import libreswan-4.6-3.el9

CentOS Sources 2022-03-01 07:15:40 -05:00 committed by Stepan Oksanichenko
parent c0b8ac0f51
commit 3e4e2a63ce
9 changed files with 153 additions and 809 deletions

.gitignore vendored

@ -1,4 +1,4 @@
SOURCES/ikev1_dsa.fax.bz2
SOURCES/ikev1_psk.fax.bz2
SOURCES/ikev2.fax.bz2
SOURCES/libreswan-4.4.tar.gz
SOURCES/libreswan-4.6.tar.gz


@ -1,4 +1,4 @@
b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2
861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2
fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2
c75da86c032fe15979a13f4e779a9fe41386203a SOURCES/libreswan-4.4.tar.gz
8df902f58f9341d45b4b529b73126bf654764934 SOURCES/libreswan-4.6.tar.gz


@ -1,31 +0,0 @@
diff -up ./programs/pluto/ikev2_ipseckey.c.openssl3 ./programs/pluto/ikev2_ipseckey.c
--- ./programs/pluto/ikev2_ipseckey.c.openssl3 2021-02-03 02:36:01.000000000 +0100
+++ ./programs/pluto/ikev2_ipseckey.c 2021-06-24 17:55:04.863636517 +0200
@@ -25,13 +25,25 @@
#include <arpa/nameser.h>
#include <ldns/ldns.h> /* from ldns-devel */
#include <ldns/rr.h>
+/*
+ * avoid name clash between OpenSSL headers (included through
+ * <ldns/ldns.h>) and NSS headers (included below through <pk11pub.h>)
+ */
+#undef KU_DIGITAL_SIGNATURE
+#undef KU_NON_REPUDIATION
+#undef KU_KEY_ENCIPHERMENT
+#undef KU_DATA_ENCIPHERMENT
+#undef KU_KEY_AGREEMENT
+#undef KU_KEY_CERT_SIGN
+#undef KU_CRL_SIGN
+#undef KU_ENCIPHER_ONLY
#include <unbound.h>
#include "unbound-event.h"
#include "defs.h"
#include "log.h"
+#include "state.h"
#include "constants.h" /* for demux.h */
#include "demux.h" /* to get struct msg_digest */
-#include "state.h"
#include "connections.h"
#include "dnssec.h" /* includes unbound.h */
#include "id.h"
diff -up ./programs/pluto/ikev2_rsa.c.openssl3 ./programs/pluto/ikev2_rsa.c


@ -1,101 +0,0 @@
From 835f711502fa07825b27201cb772e911c59d54b0 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Wed, 21 Jul 2021 10:10:43 +0200
Subject: [PATCH] ipsec barf: fix shell test expression
Spotted by shellcheck:
/usr/libexec/ipsec/barf:55:5: error[SC1073]: Couldn't parse this test expression. Fix to allow more checks.
# 53| for f
# 54| do
# 55|-> if [ -s ${LOGS}/${f} -a \
# 56| -f ${LOGS}/${f} -a \
# 57| grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null ]
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
programs/barf/barf.in | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/programs/barf/barf.in b/programs/barf/barf.in
index e76c62f338..499916da4b 100755
--- a/programs/barf/barf.in
+++ b/programs/barf/barf.in
@@ -53,8 +53,8 @@ findlog() { # findlog string fallbackstring possiblefile ...
for f
do
if [ -s ${LOGS}/${f} -a \
- -f ${LOGS}/${f} -a \
- grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null ]
+ -f ${LOGS}/${f} ] && \
+ grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null
then
# aha, this one has it
findlog_file=${LOGS}/${f}
@@ -66,8 +66,8 @@ findlog() { # findlog string fallbackstring possiblefile ...
for f
do
if [ -s ${LOGS}/${f} -a \
- -f ${LOGS}/${f} -a \
- grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null ]
+ -f ${LOGS}/${f} ] && \
+ grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null
then
# aha, this one has it
findlog_file=${LOGS}/${f}
@@ -80,8 +80,8 @@ findlog() { # findlog string fallbackstring possiblefile ...
for f in $(ls -t ${LOGS} | grep -E -v 'lastlog|tmp|^mail|\.(gz|Z)$')
do
if [ -f ${LOGS}/${f} -a \
- ! -d ${LOGS}/${f} -a \
- grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null ]
+ ! -d ${LOGS}/${f} ] && \
+ grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null
then
# found it
findlog_file=${LOGS}/${f}
@@ -93,8 +93,8 @@ findlog() { # findlog string fallbackstring possiblefile ...
for f in $(ls -t ${LOGS} | grep -E -v 'lastlog|tmp|^mail|\.(gz|Z)$')
do
if [ -s ${LOGS}/${f} -a \
- -f ${LOGS}/${f} -a \
- grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null ]
+ -f ${LOGS}/${f} ] && \
+ grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null
then
# found it
findlog_file=${LOGS}/${f}
--
2.31.1
From 00ee1189626db8dcce084cb481ad0c49b435f4ff Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Wed, 21 Jul 2021 10:54:58 +0200
Subject: [PATCH] testing jambufcheck: add missing va_end calls in error path
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
testing/programs/jambufcheck/jambufcheck.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/testing/programs/jambufcheck/jambufcheck.c b/testing/programs/jambufcheck/jambufcheck.c
index 72baaa5a1d..23a47b15f6 100644
--- a/testing/programs/jambufcheck/jambufcheck.c
+++ b/testing/programs/jambufcheck/jambufcheck.c
@@ -104,11 +104,13 @@ static void check_jambuf(bool ok, const char *expect, ...)
}
break;
default:
+ va_end(ap);
FAIL("bad case");
return;
}
}
if (ok && !jambuf_ok(&buf)) {
+ va_end(ap);
FAIL("unexpectedly failed writing '%s'",
str == NULL ? "(null)" : str);
return;
--
2.31.1


@ -1,168 +0,0 @@
diff -up ./lib/libswan/ttoaddress.c.getaddrinfo ./lib/libswan/ttoaddress.c
--- ./lib/libswan/ttoaddress.c.getaddrinfo 2021-04-22 17:24:33.000000000 +0200
+++ ./lib/libswan/ttoaddress.c 2021-07-22 13:16:19.073745043 +0200
@@ -20,6 +20,7 @@
#include <netdb.h> /* for gethostbyname2() */
#include "ip_address.h"
+#include "ip_sockaddr.h"
#include "ip_info.h"
#include "lswalloc.h" /* for alloc_things(), pfree() */
#include "lswlog.h" /* for pexpect() */
@@ -75,56 +76,6 @@ static err_t ttoaddr_base(shunk_t src,
}
/*
- * tryname - try it as a name
- *
- * Error return is intricate because we cannot compose a static string.
- */
-static err_t tryname(const char *p,
- int af,
- int suggested_af, /* kind(s) of numeric addressing tried */
- ip_address *dst)
-{
- struct hostent *h = gethostbyname2(p, af);
- if (h != NULL) {
- if (h->h_addrtype != af) {
- return "address-type mismatch from gethostbyname2!!!";
- }
-
- return data_to_address(h->h_addr, h->h_length, aftoinfo(af), dst);
- }
-
- if (af == AF_INET6) {
- if (suggested_af == AF_INET6) {
- return "not a numeric IPv6 address and name lookup failed (no validation performed)";
- } else /* AF_UNSPEC */ {
- return "not a numeric IPv4 or IPv6 address and name lookup failed (no validation performed)";
- }
- }
-
- pexpect(af == AF_INET);
-
- /* like, windows even has an /etc/networks? */
- struct netent *ne = getnetbyname(p);
- if (ne == NULL) {
- /* intricate because we cannot compose a static string */
- if (suggested_af == AF_INET) {
- return "not a numeric IPv4 address and name lookup failed (no validation performed)";
- } else {
- return "not a numeric IPv4 or IPv6 address and name lookup failed (no validation performed)";
- }
- }
-
- if (ne->n_addrtype != af) {
- return "address-type mismatch from getnetbyname!!!";
- }
-
- /* apparently .n_net is in host order */
- struct in_addr in = { htonl(ne->n_net), };
- *dst = address_from_in_addr(&in);
- return NULL;
-}
-
-/*
* tryhex - try conversion as an eight-digit hex number (AF_INET only)
*/
@@ -401,57 +352,56 @@ err_t getpiece(const char **srcp, /* *sr
err_t ttoaddress_dns(shunk_t src, const struct ip_info *afi, ip_address *dst)
{
+ char *name = clone_hunk_as_string(src, "ttoaddress_dns"); /* must free */
+ struct addrinfo *res = NULL;
+ const struct addrinfo hints = (struct addrinfo) {
+ .ai_family = afi == NULL ? AF_UNSPEC : afi->af,
+ };
*dst = unset_address;
- if (src.len == 0) {
- return "empty string";
- }
-
- bool was_numeric = true;
- err_t err = ttoaddr_base(src, afi, &was_numeric, dst);
- if (was_numeric) {
- /* no-point in continuing */
- return err;
- }
- /* err == non-numeric */
+ int eai = getaddrinfo(name, NULL, &hints, &res);
+ err_t err = NULL;
- for (const char *cp = src.ptr, *end = cp + src.len; cp < end; cp++) {
+ if (eai != 0) {
/*
- * Legal ASCII characters in a domain name.
- * Underscore technically is not, but is a common
- * misunderstanding. Non-ASCII characters are simply
- * exempted from checking at the moment, to allow for
- * UTF-8 encoded stuff; the purpose of this check is
- * merely to catch blatant errors.
- *
- * XXX: Suspect the ISASCII() check can be dropped -
- * utf-8 isn't allowed in DNS names and without a
- * utf-8 parser the check is flawed.
+ * return system-supplied diagnostic
+ * except where it is particularly confusing.
+ * "Name or service not unknown." is terrible.
*/
- static const char namechars[] =
- "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-_.";
-#define ISASCII(c) (((c) & 0x80) == 0)
- if (ISASCII(*cp) && strchr(namechars, *cp) == NULL) {
- return "illegal (non-DNS-name) character in name";
+ err = eai == EAI_NONAME ? "NAME is unknown" : gai_strerror(eai);
+ } else if (res == NULL) {
+ err = "not a numeric IP address and name lookup failed (no validation performed)";
+ } else {
+ /* always choose IPv4 result if there is one */
+ struct addrinfo *winner = res;
+
+ for (struct addrinfo *r = res; r!= NULL; r = r->ai_next) {
+ if (r->ai_family == AF_INET) {
+ winner = r;
+ break;
+ }
+ }
+
+ ip_port mbz = { .hport = 0 };
+ ip_sockaddr sa = {
+ .len = winner->ai_addrlen,
+ };
+ passert(sizeof(sa.sa) >= winner->ai_addrlen);
+ memcpy(&sa.sa, winner->ai_addr, winner->ai_addrlen);
+ passert(sa.sa.sa.sa_family == winner->ai_family);
+ /* boneheaded getaddrinfo(3) leaves port field uninitialized */
+ if (winner->ai_family == AF_INET) {
+ sa.sa.sin.sin_port = 0;
+ } else if (winner->ai_family == AF_INET6) {
+ sa.sa.sin6.sin6_port = 0;
+ } else {
+ bad_case(winner->ai_family);
}
+ err = sockaddr_to_address_port(sa, dst, &mbz);
+ passert(hport(mbz) == 0);
}
- /*
- * need a guarenteed null terminated string
- */
- char *name = clone_hunk_as_string(src, "ttoaddress_dns"); /* must free */
- int suggested_af = afi == NULL ? AF_UNSPEC : afi->af;
- err_t v4err = NULL, v6err = NULL;
- if (err && (suggested_af == AF_UNSPEC || suggested_af == AF_INET)) {
- err = v4err = tryname(name, AF_INET, suggested_af, dst);
- }
- if (err && (suggested_af == AF_UNSPEC || suggested_af == AF_INET6)) {
- err = v6err = tryname(name, AF_INET6, suggested_af, dst);
- }
- /* prefer the IPv4 error */
- if (err != NULL && v4err != NULL) {
- err = v4err;
- }
+ freeaddrinfo(res);
pfree(name);
return err;
}


@ -1,494 +0,0 @@
diff --git a/testing/programs/ipcheck/Makefile b/testing/programs/ipcheck/Makefile
index 4dae8336be..af77a9e9d8 100644
--- a/testing/programs/ipcheck/Makefile
+++ b/testing/programs/ipcheck/Makefile
@@ -41,4 +41,4 @@ include ../../../mk/program.mk
endif
local-check: $(PROGRAM)
- $(builddir)/$(PROGRAM)
+ $(builddir)/$(PROGRAM) --dns=yes
diff --git a/testing/programs/ipcheck/ip_address_check.c b/testing/programs/ipcheck/ip_address_check.c
index b80990302a..a84aadaf73 100644
--- a/testing/programs/ipcheck/ip_address_check.c
+++ b/testing/programs/ipcheck/ip_address_check.c
@@ -24,79 +24,76 @@
#include "ip_address.h"
#include "ipcheck.h"
-static void check_shunk_to_address(void)
+static void check_ttoaddress_num(void)
{
static const struct test {
int line;
int family;
const char *in;
const char *str;
- bool requires_dns;
} tests[] = {
/* unset */
- { LN, 0, "", NULL, false, },
+ { LN, 0, "", NULL, },
/* any */
- { LN, 4, "0.0.0.0", "0.0.0.0", false, },
- { LN, 6, "::", "::", false, },
- { LN, 6, "0:0:0:0:0:0:0:0", "::", false, },
+ { LN, 4, "0.0.0.0", "0.0.0.0", },
+ { LN, 6, "::", "::", },
+ { LN, 6, "0:0:0:0:0:0:0:0", "::", },
/* local (zero's fill) */
- { LN, 4, "127.1", "127.0.0.1", false, },
- { LN, 4, "127.0.1", "127.0.0.1", false, },
- { LN, 4, "127.0.0.1", "127.0.0.1", false, },
- { LN, 6, "::1", "::1", false, },
- { LN, 6, "0:0:0:0:0:0:0:1", "::1", false, },
+ { LN, 4, "127.1", "127.0.0.1", },
+ { LN, 4, "127.0.1", "127.0.0.1", },
+ { LN, 4, "127.0.0.1", "127.0.0.1", },
+ { LN, 6, "::1", "::1", },
+ { LN, 6, "0:0:0:0:0:0:0:1", "::1", },
/* mask - and buffer overflow */
- { LN, 4, "255.255.255.255", "255.255.255.255", false, },
- { LN, 6, "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false, },
+ { LN, 4, "255.255.255.255", "255.255.255.255", },
+ { LN, 6, "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", },
/* all bytes */
- { LN, 4, "1.2.3.4", "1.2.3.4", false, },
- { LN, 6, "1:2:3:4:5:6:7:8", "1:2:3:4:5:6:7:8", false, },
+ { LN, 4, "1.2.3.4", "1.2.3.4", },
+ { LN, 6, "1:2:3:4:5:6:7:8", "1:2:3:4:5:6:7:8", },
/* last digit is a big num - see wikepedia */
- { LN, 4, "127.254", "127.0.0.254", false, },
- { LN, 4, "127.65534", "127.0.255.254", false, },
- { LN, 4, "127.16777214", "127.255.255.254", false, },
+ { LN, 4, "127.254", "127.0.0.254", },
+ { LN, 4, "127.65534", "127.0.255.254", },
+ { LN, 4, "127.16777214", "127.255.255.254", },
/* last digit overflow */
- { LN, 4, "127.16777216", NULL, false, },
- { LN, 4, "127.0.65536", NULL, false, },
- { LN, 4, "127.0.0.256", NULL, false, },
+ { LN, 4, "127.16777216", NULL, },
+ { LN, 4, "127.0.65536", NULL, },
+ { LN, 4, "127.0.0.256", NULL, },
/* suppress leading zeros - 01 vs 1 */
- { LN, 6, "0001:0012:0003:0014:0005:0016:0007:0018", "1:12:3:14:5:16:7:18", false, },
+ { LN, 6, "0001:0012:0003:0014:0005:0016:0007:0018", "1:12:3:14:5:16:7:18", },
/* drop leading 0:0: */
- { LN, 6, "0:0:3:4:5:6:7:8", "::3:4:5:6:7:8", false, },
+ { LN, 6, "0:0:3:4:5:6:7:8", "::3:4:5:6:7:8", },
/* drop middle 0:...:0 */
- { LN, 6, "1:2:0:0:0:0:7:8", "1:2::7:8", false, },
+ { LN, 6, "1:2:0:0:0:0:7:8", "1:2::7:8", },
/* drop trailing :0..:0 */
- { LN, 6, "1:2:3:4:5:0:0:0", "1:2:3:4:5::", false, },
+ { LN, 6, "1:2:3:4:5:0:0:0", "1:2:3:4:5::", },
/* drop first 0:..:0 */
- { LN, 6, "1:2:0:0:5:6:0:0", "1:2::5:6:0:0", false, },
+ { LN, 6, "1:2:0:0:5:6:0:0", "1:2::5:6:0:0", },
/* drop logest 0:..:0 */
- { LN, 6, "0:0:3:0:0:0:7:8", "0:0:3::7:8", false, },
+ { LN, 6, "0:0:3:0:0:0:7:8", "0:0:3::7:8", },
/* need two 0 */
- { LN, 6, "0:2:0:4:0:6:0:8", "0:2:0:4:0:6:0:8", false, },
-
- { LN, 4, "www.libreswan.org", "188.127.201.229", .requires_dns = true, },
+ { LN, 6, "0:2:0:4:0:6:0:8", "0:2:0:4:0:6:0:8", },
/* hex/octal */
- { LN, 4, "0x01.0x02.0x03.0x04", "1.2.3.4", false, },
- { LN, 4, "0001.0002.0003.0004", "1.2.3.4", false, },
- { LN, 4, "0x01020304", "1.2.3.4", false, },
+ { LN, 4, "0x01.0x02.0x03.0x04", "1.2.3.4", },
+ { LN, 4, "0001.0002.0003.0004", "1.2.3.4", },
+ { LN, 4, "0x01020304", "1.2.3.4", },
/* trailing garbage */
- { LN, 4, "1.2.3.4.", NULL, false, },
- { LN, 4, "1.2.3.4a", NULL, false, },
- { LN, 4, "1.2.3.0a", NULL, false, },
+ { LN, 4, "1.2.3.4.", NULL, },
+ { LN, 4, "1.2.3.4a", NULL, },
+ { LN, 4, "1.2.3.0a", NULL, },
/* bad digits */
- { LN, 4, "256.2.3.4", NULL, false, },
- { LN, 4, "0008.2.3.4", NULL, false, },
- { LN, 4, "0x0g.2.3.4", NULL, false, },
+ { LN, 4, "256.2.3.4", NULL, },
+ { LN, 4, "0008.2.3.4", NULL, },
+ { LN, 4, "0x0g.2.3.4", NULL, },
};
@@ -104,66 +101,146 @@ static void check_shunk_to_address(void)
for (size_t ti = 0; ti < elemsof(tests); ti++) {
const struct test *t = &tests[ti];
- PRINT("%s '%s' -> str: '%s' dns: %s", pri_family(t->family), t->in,
- t->str == NULL ? "ERROR" : t->str,
- bool_str(t->requires_dns));
-
- ip_address tmp, *address = &tmp;
-
- /* NUMERIC/NULL */
- FOR_EACH_THING(family, 0, t->family) {
+ /*
+ * For each address, perform lookups:
+ *
+ * - first with a generic family and then with the
+ * specified family
+ *
+ * - first with ttoaddress_num() and then
+ * ttoaddress_dns() (but only when it should work)
+ */
+
+ FOR_EACH_THING(family, 0, 4, 6) {
const struct ip_info *afi = IP_TYPE(family);
- err = ttoaddress_num(shunk1(t->in), afi, address);
- if (err != NULL) {
- if (t->str != NULL && !t->requires_dns) {
- FAIL("ttoaddress_num(%s, %s) unexpecedly failed: %s",
- t->in, pri_family(family), err);
+ bool err_expected = (t->str == NULL || (family != 0 && family != t->family));
+
+ struct lookup {
+ const char *name;
+ err_t (*ttoaddress)(shunk_t, const struct ip_info *, ip_address *);
+ bool need_dns;
+ } lookups[] = {
+ {
+ "ttoaddress_num",
+ ttoaddress_num,
+ false,
+ },
+ {
+ "ttoaddress_dns",
+ ttoaddress_dns,
+ true,
+ },
+ {
+ .name = NULL,
+ },
+ };
+ for (struct lookup *lookup = lookups; lookup->name != NULL; lookup++) {
+
+ /*
+ * Without DNS a
+ * ttoaddress_dns() lookup of
+ * a bogus IP address will go
+ * into the weeds.
+ */
+ bool skip = (lookup->need_dns && have_dns != DNS_YES);
+
+ PRINT("%s('%s', %s) -> '%s'%s",
+ lookup->name, t->in, pri_family(family),
+ err_expected ? "ERROR" : t->str,
+ skip ? "; skipped as no DNS" : "");
+
+ if (skip) {
+ continue;
+ }
+
+ ip_address tmp, *address = &tmp;
+ err = lookup->ttoaddress(shunk1(t->in), afi, address);
+ if (err_expected) {
+ if (err == NULL) {
+ FAIL("%s(%s, %s) unexpecedly succeeded",
+ lookup->name, t->in, pri_family(family));
+ }
+ PRINT("%s(%s, %s) returned: %s",
+ lookup->name, t->in, pri_family(family), err);
+ } else if (err != NULL) {
+ FAIL("%s(%s, %s) unexpecedly failed: %s",
+ lookup->name, t->in, pri_family(family), err);
} else {
- PRINT("ttoaddress_num(%s, %s) returned: %s",
- t->in, pri_family(family), err);
+ CHECK_STR2(address);
}
- } else if (t->requires_dns) {
- FAIL("ttoaddress_num(%s, %s) unexpecedly parsed a DNS address",
- t->in, pri_family(family));
- } else if (t->str == NULL) {
- FAIL("ttoaddress_num(%s, %s) unexpecedly succeeded",
- t->in, pri_family(family));
- } else {
- CHECK_TYPE(address);
}
}
+ }
+}
+
+static void check_ttoaddress_dns(void)
+{
+ static const struct test {
+ int line;
+ int family;
+ const char *in;
+ const char *str;
+ bool need_dns;
+ } tests[] = {
+
+ /* localhost is found in /etc/hosts on all platforms */
+ { LN, 0, "localhost", "127.0.0.1", false, },
+ { LN, 4, "localhost", "127.0.0.1", false, },
+ { LN, 6, "localhost", "::1", false, },
+
+ { LN, 0, "www.libreswan.org", "188.127.201.229", true, },
+ { LN, 4, "www.libreswan.org", "188.127.201.229", true, },
+ { LN, 6, "www.libreswan.org", "2a00:1190:c00a:f00::229", true, },
- /* DNS/TYPE */
+ { LN, 0, "nowhere.libreswan.org", NULL, true, },
+ { LN, 4, "nowhere.libreswan.org", NULL, true, },
+ { LN, 6, "nowhere.libreswan.org", NULL, true, },
- if (t->requires_dns && !use_dns) {
- PRINT("skipping dns_hunk_to_address(type) -- no DNS");
+ };
+
+ err_t err;
+
+ for (size_t ti = 0; ti < elemsof(tests); ti++) {
+ const struct test *t = &tests[ti];
+ const struct ip_info *afi = IP_TYPE(t->family);
+ bool skip = (have_dns == DNS_NO || (have_dns != DNS_YES && t->need_dns));
+
+ PRINT("%s '%s' -> str: '%s' lookup: %s%s",
+ pri_family(t->family), t->in,
+ t->str == NULL ? "ERROR" : t->str,
+ (t->need_dns ? "DNS" : "/etc/hosts"),
+ (skip ? "; skipped as no DNS" : ""));
+
+ if (skip) {
+ continue;
+ }
+
+ ip_address tmp, *address = &tmp;
+ err = ttoaddress_dns(shunk1(t->in), afi, address);
+ if (err != NULL) {
+ if (t->str != NULL) {
+ FAIL("ttoaddress_dns(%s, %s) unexpecedly failed: %s",
+ t->in, pri_family(t->family), err);
+ }
+ PRINT("ttoaddress_dns(%s, %s) failed as expected: %s",
+ t->in, pri_family(t->family), err);
+ } else if (t->str == NULL) {
+ address_buf b;
+ FAIL("ttoaddress_dns(%s, %s) unexpecedly succeeded with %s",
+ t->in, pri_family(t->family),
+ str_address(address, &b));
} else {
- const struct ip_info *afi = IP_TYPE(t->family);
- err = ttoaddress_dns(shunk1(t->in), afi, address);
- if (err != NULL) {
- if (t->str != NULL) {
- FAIL("ttoaddress_dns(%s, %s) unexpecedly failed: %s",
- t->in, pri_family(t->family), err);
- } else {
- PRINT("ttoaddress_dns(%s, %s) returned: %s",
- t->in, pri_family(t->family), err);
- }
- } else if (t->str == NULL) {
- FAIL("ttoaddress_dns(%s, %s) unexpecedly succeeded",
- t->in, pri_family(t->family));
- } else {
+ address_buf b;
+ PRINT("ttoaddress_dns(%s, %s) succeeded with %s",
+ t->in, pri_family(t->family),
+ str_address(address, &b));
+ if (t->family != 0) {
CHECK_TYPE(address);
}
- }
-
- /* now convert it back cooked */
- if (t->requires_dns && !use_dns) {
- PRINT("skipping str_*() -- no DNS");
- } else if (t->str != NULL) {
+ /* and back */
CHECK_STR2(address);
}
-
}
}
@@ -473,7 +550,8 @@ static void check_addresses_to(void)
void ip_address_check(void)
{
- check_shunk_to_address();
+ check_ttoaddress_num();
+ check_ttoaddress_dns();
check_str_address_sensitive();
check_str_address_reversed();
check_address_is();
diff --git a/testing/programs/ipcheck/ip_info_check.c b/testing/programs/ipcheck/ip_info_check.c
index a7553a6029..f1566f4607 100644
--- a/testing/programs/ipcheck/ip_info_check.c
+++ b/testing/programs/ipcheck/ip_info_check.c
@@ -31,10 +31,12 @@
/*hack*/const typeof(L##_tests[0]) *t = &L##_tests[tl]; \
/*hack*/size_t ti = tl; \
const ip_##L *l = L##_tests[tl].L; \
- if (l == NULL) continue; \
+ if (l == NULL) \
+ continue; \
for (size_t tr = 0; tr < elemsof(R##_tests); tr++) { \
const ip_##R *r = R##_tests[tr].R; \
- if (r == NULL) continue; \
+ if (r == NULL) \
+ continue; \
bool expected = false; \
for (size_t to = 0; to < elemsof(L##_op_##R); to++) { \
const typeof(L##_op_##R[0]) *op = &L##_op_##R[to]; \
diff --git a/testing/programs/ipcheck/ip_range_check.c b/testing/programs/ipcheck/ip_range_check.c
index 256cf76c70..9f9a27db58 100644
--- a/testing/programs/ipcheck/ip_range_check.c
+++ b/testing/programs/ipcheck/ip_range_check.c
@@ -389,7 +389,7 @@ static void check_range_op_range(void)
FAIL("ttorange(%s) failed: %s", t->R, oops); \
} \
} else { \
- l = unset_range; \
+ R = unset_range; \
}
TT(l);
TT(r);
diff --git a/testing/programs/ipcheck/ip_sockaddr_check.c b/testing/programs/ipcheck/ip_sockaddr_check.c
index 538154b6e6..d9affb54f9 100644
--- a/testing/programs/ipcheck/ip_sockaddr_check.c
+++ b/testing/programs/ipcheck/ip_sockaddr_check.c
@@ -20,6 +20,8 @@
#include "ip_info.h"
#include "ip_protocol.h"
+#include "lswlog.h" /* for DBG_dump_thing() */
+
#include "ipcheck.h"
static void check_sockaddr_as_endpoint(void)
@@ -52,20 +54,25 @@ static void check_sockaddr_as_endpoint(void)
PRINT("%s '%s' -> '%s' len=%zd", pri_family(t->family), t->in, expect_out, t->size);
/* construct a raw sockaddr */
- ip_sockaddr sa = {
- .sa.sa = {
- .sa_family = SA_FAMILY(t->family),
- },
+ ip_sockaddr sa = {
.len = t->size,
};
switch (t->family) {
case 4:
memcpy(&sa.sa.sin.sin_addr, t->addr, sizeof(sa.sa.sin.sin_addr));
+ sa.sa.sin.sin_family = AF_INET;
sa.sa.sin.sin_port = htons(t->port);
+#ifdef NEED_SIN_LEN
+ sa.sa.sin.sin_len = sizeof(struct sockaddr_in);
+#endif
break;
case 6:
memcpy(&sa.sa.sin6.sin6_addr, t->addr, sizeof(sa.sa.sin6.sin6_addr));
+ sa.sa.sin6.sin6_family = AF_INET6;
sa.sa.sin6.sin6_port = htons(t->port);
+#ifdef NEED_SIN_LEN
+ sa.sa.sin6.sin6_len = sizeof(struct sockaddr_in6);
+#endif
break;
}
@@ -107,6 +114,8 @@ static void check_sockaddr_as_endpoint(void)
esa.len, sizeof(esa.sa));
} else if (!memeq(&esa.sa, &sa.sa, sizeof(esa.sa))) {
/* compare the entire buffer, not just size */
+ DBG_dump_thing("esa.sa", esa.sa);
+ DBG_dump_thing("sa.sa", sa.sa);
FAIL("endpoint_to_sockaddr() returned a different value");
}
} else {
diff --git a/testing/programs/ipcheck/ipcheck.c b/testing/programs/ipcheck/ipcheck.c
index ed13d1ed5c..8df45b5fd4 100644
--- a/testing/programs/ipcheck/ipcheck.c
+++ b/testing/programs/ipcheck/ipcheck.c
@@ -25,21 +25,37 @@
#include "lswtool.h"
unsigned fails;
-bool use_dns = true;
+enum have_dns have_dns = DNS_NO;
int main(int argc, char *argv[])
{
- struct logger *logger = tool_init_log(argv[0]);
+ leak_detective = true;
log_ip = false; /* force sensitive */
+ struct logger *logger = tool_init_log(argv[0]);
+
+ if (argc != 2) {
+ fprintf(stderr, "usage: %s --dns={no,hosts-file,yes}\n", argv[0]);
+ return 1;
+ }
+
+ /* only one option for now */
+ const char *dns = argv[1];
+ if (!eat(dns, "--dns")) {
+ fprintf(stderr, "%s: unknown option '%s'\n",
+ argv[0], argv[1]);
+ return 1;
+ }
- for (char **argp = argv+1; argp < argv+argc; argp++) {
- if (streq(*argp, "--nodns")) {
- use_dns = false;
- } else {
- fprintf(stderr, "%s: unknown option '%s'\n",
- argv[0], *argp);
- return 1;
- }
+ if (streq(dns, "=no")) {
+ have_dns = DNS_NO;
+ } else if (streq(dns, "=hosts-file") || streq(dns, "")) {
+ have_dns = HAVE_HOSTS_FILE;
+ } else if (streq(dns, "=yes")) {
+ have_dns = DNS_YES;
+ } else {
+ fprintf(stderr, "%s: unknown --dns param '%s'\n",
+ argv[0], dns);
+ return 1;
}
ip_address_check();
@@ -55,6 +71,10 @@ int main(int argc, char *argv[])
ip_port_range_check();
ip_cidr_check();
+ report_leaks(logger);
+
+
+
if (fails > 0) {
fprintf(stderr, "TOTAL FAILURES: %d\n", fails);
return 1;
diff --git a/testing/programs/ipcheck/ipcheck.h b/testing/programs/ipcheck/ipcheck.h
index 7e7c2a284b..5cfdbf05f7 100644
--- a/testing/programs/ipcheck/ipcheck.h
+++ b/testing/programs/ipcheck/ipcheck.h
@@ -44,7 +44,7 @@ extern void ip_cidr_check(void);
*/
extern unsigned fails;
-extern bool use_dns;
+extern enum have_dns { DNS_NO, HAVE_HOSTS_FILE, DNS_YES, } have_dns;
#define pri_family(FAMILY) ((FAMILY) == 0 ? "0" : \
(FAMILY) == 4 ? "IPv4" : \


@ -0,0 +1,80 @@
From 13720e0dedcab1eaf3334a73a42b68581acd9f3b Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Fri, 7 Jan 2022 18:36:47 -0500
Subject: [PATCH] ikev1-policy defaults to drop
IKEv2 has been available for 16 years (RFC 4306 was published December
2005). At some point, we should be discouraging IKEv1 adoption.
To the extent that a user needs IKEv1, they can manually add
ikev1-policy=accept to /etc/ipsec.conf.
---
configs/d.ipsec.conf/ikev1-policy.xml | 7 ++++---
include/ipsecconf/keywords.h | 2 +-
lib/libipsecconf/confread.c | 1 +
programs/pluto/server.c | 5 -----
4 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/configs/d.ipsec.conf/ikev1-policy.xml b/configs/d.ipsec.conf/ikev1-policy.xml
index 17d1747e3b..3bd6702564 100644
--- a/configs/d.ipsec.conf/ikev1-policy.xml
+++ b/configs/d.ipsec.conf/ikev1-policy.xml
@@ -3,9 +3,10 @@
<listitem>
<para>
What to do with received IKEv1 packets. Valid options are
-<emphasis remap='B'>accept</emphasis> (default), <emphasis remap='B'>reject</emphasis> which
-will reply with an error, and <emphasis remap='B'>drop</emphasis> which will silently drop
-any received IKEv1 packet. If this option is set to drop or reject, an attempt to load an
+<emphasis remap='B'>drop</emphasis> (default) which will silently drop
+any received IKEv1 packet, <emphasis remap='B'>accept</emphasis>, and
+<emphasis remap='B'>reject</emphasis> which will reply with an error.
+If this option is set to drop or reject, an attempt to load an
IKEv1 connection will fail, as these connections would never be able to receive a packet
for processing.
</para>
diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
index 660847733c..31b519242a 100644
--- a/include/ipsecconf/keywords.h
+++ b/include/ipsecconf/keywords.h
@@ -111,7 +111,7 @@ enum keyword_numeric_config_field {
KBF_LISTEN_TCP, /* listen on TCP port 4500 - default no */
KBF_LISTEN_UDP, /* listen on UDP port 500/4500 - default yes */
- KBF_GLOBAL_IKEv1, /* global ikev1 policy - default accept */
+ KBF_GLOBAL_IKEv1, /* global ikev1 policy - default drop */
KBF_ROOF
};
diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
index 5b5aba723f..68fbccf442 100644
--- a/lib/libipsecconf/confread.c
+++ b/lib/libipsecconf/confread.c
@@ -95,6 +95,7 @@ static void ipsecconf_default_values(struct starter_config *cfg)
/* Don't inflict BSI requirements on everyone */
SOPT(KBF_SEEDBITS, 0);
SOPT(KBF_DROP_OPPO_NULL, false);
+ SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);
#ifdef HAVE_LABELED_IPSEC
SOPT(KBF_SECCTX, SECCTX);
diff --git a/programs/pluto/server.c b/programs/pluto/server.c
index 665f0ed8b9..448dbca076 100644
--- a/programs/pluto/server.c
+++ b/programs/pluto/server.c
@@ -188,12 +188,7 @@ bool pluto_listen_tcp = false;
enum ddos_mode pluto_ddos_mode = DDOS_AUTO; /* default to auto-detect */
enum global_ikev1_policy pluto_ikev1_pol =
-#ifdef USE_IKEv1
- GLOBAL_IKEv1_ACCEPT;
-#else
- /* there is no IKEv1 code compiled in to send a REJECT */
GLOBAL_IKEv1_DROP;
-#endif
#ifdef HAVE_SECCOMP
enum seccomp_mode pluto_seccomp_mode = SECCOMP_DISABLED;
--
2.34.1
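Review bot: The ikev1-policy.xml hunk documents the new default but does not tell an upgrading administrator what it means for an existing configuration: with drop as the default, the existing sentence "an attempt to load an IKEv1 connection will fail" now applies out of the box. A sentence such as `Because the default is drop, configurations that still define IKEv1 connections must set ikev1-policy=accept explicitly.` placed right after the option list would make the man page self-contained; the commit message says this, the man page does not. In the server.c hunk, the removed comment recorded that a build without USE_IKEv1 has no code to send a REJECT; that constraint still applies to the reject option, so a short comment to that effect next to the now-unconditional GLOBAL_IKEv1_DROP initializer would preserve that information rather than drop it with the #ifdef.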


@ -0,0 +1,52 @@
From 0212bc6a7c0ac3aa5d8da82bf22132993d339ffc Mon Sep 17 00:00:00 2001
From: Paul Wouters <paul.wouters@aiven.io>
Date: Thu, 13 Jan 2022 15:31:50 -0500
Subject: [PATCH] building: fix fedora rawhide build
Avoid clashing openssl/nss headers
Patch based on work by Daiki Ueno <dueno@redhat.com>
Resolves: https://github.com/libreswan/libreswan/pull/611
---
programs/pluto/ikev2_ipseckey.h | 4 ++--
programs/pluto/ikev2_ipseckey_dnsr.c | 4 +++-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/programs/pluto/ikev2_ipseckey.h b/programs/pluto/ikev2_ipseckey.h
index 243e5b1776..5ef3f966ec 100644
--- a/programs/pluto/ikev2_ipseckey.h
+++ b/programs/pluto/ikev2_ipseckey.h
@@ -1,5 +1,3 @@
-#include "state.h"
-
#ifndef _IKEV2_IPSECKEY_H
#define _IKEV2_IPSECKEY_H
@@ -11,6 +9,8 @@
#define IS_LIBUNBOUND LSW_LIBUNBOUND_ENABLED
+struct ike_sa;
+
typedef enum {
DNS_OK = STF_OK,
DNS_FATAL = STF_FATAL,
diff --git a/programs/pluto/ikev2_ipseckey_dnsr.c b/programs/pluto/ikev2_ipseckey_dnsr.c
index b07ed72f2b..09767bf65d 100644
--- a/programs/pluto/ikev2_ipseckey_dnsr.c
+++ b/programs/pluto/ikev2_ipseckey_dnsr.c
@@ -32,7 +32,9 @@
#include "dnssec.h" /* includes unbound.h */
#include "ikev2_ipseckey.h" /* for dns_status */
#include "ikev2_ipseckey_dnsr.h"
-#include "secrets.h"
+
+/* Do not include secrets.h as it will cause conflicts via NSS/OPENSSL headers */
+extern const struct pubkey_type pubkey_type_rsa;
struct p_dns_req *pluto_dns_list = NULL; /* DNS queries linked list */
--
2.31.1
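Review bot: The `extern const struct pubkey_type pubkey_type_rsa;` added to ikev2_ipseckey_dnsr.c duplicates a declaration that the removed `#include "secrets.h"` previously supplied, and a copy in a .c file is never checked against the header's version by the compiler — if secrets.h later changes the object's type or qualifiers, the mismatch shows up only at link time or, for an incompatible type, not at all. The comment above it should at least name the source of truth, e.g. `/* mirrors the declaration in secrets.h (not included: it pulls in NSS/OpenSSL headers that clash); keep in sync */`, or better, the declaration could move to a small header with no NSS/OpenSSL includes that both files use. The `struct ike_sa;` forward declaration that replaces `#include "state.h"` in ikev2_ipseckey.h is the right direction; any translation unit that relied on ikev2_ipseckey.h to pull in state.h transitively will now need its own include, which is worth confirming in a full build.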


@ -30,8 +30,8 @@
Name: libreswan
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
# version is generated in the release script
Version: 4.4
Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}.1
Version: 4.6
Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}
License: GPLv2
Url: https://libreswan.org/
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
@ -40,11 +40,8 @@ Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif
Patch0: libreswan-4.2-openssl3.patch
Patch1: libreswan-4.4-ipcheck.patch
# Partially backported https://github.com/libreswan/libreswan/commit/4af9072e62237daad9fea9bb769f6dfbdf2e4ea1
Patch2: libreswan-4.4-getaddrinfo.patch
Patch3: libreswan-4.4-covscan.patch
Patch0: libreswan-4.6-openssl3.patch
Patch1: libreswan-4.6-ikev1-policy-defaults-to-drop.patch
BuildRequires: audit-libs-devel
BuildRequires: bison
@ -98,14 +95,10 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
%prep
%setup -q -n libreswan-%{version}%{?prever}
%patch0 -b .openssl3
%patch0 -p1 -b .openssl3
%patch1 -p1 -b .ikev1-drop
# enable crypto-policies support
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
# disable some testing tools that throw warnings on arm
%patch1 -p1
sed -i "s/SUBDIRS += ipcheck/#SUBDIRS += ipchec/" testing/programs/Makefile
%patch2 -p1 -b .getaddrinfo
%patch3 -p1 -b .covscan
%build
make %{?_smp_mflags} \
@ -205,6 +198,19 @@ certutil -N -d sql:$tmpdir --empty-password
%doc %{_mandir}/*/*
%changelog
* Wed Feb 2 2022 Daiki Ueno <dueno@redhat.com> - 4.6-3
- Drop IKEv1 packets by default, based on the Debian patch
by Daniel Kahn Gillmor (rhbz#2039877)
* Mon Jan 17 2022 Daiki Ueno <dueno@redhat.com> - 4.6-2
- Related: rhbz#2017355 rebuild to reflect gating.yaml change
* Mon Jan 17 2022 Daiki Ueno <dueno@redhat.com> - 4.6-1
- Update to 4.6. Resolves: rhbz#2017355
* Mon Jan 10 2022 Daiki Ueno <dueno@redhat.com> - 4.5-1
- Update to 4.5. Resolves: rhbz#2017355
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 4.4-3.1
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688