# These are rpm macros and are 0 or 1
# _hardened_build: ask redhat-rpm-config for its hardened toolchain defaults
# (PIE/RELRO) for everything built here.
%global _hardened_build 1
# with_efence: link against ElectricFence for heap-debugging builds only.
%global with_efence 0
# with_development: build with just the hardening cflags instead of the full
# distribution optflags (see the build section).
%global with_development 0
# with_cavstests: run the NIST CAVS vector tests and the pluto self-test in
# the check section; also pulls in the vector files as Sources.
%global with_cavstests 1
# There is no new enough unbound on rhel7
# with_dnssec 0 also selects USE_DNSSEC=false below, so the daemon is built
# without the ldns/unbound based DNSSEC resolver.
%global with_dnssec 0
# Minimum NSS accepted at build and run time (Requires / BuildRequires below).
%global nss_version 3.79-4
# Libreswan config options
# For RHEL7 we need USE_NSS_KDF=false and USE_FIPSCHECK=true
# Note that this means libreswan needs its own FIPS certification
# USE_NSS_KDF=false means the IKE key derivation is done by libreswan's own
# code rather than by NSS, which is why the FIPS boundary - and the fipshmac
# integrity check set up later in this spec - has to cover pluto itself.
# USE_SECCOMP / USE_LIBCAP_NG / USE_LABELED_IPSEC enable the syscall filter,
# capability dropping and SELinux labeled-IPsec support respectively.
# USE_DNSSEC refers to a macro that is only defined further down (in the
# with_dnssec conditional); it is resolved when this macro is expanded in the
# build and install sections, not here.
# Keep the backslash continuations intact: this is a single multi-line macro
# that is pasted into the make command lines of the build and install sections.
%global libreswan_config \\\
FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
FINALMANDIR=%{_mandir} \\\
FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\
INITSYSTEM=systemd \\\
PREFIX=%{_prefix} \\\
PYTHON_BINARY=%{__python2} \\\
SHELL_BINARY=/bin/sh \\\
USE_AUTHPAM=true \\\
USE_DNSSEC=%{USE_DNSSEC} \\\
USE_FIPSCHECK=true \\\
USE_LABELED_IPSEC=true \\\
USE_LDAP=true \\\
USE_LIBCAP_NG=true \\\
USE_LIBCURL=true \\\
USE_NM=true \\\
USE_NSS_IPSEC_PROFILE=true \\\
USE_NSS_KDF=false \\\
USE_SECCOMP=true \\\
USE_XFRM_INTERFACE_IFLA_HEADER=true \\\
%{nil}

# Define prever (as a global) to build a pre-release; Release, Source0 and the
# prep section all react to it.
#global prever dr1

Name: libreswan
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
Version: 4.14
# With prever set this becomes 0.2.<prever> so the final release sorts higher.
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
License: GPLv2
Url: https://libreswan.org/
# Fetched over https. No detached upstream signature is listed as a Source and
# none is verified in prep, so tarball integrity rests on the download channel
# and on whatever checksum the packager records alongside this spec.
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
%if 0%{with_cavstests}
# NIST CAVS known-answer vectors consumed by the check section.
Source10: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
Source11: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
Source12: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif

BuildRequires: gcc make
BuildRequires: audit-libs-devel
BuildRequires: bison
# curl-devel: USE_LIBCURL=true
BuildRequires: curl-devel
# fipscheck-devel: USE_FIPSCHECK=true; fipshmac from the same project produces
# the pluto.hmac shipped below.
BuildRequires: fipscheck-devel
BuildRequires: flex
BuildRequires: hostname
# libcap-ng-devel: USE_LIBCAP_NG=true
BuildRequires: libcap-ng-devel
BuildRequires: libevent-devel
# libseccomp-devel: USE_SECCOMP=true
BuildRequires: libseccomp-devel
# libselinux-devel: presumably for USE_LABELED_IPSEC=true
BuildRequires: libselinux-devel
BuildRequires: nspr-devel
# Same NSS floor as the runtime Requires so pluto runs against what it was
# built and tested with.
BuildRequires: nss-devel >= %{nss_version}
BuildRequires: nss-tools
# openldap-devel: USE_LDAP=true
BuildRequires: openldap-devel
# pam-devel: USE_AUTHPAM=true
BuildRequires: pam-devel
BuildRequires: pkgconfig
# redhat-rpm-config supplies the hardened build flags selected by
# _hardened_build.
BuildRequires: redhat-rpm-config
BuildRequires: systemd-devel
BuildRequires: xmlto
%if 0%{with_efence}
BuildRequires: ElectricFence
%endif
%if 0%{with_dnssec}
BuildRequires: ldns-devel
BuildRequires: unbound-devel >= 1.6.0
Requires: unbound-libs >= 1.6.0
%global USE_DNSSEC true
%else
%global USE_DNSSEC false
%endif
Requires: coreutils
# fipscheck provides the library that verifies pluto against pluto.hmac.
Requires: fipscheck%{_isa}
Requires: iproute
Requires: logrotate
Requires: nss >= %{nss_version}
# nss-softokn: the NSS software token behind the ipsec.d NSS database;
# nss-tools: certutil and friends (also used by the check section).
Requires: nss-softokn
Requires: nss-tools
# Systemd scriptlet dependencies, when the macro is available.
%{?systemd_requires}

# Replace openswan in place; the Provides let existing openswan dependencies
# keep resolving.
Conflicts: openswan < %{version}-%{release}
Obsoletes: openswan < %{version}-%{release}
Provides: openswan = %{version}-%{release}
Provides: openswan-doc = %{version}-%{release}



%description |
Libreswan is a free implementation of IPsec & IKE for Linux. IPsec
(Internet Protocol Security) uses strong cryptography to provide
both authentication and encryption services. These services allow you
to build secure tunnels through untrusted networks. Everything passing
through the untrusted network is encrypted by the IPsec gateway machine and
decrypted by the gateway at the other end of the tunnel. The resulting
tunnel is a virtual private network or VPN.
104 |
|
105 |
This package contains the daemons and userland tools for setting up |
106 |
Libreswan. |
107 |
|
108 |
Libreswan also supports IKEv2 (RFC7296) and Secure Labeling.
109 |
|
110 |
Libreswan is based on Openswan-2.6.38, which in turn is based on FreeS/WAN-2.04.
111 |
|
112 |
%prep
# -q: quiet unpack. -n: the tarball's top directory is named after the version
# (plus the optional prever suffix), not after the bare package name.
%setup -q -n libreswan-%{version}%{?prever}

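%build
# One make invocation; the rpm conditionals below are spliced into its
# continuation lines, so nothing (not even a comment) may sit between "make"
# and "programs".
# - OPTIMIZE_CFLAGS: with_development uses only the hardening cflags; the
#   default is the full distribution optflags, which with _hardened_build set
#   are meant to include the PIE/RELRO hardening options.
# - USE_EFENCE: ElectricFence heap checking, debug builds only.
# - USERLINK: distribution linker flags when the macro is defined.
# - WERROR_CFLAGS: warnings are errors, except the listed classes upstream
#   currently trips.
# - libreswan_config: the build knobs defined at the top of this spec.
make %{?_smp_mflags} \
%if 0%{with_development}
OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \
%else
OPTIMIZE_CFLAGS="%{optflags}" \
%endif
%if 0%{with_efence}
USE_EFENCE=true \
%endif
USERLINK="%{?__global_ldflags}" \
WERROR_CFLAGS="-Werror -Wno-error=address -Wno-missing-braces -Wno-missing-field-initializers" \
%{libreswan_config} \
programs
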
# Add generation of HMAC checksums of the final stripped binaries
# Order matters: the debuginfo, arch and os post-install steps strip the
# binaries, so fipshmac has to run after them or the digest will not match
# the pluto that is actually installed. The resulting pluto.hmac is shipped in
# the files list and is what fipscheck verifies pluto against; the prelink undo
# in the post scriptlet exists to keep that digest valid. Do not insert
# anything between the continuation lines below.
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/pluto
%{nil}

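%install
# Same configuration macro as the build, so paths baked into the binaries
# match where they are installed.
make \
DESTDIR=%{buildroot} \
%{libreswan_config} \
install
# Documentation is shipped through the doc entries of the files list instead
# of upstream's install location; upstream's *check helper binaries are not
# packaged.
rm -rf %{buildroot}/usr/share/doc/libreswan
rm -rf %{buildroot}%{_libexecdir}/ipsec/*check

# Runtime directory for pluto; a tmpfiles drop-in (listed in the files
# section, presumably installed by upstream's make install) recreates it on
# boot.
install -d -m 0755 %{buildroot}%{_rundir}/pluto
install -d %{buildroot}%{_sbindir}

# Kernel sysctl defaults as a drop-in; applied at post time via sysctl_apply.
install -d %{buildroot}%{_sysctldir}
install -m 0644 packaging/rhel/libreswan-sysctl.conf \
    %{buildroot}%{_sysctldir}/50-libreswan.conf

# Directory for the pluto HMAC produced by the spec_install_post hook, plus a
# prelink configuration (presumably excluding the ipsec binaries) so prelink
# does not rewrite pluto after its HMAC was computed.
install -d %{buildroot}%{_libdir}/fipscheck
install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/
install -m 0644 packaging/rhel/libreswan-prelink.conf \
    %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf

# The top-level secrets file only includes the per-connection *.secrets files
# from ipsec.d. It is created here with the build user's umask; the files list
# forces it to mode 0600 root:root in the package.
echo "include /etc/ipsec.d/*.secrets" \
    > %{buildroot}%{_sysconfdir}/ipsec.secrets

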
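%if 0%{with_cavstests}
%check
# There is an elaborate upstream testing infrastructure which we do not
# run here.
# We only run the CAVS tests here.
# rpm runs this section with the shell's -e option, so any failing command or
# pipeline (a pipeline's status is that of its last command, here diff) aborts
# the build.
cp %{SOURCE10} %{SOURCE11} %{SOURCE12} .
bunzip2 *.fax.bz2

# work around for older xen based machines
export NSS_DISABLE_HW_GCM=1

# Known-answer tests: cavp reproduces the expected .fax output from the NIST
# IKE KDF vectors; any difference from the input file fails the build.
: starting CAVS test for IKEv2
%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \
    diff -u ikev2.fax - > /dev/null
: starting CAVS test for IKEv1 RSASIG
%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \
    diff -u ikev1_dsa.fax - > /dev/null
: starting CAVS test for IKEv1 PSK
%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
    diff -u ikev1_psk.fax - > /dev/null
: CAVS tests passed

# Some of these tests will show ERROR for negative testing - it will exit on real errors
%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo proposal test failed; exit 1; }
%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; }
: Algorithm parser tests passed

# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode
# An empty throw-away NSS database is enough for the self-test; it is removed
# afterwards so repeated builds do not accumulate directories under /tmp.
tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
certutil -N -d sql:"$tmpdir" --empty-password
%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir "$tmpdir" --rundir "$tmpdir"
: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST
rm -rf "$tmpdir"

%endif
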
%post
# Standard systemd scriptlets: preset the unit on first install, apply the
# shipped sysctl drop-in immediately instead of waiting for a reboot.
%systemd_post ipsec.service
%sysctl_apply 50-libreswan.conf
# Undo any prelink rewrite of the ipsec binaries so the installed pluto still
# matches the digest in pluto.hmac. prelink is optional, so a missing binary
# or a failure must not fail the install ("|| :").
prelink -u %{_libexecdir}/ipsec/* 2>/dev/null || :

%preun
# Disable and stop the service on final removal.
%systemd_preun ipsec.service

%postun
# Restart the running daemon across upgrades.
%systemd_postun_with_restart ipsec.service

%files
%license LICENSE COPYING
%doc CHANGES CREDITS README*
%doc docs/*.* docs/examples
# ipsec.secrets and everything under ipsec.d (the included *.secrets files and
# the NSS database, FINALNSSDIR) are readable by root only. ipsec.conf and the
# policy files carry no secrets and stay world-readable; all are config files
# that rpm must not overwrite on upgrade.
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
%attr(0644,root,root) %config(noreplace) %{_sysctldir}/50-libreswan.conf
# Runtime directory created in install and re-created at boot by the tmpfiles
# drop-in below.
%attr(0755,root,root) %dir %{_rundir}/pluto
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
%attr(0644,root,root) %{_unitdir}/ipsec.service
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
%{_sbindir}/ipsec
# Whole helper directory, including pluto and the cavp/algparse tools.
%{_libexecdir}/ipsec
%doc %{_mandir}/*/*
# HMAC of the installed pluto, produced by the spec_install_post hook; this is
# what fipscheck verifies the binary against.
%{_libdir}/fipscheck/pluto.hmac
# We own the directory so we don't have to require prelink
%dir %{_sysconfdir}/prelink.conf.d/
%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf

%changelog |
* Wed Mar 13 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.14-2 |
- build for Koozali SME Server |
- needs libreswan-prelink.conf adding to the tar |
|
* Mon Mar 11 2024 Team Libreswan <team@libreswan.org> - 4.14-1 |
- Automated build from release tar ball |
|
* Sat Feb 10 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.12-2 |
- build for Koozali SME Server |
- needs libreswan-sysctl.conf adding to the tar |
|
* Tue Aug 8 2023 Team Libreswan <team@libreswan.org> - 4.12-1 |
- Automated build from release tar ball |