libreswan: update cu 3.32

CVE and NSS fix Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
2021-03-28 21:47:50 +03:00 · 2021-03-28 21:47:50 +03:00 · 5a8a7aeab1
parent 7436ea3fb1
commit 5a8a7aeab1
8 changed files with 123 additions and 1197 deletions
--- a/net/libreswan/Makefile
+++ b/net/libreswan/Makefile
@ -7,15 +7,17 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=libreswan
-PKG_VERSION:=3.27
-PKG_RELEASE:=3
+PKG_VERSION:=3.32
+PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://download.libreswan.org/
-PKG_HASH:=ead07dd701116094b483dc57e54e2a5ee9a06d3982bb142260bcbf3d1faf7b82
+PKG_HASH:=236b57fee8f562302c54f2b16d8a839a9039fcb5893668e61b398ec6b179432e

-PKG_LICENSE:=GPL-2.0
 PKG_MAINTAINER:=Lucian Cristian <lucian.cristian@gmail.com>
+PKG_LICENSE:=GPL-2.0-or-later
+PKG_LICENSE_FILES:=COPYING LICENSE
+PKG_CPE_ID:=cpe:/a:libreswan:libreswan

 PKG_BUILD_PARALLEL:=1
 PKG_INSTALL:=1
@ -39,9 +41,11 @@ $(call Package/libreswan/Default)
  SUBMENU:=VPN
  SECTION:=net
  CATEGORY:=Network
-  DEPENDS:= +libnss +librt +libevent2 +libevent2-pthreads +kmod-crypto-authenc \
-	+kmod-crypto-hash +kmod-ipt-ipsec +iptables-mod-ipsec +ip-full +kmod-ip-vti \
-	+kmod-ipsec +kmod-ipsec4 +kmod-crypto-rng +IPV6:kmod-ipsec6 +IPV6:kmod-ip6-vti
+  DEPENDS:= +IPV6:kmod-ip6-vti +IPV6:kmod-ipsec6 +ip-full +iptables-mod-ipsec \
+	+kmod-crypto-aead +kmod-crypto-authenc +kmod-crypto-gcm \
+	+kmod-crypto-hash +kmod-crypto-rng +kmod-ip-vti +kmod-ipsec \
+	+kmod-ipsec4 +kmod-ipt-ipsec +libevent2 +libevent2-pthreads \
+	+libldns +librt +libunbound +nss-utils +nspr
  PROVIDES:=openswan
  CONFLICTS:=strongswan
  TITLE+= IPsec Server
@ -60,24 +64,29 @@ define Package/libreswan/conffiles
 /etc/ipsec.conf
 /etc/ipsec.secrets
 endef
+TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed
+TARGET_CFLAGS += -flto

-TARGET_CFLAGS+= -Wno-error=format-nonliteral
 MAKE_FLAGS+= \
    WERROR_CFLAGS=" " \
-    USE_DNSSEC=false \
+    NSS_REQ_AVA_COPY=false \
    USE_LINUX_AUDIT=false \
    USE_LABELED_IPSEC=false \
+    USE_XFRM_INTERFACE_IFLA_HEADER=true \
+    USE_XFRM_HEADER_COPY=true \
    USE_NM=false \
+    USE_NSS_KDF=true \
+    USE_NSS_PRF=true \
    USE_LIBCURL=false \
    USE_GLIBC_KERN_FLIP_HEADERS=true \
    USE_XAUTHPAM=false \
-    USE_FIPSCHECK=false \
    USE_LIBCAP_NG=false \
    USE_SYSTEMD_WATCHDOG=false \
+    USE_SECCOMP=false\
    INC_USRLOCAL="/usr" \
    FINALRUNDIR="/var/run/pluto" \
+    MODPROBEARGS="-q" \
    ARCH="$(LINUX_KARCH)" \
-    KERNELSRC="$(LINUX_DIR)"

 define Build/Prepare
 	$(call Build/Prepare/Default)
--- a/net/libreswan/files/ipsec.init
+++ b/net/libreswan/files/ipsec.init
@ -3,205 +3,34 @@
 START=90
 STOP=10

-#USE_PROCD=1
+USE_PROCD=1
+PROG="/usr/libexec/ipsec/pluto"
+IPSEC_SECRETS=/etc/ipsec.secrets
+IPSEC_CONF=/etc/ipsec.conf
+IPSEC_BIN=/usr/sbin/ipsec

-. $IPKG_INSTROOT/lib/functions.sh
-
-EXTRA_COMMANDS=status
-EXTRA_HELP="	status	Show the status of the service"
-
-# Check that networking is up.
-[ "${NETWORKING}" = "no" ] && exit 6
-
-if [ $(id -u) -ne 0 ]; then
-    echo "permission denied (must be superuser)" | \
-	logger -s -p daemon.error -t ipsec_setup 2>&1
-    exit 4
-fi
-
-# where the private directory and the config files are
-IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/libexec/ipsec}"
-IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}"
-IPSEC_CONF="${IPSEC_CONF-/etc/ipsec.conf}"
-unset PLUTO_OPTIONS
-
-rundir=/var/run/pluto
-plutopid=${rundir}/pluto.pid
-plutoctl=${rundir}/pluto.ctl
-lockdir=/var/lock
-lockfile=${lockdir}/ipsec
-ipsecversion=/proc/net/ipsec_version
-kamepfkey=/proc/net/pfkey
-
-# /etc/resolv.conf related paths
-LIBRESWAN_RESOLV_CONF=${rundir}/libreswan-resolv-conf-backup
-ORIG_RESOLV_CONF=/etc/resolv.conf
-
-# misc setup
-umask 022
-
-# standardize PATH, and export it for everything else's benefit
-PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
-export PATH
-
-mkdir -p ${rundir}
-chmod 700 ${rundir}
-
-verify_config() {
-	[ -f ${IPSEC_CONF} ] || exit 6
-	config_error=$(ipsec addconn --config ${IPSEC_CONF} --checkconfig 2>&1)
-	RETVAL=$?
-	if [ ${RETVAL} -gt 0 ]; then
-		echo "Configuration error - the following error occurred:"
-		echo ${config_error}
-		echo "IKE daemon status was not modified"
-		exit ${RETVAL}
-	fi
+checkconfig() {
+    ${IPSEC_BIN} addconn --checkconfig || return 1
+    mkdir -p /var/run/pluto
 }

-start() {
-	echo -n "Starting pluto IKE daemon for IPsec: "
+start_service() {
+	checkconfig || return 1
+
 	ipsec _stackmanager start
-	# pluto searches the current directory, so this is required for making it selinux compliant
-	cd /
-	# Create nss db or convert from old format to new sql format
-	ipsec --checknss
 	# Enable nflog if configured
 	ipsec --checknflog > /dev/null
-	# This script will enter an endless loop to ensure pluto restarts on crash
-	ipsec _plutorun --config ${IPSEC_CONF} --nofork ${PLUTO_OPTIONS} & [ -d ${lockdir} ] || mkdir -p ${lockdir}
-	touch ${lockfile}
-	# Because _plutorun starts pluto at background we need to make sure pluto is started
-	# before we know if start was successful or not
-	for waitsec in 1 2 3 4 5; do
-	    if status >/dev/null; then
-		RETVAL=0
-		break
-		else
-		echo -n "."
-		sleep 1
-		RETVAL=1
-	    fi
-	done
-	if [ ${RETVAL} -ge 1 ]; then
-	    rm -f ${lockfile}
-	fi
-	echo
-	return ${RETVAL}
+
+	procd_open_instance
+	procd_set_param command $PROG --config ${IPSEC_CONF} --nofork --secretsfile ${IPSEC_SECRETS}
+	procd_set_param respawn
+	procd_close_instance
 }

-stop() {
-    if [ -e ${plutoctl} ]; then
-	echo "Shutting down pluto IKE daemon"
-	ipsec whack --shutdown 2>/dev/null
-	# don't use seq, might not exist on embedded
-	for waitsec in 1 2 3 4 5 6 7 8 9 10; do
-	    if [ -s ${plutopid} ]; then
-		echo -n "."
-		sleep 1
-	    else
-		break
-	    fi
-	done
-	echo
-	rm -f ${plutoctl} # we won't be using this anymore
-    fi
-    if [ -s ${plutopid} ]; then
-	# pluto did not die peacefully
-	pid=$(cat ${plutopid})
-	if [ -d /proc/${pid} ]; then
-	    kill -TERM ${pid}
-	    RETVAL=$?
-	    sleep 5;
-	    if [ -d /proc/${pid} ]; then
-		kill -KILL ${pid}
-		RETVAL=$?
