File openswan.spec of Package openswan
#
# spec file for package openswan (Version 2.6.16)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# norootforbuild
Name: openswan
Version: 2.6.16
Release: 1
%define irel 2.6.16
License: GPL v2 or later
Group: Productivity/Networking/Security
Summary: IPsec Implementation which Allows Building of VPNs
Url: http://www.openswan.org/
Provides: pluto klips ipsec VPN freeswan
Obsoletes: freeswan
PreReq: gmp %insserv_prereq %fillup_prereq perl
Requires: ipsec-tools iproute2
AutoReqProv: on
Source: http://www.openswan.org/download/%{name}-%{irel}.tar.gz
Source1: http://www.openswan.org/download/%{name}-%{irel}.tar.gz.asc
Source10: openswan.README.SUSE
Source30: openswan.ipsec_1_to_2.pl
#
Patch0: openswan_00_features.dif
Patch1: openswan_01_build-paths.dif
Patch2: openswan_02_build-flags.dif
Patch3: openswan_03_build-groff.dif
Patch4: openswan_04_build_fixes.dif
Patch10: openswan_10_install-perms.dif
Patch30: openswan_30_rcscript.dif
Patch31: openswan_31_config.dif
#
Prefix: /usr
BuildRequires: bison flex gmp-devel libcurl-devel libpcap-devel
BuildRequires: groff xmlto
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
OpenS/WAN is the successor of FreeS/WAN.

OpenS/WAN is an IPsec implementation which allows building Virtual
Private Networks (VPNs). A typical VPN setup consists of two trusted
networks connected over an insecure network, typically the Internet.
OpenS/WAN allows you to create an encrypted tunnel through the insecure
area. Unlike CIPE, it is interoperable with other operating systems or
even router IPsec implementations.



Authors:
--------
    John Gilmore <gnu@toad.com>
    Henry Spencer <henry@spsystems.net>
    Richard Guy Briggs <rgb@conscoop.ottawa.on.ca>
    Hugh Redelmeier <hugh@mimosa.com>
    Sandy Harris <sandy.harris@sympatico.ca>
    Hugh Daniels <hugh@toad.com>

%package doc
License: GPL v2 or later
Summary: OpenSWAN documentation
Group: Productivity/Networking/Security
%description doc
This package provides OpenSWAN HTML documentation and development
(section 3) manual pages.



Authors:
--------
    John Gilmore <gnu@toad.com>
    Henry Spencer <henry@spsystems.net>
    Richard Guy Briggs <rgb@conscoop.ottawa.on.ca>
    Hugh Redelmeier <hugh@mimosa.com>
    Sandy Harris <sandy.harris@sympatico.ca>
    Hugh Daniels <hugh@toad.com>

