RHEL 9.0.0 Alpha bootstrap

The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/libreswan#edf019da096d996a265210d164af9c89a6b637c9

.gitignore

@@ -0,0 +1,36 @@
+/libreswan-3.2.tar.gz
+/libreswan-3.3.tar.gz
+/libreswan-3.4.tar.gz
+/libreswan-3.5.tar.gz
+/libreswan-3.6.tar.gz
+/libreswan-3.7.tar.gz
+/libreswan-3.8.tar.gz
+/libreswan-3.9.tar.gz
+/libreswan-3.10.tar.gz
+/libreswan-3.11.tar.gz
+/libreswan-3.12.tar.gz
+/libreswan-3.13.tar.gz
+/libreswan-3.14.tar.gz
+/ikev1_dsa.fax.bz2
+/ikev1_psk.fax.bz2
+/ikev2.fax.bz2
+/libreswan-3.15.tar.gz
+/libreswan-3.16.tar.gz
+/libreswan-3.17.tar.gz
+/libreswan-3.18.tar.gz
+/libreswan-3.19.tar.gz
+/libreswan-3.20dr4.tar.gz
+/libreswan-3.20.tar.gz
+/libreswan-3.21.tar.gz
+/libreswan-3.22.tar.gz
+/libreswan-3.23.tar.gz
+/libreswan-3.24.tar.gz
+/libreswan-3.25.tar.gz
+/libreswan-3.26.tar.gz
+/libreswan-3.27.tar.gz
+/libreswan-3.28.tar.gz
+/libreswan-3.29.tar.gz
+/libreswan-3.30.tar.gz
+/libreswan-3.31.tar.gz
+/libreswan-3.32.tar.gz
+/libreswan-4.0rc1.tar.gz

libreswan-3.23-crypto-policies.patch

@@ -0,0 +1,66 @@
+diff --git a/lib/libipsecconf/parser.l b/lib/libipsecconf/parser.l
+index c41dd8048..cc2faf5c9 100644
+--- a/lib/libipsecconf/parser.l
++++ b/lib/libipsecconf/parser.l
+@@ -160,7 +160,9 @@ static int parser_y_nextglobfile(struct ic_inputsource *iis)
+ 		char ebuf[128];
+ 
+ 		snprintf(ebuf, sizeof(ebuf),
+-			"cannot open include filename: '%s': %s",
++			(strstr(iis->filename, "crypto-policies/back-ends/libreswan.config") == NULL) ?
++				"cannot open include filename: '%s': %s" :
++				"ignored loading default system-wide crypto-policies file '%s': %s",
+ 			iis->fileglob.gl_pathv[fcnt],
+ 			strerror(errno));
+ 		yyerror(ebuf);
+diff --git a/programs/configs/ipsec.conf.in b/programs/configs/ipsec.conf.in
+index 7374efc3c..974699f01 100644
+--- a/programs/configs/ipsec.conf.in
++++ b/programs/configs/ipsec.conf.in
+@@ -1,27 +1,18 @@
+ # @FINALCONFDIR@/ipsec.conf - Libreswan IPsec configuration file
+ #
+-# Manual:     ipsec.conf.5
++# see 'man ipsec.conf' and 'man pluto' for more information
++#
++# For example configurations and documentation, see https://libreswan.org/wiki/
+ 
+ config setup
+-	# Normally, pluto logs via syslog. If you want to log to a file,
+-	# specify below or to disable logging, eg for embedded systems, use
+-	# the file name /dev/null
+-	# Note: SElinux policies might prevent pluto writing to a log file at
+-	#       an unusual location.
++	# Normally, pluto logs via syslog.
+ 	#logfile=/var/log/pluto.log
+ 	#
+ 	# Do not enable debug options to debug configuration issues!
+ 	#
+-	# plutodebug "all", "none" or a combation from below:
+-	# "raw crypt parsing emitting control controlmore kernel pfkey
+-	#  natt x509 dpd dns oppo oppoinfo private".
+-	# Note: "private" is not included with "all", as it can show confidential
+-	#       information. It must be specifically specified
+-	# examples:
+ 	# plutodebug="control parsing"
+ 	# plutodebug="all crypt"
+-	# Again: only enable plutodebug when asked by a developer
+-	#plutodebug=none
++	plutodebug=none
+ 	#
+ 	# NAT-TRAVERSAL support
+ 	# exclude networks used on server side by adding %v4:!a.b.c.0/24
+@@ -30,10 +21,8 @@ config setup
+ 	# This range has never been announced via BGP (at least up to 2015)
+ 	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
+ 
+-# For example connections, see your distribution's documentation directory,
+-# or https://libreswan.org/wiki/
+-#
+-# There is also a lot of information in the manual page, "man ipsec.conf"
+-#
++# if it exists, include system wide crypto-policy defaults
++include /etc/crypto-policies/back-ends/libreswan.config
++
+ # It is best to add your IPsec connections as separate files in @IPSEC_CONFDDIR@/
+ include @IPSEC_CONFDDIR@/*.conf