-	    fi
-	    if [ ${RETVAL} -ne 0 ]; then
-		echo "Kill failed - removing orphaned ${plutopid}"
-	    fi
-	else
-	    echo "Removing orphaned ${plutopid}"
-	fi
-	rm -f ${plutopid}
-    fi
+stop_service() {
+	ipsec whack --shutdown
+	ipsec _stackmanager stop
+	ipsec --stopnflog > /dev/null

-    ipsec _stackmanager stop
-    ipsec --stopnflog > /dev/null
-
-    # cleaning up backup resolv.conf
-    if [ -e ${LIBRESWAN_RESOLV_CONF} ]; then
-	if grep 'Libreswan' ${ORIG_RESOLV_CONF} > /dev/null 2>&1; then
-	    cp ${LIBRESWAN_RESOLV_CONF} ${ORIG_RESOLV_CONF}
-	fi
-	rm -f  ${LIBRESWAN_RESOLV_CONF}
-    fi
-
-    rm -f ${lockfile}
-    return ${RETVAL}
 }

-restart() {
-    verify_config
-    stop
-    start
-    return $?
-}
-
-status() {
-    local RC
-    if [ -f ${plutopid} ]; then
-	if [ -r ${plutopid} ]; then
-	    pid=$(cat ${plutopid})
-	    if [ -n "$pid" -a -d /proc/${pid} ]; then
-		RC=0    # running
-	    else
-		RC=1    # not running but pid exists
-	    fi
-	else
-	    RC=4        # insufficient privileges
-	fi
-    fi
-    if [ -z "${RC}" ]; then
-	if [ -f ${lockfile} ]; then
-	    RC=2
-	else
-	    RC=3
-	fi
-    fi
-    case "${RC}" in
-	0)
-	    echo "ipsec: pluto (pid ${pid}) is running..."
-	    return 0
-	    ;;
-	1)
-	    echo "ipsec: pluto dead but pid file exits"
-	    return 1
-	    ;;
-	2)
-	    echo "ipsec: pluto dead but subsys locked"
-	    return 2
-	    ;;
-	4)
-	    echo "ipsec: pluto status unknown due to insufficient privileges."
-	    return 4
-	    ;;
-    esac
-    echo "ipsec: pluto is stopped"
-    return 3
-}
-
-condrestart() {
-    verify_config
-    RETVAL=$?
-    if [ -f ${lockfile} ]; then
-	restart
-	RETVAL=$?
-    fi
-    return ${RETVAL}
-}
-
-version() {
-    ipsec version
-    return $?
-}
--- a/net/libreswan/patches/001-move_kernel_klips_to_mk_kernel.mk.patch
+++ b/net/libreswan/patches/001-move_kernel_klips_to_mk_kernel.mk.patch
@ -1,973 +0,0 @@
-From 010a9f2bbdaa97024933be04eff1a48ff1f9b657 Mon Sep 17 00:00:00 2001
-From: Andrew Cagney <cagney@gnu.org>
-Date: Thu, 25 Oct 2018 21:00:59 -0400
-Subject: [PATCH] building: move kernel (klips) rules to mk/kernel.mk
-
---
- Makefile     | 448 +-----------------------------------------------
- mk/kernel.mk | 468 +++++++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 474 insertions(+), 442 deletions(-)
- create mode 100644 mk/kernel.mk
-
-diff --git a/Makefile b/Makefile
-index b706defd0f..0b070966e6 100644
--- a/Makefile
-+++ b/Makefile
-@@ -97,119 +97,14 @@ KERNELREL=$(shell ${KVSHORTUTIL} ${KERNELSRC}/Makefile)
- 
- # directories visited by all recursion
- 
-# declaration for make's benefit
-.PHONY:	def insert kpatch patches _patches _patches2.4 \
-	klipsdefaults programs man install \
-	precheck verset confcheck kernel \
-	module module24 module26 kinstall minstall minstall24 minstall26 \
-	moduleclean mod24clean module24clean mod26clean module26clean \
-	backup unpatch uninstall \
-	check \
-
-kpatch: unapplypatch applypatch klipsdefaults
-npatch: unapplynpatch applynpatch
-sarefpatch: unapplysarefpatch applysarefpatch
-
-unapplypatch:
-	@echo "info: making unapplypatch in `pwd` and KERNELSRC=\"${KERNELSRC}\";"
-	-@if [ -f ${KERNELSRC}/libreswan.patch ]; then \
-		echo Undoing previous patches; \
-		cat ${KERNELSRC}/libreswan.patch | (cd ${KERNELSRC} && patch -p1 -R --force -E -z .preipsec --reverse --ignore-whitespace ); \
-	fi
-
-applypatch:
-	@echo "info: Now performing forward patches in `pwd`";
-	${MAKE} kernelpatch${KERNELREL} | tee ${KERNELSRC}/libreswan.patch | (cd ${KERNELSRC} && patch -p1 -b -z .preipsec --forward --ignore-whitespace )
-
-unapplynpatch:
-	@echo "info: making unapplynpatch (note the second N) in `pwd`";
-	-@if [ -f ${KERNELSRC}/natt.patch ]; then \
-		echo Undoing previous NAT patches; \
-		cat ${KERNELSRC}/natt.patch | (cd ${KERNELSRC} && patch -p1 -R --force -E -z .preipsec --reverse --ignore-whitespace ); \
-	fi
-
-applynpatch:
-	@echo "info: Now performing forward NAT patches in `pwd`";
-	${MAKE} nattpatch${KERNELREL} | tee ${KERNELSRC}/natt.patch | (cd ${KERNELSRC} && patch -p1 -b -z .preipsec --forward --ignore-whitespace )
-
-unapplysarefpatch:
-	@echo "info: making unapplysarefpatch in `pwd`";
-	-@if [ -f ${KERNELSRC}/saref.patch ]; then \
-		echo Undoing previous saref patches; \
-		cat ${KERNELSRC}/saref.patch | (cd ${KERNELSRC} && patch -p1 -R --force -E -z .preng --reverse --ignore-whitespace ); \
-	fi
-
-applysarefpatch:
-	@echo "info: Now performing SAref patches in `pwd`";
-	${MAKE} sarefpatch${KERNELREL} | tee ${KERNELSRC}/klipsng.patch | (cd ${KERNELSRC} && patch -p1 -b -z .preng --forward --ignore-whitespace )
-
-# patch kernel
-PATCHER=packaging/utils/patcher
-
-_patches:
-	echo "===============" >>out.kpatch
-	echo "`date` `cd $(KERNELSRC) ; pwd`" >>out.kpatch
-	$(MAKE) __patches$(KERNELREL) >>out.kpatch
-
-# Linux-2.4.0 version
-__patches2.4:
-	@$(PATCHER) -v -c $(KERNELSRC) Documentation/Configure.help \
-		'CONFIG_KLIPS' $(PATCHES)/Documentation/Configure.help.fs2_2.patch
-	@$(PATCHER) -v $(KERNELSRC) net/Config.in \
-		'CONFIG_KLIPS' $(PATCHES)/net/Config.in.fs2_4.patch
-	@$(PATCHER) -v $(KERNELSRC) net/Makefile \
-		'CONFIG_KLIPS' $(PATCHES)/net/Makefile.fs2_4.patch
-	@$(PATCHER) -v $(KERNELSRC) net/ipv4/af_inet.c \
-		'CONFIG_KLIPS' $(PATCHES)/net/ipv4/af_inet.c.fs2_4.patch
-	@$(PATCHER) -v $(KERNELSRC) net/ipv4/udp.c \
-		'CONFIG_KLIPS' $(PATCHES)/net/ipv4/udp.c.fs2_4.patch
-	@$(PATCHER) -v $(KERNELSRC) include/net/sock.h \
-		'CONFIG_KLIPS' $(PATCHES)/include/net/sock.h.fs2_4.patch
-# Removed patches, will unpatch automatically.
