libreswan.spec 6.36 KB
ZoeDong authored 2024-09-19 14:39 . Upgrade to 4.15 (Fix CVE-2024-3652)
# Optional build modes. bcond_with declares each one as off by default;
# a build turns one on with "--with efence", "--with development" or
# "--with cavstests".
%bcond_with efence
%bcond_with development
%bcond_with cavstests
# Make variables shared by the build and install sections, so both stages see
# the same feature set. Security-relevant switches set to true here include
# USE_SECCOMP, USE_LIBCAP_NG, USE_LINUX_AUDIT, USE_LABELED_IPSEC and
# USE_DNSSEC; the default DNSSEC root key file is pointed at
# /var/lib/unbound/root.key.
%global libreswan_config \\\
FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
FINALMANDIR=%{_mandir} \\\
PREFIX=%{_prefix} \\\
INITSYSTEM=systemd \\\
SHELL_BINARY=%{_bindir}/sh \\\
USE_DNSSEC=true \\\
USE_LABELED_IPSEC=true \\\
USE_LDAP=true \\\
USE_LIBCAP_NG=true \\\
USE_LIBCURL=true \\\
USE_LINUX_AUDIT=true \\\
USE_NM=true \\\
USE_NSS_IPSEC_PROFILE=true \\\
USE_SECCOMP=true \\\
USE_AUTHPAM=true \\\
DEFAULT_DNSSEC_ROOTKEY_FILE=/var/lib/unbound/root.key \\\
%{nil}
# Package metadata, sources and dependencies.
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
Name: libreswan
Version: 4.15
Release: 1%{?dist}
License: GPL-2.0-or-later
Url: https://github.com/libreswan/libreswan
# NOTE(review): Source0 is the forge-generated tag archive. No detached
# signature or keyring is listed as a Source and the prep section shows no
# verification step, although gnupg2 is a BuildRequires. Confirm the tarball
# is pinned by checksum elsewhere in the packaging repository.
Source0: %{url}/archive/refs/tags/v%{version}.tar.gz
# CAVS test vectors, only needed when the cavstests bcond is enabled.
%if 0%{with cavstests}
Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif
# sysctl drop-in installed by the install section.
Source4: 50-libreswan.conf
BuildRequires: audit-libs-devel bison curl-devel flex gcc gnupg2 hostname ldns-devel
BuildRequires: libcap-ng-devel libevent-devel libseccomp-devel libselinux-devel make
BuildRequires: nspr-devel nss-devel nss-tools openldap-devel pam-devel pkgconfig systemd
BuildRequires: systemd-devel systemd-rpm-macros unbound-devel xmlto
%if 0%{with efence}
BuildRequires: ElectricFence
%endif
Requires: iproute nss nss-softokn nss-tools unbound-libs logrotate procps-ng
# Tools used by the install/uninstall scriptlets.
Requires(post): bash
Requires(post): coreutils
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
%description
Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is the Internet Protocol Security
and uses strong cryptography to provide both authentication and encryption services. These services
allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted
net is encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel.
The resulting tunnel is a virtual private network or VPN.
This package contains the daemons and userland tools for setting up Libreswan.
Libreswan also supports IKEv2 (RFC7296) and Secure Labeling
Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
%prep
%autosetup -n %{name}-%{version} -p1
# Uncomment the template's commented-out
# "include <dir>/crypto-policies/back-ends/libreswan.config" line, presumably
# so the generated ipsec.conf picks up the system-wide crypto policy.
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
# Comment out the ipcheck subdirectory in the testing Makefile. The
# replacement text reads "ipchec" (missing k); this is harmless because the
# resulting line is a comment.
sed -i "s/SUBDIRS += ipcheck/#SUBDIRS += ipchec/" testing/programs/Makefile
%build
# Build only the "programs" target. OPTIMIZE_CFLAGS comes from the distro
# optflags unless the development bcond is on, in which case only the
# hardened cflags macro is used. -Werror stays enabled with four warning
# classes switched off, and the link line requests RELRO and immediate
# binding (-z relro, -z now).
%make_build \
%if 0%{with development}
OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \
%else
OPTIMIZE_CFLAGS="%{optflags}" \
%endif
WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch -Wno-maybe-uninitialized" \
%if 0%{with efence}
USE_EFENCE=true \
%endif
USERLINK="%{?__global_ldflags} -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -flto --no-lto" \
%{libreswan_config} \
programs
# NOTE(review): the make command above ends at "programs" (that line has no
# trailing backslash), so this is a standalone shell assignment and FS is not
# passed to make in this section.
FS=$(pwd)
%install
# Install with the same make variables as the build; here FS is part of the
# make command line because the preceding line is continued.
%make_install \
%{libreswan_config} \
FS=$(pwd)
# Remove /usr/share/doc/libreswan and the *check helpers under the libexec
# ipsec directory from the buildroot, so they are not packaged from there.
rm -rf %{buildroot}/usr/share/doc/libreswan
rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
# Create the pluto runtime directory (mode 0755) and the sbin directory.
install -d -m 0755 %{buildroot}%{_rundir}/pluto
install -d %{buildroot}%{_sbindir}
# Install the sysctl drop-in shipped as Source4.
install -Dm 0644 %{SOURCE4} %{buildroot}%{_sysctldir}/50-libreswan.conf
# Write an ipsec.secrets that contains only an include of ipsec.d/*.secrets,
# so the package itself carries no key material. The files list gives this
# file mode 0600.
echo "include %{_sysconfdir}/ipsec.d/*.secrets" \
> %{buildroot}%{_sysconfdir}/ipsec.secrets
# Remove any SysV rc entries from the buildroot; INITSYSTEM is systemd.
rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
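%check
# The section header sits outside the cavstests conditional. With it inside,
# a default build (cavstests off) had no check section at all and the
# self-tests below ran as the tail of the install stage instead.
%if 0%{with cavstests}
# Optional CAVS vectors: each run pipes the cavp output into diff against the
# reference file; a mismatch gives a non-zero exit and fails the build.
cp %{SOURCE1} %{SOURCE2} %{SOURCE3} .
bunzip2 *.fax.bz2
: starting CAVS test for IKEv2
%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \
diff -u ikev2.fax - > /dev/null
: starting CAVS test for IKEv1 RSASIG
%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \
diff -u ikev1_dsa.fax - > /dev/null
: starting CAVS test for IKEv1 PSK
%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
diff -u ikev1_psk.fax - > /dev/null
: CAVS tests passed
%endif
# Proposal and algorithm parser self-tests run in every build.
%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo proposal test failed; exit 1; }
%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; }
: Algorithm parser tests passed
# Throwaway NSS database and run directory for the pluto self-test. The trap
# removes it on every exit path so repeated builds do not leave directories
# behind under /tmp.
tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
trap 'rm -rf -- "$tmpdir"' EXIT
certutil -N -d "sql:$tmpdir" --empty-password
%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir "$tmpdir" --rundir "$tmpdir"
: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST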
%post
# Standard systemd handling for ipsec.service on install, then apply the
# sysctl settings from the packaged 50-libreswan.conf.
%systemd_post ipsec.service
%sysctl_apply 50-libreswan.conf
%preun
# Standard systemd handling for ipsec.service before package removal.
%systemd_preun ipsec.service
%postun
# The with_restart variant restarts ipsec.service after an upgrade, so the
# updated daemon (for example a security fix) is the one left running.
%systemd_postun_with_restart ipsec.service
%files
%license COPYING LICENSE
%doc CHANGES CREDITS README* docs/*.* docs/examples
# Main configuration is world-readable; the secrets file is root-only (0600).
# Both are noreplace, so local edits survive upgrades.
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
# ipsec.d and its policies directory are root-only (0700); the policy files
# inside are 0644.
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
%attr(0644,root,root) %config(noreplace) %{_sysctldir}/50-libreswan.conf
%attr(0755,root,root) %dir %{_rundir}/pluto
# State directory and the NSS database directory under it are root-only
# (0700).
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec/nss
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
%attr(0644,root,root) %{_unitdir}/ipsec.service
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
# No attr override on the entries below: ownership and mode are taken from
# the files as installed in the buildroot.
%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
%{_sbindir}/ipsec
%{_libexecdir}/ipsec
%doc %{_mandir}/*/*
%changelog
* Thu Sep 19 2024 Miaojun Dong <zoedong@tencent.com> - 4.15-1
- Upgrade to 4.15 (Fix CVE-2024-3652)
* Fri Aug 16 2024 OpenCloudOS Release Engineering <releng@opencloudos.tech> - 4.14-2
- Rebuilt for loongarch release
* Mon Mar 25 2024 wynnfeng <wynnfeng@tencent.com> - 4.14-1
- upgrade to 4.14 and fix CVE-2024-2357
* Thu Oct 12 2023 Miaojun Dong <zoedong@tencent.com> - 4.12-3
- Rebuild for curl-8.4.0
* Fri Sep 08 2023 OpenCloudOS Release Engineering <releng@opencloudos.tech> - 4.12-2
- Rebuilt for OpenCloudOS Stream 23.09
* Mon Sep 4 2023 Shuo Wang <abushwang@tencent.com> - 4.12-1
- update to 4.12
* Fri Apr 28 2023 OpenCloudOS Release Engineering <releng@opencloudos.tech> - 4.9-3
- Rebuilt for OpenCloudOS Stream 23.05
* Fri Mar 31 2023 OpenCloudOS Release Engineering <releng@opencloudos.tech> - 4.9-2
- Rebuilt for OpenCloudOS Stream 23
* Tue Nov 29 2022 Shuo Wang <abushwang@tencent.com> - 4.9-1
- initial build