- Updated to 4.2

.gitignore

@@ -37,3 +37,4 @@
 /libreswan-4.0.tar.gz
 /libreswan-4.1.tar.gz
 /libreswan-4.2rc1.tar.gz
+/libreswan-4.2.tar.gz

libreswan.spec

@@ -3,54 +3,50 @@
 %global with_efence 0
 %global with_development 0
 %global with_cavstests 1
-# minimum version for support for rhbz#1651314
-%global nss_version 3.44.0-8
+%global nss_version 3.52
 %global unbound_version 1.6.6
-# Libreswan config options. With these settings, libreswan
-# does not require its own FIPS validation. Only the system
-# and NSS needs to be FIPS validated.
+# Libreswan config options
 %global libreswan_config \\\
-    SHELL_BINARY=/usr/bin/sh \\\
     FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
     FINALMANDIR=%{_mandir} \\\
     PREFIX=%{_prefix} \\\
     INITSYSTEM=systemd \\\
-    NSS_REQ_AVA_COPY=false \\\
-    NSS_HAS_IPSEC_PROFILE=true \\\
     PYTHON_BINARY=%{__python3} \\\
+    SHELL_BINARY=%{_bindir}/sh \\\
     USE_DNSSEC=true \\\
-    USE_FIPSCHECK=false \\\
     USE_LABELED_IPSEC=true \\\
     USE_LDAP=true \\\
     USE_LIBCAP_NG=true \\\
     USE_LIBCURL=true \\\
     USE_LINUX_AUDIT=true \\\
     USE_NM=true \\\
+    USE_NSS_IPSEC_PROFILE=true \\\
     USE_SECCOMP=true \\\
-    USE_XAUTHPAM=true \\\
-    USE_NSS_KDF=false \\\
+    USE_AUTHPAM=true \\\
 %{nil}
 
-%global prever rc1
+#global prever dr1
 
 Name: libreswan
-Summary: IKE implementation for IPsec with IKEv1 and IKEv2 support
+Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
 # version is generated in the release script
 Version: 4.2
-Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}.1
+Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
 License: GPLv2
 Url: https://libreswan.org/
-Source0: https://download.libreswan.org/%{?prever:with_development/}%{name}-%{version}%{?prever}.tar.gz
+Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
 %if 0%{with_cavstests}
 Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
 Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
 %endif
+
 BuildRequires: audit-libs-devel
 BuildRequires: bison
 BuildRequires: curl-devel
 BuildRequires: flex
 BuildRequires: gcc make
+BuildRequires: hostname
 BuildRequires: ldns-devel
 BuildRequires: libcap-ng-devel
 BuildRequires: libevent-devel
@@ -58,12 +54,10 @@ BuildRequires: libseccomp-devel
 BuildRequires: libselinux-devel
 BuildRequires: nspr-devel
 BuildRequires: nss-devel >= %{nss_version}
-BuildRequires: nss-tools
+BuildRequires: nss-tools >= %{nss_version}
 BuildRequires: openldap-devel
 BuildRequires: pam-devel
 BuildRequires: pkgconfig
-BuildRequires: hostname
-BuildRequires: redhat-rpm-config
 BuildRequires: systemd-devel
 BuildRequires: unbound-devel >= %{unbound_version}
 BuildRequires: xmlto
@@ -82,7 +76,7 @@ Requires(preun): systemd
 Requires(postun): systemd
 
 %description
-Libreswan is an implementation of IKEv1 and IKEv2 for IPsec. IPsec is
+Libreswan is a free implementation of IPsec & IKE for Linux.  IPsec is
 the Internet Protocol Security and uses strong cryptography to provide
 both authentication and encryption services.  These services allow you
 to build secure tunnels through untrusted networks.  Everything passing
@@ -99,41 +93,31 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
 
 %prep
 %setup -q -n libreswan-%{version}%{?prever}
-
-# replace unsupported KLIPS README
-echo "KLIPS is not supported with RHEL8" > README.KLIPS
-
-# linking to freebl is not needed
-sed -i "s/-lfreebl //" mk/config.mk
-
 # enable crypto-policies support
 sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
 
