%define LIBMAJ 0
%define libname %mklibname ipsec %LIBMAJ
%define libnamedev %mklibname -d ipsec

Name: ipsec-tools
Version: 0.7.1
Release: %mkrel 1
Summary: Tools for configuring and using IPSEC
License: BSD
Group: Networking/Other
URL: http://ipsec-tools.sourceforge.net/
Source: http://prdownloads.sourceforge.net/ipsec-tools/ipsec-tools-%{version}.tar.bz2
Source3: racoon.conf
Source4: psk.txt
Source6: ipsec-setkey-initscript
Source7: racoon-initscript
Source8: racoon.sysconfig
Patch: ipsec-tools-0.6.2b3-manfix.patch
Patch1: ipsec-tools-0.5.2-includes.patch
# fhimpe: from upstream CVS: http://marc.info/?l=oss-security&m=121856223016913&w=2
Patch2: ipsec-tools-0.7.1-CVE-2008-3652.patch
BuildRequires: openssl-devel krb5-devel flex bison
BuildRequires: libpam-devel
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
Requires: %{libname} = %{version}
Requires(pre): rpm-helper
Requires: rpm-helper
Provides: kvpnc-backend

%description
This is the IPsec-Tools package. You need this package in order to
really use the IPsec functionality in the linux-2.6 and above kernels.
This package builds:

 - libipsec, a PFKeyV2 library
 - setkey, a program to directly manipulate policies and SAs
 - racoon, an IKEv1 keying daemon

%define old_libname %mklibname ipsec-tools 0
%define old_libname_devel %mklibname -d ipsec 0

%package -n %{libname}
Summary: The shared libraries used by ipsec-tools
Group: System/Libraries
Requires(post): grep, coreutils
Requires(preun): grep, coreutils
Requires: grep, coreutils
Provides: libipsec = %{version}-%{release}
Provides: libipsec-tools = %{version}-%{release}
Obsoletes: libipsec-tools
Provides: %old_libname = %{version}-%{release}
Obsoletes: %old_libname

%description -n %{libname}
These are the shared libraries for the IPsec-Tools package.

%package -n %{libnamedev}
Summary: Headers for programs for %libname
Group: Development/C
Requires: %{libname} = %{version}
Provides: libipsec-tools-devel = %{version}-%{release}
Provides: libipsec-devel = %{version}-%{release}
Obsoletes: libipsec-tools-devel
Provides: %{old_libname}-devel = %{version}-%{release}
Obsoletes: %{old_libname}-devel
Obsoletes: %{old_libname_devel} < 0.7

%description -n %{libnamedev}
These are development headers for libipsec

%prep
%setup -q
%patch0 -p1 -b .manfix
%patch1 -p1 -b .includes
%patch2 -p4 -b .CVE-2008-3652

%build
./configure \
    --prefix=%{_prefix} \
    --mandir=%{_mandir} \
    --libdir=/%{_lib} \
    --sbindir=/sbin \
    --localstatedir=%{_localstatedir}/lib \
    --sysconfdir=%{_sysconfdir}/racoon \
    --with-kernel-headers=%{_includedir} \
    --enable-shared \
    --disable-rpath \
    --enable-hybrid \
    --enable-frag \
    --enable-dpd \
    --enable-adminport \
    --enable-gssapi \
    --enable-natt \
    --with-libpam \
    --enable-security-context=no

# removed: 0.6.1 says it's not supported in linux
#    --enable-samode-unspec

make

%install
rm -rf $RPM_BUILD_ROOT
%makeinstall_std

mkdir -p $RPM_BUILD_ROOT/etc/racoon/
install -m 0600 %{SOURCE3} $RPM_BUILD_ROOT/etc/racoon/racoon.conf
install -m 0600 %{SOURCE4} $RPM_BUILD_ROOT/etc/racoon/psk.txt
mkdir -m 0700 -p $RPM_BUILD_ROOT/etc/racoon/certs

mkdir -p $RPM_BUILD_ROOT/%{_initrddir}
install -m 0755 %{SOURCE6} $RPM_BUILD_ROOT/%{_initrddir}/ipsec-setkey
install -m 0755 %{SOURCE7} $RPM_BUILD_ROOT/%{_initrddir}/racoon

mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
# racoon.sysconfig
install -m 0644 %{SOURCE8} %{buildroot}%{_sysconfdir}/sysconfig/racoon

