/[smecontribs]/rpms/libreswan/contribs10/libreswan.spec

Diff of /rpms/libreswan/contribs10/libreswan.spec

Parent Directory | Revision Log | View Revision Graph Revision Graph | View Patch Patch

-Revision 1.1 by brianr,
Mon Mar  1 10:43:07 2021 UTC
+Revision 1.4 by jcrisp,
Tue Apr 16 11:38:41 2024 UTC
 Line 1
- %global USE_FIPSCHECK true
+ # These are rpm macros and are 0 or 1
- %global USE_LIBCAP_NG true
- %global USE_LABELED_IPSEC true
- %global USE_CRL_FETCHING true
- %global USE_DNSSEC true
- %global USE_NM true
- %global USE_LINUX_AUDIT true
  %global _hardened_build 1
- %global buildefence 0
+ %global with_efence 0
- %global development 0
+ %global with_development 0
- %global cavstests 1
+ %global with_cavstests 1
+ # There is no new enough unbound on rhel7
- #%if 0%{?fedora}
+ %global with_dnssec 0
- #%global rhel 7
+ %global nss_version 3.79-4
- #%endif
+ # Libreswan config options
- %global rhel 6
+ # For RHEL7 we need USE_NSS_KDF=false and USE_FIPSCHECK=true
- #global prever rc1
+ # Note that this means libreswan needs its own FIPS certification
+ %global libreswan_config \\\
+     FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
+     FINALMANDIR=%{_mandir} \\\
+     FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\
+     INITSYSTEM=systemd \\\
+     PREFIX=%{_prefix} \\\
+     PYTHON_BINARY=%{__python2} \\\
+     SHELL_BINARY=/bin/sh \\\
+     USE_AUTHPAM=true \\\
+     USE_DNSSEC=%{USE_DNSSEC} \\\
+     USE_FIPSCHECK=true \\\
+     USE_LABELED_IPSEC=true \\\
+     USE_LDAP=true \\\
+     USE_LIBCAP_NG=true \\\
+     USE_LIBCURL=true \\\
+     USE_NM=true \\\
+     USE_NSS_IPSEC_PROFILE=true \\\
+     USE_NSS_KDF=false \\\
+     USE_SECCOMP=true \\\
+     USE_XFRM_INTERFACE_IFLA_HEADER=true \\\
+ %{nil}
+ #global prever dr1
  Name: libreswan
- Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
+ Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
- Version: 3.16
+ Version: 4.15
- Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
+ Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
  License: GPLv2
- Group: System Environment/Daemons
  Url: https://libreswan.org/
- Source: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
+ Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
- Source1: ikev1_dsa.fax.bz2
+ %if 0%{with_cavstests}
- Source2: ikev1_psk.fax.bz2
+ Source10: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
- Source3: ikev2.fax.bz2
+ Source11: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
+ Source12: https://download.libreswan.org/cavs/ikev2.fax.bz2
- Requires: iproute >= 2.6.8 nss-tools nss-softokn
- BuildRequires: gmp-devel bison flex redhat-rpm-config pkgconfig
- BuildRequires: nss-devel >= 3.16.1 nspr-devel
- BuildRequires: pam-devel
- BuildRequires: xmlto
- %if %{?rhel} <= 6
- BuildRequires: libevent2-devel net-tools
- Requires(post): coreutils bash
- Requires(preun): initscripts chkconfig
- Requires(post): /sbin/chkconfig
- Requires(preun): /sbin/chkconfig
- Requires(preun): /sbin/service
- %else
- BuildRequires: libevent-devel hostname
- BuildRequires: systemd
- Requires(post): coreutils bash systemd
- Requires(preun): systemd
- Requires(postun): systemd
  %endif
- %if %{USE_DNSSEC}
+ BuildRequires: gcc make
- BuildRequires: unbound-devel
+ BuildRequires: audit-libs-devel
- %endif
+ BuildRequires: bison
+ BuildRequires: curl-devel
- %if %{USE_FIPSCHECK}
  BuildRequires: fipscheck-devel
- # we need fipshmac
+ BuildRequires: flex
- Requires: fipscheck%{_isa}
+ BuildRequires: hostname
- %endif
- %if %{USE_LINUX_AUDIT}
- Buildrequires: audit-libs-devel
- %endif
- %if %{USE_LIBCAP_NG}
  BuildRequires: libcap-ng-devel
- %endif
+ BuildRequires: libevent-devel
+ BuildRequires: libseccomp-devel
- %if %{USE_CRL_FETCHING}
+ BuildRequires: libselinux-devel
- BuildRequires: openldap-devel curl-devel
+ BuildRequires: nspr-devel
- %endif
+ BuildRequires: nss-devel >= %{nss_version}
+ BuildRequires: nss-tools
- %if %{buildefence}
+ BuildRequires: openldap-devel
+ BuildRequires: pam-devel
+ BuildRequires: pkgconfig
+ BuildRequires: redhat-rpm-config
+ BuildRequires: systemd-devel
+ BuildRequires: xmlto
+ %if 0%{with_efence}
  BuildRequires: ElectricFence
  %endif
+ %if 0%{with_dnssec}
+ BuildRequires: ldns-devel
+ BuildRequires: unbound-devel >= 1.6.0
+ Requires: unbound-libs >= 1.6.0
+ %global USE_DNSSEC true
+ %else
+ %global USE_DNSSEC false
+ %endif
+ Requires: coreutils
+ Requires: fipscheck%{_isa}
+ Requires: iproute
+ Requires: logrotate
+ Requires: nss >= %{nss_version}
+ Requires: nss-softokn
+ Requires: nss-tools
+ %{?systemd_requires}
  Conflicts: openswan < %{version}-%{release}
+ Obsoletes: openswan < %{version}-%{release}
  Provides: openswan = %{version}-%{release}
  Provides: openswan-doc = %{version}-%{release}
- Obsoletes: openswan < %{version}-%{release}
  %description
  Libreswan is a free implementation of IPsec & IKE for Linux.  IPsec is
-Line 94 
 decrypted by the gateway at the other en
+Line 103 
 decrypted by the gateway at the other en
  tunnel is a virtual private network or VPN.
  This package contains the daemons and userland tools for setting up
- Libreswan. It supports the NETKEY/XFRM IPsec kernel stack that exists
+ Libreswan.
- in the default Linux kernel.
- Libreswan also supports IKEv2 (RFC-7296) and Secure Labeling
+ Libreswan also supports IKEv2 (RFC7296) and Secure Labeling
  Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
-Line 105 
 Libreswan is based on Openswan-2.6.38 wh
+Line 113 
 Libreswan is based on Openswan-2.6.38 wh
  %setup -q -n libreswan-%{version}%{?prever}
  %build
- %if %{buildefence}
-  %define efence "-lefence"
- %endif
  make %{?_smp_mflags} \
- %if %{development}
+ %if 0%{with_development}
-    USERCOMPILE="-g -DGCC_LINT %(echo %{optflags} | sed -e s/-O[0-9]*/ /) %{?efence} -fPIE -pie " \
+     OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \
- %else
-   USERCOMPILE="-g -DGCC_LINT %{optflags} %{?efence} -fPIE -pie " \
- %endif
-   USERLINK="-g -pie -Wl,-z,relro,-z,now %{?efence}" \
- %if %{?rhel} <= 6
-   INITSYSTEM=sysvinit \
  %else
-   INITSYSTEM=systemd \
+     OPTIMIZE_CFLAGS="%{optflags}" \
  %endif
-   USE_NM=%{USE_NM} \
+ %if 0%{with_efence}
-   USE_XAUTHPAM=true \
+     USE_EFENCE=true \
- %if %{USE_FIPSCHECK}
-   USE_FIPSCHECK="%{USE_FIPSCHECK}" \
-   FIPSPRODUCTCHECK=/etc/system-fips \
  %endif
-   USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \
+     USERLINK="%{?__global_ldflags}" \
-   USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \
+     WERROR_CFLAGS="-Werror -Wno-error=address -Wno-missing-braces -Wno-missing-field-initializers" \
-   USE_LINUX_AUDIT="%{USE_LINUX_AUDIT}" \
+     %{libreswan_config} \
- %if %{USE_CRL_FETCHING}
+     programs
