diff --git a/.gitignore b/.gitignore
index 62078de..fbde36f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
 SOURCES/ikev1_dsa.fax.bz2
 SOURCES/ikev1_psk.fax.bz2
 SOURCES/ikev2.fax.bz2
-SOURCES/libreswan-4.4.tar.gz
+SOURCES/libreswan-4.6.tar.gz
diff --git a/.libreswan.metadata b/.libreswan.metadata
index 201074d..88e1d8e 100644
--- a/.libreswan.metadata
+++ b/.libreswan.metadata
@@ -1,4 +1,4 @@
 b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2
 861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2
 fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2
-c75da86c032fe15979a13f4e779a9fe41386203a SOURCES/libreswan-4.4.tar.gz
+8df902f58f9341d45b4b529b73126bf654764934 SOURCES/libreswan-4.6.tar.gz
diff --git a/SOURCES/libreswan-4.2-openssl3.patch b/SOURCES/libreswan-4.2-openssl3.patch
deleted file mode 100644
index 3feb776..0000000
--- a/SOURCES/libreswan-4.2-openssl3.patch
+++ /dev/null
@@ -1,31 +0,0 @@ -diff -up ./programs/pluto/ikev2_ipseckey.c.openssl3 ./programs/pluto/ikev2_ipseckey.c ---- ./programs/pluto/ikev2_ipseckey.c.openssl3 2021-02-03 02:36:01.000000000 +0100 -+++ ./programs/pluto/ikev2_ipseckey.c 2021-06-24 17:55:04.863636517 +0200 -@@ -25,13 +25,25 @@ - #include - #include /* from ldns-devel */ - #include -+/* -+ * avoid name clash between OpenSSL headers (included through -+ * ) and NSS headers (included below through ) -+ */ -+#undef KU_DIGITAL_SIGNATURE -+#undef KU_NON_REPUDIATION -+#undef KU_KEY_ENCIPHERMENT -+#undef KU_DATA_ENCIPHERMENT -+#undef KU_KEY_AGREEMENT -+#undef KU_KEY_CERT_SIGN -+#undef KU_CRL_SIGN -+#undef KU_ENCIPHER_ONLY - #include - #include "unbound-event.h" - #include "defs.h" - #include "log.h" -+#include "state.h" - #include "constants.h" /* for demux.h */ - #include "demux.h" /* to get struct msg_digest */ --#include "state.h" - #include "connections.h" - #include "dnssec.h" /* includes unbound.h */ - #include "id.h" -diff -up ./programs/pluto/ikev2_rsa.c.openssl3 ./programs/pluto/ikev2_rsa.c diff --git a/SOURCES/libreswan-4.4-covscan.patch b/SOURCES/libreswan-4.4-covscan.patch deleted file mode 100644 index a47bafb..0000000 --- a/SOURCES/libreswan-4.4-covscan.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From 835f711502fa07825b27201cb772e911c59d54b0 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Wed, 21 Jul 2021 10:10:43 +0200 -Subject: [PATCH] ipsec barf: fix shell test expression - -Spotted by shellcheck: - - /usr/libexec/ipsec/barf:55:5: error[SC1073]: Couldn't parse this test expression. Fix to allow more checks. - # 53| for f - # 54| do - # 55|-> if [ -s ${LOGS}/${f} -a \ - # 56| -f ${LOGS}/${f} -a \ - # 57| grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null ] - -Signed-off-by: Daiki Ueno ---- - programs/barf/barf.in | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) - -diff --git a/programs/barf/barf.in b/programs/barf/barf.in -index e76c62f338..499916da4b 100755 ---- a/programs/barf/barf.in -+++ b/programs/barf/barf.in -@@ -53,8 +53,8 @@ findlog() { # findlog string fallbackstring possiblefile ... - for f - do - if [ -s ${LOGS}/${f} -a \ -- -f ${LOGS}/${f} -a \ -- grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null ] -+ -f ${LOGS}/${f} ] && \ -+ grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null - then - # aha, this one has it - findlog_file=${LOGS}/${f} -@@ -66,8 +66,8 @@ findlog() { # findlog string fallbackstring possiblefile ... - for f - do - if [ -s ${LOGS}/${f} -a \ -- -f ${LOGS}/${f} -a \ -- grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null ] -+ -f ${LOGS}/${f} ] && \ -+ grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null - then - # aha, this one has it - findlog_file=${LOGS}/${f} -@@ -80,8 +80,8 @@ findlog() { # findlog string fallbackstring possiblefile ... - for f in $(ls -t ${LOGS} | grep -E -v 'lastlog|tmp|^mail|\.(gz|Z)$') - do - if [ -f ${LOGS}/${f} -a \ -- ! -d ${LOGS}/${f} -a \ -- grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null ] -+ ! -d ${LOGS}/${f} ] && \ -+ grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null - then - # found it - findlog_file=${LOGS}/${f} -@@ -93,8 +93,8 @@ findlog() { # findlog string fallbackstring possiblefile ... 
