From 6ce6d0ad528dc3fda442f4db59a141232dabe77e Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Wed, 27 Jun 2018 14:09:50 -0400 Subject: [PATCH] * Wed Jun 27 2018 Paul Wouters - 3.25-1 - Updated to 3.25
---
 .gitignore | 2 +
 libreswan.spec | 201 +++++++++++++++++--------------------------------
 sources | 2 +-
 3 files changed, 70 insertions(+), 135 deletions(-)
diff --git a/.gitignore b/.gitignore
index 02d3fc1..94447b8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,5 @@
 /libreswan-3.21.tar.gz
 /libreswan-3.22.tar.gz
 /libreswan-3.23.tar.gz
+/libreswan-3.24.tar.gz
+/libreswan-3.25.tar.gz
diff --git a/libreswan.spec b/libreswan.spec
index af3f4bf..8acc140 100644
--- a/libreswan.spec
+++ b/libreswan.spec
@@ -1,48 +1,45 @@ - -# These are rpm macros and are 0 or 1 -%global crl_fetching 1 %global _hardened_build 1 -%global buildefence 0 -%global development 0 -%global cavstests 1 - -# These are libreswan/make macros and are false or true -%global USE_FIPSCHECK true -%global USE_LIBCAP_NG true -%global USE_LABELED_IPSEC true -%global USE_DNSSEC true -%global USE_NM true -%global USE_LINUX_AUDIT true -# not production ready yet -%global USE_SECCOMP false +# These are rpm macros and are 0 or 1 +%global with_efence 0 +%global with_development 0 +%global with_cavstests 1 +# Libreswan config options +%global libreswan_config \\\ + FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\ + FINALMANDIR=%{_mandir} \\\ + FIPSPRODUCTCHECK=%{_sysconfdir}/system-fips \\\ + INC_RCDEFAULT=%{_initrddir} \\\ + INC_USRLOCAL=%{_prefix} \\\ + INITSYSTEM=systemd \\\ + NSS_REQ_AVA_COPY=false \\\ + USE_DNSSEC=true \\\ + USE_FIPSCHECK=true \\\ + USE_LABELED_IPSEC=true \\\ + USE_LDAP=true \\\ + USE_LIBCAP_NG=true \\\ + USE_LIBCURL=true \\\ + USE_LINUX_AUDIT=true \\\ + USE_NM=true \\\ + USE_SECCOMP=true \\\ + USE_XAUTHPAM=true \\\ +%{nil} #global prever rc1 Name: libreswan Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols # version is generated in the release script -Version: 3.23 -Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist} +Version: 3.25 +Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist} License: GPLv2 Url: https://libreswan.org/ Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz -%if %{cavstests} +%if 0%{with_cavstests} Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2 Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2 - -Patch1: libreswan-3.23-seccomp.patch -Patch2: libreswan-3.23-fixups.patch -Patch3: libreswan-3.23-ppk-update.patch -Patch4: libreswan-3.23-crypto-policies.patch -Patch5: libreswan-3.23-gcc8.patch - - %endif -Group: System 
Environment/Daemons -BuildRequires: bison flex pkgconfig -BuildRequires: systemd systemd-units systemd-devel -Requires(post): coreutils bash systemd +Requires(post): bash coreutils systemd Requires(preun): systemd Requires(postun): systemd @@ -52,39 +49,31 @@ Provides: openswan = %{version}-%{release} Provides: openswan-doc = %{version}-%{release} BuildRequires: pkgconfig hostname -BuildRequires: nss-devel >= 3.16.1, nspr-devel +BuildRequires: bison flex +BuildRequires: systemd-devel +BuildRequires: nss-devel >= 3.16.1 +BuildRequires: nspr-devel BuildRequires: pam-devel BuildRequires: libevent-devel -%if %{USE_DNSSEC} -BuildRequires: unbound-devel >= 1.6.0-6 ldns-devel -%endif -%if %{USE_SECCOMP} +BuildRequires: unbound-devel >= 1.6.0-6 +BuildRequires: ldns-devel BuildRequires: libseccomp-devel -%endif -%if %{USE_LABELED_IPSEC} BuildRequires: libselinux-devel -%endif -%if %{USE_FIPSCHECK} BuildRequires: fipscheck-devel Requires: fipscheck%{_isa} -%endif -%if %{USE_LINUX_AUDIT} Buildrequires: audit-libs-devel -%endif - -%if %{USE_LIBCAP_NG} BuildRequires: libcap-ng-devel -%endif -%if %{crl_fetching} -BuildRequires: openldap-devel curl-devel -%endif -%if %{buildefence} +BuildRequires: openldap-devel +BuildRequires: curl-devel +%if 0%{with_efence} BuildRequires: ElectricFence %endif BuildRequires: xmlto -Requires: nss-tools, nss-softokn +Requires: nss-tools +Requires: nss-softokn Requires: iproute >= 2.6.8 +Requires: unbound-libs >= 1.6.6 %description Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is 
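Review bot: `USE_SECCOMP=true` inside the new `%global libreswan_config` macro turns the seccomp filter on where the removed lines had `%global USE_SECCOMP false` under the comment `# not production ready yet`, yet the changelog entry this commit adds says only `- Updated to 3.25`. A seccomp filter changes pluto's failure mode — a syscall outside the allow-list will typically kill the daemon rather than be logged — so the enablement deserves its own changelog line and a comment above the macro such as `# seccomp filtering is compiled in as of 3.25; the runtime policy is chosen in ipsec.conf (seccomp=)`, assuming that is where it is controlled, which the hunk does not show. The same goes for dropping `Patch1`–`Patch5` (seccomp, fixups, PPK, crypto-policies, gcc8): if they were merged upstream in 3.25, one changelog line saying so lets a reader tell "upstreamed" apart from "lost".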
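Review bot: The new runtime floor `Requires: unbound-libs >= 1.6.6` at the end of the hunk is higher than the build floor kept above it, `BuildRequires: unbound-devel >= 1.6.0-6`, so the package may be built against headers older than the library it insists on at install time. If 1.6.6 carries a fix the DNSSEC code needs, raise the build side to match (`BuildRequires: unbound-devel >= 1.6.6`); if it does not, the explicit floor duplicates the automatic soname dependency and should carry a comment explaining why it exists. Note also that `Requires: fipscheck%{_isa}` is now unconditional, which matches the unconditional `fipshmac` step elsewhere in the spec but means the package can no longer be installed without fipscheck even on non-FIPS hosts; a one-line comment stating that this is intended would avoid a future "why is this required" ticket.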
@@ -111,118 +100,62 @@ sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/cert_verify/usage_test sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/pluto/ikev1-01-fuzzer/cve-2015-3204.py sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/pluto/ikev2-15-fuzzer/send_bad_packets.py sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/x509/dist_certs.py - -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 +# enable crypto-policies support +sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in %build -%if %{buildefence} - %global efence "-lefence" +%if 0%{with_efence} +%global efence "-lefence" %endif #796683: -fno-strict-aliasing make %{?_smp_mflags} \ -%if %{development} - USERCOMPILE="-g -DGCC_LINT %(echo %{optflags} | sed -e s/-O[0-9]*/ /) %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \ +%if 0%{with_development} + USERCOMPILE="-g -DGCC_LINT %(echo %{optflags} | sed -e s/-O[0-9]*/ /) %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \ %else - USERCOMPILE="-g -DGCC_LINT %{optflags} %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \ + USERCOMPILE="-g -DGCC_LINT %{optflags} %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \ %endif - USERLINK="-g -pie -Wl,-z,relro,-z,now %{?efence}" \ - INITSYSTEM=systemd \ - USE_NM=%{USE_NM} \ - USE_XAUTHPAM=true \ -%if %{USE_FIPSCHECK} - USE_FIPSCHECK="%{USE_FIPSCHECK}" \ - FIPSPRODUCTCHECK=%{_sysconfdir}/system-fips \ -%endif - USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \ - USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \ -%if %{crl_fetching} - USE_LDAP=true \ - USE_LIBCURL=true \ -%else - USE_LDAP=false \ - USE_LIBCURL=false \ -%endif - USE_DNSSEC="%{USE_DNSSEC}" \ - USE_SECCOMP="%{USE_SECCOMP}" \ - INC_USRLOCAL=%{_prefix} \ - FINALLIBEXECDIR=%{_libexecdir}/ipsec \ - MANTREE=%{_mandir} \ - INC_RCDEFAULT=%{_initrddir} \ - 
NSS_REQ_AVA_COPY=false \ - programs + USERLINK="-g -pie -Wl,-z,relro,-z,now %{?efence}" \ + %{libreswan_config} \ + programs FS=$(pwd) -%if %{USE_FIPSCHECK} # Add generation of HMAC checksums of the final stripped binaries %define __spec_install_post \ %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ - fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/pluto \ + fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/pluto \ %{nil} -%endif %install make \ - DESTDIR=%{buildroot} \ - INC_USRLOCAL=%{_prefix} \ - FINALLIBEXECDIR=%{_libexecdir}/ipsec \ - MANTREE=%{buildroot}%{_mandir} \ - INC_RCDEFAULT=%{_initrddir} \ - INSTMANFLAGS="-m 644" \ - INITSYSTEM=systemd \ - USE_NM=%{USE_NM} \ - USE_XAUTHPAM=true \ -%if %{USE_FIPSCHECK} - USE_FIPSCHECK="%{USE_FIPSCHECK}" \ - FIPSPRODUCTCHECK=%{_sysconfdir}/system-fips \ -%endif - USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \ - USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \ -%if %{crl_fetching} - USE_LDAP=true \ - USE_LIBCURL=true \ -%else - USE_LDAP=false \ - USE_LIBCURL=false \ -%endif - USE_DNSSEC="%{USE_DNSSEC}" \ - USE_SECCOMP="%{USE_SECCOMP}" \ - NSS_REQ_AVA_COPY=false \ - install + DESTDIR=%{buildroot} \ + %{libreswan_config} \ + install FS=$(pwd) rm -rf %{buildroot}/usr/share/doc/libreswan -# enable crypto-policies support -sed -i "s:# include\(.*\)/crypto-policies/back-ends/libreswan.config:include\1:" %{buildroot}/%{_sysconfdir}/ipsec.conf - -install -d -m 0700 %{buildroot}%{_localstatedir}/run/pluto +install -d -m 0700 %{buildroot}%{_rundir}/pluto # used when setting --perpeerlog without --perpeerlogbase install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer install -d %{buildroot}%{_sbindir} install -d %{buildroot}%{_sysconfdir}/sysctl.d install -m 0644 packaging/fedora/libreswan-sysctl.conf \ - %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf + %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf install -d 
%{buildroot}%{_tmpfilesdir} install -m 0644 packaging/fedora/libreswan-tmpfiles.conf \ - %{buildroot}%{_tmpfilesdir}/libreswan.conf + %{buildroot}%{_tmpfilesdir}/libreswan.conf -%if %{USE_FIPSCHECK} mkdir -p %{buildroot}%{_libdir}/fipscheck -%endif echo "include %{_sysconfdir}/ipsec.d/*.secrets" \ - > %{buildroot}%{_sysconfdir}/ipsec.secrets + > %{buildroot}%{_sysconfdir}/ipsec.secrets rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc* -%if %{cavstests} +%if 0%{with_cavstests} %check # There is an elaborate upstream testing infrastructure which we do not # run here - it takes hours and uses kvm @@ -234,13 +167,13 @@ bunzip2 *.fax.bz2 export NSS_DISABLE_HW_GCM=1 : starting CAVS test for IKEv2 -OBJ.linux.%{_arch}/programs/cavp/cavp -v2 ikev2.fax | \ +%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \ diff -u ikev2.fax - > /dev/null : starting CAVS test for IKEv1 RSASIG -OBJ.linux.%{_arch}/programs/cavp/cavp -v1sig ikev1_dsa.fax | \ +%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \ diff -u ikev1_dsa.fax - > /dev/null : starting CAVS test for IKEv1 PSK -OBJ.linux.%{_arch}/programs/cavp/cavp -v1psk ikev1_psk.fax | \ +%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \ diff -u ikev1_psk.fax - > /dev/null : CAVS tests passed %endif 
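Review bot: The crypto-policies `sed -i` that moved into `%prep` has no check that it actually matched, so if upstream's `programs/configs/ipsec.conf.in` changes the commented template the build still succeeds and ships an `ipsec.conf` that silently ignores the system-wide crypto policy. The previous version in `%install` had the same weakness, but now that the edit is made on the source tree it is cheap to assert: add `grep -q '^include .*/crypto-policies/back-ends/libreswan.config$' programs/configs/ipsec.conf.in` directly after the sed so a template change fails the build instead of weakening the policy. Separately, `rm -rf %{buildroot}/usr/share/doc/libreswan` hard-codes the prefix where every other path in this hunk uses a macro; `%{buildroot}%{_datadir}/doc/libreswan` keeps it consistent with `%{_libexecdir}`, `%{_rundir}` and friends. This hunk starts at the end of the Python-shebang rewrites in `%prep` and runs through `%install`, so the `%prep` section header is outside the visible lines.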
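Review bot: Each CAVS comparison still ends in `diff -u <vectors> - > /dev/null`, so when a vector mismatches the build log shows only the `: starting CAVS test ...` marker and a non-zero exit, with the differing lines discarded. Now that the tests exercise the installed `%{buildroot}%{_libexecdir}/ipsec/cavp` rather than the build-tree `OBJ.linux.%{_arch}/...` binary, a failure could equally come from a stripped or mis-installed binary, and the thrown-away output is the only thing that would tell the two apart. Dropping `> /dev/null` (or redirecting to a file that is `cat`-ed on failure) costs nothing on success because `diff` prints nothing when the outputs agree. The `-v1sig` → `-v1dsa` flag rename is not explained anywhere; if it tracks an option rename in 3.25, a short comment such as `# cavp renamed -v1sig to -v1dsa in 3.25` would save the next updater a trip into the cavp source.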
@@ -265,19 +198,19 @@ OBJ.linux.%{_arch}/programs/cavp/cavp -v1psk ikev1_psk.fax | \
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
 %attr(0700,root,root) %dir %{_localstatedir}/log/pluto
 %attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
-%attr(0700,root,root) %dir %{_localstatedir}/run/pluto
+%attr(0700,root,root) %dir %{_rundir}/pluto
 %attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
 %attr(0644,root,root) %{_unitdir}/ipsec.service
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
 %{_sbindir}/ipsec
 %{_libexecdir}/ipsec
-%attr(0644,root,root) %doc %{_mandir}/*/*
-
-%if %{USE_FIPSCHECK}
+%doc %{_mandir}/*/*
 %{_libdir}/fipscheck/pluto.hmac
-%endif
 
 %changelog
+* Wed Jun 27 2018 Paul Wouters - 3.25-1
+- Updated to 3.25
+
 * Mon Feb 19 2018 Paul Wouters - 3.23-2
 - Support crypto-policies package
 - Pull in some patches from upstream and IANA registry updates
diff --git a/sources b/sources
index ffd3cde..4633056 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
-SHA512 (libreswan-3.23.tar.gz) = 3645af522ea9ac868c55bfadfd2cf27dc5acb247543f43290cbe677a90cd00316be6520ca2128b9aaecce2b0293710ae6a2bd710a7d93198b8cb81e32276ced8
+SHA512 (libreswan-3.25.tar.gz) = 246649cb5bef1d0690217d1080f3f6f175a0d7a5f27e5a7affdf291b2f418a11937e96b64716a33e6312530409a2c1b10b90e2fa5ec339a27c94c990d86ed517
 SHA512 (ikev1_dsa.fax.bz2) = 627cbac14248bd68e8d22fbca247668a7749ef0c2e41df8d776d62df9a21403d3a246c0bd82c3faedce62de90b9f91a87f753e17b056319000bba7d2038461ac
 SHA512 (ikev1_psk.fax.bz2) = 1b2daec32edc56b410c036db2688c92548a9bd9914994bc7e555b301dd6db4497a6b3e89dc12ddf36826ae90b40fcde501a5a45c0d59098e07839073d219d467
 SHA512 (ikev2.fax.bz2) = 0d3748d1bd574f6f1f3e4db847eca126ce649566ea710ef227426f433122752b80d1d6b8acf9d0df07b5597c1e45447e3a2fcb3391756e834e8e75f99df8e51e
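Review bot: `%attr(0700,root,root) %dir %{_rundir}/pluto` keeps the runtime socket directory in the payload while the package also ships `%{_tmpfilesdir}/libreswan.conf`; because `%{_rundir}` is a tmpfs, the `%files` entry only establishes rpm ownership and the mode that actually applies after every boot comes from the tmpfiles entry, which this hunk does not show. Please confirm `packaging/fedora/libreswan-tmpfiles.conf` declares the same `0700 root root` for `/run/pluto`, and add a comment on this line such as `# mode must match libreswan-tmpfiles.conf, which recreates the dir at boot`, otherwise the 0700 here gives a false picture of how the control socket directory is protected. Dropping `%attr(0644,root,root)` from the man-page line is harmless since `%doc %{_mandir}/*/*` falls back to the default file attributes, and the now-unconditional `%{_libdir}/fipscheck/pluto.hmac` is consistent with the unconditional `fipshmac` step earlier in the spec.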