From f742a55ad3fd6457027b700ba91274172b8318a8 Mon Sep 17 00:00:00 2001
From: Giovanni Mariani
Date: Thu, 12 Oct 2017 20:18:32 +0200
Subject: [PATCH] Updated to release 5.6.0, update configure options, updated file lists and added S100 to kill a boatload of wrong rpmlint output
---
 .abf.yml | 2 +-
 strongswan.rpmlintrc | 13 ++++++++
 strongswan.spec | 71 +++++++++++++++++++++++++++-----------------
 3 files changed, 58 insertions(+), 28 deletions(-)
 create mode 100644 strongswan.rpmlintrc
diff --git a/.abf.yml b/.abf.yml
index 8ffda65..6b75c64 100644
--- a/.abf.yml
+++ b/.abf.yml
@@ -1,2 +1,2 @@
 sources:
- strongswan-5.5.0.tar.bz2: d76306a48f622ec4212413fa93dd858675ebf267
+ strongswan-5.6.0.tar.bz2: 97c1658791a13776c5d588649c2c8304f51f2a9f
diff --git a/strongswan.rpmlintrc b/strongswan.rpmlintrc
new file mode 100644
index 0000000..7dd8612
--- /dev/null
+++ b/strongswan.rpmlintrc
@@ -0,0 +1,13 @@
+# For /etc/strongswan, /etc/strongswan/ipsec.d and the dirs
+# below the latter, actually we marked them as "0700".
+# The build process marked /etc/strongswan/swanctl and the dirs
+# below as "0750": perhaps also this is OK...
+addFilter("E: non-standard-dir-perm")
+
+# Security-related files: so it is OK
+# be not readable by the world
+addFilter("E: non-readable")
+
+# Sorry: all the files flagged with this warning
+# are really config files
+addFilter("W: non-conffile-in-etc")
diff --git a/strongswan.spec b/strongswan.spec
index 8185b82..959c6ab 100644
--- a/strongswan.spec
+++ b/strongswan.spec
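Review bot: The three `addFilter` patterns in strongswan.rpmlintrc match on the check name alone, so they silence `non-standard-dir-perm`, `non-readable` and `non-conffile-in-etc` for every path in every subpackage, not only for the directories the comments describe. A later packaging mistake, such as an unreadable binary or a new unmarked file under /etc, would then pass rpmlint unnoticed. Anchoring each pattern to the intended paths keeps the checks live everywhere else, for example `addFilter("E: non-readable /etc/strongswan/")` and `addFilter("E: non-standard-dir-perm /etc/strongswan")`. The first comment also leaves the 0750 mode on the swanctl tree as "perhaps OK"; since that tree typically holds key material, the intended mode should be decided and stated rather than filtered.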
@@ -1,24 +1,25 @@ -#%%define Werror_cflags %nil -%define _disable_ld_no_undefined 1 +#%%define Werror_cflags %%nil +%define _disable_ld_no_undefined 1 %bcond_without nm Summary: IPSEC implementation Name: strongswan -Version: 5.5.0 -Release: 5 +Version: 5.6.0 +Release: 1 License: GPLv2+ Group: System/Servers Url: https://www.strongswan.org/ Source0: http://download.strongswan.org/%{name}-%{version}.tar.bz2 +Source100: %{name}.rpmlintrc BuildRequires: gettext-devel -BuildRequires: gmp-devel +BuildRequires: gmp-devel >= 4.1.4 BuildRequires: openldap-devel BuildRequires: trousers-devel BuildRequires: pkgconfig(libcurl) BuildRequires: pkgconfig(libxml-2.0) BuildRequires: pkgconfig(openssl) -BuildRequires: pkgconfig(sqlite3) +BuildRequires: pkgconfig(sqlite3) >= 3.3.1 BuildRequires: pkgconfig(systemd) %if %{with nm} BuildRequires: pkgconfig(NetworkManager) 
@@ -26,25 +27,27 @@ BuildRequires: pkgconfig(libnm-glib-vpn) BuildRequires: pkgconfig(libnm-util) BuildRequires: pkgconfig(libnm-glib) %endif +Requires(post,preun): rpm-helper %description -FreeS/WAN is a free implementation of IPSEC & IKE for Linux. IPSEC is -the Internet Protocol Security and uses strong cryptography to provide -both authentication and encryption services. These services allow you -to build secure tunnels through untrusted networks. Everything passing -through the untrusted net is encrypted by the ipsec gateway machine and -decrypted by the gateway at the other end of the tunnel. The resulting -tunnel is a virtual private network or VPN. - -This package contains the daemons and userland tools for setting up -FreeS/WAN on a freeswan enabled kernel. +FreeS/WAN is a free implementation of IPSEC & IKE for Linux. IPSEC is the +Internet Protocol Security and uses strong cryptography to provide both +authentication and encryption services. These services allow you to build +secure tunnels through untrusted networks. Everything passing through the +untrusted net is encrypted by the ipsec gateway machine and decrypted by the +gateway at the other end of the tunnel. The resulting tunnel is a virtual +private network or VPN. +This package contains the daemons and userland tools for setting up FreeS/WAN +on a freeswan enabled kernel. %files %doc README COPYING NEWS TODO %dir %{_sysconfdir}/%{name} %{_sysconfdir}/%{name}/ipsec.d/ %config(noreplace) %{_sysconfdir}/%{name}/ipsec.conf +%config(noreplace) %{_sysconfdir}/%{name}/ipsec.secrets %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf +%{_sysconfdir}/dbus-1/system.d/nm-%{name}-service.conf %{_unitdir}/%{name}.service %{_sysconfdir}/%{name}/%{name}.d %{_sysconfdir}/%{name}/swanctl 
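Review bot: The new `%config(noreplace) %{_sysconfdir}/%{name}/ipsec.secrets` entry carries no `%attr`, so the packaged mode and owner of the file that holds pre-shared keys and private-key passphrases are whatever `make install` left in the buildroot. The `chmod 700` on %{_sysconfdir}/%{name} in %install shields it today, but that is a single layer set in a different section of the spec. Pinning it in the file list makes the intent explicit and survives upstream install changes: `%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/%{name}/ipsec.secrets`.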
@@ -69,6 +72,7 @@ FreeS/WAN on a freeswan enabled kernel. %{_libdir}/%{name}/plugins/lib%{name}-attr.so %{_libdir}/%{name}/plugins/lib%{name}-cmac.so %{_libdir}/%{name}/plugins/lib%{name}-constraints.so +%{_libdir}/%{name}/plugins/lib%{name}-curve25519.so %{_libdir}/%{name}/plugins/lib%{name}-des.so %{_libdir}/%{name}/plugins/lib%{name}-dnskey.so %{_libdir}/%{name}/plugins/lib%{name}-fips-prf.so @@ -110,6 +114,7 @@ FreeS/WAN on a freeswan enabled kernel. %{_libdir}/%{name}/plugins/lib%{name}-curl.so %{_libdir}/%{name}/plugins/lib%{name}-eap-identity.so %{_libdir}/%{name}/plugins/lib%{name}-vici.so +%{_libdir}/%{name}/plugins/lib%{name}-systime-fix.so %dir %{_libexecdir}/%{name} %{_libexecdir}/%{name}/_copyright %{_libexecdir}/%{name}/_updown @@ -119,10 +124,11 @@ FreeS/WAN on a freeswan enabled kernel. %{_libexecdir}/%{name}/stroke %{_libexecdir}/%{name}/_imv_policy %{_libexecdir}/%{name}/imv_policy_manager -%{_libexecdir}/%{name}/pt-tls-client +#{_libexecdir}/%%{name}/pt-tls-client %{_sbindir}/%{name} %{_sbindir}/swanctl %{_bindir}/pki +%{_bindir}/pt-tls-client %{_mandir}/man5/%{name}.conf.5.* %{_mandir}/man1/%{name}*.1.* %{_mandir}/man5/%{name}_ipsec.conf.5.* @@ -138,8 +144,8 @@ FreeS/WAN on a freeswan enabled kernel. %preun %_preun_service %{name} -#%postun -#%_postun_userdel strongswan +#%%postun +#%%_postun_userdel strongswan #---------------------------------------------------------------------------- @@ -172,6 +178,7 @@ IMC/IMV dynamic libraries can be used by any third party TNC Client/Server implementation possessing a standard IF-IMC/IMV interface. %files tnc-imcvs +%doc COPYING %{_libdir}/%{name}/libimcv.so.0 %{_libdir}/%{name}/libimcv.so.0.0.0 %{_libdir}/%{name}/libtnccs.so.0 @@ -225,7 +232,6 @@ automake --add-missing --copy --with-ipsecdir=%{_libexecdir}/%{name} \ --with-ipseclibdir=%{_libdir}/%{name} \ --with-fips-mode=2 \ - --with-tss=trousers \ --enable-openssl \ --enable-md4 \ --enable-xauth-eap \ 
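Review bot: In the `@@ -119,10 +124,11 @@` hunk the old pt-tls-client entry is left behind as `#{_libexecdir}/%%{name}/pt-tls-client`, a commented-out line that is neither a valid path macro nor an explanation. The binary is now listed as `%{_bindir}/pt-tls-client`, so the dead line can simply be dropped. If the move is worth recording, a plain comment such as `# pt-tls-client is installed in %%{_bindir} by this release` says it directly.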
@@ -254,9 +260,11 @@ automake --add-missing --copy --enable-tnccs-dynamic \ --enable-tnc-imc \ --enable-tnc-imv \ + --enable-tss-trousers \ --enable-eap-radius \ --enable-curl \ --enable-eap-identity \ + --enable-systime-fix \ %if %{with nm} --enable-nm \ %endif @@ -264,20 +272,25 @@ automake --add-missing --copy %make sed -i 's/\t/ /' src/starter/ipsec.conf + %install %makeinstall_std -# prefix man pages + +# Prefix man pages for i in %{buildroot}%{_mandir}/*/*; do - if echo "$i" | grep -vq '/%{name}[^\/]*$'; then - mv "$i" "`echo "$i" | sed -re 's|/([^/]+)$|/%{name}_\1|'`" - fi + if echo "$i" | grep -vq '/%{name}[^\/]*$'; then + mv "$i" "`echo "$i" | sed -re 's|/([^/]+)$|/%{name}_\1|'`" + fi done -# delete unwanted library files + +# Delete unwanted library files rm %{buildroot}%{_libdir}/%{name}/*.so find %{buildroot} -type f -name '*.la' -delete -# fix config permissions + +# Fix config permissions chmod 644 %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf -# protect configuration from ordinary user's eyes + +# Protect configuration from ordinary user's eyes chmod 700 %{buildroot}%{_sysconfdir}/%{name} # Create ipsec.d directory tree. @@ -286,3 +299,7 @@ for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do install -d -m 700 %{buildroot}%{_sysconfdir}/%{name}/ipsec.d/${i} done +# Put a conf file in the right spot +mkdir -p %{buildroot}%{_sysconfdir}/dbus-1/system.d/ +mv %{buildroot}%{_sysconfdir}/%{name}/dbus-1/system.d/nm-%{name}-service.conf %{buildroot}%{_sysconfdir}/dbus-1/system.d/ +rm -rf %{buildroot}%{_sysconfdir}/%{name}/dbus-1/
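Review bot: `--enable-systime-fix` in the `@@ -254,9 +260,11 @@` hunk builds a plugin whose purpose, as far as I know, is to relax certificate lifetime checks while the system clock is considered invalid, and the matching `lib%{name}-systime-fix.so` entry puts it in the main package, so it is installed on every host. It should stay inert unless a threshold is configured, but nothing in the spec records why a general-purpose build needs it. Either add a comment above the configure call, e.g. `# systime-fix: for hosts without an RTC; inactive unless charon.plugins.systime-fix.threshold is set`, or move the .so into its own subpackage so that it is opt-in.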
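Review bot: The `mv` of `nm-%{name}-service.conf` added in the `@@ -286,3 +299,7 @@` hunk runs unconditionally, but the file is presumably only installed when `--enable-nm` is passed, which the spec does under `%if %{with nm}`. A `--without nm` build would then fail at the `mv`, and again at the unguarded `%{_sysconfdir}/dbus-1/system.d/nm-%{name}-service.conf` entry added to %files in the `@@ -26,25 +27,27 @@` hunk. Wrapping the three commands and the %files line in `%if %{with nm}` … `%endif` keeps the bcond usable. Because this is a system-bus policy file, installing it with `install -D -m 0644` instead of `mkdir`/`mv` would also pin its mode.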