import libreswan-4.3-1.el8

2021-03-30 07:22:45 -04:00 · 2021-03-30 07:22:45 -04:00 · ccb65ec817
commit ccb65ec817
parent 8bef08924d
10 changed files with 221 additions and 184 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,4 @@
 SOURCES/ikev1_dsa.fax.bz2
 SOURCES/ikev1_psk.fax.bz2
 SOURCES/ikev2.fax.bz2
-SOURCES/libreswan-3.32.tar.gz
+SOURCES/libreswan-4.3.tar.gz
--- a/.libreswan.metadata
+++ b/.libreswan.metadata
@ -1,4 +1,4 @@
 b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2
 861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2
 fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2
-d752c8df37c90733a01c24849d439733acd4e8f0 SOURCES/libreswan-3.32.tar.gz
+6f86811420df8873f43e8ff98f718f1aee5836f3 SOURCES/libreswan-4.3.tar.gz
--- a/SOURCES/libreswan-3.32-1840212-nss-gcm.patch
+++ b/SOURCES/libreswan-3.32-1840212-nss-gcm.patch
@ -1,16 +0,0 @@
-diff -Naur libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c
--- libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c	2020-05-11 10:13:41.000000000 -0400
-+++ libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c	2020-06-17 15:06:12.340210966 -0400
-@@ -16,6 +16,12 @@
- #include <stdio.h>
- #include <stdlib.h>
- 
-+/*
-+ * Special advise from Bob Relyea - needs to go before any nss include
-+ *
-+ */
-+#define NSS_PKCS11_2_0_COMPAT 1
-+
- #include "lswlog.h"
- #include "lswnss.h"
- #include "prmem.h"
--- a/SOURCES/libreswan-3.32-1842597-accounting.patch
+++ b/SOURCES/libreswan-3.32-1842597-accounting.patch
@ -1,15 +0,0 @@
-diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c
-index 28726cf82a..25ee52179a 100644
--- a/programs/pluto/kernel.c
-+++ b/programs/pluto/kernel.c
-@@ -600,8 +600,8 @@ bool fmt_common_shell_out(char *buf, size_t blen, const struct connection *c,
- 	 * true==inbound: inbound updates OUR_BYTES; !inbound updates
- 	 * PEER_BYTES.
- 	 */
-	bool outbytes = st != NULL && IS_IKE_SA(st) && get_sa_info(st, false, NULL);
-	bool inbytes = st != NULL && IS_IKE_SA(st) && get_sa_info(st, true, NULL);
-+	bool outbytes = st != NULL && get_sa_info(st, false, NULL);
-+	bool inbytes = st != NULL && get_sa_info(st, true, NULL);
- 	jambuf_t jambuf = array_as_jambuf(buf, blen);
- 	jam_common_shell_out(&jambuf, c, sr, st, inbytes, outbytes);
- 	return jambuf_ok(&jambuf);
--- a/SOURCES/libreswan-3.32-1847766-xfrmi.patch
+++ b/SOURCES/libreswan-3.32-1847766-xfrmi.patch
@ -1,24 +0,0 @@
-commit 790a79ba9f8f16532040d9c8a51a27c20e13c154
-Author: Paul Wouters <pwouters@redhat.com>
-Date:   Tue Jun 16 20:57:01 2020 -0400
-
-    pluto: find_pluto_xfrmi_interface() would only check first interface
-
-diff --git a/programs/pluto/kernel_xfrm_interface.c b/programs/pluto/kernel_xfrm_interface.c
-index 8fc27b727d..0dc1a7ec8c 100644
--- a/programs/pluto/kernel_xfrm_interface.c
-+++ b/programs/pluto/kernel_xfrm_interface.c
-@@ -586,9 +586,10 @@ static struct pluto_xfrmi *find_pluto_xfrmi_interface(uint32_t if_id)
- 	struct pluto_xfrmi *ret = NULL;
- 
- 	for (h = pluto_xfrm_interfaces;  h != NULL; h = h->next) {
-		if (h->if_id == if_id)
-		ret = h;
-		break;
-+		if (h->if_id == if_id) {
-+			ret = h;