libreswan-3.23-fixups.patch

@@ -0,0 +1,507 @@
+diff -Naur libreswan-3.23-orig/programs/pluto/connections.c libreswan-3.23/programs/pluto/connections.c
+--- libreswan-3.23-orig/programs/pluto/connections.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/connections.c	2018-02-05 14:38:49.372280712 -0500
+@@ -3158,10 +3158,8 @@
+ 					matching_peer_id && matching_peer_ca && matching_requested_ca,
+ 					matching_peer_id, matching_peer_ca, matching_requested_ca);});
+ 
+-			/* Ignore template from which we instantiated - this should never happen */
+ 			if (c->kind == CK_INSTANCE && d->kind == CK_TEMPLATE && streq(c->name, d->name)) {
+-				libreswan_log("Warning: not switching back to template of current instance (FIXME)");
+-				continue;
++				DBG(DBG_CONTROLMORE, DBG_log("template conn fits better than instance of it - different client on same IP/port requires new instance"));
+ 			}
+ 
+ 			/* 'You Tarzan, me Jane' check based on received IDr */
+diff -Naur libreswan-3.23-orig/programs/pluto/hostpair.c libreswan-3.23/programs/pluto/hostpair.c
+--- libreswan-3.23-orig/programs/pluto/hostpair.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/hostpair.c	2018-02-05 14:38:57.865635032 -0500
+@@ -144,17 +144,6 @@
+ 		hisport = pluto_port;
+ 
+ 	for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next) {
+-		if (p->connections != NULL && (p->connections->kind == CK_INSTANCE) &&
+-				(p->connections->spd.that.id.kind == ID_NULL))
+-		{
+-			DBG(DBG_CONTROLMORE, {
+-				char ci[CONN_INST_BUF];
+-				DBG_log("find_host_pair: ignore CK_INSTANCE with ID_NULL hp:\"%s\"%s",
+-					p->connections->name,
+-					fmt_conn_instance(p->connections, ci));
+-			});
+-			continue;
+-		}
+ 
+ 		DBG(DBG_CONTROLMORE, {
+ 			ipstr_buf b1;
+diff -Naur libreswan-3.23-orig/programs/pluto/ikev2.h libreswan-3.23/programs/pluto/ikev2.h
+--- libreswan-3.23-orig/programs/pluto/ikev2.h	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/ikev2.h	2018-02-05 14:39:11.171190105 -0500
+@@ -162,7 +162,9 @@
+ extern bool ikev2_calculate_rsa_sha1(struct state *st,
+ 				     enum original_role role,
+ 				     unsigned char *idhash,
+-				     pb_stream *a_pbs);
++				     pb_stream *a_pbs,
++				     bool calc_no_ppk_auth,
++				     chunk_t *no_ppk_auth);
+ 
+ extern bool ikev2_create_psk_auth(enum keyword_authby authby,
+ 				     struct state *st,
+diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_parent.c libreswan-3.23/programs/pluto/ikev2_parent.c
+--- libreswan-3.23-orig/programs/pluto/ikev2_parent.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/ikev2_parent.c	2018-02-05 14:39:11.173190188 -0500
+@@ -2783,7 +2783,9 @@
+ 
+ 	switch (a.isaa_type) {
+ 	case IKEv2_AUTH_RSA:
+-		if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs)) {
++		if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs,
++			FALSE, /* store-only not set */
++			NULL /* store-only chunk unused */)) {
+ 			loglog(RC_LOG_SERIOUS, "Failed to find our RSA key");
+ 			return STF_FATAL;
+ 		}
+@@ -2792,7 +2794,7 @@
+ 	case IKEv2_AUTH_PSK:
+ 	case IKEv2_AUTH_NULL:
+ 		if (!ikev2_create_psk_auth(authby, pst, idhash_out, &a_pbs,
+-			FALSE /* store-only not set */,
++			FALSE, /* store-only not set */
+ 			NULL /* store-only chunk unused */)) {
+ 			loglog(RC_LOG_SERIOUS, "Failed to find our PreShared Key");
+ 			return STF_FATAL;
+@@ -2812,7 +2814,9 @@
+ 					return STF_INTERNAL_ERROR;
+ 			}
+ 
+-			if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs)) {
++			if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs,
++				FALSE, /* store-only not set */
++				NULL /* store-only chunk unused */)) {
+ 				loglog(RC_LOG_SERIOUS, "DigSig: failed to find our RSA key");
+ 				return STF_FATAL;
+ 			}
+@@ -3224,7 +3228,7 @@
+ 		hmac_update(&id_ctx, id_start, id_len);
+ 		hmac_final(idhash, &id_ctx);
+ 
+-		if (pst->st_sk_pi_no_ppk != NULL) {
++		if (pst->st_seen_ppk && !LIN(POLICY_PPK_INSIST, pc->policy)) {
+ 			struct hmac_ctx id_ctx_npa;
+ 
+ 			hmac_init(&id_ctx_npa, pst->st_oakley.ta_prf, pst->st_sk_pi_no_ppk);
+@@ -3371,7 +3375,7 @@
+ 			notifies++;
+ 
+ 		if (pst->st_seen_ppk)
+-			notifies++; /* used for two payloads */
++			notifies++; /* used for one or two payloads */
+ 
+ 		/* code does not support AH + ESP, not recommend rfc8221 section-4 */
+ 		struct ipsec_proto_info *proto_info
+@@ -3437,21 +3441,24 @@
+ 		}
+ 		if (pst->st_seen_ppk) {
+ 			chunk_t notify_data = create_unified_ppk_id(&ppk_id_p);
++			int np = LIN(POLICY_PPK_INSIST, cc->policy) ? ISAKMP_NEXT_v2NONE : ISAKMP_NEXT_v2N;
+ 
+-			notifies--; /* used for 2 payloads */
+-				if (!ship_v2N(ISAKMP_NEXT_v2N, ISAKMP_PAYLOAD_NONCRITICAL,
+-						PROTO_v2_RESERVED, &empty_chunk,
+-						v2N_PPK_IDENTITY, &notify_data,
+-						&e_pbs_cipher))
+-					return STF_INTERNAL_ERROR;
++			notifies--; /* used for one or two payloads */
++			if (!ship_v2N(np, ISAKMP_PAYLOAD_NONCRITICAL,
++					PROTO_v2_RESERVED, &empty_chunk,
++					v2N_PPK_IDENTITY, &notify_data,
++					&e_pbs_cipher))
++				return STF_INTERNAL_ERROR;
+ 			freeanychunk(notify_data);
+ 
+-			ikev2_calc_no_ppk_auth(cc, pst, idhash_npa, &pst->st_no_ppk_auth);
+-			if (!ship_v2N(ISAKMP_NEXT_v2NONE, ISAKMP_PAYLOAD_NONCRITICAL,
+-				PROTO_v2_RESERVED, &empty_chunk,
+-				v2N_NO_PPK_AUTH, &pst->st_no_ppk_auth,
+-				&e_pbs_cipher))
+-					return STF_INTERNAL_ERROR;
++			if (!LIN(POLICY_PPK_INSIST, cc->policy)) {
++				ikev2_calc_no_ppk_auth(cc, pst, idhash_npa, &pst->st_no_ppk_auth);
++				if (!ship_v2N(ISAKMP_NEXT_v2NONE, ISAKMP_PAYLOAD_NONCRITICAL,
++					PROTO_v2_RESERVED, &empty_chunk,
++					v2N_NO_PPK_AUTH, &pst->st_no_ppk_auth,
++					&e_pbs_cipher))
++						return STF_INTERNAL_ERROR;
++			}
+ 		}
+ 
+ 		passert(notifies == 0);
+diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_ppk.c libreswan-3.23/programs/pluto/ikev2_ppk.c
+--- libreswan-3.23-orig/programs/pluto/ikev2_ppk.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/ikev2_ppk.c	2018-02-05 14:39:11.173190188 -0500
+@@ -113,7 +113,24 @@
+ 	enum keyword_authby authby = c->spd.this.authby;
+ 	switch (authby) {
+ 	case AUTH_RSASIG:
+-		/* TODO */
++		if (ikev2_calculate_rsa_sha1(st, st->st_original_role, id_hash, NULL, TRUE, no_ppk_auth)) {
++			if (st->st_hash_negotiated & NEGOTIATE_AUTH_HASH_SHA1) {
++				/* make blobs separately, and somehow combine them and no_ppk_auth
++				 * to get an actual no_ppk_auth */
++				int len = ASN1_LEN_ALGO_IDENTIFIER + ASN1_SHA1_RSA_OID_SIZE + no_ppk_auth->len;
++				u_char *blobs = alloc_bytes(len, "bytes for blobs for AUTH_DIGSIG NO_PPK_AUTH");
++				u_char *ret = blobs;
++				memcpy(blobs, len_sha1_rsa_oid_blob, ASN1_LEN_ALGO_IDENTIFIER);
++				blobs += ASN1_LEN_ALGO_IDENTIFIER;
++				memcpy(blobs, sha1_rsa_oid_blob, ASN1_SHA1_RSA_OID_SIZE);
++				blobs += ASN1_SHA1_RSA_OID_SIZE;
++				memcpy(blobs, no_ppk_auth->ptr, no_ppk_auth->len);
++				chunk_t release = *no_ppk_auth;
++				setchunk(*no_ppk_auth, ret, len);
++				freeanychunk(release);
++			}
++		}
++		return STF_OK;
+ 		break;
+ 	case AUTH_PSK:
+ 		if (ikev2_create_psk_auth(AUTH_PSK, st, id_hash, NULL, TRUE, no_ppk_auth))
+diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_rsa.c libreswan-3.23/programs/pluto/ikev2_rsa.c
+--- libreswan-3.23-orig/programs/pluto/ikev2_rsa.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/ikev2_rsa.c	2018-02-05 14:39:11.173190188 -0500
+@@ -101,7 +101,9 @@
+ bool ikev2_calculate_rsa_sha1(struct state *st,
+ 			      enum original_role role,
+ 			      unsigned char *idhash,
+-			      pb_stream *a_pbs)
++			      pb_stream *a_pbs,
++			      bool calc_no_ppk_auth,
++			      chunk_t *no_ppk_auth)
+ {
+ 	unsigned char signed_octets[SHA1_DIGEST_SIZE + 16];
+ 	size_t signed_len;
+@@ -136,8 +138,13 @@
+ 		if (shr == 0)
+ 			return FALSE;
+ 		passert(shr == (int)sz);
+-		if (!out_raw(sig_val, sz, a_pbs, "rsa signature"))
+-			return FALSE;
++		if (calc_no_ppk_auth == FALSE) {
++			if (!out_raw(sig_val, sz, a_pbs, "rsa signature"))
++				return FALSE;
++		} else {
++			clonetochunk(*no_ppk_auth, sig_val, sz, "NO_PPK_AUTH chunk");
++			DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH payload", *no_ppk_auth));
++		}
+ 	}
+ 
+ 	return TRUE;
+diff -Naur libreswan-3.23-orig/programs/pluto/nss_cert_verify.c libreswan-3.23/programs/pluto/nss_cert_verify.c
+--- libreswan-3.23-orig/programs/pluto/nss_cert_verify.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/nss_cert_verify.c	2018-02-05 14:38:52.685418927 -0500
+@@ -498,60 +498,83 @@
+ 
+ bool cert_VerifySubjectAltName(const CERTCertificate *cert, const char *name)
+ {
+-	SECStatus rv;
+ 	SECItem	subAltName;
+-	PLArenaPool *arena = NULL;
+-	CERTGeneralName *nameList = NULL;
+-	CERTGeneralName *current = NULL;
+-	bool san_ip = FALSE;
+-	unsigned int len = strlen(name);
+-	ip_address myip;
+-
+-	rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME,
++	SECStatus rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME,
+ 			&subAltName);
+ 	if (rv != SECSuccess) {
+ 		DBG(DBG_X509, DBG_log("certificate contains no subjectAltName extension"));
+ 		return FALSE;
+ 	}
+ 
+-	if (tnatoaddr(name, 0, AF_UNSPEC, &myip) == NULL)
+-		san_ip = TRUE;
++	ip_address myip;
++	bool san_ip = (tnatoaddr(name, 0, AF_UNSPEC, &myip) == NULL);
+ 
+-	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
++	PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ 	passert(arena != NULL);
+ 
+-	nameList = current = CERT_DecodeAltNameExtension(arena, &subAltName);
+-	passert(current != NULL);
++	CERTGeneralName *nameList = CERT_DecodeAltNameExtension(arena, &subAltName);
+ 
+-	do
+-	{
++	if (nameList == NULL) {
++		loglog(RC_LOG_SERIOUS, "certificate subjectAltName extension failed to decode");
++		PORT_FreeArena(arena, PR_FALSE);
++		return FALSE;