-   USE_LDAP=true \
-   USE_LIBCURL=true \
- %endif
-   USE_DNSSEC="%{USE_DNSSEC}" \
-   INC_USRLOCAL=%{_prefix} \
-   FINALLIBDIR=%{_libexecdir}/ipsec \
-   FINALLIBEXECDIR=%{_libexecdir}/ipsec \
-   MANTREE=%{_mandir} \
-   INC_RCDEFAULT=%{_initrddir} \
-   MODPROBE="modprobe -q -b" \
-   programs
  FS=$(pwd)
- %if %{USE_FIPSCHECK}
  # Add generation of HMAC checksums of the final stripped binaries
- %if %{?rhel} <= 6
- %define __spec_install_post \
-     %{?__debug_package:%{__debug_install_post}} \
-     %{__arch_install_post} \
-     %{__os_install_post} \
-     fipshmac %{buildroot}%{_libexecdir}/ipsec/* \
-     fipshmac %{buildroot}%{_sbindir}/ipsec \
- %{nil}
- %else
  %define __spec_install_post \
      %{?__debug_package:%{__debug_install_post}} \
      %{__arch_install_post} \
      %{__os_install_post} \
-     mkdir -p %{buildroot}%{_libdir}/fipscheck/ \
+     fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/pluto
-     fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/* \
-     fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_sbindir}/ipsec \
  %{nil}
- %endif
- %endif
  %install
- rm -rf ${RPM_BUILD_ROOT}
  make \
-   DESTDIR=%{buildroot} \
+     DESTDIR=%{buildroot} \
-   INC_USRLOCAL=%{_prefix} \
+     %{libreswan_config} \
-   FINALLIBDIR=%{_libexecdir}/ipsec \
+     install
-   FINALLIBEXECDIR=%{_libexecdir}/ipsec \
-   MANTREE=%{buildroot}%{_mandir} \
-   INC_RCDEFAULT=%{_initrddir} \
-   INSTMANFLAGS="-m 644" \
- %if %{?rhel} <= 6
-   INITSYSTEM=sysvinit \
- %else
-   INITSYSTEM=systemd \
- %endif
-   install
  FS=$(pwd)
  rm -rf %{buildroot}/usr/share/doc/libreswan
- # needed to activate v6neighbor-hole.conf
+ rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
- sed -i "s:^#include /etc/ipsec.d/\*.conf$:include /etc/ipsec.d/*.conf:" %{buildroot}%{_sysconfdir}/ipsec.conf
- install -d -m 0755 %{buildroot}%{_localstatedir}/run/pluto
+ install -d -m 0755 %{buildroot}%{_rundir}/pluto
- # used when setting --perpeerlog without --perpeerlogbase
- install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer
  install -d %{buildroot}%{_sbindir}
- %if %{?rhel} <= 6
- # replace with rhel6 specific version
- install -m 0755 initsystems/sysvinit/init.rhel %{buildroot}%{_initrddir}/ipsec
- rm -fr %{buildroot}/etc/rc.d/rc*
- %endif
- %if %{USE_FIPSCHECK}
+ install -d %{buildroot}%{_sysctldir}
- %if %{?rhel} == 7
+ install -m 0644 packaging/rhel/libreswan-sysctl.conf \
+     %{buildroot}%{_sysctldir}/50-libreswan.conf
  mkdir -p %{buildroot}%{_libdir}/fipscheck
- %endif
  install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/
- install -m644 packaging/fedora/libreswan-prelink.conf %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
+ install -m644 packaging/rhel/libreswan-prelink.conf \
- %endif
+     %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
- echo "include /etc/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets
+ echo "include /etc/ipsec.d/*.secrets" \
+     > %{buildroot}%{_sysconfdir}/ipsec.secrets
- # cavs testing
- cp -a OBJ.linux.*/programs/pluto/cavp %{buildroot}%{_libexecdir}/ipsec
- %if %{cavstests}
+ %if 0%{with_cavstests}
  %check
- # There is an elaborate upstream testing infrastructure which we do not run here
+ # There is an elaborate upstream testing infrastructure which we do not
- # We only run the CAVS tests here
+ # run here.
