From 444620748c1731b3a989396ce0fb4db02be1c390 Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Tue, 26 May 2020 10:25:11 -0400
Subject: [PATCH] - Backport NSS guarding fix for unannounced changed api in NSS causing segfault
---
 libreswan-3.32-nss-api.patch | 16 ++++++++++++++++
 libreswan.spec | 8 +++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 libreswan-3.32-nss-api.patch
diff --git a/libreswan-3.32-nss-api.patch b/libreswan-3.32-nss-api.patch
new file mode 100644
index 0000000..efd10ba
--- /dev/null
+++ b/libreswan-3.32-nss-api.patch
@@ -0,0 +1,16 @@
+diff -Naur libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c
+--- libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c 2020-05-11 10:13:41.000000000 -0400
++++ libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c 2020-05-26 10:23:26.563318038 -0400
+@@ -16,6 +16,12 @@
+ #include
+ #include
+
++/*
++ * Special advise from Bob Relyea - needs to go before any nss include
++ *
++ */
++#define NSS_PKCS11_2_0_COMPAT 1
++
+ #include "lswlog.h"
+ #include "lswnss.h"
+ #include "prmem.h"
diff --git a/libreswan.spec b/libreswan.spec
index c386d65..5e94a1d 100644
--- a/libreswan.spec
+++ b/libreswan.spec
@@ -33,7 +33,7 @@ Name: libreswan
 Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
 # version is generated in the release script
 Version: 3.32
-Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
+Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
 License: GPLv2
 Url: https://libreswan.org/
 Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
@@ -44,6 +44,7 @@ Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
 %endif
 Patch1: libreswan-3.30-s390x.patch
+Patch2: libreswan-3.32-nss-api.patch
 Requires(post): bash coreutils systemd
 Requires(preun): systemd
@@ -99,6 +100,8 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
 %prep
 %setup -q -n libreswan-%{version}%{?prever}
 %patch1 -p1
+%patch2 -p1
+
 # Fedora should really figure this versioning out itself, not burden upstream
 sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/cert_verify/usage_test
 sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/pluto/ikev1-01-fuzzer/cve-2015-3204.py
@@ -197,6 +200,9 @@ export NSS_DISABLE_HW_GCM=1
 %doc %{_mandir}/*/*
 %changelog
+* Tue May 26 2020 Paul Wouters - 3.32-2
+- Backport NSS guarding fix for unannounced changed api in NSS causing segfault
+
 * Mon May 11 2020 Paul Wouters - 3.32-1
 - Resolves: rhbz#1809770 libreswan-3.32 is available
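Review bot: The comment above `#define NSS_PKCS11_2_0_COMPAT 1` in ike_alg_encrypt_nss_gcm_ops.c credits the advice but does not say what the define guards against, so a later cleanup could move or drop it and bring the segfault back. I would reword it along the lines of `/* Select the PKCS#11 2.x-compatible NSS definitions: newer NSS changed this API and the mismatch caused a segfault. Must precede every NSS include. */` and fix "advise" to "advice"; the exact NSS version and structure involved are not shown here and should be taken from the upstream commit. The define is set only in this one file, so any other source file using the same NSS GCM interface would presumably need it too, and a build-wide `-DNSS_PKCS11_2_0_COMPAT=1` may be more robust. The two `#include` lines above the define have lost their header names on this page, so it cannot be confirmed from here that neither of them pulls in an NSS header first.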
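Review bot: `Patch2: libreswan-3.32-nss-api.patch` is added without a comment recording where the backport comes from, which makes it hard to verify the patch against upstream or to know when it can be dropped on the next rebase. A line above it such as `# Backport of upstream commit <UPSTREAM_COMMIT_ID>: NSS API compatibility guard for GCM` would cover this; the commit id is a placeholder because it is not given on this page. The changelog entry could carry the same reference.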