From 3c8f3a8b8df25b1cd5c6f82dcafe040bc90876de Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Aug 13 2015 14:17:54 +0000
Subject: Merge branch 'f22' into f21
---
diff --git a/.gitignore b/.gitignore
index cffd43b..c3616e3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,7 @@
 /libreswan-3.11.tar.gz
 /libreswan-3.12.tar.gz
 /libreswan-3.13.tar.gz
+/libreswan-3.14.tar.gz
+/ikev1_dsa.fax.bz2
+/ikev1_psk.fax.bz2
+/ikev2.fax.bz2
diff --git a/libreswan.spec b/libreswan.spec
index 52940cf..5f2af27 100644
--- a/libreswan.spec
+++ b/libreswan.spec
@@ -11,19 +11,25 @@
 %global fipscheck_version 1.3.0
 %global buildefence 0
 %global development 0
+%global cavstests 1
 #global prever rc1
 Name: libreswan
 Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
-Version: 3.13
+Version: 3.14
 Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
 License: GPLv2
-Url: https://www.libreswan.org/
-Source: https://download.libreswan.org/%{name}-%{version}%{?prever}.tar.gz
+Url: https://libreswan.org/
+Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
+%if %{cavstests}
+Source10: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
+Source11: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
+Source12: https://download.libreswan.org/cavs/ikev2.fax.bz2
+%endif
 Group: System Environment/Daemons
-BuildRequires: gmp-devel bison flex pkgconfig
-BuildRequires: systemd
+BuildRequires: gmp-devel bison flex redhat-rpm-config pkgconfig
+BuildRequires: systemd systemd-units
 Requires(post): coreutils bash systemd
 Requires(preun): systemd
 Requires(postun): systemd
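Review bot: In the first libreswan.spec hunk, `Source10` to `Source12` sit inside `%if %{cavstests}`, so a source RPM generated with `cavstests` set to 0 would leave the three vector files out and could not later be rebuilt with the tests enabled. Listing the three `SourceNN:` lines unconditionally and keeping only the `%check` section under the conditional avoids that. These files decide whether the build passes, and what pins them is the MD5 entries added to `sources` at the end of this patch. A short comment above the tags saying where the vectors come from and how they were verified would help the next packager.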
@@ -33,9 +39,10 @@ Obsoletes: openswan < %{version}-%{release}
 Provides: openswan = %{version}-%{release}
 Provides: openswan-doc = %{version}-%{release}
-BuildRequires: pkgconfig hostname
-BuildRequires: nss-devel >= 3.14.3, nspr-devel
+BuildRequires: hostname
+BuildRequires: nss-devel >= 3.16.1, nspr-devel
 BuildRequires: pam-devel
+BuildRequires: libevent-devel
 %if %{USE_DNSSEC}
 BuildRequires: unbound-devel
 %endif
@@ -56,8 +63,7 @@ BuildRequires: openldap-devel curl-devel
 %if %{buildefence}
 BuildRequires: ElectricFence
 %endif
-# Only needed if xml man pages are modified and need regeneration
-# BuildRequires: xmlto
+BuildRequires: xmlto
 Requires: nss-tools, nss-softokn
 Requires: iproute >= 2.6.8
@@ -83,15 +89,13 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
 %build
 %if %{buildefence}
- %define efence "-lefence"
+ %global efence "-lefence"
 %endif
 #796683: -fno-strict-aliasing
 %{__make} \
 %if %{development}
- USERCOMPILE="-g -DGCC_LINT %(echo %{optflags} | sed -e s/-O[0-9]*/ /) %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \
-%else
- USERCOMPILE="-g -DGCC_LINT %{optflags} %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \
+ USERCOMPILE="%(echo %{optflags} | sed -e s/-O[0-9]*/ /) %{?efence} -fPIE -pie -fno-strict-aliasing -Wall" \
 %endif
 USERLINK="-g -pie -Wl,-z,relro,-z,now %{?efence}" \
 INITSYSTEM=systemd \
@@ -115,6 +119,7 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
 programs
 FS=$(pwd)
+
 %if %{USE_FIPSCHECK}
 # Add generation of HMAC checksums of the final stripped binaries
 %define __spec_install_post \
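Review bot: In the `%build` hunk (`@@ -83,15 +89,13 @@`), removing the `%else` branch leaves `USERCOMPILE` set only when `%{development}` is true, and the first hunk of this file shows `%global development 0`. A normal build therefore no longer passes `%{optflags}`, `-fPIE -pie` or `-fno-strict-aliasing` on this line, while `USERLINK` still links with `-pie` and full RELRO. Unless those flags arrive through another make variable outside the hunk or through upstream defaults, the shipped binaries lose the distribution's hardening flags. Restoring the branch as `%else` followed by `USERCOMPILE="%{optflags} %{?efence} -fPIE -pie -fno-strict-aliasing" \` keeps them. The development branch also trades `-Wformat-nonliteral -Wformat-security` for `-Wall`, which enables neither, and the make invocation continues past the end of the hunk.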
@@ -141,6 +146,18 @@ FS=$(pwd)
 rm -rf %{buildroot}/usr/share/doc/libreswan
 install -d -m 0755 %{buildroot}%{_localstatedir}/run/pluto
+# used when setting --perpeerlog without --perpeerlogbase
+install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer
+install -d %{buildroot}%{_sbindir}
+
+install -d %{buildroot}%{_sysconfdir}/sysctl.d
+install -m 0644 packaging/fedora/libreswan-sysctl.conf \
+ %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
+
+install -d %{buildroot}%{_tmpfilesdir}
+install -m 0644 packaging/fedora/libreswan-tmpfiles.conf \
+ %{buildroot}%{_tmpfilesdir}/libreswan.conf
+install -d -m 0755 %{buildroot}%{_localstatedir}/run/pluto
 # used when setting --perpeerlog without --perpeerlogbase
 install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer
 install -d %{buildroot}%{_sbindir}
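Review bot: The block added in the `%install` hunk (`@@ -141,6 +146,18 @@`) repeats lines that are already present. `install -d -m 0755 %{buildroot}%{_localstatedir}/run/pluto` now appears both before and at the end of the additions, and the `# used when setting --perpeerlog without --perpeerlogbase` comment with its two `install -d` lines appears twice in a row. This looks like a merge leftover; `install -d` is idempotent, so the build is unaffected, but the duplicates make it harder to audit which mode each directory is created with. Keeping only the sysctl.d and tmpfiles.d additions, each introduced by a one-line comment naming the drop-in it installs, would make the section readable. The `%install` section starts and ends outside the hunk.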
@@ -154,24 +171,54 @@ install -m644 packaging/fedora/libreswan-prelink.conf %{buildroot}%{_sysconfdir}
 echo "include %{_sysconfdir}/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets
 rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
+%if %{cavstests}
+%check
+# There is an elaborate upstream testing infrastructure which we do not
+# run here.
+# We only run the CAVS tests here.
+cp %{SOURCE10} %{SOURCE11} %{SOURCE12} .
+bunzip2 *.fax.bz2
+: starting CAVS test for IKEv2
+OBJ.linux.*/programs/pluto/cavp -v2 ikev2.fax | \
+ diff -u ikev2.fax - > /dev/null
+: starting CAVS test for IKEv1 RSASIG
+OBJ.linux.*/programs/pluto/cavp -v1sig ikev1_dsa.fax | \
+ diff -u ikev1_dsa.fax - > /dev/null
+: starting CAVS test for IKEv1 PSK
+OBJ.linux.*/programs/pluto/cavp -v1psk ikev1_psk.fax | \
+ diff -u ikev1_psk.fax - > /dev/null
+: CAVS tests passed
+%endif
+
+%post
+%systemd_post ipsec.service
+
+%preun
+%systemd_preun ipsec.service
+
+%postun
+%systemd_postun_with_restart ipsec.service
+
 %files
-%doc CHANGES COPYING CREDITS README LICENSE
-%doc docs/*.*
+%doc CHANGES COPYING CREDITS README* LICENSE
+%doc docs/*.* docs/examples
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/pluto
 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
 %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
-%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/cacerts
-%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/crls
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/v6neighbor-hole.conf
 %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
+%attr(0700,root,root) %dir %{_localstatedir}/log/pluto
 %attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
 %attr(0755,root,root) %dir %{_localstatedir}/run/pluto
+%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
 %attr(0644,root,root) %{_unitdir}/ipsec.service
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
 %{_sbindir}/ipsec
 %{_libexecdir}/ipsec
-%doc %{_mandir}/*/*
+%attr(0644,root,root) %doc %{_mandir}/*/*
 %if %{USE_FIPSCHECK}
 %{_libdir}/fipscheck/*.hmac
@@ -180,24 +227,12 @@ rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
 %config(noreplace) %{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
 %endif
-%preun
-%systemd_preun ipsec.service
-
-%postun
-%systemd_postun_with_restart ipsec.service
-
-%post
-%systemd_post ipsec.service
-if [ ! -f %{_sysconfdir}/ipsec.d/cert8.db ] ; then
- TEMPFILE=$(/bin/mktemp %{_sysconfdir}/ipsec.d/nsspw.XXXXXXX)
- [ $? -gt 0 ] && TEMPFILE=%{_sysconfdir}/ipsec.d/nsspw.$$
- echo > ${TEMPFILE}
- certutil -N -f ${TEMPFILE} -d %{_sysconfdir}/ipsec.d
- restorecon %{_sysconfdir}/ipsec.d/*db 2>/dev/null || :
- rm -f ${TEMPFILE}
-fi
-
 %changelog
+* Thu Aug 13 2015 Paul Wouters - 3.14-1
+- Updated to 3.14
+- Include CAVS testing during build
+- Bump nss minimum to 3.16.1
+
 * Mon Jun 01 2015 Paul Wouters - 3.13-1
 - Updated to 3.13 for CVE-2015-3204
diff --git a/sources b/sources
index 82a1f23..0e40e8f 100644
--- a/sources
+++ b/sources
@@ -1 +1,4 @@
-3dd97542c047f34ee0d5f3e61c3a4761 libreswan-3.13.tar.gz
+d8b493de7179635a6ed2a4d0e1b35282 ikev1_dsa.fax.bz2
+c4fe7041300e6c21f4561ce818b5002f ikev1_psk.fax.bz2
+7716c48a1a2b17ba25e89b79889d4004 ikev2.fax.bz2
+da7a410afcfc2673f14f33f69fefca1f libreswan-3.14.tar.gz
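Review bot: In the `%check` section added by the `@@ -154,24 +171,54 @@` hunk, each `cavp` run is piped into `diff -u … - > /dev/null`, so a known-answer mismatch fails the build without showing which vector or value differed. Dropping the redirect, as in `diff -u ikev2.fax -`, keeps the same pass/fail behaviour and leaves the evidence in the build log. The marker `: starting CAVS test for IKEv1 RSASIG` precedes a run on `ikev1_dsa.fax` with `-v1sig`; if that pairing is intended, a comment saying that the signature-mode test uses the DSA vector file would keep it from being read as a mistake. The binary is located through the glob `OBJ.linux.*`, which presumably matches a single build directory.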