libreswan: 3.18 -> 3.29 (security)

addressing CVE-2019-12312 & CVE-2019-10155

pkgs/tools/networking/libreswan/default.nix

@@ -1,12 +1,12 @@
 { stdenv, fetchurl, makeWrapper,
   pkgconfig, systemd, gmp, unbound, bison, flex, pam, libevent, libcap_ng, curl, nspr,
   bash, iproute, iptables, procps, coreutils, gnused, gawk, nss, which, python,
-  docs ? false, xmlto
+  docs ? false, xmlto, libselinux, ldns
   }:
 
 let
   optional = stdenv.lib.optional;
-  version = "3.18";
+  version = "3.29";
   name = "libreswan-${version}";
   binPath = stdenv.lib.makeBinPath [
     bash iproute iptables procps coreutils gnused gawk nss.tools which python
@@ -14,6 +14,7 @@ let
 in
 
 assert docs -> xmlto != null;
+assert stdenv.isLinux -> libselinux != null;
 
 stdenv.mkDerivation {
   inherit name;
@@ -21,7 +22,7 @@ stdenv.mkDerivation {
 
   src = fetchurl {
     url = "https://download.libreswan.org/${name}.tar.gz";
-    sha256 = "0zginnakxw7m79zrdvfdvliaiyg78zgqfqkks9z5d1rjj5w13xig";
+    sha256 = "0gmbb1m5in5dvnbk1n31r8myrdankzvi6yk9gcqbcwijyih423nn";
   };
 
   # These flags were added to compile v3.18. Try to lift them when updating.
@@ -34,15 +35,21 @@ stdenv.mkDerivation {
 
   nativeBuildInputs = [ makeWrapper pkgconfig ];
   buildInputs = [ bash iproute iptables systemd coreutils gnused gawk gmp unbound bison flex pam libevent
-                  libcap_ng curl nspr nss python ]
-                ++ optional docs xmlto;
+                  libcap_ng curl nspr nss python ldns ]
+                ++ optional docs xmlto
+                ++ optional stdenv.isLinux libselinux;
 
   prePatch = ''
     # Correct bash path
     sed -i -e 's|/bin/bash|/usr/bin/env bash|' mk/config.mk
 
-    # Fix systemd unit directory, and prevent the makefile from trying to reload the systemd daemon
-    sed -i -e 's|UNITDIR=.*$|UNITDIR=$\{out}/etc/systemd/system/|' -e 's|systemctl --system daemon-reload|true|' initsystems/systemd/Makefile
+    # Fix systemd unit directory, and prevent the makefile from trying to reload the
+    # systemd daemon or create tmpfiles
+    sed -i -e 's|UNITDIR=.*$|UNITDIR=$\{out}/etc/systemd/system/|g' \
+      -e 's|TMPFILESDIR=.*$|TMPFILESDIR=$\{out}/tmpfiles.d/|g' \
+      -e 's|systemctl|true|g' \
+      -e 's|systemd-tmpfiles|true|g' \
+      initsystems/systemd/Makefile
 
     # Fix the ipsec program from crushing the PATH
     sed -i -e 's|\(PATH=".*"\):.*$|\1:$PATH|' programs/ipsec/ipsec.in
@@ -51,8 +58,6 @@ stdenv.mkDerivation {
     sed -i -e 's|#!/usr/bin/python|#!/usr/bin/env python|' -e 's/^\(\W*\)installstartcheck()/\1sscmd = "ss"\n\0/' programs/verify/verify.in
   '';
 
-  patches = [ ./libreswan-3.18-glibc-2.26.patch ];
-
   # Set appropriate paths for build
   preBuild = "export INC_USRLOCAL=\${out}";
 

pkgs/tools/networking/libreswan/libreswan-3.18-glibc-2.26.patch

@@ -1,36 +0,0 @@
-diff --git a/lib/libswan/id.c b/lib/libswan/id.c
-index 8f06275..efb0394 100644
---- a/lib/libswan/id.c
-+++ b/lib/libswan/id.c
-@@ -22,6 +22,7 @@
- #include <sys/socket.h>
- #include <netinet/in.h>
- #include <arpa/inet.h>
-+#include <limits.h>
- #include <unistd.h>
- #ifndef HOST_NAME_MAX	/* POSIX 1003.1-2001 says <unistd.h> defines this */
- #define HOST_NAME_MAX 255	/* upper bound, according to SUSv2 */
-diff --git a/linux/include/libreswan.h b/linux/include/libreswan.h
-index c5efc6a..b0af4d7 100644
---- a/linux/include/libreswan.h
-+++ b/linux/include/libreswan.h
-@@ -211,6 +211,7 @@ static inline deltatime_t monotimediff(monotime_t a, monotime_t b) {
- #include <assert.h>
- #define user_assert(foo) assert(foo)
- #include <stdio.h>
-+#include <stdint.h>
- 
- #  define uint8_t u_int8_t
- #  define uint16_t u_int16_t
-diff --git a/programs/pluto/rcv_whack.c b/programs/pluto/rcv_whack.c
-index 588c66c..4fc6289 100644
---- a/programs/pluto/rcv_whack.c
-+++ b/programs/pluto/rcv_whack.c
-@@ -24,6 +24,7 @@
- #include <stddef.h>
- #include <stdlib.h>
- #include <string.h>
-+#include <limits.h>
- #include <unistd.h>
- #ifndef HOST_NAME_MAX           /* POSIX 1003.1-2001 says <unistd.h> defines this */
- # define HOST_NAME_MAX  255     /* upper bound, according to SUSv2 */