strongswan/strongswan.spec

#
# spec file for package strongswan
#
# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           strongswan
Version:        5.0.1
Release:        0
%define         upstream_version   %{version}
%define         strongswan_docdir  %{_docdir}/%{name}
%define         strongswan_libdir  %{_libdir}/ipsec
%define         strongswan_plugins %{strongswan_libdir}/plugins
%if 0
%bcond_without  tests
%else
%bcond_with     tests
%endif
%if 1
%bcond_without  mysql
%else
%bcond_with     mysql
%endif
%if 0%{suse_version} >= 1110
%bcond_without  sqlite
%bcond_without  gcrypt
%bcond_without  nm
%else
%bcond_with     sqlite
%bcond_with     gcrypt
%bcond_with     nm
%endif
%if 0%{suse_version} > 1220
%bcond_without  systemd
%else
%bcond_with     systemd
%endif
Summary:        OpenSource IPsec-based VPN Solution
License:        GPL-2.0+
Group:          Productivity/Networking/Security
Url:            http://www.strongswan.org/
Requires:       strongswan-ipsec = %{version}
Source0:        http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2
Source1:        http://download.strongswan.org/strongswan-%{upstream_version}.tar.bz2.sig
Source2:        %{name}.init.in
Source3:        %{name}-%{version}-rpmlintrc
Source4:        README.SUSE
Source5:        %{name}.keyring
Patch1:         %{name}_modprobe_syslog.patch
Patch2:         %{name}_ipsec_service.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  bison
BuildRequires:  curl-devel
BuildRequires:  flex
BuildRequires:  gmp-devel
BuildRequires:  gperf
BuildRequires:  gpg-offline
BuildRequires:  libcap-devel
BuildRequires:  libopenssl-devel
BuildRequires:  libsoup-devel
BuildRequires:  openldap2-devel
BuildRequires:  pam-devel
BuildRequires:  pcsc-lite-devel
BuildRequires:  pkg-config
%if %{with mysql}
BuildRequires:  libmysqlclient-devel
%endif
%if %{with sqlite}
BuildRequires:  sqlite3-devel
%endif
%if %{with gcrypt}
BuildRequires:  libgcrypt-devel
%endif
%if %{with nm}
BuildRequires:  NetworkManager-devel
%endif
%if %{with systemd}
BuildRequires:  systemd-devel
%endif
BuildRequires:  iptables
BuildRequires:  libnl >= 1.1

%description
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

* runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels
* implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
* Fully tested support of IPv6 IPsec tunnel and transport connections
* Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555)
* Automatic insertion and deletion of IPsec-policy-based firewall rules
* Strong 128/192/256 bit AES or Camellia encryption, 3DES support
* NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
* Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
* Static virtual IPs and IKEv1 ModeConfig pull and push modes
* XAUTH server and client functionality on top of IKEv1 Main Mode authentication
* Virtual IP address pool managed by IKE daemon or SQL database
* Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.)
* Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
* Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
* Authentication based on X.509 certificates or preshared keys
* Generation of a default self-signed certificate during first strongSwan startup
* Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
* Full support of the Online Certificate Status Protocol (OCSP, RCF 2560).
* CA management (OCSP and CRL URIs, default LDAP server)
* Powerful IPsec policies based on wildcards or intermediate CAs
* Group policies based on X.509 attribute certificates (RFC 3281)
* Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
* Modular plugins for crypto algorithms and relational database interfaces
* Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
* Optional built-in integrity and crypto tests for plugins and libraries
* Smooth Linux desktop integration via the strongSwan NetworkManager applet

This package triggers the installation of both, IKEv1 and IKEv2 daemons.

Authors:
--------
    Andreas Steffen
    and others

%package doc
BuildArch:      noarch
Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security

%description doc
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the StrongSwan documentation.



Authors:
--------
    Andreas Steffen
    and others

%package libs0
Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security
Conflicts:      strongswan < %{version}

%description libs0
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the strongswan library and plugins.

