- Updated to 4.0rc1

.gitignore

@@ -33,3 +33,4 @@
 /libreswan-3.30.tar.gz
 /libreswan-3.31.tar.gz
 /libreswan-3.32.tar.gz
+/libreswan-4.0rc1.tar.gz

libreswan.spec

@@ -3,88 +3,86 @@
 %global with_efence 0
 %global with_development 0
 %global with_cavstests 1
-# Libreswan config options
+# minimum version for support for rhbz#1651314
+%global nss_version 3.44.0-8
+%global unbound_version 1.6.6
+# Libreswan config options. With these settings, libreswan
+# does not require its own FIPS validation. Only the system
+# and NSS needs to be FIPS validated.
 %global libreswan_config \\\
+    SHELL_BINARY=/usr/bin/sh \\\
     FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
     FINALMANDIR=%{_mandir} \\\
-    INC_RCDEFAULT=%{_initrddir} \\\
+    PREFIX=%{_prefix} \\\
-    INC_USRLOCAL=%{_prefix} \\\
     INITSYSTEM=systemd \\\
+    NSS_REQ_AVA_COPY=false \\\
+    NSS_HAS_IPSEC_PROFILE=true \\\
     PYTHON_BINARY=%{__python3} \\\
-    SHELL_BINARY=%{_bindir}/sh \\\
     USE_DNSSEC=true \\\
     USE_FIPSCHECK=false \\\
-    USE_KLIPS=false \\\
     USE_LABELED_IPSEC=true \\\
     USE_LDAP=true \\\
     USE_LIBCAP_NG=true \\\
     USE_LIBCURL=true \\\
     USE_LINUX_AUDIT=true \\\
     USE_NM=true \\\
-    USE_NSS_IPSEC_PROFILE=true \\\
-    USE_NSS_PRF=true \\\
     USE_SECCOMP=true \\\
     USE_XAUTHPAM=true \\\
+    USE_NSS_KDF=true \\\
 %{nil}
 
-#global prever rc1
+%global prever rc1
 
 Name: libreswan
-Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
+Summary: IKE implementation for IPsec with IKEv1 and IKEv2 support
 # version is generated in the release script
-Version: 3.32
+Version: 4.0
-Release: %{?prever:0.}4%{?prever:.%{prever}}%{?dist}
+Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
 License: GPLv2
 Url: https://libreswan.org/
-Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
+Source0: https://download.libreswan.org/%{?prever:with_development/}%{name}-%{version}%{?prever}.tar.gz
 %if 0%{with_cavstests}
 Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
 Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
 %endif
-
+BuildRequires: audit-libs-devel
-Patch1: libreswan-3.30-s390x.patch
+BuildRequires: bison
-Patch2: libreswan-3.32-nss-api.patch
+BuildRequires: curl-devel
-Patch3: libreswan-3.32-uninitialized.patch
+BuildRequires: flex
-Patch4: libreswan-3.32-selinux.patch
+BuildRequires: gcc make
-
-Requires(post): bash coreutils systemd
-Requires(preun): systemd
-Requires(postun): systemd
-
-Conflicts: openswan < %{version}-%{release}
-Obsoletes: openswan < %{version}-%{release}
-Provides: openswan = %{version}-%{release}
-Provides: openswan-doc = %{version}-%{release}
-
-BuildRequires:  gcc
-BuildRequires: pkgconfig hostname
-BuildRequires: bison flex
-BuildRequires: systemd-devel
-BuildRequires: nss-devel >= 3.52
-BuildRequires: nspr-devel
-BuildRequires: pam-devel
-BuildRequires: libevent-devel
-BuildRequires: unbound-devel >= 1.6.0-6
 BuildRequires: ldns-devel
+BuildRequires: libcap-ng-devel
+BuildRequires: libevent-devel
 BuildRequires: libseccomp-devel
 BuildRequires: libselinux-devel
-Buildrequires: audit-libs-devel
+BuildRequires: nspr-devel
-BuildRequires: libcap-ng-devel
+BuildRequires: nss-devel >= %{nss_version}
+BuildRequires: nss-tools
 BuildRequires: openldap-devel
-BuildRequires: curl-devel
+BuildRequires: pam-devel
+BuildRequires: pkgconfig
+BuildRequires: hostname
+BuildRequires: redhat-rpm-config
+BuildRequires: systemd-devel
+BuildRequires: unbound-devel >= %{unbound_version}
+BuildRequires: xmlto
 %if 0%{with_efence}
 BuildRequires: ElectricFence
 %endif
-BuildRequires: xmlto
-
-Requires: nss-tools
-Requires: nss-softokn
 Requires: iproute >= 2.6.8
-Requires: unbound-libs >= 1.6.6
+Requires: nss >= %{nss_version}
+Requires: nss-softokn
+Requires: nss-tools
+Requires: unbound-libs >= %{unbound_version}
+Requires(post): bash
+Requires(post): coreutils
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
 
 %description
-Libreswan is a free implementation of IPsec & IKE for Linux.  IPsec is
+Libreswan is an implementation of IKEv1 and IKEv2 for IPsec. IPsec is
 the Internet Protocol Security and uses strong cryptography to provide
 both authentication and encryption services.  These services allow you
 to build secure tunnels through untrusted networks.  Everything passing
@@ -101,20 +99,16 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
 