++	}
++
++	/*
++	 * nameList is a pointer into a non-empty circular linked list.
++	 * This loop visits each entry.
++	 * We have visited each when we come back to the start.
++	 * We test only at the end, after we advance, because we want to visit
++	 * the first entry the first time we see it but stop when we get to it
++	 * the second time.
++	 */
++	CERTGeneralName *current = nameList;
++	do {
+ 		switch (current->type) {
+ 		case certDNSName:
+ 		case certRFC822Name:
+-			if (san_ip)
+-				break;
+-			if (current->name.other.len == len) {
+-				if (memcmp(current->name.other.data, name, len) == 0) {
+-					DBG(DBG_X509, DBG_log("subjectAltname %s found in certificate", name));
+-					PORT_FreeArena(arena, PR_FALSE);
+-					return TRUE;
+-				}
+-			}
++		{
++			/*
++			 * Match the parameter name with the name in the certificate.
++			 * The name in the cert may start with "*."; that will match
++			 * any initial component in name (up to the first '.').
++			 */
++			/* we need to cast because name.other.data is unsigned char * */
++			const char *c_ptr = (const void *) current->name.other.data;
++			size_t c_len =  current->name.other.len;
++
++			const char *n_ptr = name;
++			static const char wild[] = "*.";
++			const size_t wild_len = sizeof(wild) - 1;
++
++			if (c_len > wild_len && startswith(c_ptr, wild)) {
++				/* wildcard in cert: ignore first component of name */
++				c_ptr += wild_len;
++				c_len -= wild_len;
++				n_ptr = strchr(n_ptr, '.');
++				if (n_ptr == NULL)
++					break;	/* cannot match */
+ 
+-			if (current->name.other.len != 0 && current->name.other.len < IDTOA_BUF) {
+-				char osan[IDTOA_BUF];
++				n_ptr++;	/* skip . */
++			}
+ 
+-				memcpy(osan,current->name.other.data, current->name.other.len);
+-				osan[current->name.other.len] = '\0';
+-				DBG(DBG_X509, DBG_log("subjectAltname (len=%d) %s not match %s", current->name.other.len, osan, name));
+-			} else {
+-				DBG(DBG_X509, DBG_log("subjectAltname <TOO BIG TO PRINT> does not match %s", name));
++			if (c_len == strlen(n_ptr) && strncaseeq(n_ptr, c_ptr, c_len)) {
++				/*
++				 * ??? if current->name.other.data contains bad characters,
++				 * what prevents them being logged?
++				 */
++				DBG(DBG_X509, DBG_log("subjectAltname %s matched %*s in certificate",
++					name, current->name.other.len, current->name.other.data));
++				PORT_FreeArena(arena, PR_FALSE);
++				return TRUE;
+ 			}
+ 			break;
++		}
+ 
+ 		case certIPAddress:
+ 			if (!san_ip)
+ 				break;
++
+ 			if ((current->name.other.len == 4) && (addrtypeof(&myip) == AF_INET)) {
+ 				if (memcmp(current->name.other.data, &myip.u.v4.sin_addr.s_addr, 4) == 0) {
+ 					DBG(DBG_X509, DBG_log("subjectAltname IPv4 matches %s", name));
+@@ -572,7 +595,7 @@
+ 					break;
+ 				}
+ 			}
+-			DBG(DBG_X509, DBG_log("subjectAltnamea IP address family mismatch for %s", name));
++			DBG(DBG_X509, DBG_log("subjectAltname IP address family mismatch for %s", name));
+ 			break;
+ 
+ 		default:
+diff -Naur libreswan-3.23-orig/programs/_unbound-hook/_unbound-hook.in libreswan-3.23/programs/_unbound-hook/_unbound-hook.in
+--- libreswan-3.23-orig/programs/_unbound-hook/_unbound-hook.in	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/_unbound-hook/_unbound-hook.in	2018-02-05 14:38:49.373280754 -0500
+@@ -1,31 +1,52 @@
+ #!/usr/bin/python
++#
++# Copyright (C) 2018 Paul Wouters <pwouters@redhat.com>
++#
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
++#
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++# for more details.
+ 
+ import sys
+-import base64
+-import commands
++import subprocess
+ 
+-log = ""
+-
+-status, myip = commands.getstatusoutput("ip -o route get 1.0.0.1")
++# Get my %defaultroute IP address
++myip = subprocess.check_output("ip -o route get 8.8.8.8", shell=True)
+ myip = myip.split("src")[1].strip().split()[0]
+ 
+ argv = sys.argv
+-argc = len(sys.argv)
++ourself = argv.pop(0)
+ 
+-#log += "Number or arguments is %d\n"%argc
+-#if argc >= 4:
+-#	log += "QNAME:%s\n"%argv[1]
+-#	log += "TTL:%s\n"%argv[2]
+-#	log += "IP:%s\n"%argv[3]
+-#	log += "IPSECKEY:%s\n"%argv[4]
+-#	rr = argv[4]
+-#	pref, gwtype, algo, gw, pubkey = rr.split(" ")
+-#log += "-----------------------------\n"
+-
+-cmdname = "@IPSEC_EXECDIR@/whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(argv[1], pubkey)
+-cmdip = "@IPSEC_EXECDIR@/whack --keyid %s --addkey --pubkeyrsa 0s%s"%(argv[3], pubkey)
+-cmdoe = "@IPSEC_EXECDIR@/whack --oppohere %s --oppothere %s"%(myip, argv[3])
+-ret, output = commands.getstatusoutput(cmdname)
+-ret, output = commands.getstatusoutput(cmdip)
+-ret, output = commands.getstatusoutput(cmdoe)
+-ret, output = commands.getstatusoutput("@IPSEC_EXECDIR@ whack --trafficstatus")
++try:
++    qname = argv.pop(0)
++    ttl = argv.pop(0)
++    ip = argv.pop(0)
++except:
++    sys.exit("Bad arguments to ipsec _unbound")
++
++while (argv != []):
++    try:
++        gwprec = argv.pop(0)
++        gwtype = argv.pop(0)
++        gwalg = argv.pop(0)
++        gwid = argv.pop(0)
++        pubkey = argv.pop(0)
++        addkeyip = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
++        addkeyhostname = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(qname, pubkey)
++        print("processing an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip))
++        print(subprocess.call(addkeyip, shell=True))
++        print(subprocess.call(addkeyhostname, shell=True))
++    except:
++        sys.exit("failed to process an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip))
++
++# done injecting all IPSECKEY records into pluto - try actual OE now
++cmdoeip = "ipsec whack --oppohere %s --oppothere %s"%(myip, ip)
++print(subprocess.check_output(cmdoeip, shell=True))
++#cmdoeqname = "ipsec whack --oppohere %s --oppothere %s"%(myip, qname)
++#ret, output = commands.getstatusoutput(cmdoeqname)
++print(subprocess.check_output("ipsec whack --trafficstatus", shell=True))
+diff --git a/include/ietf_constants.h b/include/ietf_constants.h
+index 8a1ba5d..38fa4de 100644
+--- a/include/ietf_constants.h
++++ b/include/ietf_constants.h
+@@ -1215,7 +1215,7 @@ enum ikev2_cp_attribute_type {
+ 	IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO = 23,
+ 	IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK = 24,
+ 	IKEv2_INTERNAL_DNS_DOMAIN = 25,
+-	/* IKEv2_INTERNAL_DNSSEC_TA = 26 expected */
++	IKEv2_INTERNAL_DNSSEC_TA = 26
+ };
+ 
+ 
+diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c
+index 9ea9872..ab6db3e 100644
+--- a/lib/libswan/constants.c
++++ b/lib/libswan/constants.c
+@@ -1365,13 +1365,12 @@ static const char *const ikev2_cp_attribute_type_name[] = {
+ 	"IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO", /* 3gpp */
+ 	"IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK", /* 3gpp */
+ 	"IKEv2_INTERNAL_DNS_DOMAIN", /* draft-ietf-ipsecme-split-dns */
+-	/* "IKEv2_INTERNAL_DNSSEC_TA", draft-ietf-ipsecme-split-dns, no Code Point yet */
++	"IKEv2_INTERNAL_DNSSEC_TA", /* draft-ietf-ipsecme-split-dns */
+ };
+ 
+ enum_names ikev2_cp_attribute_type_names = {
+ 	IKEv2_CP_ATTR_RESERVED,
+-	IKEv2_INTERNAL_DNS_DOMAIN,
+-	/* IKEv2_INTERNAL_DNSSEC_TA, */
++	IKEv2_INTERNAL_DNSSEC_TA,
+ 	ARRAY_REF(ikev2_cp_attribute_type_name),
+ 	NULL, /* prefix */
+ 	NULL
+diff --git a/programs/addconn/addconn.c b/programs/addconn/addconn.c
+index ae56972..e818e0e 100644
+--- a/programs/addconn/addconn.c
++++ b/programs/addconn/addconn.c
+@@ -416,12 +416,11 @@ int main(int argc, char *argv[])
+ 		if (verbose)
+ 			printf("  Pass #1: Loading auto=add, auto=route and auto=start connections\n");
+ 
+-		for (conn = cfg->conns.tqh_first;
+-			conn != NULL;
+-			conn = conn->link.tqe_next) {
++		for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) {
+ 			if (conn->desired_state == STARTUP_ADD ||
+ 				conn->desired_state == STARTUP_ONDEMAND ||
+-				conn->desired_state == STARTUP_START) {
++				conn->desired_state == STARTUP_START)
++			{
+ 				if (verbose)
+ 					printf(" %s", conn->name);
+ 				resolve_defaultroute(conn);
+@@ -436,30 +435,22 @@ int main(int argc, char *argv[])
+ 		starter_whack_listen(cfg);
+ 
+ 		if (verbose)
+-			printf("  Pass #2: Routing auto=route and auto=start connections\n");
++			printf("  Pass #2: Routing auto=route connections\n");
+ 
+-		for (conn = cfg->conns.tqh_first;
+-			conn != NULL;
+-			conn = conn->link.tqe_next) {
+-			if (conn->desired_state == STARTUP_ADD ||
+-				conn->desired_state == STARTUP_ONDEMAND ||
+-				conn->desired_state == STARTUP_START) {
++		for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) {
++			if (conn->desired_state == STARTUP_ONDEMAND)
++			{
+ 				if (verbose)
+ 					printf(" %s", conn->name);
+-				resolve_defaultroute(conn);
+-				if (conn->desired_state == STARTUP_ONDEMAND ||
+-				    conn->desired_state == STARTUP_START) {
++				if (conn->desired_state == STARTUP_ONDEMAND)
+ 					starter_whack_route_conn(cfg, conn);
+-				}
+ 			}
+ 		}
+ 
+ 		if (verbose)
+ 			printf("  Pass #3: Initiating auto=start connections\n");
+ 
+-		for (conn = cfg->conns.tqh_first;
+-			conn != NULL;
+-			conn = conn->link.tqe_next) {
++		for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) {
+ 			if (conn->desired_state == STARTUP_START) {
+ 				if (verbose)
+ 					printf(" %s", conn->name);
+diff --git a/programs/_updown.netkey/_updown.netkey.in b/programs/_updown.netkey/_updown.netkey.in
+index 64b2808..b343445 100644
+--- a/programs/_updown.netkey/_updown.netkey.in
++++ b/programs/_updown.netkey/_updown.netkey.in
+@@ -745,6 +745,7 @@ case "${PLUTO_VERB}" in
+     up-client)
+ 	# connection to my client subnet coming up
+ 	# If you are doing a custom version, firewall commands go here.
++	addvtiiface
+ 	updateresolvconf
+ 	addcat
+ 	addsource

