* Mon Jul 09 2018 Paul Wouters <pwouters@redhat.com> - 3.25-3

- Fix Opportunistic IPsec _unbound-hook argument parsing
- Make rundir readable for all (so we can hand out permissions later)

libreswan-3.25-unbound-hook.patch

@@ -0,0 +1,35 @@
+commit 9dce290a0d2df5c278ed9442b10954d65cc238e4
+Author: Paul Wouters <pwouters@redhat.com>
+Date:   Sun Jul 8 22:29:52 2018 -0400
+
+    _unbound-hook: Fixup adding IPv4 pubkey into pluto. Expect unbound to quote argument as 1
+
+diff --git a/programs/_unbound-hook/_unbound-hook.in b/programs/_unbound-hook/_unbound-hook.in
+index 0d266d5..38279de 100755
+--- a/programs/_unbound-hook/_unbound-hook.in
++++ b/programs/_unbound-hook/_unbound-hook.in
+@@ -29,14 +29,17 @@ try:
+ except:
+     sys.exit("Bad arguments to ipsec _unbound")
+ 
+-while (argv != []):
++# unbound now quotes the entire RRDATAs, so it counts as 1 argument in the list
++data = argv.pop(0).split(" ")
++
++while (data != []):
+     try:
+-        gwprec = argv.pop(0)
+-        gwtype = argv.pop(0)
+-        gwalg = argv.pop(0)
+-        gwid = argv.pop(0)
+-        pubkey = argv.pop(0)
+-        addkeyip = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
++        gwprec = data.pop(0)
++        gwtype = data.pop(0)
++        gwalg = data.pop(0)
++        gwid = data.pop(0)
++        pubkey = data.pop(0)
++        addkeyip = "ipsec whack --keyid %s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
+         addkeyhostname = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(qname, pubkey)
+         print("processing an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip))
+         print(subprocess.call(addkeyip, shell=True))

libreswan.spec

@@ -30,7 +30,7 @@ Name: libreswan
 Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
 # version is generated in the release script
 Version: 3.25
-Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
+Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}
 License: GPLv2
 Url: https://libreswan.org/
 Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
@@ -41,6 +41,7 @@ Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
 %endif
 
 Patch1: libreswan-3.25-relax-delete.patch
+Patch2: libreswan-3.25-unbound-hook.patch
 
 Requires(post): bash coreutils systemd
 Requires(preun): systemd
@@ -106,6 +107,7 @@ sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/x509/dist_certs.py
 # enable crypto-policies support
 sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in
 %patch1 -p1
+%patch2 -p1
 
 %build
 %if 0%{with_efence}
@@ -202,7 +204,7 @@ export NSS_DISABLE_HW_GCM=1
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
 %attr(0700,root,root) %dir %{_localstatedir}/log/pluto
 %attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
-%attr(0700,root,root) %dir %{_rundir}/pluto
+%attr(0755,root,root) %dir %{_rundir}/pluto
 %attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
 %attr(0644,root,root) %{_unitdir}/ipsec.service
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
@@ -212,6 +214,10 @@ export NSS_DISABLE_HW_GCM=1
 %{_libdir}/fipscheck/pluto.hmac
 
 %changelog
+* Mon Jul 09 2018 Paul Wouters <pwouters@redhat.com> - 3.25-3
+- Fix Opportunistic IPsec _unbound-hook argument parsing
+- Make rundir readable for all (so we can hand out permissions later)
+
 * Mon Jul 02 2018 Paul Wouters <pwouters@redhat.com> - 3.25-2
 - Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors