libreswan/contribs9/libreswan.spec

%global USE_FIPSCHECK true
%global USE_LIBCAP_NG true
%global USE_LABELED_IPSEC true
%global USE_CRL_FETCHING true
%global USE_DNSSEC true
%global USE_NM true
%global USE_LINUX_AUDIT true

%global _hardened_build 1
%global buildefence 0
%global development 0
%global cavstests 1

#%if 0%{?fedora}
#%global rhel 7
#%endif
%global rhel 6
#global prever rc1

Name: libreswan
Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
Version: 3.16
Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
License: GPLv2
Group: System Environment/Daemons
Url: https://libreswan.org/
Source: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
Source1: ikev1_dsa.fax.bz2
Source2: ikev1_psk.fax.bz2
Source3: ikev2.fax.bz2

Requires: iproute >= 2.6.8 nss-tools nss-softokn

BuildRequires: gmp-devel bison flex redhat-rpm-config pkgconfig
BuildRequires: nss-devel >= 3.16.1 nspr-devel
BuildRequires: pam-devel
BuildRequires: xmlto

%if %{?rhel} <= 6
BuildRequires: libevent2-devel net-tools

Requires(post): coreutils bash
Requires(preun): initscripts chkconfig
Requires(post): /sbin/chkconfig
Requires(preun): /sbin/chkconfig
Requires(preun): /sbin/service
%else
BuildRequires: libevent-devel hostname

BuildRequires: systemd
Requires(post): coreutils bash systemd
Requires(preun): systemd
Requires(postun): systemd
%endif

%if %{USE_DNSSEC}
BuildRequires: unbound-devel
%endif

%if %{USE_FIPSCHECK}
BuildRequires: fipscheck-devel
# we need fipshmac
Requires: fipscheck%{_isa}
%endif

%if %{USE_LINUX_AUDIT}
Buildrequires: audit-libs-devel
%endif

%if %{USE_LIBCAP_NG}
BuildRequires: libcap-ng-devel
%endif

%if %{USE_CRL_FETCHING}
BuildRequires: openldap-devel curl-devel
%endif

%if %{buildefence}
BuildRequires: ElectricFence
%endif

Conflicts: openswan < %{version}-%{release}
Provides: openswan = %{version}-%{release}
Provides: openswan-doc = %{version}-%{release}
Obsoletes: openswan < %{version}-%{release}

%description
Libreswan is a free implementation of IPsec & IKE for Linux.  IPsec is
the Internet Protocol Security and uses strong cryptography to provide
both authentication and encryption services.  These services allow you
to build secure tunnels through untrusted networks.  Everything passing
through the untrusted net is encrypted by the ipsec gateway machine and
decrypted by the gateway at the other end of the tunnel.  The resulting
tunnel is a virtual private network or VPN.

This package contains the daemons and userland tools for setting up
Libreswan. It supports the NETKEY/XFRM IPsec kernel stack that exists
in the default Linux kernel.

Libreswan also supports IKEv2 (RFC-7296) and Secure Labeling

Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04

%prep
%setup -q -n libreswan-%{version}%{?prever}

%build
%if %{buildefence}
 %define efence "-lefence"
%endif

make %{?_smp_mflags} \
%if %{development}
   USERCOMPILE="-g -DGCC_LINT %(echo %{optflags} | sed -e s/-O[0-9]*/ /) %{?efence} -fPIE -pie " \
%else
  USERCOMPILE="-g -DGCC_LINT %{optflags} %{?efence} -fPIE -pie " \
%endif
  USERLINK="-g -pie -Wl,-z,relro,-z,now %{?efence}" \
%if %{?rhel} <= 6
  INITSYSTEM=sysvinit \
%else
  INITSYSTEM=systemd \
%endif
  USE_NM=%{USE_NM} \
  USE_XAUTHPAM=true \
%if %{USE_FIPSCHECK}
  USE_FIPSCHECK="%{USE_FIPSCHECK}" \
  FIPSPRODUCTCHECK=/etc/system-fips \
%endif
  USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \
  USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \
  USE_LINUX_AUDIT="%{USE_LINUX_AUDIT}" \
%if %{USE_CRL_FETCHING}
  USE_LDAP=true \
  USE_LIBCURL=true \
%endif
  USE_DNSSEC="%{USE_DNSSEC}" \
  INC_USRLOCAL=%{_prefix} \
  FINALLIBDIR=%{_libexecdir}/ipsec \
  FINALLIBEXECDIR=%{_libexecdir}/ipsec \
  MANTREE=%{_mandir} \
  INC_RCDEFAULT=%{_initrddir} \
  MODPROBE="modprobe -q -b" \
  programs
FS=$(pwd)

%if %{USE_FIPSCHECK}
# Add generation of HMAC checksums of the final stripped binaries
%if %{?rhel} <= 6
%define __spec_install_post \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
    fipshmac %{buildroot}%{_libexecdir}/ipsec/* \
    fipshmac %{buildroot}%{_sbindir}/ipsec \
%{nil}

%else
%define __spec_install_post \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
    mkdir -p %{buildroot}%{_libdir}/fipscheck/ \
    fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/* \
    fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_sbindir}/ipsec \
%{nil}
%endif
%endif

