libreswan/libreswan.spec

# These are rpm macros and are 0 or 1
%global _hardened_build 1
%global with_efence 0
%global with_development 0
%global with_cavstests 1
# There is no new enough unbound on rhel7
%global with_dnssec 0
%global nss_version 3.79-4
# Libreswan config options
# For RHEL7 we need USE_NSS_KDF=false and USE_FIPSCHECK=true
# Note that this means libreswan needs its own FIPS certification
%global libreswan_config \\\
    FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
    FINALMANDIR=%{_mandir} \\\
    FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\
    INITSYSTEM=systemd \\\
    PREFIX=%{_prefix} \\\
    PYTHON_BINARY=%{__python2} \\\
    SHELL_BINARY=/bin/sh \\\
    USE_AUTHPAM=true \\\
    USE_DNSSEC=%{USE_DNSSEC} \\\
    USE_FIPSCHECK=true \\\
    USE_LABELED_IPSEC=true \\\
    USE_LDAP=true \\\
    USE_LIBCAP_NG=true \\\
    USE_LIBCURL=true \\\
    USE_NM=true \\\
    USE_NSS_IPSEC_PROFILE=true \\\
    USE_NSS_KDF=false \\\
    USE_SECCOMP=true \\\
    USE_XFRM_INTERFACE_IFLA_HEADER=true \\\
%{nil}

#global prever dr1

Name: libreswan
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
Version: 4.15
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
License: GPLv2
Url: https://libreswan.org/
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
%if 0%{with_cavstests}
Source10: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
Source11: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
Source12: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif

BuildRequires: gcc make
BuildRequires: audit-libs-devel
BuildRequires: bison
BuildRequires: curl-devel
BuildRequires: fipscheck-devel
BuildRequires: flex
BuildRequires: hostname
BuildRequires: libcap-ng-devel
BuildRequires: libevent-devel
BuildRequires: libseccomp-devel
BuildRequires: libselinux-devel
BuildRequires: nspr-devel
BuildRequires: nss-devel >= %{nss_version}
BuildRequires: nss-tools
BuildRequires: openldap-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: redhat-rpm-config
BuildRequires: systemd-devel
BuildRequires: xmlto
%if 0%{with_efence}
BuildRequires: ElectricFence
%endif
%if 0%{with_dnssec}
BuildRequires: ldns-devel
BuildRequires: unbound-devel >= 1.6.0
Requires: unbound-libs >= 1.6.0
%global USE_DNSSEC true
%else
%global USE_DNSSEC false
%endif
Requires: coreutils
Requires: fipscheck%{_isa}
Requires: iproute
Requires: logrotate
Requires: nss >= %{nss_version}
Requires: nss-softokn
Requires: nss-tools
%{?systemd_requires}

Conflicts: openswan < %{version}-%{release}
Obsoletes: openswan < %{version}-%{release}
Provides: openswan = %{version}-%{release}
Provides: openswan-doc = %{version}-%{release}


%description
Libreswan is a free implementation of IPsec & IKE for Linux.  IPsec is
the Internet Protocol Security and uses strong cryptography to provide
both authentication and encryption services.  These services allow you
to build secure tunnels through untrusted networks.  Everything passing
through the untrusted net is encrypted by the ipsec gateway machine and
decrypted by the gateway at the other end of the tunnel.  The resulting
tunnel is a virtual private network or VPN.

This package contains the daemons and userland tools for setting up
Libreswan.

Libreswan also supports IKEv2 (RFC7296) and Secure Labeling

Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04

%prep
%setup -q -n libreswan-%{version}%{?prever}

%build
make %{?_smp_mflags} \
%if 0%{with_development}
    OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \
%else
    OPTIMIZE_CFLAGS="%{optflags}" \
%endif
%if 0%{with_efence}
    USE_EFENCE=true \
%endif
    USERLINK="%{?__global_ldflags}" \
    WERROR_CFLAGS="-Werror -Wno-error=address -Wno-missing-braces -Wno-missing-field-initializers" \
    %{libreswan_config} \
    programs
FS=$(pwd)

# Add generation of HMAC checksums of the final stripped binaries
%define __spec_install_post \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
    fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/pluto
%{nil}