-	@$(PATCHER) -v $(KERNELSRC) include/linux/proc_fs.h
-	@$(PATCHER) -v $(KERNELSRC) net/core/dev.c
-	@$(PATCHER) -v $(KERNELSRC) net/ipv4/protocol.c
-	@$(PATCHER) -v $(KERNELSRC) drivers/net/Space.c
-	@$(PATCHER) -v $(KERNELSRC) include/linux/netlink.h
-	@$(PATCHER) -v $(KERNELSRC) net/netlink/af_netlink.c
-	@$(PATCHER) -v $(KERNELSRC) net/netlink/netlink_dev.c
-	@$(PATCHER) -v $(KERNELSRC) drivers/isdn/isdn_net.c
-
-klipsdefaults:
-	@KERNELDEFCONFIG=$(KERNELSRC)/arch/$(ARCH)/defconfig ; \
-	KERNELCONFIG=$(KCFILE) ; \
-	if ! egrep -q 'CONFIG_KLIPS' $$KERNELDEFCONFIG ; \
-	then \
-		set -x ; \
-		cp -a $$KERNELDEFCONFIG $$KERNELDEFCONFIG.orig ; \
-		chmod u+w $$KERNELDEFCONFIG ; \
-		cat $$KERNELDEFCONFIG $(KERNELKLIPS)/defconfig \
-			>$$KERNELDEFCONFIG.tmp ; \
-		rm -f $$KERNELDEFCONFIG ; \
-		cp -a $$KERNELDEFCONFIG.tmp $$KERNELDEFCONFIG ; \
-		rm -f $$KERNELDEFCONFIG.tmp ; \
-	fi ; \
-	if ! egrep -q 'CONFIG_KLIPS' $$KERNELCONFIG ; \
-	then \
-		set -x ; \
-		cp -a $$KERNELCONFIG $$KERNELCONFIG.orig ; \
-		chmod u+w $$KERNELCONFIG ; \
-		cat $$KERNELCONFIG $(KERNELKLIPS)/defconfig \
-			>$$KERNELCONFIG.tmp ; \
-		rm -f $$KERNELCONFIG ; \
-		cp -a $$KERNELCONFIG.tmp $$KERNELCONFIG ; \
-		rm -f $$KERNELCONFIG.tmp ; \
-	fi
-
-
-
- # programs
- 
- ABSOBJDIR:=$(shell mkdir -p ${OBJDIR}; cd ${OBJDIR} && pwd)
- OBJDIRTOP=${ABSOBJDIR}
- 
- # Recursive clean dealt with elsewhere.
-local-clean-base: moduleclean
-+.PHONY: local-clean-base
-+local-clean-base:
- 	$(foreach file,$(RPMTMPDIR) $(RPMDEST) out.*build out.*install, \
- 		rm -rf $(file) ; )	# but leave out.kpatch
- 
-@@ -219,339 +114,13 @@ local-clean-base: moduleclean
- # $(OBJDIR), "distclean" does not depend on it.  If it did, "make
- # distclean" would have the quirky behaviour of first creating
- # $(OBJDIR) only to then delete it.
-distclean: moduleclean module24clean module26clean clean-kvm-keys
-+.PHONY: distclean
-+distclean: clean-kvm-keys
- 	rm -f $(RPMTMPDIR) $(RPMDEST) out.*
- 	rm -rf testing/pluto/*/OUTPUT*
- 	rm -rf OBJ.* $(OBJDIR)
- 	rm -rf BACKUP
- 
-# proxies for major kernel make operations
-
-# do-everything entries
-KINSERT_PRE=precheck verset insert
-PRE=precheck verset kpatch
-POST=confcheck programs kernel install
-MPOST=confcheck programs module install
-
-# preliminaries
-precheck:
-	@if test ! -d $(KERNELSRC) -a ! -L $(KERNELSRC) ; \
-	then \
-		echo '*** cannot find directory "$(KERNELSRC)"!!' ; \
-		echo '*** may be necessary to add symlink to kernel source' ; \
-		exit 1 ; \
-	fi
-	@if ! cd $(KERNELSRC) ; \
-	then \
-		echo '*** cannot "cd $(KERNELSRC)"!!' ; \
-		echo '*** may be necessary to add symlink to kernel source' ; \
-		exit 1 ; \
-	fi
-	@if test ! -f $(KCFILE) ; \
-	then \
-		echo '*** cannot find "$(KCFILE)"!!' ; \
-		echo '*** perhaps kernel has never been configured?' ; \
-		echo '*** please do that first; the results are necessary.' ; \
-		exit 1 ; \
-	fi
-	@if test ! -f $(VERFILE) ; \
-	then \
-		echo '*** cannot find "$(VERFILE)"!!' ; \
-		echo '*** perhaps kernel has never been compiled?' ; \
-		echo '*** please do that first; the results are necessary.' ; \
-		exit 1 ; \
-	fi
-
-# configuring (exit statuses disregarded, something fishy here sometimes)
-xcf:
-	-cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) xconfig
-mcf:
-	-cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) menuconfig
-pcf:
-	-cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) config
-
-ocf:
-	-cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) oldconfig
-
-rcf:
-	cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) ${NONINTCONFIG} </dev/null
-	cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) dep >/dev/null
-
-kclean:
-	-cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) clean
-
-confcheck:
-	@if test ! -f $(KCFILE) ; \
-	then echo '*** no kernel configuration file written!!' ; exit 1 ; \
-	fi
-	@if ! egrep -q '^CONFIG_KLIPS=[my]' $(KCFILE) ; \
-	then echo '*** IPsec not in kernel config ($(KCFILE))!!' ; exit 1 ; \
-	fi
-	@if ! egrep -q 'CONFIG_KLIPS[ 	]+1' $(ACFILE) && \
-		! egrep -q 'CONFIG_KLIPS_MODULE[ 	]+1' $(ACFILE) ; \
-	then echo '*** IPsec in kernel config ($(KCFILE)),' ; \
-		echo '***	but not in config header file ($(ACFILE))!!' ; \
-		exit 1 ; \
-	fi
-	@if egrep -q '^CONFIG_KLIPS=m' $(KCFILE) && \
-		! egrep -q '^CONFIG_MODULES=y' $(KCFILE) ; \
-	then echo '*** IPsec configured as module in kernel with no module support!!' ; exit 1 ; \
-	fi
-	@if ! egrep -q 'CONFIG_KLIPS_AH[ 	]+1' $(ACFILE) && \
-		! egrep -q 'CONFIG_KLIPS_ESP[ 	]+1' $(ACFILE) ; \
-	then echo '*** IPsec configuration must include AH or ESP!!' ; exit 1 ; \
-	fi
-
-# kernel building, with error checks
-kernel:
-	rm -f out.kbuild out.kinstall
-	# undocumented kernel folklore: clean BEFORE dep.
-	# we run make dep separately, because there is no point in running ERRCHECK
-	# on the make dep output.
-	# see LKML thread "clean before or after dep?"
-	( cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) $(KERNCLEAN) $(KERNDEP) )
-	( cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) $(KERNEL) ) 2>&1 | tee out.kbuild
-	@if egrep -q '^CONFIG_MODULES=y' $(KCFILE) ; \
-	then set -x ; \
-		( cd $(KERNELSRC) ; \
-		$(MAKE) $(KERNMAKEOPTS) modules 2>&1 ) | tee -a out.kbuild ; \
-	fi
-	${ERRCHECK} out.kbuild
-
-# module-only building, with error checks
-ifneq ($(strip $(MOD24BUILDDIR)),)
-${MOD24BUILDDIR}/Makefile : ${LIBRESWANSRCDIR}/packaging/makefiles/module24.make
-	mkdir -p ${MOD24BUILDDIR}
-	cp ${LIBRESWANSRCDIR}/packaging/makefiles/module24.make ${MOD24BUILDDIR}/Makefile
-
-module:
-	@if [ -f ${KERNELSRC}/README.libreswan-2 ] ; then \
-                echo "WARNING: Kernel source ${KERNELSRC} has already been patched with libreswan-2, out of tree build might fail!"; \
-        fi;
-	@if [ -f ${KERNELSRC}/README.openswan ] ; then \
-                echo "WARNING: Kernel source ${KERNELSRC} has already been patched with openswan, out of tree build might fail!"; \
-        fi;
-	@if [ -f ${KERNELSRC}/README.openswan-2 ] ; then \
-                echo "WARNING: Kernel source ${KERNELSRC} has already been patched with openswan-2, out of tree build might fail!"; \
-        fi;
-	@if [ -f ${KERNELSRC}/README.freeswan ] ; then \
-                echo "ERROR: Kernel source ${KERNELSRC} has already been patched with freeswan, out of tree build will fail!"; \
-        fi;
-	@if [ -f ${KERNELSRC}/Rules.make ] ; then \
-                echo "Building module for a 2.4 kernel"; ${MAKE} module24 ; \
-        else echo "Building module for a 2.6 kernel"; ${MAKE} module26; \
-        fi;
-
-modclean moduleclean:
-	@if [ -f ${KERNELSRC}/Rules.make ] ; then \
-		echo "Cleaning module for a 2.4 kernel"; ${MAKE} module24clean ; \
-	else echo "Cleaning module for a 2.6 kernel"; ${MAKE} module26clean; \
-	fi;
-
-module24:
-	@if [ ! -f ${KERNELSRC}/Rules.make ] ; then \
-                echo "Warning: Building for a 2.4 kernel in what looks like a 2.6 tree"; \
-        fi ; \
-        ${MAKE} ${MOD24BUILDDIR}/Makefile
-	${MAKE} -C ${MOD24BUILDDIR}  LIBRESWANSRCDIR=${LIBRESWANSRCDIR} ARCH=${ARCH} V=${V} ${MODULE_FLAGS} MODULE_DEF_INCLUDE=${MODULE_DEF_INCLUDE} TOPDIR=${KERNELSRC} -f Makefile ipsec.o
-	@echo
-	@echo '========================================================='
-	@echo
-	@echo 'KLIPS24 module built successfully. '
-	@echo ipsec.o is in ${MOD24BUILDDIR}
-	@echo
-	@(cd ${MOD24BUILDDIR}; ls -l ipsec.o)
-	@(cd ${MOD24BUILDDIR}; size ipsec.o)
-	@echo
-	@echo 'use make minstall as root to install it'
-	@echo
-	@echo '========================================================='
-	@echo
-
-mod24clean module24clean:
-	rm -rf ${MOD24BUILDDIR}
-
-#autoodetect 2.4 and 2.6
-module_install minstall install-module:
-	@if [ -f $(KERNELSRC)/Rules.make ] ; then \
-                $(MAKE) minstall24 ; \
-	else \
-		$(MAKE) minstall26 ; \
-        fi;
-
-# Extract the value of MODLIB from the output of $(MAKE).  Also hide
-# the sup-process $(MAKE) so that GNU Make doesn't always invoke the
-# target ("make -n" ignored).
