%global USE_FIPSCHECK true
%global USE_LIBCAP_NG true
%global USE_LABELED_IPSEC true
%global USE_CRL_FETCHING true
%global USE_DNSSEC true
%global USE_NM true
%global USE_LINUX_AUDIT true
%global fipscheck_version 1.2.0-1
%global buildefence 0
%global development 0
#global prever rc1
Name: libreswan
Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
Version: 3.12libevent
Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
License: GPLv2
Url: https://www.libreswan.org/
Source: https://download.libreswan.org/%{name}-%{version}%{?prever}.tar.gz
Group: System Environment/Daemons
BuildRequires: gmp-devel bison flex redhat-rpm-config pkgconfig libevent2-devel
Requires(post): coreutils bash
Requires(preun): initscripts chkconfig
Requires(post): /sbin/chkconfig
Requires(preun): /sbin/chkconfig
Requires(preun): /sbin/service
Conflicts: openswan < %{version}-%{release}
Obsoletes: openswan < %{version}-%{release}
Provides: openswan = %{version}-%{release}
Provides: openswan-doc = %{version}-%{release}
BuildRequires: pkgconfig net-tools
BuildRequires: nss-devel >= 3.14.3, nspr-devel
BuildRequires: pam-devel
%if %{USE_DNSSEC}
BuildRequires: unbound-devel
%endif
%if %{USE_FIPSCHECK}
# we need fipshmac
BuildRequires: fipscheck-devel >= %{fipscheck_version}
Requires: fipscheck%{_isa} >= %{fipscheck_version}
%endif
%if %{USE_LINUX_AUDIT}
Buildrequires: audit-libs-devel
%endif
%if %{USE_LIBCAP_NG}
BuildRequires: libcap-ng-devel
%endif
%if %{USE_CRL_FETCHING}
BuildRequires: openldap-devel curl-devel
%endif
%if %{buildefence}
BuildRequires: ElectricFence
%endif
# Only needed if xml man pages are modified and need regeneration
BuildRequires: xmlto
Requires: nss-tools, nss-softokn
Requires: iproute >= 2.6.8
%description
Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is
the Internet Protocol Security and uses strong cryptography to provide
both authentication and encryption services. These services allow you
to build secure tunnels through untrusted networks. Everything passing
through the untrusted net is encrypted by the ipsec gateway machine and
decrypted by the gateway at the other end of the tunnel. The resulting
tunnel is a virtual private network or VPN.
This package contains the daemons and userland tools for setting up
Libreswan. To build KLIPS, see the kmod-libreswan.spec file.
Libreswan also supports IKEv2 (RFC4309) and Secure Labeling
Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
%prep
%setup -q -n libreswan-%{version}%{?prever}
# remove man page for ipsec.conf so it is forced to regenerate
rm ./programs/configs/ipsec.conf.5
%build
%if %{buildefence}
%global efence "-lefence"
%endif
#796683: -fno-strict-aliasing
%{__make} \
%if %{development}
USERCOMPILE="-g -DGCC_LINT %(echo %{optflags} | sed -e s/-O[0-9]*/ /) %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \
%else
USERCOMPILE="-g -DGCC_LINT %{optflags} %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \
%endif
INITSYSTEM=sysvinit \
USERLINK="-g -pie -Wl,-z,relro,-z,now %{?efence}" \
USE_NM=%{USE_NM} \
USE_XAUTHPAM=true \
USE_FIPSCHECK=%{USE_FIPSCHECK} \
FIPSPRODUCTCHECK="%{_sysconfdir}/system-fips" \
USE_LIBCAP_NG=%{USE_LIBCAP_NG} \
USE_LABELED_IPSEC=%{USE_LABELED_IPSEC} \
USE_LDAP=%{USE_CRL_FETCHING} \
USE_LIBCURL=%{USE_CRL_FETCHING} \
USE_DNSSEC=%{USE_DNSSEC} \
INC_USRLOCAL=%{_prefix} \
FINALLIBEXECDIR=%{_libexecdir}/ipsec \
MANTREE=%{_mandir} \
INC_RCDEFAULT=%{_initrddir} \
programs
FS=$(pwd)
%if %{USE_FIPSCHECK}
# Add generation of HMAC checksums of the final stripped binaries
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
fipshmac %{buildroot}%{_sbindir}/ipsec \
fipshmac %{buildroot}%{_libexecdir}/ipsec/* \
%{nil}
%endif
%install
rm -rf %{buildroot}
%{__make} \
DESTDIR=%{buildroot} \
INITSYSTEM=sysvinit \
INC_USRLOCAL=%{_prefix} \
FINALLIBEXECDIR=%{_libexecdir}/ipsec \
MANTREE=%{buildroot}%{_mandir} \
INC_RCDEFAULT=%{_initrddir} \
INSTMANFLAGS="-m 644" \
install
FS=$(pwd)
rm -rf %{buildroot}/usr/share/doc/libreswan
install -d -m 0755 %{buildroot}%{_localstatedir}/run/pluto
# used when setting --perpeerlog without --perpeerlogbase
install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer
install -d %{buildroot}%{_sbindir}
# replace with rhel[56] specific version
install -m 0755 initsystems/sysvinit/init.rhel %{buildroot}%{_initrddir}/ipsec
echo "include %{_sysconfdir}/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets
rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
%files
%doc CHANGES COPYING CREDITS README* LICENSE
%doc docs/*.* docs/examples
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/pluto
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/cacerts
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/crls
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
%attr(0755,root,root) %dir %{_localstatedir}/run/pluto
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
%{_initrddir}/ipsec
%{_libexecdir}/ipsec
%{_sbindir}/ipsec
%attr(0644,root,root) %{_mandir}/*/*.gz
%if %{USE_FIPSCHECK}
%{_sbindir}/.ipsec.hmac
%endif
%preun
if [ $1 -eq 0 ]; then
/sbin/service ipsec stop > /dev/null 2>&1 || :
/sbin/chkconfig --del ipsec
fi
%postun
if [ $1 -ge 1 ] ; then
/sbin/service ipsec condrestart 2>&1 >/dev/null || :
fi
%post
/sbin/chkconfig --add ipsec || :
%if %{USE_FIPSCHECK}
prelink -u %{_libexecdir}/ipsec/* 2>/dev/null || :
%endif
if [ ! -f %{_sysconfdir}/ipsec.d/cert8.db -a \
! -f %{_sysconfdir}/ipsec.d/cert9.db ] ; then
certutil -N -d %{_sysconfdir}/ipsec.d --empty-password
restorecon %{_sysconfdir}/ipsec.d/*db 2>/dev/null || :
fi
%changelog
* Tue Jan 01 2013 Team Libreswan <team@libreswan.org> - 3.12libevent-1
- Automated build from release tar ball