- cp %{SOURCE1} %{SOURCE2} %{SOURCE3} .
+ # We only run the CAVS tests here.
+ cp %{SOURCE10} %{SOURCE11} %{SOURCE12} .
  bunzip2 *.fax.bz2
- # work around for rhel6 builders on xen
+ # work around for older xen based machines
  export NSS_DISABLE_HW_GCM=1
- : "starting CAVS test for IKEv2"
+ : starting CAVS test for IKEv2
- OBJ.linux.*/programs/pluto/cavp -v2 ikev2.fax | diff -u ikev2.fax - > /dev/null
+ %{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \
- : "starting CAVS test for IKEv1 RSASIG"
+     diff -u ikev2.fax - > /dev/null
- OBJ.linux.*/programs/pluto/cavp -v1sig ikev1_dsa.fax | diff -u ikev1_dsa.fax - > /dev/null
+ : starting CAVS test for IKEv1 RSASIG
- : "starting CAVS test for IKEv1 PSK"
+ %{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \
- OBJ.linux.*/programs/pluto/cavp -v1psk ikev1_psk.fax | diff -u ikev1_psk.fax - > /dev/null
+     diff -u ikev1_dsa.fax - > /dev/null
- : "CAVS tests passed"
+ : starting CAVS test for IKEv1 PSK
+ %{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
+     diff -u ikev1_psk.fax - > /dev/null
+ : CAVS tests passed
+ # Some of these tests will show ERROR for negative testing - it will exit on real errors
+ %{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; }
+ %{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; }
+ : Algorithm parser tests passed
+ # self test for pluto daemon - this also shows which algorithms it allows in FIPS mode
+ tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
+ certutil -N -d sql:$tmpdir --empty-password
+ %{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir
+ : pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST
  %endif
- %if %{?rhel} <= 6
  %post
- /sbin/chkconfig --add ipsec || :
+ %systemd_post ipsec.service
- %if %{USE_FIPSCHECK}
+ %sysctl_apply 50-libreswan.conf
  prelink -u %{_libexecdir}/ipsec/* 2>/dev/null || :
- %endif
  %preun
- if [ $1 -eq 0 ]; then
-     /sbin/service ipsec stop > /dev/null 2>&1 || :
-     /sbin/chkconfig --del ipsec
- fi
- %postun
- if [ $1 -ge 1 ] ; then
-      /sbin/service ipsec condrestart 2>&1 >/dev/null || :
- fi
- %else
- %preun
  %systemd_preun ipsec.service
  %postun
  %systemd_postun_with_restart ipsec.service
- %post
- %systemd_post ipsec.service
- %endif
  %files
- %doc CHANGES COPYING CREDITS README* LICENSE
+ %license LICENSE COPYING
- %doc docs/*.* docs/examples packaging/rhel/libreswan-sysctl.conf
+ %doc CHANGES CREDITS README*
+ %doc docs/*.* docs/examples
  %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
  %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
- %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/pluto
  %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
- %attr(0644,root,root) %{_sysconfdir}/ipsec.d/v6neighbor-hole.conf
  %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
  %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
- %attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
+ %attr(0644,root,root) %config(noreplace) %{_sysctldir}/50-libreswan.conf
- %attr(0755,root,root) %dir %{_localstatedir}/run/pluto
+ %attr(0755,root,root) %dir %{_rundir}/pluto
+ %attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
+ %attr(0644,root,root) %{_unitdir}/ipsec.service
