Update to 4.1

0001-fix-libselinux-deprecated.patch

@@ -1,86 +0,0 @@
-From 54b0f3bf7c87ccd8e9f7c74872371d571f0c118c Mon Sep 17 00:00:00 2001
-From: si-gui <245140120@qq.com>
-Date: Tue, 15 Sep 2020 19:57:58 +0800
-Subject: [PATCH] fix libselinux deprecated
-
-Signed-off-by: si-gui <245140120@qq.com>
----
- contrib/labeled-ipsec/getpeercon_server.c | 4 ++--
- programs/pluto/security_selinux.c         | 7 ++-----
- programs/pluto/security_selinux.h         | 2 +-
- 3 files changed, 5 insertions(+), 8 deletions(-)
-
-diff --git a/contrib/labeled-ipsec/getpeercon_server.c b/contrib/labeled-ipsec/getpeercon_server.c
-index 57a24d0..aa2e2b4 100644
---- a/contrib/labeled-ipsec/getpeercon_server.c
-+++ b/contrib/labeled-ipsec/getpeercon_server.c
-@@ -64,7 +64,7 @@ int main(int argc, char *argv[])
- 		srv_sock_path = argv[1];
- 
- 	{
--		security_context_t ctx;
-+		char *ctx;
- 		int rc = getcon(&ctx);
- 
- 		fprintf(stderr, "-> running as %s\n",
-@@ -136,7 +136,7 @@ int main(int argc, char *argv[])
- 		struct sockaddr_in6 *const cli_sock_6addr = (struct sockaddr_in6 *)&cli_sock_saddr;
- 		socklen_t cli_sock_addr_len;
- 		char cli_sock_addr_str[INET6_ADDRSTRLEN + 1];
--		security_context_t ctx;
-+		char *ctx;
- 		char *ctx_str;
- 
- 		//fflush(stdout);
-diff --git a/programs/pluto/security_selinux.c b/programs/pluto/security_selinux.c
-index ac5028e..c09a2d0 100644
---- a/programs/pluto/security_selinux.c
-+++ b/programs/pluto/security_selinux.c
-@@ -27,13 +27,13 @@ void init_avc(void)
- 		DBG_log("selinux support is enabled.");
- 	}
- 
--	if (avc_init("libreswan", NULL, NULL, NULL, NULL) == 0)
-+	if (avc_open(NULL, 0) == 0)
- 		selinux_ready = 1;
- 	else
- 		DBG_log("selinux: could not initialize avc.");
- }
- 
--int within_range(security_context_t sl, security_context_t range)
-+int within_range(char *sl, char *range)
- {
- 	int rtn = 1;
- 	security_id_t slsid;
-@@ -61,7 +61,6 @@ int within_range(security_context_t sl, security_context_t range)
- 	if (rtn != 0) {
- 		DBG_log("within_range: Unable to retrieve sid for range context (%s)",
- 			range);
--		sidput(slsid);
- 		return 0;
- 	}
- 
-@@ -74,8 +73,6 @@ int within_range(security_context_t sl, security_context_t range)
- 	if (rtn != 0) {
- 		DBG_log("within_range: The sl (%s) is not within range of (%s)", sl,
- 			range);
--		sidput(slsid);
--		sidput(rangesid);
- 		return 0;
- 	}
- 	DBG_log("within_range: The sl (%s) is within range of (%s)", sl,
-diff --git a/programs/pluto/security_selinux.h b/programs/pluto/security_selinux.h
-index cccd60f..7c07bd8 100644
---- a/programs/pluto/security_selinux.h
-+++ b/programs/pluto/security_selinux.h
-@@ -20,6 +20,6 @@
- #include <selinux/context.h>
- 
- void init_avc(void);
--int within_range(security_context_t sl, security_context_t range);
-+int within_range(char *sl, char *range);
- 
- #endif /* _SECURITY_SELINUX_H */
--- 
-2.23.0
-

