diff --git a/libreswan-3.5-cisco-interop.patch b/libreswan-3.5-cisco-interop.patch
new file mode 100644
index 0000000..6c43595
--- /dev/null
+++ b/libreswan-3.5-cisco-interop.patch
@@ -0,0 +1,44 @@
+commit 08f735e881d314f5b38b55cbc8a9d7abdb9b18f8
+Author: Paul Wouters
+Date: Sun Jul 14 13:27:39 2013 -0400
+
+ pluto: work around for Cisco VPN clients sending extraneous bytes
+
+diff --git a/programs/pluto/demux.c b/programs/pluto/demux.c
+index cc4be99..1ae2f40 100644
+--- a/programs/pluto/demux.c
++++ b/programs/pluto/demux.c
+@@ -146,12 +146,29 @@ void process_packet(struct msg_digest **mdp)
+ }
+ }
+
+- if (md->packet_pbs.roof != md->message_pbs.roof) {
++ if (md->packet_pbs.roof < md->message_pbs.roof) {
+ libreswan_log(
+- "size (%u) differs from size specified in ISAKMP HDR (%u)",
+- (unsigned) pbs_room(
+- &md->packet_pbs), md->hdr.isa_length);
++ "received packet size (%u) is smaller than from "
++ "size specified in ISAKMP HDR (%u) - packet dropped",
++ (unsigned) pbs_room(&md->packet_pbs),
++ md->hdr.isa_length);
++ /* abort processing corrupt packet */
+ return;
++ } else if (md->packet_pbs.roof > md->message_pbs.roof) {
++ /*
++ * Some (old?) versions of the Cisco VPN client send an additional
++ * 16 bytes of zero bytes - Complain but accept it
++ */
++ DBG(DBG_CONTROL, {
++ DBG_log(
++ "size (%u) in received packet is larger than the size "
++ "specified in ISAKMP HDR (%u) - ignoring extraneous bytes",
++ (unsigned) pbs_room(&md->packet_pbs),
++ md->hdr.isa_length);
++ DBG_dump("extraneous bytes:", md->message_pbs.roof,
++ md->packet_pbs.roof - md->message_pbs.roof);
++ /* continue */
++ });
+ }
+
+ maj = (md->hdr.isa_version >> ISA_MAJ_SHIFT);
diff --git a/libreswan.spec b/libreswan.spec
index acf4537..f129ab5 100644
--- a/libreswan.spec
+++ b/libreswan.spec
@@ -8,7 +8,6 @@
 %global _hardened_build 1
-%global fipscheck_version 1.3.0
 %global buildefence 0
 %global development 0
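Review bot: In the `else if (md->packet_pbs.roof > md->message_pbs.roof)` branch the trailing bytes are accepted with no bound on their length or content, and the only report of them sits inside `DBG(DBG_CONTROL, ...)`, so the "Complain but accept it" promised by the comment never reaches the log of a non-debug build and an operator cannot tell an oversized message from a well-formed one. Keeping the `DBG_dump` under DBG_CONTROL but moving the message to the always-on logger, `libreswan_log("received packet size (%u) is larger than the size specified in ISAKMP HDR (%u) - ignoring extraneous bytes", (unsigned) pbs_room(&md->packet_pbs), md->hdr.isa_length);`, would restore that visibility. If the workaround is meant to match the comment, consider bounding the tolerated excess (the comment describes 16 zero bytes) so the drop path still covers anything larger; whether later code reads up to packet_pbs.roof rather than message_pbs.roof cannot be seen from this hunk. The drop-path message also has a stray word: `"received packet size (%u) is smaller than the size specified in ISAKMP HDR (%u) - packet dropped"`. process_packet starts before and continues after the hunk.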
@@ -32,6 +31,8 @@ Conflicts: openswan < %{version}-%{release}
 Obsoletes: openswan < %{version}-%{release}
 Provides: openswan = %{version}-%{release}
+Patch1: libreswan-3.5-cisco-interop.patch
+
 BuildRequires: pkgconfig hostname
 BuildRequires: nss-devel >= 3.12.6-2, nspr-devel
 BuildRequires: pam-devel
@@ -39,9 +40,9 @@ BuildRequires: pam-devel
 BuildRequires: unbound-devel
 %endif
 %if %{USE_FIPSCHECK}
-BuildRequires: fipscheck-devel >= %{fipscheck_version}
+BuildRequires: fipscheck-devel
 # we need fipshmac
-Requires: fipscheck%{_isa} >= %{fipscheck_version}
+Requires: fipscheck%{_isa}
 %endif
 %if %{USE_LINUX_AUDIT}
 Buildrequires: audit-libs-devel
@@ -79,6 +80,7 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
 %prep
 %setup -q -n libreswan-%{version}%{?prever}
+%patch1 -p1 -b .ciscovpn
 %build
 %if %{buildefence}
@@ -184,6 +186,11 @@ rm -fr %{buildroot}/etc/rc.d/rc*
 %systemd_post ipsec.service
 %changelog
+* Mon Jul 15 2013 Paul Wouters - 3.5-2
+- Added interop patch for (some?) Cisco VPN clients sending 16 zero
+ bytes of extraneous IKE data
+- Removed fipscheck_version
+
 * Sat Jul 13 2013 Paul Wouters - 3.5-1
 - Updated to 3.5
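Review bot: Removing `>= %{fipscheck_version}` from both the BuildRequires and the Requires inside the `%if %{USE_FIPSCHECK}` block drops the only minimum-version constraint on fipscheck, while the `# we need fipshmac` comment still records why that dependency exists; the changelog entry says the macro was removed but not why the version floor is no longer needed. If the intent was only to retire the unused macro, the floor can stay inline: `BuildRequires: fipscheck-devel >= 1.3.0` and `Requires: fipscheck%{_isa} >= 1.3.0`. Whether older fipscheck releases ship fipshmac cannot be confirmed from this page, so if the floor is deliberately dropped a short comment stating the minimum version assumed would help the next packager.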