* Mon Jul 09 2018 Paul Wouters <pwouters@redhat.com> - 3.25-3

- Fix Opportunistic IPsec _unbound-hook argument parsing
- Make rundir readable for all (so we can hand out permissions later)
Paul Wouters 2018-07-08 22:37:04 -04:00
parent c052b5d629
commit bd8e3a558c
2 changed files with 43 additions and 2 deletions


@ -0,0 +1,35 @@
commit 9dce290a0d2df5c278ed9442b10954d65cc238e4
Author: Paul Wouters <pwouters@redhat.com>
Date: Sun Jul 8 22:29:52 2018 -0400
_unbound-hook: Fixup adding IPv4 pubkey into pluto. Expect unbound to quote argument as 1
diff --git a/programs/_unbound-hook/_unbound-hook.in b/programs/_unbound-hook/_unbound-hook.in
index 0d266d5..38279de 100755
--- a/programs/_unbound-hook/_unbound-hook.in
+++ b/programs/_unbound-hook/_unbound-hook.in
@@ -29,14 +29,17 @@ try:
except:
sys.exit("Bad arguments to ipsec _unbound")
-while (argv != []):
+# unbound now quotes the entire RRDATAs, so it counts as 1 argument in the list
+data = argv.pop(0).split(" ")
+
+while (data != []):
try:
- gwprec = argv.pop(0)
- gwtype = argv.pop(0)
- gwalg = argv.pop(0)
- gwid = argv.pop(0)
- pubkey = argv.pop(0)
- addkeyip = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
+ gwprec = data.pop(0)
+ gwtype = data.pop(0)
+ gwalg = data.pop(0)
+ gwid = data.pop(0)
+ pubkey = data.pop(0)
+ addkeyip = "ipsec whack --keyid %s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
addkeyhostname = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(qname, pubkey)
print("processing an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip))
print(subprocess.call(addkeyip, shell=True))
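Review bot: the last context line of this hunk, `subprocess.call(addkeyip, shell=True)`, still hands the shell a command string into which `pubkey` (and, in `addkeyhostname`, `qname`) from the IPSECKEY RRDATA have been interpolated; the new `data = argv.pop(0).split(" ")` parsing only splits on spaces, so any other shell metacharacters in a record reach the shell verbatim. Since the fields are now parsed individually anyway, build an argument list and drop `shell=True`, e.g. `subprocess.call(["ipsec", "whack", "--keyid", ip, "--addkey", "--pubkeyrsa", "0s" + pubkey])`, which also makes the `@%s` vs `%s` keyid distinction explicit as a single argument. Two smaller points: `argv.pop(0)` raises IndexError when unbound passes no RRDATA at all, which the bare `except:` above (`sys.exit("Bad arguments ...")`) will only catch if that line is inside the same `try:`, and the inner `try:` pops five fields per iteration, so a short record depends on the `except` branch (not shown) to terminate the `while (data != []):` loop instead of spinning.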


@ -30,7 +30,7 @@ Name: libreswan
Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
# version is generated in the release script # version is generated in the release script
Version: 3.25 Version: 3.25
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist} Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}
License: GPLv2 License: GPLv2
Url: https://libreswan.org/ Url: https://libreswan.org/
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
@ -41,6 +41,7 @@ Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif %endif
Patch1: libreswan-3.25-relax-delete.patch Patch1: libreswan-3.25-relax-delete.patch
Patch2: libreswan-3.25-unbound-hook.patch
Requires(post): bash coreutils systemd Requires(post): bash coreutils systemd
Requires(preun): systemd Requires(preun): systemd
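Review bot: `Patch2: libreswan-3.25-unbound-hook.patch` carries no comment recording where it comes from; the patch file's own header names upstream commit 9dce290a0d2df5c278ed9442b10954d65cc238e4, so a `# upstream commit 9dce290a0d2df5c278ed9442b10954d65cc238e4` line above `Patch2:` would tell the next packager when the backport can be dropped (Patch1 has the same gap).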
@ -106,6 +107,7 @@ sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/x509/dist_certs.py
# enable crypto-policies support # enable crypto-policies support
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in
%patch1 -p1 %patch1 -p1
%patch2 -p1
%build %build
%if 0%{with_efence} %if 0%{with_efence}
@ -202,7 +204,7 @@ export NSS_DISABLE_HW_GCM=1
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
%attr(0700,root,root) %dir %{_localstatedir}/log/pluto %attr(0700,root,root) %dir %{_localstatedir}/log/pluto
%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer %attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
%attr(0700,root,root) %dir %{_rundir}/pluto %attr(0755,root,root) %dir %{_rundir}/pluto
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf %attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
%attr(0644,root,root) %{_unitdir}/ipsec.service %attr(0644,root,root) %{_unitdir}/ipsec.service
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
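Review bot: widening `%dir %{_rundir}/pluto` from 0700 to 0755 lets every local user list the directory and see the control socket and pid file names, and the `%attr` only applies to the packaged directory at install time; `%{_rundir}` is recreated at boot, so the mode that actually persists is whatever `%{_tmpfilesdir}/libreswan.conf` (listed two lines below) declares for that directory. Check that the tmpfiles.d entry is changed to the same 0755 in the same update, otherwise the directory will revert to 0700 on the next reboot and the "hand out permissions later" plan in the changelog will not hold; the files inside (the whack socket in particular) keep their own modes, so it is worth stating in the changelog that nothing in the directory becomes accessible to non-root users by this change alone.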
@ -212,6 +214,10 @@ export NSS_DISABLE_HW_GCM=1
%{_libdir}/fipscheck/pluto.hmac %{_libdir}/fipscheck/pluto.hmac
%changelog %changelog
* Mon Jul 09 2018 Paul Wouters <pwouters@redhat.com> - 3.25-3
- Fix Opportunistic IPsec _unbound-hook argument parsing
- Make rundir readable for all (so we can hand out permissions later)
* Mon Jul 02 2018 Paul Wouters <pwouters@redhat.com> - 3.25-2 * Mon Jul 02 2018 Paul Wouters <pwouters@redhat.com> - 3.25-2
- Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors - Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors