import CS NetworkManager-libreswan-1.2.27-2.el9_7

2025-11-11 18:02:11 +00:00 · 2025-11-11 18:02:11 +00:00 · 6eeed681cb
commit 6eeed681cb
parent 3f52597094
3 changed files with 13 additions and 125 deletions
--- a/SOURCES/0004-sanitize-before-exporting-RHEL-only.patch
+++ b/SOURCES/0004-sanitize-before-exporting-RHEL-only.patch
@ -1,54 +0,0 @@
-From 15946667c771ba88d38f82cc467fd52d268e44bb Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@riseup.net>
-Date: Tue, 21 Oct 2025 08:37:35 +0200
-Subject: [PATCH] export: sanitize before exporting (RHEL only)
-
-The commit referenced below moved the responsibility of sanitizing the
-connection from nm_libreswan_get_ipsec_conf to its caller, but it forgot
-to sanitize in export_to_file(). Fix it.
-
-This is a RHEL-only patch, as this is fixed by a later commit that we
-didn't want to backport yet. When we rebase, this patch can be dropped.
-
-Fixes: 50d0fc5a265b ('Fix PSK authentication when leftid starts with `@`')
---
- properties/nm-libreswan-editor-plugin.c | 16 ++++++++++++++--
- 1 file changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c
-index 2b455ba..7a75e09 100644
--- a/properties/nm-libreswan-editor-plugin.c
-+++ b/properties/nm-libreswan-editor-plugin.c
-@@ -91,6 +91,7 @@ export_to_file (NMVpnEditorPlugin *self,
-                 GError **error)
- {
- 	NMSettingVpn *s_vpn;
-+	gs_unref_object NMSettingVpn *s_vpn_sanitized = NULL;
- 	gboolean openswan = FALSE;
- 	gs_free_error GError *local = NULL;
- 	gs_free char *ipsec_conf = NULL;
-@@ -98,8 +99,19 @@ export_to_file (NMVpnEditorPlugin *self,
- 	int version;
- 
- 	s_vpn = nm_connection_get_setting_vpn (connection);
-	if (s_vpn)
-		openswan = nm_streq (nm_setting_vpn_get_service_type (s_vpn), NM_VPN_SERVICE_TYPE_OPENSWAN);
-+	if (!s_vpn) {
-+		g_set_error_literal (error,
-+		                     NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_INVALID_CONNECTION,
-+		                     _("Empty VPN setting."));
-+		return FALSE;
-+	}
-+
-+	s_vpn_sanitized = sanitize_setting_vpn (s_vpn, error);
-+	if (!s_vpn_sanitized)
-+		return FALSE;
-+
-+	s_vpn = s_vpn_sanitized;
-+	openswan = nm_streq (nm_setting_vpn_get_service_type (s_vpn), NM_VPN_SERVICE_TYPE_OPENSWAN);
- 
- 	nm_libreswan_detect_version (nm_libreswan_find_helper_bin ("ipsec", NULL),
- 	                             &is_openswan, &version, NULL);
-- 
-2.51.0
-
--- a/SOURCES/0005-service-don-t-crash-with-malformed-connections.patch
+++ b/SOURCES/0005-service-don-t-crash-with-malformed-connections.patch
@ -1,61 +0,0 @@
-From 397096f85c155d18834e8f7b90b1ea439344cd32 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@riseup.net>
-Date: Thu, 23 Oct 2025 11:54:46 +0200
-Subject: [PATCH] service: don't crash with malformed connections
-
-If a connection is malformed, i.e. by having incorrect values, a crash
-(or something worse) could happen in _connect_common because we were
-assuming that the value returned from sanitize_setting_vpn() must be
-non-NULL. If the connection is malformed, it will be NULL.
-
-Fix it by gracefully handling this scenario.
-
-This is a RHEL-only patch, as this is fixed by a later commit that we
-didn't want to backport yet. When we rebase, this patch can be dropped.
-
-Fixes: 50d0fc5a265b ('Fix PSK authentication when leftid starts with `@`')
---
- src/nm-libreswan-service.c | 20 ++++++++++++++++----
- 1 file changed, 16 insertions(+), 4 deletions(-)
-
-diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
-index 58ada03..a093547 100644
--- a/src/nm-libreswan-service.c
-+++ b/src/nm-libreswan-service.c
-@@ -1756,7 +1756,8 @@ _connect_common (NMVpnServicePlugin   *plugin,
- {
- 	NMLibreswanPlugin *self = NM_LIBRESWAN_PLUGIN (plugin);
- 	NMLibreswanPluginPrivate *priv = NM_LIBRESWAN_PLUGIN_GET_PRIVATE (self);
-	gs_unref_object NMSettingVpn *s_vpn = NULL;
-+	NMSettingVpn *s_vpn;
-+	gs_unref_object NMSettingVpn *s_vpn_sanitized = NULL;
- 	const char *con_name = nm_connection_get_uuid (connection);
- 	gs_free char *ipsec_banner = NULL;
- 	gs_free char *ifupdown_script = NULL;
-@@ -1794,9 +1795,20 @@ _connect_common (NMVpnServicePlugin   *plugin,
- 			return FALSE;
- 	}
- 
-	s_vpn = sanitize_setting_vpn(nm_connection_get_setting_vpn (connection),
-				     error);
-	g_assert (s_vpn);
-+	s_vpn = nm_connection_get_setting_vpn(connection);
-+	if (!s_vpn) {
-+		g_set_error_literal(error,
-+		                    NM_VPN_PLUGIN_ERROR,
-+		                    NM_VPN_PLUGIN_ERROR_INVALID_CONNECTION,
-+		                    _("Empty VPN setting."));
-+		return FALSE;
-+	}
-+
-+	s_vpn_sanitized = sanitize_setting_vpn(s_vpn, error);
-+	if (!s_vpn_sanitized)
-+		return FALSE;
-+
-+	s_vpn = s_vpn_sanitized;
- 
- 	g_object_get (self, NM_VPN_SERVICE_PLUGIN_DBUS_SERVICE_NAME, &bus_name, NULL);
- 
-- 
-2.51.0
-
--- a/SPECS/NetworkManager-libreswan.spec
+++ b/SPECS/NetworkManager-libreswan.spec
@ -30,8 +30,6 @@ Source0:   https://download.gnome.org/sources/NetworkManager-libreswan/%{real_ve
 Patch0:    0001-Export-esp-option.patch
 Patch1:    0002-fix-psk-auth-when-leftid-starts-with-at.patch
 Patch2:    0003-import-export-nm-auto-defaults-no.patch
-Patch3:    0004-sanitize-before-exporting-RHEL-only.patch
-Patch4:    0005-service-don-t-crash-with-malformed-connections.patch