# pam file
mkdir -p %{buildroot}%{_sysconfdir}/pam.d
cat > %{buildroot}%{_sysconfdir}/pam.d/racoon <<EOF
#%PAM-1.0
auth       required     pam_nologin.so
%if %mdkversion < 200700
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
%else
auth       include      system-auth
account    include      system-auth
%endif
EOF

# default ipsec.conf file
cat > %{buildroot}%{_sysconfdir}/ipsec.conf <<EOF
#!/usr/sbin/setkey -f
#
# File /etc/ipsec.conf

# delete the SAD and SPD
flush;
spdflush;

# Define here your security policies

# Example
# ipsec between two machines: 192.168.1.10 and 192.168.1.20
#
# spdadd 192.168.1.10 192.168.1.20 any -P in ipsec
#    esp/transport//require
#    ah/transport//require;
#
# spdadd 192.168.1.20 192.168.1.10 any -P out ipsec
#    esp/transport//require
#    ah/transport//require;
EOF

# remove some files from the sample dir so we can include it
# in %%doc. Also fix their permissions
rm -f src/racoon/samples/*.in
find src/racoon/samples -type f -exec chmod 0644 {} \;

%clean
rm -rf $RPM_BUILD_ROOT

%post
%_post_service ipsec-setkey
%_post_service racoon

%preun
%_preun_service ipsec-setkey
%_preun_service racoon

%if %mdkversion < 200900
%post -n %{libname} -p /sbin/ldconfig
%endif

%if %mdkversion < 200900
%postun -n %{libname} -p /sbin/ldconfig
%endif

%files
%defattr(-,root,root)
%doc ChangeLog NEWS README
%doc src/racoon/samples
%doc src/racoon/doc/*
/sbin/*
%{_mandir}/man*/*
%dir %{_sysconfdir}/racoon
%dir %{_sysconfdir}/racoon/certs
%config(noreplace) %{_sysconfdir}/sysconfig/racoon
%config(noreplace) %{_sysconfdir}/racoon/psk.txt
%config(noreplace) %{_sysconfdir}/racoon/racoon.conf
%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/ipsec.conf
%config(noreplace) %{_sysconfdir}/pam.d/racoon
%attr (0755,root,root) %{_initrddir}/ipsec-setkey
%attr (0755,root,root) %{_initrddir}/racoon
%dir /var/lib/racoon

%files -n %{libname}
%defattr(-,root,root)
%doc ChangeLog NEWS README
/%{_lib}/*.so.*

%files -n %{libnamedev}
%defattr(-,root,root)
/%{_lib}/libipsec.la
/%{_lib}/libipsec.a
/%{_lib}/libipsec.so
/%{_lib}/libracoon.la
/%{_lib}/libracoon.a
/%{_lib}/libracoon.so
%{_includedir}/*

%changelog
* Sat Aug 23 2008 Frederik Himpe <fhimpe@mandriva.org> 0.7.1-1mdv2009.0
+ Revision: 275249
- Add patch fixing security problem CVE-2008-3652
- Update to version 0.7.1 (fixes CVE-2008-3651)

* Tue Jun 17 2008 Thierry Vignaud <tvignaud@mandriva.com> 0.7-2mdv2009.0
+ Revision: 221638
- rebuild
- kill re-definition of %%buildroot on Pixel's request

  + Pixel <pixel@mandriva.com>
    - do not call ldconfig in %%post/%%postun, it is now handled by filetriggers
    - adapt to %%_localstatedir now being /var instead of /var/lib (#22312)

  + Olivier Blin <oblin@mandriva.com>
    - restore BuildRoot

* Wed Oct 17 2007 Andreas Hasenack <andreas@mandriva.com> 0.7-1mdv2008.1
+ Revision: 99702
- updated to version 0.7
- comply with new devel package policy (drop soname from it)
- drop patches which are no longer needed (gcc-misc, werror)
- disable security context or else we need selinux

* Thu Aug 23 2007 Thierry Vignaud <tvignaud@mandriva.com> 0.6.7-1mdv2008.0
+ Revision: 69963
- patch 4: fix build by disabling -Werror which make build randomly fails for
  no good reason when newer gcc spit out more warnings
- fileutils, sh-utils & textutils have been obsoleted by coreutils a long time ago

* Sat Apr 07 2007 Andreas Hasenack <andreas@mandriva.com> 0.6.7-1mdv2007.1
+ Revision: 151144
- updated to version 0.6.7, fixing a DoS (CVE-2007-1841)

* Thu Sep 14 2006 Andreas Hasenack <andreas@mandriva.com> 0.6.6-2mdv2007.0
+ Revision: 61328
- added PAM configuration file (PAM auth tested)

