libreswan/SOURCES/libreswan-3.32-maintain-different-v1v2-split.patch

diff -Naur libreswan-3.32rc1-orig/lib/libipsecconf/confread.c libreswan-3.32rc1/lib/libipsecconf/confread.c
--- libreswan-3.32rc1-orig/lib/libipsecconf/confread.c	2020-04-28 22:27:20.000000000 -0400
+++ libreswan-3.32rc1/lib/libipsecconf/confread.c	2020-04-30 13:41:18.612751661 -0400
@@ -1332,13 +1332,16 @@
 
 		switch (conn->options[KNCF_IKEv2]) {
 		case fo_never:
-		case fo_permit:
 			conn->policy |= POLICY_IKEV1_ALLOW;
 			/* clear any inherited default */
 			conn->policy &= ~POLICY_IKEV2_ALLOW;
 			break;
-
+		case fo_permit:
+			starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no|never");
+			return TRUE;
 		case fo_propose:
+			starter_error_append(perrl, "ikev2=propose or ikev2=yes is no longer accepted. Use ikev2=insist or ikev2=no|never");
+			return TRUE;
 		case fo_insist:
 			conn->policy |= POLICY_IKEV2_ALLOW;
 			/* clear any inherited default */
diff -Naur libreswan-3.32rc1-orig/programs/configs/d.ipsec.conf/ikev2.xml libreswan-3.32rc1/programs/configs/d.ipsec.conf/ikev2.xml
--- libreswan-3.32rc1-orig/programs/configs/d.ipsec.conf/ikev2.xml	2020-04-28 22:27:20.000000000 -0400
+++ libreswan-3.32rc1/programs/configs/d.ipsec.conf/ikev2.xml	2020-04-30 13:45:14.847694267 -0400
@@ -1,15 +1,15 @@
   <varlistentry>
   <term><emphasis remap='B'>ikev2</emphasis></term>
   <listitem>
-<para>Whether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) settings to be used.
-Currently the accepted values are <emphasis remap='B'>no</emphasis>(the default),
-signifying only IKEv1 is accepted, or <emphasis remap='B'>yes</emphasis>,
+<para>Wether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) as the Internet Key Exchange (IKE) protcol.
+Currently the accepted values are <emphasis remap='B'>no</emphasis> (or <emphasis remap='B'>never</emphasis>)
+signifying only IKEv1 is accepted, or <emphasis remap='B'>insist</emphasis>(the default),
 signifying only IKEv2 is accepted. Previous versions allowed the keywords
-<emphasis remap='B'>propose</emphasis> or <emphasis remap='B'>permit</emphasis>
-that would allow either IKEv1 or IKEv2, but this is no longer supported. The
-permit option is interpreted as no and the propose option is interpreted as
-yes. Older versions also supported keyword
-<emphasis remap='B'>insist</emphasis> which is now interpreted as yes.
+<emphasis remap='B'>propose</emphasis>, <emphasis remap='B'>yes</emphasis> or <emphasis remap='B'>permit</emphasis>
+that would allow either IKEv1 or IKEv2, but this is no longer supported and both options
+now cause the connection to fail to load. <emphasis remap='B'>WARNING:</emphasis> This behaviour differs from upstream
+libreswan, which only accepts <emphasis remap='B'>yes</emphasis> or <emphasis remap='B'>no</emphasis> where yes means
+the same as insist.
 </para>
   </listitem>
   </varlistentry>
diff -Naur libreswan-3.32rc1-orig/programs/whack/whack.c libreswan-3.32rc1/programs/whack/whack.c
--- libreswan-3.32rc1-orig/programs/whack/whack.c	2020-04-28 22:27:20.000000000 -0400
+++ libreswan-3.32rc1/programs/whack/whack.c	2020-04-30 13:41:18.615751749 -0400
@@ -775,7 +775,7 @@
 
 	PS("ikev1-allow", IKEV1_ALLOW),
 	PS("ikev2-allow", IKEV2_ALLOW),
-	PS("ikev2-propose", IKEV2_ALLOW), /* map onto allow */
+	/* not in RHEL8 PS("ikev2-propose", IKEV2_ALLOW),*/
 
 	PS("allow-narrowing", IKEV2_ALLOW_NARROWING),
 #ifdef XAUTH_HAVE_PAM
@@ -1737,7 +1737,7 @@
 
 		/* --ikev1-allow */
 		case CDP_SINGLETON + POLICY_IKEV1_ALLOW_IX:
-		/* --ikev2-allow (now also --ikev2-propose) */
+		/* --ikev2-allow */
 		case CDP_SINGLETON + POLICY_IKEV2_ALLOW_IX:
 
