File ipsec-tools.spec of Package ipsec-tools

#
# spec file for package ipsec-tools (Version 0.7.1)
#
# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

# norootforbuild


Name:           ipsec-tools
BuildRequires:  bison flex kernel-source krb5-devel openssl-devel pam pam-devel readline-devel
Version:        0.7.1
Release:        10.<RELEASE49>
License:        BSD 3-Clause
Group:          Productivity/Networking/Security
Provides:       racoon
PreReq:         %insserv_prereq %fillup_prereq
AutoReqProv:    on
Summary:        IPsec Utilities
Source:         http://prdownloads.sourceforge.net/ipsec-tools/ipsec-tools-%{version}.tar.bz2
Patch0:         no_werror.patch
Patch1:         fix-ph1-leak.patch
Patch3:         racoon.conf_macros.patch
Patch4:         fix_leak_in_crypto_openssl.c.diff
Patch5:         fix_leak_in_nattraversal.c.diff
Patch6:         fix_null_dereference_in_isakmp_frag.c.diff
Patch7:         fix_sockaddr_overflow_in_ipsec_doi.c.diff
Source1:        racoon.init
Source2:        sysconfig.racoon
Source3:        setkey.conf.sample
Url:            http://ipsec-tools.sourceforge.net/
Prefix:         /usr
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

%description
This is the IPsec-Tools package.  This package is needed to really make
use of the IPsec functionality in the version 2.5 and 2.6 Linux
kernels.  This package builds:

- libipsec, a PFKeyV2 library

- setkey, a program to directly manipulate policies and SAs

- racoon, an IKEv1 keying daemon

These sources can be found at the IPsec-Tools home page at:
http://ipsec-tools.sourceforge.net/



Authors:
--------
    Derek Atkins  <derek@ihtfp.com>
    Michal Ludvig <michal@logix.cz>
    Emmanuel Dreyfus <manu@netbsd.org>
    Yvan Vanhullebus <vanhu@free.fr>

%prep
%setup
%patch0 -p1 
%patch1 -p1 
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7	-p1

%build
%{suse_update_config -f . src/racoon}
export PATH=$PATH:/usr/lib/mit/bin
CFLAGS="$RPM_OPT_FLAGS" \
./configure --prefix=/usr --disable-shared \
	--mandir=%{_mandir} --infodir=%{_infodir} --libdir=%{_libdir} \
	--libexecdir=%{_libdir} --sysconfdir=/etc/racoon \
	--sharedstatedir=/var/run --localstatedir=/var/run \
	--enable-dpd --enable-hybrid --enable-frag \
	--enable-natt=yes --enable-gssapi=yes --enable-stats=yes \
	--enable-adminport --with-libpam --enable-security-context=no
make 
make check

%install
rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT
rm $RPM_BUILD_ROOT/usr/include/racoon/admin.h		\
   $RPM_BUILD_ROOT/usr/include/racoon/evt.h		\
   $RPM_BUILD_ROOT/usr/include/racoon/gcmalloc.h	\
   $RPM_BUILD_ROOT/usr/include/racoon/ipsec_doi.h	\
   $RPM_BUILD_ROOT/usr/include/racoon/isakmp.h		\
   $RPM_BUILD_ROOT/usr/include/racoon/isakmp_cfg.h	\
   $RPM_BUILD_ROOT/usr/include/racoon/isakmp_unity.h	\
   $RPM_BUILD_ROOT/usr/include/racoon/isakmp_var.h	\
   $RPM_BUILD_ROOT/usr/include/racoon/isakmp_xauth.h	\
   $RPM_BUILD_ROOT/usr/include/racoon/misc.h		\
   $RPM_BUILD_ROOT/usr/include/racoon/racoonctl.h	\
   $RPM_BUILD_ROOT/usr/include/racoon/schedule.h	\
   $RPM_BUILD_ROOT/usr/include/racoon/sockmisc.h	\
   $RPM_BUILD_ROOT/usr/include/racoon/var.h		\
   $RPM_BUILD_ROOT/usr/include/racoon/vmbuf.h		\
   $RPM_BUILD_ROOT/usr/%{_lib}/libracoon.a		\
   $RPM_BUILD_ROOT/usr/%{_lib}/libracoon.la		
mkdir -p $RPM_BUILD_ROOT/etc/init.d
install -m 0755 $RPM_SOURCE_DIR/racoon.init $RPM_BUILD_ROOT/etc/init.d/racoon
ln -sf /etc/init.d/racoon $RPM_BUILD_ROOT/usr/sbin/rcracoon
mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 $RPM_SOURCE_DIR/sysconfig.racoon $RPM_BUILD_ROOT/var/adm/fillup-templates/
mkdir -p $RPM_BUILD_ROOT/usr/share/doc/packages/%{name}/
cp -rv src/racoon/samples $RPM_BUILD_ROOT/usr/share/doc/packages/%{name}/
cp -v src/setkey/sample* $RPM_BUILD_ROOT/usr/share/doc/packages/%{name}/
mkdir -p $RPM_BUILD_ROOT/etc/racoon
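# psk.txt holds the pre-shared keys, so it is installed owner-only (0600);
# see the changelog entry for bug #114383.
install -m 0600 src/racoon/samples/psk.txt $RPM_BUILD_ROOT/etc/racoon/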
install -m 0644 src/racoon/samples/racoon.conf $RPM_BUILD_ROOT/etc/racoon/
cp -v $RPM_SOURCE_DIR/setkey.conf.sample $RPM_BUILD_ROOT/etc/racoon/setkey.conf
touch $RPM_BUILD_ROOT/var/run/racoon/racoon.sock

%post
%{fillup_and_insserv racoon}

%postun
%{insserv_cleanup}

%clean
if test ! -z "$RPM_BUILD_ROOT" -a "$RPM_BUILD_ROOT" != "/"; then
  rm -rf $RPM_BUILD_ROOT
fi

%files
%defattr(-,root,root)
%dir /etc/racoon
%config(noreplace) /etc/racoon/psk.txt
%config(noreplace) /etc/racoon/racoon.conf
%config(noreplace) /etc/racoon/setkey.conf
%config /etc/init.d/racoon
/usr/sbin/rcracoon
%dir /usr/include/libipsec/
%doc /usr/share/doc/packages/%{name}/
/var/adm/fillup-templates/sysconfig.racoon
/usr/include/libipsec/libpfkey.h
/usr/%{_lib}/libipsec.a
/usr/%{_lib}/libipsec.la
/usr/sbin/racoon
/usr/sbin/racoonctl
/usr/sbin/setkey
/usr/sbin/plainrsa-gen
/var/run/racoon
%ghost /var/run/racoon/racoon.sock
%{_mandir}/man*/*

%changelog
* Thu Jun 11 2009 jbohac@suse.cz
- fix_leak_in_crypto_openssl.c.diff (bnc#504186)
- fix_leak_in_nattraversal.c.diff (bnc#504186)
- fix_null_dereference_in_isakmp_frag.c.diff (bnc#498859, CVE-2009-1574)
- fix_sockaddr_overflow_in_ipsec_doi.c.diff (bnc#506710)
* Tue Sep 23 2008 jbohac@suse.cz
- fixed a memory leak in PH1 (bnc#416906, CVE-2008-3652)
* Thu Aug 14 2008 jbohac@suse.cz
- Upgrade to 0.7.1
  o Fixes a memory leak when invalid proposal received
  o Some fixes in DPD
  o do not set default gss id if xauth is used
  o fixed hybrid enabled builds
  o fixed compilation on FreeBSD8
  o cleanup in network port value manipulation
  o gets ports from SADB_X_EXT_NAT_T_[SD]PORT if present in purge_ipsec_spi()
  o Generates a log if cert validation has been disabled by configuration
  o better handling for pfkey socket read errors
  o Fixes in yacc / bison stuff
  o new plog() macro (reduced CPU usage when logging is disabled)
  o Try to work better with huge SPD/SAD
  o Corrected modecfg option syntax
  o Many other various fixes...
* Wed Nov 07 2007 jbohac@suse.cz
- Upgrade to 0.7
* Thu Apr 12 2007 jbohac@jikos.cz
- Fix a DoS in isakmp_info_recv (CVE-2007-1841, 260791)
* Thu Mar 29 2007 aj@suse.de
- Add flex and bison to BuildRequires.
* Thu May 04 2006 jbohac@suse.cz
- fixed a segfault in GSSAPI initialization (#172196)
- the /var/run/racoon directory was missing from the package
  which prevented racoon from starting (#170552) - fixed
- fixed unexpanded macros in racoon.conf (#170552)
* Tue Mar 21 2006 jbohac@suse.cz
- upgrade to 0.6.5 (bugfix release)
  - Fixed zombie PH1 handler when isakmp_send() fails in
  isakmp_ph1resend()
  - Temporary fix for /32 subnets parsing.
  - make software behave as the documentation advertises for
  INTERNAL_NETMASK4. Keep the old INTERNAL_MASK4 to
  avoid breaking backward compatibility.
  - Fixed / cleaned up signal handling.
- added --with-libpam and --enable-adminport (#159647)
* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires
* Tue Dec 13 2005 jbohac@suse.cz
- fixed build
* Tue Dec 13 2005 jbohac@suse.cz
- upgrade to 0.6.4
- added krb5 support ( --enable-gssapi)
- added statistics logging support ( --enable-stats)
* Wed Nov 23 2005 jbohac@suse.cz
- upgrade to 0.6.3 - fixes #134834 and an openssl incompatibility
  issue
* Tue Nov 08 2005 jbohac@suse.cz
- fixed build for s390
* Thu Oct 20 2005 jbohac@suse.cz
- upgraded to version 0.6.2
- enabled NAT-T
- fixed build with current openssl
* Wed Aug 31 2005 jbohac@suse.cz
- fixed permissions for /etc/racoon/psk.txt (bug #114383)
* Tue Aug 23 2005 jbohac@suse.cz
- upgrade to version 0.6.1
* Wed Aug 03 2005 jbohac@suse.cz
- fixed build on beta (disabled -Werror again)
* Tue Aug 02 2005 cthiel@suse.de
- fixed build
* Tue Aug 02 2005 jbohac@suse.cz
- upgrade to version 0.6
* Thu May 05 2005 jbohac@suse.cz
- upgrade to version 0.5.2
- disabled -Werror, because bison-generated code would not compile
* Wed Apr 13 2005 jbohac@suse.cz
- upgrade to version 0.5.1
- fixed compilation warning/errors regarding char/int signedness
* Wed Mar 16 2005 jbohac@suse.cz
  The patch in the previous release was not applied correctly; fixed.
* Tue Mar 15 2005 jbohac@suse.cz
- security fix - insecure header parsing (Bug ID: 64726)
* Sat Feb 19 2005 lmuelle@suse.de
- Update to version 0.5.
* Wed Jan 05 2005 jbohac@suse.cz
- update to ipsec-tools-0.5-rc1
* Thu Nov 18 2004 mludvig@suse.cz
- Update to version 0.4
* Tue Sep 14 2004 ro@suse.de
- undef __P first to make it build
* Tue Aug 10 2004 mludvig@suse.cz
- Update to 0.4rc1
* Tue Jun 15 2004 mludvig@suse.cz
- Update to 0.3.3 to fix an X.509 cert verification security bug.
  (http://marc.theaimsgroup.com/?l=bugtraq&m=108726102304507&w=2)
* Mon May 17 2004 mludvig@suse.cz
- Fixed comment in racoon.conf (#40576)
* Wed Apr 21 2004 mludvig@suse.cz
- Update to 0.3.1 to fix CAN-2004-0403
* Thu Apr 15 2004 mludvig@suse.cz
- Update to final 0.3. We had all patches in the
  package anyway...
* Thu Apr 08 2004 mludvig@suse.cz
- Fixed setkey to support multiline commands in interactive mode.
- Added 'exit' command to setkey.
  The two changes fix TAHI/ipsec tests.
- Emit messages about Keep-Alive packets with DEBUG severity
  instead of INFO. With INFO it only pollutes syslog every 20s.
* Mon Apr 05 2004 mludvig@suse.cz
- Fixed X.509 security bug (#38373)
* Thu Apr 01 2004 mludvig@suse.cz
- Report received SADB_X_NAT_T_NEW_MAPPING message.
- Avoid segfault with unknown PF_KEY messages.
- Move encmode update out of the loop. NAT-T now works
  even with more than one proposal.
* Tue Mar 30 2004 mludvig@suse.cz
- Rewritten the testsuite to avoid
  failures on 32b platforms.
* Fri Mar 26 2004 mludvig@suse.cz
- Handle input lines one by one in interactive mode
  (preventing premature exit on syntax error).
* Thu Mar 25 2004 mludvig@suse.cz
- Update to 0.3rc4:
  - Fixed adding "null" encryption via 'setkey'.
  - Fixed segfault when using AES in Phase1 with OpenSSL>=0.9.7
  - Fixed NAT-T in aggressive mode.
  - Fixed testsuite and added testsuite run into make check.
* Tue Mar 23 2004 mludvig@suse.cz
- Fix segfault with AES.
- Enable testsuite.
* Mon Mar 22 2004 mludvig@suse.cz
- Fix "null" encryption setup in setkey.
* Fri Mar 19 2004 mludvig@suse.cz
- Fix duplicate ipsec service (#36575)
- Update to 0.3rc3
* Thu Mar 11 2004 mludvig@suse.cz
- Update to 0.3rc2
* Mon Mar 08 2004 mludvig@suse.cz
- Add sysconfig and init.d files.
* Fri Mar 05 2004 mludvig@suse.cz
- Include samples config files in the RPM.
* Thu Mar 04 2004 mludvig@suse.cz
- update to 0.3rc1
* Tue Feb 03 2004 mludvig@suse.cz
- Update to 0.2.4
* Mon Jan 26 2004 ro@suse.de
- updated neededforbuild "kernel-source-26" -> "kernel-source"
* Thu Jan 15 2004 mludvig@suse.cz
- update to ipsec-tools-0.2.3
* Sat Jan 10 2004 adrian@suse.de
- remove obsolete %%run_ldconfig
* Tue Dec 23 2003 mludvig@suse.cz
- Recognize IPSEC_DIR_FWD when dumping SPD.
* Fri Dec 19 2003 mludvig@suse.cz
- Added many fixes gathered from the mailing list.
- Added support for specifying SA lifebytes.
* Wed Dec 17 2003 garloff@suse.de
- Package ipsec-tools 0.2.2.