From cf1fe0e2340a179e792ef1b8066679c37ea25b74 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Mon, 30 Mar 2026 10:13:03 -0400
Subject: [PATCH] import CS NetworkManager-libreswan-1.2.30-1.el9
---
.NetworkManager-libreswan.metadata | 2 +-
.gitignore | 2 +-
.../0001-Add-nm-auto-defaults-option.patch | 165 ------------------
...gserver-differently-according-to-nm-.patch | 62 -------
...y-set-phase2alg-esp-for-ikev1-in-agg.patch | 69 --------
SPECS/NetworkManager-libreswan.spec | 38 +++-
6 files changed, 32 insertions(+), 306 deletions(-)
delete mode 100644 SOURCES/0001-Add-nm-auto-defaults-option.patch
delete mode 100644 SOURCES/0002-Treat-leftmodecfgserver-differently-according-to-nm-.patch
delete mode 100644 SOURCES/0003-shared-utils-only-set-phase2alg-esp-for-ikev1-in-agg.patch
diff --git a/.NetworkManager-libreswan.metadata b/.NetworkManager-libreswan.metadata
index fdc10fd..43f5bf7 100644
--- a/.NetworkManager-libreswan.metadata
+++ b/.NetworkManager-libreswan.metadata
@@ -1 +1 @@
-4854976a318a9f8511cd70dd2fb6ac172f64bb54 SOURCES/NetworkManager-libreswan-1.2.26.tar.xz
+d505ff4980f72d7bcfd47dc2b51d4de79dd5cc09 SOURCES/NetworkManager-libreswan-1.2.30.tar.xz
diff --git a/.gitignore b/.gitignore
index 5f260fb..7d45363 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/NetworkManager-libreswan-1.2.26.tar.xz
+SOURCES/NetworkManager-libreswan-1.2.30.tar.xz
diff --git a/SOURCES/0001-Add-nm-auto-defaults-option.patch b/SOURCES/0001-Add-nm-auto-defaults-option.patch
deleted file mode 100644
index a37ce49..0000000
--- a/SOURCES/0001-Add-nm-auto-defaults-option.patch
+++ /dev/null
@@ -1,165 +0,0 @@ -From 3ea80883fefc620d1ee60e594b3735fb7be92801 Mon Sep 17 00:00:00 2001 -From: Gris Ge -Date: Mon, 23 Sep 2024 20:07:13 +0800 -Subject: [PATCH] Add `nm-auto-defaults` option - -The NetworkManager-libreswan add additional values when user undefined -which is causing incapability `ipsec.conf` and NM-libreswan config. - -Instead of breaking existing users, this introduced `nm-auto-defaults` -option and set default to yes preserving previous behaviour. For other -user wish NM-libreswan do not add default values, explicit -`nm-auto-defaults: no` is required in NetworkManager `vpn.data`. - -These are for advanced use cases, no GUI access required. - -[lkundrak@v3.sk: rebased this on top of reworked ipsec.conf configuration -writer/serializer, added test cases, wrote docs.] ---- - man/nm-settings-libreswan.5.in | 11 +++++++++-- - shared/nm-service-defines.h | 1 + - shared/test-utils.c | 34 ++++++++++++++++++++++++++++++++++ - shared/utils.c | 12 +++++++++++- - 4 files changed, 55 insertions(+), 3 deletions(-) - -diff --git a/man/nm-settings-libreswan.5.in b/man/nm-settings-libreswan.5.in -index c98fe77..6152590 100644 ---- a/man/nm-settings-libreswan.5.in -+++ b/man/nm-settings-libreswan.5.in -@@ -19,9 +19,9 @@ - .\" with this manual; if not, write to the Free Software Foundation, Inc., - .\" 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - .\" --.\" Copyright (C) 2018 Red Hat, Inc. -+.\" Copyright (C) 2018,2025 Red Hat, Inc. - .\" --.TH NM-SETTINGS-LIBRESWAN "5" "9 July 2018" -+.TH NM-SETTINGS-LIBRESWAN "5" "7 Apr 2025" - - .SH NAME - nm\-setting\-libreswan \- NetworkManager Libreswan plugin supported options -@@ -167,6 +167,13 @@ parameter of the same name. - .I "pskinputmodes" - where the 'pskvalue' can be retrieved. Used internally by the plugin. Allowed values are: 'unused', 'save', 'ask'. - .TP -+.I "nm-auto-defaults" -+Allowed values are: 'yes' and 'no'. 