libreswan-3.23-gcc8.patch

@@ -0,0 +1,82 @@
+diff -Naur libreswan-3.23-orig/programs/pluto/kernel_netlink.c libreswan-3.23/programs/pluto/kernel_netlink.c
+--- libreswan-3.23-orig/programs/pluto/kernel_netlink.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/kernel_netlink.c	2018-02-19 18:56:24.433527475 -0500
+@@ -51,8 +51,9 @@
+ #include <linux/if_addr.h>
+ #include <linux/if_link.h>
+ 
+-#include "libreswan.h" /* before xfrm.h otherwise break on F22 */
++//#include <netinet/in.h>
+ #include "linux/xfrm.h" /* local (if configured) or system copy */
++#include "libreswan.h" /* before xfrm.h otherwise break on F22 */
+ 
+ #include "libreswan/pfkeyv2.h"
+ #include "libreswan/pfkey.h"
+diff -Naur libreswan-3.23-orig/programs/pluto/linux_audit.c libreswan-3.23/programs/pluto/linux_audit.c
+--- libreswan-3.23-orig/programs/pluto/linux_audit.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/linux_audit.c	2018-02-19 18:58:51.356837932 -0500
+@@ -74,6 +74,15 @@
+ 
+ #include "pluto_stats.h"
+ 
++#if __GNUC__ >= 7
++	/*
++	 * GCC 7+ warns about the following calls that truncate a string using
++	 * snprintf().  We are truncating the log message for a reason.
++	 */
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wformat-truncation"
++#endif
++
+ static bool log_to_audit = FALSE;		/* audit log messages for kernel */
+ 
+ void linux_audit_init(void)
+@@ -159,13 +168,13 @@
+ 	char raddr[ADDRTOT_BUF];
+ 	char laddr[ADDRTOT_BUF];
+ 	char audit_str[AUDIT_LOG_SIZE];
+-	char cipher_str[AUDIT_LOG_SIZE];
+-	char spi_str[AUDIT_LOG_SIZE];
++	char cipher_str[20];
++	char spi_str[20];
+ 	struct connection *const c = st->st_connection;
+ 	bool initiator = FALSE;
+ 	char head[IDTOA_BUF];
+-	char integname[IDTOA_BUF];
+-	char prfname[IDTOA_BUF];
++	char integname[20];
++	char prfname[20];
+ 	struct esb_buf esb, esb2;
+ 	/* we need to free() this */
+ 	char *conn_encode = audit_encode_nv_string("conn-name",c->name,0);
+@@ -300,3 +309,6 @@
+ 			AUDIT_CRYPTO_IPSEC_SA : AUDIT_CRYPTO_IKE_SA,
+ 		audit_str, raddr, AUDIT_RESULT_OK);
+ }
++#if __GNUC__ >= 7
++#pragma GCC diagnostic pop
++#endif
+diff -Naur libreswan-3.23-orig/programs/pluto/log.h libreswan-3.23/programs/pluto/log.h
+--- libreswan-3.23-orig/programs/pluto/log.h	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/log.h	2018-02-19 18:56:24.433527475 -0500
+@@ -154,7 +154,7 @@
+ 
+ #ifdef USE_LINUX_AUDIT
+ #include <libaudit.h>	/* from audit-libs devel */
+-#define AUDIT_LOG_SIZE 256
++#define AUDIT_LOG_SIZE 512
+ /* should really be in libaudit.h */
+ #define AUDIT_RESULT_FAIL 0
+ #define AUDIT_RESULT_OK 1
+diff -Naur libreswan-3.23-orig/programs/pluto/pluto_constants.c libreswan-3.23/programs/pluto/pluto_constants.c
+--- libreswan-3.23-orig/programs/pluto/pluto_constants.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/pluto_constants.c	2018-02-19 18:56:24.434527471 -0500
+@@ -478,7 +478,7 @@
+ 				     policy &
+ 				     ~(POLICY_SHUNT_MASK | POLICY_FAIL_MASK),
+ 				     pbitnamesbuf, sizeof(pbitnamesbuf));
+-	static char buf[200]; /* NOT RE-ENTRANT!  I hope that it is big enough! */
++	static char buf[512]; /* NOT RE-ENTRANT!  I hope that it is big enough! */
+ 	lset_t shunt = (policy & POLICY_SHUNT_MASK) >> POLICY_SHUNT_SHIFT;
+ 	lset_t fail = (policy & POLICY_FAIL_MASK) >> POLICY_FAIL_SHIFT;
+ 