-#
-# If $(MAKE) directly appears in a target (for instance in minstall26)
-# then GNU Make will assume that it is a recursive make invocation and
-# invoke the target regardless of -n.
-#
-# XXX: minstall24 should also use this.
-
-osmodlib-from-make = \
-	OSMODLIB=$$($(MAKE) $(1) 2>/dev/null | sed -n -e 's/^MODLIB[ :=]*\([^;]*\).*/\1/p' | head -1) ; \
-	test -z "$$OSMODLIB" || echo "OSMODLIB=$$OSMODLIB ($(MAKE) $(1))"
-
-# module-only install, with error checks
-minstall24:
-	( OSMODLIB=`${MAKE} -C $(KERNELSRC) -p dummy | ( sed -n -e '/^MODLIB/p' -e '/^MODLIB/q' ; cat > /dev/null ) | sed -e 's/^MODLIB[ :=]*\([^;]*\).*/\1/'` ; \
-	if [ -z "$$OSMODLIB" ] ; then \
-		OSMODLIB=`${MAKE} -C $(KERNELSRC) -n -p modules_install | ( sed -n -e '/^MODLIB/p' -e '/^MODLIB/q' ; cat > /dev/null ) | sed -e 's/^MODLIB[ :=]*\([^;]*\).*/\1/'` ; \
-	fi ; \
-	if [ -z "$$OSMODLIB" ] ; then \
-		echo "No known place to install module. Aborting." ; \
-		exit 93 ; \
-	fi ; \
-	set -x ; \
-	mkdir -p $$OSMODLIB/kernel/$(OSMOD_DESTDIR) ; \
-	cp $(MOD24BUILDDIR)/ipsec.o $$OSMODLIB/kernel/$(OSMOD_DESTDIR) ; \
-	if [ -f /sbin/depmod ] ; then /sbin/depmod -a ; fi; \
-	if [ -n "$(OSMOD_DESTDIR)" ] ; then \
-        mkdir -p $$OSMODLIB/kernel/$(OSMOD_DESTDIR) ; \
-                if [ -f $$OSMODLIB/kernel/ipsec.o -a -f $$OSMODLIB/kernel/$(OSMOD_DESTDIR)/ipsec.o ] ; then \
-                        echo "WARNING: two ipsec.o modules found in $$OSMODLIB/kernel:" ; \
-                        ls -l $$OSMODLIB/kernel/ipsec.o $$OSMODLIB/kernel/$(OSMOD_DESTDIR)/ipsec.o ; \
-                        exit 1; \
-                fi ; \
-        fi ; \
-        set -x ) ;
-
-
-else
-module:
-	echo 'Building in place is no longer supported. Please set MOD24BUILDDIR='
-	exit 1
-
-endif
-
-# module-only building, with error checks
-ifneq ($(strip $(MODBUILDDIR)),)
-${MODBUILDDIR}/Makefile : ${LIBRESWANSRCDIR}/packaging/makefiles/module.make
-	mkdir -p ${MODBUILDDIR}
-	echo ln -s -f ${LIBRESWANSRCDIR}/linux/net/ipsec/des/*.S ${MODBUILDDIR}
-	(rm -f ${MODBUILDDIR}/des; mkdir -p ${MODBUILDDIR}/des && cd ${MODBUILDDIR}/des && ln -s -f ${LIBRESWANSRCDIR}/linux/net/ipsec/des/* . && ln -s -f Makefile.fs2_6 Makefile)
-	(rm -f ${MODBUILDDIR}/aes; mkdir -p ${MODBUILDDIR}/aes && cd ${MODBUILDDIR}/aes && ln -s -f ${LIBRESWANSRCDIR}/linux/net/ipsec/aes/* . && ln -s -f Makefile.fs2_6 Makefile)
-	mkdir -p ${MODBUILDDIR}/aes
-	cp ${LIBRESWANSRCDIR}/packaging/makefiles/module.make ${MODBUILDDIR}/Makefile
-	ln -s -f ${LIBRESWANSRCDIR}/linux/net/ipsec/match*.S ${MODBUILDDIR}
-
-module26:
-	@if [ -f ${KERNELSRC}/Rules.make ] ; then \                 echo "Warning: Building for a 2.6+ kernel in what looks like a 2.4 tree"; \
-        fi ; \
-        ${MAKE}  ${MODBUILDDIR}/Makefile
-	${MAKE} -C ${KERNELSRC} ${KERNELBUILDMFLAGS} BUILDDIR=${MODBUILDDIR} SUBDIRS=${MODBUILDDIR} INITSYSTEM=$(INITSYSTEM) MODULE_DEF_INCLUDE=${MODULE_DEF_INCLUDE} MODULE_DEFCONFIG=${MODULE_DEFCONFIG}  MODULE_EXTRA_INCLUDE=${MODULE_EXTRA_INCLUDE} ARCH=${ARCH} V=${V} modules
-	@echo
-	@echo '========================================================='
-	@echo
-	@echo 'KLIPS module built successfully. '
-	@echo ipsec.ko is in ${MODBUILDDIR}
-	@echo
-	@(cd ${MODBUILDDIR}; ls -l ipsec.ko)
-	@(cd ${MODBUILDDIR}; size ipsec.ko)
-	@echo
-	@echo 'use make minstall as root to install it'
-	@echo
-	@echo '========================================================='
-	@echo
-
-mod26clean module26clean:
-	rm -rf ${MODBUILDDIR}
-
-# module-only install, with error checks
-minstall26:
-	$(call osmodlib-from-make,-C $(KERNELSRC) -p help) ; \
-	if [ -z "$$OSMODLIB" ] ; then \
-		$(call osmodlib-from-make,-C $(KERNELSRC) -n -p modules_install) ; \
-	fi ; \
-	if [ -z "$$OSMODLIB" ] ; then \
-		echo "No known place to install module. Aborting." ; \
-		exit 93 ; \
-	fi ; \
-	set -x ; \
-	mkdir -p $$OSMODLIB/kernel/$(OSMOD_DESTDIR) ; \
-	cp $(MODBUILDDIR)/ipsec.ko $$OSMODLIB/kernel/$(OSMOD_DESTDIR) ; \
-	if [ -f /sbin/depmod ] ; then \
-		/sbin/depmod -a ; \
-	fi ; \
-	if [ -n "$(OSMOD_DESTDIR)" ] ; then \
-		mkdir -p $$OSMODLIB/kernel/$(OSMOD_DESTDIR) ; \
-		if [ -f $$OSMODLIB/kernel/ipsec.ko -a -f $$OSMODLIB/kernel/$(OSMOD_DESTDIR)/ipsec.ko ] ; then \
-			echo "WARNING: two ipsec.ko modules found in $$OSMODLIB/kernel:" ; \
-			ls -l $$OSMODLIB/kernel/ipsec.ko $$OSMODLIB/kernel/$(OSMOD_DESTDIR)/ipsec.ko ; \
-			exit 1; \
-		fi ; \
-	fi
-
-
-else
-module26:
-	echo 'Building in place is no longer supported. Please set MODBUILDDIR='
-	exit 1
-
-endif
-
-# kernel install, with error checks
-kinstall:
-	rm -f out.kinstall
-	>out.kinstall
-	# undocumented kernel folklore: modules_install must precede install (observed on RHL8.0)
-	@if egrep -q '^CONFIG_MODULES=y' $(KCFILE) ; \
-	then set -x ; \
-		( cd $(KERNELSRC) ; \
-		$(MAKE) $(KERNMAKEOPTS) modules_install 2>&1 ) | tee -a out.kinstall ; \
-	fi
-	( cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) install ) 2>&1 | tee -a out.kinstall
-	${ERRCHECK} out.kinstall
-
-kernelpatch3 kernelpatch3.5 kernelpatch2.6 kernelpatch:
-	packaging/utils/kernelpatch 2.6
-
-kernelpatch2.4:
-	packaging/utils/kernelpatch 2.4
-
-nattpatch:
-	if [ -f ${KERNELSRC}/Makefile ]; then \
-		${MAKE} nattpatch${KERNELREL}; \
-	else	echo "Cannot determine Linux kernel version. Perhaps you need to set KERNELSRC? (eg: export KERNELSRC=/usr/src/linux-`uname -r`/)"; exit 1; \
-	fi;
-
-sarefpatch2.6:
-	#cat patches/kernel/2.6.38/0001-SAREF-add-support-for-SA-selection-through-sendmsg.patch
-	#packaging/utils/sarefpatch 2.6
-	echo ""
-
-nattpatch2.6:
-	packaging/utils/nattpatch 2.6
-
-nattpatch2.4:
-	packaging/utils/nattpatch 2.4
-
-nattupdate:
-	(cd UMLPOOL && diff -u plain26/net/ipv4/udp.c.orig plain26/net/ipv4/udp.c; exit 0) >nat-t/net/ipv4/udp.c.os2_6.patch
-
-# take all the patches out of the kernel
-# (Note, a couple of files are modified by non-patch means; they are
-# included in "make backup".)