-+			break;
-+		}
- 	}
- 
- 	return ret;
--- a/SOURCES/libreswan-3.32-1861360-nodefault-rsa-pss.patch
+++ b/SOURCES/libreswan-3.32-1861360-nodefault-rsa-pss.patch
@ -0,0 +1,18 @@
+diff -Naur libreswan-3.32-orig/lib/libipsecconf/confread.c libreswan-3.32/lib/libipsecconf/confread.c
+--- libreswan-3.32-orig/lib/libipsecconf/confread.c	2020-07-28 20:25:54.618261606 -0400
+++ libreswan-3.32/lib/libipsecconf/confread.c	2020-07-28 20:28:03.952421236 -0400
+@@ -1498,9 +1498,14 @@
+ 			} else if (streq(val, "rsasig") || streq(val, "rsa")) {
+ 				conn->policy |= POLICY_RSASIG;
+ 				conn->policy |= POLICY_RSASIG_v1_5;
+				/*
+				 * These cause failure with RSA 1024 bits because it uses RSA-PSS
+				 */
+#if 0
+ 				conn->sighash_policy |= POL_SIGHASH_SHA2_256;
+ 				conn->sighash_policy |= POL_SIGHASH_SHA2_384;
+ 				conn->sighash_policy |= POL_SIGHASH_SHA2_512;
+#endif
+ 			} else if (streq(val, "never")) {
+ 				conn->policy |= POLICY_AUTH_NEVER;
+ 			/* everything else is only supported for IKEv2 */
--- a/SOURCES/libreswan-3.32-rebase-fixups.patch
+++ b/SOURCES/libreswan-3.32-rebase-fixups.patch
@ -1,53 +0,0 @@
-diff -Naur libreswan-3.32-orig/lib/libipsecconf/interfaces.c libreswan-3.32/lib/libipsecconf/interfaces.c
--- libreswan-3.32-orig/lib/libipsecconf/interfaces.c	2020-05-11 10:13:41.000000000 -0400
-+++ libreswan-3.32/lib/libipsecconf/interfaces.c	2020-06-04 18:51:39.508280352 -0400
-@@ -71,7 +71,11 @@
- 		if (sa->sa.sa_family == af) {
- 			/* XXX: sizeof right? */
- 			ip_endpoint nhe;
-			happy(sockaddr_to_endpoint(sa, sizeof(*sa), &nhe));
-+			err_t e = sockaddr_to_endpoint(sa, sizeof(*sa), &nhe);
-+			if (e != NULL) {
-+			 	pexpect(e != NULL);
-+				return false;
-+			}
- 			pexpect(endpoint_hport(&nhe) == 0);
- 			*nh = endpoint_address(&nhe);
- 		}
-@@ -84,7 +88,11 @@
- 		if (sa->sa.sa_family == af) {
- 			/* XXX: sizeof right? */
- 			ip_endpoint dste;
-			happy(sockaddr_to_endpoint(sa, sizeof(*sa), &dste));
-+			err_t e = sockaddr_to_endpoint(sa, sizeof(*sa), &dste);
-+			if (e != NULL) {
-+			 	pexpect(e != NULL);
-+				return false;
-+			}
- 			pexpect(endpoint_hport(&dste) == 0);
- 			*dst = endpoint_address(&dste);
- 		}
-diff -Naur libreswan-3.32-orig/lib/libswan/ip_endpoint.c libreswan-3.32/lib/libswan/ip_endpoint.c
--- libreswan-3.32-orig/lib/libswan/ip_endpoint.c	2020-05-11 10:13:41.000000000 -0400
-+++ libreswan-3.32/lib/libswan/ip_endpoint.c	2020-06-04 18:51:39.508280352 -0400
-@@ -54,20 +54,12 @@
- 	switch (sa->sa.sa_family) {
- 	case AF_INET:
- 	{
-		/* XXX: to strict? */
-		if (sa_len != sizeof(sa->sin)) {
-			return "wrong length";
-		}
- 		address = address_from_in_addr(&sa->sin.sin_addr);
- 		port = ntohs(sa->sin.sin_port);
- 		break;
- 	}
- 	case AF_INET6:
- 	{
-		/* XXX: to strict? */
-		if (sa_len != sizeof(sa->sin6)) {
-			return "wrong length";
-		}
- 		address = address_from_in6_addr(&sa->sin6.sin6_addr);
- 		port = ntohs(sa->sin6.sin6_port);
- 		break;
--- a/SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch
+++ b/SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch
@ -0,0 +1,123 @@