%prep
%setup -q -n %{name}-%{irel}
%patch0
%patch1
%patch2
%patch3
%patch4
%patch10
%patch30
%patch31
%build
make programs prefix=%{prefix} LIBD=%{_lib} USERCOMPILE="$RPM_OPT_FLAGS -W"
ls -1 OBJ.linux.*/programs/pluto/pluto
%install
install -d -m 755 %{buildroot}/usr/lib
make install prefix=%{prefix} LIBD=%{_lib} DESTDIR=$RPM_BUILD_ROOT
rm -f ${RPM_BUILD_ROOT}/etc/init.d/setup
ln -sf /etc/init.d/ipsec ${RPM_BUILD_ROOT}%{prefix}/sbin/rcipsec
touch $RPM_BUILD_ROOT/etc/ipsec.secrets
#
install -m 755 %{SOURCE30} ${RPM_BUILD_ROOT}%{_libdir}/ipsec/ipsec_1_to_2.pl
install -m 644 %{SOURCE10} %{buildroot}%{_docdir}/%{name}/README.SUSE
install -m 644 programs/_confread/README.conf.V2 %{buildroot}%{_docdir}/%{name}/
install -m 644 BUGS CHANGES CREDITS README %{buildroot}%{_docdir}/%{name}/
install -m 644 COPYING LICENSE %{buildroot}%{_docdir}/%{name}/
install -m 644 docs/debugging-tcpdump.txt %{buildroot}%{_docdir}/%{name}/
install -m 644 docs/KNOWN_BUGS*.txt %{buildroot}%{_docdir}/%{name}/
install -m 644 docs/RELEASE-NOTES.txt %{buildroot}%{_docdir}/%{name}/
rm -f %{buildroot}%{_docdir}/%{name}/GOING-AWAY
rm -f %{buildroot}%{_docdir}/%{name}/doxygen.cfg
rm -f %{buildroot}%{_docdir}/%{name}/impl.notes
mv -f %{buildroot}/etc/ipsec.d/examples %{buildroot}%{_docdir}/%{name}/
rm -f %{buildroot}/etc/rc?.d/[KS]*ipsec
%if "%{_lib}" != "lib"
# this is a 64 bit binary
mv %{buildroot}/usr/lib/ipsec/_copyright %{buildroot}/usr/%{_lib}/ipsec/
ln -sf ../../%{_lib}/ipsec/_copyright %{buildroot}/usr/lib/ipsec/_copyright
%endif
rm -f %{buildroot}/usr/lib*/ipsec/_updown.*.old
rm -f %{buildroot}/usr/lib*/ipsec/_startklips.old
#
base="%{buildroot}%{_mandir}"
rm -f ${base}/man5/pf_key.5*
rm -f ${base}/man8/ipsec_ipsec.8*
rm -f ${base}/man5/ipsec_ipsec.conf.5*
rm -f ${base}/man5/ipsec_ipsec.secrets.5*
rm -f ${base}/man5/ipsec_showpolicy.8*
ln -sf ipsec__updown.8 ${base}/man8/ipsec__updown.mast.8
ln -sf ipsec__updown.8 ${base}/man8/ipsec__updown.bsdkame.8
ln -sf ipsec__updown.netkey.8 ${base}/man8/ipsec__updown.klips.8
#
base="%{buildroot}%{_docdir}/%{name}"
ln -sf ipsec_version.3.html ${base}/ipsec_version_code.3.html
ln -sf ipsec_version.3.html ${base}/ipsec_version_string.3.html
ln -sf ipsec_initsubnet.3.html ${base}/ipsec_addrtosubnet.3.html
ln -sf ipsec_initsubnet.3.html ${base}/ipsec_maskof.3.html
ln -sf ipsec_initsubnet.3.html ${base}/ipsec_networkof.3.html
ln -sf ipsec_initsubnet.3.html ${base}/ipsec_masktocount.3.html
ln -sf ipsec_initaddr.3.html ${base}/ipsec_addrlenof.3.html
ln -sf ipsec_initaddr.3.html ${base}/ipsec_addrbytesptr.3.html
ln -sf ipsec_initaddr.3.html ${base}/ipsec_addrbytesof.3.html
ln -sf ipsec_initaddr.3.html ${base}/ipsec_addrtypeof.3.html
ln -sf ipsec_atoaddr.3.html ${base}/ipsec_addrtoa.3.html
ln -sf ipsec_atoaddr.3.html ${base}/ipsec_atosubnet.3.html
ln -sf ipsec_bitstomask.3.html ${base}/ipsec_goodmask.3.html
ln -sf ipsec_bitstomask.3.html ${base}/ipsec_masktobits.3.html
ln -sf ipsec__updown.8.html ${base}/ipsec__updown.mast.8.html
ln -sf ipsec__updown.netkey.8.html ${base}/ipsec__updown.klips.8.html
ln -sf ipsec_ttoul.3.html ${base}/ipsec_ultot.3.html
ln -sf ipsec_ttoaddr.3.html ${base}/ipsec_ttosubnet.3.html
ln -sf ipsec_ttoaddr.3.html ${base}/ipsec_tnatoaddr.3.html
ln -sf ipsec_ttoaddr.3.html ${base}/ipsec_subnettot.3.html
ln -sf ipsec_prng.3.html ${base}/ipsec_prng_bytes.3.html
ln -sf ipsec_prng.3.html ${base}/ipsec_prng_init.3.html
ln -sf ipsec_prng.3.html ${base}/ipsec_prng_final.3.html
ln -sf ipsec_hostof.3.html ${base}/ipsec_broadcastof.3.html
ln -sf ipsec_samesaid.3.html ${base}/ipsec_sameaddr.3.html
ln -sf ipsec_samesaid.3.html ${base}/ipsec_sameaddrtype.3.html
ln -sf ipsec_samesaid.3.html ${base}/ipsec_samesubnettype.3.html
ln -sf ipsec_samesaid.3.html ${base}/ipsec_samesubnet.3.html
ln -sf ipsec_samesaid.3.html ${base}/ipsec_subnetinsubnet.3.html
ln -sf ipsec_addrcmp.3.html ${base}/ipsec_addrinsubnet.3.html
ln -sf ipsec_isunspecaddr.3.html ${base}/ipsec_isanyaddr.3.html
ln -sf ipsec_isunspecaddr.3.html ${base}/ipsec_loopbackaddr.3.html