-unpatch:
-	@echo \"make unpatch\" is obsolete. See make unapplypatch.
-	exit 1
-
-_unpatch:
-	for f in `find $(KERNELSRC)/. -name '*.preipsec' -print` ; \
-	do \
-		echo "restoring $$f:" ; \
-		dir=`dirname $$f` ; \
-		core=`basename $$f .preipsec` ; \
-		cd $$dir ; \
-		mv -f $$core.preipsec $$core ; \
-		rm -f $$core.wipsec $$core.ipsecmd5 ; \
-	done
-
-# at the moment there is no difference between snapshot and release build
-snapready:	buildready
-relready:	buildready
-ready:		devready
- 
- # set up for build
- buildready:
-@@ -604,13 +173,6 @@ deb:
- 	#debuild -S -sa
- 	@echo "to build optional KLIPS kernel module, run make deb-klips"
- 
-deb-klips:
-	sudo module-assistant prepare -u .
-	sudo dpkg -i ../libreswan-modules-source_`make -s showdebversion`_all.deb
-	sudo module-assistant -u . prepare
-	sudo module-assistant -u . build libreswan
-
-
- release:
- 	packaging/utils/makerelease
- 
-@@ -654,3 +216,5 @@ install-fipshmac:
- include ${LIBRESWANSRCDIR}/mk/docker-targets.mk
- include ${LIBRESWANSRCDIR}/mk/kvm-targets.mk
- include ${LIBRESWANSRCDIR}/mk/web-targets.mk
-+include ${LIBRESWANSRCDIR}/mk/kernel.mk
-+
-diff --git a/mk/kernel.mk b/mk/kernel.mk
-new file mode 100644
-index 0000000000..187167d440
--- /dev/null
-+++ b/mk/kernel.mk
-@@ -0,0 +1,468 @@
-+# Libreswan master makefile
-+#
-+# Copyright (C) 1998-2002  Henry Spencer.
-+# Copyright (C) 2003-2004  Xelerance Corporation
-+# Copyright (C) 2017, Richard Guy Briggs <rgb@tricolour.ca>
-+# Copyright (C) 2015-2018  Andrew Cagney
-+#
-+# This program is free software; you can redistribute it and/or modify it
-+# under the terms of the GNU General Public License as published by the
-+# Free Software Foundation; either version 2 of the License, or (at your
-+# option) any later version.  See <https://www.gnu.org/licenses/gpl2.txt>.
-+#
-+# This program is distributed in the hope that it will be useful, but
-+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+# for more details.
-+#
-+
-+PATCHES=linux
-+# where KLIPS goes in the kernel
-+# note, some of the patches know the last part of this path
-+KERNELKLIPS=$(KERNELSRC)/net/ipsec
-+KERNELCRYPTODES=$(KERNELSRC)/crypto/ciphers/des
-+KERNELLIBFREESWAN=$(KERNELSRC)/lib/libfreeswan
-+KERNELLIBZLIB=$(KERNELSRC)/lib/zlib
-+KERNELINCLUDE=$(KERNELSRC)/include
-+
-+MAKEUTILS=packaging/utils
-+ERRCHECK=${MAKEUTILS}/errcheck
-+KVUTIL=${MAKEUTILS}/kernelversion
-+KVSHORTUTIL=${MAKEUTILS}/kernelversion-short
-+
-+# kernel details
-+# what variant of our patches should we use, and where is it
-+KERNELREL=$(shell ${KVSHORTUTIL} ${KERNELSRC}/Makefile)
-+
-+# directories visited by all recursion
-+
-+# declaration for make's benefit
-+.PHONY:	def insert kpatch patches _patches _patches2.4 \
-+	klipsdefaults programs man install \
-+	precheck verset confcheck kernel \
-+	module module24 module26 kinstall minstall minstall24 minstall26 \
-+	moduleclean mod24clean module24clean mod26clean module26clean \
-+	backup unpatch uninstall \
-+	check \
-+
-+kpatch: unapplypatch applypatch klipsdefaults
-+npatch: unapplynpatch applynpatch
-+sarefpatch: unapplysarefpatch applysarefpatch
-+
-+unapplypatch:
-+	@echo "info: making unapplypatch in `pwd` and KERNELSRC=\"${KERNELSRC}\";"
-+	-@if [ -f ${KERNELSRC}/libreswan.patch ]; then \
-+		echo Undoing previous patches; \
-+		cat ${KERNELSRC}/libreswan.patch | (cd ${KERNELSRC} && patch -p1 -R --force -E -z .preipsec --reverse --ignore-whitespace ); \
-+	fi
-+
-+applypatch:
-+	@echo "info: Now performing forward patches in `pwd`";
-+	${MAKE} kernelpatch${KERNELREL} | tee ${KERNELSRC}/libreswan.patch | (cd ${KERNELSRC} && patch -p1 -b -z .preipsec --forward --ignore-whitespace )
-+
-+unapplynpatch:
-+	@echo "info: making unapplynpatch (note the second N) in `pwd`";
-+	-@if [ -f ${KERNELSRC}/natt.patch ]; then \
-+		echo Undoing previous NAT patches; \
-+		cat ${KERNELSRC}/natt.patch | (cd ${KERNELSRC} && patch -p1 -R --force -E -z .preipsec --reverse --ignore-whitespace ); \
-+	fi
-+
-+applynpatch:
-+	@echo "info: Now performing forward NAT patches in `pwd`";
-+	${MAKE} nattpatch${KERNELREL} | tee ${KERNELSRC}/natt.patch | (cd ${KERNELSRC} && patch -p1 -b -z .preipsec --forward --ignore-whitespace )
-+
-+unapplysarefpatch:
-+	@echo "info: making unapplysarefpatch in `pwd`";
-+	-@if [ -f ${KERNELSRC}/saref.patch ]; then \
-+		echo Undoing previous saref patches; \
-+		cat ${KERNELSRC}/saref.patch | (cd ${KERNELSRC} && patch -p1 -R --force -E -z .preng --reverse --ignore-whitespace ); \
-+	fi
-+
-+applysarefpatch:
-+	@echo "info: Now performing SAref patches in `pwd`";
-+	${MAKE} sarefpatch${KERNELREL} | tee ${KERNELSRC}/klipsng.patch | (cd ${KERNELSRC} && patch -p1 -b -z .preng --forward --ignore-whitespace )
-+
-+# patch kernel
-+PATCHER=packaging/utils/patcher
-+
-+_patches:
-+	echo "===============" >>out.kpatch
-+	echo "`date` `cd $(KERNELSRC) ; pwd`" >>out.kpatch
-+	$(MAKE) __patches$(KERNELREL) >>out.kpatch
-+
-+# Linux-2.4.0 version
-+__patches2.4:
-+	@$(PATCHER) -v -c $(KERNELSRC) Documentation/Configure.help \
-+		'CONFIG_KLIPS' $(PATCHES)/Documentation/Configure.help.fs2_2.patch
-+	@$(PATCHER) -v $(KERNELSRC) net/Config.in \
-+		'CONFIG_KLIPS' $(PATCHES)/net/Config.in.fs2_4.patch
-+	@$(PATCHER) -v $(KERNELSRC) net/Makefile \
-+		'CONFIG_KLIPS' $(PATCHES)/net/Makefile.fs2_4.patch
-+	@$(PATCHER) -v $(KERNELSRC) net/ipv4/af_inet.c \
-+		'CONFIG_KLIPS' $(PATCHES)/net/ipv4/af_inet.c.fs2_4.patch
-+	@$(PATCHER) -v $(KERNELSRC) net/ipv4/udp.c \
-+		'CONFIG_KLIPS' $(PATCHES)/net/ipv4/udp.c.fs2_4.patch
-+	@$(PATCHER) -v $(KERNELSRC) include/net/sock.h \
-+		'CONFIG_KLIPS' $(PATCHES)/include/net/sock.h.fs2_4.patch
-+# Removed patches, will unpatch automatically.