- for f in $(ls -t ${LOGS} | grep -E -v 'lastlog|tmp|^mail|\.(gz|Z)$') - do - if [ -s ${LOGS}/${f} -a \ -- -f ${LOGS}/${f} -a \ -- grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null ] -+ -f ${LOGS}/${f} ] && \ -+ grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null - then - # found it - findlog_file=${LOGS}/${f} --- -2.31.1 - -From 00ee1189626db8dcce084cb481ad0c49b435f4ff Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Wed, 21 Jul 2021 10:54:58 +0200 -Subject: [PATCH] testing jambufcheck: add missing va_end calls in error path - -Signed-off-by: Daiki Ueno ---- - testing/programs/jambufcheck/jambufcheck.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/testing/programs/jambufcheck/jambufcheck.c b/testing/programs/jambufcheck/jambufcheck.c -index 72baaa5a1d..23a47b15f6 100644 ---- a/testing/programs/jambufcheck/jambufcheck.c -+++ b/testing/programs/jambufcheck/jambufcheck.c -@@ -104,11 +104,13 @@ static void check_jambuf(bool ok, const char *expect, ...) - } - break; - default: -+ va_end(ap); - FAIL("bad case"); - return; - } - } - if (ok && !jambuf_ok(&buf)) { -+ va_end(ap); - FAIL("unexpectedly failed writing '%s'", - str == NULL ? "(null)" : str); - return; --- -2.31.1 - diff --git a/SOURCES/libreswan-4.4-getaddrinfo.patch b/SOURCES/libreswan-4.4-getaddrinfo.patch deleted file mode 100644 index 4f19bd0..0000000 --- a/SOURCES/libreswan-4.4-getaddrinfo.patch +++ /dev/null 
@@ -1,168 +0,0 @@ -diff -up ./lib/libswan/ttoaddress.c.getaddrinfo ./lib/libswan/ttoaddress.c ---- ./lib/libswan/ttoaddress.c.getaddrinfo 2021-04-22 17:24:33.000000000 +0200 -+++ ./lib/libswan/ttoaddress.c 2021-07-22 13:16:19.073745043 +0200 -@@ -20,6 +20,7 @@ - #include /* for gethostbyname2() */ - - #include "ip_address.h" -+#include "ip_sockaddr.h" - #include "ip_info.h" - #include "lswalloc.h" /* for alloc_things(), pfree() */ - #include "lswlog.h" /* for pexpect() */ -@@ -75,56 +76,6 @@ static err_t ttoaddr_base(shunk_t src, - } - - /* -- * tryname - try it as a name -- * -- * Error return is intricate because we cannot compose a static string. -- */ --static err_t tryname(const char *p, -- int af, -- int suggested_af, /* kind(s) of numeric addressing tried */ -- ip_address *dst) --{ -- struct hostent *h = gethostbyname2(p, af); -- if (h != NULL) { -- if (h->h_addrtype != af) { -- return "address-type mismatch from gethostbyname2!!!"; -- } -- -- return data_to_address(h->h_addr, h->h_length, aftoinfo(af), dst); -- } -- -- if (af == AF_INET6) { -- if (suggested_af == AF_INET6) { -- return "not a numeric IPv6 address and name lookup failed (no validation performed)"; -- } else /* AF_UNSPEC */ { -- return "not a numeric IPv4 or IPv6 address and name lookup failed (no validation performed)"; -- } -- } -- -- pexpect(af == AF_INET); -- -- /* like, windows even has an /etc/networks? 
