diff --git a/SOURCES/0006-add-support-leftsubnet.patch b/SOURCES/0006-add-support-leftsubnet.patch
new file mode 100644
index 0000000..d8310c1
--- /dev/null
+++ b/SOURCES/0006-add-support-leftsubnet.patch
@@ -0,0 +1,71 @@ +From 2045cdf3dec79ae7d7b03ca7a081b8c444e242ef Mon Sep 17 00:00:00 2001 +From: Beniamino Galvani +Date: Wed, 10 Apr 2024 13:23:56 +0200 +Subject: [PATCH] service,properties: support "leftsubnet" + +https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/-/merge_requests/30 +--- + properties/nm-libreswan-dialog.ui | 42 ++++++++++++++++++++----- + properties/nm-libreswan-editor-plugin.c | 2 ++ + properties/nm-libreswan-editor.c | 12 +++++++ + shared/nm-service-defines.h | 1 + + shared/utils.c | 5 +++ + src/nm-libreswan-service.c | 1 + + 6 files changed, 56 insertions(+), 7 deletions(-) + +diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c +index fe85c81..bb1685d 100644 +--- a/properties/nm-libreswan-editor-plugin.c ++++ b/properties/nm-libreswan-editor-plugin.c +@@ -215,6 +215,8 @@ import_from_file (NMVpnEditorPlugin *self, + else if (g_str_has_prefix (str, "rightsubnet=")) { + if (!g_str_has_prefix (str, "rightsubnet=0.0.0.0/0")) + nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REMOTENETWORK, &str[12]); ++ } else if (g_str_has_prefix (str, "leftsubnet=")) { ++ nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_LOCALNETWORK, str + NM_STRLEN("leftsubnet=")); + } else if (g_str_has_prefix (str, "leftrsasigkey=")) { + if (str[14] != '%') + nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTRSASIGKEY, &str[14]); +diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h +index 95e19d4..96e5c71 100644 +--- a/shared/nm-service-defines.h ++++ b/shared/nm-service-defines.h +@@ -62,6 +62,7 @@ + #define NM_LIBRESWAN_KEY_SALIFETIME "salifetime" + #define NM_LIBRESWAN_KEY_VENDOR "vendor" + #define NM_LIBRESWAN_KEY_REMOTENETWORK "rightsubnet" ++#define NM_LIBRESWAN_KEY_LOCALNETWORK "leftsubnet" + #define NM_LIBRESWAN_KEY_IKEV2 "ikev2" + #define NM_LIBRESWAN_KEY_NARROWING "narrowing" + #define NM_LIBRESWAN_KEY_REKEY "rekey" +diff --git a/shared/utils.c b/shared/utils.c +index 
9e616f8..926d12d 100644 +--- a/shared/utils.c ++++ b/shared/utils.c +@@ -222,6 +222,11 @@ nm_libreswan_config_write (gint fd, + WRITE_CHECK (fd, debug_write_fcn, error, " rightsubnet=%s", + remote_network); + ++ item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LOCALNETWORK); ++ if (item) { ++ WRITE_CHECK (fd, debug_write_fcn, error, " leftsubnet=%s", item); ++ } ++ + if (!is_ikev2) { + /* When IKEv1 is in place, we enforce XAUTH: so, use IKE version + * also to check if XAUTH conf options should be passed to Libreswan. +diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c +index 7e96230..88c07d7 100644 +--- a/src/nm-libreswan-service.c ++++ b/src/nm-libreswan-service.c +@@ -271,6 +271,7 @@ static ValidProperty valid_properties[] = { + { NM_LIBRESWAN_KEY_SALIFETIME, G_TYPE_STRING, 0, 0 }, + { NM_LIBRESWAN_KEY_VENDOR, G_TYPE_STRING, 0, 0 }, + { NM_LIBRESWAN_KEY_REMOTENETWORK, G_TYPE_STRING, 0, 0 }, ++ { NM_LIBRESWAN_KEY_LOCALNETWORK, G_TYPE_STRING, 0, 0 }, + { NM_LIBRESWAN_KEY_IKEV2, G_TYPE_STRING, 0, 0 }, + { NM_LIBRESWAN_KEY_NARROWING, G_TYPE_STRING, 0, 0 }, + { NM_LIBRESWAN_KEY_REKEY, G_TYPE_STRING, 0, 0 }, +-- +2.44.0 + diff --git a/SOURCES/0007-add-rightcert-property.patch b/SOURCES/0007-add-rightcert-property.patch new file mode 100644 index 0000000..6c4e8dc --- /dev/null +++ b/SOURCES/0007-add-rightcert-property.patch 
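Review bot: The new `leftsubnet` write in nm_libreswan_config_write emits the item whenever it is non-NULL, so an empty string stored under NM_LIBRESWAN_KEY_LOCALNETWORK would presumably produce a bare ` leftsubnet=` line in the generated config; the neighbouring `leftcert` handling in the same function guards with `strlen`, so `if (item && item[0]) {` would be consistent. The value is also written verbatim and the `valid_properties` entry only pins G_TYPE_STRING, so unless validation elsewhere constrains it, a short comment stating that libreswan is expected to reject a malformed subnet (or a check that the value parses as an address/prefix list) would document where the input is trusted. On the import side `leftsubnet=` values are added unconditionally while `rightsubnet=0.0.0.0/0` is deliberately dropped; if that asymmetry is intended, a one-line comment saying so would help. Separately, the embedded diffstat lists nm-libreswan-dialog.ui and nm-libreswan-editor.c (6 files, 56 insertions) but the body carries only four files, so the header no longer matches the backported content. Both import_from_file and nm_libreswan_config_write continue outside the shown hunks.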
@@ -0,0 +1,107 @@ +0001-properties-service-suppor-rightcert-configuration.patch +0002-properties-add-Remote-certificate-field-to-the-dialo.patch +From a980e399694c0a9887d98f1e0f0f24a201cb29c7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= +Date: Mon, 15 Apr 2024 10:42:08 +0200 +Subject: [PATCH 1/2] properties, service: suppor rightcert configuration + +This configuration allows to specify a certificate from the NSS database +to identify the remote, instead of pulling it. + +(cherry picked from commit 2684233fd1c65c221d1f18c9d5b779c616c6d091) +--- + properties/nm-libreswan-editor-plugin.c | 2 ++ + shared/nm-service-defines.h | 1 + + shared/utils.c | 7 +++++++ + src/nm-libreswan-service.c | 8 ++++++-- + 4 files changed, 16 insertions(+), 2 deletions(-) + +diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c +index bb1685d..fe473d1 100644 +--- a/properties/nm-libreswan-editor-plugin.c ++++ b/properties/nm-libreswan-editor-plugin.c +@@ -182,6 +182,8 @@ import_from_file (NMVpnEditorPlugin *self, + nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTUSERNAME, &str[13]); + else if (g_str_has_prefix (str, "leftcert=")) + nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTCERT, &str[9]); ++ else if (g_str_has_prefix (str, "rightcert=")) ++ nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT, &str[10]); + else if (nm_streq0 (str, "leftmodecfgclient=no")) + nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTMODECFGCLIENT, "no"); + else if (g_str_has_prefix (str, "pfs=no")) +diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h +index 96e5c71..167b837 100644 +--- a/shared/nm-service-defines.h ++++ b/shared/nm-service-defines.h +@@ -37,6 +37,7 @@ + #define NM_LIBRESWAN_KEY_RIGHT "right" + #define NM_LIBRESWAN_KEY_RIGHTID "rightid" + #define NM_LIBRESWAN_KEY_RIGHTRSASIGKEY "rightrsasigkey" ++#define NM_LIBRESWAN_KEY_RIGHTCERT "rightcert" + #define 
NM_LIBRESWAN_KEY_LEFT "left" + #define NM_LIBRESWAN_KEY_LEFTID "leftid" + #define NM_LIBRESWAN_KEY_LEFTRSASIGKEY "leftrsasigkey" +diff --git a/shared/utils.c b/shared/utils.c +index 926d12d..5e19316 100644 +--- a/shared/utils.c ++++ b/shared/utils.c +@@ -108,6 +108,7 @@ nm_libreswan_config_write (gint fd, + const char *left; + const char *leftid; + const char *leftcert; ++ const char *rightcert; + const char *leftrsasigkey; + const char *rightrsasigkey; + const char *authby; +@@ -165,7 +166,13 @@ nm_libreswan_config_write (gint fd, + leftrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTRSASIGKEY); + rightrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTRSASIGKEY); + leftcert = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTCERT); ++ rightcert = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT); + authby = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_AUTHBY); ++ if (rightcert && strlen (rightcert)) { ++ WRITE_CHECK (fd, debug_write_fcn, error, " rightcert=%s", rightcert); ++ if (!rightrsasigkey) ++ rightrsasigkey = "%cert"; ++ } + if (leftcert && strlen (leftcert)) { + WRITE_CHECK (fd, debug_write_fcn, error, " leftcert=%s", leftcert); + if (!leftrsasigkey) +diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c +index 88c07d7..516eaac 100644 +--- a/src/nm-libreswan-service.c ++++ b/src/nm-libreswan-service.c +@@ -250,6 +250,7 @@ static ValidProperty valid_properties[] = { + { NM_LIBRESWAN_KEY_RIGHT, G_TYPE_STRING, 0, 0 }, + { NM_LIBRESWAN_KEY_RIGHTID, G_TYPE_STRING, 0, 0 }, + { NM_LIBRESWAN_KEY_RIGHTRSASIGKEY, G_TYPE_STRING, 0, 0 }, ++ { NM_LIBRESWAN_KEY_RIGHTCERT, G_TYPE_STRING, 0, 0 }, + { NM_LIBRESWAN_KEY_LEFT, G_TYPE_STRING, 0, 0 }, + { NM_LIBRESWAN_KEY_LEFTID, G_TYPE_STRING, 0, 0 }, + { NM_LIBRESWAN_KEY_LEFTXAUTHUSER, G_TYPE_STRING, 0, 0 }, +@@ -1801,6 +1802,7 @@ real_need_secrets (NMVpnServicePlugin *plugin, + NMSettingVpn *s_vpn; + const char *leftcert; + const char 
*leftrsasigkey; ++ const char *rightcert; + const char *rightrsasigkey; + const char *pw_type; + +@@ -1821,10 +1823,12 @@ real_need_secrets (NMVpnServicePlugin *plugin, + if (leftcert) + goto xauth_check; + +- /* If authentication is done through rsasigkeys, only the public keys are required */ ++ /* If authentication is done through rsasigkeys, only the public keys are required. ++ * If rightcert is specified, rightrsasigkey is assumed to be '%cert' */ + leftrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTRSASIGKEY); + rightrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTRSASIGKEY); +- if (leftrsasigkey && rightrsasigkey) ++ rightcert = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT); ++ if (leftrsasigkey && (rightrsasigkey || rightcert)) + goto xauth_check; + + pw_type = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_PSK_INPUT_MODES); +-- +2.44.0 + diff --git a/SPECS/NetworkManager-libreswan.spec b/SPECS/NetworkManager-libreswan.spec index dae30a1..8f2a72d 100644 --- a/SPECS/NetworkManager-libreswan.spec +++ b/SPECS/NetworkManager-libreswan.spec @@ -11,7 +11,7 @@ %global real_version 1.2.18 %global rpm_version 1.2.18 -%global release_version 2 +%global release_version 3 %global real_version_major %(printf '%s' '%{real_version}' | sed -n 's/^\\([1-9][0-9]*\\.[1-9][0-9]*\\)\\.[1-9][0-9]*$/\\1/p') @@ -32,6 +32,8 @@ Patch2: 0002-service-use-new-API-to-send-configuration-to-NM.patch Patch3: 0003-service-don-t-send-IPv4-config-if-mode-config-client.patch Patch4: 0004-service-fix-wrong-refcounting-in-D-Bus-handler-for-C.patch Patch5: 0005-service-properties-support-type-hostaddrfamily-clien.patch +Patch6: 0006-add-support-leftsubnet.patch +Patch7: 0007-add-rightcert-property.patch BuildRequires: make BuildRequires: gcc 
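Review bot: The new `rightcert=` import branch uses the magic offset `&str[10]` although the preceding patch in this series introduced `str + NM_STRLEN("leftsubnet=")` for the same purpose; `str + NM_STRLEN("rightcert=")` keeps the prefix and its length tied together. In shared/utils.c `rightcert` only takes effect when non-empty (`rightcert && strlen (rightcert)`), while real_need_secrets treats any non-NULL `rightcert` as satisfying the RSA-signature path, so an empty value would skip the secrets request yet write neither `rightcert=` nor the `%cert` default; `(rightrsasigkey || (rightcert && rightcert[0]))` would align the two. The patch file also opens with two stray lines naming 0001-…/0002-… patch files ahead of the `From` header, which patch(1) will presumably skip as leading garbage but which should be dropped, and the subject's `[PATCH 1/2]` implies a dialog follow-up that is not in SOURCES. import_from_file, nm_libreswan_config_write and real_need_secrets all continue outside the shown hunks.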
@@ -133,6 +135,10 @@ rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la %endif %changelog +* Tue May 07 2024 Fernando Fernandez Mancera - 1.2.18-3 +- Support leftsubnet property (RHEL-33376) +- Support rightcert property (RHEL-33372) + * Wed Jan 17 2024 Fernando Fernandez Mancera - 1.2.18-2 - Support point-to-point IPSec tunnel (RHEL-20690) - Fix crash in libreswan_nmstate_iface_dpd_rsa (RHEL-21221)