ln -sf ipsec_isunspecaddr.3.html ${base}/ipsec_isloopbackaddr.3.html
ln -sf ipsec_subnetinsubnet.3.html ${base}/ipsec_subnetishost.3.html
ln -sf ipsec_sockaddrof.3.html ${base}/ipsec_sockaddrlenof.3.html
ln -sf ipsec_sockaddrof.3.html ${base}/ipsec_setportof.3.html
#
find "%{buildroot}%{_docdir}/%{name}" -type f -exec chmod a-x,go-w \{\} \;
%files
%defattr(-,root,root)
/usr/sbin/ipsec
/usr/sbin/rcipsec
/usr/lib/ipsec
%if "%{_lib}" != "lib"
/usr/%{_lib}/ipsec/
%endif
%config /etc/init.d/ipsec
%config(noreplace) /etc/ipsec.conf
%ghost %attr(600,root,root) %config(noreplace) /etc/ipsec.secrets
%dir /etc/ipsec.d/
%dir /etc/ipsec.d/cacerts
%dir /etc/ipsec.d/certs
%dir /etc/ipsec.d/crls
/etc/ipsec.d/policies
%dir %attr(700,root,root) /etc/ipsec.d/private
%doc %{_mandir}/man8/ipsec*
%doc %{_mandir}/man5/ipsec*
%dir %doc %{_docdir}/%{name}
%doc %{_docdir}/%{name}/BUGS
%doc %{_docdir}/%{name}/CHANGES
%doc %{_docdir}/%{name}/CREDITS
%doc %{_docdir}/%{name}/COPYING
%doc %{_docdir}/%{name}/LICENSE
%doc %{_docdir}/%{name}/README*
%doc %{_docdir}/%{name}/ipsec.conf-sample
%files doc
%defattr(-,root,root)
%dir %doc %{_docdir}/%{name}
%doc %{_docdir}/%{name}/examples
%doc %{_docdir}/%{name}/KNOWN_BUGS.txt
%doc %{_docdir}/%{name}/KNOWN_BUGS_NETKEY.txt
%doc %{_docdir}/%{name}/RELEASE-NOTES.txt
%doc %{_docdir}/%{name}/debugging-tcpdump.txt
%doc %{_docdir}/%{name}/*.html
%doc %{_mandir}/man3/ipsec*
%clean
#test -z "$RPM_BUILD_ROOT" -o "$RPM_BUILD_ROOT" = "/" || rm -rf $RPM_BUILD_ROOT
%post
%{fillup_and_insserv ipsec}
# /etc/ipsec.secrets is listed as a ghost file: rpm records its 0600 mode
# in the database but does not create the file, so it is created here and
# the mode is set explicitly (a file created by the shell inherits the
# scriptlet's umask and would otherwise be world-readable). Scriptlets run
# with the install root as working directory, hence the relative path.
if test ! -s etc/ipsec.secrets; then
	cat >etc/ipsec.secrets << EOF
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
#
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
#
# Generate pem certificates using "yast2 ca_mgm" module or plain RSA keys
# using the "ipsec newhostkey --output /etc/ipsec.secrets" command.
#
EOF
	chmod 600 etc/ipsec.secrets
fi
# Migrate a pre-2.0 ipsec.conf (one without a "version 2.0" statement)
# with the shipped converter; the original is kept as ipsec.conf.v1.
if ! grep -q "version[ ]*2\.0" /etc/ipsec.conf; then
	echo "Migrate config to v2.0 ..."
	mv --backup=numbered /etc/ipsec.conf /etc/ipsec.conf.v1
	/usr/lib/ipsec/ipsec_1_to_2.pl </etc/ipsec.conf.v1 >/etc/ipsec.conf
	# Expand the glob into the positional parameters. A plain variable
	# assignment (PEMS=/etc/ipsec.d/*.pem) does not perform pathname
	# expansion, so comparing it against the literal pattern would never
	# detect any certificate.
	set -- /etc/ipsec.d/*.pem
	if test -e "$1"; then
		# The package owns /etc/ipsec.d/certs (see the files list);
		# there is no /etc/ipsec/certs directory.
		cp -p --backup=numbered "$@" /etc/ipsec.d/certs/
		printf 'The certificates\n%s\nhave been copied to /etc/ipsec.d/certs/\n' "$*" \
			>>/var/adm/notify/messages/openswan
		echo "You may want to remove the old copies as soon as you stopped" \
			>>/var/adm/notify/messages/openswan
		printf 'using OpenSwan-2.6.x\n\n' >>/var/adm/notify/messages/openswan
	fi
fi
%preun
%{stop_on_removal ipsec}
# Some people expect to not lose their secrets even after multiple rpm -e.
if test -s etc/ipsec.secrets.rpmsave; then
cp -p --backup=numbered etc/ipsec.secrets.rpmsave etc/ipsec.secrets.rpmsave.old
fi
exit 0
%postun
%{restart_on_update ipsec}
%{insserv_cleanup}
%changelog
* Fri Sep 05 2008 mt@suse.de
- Updated from openswan-2.4.7 to 2.6.16, a new version series. It
  adapts to the actual NETKEY code in the Linux kernel, provides
  many fixes and implements new features, such as IKEv2 / IPv6 support.
  Review the CHANGES file for all details.
- Dropped obsolete patches and hooks, adopted other patches and
  the spec file.