*/ -- struct netent *ne = getnetbyname(p); -- if (ne == NULL) { -- /* intricate because we cannot compose a static string */ -- if (suggested_af == AF_INET) { -- return "not a numeric IPv4 address and name lookup failed (no validation performed)"; -- } else { -- return "not a numeric IPv4 or IPv6 address and name lookup failed (no validation performed)"; -- } -- } -- -- if (ne->n_addrtype != af) { -- return "address-type mismatch from getnetbyname!!!"; -- } -- -- /* apparently .n_net is in host order */ -- struct in_addr in = { htonl(ne->n_net), }; -- *dst = address_from_in_addr(&in); -- return NULL; --} -- --/* - * tryhex - try conversion as an eight-digit hex number (AF_INET only) - */ - -@@ -401,57 +352,56 @@ err_t getpiece(const char **srcp, /* *sr - - err_t ttoaddress_dns(shunk_t src, const struct ip_info *afi, ip_address *dst) - { -+ char *name = clone_hunk_as_string(src, "ttoaddress_dns"); /* must free */ -+ struct addrinfo *res = NULL; -+ const struct addrinfo hints = (struct addrinfo) { -+ .ai_family = afi == NULL ? AF_UNSPEC : afi->af, -+ }; - *dst = unset_address; -- if (src.len == 0) { -- return "empty string"; -- } -- -- bool was_numeric = true; -- err_t err = ttoaddr_base(src, afi, &was_numeric, dst); -- if (was_numeric) { -- /* no-point in continuing */ -- return err; -- } - -- /* err == non-numeric */ -+ int eai = getaddrinfo(name, NULL, &hints, &res); -+ err_t err = NULL; - -- for (const char *cp = src.ptr, *end = cp + src.len; cp < end; cp++) { -+ if (eai != 0) { - /* -- * Legal ASCII characters in a domain name. -- * Underscore technically is not, but is a common -- * misunderstanding. Non-ASCII characters are simply -- * exempted from checking at the moment, to allow for -- * UTF-8 encoded stuff; the purpose of this check is -- * merely to catch blatant errors. -- * -- * XXX: Suspect the ISASCII() check can be dropped - -- * utf-8 isn't allowed in DNS names and without a -- * utf-8 parser the check is flawed. 
-+ * return system-supplied diagnostic -+ * except where it is particularly confusing. -+ * "Name or service not unknown." is terrible. - */ -- static const char namechars[] = -- "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-_."; --#define ISASCII(c) (((c) & 0x80) == 0) -- if (ISASCII(*cp) && strchr(namechars, *cp) == NULL) { -- return "illegal (non-DNS-name) character in name"; -+ err = eai == EAI_NONAME ? "NAME is unknown" : gai_strerror(eai); -+ } else if (res == NULL) { -+ err = "not a numeric IP address and name lookup failed (no validation performed)"; -+ } else { -+ /* always choose IPv4 result if there is one */ -+ struct addrinfo *winner = res; -+ -+ for (struct addrinfo *r = res; r!= NULL; r = r->ai_next) { -+ if (r->ai_family == AF_INET) { -+ winner = r; -+ break; -+ } -+ } -+ -+ ip_port mbz = { .hport = 0 }; -+ ip_sockaddr sa = { -+ .len = winner->ai_addrlen, -+ }; -+ passert(sizeof(sa.sa) >= winner->ai_addrlen); -+ memcpy(&sa.sa, winner->ai_addr, winner->ai_addrlen); -+ passert(sa.sa.sa.sa_family == winner->ai_family); -+ /* boneheaded getaddrinfo(3) leaves port field uninitialized */ -+ if (winner->ai_family == AF_INET) { -+ sa.sa.sin.sin_port = 0; -+ } else if (winner->ai_family == AF_INET6) { -+ sa.sa.sin6.sin6_port = 0; -+ } else { -+ bad_case(winner->ai_family); - } -+ err = sockaddr_to_address_port(sa, dst, &mbz); -+ passert(hport(mbz) == 0); - } - -- /* -- * need a guarenteed null terminated string -- */ -- char *name = clone_hunk_as_string(src, "ttoaddress_dns"); /* must free */ -- int suggested_af = afi == NULL ? 