%install
rm -rf ${RPM_BUILD_ROOT}
make \
  DESTDIR=%{buildroot} \
  INC_USRLOCAL=%{_prefix} \
  FINALLIBDIR=%{_libexecdir}/ipsec \
  FINALLIBEXECDIR=%{_libexecdir}/ipsec \
  MANTREE=%{buildroot}%{_mandir} \
  INC_RCDEFAULT=%{_initrddir} \
  INSTMANFLAGS="-m 644" \
%if %{?rhel} <= 6
  INITSYSTEM=sysvinit \
%else
  INITSYSTEM=systemd \
%endif
  install
FS=$(pwd)
rm -rf %{buildroot}/usr/share/doc/libreswan
# needed to activate v6neighbor-hole.conf
sed -i "s:^#include /etc/ipsec.d/\*.conf$:include /etc/ipsec.d/*.conf:" %{buildroot}%{_sysconfdir}/ipsec.conf

install -d -m 0755 %{buildroot}%{_localstatedir}/run/pluto
# used when setting --perpeerlog without --perpeerlogbase
install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer
install -d %{buildroot}%{_sbindir}
%if %{?rhel} <= 6
# replace with rhel6 specific version
install -m 0755 initsystems/sysvinit/init.rhel %{buildroot}%{_initrddir}/ipsec
rm -fr %{buildroot}/etc/rc.d/rc*
%endif

%if %{USE_FIPSCHECK}
%if %{?rhel} == 7
mkdir -p %{buildroot}%{_libdir}/fipscheck
%endif
install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/
install -m644 packaging/fedora/libreswan-prelink.conf %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
%endif

echo "include /etc/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets

# cavs testing
cp -a OBJ.linux.*/programs/pluto/cavp %{buildroot}%{_libexecdir}/ipsec

%if %{cavstests}
%check
# There is an elaborate upstream testing infrastructure which we do not run here
# We only run the CAVS tests here
cp %{SOURCE1} %{SOURCE2} %{SOURCE3} .
bunzip2 *.fax.bz2

# work around for rhel6 builders on xen
export NSS_DISABLE_HW_GCM=1

: "starting CAVS test for IKEv2"
OBJ.linux.*/programs/pluto/cavp -v2 ikev2.fax | diff -u ikev2.fax - > /dev/null
: "starting CAVS test for IKEv1 RSASIG"
OBJ.linux.*/programs/pluto/cavp -v1sig ikev1_dsa.fax | diff -u ikev1_dsa.fax - > /dev/null
: "starting CAVS test for IKEv1 PSK"
OBJ.linux.*/programs/pluto/cavp -v1psk ikev1_psk.fax | diff -u ikev1_psk.fax - > /dev/null
: "CAVS tests passed"
%endif

%if %{?rhel} <= 6
%post
/sbin/chkconfig --add ipsec || :
%if %{USE_FIPSCHECK}
prelink -u %{_libexecdir}/ipsec/* 2>/dev/null || :
%endif

%preun
if [ $1 -eq 0 ]; then
    /sbin/service ipsec stop > /dev/null 2>&1 || :
    /sbin/chkconfig --del ipsec
fi

%postun
if [ $1 -ge 1 ] ; then
     /sbin/service ipsec condrestart 2>&1 >/dev/null || :
fi
%else
%preun
%systemd_preun ipsec.service

%postun
%systemd_postun_with_restart ipsec.service

%post
%systemd_post ipsec.service
%endif

%files
%doc CHANGES COPYING CREDITS README* LICENSE
%doc docs/*.* docs/examples packaging/rhel/libreswan-sysctl.conf

%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/pluto
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
%attr(0644,root,root) %{_sysconfdir}/ipsec.d/v6neighbor-hole.conf
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
%attr(0755,root,root) %dir %{_localstatedir}/run/pluto
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
%{_sbindir}/ipsec
%attr(0755,root,root) %dir %{_libexecdir}/ipsec
%{_libexecdir}/ipsec/*
%attr(0644,root,root) %{_mandir}/*/*.gz
%if %{?rhel} <= 6
%{_initrddir}/ipsec
%else
%attr(0644,root,root) %{_unitdir}/ipsec.service
%endif

%if %{USE_FIPSCHECK}
%if %{?rhel} <= 6
%{_sbindir}/.ipsec.hmac
%{_libexecdir}/ipsec/.*.hmac
%else
%{_libdir}/fipscheck/*.hmac
%endif

# We own the directory so we don't have to require prelink
%attr(0755,root,root) %dir %{_sysconfdir}/prelink.conf.d/
%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
%endif

%changelog
* Sat Dec 19 2015 Paul Wouters <pwouters@redhat.com> - 3.16-1
- Updated to libreswan-3.16

* Thu Oct 15 2015 Paul Wouters <pwouters@redhat.com> - 3.15-5
- Resolves: rhbz#1272317 libreswan FIPS test mistakenly looks for non-existent file hashes
- Resolves: rhbz#1271778 ipsec whack man page discrepancies