libreswan-3.23-ppk-update.patch

@@ -0,0 +1,116 @@
+diff --git a/include/ietf_constants.h b/include/ietf_constants.h
+index 38fa4de..08c8d9e 100644
+--- a/include/ietf_constants.h
++++ b/include/ietf_constants.h
+@@ -1486,12 +1486,14 @@ typedef enum {
+ 	v2N_SENDER_REQUEST_ID = 16429, /* draft-yeung-g-ikev2 */
+ 	v2N_IKEV2_FRAGMENTATION_SUPPORTED = 16430, /* RFC-7383 */
+ 	v2N_SIGNATURE_HASH_ALGORITHMS = 16431, /* RFC-7427 */
+-
+-	v2N_USE_PPK = 40960,            /* draft-ietf-ipsecme-qr-ikev2-01 */
+-	v2N_PPK_IDENTITY = 40961,       /* draft-ietf-ipsecme-qr-ikev2-01 */
+-	v2N_NO_PPK_AUTH = 40962,        /* draft-ietf-ipsecme-qr-ikev2-01 */
+-
+-	/* 16432 - 40969 Unassigned */
++	v2N_CLONE_IKE_SA_SUPPORTED = 16432, /* RFC-7791 */
++	v2N_CLONE_IKE_SA = 16433, /* RFC-7791 */
++	v2N_PUZZLE = 16434, /* RFC-8019 */
++	v2N_USE_PPK = 16435, /* draft-ietf-ipsecme-qr-ikev2 */
++	v2N_PPK_IDENTITY = 16436, /* draft-ietf-ipsecme-qr-ikev2 */
++	v2N_NO_PPK_AUTH = 16437, /* draft-ietf-ipsecme-qr-ikev2 */
++
++	/* 16438 - 40969 Unassigned */
+ 	/* 40960 - 65535 Private Use */
+ } v2_notification_t;
+ 
+diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c
+index ab6db3e..a0dab63 100644
+--- a/lib/libswan/constants.c
++++ b/lib/libswan/constants.c
+@@ -1634,20 +1634,6 @@ static enum_names ikev2_ppk_id_type_names = {
+ };
+ */
+ 
+-static const char *const ikev2_notify_name_private[] = {
+-	"v2N_USE_PPK",
+-	"v2N_PPK_IDENTITY",
+-	"v2N_NO_PPK_AUTH",
+-};
+-
+-static enum_names ikev2_notify_names_private = {
+-	v2N_USE_PPK,
+-	v2N_NO_PPK_AUTH,
+-	ARRAY_REF(ikev2_notify_name_private),
+-	"v2N_", /* prefix */
+-	NULL
+-};
+-
+ /* http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xml#ikev2-parameters-13 */
+ static const char *const ikev2_notify_name_16384[] = {
+ 	"v2N_INITIAL_CONTACT",    /* 16384 */
+@@ -1698,14 +1684,20 @@ static const char *const ikev2_notify_name_16384[] = {
+ 	"v2N_SENDER_REQUEST_ID",
+ 	"v2N_IKEV2_FRAGMENTATION_SUPPORTED",    /* 16430 */
+ 	"v2N_SIGNATURE_HASH_ALGORITHMS",
++	"v2N_CLONE_IKE_SA_SUPPORTED",
++	"v2N_CLONE_IKE_SA",
++	"v2N_PUZZLE",
++	"v2N_USE_PPK", /* 16435 */
++	"v2N_PPK_IDENTITY",
++	"v2N_NO_PPK_AUTH",
+ };
+ 
+ static enum_names ikev2_notify_names_16384 = {
+ 	v2N_INITIAL_CONTACT,
+-	v2N_SIGNATURE_HASH_ALGORITHMS,
++	v2N_NO_PPK_AUTH,
+ 	ARRAY_REF(ikev2_notify_name_16384),
+ 	"v2N_", /* prefix */
+-	&ikev2_notify_names_private
++	NULL
+ };
+ 
+ static const char *const ikev2_notify_name[] = {
+diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c
+index 258ba85..b86eea8 100644
+--- a/programs/pluto/ikev2_parent.c
++++ b/programs/pluto/ikev2_parent.c
+@@ -3749,18 +3749,14 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md)
+ 				break;
+ 			}
+ 
+-			if (LIN(POLICY_PPK_ALLOW, policy)) {
+-				no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH");
++			no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH");
+ 
+-				if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) {
+-					loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len);
+-					return STF_FATAL;
+-				}
+-				DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth));
+-				st->st_no_ppk_auth = no_ppk_auth;
+-			} else {
+-				libreswan_log("ignored received NO_PPK_AUTH - connection does not allow PPK");
++			if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) {
++				loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len);
++				return STF_FATAL;
+ 			}
++			DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth));
++			st->st_no_ppk_auth = no_ppk_auth;
+ 			break;
+ 		}
+ 		case v2N_MOBIKE_SUPPORTED:
+@@ -3774,8 +3770,11 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md)
+ 		}
+ 	}
+ 
+-	/* if we found proper PPK ID, we should use that without fallback to no ppk */
+-	if (found_ppk)
++	/*
++	 * If we found proper PPK ID and policy allows PPK, use that.
++	 * Otherwise use NO_PPK_AUTH
++	 */
++	if (found_ppk && LIN(POLICY_PPK_ALLOW, policy))
+ 		freeanychunk(st->st_no_ppk_auth);
+ 
+ 	if (!found_ppk && LIN(POLICY_PPK_INSIST, policy)) {

libreswan-3.23-seccomp.patch

@@ -0,0 +1,24 @@
+diff -Naur libreswan-3.23-orig/programs/addconn/addconn.c libreswan-3.23/programs/addconn/addconn.c
+--- libreswan-3.23-orig/programs/addconn/addconn.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/addconn/addconn.c	2018-02-05 14:13:25.758711788 -0500
+@@ -140,7 +140,9 @@
+ 	rc |= S_RULE_ADD(set_robust_list);
+ 	rc |= S_RULE_ADD(set_tid_address);
+ 	rc |= S_RULE_ADD(socket);
++	rc |= S_RULE_ADD(socketcall);
+ 	rc |= S_RULE_ADD(socketpair);
++	rc |= S_RULE_ADD(stat);
+ 	rc |= S_RULE_ADD(statfs);
+ 	rc |= S_RULE_ADD(uname);
+ 	rc |= S_RULE_ADD(write);
+diff -Naur libreswan-3.23-orig/programs/pluto/pluto_seccomp.c libreswan-3.23/programs/pluto/pluto_seccomp.c
+--- libreswan-3.23-orig/programs/pluto/pluto_seccomp.c	2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/pluto_seccomp.c	2018-02-05 14:13:38.390239502 -0500
+@@ -109,6 +109,7 @@
+ 		rc |= S_RULE_ADD(set_robust_list);
+ 		rc |= S_RULE_ADD(setsockopt);
+ 		rc |= S_RULE_ADD(socket);
++		rc |= S_RULE_ADD(socketcall);
+ 		rc |= S_RULE_ADD(socketpair);
+ 		rc |= S_RULE_ADD(sysinfo);
+ 		rc |= S_RULE_ADD(uname);

libreswan-3.25-relax-delete.patch

@@ -0,0 +1,62 @@
+diff --git a/programs/pluto/state.c b/programs/pluto/state.c
+index 7b33145..a3bcc3c 100644
+--- a/programs/pluto/state.c
++++ b/programs/pluto/state.c
+@@ -3155,27 +3155,40 @@ void ISAKMP_SA_established(const struct state *pst)
+ 			d = next;
+ 		}
+ 
+-		if (c->newest_isakmp_sa != SOS_NOBODY &&
+-			c->newest_isakmp_sa != pst->st_serialno) {
+-				struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa);
++		/*
++		 * This only affects IKEv2, since we don't store any
++		 * received INITIAL_CONTACT for IKEv1.
++		 * We don't do this on IKEv1, because it seems to
++		 * confuse various third parties (Windows, Cisco VPN 300,
++		 * and juniper
++		 * likely because this would be called before the IPsec SA
++		 * of QuickMode is installed, so the remote endpoints view
++		 * this IKE SA still as the active one?
++		 */
++		if (pst->st_seen_initialc) {
+ 
+-				DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s",
+-					old_p1->st_connection->name));
+-				old_p1->st_suppress_del_notify = TRUE;
+-				event_force(EVENT_SA_EXPIRE, old_p1);
+-		}
++			if (c->newest_isakmp_sa != SOS_NOBODY &&
++				c->newest_isakmp_sa != pst->st_serialno) {
++					struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa);
+ 
+-		if (pst->st_seen_initialc && (c->newest_ipsec_sa != SOS_NOBODY))
+-		{
+-			struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa);
+-			struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection;
++					DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s",
++						old_p1->st_connection->name));
++					old_p1->st_suppress_del_notify = TRUE;
++					event_force(EVENT_SA_EXPIRE, old_p1);
++			}
+ 
+-			if (c == d && same_id(&c->spd.that.id, &d->spd.that.id))
++			if (c->newest_ipsec_sa != SOS_NOBODY)
+ 			{
+-				DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'",
+-					c->newest_ipsec_sa, c->name));
+-				old_p2->st_suppress_del_notify = TRUE;
+-				event_force(EVENT_SA_EXPIRE, old_p2);
++				struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa);
++				struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection;
++
++				if (c == d && same_id(&c->spd.that.id, &d->spd.that.id))
++				{
++					DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'",
++						c->newest_ipsec_sa, c->name));
++					old_p2->st_suppress_del_notify = TRUE;
++					event_force(EVENT_SA_EXPIRE, old_p2);
++				}
+ 			}
+ 		}
+ 

