diff --git a/libreswan-4.6-ikev1-policy-defaults-to-drop.patch b/libreswan-4.6-ikev1-policy-defaults-to-drop.patch
new file mode 100644
index 0000000..40073d5
--- /dev/null
+++ b/libreswan-4.6-ikev1-policy-defaults-to-drop.patch
@@ -0,0 +1,63 @@
+From 13720e0dedcab1eaf3334a73a42b68581acd9f3b Mon Sep 17 00:00:00 2001
+From: Daniel Kahn Gillmor
+Date: Fri, 7 Jan 2022 18:36:47 -0500
+Subject: [PATCH] ikev1-policy defaults to drop
+
+IKEv2 has been available for 16 years (RFC 4306 was published December
+2005). At some point, we should be discouraging IKEv1 adoption.
+
+To the extent that a user needs IKEv1, they can manually add
+ikev1-policy=accept to /etc/ipsec.conf.
+---
+ configs/d.ipsec.conf/ikev1-policy.xml | 7 ++++---
+ include/ipsecconf/keywords.h | 2 +-
+ lib/libipsecconf/confread.c | 1 +
+ programs/pluto/server.c | 5 -----
+ 4 files changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/configs/d.ipsec.conf/ikev1-policy.xml b/configs/d.ipsec.conf/ikev1-policy.xml
+index 17d1747e3b..3bd6702564 100644
+--- a/configs/d.ipsec.conf/ikev1-policy.xml
++++ b/configs/d.ipsec.conf/ikev1-policy.xml
+@@ -3,9 +3,10 @@
+
+
+ What to do with received IKEv1 packets. Valid options are
+-accept (default), reject which
+-will reply with an error, and drop which will silently drop
+-any received IKEv1 packet. If this option is set to drop or reject, an attempt to load an
++drop (default) which will silently drop
++any received IKEv1 packet, accept, and
++reject which will reply with an error.
++If this option is set to drop or reject, an attempt to load an
+ IKEv1 connection will fail, as these connections would never be able to receive a packet
+ for processing.
+
+diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
+index 660847733c..31b519242a 100644
+--- a/include/ipsecconf/keywords.h
++++ b/include/ipsecconf/keywords.h
+@@ -111,7 +111,7 @@ enum keyword_numeric_config_field {
+
+ KBF_LISTEN_TCP, /* listen on TCP port 4500 - default no */
+ KBF_LISTEN_UDP, /* listen on UDP port 500/4500 - default yes */
+- KBF_GLOBAL_IKEv1, /* global ikev1 policy - default accept */
++ KBF_GLOBAL_IKEv1, /* global ikev1 policy - default drop */
+ KBF_ROOF
+ };
+
+diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
+index 5b5aba723f..68fbccf442 100644
+--- a/lib/libipsecconf/confread.c
++++ b/lib/libipsecconf/confread.c
+@@ -95,6 +95,7 @@ static void ipsecconf_default_values(struct starter_config *cfg)
+ /* Don't inflict BSI requirements on everyone */
+ SOPT(KBF_SEEDBITS, 0);
+ SOPT(KBF_DROP_OPPO_NULL, false);
++ SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);
+
+ #ifdef HAVE_LABELED_IPSEC
+ SOPT(KBF_SECCTX, SECCTX);
+--
+2.34.1
+
diff --git a/libreswan.spec b/libreswan.spec
index 6e6ef1d..21c3ee9 100644
--- a/libreswan.spec
+++ b/libreswan.spec
@@ -45,6 +45,7 @@ Source5: https://download.libreswan.org/cavs/ikev2.fax.bz2
 %endif
 Patch1: libreswan-4.15-ipsec_import.patch
+Patch2: libreswan-4.6-ikev1-policy-defaults-to-drop.patch
 BuildRequires: audit-libs-devel
 BuildRequires: bison
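Review bot: The embedded patch's own header (`programs/pluto/server.c | 5 -----` and `4 files changed, 6 insertions(+), 9 deletions(-)`) does not match its body, which within the 63 added lines carries hunks for only three files — the server.c hunk of upstream commit 13720e0d is absent. If that missing hunk is what moved pluto's compiled-in IKEv1 default away from accept, then after this backport the drop default is established only by `SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);` in confread's ipsecconf_default_values(), and any start-up path that reaches pluto's own default without that value would keep the old accept behaviour; this needs confirming against the packaged source, since the patch is named for 4.6 while Patch1 is named for 4.15. Either restore the server.c hunk or regenerate the header so the diffstat matches the body, and record the decision in the patch description with a line such as `Note: the upstream server.c hunk is intentionally omitted in this backport; <reason>.` so the next rebase does not silently re-evaluate it.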