* Tue Sep 29 2015 Paul Wouters <pwouters@redhat.com> - 3.15-4
- Updates: rhbz#1233303 add libreswan to RHEL6 (fix source confusion)

* Mon Sep 28 2015 Paul Wouters <pwouters@redhat.com> - 3.15-3
- Updates: rhbz#1233303 add libreswan to RHEL6

* Tue Sep 15 2015 Paul Wouters <pwouters@redhat.com> - 3.15-2
- Resolves: rhbz#1259208 CVE-2015-3240
- Merge rhel6 and rhel7 spec into one
- Be lenient for racoon padding behaviour
- Fix seedev option to /dev/random
- Some IKEv1 PAM methods always gave 'Permission denied'
- Parser workarounds for differences in gcc/flex/bison on rhel6/rhel7
- Parser fix to allow specifying time without unit (openswan compat)
- Fix Labeled IPsec on rekeyed IPsec SA's
- Workaround for wrong padding by racoon2
- Disable NSS HW GCM to workaround rhel6 xen builers bug

* Wed Aug 19 2015 Paul Wouters <pwouters@redhat.com> - 3.14-1
- Resolves: rhbz#1233303 add libreswan to RHEL6
- Resolves: CVE-2015-3240 denial of service via IKE daemon restart when receiving a bad DH gx

* Fri May 29 2015 Paul Wouters <pwouters@redhat.com> - 3.12-10.1
- Resolves: rhbz#1226407 CVE-2015-3204 libreswan: crafted IKE packet causes daemon restart

* Tue May 05 2015 Paul Wouters <pwouters@redhat.com> - 3.12-10
- Resolves: rhbz#1213652 Support CAVS [updated another prf() free symkey, bogus fips mode fix]

* Tue Apr 28 2015 Paul Wouters <pwouters@redhat.com> - 3.12-9
- Resolves: rhbz#1213652 Support CAVS [updated to kill another copy of prf()]
- Resolves: rhbz#1208023 Libreswan with IPv6 [updated patch by Jaroslav Aster]
- Resolves: rhbz#1208022 libreswan ignores module blacklist [updated modprobe handling]

* Mon Apr 20 2015 Paul Wouters <pwouters@redhat.com> - 3.12-8
- Resolves: rhbz#1213652 Support CAVS testing of the PRF/PRF+ functions

* Mon Apr 13 2015 Paul Wouters <pwouters@redhat.com> - 3.12-7
- Resolves: rhbz#1208022 libreswan ignores module blacklist rules
- Resolves: rhbz#1208023 Libreswan with IPv6 in RHEL7 fails after reboot
- Resolves: rhbz#1211146 pluto crashes in fips mode

* Tue Mar 17 2015 Paul Wouters <pwouters@redhat.com> - 3.12-6
- Resolves: rhbz#1198650 SELinux context string size limit
- Resolves: rhbz#1198649 Add new option for BSI random requirement

* Tue Jan 20 2015 Paul Wouters <pwouters@redhat.com> - 3.12-5
- Resolves: rhbz#826264 aes-gcm implementation support (for IKEv2)
- Resolves: rhbz#1074018 Audit key agreement (integ gcm fixup)

* Tue Dec 30 2014 Paul Wouters <pwouters@redhat.com> - 3.12-4
- Resolves: rhbz#1134297 aes-ctr cipher is not supported
- Resolves: rhbz#1131503 non-zero rSPI on INVALID_KE (and proper INVALID_KE handling)

* Thu Dec 04 2014 Paul Wouters <pwouters@redhat.com> - 3.12-2
- Resolves: rhbz#1105171 (Update man page entry)
- Resolves: rhbz#1144120 (Update for ESP CAMELLIA with IKEv2)
- Resolves: rhbz#1074018 Audit key agreement

* Fri Nov 07 2014 Paul Wouters <pwouters@redhat.com> - 3.12-1
- Resolves: rhbz#1136124 rebase to libreswan 3.12
- Resolves: rhbz#1052811 [TAHI] (also clear reserved flags for isakmp_sa header)
- Resolves: rhbz#1157379 [TAHI][IKEv2] IKEv2.EN.R.1.3.3.1: Non RESERVED fields in INFORMATIONAL request

* Mon Oct 27 2014 Paul Wouters <pwouters@redhat.com> - 3.11-2
- Resolves: rhbz#1136124 rebase to libreswan 3.11 (coverity fixup, dpdaction=clear fix)