-+This options indicates that the VPN plugin should not substitute default values for keys that are not -+present in \fBvpn.data\fR or alter the values for the keys that are specified. Malformed values will be -+rejected for security reasons, but other than that the user is responsible for ensuring the configuration -+will work. This is mainly useful when connections are created with a management tool like \fBnmstatectl\fR(8). -+.TP - .I "xauthpasswordinputmodes" - where the 'xauthpassword' can be retrieved. Used internally by the plugin. Allowed values are: 'unused', 'save', 'ask'. - .TP -diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h -index f29923f..736fa56 100644 ---- a/shared/nm-service-defines.h -+++ b/shared/nm-service-defines.h -@@ -76,6 +76,7 @@ - #define NM_LIBRESWAN_KEY_HOSTADDRFAMILY "hostaddrfamily" - #define NM_LIBRESWAN_KEY_CLIENTADDRFAMILY "clientaddrfamily" - #define NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE "require-id-on-certificate" -+#define NM_LIBRESWAN_KEY_NM_AUTO_DEFAULTS "nm-auto-defaults" - - #define NM_LIBRESWAN_IKEV2_NO "no" - #define NM_LIBRESWAN_IKEV2_NEVER "never" -diff --git a/shared/test-utils.c b/shared/test-utils.c -index c7ad8dd..2dc4532 100644 ---- a/shared/test-utils.c -+++ b/shared/test-utils.c -@@ -164,6 +164,23 @@ test_config_write (void) - g_free (str); - g_object_unref (s_vpn); - -+ s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ()); -+ nm_setting_vpn_add_data_item (s_vpn, "ikev2", "insist"); -+ nm_setting_vpn_add_data_item (s_vpn, "leftrsasigkey", "hello"); -+ nm_setting_vpn_add_data_item (s_vpn, "rightrsasigkey", "world"); -+ nm_setting_vpn_add_data_item (s_vpn, "right", "11.12.13.14"); -+ nm_setting_vpn_add_data_item (s_vpn, "nm-auto-defaults", "false"); -+ str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error); -+ g_assert_no_error (error); -+ g_assert_cmpstr (str, ==, -+ "conn conn\n" -+ " ikev2=insist\n" -+ " right=11.12.13.14\n" -+ " rightrsasigkey=\"world\"\n" -+ " 
leftrsasigkey=\"hello\"\n"); -+ g_free (str); -+ g_object_unref (s_vpn); -+ - s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ()); - str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error); - g_assert_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT); -@@ -195,6 +212,23 @@ test_config_write (void) - g_assert_null (str); - g_clear_error (&error); - g_object_unref (s_vpn); -+ -+ s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ()); -+ nm_setting_vpn_add_data_item (s_vpn, "nm-auto-defaults", "false"); -+ nm_setting_vpn_add_data_item (s_vpn, "rightcert", "\"cert\""); -+ str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error); -+ g_assert_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT); -+ g_assert_null (str); -+ g_clear_error (&error); -+ g_object_unref (s_vpn); -+ -+ s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ()); -+ nm_setting_vpn_add_data_item (s_vpn, "nm-auto-defaults", "false"); -+ str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error); -+ g_assert_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT); -+ g_assert_null (str); -+ g_clear_error (&error); -+ g_object_unref (s_vpn); - } - - static void -diff --git a/shared/utils.c b/shared/utils.c -index e6dec8a..9c33315 100644 ---- a/shared/utils.c -+++ b/shared/utils.c -@@ -341,6 +341,7 @@ static const struct LibreswanParam params[] = { - { NM_LIBRESWAN_KEY_XAUTH_PASSWORD_INPUT_MODES, add, PARAM_IGNORE }, - { NM_LIBRESWAN_KEY_PSK_VALUE "-flags", add, PARAM_IGNORE }, - { NM_LIBRESWAN_KEY_XAUTH_PASSWORD "-flags", add, PARAM_IGNORE }, -+ { NM_LIBRESWAN_KEY_NM_AUTO_DEFAULTS, add, PARAM_IGNORE }, - - { NULL } - }; -@@ -368,6 +369,7 @@ sanitize_setting_vpn (NMSettingVpn *s_vpn, - GError **error) - { - gs_unref_object NMSettingVpn *sanitized = NULL; -+ gboolean auto_defaults = TRUE; - int handled_items = 0; - const char *val; - int i; -@@ -380,6 +382,10 @@ sanitize_setting_vpn (NMSettingVpn *s_vpn, - 
NM_SETTING_VPN_SERVICE_TYPE, NM_VPN_SERVICE_TYPE_LIBRESWAN, - NULL); - -+ auto_defaults = _nm_utils_ascii_str_to_bool ( -+ nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_NM_AUTO_DEFAULTS), -+ TRUE); -+ - for (i = 0; params[i].name != NULL; i++) { - val = nm_setting_vpn_get_data_item (s_vpn, params[i].name); - if (val != NULL) { -@@ -393,7 +399,11 @@ sanitize_setting_vpn (NMSettingVpn *s_vpn, - return NULL; - } - -- params[i].add_sanitized (sanitized, params[i].name, val); -+ if (auto_defaults) { -+ params[i].add_sanitized (sanitized, params[i].name, val); -+ } else { -+ nm_setting_vpn_add_data_item (sanitized, params[i].name, val); -+ } - - val = nm_setting_vpn_get_data_item (sanitized, params[i].name); - if (val == NULL) --- -GitLab - diff --git a/SOURCES/0002-Treat-leftmodecfgserver-differently-according-to-nm-.patch b/SOURCES/0002-Treat-leftmodecfgserver-differently-according-to-nm-.patch deleted file mode 100644 index 2c30dc7..0000000 --- a/SOURCES/0002-Treat-leftmodecfgserver-differently-according-to-nm-.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From 9b4467bd226d5a6819b9bfa9fc337c64dc61c293 Mon Sep 17 00:00:00 2001 -From: Gris Ge -Date: Fri, 25 Apr 2025 16:28:52 +0800 -Subject: [PATCH] Treat leftmodecfgserver differently according to - nm-auto-defaults - -When `nm-auto-defaults: no` defined, the default value of -`leftmodecfgserver` should be `no`. - -Signed-off-by: Gris Ge ---- - src/nm-libreswan-service.c | 23 +++++++++++++++++++++-- - 1 file changed, 21 insertions(+), 2 deletions(-) - -diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c -index e58bc9e..7987ada 100644 ---- a/src/nm-libreswan-service.c -+++ b/src/nm-libreswan-service.c -@@ -65,6 +65,7 @@ typedef NMVpnServicePlugin NMLibreswanPlugin; - typedef NMVpnServicePluginClass NMLibreswanPluginClass; - - static GType nm_libreswan_plugin_get_type (void); -+static bool is_leftmodecfgserver_enabled(NMSettingVpn *s_vpn); - - G_DEFINE_TYPE (NMLibreswanPlugin, nm_libreswan_plugin, NM_TYPE_VPN_SERVICE_PLUGIN) - -@@ -1296,8 +1297,8 @@ handle_callback (NMDBusLibreswanHelper *object, - - if ( priv->connection - && (s_vpn = nm_connection_get_setting_vpn (priv->connection)) -- && (cstr = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTMODECFGCLIENT)) -- && nm_streq (cstr, "no")) { -+ && !is_leftmodecfgserver_enabled(s_vpn) -+ ) { - /* no dynamic address needed */ - } else { - /* IP address */ -@@ -2179,3 +2180,21 @@ main (int argc, char *argv[]) - - exit (0); - } -+ -+static bool -+is_leftmodecfgserver_enabled(NMSettingVpn *s_vpn) -+{ -+ const char *auto_value; -+ const char *cstr; -+ -+ auto_value = nm_setting_vpn_get_data_item(s_vpn, NM_LIBRESWAN_KEY_NM_AUTO_DEFAULTS); -+ if (auto_value && nm_streq(auto_value, "no")) { -+ // undefined means false when `nm-auto-defaults: no` -+ cstr = nm_setting_vpn_get_data_item(s_vpn, NM_LIBRESWAN_KEY_LEFTMODECFGCLIENT); -+ return (cstr && nm_streq(cstr, "yes")); -+ } else { -+ // undefined means true -+ cstr = nm_setting_vpn_get_data_item(s_vpn, 
NM_LIBRESWAN_KEY_LEFTMODECFGCLIENT); -+ return !(cstr && nm_streq(cstr, "no")); -+ } -+} --- -GitLab - diff --git a/SOURCES/0003-shared-utils-only-set-phase2alg-esp-for-ikev1-in-agg.patch b/SOURCES/0003-shared-utils-only-set-phase2alg-esp-for-ikev1-in-agg.patch deleted file mode 100644 index 0eb9756..0000000 --- a/SOURCES/0003-shared-utils-only-set-phase2alg-esp-for-ikev1-in-agg.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From 43f3df676e827e343bae9455dc1eb82c5a805574 Mon Sep 17 00:00:00 2001 -From: Beniamino Galvani -Date: Fri, 27 Jun 2025 18:21:51 +0200 -Subject: [PATCH] shared/utils: only set phase2alg/esp for ikev1 in aggressive - mode - -Commit f3c6f38f3be3 ("shared: make ipsec.conf formatting declarative") -changed the logic to write option phase2alg/esp. Before the commit, it -was automatically set to NM_LIBRESWAN_AGGRMODE_DEFAULT_ESP only for -IKEv1 in aggressive mode ("leftid" set). After, the option is set for -IKEv2. Restore the old behavior. - -Fixes: f3c6f38f3be3 ("shared: make ipsec.conf formatting declarative") -Signed-off-by: Gris Ge ---- - shared/test-utils.c | 3 --- - shared/utils.c | 5 ++++- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/shared/test-utils.c b/shared/test-utils.c -index 2dc4532..ec47fe5 100644 ---- a/shared/test-utils.c -+++ b/shared/test-utils.c -@@ -103,7 +103,6 @@ test_config_write (void) - " leftmodecfgclient=yes\n" - " rightsubnet=0.0.0.0/0\n" - " rekey=yes\n" -- " phase2alg=aes256-sha1\n" - " keyingtries=1\n" - " rightmodecfgserver=yes\n" - " modecfgpull=yes\n"); -@@ -127,7 +126,6 @@ test_config_write (void) - " leftmodecfgclient=yes\n" - " rightsubnet=0.0.0.0/0\n" - " rekey=yes\n" -- " phase2alg=aes256-sha1\n" - " keyingtries=1\n" - " rightmodecfgserver=yes\n" - " modecfgpull=yes\n"); -@@ -372,7 +370,6 @@ test_config_read (void) - " leftmodecfgclient=yes\n" - " rightsubnet=0.0.0.0/0\n" - " rekey=yes\n" -- " phase2alg=aes256-sha1\n" - " keyingtries=1\n" - " rightmodecfgserver=yes\n" - " modecfgpull=yes\n", -diff --git a/shared/utils.c b/shared/utils.c -index 9c33315..a2e5b9a 100644 ---- a/shared/utils.c -+++ b/shared/utils.c -@@ -223,10 +223,13 @@ add_ike (NMSettingVpn *s_vpn, const char *key, const char *val) - static void - add_phase2alg (NMSettingVpn *s_vpn, const char *key, const char *val) - { -+ const char *leftid; -+ - if (val == NULL || val[0] == '\0') - val = nm_setting_vpn_get_data_item (s_vpn, 