+diff -Naur libreswan-4.2-orig/lib/libipsecconf/keywords.c libreswan-4.2/lib/libipsecconf/keywords.c
+--- libreswan-4.2-orig/lib/libipsecconf/keywords.c	2021-02-02 20:36:01.000000000 -0500
+++ libreswan-4.2/lib/libipsecconf/keywords.c	2021-02-04 19:22:05.880228930 -0500
+@@ -374,6 +374,8 @@
+   { "interfaces",  kv_config,  kt_string,  KSF_INTERFACES, NULL, NULL, },
+   { "curl-iface",  kv_config,  kt_string,  KSF_CURLIFACE, NULL, NULL, },
+   { "curl-timeout",  kv_config,  kt_time,  KBF_CURLTIMEOUT, NULL, NULL, },
+  { "curl_iface",  kv_config | kv_alias,  kt_string,  KSF_CURLIFACE, NULL, NULL, },  /* obsolete _ */
+  { "curl_timeout",  kv_config | kv_alias,  kt_time,  KBF_CURLTIMEOUT, NULL, NULL, },  /* obsolete _ */
+ 
+   { "myvendorid",  kv_config,  kt_string,  KSF_MYVENDORID, NULL, NULL, },
+   { "syslog",  kv_config,  kt_string,  KSF_SYSLOG, NULL, NULL, },
+@@ -381,6 +383,7 @@
+   { "logfile",  kv_config,  kt_filename,  KSF_LOGFILE, NULL, NULL, },
+   { "plutostderrlog",  kv_config,  kt_filename,  KSF_LOGFILE, NULL, NULL, }, /* obsolete name, but very common :/ */
+   { "logtime",  kv_config,  kt_bool,  KBF_LOGTIME, NULL, NULL, },
+  { "plutostderrlogtime",  kv_config | kv_alias,  kt_bool,  KBF_LOGTIME, NULL, NULL, },  /* obsolete */
+   { "logappend",  kv_config,  kt_bool,  KBF_LOGAPPEND, NULL, NULL, },
+   { "logip",  kv_config,  kt_bool,  KBF_LOGIP, NULL, NULL, },
+   { "audit-log",  kv_config,  kt_bool,  KBF_AUDIT_LOG, NULL, NULL, },
+@@ -400,13 +403,20 @@
+   { "global-redirect-to", kv_config, kt_string, KSF_GLOBAL_REDIRECT_TO, NULL, NULL, },
+ 
+   { "crl-strict",  kv_config,  kt_bool,  KBF_CRL_STRICT, NULL, NULL, },
+  { "crl_strict",  kv_config | kv_alias,  kt_bool,  KBF_CRL_STRICT, NULL, NULL, },  /* obsolete _ */
+   { "crlcheckinterval",  kv_config,  kt_time,  KBF_CRL_CHECKINTERVAL, NULL, NULL, },
+  { "strictcrlpolicy",  kv_config | kv_alias,  kt_bool,  KBF_CRL_STRICT, NULL, NULL, },  /* obsolete; used on openswan */
+ 
+   { "ocsp-strict",  kv_config,  kt_bool,  KBF_OCSP_STRICT, NULL, NULL, },
+  { "ocsp_strict",  kv_config | kv_alias,  kt_bool,  KBF_OCSP_STRICT, NULL, NULL, },  /* obsolete _ */
+   { "ocsp-enable",  kv_config,  kt_bool,  KBF_OCSP_ENABLE, NULL, NULL, },
+  { "ocsp_enable",  kv_config | kv_alias,  kt_bool,  KBF_OCSP_ENABLE, NULL, NULL, },  /* obsolete _ */
+   { "ocsp-uri",  kv_config,  kt_string,  KSF_OCSP_URI, NULL, NULL, },
+  { "ocsp_uri",  kv_config | kv_alias,  kt_string,  KSF_OCSP_URI, NULL, NULL, },  /* obsolete _ */
+   { "ocsp-timeout",  kv_config,  kt_number,  KBF_OCSP_TIMEOUT, NULL, NULL, },
+  { "ocsp_timeout",  kv_config | kv_alias,  kt_number,  KBF_OCSP_TIMEOUT, NULL, NULL, },  /* obsolete _ */
+   { "ocsp-trustname",  kv_config,  kt_string,  KSF_OCSP_TRUSTNAME, NULL, NULL, },
+  { "ocsp_trust_name",  kv_config | kv_alias,  kt_string,  KSF_OCSP_TRUSTNAME, NULL, NULL, },  /* obsolete _ */
+   { "ocsp-cache-size",  kv_config,  kt_number,  KBF_OCSP_CACHE_SIZE, NULL, NULL, },
+   { "ocsp-cache-min-age",  kv_config,  kt_time,  KBF_OCSP_CACHE_MIN, NULL, NULL, },
+   { "ocsp-cache-max-age",  kv_config,  kt_time,  KBF_OCSP_CACHE_MAX, NULL, NULL, },
+@@ -426,6 +436,7 @@
