init

2020-02-29 12:42:31 +08:00 · 2020-02-29 12:42:31 +08:00 · f8d20cef99
commit f8d20cef99
parent fcaf8576f5
4 changed files with 230 additions and 0 deletions
--- a/libreswan-3.25-relax-delete.patch
+++ b/libreswan-3.25-relax-delete.patch
@ -0,0 +1,62 @@
+diff --git a/programs/pluto/state.c b/programs/pluto/state.c
+index 7b33145..a3bcc3c 100644
+--- a/programs/pluto/state.c
+++ b/programs/pluto/state.c
+@@ -3155,27 +3155,40 @@ void ISAKMP_SA_established(const struct state *pst)
+ 			d = next;
+ 		}
+ 
+-		if (c->newest_isakmp_sa != SOS_NOBODY &&
+-			c->newest_isakmp_sa != pst->st_serialno) {
+-				struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa);
+		/*
+		 * This only affects IKEv2, since we don't store any
+		 * received INITIAL_CONTACT for IKEv1.
+		 * We don't do this on IKEv1, because it seems to
+		 * confuse various third parties (Windows, Cisco VPN 300,
+		 * and juniper
+		 * likely because this would be called before the IPsec SA
+		 * of QuickMode is installed, so the remote endpoints view
+		 * this IKE SA still as the active one?
+		 */
+		if (pst->st_seen_initialc) {
+ 
+-				DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s",
+-					old_p1->st_connection->name));
+-				old_p1->st_suppress_del_notify = TRUE;
+-				event_force(EVENT_SA_EXPIRE, old_p1);
+-		}
+			if (c->newest_isakmp_sa != SOS_NOBODY &&
+				c->newest_isakmp_sa != pst->st_serialno) {
+					struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa);
+ 
+-		if (pst->st_seen_initialc && (c->newest_ipsec_sa != SOS_NOBODY))
+-		{
+-			struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa);
+-			struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection;
+					DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s",
+						old_p1->st_connection->name));
+					old_p1->st_suppress_del_notify = TRUE;
+					event_force(EVENT_SA_EXPIRE, old_p1);
+			}
+ 
+-			if (c == d && same_id(&c->spd.that.id, &d->spd.that.id))
+			if (c->newest_ipsec_sa != SOS_NOBODY)
+ 			{
+-				DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'",
+-					c->newest_ipsec_sa, c->name));
+-				old_p2->st_suppress_del_notify = TRUE;
+-				event_force(EVENT_SA_EXPIRE, old_p2);
+				struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa);
+				struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection;
+
+				if (c == d && same_id(&c->spd.that.id, &d->spd.that.id))
+				{
+					DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'",
+						c->newest_ipsec_sa, c->name));
+					old_p2->st_suppress_del_notify = TRUE;
+					event_force(EVENT_SA_EXPIRE, old_p2);
+				}
+ 			}
+ 		}
+ 
--- a/libreswan-3.25-unbound-hook.patch
+++ b/libreswan-3.25-unbound-hook.patch
@ -0,0 +1,35 @@
+commit 9dce290a0d2df5c278ed9442b10954d65cc238e4
+Author: Paul Wouters <pwouters@redhat.com>
+Date:   Sun Jul 8 22:29:52 2018 -0400
+
+    _unbound-hook: Fixup adding IPv4 pubkey into pluto. Expect unbound to quote argument as 1
+
+diff --git a/programs/_unbound-hook/_unbound-hook.in b/programs/_unbound-hook/_unbound-hook.in
+index 0d266d5..38279de 100755
+--- a/programs/_unbound-hook/_unbound-hook.in
+++ b/programs/_unbound-hook/_unbound-hook.in
+@@ -29,14 +29,17 @@ try:
+ except:
+     sys.exit("Bad arguments to ipsec _unbound")
+ 
+-while (argv != []):
+# unbound now quotes the entire RRDATAs, so it counts as 1 argument in the list
+data = argv.pop(0).split(" ")
+
+while (data != []):
+     try:
+-        gwprec = argv.pop(0)
+-        gwtype = argv.pop(0)
+-        gwalg = argv.pop(0)
+-        gwid = argv.pop(0)
+-        pubkey = argv.pop(0)
+-        addkeyip = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
+        gwprec = data.pop(0)
+        gwtype = data.pop(0)
+        gwalg = data.pop(0)
+        gwid = data.pop(0)
+        pubkey = data.pop(0)
+        addkeyip = "ipsec whack --keyid %s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
+         addkeyhostname = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(qname, pubkey)
+         print("processing an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip))
+         print(subprocess.call(addkeyip, shell=True))
--- a/libreswan-3.25.tar.gz
+++ b/libreswan-3.25.tar.gz
--- a/libreswan.spec
+++ b/libreswan.spec
@ -0,0 +1,133 @@
+%global libreswan_config \\\
+    FINALMANDIR=%{_mandir} \\\
+    INC_USRLOCAL=%{_prefix} \\\
+    INC_RCDEFAULT=%{_initrddir} \\\
+    FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
+    FIPSPRODUCTCHECK=%{_sysconfdir}/system-fips \\\