 BuildRequires: make
 BuildRequires: gcc
@ -133,15 +131,20 @@ rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la
 %endif

 %changelog
-* Thu Oct 23 2025 Vladimír Beneš <vbenes@redhat.com 1.2.27-2
- Fix potentional crash in malformed imports
+* Mon Oct 20 2025 Vladimír Beneš <vbenes@redhat.com> - 1.2.27-2
+* Symetric import/export with nm-auto-default (RHEL-122306)
+* Esp param properly exported (RHEL-122626)
+* Correct leftid export when it contains @

-* Tue Oct 21 2025 Vladimír Beneš <vbenes@redhat.com 1.2.27-1
- Update to 1.2.27 version
- Support leftsendcert in X.509-Based VPN (RHEL-110771)
- Add support for nm-auto-defaults + symetric import/export
- Support rightca in ipsec section
- Esp param properly exported
+* Thu Oct 02 2025 Vladimír Beneš <vbenes@redhat.com> - 1.2.27-1
+- Update to later upstream release to address regressions (RHEL-56551)
+- Support rightca in ipsec section (RHEL-118819)
+
+* Tue Jul 01 2025 Gris Ge <fge@redhat.com> - 1.2.26-3
+- Fix regression on phase2alg/esp for IKEv1 (RHEL-85768)
+
+* Mon May 12 2025 Lubomir Rintel <lkundrak@v3.sk> - 1.2.26-2
+- Add support for nm-auto-defaults (RHEL-85768)

 * Tue Jan 28 2025 Lubomir Rintel <lkundrak@v3.sk> - 1.2.26-1
 - Update to 1.2.26 release