+   { "virtual_private",  kv_config,  kt_string,  KSF_VIRTUALPRIVATE, NULL, NULL, }, /* obsolete variant, very common */
+   { "seedbits",  kv_config,  kt_number,  KBF_SEEDBITS, NULL, NULL, },
+   { "keep-alive",  kv_config,  kt_number,  KBF_KEEPALIVE, NULL, NULL, },
+  { "keep_alive",  kv_config | kv_alias,  kt_number,  KBF_KEEPALIVE, NULL, NULL, },  /* obsolete _ */
+ 
+   { "listen-tcp", kv_config, kt_bool, KBF_LISTEN_TCP, NULL, NULL },
+   { "listen-udp", kv_config, kt_bool, KBF_LISTEN_UDP, NULL, NULL },
+@@ -437,6 +448,8 @@
+ #ifdef HAVE_LABELED_IPSEC
+   { "ikev1-secctx-attr-type",  kv_config,  kt_number,  KBF_SECCTX, NULL, NULL, },  /* obsolete: not a value, a type */
+   { "secctx-attr-type",  kv_config | kv_alias,  kt_number,  KBF_SECCTX, NULL, NULL, },
+  { "secctx_attr_value",  kv_config | kv_alias,  kt_number,  KBF_SECCTX, NULL, NULL, },  /* obsolete _ */
+  { "secctx-attr-value",  kv_config,  kt_number,  KBF_SECCTX, NULL, NULL, },  /* obsolete: not a value, a type */
+ #endif
+ 
+   /* these options are obsoleted (and not old aliases) */
+@@ -467,6 +480,7 @@
+   { "username",  kv_conn | kv_leftright,  kt_string,  KSCF_USERNAME, NULL, NULL, },
+   /* xauthusername is still used in NetworkManager-libreswan :/ */
+   { "xauthusername",  kv_conn | kv_leftright,  kt_string,  KSCF_USERNAME, NULL, NULL, }, /* old alias */
+  { "xauthname",  kv_conn | kv_leftright,  kt_string,  KSCF_USERNAME, NULL, NULL, }, /* old alias */
+   { "addresspool",  kv_conn | kv_leftright,  kt_range,  KSCF_ADDRESSPOOL, NULL, NULL, },
+   { "auth",  kv_conn | kv_leftright, kt_enum,  KNCF_AUTH,  &kw_authby_lr_list, NULL, },
+   { "cat",  kv_conn | kv_leftright,  kt_bool,  KNCF_CAT, NULL, NULL, },
+@@ -489,6 +503,8 @@
+   { "esn",  kv_conn | kv_processed,  kt_enum,  KNCF_ESN,  &kw_esn_list, NULL, },
+   { "decap-dscp",  kv_conn | kv_processed,  kt_bool,  KNCF_DECAP_DSCP,  NULL, NULL, },
+   { "nopmtudisc",  kv_conn | kv_processed,  kt_bool,  KNCF_NOPMTUDISC,  NULL, NULL, },
+  { "ike_frag",  kv_conn | kv_processed | kv_alias,  kt_enum,  KNCF_IKE_FRAG,  &kw_ynf_list, NULL, },  /* obsolete _ */
+  { "ike-frag",  kv_conn | kv_processed | kv_alias,  kt_enum,  KNCF_IKE_FRAG,  &kw_ynf_list, NULL, },  /* obsolete name */
+   { "fragmentation",  kv_conn | kv_processed,  kt_enum,  KNCF_IKE_FRAG,  &kw_ynf_list, NULL, },
+   { "mobike",  kv_conn,  kt_bool,  KNCF_MOBIKE, NULL, NULL, },
+   { "narrowing",  kv_conn,  kt_bool,  KNCF_IKEv2_ALLOW_NARROWING, NULL, NULL, },
+@@ -499,13 +515,18 @@
+   { "accept-redirect-to",  kv_conn,  kt_string, KSCF_ACCEPT_REDIRECT_TO, NULL, NULL, },
+   { "pfs",  kv_conn,  kt_bool,  KNCF_PFS, NULL, NULL, },
+ 
+  { "nat_keepalive",  kv_conn | kv_alias,  kt_bool,  KNCF_NAT_KEEPALIVE, NULL, NULL, },  /* obsolete _ */
+   { "nat-keepalive",  kv_conn,  kt_bool,  KNCF_NAT_KEEPALIVE, NULL, NULL, },
+ 
+  { "initial_contact",  kv_conn | kv_alias,  kt_bool,  KNCF_INITIAL_CONTACT, NULL, NULL, },  /* obsolete _ */
+   { "initial-contact",  kv_conn,  kt_bool,  KNCF_INITIAL_CONTACT, NULL, NULL, },
+  { "cisco_unity",  kv_conn | kv_alias,  kt_bool,  KNCF_CISCO_UNITY, NULL, NULL, },  /* obsolete _ */