%package ipsec
Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security
PreReq:         grep %insserv_prereq %fillup_prereq
Requires:       strongswan-libs0 = %{version}
Provides:       VPN
Provides:       ipsec
Provides:       strongswan = %{version}
Obsoletes:      strongswan < %{version}
Conflicts:      freeswan openswan

%description ipsec
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the /etc/init.d/ipsec service script and allows
to maintain both, IKEv1 and IKEv2, using the /etc/ipsec.conf and the
/etc/ipsec.sectes files.

%if %{with mysql}

%package mysql
Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security
Requires:       strongswan-libs0 = %{version}

%description mysql
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the strongswan mysql plugin.

%endif

%if %{with sqlite}

%package sqlite
Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security
Requires:       strongswan-libs0 = %{version}

%description sqlite
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the strongswan sqlite plugin.

%endif

%if %{with nm}

%package nm
Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security
Requires:       strongswan-libs0 = %{version}

%description nm
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the NetworkManager plugin to control the
charon IKEv2 daemon through D-Bus, designed to work using the
NetworkManager-strongswan graphical user interface.

%endif

%if %{with tests}

%package tests

Summary:        OpenSource IPsec-based VPN Solution
Group:          Productivity/Networking/Security
Requires:       strongswan-libs0 = %{version}

%description tests
StrongSwan is an OpenSource IPsec-based VPN Solution for Linux

This package provides the strongswan crypto test-vectors plugin
and the load testing plugin for IKEv2 daemon.

%endif

%prep
%gpg_verify %{S:1}
%setup -q -n %{name}-%{upstream_version}
%patch1 -p0
%patch2 -p0
sed -e 's|@libexecdir@|%_libexecdir|g'    \
     < $RPM_SOURCE_DIR/strongswan.init.in \
     > strongswan.init

%build
CFLAGS="$RPM_OPT_FLAGS -W -Wall -Wno-pointer-sign -Wno-strict-aliasing"
export RPM_OPT_FLAGS CFLAGS
#libtoolize --force
#autoreconf
%configure \
	--enable-conftest \
	--enable-integrity-test \
	--with-capabilities=libcap \
	--with-plugindir=%{strongswan_plugins} \
	--with-resolv-conf=%{_localstatedir}/run/strongswan/resolv.conf \
	--enable-pkcs11 \
	--enable-openssl \
	--enable-agent \
	--enable-gcrypt \
	--enable-blowfish \
	--enable-ctr \
	--enable-ccm \
	--enable-gcm \
	--enable-unity \
	--enable-md4 \
	--enable-af-alg \
	--enable-eap-sim \
	--enable-eap-sim-file \
	--enable-eap-sim-pcsc \
	--enable-eap-aka \
	--enable-eap-aka-3gpp2 \
	--enable-eap-simaka-sql \
	--enable-eap-simaka-pseudonym \
	--enable-eap-simaka-reauth \
	--enable-eap-identity \
	--enable-eap-md5 \
	--enable-eap-gtc \
	--enable-eap-mschapv2 \
	--enable-eap-tls \
	--enable-eap-ttls \
	--enable-eap-peap \
	--enable-eap-tnc \
	--enable-eap-dynamic \
	--enable-eap-radius \
	--enable-xauth-eap \
	--enable-xauth-pam \
	--enable-tnc-pdp \
	--enable-tnc-imc \
	--enable-tnc-imv \
	--enable-tnccs-11 \
	--enable-tnccs-20 \
	--enable-tnccs-dynamic \
	--enable-imc-test \
	--enable-imv-test \
	--enable-imc-scanner \
	--enable-imv-scanner \
	--enable-ha \
	--enable-dhcp \
	--enable-farp \
	--enable-smp \
	--enable-sql \
	--enable-attr-sql \
	--enable-addrblock \
	--enable-radattr \
	--enable-mediation \
	--enable-led \
	--enable-certexpire \
	--enable-duplicheck \
	--enable-coupling \
%if %{with mysql}
	--enable-mysql \
%endif
%if %{with sqlite}
	--enable-sqlite \
%endif
%if %{with gcrypt}
	--enable-gcrypt \
%endif
%if %{with nm}
	--enable-nm \
%endif
%if %{with tests}
	--enable-load-tester \
	--enable-test-vectors \
%endif
	--enable-ldap \
	--enable-soup \
	--enable-curl
make %{?_smp_mflags:%_smp_mflags}