%install
make \
    DESTDIR=%{buildroot} \
    %{libreswan_config} \
    install
FS=$(pwd)
rm -rf %{buildroot}/usr/share/doc/libreswan
rm -rf %{buildroot}%{_libexecdir}/ipsec/*check

install -d -m 0755 %{buildroot}%{_rundir}/pluto
install -d %{buildroot}%{_sbindir}

install -d %{buildroot}%{_sysctldir}
install -m 0644 packaging/rhel/libreswan-sysctl.conf \
    %{buildroot}%{_sysctldir}/50-libreswan.conf

mkdir -p %{buildroot}%{_libdir}/fipscheck
install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/
install -m644 packaging/rhel/libreswan-prelink.conf \
    %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf

echo "include /etc/ipsec.d/*.secrets" \
    > %{buildroot}%{_sysconfdir}/ipsec.secrets


%if 0%{with_cavstests}
%check
# There is an elaborate upstream testing infrastructure which we do not
# run here.
# We only run the CAVS tests here.
cp %{SOURCE10} %{SOURCE11} %{SOURCE12} .
bunzip2 *.fax.bz2

# work around for older xen based machines
export NSS_DISABLE_HW_GCM=1

: starting CAVS test for IKEv2
%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \
    diff -u ikev2.fax - > /dev/null
: starting CAVS test for IKEv1 RSASIG
%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \
    diff -u ikev1_dsa.fax - > /dev/null
: starting CAVS test for IKEv1 PSK
%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
    diff -u ikev1_psk.fax - > /dev/null
: CAVS tests passed

# Some of these tests will show ERROR for negative testing - it will exit on real errors
%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; }
%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; }
: Algorithm parser tests passed

# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode
tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
certutil -N -d sql:$tmpdir --empty-password
%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir
: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST

%endif

%post
%systemd_post ipsec.service
%sysctl_apply 50-libreswan.conf
prelink -u %{_libexecdir}/ipsec/* 2>/dev/null || :

%preun
%systemd_preun ipsec.service

%postun
%systemd_postun_with_restart ipsec.service

%files
%license LICENSE COPYING
%doc CHANGES CREDITS README*
%doc docs/*.* docs/examples
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
%attr(0644,root,root) %config(noreplace) %{_sysctldir}/50-libreswan.conf
%attr(0755,root,root) %dir %{_rundir}/pluto
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
%attr(0644,root,root) %{_unitdir}/ipsec.service
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
%{_sbindir}/ipsec
%{_libexecdir}/ipsec
%doc %{_mandir}/*/*
%{_libdir}/fipscheck/pluto.hmac
# We own the directory so we don't have to require prelink
%dir %{_sysconfdir}/prelink.conf.d/
%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf

%changelog
* Thu Oct 09 2025 BogusDateBot
- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
  by assuming the date is correct and changing the weekday.

* Tue Apr 16 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.15-2
- build for Koozali Server
- needs libreswan-prelink.conf adding to the tar

* Mon Apr 15 2024 Team Libreswan <team@libreswan.org> - 4.15-1
- Automated build from release tar ball

* Wed Mar 13 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.14-2
- build for Koozali SME Server
- needs libreswan-prelink.conf adding to the tar

* Mon Mar 11 2024 Team Libreswan <team@libreswan.org> - 4.14-1
- Automated build from release tar ball

* Sat Feb 10 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.12-2
- build for Koozali SME Server
- needs libreswan-sysctl.conf adding to the tar

* Tue Aug  8 2023 Team Libreswan <team@libreswan.org> - 4.12-1
- Automated build from release tar ball
initial commit of file from CVS for libreswan on Thu Oct 9 11:50:37 AEDT 2025 2025-10-09 11:50:37 +11:00			`# These are rpm macros and are 0 or 1`
			`%global _hardened_build 1`
			`%global with_efence 0`
			`%global with_development 0`
			`%global with_cavstests 1`
			`# There is no new enough unbound on rhel7`
			`%global with_dnssec 0`
			`%global nss_version 3.79-4`
			`# Libreswan config options`
			`# For RHEL7 we need USE_NSS_KDF=false and USE_FIPSCHECK=true`
			`# Note that this means libreswan needs its own FIPS certification`
			`%global libreswan_config \\\`
			`FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\`
			`FINALMANDIR=%{_mandir} \\\`
			`FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\`
			`INITSYSTEM=systemd \\\`
			`PREFIX=%{_prefix} \\\`
			`PYTHON_BINARY=%{__python2} \\\`
			`SHELL_BINARY=/bin/sh \\\`
			`USE_AUTHPAM=true \\\`
			`USE_DNSSEC=%{USE_DNSSEC} \\\`
			`USE_FIPSCHECK=true \\\`
			`USE_LABELED_IPSEC=true \\\`
			`USE_LDAP=true \\\`
			`USE_LIBCAP_NG=true \\\`
			`USE_LIBCURL=true \\\`
			`USE_NM=true \\\`
			`USE_NSS_IPSEC_PROFILE=true \\\`
			`USE_NSS_KDF=false \\\`
			`USE_SECCOMP=true \\\`
			`USE_XFRM_INTERFACE_IFLA_HEADER=true \\\`
			`%{nil}`

