diff -Naur libreswan-3.12-orig/Makefile.inc libreswan-3.12/Makefile.inc
--- libreswan-3.12-orig/Makefile.inc	2014-11-06 22:52:50.000000000 -0500
+++ libreswan-3.12/Makefile.inc	2015-04-28 23:18:45.781649956 -0400
@@ -176,7 +176,10 @@
 OSMOD_DESTDIR?=net/ipsec
 
 # What command to use to load the modules. openwrt does not have modprobe
-MODPROBE?=modprobe -q
+# Using -b enables blacklisting - this is needed for some known bad
+# versions of crypto acceleration modules.
+MODPROBEBIN?=modprobe
+MODPROBEARGS?=-q -b
 
 ### misc installation stuff
 
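Review bot: The new defaults leave MODPROBEARGS at `-q -b` even when MODPROBEBIN is overridden, so a platform that substitutes another loader (the openwrt case the comment above already mentions) will pass modprobe-specific flags to it unless the build clears MODPROBEARGS as well. The comment on the new variables should say so explicitly, e.g. `# MODPROBEARGS are modprobe(8) flags; a non-modprobe MODPROBEBIN must override MODPROBEARGS too`. It is also worth stating that `-b` makes blacklist entries in modprobe.d apply to every module _stackmanager loads, not only the crypto acceleration modules named as the motivation.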
@@ -521,7 +524,8 @@
 			-e "s:@IPSEC_EXECDIR@:$(FINALLIBEXECDIR):g" \
 			-e "s:@IPSEC_VARDIR@:$(FINALVARDIR):g" \
 			-e "s:@IPSEC_SBINDIR@:$(FINALSBINDIR):g" \
-			-e "s:@MODPROBE@:$(MODPROBE):g" \
+			-e "s:@MODPROBEBIN@:$(MODPROBEBIN):g" \
+			-e "s:@MODPROBEARGS@:$(MODPROBEARGS):g" \
 			-e "s:@USE_DEFAULT_CONNS@:$(USE_DEFAULT_CONNS):g" \
 
 # For KVM testing setup
diff -Naur libreswan-3.12-orig/programs/_stackmanager/_stackmanager.in libreswan-3.12/programs/_stackmanager/_stackmanager.in
--- libreswan-3.12-orig/programs/_stackmanager/_stackmanager.in	2014-11-06 22:52:50.000000000 -0500
+++ libreswan-3.12/programs/_stackmanager/_stackmanager.in	2015-04-28 23:16:25.709947026 -0400
@@ -2,7 +2,7 @@
 # STACK startup script
 # Copyright (C) 2007 Ken Bantoft <ken@xelerance.com>
 # Copyright (C) 2007-2008 Paul Wouters <paul@xelerance.com>
-# Copyright (C) 2008-2014 Tuomo Soini <tis@foobar.fi>
+# Copyright (C) 2008-2015 Tuomo Soini <tis@foobar.fi>
 # Copyright (C) 2012-2014 Paul Wouters <paul@libreswan.org>
 #
 # This program is free software; you can redistribute it and/or modify it
@@ -24,6 +24,7 @@
 export PATH
 
 test ${IPSEC_INIT_SCRIPT_DEBUG} && set -v -x
+MODPROBE="@MODPROBEBIN@ @MODPROBEARGS@"
 
 kamepfkey=/proc/net/pfkey
 ipsecpfkey=/proc/net/ipsec/version
@@ -119,11 +120,11 @@
 	    xfrm4_mode_beet esp4 esp6 ah4 ah6 af_key ip_vti
 	do
 	    # echo -n "${mod} " >&2
-	    @MODPROBE@ ${mod} 2>/dev/null
+	    ${MODPROBE} ${mod} 2>/dev/null
 	done
 
 	# xfrm_user is the old name for xfrm4_tunnel - backwards compatibility
-	@MODPROBE@ xfrm_user 2>/dev/null
+	${MODPROBE} xfrm_user 2>/dev/null
 
     fi
     # Required for Labeled IPsec
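Review bot: With `-b` now part of the default arguments, a modprobe.d blacklist entry for any module in this loop (esp4, ah4, af_key, ...) is honoured as well, and because the new `${MODPROBE} ${mod} 2>/dev/null` lines discard stderr the only symptom would be the stack failing to come up later. A short comment above the loop would save an operator a debugging session: `# -b honours modprobe.d blacklists; a blacklisted core xfrm module is skipped silently here`. The enclosing function starts and ends outside this hunk.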
@@ -184,19 +185,19 @@
 cryptomodules() {
     # load hardware random and crypto related modules.
     # some changed names over time
-    @MODPROBE@ hw_random 2>/dev/null
-    @MODPROBE@ hwrng 2>/dev/null
-    @MODPROBE@ virtio-rng 2>/dev/null
-    @MODPROBE@ amd-rng 2>/dev/null
-    @MODPROBE@ intel-rng 2>/dev/null
-    @MODPROBE@ geode-rng 2>/dev/null
-    @MODPROBE@ timeriomem-rng 2>/dev/null
-    @MODPROBE@ tpm-rng 2>/dev/null
+    ${MODPROBE} hw_random 2>/dev/null
+    ${MODPROBE} hwrng 2>/dev/null
+    ${MODPROBE} virtio-rng 2>/dev/null
+    ${MODPROBE} amd-rng 2>/dev/null
+    ${MODPROBE} intel-rng 2>/dev/null
+    ${MODPROBE} geode-rng 2>/dev/null
+    ${MODPROBE} timeriomem-rng 2>/dev/null
+    ${MODPROBE} tpm-rng 2>/dev/null
 
     # load any OCF and CryptoAPI modules we might need for acceleration
     # (OCF works for NETKEY and KLIPS/MAST)
     # OCF cryptosoft is for kernel acceleration (ESP/AH)
-    @MODPROBE@ cryptosoft 2>/dev/null
+    ${MODPROBE} cryptosoft 2>/dev/null
     # We skip cryptodev.ko because we no longer support /dev/crypto offloading
     # (the overhead of cryptodev is not worth it even on embedded platforms)
 
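Review bot: Nothing in cryptomodules explains why these loads now honour blacklists, although the Makefile.inc comment for the new `-b` flag names known-bad crypto acceleration modules as the reason; a reader of this script alone cannot see that connection. Suggest extending the existing comment at the top of the function with `# loaded with modprobe -b so admins can blacklist known-bad accelerator modules in modprobe.d`. The function body continues past the end of this hunk.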
@@ -219,9 +220,9 @@
     # padlock must load before aes module - though does not exist on newer
     # kernels
     # padlock-aes must load before padlock-sha for some reason
-    @MODPROBE@ padlock 2>/dev/null
-    @MODPROBE@ padlock-aes 2>/dev/null
-    @MODPROBE@ padlock-sha 2>/dev/null
+    ${MODPROBE} padlock 2>/dev/null
+    ${MODPROBE} padlock-aes 2>/dev/null
+    ${MODPROBE} padlock-sha 2>/dev/null
     # load the most common ciphers/algo's
     # aes-x86_64 has higher priority in via crypto api
     # kernel directory does not match uname -m on x86_64 :(
@@ -234,7 +235,7 @@
     do
 	module=$(basename ${module} | sed "s/\.ko$//")
 	# echo -n "${module} " >&2
-	@MODPROBE@ ${module} 2>/dev/null
+	${MODPROBE} ${module} 2>/dev/null
     done
 }
 
@@ -264,10 +265,10 @@
 		;;
 	esac
 	# modprobe does not like specifying .o or .ko, but insmod needs it
-	if [ "$(basename @MODPROBE@)" = "modprobe" ]; then
-	    @MODPROBE@ ipsec
+	if [ "$(basename "@MODPROBEBIN@")" = "modprobe" ]; then
+	    ${MODPROBE} ipsec
 	else
-	    @MODPROBE@ ${modulename}
+	    ${MODPROBE} ${modulename}
 	fi
 
 	if [ ! -f ${ipsecpfkey} ]; then
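Review bot: The else branch is taken exactly when MODPROBEBIN is not modprobe, yet the new `${MODPROBE} ${modulename}` on that path still carries @MODPROBEARGS@, which defaults to the modprobe-only `-q -b`; unless the build also overrides MODPROBEARGS, the alternative loader the comment above the if describes (insmod) receives flags it may not accept. Either the else branch should call `@MODPROBEBIN@ ${modulename}` without the modprobe flags, or the comment should state that MODPROBEARGS must be overridden together with MODPROBEBIN. The enclosing function starts and ends outside this hunk.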
@@ -418,7 +419,12 @@
     exit 4
 fi
 
-stack="$(ipsec addconn --config ${IPSEC_CONF} --liststack)"
+if [ "$2" = "--netkey" ]; then
+	# manual override for use in docker
+	stack=netkey
+else
+	stack="$(ipsec addconn --config ${IPSEC_CONF} --liststack)"
+fi
 
 case ${stack} in
     netkey|klips|mast|none)
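Review bot: The new `$2` check accepts exactly `--netkey` and silently ignores any other second argument, so a typo such as `--netky` falls through to the addconn query with no message; an unrecognised second argument should reach the `exit 4` error path just above instead of being dropped, e.g. `elif [ -n "$2" ]; then echo "unknown option: $2" >&2; exit 4`. The override also bypasses whatever `ipsec addconn --liststack` would have reported from ${IPSEC_CONF}, which is fine for the docker case but deserves a mention of `--netkey` in the script's usage text, which lies outside this hunk. The value of `action` is presumably `$1`, set earlier in the script.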
@@ -435,15 +441,18 @@
 
 case ${action} in
     stop)
-	# We don't unload NETKEY/XFRM on stop - only when we detect a stack change.
+	# We don't unload NETKEY/XFRM on stop - only when we detect a stack
+	# change.
 	if [ -f ${ipsecpfkey} ]; then
 		ipsec eroute --clear
-		# this clears all IP addresses on ipsecX interfaces by unloading the module
+		# this clears all IP addresses on ipsecX interfaces by
+		# unloading the module
 		stopklips
 	elif [ -f ${kamepfkey} ]; then
 		ip xfrm state flush
 		ip xfrm policy flush
-		# module unloading skipped on purpose - can hang for a long time or fail
+		# module unloading skipped on purpose - can hang for a long
+		# time or fail
 	fi
 	;;
     start)