 		/* --allow-narrowing */
import libreswan-3.32-6.el8 2020-11-03 12:02:35 +00:00			`diff -Naur libreswan-3.32rc1-orig/lib/libipsecconf/confread.c libreswan-3.32rc1/lib/libipsecconf/confread.c`
			`--- libreswan-3.32rc1-orig/lib/libipsecconf/confread.c 2020-04-28 22:27:20.000000000 -0400`
			`+++ libreswan-3.32rc1/lib/libipsecconf/confread.c 2020-04-30 13:41:18.612751661 -0400`
			`@@ -1332,13 +1332,16 @@`
import libreswan-3.29-6.el8 2019-11-05 18:48:41 +00:00
			`switch (conn->options[KNCF_IKEv2]) {`
			`case fo_never:`
			`- case fo_permit:`
			`conn->policy \|= POLICY_IKEV1_ALLOW;`
			`/* clear any inherited default */`
			`conn->policy &= ~POLICY_IKEV2_ALLOW;`
			`break;`
			`-`
			`+ case fo_permit:`
			`+ starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no\|never");`
			`+ return TRUE;`
			`case fo_propose:`
			`+ starter_error_append(perrl, "ikev2=propose or ikev2=yes is no longer accepted. Use ikev2=insist or ikev2=no\|never");`
			`+ return TRUE;`
			`case fo_insist:`
			`conn->policy \|= POLICY_IKEV2_ALLOW;`
			`/* clear any inherited default */`
import libreswan-3.32-6.el8 2020-11-03 12:02:35 +00:00			`diff -Naur libreswan-3.32rc1-orig/programs/configs/d.ipsec.conf/ikev2.xml libreswan-3.32rc1/programs/configs/d.ipsec.conf/ikev2.xml`
			`--- libreswan-3.32rc1-orig/programs/configs/d.ipsec.conf/ikev2.xml 2020-04-28 22:27:20.000000000 -0400`
			`+++ libreswan-3.32rc1/programs/configs/d.ipsec.conf/ikev2.xml 2020-04-30 13:45:14.847694267 -0400`
			`@@ -1,15 +1,15 @@`
import libreswan-3.29-6.el8 2019-11-05 18:48:41 +00:00			`<varlistentry>`
			`<term><emphasis remap='B'>ikev2</emphasis></term>`
			`<listitem>`
			`-<para>Whether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) settings to be used.`
			`-Currently the accepted values are <emphasis remap='B'>no</emphasis>(the default),`
			`-signifying only IKEv1 is accepted, or <emphasis remap='B'>yes</emphasis>,`
			`+<para>Wether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) as the Internet Key Exchange (IKE) protcol.`
			`+Currently the accepted values are <emphasis remap='B'>no</emphasis> (or <emphasis remap='B'>never</emphasis>)`
			`+signifying only IKEv1 is accepted, or <emphasis remap='B'>insist</emphasis>(the default),`
			`signifying only IKEv2 is accepted. Previous versions allowed the keywords`
			`-<emphasis remap='B'>propose</emphasis> or <emphasis remap='B'>permit</emphasis>`
			`-that would allow either IKEv1 or IKEv2, but this is no longer supported. The`
import libreswan-3.32-6.el8 2020-11-03 12:02:35 +00:00			`-permit option is interpreted as no and the propose option is interpreted as`
			`-yes. Older versions also supported keyword`
			`-<emphasis remap='B'>insist</emphasis> which is now interpreted as yes.`
import libreswan-3.29-6.el8 2019-11-05 18:48:41 +00:00			`+<emphasis remap='B'>propose</emphasis>, <emphasis remap='B'>yes</emphasis> or <emphasis remap='B'>permit</emphasis>`
			`+that would allow either IKEv1 or IKEv2, but this is no longer supported and both options`
			`+now cause the connection to fail to load. <emphasis remap='B'>WARNING:</emphasis> This behaviour differs from upstream`
			`+libreswan, which only accepts <emphasis remap='B'>yes</emphasis> or <emphasis remap='B'>no</emphasis> where yes means`
			`+the same as insist.`
			`</para>`
			`</listitem>`
			`</varlistentry>`
import libreswan-3.32-6.el8 2020-11-03 12:02:35 +00:00			`diff -Naur libreswan-3.32rc1-orig/programs/whack/whack.c libreswan-3.32rc1/programs/whack/whack.c`
			`--- libreswan-3.32rc1-orig/programs/whack/whack.c 2020-04-28 22:27:20.000000000 -0400`
			`+++ libreswan-3.32rc1/programs/whack/whack.c 2020-04-30 13:41:18.615751749 -0400`
			`@@ -775,7 +775,7 @@`
import libreswan-3.29-6.el8 2019-11-05 18:48:41 +00:00
			`PS("ikev1-allow", IKEV1_ALLOW),`
			`PS("ikev2-allow", IKEV2_ALLOW),`
			`- PS("ikev2-propose", IKEV2_ALLOW), /* map onto allow */`
			`+ /* not in RHEL8 PS("ikev2-propose", IKEV2_ALLOW),*/`

			`PS("allow-narrowing", IKEV2_ALLOW_NARROWING),`
			`#ifdef XAUTH_HAVE_PAM`
import libreswan-3.32-6.el8 2020-11-03 12:02:35 +00:00			`@@ -1737,7 +1737,7 @@`
import libreswan-3.29-6.el8 2019-11-05 18:48:41 +00:00
			`/* --ikev1-allow */`
			`case CDP_SINGLETON + POLICY_IKEV1_ALLOW_IX:`
			`- /* --ikev2-allow (now also --ikev2-propose) */`
			`+ /* --ikev2-allow */`
			`case CDP_SINGLETON + POLICY_IKEV2_ALLOW_IX:`

			`/* --allow-narrowing */`