			`#global prever dr1`

			`Name: libreswan`
			`Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec`
			`Version: 4.15`
			`Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}`
			`License: GPLv2`
			`Url: https://libreswan.org/`
			`Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz`
			`%if 0%{with_cavstests}`
			`Source10: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2`
			`Source11: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2`
			`Source12: https://download.libreswan.org/cavs/ikev2.fax.bz2`
			`%endif`

			`BuildRequires: gcc make`
			`BuildRequires: audit-libs-devel`
			`BuildRequires: bison`
			`BuildRequires: curl-devel`
			`BuildRequires: fipscheck-devel`
			`BuildRequires: flex`
			`BuildRequires: hostname`
			`BuildRequires: libcap-ng-devel`
			`BuildRequires: libevent-devel`
			`BuildRequires: libseccomp-devel`
			`BuildRequires: libselinux-devel`
			`BuildRequires: nspr-devel`
			`BuildRequires: nss-devel >= %{nss_version}`
			`BuildRequires: nss-tools`
			`BuildRequires: openldap-devel`
			`BuildRequires: pam-devel`
			`BuildRequires: pkgconfig`
			`BuildRequires: redhat-rpm-config`
			`BuildRequires: systemd-devel`
			`BuildRequires: xmlto`
			`%if 0%{with_efence}`
			`BuildRequires: ElectricFence`
			`%endif`
			`%if 0%{with_dnssec}`
			`BuildRequires: ldns-devel`
			`BuildRequires: unbound-devel >= 1.6.0`
			`Requires: unbound-libs >= 1.6.0`
			`%global USE_DNSSEC true`
			`%else`
			`%global USE_DNSSEC false`
			`%endif`
			`Requires: coreutils`
			`Requires: fipscheck%{_isa}`
			`Requires: iproute`
			`Requires: logrotate`
			`Requires: nss >= %{nss_version}`
			`Requires: nss-softokn`
			`Requires: nss-tools`
			`%{?systemd_requires}`

			`Conflicts: openswan < %{version}-%{release}`
			`Obsoletes: openswan < %{version}-%{release}`
			`Provides: openswan = %{version}-%{release}`
			`Provides: openswan-doc = %{version}-%{release}`



			`%description`
			`Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is`
			`the Internet Protocol Security and uses strong cryptography to provide`
			`both authentication and encryption services. These services allow you`
			`to build secure tunnels through untrusted networks. Everything passing`
			`through the untrusted net is encrypted by the ipsec gateway machine and`
			`decrypted by the gateway at the other end of the tunnel. The resulting`
			`tunnel is a virtual private network or VPN.`

			`This package contains the daemons and userland tools for setting up`
			`Libreswan.`

			`Libreswan also supports IKEv2 (RFC7296) and Secure Labeling`

			`Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04`

			`%prep`
			`%setup -q -n libreswan-%{version}%{?prever}`

			`%build`
			`make %{?_smp_mflags} \`
			`%if 0%{with_development}`
			`OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \`
			`%else`
			`OPTIMIZE_CFLAGS="%{optflags}" \`
			`%endif`
			`%if 0%{with_efence}`
			`USE_EFENCE=true \`
			`%endif`
			`USERLINK="%{?__global_ldflags}" \`
			`WERROR_CFLAGS="-Werror -Wno-error=address -Wno-missing-braces -Wno-missing-field-initializers" \`
			`%{libreswan_config} \`
			`programs`
			`FS=$(pwd)`

			`# Add generation of HMAC checksums of the final stripped binaries`
			`%define __spec_install_post \`
			`%{?__debug_package:%{__debug_install_post}} \`
			`%{__arch_install_post} \`
			`%{__os_install_post} \`
			`fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/pluto`
			`%{nil}`

			`%install`
			`make \`
			`DESTDIR=%{buildroot} \`
			`%{libreswan_config} \`
			`install`
			`FS=$(pwd)`
			`rm -rf %{buildroot}/usr/share/doc/libreswan`
			`rm -rf %{buildroot}%{_libexecdir}/ipsec/*check`

