From b803f32b71debbdb5d1060b899a9dea86acb8589 Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Fri, 21 Sep 2018 23:44:29 -0500
Subject: [PATCH] New Libreswan version
- Upgrade to new Libreswan version 3.26
- Ref: https://github.com/libreswan/libreswan/issues/202
- Cleanup
---
 extras/vpnupgrade.sh | 46 ++++++++++++++++++++++---------------
 extras/vpnupgrade_centos.sh | 46 ++++++++++++++++++++++---------------
 vpnsetup.sh | 27 ++++------------------
 vpnsetup_centos.sh | 27 ++++------------------
 4 files changed, 64 insertions(+), 82 deletions(-)
diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
index a551c8c..7f2d422 100644
--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@@ -11,7 +11,7 @@
 # know how you have improved it!
 # Specify which Libreswan version to install. See: https://libreswan.org
-SWAN_VER=3.22
+SWAN_VER=3.26
 ### DO NOT edit below this line ###
@@ -44,11 +44,16 @@ if [ "$(id -u)" != 0 ]; then
 fi
 case "$SWAN_VER" in
- 3.19|3.2[01235])
+ 3.19|3.2[012356])
 /bin/true
 ;;
 *)
- exiterr "Libreswan version '$SWAN_VER' is not supported."
+cat 1>&2 < Makefile.inc.local <<'EOF'
 WERROR_CFLAGS =
 USE_DNSSEC = false
+USE_DH31 = false
 USE_GLIBC_KERN_FLIP_HEADERS = true
 EOF
 if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
@@ -220,34 +228,34 @@ EOF
 if [ "$is_upgrade_to_323_or_newer" = "1" ]; then
 cat <<'EOF'
-IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf
- and replace these two lines:
+IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit
+ /etc/ipsec.conf and replace these two lines:
- modecfgdns1=DNS_SERVER_1
- modecfgdns2=DNS_SERVER_2
+ modecfgdns1=8.8.8.8
+ modecfgdns2=8.8.4.4
 with a single line like this:
- modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+ modecfgdns="8.8.8.8, 8.8.4.4"
- Then run "service ipsec restart".
+ Then run "sudo service ipsec restart".
 EOF
 fi
 if [ "$is_downgrade_to_322_or_older" = "1" ]; then
 cat <<'EOF'
-IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit /etc/ipsec.conf
- and replace this line:
+IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit
+ /etc/ipsec.conf and replace this line:
- modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+ modecfgdns="8.8.8.8, 8.8.4.4"
 with two lines like this:
- modecfgdns1=DNS_SERVER_1
- modecfgdns2=DNS_SERVER_2
+ modecfgdns1=8.8.8.8
+ modecfgdns2=8.8.4.4
- Then run "service ipsec restart".
+ Then run "sudo service ipsec restart".
 EOF
 fi
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh
index 45d068f..7f95d1a 100644
--- a/extras/vpnupgrade_centos.sh
+++ b/extras/vpnupgrade_centos.sh
@@ -11,7 +11,7 @@
 # know how you have improved it!
 # Specify which Libreswan version to install. See: https://libreswan.org
-SWAN_VER=3.22
+SWAN_VER=3.26
 ### DO NOT edit below this line ###
@@ -35,11 +35,16 @@ if [ "$(id -u)" != 0 ]; then
 fi
 case "$SWAN_VER" in
- 3.19|3.2[01235])
+ 3.19|3.2[012356])
 /bin/true
 ;;
 *)
- exiterr "Libreswan version '$SWAN_VER' is not supported."
+cat 1>&2 < Makefile.inc.local <<'EOF'
 WERROR_CFLAGS =
 USE_DNSSEC = false
+USE_DH31 = false
 USE_GLIBC_KERN_FLIP_HEADERS = true
 EOF
 NPROCS="$(grep -c ^processor /proc/cpuinfo)"
@@ -221,34 +229,34 @@ EOF
 if [ "$is_upgrade_to_323_or_newer" = "1" ]; then
 cat <<'EOF'
-IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf
- and replace these two lines:
+IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit
+ /etc/ipsec.conf and replace these two lines:
- modecfgdns1=DNS_SERVER_1
- modecfgdns2=DNS_SERVER_2
+ modecfgdns1=8.8.8.8
+ modecfgdns2=8.8.4.4
 with a single line like this:
- modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+ modecfgdns="8.8.8.8, 8.8.4.4"
- Then run "service ipsec restart".
+ Then run "sudo service ipsec restart".
 EOF
 fi
 if [ "$is_downgrade_to_322_or_older" = "1" ]; then
 cat <<'EOF'
-IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit /etc/ipsec.conf
- and replace this line:
+IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit
+ /etc/ipsec.conf and replace this line:
- modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+ modecfgdns="8.8.8.8, 8.8.4.4"
 with two lines like this:
- modecfgdns1=DNS_SERVER_1
- modecfgdns2=DNS_SERVER_2
+ modecfgdns1=8.8.8.8
+ modecfgdns2=8.8.4.4
- Then run "service ipsec restart".
+ Then run "sudo service ipsec restart".
 EOF
 fi
diff --git a/vpnsetup.sh b/vpnsetup.sh
index c1d692c..cd1fddf 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -36,8 +36,6 @@ YOUR_PASSWORD=''
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 SYS_DT="$(date +%F-%T)"
-SWAN_VER=3.22
-
 exiterr() { echo "Error: $1" >&2; exit 1; }
 exiterr2() { exiterr "'apt-get install' failed."; }
 conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
@@ -71,15 +69,6 @@ if [ "$(id -u)" != 0 ]; then
 exiterr "Script must be run as root. Try 'sudo sh $0'"
 fi
-case "$SWAN_VER" in
- 3.19|3.2[01235])
- /bin/true
- ;;
- *)
- exiterr "Libreswan version '$SWAN_VER' is not supported."
- ;;
-esac
-
 NET_IFACE=${VPN_NET_IFACE:-'eth0'}
 def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')"
 [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')"
@@ -207,6 +196,7 @@ apt-get -yq install fail2ban || exiterr2
 bigecho "Compiling and installing Libreswan..."
+SWAN_VER=3.26
 swan_file="libreswan-$SWAN_VER.tar.gz"
 swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
 swan_url2="https://download.libreswan.org/$swan_file"
@@ -216,11 +206,12 @@ fi
 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
 tar xzf "$swan_file" && /bin/rm -f "$swan_file"
 cd "libreswan-$SWAN_VER" || exit 1
-[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
-sed -i '/docker-targets\.mk/d' Makefile
+sed -i 's/-lfreebl //' mk/config.mk
+sed -i '/blapi\.h/d' programs/pluto/keys.c
 cat > Makefile.inc.local <<'EOF'
 WERROR_CFLAGS =
 USE_DNSSEC = false
+USE_DH31 = false
 USE_GLIBC_KERN_FLIP_HEADERS = true
 EOF
 if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
@@ -285,8 +276,7 @@ conn xauth-psk
 auto=add
 leftsubnet=0.0.0.0/0
 rightaddresspool=$XAUTH_POOL
- modecfgdns1=$DNS_SRV1
- modecfgdns2=$DNS_SRV2
+ modecfgdns="$DNS_SRV1, $DNS_SRV2"
 leftxauthserver=yes
 rightxauthclient=yes
 leftmodecfgserver=yes
@@ -299,13 +289,6 @@ conn xauth-psk
 also=shared
 EOF
-case "$SWAN_VER" in
- 3.2[35])
- sed -i "/modecfgdns/d" /etc/ipsec.conf
- echo " modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"" >> /etc/ipsec.conf
- ;;
-esac
-
 if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then
 PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}')
 check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf
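Review bot: `SWAN_VER=3.26` now pins the exact release fetched from swan_url1/swan_url2, but nothing in this hunk checks the downloaded tarball against a known digest or signature before it is unpacked and built as root, so pinning the version without pinning its hash leaves the build trusting whatever the mirror serves. Since the version is a constant now, a matching constant next to it such as `SWAN_SHA256='<expected sha256 of libreswan-3.26.tar.gz>'` and a verification step after the fetch, `printf '%s  %s\n' "$SWAN_SHA256" "$swan_file" | sha256sum -c - || exiterr "libreswan tarball checksum mismatch"`, would close this. The download itself presumably follows outside the hunk, so the exact placement of the check is inferred from the url assignments shown here. The same applies to the identical hunk in vpnsetup_centos.sh.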
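Review bot: The two new `sed -i` edits on mk/config.mk and programs/pluto/keys.c patch the unpacked upstream source without saying why, and neither verifies that its pattern matched, so on a tarball where those lines have moved the script carries on with an unpatched tree and any failure only surfaces deep in the build. A one-line comment tying them to their reason, presumably the build problem referenced in the commit message (libreswan issue 202), e.g. `# Drop the private freebl link flag/include (see libreswan#202)`, plus a guard such as `grep -q -- '-lfreebl' mk/config.mk || exiterr "unexpected libreswan source layout"` before the edits would make the intent checkable. `USE_DH31 = false` in Makefile.inc.local likewise deserves a comment, since DH group 31 is Curve25519 and clients will no longer be able to negotiate it; if the reason is an NSS version constraint on these distros, say so inline, e.g. `# USE_DH31=false: Curve25519 (DH31) needs a newer NSS than these distros ship`. The same three added lines appear in vpnsetup_centos.sh and in both extras/vpnupgrade*.sh hunks.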
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index f2b12ed..45649e5 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -36,8 +36,6 @@ YOUR_PASSWORD=''
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 SYS_DT="$(date +%F-%T)"
-SWAN_VER=3.22
-
 exiterr() { echo "Error: $1" >&2; exit 1; }
 exiterr2() { exiterr "'yum install' failed."; }
 conf_bk() { /bin/cp -f "$1" "$1.old-$SYS_DT" 2>/dev/null; }
@@ -62,15 +60,6 @@ if [ "$(id -u)" != 0 ]; then
 exiterr "Script must be run as root. Try 'sudo sh $0'"
 fi
-case "$SWAN_VER" in
- 3.19|3.2[01235])
- /bin/true
- ;;
- *)
- exiterr "Libreswan version '$SWAN_VER' is not supported."
- ;;
-esac
-
 NET_IFACE=${VPN_NET_IFACE:-'eth0'}
 def_iface="$(route 2>/dev/null | grep '^default' | grep -o '[^ ]*$')"
 [ -z "$def_iface" ] && def_iface="$(ip -4 route list 0/0 2>/dev/null | grep -Po '(?<=dev )(\S+)')"
@@ -197,6 +186,7 @@ yum "$REPO1" -y install fail2ban || exiterr2
 bigecho "Compiling and installing Libreswan..."
+SWAN_VER=3.26
 swan_file="libreswan-$SWAN_VER.tar.gz"
 swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
 swan_url2="https://download.libreswan.org/$swan_file"
@@ -206,11 +196,12 @@ fi
 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
 tar xzf "$swan_file" && /bin/rm -f "$swan_file"
 cd "libreswan-$SWAN_VER" || exit 1
-[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
-sed -i '/docker-targets\.mk/d' Makefile
+sed -i 's/-lfreebl //' mk/config.mk
+sed -i '/blapi\.h/d' programs/pluto/keys.c
 cat > Makefile.inc.local <<'EOF'
 WERROR_CFLAGS =
 USE_DNSSEC = false
+USE_DH31 = false
 USE_GLIBC_KERN_FLIP_HEADERS = true
 EOF
 NPROCS="$(grep -c ^processor /proc/cpuinfo)"
@@ -272,8 +263,7 @@ conn xauth-psk
 auto=add
 leftsubnet=0.0.0.0/0
 rightaddresspool=$XAUTH_POOL
- modecfgdns1=$DNS_SRV1
- modecfgdns2=$DNS_SRV2
+ modecfgdns="$DNS_SRV1, $DNS_SRV2"
 leftxauthserver=yes
 rightxauthclient=yes
 leftmodecfgserver=yes
@@ -286,13 +276,6 @@ conn xauth-psk
 also=shared
 EOF
-case "$SWAN_VER" in
- 3.2[35])
- sed -i "/modecfgdns/d" /etc/ipsec.conf
- echo " modecfgdns=\"$DNS_SRV1, $DNS_SRV2\"" >> /etc/ipsec.conf
- ;;
-esac
-
 if ip -4 route list 0/0 2>/dev/null | grep -qs ' src '; then
 PRIVATE_IP=$(ip -4 route get 1 | sed 's/ uid .*//' | awk '{print $NF;exit}')
 check_ip "$PRIVATE_IP" && sed -i "s/left=%defaultroute/left=$PRIVATE_IP/" /etc/ipsec.conf