* Wed Oct 22 2014 Paul Wouters <pwouters@redhat.com> - 3.11-1
- Resolves: rhbz#1136124 rebase to libreswan 3.11
- Resolves: rhbz#1099905 ikev2 delete payloads are not delivered to peer
- Resolves: rhbz#1147693 NetworkManger-libreswan can not connect to Red Hat IPSec Xauth VPN
- Resolves: rhbz#1055865 [TAHI][IKEv2] libreswan do not ignore the content of version bit
- Resolves: rhbz#1146106 Pluto crashes after start when some ah algorithms are used
- Resolves: rhbz#1108256 addconn compatibility with openswan
- Resolves: rhbz#1152625 [TAHI][IKEv2] IKEv2.EN.I.1.1.6.2 Part D: Integrity Algorithm AUTH_AES_XCBC_96 fail
- Resolves: rhbz#1119704 [TAHI][IKEv2]IKEv2Interop.1.13a test fail
- Resolves: rhbz#1100261 libreswan does not send response when when it receives Delete Payload for a CHILD_SA
- Resolves: rhbz#1100239 ikev2 IKE SA responder does not send delete request to IKE SA initiator
- Resolves: rhbz#1052811 [TAHI][IKEv2]IKEv2.EN.I.1.1.11.1: Non zero RESERVED fields in IKE_SA_INIT response
- Resolves: rhbz#1126868 ikev2 sequence numbers are implemented incorrectly
- Resolves: rhbz#1145245 Libreswan appears to start with systemd before all the NICs are up and running.
- Resolves: rhbz#1145231 libreswan 3.10 upgrade breaks old ipsec.secrets configs
- Resolves: rhbz#1144123 Add ESP support for AES_XCBC hash for USGv6 and IPsec-v3 compliance
- Resolves: rhbz#1144120 Add ESP support for CAMELLIA for USGv6 and IPsec-v3 compliance
- Resolves: rhbz#1099877 Missing man-pages ipsec_whack, ipsec_manual
- Resolves: rhbz#1100255 libreswan Ikev2 implementation does not send an INFORMATIONAL response when it receives an INFORMATIONAL request with a Delete Payload for an IKE_SA

* Tue Sep 09 2014 Paul Wouters <pwouters@redhat.com> - 3.10-3
- Resolves: rhbz#1136124 rebase to 3.10 (auto=route bug on startup)

* Mon Sep 08 2014 Paul Wouters <pwouters@redhat.com> - 3.10-2
- Resolves: rhbz#1136124 rebase to libreswan 3.10

* Mon Jul 14 2014 Paul Wouters <pwouters@redhat.com> - 3.8-6
- Resolves: rhbz#1092047 pluto cannot write to directories not owned by root

* Thu Apr 10 2014 Paul Wouters <pwouters@redhat.com> - 3.8-5
- Resolves: rhbz#1052834 create_child_sa message ID handling


* Tue Mar 18 2014 Paul Wouters <pwouters@redhat.com> - 3.8-4
- Resolves: rhbz#1052834 create_child_sa response

* Wed Mar 05 2014 Paul Wouters <pwouters@redhat.com> - 3.8-3
- Resolves: rhbz#1069024  erroneous debug line with mixture [...]
- Resolves: rhbz#1030939 update nss/x509 documents, don't load acerts
- Resolves: rhbz#1058813 newhostkey returns zero value when it fails

* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 3.8-2
- Mass rebuild 2014-01-24

* Thu Jan 16 2014 Paul Wouters <pwouters@redhat.com> - 3.8-1
- Resolves: rhbz#CVE-2013-6467 
- Resolves: rhbz#1043642 rebase to version 3.8
- Resolves: rhbz#1029912 ipsec force-reload doesn't work
- Resolves: rhbz#826261 Implement SHA384/512 support for Openswan
- Resolves: rhbz#1039655 ipsec newhostkey generates false configuration

* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 3.6-3
- Mass rebuild 2013-12-27

* Fri Nov 08 2013 Paul Wouters <pwouters@redhat.com> - 3.6-2
- Fix race condition in post for creating nss db

* Thu Oct 31 2013 Paul Wouters <pwouters@redhat.com> - 3.6-1
- Updated to version 3.6 (IKEv2, MODECFG, Cisco interop fixes)
- Generate empty NSS db if none exists
- FIPS update using /etc/system-fips
- Provide: openswan-doc

* Fri Aug 09 2013 Paul Wouters <pwouters@redhat.com> - 3.5-2
- rebuilt and bumped EVR to avoid confusion of import->delete->import
- require iproute