libreswan-3.25-unbound-hook.patch

@@ -0,0 +1,35 @@
+commit 9dce290a0d2df5c278ed9442b10954d65cc238e4
+Author: Paul Wouters <pwouters@redhat.com>
+Date:   Sun Jul 8 22:29:52 2018 -0400
+
+    _unbound-hook: Fixup adding IPv4 pubkey into pluto. Expect unbound to quote argument as 1
+
+diff --git a/programs/_unbound-hook/_unbound-hook.in b/programs/_unbound-hook/_unbound-hook.in
+index 0d266d5..38279de 100755
+--- a/programs/_unbound-hook/_unbound-hook.in
++++ b/programs/_unbound-hook/_unbound-hook.in
+@@ -29,14 +29,17 @@ try:
+ except:
+     sys.exit("Bad arguments to ipsec _unbound")
+ 
+-while (argv != []):
++# unbound now quotes the entire RRDATAs, so it counts as 1 argument in the list
++data = argv.pop(0).split(" ")
++
++while (data != []):
+     try:
+-        gwprec = argv.pop(0)
+-        gwtype = argv.pop(0)
+-        gwalg = argv.pop(0)
+-        gwid = argv.pop(0)
+-        pubkey = argv.pop(0)
+-        addkeyip = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
++        gwprec = data.pop(0)
++        gwtype = data.pop(0)
++        gwalg = data.pop(0)
++        gwid = data.pop(0)
++        pubkey = data.pop(0)
++        addkeyip = "ipsec whack --keyid %s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
+         addkeyhostname = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(qname, pubkey)
+         print("processing an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip))
+         print(subprocess.call(addkeyip, shell=True))

libreswan-3.26-asn1-zu.patch

@@ -0,0 +1,21 @@
+diff -Naur libreswan-3.26-orig/lib/libswan/asn1.c libreswan-3.26/lib/libswan/asn1.c
+--- libreswan-3.26-orig/lib/libswan/asn1.c	2018-09-16 22:45:52.000000000 -0400
++++ libreswan-3.26/lib/libswan/asn1.c	2018-09-17 00:28:06.726985327 -0400
+@@ -164,7 +164,7 @@
+ 		sig_val->len = len_r;
+ 		/* XXX: need to check len_r and len_s fits in this */
+ 	        sig_val->ptr = alloc_bytes(len_r * 2, "ec points");
+-		DBG(DBG_PARSING, DBG_log(" sig_val  len is %ld",sig_val->len));
++		DBG(DBG_PARSING, DBG_log(" sig_val  len is %zu",sig_val->len));
+ 		/* copy the values of r into signature */
+ 		memcpy(sig_val->ptr,blob->ptr,len_r);
+ 
+@@ -184,7 +184,7 @@
+ 			}
+ 			DBG(DBG_PARSING, DBG_log("  len_s is %d",len_s));
+ 			sig_val->len += len_s;
+-			DBG(DBG_PARSING, DBG_log(" sig_val total len is %ld",sig_val->len));
++			DBG(DBG_PARSING, DBG_log(" sig_val total len is %zu",sig_val->len));
+ 			/* copy the values of r into signature */
+ 			memcpy(sig_val->ptr+len_r,blob->ptr,len_s);
+ 		}

libreswan-3.29-updown-syntax.patch

@@ -0,0 +1,13 @@
+diff --git a/programs/_updown.netkey/_updown.netkey.in b/programs/_updown.netkey/_updown.netkey.in
+index 9c76998233..21000b1ea4 100644
+--- a/programs/_updown.netkey/_updown.netkey.in
++++ b/programs/_updown.netkey/_updown.netkey.in
+@@ -446,7 +446,7 @@ delsource() {
+         return ${st}
+     fi
+     # Remove source ip if it's not used any more.
+-    if [ -z $(ip -o route list src ${PLUTO_MY_SOURCEIP}) ]; then
++    if [ -z "$(ip -o route list src ${PLUTO_MY_SOURCEIP})" ]; then
+ 	if [ -n "${VTI_IFACE}" -a "${VTI_ROUTING}" = yes ]; then
+ 	    interface="${VTI_IFACE}"
+ 	fi

libreswan-3.30-s390x.patch

@@ -0,0 +1,21 @@
+commit 8b067b47b1e2306c83bed49ecada1bddfb1c1a38
+Author: Paul Wouters <pwouters@redhat.com>
+Date:   Fri Feb 14 15:22:21 2020 -0500
+
+    pluto: fixup: 'incl' may be used uninitialized in init_virtual_ip()
+    
+    For some reason, only the s390x compiler complains.
+
+diff --git a/programs/pluto/virtual.c b/programs/pluto/virtual.c
+index ce94d5a5ee..74d77a3ab0 100644
+--- a/programs/pluto/virtual.c
++++ b/programs/pluto/virtual.c
+@@ -172,7 +172,7 @@ void init_virtual_ip(const char *private_list)
+ 			if (next == NULL)
+ 				next = str + strlen(str);
+ 
+-			bool incl;
++			bool incl = FALSE;
+ 			if (read_subnet(str, next - str,
+ 					 &(private_net_incl[i_incl]),
+ 					 &(private_net_excl[i_excl]),

libreswan-3.32-nss-api.patch

@@ -0,0 +1,16 @@
+diff -Naur libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c
+--- libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c	2020-05-11 10:13:41.000000000 -0400
++++ libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c	2020-05-26 10:23:26.563318038 -0400
+@@ -16,6 +16,12 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ 
++/*
++ * Special advise from Bob Relyea - needs to go before any nss include
++ *
++ */
++#define NSS_PKCS11_2_0_COMPAT 1
++
+ #include "lswlog.h"
+ #include "lswnss.h"
+ #include "prmem.h"

libreswan-3.32-uninitialized.patch

@@ -0,0 +1,13 @@
+diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c
+index 702c9a8..3772508 100644
+--- a/programs/pluto/ikev2_parent.c
++++ b/programs/pluto/ikev2_parent.c
+@@ -2150,7 +2150,7 @@ static stf_status ikev2_parent_inR1outI2_tail(struct state *pst, struct msg_dige
+ 					      struct pluto_crypto_req *r)
+ {
+ 	struct connection *const pc = pst->st_connection;	/* parent connection */
+-	struct ppk_id_payload ppk_id_p;
++	struct ppk_id_payload ppk_id_p = { };
+ 	struct ike_sa *ike = pexpect_ike_sa(pst);
+ 
+ 	if (!finish_dh_v2(pst, r, FALSE)) {