  %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
+ %config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
  %{_sbindir}/ipsec
- %attr(0755,root,root) %dir %{_libexecdir}/ipsec
+ %{_libexecdir}/ipsec
- %{_libexecdir}/ipsec/*
+ %doc %{_mandir}/*/*
- %attr(0644,root,root) %{_mandir}/*/*.gz
+ %{_libdir}/fipscheck/pluto.hmac
- %if %{?rhel} <= 6
- %{_initrddir}/ipsec
- %else
- %attr(0644,root,root) %{_unitdir}/ipsec.service
- %endif
- %if %{USE_FIPSCHECK}
- %if %{?rhel} <= 6
- %{_sbindir}/.ipsec.hmac
- %{_libexecdir}/ipsec/.*.hmac
- %else
- %{_libdir}/fipscheck/*.hmac
- %endif
  # We own the directory so we don't have to require prelink
- %attr(0755,root,root) %dir %{_sysconfdir}/prelink.conf.d/
+ %dir %{_sysconfdir}/prelink.conf.d/
  %{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
- %endif
  %changelog
- * Sat Dec 19 2015 Paul Wouters <pwouters@redhat.com> - 3.16-1
+ * Tue Apr 16 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.15-2
- - Updated to libreswan-3.16
+ - build for Koozali Server
+ - needs libreswan-prelink.conf adding to the tar
+ * Mon Apr 15 2024 Team Libreswan <team@libreswan.org> - 4.15-1
+ - Automated build from release tar ball
+ * Wed Mar 13 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.14-2
+ - build for Koozali SME Server
+ - needs libreswan-prelink.conf adding to the tar
+ * Mon Mar 11 2024 Team Libreswan <team@libreswan.org> - 4.14-1
+ - Automated build from release tar ball
+ * Sat Feb 10 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.12-2
+ - build for Koozali SME Server
+ - needs libreswan-sysctl.conf adding to the tar
- * Thu Oct 15 2015 Paul Wouters <pwouters@redhat.com> - 3.15-5
+ * Tue Aug  8 2023 Team Libreswan <team@libreswan.org> - 4.12-1
- - Resolves: rhbz#1272317 libreswan FIPS test mistakenly looks for non-existent file hashes
+ - Automated build from release tar ball
- - Resolves: rhbz#1271778 ipsec whack man page discrepancies
- * Tue Sep 29 2015 Paul Wouters <pwouters@redhat.com> - 3.15-4
- - Updates: rhbz#1233303 add libreswan to RHEL6 (fix source confusion)
- * Mon Sep 28 2015 Paul Wouters <pwouters@redhat.com> - 3.15-3
- - Updates: rhbz#1233303 add libreswan to RHEL6
- * Tue Sep 15 2015 Paul Wouters <pwouters@redhat.com> - 3.15-2
- - Resolves: rhbz#1259208 CVE-2015-3240
- - Merge rhel6 and rhel7 spec into one
- - Be lenient for racoon padding behaviour
- - Fix seedev option to /dev/random
- - Some IKEv1 PAM methods always gave 'Permission denied'
- - Parser workarounds for differences in gcc/flex/bison on rhel6/rhel7
- - Parser fix to allow specifying time without unit (openswan compat)
- - Fix Labeled IPsec on rekeyed IPsec SA's
- - Workaround for wrong padding by racoon2
- - Disable NSS HW GCM to workaround rhel6 xen builers bug
- * Wed Aug 19 2015 Paul Wouters <pwouters@redhat.com> - 3.14-1
- - Resolves: rhbz#1233303 add libreswan to RHEL6
- - Resolves: CVE-2015-3240 denial of service via IKE daemon restart when receiving a bad DH gx
- * Fri May 29 2015 Paul Wouters <pwouters@redhat.com> - 3.12-10.1
- - Resolves: rhbz#1226407 CVE-2015-3204 libreswan: crafted IKE packet causes daemon restart
- * Tue May 05 2015 Paul Wouters <pwouters@redhat.com> - 3.12-10
- - Resolves: rhbz#1213652 Support CAVS [updated another prf() free symkey, bogus fips mode fix]
