
libreswan-4.12-1.mga9.src.rpm

# Build-wide switches for this package. _hardened_build is not read again in
# this spec; presumably the distribution's rpm macros consume it to turn on
# hardening compiler/linker flags - confirm against the Mageia macro set.
%global _hardened_build 1
# These are rpm macros and are 0 or 1
#   with_efence      - 1 adds the ElectricFence build dependency and passes
#                      USE_EFENCE=true to make
#   with_development - 1 builds with the hardened cflags macro instead of the
#                      distribution optflags for OPTIMIZE_CFLAGS
#   with_cavstests   - 1 declares the CAVS vector sources and runs the CAVS
#                      known-answer tests at check time
%global with_efence 0
%global with_development 0
%global with_cavstests 1
# Minimum NSS version; used for both the nss-devel BuildRequires and the nss
# runtime Requires below.
%global nss_version 3.52
# Libreswan config options
# The same option set is handed to make in the build and the install sections,
# so the two steps cannot drift apart. Going by the variable names, the
# security-relevant features switched on here are seccomp, libcap-ng, Linux
# audit, labeled IPsec, DNSSEC, the NSS IPsec profile and PAM authentication.
%global libreswan_config \\\
    FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
    FINALMANDIR=%{_mandir} \\\
    PREFIX=%{_prefix} \\\
    INITSYSTEM=systemd \\\
    PYTHON_BINARY=%{__python3} \\\
    SHELL_BINARY=%{_bindir}/sh \\\
    USE_DNSSEC=true \\\
    USE_LABELED_IPSEC=true \\\
    USE_LDAP=true \\\
    USE_LIBCAP_NG=true \\\
    USE_LIBCURL=true \\\
    USE_LINUX_AUDIT=true \\\
    USE_NM=true \\\
    USE_NSS_IPSEC_PROFILE=true \\\
    USE_SECCOMP=true \\\
    USE_AUTHPAM=true \\\
%{nil}

# Pre-release suffix. The line is disabled (no leading percent sign), so the
# prever conditionals in Release and the Source URLs expand to nothing.
#global prever dr1

%define rel 1

Name: libreswan
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
# version is generated in the release script
Version: 4.12
Release: %mkrel %{?prever:0.}%rel%{?prever:.%{prever}}
License: GPLv2
Group:   System/Servers
Url: https://libreswan.org/
# Source0 is the upstream tarball, Source1 its detached signature and Source2
# the upstream signing key; the prep section checks Source0 against them before
# unpacking.
# NOTE(review): Source2 is published on the same host as the tarball, so the
# key file committed with this package should be confirmed out-of-band (for
# example by fingerprint) whenever it is imported or changes.
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
Source1: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz.asc
Source2: https://download.libreswan.org/LIBRESWAN-GPG-KEY.txt
# CAVS test vectors used by the check section. The signature check in prep
# names Source0 only, so these three files are not authenticated by it.
%if 0%{with_cavstests}
Source3: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
Source4: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
Source5: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif
# tmpfiles.d snippet installed in the install section
Source6: libreswan-tmpfiles.conf

BuildRequires: audit-libs-devel
BuildRequires: bison
BuildRequires: curl-devel
BuildRequires: flex
BuildRequires: gcc
# presumably needed by the signature verification macro used in prep
BuildRequires: gnupg2
BuildRequires: hostname
BuildRequires: ldns-devel
BuildRequires: libcap-ng-devel
BuildRequires: libevent-devel
BuildRequires: libseccomp-devel
BuildRequires: libselinux-devel
BuildRequires: make
BuildRequires: nspr-devel
BuildRequires: nss-devel >= %{nss_version}
BuildRequires: openldap-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: systemd-devel
BuildRequires: xmlto
BuildRequires: pkgconfig(libunbound)
# only pulled in for memory-debugging builds (with_efence set to 1)
%if 0%{with_efence}
BuildRequires: ElectricFence
%endif
Requires: iproute >= 2.6.8
Requires: nss >= %{nss_version}
Requires: logrotate
# for pidof
Requires: procps-ng

# packages that must be present when the install/uninstall scriptlets run
Requires(post): bash
Requires(post): coreutils
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd

%description
Libreswan is a free implementation of IPsec & IKE for Linux.  IPsec
(Internet Protocol Security) uses strong cryptography to provide
both authentication and encryption services.  These services allow you
to build secure tunnels through untrusted networks.  Everything passing
through the untrusted net is encrypted by the ipsec gateway machine and
decrypted by the gateway at the other end of the tunnel.  The resulting
tunnel is a virtual private network or VPN.

This package contains the daemons and userland tools for setting up
Libreswan.

Libreswan also supports IKEv2 (RFC7296) and Secure Labeling

Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04

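%prep
# Authenticate the upstream tarball (SOURCE0) against its detached signature
# (SOURCE1) with the packaged upstream key (SOURCE2) before anything is
# unpacked; a failed verification stops the build here.
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%setup -q -n libreswan-%{version}%{?prever}
# enable crypto-policies support
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
# sed exits 0 even when its pattern no longer matches the upstream template.
# Fail the build instead of silently shipping a default config that ignores
# the system-wide crypto policy.
grep -Eq '^[[:space:]]*include .*/crypto-policies/back-ends/libreswan\.config$' configs/ipsec.conf.in || \
    { echo "crypto-policies include was not enabled in configs/ipsec.conf.in"; exit 1; }
# Comment out the ipcheck subdirectory in the testing programs Makefile
sed -i "s/SUBDIRS += ipcheck/#SUBDIRS += ipcheck/" testing/programs/Makefile
# Apply any distribution patches after the upstream source has been verified
%autopatch -p1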

%build
# Build only the "programs" make target, using the option set defined in the
# libreswan_config macro at the top of this spec.
# OPTIMIZE_CFLAGS comes from the distribution optflags unless with_development
# is 1. WERROR_CFLAGS keeps -Werror and silences three named warnings.
# USERLINK asks the linker for RELRO plus immediate binding (-z relro, -z now)
# and --as-needed.
# NOTE(review): USERLINK carries both -flto and --no-lto; confirm which of the
# two is meant to take effect.
make %{?_smp_mflags} \
%if 0%{with_development}
    OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \
%else
    OPTIMIZE_CFLAGS="%{optflags}" \
%endif
    WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch -Wno-maybe-uninitialized" \
%if 0%{with_efence}
    USE_EFENCE=true \
%endif
    USERLINK="%{?__global_ldflags} -Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -flto --no-lto" \
    %{libreswan_config} \
    programs
# NOTE(review): FS is not read again in this section; looks like a leftover.
FS=$(pwd)


%install
# Stage the install into the build root with the same option set as the build.
make \
    DESTDIR=%{buildroot} \
    %{libreswan_config} \
    install
# NOTE(review): FS is not read again in this section; looks like a leftover.
FS=$(pwd)
# Drop the doc directory written by the upstream install and every libexec
# helper whose name ends in "check".
rm -rf %{buildroot}/usr/share/doc/libreswan
rm -rf %{buildroot}%{_libexecdir}/ipsec/*check

# Runtime directory for pluto (listed as a ghost directory in the files
# section) and the sbin directory.
install -d -m 0755 %{buildroot}%{_rundir}/pluto
install -d %{buildroot}%{_sbindir}

# Ship the sysctl settings taken from the Fedora packaging directory; the post
# scriptlet applies this file on install.
install -d %{buildroot}%{_sysctldir}
install -m 0644 packaging/fedora/libreswan-sysctl.conf \
    %{buildroot}%{_sysctldir}/50-libreswan.conf

# The packaged secrets file holds no key material itself: it only includes the
# *.secrets files from ipsec.d. Its root-only 0600 mode is set by the attr
# entry in the files section, not here.
echo "include %{_sysconfdir}/ipsec.d/*.secrets" \
    > %{buildroot}%{_sysconfdir}/ipsec.secrets
# Remove anything the upstream install placed under rc.d (INITSYSTEM is systemd)
rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*

# Install tmpfiles
install -d %{buildroot}%{_tmpfilesdir}
install -D -p -m 644 %{S:6} %{buildroot}%{_tmpfilesdir}/%{name}.conf

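%check
# There is an elaborate upstream testing infrastructure which we do not
# run here - it takes hours and uses kvm
# We only run the CAVS tests and startup selftest
#
# The section header sits outside the with_cavstests conditional so that the
# algparse and pluto self-tests below still run as a check step (and are not
# appended to the install script) when the CAVS tests are switched off.
%if 0%{with_cavstests}
# Known-answer tests: the output of each cavp run must be identical to the
# vector file it was given. The diff output is discarded, so a mismatch only
# shows up as a failed build step.
cp %{SOURCE3} %{SOURCE4} %{SOURCE5} .
bunzip2 *.fax.bz2

: starting CAVS test for IKEv2
%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \
    diff -u ikev2.fax - > /dev/null
# NOTE(review): the label below says RSASIG while the flag and the vector file
# are named dsa; confirm the label.
: starting CAVS test for IKEv1 RSASIG
%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \
    diff -u ikev1_dsa.fax - > /dev/null
: starting CAVS test for IKEv1 PSK
%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
    diff -u ikev1_psk.fax - > /dev/null
: CAVS tests passed
%endif

# Some of these tests will show ERROR for negative testing - it will exit on real errors
%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo proposal test failed; exit 1; }
%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; }
: Algorithm parser tests passed

# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode
# mktemp -d gives a private scratch directory for the throw-away NSS database
# and pluto's run directory; the trap removes it however the script exits.
tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
trap 'rm -rf "$tmpdir"' EXIT
# NOTE(review): certutil must be available in the build root; no BuildRequires
# in this spec names the package providing it - confirm it is pulled in.
certutil -N -d "sql:$tmpdir" --empty-password
%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir "$tmpdir" --rundir "$tmpdir"
: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST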

%post
# Standard systemd packaging macro for the ipsec unit, then load the sysctl
# settings shipped as 50-libreswan.conf so they apply without a reboot.
%systemd_post ipsec.service
%sysctl_apply 50-libreswan.conf

%preun
# Standard systemd packaging macro run before the package is removed.
%systemd_preun ipsec.service

%postun
# The with_restart variant restarts a running ipsec service on upgrade, so an
# updated daemon (for example a security fix) takes effect without a manual
# restart.
%systemd_postun_with_restart ipsec.service

%files
%doc CHANGES COPYING CREDITS README* LICENSE
%doc docs/*.* docs/examples
# Configuration is marked config(noreplace) so local edits survive upgrades.
# ipsec.secrets is readable by root only (0600); ipsec.d and its policies
# directory are root-only (0700).
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
%attr(0644,root,root) %config(noreplace) %{_sysctldir}/50-libreswan.conf
# Ghost entry: the run directory is owned by the package but not shipped in
# the payload; a tmpfiles.d snippet is installed alongside it.
%ghost %attr(0755,root,root) %dir %{_rundir}/pluto
# State directories are root-only (0700); the nss subdirectory is presumably
# where the daemon's NSS database lives - confirm.
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec/nss
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
%attr(0644,root,root) %{_unitdir}/ipsec.service
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
# NOTE(review): unlike the entries above, the logrotate file has no explicit
# attr, so it takes whatever mode and owner it has in the build root.
%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
%{_sbindir}/ipsec
%{_libexecdir}/ipsec
%doc %{_mandir}/*/*



%changelog
* Tue Aug 29 2023 kekepower <kekepower> 4.12-1.mga9
+ Revision: 1981046
- Update to version 4.12 (mga#31865)

* Thu May 04 2023 kekepower <kekepower> 4.11-1.mga9
+ Revision: 1955767
- Update to version 4.11

* Wed Mar 01 2023 kekepower <kekepower> 4.10-1.mga9
+ Revision: 1946151
- Update to version 4.10

* Fri Oct 14 2022 kekepower <kekepower> 4.9-1.mga9
+ Revision: 1896781
- Update to version 4.9

* Tue Oct 04 2022 kekepower <kekepower> 4.8-1.mga9
+ Revision: 1894796
- Update to version 4.8

* Thu May 26 2022 kekepower <kekepower> 4.7-1.mga9
+ Revision: 1860197
- Update to version 4.7

* Wed Mar 30 2022 umeabot <umeabot> 4.6-7.mga9
+ Revision: 1834311
- Mageia 9 Mass Rebuild

* Wed Jan 19 2022 kekepower <kekepower> 4.6-6.mga9
+ Revision: 1769069
- Deleted the BR for unbound by mistake
- Remove hard dependency on unbound-libs

* Tue Jan 18 2022 kekepower <kekepower> 4.6-4.mga9
+ Revision: 1768938
- Remove require for nss-softokn

* Tue Jan 18 2022 kekepower <kekepower> 4.6-3.mga9
+ Revision: 1768930
- Reenable tmpfiles correctly

* Tue Jan 18 2022 kekepower <kekepower> 4.6-2.mga9
+ Revision: 1768929
- Remove require for nss-tools

* Tue Jan 18 2022 kekepower <kekepower> 4.6-1.mga9
+ Revision: 1768923
- Update to version 4.6

* Mon Aug 23 2021 kekepower <kekepower> 4.5-1.mga9
+ Revision: 1742409
- Update to version 4.5

* Fri Apr 23 2021 kekepower <kekepower> 4.4-1.mga9
+ Revision: 1718202
- Add patch to fix build on arm and aarch64
- Update to version 4.4

* Sat Feb 27 2021 kekepower <kekepower> 4.3-1.mga9
+ Revision: 1692992
- Update to version 4.3

* Wed Feb 03 2021 kekepower <kekepower> 4.2-1.mga8
+ Revision: 1674599
- Update to version 4.2

* Wed Dec 30 2020 luigiwalser <luigiwalser> 4.1-3.mga8
+ Revision: 1665629
- fix l2tp connection to Windows VPN server (rhbz#1894381)

* Wed Dec 30 2020 luigiwalser <luigiwalser> 4.1-2.mga8
+ Revision: 1665628
- add missing nss dir (mga#27984)

* Mon Oct 19 2020 kekepower <kekepower> 4.1-1.mga8
+ Revision: 1637160
- Update to version 4.1

* Fri Oct 16 2020 kekepower <kekepower> 4.0-1.mga8
+ Revision: 1636384
- Update to version 4.0

* Tue Oct 13 2020 luigiwalser <luigiwalser> 3.32-2.mga8
+ Revision: 1635516
- add upstream patch via fedora to fix nss incompatibility (mga#26716)

* Tue May 12 2020 kekepower <kekepower> 3.32-1.mga8
+ Revision: 1583352
- Update to version 3.32

* Wed Mar 04 2020 kekepower <kekepower> 3.31-1.mga8
+ Revision: 1553811
- Update to version 3.31

* Sun Feb 16 2020 umeabot <umeabot> 3.29-5.mga8
+ Revision: 1535017
- Mageia 8 Mass Rebuild

* Sun Feb 16 2020 daviddavid <daviddavid> 3.29-4.mga8
+ Revision: 1532023
- rebuild for new libevent 2.1.11

* Tue Oct 08 2019 daviddavid <daviddavid> 3.29-3.mga8
+ Revision: 1450596
- rebuild for new ldns 1.7.1

* Sat Jul 06 2019 kekepower <kekepower> 3.29-2.mga8
+ Revision: 1419208
- Use tmpfilesdir to create /run/pluto
- Update to version 3.29 to fix CVE-2019-10155 (mga#25065)

* Tue Dec 25 2018 kekepower <kekepower> 3.27-4.mga7
+ Revision: 1344867
- Obsoletes openswan-doc

* Sun Dec 02 2018 kekepower <kekepower> 3.27-3.mga7
+ Revision: 1337506
- Fix Requires

* Sun Dec 02 2018 kekepower <kekepower> 3.27-2.mga7
+ Revision: 1337441
- Fix ghost files
- Fix file list
- Fix Release tag
- imported package libreswan