0002-fix-pluto-abort.patch

@@ -1,31 +0,0 @@
-From 4c08ae4152c6dbd9ecc7126c2e32468dcf1a6589 Mon Sep 17 00:00:00 2001
-From: si-gui <245140120@qq.com>
-Date: Tue, 15 Sep 2020 20:19:26 +0800
-Subject: [PATCH] fix libselinux deprecated
-
-Signed-off-by: si-gui <245140120@qq.com>
----
- programs/pluto/ike_alg_encrypt_nss_gcm_ops.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/programs/pluto/ike_alg_encrypt_nss_gcm_ops.c b/programs/pluto/ike_alg_encrypt_nss_gcm_ops.c
-index 4352645..4143186 100644
---- a/programs/pluto/ike_alg_encrypt_nss_gcm_ops.c
-+++ b/programs/pluto/ike_alg_encrypt_nss_gcm_ops.c
-@@ -17,6 +17,13 @@
- 
- #include <libreswan.h>
- 
-+/*
-+ *Special advise from Bob Relyea - needs to go before any nss include
-+ *
-+ */
-+
-+#define NSS_PKCS11_2_0_COMPAT 1
-+
- #include "lswlog.h"
- #include "lswnss.h"
- #include "prmem.h"
--- 
-2.23.0
-

libreswan-3.25-relax-delete.patch

@@ -1,62 +0,0 @@
-diff --git a/programs/pluto/state.c b/programs/pluto/state.c
-index 7b33145..a3bcc3c 100644
---- a/programs/pluto/state.c
-+++ b/programs/pluto/state.c
-@@ -3155,27 +3155,40 @@ void ISAKMP_SA_established(const struct state *pst)
- 			d = next;
- 		}
- 
--		if (c->newest_isakmp_sa != SOS_NOBODY &&
--			c->newest_isakmp_sa != pst->st_serialno) {
--				struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa);
-+		/*
-+		 * This only affects IKEv2, since we don't store any
-+		 * received INITIAL_CONTACT for IKEv1.
-+		 * We don't do this on IKEv1, because it seems to
-+		 * confuse various third parties (Windows, Cisco VPN 300,
-+		 * and juniper
-+		 * likely because this would be called before the IPsec SA
-+		 * of QuickMode is installed, so the remote endpoints view
-+		 * this IKE SA still as the active one?
-+		 */
-+		if (pst->st_seen_initialc) {
- 
--				DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s",
--					old_p1->st_connection->name));
--				old_p1->st_suppress_del_notify = TRUE;
--				event_force(EVENT_SA_EXPIRE, old_p1);
--		}
-+			if (c->newest_isakmp_sa != SOS_NOBODY &&
-+				c->newest_isakmp_sa != pst->st_serialno) {
-+					struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa);
- 
--		if (pst->st_seen_initialc && (c->newest_ipsec_sa != SOS_NOBODY))
--		{
--			struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa);
--			struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection;
-+					DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s",
-+						old_p1->st_connection->name));
-+					old_p1->st_suppress_del_notify = TRUE;
-+					event_force(EVENT_SA_EXPIRE, old_p1);
-+			}
- 
--			if (c == d && same_id(&c->spd.that.id, &d->spd.that.id))
-+			if (c->newest_ipsec_sa != SOS_NOBODY)
- 			{
--				DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'",
--					c->newest_ipsec_sa, c->name));
--				old_p2->st_suppress_del_notify = TRUE;
--				event_force(EVENT_SA_EXPIRE, old_p2);
-+				struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa);
-+				struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection;
-+
-+				if (c == d && same_id(&c->spd.that.id, &d->spd.that.id))
-+				{
-+					DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'",
-+						c->newest_ipsec_sa, c->name));
-+					old_p2->st_suppress_del_notify = TRUE;
-+					event_force(EVENT_SA_EXPIRE, old_p2);
-+				}
- 			}
- 		}
- 

