Package strongswan: Specfile

%def_enable curl
%def_enable ldap
%def_disable mysql
%def_disable sqlite
%def_enable stroke
%def_disable medsrv
%def_enable medcli
%def_enable smp
%def_enable sql
%def_enable smartcard
%def_enable cisco-quirks
%def_disable unit-tests
%def_disable load-tests
%def_enable eap-sim
%def_enable eap-sim-file
%def_enable eap-md5
%def_enable eap-gtc
%def_enable eap-aka
%def_enable kernel-netlink
%def_enable kernel-pfkey
%def_enable kernel-klips
%def_enable nat-transport
%def_disable dumm
%def_disable manager
%def_enable mediation
%def_enable integrity-test
%def_enable self-test
%def_enable openssl
%def_enable agent
%def_disable uci
%def_disable nm

%ifarch %ix86
%def_enable padlock
%else
%def_disable padlock
%endif

Name: strongswan
Version: 4.3.7
Release: alt1.M51.1

Summary: StrongSWAN IPSEC implementation
License: GPLv2+
Group: System/Servers

Url: http://www.strongswan.org
Source: %name-%version.tar.bz2
Source1: ipsec.init
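# Testing script: avoid predictable /tmp paths (see changelog, 4.3.3-alt2)
Patch0: strongswan-4.3.3-alt-tmpfile.patch
# Upstream fix for CVE-2013-2944 (ECDSA signature vulnerability
# if the openssl backend is loaded; see changelog, 4.3.7-alt1.M51.1)
Patch1: strongswan-4.3.5-5.0.3_openssl_ecdsa_signature.patch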
Packager: Michael Shigorin <mike@altlinux.org>

# Automatically added by buildreq on Sun Feb 21 2010
BuildRequires: flex gperf libcurl-devel libgmp-devel libldap-devel libxml2-devel

Provides: libstrongswan = %version-%release
Obsoletes: libstrongswan < 4.3

%define pkgdocdir %_docdir/%name-%version

%description
StrongSWAN is a free implementation of IPSEC & IKE for Linux.  IPSEC
(Internet Protocol Security) uses strong cryptography to provide
both authentication and encryption services.  These services allow you
to build secure tunnels through untrusted networks.  Everything passing
through the untrusted net is encrypted by the ipsec gateway machine and
decrypted by the gateway at the other end of the tunnel.  The resulting
tunnel is a virtual private network or VPN.

This package contains the service and userland tools for setting up
StrongSWAN on a freeswan-enabled kernel.

%package testing
Summary: %name testing
Group: Documentation
Requires: %name = %version
BuildArch: noarch

%description testing
This package contains testing scripts and configuration snippets
from the StrongSWAN documentation.

%prep
%setup
%patch0 -p1
%patch1 -p1

%build
#autoreconf
%configure \
	--sysconfdir=%_sysconfdir/%name \
	--libexecdir=%_libdir/%name \
	%{subst_enable curl} \
	%{subst_enable ldap} \
	%{subst_enable mysql} \
	%{subst_enable sqlite} \
	%{subst_enable stroke} \
	%{subst_enable medsrv} \
	%{subst_enable medcli} \
	%{subst_enable smp} \
	%{subst_enable sql} \
	%{subst_enable smartcard} \
	%{subst_enable cisco-quirks} \
	%{subst_enable unit-tests} \
	%{subst_enable load-tests} \
	%{subst_enable eap-sim} \
	%{subst_enable eap-sim-file} \
	%{subst_enable eap-md5} \
	%{subst_enable eap-gtc} \
	%{subst_enable eap-aka} \
	%{subst_enable kernel-netlink} \
	%{subst_enable kernel-pfkey} \
	%{subst_enable kernel-klips} \
	%{subst_enable nat-transport} \
	%{subst_enable dumm} \
	%{subst_enable manager} \
	%{subst_enable mediation} \
	%{subst_enable integrity-test} \
	%{subst_enable self-test} \
	%{subst_enable padlock} \
	%{subst_enable openssl} \
	%{subst_enable agent} \
	%{subst_enable uci} \
	%{subst_enable nm} \

%make_build

%install
%makeinstall_std
install -pDm755 %SOURCE1 %buildroot%_initdir/ipsec
rm -f %buildroot%_libdir/lib%name.{a,so}

mkdir -p %buildroot%pkgdocdir
install -pm644 CREDITS ChangeLog NEWS README TODO %buildroot%pkgdocdir/
rm -f testing/do-tests.in testing/Makefile.*
cp -a testing/ %buildroot%pkgdocdir/

%files
%dir %pkgdocdir
%pkgdocdir/[A-Z]*
%attr(700,root,root) %dir %_sysconfdir/%name
%attr(700,root,root) %dir %_sysconfdir/%name/ipsec.d/
%attr(700,root,root) %dir %_sysconfdir/%name/ipsec.d/acerts
%attr(700,root,root) %dir %_sysconfdir/%name/ipsec.d/aacerts
%attr(700,root,root) %dir %_sysconfdir/%name/ipsec.d/ocspcerts
%attr(700,root,root) %dir %_sysconfdir/%name/ipsec.d/certs
%attr(700,root,root) %dir %_sysconfdir/%name/ipsec.d/cacerts
%attr(700,root,root) %dir %_sysconfdir/%name/ipsec.d/crls
%attr(700,root,root) %dir %_sysconfdir/%name/ipsec.d/private
%config(noreplace) %_sysconfdir/%name/ipsec.conf
%config(noreplace) %_sysconfdir/%name/%name.conf
%config(noreplace) %_initdir/ipsec
%dir %_libdir/%name/ipsec
%_libdir/%name/*
%_libdir/lib%name.so.*
%_sbindir/*
%_mandir/*/*

%files testing
%pkgdocdir/testing/

%changelog
* Tue Apr 30 2013 Michael Shigorin <mike@altlinux.org> 4.3.7-alt1.M51.1
- applied the upstream provided patch to fix CVE-2013-2944
  (ECDSA signature vulnerability if openssl backend is loaded)

* Tue Aug 03 2010 Michael Shigorin <mike@altlinux.org> 4.3.7-alt1
- 4.3.7: major security fix for snprintf() misuse
  introduced in 4.3.3

* Mon Feb 22 2010 Michael Shigorin <mike@altlinux.org> 4.3.6-alt1
- 4.3.6
  + NB: 4.3.5 has seen some plugin shuffling,
    check upstream changelog in case of doubt
- buildreq (including gperf)

* Tue Sep 15 2009 Michael Shigorin <mike@altlinux.org> 4.3.4-alt1
- 4.3.4

* Sun Jul 26 2009 Michael Shigorin <mike@altlinux.org> 4.3.3-alt3
- fixed incomplete patch (forgot to actually use prepared variable)

* Fri Jul 24 2009 Michael Shigorin <mike@altlinux.org> 4.3.3-alt2
- moved testing docs into a noarch subpackage (thanks repocop)
- patched testing script to avoid 100%% predictable /tmp paths

* Thu Jul 23 2009 Michael Shigorin <mike@altlinux.org> 4.3.3-alt1
- 4.3.3 (closes: #20849)
  + the RDN parser vulnerability discovered by Orange Labs research team
    was not completely fixed in version 4.3.2. Some more modifications
    had to be applied to the asn1_length() function to make it robust.
  + thanks crux@ for prompt notification

* Wed Jul 08 2009 Michael Shigorin <mike@altlinux.org> 4.3.2-alt1
- 4.3.2
  + disabled patch0 (applied upstream)
  + dropped patch1 (irrelevant with 4.3.x)
- finally got around to merging strongswan.git by ildar@
  (also closes: #18260)
  + including library subpackage removal
  + initscript status fix
- disabled VIA Padlock support on non-x86_32 (fails to build)
- spec cleanup
- buildreq

* Tue Jun 23 2009 Michael Shigorin <mike@altlinux.org> 4.2.16-alt1
- 4.2.16 fixes DoS vulnerability in the ASN.1 parser;
  thanks crux@ for notification (closes: #20527)

* Thu May 28 2009 Michael Shigorin <mike@altlinux.org> 4.2.15-alt1
- 4.2.15 fixes two DoS issues with charon
  + sending a malformed IKE_SA_INIT request left an incomplete state
    which caused a null pointer dereference if a subsequent
    CREATE_CHILD_SA request was sent
  + sending an IKE_AUTH request with either a missing TSi or TSr payload
    caused a null pointer dereference because the checks for TSi and TSr
    were interchanged
  + patch2 unneeded (included upstream)
- thanks crux@ for heads-up (closes: #20206)

* Wed May 13 2009 Michael Shigorin <mike@altlinux.org> 4.2.14-alt1
- 4.2.14 fixes CVE-2009-0790: DoS against dead peer detection code
- fixed FTBFS with glibc-2.9
- applied vendor patch fixing invalid IKE state issue

* Sat Jan 10 2009 Michael Shigorin <mike@altlinux.org> 4.2.10-alt3
- added a patch to avoid superfluous file dependencies

* Thu Jan 08 2009 Michael Shigorin <mike@altlinux.org> 4.2.10-alt2
- fixed ntpd comments in initscript ;-)

* Thu Jan 08 2009 Michael Shigorin <mike@altlinux.org> 4.2.10-alt1
- 4.2.10
- removed patches (builds as is)
- spec cleanup

* Sat Dec 20 2008 Ildar Mulyukov <ildar@altlinux.ru> 4.2.9-alt1
- new version
- many new features
- spec refactoring

* Wed Oct 10 2007 Grigory Milev <week@altlinux.ru> 4.1.6-alt2
- Rebuild for x86_64
- cleanup spec
- move libraries to separate package

* Mon Sep 03 2007 $inister <sinister@altlinux.ru> 4.1.6-alt1
- new version

* Tue Aug 28 2007 $inister <sinister@altlinux.ru> 4.1.5-alt1
- initial packaging