diff --git a/libreswan-3.25-unbound-hook.patch b/libreswan-3.25-unbound-hook.patch
new file mode 100644
index 0000000..007ae73
--- /dev/null
+++ b/libreswan-3.25-unbound-hook.patch
@@ -0,0 +1,35 @@
+commit 9dce290a0d2df5c278ed9442b10954d65cc238e4
+Author: Paul Wouters
+Date: Sun Jul 8 22:29:52 2018 -0400
+
+ _unbound-hook: Fixup adding IPv4 pubkey into pluto. Expect unbound to quote argument as 1
+
+diff --git a/programs/_unbound-hook/_unbound-hook.in b/programs/_unbound-hook/_unbound-hook.in
+index 0d266d5..38279de 100755
+--- a/programs/_unbound-hook/_unbound-hook.in
++++ b/programs/_unbound-hook/_unbound-hook.in
+@@ -29,14 +29,17 @@ try:
+ except:
+ sys.exit("Bad arguments to ipsec _unbound")
+
+-while (argv != []):
++# unbound now quotes the entire RRDATAs, so it counts as 1 argument in the list
++data = argv.pop(0).split(" ")
++
++while (data != []):
+ try:
+- gwprec = argv.pop(0)
+- gwtype = argv.pop(0)
+- gwalg = argv.pop(0)
+- gwid = argv.pop(0)
+- pubkey = argv.pop(0)
+- addkeyip = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
++ gwprec = data.pop(0)
++ gwtype = data.pop(0)
++ gwalg = data.pop(0)
++ gwid = data.pop(0)
++ pubkey = data.pop(0)
++ addkeyip = "ipsec whack --keyid %s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
+ addkeyhostname = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(qname, pubkey)
+ print("processing an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip))
+ print(subprocess.call(addkeyip, shell=True))
diff --git a/libreswan.spec b/libreswan.spec
index a3dc5cd..ad826db 100644
--- a/libreswan.spec
+++ b/libreswan.spec
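Review bot: The new line `data = argv.pop(0).split(" ")` sits outside any handler, so it raises IndexError if the argument list is already empty at that point, and `split(" ")` turns any run of two spaces inside the quoted RRDATA into an empty field that shifts gwprec/gwtype/gwalg/gwid/pubkey out of alignment, which `split()` would not; `data = argv.pop(0).split() if argv else []` covers both. The rewritten `addkeyip` line still assembles a shell command string from the resolver-supplied `ip` and `pubkey`, and the unchanged `subprocess.call(addkeyip, shell=True)` further down runs it through the shell; building an argument list and calling with `shell=False` would keep the RRDATA fields out of shell parsing, which matters because they originate from DNS answers. Only the first argv entry is consumed now, so if unbound ever passes more than one quoted RRDATA the remainder is silently dropped; the added comment should state whether that is intended. The `except` clause belonging to this `try:` and the rest of the loop body lie outside the hunk.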
@@ -30,7 +30,7 @@ Name: libreswan
Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
# version is generated in the release script
Version: 3.25
-Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
+Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}
License: GPLv2
Url: https://libreswan.org/
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
@@ -41,6 +41,7 @@ Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif
Patch1: libreswan-3.25-relax-delete.patch
+Patch2: libreswan-3.25-unbound-hook.patch
Requires(post): bash coreutils systemd
Requires(preun): systemd
@@ -106,6 +107,7 @@ sed -i "s:/usr/bin/python:/usr/bin/python3:" testing/x509/dist_certs.py
# enable crypto-policies support
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in
%patch1 -p1
+%patch2 -p1
%build
%if 0%{with_efence}
@@ -202,7 +204,7 @@ export NSS_DISABLE_HW_GCM=1
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
%attr(0700,root,root) %dir %{_localstatedir}/log/pluto
%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
-%attr(0700,root,root) %dir %{_rundir}/pluto
+%attr(0755,root,root) %dir %{_rundir}/pluto
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
%attr(0644,root,root) %{_unitdir}/ipsec.service
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
@@ -212,6 +214,10 @@ export NSS_DISABLE_HW_GCM=1
%{_libdir}/fipscheck/pluto.hmac
%changelog
+* Mon Jul 09 2018 Paul Wouters - 3.25-3
+- Fix Opportunistic IPsec _unbound-hook argument parsing
+- Make rundir readable for all (so we can hand out permissions later)
+
* Mon Jul 02 2018 Paul Wouters - 3.25-2
- Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors
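Review bot: In the `@@ -202,7 +204,7 @@` hunk, relaxing `%{_rundir}/pluto` from 0700 to 0755 means the directory mode no longer limits who can reach whatever pluto places inside it; access control now rests entirely on each entry's own owner and mode, which this spec does not show, so that should be confirmed before relying on the change. If `%{_tmpfilesdir}/libreswan.conf`, packaged two lines below, also creates this directory at boot, its mode entry has to be changed to match, otherwise the boot-time recreation will differ from the packaged %attr. The motivation only appears in the changelog hunk; a comment above the %attr line, e.g. `# 0755 (was 0700): world-traversable so per-entry permissions can be granted later`, would keep it next to the setting.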