%install
export RPM_BUILD_ROOT
install -d -m755              ${RPM_BUILD_ROOT}%{_sbindir}/
install -d -m755              ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.d/
%if ! %{with systemd}
install -d -m755              ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/
install -m755 strongswan.init ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ipsec
ln -s %{_sysconfdir}/init.d/ipsec ${RPM_BUILD_ROOT}%{_sbindir}/rcipsec
%endif
#
make install DESTDIR="$RPM_BUILD_ROOT"
#
rm -f ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets
#
# ipsec.secrets
#
# This file holds the RSA private keys or the PSK preshared secrets for
# the IKE/IPsec authentication. See the ipsec.secrets(5) manual page.
#
EOT
#
rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan}.so
rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so
find  $RPM_BUILD_ROOT%{strongswan_libdir} \
      -name "*.a" -o -name "*.la" | xargs -r rm -f
#
install -d -m755 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
install -c -m644 TODO NEWS README COPYING LICENSE \
		 AUTHORS ChangeLog \
		 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
install -c -m644 ${RPM_SOURCE_DIR}/README.SUSE \
		 ${RPM_BUILD_ROOT}%{strongswan_docdir}/
install -d -m755 $RPM_BUILD_ROOT%{_localstatedir}/run/strongswan

%post libs0
%{run_ldconfig}
test -d %{_localstatedir}/run/strongswan || \
%{__mkdir_p} %{_localstatedir}/run/strongswan

%postun libs0
%{run_ldconfig}

%post ipsec
%if ! %{with systemd}
%{fillup_and_insserv ipsec}
%endif

%preun ipsec
%if ! %{with systemd}
%{stop_on_removal ipsec}
%endif
if test -s %{_sysconfdir}/ipsec.secrets.rpmsave ; then
	cp -p --backup=numbered %{_sysconfdir}/ipsec.secrets.rpmsave \
	                        %{_sysconfdir}/ipsec.secrets.rpmsave.old
fi
if test -s %{_sysconfdir}/ipsec.conf.rpmsave ; then
	cp -p --backup=numbered %{_sysconfdir}/ipsec.conf.rpmsave \
	                        %{_sysconfdir}/ipsec.conf.rpmsave.old
fi

%postun ipsec
%if ! %{with systemd}
%{insserv_cleanup}
%endif

%files
%defattr(-,root,root)
%dir %{strongswan_docdir}
%{strongswan_docdir}/README.SUSE

%files ipsec
%defattr(-,root,root)
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.conf
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.secrets
%dir %{_sysconfdir}/ipsec.d
%dir %{_sysconfdir}/ipsec.d/crls
%dir %{_sysconfdir}/ipsec.d/reqs
%dir %{_sysconfdir}/ipsec.d/certs
%dir %{_sysconfdir}/ipsec.d/acerts
%dir %{_sysconfdir}/ipsec.d/aacerts
%dir %{_sysconfdir}/ipsec.d/cacerts
%dir %{_sysconfdir}/ipsec.d/ocspcerts
%dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private
%if %{with systemd}
%{_unitdir}/strongswan.service
%else
%config %{_sysconfdir}/init.d/ipsec
%{_sbindir}/rcipsec
%endif
%{_sbindir}/ipsec
%{_mandir}/man8/ipsec.8*
%{_mandir}/man5/ipsec.conf.5*
%{_mandir}/man5/ipsec.secrets.5*
%{_mandir}/man5/strongswan.conf.5*
%dir %{_libexecdir}/ipsec
%{_libexecdir}/ipsec/_copyright
%{_libexecdir}/ipsec/_updown
%{_libexecdir}/ipsec/_updown_espmark
%{_libexecdir}/ipsec/conftest
%{_libexecdir}/ipsec/duplicheck
%{_libexecdir}/ipsec/openac
%{_libexecdir}/ipsec/pki
%{_libexecdir}/ipsec/pool
%{_libexecdir}/ipsec/scepclient
%{_libexecdir}/ipsec/starter
%{_libexecdir}/ipsec/stroke
%{_libexecdir}/ipsec/charon
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-stroke.so
%{strongswan_plugins}/libstrongswan-updown.so