libreswan-3.25-unbound-hook.patch

@@ -1,35 +0,0 @@
-commit 9dce290a0d2df5c278ed9442b10954d65cc238e4
-Author: Paul Wouters <pwouters@redhat.com>
-Date:   Sun Jul 8 22:29:52 2018 -0400
-
-    _unbound-hook: Fixup adding IPv4 pubkey into pluto. Expect unbound to quote argument as 1
-
-diff --git a/programs/_unbound-hook/_unbound-hook.in b/programs/_unbound-hook/_unbound-hook.in
-index 0d266d5..38279de 100755
---- a/programs/_unbound-hook/_unbound-hook.in
-+++ b/programs/_unbound-hook/_unbound-hook.in
-@@ -29,14 +29,17 @@ try:
- except:
-     sys.exit("Bad arguments to ipsec _unbound")
- 
--while (argv != []):
-+# unbound now quotes the entire RRDATAs, so it counts as 1 argument in the list
-+data = argv.pop(0).split(" ")
-+
-+while (data != []):
-     try:
--        gwprec = argv.pop(0)
--        gwtype = argv.pop(0)
--        gwalg = argv.pop(0)
--        gwid = argv.pop(0)
--        pubkey = argv.pop(0)
--        addkeyip = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
-+        gwprec = data.pop(0)
-+        gwtype = data.pop(0)
-+        gwalg = data.pop(0)
-+        gwid = data.pop(0)
-+        pubkey = data.pop(0)
-+        addkeyip = "ipsec whack --keyid %s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
-         addkeyhostname = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(qname, pubkey)
-         print("processing an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip))
-         print(subprocess.call(addkeyip, shell=True))

libreswan.spec

@@ -1,13 +1,16 @@
+%global nss_version 3.44.0-8
+%global unbound_version 1.6.6
 %global libreswan_config \\\
-    FINALMANDIR=%{_mandir} \\\
-    INC_USRLOCAL=%{_prefix} \\\
-    INC_RCDEFAULT=%{_initrddir} \\\
+    SHELL_BINARY=/usr/bin/sh \\\
     FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
-    FIPSPRODUCTCHECK=%{_sysconfdir}/system-fips \\\
+    FINALMANDIR=%{_mandir} \\\
+    PREFIX=%{_prefix} \\\
     INITSYSTEM=systemd \\\
     NSS_REQ_AVA_COPY=false \\\
+    NSS_HAS_IPSEC_PROFILE=true \\\
+    PYTHON_BINARY=%{__python3} \\\
     USE_DNSSEC=true \\\
-    USE_FIPSCHECK=true \\\
+    USE_FIPSCHECK=false \\\
     USE_LABELED_IPSEC=true \\\
     USE_LDAP=true \\\
     USE_LIBCAP_NG=true \\\
@@ -16,90 +19,142 @@
     USE_NM=true \\\
     USE_SECCOMP=true \\\
     USE_XAUTHPAM=true \\\
+    USE_NSS_KDF=true \\\
 %{nil}
 
-Name:             libreswan
-Version:          3.25
-Release:          10
-Summary:          A free implementation of IPsec & IKE for Linux
-License:          GPLv2
-Url:              https://github.com/libreswan/libreswan
-Source0:          https://github.com/libreswan/libreswan/archive/v%{version}.tar.gz
-Source1:          openeuler-libreswan-sysctl.conf
-Source2:          openeuler-libreswan-tmpfiles.conf
 
-Patch0001:        libreswan-3.25-relax-delete.patch
-Patch0002:        libreswan-3.25-unbound-hook.patch
-Patch0003:        0001-fix-libselinux-deprecated.patch
-Patch0004:        0002-fix-pluto-abort.patch
+Name: libreswan
+Summary: IKE implementation for IPsec with IKEv1 and IKEv2 support
+Version: 4.1
+Release: 1
+License: GPLv2
+Url: https://libreswan.org/
+Source0: https://download.libreswan.org/%{name}-%{version}.tar.gz
+Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
+Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
+Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
+Source4: openeuler-libreswan-sysctl.conf
 
-BuildRequires:    gcc pkgconfig hostname bison flex systemd-devel nss-devel >= 3.16.1
-BuildRequires:    nspr-devel pam-devel libevent-devel unbound-devel >= 1.6.0-6 ldns-devel
-BuildRequires:    libseccomp-devel libselinux-devel fipscheck-devel audit-libs-devel
-BuildRequires:    libcap-ng-devel openldap-devel curl-devel xmlto
+BuildRequires: audit-libs-devel
+BuildRequires: bison
+BuildRequires: curl-devel
+BuildRequires: flex
+BuildRequires: gcc make
+BuildRequires: ldns-devel
+BuildRequires: libcap-ng-devel
+BuildRequires: libevent-devel
+BuildRequires: libseccomp-devel
+BuildRequires: libselinux-devel
+BuildRequires: nspr-devel
+BuildRequires: nss-devel >= %{nss_version}
+BuildRequires: nss-tools
+BuildRequires: openldap-devel
+BuildRequires: pam-devel
+BuildRequires: pkgconfig
+BuildRequires: hostname
+BuildRequires: systemd-devel
+BuildRequires: unbound-devel >= %{unbound_version}
+BuildRequires: xmlto
 