* Mon Jul 15 2013 Paul Wouters <pwouters@redhat.com> - 3.5-1
- Initial package for RHEL7
- Added interop patch for (some?) Cisco VPN clients sending 16 zero
  bytes of extraneous IKE data
- Removed fipscheck_version
1	%global USE_FIPSCHECK true
2	%global USE_LIBCAP_NG true
3	%global USE_LABELED_IPSEC true
4	%global USE_CRL_FETCHING true
5	%global USE_DNSSEC true
6	%global USE_NM true
7	%global USE_LINUX_AUDIT true
8
9	%global _hardened_build 1
10	%global buildefence 0
11	%global development 0
12	%global cavstests 1
13
14	#%if 0%{?fedora}
15	#%global rhel 7
16	#%endif
17	%global rhel 6
18	#global prever rc1
19
20	Name: libreswan
21	Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
22	Version: 3.16
23	Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
24	License: GPLv2
25	Group: System Environment/Daemons
26	Url: https://libreswan.org/
27	Source: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
28	Source1: ikev1_dsa.fax.bz2
29	Source2: ikev1_psk.fax.bz2
30	Source3: ikev2.fax.bz2
31
32	Requires: iproute >= 2.6.8 nss-tools nss-softokn
33
34	BuildRequires: gmp-devel bison flex redhat-rpm-config pkgconfig
35	BuildRequires: nss-devel >= 3.16.1 nspr-devel
36	BuildRequires: pam-devel
37	BuildRequires: xmlto
38
39	%if %{?rhel} <= 6
40	BuildRequires: libevent2-devel net-tools
41
42	Requires(post): coreutils bash
43	Requires(preun): initscripts chkconfig
44	Requires(post): /sbin/chkconfig
45	Requires(preun): /sbin/chkconfig
46	Requires(preun): /sbin/service
47	%else
48	BuildRequires: libevent-devel hostname
49
50	BuildRequires: systemd
51	Requires(post): coreutils bash systemd
52	Requires(preun): systemd
53	Requires(postun): systemd
54	%endif
55
56	%if %{USE_DNSSEC}
57	BuildRequires: unbound-devel
58	%endif
59
60	%if %{USE_FIPSCHECK}
61	BuildRequires: fipscheck-devel
62	# we need fipshmac
63	Requires: fipscheck%{_isa}
64	%endif
65
66	%if %{USE_LINUX_AUDIT}
67	Buildrequires: audit-libs-devel
68	%endif
69
70	%if %{USE_LIBCAP_NG}
71	BuildRequires: libcap-ng-devel
72	%endif
73
74	%if %{USE_CRL_FETCHING}
75	BuildRequires: openldap-devel curl-devel
76	%endif
77
78	%if %{buildefence}
79	BuildRequires: ElectricFence
80	%endif
81
82	Conflicts: openswan < %{version}-%{release}
83	Provides: openswan = %{version}-%{release}
84	Provides: openswan-doc = %{version}-%{release}
85	Obsoletes: openswan < %{version}-%{release}
86
87	%description
88	Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is
89	the Internet Protocol Security and uses strong cryptography to provide
90	both authentication and encryption services. These services allow you
91	to build secure tunnels through untrusted networks. Everything passing
92	through the untrusted net is encrypted by the ipsec gateway machine and
93	decrypted by the gateway at the other end of the tunnel. The resulting
94	tunnel is a virtual private network or VPN.
95
96	This package contains the daemons and userland tools for setting up
97	Libreswan. It supports the NETKEY/XFRM IPsec kernel stack that exists
98	in the default Linux kernel.
99
100	Libreswan also supports IKEv2 (RFC-7296) and Secure Labeling
101
102	Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
103
104	%prep
105	%setup -q -n libreswan-%{version}%{?prever}
106
107	%build
108	%if %{buildefence}
109	%define efence "-lefence"
110	%endif
111
112	make %{?_smp_mflags} \
113	%if %{development}
114	USERCOMPILE="-g -DGCC_LINT %(echo %{optflags} \| sed -e s/-O[0-9]*/ /) %{?efence} -fPIE -pie " \
115	%else
116	USERCOMPILE="-g -DGCC_LINT %{optflags} %{?efence} -fPIE -pie " \
117	%endif
118	USERLINK="-g -pie -Wl,-z,relro,-z,now %{?efence}" \
119	%if %{?rhel} <= 6
120	INITSYSTEM=sysvinit \
121	%else
122	INITSYSTEM=systemd \
123	%endif
124	USE_NM=%{USE_NM} \
125	USE_XAUTHPAM=true \
126	%if %{USE_FIPSCHECK}
127	USE_FIPSCHECK="%{USE_FIPSCHECK}" \
128	FIPSPRODUCTCHECK=/etc/system-fips \
129	%endif
130	USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \
131	USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \
132	USE_LINUX_AUDIT="%{USE_LINUX_AUDIT}" \
133	%if %{USE_CRL_FETCHING}
134	USE_LDAP=true \
135	USE_LIBCURL=true \
136	%endif
137	USE_DNSSEC="%{USE_DNSSEC}" \
138	INC_USRLOCAL=%{_prefix} \
139	FINALLIBDIR=%{_libexecdir}/ipsec \
140	FINALLIBEXECDIR=%{_libexecdir}/ipsec \
141	MANTREE=%{_mandir} \
142	INC_RCDEFAULT=%{_initrddir} \