+   { "cisco-unity",  kv_conn,  kt_bool,  KNCF_CISCO_UNITY, NULL, NULL, },
+   { "send-no-esp-tfc",  kv_conn,  kt_bool,  KNCF_NO_ESP_TFC, NULL, NULL, },
+   { "fake-strongswan",  kv_conn,  kt_bool,  KNCF_VID_STRONGSWAN, NULL, NULL, },
+  { "send_vendorid",  kv_conn | kv_alias,  kt_bool,  KNCF_SEND_VENDORID, NULL, NULL, },  /* obsolete _ */
+   { "send-vendorid",  kv_conn,  kt_bool,  KNCF_SEND_VENDORID, NULL, NULL, },
+  { "sha2_truncbug",  kv_conn | kv_alias,  kt_bool,  KNCF_SHA2_TRUNCBUG, NULL, NULL, },  /* obsolete _ */
+   { "sha2-truncbug",  kv_conn,  kt_bool,  KNCF_SHA2_TRUNCBUG, NULL, NULL, },
+   { "ms-dh-downgrade",  kv_conn,  kt_bool,  KNCF_MSDH_DOWNGRADE, NULL, NULL, },
+   { "require-id-on-certificate",  kv_conn,  kt_bool,  KNCF_SAN_ON_CERT, NULL, NULL, },
+@@ -520,7 +541,10 @@
+   {"ikepad",  kv_conn,  kt_bool,  KNCF_IKEPAD, NULL, NULL, },
+   { "nat-ikev1-method",  kv_conn | kv_processed,  kt_enum,  KNCF_IKEV1_NATT,  &kw_ikev1natt_list, NULL, },
+ 
+  { "labeled_ipsec",  kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
+  { "labeled-ipsec",  kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
+   { "policy-label",  kv_conn,  kt_string,  KSCF_SA_SEC_LABEL, NULL, NULL, }, /* obsolete variant */
+  { "policy_label",  kv_conn,  kt_string,  KSCF_SA_SEC_LABEL, NULL, NULL, }, /* obsolete variant */
+   { "sec-label",  kv_conn,  kt_string,  KSCF_SA_SEC_LABEL, NULL, NULL, }, /* really stored into struct end */
+ 
+   /* Cisco interop: remote peer type */
+@@ -531,13 +555,17 @@
+   /* Network Manager support */
+ #ifdef HAVE_NM
+   { "nm-configured",  kv_conn,  kt_bool,  KNCF_NMCONFIGURED, NULL, NULL, },
+  { "nm_configured",  kv_conn,  kt_bool,  KNCF_NMCONFIGURED, NULL, NULL, }, /* obsolete _ */
+ #endif
+ 
+   { "xauthby",  kv_conn,  kt_enum,  KNCF_XAUTHBY,  &kw_xauthby, NULL, },
+   { "xauthfail",  kv_conn,  kt_enum,  KNCF_XAUTHFAIL,  &kw_xauthfail, NULL, },
+   { "modecfgpull",  kv_conn,  kt_invertbool,  KNCF_MODECONFIGPULL, NULL, NULL, },
+   { "modecfgdns",  kv_conn,  kt_string,  KSCF_MODECFGDNS, NULL, NULL, },
+  { "modecfgdns1",  kv_conn | kv_alias, kt_string, KSCF_MODECFGDNS, NULL, NULL, }, /* obsolete */
+  { "modecfgdns2",  kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
+   { "modecfgdomains",  kv_conn,  kt_string,  KSCF_MODECFGDOMAINS, NULL, NULL, },
+  { "modecfgdomain",  kv_conn | kv_alias,  kt_string,  KSCF_MODECFGDOMAINS, NULL, NULL, }, /* obsolete */
+   { "modecfgbanner",  kv_conn,  kt_string,  KSCF_MODECFGBANNER, NULL, NULL, },
+   { "ignore-peer-dns",  kv_conn,  kt_bool,  KNCF_IGNORE_PEER_DNS, NULL, NULL, },
+   { "mark",  kv_conn,  kt_string,  KSCF_CONN_MARK_BOTH, NULL, NULL, },
--- a/SOURCES/libreswan-3.32-maintain-different-v1v2-split.patch
+++ b/SOURCES/libreswan-3.32-maintain-different-v1v2-split.patch
@ -1,28 +1,6 @@
-diff -Naur libreswan-3.32rc1-orig/lib/libipsecconf/confread.c libreswan-3.32rc1/lib/libipsecconf/confread.c
--- libreswan-3.32rc1-orig/lib/libipsecconf/confread.c	2020-04-28 22:27:20.000000000 -0400
-+++ libreswan-3.32rc1/lib/libipsecconf/confread.c	2020-04-30 13:41:18.612751661 -0400