libreswan.spec

@@ -0,0 +1,435 @@
+%global _hardened_build 1
+# These are rpm macros and are 0 or 1
+%global with_efence 0
+%global with_development 0
+%global with_cavstests 1
+# minimum version for support for rhbz#1651314
+%global nss_version 3.44.0-8
+%global unbound_version 1.6.6
+# Libreswan config options. With these settings, libreswan
+# does not require its own FIPS validation. Only the system
+# and NSS needs to be FIPS validated.
+%global libreswan_config \\\
+    SHELL_BINARY=/usr/bin/sh \\\
+    FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
+    FINALMANDIR=%{_mandir} \\\
+    PREFIX=%{_prefix} \\\
+    INITSYSTEM=systemd \\\
+    NSS_REQ_AVA_COPY=false \\\
+    NSS_HAS_IPSEC_PROFILE=true \\\
+    PYTHON_BINARY=%{__python3} \\\
+    USE_DNSSEC=true \\\
+    USE_FIPSCHECK=false \\\
+    USE_LABELED_IPSEC=true \\\
+    USE_LDAP=true \\\
+    USE_LIBCAP_NG=true \\\
+    USE_LIBCURL=true \\\
+    USE_LINUX_AUDIT=true \\\
+    USE_NM=true \\\
+    USE_SECCOMP=true \\\
+    USE_XAUTHPAM=true \\\
+    USE_NSS_KDF=true \\\
+%{nil}
+
+%global prever rc1
+
+Name: libreswan
+Summary: IKE implementation for IPsec with IKEv1 and IKEv2 support
+# version is generated in the release script
+Version: 4.0
+Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
+License: GPLv2
+Url: https://libreswan.org/
+Source0: https://download.libreswan.org/%{?prever:with_development/}%{name}-%{version}%{?prever}.tar.gz
+%if 0%{with_cavstests}
+Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
+Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
+Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
+%endif
+BuildRequires: audit-libs-devel
+BuildRequires: bison
+BuildRequires: curl-devel
+BuildRequires: flex
+BuildRequires: gcc make
+BuildRequires: ldns-devel
+BuildRequires: libcap-ng-devel
+BuildRequires: libevent-devel
+BuildRequires: libseccomp-devel
+BuildRequires: libselinux-devel
+BuildRequires: nspr-devel
+BuildRequires: nss-devel >= %{nss_version}
+BuildRequires: nss-tools
+BuildRequires: openldap-devel
+BuildRequires: pam-devel
+BuildRequires: pkgconfig
+BuildRequires: hostname
+BuildRequires: redhat-rpm-config
+BuildRequires: systemd-devel
+BuildRequires: unbound-devel >= %{unbound_version}
+BuildRequires: xmlto
+%if 0%{with_efence}
+BuildRequires: ElectricFence
+%endif
+Requires: iproute >= 2.6.8
+Requires: nss >= %{nss_version}
+Requires: nss-softokn
+Requires: nss-tools
+Requires: unbound-libs >= %{unbound_version}
+Requires(post): bash
+Requires(post): coreutils
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+
+%description
+Libreswan is an implementation of IKEv1 and IKEv2 for IPsec. IPsec is
+the Internet Protocol Security and uses strong cryptography to provide
+both authentication and encryption services.  These services allow you
+to build secure tunnels through untrusted networks.  Everything passing
+through the untrusted net is encrypted by the ipsec gateway machine and
+decrypted by the gateway at the other end of the tunnel.  The resulting
+tunnel is a virtual private network or VPN.
+
+This package contains the daemons and userland tools for setting up
+Libreswan.
+
+Libreswan also supports IKEv2 (RFC7296) and Secure Labeling
+
+Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
+
+%prep
+%setup -q -n libreswan-%{version}%{?prever}
+
+# replace unsupported KLIPS README
+echo "KLIPS is not supported with RHEL8" > README.KLIPS
+
+# linking to freebl is not needed
+sed -i "s/-lfreebl //" mk/config.mk
+
+# enable crypto-policies support
+sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in
+
+
+%build
+# link flags disable hardening because it fails on arm with what looks like gcc bugs in -Werror=lto-type-mismatch
+make %{?_smp_mflags} \
+%if 0%{with_development}
+    OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \
+%else
+    OPTIMIZE_CFLAGS="%{optflags}" \
+%endif
+%if 0%{with_efence}
+    USE_EFENCE=true \
+%endif
+    WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch -Wno-maybe-uninitialized" \
+    USERLINK="-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -flto --no-lto" \
+    %{libreswan_config} \
+    programs
+FS=$(pwd)
+
+%install
+make \
+  DESTDIR=%{buildroot} \
+  %{libreswan_config} \
+  install
+FS=$(pwd)
+rm -rf %{buildroot}/usr/share/doc/libreswan
+rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
+
+install -d -m 0755 %{buildroot}%{_rundir}/pluto
+install -d %{buildroot}%{_sbindir}
+
+install -d %{buildroot}%{_sysconfdir}/sysctl.d
+install -m 0644 packaging/fedora/libreswan-sysctl.conf \
+  %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
+
+echo "include %{_sysconfdir}/ipsec.d/*.secrets" \
+     > %{buildroot}%{_sysconfdir}/ipsec.secrets
+rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
+
+%if 0%{with_cavstests}
+%check
+# There is an elaborate upstream testing infrastructure which we do not
+# run here - it takes hours and uses kvm
+# We only run the CAVS tests.
+cp %{SOURCE1} %{SOURCE2} %{SOURCE3} .
+bunzip2 *.fax.bz2
+
+: starting CAVS test for IKEv2
+%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \
+    diff -u ikev2.fax - > /dev/null
+: starting CAVS test for IKEv1 RSASIG
+%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \
+    diff -u ikev1_dsa.fax - > /dev/null
+: starting CAVS test for IKEv1 PSK
+%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
+    diff -u ikev1_psk.fax - > /dev/null
+: CAVS tests passed
+
+%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; }
+%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; }
+
+# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode
+tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
+certutil -N -d sql:$tmpdir --empty-password
+%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir
+: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST
+
+%endif
+
+%post
+%systemd_post ipsec.service
+
+%preun
+%systemd_preun ipsec.service
+
+%postun
+%systemd_postun_with_restart ipsec.service
+
+%files
+%doc CHANGES COPYING CREDITS README* LICENSE
+%doc docs/*.* docs/examples
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
+%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
+%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
+%attr(0755,root,root) %dir %{_rundir}/pluto
+%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
+%attr(0644,root,root) %{_unitdir}/ipsec.service
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
+%{_sbindir}/ipsec
+%{_libexecdir}/ipsec
+%attr(0644,root,root) %doc %{_mandir}/*/*
+
+%changelog
+* Wed Sep 30 14:05:58 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.0-0.2.rc1
+- Rebuild for libevent 2.1.12 with a soname bump
+
+* Sun Sep 27 22:49:40 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.0-0.1.rc1
+- Updated to 4.0rc1
+
+* Thu Aug 27 2020 Paul Wouters <pwouters@redhat.com> - 3.32-4
+- Resolves: rhbz#1864043 libreswan: FTBFS in Fedora rawhide/f33
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.32-3.2
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.32-3.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jun 30 2020 Jeff Law <law@redhat.com> - 3.32-3
+- Initialize ppk_id_p in ikev2_parent_inR1outI2_tail to avoid uninitialized
+  object
+
+* Tue May 26 2020 Paul Wouters <pwouters@redhat.com> - 3.32-2
+- Backport NSS guarding fix for unannounced changed api in NSS causing segfault
+
+* Mon May 11 2020 Paul Wouters <pwouters@redhat.com> - 3.32-1
+- Resolves: rhbz#1809770 libreswan-3.32 is available
+
+* Tue Apr 14 2020 Paul Wouters <pwouters@redhat.com> - 3.31-2
+- Resolves: rhbz#1823823 Please drop the dependency on fipscheck
+
+* Tue Mar 03 2020 Paul Wouters <pwouters@redhat.com> - 3.31-1
+- Resolves: rhbz#1809770 libreswan-3.31 is available (fixes rekey regression)
+
+* Fri Feb 14 2020 Paul Wouters <pwouters@redhat.com> - 3.30-1
+- Resolves: rhbz#1802896 libreswan-3.30 is available
+- Resolves: rhbz#1799598 libreswan: FTBFS in Fedora rawhide/f32
+- Resolves: rhbz#1760571 [abrt] libreswan: configsetupcheck(): verify:366:configsetupcheck:TypeError:
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.29-2.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jan 09 2020 Paul Wouters <pwouters@redhat.com> - 3.29-2
+- _updown.netkey: fix syntax error in checking routes
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.29-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon Jun 10 2019 Paul Wouters <pwouters@redhat.com> - 3.29-1
+- Resolves: rhbz#1718986 Updated to 3.29 for CVE-2019-10155
+
+* Tue May 21 2019 Paul Wouters <pwouters@redhat.com> - 3.28-1
+- Updated to 3.28 (many imported bugfixes, including CVE-2019-12312)
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.27-1.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 3.27-1.1
+- Rebuilt for libcrypt.so.2 (#1666033)
+
+* Mon Oct 08 2018 Paul Wouters <pwouters@redhat.com> - 3.27-1
+- Updated to 3.27 (various bugfixes)
+
+* Thu Sep 27 2018 Paul Wouters <pwouters@redhat.com> - 3.26-3
+- Add fedora python fixup for _unbound-hook
+
+* Mon Sep 17 2018 Paul Wouters <pwouters@redhat.com> - 3.26-2
+- linking against freebl is no longer needed (and wasn't done in 3.25)
+
+* Mon Sep 17 2018 Paul Wouters <pwouters@redhat.com> - 3.26-1
+- Updated to 3.26 (CHACHA20POLY1305, ECDSA and RSA-PSS support)
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.25-3.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Jul 09 2018 Paul Wouters <pwouters@redhat.com> - 3.25-3
+- Fix Opportunistic IPsec _unbound-hook argument parsing
+- Make rundir readable for all (so we can hand out permissions later)
+
+* Mon Jul 02 2018 Paul Wouters <pwouters@redhat.com> - 3.25-2
+- Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors
+
+* Wed Jun 27 2018 Paul Wouters <pwouters@redhat.com> - 3.25-1
+- Updated to 3.25
+
+* Mon Feb 19 2018 Paul Wouters <pwouters@redhat.com> - 3.23-2
+- Support crypto-policies package
+- Pull in some patches from upstream and IANA registry updates
+- gcc7 format-truncate fixes and workarounds
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.23-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Jan 25 2018 Paul Wouters <pwouters@redhat.com> - 3.23-1
+- Updated to 3.23 - support for MOBIKE, PPK, CMAC, nic offload and performance improvements
+
+* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 3.22-1.1
+- Rebuilt for switch to libxcrypt
+
+* Mon Oct 23 2017 Paul Wouters <pwouters@redhat.com> - 3.22-1
+- Updated to 3.22 - many bugfixes, and unbound ipsecmod support
+
+* Wed Aug  9 2017 Paul Wouters <pwouters@redhat.com> - 3.21-1
+- Updated to 3.21
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.20-1.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.20-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Tue Mar 14 2017 Paul Wouters <pwouters@redhat.com> - 3.20-1
+- Updated to 3.20
+
+* Fri Mar 03 2017 Paul Wouters <pwouters@redhat.com> - 3.20-0.1.dr4
+- Update to 3.20dr4 to test mozbz#1336487 export CERT_CompareAVA
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.19-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Feb 03 2017 Paul Wouters <pwouters@redhat.com> - 3.19-2
+- Resolves: rhbz#1392191 libreswan: crash when OSX client connects
+- Improved uniqueid and session replacing support
+- Test Buffer warning fix on size_t
+- Re-introduce --configdir for backwards compatibility
+
+* Sun Jan 15 2017 Paul Wouters <pwouters@redhat.com> - 3.19-1
+- Updated to 3.19 (see download.libreswan.org/CHANGES)
+
+* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 3.18-1.1
+- Rebuild for Python 3.6
+
+* Fri Jul 29 2016 Paul Wouters <pwouters@redhat.com> - 3.18-1
+- Updated to 3.18 for CVE-2016-5391 rhbz#1361164 and VTI support
+- Remove support for /etc/sysconfig/pluto (use native systemd instead)
+
+* Thu May 05 2016 Paul Wouters <pwouters@redhat.com> - 3.17-2
+- Resolves: rhbz#1324956 prelink is gone, /etc/prelink.conf.d/* is no longer used
+
+* Thu Apr 07 2016 Paul Wouters <pwouters@redhat.com> - 3.17-1
+- Updated to 3.17 for CVE-2016-3071
+- Disable LIBCAP_NG as it prevents unbound-control from working properly
+- Temporarilly disable WERROR due to a few minor known issues
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3.16-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Fri Dec 18 2015 Paul Wouters <pwouters@redhat.com> - 3.16-1
+- Updated to 3.16 (see https://download.libreswan.org/CHANGES)
+
+* Tue Aug 11 2015 Paul Wouters <pwouters@redhat.com> - 3.15-1
+- Updated to 3.15 (see http://download.libreswan.org/CHANGES)
+- Resolves: rhbz#CVE-2015-3240 IKE daemon restart when receiving a bad DH gx
+- NSS database creation moved from spec file to service file
+- Run CAVS tests on package build
+- Added BuildRequire systemd-units and xmlto
+- Bumped minimum required nss to 3.16.1
+- Install tmpfiles
+- Install sysctl file
+- Update doc files to include
+
+* Mon Jul 13 2015 Paul Wouters <pwouters@redhat.com> - 3.13-2
+- Resolves: rhbz#1238967 Switch libreswan to use python3
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.13-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon Jun 01 2015 Paul Wouters <pwouters@redhat.com> - 3.13-1
+- Updated to 3.13 for CVE-2015-3204
+
+* Fri Nov 07 2014 Paul Wouters <pwouters@redhat.com> - 3.12-1
+- Updated to 3.12 Various IKEv2 fixes
+
+* Wed Oct 22 2014 Paul Wouters <pwouters@redhat.com> - 3.11-1
+- Updated to 3.11 (many fixes, including startup fixes)
+- Resolves: rhbz#1144941 libreswan 3.10 upgrade breaks old ipsec.secrets configs
+- Resolves: rhbz#1147072 ikev1 aggr mode connection fails after libreswan upgrade
+- Resolves: rhbz#1144831 Libreswan appears to start with systemd before all the NICs are up and running
+
+* Tue Sep 09 2014 Paul Wouters <pwouters@redhat.com> - 3.10-3
+- Fix some coverity issues, auto=route on bootup and snprintf on 32bit machines
+
+* Mon Sep 01 2014 Paul Wouters <pwouters@redhat.com> - 3.10-1
+- Updated to 3.10, major bugfix release, new xauth status options
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.9-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Thu Jul 10 2014 Paul Wouters <pwouters@redhat.com> - 3.9-1
+- Updated to 3.9. IKEv2 enhancements, ESP/IKE algo enhancements
+- Mark libreswan-fips.conf as config file
+- attr modifier for man pages no longer needed
+- BUGS file no longer exists upstream
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.8-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sat Jan 18 2014 Paul Wouters <pwouters@redhat.com> - 3.8-1
+- Updated to 3.8, fixes rhbz#CVE-2013-6467 (rhbz#1054102)
+
+* Wed Dec 11 2013 Paul Wouters <pwouters@redhat.com> - 3.7-1
+- Updated to 3.7, fixes CVE-2013-4564
+- Fixes creating a bogus NSS db on startup (rhbz#1005410)
+
+* Thu Oct 31 2013 Paul Wouters <pwouters@redhat.com> - 3.6-1
+- Updated to 3.6 (IKEv2, MODECFG, Cisco interop fixes)
+- Generate empty NSS db if none exists
+
+* Mon Aug 19 2013 Paul Wouters <pwouters@redhat.com> - 3.5-3
+- Add a Provides: for openswan-doc
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.5-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Mon Jul 15 2013 Paul Wouters <pwouters@redhat.com> - 3.5-2
+- Added interop patch for (some?) Cisco VPN clients sending 16 zero
+  bytes of extraneous IKE data
+- Removed fipscheck_version
+
+* Sat Jul 13 2013 Paul Wouters <pwouters@redhat.com> - 3.5-1
+- Updated to 3.5
+
+* Thu Jun 06 2013 Paul Wouters <pwouters@redhat.com> - 3.4-1
+- Updated to 3.4, which only contains style changes to kernel coding style
+- IN MEMORIAM: June 3rd, 2013 Hugh Daniel
+
+* Mon May 13 2013 Paul Wouters <pwouters@redhat.com> - 3.3-1
+- Updated to 3.3, which resolves CVE-2013-2052
+
+* Sat Apr 13 2013 Paul Wouters <pwouters@redhat.com> - 3.2-1
+- Initial package for Fedora