143	MODPROBE="modprobe -q -b" \
144	programs
145	FS=$(pwd)
146
147	%if %{USE_FIPSCHECK}
148	# Add generation of HMAC checksums of the final stripped binaries
149	%if %{?rhel} <= 6
150	%define __spec_install_post \
151	%{?__debug_package:%{__debug_install_post}} \
152	%{__arch_install_post} \
153	%{__os_install_post} \
154	fipshmac %{buildroot}%{_libexecdir}/ipsec/* \
155	fipshmac %{buildroot}%{_sbindir}/ipsec \
156	%{nil}
157
158	%else
159	%define __spec_install_post \
160	%{?__debug_package:%{__debug_install_post}} \
161	%{__arch_install_post} \
162	%{__os_install_post} \
163	mkdir -p %{buildroot}%{_libdir}/fipscheck/ \
164	fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/* \
165	fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_sbindir}/ipsec \
166	%{nil}
167	%endif
168	%endif
169
170	%install
171	rm -rf ${RPM_BUILD_ROOT}
172	make \
173	DESTDIR=%{buildroot} \
174	INC_USRLOCAL=%{_prefix} \
175	FINALLIBDIR=%{_libexecdir}/ipsec \
176	FINALLIBEXECDIR=%{_libexecdir}/ipsec \
177	MANTREE=%{buildroot}%{_mandir} \
178	INC_RCDEFAULT=%{_initrddir} \
179	INSTMANFLAGS="-m 644" \
180	%if %{?rhel} <= 6
181	INITSYSTEM=sysvinit \
182	%else
183	INITSYSTEM=systemd \
184	%endif
185	install
186	FS=$(pwd)
187	rm -rf %{buildroot}/usr/share/doc/libreswan
188	# needed to activate v6neighbor-hole.conf
189	sed -i "s:^#include /etc/ipsec.d/\.conf$:include /etc/ipsec.d/.conf:" %{buildroot}%{_sysconfdir}/ipsec.conf
190
191	install -d -m 0755 %{buildroot}%{_localstatedir}/run/pluto
192	# used when setting --perpeerlog without --perpeerlogbase
193	install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer
194	install -d %{buildroot}%{_sbindir}
195	%if %{?rhel} <= 6
196	# replace with rhel6 specific version
197	install -m 0755 initsystems/sysvinit/init.rhel %{buildroot}%{_initrddir}/ipsec
198	rm -fr %{buildroot}/etc/rc.d/rc*
199	%endif
200
201	%if %{USE_FIPSCHECK}
202	%if %{?rhel} == 7
203	mkdir -p %{buildroot}%{_libdir}/fipscheck
204	%endif
205	install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/
206	install -m644 packaging/fedora/libreswan-prelink.conf %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
207	%endif
208
209	echo "include /etc/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets
210
211	# cavs testing
212	cp -a OBJ.linux.*/programs/pluto/cavp %{buildroot}%{_libexecdir}/ipsec
213
214	%if %{cavstests}
215	%check
216	# There is an elaborate upstream testing infrastructure which we do not run here
217	# We only run the CAVS tests here
218	cp %{SOURCE1} %{SOURCE2} %{SOURCE3} .
219	bunzip2 *.fax.bz2
220
221	# work around for rhel6 builders on xen
222	export NSS_DISABLE_HW_GCM=1
223
224	: "starting CAVS test for IKEv2"
225	OBJ.linux.*/programs/pluto/cavp -v2 ikev2.fax \| diff -u ikev2.fax - > /dev/null
226	: "starting CAVS test for IKEv1 RSASIG"
227	OBJ.linux.*/programs/pluto/cavp -v1sig ikev1_dsa.fax \| diff -u ikev1_dsa.fax - > /dev/null
228	: "starting CAVS test for IKEv1 PSK"
229	OBJ.linux.*/programs/pluto/cavp -v1psk ikev1_psk.fax \| diff -u ikev1_psk.fax - > /dev/null
230	: "CAVS tests passed"
231	%endif
232
233	%if %{?rhel} <= 6
234	%post
235	/sbin/chkconfig --add ipsec \|\| :
236	%if %{USE_FIPSCHECK}
237	prelink -u %{_libexecdir}/ipsec/* 2>/dev/null \|\| :
238	%endif
239
240	%preun
241	if [ $1 -eq 0 ]; then
242	/sbin/service ipsec stop > /dev/null 2>&1 \|\| :
243	/sbin/chkconfig --del ipsec
244	fi
245
246	%postun
247	if [ $1 -ge 1 ] ; then
248	/sbin/service ipsec condrestart 2>&1 >/dev/null \|\| :
249	fi
250	%else
251	%preun
252	%systemd_preun ipsec.service
253
254	%postun
255	%systemd_postun_with_restart ipsec.service
256
257	%post
258	%systemd_post ipsec.service
259	%endif
260
261	%files
262	%doc CHANGES COPYING CREDITS README* LICENSE
263	%doc docs/. docs/examples packaging/rhel/libreswan-sysctl.conf
264
265	%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
266	%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
267	%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/pluto
268	%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
269	%attr(0644,root,root) %{_sysconfdir}/ipsec.d/v6neighbor-hole.conf
270	%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
271	%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
272	%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
273	%attr(0755,root,root) %dir %{_localstatedir}/run/pluto
