nixpkgs/pkgs/tools/networking/libreswan/default.nix
Leona Maroni eee733a88d
libreswan: 4.12 -> 4.15
https://download.libreswan.org/CHANGES

fixes CVE-2024-2357, CVE-2024-3652
2024-04-19 13:55:56 +02:00


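# libreswan: IKE/IPsec implementation.  Most of the work here is patching the
# upstream scripts and Makefiles so they run from the Nix store instead of
# assuming FHS paths (/sbin, /bin/bash, /etc, /var).
{ lib
, stdenv
, fetchurl
, nixosTests
, pkg-config
, systemd
, gmp
, unbound
, bison
, flex
, pam
, libevent
, libcap_ng
, libxcrypt
, curl
, nspr
, bash
, runtimeShell
, iproute2
, iptables
, procps
, coreutils
, gnused
, gawk
, nss
, which
, python3
, libselinux
, ldns
, xmlto
, docbook_xml_dtd_412
, docbook_xsl
, findXMLCatalogs
, dns-root-data
}:

let
  # Tools needed at runtime by the ipsec helper scripts; prepended to PATH
  # of the main "ipsec" script in postFixup.
  binPath = lib.makeBinPath [
    iproute2 iptables procps
    coreutils gnused gawk
    nss.tools which
  ];
in
stdenv.mkDerivation rec {
  pname = "libreswan";
  version = "4.15";

  src = fetchurl {
    url = "https://download.libreswan.org/${pname}-${version}.tar.gz";
    hash = "sha256-/mDX2zmMjuIlBV2zZeyWiiSuvLxcNQYRMfz/2tG+BK8=";
  };

  strictDeps = true;

  nativeBuildInputs = [
    bison
    flex
    pkg-config
    xmlto
    docbook_xml_dtd_412
    docbook_xsl
    findXMLCatalogs
  ];

  buildInputs = [
    systemd coreutils
    gnused gawk gmp unbound pam libevent
    libcap_ng libxcrypt curl nspr nss ldns
    # needed to patch shebangs
    python3 bash
  ] ++ lib.optional stdenv.isLinux libselinux;

  prePatch = ''
    # Replace hard-coded /sbin and /bin/bash paths with store paths.
    # The iptables rule must come before the plain "/sbin/ip" rule: sed
    # applies the expressions in order and "/sbin/ip" is a prefix of
    # "/sbin/iptables", so the reverse order would rewrite iptables to an
    # iproute2 path and leave the iptables rule with nothing to match.
    sed -e 's|/sbin/\(ip6\?tables\)|${iptables}/bin/\1|g' \
        -e 's|/sbin/ip|${iproute2}/bin/ip|g' \
        -e 's|/bin/bash|${runtimeShell}|g' \
        -i initsystems/systemd/ipsec.service.in \
           programs/barf/barf.in \
           programs/verify.linux/verify.in
    # Bare "iptables"/"ip6tables"/"*-save" invocations (preceded by blank)
    # in the verify script also get an absolute store path.
    sed -e 's|\([[:blank:]]\)\(ip6\?tables\(-save\)\? -\)|\1${iptables}/bin/\2|' \
        -i programs/verify.linux/verify.in

    # Prevent the makefile from trying to
    # reload the systemd daemon or create tmpfiles
    sed -e 's|systemctl|true|g' \
        -e 's|systemd-tmpfiles|true|g' \
        -i initsystems/systemd/Makefile

    # Fix systemd detection on NixOS: barf only looks for /bin/journalctl,
    # so also accept the system profile's journalctl.
    sed -e 's|\(-a ! -x /bin/journalctl\)|\1 -a ! -x /run/current-system/sw/bin/journalctl|g' \
        -e 's|\(-o ! -x /bin/journalctl\)|\1 -o ! -x /run/current-system/sw/bin/journalctl|g' \
        -i programs/barf/barf.in

    # Keep the ipsec program from clobbering PATH: append the caller's
    # $PATH to the script's own PATH= assignment instead of replacing it.
    sed -e 's|\(PATH=".*"\):.*$|\1:$PATH|' -i programs/ipsec/ipsec.in

    # Make the python verify script run "ss" from PATH: inject
    # `sscmd = "ss"` right before installstartcheck().
    sed -e 's/^\(\W*\)installstartcheck()/\1sscmd = "ss"\n\0/' \
        -i programs/verify.linux/verify.in

    # Replace wget with curl to save a dependency.  "-f" makes curl exit
    # non-zero on an HTTP error instead of saving the error body as the
    # downloaded file (curl's default), matching wget's failure behaviour.
    curlArgs='-sf --remote-name-all --output-dir'
    sed -e "s|wget -q -P|${curl}/bin/curl $curlArgs|g" \
        -i programs/letsencrypt/letsencrypt.in

    # Patch the Makefile:
    # 1. correct the pam.d directory install path
    # 2. do not create the /var/lib/ directory
    sed -e 's|$(DESTDIR)/etc/pam.d|$(out)/etc/pam.d|' \
        -e '/test ! -d $(NSSDIR)/,+3d' \
        -i configs/Makefile
  '';

  makeFlags = [
    "PREFIX=$(out)"
    "INITSYSTEM=systemd"
    "UNITDIR=$(out)/etc/systemd/system/"
    "TMPFILESDIR=$(out)/lib/tmpfiles.d/"
    "LINUX_VARIANT=nixos"
    "DEFAULT_DNSSEC_ROOTKEY_FILE=${dns-root-data}/root.key"
  ];

  # Hack to make install work: the install step must not touch /var or /etc
  # (the "\${out}" is expanded by make, not by Nix).
  installFlags = [
    "FINALVARDIR=\${out}/var"
    "FINALSYSCONFDIR=\${out}/etc"
  ];

  postInstall = ''
    # Install examples directory (needed for letsencrypt)
    cp -r docs/examples $out/share/doc/libreswan/examples
  '';

  postFixup = ''
    # Add a PATH to the main "ipsec" script: the first blank line of the
    # script is replaced by an export of the runtime tool paths.
    sed -e '0,/^$/{s||export PATH=${binPath}:$PATH|}' \
        -i $out/bin/ipsec
  '';

  passthru.tests.libreswan = nixosTests.libreswan;

  meta = {
    homepage = "https://libreswan.org";
    description = "A free software implementation of the VPN protocol based on IPSec and the Internet Key Exchange";
    platforms = lib.platforms.linux ++ lib.platforms.freebsd;
    license = with lib.licenses; [ gpl2Plus mpl20 ];
    maintainers = with lib.maintainers; [ afranchuk rnhmjoj ];
    mainProgram = "ipsec";
  };
}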