sources

@@ -0,0 +1,4 @@
+SHA512 (ikev1_dsa.fax.bz2) = 627cbac14248bd68e8d22fbca247668a7749ef0c2e41df8d776d62df9a21403d3a246c0bd82c3faedce62de90b9f91a87f753e17b056319000bba7d2038461ac
+SHA512 (ikev1_psk.fax.bz2) = 1b2daec32edc56b410c036db2688c92548a9bd9914994bc7e555b301dd6db4497a6b3e89dc12ddf36826ae90b40fcde501a5a45c0d59098e07839073d219d467
+SHA512 (ikev2.fax.bz2) = 0d3748d1bd574f6f1f3e4db847eca126ce649566ea710ef227426f433122752b80d1d6b8acf9d0df07b5597c1e45447e3a2fcb3391756e834e8e75f99df8e51e
+SHA512 (libreswan-4.0rc1.tar.gz) = 3ae36e477c6891f94b5d82b1a0ecb05a8413eab96125e6ae92289164b797538cf53cf6825dd1d4699bfdd4c49f68cc65097024f5b1ea9464226dae75abc5c669

tests/tests.yml

@@ -0,0 +1,14 @@
+# Tests for libreswan using NM's tests
+- hosts: localhost
+  roles:
+  - role: standard-test-basic
+    tags:
+    - classic
+    repositories:
+    - repo: "https://gitlab.freedesktop.org/NetworkManager/NetworkManager-ci"
+      dest: "NetworkManager-ci"
+    tests:
+    - sanity-tests:
+        dir: NetworkManager-ci
+        run: run/osci/run-tests libreswan
+