-@@ -1332,13 +1332,16 @@
- 
- 		switch (conn->options[KNCF_IKEv2]) {
- 		case fo_never:
-		case fo_permit:
- 			conn->policy |= POLICY_IKEV1_ALLOW;
- 			/* clear any inherited default */
- 			conn->policy &= ~POLICY_IKEV2_ALLOW;
- 			break;
-
-+		case fo_permit:
-+			starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no|never");
-+			return TRUE;
- 		case fo_propose:
-+			starter_error_append(perrl, "ikev2=propose or ikev2=yes is no longer accepted. Use ikev2=insist or ikev2=no|never");
-+			return TRUE;
- 		case fo_insist:
- 			conn->policy |= POLICY_IKEV2_ALLOW;
- 			/* clear any inherited default */
-diff -Naur libreswan-3.32rc1-orig/programs/configs/d.ipsec.conf/ikev2.xml libreswan-3.32rc1/programs/configs/d.ipsec.conf/ikev2.xml
--- libreswan-3.32rc1-orig/programs/configs/d.ipsec.conf/ikev2.xml	2020-04-28 22:27:20.000000000 -0400
-+++ libreswan-3.32rc1/programs/configs/d.ipsec.conf/ikev2.xml	2020-04-30 13:45:14.847694267 -0400
+diff -Naur libreswan-4.3-orig/configs/d.ipsec.conf/ikev2.xml libreswan-4.3/configs/d.ipsec.conf/ikev2.xml
+--- libreswan-4.3-orig/configs/d.ipsec.conf/ikev2.xml	2021-02-21 12:03:03.000000000 -0500
+++ libreswan-4.3/configs/d.ipsec.conf/ikev2.xml	2021-02-21 12:33:36.226284499 -0500
@@ -1,15 +1,15 @@
   <varlistentry>
   <term><emphasis remap='B'>ikev2</emphasis></term>
@ -47,24 +25,46 @@ diff -Naur libreswan-3.32rc1-orig/programs/configs/d.ipsec.conf/ikev2.xml libres
 </para>
   </listitem>
   </varlistentry>
-diff -Naur libreswan-3.32rc1-orig/programs/whack/whack.c libreswan-3.32rc1/programs/whack/whack.c
--- libreswan-3.32rc1-orig/programs/whack/whack.c	2020-04-28 22:27:20.000000000 -0400
-+++ libreswan-3.32rc1/programs/whack/whack.c	2020-04-30 13:41:18.615751749 -0400
-@@ -775,7 +775,7 @@
+diff -Naur libreswan-4.3-orig/lib/libipsecconf/confread.c libreswan-4.3/lib/libipsecconf/confread.c
+--- libreswan-4.3-orig/lib/libipsecconf/confread.c	2021-02-21 12:03:03.000000000 -0500
+++ libreswan-4.3/lib/libipsecconf/confread.c	2021-02-21 12:37:43.138031929 -0500
+@@ -1310,11 +1310,17 @@
 
- 	PS("ikev1-allow", IKEV1_ALLOW),
- 	PS("ikev2-allow", IKEV2_ALLOW),
-	PS("ikev2-propose", IKEV2_ALLOW), /* map onto allow */
-+	/* not in RHEL8 PS("ikev2-propose", IKEV2_ALLOW),*/
+ 		switch (conn->options[KNCF_IKEv2]) {
+ 		case fo_never:
+-		case fo_permit:
+ 			conn->ike_version = IKEv1;
+ 			break;
+ 
+		case fo_permit:
+			starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no|never");
+			return TRUE;
+
+ 		case fo_propose:
+			starter_error_append(perrl, "ikev2=propose or ikev2=yes is no longer accepted. Use ikev2=insist or ikev2=no|never");
+			return TRUE;
+
+ 		case fo_insist:
+ 			conn->ike_version = IKEv2;
+ 			break;
+diff -Naur libreswan-4.3-orig/programs/whack/whack.c libreswan-4.3/programs/whack/whack.c
+--- libreswan-4.3-orig/programs/whack/whack.c	2021-02-21 12:03:03.000000000 -0500
+++ libreswan-4.3/programs/whack/whack.c	2021-02-21 12:39:27.066188354 -0500
+@@ -801,7 +801,7 @@
+ 	{ "ikev1-allow", no_argument, NULL, CD_IKEv1 + OO }, /* obsolete name */
+ 	{ "ikev2", no_argument, NULL, CD_IKEv2 +OO },
