Re-introduce libreswan-4.6-ikev1-policy-defaults-to-drop.patch
The patch was included in c9s but omitted when syncronized to Fedora. Now that this is the default behavior in Libreswan 5, we want to keep the patch to avoid any regressions. Resolves: RHEL-52935 Signed-off-by: Daiki Ueno <dueno@redhat.com>
This commit is contained in:
parent
a65932fd0e
commit
021b38cdf6
63
libreswan-4.6-ikev1-policy-defaults-to-drop.patch
Normal file
63
libreswan-4.6-ikev1-policy-defaults-to-drop.patch
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
From 13720e0dedcab1eaf3334a73a42b68581acd9f3b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
|
||||||
|
Date: Fri, 7 Jan 2022 18:36:47 -0500
|
||||||
|
Subject: [PATCH] ikev1-policy defaults to drop
|
||||||
|
|
||||||
|
IKEv2 has been available for 16 years (RFC 4306 was published December
|
||||||
|
2005). At some point, we should be discouraging IKEv1 adoption.
|
||||||
|
|
||||||
|
To the extent that a user needs IKEv1, they can manually add
|
||||||
|
ikev1-policy=accept to /etc/ipsec.conf.
|
||||||
|
---
|
||||||
|
configs/d.ipsec.conf/ikev1-policy.xml | 7 ++++---
|
||||||
|
include/ipsecconf/keywords.h | 2 +-
|
||||||
|
lib/libipsecconf/confread.c | 1 +
|
||||||
|
programs/pluto/server.c | 5 -----
|
||||||
|
4 files changed, 6 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/configs/d.ipsec.conf/ikev1-policy.xml b/configs/d.ipsec.conf/ikev1-policy.xml
|
||||||
|
index 17d1747e3b..3bd6702564 100644
|
||||||
|
--- a/configs/d.ipsec.conf/ikev1-policy.xml
|
||||||
|
+++ b/configs/d.ipsec.conf/ikev1-policy.xml
|
||||||
|
@@ -3,9 +3,10 @@
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
What to do with received IKEv1 packets. Valid options are
|
||||||
|
-<emphasis remap='B'>accept</emphasis> (default), <emphasis remap='B'>reject</emphasis> which
|
||||||
|
-will reply with an error, and <emphasis remap='B'>drop</emphasis> which will silently drop
|
||||||
|
-any received IKEv1 packet. If this option is set to drop or reject, an attempt to load an
|
||||||
|
+<emphasis remap='B'>drop</emphasis> (default) which will silently drop
|
||||||
|
+any received IKEv1 packet, <emphasis remap='B'>accept</emphasis>, and
|
||||||
|
+<emphasis remap='B'>reject</emphasis> which will reply with an error.
|
||||||
|
+If this option is set to drop or reject, an attempt to load an
|
||||||
|
IKEv1 connection will fail, as these connections would never be able to receive a packet
|
||||||
|
for processing.
|
||||||
|
</para>
|
||||||
|
diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
|
||||||
|
index 660847733c..31b519242a 100644
|
||||||
|
--- a/include/ipsecconf/keywords.h
|
||||||
|
+++ b/include/ipsecconf/keywords.h
|
||||||
|
@@ -111,7 +111,7 @@ enum keyword_numeric_config_field {
|
||||||
|
|
||||||
|
KBF_LISTEN_TCP, /* listen on TCP port 4500 - default no */
|
||||||
|
KBF_LISTEN_UDP, /* listen on UDP port 500/4500 - default yes */
|
||||||
|
- KBF_GLOBAL_IKEv1, /* global ikev1 policy - default accept */
|
||||||
|
+ KBF_GLOBAL_IKEv1, /* global ikev1 policy - default drop */
|
||||||
|
KBF_ROOF
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
|
||||||
|
index 5b5aba723f..68fbccf442 100644
|
||||||
|
--- a/lib/libipsecconf/confread.c
|
||||||
|
+++ b/lib/libipsecconf/confread.c
|
||||||
|
@@ -95,6 +95,7 @@ static void ipsecconf_default_values(struct starter_config *cfg)
|
||||||
|
/* Don't inflict BSI requirements on everyone */
|
||||||
|
SOPT(KBF_SEEDBITS, 0);
|
||||||
|
SOPT(KBF_DROP_OPPO_NULL, false);
|
||||||
|
+ SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);
|
||||||
|
|
||||||
|
#ifdef HAVE_LABELED_IPSEC
|
||||||
|
SOPT(KBF_SECCTX, SECCTX);
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -45,6 +45,7 @@ Source5: https://download.libreswan.org/cavs/ikev2.fax.bz2
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
Patch1: libreswan-4.15-ipsec_import.patch
|
Patch1: libreswan-4.15-ipsec_import.patch
|
||||||
|
Patch2: libreswan-4.6-ikev1-policy-defaults-to-drop.patch
|
||||||
|
|
||||||
BuildRequires: audit-libs-devel
|
BuildRequires: audit-libs-devel
|
||||||
BuildRequires: bison
|
BuildRequires: bison
|
||||||
|
Loading…
Reference in New Issue
Block a user