From 1dee0d4262c2aaf6a68719ac60b7e29d7b86695b Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Wed, 11 Nov 2020 01:10:27 -0600
Subject: [PATCH] Update upgrade scripts - Support upgrading to Libreswan 4.1
---
 .github/workflows/main.yml | 24 +++++++++---------
 extras/vpnupgrade.sh | 43 ++++++++++++++++++--------------
 extras/vpnupgrade_centos.sh | 49 +++++++++++++++++++++----------------
 3 files changed, 65 insertions(+), 51 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 5751a64..20578b7 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -181,15 +181,15 @@ jobs:
 systemctl restart ipsec
 sleep 10
 grep pluto /var/log/secure
- grep pluto /var/log/secure | grep -q 'added connection description "l2tp-psk"'
- grep pluto /var/log/secure | grep -q 'added connection description "xauth-psk"'
- grep pluto /var/log/secure | grep -q 'added connection description "ikev2-cp"'
+ grep pluto /var/log/secure | grep -q 'added IKEv1 connection "l2tp-psk"'
+ grep pluto /var/log/secure | grep -q 'added IKEv1 connection "xauth-psk"'
+ grep pluto /var/log/secure | grep -q 'added IKEv2 connection "ikev2-cp"'
 else
 sleep 10
 grep pluto /var/log/auth.log
- grep pluto /var/log/auth.log | grep -q 'added connection description "l2tp-psk"'
- grep pluto /var/log/auth.log | grep -q 'added connection description "xauth-psk"'
- grep pluto /var/log/auth.log | grep -q 'added connection description "ikev2-cp"'
+ grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "l2tp-psk"'
+ grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "xauth-psk"'
+ grep pluto /var/log/auth.log | grep -q 'added IKEv2 connection "ikev2-cp"'
 fi
 ls -ld vpnsetup.sh
@@ -373,14 +373,14 @@ jobs:
 sleep 10
 if [ "$OS_NAME" = "centos" ]; then
 grep pluto /var/log/secure
- grep pluto /var/log/secure | grep -q 'added connection description "l2tp-psk"'
- grep pluto /var/log/secure | grep -q 'added connection description "xauth-psk"'
- grep pluto /var/log/secure | grep -q 'added connection description "ikev2-cp"'
+ grep pluto /var/log/secure | grep -q 'added IKEv1 connection "l2tp-psk"'
+ grep pluto /var/log/secure | grep -q 'added IKEv1 connection "xauth-psk"'
+ grep pluto /var/log/secure | grep -q 'added IKEv2 connection "ikev2-cp"'
 else
 grep pluto /var/log/auth.log
- grep pluto /var/log/auth.log | grep -q 'added connection description "l2tp-psk"'
- grep pluto /var/log/auth.log | grep -q 'added connection description "xauth-psk"'
- grep pluto /var/log/auth.log | grep -q 'added connection description "ikev2-cp"'
+ grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "l2tp-psk"'
+ grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "xauth-psk"'
+ grep pluto /var/log/auth.log | grep -q 'added IKEv2 connection "ikev2-cp"'
 fi
 ls -ld vpnsetup.sh
diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
index 63136cf..9d041cf 100644
--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@@ -11,7 +11,7 @@
 # know how you have improved it!
 # Specify which Libreswan version to install. See: https://libreswan.org
-SWAN_VER=3.32
+SWAN_VER=4.1
 ### DO NOT edit below this line ###
@@ -46,14 +46,14 @@ if [ "$(id -u)" != 0 ]; then fi case "$SWAN_VER" in - 3.19|3.2[01235679]|3.3[12]) + 3.19|3.2[01235679]|3.3[12]|4.1) /bin/true ;; *) cat 1>&2 < Makefile.inc.local <<'EOF' -WERROR_CFLAGS = -w -USE_DNSSEC = false -USE_DH31 = false -USE_NSS_AVA_COPY = true -USE_NSS_IPSEC_PROFILE = false -USE_GLIBC_KERN_FLIP_HEADERS = true +WERROR_CFLAGS=-w +USE_DNSSEC=false +USE_DH31=false +USE_NSS_AVA_COPY=true +USE_NSS_IPSEC_PROFILE=false +USE_GLIBC_KERN_FLIP_HEADERS=true EOF -if [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ]; then - echo "USE_DH2 = true" >> Makefile.inc.local +if [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then + echo "USE_DH2=true" >> Makefile.inc.local if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then - echo "USE_XFRM_INTERFACE_IFLA_HEADER = true" >> Makefile.inc.local + echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local fi fi +if [ "$SWAN_VER" = "4.1" ]; then + echo "USE_NSS_KDF=false" >> Makefile.inc.local + echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local +fi if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then apt-get -yq install libsystemd-dev || exiterr2 fi @@ -258,6 +262,8 @@ fi sed -i".old-$(date +%F-%T)" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \ + -e "s/^[[:space:]]\+sha2_truncbug=/ sha2-truncbug=/g" \ + -e "s/^[[:space:]]\+ike-frag=/ fragmentation=/g" \ -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \ -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf 
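Review bot: The keyword renames added in the -258 hunk (`sha2_truncbug=` → `sha2-truncbug=`, `ike-frag=` → `fragmentation=`) run for every SWAN_VER the case allowlist accepts, from 3.19 upward, while the other 4.1-specific changes in this script are gated on `$SWAN_VER`. If any 3.x release still in the allowlist does not accept the new spellings (I have not verified this), the rewrite would turn a working ipsec.conf into one that fails to load, so either confirm that and record it, or gate these two `-e` lines the way the `ikev2=never` block is. A comment above the `sed -i` stating the intent would help either way, e.g. `# Rename ipsec.conf keywords for Libreswan 4.x (ike-frag= -> fragmentation=, sha2_truncbug= -> sha2-truncbug=)`. The identical pair of expressions is added to extras/vpnupgrade_centos.sh in its -261 hunk, so the same applies there.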
@@ -273,7 +279,8 @@ elif [ "$dns_state" = "4" ]; then sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf fi -if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ]; then +if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] \ + || [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf fi diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index d8075a8..d837aa9 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Specify which Libreswan version to install. See: https://libreswan.org -SWAN_VER=3.32 +SWAN_VER=4.1 ### DO NOT edit below this line ### @@ -37,14 +37,14 @@ if [ "$(id -u)" != 0 ]; then fi case "$SWAN_VER" in - 3.19|3.2[01235679]|3.3[12]) + 3.19|3.2[01235679]|3.3[12]|4.1) /bin/true ;; *) cat 1>&2 < Makefile.inc.local <<'EOF' -WERROR_CFLAGS = -w -USE_DNSSEC = false -USE_DH31 = false -USE_NSS_AVA_COPY = true -USE_NSS_IPSEC_PROFILE = false -USE_GLIBC_KERN_FLIP_HEADERS = true +WERROR_CFLAGS=-w +USE_DNSSEC=false +USE_DH31=false +USE_NSS_AVA_COPY=true +USE_NSS_IPSEC_PROFILE=false +USE_GLIBC_KERN_FLIP_HEADERS=true EOF -if [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ]; then - echo "USE_DH2 = true" >> Makefile.inc.local +if [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then + echo "USE_DH2=true" >> Makefile.inc.local if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then - echo "USE_XFRM_INTERFACE_IFLA_HEADER = true" >> Makefile.inc.local + echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local fi fi +if [ "$SWAN_VER" = "4.1" ]; then + echo "USE_NSS_KDF=false" >> Makefile.inc.local + echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local +fi NPROCS=$(grep -c ^processor /proc/cpuinfo) [ -z "$NPROCS" ] && NPROCS=1 make "-j$((NPROCS+1))" -s base && make -s install-base 
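Review bot: The `ikev2=never` condition in the -273 hunk is now the third hand-maintained version list in this file (alongside the `case` allowlist and the `USE_DH2` test), and every Libreswan release means editing all three here and again in extras/vpnupgrade_centos.sh (its -276 hunk), which is how lists like this drift apart. A `case` in the allowlist's own pattern style keeps this block's behavior exactly while making the set easier to compare with the others: `case "$SWAN_VER" in 3.29|3.3[12]|4.1) sed -i "/ikev2=never/d" /etc/ipsec.conf; sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf ;; esac`. The block also gives no hint of why `conn shared` is pinned to IKEv1 only on these versions; a one-line comment such as `# Keep conn shared on IKEv1 (ikev2=never) for Libreswan 3.29/3.31/3.32/4.1` would spare the next maintainer from re-deriving it.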
@@ -250,9 +254,9 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
 fi
 # Restore SELinux contexts
-restorecon /etc/ipsec.d/*db >/dev/null 2>&1
-restorecon /usr/local/sbin -Rv >/dev/null 2>&1
-restorecon /usr/local/libexec/ipsec -Rv >/dev/null 2>&1
+restorecon /etc/ipsec.d/*db 2>/dev/null
+restorecon /usr/local/sbin -Rv 2>/dev/null
+restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
 # Update ipsec.conf
 IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
@@ -261,6 +265,8 @@ PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes
 sed -i".old-$(date +%F-%T)" \
 -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \
 -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \
+ -e "s/^[[:space:]]\+sha2_truncbug=/ sha2-truncbug=/g" \
+ -e "s/^[[:space:]]\+ike-frag=/ fragmentation=/g" \
 -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \
 -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf
@@ -276,7 +282,8 @@ elif [ "$dns_state" = "4" ]; then
 sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
 fi
-if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ]; then
+if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] \
+ || [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then
 sed -i "/ikev2=never/d" /etc/ipsec.conf
 sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
 fi
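Review bot: The three restorecon calls in the -250 hunk still discard stderr, so a failed relabel of the freshly installed `/usr/local/sbin` or `/usr/local/libexec/ipsec` trees (wrong path, tool missing, policy error) passes without a trace even though the `-v` listing is now shown; the unquoted `/etc/ipsec.d/*db` glob has the same problem, since a non-matching pattern is passed literally and the resulting error is hidden. If the suppression exists only for hosts without SELinux tooling, the clearer form is to guard the calls rather than hide their errors: `if command -v restorecon >/dev/null 2>&1; then` around the three lines, with stderr left intact. The first call also lacks the `-v` the other two carry, so its effect remains invisible in the output; presumably unintentional, worth aligning.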