+    INITSYSTEM=systemd \\\
+    NSS_REQ_AVA_COPY=false \\\
+    USE_DNSSEC=true \\\
+    USE_FIPSCHECK=true \\\
+    USE_LABELED_IPSEC=true \\\
+    USE_LDAP=true \\\
+    USE_LIBCAP_NG=true \\\
+    USE_LIBCURL=true \\\
+    USE_LINUX_AUDIT=true \\\
+    USE_NM=true \\\
+    USE_SECCOMP=true \\\
+    USE_XAUTHPAM=true \\\
+%{nil}
+
+Name:             libreswan
+Version:          3.25
+Release:          5
+Summary:          A free implementation of IPsec & IKE for Linux
+License:          GPLv2
+Url:              https://libreswan.org/
+Source0:          https://download.libreswan.org/%{name}-%{version}.tar.gz
+
+Patch0001:        libreswan-3.25-relax-delete.patch
+Patch0002:        libreswan-3.25-unbound-hook.patch
+
+BuildRequires:    gcc pkgconfig hostname bison flex systemd-devel nss-devel >= 3.16.1
+BuildRequires:    nspr-devel pam-devel libevent-devel unbound-devel >= 1.6.0-6 ldns-devel
+BuildRequires:    libseccomp-devel libselinux-devel fipscheck-devel audit-libs-devel
+BuildRequires:    libcap-ng-devel openldap-devel curl-devel xmlto
+
+Requires:         fipscheck nss-tools nss-softokn iproute >= 2.6.8 unbound-libs >= 1.6.6
+Requires(post):   bash coreutils systemd
+Requires(preun):  systemd
+Requires(postun): systemd
+
+Provides:         openswan = %{version}-%{release} openswan-doc = %{version}-%{release}
+Obsoletes:        openswan < %{version}-%{release}
+Conflicts:        openswan < %{version}-%{release}
+
+%description
+Libreswan is an Internet Key Exchange (IKE) implementation for Linux.
+It supports IKEv1 and IKEv2 and has support for most of the extensions
+(RFC + IETF drafts) related to IPsec, including IKEv2, X.509 Digital
+Certificates, NAT Traversal, and many others. Libreswan uses the native
+Linux IPsec stack (NETKEY/XFRM) per default.
+
+%package help
+Summary:          Help documents for libreswan
+Requires:         %{name} = %{version}-%{release}
+
+%description help
+Man pages and other related help documents for libreswan.
+
+%prep
+%autosetup -n %{name}-%{version} -p1
+sed -i "s:/usr/bin/python:/usr/bin/python3:" programs/show/show.in
+sed -i "s:/usr/bin/python:/usr/bin/python3:" programs/verify/verify.in
+sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/x509/dist_certs.py
+sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/cert_verify/usage_test
+sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/pluto/ikev1-01-fuzzer/cve-2015-3204.py
+sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/pluto/ikev2-15-fuzzer/send_bad_packets.py
+sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in
+
+%build
+%make_build \
+    USERCOMPILE="-g -DGCC_LINT %{optflags} %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \
+    USERLINK="-g -pie -Wl,-z,relro,-z,now %{?efence}" %{libreswan_config} programs
+FS=$(pwd)
+
+%define __spec_install_post \
+    %{?__debug_package:%{__debug_install_post}} \
+    %{__arch_install_post} \
+    %{__os_install_post} \
+    fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/pluto \
+%{nil}
+
+%install
+%make_install %{libreswan_config}
+FS=$(pwd)
+
+install -d -m 0700 %{buildroot}{%{_rundir}/pluto,%{_localstatedir}/log/pluto/peer}
+install -d %{buildroot}{%{_sbindir},%{_tmpfilesdir},%{_libdir}/fipscheck,%{_sysconfdir}/sysctl.d}
+
+install -m 0644 packaging/fedora/libreswan-sysctl.conf %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
+
+install -m 0644 packaging/fedora/libreswan-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/libreswan.conf
+
+echo "include %{_sysconfdir}/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets
+
+%check
+
+export NSS_DISABLE_HW_GCM=1
+
+%post
+%systemd_post ipsec.service
+
+%preun
+%systemd_preun ipsec.service
+
+%postun
+%systemd_postun_with_restart ipsec.service
+
+%files
+%doc COPYING CREDITS
+%{_sbindir}/ipsec
+%{_libexecdir}/ipsec
+%{_libdir}/fipscheck/pluto.hmac
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
+%attr(0644,root,root) %{_unitdir}/ipsec.service
+%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/{ipsec.conf,pam.d/pluto}
+%attr(0700,root,root) %dir %{_sysconfdir}/{ipsec.d,ipsec.d/policies}
+%attr(0700,root,root) %dir %{_localstatedir}/log/{pluto,pluto/peer}
+%attr(0755,root,root) %dir %{_rundir}/pluto
+%exclude /usr/share/doc/libreswan
+%exclude %{_sysconfdir}/rc.d/rc*
+
+%files help
+%doc README* CHANGES docs/*.* docs/examples
+%doc %{_mandir}/*/*
+
+%changelog
+* Mon Oct 28 2019 yanzhihua <yanzhihua4@huawei.com> - 3.25-4
+- Package init
+