Fix regression on phase2alg/esp for IKEv1

Resolves: RHEL-85768

Signed-off-by: Gris Ge <fge@redhat.com>
Gris Ge 2025-07-01 19:52:15 +08:00
parent 603d8eb1bc
commit 4b89e4f85f
2 changed files with 74 additions and 1 deletions


@ -0,0 +1,69 @@
From 43f3df676e827e343bae9455dc1eb82c5a805574 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Fri, 27 Jun 2025 18:21:51 +0200
Subject: [PATCH] shared/utils: only set phase2alg/esp for ikev1 in aggressive
mode
Commit f3c6f38f3be3 ("shared: make ipsec.conf formatting declarative")
changed the logic to write option phase2alg/esp. Before the commit, it
was automatically set to NM_LIBRESWAN_AGGRMODE_DEFAULT_ESP only for
IKEv1 in aggressive mode ("leftid" set). After, the option is set for
IKEv2. Restore the old behavior.
Fixes: f3c6f38f3be3 ("shared: make ipsec.conf formatting declarative")
Signed-off-by: Gris Ge <fge@redhat.com>
---
shared/test-utils.c | 3 ---
shared/utils.c | 5 ++++-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/shared/test-utils.c b/shared/test-utils.c
index 2dc4532..ec47fe5 100644
--- a/shared/test-utils.c
+++ b/shared/test-utils.c
@@ -103,7 +103,6 @@ test_config_write (void)
" leftmodecfgclient=yes\n"
" rightsubnet=0.0.0.0/0\n"
" rekey=yes\n"
- " phase2alg=aes256-sha1\n"
" keyingtries=1\n"
" rightmodecfgserver=yes\n"
" modecfgpull=yes\n");
@@ -127,7 +126,6 @@ test_config_write (void)
" leftmodecfgclient=yes\n"
" rightsubnet=0.0.0.0/0\n"
" rekey=yes\n"
- " phase2alg=aes256-sha1\n"
" keyingtries=1\n"
" rightmodecfgserver=yes\n"
" modecfgpull=yes\n");
@@ -372,7 +370,6 @@ test_config_read (void)
" leftmodecfgclient=yes\n"
" rightsubnet=0.0.0.0/0\n"
" rekey=yes\n"
- " phase2alg=aes256-sha1\n"
" keyingtries=1\n"
" rightmodecfgserver=yes\n"
" modecfgpull=yes\n",
diff --git a/shared/utils.c b/shared/utils.c
index 9c33315..a2e5b9a 100644
--- a/shared/utils.c
+++ b/shared/utils.c
@@ -223,10 +223,13 @@ add_ike (NMSettingVpn *s_vpn, const char *key, const char *val)
static void
add_phase2alg (NMSettingVpn *s_vpn, const char *key, const char *val)
{
+ const char *leftid;
+
if (val == NULL || val[0] == '\0')
val = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_ESP);
if (val == NULL || val[0] == '\0') {
- if (nm_libreswan_utils_setting_is_ikev2 (s_vpn))
+ leftid = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTID);
+ if (!nm_libreswan_utils_setting_is_ikev2 (s_vpn) && leftid && leftid[0] != '\0')
val = NM_LIBRESWAN_AGGRMODE_DEFAULT_ESP;
}
nm_setting_vpn_add_data_item (s_vpn, key, val);
--
2.50.0
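Review bot: The three shared/test-utils.c hunks only delete the `phase2alg=aes256-sha1` expectation, so in what is visible here nothing asserts that the default is still written for an IKEv1 connection with `leftid` set; a test case for that path would pin exactly which connections get a fixed ESP proposal. In `add_phase2alg` the new condition uses a non-empty `leftid` as the marker for IKEv1 aggressive mode, but that link is stated only in the commit message. A comment above the check would record it, e.g. `/* leftid set on an IKEv1 connection means aggressive mode: only then apply the default ESP proposal, otherwise leave the option unset */`. When neither branch applies, `val` reaches `nm_setting_vpn_add_data_item` as NULL or empty; that looks like the intended "unset" path, but it is worth confirming because the function body continues past the end of the hunk.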


@ -11,7 +11,7 @@
%global real_version 1.2.26
%global rpm_version 1.2.26
%global release_version 2
%global release_version 3
%global real_version_major %(printf '%s' '%{real_version}' | sed -n 's/^\\([1-9][0-9]*\\.[1-9][0-9]*\\)\\.[1-9][0-9]*$/\\1/p')
@ -29,6 +29,7 @@ Source0: https://download.gnome.org/sources/NetworkManager-libreswan/%{real_ve
Patch0: https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/-/commit/3ea80883fefc.patch#/0001-Add-nm-auto-defaults-option.patch
Patch1: https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/-/commit/9b4467bd226d.patch#/0002-Treat-leftmodecfgserver-differently-according-to-nm-.patch
Patch2: https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/-/commit/43f3df676e82.patch#/0003-shared-utils-only-set-phase2alg-esp-for-ikev1-in-agg.patch
BuildRequires: make
BuildRequires: gcc
@ -130,6 +131,9 @@ rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la
%endif
%changelog
* Tue Jul 01 2025 Gris Ge <fge@redhat.com> - 1.2.26-3
- Fix regression on phase2alg/esp for IKEv1 (RHEL-85768)
* Mon May 12 2025 Lubomir Rintel <lkundrak@v3.sk> - 1.2.26-2
- Add support for nm-auto-defaults (RHEL-85768)