AF_UNSPEC : afi->af; -- err_t v4err = NULL, v6err = NULL; -- if (err && (suggested_af == AF_UNSPEC || suggested_af == AF_INET)) { -- err = v4err = tryname(name, AF_INET, suggested_af, dst); -- } -- if (err && (suggested_af == AF_UNSPEC || suggested_af == AF_INET6)) { -- err = v6err = tryname(name, AF_INET6, suggested_af, dst); -- } -- /* prefer the IPv4 error */ -- if (err != NULL && v4err != NULL) { -- err = v4err; -- } -+ freeaddrinfo(res); - pfree(name); - return err; - } diff --git a/SOURCES/libreswan-4.4-ipcheck.patch b/SOURCES/libreswan-4.4-ipcheck.patch deleted file mode 100644 index fb4ac81..0000000 --- a/SOURCES/libreswan-4.4-ipcheck.patch +++ /dev/null 
@@ -1,494 +0,0 @@ -diff --git a/testing/programs/ipcheck/Makefile b/testing/programs/ipcheck/Makefile -index 4dae8336be..af77a9e9d8 100644 ---- a/testing/programs/ipcheck/Makefile -+++ b/testing/programs/ipcheck/Makefile -@@ -41,4 +41,4 @@ include ../../../mk/program.mk - endif - - local-check: $(PROGRAM) -- $(builddir)/$(PROGRAM) -+ $(builddir)/$(PROGRAM) --dns=yes -diff --git a/testing/programs/ipcheck/ip_address_check.c b/testing/programs/ipcheck/ip_address_check.c -index b80990302a..a84aadaf73 100644 ---- a/testing/programs/ipcheck/ip_address_check.c -+++ b/testing/programs/ipcheck/ip_address_check.c -@@ -24,79 +24,76 @@ - #include "ip_address.h" - #include "ipcheck.h" - --static void check_shunk_to_address(void) -+static void check_ttoaddress_num(void) - { - static const struct test { - int line; - int family; - const char *in; - const char *str; -- bool requires_dns; - } tests[] = { - - /* unset */ -- { LN, 0, "", NULL, false, }, -+ { LN, 0, "", NULL, }, - - /* any */ -- { LN, 4, "0.0.0.0", "0.0.0.0", false, }, -- { LN, 6, "::", "::", false, }, -- { LN, 6, "0:0:0:0:0:0:0:0", "::", false, }, -+ { LN, 4, "0.0.0.0", "0.0.0.0", }, -+ { LN, 6, "::", "::", }, -+ { LN, 6, "0:0:0:0:0:0:0:0", "::", }, - - /* local (zero's fill) */ -- { LN, 4, "127.1", "127.0.0.1", false, }, -- { LN, 4, "127.0.1", "127.0.0.1", false, }, -- { LN, 4, "127.0.0.1", "127.0.0.1", false, }, -- { LN, 6, "::1", "::1", false, }, -- { LN, 6, "0:0:0:0:0:0:0:1", "::1", false, }, -+ { LN, 4, "127.1", "127.0.0.1", }, -+ { LN, 4, "127.0.1", "127.0.0.1", }, -+ { LN, 4, "127.0.0.1", "127.0.0.1", }, -+ { LN, 6, "::1", "::1", }, -+ { LN, 6, "0:0:0:0:0:0:0:1", "::1", }, - - /* mask - and buffer overflow */ -- { LN, 4, "255.255.255.255", "255.255.255.255", false, }, -- { LN, 6, "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false, }, -+ { LN, 4, "255.255.255.255", "255.255.255.255", }, -+ { LN, 6, "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", 