* Mon Sep 10 2007 mt@suse.de
- Moved html and man3 documentation into openswan-doc
- Added a Short-Description LSB tag and $remote_fs start
  requirement to the init script (openswan_40_rcscript.dif)
- Added stop_on_removal/restart_on_update to rpm pre/postun
- Cleaned up installation of the documentation as well as
  other problems mentioned by rpmlint.

* Thu Jun 21 2007 adrian@suse.de
- fix changelog entry order

* Fri Mar 23 2007 mt@suse.de
- Bug #234042: Changed back internal nhelpers option default to
  use number of CPU-1 crypto workers. Added fallback to perform
  inline calculations in main process, when all workers are busy.
  Obsolete patch file: openswan_16_nhelpers_default.dif
  New patch file name: openswan_16_crypto_inline_fallback.dif

* Fri Mar 16 2007 mt@suse.de
- Bug #234042: Applied proposed patch fixing bogus crypto helper
  management code. The number of crypto helpers (nhelpers option)
  has to be set at least to number of tunnels/2 + 1 to take effect.
  New patch file: openswan_15_crypto_helper_fix.dif
- Bug #234042: Applied fix to display correct crypto helper number
  in debug output of the pluto_do_crypto_op function. Changed the
  default of the nhelpers option to 0 (instead of number of CPU-1).
  This disables the crypto helpers by default (inline calculation).
  New patch file: openswan_16_nhelpers_default.dif

* Fri Jan 19 2007 mt@suse.de
- Updated to openswan-2.4.7, providing interop fix for Sonicwall
  and many other fixes and cleanups, see CHANGES file.
- Adopted patches, removed obsolete patches:
  openswan_35_quiet-insmod.dif, openswan_37_aes_insmod.dif

* Thu Jan 18 2007 mt@suse.de
- Minimal patch fixing strncat calls and casts breaking strict
  aliasing rules as mentioned by the compiler, Bug #233586

* Wed Aug 30 2006 mt@suse.de
- updated to openswan-2.4.6, adopted patches. Now, the default
  ipsec.conf file contains "nhelpers=0" to avoid "failed to find
  any available worker" problems -- see also Bug #186061.

* Thu Mar 16 2006 mt@suse.de
- Bug #148385, fixed further documentation inconsistency
  pointed out by Martin Mrazik.

* Thu Mar 09 2006 mt@suse.de
- Bug #148385, fixed "ipsec auto" parameter in html docs
  (different file, same bug).

* Wed Feb 08 2006 mt@suse.de
- Bug #148385, fixed "ipsec auto" parameter in html docs.

* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires

* Sat Jan 14 2006 kukuk@suse.de
- Add gmp-devel to nfb

* Mon Dec 19 2005 ro@suse.de
- remove unpackaged symlinks

* Fri Nov 18 2005 mt@suse.de
- Updated to openswan-2.4.4 fixing 3DES and aggressive mode
  related denial of service (VU#226364, 273756/NISCC/ISAKMP)
  as well as other issues. Bug #134158.
- Fixed link generation regex (openswan_08_doc-man2html.dif)
- Removed man2html source - not used any more to generate docs.

* Thu Oct 27 2005 mt@suse.de
- Updated to openswan-2.4.0 (final). It does not provide any
  relevant changes in the source code (klips natt info only).
- Fixed Bug #116413 generation/installation of the html docs.

* Wed Sep 07 2005 mt@suse.de
- Updated to openswan-2.4.0rc5 adding fix to dead peer
  detection cleanup and updown script. Adopted patches.
- Fixed return codes for "rcipsec status".

