diff --git a/0004-sanitize-before-exporting-RHEL-only.patch b/0004-sanitize-before-exporting-RHEL-only.patch
new file mode 100644
index 0000000..f396d31
--- /dev/null
+++ b/0004-sanitize-before-exporting-RHEL-only.patch
@@ -0,0 +1,54 @@
+From 15946667c771ba88d38f82cc467fd52d268e44bb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?=
+Date: Tue, 21 Oct 2025 08:37:35 +0200
+Subject: [PATCH] export: sanitize before exporting (RHEL only)
+
+The commit referenced below moved the responsibility of sanitizing the
+connection from nm_libreswan_get_ipsec_conf to its caller, but it forgot
+to sanitize in export_to_file(). Fix it.
+
+This is a RHEL-only patch, as this is fixed by a later commit that we
+didn't want to backport yet. When we rebase, this patch can be dropped.
+
+Fixes: 50d0fc5a265b ('Fix PSK authentication when leftid starts with `@`')
+---
+ properties/nm-libreswan-editor-plugin.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c
+index 2b455ba..7a75e09 100644
+--- a/properties/nm-libreswan-editor-plugin.c
++++ b/properties/nm-libreswan-editor-plugin.c
+@@ -91,6 +91,7 @@ export_to_file (NMVpnEditorPlugin *self,
+ GError **error)
+ {
+ NMSettingVpn *s_vpn;
++ gs_unref_object NMSettingVpn *s_vpn_sanitized = NULL;
+ gboolean openswan = FALSE;
+ gs_free_error GError *local = NULL;
+ gs_free char *ipsec_conf = NULL;
+@@ -98,8 +99,19 @@ export_to_file (NMVpnEditorPlugin *self,
+ int version;
+
+ s_vpn = nm_connection_get_setting_vpn (connection);
+- if (s_vpn)
+- openswan = nm_streq (nm_setting_vpn_get_service_type (s_vpn), NM_VPN_SERVICE_TYPE_OPENSWAN);
++ if (!s_vpn) {
++ g_set_error_literal (error,
++ NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_INVALID_CONNECTION,
++ _("Empty VPN setting."));
++ return FALSE;
++ }
++
++ s_vpn_sanitized = sanitize_setting_vpn (s_vpn, error);
++ if (!s_vpn_sanitized)
++ return FALSE;
++
++ s_vpn = s_vpn_sanitized;
++ openswan = nm_streq (nm_setting_vpn_get_service_type (s_vpn), NM_VPN_SERVICE_TYPE_OPENSWAN);
+
+ nm_libreswan_detect_version (nm_libreswan_find_helper_bin ("ipsec", NULL),
+ &is_openswan, &version, NULL);
+--
+2.51.0
+
diff --git a/NetworkManager-libreswan.spec b/NetworkManager-libreswan.spec
index 64f1e7a..0bd29fb 100644
--- a/NetworkManager-libreswan.spec
+++ b/NetworkManager-libreswan.spec
@@ -11,7 +11,7 @@
 %global real_version 1.2.27
 %global rpm_version 1.2.27
-%global release_version 2
+%global release_version 3
 %global real_version_major %(printf '%s' '%{real_version}' | sed -n 's/^\\([1-9][0-9]*\\.[1-9][0-9]*\\)\\.[1-9][0-9]*$/\\1/p')
@@ -30,6 +30,7 @@ Source0: https://download.gnome.org/sources/NetworkManager-libreswan/%{real_ve
 Patch0: 0001-Export-esp-option.patch
 Patch1: 0002-fix-psk-auth-when-leftid-starts-with-at.patch
 Patch2: 0003-import-export-nm-auto-defaults-no.patch
+Patch3: 0004-sanitize-before-exporting-RHEL-only.patch
 BuildRequires: make
 BuildRequires: gcc
@@ -131,6 +132,9 @@ rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la
 %endif
 %changelog
+* Tue Oct 21 2025 Vladimír Beneš - 1.2.27-3
+* Fix small nm-auto-defaults issue
+
 * Mon Oct 20 2025 Vladimír Beneš - 1.2.27-2
 * Symetric import/export with nm-auto-default (RHEL-122306)
 * Esp param properly exported (RHEL-122626)
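Review bot: The sanitized copy only protects the exported file if everything after `s_vpn = s_vpn_sanitized;` in export_to_file() reads from `s_vpn`; the call that builds the ipsec.conf text lies outside this hunk, so confirm it receives `s_vpn` and does not re-fetch the setting from `connection`. A short comment at the reassignment would keep that invariant visible until the patch is dropped on rebase, e.g. `/* From here on use only the sanitized copy; the raw setting must not reach the exported config. */`. The new `!s_vpn` branch also turns a connection without a VPN setting into a hard export error, where the removed lines simply left `openswan = FALSE` and continued, which is worth stating in the commit message. Because the defect was a missed call site, an export test using a value that sanitize_setting_vpn() rejects would guard against the same omission recurring.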