-+	@$(PATCHER) -v $(KERNELSRC) include/linux/proc_fs.h
-+	@$(PATCHER) -v $(KERNELSRC) net/core/dev.c
-+	@$(PATCHER) -v $(KERNELSRC) net/ipv4/protocol.c
-+	@$(PATCHER) -v $(KERNELSRC) drivers/net/Space.c
-+	@$(PATCHER) -v $(KERNELSRC) include/linux/netlink.h
-+	@$(PATCHER) -v $(KERNELSRC) net/netlink/af_netlink.c
-+	@$(PATCHER) -v $(KERNELSRC) net/netlink/netlink_dev.c
-+	@$(PATCHER) -v $(KERNELSRC) drivers/isdn/isdn_net.c
-+
-+klipsdefaults:
-+	@KERNELDEFCONFIG=$(KERNELSRC)/arch/$(ARCH)/defconfig ; \
-+	KERNELCONFIG=$(KCFILE) ; \
-+	if ! egrep -q 'CONFIG_KLIPS' $$KERNELDEFCONFIG ; \
-+	then \
-+		set -x ; \
-+		cp -a $$KERNELDEFCONFIG $$KERNELDEFCONFIG.orig ; \
-+		chmod u+w $$KERNELDEFCONFIG ; \
-+		cat $$KERNELDEFCONFIG $(KERNELKLIPS)/defconfig \
-+			>$$KERNELDEFCONFIG.tmp ; \
-+		rm -f $$KERNELDEFCONFIG ; \
-+		cp -a $$KERNELDEFCONFIG.tmp $$KERNELDEFCONFIG ; \
-+		rm -f $$KERNELDEFCONFIG.tmp ; \
-+	fi ; \
-+	if ! egrep -q 'CONFIG_KLIPS' $$KERNELCONFIG ; \
-+	then \
-+		set -x ; \
-+		cp -a $$KERNELCONFIG $$KERNELCONFIG.orig ; \
-+		chmod u+w $$KERNELCONFIG ; \
-+		cat $$KERNELCONFIG $(KERNELKLIPS)/defconfig \
-+			>$$KERNELCONFIG.tmp ; \
-+		rm -f $$KERNELCONFIG ; \
-+		cp -a $$KERNELCONFIG.tmp $$KERNELCONFIG ; \
-+		rm -f $$KERNELCONFIG.tmp ; \
-+	fi
-+
-+
-+local-clean-base: moduleclean
-+distclean: moduleclean module24clean module26clean clean-kvm-keys
-+
-+# proxies for major kernel make operations
-+
-+# do-everything entries
-+KINSERT_PRE=precheck verset insert
-+PRE=precheck verset kpatch
-+POST=confcheck programs kernel install
-+MPOST=confcheck programs module install
-+
-+# preliminaries
-+precheck:
-+	@if test ! -d $(KERNELSRC) -a ! -L $(KERNELSRC) ; \
-+	then \
-+		echo '*** cannot find directory "$(KERNELSRC)"!!' ; \
-+		echo '*** may be necessary to add symlink to kernel source' ; \
-+		exit 1 ; \
-+	fi
-+	@if ! cd $(KERNELSRC) ; \
-+	then \
-+		echo '*** cannot "cd $(KERNELSRC)"!!' ; \
-+		echo '*** may be necessary to add symlink to kernel source' ; \
-+		exit 1 ; \
-+	fi
-+	@if test ! -f $(KCFILE) ; \
-+	then \
-+		echo '*** cannot find "$(KCFILE)"!!' ; \
-+		echo '*** perhaps kernel has never been configured?' ; \
-+		echo '*** please do that first; the results are necessary.' ; \
-+		exit 1 ; \
-+	fi
-+	@if test ! -f $(VERFILE) ; \
-+	then \
-+		echo '*** cannot find "$(VERFILE)"!!' ; \
-+		echo '*** perhaps kernel has never been compiled?' ; \
-+		echo '*** please do that first; the results are necessary.' ; \
-+		exit 1 ; \
-+	fi
-+
-+# configuring (exit statuses disregarded, something fishy here sometimes)
-+xcf:
-+	-cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) xconfig
-+mcf:
-+	-cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) menuconfig
-+pcf:
-+	-cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) config
-+
-+ocf:
-+	-cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) oldconfig
-+
-+rcf:
-+	cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) ${NONINTCONFIG} </dev/null
-+	cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) dep >/dev/null
-+
-+kclean:
-+	-cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) clean
-+
-+confcheck:
-+	@if test ! -f $(KCFILE) ; \
-+	then echo '*** no kernel configuration file written!!' ; exit 1 ; \
-+	fi
-+	@if ! egrep -q '^CONFIG_KLIPS=[my]' $(KCFILE) ; \
-+	then echo '*** IPsec not in kernel config ($(KCFILE))!!' ; exit 1 ; \
-+	fi
-+	@if ! egrep -q 'CONFIG_KLIPS[ 	]+1' $(ACFILE) && \
-+		! egrep -q 'CONFIG_KLIPS_MODULE[ 	]+1' $(ACFILE) ; \
-+	then echo '*** IPsec in kernel config ($(KCFILE)),' ; \
-+		echo '***	but not in config header file ($(ACFILE))!!' ; \
-+		exit 1 ; \
-+	fi
-+	@if egrep -q '^CONFIG_KLIPS=m' $(KCFILE) && \
-+		! egrep -q '^CONFIG_MODULES=y' $(KCFILE) ; \
-+	then echo '*** IPsec configured as module in kernel with no module support!!' ; exit 1 ; \
-+	fi
-+	@if ! egrep -q 'CONFIG_KLIPS_AH[ 	]+1' $(ACFILE) && \
-+		! egrep -q 'CONFIG_KLIPS_ESP[ 	]+1' $(ACFILE) ; \
-+	then echo '*** IPsec configuration must include AH or ESP!!' ; exit 1 ; \
-+	fi
-+
-+# kernel building, with error checks
-+kernel:
-+	rm -f out.kbuild out.kinstall
-+	# undocumented kernel folklore: clean BEFORE dep.
-+	# we run make dep separately, because there is no point in running ERRCHECK
-+	# on the make dep output.
-+	# see LKML thread "clean before or after dep?"