"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", }, - - /* all bytes */ -- { LN, 4, "1.2.3.4", "1.2.3.4", false, }, -- { LN, 6, "1:2:3:4:5:6:7:8", "1:2:3:4:5:6:7:8", false, }, -+ { LN, 4, "1.2.3.4", "1.2.3.4", }, -+ { LN, 6, "1:2:3:4:5:6:7:8", "1:2:3:4:5:6:7:8", }, - - /* last digit is a big num - see wikepedia */ -- { LN, 4, "127.254", "127.0.0.254", false, }, -- { LN, 4, "127.65534", "127.0.255.254", false, }, -- { LN, 4, "127.16777214", "127.255.255.254", false, }, -+ { LN, 4, "127.254", "127.0.0.254", }, -+ { LN, 4, "127.65534", "127.0.255.254", }, -+ { LN, 4, "127.16777214", "127.255.255.254", }, - /* last digit overflow */ -- { LN, 4, "127.16777216", NULL, false, }, -- { LN, 4, "127.0.65536", NULL, false, }, -- { LN, 4, "127.0.0.256", NULL, false, }, -+ { LN, 4, "127.16777216", NULL, }, -+ { LN, 4, "127.0.65536", NULL, }, -+ { LN, 4, "127.0.0.256", NULL, }, - - /* suppress leading zeros - 01 vs 1 */ -- { LN, 6, "0001:0012:0003:0014:0005:0016:0007:0018", "1:12:3:14:5:16:7:18", false, }, -+ { LN, 6, "0001:0012:0003:0014:0005:0016:0007:0018", "1:12:3:14:5:16:7:18", }, - /* drop leading 0:0: */ -- { LN, 6, "0:0:3:4:5:6:7:8", "::3:4:5:6:7:8", false, }, -+ { LN, 6, "0:0:3:4:5:6:7:8", "::3:4:5:6:7:8", }, - /* drop middle 0:...:0 */ -- { LN, 6, "1:2:0:0:0:0:7:8", "1:2::7:8", false, }, -+ { LN, 6, "1:2:0:0:0:0:7:8", "1:2::7:8", }, - /* drop trailing :0..:0 */ -- { LN, 6, "1:2:3:4:5:0:0:0", "1:2:3:4:5::", false, }, -+ { LN, 6, "1:2:3:4:5:0:0:0", "1:2:3:4:5::", }, - /* drop first 0:..:0 */ -- { LN, 6, "1:2:0:0:5:6:0:0", "1:2::5:6:0:0", false, }, -+ { LN, 6, "1:2:0:0:5:6:0:0", "1:2::5:6:0:0", }, - /* drop logest 0:..:0 */ -- { LN, 6, "0:0:3:0:0:0:7:8", "0:0:3::7:8", false, }, -+ { LN, 6, "0:0:3:0:0:0:7:8", "0:0:3::7:8", }, - /* need two 0 */ -- { LN, 6, "0:2:0:4:0:6:0:8", "0:2:0:4:0:6:0:8", false, }, -- -- { LN, 4, "www.libreswan.org", "188.127.201.229", .requires_dns = true, }, -+ { LN, 6, "0:2:0:4:0:6:0:8", "0:2:0:4:0:6:0:8", }, - - /* hex/octal */ -- { LN, 4, 
"0x01.0x02.0x03.0x04", "1.2.3.4", false, }, -- { LN, 4, "0001.0002.0003.0004", "1.2.3.4", false, }, -- { LN, 4, "0x01020304", "1.2.3.4", false, }, -+ { LN, 4, "0x01.0x02.0x03.0x04", "1.2.3.4", }, -+ { LN, 4, "0001.0002.0003.0004", "1.2.3.4", }, -+ { LN, 4, "0x01020304", "1.2.3.4", }, - - /* trailing garbage */ -- { LN, 4, "1.2.3.4.", NULL, false, }, -- { LN, 4, "1.2.3.4a", NULL, false, }, -- { LN, 4, "1.2.3.0a", NULL, false, }, -+ { LN, 4, "1.2.3.4.", NULL, }, -+ { LN, 4, "1.2.3.4a", NULL, }, -+ { LN, 4, "1.2.3.0a", NULL, }, - - /* bad digits */ -- { LN, 4, "256.2.3.4", NULL, false, }, -- { LN, 4, "0008.2.3.4", NULL, false, }, -- { LN, 4, "0x0g.2.3.4", NULL, false, }, -+ { LN, 4, "256.2.3.4", NULL, }, -+ { LN, 4, "0008.2.3.4", NULL, }, -+ { LN, 4, "0x0g.2.3.4", NULL, }, - - }; - -@@ -104,66 +101,146 @@ static void check_shunk_to_address(void) - - for (size_t ti = 0; ti < elemsof(tests); ti++) { - const struct test *t = &tests[ti]; -- PRINT("%s '%s' -> str: '%s' dns: %s", pri_family(t->family), t->in, -- t->str == NULL ? 