+ 	{ "ikev2-allow", no_argument, NULL, CD_IKEv2 +OO }, /* obsolete name */
+-	{ "ikev2-propose", no_argument, NULL, CD_IKEv2 +OO }, /* obsolete, map onto allow */
+	/* not in RHEL8 { "ikev2-propose", no_argument, NULL, CD_IKEv2 +OO }, */
 
 	PS("allow-narrowing", IKEV2_ALLOW_NARROWING),
- #ifdef XAUTH_HAVE_PAM
-@@ -1737,7 +1737,7 @@
+ #ifdef AUTH_HAVE_PAM
+@@ -1762,7 +1762,7 @@
+ 			end_seen = LEMPTY;
+ 			continue;
 
- 		/* --ikev1-allow */
- 		case CDP_SINGLETON + POLICY_IKEV1_ALLOW_IX:
-		/* --ikev2-allow (now also --ikev2-propose) */
-+		/* --ikev2-allow */
- 		case CDP_SINGLETON + POLICY_IKEV2_ALLOW_IX:
- 
- 		/* --allow-narrowing */
+-		/* --ikev1 --ikev2 --ikev2-propose */
+		/* --ikev1 --ikev2  */
+ 		case CD_IKEv1:
+ 		case CD_IKEv2:
+ 		{
--- a/SPECS/libreswan.spec
+++ b/SPECS/libreswan.spec
@ -5,18 +5,18 @@
 %global with_cavstests 1
 # minimum version for support for rhbz#1651314
 # should prob update for nss with IKEv1 quick mode support
-%global nss_version 3.39.0-1.4
+%global nss_version 3.53.1
 %global unbound_version 1.6.6
-# Libreswan config options - temporarilly without USE_NSS_PRF while waiting for updated nss to become available
 %global libreswan_config \\\
    FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
    FINALMANDIR=%{_mandir} \\\
-    INC_RCDEFAULT=%{_initrddir} \\\
-    INC_USRLOCAL=%{_prefix} \\\
+    FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\
    INITSYSTEM=systemd \\\
-    NSS_REQ_AVA_COPY=false \\\
    NSS_HAS_IPSEC_PROFILE=true \\\
+    NSS_REQ_AVA_COPY=false \\\
+    PREFIX=%{_prefix} \\\
    PYTHON_BINARY=%{__python3} \\\
+    SHELL_BINARY=%{_bindir}/sh \\\
    USE_DNSSEC=true \\\
    USE_FIPSCHECK=false \\\
    USE_LABELED_IPSEC=true \\\
@ -25,11 +25,9 @@
    USE_LIBCURL=true \\\
    USE_LINUX_AUDIT=true \\\
    USE_NM=true \\\
+    USE_NSS_KDF=true \\\
    USE_SECCOMP=true \\\
-    USE_XAUTHPAM=true \\\
-    USE_KLIPS=false \\\
-    USE_NSS_PRF=false \\\
-    USE_PRF_AES_XCBC=true \\\
+    USE_AUTHPAM=true \\\
    USE_DH2=true \\\
 %{nil}

@ -38,8 +36,8 @@
 Name: libreswan
 Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
 # version is generated in the release script
-Version: 3.32
-Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}
+Version: 4.3
+Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
 License: GPLv2
 Url: https://libreswan.org/

@ -50,17 +48,15 @@ Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
 %endif

-Patch1: libreswan-3.32-maintain-different-v1v2-split.patch
-Patch2: libreswan-3.32-rebase-fixups.patch
-Patch3: libreswan-3.32-1842597-accounting.patch
-Patch4: libreswan-3.32-1847766-xfrmi.patch
-Patch5: libreswan-3.32-1840212-nss-gcm.patch
+Patch1: libreswan-4.3-maintain-different-v1v2-split.patch
+Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch
+Patch3: libreswan-4.1-maintain-obsolete-keywords.patch

 BuildRequires: audit-libs-devel
 BuildRequires: bison
 BuildRequires: curl-devel
 BuildRequires: flex
-BuildRequires: gcc
+BuildRequires: gcc make
 BuildRequires: ldns-devel
 BuildRequires: libcap-ng-devel
 BuildRequires: libevent-devel
@ -68,7 +64,7 @@ BuildRequires: libseccomp-devel
