From 43d43de158431354c18efcc3d29dd20ff93f7e60 Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Mon, 24 Aug 2015 23:23:01 -0400
Subject: [PATCH] * Tue Aug 11 2015 Paul Wouters - 3.15-1
- Updated to 3.15 (see http://download.libreswan.org/CHANGES)
- Resolves: rhbz#CVE-2015-3240 IKE daemon restart when receiving a bad DH gx
- NSS database creation moved from spec file to service file
- Run CAVS tests on package build
- Added BuildRequire systemd-units and xmlto
- Bumped minimum required nss to 3.16.1
- Install tmpfiles
- Install sysctl file
- Update doc files to include
---
 .gitignore | 5 ++
 libreswan.spec | 132 +++++++++++++++++++++++++++++++------------------
 sources | 5 +-
 3 files changed, 94 insertions(+), 48 deletions(-)
diff --git a/.gitignore b/.gitignore
index cffd43b..c6ad332 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,8 @@
 /libreswan-3.11.tar.gz
 /libreswan-3.12.tar.gz
 /libreswan-3.13.tar.gz
+/libreswan-3.14.tar.gz
+/ikev1_dsa.fax.bz2
+/ikev1_psk.fax.bz2
+/ikev2.fax.bz2
+/libreswan-3.15.tar.gz
diff --git a/libreswan.spec b/libreswan.spec
index 5126d49..98b9bb4 100644
--- a/libreswan.spec
+++ b/libreswan.spec
@@ -11,19 +11,25 @@
 %global fipscheck_version 1.3.0
 %global buildefence 0
 %global development 0
+%global cavstests 1
 #global prever rc1
 Name: libreswan
 Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
-Version: 3.13
-Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
+Version: 3.15
+Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
 License: GPLv2
 Url: https://www.libreswan.org/
-Source: https://download.libreswan.org/%{name}-%{version}%{?prever}.tar.gz
+Source0: https://download.libreswan.org/%{name}-%{version}%{?prever}.tar.gz
+%if %{cavstests}
+Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
+Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
+Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
+%endif
 Group: System Environment/Daemons
 BuildRequires: gmp-devel bison flex pkgconfig
-BuildRequires: systemd
+BuildRequires: systemd systemd-units
 Requires(post): coreutils bash systemd
 Requires(preun): systemd
 Requires(postun): systemd
@@ -34,8 +40,9 @@ Provides: openswan = %{version}-%{release}
 Provides: openswan-doc = %{version}-%{release}
 BuildRequires: pkgconfig hostname
-BuildRequires: nss-devel >= 3.14.3, nspr-devel
+BuildRequires: nss-devel >= 3.16.1, nspr-devel
 BuildRequires: pam-devel
+BuildRequires: libevent-devel
 %if %{USE_DNSSEC}
 BuildRequires: unbound-devel
 %endif
@@ -56,8 +63,7 @@ BuildRequires: openldap-devel curl-devel
 %if %{buildefence}
 BuildRequires: ElectricFence
 %endif
-# Only needed if xml man pages are modified and need regeneration
-# BuildRequires: xmlto
+BuildRequires: xmlto
 Requires: nss-tools, nss-softokn
 Requires: iproute >= 2.6.8
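Review bot: The new `%global cavstests 1` toggle in the first hunk has no comment saying what it gates, so a reader has to find the matching `%if %{cavstests}` around Source1-3 and the `%check` section much further down to understand it. A one-line comment above it would close that gap, e.g. `# Run the CAVS test vectors (Source1-3) in %%check; set to 0 to skip them` (doubled `%%` so rpm does not expand the macro inside the comment). The second hunk also adds `BuildRequires: libevent-devel`, which the changelog entry does not list alongside the other new BuildRequires.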
@@ -84,11 +90,11 @@ sed -i "s:/usr/bin/python:/usr/bin/python3:" programs/verify/verify.in
 %build
 %if %{buildefence}
- %define efence "-lefence"
+ %global efence "-lefence"
 %endif
 #796683: -fno-strict-aliasing
-%{__make} \
+make %{?_smp_mflags} \
 %if %{development}
 USERCOMPILE="-g -DGCC_LINT %(echo %{optflags} | sed -e s/-O[0-9]*/ /) %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \
 %else
@@ -128,8 +134,7 @@ FS=$(pwd)
 %endif
 %install
-rm -rf %{buildroot}
-%{__make} \
+make \
 DESTDIR=%{buildroot} \
 INC_USRLOCAL=%{_prefix} \
 FINALLIBEXECDIR=%{_libexecdir}/ipsec \
@@ -142,63 +147,96 @@ FS=$(pwd)
 rm -rf %{buildroot}/usr/share/doc/libreswan
 install -d -m 0755 %{buildroot}%{_localstatedir}/run/pluto
-# used when setting --perpeerlog without --perpeerlogbase
+# used when setting --perpeerlog without --perpeerlogbase
 install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer
 install -d %{buildroot}%{_sbindir}
+install -d %{buildroot}%{_sysconfdir}/sysctl.d
+install -m 0644 packaging/fedora/libreswan-sysctl.conf \
+ %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
+
+install -d %{buildroot}%{_tmpfilesdir}
+install -m 0644 packaging/fedora/libreswan-tmpfiles.conf \
+ %{buildroot}%{_tmpfilesdir}/libreswan.conf
+
 %if %{USE_FIPSCHECK}
 mkdir -p %{buildroot}%{_libdir}/fipscheck
 install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/
-install -m644 packaging/fedora/libreswan-prelink.conf %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
+install -m644 packaging/fedora/libreswan-prelink.conf \
+ %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
 %endif
 echo "include %{_sysconfdir}/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets
 rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
-%files
-%doc CHANGES COPYING CREDITS README LICENSE
-%doc docs/*.*
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/pluto
-%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
-%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
-%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/cacerts
-%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/crls
-%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
-%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
-%attr(0755,root,root) %dir %{_localstatedir}/run/pluto
-%attr(0644,root,root) %{_unitdir}/ipsec.service
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
-%{_sbindir}/ipsec
-%{_libexecdir}/ipsec
-%doc %{_mandir}/*/*
-
-%if %{USE_FIPSCHECK}
-%{_libdir}/fipscheck/*.hmac
-# We own the directory so we don't have to require prelink
-%attr(0755,root,root) %dir %{_sysconfdir}/prelink.conf.d/
-%config(noreplace) %{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
+%if %{cavstests}
+%check
+# There is an elaborate upstream testing infrastructure which we do not
+# run here - it takes hours and uses kvm
+# We only run the CAVS tests.
+cp %{SOURCE1} %{SOURCE2} %{SOURCE3} .
+bunzip2 *.fax.bz2
+: starting CAVS test for IKEv2
+OBJ.linux.*/programs/pluto/cavp -v2 ikev2.fax | \
+ diff -u ikev2.fax - > /dev/null
+: starting CAVS test for IKEv1 RSASIG
+OBJ.linux.*/programs/pluto/cavp -v1sig ikev1_dsa.fax | \
+ diff -u ikev1_dsa.fax - > /dev/null
+: starting CAVS test for IKEv1 PSK
+OBJ.linux.*/programs/pluto/cavp -v1psk ikev1_psk.fax | \
+ diff -u ikev1_psk.fax - > /dev/null
+: CAVS tests passed
 %endif
+%post
+%systemd_post ipsec.service
+
 %preun
 %systemd_preun ipsec.service
 %postun
 %systemd_postun_with_restart ipsec.service
-%post
-%systemd_post ipsec.service
-if [ ! -f %{_sysconfdir}/ipsec.d/cert8.db ] ; then
- TEMPFILE=$(/bin/mktemp %{_sysconfdir}/ipsec.d/nsspw.XXXXXXX)
- [ $? -gt 0 ] && TEMPFILE=%{_sysconfdir}/ipsec.d/nsspw.$$
- echo > ${TEMPFILE}
- certutil -N -f ${TEMPFILE} -d %{_sysconfdir}/ipsec.d
- restorecon %{_sysconfdir}/ipsec.d/*db 2>/dev/null || :
- rm -f ${TEMPFILE}
-fi
+%files
+%doc CHANGES COPYING CREDITS README* LICENSE
+%doc docs/*.* docs/examples
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/pluto
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
+%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/v6neighbor-hole.conf
+%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
+%attr(0700,root,root) %dir %{_localstatedir}/log/pluto
+%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
+%attr(0755,root,root) %dir %{_localstatedir}/run/pluto
+%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
+%attr(0644,root,root) %{_unitdir}/ipsec.service
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
+%{_sbindir}/ipsec
+%{_libexecdir}/ipsec
+%attr(0644,root,root) %doc %{_mandir}/*/*
+
+%if %{USE_FIPSCHECK}
+%{_libdir}/fipscheck/*.hmac
+# We own the directory so we don't have to require prelink
+%attr(0755,root,root) %dir %{_sysconfdir}/prelink.conf.d/
+%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf
+%endif
 %changelog
+* Tue Aug 11 2015 Paul Wouters - 3.15-1
+- Updated to 3.15 (see http://download.libreswan.org/CHANGES)
+- Resolves: rhbz#CVE-2015-3240 IKE daemon restart when receiving a bad DH gx
+- NSS database creation moved from spec file to service file
+- Run CAVS tests on package build
+- Added BuildRequire systemd-units and xmlto
+- Bumped minimum required nss to 3.16.1
+- Install tmpfiles
+- Install sysctl file
+- Update doc files to include
+
 * Mon Jul 13 2015 Paul Wouters - 3.13-2
 - Resolves: rhbz#1238967 Switch libreswan to use python3
diff --git a/sources b/sources
index 82a1f23..98897db 100644
--- a/sources
+++ b/sources
@@ -1 +1,4 @@
-3dd97542c047f34ee0d5f3e61c3a4761 libreswan-3.13.tar.gz
+719f41125bed347a38298dac232ec477 libreswan-3.15.tar.gz
+d8b493de7179635a6ed2a4d0e1b35282 ikev1_dsa.fax.bz2
+c4fe7041300e6c21f4561ce818b5002f ikev1_psk.fax.bz2
+7716c48a1a2b17ba25e89b79889d4004 ikev2.fax.bz2
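Review bot: In the rewritten `%files` list the prelink drop-in under `%{_sysconfdir}` lost its config marker: the old entry was `%config(noreplace) %{_sysconfdir}/prelink.conf.d/libreswan-fips.conf`, the new one is the bare path, so any local edit to that file is silently overwritten on upgrade instead of being preserved, and the changelog does not mention the change. If that is intentional because the file must stay package-controlled for the fipscheck HMACs to remain valid, a comment next to the entry saying so would help; otherwise restore `%config(noreplace)` on that line. Separately, the new `%check` pipes each `cavp` run through `diff -u ... - > /dev/null`, so a failing CAVS vector only surfaces as a non-zero exit with no indication of which output differed; dropping the `> /dev/null` redirect would put the mismatch in the build log at no cost on the passing path.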