"ERROR" : t->str, -- bool_str(t->requires_dns)); -- -- ip_address tmp, *address = &tmp; -- -- /* NUMERIC/NULL */ - -- FOR_EACH_THING(family, 0, t->family) { -+ /* -+ * For each address, perform lookups: -+ * -+ * - first with a generic family and then with the -+ * specified family -+ * -+ * - first with ttoaddress_num() and then -+ * ttoaddress_dns() (but only when it should work) -+ */ -+ -+ FOR_EACH_THING(family, 0, 4, 6) { - const struct ip_info *afi = IP_TYPE(family); -- err = ttoaddress_num(shunk1(t->in), afi, address); -- if (err != NULL) { -- if (t->str != NULL && !t->requires_dns) { -- FAIL("ttoaddress_num(%s, %s) unexpecedly failed: %s", -- t->in, pri_family(family), err); -+ bool err_expected = (t->str == NULL || (family != 0 && family != t->family)); -+ -+ struct lookup { -+ const char *name; -+ err_t (*ttoaddress)(shunk_t, const struct ip_info *, ip_address *); -+ bool need_dns; -+ } lookups[] = { -+ { -+ "ttoaddress_num", -+ ttoaddress_num, -+ false, -+ }, -+ { -+ "ttoaddress_dns", -+ ttoaddress_dns, -+ true, -+ }, -+ { -+ .name = NULL, -+ }, -+ }; -+ for (struct lookup *lookup = lookups; lookup->name != NULL; lookup++) { -+ -+ /* -+ * Without DNS a -+ * ttoaddress_dns() lookup of -+ * a bogus IP address will go -+ * into the weeds. -+ */ -+ bool skip = (lookup->need_dns && have_dns != DNS_YES); -+ -+ PRINT("%s('%s', %s) -> '%s'%s", -+ lookup->name, t->in, pri_family(family), -+ err_expected ? "ERROR" : t->str, -+ skip ? 
"; skipped as no DNS" : ""); -+ -+ if (skip) { -+ continue; -+ } -+ -+ ip_address tmp, *address = &tmp; -+ err = lookup->ttoaddress(shunk1(t->in), afi, address); -+ if (err_expected) { -+ if (err == NULL) { -+ FAIL("%s(%s, %s) unexpecedly succeeded", -+ lookup->name, t->in, pri_family(family)); -+ } -+ PRINT("%s(%s, %s) returned: %s", -+ lookup->name, t->in, pri_family(family), err); -+ } else if (err != NULL) { -+ FAIL("%s(%s, %s) unexpecedly failed: %s", -+ lookup->name, t->in, pri_family(family), err); - } else { -- PRINT("ttoaddress_num(%s, %s) returned: %s", -- t->in, pri_family(family), err); -+ CHECK_STR2(address); - } -- } else if (t->requires_dns) { -- FAIL("ttoaddress_num(%s, %s) unexpecedly parsed a DNS address", -- t->in, pri_family(family)); -- } else if (t->str == NULL) { -- FAIL("ttoaddress_num(%s, %s) unexpecedly succeeded", -- t->in, pri_family(family)); -- } else { -- CHECK_TYPE(address); - } - } -+ } -+} -+ -+static void check_ttoaddress_dns(void) -+{ -+ static const struct test { -+ int line; -+ int family; -+ const char *in; -+ const char *str; -+ bool need_dns; -+ } tests[] = { -+ -+ /* localhost is found in /etc/hosts on all platforms */ -+ { LN, 0, "localhost", "127.0.0.1", false, }, -+ { LN, 4, "localhost", "127.0.0.1", false, }, -+ { LN, 6, "localhost", "::1", false, }, -+ -+ { LN, 0, "www.libreswan.org", "188.127.201.229", true, }, -+ { LN, 4, "www.libreswan.org", "188.127.201.229", true, }, -+ { LN, 