%files doc
%defattr(-,root,root)
%dir %{strongswan_docdir}
%{strongswan_docdir}/TODO
%{strongswan_docdir}/NEWS
%{strongswan_docdir}/README
%{strongswan_docdir}/COPYING
%{strongswan_docdir}/LICENSE
%{strongswan_docdir}/AUTHORS
%{strongswan_docdir}/ChangeLog
%{_mandir}/man8/_updown.8*
%{_mandir}/man8/_updown_espmark.8*
%{_mandir}/man8/openac.8*
%{_mandir}/man8/scepclient.8*

%files libs0
%defattr(-,root,root)
%config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf
%dir %{_libexecdir}/ipsec
%dir %{strongswan_libdir}
%{strongswan_libdir}/libchecksum.so
%{strongswan_libdir}/libcharon.so.*
%{strongswan_libdir}/libhydra.so.*
%{strongswan_libdir}/libradius.so.*
%{strongswan_libdir}/libsimaka.so.*
%{strongswan_libdir}/libstrongswan.so.*
%{strongswan_libdir}/libtls.so.*
%{strongswan_libdir}/libtnccs.so.*
%{strongswan_libdir}/libimcv.so.*
%dir %{strongswan_libdir}/imcvs
%{strongswan_libdir}/imcvs/imc-scanner.so
%{strongswan_libdir}/imcvs/imc-test.so
%{strongswan_libdir}/imcvs/imv-scanner.so
%{strongswan_libdir}/imcvs/imv-test.so
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-addrblock.so
%{strongswan_plugins}/libstrongswan-aes.so
%{strongswan_plugins}/libstrongswan-af-alg.so
%{strongswan_plugins}/libstrongswan-agent.so
%{strongswan_plugins}/libstrongswan-attr.so
%{strongswan_plugins}/libstrongswan-attr-sql.so
%{strongswan_plugins}/libstrongswan-blowfish.so
%{strongswan_plugins}/libstrongswan-ccm.so
%{strongswan_plugins}/libstrongswan-certexpire.so
%{strongswan_plugins}/libstrongswan-cmac.so
%{strongswan_plugins}/libstrongswan-constraints.so
%{strongswan_plugins}/libstrongswan-coupling.so
%{strongswan_plugins}/libstrongswan-ctr.so
%{strongswan_plugins}/libstrongswan-curl.so
%{strongswan_plugins}/libstrongswan-des.so
%{strongswan_plugins}/libstrongswan-dhcp.so
%{strongswan_plugins}/libstrongswan-dnskey.so
%{strongswan_plugins}/libstrongswan-duplicheck.so
%{strongswan_plugins}/libstrongswan-eap-aka-3gpp2.so
%{strongswan_plugins}/libstrongswan-eap-aka.so
%{strongswan_plugins}/libstrongswan-eap-dynamic.so
%{strongswan_plugins}/libstrongswan-eap-gtc.so
%{strongswan_plugins}/libstrongswan-eap-identity.so
%{strongswan_plugins}/libstrongswan-eap-md5.so
%{strongswan_plugins}/libstrongswan-eap-mschapv2.so
%{strongswan_plugins}/libstrongswan-eap-peap.so
%{strongswan_plugins}/libstrongswan-eap-radius.so
%{strongswan_plugins}/libstrongswan-eap-sim-file.so
%{strongswan_plugins}/libstrongswan-eap-sim-pcsc.so
%{strongswan_plugins}/libstrongswan-eap-sim.so
%{strongswan_plugins}/libstrongswan-eap-simaka-pseudonym.so
%{strongswan_plugins}/libstrongswan-eap-simaka-reauth.so
%{strongswan_plugins}/libstrongswan-eap-simaka-sql.so
%{strongswan_plugins}/libstrongswan-eap-tls.so
