From f69a0a9c97b9049dc4d0d7fc58fb1bb4775db4b4 Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Sun, 9 Jun 2019 00:15:11 -0500
Subject: [PATCH] New Libreswan version

- Upgrade Libreswan to 3.28
- Patches applied for Debian and CentOS 6. See 1659d03
---
 vpnsetup.sh | 15 +++++++++++++--
 vpnsetup_centos.sh | 9 +++++++--
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/vpnsetup.sh b/vpnsetup.sh
index 5767e5e..a8664db 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -170,7 +170,7 @@ apt-get -yq install fail2ban || exiterr2
 bigecho "Compiling and installing Libreswan..."
-SWAN_VER=3.27
+SWAN_VER=3.28
 swan_file="libreswan-$SWAN_VER.tar.gz"
 swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
 swan_url2="https://download.libreswan.org/$swan_file"
@@ -180,10 +180,21 @@ fi
 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
 tar xzf "$swan_file" && /bin/rm -f "$swan_file"
 cd "libreswan-$SWAN_VER" || exit 1
+if ! printf '%s' "$os_type" | head -n 1 | grep -qiF ubuntu; then
+ apt-get -yq install patch || exiterr2
+ patch_url1="https://raw.githubusercontent.com/libreswan/libreswan/37c4736/programs/barf/barf.in"
+ patch_url2="https://github.com/libreswan/libreswan/commit/716f4b7.patch"
+ wget -t 3 -T 30 -nv -O programs/barf/barf.in "$patch_url1" || exit 1
+ wget -t 3 -T 30 -nv -O xfrm.patch "$patch_url2" || exit 1
+ patch -s -p1 < xfrm.patch || exit 1
+ /bin/rm -f xfrm.patch
+fi
 cat > Makefile.inc.local <<'EOF'
 WERROR_CFLAGS =
 USE_DNSSEC = false
 USE_DH31 = false
+USE_NSS_AVA_COPY = true
+USE_NSS_IPSEC_PROFILE = false
 USE_GLIBC_KERN_FLIP_HEADERS = true
 EOF
 if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
@@ -234,6 +245,7 @@ conn shared
 dpddelay=30
 dpdtimeout=120
 dpdaction=clear
+ ikev2=never
 ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
 phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
 sha2-truncbug=yes
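Review bot: In the `@@ -180,10 +180,21 @@` hunk of vpnsetup.sh, the two `wget` downloads go straight into the source tree and into `patch` with no integrity check, and both URLs name their commit by a seven-character abbreviation (`37c4736`, `716f4b7`) rather than a full commit id. Because the patched tree is then compiled and installed by this script, the files should be fetched under temporary names, compared against digests recorded in the script, and only then moved into place or applied; the URLs should carry the full 40-character ids. The digest values below are placeholders to be filled in from the reviewed files, and if the served `.patch` bytes turn out not to be stable, keeping a copy of the patch in this repository avoids the download altogether.

```shell
if ! printf '%s' "$os_type" | head -n 1 | grep -qiF ubuntu; then
  # … unchanged: apt-get install patch, patch_url1 / patch_url2 (with full commit ids) …
  # Placeholders: record the SHA-256 of the reviewed files here.
  barf_sha256="<SHA256_OF_REVIEWED_BARF_IN>"
  xfrm_sha256="<SHA256_OF_REVIEWED_XFRM_PATCH>"
  wget -t 3 -T 30 -nv -O barf.in.new "$patch_url1" || exit 1
  wget -t 3 -T 30 -nv -O xfrm.patch "$patch_url2" || exit 1
  printf '%s  %s\n' "$barf_sha256" barf.in.new "$xfrm_sha256" xfrm.patch \
    | sha256sum -c - >/dev/null || exit 1
  /bin/mv -f barf.in.new programs/barf/barf.in
  # … unchanged: patch -s -p1 < xfrm.patch, rm of xfrm.patch, fi …
```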
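Review bot: Moving `ikev2=never` into `conn shared` (hunk `@@ -234,6 +245,7 @@`, paired with its removal from `conn xauth-psk` in `@@ -258,7 +270,6 @@`, and the same pair in vpnsetup_centos.sh) widens the setting from one connection to every connection that pulls in `also=shared`, and nothing in the commit records why. With IKEv2 disabled for all of them, negotiation stays on IKEv1 with the `ike=` proposals in the context line, which still include `modp1024`. Whether the wider scope is intended cannot be seen from the hunk, so a comment next to the option would help the next maintainer, for example `  # IKEv1 only; set here so every conn using also=shared inherits it`. The `conn shared` section starts and ends outside the hunk.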
@@ -258,7 +270,6 @@ conn xauth-psk
 modecfgpull=yes
 xauthby=file
 ike-frag=yes
- ikev2=never
 cisco-unity=yes
 also=shared
 EOF
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 21588f4..44592f1 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -160,7 +160,7 @@ yum "$REPO1" -y install fail2ban || exiterr2
 bigecho "Compiling and installing Libreswan..."
-SWAN_VER=3.27
+SWAN_VER=3.28
 swan_file="libreswan-$SWAN_VER.tar.gz"
 swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
 swan_url2="https://download.libreswan.org/$swan_file"
@@ -170,10 +170,15 @@ fi
 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
 tar xzf "$swan_file" && /bin/rm -f "$swan_file"
 cd "libreswan-$SWAN_VER" || exit 1
+if grep -qs "release 6" /etc/redhat-release; then
+ sed -i '28iLDFLAGS += -lrt' testing/timecheck/Makefile
+fi
 cat > Makefile.inc.local <<'EOF'
 WERROR_CFLAGS =
 USE_DNSSEC = false
 USE_DH31 = false
+USE_NSS_AVA_COPY = true
+USE_NSS_IPSEC_PROFILE = false
 USE_GLIBC_KERN_FLIP_HEADERS = true
 EOF
 NPROCS=$(grep -c ^processor /proc/cpuinfo)
@@ -221,6 +226,7 @@ conn shared
 dpddelay=30
 dpdtimeout=120
 dpdaction=clear
+ ikev2=never
 ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
 phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
 sha2-truncbug=yes
@@ -245,7 +251,6 @@ conn xauth-psk
 modecfgpull=yes
 xauthby=file
 ike-frag=yes
- ikev2=never
 cisco-unity=yes
 also=shared
 EOF
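Review bot: In the `@@ -170,10 +170,15 @@` hunk of vpnsetup_centos.sh, the CentOS 6 fix inserts `LDFLAGS += -lrt` at absolute line 28 of `testing/timecheck/Makefile`, so it depends on the exact layout of the 3.28 tarball. Unlike the neighbouring `cd ... || exit 1`, the `sed` call has no failure check, and a later `SWAN_VER` bump could silently place the line somewhere it has no effect or breaks the Makefile. I would add the guard and tie the offset to the version in a comment: `# line 28 matches the libreswan 3.28 Makefile; re-check when SWAN_VER changes` followed by `sed -i '28iLDFLAGS += -lrt' testing/timecheck/Makefile || exit 1`. The added `USE_NSS_AVA_COPY` and `USE_NSS_IPSEC_PROFILE` settings would also benefit from a one-line comment above the here-document saying which build problem they work around.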