 BuildRequires: libselinux-devel
 BuildRequires: nspr-devel
 BuildRequires: nss-devel >= %{nss_version}
-buildRequires: nss-tools
+BuildRequires: nss-tools
 BuildRequires: openldap-devel
 BuildRequires: pam-devel
 BuildRequires: pkgconfig
@ -112,21 +108,12 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
-%patch4 -p1
-%patch5 -p1
-
-pathfix.py -i %{__python3} -pn testing/cert_verify/usage_test \
-  testing/pluto/ikev1-01-fuzzer/cve-2015-3204.py \
-  testing/pluto/ikev2-15-fuzzer/send_bad_packets.py
-
-# replace unsupported KLIPS README
-echo "KLIPS is not supported with RHEL8" > README.KLIPS

 # linking to freebl is not needed
 sed -i "s/-lfreebl //" mk/config.mk

 # enable crypto-policies support
-sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in
+sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in

 %build
 make %{?_smp_mflags} \
@ -154,8 +141,6 @@ rm -rf %{buildroot}/usr/share/doc/libreswan
 rm -rf %{buildroot}%{_libexecdir}/ipsec/*check

 install -d -m 0755 %{buildroot}%{_rundir}/pluto
-# used when setting --perpeerlog without --perpeerlogbase
-install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer
 install -d %{buildroot}%{_sbindir}

 install -d %{buildroot}%{_sysconfdir}/sysctl.d
@ -216,17 +201,36 @@ certutil -N -d sql:$tmpdir --empty-password
 %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
-%attr(0700,root,root) %dir %{_localstatedir}/log/pluto
-%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
 %attr(0755,root,root) %dir %{_rundir}/pluto
 %attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
 %attr(0644,root,root) %{_unitdir}/ipsec.service
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
+%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
 %{_sbindir}/ipsec
 %{_libexecdir}/ipsec
 %attr(0644,root,root) %doc %{_mandir}/*/*

 %changelog
+* Sun Feb 21 2021 Paul Wouters <pwouters@redhat.com> - 4.3-1
+- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec [update]
+
+* Thu Feb 04 2021 Paul Wouters <pwouters@redhat.com> - 4.2-1
+- Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.2
+- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec
+
+* Tue Oct 27 22:11:42 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.1-1
+- Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.1
+- Resolves: rhbz#1889836 libreswan: add 3.x compat patches for obsoleted/removed keywords of 4.0 and re-port ikev2= patch
+
+* Wed Jul 29 2020 Paul Wouters <pwouters@redhat.com> - 3.32-6
+- Resolves: rhbz#1861360 authby=rsasig must not imply usage of rsa-pss
+
+* Wed Jul 22 2020 Paul Wouters <pwouters@redhat.com> - 3.32-5
+- Resolves: rhbz#1820206 Rebase to libreswan 3.32 [rebuild for USE_NSS_PRF]
+
+* Wed Jul 01 2020 Paul Wouters <pwouters@redhat.com> - 3.32-4
+- Resolves: rhbz#1544463 ipsec service does not work correctly when seccomp filtering is enabled
+
 * Wed Jun 17 2020 Paul Wouters <pwouters@redhat.com> - 3.32-3
 - Resolves: rhbz#1842597 regression: libreswan does not send PLUTO_BYTES env variables to updown script
 - Resolves: rhbz#1847766 subsequent xfrmi interfaces configured outside of libreswan are not recognised properly