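# RPM packaging metadata for strongSwan (IKE/IPsec daemon and tools).
# The "nm" build conditional is on by default and pulls in the NetworkManager
# build dependencies below; build with "--without nm" to leave them out.

#%%define Werror_cflags %%nil
%define _disable_ld_no_undefined 1
%bcond_without nm

Summary:	IPSEC implementation
Name:		strongswan
Version:	5.7.2
Release:	1
License:	GPLv2+
Group:		System/Servers
Url:		https://www.strongswan.org/
# Fetch the release tarball over HTTPS rather than plain HTTP so the download
# cannot be altered in transit. Transport security does not replace checking
# the tarball against the detached signature upstream publishes for releases;
# do that before importing a new version.
Source0:	https://download.strongswan.org/%{name}-%{version}.tar.bz2
Patch1:		strongswan-5.6.0-uintptr_t.patch
# NOTE(review): this security patch carries a 5.6.2 file name but is applied
# to a newer source version. Confirm against the upstream changelog whether
# the packaged release already contains the fix; drop the patch if it does,
# and re-verify that it still applies to the vulnerable code if it does not.
Patch3:		strongswan-5.6.2-CVE-2018-5388.patch
Source100:	%{name}.rpmlintrc
BuildRequires:	gettext-devel
BuildRequires:	gmp-devel >= 4.1.4
BuildRequires:	openldap-devel
BuildRequires:	trousers-devel
BuildRequires:	pkgconfig(libcurl)
BuildRequires:	pkgconfig(libxml-2.0)
BuildRequires:	pkgconfig(openssl)
BuildRequires:	pkgconfig(sqlite3) >= 3.3.1
BuildRequires:	pkgconfig(systemd)
%if %{with nm}
BuildRequires:	pkgconfig(NetworkManager)
BuildRequires:	pkgconfig(libnm-glib-vpn)
BuildRequires:	pkgconfig(libnm-util)
BuildRequires:	pkgconfig(libnm-glib)
BuildRequires:	pkgconfig(libnm)
%endif
Requires(post,preun):	rpm-helper

# NOTE(review): the description below still names FreeS/WAN although the
# package ships strongSwan; refresh the wording when the text is next touched.
%description
FreeS/WAN is a free implementation of IPSEC & IKE for Linux. IPSEC is
the Internet Protocol Security and uses strong cryptography to provide
both authentication and encryption services. These services allow you
to build secure tunnels through untrusted networks. Everything passing
through the untrusted net is encrypted by the ipsec gateway machine and
decrypted by the gateway at the other end of the tunnel. The resulting
tunnel is a virtual private network or VPN. This package contains the
daemons and userland tools for setting up FreeS/WAN on a freeswan
enabled kernel.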
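# File manifest of the main package: configuration, shared libraries, crypto
# and protocol plugins, helper binaries and man pages.
%files
%doc README COPYING NEWS TODO
%dir %{_sysconfdir}/%{name}
%{_sysconfdir}/%{name}/ipsec.d/
%config(noreplace) %{_sysconfdir}/%{name}/ipsec.conf
# The secrets file holds authentication material (shared secrets, private key
# references). Owner and mode are pinned here so the packaged file does not
# depend on the mode chosen by the upstream install step or the build umask.
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/%{name}/ipsec.secrets
%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
# The D-Bus policy file is moved into place by the install section only for
# NetworkManager-enabled builds, so it is listed under the same conditional.
%if %{with nm}
%{_sysconfdir}/dbus-1/system.d/nm-%{name}-service.conf
%endif
%{_unitdir}/%{name}.service
%{_sysconfdir}/%{name}/%{name}.d
%{_sysconfdir}/%{name}/swanctl
%{_datadir}/%{name}/templates/config/plugins/*.conf
%{_datadir}/%{name}/templates/config/%{name}.conf
%{_datadir}/%{name}/templates/config/%{name}.d/*.conf
%{_datadir}/%{name}/templates/database/imv/*.sql
%{_libdir}/%{name}/libcharon.so.0
%{_libdir}/%{name}/libcharon.so.0.0.0
%{_libdir}/%{name}/libtls.so.0
%{_libdir}/%{name}/libtls.so.0.0.0
%{_libdir}/%{name}/libpttls.so.0
%{_libdir}/%{name}/libpttls.so.0.0.0
%{_libdir}/%{name}/libtpmtss.so.0
%{_libdir}/%{name}/libtpmtss.so.0.0.0
%{_libdir}/%{name}/lib%{name}.so.0
%{_libdir}/%{name}/lib%{name}.so.0.0.0
%{_libdir}/%{name}/libvici.so.0
%{_libdir}/%{name}/libvici.so.0.0.0
%dir %{_libdir}/%{name}/plugins
%{_libdir}/%{name}/plugins/lib%{name}-aes.so
%{_libdir}/%{name}/plugins/lib%{name}-attr.so
%{_libdir}/%{name}/plugins/lib%{name}-cmac.so
%{_libdir}/%{name}/plugins/lib%{name}-constraints.so
%{_libdir}/%{name}/plugins/lib%{name}-counters.so
%{_libdir}/%{name}/plugins/lib%{name}-curve25519.so
%{_libdir}/%{name}/plugins/lib%{name}-des.so
%{_libdir}/%{name}/plugins/lib%{name}-dnskey.so
%{_libdir}/%{name}/plugins/lib%{name}-fips-prf.so
%{_libdir}/%{name}/plugins/lib%{name}-gmp.so
%{_libdir}/%{name}/plugins/lib%{name}-hmac.so
%{_libdir}/%{name}/plugins/lib%{name}-kernel-netlink.so
%{_libdir}/%{name}/plugins/lib%{name}-md5.so
%{_libdir}/%{name}/plugins/lib%{name}-mgf1.so
%{_libdir}/%{name}/plugins/lib%{name}-nonce.so
%{_libdir}/%{name}/plugins/lib%{name}-openssl.so
%{_libdir}/%{name}/plugins/lib%{name}-pem.so
%{_libdir}/%{name}/plugins/lib%{name}-pgp.so
%{_libdir}/%{name}/plugins/lib%{name}-pkcs1.so
%{_libdir}/%{name}/plugins/lib%{name}-pkcs8.so
%{_libdir}/%{name}/plugins/lib%{name}-pkcs12.so
%{_libdir}/%{name}/plugins/lib%{name}-rc2.so
%{_libdir}/%{name}/plugins/lib%{name}-sshkey.so
%{_libdir}/%{name}/plugins/lib%{name}-pubkey.so
%{_libdir}/%{name}/plugins/lib%{name}-random.so
%{_libdir}/%{name}/plugins/lib%{name}-resolve.so
%{_libdir}/%{name}/plugins/lib%{name}-revocation.so
%{_libdir}/%{name}/plugins/lib%{name}-sha1.so
%{_libdir}/%{name}/plugins/lib%{name}-sha2.so
%{_libdir}/%{name}/plugins/lib%{name}-socket-default.so
%{_libdir}/%{name}/plugins/lib%{name}-stroke.so
%{_libdir}/%{name}/plugins/lib%{name}-updown.so
%{_libdir}/%{name}/plugins/lib%{name}-x509.so
%{_libdir}/%{name}/plugins/lib%{name}-xauth-generic.so
%{_libdir}/%{name}/plugins/lib%{name}-xauth-eap.so
%{_libdir}/%{name}/plugins/lib%{name}-xcbc.so
%{_libdir}/%{name}/plugins/lib%{name}-md4.so
%{_libdir}/%{name}/plugins/lib%{name}-eap-md5.so
%{_libdir}/%{name}/plugins/lib%{name}-eap-gtc.so
%{_libdir}/%{name}/plugins/lib%{name}-eap-tls.so
%{_libdir}/%{name}/plugins/lib%{name}-eap-ttls.so
%{_libdir}/%{name}/plugins/lib%{name}-eap-peap.so
%{_libdir}/%{name}/plugins/lib%{name}-eap-mschapv2.so
%{_libdir}/%{name}/plugins/lib%{name}-farp.so
%{_libdir}/%{name}/plugins/lib%{name}-dhcp.so
%{_libdir}/%{name}/plugins/lib%{name}-curl.so
%{_libdir}/%{name}/plugins/lib%{name}-eap-identity.so
%{_libdir}/%{name}/plugins/lib%{name}-vici.so
%{_libdir}/%{name}/plugins/lib%{name}-systime-fix.so
%dir %{_libexecdir}/%{name}
%{_libexecdir}/%{name}/_copyright
%{_libexecdir}/%{name}/_updown
%{_libexecdir}/%{name}/charon
%{_libexecdir}/%{name}/scepclient
%{_libexecdir}/%{name}/starter
%{_libexecdir}/%{name}/stroke
%{_libexecdir}/%{name}/_imv_policy
%{_libexecdir}/%{name}/imv_policy_manager
#{_libexecdir}/%%{name}/pt-tls-client
%{_sbindir}/%{name}
%{_sbindir}/swanctl
%{_bindir}/pki
%{_bindir}/pt-tls-client
%{_mandir}/man5/%{name}.conf.5.*
%{_mandir}/man1/%{name}*.1.*
%{_mandir}/man5/%{name}_ipsec.conf.5.*
%{_mandir}/man5/%{name}_ipsec.secrets.5.*
%{_mandir}/man5/%{name}_swanctl.conf.5.*
%{_mandir}/man8/%{name}.8.*
%{_mandir}/man8/%{name}_scepclient.8.*
%{_mandir}/man8/%{name}_swanctl.8.*

# Service registration and removal are delegated to the rpm-helper macros.
%post
%_post_service %{name}

%preun
%_preun_service %{name}

#%%postun
#%%_postun_userdel strongswan

#----------------------------------------------------------------------------

# Optional subpackage, built only when the NetworkManager conditional is on.
%if %{with nm}
%package charon-nm
Summary:	NetworkManager plugin for Strongswan
Group:		System/Servers

%description charon-nm
NetworkManager plugin integrates a subset of Strongswan capabilities
to NetworkManager.

%files charon-nm
%doc COPYING
%{_libexecdir}/%{name}/charon-nm
%endif

#----------------------------------------------------------------------------

# Trusted Network Connect components; tied to the exact main package version.
%package tnc-imcvs
Summary:	Trusted network connect (TNC)'s IMC/IMV functionality
Group:		System/Servers
Requires:	%{name} = %{version}

%description tnc-imcvs
This package provides Trusted Network Connect's (TNC) IMC and IMV
functionality. Specifically it includes PTS based IMC/IMV for TPM based
remote attestation and scanner and test IMCs and IMVs. The Strongswan's
IMC/IMV dynamic libraries can be used by any third party TNC
Client/Server implementation possessing a standard IF-IMC/IMV interface.

%files tnc-imcvs
%doc COPYING
%{_libdir}/%{name}/libimcv.so.0
%{_libdir}/%{name}/libimcv.so.0.0.0
%{_libdir}/%{name}/libtnccs.so.0
%{_libdir}/%{name}/libtnccs.so.0.0.0
%{_libdir}/%{name}/libradius.so.0
%{_libdir}/%{name}/libradius.so.0.0.0
%dir %{_libdir}/%{name}/imcvs
%{_libdir}/%{name}/imcvs/imc-attestation.so
%{_libdir}/%{name}/imcvs/imc-scanner.so
%{_libdir}/%{name}/imcvs/imc-test.so
%{_libdir}/%{name}/imcvs/imc-os.so
%{_libdir}/%{name}/imcvs/imv-attestation.so
%{_libdir}/%{name}/imcvs/imv-scanner.so
%{_libdir}/%{name}/imcvs/imv-test.so
%{_libdir}/%{name}/imcvs/imv-os.so
%dir %{_libdir}/%{name}/plugins
%{_libdir}/%{name}/plugins/lib%{name}-pkcs7.so
%{_libdir}/%{name}/plugins/lib%{name}-sqlite.so
%{_libdir}/%{name}/plugins/lib%{name}-eap-tnc.so
%{_libdir}/%{name}/plugins/lib%{name}-tnc-imc.so
%{_libdir}/%{name}/plugins/lib%{name}-tnc-imv.so
%{_libdir}/%{name}/plugins/lib%{name}-tnc-tnccs.so
%{_libdir}/%{name}/plugins/lib%{name}-tnccs-20.so
%{_libdir}/%{name}/plugins/lib%{name}-tnccs-11.so
%{_libdir}/%{name}/plugins/lib%{name}-tnccs-dynamic.so
%{_libdir}/%{name}/plugins/lib%{name}-eap-radius.so
%{_libdir}/%{name}/plugins/lib%{name}-tnc-ifmap.so
%{_libdir}/%{name}/plugins/lib%{name}-tnc-pdp.so
%dir %{_libexecdir}/%{name}
%{_libexecdir}/%{name}/attest

#----------------------------------------------------------------------------

%prep
%setup -q
%patch1 -p1
%patch3 -p1

%build
# Regenerate the autotools files before configuring.
libtoolize --install --copy --force --automake
aclocal -I m4
autoconf
autoheader
automake --add-missing --copy
%serverbuild
# The plugin set below includes legacy methods (MD4, EAP-MD5, EAP-MSCHAPv2).
# Building a plugin only makes it available: which algorithms and
# authentication methods are actually offered is decided by the connection
# configuration, so restrict them there.
# NOTE(review): confirm the intended meaning of the fips-mode value against
# the upstream configure help for this release.
# The blank line after the argument list is required: the last argument ends
# with a line continuation.
%configure2_5x \
    --disable-static \
    --with-ipsec-script=%{name} \
    --sysconfdir=%{_sysconfdir}/%{name} \
    --with-ipsecdir=%{_libexecdir}/%{name} \
    --with-ipseclibdir=%{_libdir}/%{name} \
    --with-fips-mode=2 \
    --enable-openssl \
    --enable-md4 \
    --enable-xauth-eap \
    --enable-eap-md5 \
    --enable-eap-gtc \
    --enable-eap-tls \
    --enable-eap-ttls \
    --enable-eap-peap \
    --enable-eap-mschapv2 \
    --enable-farp \
    --enable-dhcp \
    --enable-sqlite \
    --enable-tnc-ifmap \
    --enable-tnc-pdp \
    --enable-imc-test \
    --enable-imv-test \
    --enable-imc-scanner \
    --enable-imv-scanner \
    --enable-imc-attestation \
    --enable-imv-attestation \
    --enable-imv-os \
    --enable-imc-os \
    --enable-eap-tnc \
    --enable-tnccs-20 \
    --enable-tnccs-11 \
    --enable-tnccs-dynamic \
    --enable-tnc-imc \
    --enable-tnc-imv \
    --enable-tss-trousers \
    --enable-eap-radius \
    --enable-curl \
    --enable-eap-identity \
    --enable-systime-fix \
%if %{with nm}
    --enable-nm \
%endif

%make

sed -i 's/\t/ /' src/starter/ipsec.conf

%install
%makeinstall_std

# Prefix man pages whose file name does not already start with the package
# name, so they do not clash with pages from other IPsec packages.
for i in %{buildroot}%{_mandir}/*/*; do
    if echo "$i" | grep -vq '/%{name}[^\/]*$'; then
        mv "$i" "$(echo "$i" | sed -re 's|/([^/]+)$|/%{name}_\1|')"
    fi
done

# Delete unwanted library files
rm %{buildroot}%{_libdir}/%{name}/*.so
find %{buildroot} -type f -name '*.la' -delete

# Fix config permissions
# NOTE(review): plugin settings in this file can include secrets; with mode
# 644 the 0700 parent directory set below is the only thing keeping local
# users out, so keep these two chmod lines together.
chmod 644 %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf

# Protect configuration from ordinary user's eyes
chmod 700 %{buildroot}%{_sysconfdir}/%{name}

# Create ipsec.d directory tree; every level is root-only because it holds
# certificates, CRLs and private keys.
install -d -m 700 %{buildroot}%{_sysconfdir}/%{name}/ipsec.d
for i in aacerts acerts certs cacerts crls ocspcerts private reqs; do
    install -d -m 700 %{buildroot}%{_sysconfdir}/%{name}/ipsec.d/${i}
done

# Put the NetworkManager D-Bus policy file in the system-wide location. The
# move is done only for NetworkManager-enabled builds, matching the
# conditional entry in the file list, so a build with the plugin disabled
# does not fail on a missing source file.
%if %{with nm}
mkdir -p %{buildroot}%{_sysconfdir}/dbus-1/system.d/
mv %{buildroot}%{_sysconfdir}/%{name}/dbus-1/system.d/nm-%{name}-service.conf %{buildroot}%{_sysconfdir}/dbus-1/system.d/
%endif
rm -rf %{buildroot}%{_sysconfdir}/%{name}/dbus-1/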