-Requires:         fipscheck nss-tools nss-softokn iproute >= 2.6.8 unbound-libs >= 1.6.6
-Requires(post):   bash coreutils systemd
-Requires(preun):  systemd
+Requires: %{name}-help = %{version}-%{release}
+Requires: iproute >= 2.6.8
+Requires: nss >= %{nss_version}
+Requires: nss-softokn
+Requires: nss-tools
+Requires: unbound-libs >= %{unbound_version}
+Requires(post): bash
+Requires(post): coreutils
+Requires(post): systemd
+Requires(preun): systemd
 Requires(postun): systemd
 
-Provides:         openswan = %{version}-%{release} openswan-doc = %{version}-%{release}
-Obsoletes:        openswan < %{version}-%{release}
-Conflicts:        openswan < %{version}-%{release}
-
 %description
-Libreswan is an Internet Key Exchange (IKE) implementation for Linux.
-It supports IKEv1 and IKEv2 and has support for most of the extensions
-(RFC + IETF drafts) related to IPsec, including IKEv2, X.509 Digital
-Certificates, NAT Traversal, and many others. Libreswan uses the native
-Linux IPsec stack (NETKEY/XFRM) per default.
+Libreswan is an implementation of IKEv1 and IKEv2 for IPsec. IPsec is
+the Internet Protocol Security and uses strong cryptography to provide
+both authentication and encryption services.  These services allow you
+to build secure tunnels through untrusted networks.  Everything passing
+through the untrusted net is encrypted by the ipsec gateway machine and
+decrypted by the gateway at the other end of the tunnel.  The resulting
+tunnel is a virtual private network or VPN.
+
+This package contains the daemons and userland tools for setting up
+Libreswan.
+
+Libreswan also supports IKEv2 (RFC7296) and Secure Labeling
+
+Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
 
 %package help
-Summary:          Help documents for libreswan
-Requires:         %{name} = %{version}-%{release}
+Summary:    Help documents for libreswan
 
 %description help
 Man pages and other related help documents for libreswan.
 
 %prep
-%autosetup -n %{name}-%{version} -p1
-sed -i "s:/usr/bin/python:/usr/bin/python3:" programs/show/show.in
-sed -i "s:/usr/bin/python:/usr/bin/python3:" programs/verify/verify.in
-sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/x509/dist_certs.py
-sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/cert_verify/usage_test
-sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/pluto/ikev1-01-fuzzer/cve-2015-3204.py
-sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/pluto/ikev2-15-fuzzer/send_bad_packets.py
-sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in
+%setup -q -n libreswan-%{version}%{?prever}
+
+sed -i "s/-lfreebl //" mk/config.mk
+
+sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
+
+sed -i "s/-pthread$/-DALLOW_MICROSOFT_BAD_PROPOSAL -pthread/" mk/config.mk
+
+sed -i '/config setup/a\\t# Specifies a directory forNSS database files\n\tnssdir=/etc/ipsec.d' configs/ipsec.conf.in
+
+sed -i '/ipsec --checknss/s/$/ --nssdir \/etc\/ipsec.d/' ./initsystems/systemd/ipsec.service.in
 
 %build
-%make_build \
-    USERCOMPILE="-g -DGCC_LINT %{optflags} %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \
-    USERLINK="-g -pie -Wl,-z,relro,-z,now %{?efence}" %{libreswan_config} programs
+make %{?_smp_mflags} \
+    OPTIMIZE_CFLAGS="%{optflags}" \
+    WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch -Wno-maybe-uninitialized" \
+    USERLINK="-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -flto --no-lto" \
+    %{libreswan_config} \
+    programs
 FS=$(pwd)
 
