%{USE_DNSSEC} \\\
22        USE_FIPSCHECK=true \\\
23        USE_LABELED_IPSEC=true \\\
24        USE_LDAP=true \\\
25        USE_LIBCAP_NG=true \\\
26        USE_LIBCURL=true \\\
27        USE_NM=true \\\
28        USE_NSS_IPSEC_PROFILE=true \\\
29        USE_NSS_KDF=false \\\
30        USE_SECCOMP=true \\\
31        USE_XFRM_INTERFACE_IFLA_HEADER=true \\\
32    %{nil}
33    
34    #global prever dr1
35    
36  Name: libreswan  Name: libreswan
37  Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols  Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
38  Version: 3.16  Version: 4.15
39  Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}  Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
40  License: GPLv2  License: GPLv2
 Group: System Environment/Daemons  
41  Url: https://libreswan.org/  Url: https://libreswan.org/
42  Source: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz  Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
43  Source1: ikev1_dsa.fax.bz2  %if 0%{with_cavstests}
44  Source2: ikev1_psk.fax.bz2  Source10: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
45  Source3: ikev2.fax.bz2  Source11: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
46    Source12: https://download.libreswan.org/cavs/ikev2.fax.bz2
 Requires: iproute >= 2.6.8 nss-tools nss-softokn  
   
 BuildRequires: gmp-devel bison flex redhat-rpm-config pkgconfig  
 BuildRequires: nss-devel >= 3.16.1 nspr-devel  
 BuildRequires: pam-devel  
 BuildRequires: xmlto  
   
 %if %{?rhel} <= 6  
 BuildRequires: libevent2-devel net-tools  
   
 Requires(post): coreutils bash  
 Requires(preun): initscripts chkconfig  
 Requires(post): /sbin/chkconfig  
 Requires(preun): /sbin/chkconfig  
 Requires(preun): /sbin/service  
 %else  
 BuildRequires: libevent-devel hostname  
   
 BuildRequires: systemd  
 Requires(post): coreutils bash systemd  
 Requires(preun): systemd  
 Requires(postun): systemd  
47  %endif  %endif
48    
49  %if %{USE_DNSSEC}  BuildRequires: gcc make
50  BuildRequires: unbound-devel  BuildRequires: audit-libs-devel
51  %endif  BuildRequires: bison
52    BuildRequires: curl-devel
 %if %{USE_FIPSCHECK}  
53  BuildRequires: fipscheck-devel  BuildRequires: fipscheck-devel
54  # we need fipshmac  BuildRequires: flex
55  Requires: fipscheck%{_isa}  BuildRequires: hostname
 %endif  
   
 %if %{USE_LINUX_AUDIT}  
 Buildrequires: audit-libs-devel  
 %endif  
   
 %if %{USE_LIBCAP_NG}  
56  BuildRequires: libcap-ng-devel  BuildRequires: libcap-ng-devel
57  %endif  BuildRequires: libevent-devel
58    BuildRequires: libseccomp-devel
59  %if %{USE_CRL_FETCHING}  BuildRequires: libselinux-devel
60  BuildRequires: openldap-devel curl-devel  BuildRequires: nspr-devel
61  %endif  BuildRequires: nss-devel >= %{nss_version}
62    BuildRequires: nss-tools
63  %if %{buildefence}  BuildRequires: openldap-devel
64    BuildRequires: pam-devel
65    BuildRequires: pkgconfig
66    BuildRequires: redhat-rpm-config
67    BuildRequires: systemd-devel
68    BuildRequires: xmlto
69    %if 0%{with_efence}
70  BuildRequires: ElectricFence  BuildRequires: ElectricFence
71  %endif  %endif
72    %if 0%{with_dnssec}
73    BuildRequires: ldns-devel
74    BuildRequires: unbound-devel >= 1.6.0
75    Requires: unbound-libs >= 1.6.0
76    %global USE_DNSSEC true
77    %else
78    %global USE_DNSSEC false
79    %endif
80    Requires: coreutils
81    Requires: fipscheck%{_isa}
82    Requires: iproute
83    Requires: logrotate
84    Requires: nss >= %{nss_version}
85    Requires: nss-softokn
86    Requires: nss-tools
87    %{?systemd_requires}
88    
89  Conflicts: openswan < %{version}-%{release}  Conflicts: openswan < %{version}-%{release}
90    Obsoletes: openswan < %{version}-%{release}
91  Provides: openswan = %{version}-%{release}  Provides: openswan = %{version}-%{release}
92  Provides: openswan-doc = %{version}-%{release}  Provides: openswan-doc = %{version}-%{release}
93  Obsoletes: openswan < %{version}-%{release}  
94    
95    
96  %description  %description
97  Libreswan is a free implementation of IPsec & IKE for Linux.  IPsec is  Libreswan is a free implementation of IPsec & IKE for Linux.  IPsec is
# Line 94  decrypted by the gateway at the other en Line 103  decrypted by the gateway at the other en
103  tunnel is a virtual private network or VPN.  tunnel is a virtual private network or VPN.
104    
105  This package contains the daemons and userland tools for setting up  This package contains the daemons and userland tools for setting up
106  Libreswan. It supports the NETKEY/XFRM IPsec kernel stack that exists  Libreswan.
 in the default Linux kernel.  
107    
108  Libreswan also supports IKEv2 (RFC-7296) and Secure Labeling  Libreswan also supports IKEv2 (RFC7296) and Secure Labeling
109    
110  Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04  Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
111    
# Line 105  Libreswan is based on Openswan-2.6.38 wh Line 113  Libreswan is based on Openswan-2.6.38 wh
113  %setup -q -n libreswan-%{version}%{?prever}  %setup -q -n libreswan-%{version}%{?prever}
114    
115  %build  %build
 %if %{buildefence}  
  %define efence "-lefence"  
 %endif  
   
116  make %{?_smp_mflags} \  make %{?_smp_mflags} \
117  %if %{development}  %if 0%{with_development}
118     USERCOMPILE="-g -DGCC_LINT %(echo %{optflags} | sed -e s/-O[0-9]*/ /) %{?efence} -fPIE -pie " \      OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \
 %else  
   USERCOMPILE="-g -DGCC_LINT %{optflags} %{?efence} -fPIE -pie " \  
 %endif  
   USERLINK="-g -pie -Wl,-z,relro,-z,now %{?efence}" \  
 %if %{?rhel} <= 6  
   INITSYSTEM=sysvinit \  
119  %else  %else
120    INITSYSTEM=systemd \      OPTIMIZE_CFLAGS="%{optflags}" \
121  %endif  %endif
122    USE_NM=%{USE_NM} \  %if 0%{with_efence}
123    USE_XAUTHPAM=true \      USE_EFENCE=true \
 %if %{USE_FIPSCHECK}  
   USE_FIPSCHECK="%{USE_FIPSCHECK}" \  
   FIPSPRODUCTCHECK=/etc/system-fips \  
124  %endif  %endif
125    USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \      USERLINK="%{?__global_ldflags}" \
126    USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \      WERROR_CFLAGS="-Werror -Wno-error=address -Wno-missing-braces -Wno-missing-field-initializers" \
127    USE_LINUX_AUDIT="%{USE_LINUX_AUDIT}" \      %{libreswan_config} \
128  %if %{USE_CRL_FETCHING}      programs
   USE_LDAP=true \  
   USE_LIBCURL=true \  
 %endif  
   USE_DNSSEC="%{USE_DNSSEC}" \  
   INC_USRLOCAL=%{_prefix} \  
   FINALLIBDIR=%{_libexecdir}/ipsec \  
   FINALLIBEXECDIR=%{_libexecdir}/ipsec \  
   MANTREE=%{_mandir} \  
   INC_RCDEFAULT=%{_initrddir} \  
   MODPROBE="modprobe -q -b" \  
   programs  
129  FS=$(pwd)  FS=$(pwd)
130    
 %if %{USE_FIPSCHECK}  
131  # Add generation of HMAC checksums of the final stripped binaries  # Add generation of HMAC checksums of the final stripped binaries
 %if %{?rhel} <= 6  
 %define __spec_install_post \  
     %{?__debug_package:%{__debug_install_post}} \  
     %{__arch_install_post} \  
     %{__os_install_post} \  
     fipshmac %{buildroot}%{_libexecdir}/ipsec/* \  
     fipshmac %{buildroot}%{_sbindir}/ipsec \  
 %{nil}  
   
 %else  
132  %define __spec_install_post \  %define __spec_install_post \
133      %{?__debug_package:%{__debug_install_post}} \      %{?__debug_package:%{__debug_install_post}} \
134      %{__arch_install_post} \      %{__arch_install_post} \
135      %{__os_install_post} \      %{__os_install_post} \
136      mkdir -p %{buildroot}%{_libdir}/fipscheck/ \      fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/pluto
     fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/* \  
     fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_sbindir}/ipsec \  
137  %{nil}  %{nil}
 %endif  
 %endif  
138    
139  %install  %install
 rm -rf ${RPM_BUILD_ROOT}  
140  make \  make \
141    DESTDIR=%{buildroot} \      DESTDIR=%{buildroot} \
142    INC_USRLOCAL=%{_prefix} \      %{libreswan_config} \
143    FINALLIBDIR=%{_libexecdir}/ipsec \      install
   FINALLIBEXECDIR=%{_libexecdir}/ipsec \  
   MANTREE=%{buildroot}%{_mandir} \  
   INC_RCDEFAULT=%{_initrddir} \  
   INSTMANFLAGS="-m 644" \  
 %if %{?rhel} <= 6  
   INITSYSTEM=sysvinit \  
 %else  
   INITSYSTEM=systemd \  
 %endif  
   install  
144  FS=$(pwd)  FS=$(pwd)
145  rm -rf %{buildroot}/usr/share/doc/libreswan  rm -rf %{buildroot}/usr/share/doc/libreswan
146  # needed to activate v6neighbor-hole.conf  rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
 sed -i "s:^#include /etc/ipsec.d/\*.conf$:include /etc/ipsec.d/*.conf:" %{buildroot}%{_sysconfdir}/ipsec.conf  
147    
148  install -d -m 0755 %{buildroot}%{_localstatedir}/run/pluto  install -d -m 0755 %{buildroot}%{_rundir}/pluto
 # used when setting --perpeerlog without --perpeerlogbase  
 install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer  
149  install -d %{buildroot}%{_sbindir}  install -d %{buildroot}%{_sbindir}
 %if %{?rhel} <= 6  
 # replace with rhel6 specific version  
 install -m 0755 initsystems/sysvinit/init.rhel %{buildroot}%{_initrddir}/ipsec  
 rm -fr %{buildroot}/etc/rc.d/rc*  
 %endif  
150    
151  %if %{USE_FIPSCHECK}  install -d %{buildroot}%{_sysctldir}
152  %if %{?rhel} == 7  install -m 0644 packaging/rhel/libreswan-sysctl.conf \
153        %{buildroot}%{_sysctldir}/50-libreswan.conf
154    
155  mkdir -p %{buildroot}%{_libdir}/fipscheck  mkdir -p %{buildroot}%{_libdir}/fipscheck
 %endif  
156  install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/  install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/
157  install -m644 packaging/fedora/libreswan-prelink.conf %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf  install -m644 packaging/rhel/libreswan-prelink.conf \
158  %endif      %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
159    
160  echo "include /etc/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets  echo "include /etc/ipsec.d/*.secrets" \
161        > %{buildroot}%{_sysconfdir}/ipsec.secrets
162    
 # cavs testing  
 cp -a OBJ.linux.*/programs/pluto/cavp %{buildroot}%{_libexecdir}/ipsec  
163    
164  %if %{cavstests}  %if 0%{with_cavstests}
165  %check  %check
166  # There is an elaborate upstream testing infrastructure which we do not run here  # There is an elaborate upstream testing infrastructure which we do not
167  # We only run the CAVS tests here  # run here.
168  cp %{SOURCE1} %{SOURCE2} %{SOURCE3} .  # We only run the CAVS tests here.
169    cp %{SOURCE10} %{SOURCE11} %{SOURCE12} .
170  bunzip2 *.fax.bz2  bunzip2 *.fax.bz2
171    
172  # work around for rhel6 builders on xen  # work around for older xen based machines
173  export NSS_DISABLE_HW_GCM=1  export NSS_DISABLE_HW_GCM=1
174    
175  : "starting CAVS test for IKEv2"  : starting CAVS test for IKEv2
176  OBJ.linux.*/programs/pluto/cavp -v2 ikev2.fax | diff -u ikev2.fax - > /dev/null  %{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \
177  : "starting CAVS test for IKEv1 RSASIG"      diff -u ikev2.fax - > /dev/null
178  OBJ.linux.*/programs/pluto/cavp -v1sig ikev1_dsa.fax | diff -u ikev1_dsa.fax - > /dev/null  : starting CAVS test for IKEv1 RSASIG
179  : "starting CAVS test for IKEv1 PSK"  %{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \
180  OBJ.linux.*/programs/pluto/cavp -v1psk ikev1_psk.fax | diff -u ikev1_psk.fax - > /dev/null      diff -u ikev1_dsa.fax - > /dev/null
181  : "CAVS tests passed"  : starting CAVS test for IKEv1 PSK
182    %{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
183        diff -u ikev1_psk.fax - > /dev/null
184    : CAVS tests passed
185    
186    # Some of these tests will show ERROR for negative testing - it will exit on real errors
187    %{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; }
188    %{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; }
189    : Algorithm parser tests passed
190    
191    # self test for pluto daemon - this also shows which algorithms it allows in FIPS mode
192    tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
193    certutil -N -d sql:$tmpdir --empty-password
194    %{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir
195    : pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST
196    
197  %endif  %endif
198    
 %if %{?rhel} <= 6  
199  %post  %post
200  /sbin/chkconfig --add ipsec || :  %systemd_post ipsec.service
201  %if %{USE_FIPSCHECK}  %sysctl_apply 50-libreswan.conf
202  prelink -u %{_libexecdir}/ipsec/* 2>/dev/null || :  prelink -u %{_libexecdir}/ipsec/* 2>/dev/null || :
 %endif  
203    
204  %preun  %preun
 if [ $1 -eq 0 ]; then  
     /sbin/service ipsec stop > /dev/null 2>&1 || :  
     /sbin/chkconfig --del ipsec  
 fi  
   
 %postun  
 if [ $1 -ge 1 ] ; then  
      /sbin/service ipsec condrestart 2>&1 >/dev/null || :  
 fi  
 %else  
 %preun  
205  %systemd_preun ipsec.service  %systemd_preun ipsec.service
206    
207  %postun  %postun
208  %systemd_postun_with_restart ipsec.service  %systemd_postun_with_restart ipsec.service
209    
 %post  
 %systemd_post ipsec.service  
 %endif  
   
210  %files  %files
211  %doc CHANGES COPYING CREDITS README* LICENSE  %license LICENSE COPYING
212  %doc docs/*.* docs/examples packaging/rhel/libreswan-sysctl.conf  %doc CHANGES CREDITS README*
213    %doc docs/*.* docs/examples
214  %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf  %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
215  %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets  %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/pluto  
216  %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d  %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
 %attr(0644,root,root) %{_sysconfdir}/ipsec.d/v6neighbor-hole.conf  
217  %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies  %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
218  %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*  %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
219  %attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer  %attr(0644,root,root) %config(noreplace) %{_sysctldir}/50-libreswan.conf
220  %attr(0755,root,root) %dir %{_localstatedir}/run/pluto  %attr(0755,root,root) %dir %{_rundir}/pluto
221    %attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
222    %attr(0644,root,root) %{_unitdir}/ipsec.service
223  %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto  %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
224    %config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
225  %{_sbindir}/ipsec  %{_sbindir}/ipsec
226  %attr(0755,root,root) %dir %{_libexecdir}/ipsec  %{_libexecdir}/ipsec
227  %{_libexecdir}/ipsec/*  %doc %{_mandir}/*/*
228  %attr(0644,root,root) %{_mandir}/*/*.gz  %{_libdir}/fipscheck/pluto.hmac
 %if %{?rhel} <= 6  
 %{_initrddir}/ipsec  
 %else  
 %attr(0644,root,root) %{_unitdir}/ipsec.service  
 %endif  
   
 %if %{USE_FIPSCHECK}  
 %if %{?rhel} <= 6  
 %{_sbindir}/.ipsec.hmac  
 %{_libexecdir}/ipsec/.*.hmac  
 %else  
 %{_libdir}/fipscheck/*.hmac  
 %endif  
   
229  # We own the directory so we don't have to require prelink  # We own the directory so we don't have to require prelink
230  %attr(0755,root,root) %dir %{_sysconfdir}/prelink.conf.d/  %dir %{_sysconfdir}/prelink.conf.d/
231  %{_sysconfdir}/prelink.conf.d/libreswan-fips.conf  %{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
 %endif  
232    
233  %changelog  %changelog
234  * Sat Dec 19 2015 Paul Wouters <pwouters@redhat.com> - 3.16-1  * Tue Apr 16 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.15-2
235  - Updated to libreswan-3.16  - build for Koozali Server
236    - needs libreswan-prelink.conf adding to the tar
237    
238    * Mon Apr 15 2024 Team Libreswan <team@libreswan.org> - 4.15-1
239    - Automated build from release tar ball
240    
241    * Wed Mar 13 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.14-2
242    - build for Koozali SME Server
243    - needs libreswan-prelink.conf adding to the tar
244    
245    * Mon Mar 11 2024 Team Libreswan <team@libreswan.org> - 4.14-1
246    - Automated build from release tar ball
247    
248    * Sat Feb 10 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.12-2
249    - build for Koozali SME Server
250    - needs libreswan-sysctl.conf adding to the tar
251    
252  * Thu Oct 15 2015 Paul Wouters <pwouters@redhat.com> - 3.15-5  * Tue Aug  8 2023 Team Libreswan <team@libreswan.org> - 4.12-1
253  - Resolves: rhbz#1272317 libreswan FIPS test mistakenly looks for non-existent file hashes  - Automated build from release tar ball
 - Resolves: rhbz#1271778 ipsec whack man page discrepancies  
   
 * Tue Sep 29 2015 Paul Wouters <pwouters@redhat.com> - 3.15-4  
 - Updates: rhbz#1233303 add libreswan to RHEL6 (fix source confusion)  
   
 * Mon Sep 28 2015 Paul Wouters <pwouters@redhat.com> - 3.15-3  
 - Updates: rhbz#1233303 add libreswan to RHEL6  
   
 * Tue Sep 15 2015 Paul Wouters <pwouters@redhat.com> - 3.15-2  
 - Resolves: rhbz#1259208 CVE-2015-3240  
 - Merge rhel6 and rhel7 spec into one  
 - Be lenient for racoon padding behaviour  
 - Fix seedev option to /dev/random  
 - Some IKEv1 PAM methods always gave 'Permission denied'  
 - Parser workarounds for differences in gcc/flex/bison on rhel6/rhel7  
 - Parser fix to allow specifying time without unit (openswan compat)  
 - Fix Labeled IPsec on rekeyed IPsec SA's  
 - Workaround for wrong padding by racoon2  
 - Disable NSS HW GCM to workaround rhel6 xen builers bug  
   
 * Wed Aug 19 2015 Paul Wouters <pwouters@redhat.com> - 3.14-1  
 - Resolves: rhbz#1233303 add libreswan to RHEL6  
 - Resolves: CVE-2015-3240 denial of service via IKE daemon restart when receiving a bad DH gx  
   
 * Fri May 29 2015 Paul Wouters <pwouters@redhat.com> - 3.12-10.1  
 - Resolves: rhbz#1226407 CVE-2015-3204 libreswan: crafted IKE packet causes daemon restart  
   
 * Tue May 05 2015 Paul Wouters <pwouters@redhat.com> - 3.12-10  
 - Resolves: rhbz#1213652 Support CAVS [updated another prf() free symkey, bogus fips mode fix]  
   
 * Tue Apr 28 2015 Paul Wouters <pwouters@redhat.com> - 3.12-9  
 - Resolves: rhbz#1213652 Support CAVS [updated to kill another copy of prf()]  
 - Resolves: rhbz#1208023 Libreswan with IPv6 [updated patch by Jaroslav Aster]  
 - Resolves: rhbz#1208022 libreswan ignores module blacklist [updated modprobe handling]  
   
 * Mon Apr 20 2015 Paul Wouters <pwouters@redhat.com> - 3.12-8  
 - Resolves: rhbz#1213652 Support CAVS testing of the PRF/PRF+ functions  
   
 * Mon Apr 13 2015 Paul Wouters <pwouters@redhat.com> - 3.12-7  
 - Resolves: rhbz#1208022 libreswan ignores module blacklist rules  
 - Resolves: rhbz#1208023 Libreswan with IPv6 in RHEL7 fails after reboot  
 - Resolves: rhbz#1211146 pluto crashes in fips mode  
   
 * Tue Mar 17 2015 Paul Wouters <pwouters@redhat.com> - 3.12-6  
 - Resolves: rhbz#1198650 SELinux context string size limit  
 - Resolves: rhbz#1198649 Add new option for BSI random requirement  
   
 * Tue Jan 20 2015 Paul Wouters <pwouters@redhat.com> - 3.12-5  
 - Resolves: rhbz#826264 aes-gcm implementation support (for IKEv2)  
 - Resolves: rhbz#1074018 Audit key agreement (integ gcm fixup)  
   
 * Tue Dec 30 2014 Paul Wouters <pwouters@redhat.com> - 3.12-4  
 - Resolves: rhbz#1134297 aes-ctr cipher is not supported  
 - Resolves: rhbz#1131503 non-zero rSPI on INVALID_KE (and proper INVALID_KE handling)  
   
 * Thu Dec 04 2014 Paul Wouters <pwouters@redhat.com> - 3.12-2  
 - Resolves: rhbz#1105171 (Update man page entry)  
 - Resolves: rhbz#1144120 (Update for ESP CAMELLIA with IKEv2)  
 - Resolves: rhbz#1074018 Audit key agreement  
   
 * Fri Nov 07 2014 Paul Wouters <pwouters@redhat.com> - 3.12-1  
 - Resolves: rhbz#1136124 rebase to libreswan 3.12  
 - Resolves: rhbz#1052811 [TAHI] (also clear reserved flags for isakmp_sa header)  
 - Resolves: rhbz#1157379 [TAHI][IKEv2] IKEv2.EN.R.1.3.3.1: Non RESERVED fields in INFORMATIONAL request  
   
 * Mon Oct 27 2014 Paul Wouters <pwouters@redhat.com> - 3.11-2  
 - Resolves: rhbz#1136124 rebase to libreswan 3.11 (coverity fixup, dpdaction=clear fix)  
   
 * Wed Oct 22 2014 Paul Wouters <pwouters@redhat.com> - 3.11-1  
 - Resolves: rhbz#1136124 rebase to libreswan 3.11  
 - Resolves: rhbz#1099905 ikev2 delete payloads are not delivered to peer  
 - Resolves: rhbz#1147693 NetworkManger-libreswan can not connect to Red Hat IPSec Xauth VPN  
 - Resolves: rhbz#1055865 [TAHI][IKEv2] libreswan do not ignore the content of version bit  
 - Resolves: rhbz#1146106 Pluto crashes after start when some ah algorithms are used  
 - Resolves: rhbz#1108256 addconn compatibility with openswan  
 - Resolves: rhbz#1152625 [TAHI][IKEv2] IKEv2.EN.I.1.1.6.2 Part D: Integrity Algorithm AUTH_AES_XCBC_96 fail  
 - Resolves: rhbz#1119704 [TAHI][IKEv2]IKEv2Interop.1.13a test fail  
 - Resolves: rhbz#1100261 libreswan does not send response when when it receives Delete Payload for a CHILD_SA  
 - Resolves: rhbz#1100239 ikev2 IKE SA responder does not send delete request to IKE SA initiator  
 - Resolves: rhbz#1052811 [TAHI][IKEv2]IKEv2.EN.I.1.1.11.1: Non zero RESERVED fields in IKE_SA_INIT response  
 - Resolves: rhbz#1126868 ikev2 sequence numbers are implemented incorrectly  
 - Resolves: rhbz#1145245 Libreswan appears to start with systemd before all the NICs are up and running.  
 - Resolves: rhbz#1145231 libreswan 3.10 upgrade breaks old ipsec.secrets configs  
 - Resolves: rhbz#1144123 Add ESP support for AES_XCBC hash for USGv6 and IPsec-v3 compliance  
 - Resolves: rhbz#1144120 Add ESP support for CAMELLIA for USGv6 and IPsec-v3 compliance  
 - Resolves: rhbz#1099877 Missing man-pages ipsec_whack, ipsec_manual  
 - Resolves: rhbz#1100255 libreswan Ikev2 implementation does not send an INFORMATIONAL response when it receives an INFORMATIONAL request with a Delete Payload for an IKE_SA  
   
 * Tue Sep 09 2014 Paul Wouters <pwouters@redhat.com> - 3.10-3  
 - Resolves: rhbz#1136124 rebase to 3.10 (auto=route bug on startup)  
   
 * Mon Sep 08 2014 Paul Wouters <pwouters@redhat.com> - 3.10-2  
 - Resolves: rhbz#1136124 rebase to libreswan 3.10  
   
 * Mon Jul 14 2014 Paul Wouters <pwouters@redhat.com> - 3.8-6  
 - Resolves: rhbz#1092047 pluto cannot write to directories not owned by root  
   
 * Thu Apr 10 2014 Paul Wouters <pwouters@redhat.com> - 3.8-5  
 - Resolves: rhbz#1052834 create_child_sa message ID handling  
   
   
 * Tue Mar 18 2014 Paul Wouters <pwouters@redhat.com> - 3.8-4  
 - Resolves: rhbz#1052834 create_child_sa response  
   
 * Wed Mar 05 2014 Paul Wouters <pwouters@redhat.com> - 3.8-3  
 - Resolves: rhbz#1069024  erroneous debug line with mixture [...]  
 - Resolves: rhbz#1030939 update nss/x509 documents, don't load acerts  
 - Resolves: rhbz#1058813 newhostkey returns zero value when it fails  
   
 * Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 3.8-2  
 - Mass rebuild 2014-01-24  
   
 * Thu Jan 16 2014 Paul Wouters <pwouters@redhat.com> - 3.8-1  
 - Resolves: rhbz#CVE-2013-6467  
 - Resolves: rhbz#1043642 rebase to version 3.8  
 - Resolves: rhbz#1029912 ipsec force-reload doesn't work  
 - Resolves: rhbz#826261 Implement SHA384/512 support for Openswan  
 - Resolves: rhbz#1039655 ipsec newhostkey generates false configuration  
   
 * Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 3.6-3  
 - Mass rebuild 2013-12-27  
   
 * Fri Nov 08 2013 Paul Wouters <pwouters@redhat.com> - 3.6-2  
 - Fix race condition in post for creating nss db  
   
 * Thu Oct 31 2013 Paul Wouters <pwouters@redhat.com> - 3.6-1  
 - Updated to version 3.6 (IKEv2, MODECFG, Cisco interop fixes)  
 - Generate empty NSS db if none exists  
 - FIPS update using /etc/system-fips  
 - Provide: openswan-doc  
   
 * Fri Aug 09 2013 Paul Wouters <pwouters@redhat.com> - 3.5-2  
 - rebuilt and bumped EVR to avoid confusion of import->delete->import  
 - require iproute  
   
 * Mon Jul 15 2013 Paul Wouters <pwouters@redhat.com> - 3.5-1  
 - Initial package for RHEL7  
 - Added interop patch for (some?) Cisco VPN clients sending 16 zero  
   bytes of extraneous IKE data  
 - Removed fipscheck_version  
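Review bot: The new 4.15-2 changelog entry says `libreswan-prelink.conf` "needs adding to the tar", yet `Source0` still names the upstream release URL and `%install` copies the file from `packaging/rhel/libreswan-prelink.conf` inside the unpacked tree. If the tarball is in fact repacked locally, the archive that is built no longer matches the one at that URL, so it cannot be compared against any checksum or signature upstream provides, and a rebuild from the pristine download would presumably fail at that `install` line. Carrying the file as its own source keeps Source0 byte-identical to upstream: add `Source20: libreswan-prelink.conf` and use `install -m644 %{SOURCE20} \` in place of the packaging/rhel path. The 4.12-2 entry describes the same situation for `libreswan-sysctl.conf`, which `%install` also takes from `packaging/rhel/`. Separately, the `%check` section creates `tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)` for the pluto self-test and never removes it; a closing `rm -rf "$tmpdir"` would stop the NSS database accumulating on the builder.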