 %prep
 %setup -q -n libreswan-%{version}%{?prever}
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
 
-# Fedora should really figure this versioning out itself, not burden upstream
+# replace unsupported KLIPS README
-sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/cert_verify/usage_test
+echo "KLIPS is not supported with RHEL8" > README.KLIPS
-sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/pluto/ikev1-01-fuzzer/cve-2015-3204.py
+
-sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/pluto/ikev2-15-fuzzer/send_bad_packets.py
+# linking to freebl is not needed
-sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/x509/dist_certs.py
+sed -i "s/-lfreebl //" mk/config.mk
+
 # enable crypto-policies support
 sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in
-# linking to freebl is no longer needed
+
-sed -i "s/-lfreebl //" mk/config.mk
 
 %build
 make %{?_smp_mflags} \
@@ -126,6 +120,7 @@ make %{?_smp_mflags} \
 %if 0%{with_efence}
     USE_EFENCE=true \
 %endif
+    WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch" \
     USERLINK="%{?__global_ldflags}" \
     %{libreswan_config} \
     programs
@@ -133,23 +128,22 @@ FS=$(pwd)
 
 %install
 make \
-    DESTDIR=%{buildroot} \
+  DESTDIR=%{buildroot} \
-    %{libreswan_config} \
+  %{libreswan_config} \
-    install
+  install
 FS=$(pwd)
 rm -rf %{buildroot}/usr/share/doc/libreswan
+rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
 
 install -d -m 0755 %{buildroot}%{_rundir}/pluto
-# used when setting --perpeerlog without --perpeerlogbase
-install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer
 install -d %{buildroot}%{_sbindir}
 
 install -d %{buildroot}%{_sysconfdir}/sysctl.d
 install -m 0644 packaging/fedora/libreswan-sysctl.conf \
-    %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
+  %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
 
 echo "include %{_sysconfdir}/ipsec.d/*.secrets" \
-    > %{buildroot}%{_sysconfdir}/ipsec.secrets
+     > %{buildroot}%{_sysconfdir}/ipsec.secrets
 rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
 
 %if 0%{with_cavstests}
@@ -160,9 +154,6 @@ rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
 cp %{SOURCE1} %{SOURCE2} %{SOURCE3} .
 bunzip2 *.fax.bz2
 
-# work around for older xen based machines
-export NSS_DISABLE_HW_GCM=1
-
 : starting CAVS test for IKEv2
 %{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \
     diff -u ikev2.fax - > /dev/null
@@ -173,6 +164,16 @@ export NSS_DISABLE_HW_GCM=1
 %{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
     diff -u ikev1_psk.fax - > /dev/null
 : CAVS tests passed
+
+%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; }
+%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; }
+
+# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode
+tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
+certutil -N -d sql:$tmpdir --empty-password
+%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir
+: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST
+
 %endif
 
 %post
@@ -193,17 +194,18 @@ export NSS_DISABLE_HW_GCM=1
 %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
-%attr(0700,root,root) %dir %{_localstatedir}/log/pluto
-%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
 %attr(0755,root,root) %dir %{_rundir}/pluto
 %attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
 %attr(0644,root,root) %{_unitdir}/ipsec.service
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
 %{_sbindir}/ipsec
 %{_libexecdir}/ipsec
-%doc %{_mandir}/*/*
+%attr(0644,root,root) %doc %{_mandir}/*/*
 
 %changelog
+* Sun Sep 27 22:49:40 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.0-0.1.rc1
+- Updated to 4.0rc1
+
 * Thu Aug 27 2020 Paul Wouters <pwouters@redhat.com> - 3.32-4
 - Resolves: rhbz#1864043 libreswan: FTBFS in Fedora rawhide/f33
 

sources

@@ -1,4 +1 @@
-SHA512 (libreswan-3.32.tar.gz) = bb65512351059e2fac6f1c3ed1e291eabd6835faacf6d9c58649dd71dab1bb4fe6d6074178dea6dea01f24d39f3fbefd84c6060e4d8436b5d057fa55ae4467f3
+SHA512 (libreswan-4.0rc1.tar.gz) = 3ae36e477c6891f94b5d82b1a0ecb05a8413eab96125e6ae92289164b797538cf53cf6825dd1d4699bfdd4c49f68cc65097024f5b1ea9464226dae75abc5c669
-SHA512 (ikev1_dsa.fax.bz2) = 627cbac14248bd68e8d22fbca247668a7749ef0c2e41df8d776d62df9a21403d3a246c0bd82c3faedce62de90b9f91a87f753e17b056319000bba7d2038461ac
-SHA512 (ikev1_psk.fax.bz2) = 1b2daec32edc56b410c036db2688c92548a9bd9914994bc7e555b301dd6db4497a6b3e89dc12ddf36826ae90b40fcde501a5a45c0d59098e07839073d219d467
-SHA512 (ikev2.fax.bz2) = 0d3748d1bd574f6f1f3e4db847eca126ce649566ea710ef227426f433122752b80d1d6b8acf9d0df07b5597c1e45447e3a2fcb3391756e834e8e75f99df8e51e