New Libreswan version

- Support upgrading to Libreswan 4.9.
- Compilation of Libreswan 4.9 on Ubuntu 18.04 requires newer
  versions of NSS packages. They are installed in a similar way
  as apply_ubuntu1804_nss_fix in ikev2setup.sh.
  Ref: https://github.com/libreswan/libreswan/issues/892

extras/vpnupgrade_alpine.sh

@@ -69,7 +69,7 @@ EOF
 }
 
 get_swan_ver() {
-  swan_ver_cur=4.7
+  swan_ver_cur=4.9
   base_url="https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0"
   swan_ver_url="$base_url/upg-v1-$os_type-$os_ver-swanver"
   swan_ver_latest=$(wget -t 2 -T 10 -qO- "$swan_ver_url" | head -n 1)
@@ -80,6 +80,9 @@ get_swan_ver() {
 }
 
 check_swan_ver() {
+  if [ "$SWAN_VER" = "4.8" ]; then
+    exiterr "Libreswan version 4.8 is not supported."
+  fi
   if ! printf '%s\n%s' "4.5" "$SWAN_VER" | sort -C -V \
     || ! printf '%s\n%s' "$SWAN_VER" "$swan_ver_cur" | sort -C -V; then
 cat 1>&2 <<EOF
@@ -174,8 +177,11 @@ WERROR_CFLAGS=-w -s
 USE_DNSSEC=false
 USE_DH2=true
 FINALNSSDIR=/etc/ipsec.d
-USE_GLIBC_KERN_FLIP_HEADERS=true
 EOF
+  if [ "$SWAN_VER" = "4.5" ] || [ "$SWAN_VER" = "4.6" ] \
+    || [ "$SWAN_VER" = "4.7" ]; then
+    echo "USE_GLIBC_KERN_FLIP_HEADERS=true" >> Makefile.inc.local
+  fi
   NPROCS=$(grep -c ^processor /proc/cpuinfo)
   [ -z "$NPROCS" ] && NPROCS=1
   (

extras/vpnupgrade_amzn.sh

@@ -52,7 +52,7 @@ EOF
 }
 
 get_swan_ver() {
-  swan_ver_cur=4.7
+  swan_ver_cur=4.9
   base_url="https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0"
   swan_ver_url="$base_url/upg-v1-amzn-2-swanver"
   swan_ver_latest=$(wget -t 2 -T 10 -qO- "$swan_ver_url" | head -n 1)
@@ -63,6 +63,9 @@ get_swan_ver() {
 }
 
 check_swan_ver() {
+  if [ "$SWAN_VER" = "4.8" ]; then
+    exiterr "Libreswan version 4.8 is not supported."
+  fi
   if [ "$SWAN_VER" != "3.32" ] \
     && { ! printf '%s\n%s' "4.1" "$SWAN_VER" | sort -C -V \
     || ! printf '%s\n%s' "$SWAN_VER" "$swan_ver_cur" | sort -C -V; }; then
@@ -156,15 +159,19 @@ install_libreswan() {
 cat > Makefile.inc.local <<'EOF'
 WERROR_CFLAGS=-w -s
 USE_DNSSEC=false
+USE_DH2=true
 EOF
-  echo "USE_DH2=true" >> Makefile.inc.local
+  if [ "$SWAN_VER" != "3.32" ]; then
+cat >> Makefile.inc.local <<'EOF'
+USE_NSS_KDF=false
+USE_LINUX_AUDIT=false
+USE_SECCOMP=false
+FINALNSSDIR=/etc/ipsec.d
+EOF
+  fi
   if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
     echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
   fi
-  if [ "$SWAN_VER" != "3.32" ]; then
-    echo "USE_NSS_KDF=false" >> Makefile.inc.local
-    echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local
-  fi
   NPROCS=$(grep -c ^processor /proc/cpuinfo)
   [ -z "$NPROCS" ] && NPROCS=1
   (

extras/vpnupgrade_centos.sh

@@ -85,7 +85,7 @@ EOF
 }
 
 get_swan_ver() {
-  swan_ver_cur=4.7
+  swan_ver_cur=4.9
   base_url="https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0"
   swan_ver_url="$base_url/upg-v1-$os_type-$os_ver-swanver"
   swan_ver_latest=$(wget -t 2 -T 10 -qO- "$swan_ver_url" | head -n 1)
@@ -96,6 +96,9 @@ get_swan_ver() {
 }
 