- * Tue Apr 28 2015 Paul Wouters <pwouters@redhat.com> - 3.12-9
- - Resolves: rhbz#1213652 Support CAVS [updated to kill another copy of prf()]
- - Resolves: rhbz#1208023 Libreswan with IPv6 [updated patch by Jaroslav Aster]
- - Resolves: rhbz#1208022 libreswan ignores module blacklist [updated modprobe handling]
- * Mon Apr 20 2015 Paul Wouters <pwouters@redhat.com> - 3.12-8
- - Resolves: rhbz#1213652 Support CAVS testing of the PRF/PRF+ functions
- * Mon Apr 13 2015 Paul Wouters <pwouters@redhat.com> - 3.12-7
- - Resolves: rhbz#1208022 libreswan ignores module blacklist rules
- - Resolves: rhbz#1208023 Libreswan with IPv6 in RHEL7 fails after reboot
- - Resolves: rhbz#1211146 pluto crashes in fips mode
- * Tue Mar 17 2015 Paul Wouters <pwouters@redhat.com> - 3.12-6
- - Resolves: rhbz#1198650 SELinux context string size limit
- - Resolves: rhbz#1198649 Add new option for BSI random requirement
- * Tue Jan 20 2015 Paul Wouters <pwouters@redhat.com> - 3.12-5
- - Resolves: rhbz#826264 aes-gcm implementation support (for IKEv2)
- - Resolves: rhbz#1074018 Audit key agreement (integ gcm fixup)
- * Tue Dec 30 2014 Paul Wouters <pwouters@redhat.com> - 3.12-4
- - Resolves: rhbz#1134297 aes-ctr cipher is not supported
- - Resolves: rhbz#1131503 non-zero rSPI on INVALID_KE (and proper INVALID_KE handling)
- * Thu Dec 04 2014 Paul Wouters <pwouters@redhat.com> - 3.12-2
- - Resolves: rhbz#1105171 (Update man page entry)
- - Resolves: rhbz#1144120 (Update for ESP CAMELLIA with IKEv2)
- - Resolves: rhbz#1074018 Audit key agreement
- * Fri Nov 07 2014 Paul Wouters <pwouters@redhat.com> - 3.12-1
- - Resolves: rhbz#1136124 rebase to libreswan 3.12
- - Resolves: rhbz#1052811 [TAHI] (also clear reserved flags for isakmp_sa header)
- - Resolves: rhbz#1157379 [TAHI][IKEv2] IKEv2.EN.R.1.3.3.1: Non RESERVED fields in INFORMATIONAL request
- * Mon Oct 27 2014 Paul Wouters <pwouters@redhat.com> - 3.11-2
- - Resolves: rhbz#1136124 rebase to libreswan 3.11 (coverity fixup, dpdaction=clear fix)
- * Wed Oct 22 2014 Paul Wouters <pwouters@redhat.com> - 3.11-1
- - Resolves: rhbz#1136124 rebase to libreswan 3.11
- - Resolves: rhbz#1099905 ikev2 delete payloads are not delivered to peer
- - Resolves: rhbz#1147693 NetworkManger-libreswan can not connect to Red Hat IPSec Xauth VPN
- - Resolves: rhbz#1055865 [TAHI][IKEv2] libreswan do not ignore the content of version bit
- - Resolves: rhbz#1146106 Pluto crashes after start when some ah algorithms are used
- - Resolves: rhbz#1108256 addconn compatibility with openswan
- - Resolves: rhbz#1152625 [TAHI][IKEv2] IKEv2.EN.I.1.1.6.2 Part D: Integrity Algorithm AUTH_AES_XCBC_96 fail
- - Resolves: rhbz#1119704 [TAHI][IKEv2]IKEv2Interop.1.13a test fail
- - Resolves: rhbz#1100261 libreswan does not send response when when it receives Delete Payload for a CHILD_SA
- - Resolves: rhbz#1100239 ikev2 IKE SA responder does not send delete request to IKE SA initiator
- - Resolves: rhbz#1052811 [TAHI][IKEv2]IKEv2.EN.I.1.1.11.1: Non zero RESERVED fields in IKE_SA_INIT response
- - Resolves: rhbz#1126868 ikev2 sequence numbers are implemented incorrectly
- - Resolves: rhbz#1145245 Libreswan appears to start with systemd before all the NICs are up and running.