274	%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
275	%{_sbindir}/ipsec
276	%attr(0755,root,root) %dir %{_libexecdir}/ipsec
277	%{_libexecdir}/ipsec/*
278	%attr(0644,root,root) %{_mandir}//.gz
279	%if %{?rhel} <= 6
280	%{_initrddir}/ipsec
281	%else
282	%attr(0644,root,root) %{_unitdir}/ipsec.service
283	%endif
284
285	%if %{USE_FIPSCHECK}
286	%if %{?rhel} <= 6
287	%{_sbindir}/.ipsec.hmac
288	%{_libexecdir}/ipsec/.*.hmac
289	%else
290	%{_libdir}/fipscheck/*.hmac
291	%endif
292
293	# We own the directory so we don't have to require prelink
294	%attr(0755,root,root) %dir %{_sysconfdir}/prelink.conf.d/
295	%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
296	%endif
297
298	%changelog
299	* Sat Dec 19 2015 Paul Wouters <pwouters@redhat.com> - 3.16-1
300	- Updated to libreswan-3.16
301
302	* Thu Oct 15 2015 Paul Wouters <pwouters@redhat.com> - 3.15-5
303	- Resolves: rhbz#1272317 libreswan FIPS test mistakenly looks for non-existent file hashes
304	- Resolves: rhbz#1271778 ipsec whack man page discrepancies
305
306	* Tue Sep 29 2015 Paul Wouters <pwouters@redhat.com> - 3.15-4
307	- Updates: rhbz#1233303 add libreswan to RHEL6 (fix source confusion)
308
309	* Mon Sep 28 2015 Paul Wouters <pwouters@redhat.com> - 3.15-3
310	- Updates: rhbz#1233303 add libreswan to RHEL6
311
312	* Tue Sep 15 2015 Paul Wouters <pwouters@redhat.com> - 3.15-2
313	- Resolves: rhbz#1259208 CVE-2015-3240
314	- Merge rhel6 and rhel7 spec into one
315	- Be lenient for racoon padding behaviour
316	- Fix seedev option to /dev/random
317	- Some IKEv1 PAM methods always gave 'Permission denied'
318	- Parser workarounds for differences in gcc/flex/bison on rhel6/rhel7
319	- Parser fix to allow specifying time without unit (openswan compat)
320	- Fix Labeled IPsec on rekeyed IPsec SA's
321	- Workaround for wrong padding by racoon2
322	- Disable NSS HW GCM to workaround rhel6 xen builers bug
323
324	* Wed Aug 19 2015 Paul Wouters <pwouters@redhat.com> - 3.14-1
325	- Resolves: rhbz#1233303 add libreswan to RHEL6
326	- Resolves: CVE-2015-3240 denial of service via IKE daemon restart when receiving a bad DH gx
327
328	* Fri May 29 2015 Paul Wouters <pwouters@redhat.com> - 3.12-10.1
329	- Resolves: rhbz#1226407 CVE-2015-3204 libreswan: crafted IKE packet causes daemon restart
330
331	* Tue May 05 2015 Paul Wouters <pwouters@redhat.com> - 3.12-10
332	- Resolves: rhbz#1213652 Support CAVS [updated another prf() free symkey, bogus fips mode fix]
333
334	* Tue Apr 28 2015 Paul Wouters <pwouters@redhat.com> - 3.12-9
335	- Resolves: rhbz#1213652 Support CAVS [updated to kill another copy of prf()]
336	- Resolves: rhbz#1208023 Libreswan with IPv6 [updated patch by Jaroslav Aster]
337	- Resolves: rhbz#1208022 libreswan ignores module blacklist [updated modprobe handling]
338
339	* Mon Apr 20 2015 Paul Wouters <pwouters@redhat.com> - 3.12-8
340	- Resolves: rhbz#1213652 Support CAVS testing of the PRF/PRF+ functions
341
342	* Mon Apr 13 2015 Paul Wouters <pwouters@redhat.com> - 3.12-7
343	- Resolves: rhbz#1208022 libreswan ignores module blacklist rules
344	- Resolves: rhbz#1208023 Libreswan with IPv6 in RHEL7 fails after reboot
345	- Resolves: rhbz#1211146 pluto crashes in fips mode
346
347	* Tue Mar 17 2015 Paul Wouters <pwouters@redhat.com> - 3.12-6
348	- Resolves: rhbz#1198650 SELinux context string size limit
349	- Resolves: rhbz#1198649 Add new option for BSI random requirement
350
351	* Tue Jan 20 2015 Paul Wouters <pwouters@redhat.com> - 3.12-5
352	- Resolves: rhbz#826264 aes-gcm implementation support (for IKEv2)
353	- Resolves: rhbz#1074018 Audit key agreement (integ gcm fixup)
354
355	* Tue Dec 30 2014 Paul Wouters <pwouters@redhat.com> - 3.12-4
356	- Resolves: rhbz#1134297 aes-ctr cipher is not supported
357	- Resolves: rhbz#1131503 non-zero rSPI on INVALID_KE (and proper INVALID_KE handling)
358
359	* Thu Dec 04 2014 Paul Wouters <pwouters@redhat.com> - 3.12-2
360	- Resolves: rhbz#1105171 (Update man page entry)
361	- Resolves: rhbz#1144120 (Update for ESP CAMELLIA with IKEv2)
362	- Resolves: rhbz#1074018 Audit key agreement
363
364	* Fri Nov 07 2014 Paul Wouters <pwouters@redhat.com> - 3.12-1
365	- Resolves: rhbz#1136124 rebase to libreswan 3.12
366	- Resolves: rhbz#1052811 [TAHI] (also clear reserved flags for isakmp_sa header)