 check_swan_ver() {
+  if [ "$SWAN_VER" = "4.8" ]; then
+    exiterr "Libreswan version 4.8 is not supported."
+  fi
   if [ "$SWAN_VER" != "3.32" ] \
     && { ! printf '%s\n%s' "4.1" "$SWAN_VER" | sort -C -V \
     || ! printf '%s\n%s' "$SWAN_VER" "$swan_ver_cur" | sort -C -V; }; then
@@ -208,15 +211,19 @@ install_libreswan() {
 cat > Makefile.inc.local <<'EOF'
 WERROR_CFLAGS=-w -s
 USE_DNSSEC=false
+USE_DH2=true
 EOF
-  echo "USE_DH2=true" >> Makefile.inc.local
+  if [ "$SWAN_VER" != "3.32" ]; then
+cat >> Makefile.inc.local <<'EOF'
+USE_NSS_KDF=false
+USE_LINUX_AUDIT=false
+USE_SECCOMP=false
+FINALNSSDIR=/etc/ipsec.d
+EOF
+  fi
   if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
     echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
   fi
-  if [ "$SWAN_VER" != "3.32" ]; then
-    echo "USE_NSS_KDF=false" >> Makefile.inc.local
-    echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local
-  fi
   NPROCS=$(grep -c ^processor /proc/cpuinfo)
   [ -z "$NPROCS" ] && NPROCS=1
   (

extras/vpnupgrade_ubuntu.sh

@@ -75,7 +75,7 @@ EOF
 }
 
 get_swan_ver() {
-  swan_ver_cur=4.7
+  swan_ver_cur=4.9
   base_url="https://github.com/hwdsl2/vpn-extras/releases/download/v1.0.0"
   swan_ver_url="$base_url/upg-v1-$os_type-$os_ver-swanver"
   swan_ver_latest=$(wget -t 2 -T 10 -qO- "$swan_ver_url" | head -n 1)
@@ -86,6 +86,9 @@ get_swan_ver() {
 }
 
 check_swan_ver() {
+  if [ "$SWAN_VER" = "4.8" ]; then
+    exiterr "Libreswan version 4.8 is not supported."
+  fi
   if [ "$SWAN_VER" = "3.32" ] && [ "$os_ver" = "11" ]; then
     exiterr "Libreswan 3.32 is not supported on Debian 11."
   fi
@@ -168,6 +171,34 @@ install_pkgs() {
   ) || exiterr2
 }
 
+install_nss_pkgs() {
+  os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-')
+  if [ "$os_type" = "ubuntu" ] && [ "$os_ver" = "bustersid" ] && [ "$os_arch" = "x86_64" ]; then
+    nss_url1="https://mirrors.kernel.org/ubuntu/pool/main/n/nss"
+    nss_url2="https://mirrors.kernel.org/ubuntu/pool/universe/n/nss"
+    nss_deb1="libnss3_3.49.1-1ubuntu1.8_amd64.deb"
+    nss_deb2="libnss3-dev_3.49.1-1ubuntu1.8_amd64.deb"
+    nss_deb3="libnss3-tools_3.49.1-1ubuntu1.8_amd64.deb"
+    bigecho "Installing NSS packages on Ubuntu 18.04..."
+    if tmpdir=$(mktemp --tmpdir -d vpn.XXXXX 2>/dev/null); then
+      nss_dl=0
+      if wget -t 3 -T 30 -q -O "$tmpdir/1.deb" "$nss_url1/$nss_deb1" \
+        && wget -t 3 -T 30 -q -O "$tmpdir/2.deb" "$nss_url1/$nss_deb2" \
+        && wget -t 3 -T 30 -q -O "$tmpdir/3.deb" "$nss_url2/$nss_deb3"; then
+        apt-get -yqq install "$tmpdir/1.deb" "$tmpdir/2.deb" "$tmpdir/3.deb" >/dev/null
+      else
+        nss_dl=1
+        echo "Error: Could not download NSS packages." >&2
+      fi
+      /bin/rm -f "$tmpdir/1.deb" "$tmpdir/2.deb" "$tmpdir/3.deb"
+      /bin/rmdir "$tmpdir"
+      [ "$nss_dl" = 1 ] && exit 1
+    else
+      exiterr "Could not create temporary directory."
+    fi
+  fi
+}
+
 get_libreswan() {
   bigecho "Downloading Libreswan..."
   cd /opt/src || exit 1
@@ -190,6 +221,7 @@ install_libreswan() {
 cat > Makefile.inc.local <<'EOF'
 WERROR_CFLAGS=-w -s
 USE_DNSSEC=false
+USE_DH2=true
 EOF
   if [ "$SWAN_VER" = "3.32" ]; then
 cat >> Makefile.inc.local <<'EOF'
@@ -197,16 +229,16 @@ USE_DH31=false
 USE_NSS_AVA_COPY=true
 USE_NSS_IPSEC_PROFILE=false
 USE_GLIBC_KERN_FLIP_HEADERS=true
+EOF
+  else
+cat >> Makefile.inc.local <<'EOF'
+USE_NSS_KDF=false
+FINALNSSDIR=/etc/ipsec.d
 EOF
   fi
-  echo "USE_DH2=true" >> Makefile.inc.local
   if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
     echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
   fi
-  if [ "$SWAN_VER" != "3.32" ]; then
-    echo "USE_NSS_KDF=false" >> Makefile.inc.local
-    echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local
-  fi
   NPROCS=$(grep -c ^processor /proc/cpuinfo)
   [ -z "$NPROCS" ] && NPROCS=1
   (
@@ -314,6 +346,7 @@ vpnupgrade() {
   start_setup
   update_apt_cache
   install_pkgs
+  install_nss_pkgs
   get_libreswan
   install_libreswan
   update_ikev2_script