-+	( cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) $(KERNCLEAN) $(KERNDEP) )
-+	( cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) $(KERNEL) ) 2>&1 | tee out.kbuild
-+	@if egrep -q '^CONFIG_MODULES=y' $(KCFILE) ; \
-+	then set -x ; \
-+		( cd $(KERNELSRC) ; \
-+		$(MAKE) $(KERNMAKEOPTS) modules 2>&1 ) | tee -a out.kbuild ; \
-+	fi
-+	${ERRCHECK} out.kbuild
-+
-+# module-only building, with error checks
-+ifneq ($(strip $(MOD24BUILDDIR)),)
-+${MOD24BUILDDIR}/Makefile : ${LIBRESWANSRCDIR}/packaging/makefiles/module24.make
-+	mkdir -p ${MOD24BUILDDIR}
-+	cp ${LIBRESWANSRCDIR}/packaging/makefiles/module24.make ${MOD24BUILDDIR}/Makefile
-+
-+module:
-+	@if [ -f ${KERNELSRC}/README.libreswan-2 ] ; then \
-+                echo "WARNING: Kernel source ${KERNELSRC} has already been patched with libreswan-2, out of tree build might fail!"; \
-+        fi;
-+	@if [ -f ${KERNELSRC}/README.openswan ] ; then \
-+                echo "WARNING: Kernel source ${KERNELSRC} has already been patched with openswan, out of tree build might fail!"; \
-+        fi;
-+	@if [ -f ${KERNELSRC}/README.openswan-2 ] ; then \
-+                echo "WARNING: Kernel source ${KERNELSRC} has already been patched with openswan-2, out of tree build might fail!"; \
-+        fi;
-+	@if [ -f ${KERNELSRC}/README.freeswan ] ; then \
-+                echo "ERROR: Kernel source ${KERNELSRC} has already been patched with freeswan, out of tree build will fail!"; \
-+        fi;
-+	@if [ -f ${KERNELSRC}/Rules.make ] ; then \
-+                echo "Building module for a 2.4 kernel"; ${MAKE} module24 ; \
-+        else echo "Building module for a 2.6 kernel"; ${MAKE} module26; \
-+        fi;
-+
-+modclean moduleclean:
-+	@if [ -f ${KERNELSRC}/Rules.make ] ; then \
-+		echo "Cleaning module for a 2.4 kernel"; ${MAKE} module24clean ; \
-+	else echo "Cleaning module for a 2.6 kernel"; ${MAKE} module26clean; \
-+	fi;
-+
-+module24:
-+	@if [ ! -f ${KERNELSRC}/Rules.make ] ; then \
-+                echo "Warning: Building for a 2.4 kernel in what looks like a 2.6 tree"; \
-+        fi ; \
-+        ${MAKE} ${MOD24BUILDDIR}/Makefile
-+	${MAKE} -C ${MOD24BUILDDIR}  LIBRESWANSRCDIR=${LIBRESWANSRCDIR} ARCH=${ARCH} V=${V} ${MODULE_FLAGS} MODULE_DEF_INCLUDE=${MODULE_DEF_INCLUDE} TOPDIR=${KERNELSRC} -f Makefile ipsec.o
-+	@echo
-+	@echo '========================================================='
-+	@echo
-+	@echo 'KLIPS24 module built successfully. '
-+	@echo ipsec.o is in ${MOD24BUILDDIR}
-+	@echo
-+	@(cd ${MOD24BUILDDIR}; ls -l ipsec.o)
-+	@(cd ${MOD24BUILDDIR}; size ipsec.o)
-+	@echo
-+	@echo 'use make minstall as root to install it'
-+	@echo
-+	@echo '========================================================='
-+	@echo
-+
-+mod24clean module24clean:
-+	rm -rf ${MOD24BUILDDIR}
-+
-+#autoodetect 2.4 and 2.6
-+module_install minstall install-module:
-+	@if [ -f $(KERNELSRC)/Rules.make ] ; then \
-+                $(MAKE) minstall24 ; \
-+	else \
-+		$(MAKE) minstall26 ; \
-+        fi;
-+
-+# Extract the value of MODLIB from the output of $(MAKE).  Also hide
-+# the sup-process $(MAKE) so that GNU Make doesn't always invoke the
-+# target ("make -n" ignored).
-+#
-+# If $(MAKE) directly appears in a target (for instance in minstall26)
-+# then GNU Make will assume that it is a recursive make invocation and
-+# invoke the target regardless of -n.
-+#
-+# XXX: minstall24 should also use this.
-+
-+osmodlib-from-make = \
-+	OSMODLIB=$$($(MAKE) $(1) 2>/dev/null | sed -n -e 's/^MODLIB[ :=]*\([^;]*\).*/\1/p' | head -1) ; \
-+	test -z "$$OSMODLIB" || echo "OSMODLIB=$$OSMODLIB ($(MAKE) $(1))"
-+
-+# module-only install, with error checks
-+minstall24:
-+	( OSMODLIB=`${MAKE} -C $(KERNELSRC) -p dummy | ( sed -n -e '/^MODLIB/p' -e '/^MODLIB/q' ; cat > /dev/null ) | sed -e 's/^MODLIB[ :=]*\([^;]*\).*/\1/'` ; \
-+	if [ -z "$$OSMODLIB" ] ; then \
-+		OSMODLIB=`${MAKE} -C $(KERNELSRC) -n -p modules_install | ( sed -n -e '/^MODLIB/p' -e '/^MODLIB/q' ; cat > /dev/null ) | sed -e 's/^MODLIB[ :=]*\([^;]*\).*/\1/'` ; \
-+	fi ; \
-+	if [ -z "$$OSMODLIB" ] ; then \
-+		echo "No known place to install module. Aborting." ; \
-+		exit 93 ; \
-+	fi ; \
-+	set -x ; \
-+	mkdir -p $$OSMODLIB/kernel/$(OSMOD_DESTDIR) ; \
-+	cp $(MOD24BUILDDIR)/ipsec.o $$OSMODLIB/kernel/$(OSMOD_DESTDIR) ; \
-+	if [ -f /sbin/depmod ] ; then /sbin/depmod -a ; fi; \
-+	if [ -n "$(OSMOD_DESTDIR)" ] ; then \
-+        mkdir -p $$OSMODLIB/kernel/$(OSMOD_DESTDIR) ; \
-+                if [ -f $$OSMODLIB/kernel/ipsec.o -a -f $$OSMODLIB/kernel/$(OSMOD_DESTDIR)/ipsec.o ] ; then \
-+                        echo "WARNING: two ipsec.o modules found in $$OSMODLIB/kernel:" ; \
-+                        ls -l $$OSMODLIB/kernel/ipsec.o $$OSMODLIB/kernel/$(OSMOD_DESTDIR)/ipsec.o ; \
-+                        exit 1; \
-+                fi ; \
-+        fi ; \
-+        set -x ) ;
-+
-+
-+else
-+module:
-+	echo 'Building in place is no longer supported. Please set MOD24BUILDDIR='
-+	exit 1
-+
-+endif
-+
-+# module-only building, with error checks
-+ifneq ($(strip $(MODBUILDDIR)),)
-+${MODBUILDDIR}/Makefile : ${LIBRESWANSRCDIR}/packaging/makefiles/module.make
-+	mkdir -p ${MODBUILDDIR}
-+	echo ln -s -f ${LIBRESWANSRCDIR}/linux/net/ipsec/des/*.S ${MODBUILDDIR}
-+	(rm -f ${MODBUILDDIR}/des; mkdir -p ${MODBUILDDIR}/des && cd ${MODBUILDDIR}/des && ln -s -f ${LIBRESWANSRCDIR}/linux/net/ipsec/des/* . && ln -s -f Makefile.fs2_6 Makefile)
-+	(rm -f ${MODBUILDDIR}/aes; mkdir -p ${MODBUILDDIR}/aes && cd ${MODBUILDDIR}/aes && ln -s -f ${LIBRESWANSRCDIR}/linux/net/ipsec/aes/* . && ln -s -f Makefile.fs2_6 Makefile)
-+	mkdir -p ${MODBUILDDIR}/aes
-+	cp ${LIBRESWANSRCDIR}/packaging/makefiles/module.make ${MODBUILDDIR}/Makefile
-+	ln -s -f ${LIBRESWANSRCDIR}/linux/net/ipsec/match*.S ${MODBUILDDIR}
-+
-+module26:
-+	@if [ -f ${KERNELSRC}/Rules.make ] ; then \                 echo "Warning: Building for a 2.6+ kernel in what looks like a 2.4 tree"; \
-+        fi ; \
-+        ${MAKE}  ${MODBUILDDIR}/Makefile
-+	${MAKE} -C ${KERNELSRC} ${KERNELBUILDMFLAGS} BUILDDIR=${MODBUILDDIR} SUBDIRS=${MODBUILDDIR} INITSYSTEM=$(INITSYSTEM) MODULE_DEF_INCLUDE=${MODULE_DEF_INCLUDE} MODULE_DEFCONFIG=${MODULE_DEFCONFIG}  MODULE_EXTRA_INCLUDE=${MODULE_EXTRA_INCLUDE} ARCH=${ARCH} V=${V} modules
-+	@echo
-+	@echo '========================================================='
-+	@echo
-+	@echo 'KLIPS module built successfully. '
-+	@echo ipsec.ko is in ${MODBUILDDIR}
-+	@echo
-+	@(cd ${MODBUILDDIR}; ls -l ipsec.ko)
-+	@(cd ${MODBUILDDIR}; size ipsec.ko)
-+	@echo
-+	@echo 'use make minstall as root to install it'
-+	@echo
-+	@echo '========================================================='
-+	@echo
-+
-+mod26clean module26clean:
-+	rm -rf ${MODBUILDDIR}
-+
-+# module-only install, with error checks
-+minstall26:
-+	$(call osmodlib-from-make,-C $(KERNELSRC) -p help) ; \
-+	if [ -z "$$OSMODLIB" ] ; then \
-+		$(call osmodlib-from-make,-C $(KERNELSRC) -n -p modules_install) ; \
-+	fi ; \
-+	if [ -z "$$OSMODLIB" ] ; then \
-+		echo "No known place to install module. Aborting." ; \
-+		exit 93 ; \
-+	fi ; \
-+	set -x ; \
-+	mkdir -p $$OSMODLIB/kernel/$(OSMOD_DESTDIR) ; \
-+	cp $(MODBUILDDIR)/ipsec.ko $$OSMODLIB/kernel/$(OSMOD_DESTDIR) ; \
-+	if [ -f /sbin/depmod ] ; then \
-+		/sbin/depmod -a ; \
-+	fi ; \
-+	if [ -n "$(OSMOD_DESTDIR)" ] ; then \
-+		mkdir -p $$OSMODLIB/kernel/$(OSMOD_DESTDIR) ; \
-+		if [ -f $$OSMODLIB/kernel/ipsec.ko -a -f $$OSMODLIB/kernel/$(OSMOD_DESTDIR)/ipsec.ko ] ; then \
-+			echo "WARNING: two ipsec.ko modules found in $$OSMODLIB/kernel:" ; \
-+			ls -l $$OSMODLIB/kernel/ipsec.ko $$OSMODLIB/kernel/$(OSMOD_DESTDIR)/ipsec.ko ; \
-+			exit 1; \
-+		fi ; \
-+	fi
-+
-+
-+else
-+module26:
-+	echo 'Building in place is no longer supported. Please set MODBUILDDIR='
-+	exit 1
-+
-+endif
-+
-+# kernel install, with error checks
-+kinstall:
-+	rm -f out.kinstall
-+	>out.kinstall
-+	# undocumented kernel folklore: modules_install must precede install (observed on RHL8.0)
-+	@if egrep -q '^CONFIG_MODULES=y' $(KCFILE) ; \
-+	then set -x ; \
-+		( cd $(KERNELSRC) ; \
-+		$(MAKE) $(KERNMAKEOPTS) modules_install 2>&1 ) | tee -a out.kinstall ; \
-+	fi
-+	( cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) install ) 2>&1 | tee -a out.kinstall
-+	${ERRCHECK} out.kinstall
-+
-+kernelpatch3 kernelpatch3.5 kernelpatch2.6 kernelpatch:
-+	packaging/utils/kernelpatch 2.6
-+
-+kernelpatch2.4:
-+	packaging/utils/kernelpatch 2.4
-+
-+nattpatch:
-+	if [ -f ${KERNELSRC}/Makefile ]; then \
-+		${MAKE} nattpatch${KERNELREL}; \
-+	else	echo "Cannot determine Linux kernel version. Perhaps you need to set KERNELSRC? (eg: export KERNELSRC=/usr/src/linux-`uname -r`/)"; exit 1; \
-+	fi;
-+
-+sarefpatch2.6:
-+	#cat patches/kernel/2.6.38/0001-SAREF-add-support-for-SA-selection-through-sendmsg.patch
-+	#packaging/utils/sarefpatch 2.6
-+	echo ""
-+
-+nattpatch2.6:
-+	packaging/utils/nattpatch 2.6
-+
-+nattpatch2.4:
-+	packaging/utils/nattpatch 2.4
-+
-+nattupdate:
-+	(cd UMLPOOL && diff -u plain26/net/ipv4/udp.c.orig plain26/net/ipv4/udp.c; exit 0) >nat-t/net/ipv4/udp.c.os2_6.patch
-+
-+# take all the patches out of the kernel
-+# (Note, a couple of files are modified by non-patch means; they are
-+# included in "make backup".)
-+unpatch:
-+	@echo \"make unpatch\" is obsolete. See make unapplypatch.
-+	exit 1
-+
-+_unpatch:
-+	for f in `find $(KERNELSRC)/. -name '*.preipsec' -print` ; \
-+	do \
-+		echo "restoring $$f:" ; \
-+		dir=`dirname $$f` ; \
-+		core=`basename $$f .preipsec` ; \
-+		cd $$dir ; \
-+		mv -f $$core.preipsec $$core ; \
-+		rm -f $$core.wipsec $$core.ipsecmd5 ; \
-+	done
--- a/net/libreswan/patches/002-cripple_klips_klips_kernel_rules.patch
+++ b/net/libreswan/patches/002-cripple_klips_klips_kernel_rules.patch
@ -1,22 +0,0 @@
-From fa00316e8c5151747f3e80895e6afd9ee1a9c0cd Mon Sep 17 00:00:00 2001
-From: Andrew Cagney <cagney@gnu.org>
-Date: Thu, 25 Oct 2018 21:02:45 -0400
-Subject: [PATCH] building: when !USE_KLIPS=true cripple klips kernel module
- rules
-
---
- Makefile | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index 0b070966e6..2fcf0229fd 100644
--- a/Makefile
-+++ b/Makefile
-@@ -216,5 +216,6 @@ install-fipshmac:
- include ${LIBRESWANSRCDIR}/mk/docker-targets.mk
- include ${LIBRESWANSRCDIR}/mk/kvm-targets.mk
- include ${LIBRESWANSRCDIR}/mk/web-targets.mk
-+ifeq ($(USE_KLIPS),true)
- include ${LIBRESWANSRCDIR}/mk/kernel.mk
-
-+endif
--- a/net/libreswan/patches/010-nanosleep.patch
+++ b/net/libreswan/patches/010-nanosleep.patch
@ -0,0 +1,21 @@
+--- a/programs/pluto/send.c
+++ b/programs/pluto/send.c
+@@ -26,7 +26,7 @@
+  *
+  */
+ 
+-#include <unistd.h>	/* for usleep() */
+#include <time.h>	/* for nanosleep() */
+ #include <errno.h>
+ 
+ #include "defs.h"
+@@ -172,7 +172,8 @@
+ 	/* Send a duplicate packet when this impair is enabled - used for testing */
+ 	if (IMPAIR(JACOB_TWO_TWO)) {
+ 		/* sleep for half a second, and second another packet */
+-		usleep(500000);
+		const struct timespec req = {0, 500 * 1000 * 1000};
+		nanosleep(&req, NULL);
+ 		endpoint_buf b;
+ 		endpoint_buf ib;
+ 		DBG_log("JACOB 2-2: resending %zu bytes for %s through %s from %s to %s:",
--- a/net/libreswan/patches/020-limits.patch
+++ b/net/libreswan/patches/020-limits.patch
@ -0,0 +1,20 @@
+--- a/programs/pluto/connections.c
+++ b/programs/pluto/connections.c
+@@ -34,6 +34,7 @@
+ #include <stdio.h>
+ #include <stddef.h>
+ #include <stdlib.h>
+#include <limits.h>
+ #include <unistd.h>
+ #include <netinet/in.h>
+ #include <sys/socket.h>
+--- a/programs/pluto/rcv_whack.c
+++ b/programs/pluto/rcv_whack.c
+@@ -36,6 +36,7 @@
+ #include <resolv.h>
+ #include <fcntl.h>
+ #include <unistd.h>		/* for gethostname() */
+#include <limits.h>
+ 
+ #include <libreswan.h>
+ #include "libreswan/pfkeyv2.h"
--- a/net/libreswan/patches/030-fix_nss_3.52.patch
+++ b/net/libreswan/patches/030-fix_nss_3.52.patch
@ -0,0 +1,30 @@
+From db7715407efa43cd2a66caed67c02d8f7bb90b35 Mon Sep 17 00:00:00 2001
+From: Paul Wouters <pwouters@redhat.com>
+Date: Tue, 12 May 2020 12:56:38 -0400
+Subject: [PATCH] nss: move NSS_PKCS11_2_0_COMPAT define to
+ ike_alg_encrypt_nss_gcm_ops.c
+
+It needs to go before any nss includes are done, and those includes are
+all over the place. But CK_GCM_PARAMS is only used in one file, so
+just define it there instead before the nss includes.
+---
+ lib/libswan/ike_alg_encrypt_nss_gcm_ops.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c b/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c
+index 93a027089a..571913cc1e 100644
+--- a/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c
+++ b/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c
+@@ -16,6 +16,12 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ 
+/*
+ * Special advise from Bob Relyea - needs to go before any nss include
+ *
+ */
+#define NSS_PKCS11_2_0_COMPAT 1
+
+ #include "lswlog.h"
+ #include "lswnss.h"
+ #include "prmem.h"
--- a/net/libreswan/patches/099-continue_on_missing_ipv6.patch
+++ b/net/libreswan/patches/099-continue_on_missing_ipv6.patch
@ -0,0 +1,12 @@
+--- a/programs/pluto/kernel_xfrm.c	2020-05-16 19:12:30.107226478 +0300
+++ b/programs/pluto/kernel_xfrm.c	2020-05-16 19:20:25.735522574 +0300
+@@ -2759,7 +2759,8 @@
+ 			LOG_ERRNO(errno, "\"%s\"", proc_f);
+ 		}
+ 	} else {
+-		LOG_ERRNO(errno, "could not stat \"%s\"", proc_f);
+		DBG(DBG_KERNEL, DBG_log("starting without ipv6 support!"));
+		disable_ipv6 = 1;
+ 	}
+ 
+ 	if (disable_ipv6 == 1) {