- - Resolves: rhbz#1145231 libreswan 3.10 upgrade breaks old ipsec.secrets configs
- - Resolves: rhbz#1144123 Add ESP support for AES_XCBC hash for USGv6 and IPsec-v3 compliance
- - Resolves: rhbz#1144120 Add ESP support for CAMELLIA for USGv6 and IPsec-v3 compliance
- - Resolves: rhbz#1099877 Missing man-pages ipsec_whack, ipsec_manual
- - Resolves: rhbz#1100255 libreswan Ikev2 implementation does not send an INFORMATIONAL response when it receives an INFORMATIONAL request with a Delete Payload for an IKE_SA
- * Tue Sep 09 2014 Paul Wouters <pwouters@redhat.com> - 3.10-3
- - Resolves: rhbz#1136124 rebase to 3.10 (auto=route bug on startup)
- * Mon Sep 08 2014 Paul Wouters <pwouters@redhat.com> - 3.10-2
- - Resolves: rhbz#1136124 rebase to libreswan 3.10
- * Mon Jul 14 2014 Paul Wouters <pwouters@redhat.com> - 3.8-6
- - Resolves: rhbz#1092047 pluto cannot write to directories not owned by root
- * Thu Apr 10 2014 Paul Wouters <pwouters@redhat.com> - 3.8-5
- - Resolves: rhbz#1052834 create_child_sa message ID handling
- * Tue Mar 18 2014 Paul Wouters <pwouters@redhat.com> - 3.8-4
- - Resolves: rhbz#1052834 create_child_sa response
- * Wed Mar 05 2014 Paul Wouters <pwouters@redhat.com> - 3.8-3
- - Resolves: rhbz#1069024  erroneous debug line with mixture [...]
- - Resolves: rhbz#1030939 update nss/x509 documents, don't load acerts
- - Resolves: rhbz#1058813 newhostkey returns zero value when it fails
- * Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 3.8-2
- - Mass rebuild 2014-01-24
- * Thu Jan 16 2014 Paul Wouters <pwouters@redhat.com> - 3.8-1
- - Resolves: rhbz#CVE-2013-6467
- - Resolves: rhbz#1043642 rebase to version 3.8
- - Resolves: rhbz#1029912 ipsec force-reload doesn't work
- - Resolves: rhbz#826261 Implement SHA384/512 support for Openswan
- - Resolves: rhbz#1039655 ipsec newhostkey generates false configuration
- * Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 3.6-3
- - Mass rebuild 2013-12-27
- * Fri Nov 08 2013 Paul Wouters <pwouters@redhat.com> - 3.6-2
- - Fix race condition in post for creating nss db
- * Thu Oct 31 2013 Paul Wouters <pwouters@redhat.com> - 3.6-1
- - Updated to version 3.6 (IKEv2, MODECFG, Cisco interop fixes)
- - Generate empty NSS db if none exists
- - FIPS update using /etc/system-fips
- - Provide: openswan-doc
- * Fri Aug 09 2013 Paul Wouters <pwouters@redhat.com> - 3.5-2
- - rebuilt and bumped EVR to avoid confusion of import->delete->import
- - require iproute
- * Mon Jul 15 2013 Paul Wouters <pwouters@redhat.com> - 3.5-1
- - Initial package for RHEL7
- - Added interop patch for (some?) Cisco VPN clients sending 16 zero
-   bytes of extraneous IKE data
- - Removed fipscheck_version

 Legend:



Removed lines/characters
 


Changed lines/characters


 
Added lines/characters
 Legend:



Removed lines/characters
 


Changed lines/characters


 
Added lines/characters
-Removed lines/characters
+Added lines/characters

admin@koozali.org	ViewVC Help
Powered by ViewVC 1.2.1