* Fri Aug 26 2005 mt@suse.de
- Updated to openswan 2.4.0rc4 adding minor fixes
- Added workaround "plutowait=yes" setting to avoid failures of a
  first connect attempt in cases where all crypto helpers were busy
  with the setup of another tunnel (Bug #412 on openswan.org).
  new patch file: openswan_42_plutowait-yes.dif

* Tue Aug 23 2005 mt@suse.de
- Updated to openswan 2.4.0rc3 fixing a pluto crash when used
  with multiple L2TP/IPsec clients in transport mode behind NAT

* Fri Aug 19 2005 mt@suse.de
- Updated to openswan 2.4.0rc1; obsoletes patches:
  openswan_05_checkv199.dif, openswan_11_yyerror.dif,
  openswan_13_system.dif, openswan_20_noslave.dif,
  openswan_21_sigmask.dif, openswan_25_noxauth.dif,
  openswan_30_newhostkey.dif, openswan_36_ipsec_look.dif
- Applied diverse fixes for signed issues from cvs head:
  new patch file: openswan_11_gcc4cvshead.dif

* Tue Aug 16 2005 mt@suse.de
- added dummy states if aggressive mode is disabled to
  avoid build dependent state numbering (from CVS head)

* Wed Aug 03 2005 mt@suse.de
- improved aggressive mode patch openswan_24_noaggressive.dif
- merged updown patches 32 and 33 into openswan_32_updown-nexthop.dif,
  added skipping to add a route in some host to host tunnel cases
- renamed 36_sourceip-mask patch to openswan_33_updown-srcmask.dif
- renamed 12_gcc4sign patch to openswan_12_socklen.dif, improved
- renamed 13_gcc4warn patch to openswan_13_system.dif, improved
- added checks to ipsec look command to avoid "no such file" errors.
  new patch file: openswan_36_ipsec_look.dif
- workaround to load aes-$arch crypto module if not aliased (x86_64)
  new patch file: openswan_37_aes_insmod.dif

* Mon Jul 04 2005 mt@suse.de
- Bug #66215: patch for updown script to solve SNAT/MASQUERADE
  problems with recent kernels, using netmask of the remote (peer)
  network instead of /32 for source address.
  New patch file: openswan_36_sourceip-mask.dif

* Mon Jul 04 2005 mt@suse.de
- removed most of the GCC4 patch (openswan_12_gcc4sign.dif)
  because it breaks at least the asn1 decoding (pem parsing).

* Thu Jun 30 2005 mt@suse.de
- added openswan_24_noaggressive.dif and openswan_25_noxauth.dif
  patches fixing dependencies to USE_AGGRESSIVE USE_XAUTH flags
- disabled AGGRESSIVE and XAUTH in openswan_00_features.dif
- added an openswan prefix to several source files

* Sat May 07 2005 mt@suse.de
- added openswan_13_gcc4warn.dif patch, fixing diverse unused
  system() return codes mentioned by gcc4 in code using -Werror

* Sat May 07 2005 mt@suse.de
- fixed GCC4 patch

* Sat May 07 2005 mt@suse.de
- started to update to openswan-2.3.1
- adopted patches to match new sources
- renamed all patches to contain a number for
  manual applying and end with a .dif suffix

* Wed May 04 2005 yxu@suse.de
- fixed for GCC4

* Mon Mar 21 2005 mt@suse.de
- Bug #73863: added patch for _updown script to skip using nexthop
  (via parameter for ip route) if it is not reachable through any
  directly connected network (but via default route only).
  new patch file: openswan-updown-nexthop-not-local.dif

* Fri Jan 14 2005 ro@suse.de
- use sigprocmask instead of sigsetmask in invokepluto

* Sun Sep 26 2004 garloff@suse.de
- Fix initscript exit codes and messages. [#42604]

* Sun Sep 19 2004 garloff@suse.de
- Update to openswan-2.2.0: Fixes for SA Selectors on 2.6.
- Add README.SUSE [#44368].

* Mon Sep 06 2004 garloff@suse.de
- Update to openswan-2.2.0dr4: NAT-T & X.509 security fixes
- Drop openswan-dont-try-espinudp-on-ipv6.diff (integrated upstream)
- Drop openswan-natt.diff (integrated upstream)

* Sun Aug 29 2004 garloff@suse.de
- Drop notification message.

* Thu Aug 19 2004 garloff@suse.de
- Fix _realsetup script.

* Mon Aug 16 2004 garloff@suse.de
- Fix noklips patch (but leave it disabled)
- NAT-T patch: The last message could have been wrongly sent via
  the established tunnel.

* Fri Aug 13 2004 garloff@suse.de
- Initial creation of openswan-2.2.0dr3
- Reuse many of the freeswan2 patches