From 021b38cdf6f1d5ffc9e8e5ee597880e2d660d5ad Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Tue, 6 Aug 2024 09:46:06 +0900
Subject: [PATCH] Re-introduce libreswan-4.6-ikev1-policy-defaults-to-drop.patch

The patch was included in c9s but omitted when syncronized to Fedora. Now that this is the default behavior in Libreswan 5, we want to keep the patch to avoid any regressions.

Resolves: RHEL-52935
Signed-off-by: Daiki Ueno
---
 ...an-4.6-ikev1-policy-defaults-to-drop.patch | 63 +++++++++++++++++++
 libreswan.spec | 1 +
 2 files changed, 64 insertions(+)
 create mode 100644 libreswan-4.6-ikev1-policy-defaults-to-drop.patch

diff --git a/libreswan-4.6-ikev1-policy-defaults-to-drop.patch b/libreswan-4.6-ikev1-policy-defaults-to-drop.patch
new file mode 100644
index 0000000..40073d5
--- /dev/null
+++ b/libreswan-4.6-ikev1-policy-defaults-to-drop.patch
@@ -0,0 +1,63 @@ +From 13720e0dedcab1eaf3334a73a42b68581acd9f3b Mon Sep 17 00:00:00 2001 +From: Daniel Kahn Gillmor +Date: Fri, 7 Jan 2022 18:36:47 -0500 +Subject: [PATCH] ikev1-policy defaults to drop + +IKEv2 has been available for 16 years (RFC 4306 was published December +2005). At some point, we should be discouraging IKEv1 adoption. + +To the extent that a user needs IKEv1, they can manually add +ikev1-policy=accept to /etc/ipsec.conf. +--- + configs/d.ipsec.conf/ikev1-policy.xml | 7 ++++--- + include/ipsecconf/keywords.h | 2 +- + lib/libipsecconf/confread.c | 1 + + programs/pluto/server.c | 5 ----- + 4 files changed, 6 insertions(+), 9 deletions(-) + +diff --git a/configs/d.ipsec.conf/ikev1-policy.xml b/configs/d.ipsec.conf/ikev1-policy.xml +index 17d1747e3b..3bd6702564 100644 +--- a/configs/d.ipsec.conf/ikev1-policy.xml ++++ b/configs/d.ipsec.conf/ikev1-policy.xml +@@ -3,9 +3,10 @@ + + + What to do with received IKEv1 packets. Valid options are +-accept (default), reject which +-will reply with an error, and drop which will silently drop +-any received IKEv1 packet. If this option is set to drop or reject, an attempt to load an ++drop (default) which will silently drop ++any received IKEv1 packet, accept, and ++reject which will reply with an error. ++If this option is set to drop or reject, an attempt to load an + IKEv1 connection will fail, as these connections would never be able to receive a packet + for processing. 
+ +diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h +index 660847733c..31b519242a 100644 +--- a/include/ipsecconf/keywords.h ++++ b/include/ipsecconf/keywords.h +@@ -111,7 +111,7 @@ enum keyword_numeric_config_field { + + KBF_LISTEN_TCP, /* listen on TCP port 4500 - default no */ + KBF_LISTEN_UDP, /* listen on UDP port 500/4500 - default yes */ +- KBF_GLOBAL_IKEv1, /* global ikev1 policy - default accept */ ++ KBF_GLOBAL_IKEv1, /* global ikev1 policy - default drop */ + KBF_ROOF + }; + +diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c +index 5b5aba723f..68fbccf442 100644 +--- a/lib/libipsecconf/confread.c ++++ b/lib/libipsecconf/confread.c +@@ -95,6 +95,7 @@ static void ipsecconf_default_values(struct starter_config *cfg) + /* Don't inflict BSI requirements on everyone */ + SOPT(KBF_SEEDBITS, 0); + SOPT(KBF_DROP_OPPO_NULL, false); ++ SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP); + + #ifdef HAVE_LABELED_IPSEC + SOPT(KBF_SECCTX, SECCTX); +-- +2.34.1 + diff --git a/libreswan.spec b/libreswan.spec index 6e6ef1d..21c3ee9 100644 --- a/libreswan.spec +++ b/libreswan.spec @@ -45,6 +45,7 @@ Source5: https://download.libreswan.org/cavs/ikev2.fax.bz2 %endif Patch1: libreswan-4.15-ipsec_import.patch +Patch2: libreswan-4.6-ikev1-policy-defaults-to-drop.patch BuildRequires: audit-libs-devel BuildRequires: bison
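Review bot: The embedded patch's own diffstat (`programs/pluto/server.c | 5 -----`, `4 files changed, 6 insertions(+), 9 deletions(-)`) does not describe the file that is actually being added: only the ikev1-policy.xml, keywords.h and confread.c hunks are present, which account for 6 insertions and 4 deletions, and there is no server.c hunk at all. If the server.c part was deliberately left out when this was carried over from c9s, regenerate the header (or trim the diffstat to the three files) so the next person syncing the patch does not read it as truncated. It is also worth confirming that pluto's own default agrees with the new `SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP)` in confread.c: the upstream commit touched server.c as well, so a pluto started without a config-derived ikev1-policy value may still fall back to whatever is compiled in there — I cannot tell from this hunk. Finally, the patch is named for 4.6 while the neighbouring Patch1 is named for 4.15; verify it still applies cleanly to the source tree this spec builds.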
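Review bot: The new `Patch2:` line changes what Fedora's pluto does with received IKEv1 packets from accept to silent drop (per the ikev1-policy.xml text in the patch), which is a user-visible break for anyone with existing IKEv1 connections: after the upgrade those peers get no reply at all, and only adding `ikev1-policy=accept` to ipsec.conf restores them. Nothing in this hunk records that for users — no `%changelog` entry or Release bump is visible — so unless the spec relies on `%autochangelog`/`%autorelease`, add a changelog line such as `- Drop received IKEv1 packets by default; set ikev1-policy=accept in ipsec.conf to restore the previous behaviour`. The `%prep` section that applies the patch list is outside this hunk, so I cannot confirm Patch2 is actually applied (`%autosetup -p1` versus explicit `%patch` lines); please check that too.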