-%define __spec_install_post \
-    %{?__debug_package:%{__debug_install_post}} \
-    %{__arch_install_post} \
-    %{__os_install_post} \
-    fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/pluto \
-%{nil}
-
 %install
-%make_install %{libreswan_config}
+make \
+  DESTDIR=%{buildroot} \
+  %{libreswan_config} \
+  install
 FS=$(pwd)
+rm -rf %{buildroot}/usr/share/doc/libreswan
+rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
 
-install -d -m 0700 %{buildroot}{%{_rundir}/pluto,%{_localstatedir}/log/pluto/peer}
-install -d %{buildroot}{%{_sbindir},%{_tmpfilesdir},%{_libdir}/fipscheck,%{_sysconfdir}/sysctl.d}
+install -d -m 0755 %{buildroot}%{_rundir}/pluto
+install -d %{buildroot}%{_sbindir}
 
-install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
+install -d %{buildroot}%{_sysconfdir}/sysctl.d
+install -m 0644 %{SOURCE4} \
+  %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
 
-install -m 0644 %{SOURCE2} %{buildroot}%{_tmpfilesdir}/libreswan.conf
-
-echo "include %{_sysconfdir}/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets
+echo "include %{_sysconfdir}/ipsec.d/*.secrets" \
+     > %{buildroot}%{_sysconfdir}/ipsec.secrets
+rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
 
 %check
+cp %{SOURCE1} %{SOURCE2} %{SOURCE3} .
+bunzip2 *.fax.bz2
+
+: starting CAVS test for IKEv2
+%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \
+    diff -u ikev2.fax - > /dev/null
+: starting CAVS test for IKEv1 RSASIG
+%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \
+    diff -u ikev1_dsa.fax - > /dev/null
+: starting CAVS test for IKEv1 PSK
+%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
+    diff -u ikev1_psk.fax - > /dev/null
+: CAVS tests passed
+
+%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; }
+%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; }
+
+tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
+certutil -N -d sql:$tmpdir --empty-password
+%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir
+: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST
 
-export NSS_DISABLE_HW_GCM=1
 
 %post
 %systemd_post ipsec.service
@@ -111,27 +166,29 @@ export NSS_DISABLE_HW_GCM=1
 %systemd_postun_with_restart ipsec.service
 
 %files
-%doc COPYING CREDITS
-%{_sbindir}/ipsec
-%{_libexecdir}/ipsec
-%{_libdir}/fipscheck/pluto.hmac
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
-%attr(0644,root,root) %{_unitdir}/ipsec.service
-%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
+%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
+%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/{ipsec.conf,pam.d/pluto}
-%attr(0700,root,root) %dir %{_sysconfdir}/{ipsec.d,ipsec.d/policies}
-%attr(0700,root,root) %dir %{_localstatedir}/log/{pluto,pluto/peer}
 %attr(0755,root,root) %dir %{_rundir}/pluto
-%exclude /usr/share/doc/libreswan
-%exclude %{_sysconfdir}/rc.d/rc*
+%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
+%attr(0644,root,root) %{_unitdir}/ipsec.service
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
+%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec/nss
+%{_sbindir}/ipsec
+%{_libexecdir}/ipsec
 
 %files help
-%doc README* CHANGES docs/*.* docs/examples
-%doc %{_mandir}/*/*
+%doc CHANGES COPYING CREDITS README* LICENSE
+%doc docs/*.* docs/examples
+%attr(0644,root,root) %doc %{_mandir}/*/*
 
 %changelog
+* Fri Dec 04 2020 lingsheng <lingsheng@huawei.com> - 4.1-1
+- Update to 4.1
+
 * Tue Sep 15 2020 Guoshuai Sun <sunguoshuai@huawei.com> - 3.25-10
 - Fix pluto abort
 

libreswan.yaml

@@ -1,4 +1,4 @@
-version_control: github
-src_repo:  libreswan/libreswan
-tag_prefix: ^v
-seperator: .
+version_control: github
+src_repo:  libreswan/libreswan
+tag_prefix: "^v"
+separator: "."

openeuler-libreswan-tmpfiles.conf

@@ -1 +0,0 @@
-d /run/pluto 755 root root -