* Thu Sep 14 2006 Andreas Hasenack <andreas@mandriva.com> 0.6.6-1mdv2007.0
+ Revision: 61275
- added buildrequires for libpam-devel due to new pam support
- using mkrel
- enabled pam support
- added support for parallel initscripts
- bunzipped patches and some source files
- updated to version 0.6.6
- added gcc patch
- don't run auto-tools, it's introducing a build error
- Import ipsec-tools

* Sun Feb 05 2006 Andreas Hasenack <andreas@mandriva.com> 0.6.5-1mdk
- updated to version 0.6.5

* Wed Jan 25 2006 Andreas Hasenack <andreas@mandriva.com> 0.6.4-1mdk
- updated to version 0.6.4
- removed openssl0.9.8 patch, not needed anymore

* Sun Nov 13 2005 Oden Eriksson <oeriksson@mandriva.com> 0.6.2b3-2mdk
- added P3 from fedora to make it build against openssl-0.9.8a

* Wed Oct 05 2005 Andreas Hasenack <andreas@mandriva.com> 0.6.2b3-1mdk
- updated to version 0.6.2b3
- removed signwarn patch, already applied
- removed warning patch, no longer needed
- redid x86_64 patch
- redid manfix patch
- removed --enable-samode-unspec ./configure option, it's said to not work
  with linux
- added "remote anonymous" section to default racoon.conf, taken from
  sample file in the documentation directory
- added libracoon to file list in devel package

* Thu Sep 08 2005 Gwenole Beauchesne <gbeauchesne@mandriva.com> 0.5.2-5mdk
- don't forcibly redefine bcopy() & bzero()

* Wed Jun 29 2005 Andreas Hasenack <andreas@mandriva.com> 0.5.2-4mdk
- added a sample ipsec.conf file
- use proper exit codes in the ipsec-setkey and racoon initscripts
- only load ipv6 ipsec related modules if NETWORKING_IPV6=yes
  (ipsec-setkey init script)
- added more documentation to %%doc
- removed reload option from the racoon initscript since it's not
  supported anyway (was equal to restart)

* Thu Jun 23 2005 Andreas Hasenack <andreas@mandriva.com> 0.5.2-3mdk
- more fixes for paths in the manpage

* Tue Jun 14 2005 Andreas Hasenack <andreas@mandriva.com> 0.5.2-2mdk
- fix patch referenced in manpage

* Tue Jun 14 2005 Andreas Hasenack <andreas@mandriva.com> 0.5.2-1mdk
- updated to version 0.5.2
- using /etc/racoon for sysconfdir directory (fixes #16234)
- added patch to fix a signedess warning with gcc4
- included missing /var/lib/racoon directory, fixing #16409
  (why isn't rpm warning about this directory which wasn't being packaged?)
- added a sysconfig file so that the admin can give racoon some
  command line arguments if needed

* Wed May 04 2005 Couriousous <couriousous@mandriva.org> 0.5.1-2mdk
- Fix x86_64 build

* Sun May 01 2005 Couriousous <couriousous@mandriva.org> 0.5.1-1mdk
- 0.5.1
- Enable more features
- Patch to fix gssapi warning

* Fri Mar 25 2005 Couriousous <couriousous@mandrake.org> 0.5-4mdk
- Security fix (CAN-2005-0398)

* Thu Mar 03 2005 Couriousous <couriousous@mandrake.org> 0.5-3mdk
- Fix conflict with openswan ( #14133 )

* Wed Feb 23 2005 Christiaan Welvaart <cjw@daneel.dyndns.org> 0.5-2mdk
- add BuildRequires: bison

* Sat Feb 19 2005 Couriousous <couriousous@mandrake.org> 0.5-1mdk
- 0.5
- Change library name libipsec-tools to libipsec

* Sun Dec 26 2004 Couriousous <couriousous@mandrake.org> 0.4-2mdk
- Add Provide kvpnc-backend

* Thu Sep 23 2004 Couriousous <couriousous@sceen.net> 0.4-1mdk
- 0.4
- Add startup scripts
- Enable -devel package

* Fri Jul 16 2004 Christiaan Welvaart <cjw@daneel.dyndns.org> 0.2.5-2mdk
- add BuildRequires: flex

* Fri Apr 09 2004 Florin <florin@mandrakesoft.com> 0.2.5-1mdk
- 0.2.5 (security update)
- /sbin now contains the binaries and not /usr/sbin anymore