-# Restore -DALLOW_MICROSOFT_BAD_PROPOSAL for L2TP/IPsec
-sed -i "s/-pthread$/-DALLOW_MICROSOFT_BAD_PROPOSAL -pthread/" mk/config.mk
-
 %build
-# link flags disable hardening because it fails on arm with what looks like gcc bugs in -Werror=lto-type-mismatch
 make %{?_smp_mflags} \
 %if 0%{with_development}
     OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \
 %else
     OPTIMIZE_CFLAGS="%{optflags}" \
 %endif
+    WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch -Wno-maybe-uninitialized" \
 %if 0%{with_efence}
     USE_EFENCE=true \
 %endif
-    WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch -Wno-maybe-uninitialized" \
-    USERLINK="-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -flto --no-lto" \
+    USERLINK="%{?__global_ldflags} -Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -flto --no-lto" \
     %{libreswan_config} \
     programs
 FS=$(pwd)
 
+
 %install
 make \
-  DESTDIR=%{buildroot} \
-  %{libreswan_config} \
-  install
+    DESTDIR=%{buildroot} \
+    %{libreswan_config} \
+    install
 FS=$(pwd)
 rm -rf %{buildroot}/usr/share/doc/libreswan
 rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
@@ -143,10 +127,10 @@ install -d %{buildroot}%{_sbindir}
 
 install -d %{buildroot}%{_sysconfdir}/sysctl.d
 install -m 0644 packaging/fedora/libreswan-sysctl.conf \
-  %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
+    %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
 
 echo "include %{_sysconfdir}/ipsec.d/*.secrets" \
-     > %{buildroot}%{_sysconfdir}/ipsec.secrets
+    > %{buildroot}%{_sysconfdir}/ipsec.secrets
 rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
 
 %if 0%{with_cavstests}
@@ -167,9 +151,12 @@ bunzip2 *.fax.bz2
 %{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
     diff -u ikev1_psk.fax - > /dev/null
 : CAVS tests passed
+%endif
 
+# Some of these tests will show ERROR for negative testing - it will exit on real errors
 %{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; }
 %{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; }
+: Algorithm parser tests passed
 
 # self test for pluto daemon - this also shows which algorithms it allows in FIPS mode
 tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
@@ -177,8 +164,6 @@ certutil -N -d sql:$tmpdir --empty-password
 %{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir
 : pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST
 
-%endif
-
 %post
 %systemd_post ipsec.service
 
@@ -198,16 +183,20 @@ certutil -N -d sql:$tmpdir --empty-password
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
 %attr(0755,root,root) %dir %{_rundir}/pluto
+%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec
+%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec/nss
 %attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
 %attr(0644,root,root) %{_unitdir}/ipsec.service
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
-%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec/nss
+%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
 %{_sbindir}/ipsec
 %{_libexecdir}/ipsec
-%attr(0644,root,root) %doc %{_mandir}/*/*
-%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
+%doc %{_mandir}/*/*
 
 %changelog
+* Wed Feb 03 2021 Paul Wouters <pwouters@redhat.com> - 4.2-1
+- Update to 4.2
+
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.2-0.1.rc1.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 

sources

@@ -1,4 +1,4 @@
-SHA512 (libreswan-4.2rc1.tar.gz) = e218a3edc0d16dcf12fac7e59d4672fa96e867b6d739e05f54db6646af00092c25980aaeb0d93285ce147329d90a4e998cfc2d8b86d69aa885e0e464b4869ea0
+SHA512 (libreswan-4.2.tar.gz) = 290be2e36fb41959c9889597aad8ab5df1edc1999ed7315e8f2e50213de073732c91ad497a2b5634f7bc83bca84089ef9f711420a77309c6cce243f1419a2d0f
 SHA512 (ikev1_dsa.fax.bz2) = 627cbac14248bd68e8d22fbca247668a7749ef0c2e41df8d776d62df9a21403d3a246c0bd82c3faedce62de90b9f91a87f753e17b056319000bba7d2038461ac
 SHA512 (ikev1_psk.fax.bz2) = 1b2daec32edc56b410c036db2688c92548a9bd9914994bc7e555b301dd6db4497a6b3e89dc12ddf36826ae90b40fcde501a5a45c0d59098e07839073d219d467
 SHA512 (ikev2.fax.bz2) = 0d3748d1bd574f6f1f3e4db847eca126ce649566ea710ef227426f433122752b80d1d6b8acf9d0df07b5597c1e45447e3a2fcb3391756e834e8e75f99df8e51e