NM_LIBRESWAN_KEY_ESP); - if (val == NULL || val[0] == '\0') { -- if (nm_libreswan_utils_setting_is_ikev2 (s_vpn)) -+ leftid = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTID); -+ if (!nm_libreswan_utils_setting_is_ikev2 (s_vpn) && leftid && leftid[0] != '\0') - val = NM_LIBRESWAN_AGGRMODE_DEFAULT_ESP; - } - nm_setting_vpn_add_data_item (s_vpn, key, val); --- -2.50.0 - diff --git a/SPECS/NetworkManager-libreswan.spec b/SPECS/NetworkManager-libreswan.spec index 731548b..fd22765 100644 --- a/SPECS/NetworkManager-libreswan.spec +++ b/SPECS/NetworkManager-libreswan.spec @@ -7,11 +7,11 @@ %bcond_with gtk4 %else %bcond_without gtk4 -%endif +%endif -%global real_version 1.2.26 -%global rpm_version 1.2.26 -%global release_version 3 +%global real_version 1.2.30 +%global rpm_version 1.2.30 +%global release_version 1 %global real_version_major %(printf '%s' '%{real_version}' | sed -n 's/^\\([1-9][0-9]*\\.[1-9][0-9]*\\)\\.[1-9][0-9]*$/\\1/p') @@ -27,10 +27,6 @@ License: GPLv2+ URL: https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/ Source0: https://download.gnome.org/sources/NetworkManager-libreswan/%{real_version_major}/%{name}-%{real_version}.tar.xz -Patch0: https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/-/commit/3ea80883fefc.patch#/0001-Add-nm-auto-defaults-option.patch -Patch1: https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/-/commit/9b4467bd226d.patch#/0002-Treat-leftmodecfgserver-differently-according-to-nm-.patch -Patch2: https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/-/commit/43f3df676e82.patch#/0003-shared-utils-only-set-phase2alg-esp-for-ikev1-in-agg.patch - BuildRequires: make BuildRequires: gcc BuildRequires: gtk3-devel 
@@ -131,6 +127,32 @@ rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la %endif %changelog +* Mon Jan 12 2026 Vladimír Beneš - 1.2.30-1 +- Upgrade to 1.2.30 +- Declare supports-safe-private-file-access (RHEL-140610) + +* Tue Dec 09 2025 Gris Ge - 1.2.29-1 +- Upgrade to 1.2.29 +- Support creating both ends of IPsec (Libreswan) tunnels. (RHEL-85789) +- Support leftprotoport and rightprotoport options. (RHEL-130907) +- Fix error on duplicate key 'phase2alg'. (RHEL-131233) +- Fix import connection with RSA key. (RHEL-127863) + +* Thu Oct 23 2025 Vladimír Beneš - 1.2.27-4 +- Fix potentional crash in malformed items import + +* Tue Oct 21 2025 Vladimír Beneš - 1.2.27-3 +- Fix small nm-auto-defaults issue + +* Mon Oct 20 2025 Vladimír Beneš - 1.2.27-2 +- Symetric import/export with nm-auto-default (RHEL-122306) +- Esp param properly exported (RHEL-122626) +- Correct leftid export when it contains @ + +* Thu Oct 02 2025 Vladimír Beneš - 1.2.27-1 +- Update to later upstream release to address regressions (RHEL-56551) +- Support rightca in ipsec section (RHEL-118819) + * Tue Jul 01 2025 Gris Ge - 1.2.26-3 - Fix regression on phase2alg/esp for IKEv1 (RHEL-85768)