diff --git a/SOURCES/0004-sanitize-before-exporting-RHEL-only.patch b/SOURCES/0004-sanitize-before-exporting-RHEL-only.patch
deleted file mode 100644
index f396d31..0000000
--- a/SOURCES/0004-sanitize-before-exporting-RHEL-only.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 15946667c771ba88d38f82cc467fd52d268e44bb Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?=
-Date: Tue, 21 Oct 2025 08:37:35 +0200
-Subject: [PATCH] export: sanitize before exporting (RHEL only)
-
-The commit referenced below moved the responsibility of sanitizing the
-connection from nm_libreswan_get_ipsec_conf to its caller, but it forgot
-to sanitize in export_to_file(). Fix it.
-
-This is a RHEL-only patch, as this is fixed by a later commit that we
-didn't want to backport yet. When we rebase, this patch can be dropped.
-
-Fixes: 50d0fc5a265b ('Fix PSK authentication when leftid starts with `@`')
----
- properties/nm-libreswan-editor-plugin.c | 16 ++++++++++++++--
- 1 file changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c
-index 2b455ba..7a75e09 100644
---- a/properties/nm-libreswan-editor-plugin.c
-+++ b/properties/nm-libreswan-editor-plugin.c
-@@ -91,6 +91,7 @@ export_to_file (NMVpnEditorPlugin *self,
- GError **error)
- {
- NMSettingVpn *s_vpn;
-+ gs_unref_object NMSettingVpn *s_vpn_sanitized = NULL;
- gboolean openswan = FALSE;
- gs_free_error GError *local = NULL;
- gs_free char *ipsec_conf = NULL;
-@@ -98,8 +99,19 @@ export_to_file (NMVpnEditorPlugin *self,
- int version;
-
- s_vpn = nm_connection_get_setting_vpn (connection);
-- if (s_vpn)
-- openswan = nm_streq (nm_setting_vpn_get_service_type (s_vpn), NM_VPN_SERVICE_TYPE_OPENSWAN);
-+ if (!s_vpn) {
-+ g_set_error_literal (error,
-+ NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_INVALID_CONNECTION,
-+ _("Empty VPN setting."));
-+ return FALSE;
-+ }
-+
-+ s_vpn_sanitized = sanitize_setting_vpn (s_vpn, error);
-+ if (!s_vpn_sanitized)
-+ return FALSE;
-+
-+ s_vpn = s_vpn_sanitized;
-+ openswan = nm_streq (nm_setting_vpn_get_service_type (s_vpn), NM_VPN_SERVICE_TYPE_OPENSWAN);
-
- nm_libreswan_detect_version (nm_libreswan_find_helper_bin ("ipsec", NULL),
- &is_openswan, &version, NULL);
--- 
-2.51.0
-
diff --git a/SOURCES/0005-service-don-t-crash-with-malformed-connections.patch b/SOURCES/0005-service-don-t-crash-with-malformed-connections.patch
deleted file mode 100644
index e5f1a54..0000000
--- a/SOURCES/0005-service-don-t-crash-with-malformed-connections.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 397096f85c155d18834e8f7b90b1ea439344cd32 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?=
-Date: Thu, 23 Oct 2025 11:54:46 +0200
-Subject: [PATCH] service: don't crash with malformed connections
-
-If a connection is malformed, i.e. by having incorrect values, a crash
-(or something worse) could happen in _connect_common because we were
-assuming that the value returned from sanitize_setting_vpn() must be
-non-NULL. If the connection is malformed, it will be NULL.
-
-Fix it by gracefully handling this scenario.
-
-This is a RHEL-only patch, as this is fixed by a later commit that we
-didn't want to backport yet. When we rebase, this patch can be dropped.
-
-Fixes: 50d0fc5a265b ('Fix PSK authentication when leftid starts with `@`')
----
- src/nm-libreswan-service.c | 20 ++++++++++++++++----
- 1 file changed, 16 insertions(+), 4 deletions(-)
-
-diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
-index 58ada03..a093547 100644
---- a/src/nm-libreswan-service.c
-+++ b/src/nm-libreswan-service.c
-@@ -1756,7 +1756,8 @@ _connect_common (NMVpnServicePlugin *plugin,
- {
- NMLibreswanPlugin *self = NM_LIBRESWAN_PLUGIN (plugin);
- NMLibreswanPluginPrivate *priv = NM_LIBRESWAN_PLUGIN_GET_PRIVATE (self);
-- gs_unref_object NMSettingVpn *s_vpn = NULL;
-+ NMSettingVpn *s_vpn;
-+ gs_unref_object NMSettingVpn *s_vpn_sanitized = NULL;
- const char *con_name = nm_connection_get_uuid (connection);
- gs_free char *ipsec_banner = NULL;
- gs_free char *ifupdown_script = NULL;
-@@ -1794,9 +1795,20 @@ _connect_common (NMVpnServicePlugin *plugin,
- return FALSE;
- }
-
-- s_vpn = sanitize_setting_vpn(nm_connection_get_setting_vpn (connection),
-- error);
-- g_assert (s_vpn);
-+ s_vpn = nm_connection_get_setting_vpn(connection);
-+ if (!s_vpn) {
-+ g_set_error_literal(error,
-+ NM_VPN_PLUGIN_ERROR,
-+ NM_VPN_PLUGIN_ERROR_INVALID_CONNECTION,
-+ _("Empty VPN setting."));
-+ return FALSE;
-+ }
-+
-+ s_vpn_sanitized = sanitize_setting_vpn(s_vpn, error);
-+ if (!s_vpn_sanitized)
-+ return FALSE;
-+
-+ s_vpn = s_vpn_sanitized;
-
- g_object_get (self, NM_VPN_SERVICE_PLUGIN_DBUS_SERVICE_NAME, &bus_name, NULL);
-
--- 
-2.51.0
-
diff --git a/SPECS/NetworkManager-libreswan.spec b/SPECS/NetworkManager-libreswan.spec
index fbab3c0..64f1e7a 100644
--- a/SPECS/NetworkManager-libreswan.spec
+++ b/SPECS/NetworkManager-libreswan.spec
@@ -30,8 +30,6 @@ Source0: https://download.gnome.org/sources/NetworkManager-libreswan/%{real_ve
 Patch0: 0001-Export-esp-option.patch
 Patch1: 0002-fix-psk-auth-when-leftid-starts-with-at.patch
 Patch2: 0003-import-export-nm-auto-defaults-no.patch
-Patch3: 0004-sanitize-before-exporting-RHEL-only.patch
-Patch4: 0005-service-don-t-crash-with-malformed-connections.patch
 BuildRequires: make
 BuildRequires: gcc
@@ -133,15 +131,20 @@ rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la %endif %changelog -* Thu Oct 23 2025 Vladimír Beneš - 1.2.27-2 +* Symetric import/export with nm-auto-default (RHEL-122306) +* Esp param properly exported (RHEL-122626) +* Correct leftid export when it contains @ -* Tue Oct 21 2025 Vladimír Beneš - 1.2.27-1 +- Update to later upstream release to address regressions (RHEL-56551) +- Support rightca in ipsec section (RHEL-118819) + +* Tue Jul 01 2025 Gris Ge - 1.2.26-3 +- Fix regression on phase2alg/esp for IKEv1 (RHEL-85768) + +* Mon May 12 2025 Lubomir Rintel - 1.2.26-2 +- Add support for nm-auto-defaults (RHEL-85768) * Tue Jan 28 2025 Lubomir Rintel - 1.2.26-1 - Update to 1.2.26 release
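Review bot: Dropping `Patch3` and `Patch4` in the `@@ -30,8 +30,6 @@` hunk is safe only if the packaged source already carries the upstream equivalents, and nothing visible in this diff shows that it does. Patch 0005 replaced `g_assert (s_vpn)` in `_connect_common` with an `NM_VPN_PLUGIN_ERROR_INVALID_CONNECTION` return when `sanitize_setting_vpn()` yields NULL for a malformed connection, and patch 0004 added the same sanitize step to `export_to_file`; both state that they can be dropped only after a rebase. No `Version:` or `Source0:` change appears in the visible hunks, so please confirm the shipped tarball contains both fixes before merging. I would also record the removal in `%changelog`, for example `- Drop RHEL-only patches 0004 and 0005, fixed upstream in <VERSION>`, where `<VERSION>` is a placeholder for the release that contains them.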