%{strongswan_plugins}/libstrongswan-eap-tnc.so
%{strongswan_plugins}/libstrongswan-eap-ttls.so
%{strongswan_plugins}/libstrongswan-farp.so
%{strongswan_plugins}/libstrongswan-fips-prf.so
%{strongswan_plugins}/libstrongswan-gcm.so
%if %{with gcrypt}
%{strongswan_plugins}/libstrongswan-gcrypt.so
%endif
%{strongswan_plugins}/libstrongswan-gmp.so
%{strongswan_plugins}/libstrongswan-ha.so
%{strongswan_plugins}/libstrongswan-hmac.so
%{strongswan_plugins}/libstrongswan-kernel-netlink.so
%{strongswan_plugins}/libstrongswan-ldap.so
%{strongswan_plugins}/libstrongswan-led.so
%{strongswan_plugins}/libstrongswan-md4.so
%{strongswan_plugins}/libstrongswan-md5.so
%{strongswan_plugins}/libstrongswan-nonce.so
%{strongswan_plugins}/libstrongswan-openssl.so
%{strongswan_plugins}/libstrongswan-pem.so
%{strongswan_plugins}/libstrongswan-pgp.so
%{strongswan_plugins}/libstrongswan-pkcs1.so
%{strongswan_plugins}/libstrongswan-pkcs11.so
%{strongswan_plugins}/libstrongswan-pkcs8.so
%{strongswan_plugins}/libstrongswan-pubkey.so
%{strongswan_plugins}/libstrongswan-radattr.so
%{strongswan_plugins}/libstrongswan-random.so
%{strongswan_plugins}/libstrongswan-resolve.so
%{strongswan_plugins}/libstrongswan-revocation.so
%{strongswan_plugins}/libstrongswan-sha1.so
%{strongswan_plugins}/libstrongswan-sha2.so
%{strongswan_plugins}/libstrongswan-smp.so
%{strongswan_plugins}/libstrongswan-socket-default.so
%{strongswan_plugins}/libstrongswan-soup.so
%{strongswan_plugins}/libstrongswan-sql.so
%{strongswan_plugins}/libstrongswan-tnc-imc.so
%{strongswan_plugins}/libstrongswan-tnc-imv.so
%{strongswan_plugins}/libstrongswan-tnc-pdp.so
%{strongswan_plugins}/libstrongswan-tnc-tnccs.so
%{strongswan_plugins}/libstrongswan-tnccs-11.so
%{strongswan_plugins}/libstrongswan-tnccs-20.so
%{strongswan_plugins}/libstrongswan-tnccs-dynamic.so
%{strongswan_plugins}/libstrongswan-unity.so
%{strongswan_plugins}/libstrongswan-x509.so
%{strongswan_plugins}/libstrongswan-xauth-eap.so
%{strongswan_plugins}/libstrongswan-xauth-generic.so
%{strongswan_plugins}/libstrongswan-xauth-pam.so
%{strongswan_plugins}/libstrongswan-xcbc.so
%dir %ghost %{_localstatedir}/run/strongswan

%if %{with nm}

%files nm
%defattr(-,root,root)
%dir %{_libexecdir}/ipsec
%dir %{strongswan_plugins}
%{_libexecdir}/ipsec/charon-nm
%endif

%if %{with mysql}

%files mysql
%defattr(-,root,root)
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-mysql.so
%endif

%if %{with sqlite}

%files sqlite
%defattr(-,root,root)
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-sqlite.so
%endif

%if %{with tests}

%files tests
%defattr(-,root,root)
%dir %{strongswan_plugins}
%{strongswan_plugins}/libstrongswan-load-tester.so
%{strongswan_plugins}/libstrongswan-test-vectors.so
%endif

%changelog