367	- Resolves: rhbz#1157379 [TAHI][IKEv2] IKEv2.EN.R.1.3.3.1: Non RESERVED fields in INFORMATIONAL request
368
369	* Mon Oct 27 2014 Paul Wouters <pwouters@redhat.com> - 3.11-2
370	- Resolves: rhbz#1136124 rebase to libreswan 3.11 (coverity fixup, dpdaction=clear fix)
371
372	* Wed Oct 22 2014 Paul Wouters <pwouters@redhat.com> - 3.11-1
373	- Resolves: rhbz#1136124 rebase to libreswan 3.11
374	- Resolves: rhbz#1099905 ikev2 delete payloads are not delivered to peer
375	- Resolves: rhbz#1147693 NetworkManger-libreswan can not connect to Red Hat IPSec Xauth VPN
376	- Resolves: rhbz#1055865 [TAHI][IKEv2] libreswan do not ignore the content of version bit
377	- Resolves: rhbz#1146106 Pluto crashes after start when some ah algorithms are used
378	- Resolves: rhbz#1108256 addconn compatibility with openswan
379	- Resolves: rhbz#1152625 [TAHI][IKEv2] IKEv2.EN.I.1.1.6.2 Part D: Integrity Algorithm AUTH_AES_XCBC_96 fail
380	- Resolves: rhbz#1119704 [TAHI][IKEv2]IKEv2Interop.1.13a test fail
381	- Resolves: rhbz#1100261 libreswan does not send response when when it receives Delete Payload for a CHILD_SA
382	- Resolves: rhbz#1100239 ikev2 IKE SA responder does not send delete request to IKE SA initiator
383	- Resolves: rhbz#1052811 [TAHI][IKEv2]IKEv2.EN.I.1.1.11.1: Non zero RESERVED fields in IKE_SA_INIT response
384	- Resolves: rhbz#1126868 ikev2 sequence numbers are implemented incorrectly
385	- Resolves: rhbz#1145245 Libreswan appears to start with systemd before all the NICs are up and running.
386	- Resolves: rhbz#1145231 libreswan 3.10 upgrade breaks old ipsec.secrets configs
387	- Resolves: rhbz#1144123 Add ESP support for AES_XCBC hash for USGv6 and IPsec-v3 compliance
388	- Resolves: rhbz#1144120 Add ESP support for CAMELLIA for USGv6 and IPsec-v3 compliance
389	- Resolves: rhbz#1099877 Missing man-pages ipsec_whack, ipsec_manual
390	- Resolves: rhbz#1100255 libreswan Ikev2 implementation does not send an INFORMATIONAL response when it receives an INFORMATIONAL request with a Delete Payload for an IKE_SA
391
392	* Tue Sep 09 2014 Paul Wouters <pwouters@redhat.com> - 3.10-3
393	- Resolves: rhbz#1136124 rebase to 3.10 (auto=route bug on startup)
394
395	* Mon Sep 08 2014 Paul Wouters <pwouters@redhat.com> - 3.10-2
396	- Resolves: rhbz#1136124 rebase to libreswan 3.10
397
398	* Mon Jul 14 2014 Paul Wouters <pwouters@redhat.com> - 3.8-6
399	- Resolves: rhbz#1092047 pluto cannot write to directories not owned by root
400
401	* Thu Apr 10 2014 Paul Wouters <pwouters@redhat.com> - 3.8-5
402	- Resolves: rhbz#1052834 create_child_sa message ID handling
403
404
405	* Tue Mar 18 2014 Paul Wouters <pwouters@redhat.com> - 3.8-4
406	- Resolves: rhbz#1052834 create_child_sa response
407
408	* Wed Mar 05 2014 Paul Wouters <pwouters@redhat.com> - 3.8-3
409	- Resolves: rhbz#1069024 erroneous debug line with mixture [...]
410	- Resolves: rhbz#1030939 update nss/x509 documents, don't load acerts
411	- Resolves: rhbz#1058813 newhostkey returns zero value when it fails
412
413	* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 3.8-2
414	- Mass rebuild 2014-01-24
415
416	* Thu Jan 16 2014 Paul Wouters <pwouters@redhat.com> - 3.8-1
417	- Resolves: rhbz#CVE-2013-6467
418	- Resolves: rhbz#1043642 rebase to version 3.8
419	- Resolves: rhbz#1029912 ipsec force-reload doesn't work
420	- Resolves: rhbz#826261 Implement SHA384/512 support for Openswan
421	- Resolves: rhbz#1039655 ipsec newhostkey generates false configuration
422
423	* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 3.6-3
424	- Mass rebuild 2013-12-27
425
426	* Fri Nov 08 2013 Paul Wouters <pwouters@redhat.com> - 3.6-2
427	- Fix race condition in post for creating nss db
428
429	* Thu Oct 31 2013 Paul Wouters <pwouters@redhat.com> - 3.6-1
430	- Updated to version 3.6 (IKEv2, MODECFG, Cisco interop fixes)
431	- Generate empty NSS db if none exists
432	- FIPS update using /etc/system-fips
433	- Provide: openswan-doc
434
435	* Fri Aug 09 2013 Paul Wouters <pwouters@redhat.com> - 3.5-2
436	- rebuilt and bumped EVR to avoid confusion of import->delete->import
437	- require iproute
438
439	* Mon Jul 15 2013 Paul Wouters <pwouters@redhat.com> - 3.5-1
440	- Initial package for RHEL7
441	- Added interop patch for (some?) Cisco VPN clients sending 16 zero
442	bytes of extraneous IKE data
443	- Removed fipscheck_version