libreswan/libreswan-3.23-crypto-policies.patch

diff --git a/lib/libipsecconf/parser.l b/lib/libipsecconf/parser.l
index c41dd8048..cc2faf5c9 100644
--- a/lib/libipsecconf/parser.l
+++ b/lib/libipsecconf/parser.l
@@ -160,7 +160,9 @@ static int parser_y_nextglobfile(struct ic_inputsource *iis)
 		char ebuf[128];
 
 		snprintf(ebuf, sizeof(ebuf),
-			"cannot open include filename: '%s': %s",
+			(strstr(iis->filename, "crypto-policies/back-ends/libreswan.config") == NULL) ?
+				"cannot open include filename: '%s': %s" :
+				"ignored loading default system-wide crypto-policies file '%s': %s",
 			iis->fileglob.gl_pathv[fcnt],
 			strerror(errno));
 		yyerror(ebuf);
diff --git a/programs/configs/ipsec.conf.in b/programs/configs/ipsec.conf.in
index 7374efc3c..974699f01 100644
--- a/programs/configs/ipsec.conf.in
+++ b/programs/configs/ipsec.conf.in
@@ -1,27 +1,18 @@
 # @FINALCONFDIR@/ipsec.conf - Libreswan IPsec configuration file
 #
-# Manual:     ipsec.conf.5
+# see 'man ipsec.conf' and 'man pluto' for more information
+#
+# For example configurations and documentation, see https://libreswan.org/wiki/
 
 config setup
-	# Normally, pluto logs via syslog. If you want to log to a file,
-	# specify below or to disable logging, eg for embedded systems, use
-	# the file name /dev/null
-	# Note: SElinux policies might prevent pluto writing to a log file at
-	#       an unusual location.
+	# Normally, pluto logs via syslog.
 	#logfile=/var/log/pluto.log
 	#
 	# Do not enable debug options to debug configuration issues!
 	#
-	# plutodebug "all", "none" or a combation from below:
-	# "raw crypt parsing emitting control controlmore kernel pfkey
-	#  natt x509 dpd dns oppo oppoinfo private".
-	# Note: "private" is not included with "all", as it can show confidential
-	#       information. It must be specifically specified
-	# examples:
 	# plutodebug="control parsing"
 	# plutodebug="all crypt"
-	# Again: only enable plutodebug when asked by a developer
-	#plutodebug=none
+	plutodebug=none
 	#
 	# NAT-TRAVERSAL support
 	# exclude networks used on server side by adding %v4:!a.b.c.0/24
@@ -30,10 +21,8 @@ config setup
 	# This range has never been announced via BGP (at least up to 2015)
 	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
 
-# For example connections, see your distribution's documentation directory,
-# or https://libreswan.org/wiki/
-#
-# There is also a lot of information in the manual page, "man ipsec.conf"
-#
+# if it exists, include system wide crypto-policy defaults
+include /etc/crypto-policies/back-ends/libreswan.config
+
 # It is best to add your IPsec connections as separate files in @IPSEC_CONFDDIR@/
 include @IPSEC_CONFDDIR@/*.conf
RHEL 9.0.0 Alpha bootstrap The content of this branch was automatically imported from Fedora ELN with the following as its source: https://src.fedoraproject.org/rpms/libreswan#edf019da096d996a265210d164af9c89a6b637c9 2020-10-15 15:26:36 +00:00			`diff --git a/lib/libipsecconf/parser.l b/lib/libipsecconf/parser.l`
			`index c41dd8048..cc2faf5c9 100644`
			`--- a/lib/libipsecconf/parser.l`
			`+++ b/lib/libipsecconf/parser.l`
			`@@ -160,7 +160,9 @@ static int parser_y_nextglobfile(struct ic_inputsource *iis)`
			`char ebuf[128];`

			`snprintf(ebuf, sizeof(ebuf),`
			`- "cannot open include filename: '%s': %s",`
			`+ (strstr(iis->filename, "crypto-policies/back-ends/libreswan.config") == NULL) ?`
			`+ "cannot open include filename: '%s': %s" :`
			`+ "ignored loading default system-wide crypto-policies file '%s': %s",`
			`iis->fileglob.gl_pathv[fcnt],`
			`strerror(errno));`
			`yyerror(ebuf);`
			`diff --git a/programs/configs/ipsec.conf.in b/programs/configs/ipsec.conf.in`
			`index 7374efc3c..974699f01 100644`
			`--- a/programs/configs/ipsec.conf.in`
			`+++ b/programs/configs/ipsec.conf.in`
			`@@ -1,27 +1,18 @@`
			`# @FINALCONFDIR@/ipsec.conf - Libreswan IPsec configuration file`
			`#`
			`-# Manual: ipsec.conf.5`
			`+# see 'man ipsec.conf' and 'man pluto' for more information`
			`+#`
			`+# For example configurations and documentation, see https://libreswan.org/wiki/`

			`config setup`
			`- # Normally, pluto logs via syslog. If you want to log to a file,`
			`- # specify below or to disable logging, eg for embedded systems, use`
			`- # the file name /dev/null`
			`- # Note: SElinux policies might prevent pluto writing to a log file at`
			`- # an unusual location.`
			`+ # Normally, pluto logs via syslog.`
			`#logfile=/var/log/pluto.log`
			`#`
			`# Do not enable debug options to debug configuration issues!`
			`#`
			`- # plutodebug "all", "none" or a combation from below:`
			`- # "raw crypt parsing emitting control controlmore kernel pfkey`
			`- # natt x509 dpd dns oppo oppoinfo private".`
			`- # Note: "private" is not included with "all", as it can show confidential`
			`- # information. It must be specifically specified`
			`- # examples:`
			`# plutodebug="control parsing"`
			`# plutodebug="all crypt"`
			`- # Again: only enable plutodebug when asked by a developer`
			`- #plutodebug=none`
			`+ plutodebug=none`
			`#`
			`# NAT-TRAVERSAL support`
			`# exclude networks used on server side by adding %v4:!a.b.c.0/24`
			`@@ -30,10 +21,8 @@ config setup`
			`# This range has never been announced via BGP (at least up to 2015)`
			`virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10`

			`-# For example connections, see your distribution's documentation directory,`
			`-# or https://libreswan.org/wiki/`
			`-#`
			`-# There is also a lot of information in the manual page, "man ipsec.conf"`
			`-#`
			`+# if it exists, include system wide crypto-policy defaults`
			`+include /etc/crypto-policies/back-ends/libreswan.config`
			`+`
			`# It is best to add your IPsec connections as separate files in @IPSEC_CONFDDIR@/`
			`include @IPSEC_CONFDDIR@/*.conf`