			`install -d -m 0755 %{buildroot}%{_rundir}/pluto`
			`install -d %{buildroot}%{_sbindir}`

			`install -d %{buildroot}%{_sysctldir}`
			`install -m 0644 packaging/rhel/libreswan-sysctl.conf \`
			`%{buildroot}%{_sysctldir}/50-libreswan.conf`

			`mkdir -p %{buildroot}%{_libdir}/fipscheck`
			`install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/`
			`install -m644 packaging/rhel/libreswan-prelink.conf \`
			`%{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf`

			`echo "include /etc/ipsec.d/*.secrets" \`
			`> %{buildroot}%{_sysconfdir}/ipsec.secrets`


			`%if 0%{with_cavstests}`
			`%check`
			`# There is an elaborate upstream testing infrastructure which we do not`
			`# run here.`
			`# We only run the CAVS tests here.`
			`cp %{SOURCE10} %{SOURCE11} %{SOURCE12} .`
			`bunzip2 *.fax.bz2`

			`# work around for older xen based machines`
			`export NSS_DISABLE_HW_GCM=1`

			`: starting CAVS test for IKEv2`
			`%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax \| \`
			`diff -u ikev2.fax - > /dev/null`
			`: starting CAVS test for IKEv1 RSASIG`
			`%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax \| \`
			`diff -u ikev1_dsa.fax - > /dev/null`
			`: starting CAVS test for IKEv1 PSK`
			`%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax \| \`
			`diff -u ikev1_psk.fax - > /dev/null`
			`: CAVS tests passed`

			`# Some of these tests will show ERROR for negative testing - it will exit on real errors`
			`%{buildroot}%{_libexecdir}/ipsec/algparse -tp \|\| { echo prooposal test failed; exit 1; }`
			`%{buildroot}%{_libexecdir}/ipsec/algparse -ta \|\| { echo algorithm test failed; exit 1; }`
			`: Algorithm parser tests passed`

			`# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode`
			`tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)`
			`certutil -N -d sql:$tmpdir --empty-password`
			`%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir`
			`: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST`

			`%endif`

			`%post`
			`%systemd_post ipsec.service`
			`%sysctl_apply 50-libreswan.conf`
			`prelink -u %{_libexecdir}/ipsec/* 2>/dev/null \|\| :`

			`%preun`
			`%systemd_preun ipsec.service`

			`%postun`
			`%systemd_postun_with_restart ipsec.service`

			`%files`
			`%license LICENSE COPYING`
			`%doc CHANGES CREDITS README*`
			`%doc docs/. docs/examples`
			`%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf`
			`%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets`
			`%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d`
			`%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies`
			`%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*`
			`%attr(0644,root,root) %config(noreplace) %{_sysctldir}/50-libreswan.conf`
			`%attr(0755,root,root) %dir %{_rundir}/pluto`
			`%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf`
			`%attr(0644,root,root) %{_unitdir}/ipsec.service`
			`%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto`
			`%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan`
			`%{_sbindir}/ipsec`
			`%{_libexecdir}/ipsec`
			`%doc %{_mandir}//`
			`%{_libdir}/fipscheck/pluto.hmac`
			`# We own the directory so we don't have to require prelink`
			`%dir %{_sysconfdir}/prelink.conf.d/`
			`%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf`

			`%changelog`
			`* Thu Oct 09 2025 BogusDateBot`
			`- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,`
			`by assuming the date is correct and changing the weekday.`

			`* Tue Apr 16 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.15-2`
			`- build for Koozali Server`
			`- needs libreswan-prelink.conf adding to the tar`

			`* Mon Apr 15 2024 Team Libreswan <team@libreswan.org> - 4.15-1`
			`- Automated build from release tar ball`

			`* Wed Mar 13 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.14-2`
			`- build for Koozali SME Server`
			`- needs libreswan-prelink.conf adding to the tar`

			`* Mon Mar 11 2024 Team Libreswan <team@libreswan.org> - 4.14-1`
			`- Automated build from release tar ball`

			`* Sat Feb 10 2024 John Crisp <jcrisp@safeandsoundit.co.uk> 4.12-2`
			`- build for Koozali SME Server`
			`- needs libreswan-sysctl.conf adding to the tar`

			`* Tue Aug 8 2023 Team Libreswan <team@libreswan.org> - 4.12-1`
			`- Automated build from release tar ball`