6, "www.libreswan.org", "2a00:1190:c00a:f00::229", true, }, - -- /* DNS/TYPE */ -+ { LN, 0, "nowhere.libreswan.org", NULL, true, }, -+ { LN, 4, "nowhere.libreswan.org", NULL, true, }, -+ { LN, 6, "nowhere.libreswan.org", NULL, true, }, - -- if (t->requires_dns && !use_dns) { -- PRINT("skipping dns_hunk_to_address(type) -- no DNS"); -+ }; -+ -+ err_t err; -+ -+ for (size_t ti = 0; ti < elemsof(tests); ti++) { -+ const struct test *t = &tests[ti]; -+ const struct ip_info *afi = IP_TYPE(t->family); -+ bool skip = (have_dns == DNS_NO || (have_dns 
!= DNS_YES && t->need_dns)); -+ -+ PRINT("%s '%s' -> str: '%s' lookup: %s%s", -+ pri_family(t->family), t->in, -+ t->str == NULL ? "ERROR" : t->str, -+ (t->need_dns ? "DNS" : "/etc/hosts"), -+ (skip ? "; skipped as no DNS" : "")); -+ -+ if (skip) { -+ continue; -+ } -+ -+ ip_address tmp, *address = &tmp; -+ err = ttoaddress_dns(shunk1(t->in), afi, address); -+ if (err != NULL) { -+ if (t->str != NULL) { -+ FAIL("ttoaddress_dns(%s, %s) unexpecedly failed: %s", -+ t->in, pri_family(t->family), err); -+ } -+ PRINT("ttoaddress_dns(%s, %s) failed as expected: %s", -+ t->in, pri_family(t->family), err); -+ } else if (t->str == NULL) { -+ address_buf b; -+ FAIL("ttoaddress_dns(%s, %s) unexpecedly succeeded with %s", -+ t->in, pri_family(t->family), -+ str_address(address, &b)); - } else { -- const struct ip_info *afi = IP_TYPE(t->family); -- err = ttoaddress_dns(shunk1(t->in), afi, address); -- if (err != NULL) { -- if (t->str != NULL) { -- FAIL("ttoaddress_dns(%s, %s) unexpecedly failed: %s", -- t->in, pri_family(t->family), err); -- } else { -- PRINT("ttoaddress_dns(%s, %s) returned: %s", -- t->in, pri_family(t->family), err); -- } -- } else if (t->str == NULL) { -- FAIL("ttoaddress_dns(%s, %s) unexpecedly succeeded", -- t->in, pri_family(t->family)); -- } else { -+ address_buf b; -+ PRINT("ttoaddress_dns(%s, %s) succeeded with %s", -+ t->in, pri_family(t->family), -+ str_address(address, &b)); -+ if (t->family != 0) { - CHECK_TYPE(address); - } -- } -- -- /* now convert it back cooked */ -- if (t->requires_dns && !use_dns) { -- PRINT("skipping str_*() -- no DNS"); -- } else if (t->str != NULL) { -+ /* and back */ - CHECK_STR2(address); - } -- - } - } - -@@ -473,7 +550,8 @@ static void check_addresses_to(void) - - void ip_address_check(void) - { -- check_shunk_to_address(); -+ check_ttoaddress_num(); -+ check_ttoaddress_dns(); - check_str_address_sensitive(); - check_str_address_reversed(); - check_address_is(); -diff --git a/testing/programs/ipcheck/ip_info_check.c 
b/testing/programs/ipcheck/ip_info_check.c -index a7553a6029..f1566f4607 100644 ---- a/testing/programs/ipcheck/ip_info_check.c -+++ b/testing/programs/ipcheck/ip_info_check.c -@@ -31,10 +31,12 @@ - /*hack*/const typeof(L##_tests[0]) *t = &L##_tests[tl]; \ - /*hack*/size_t ti = tl; \ - const ip_##L *l = L##_tests[tl].L; \ -- if (l == NULL) continue; \ -+ if (l == NULL) \ -+ continue; \ - for (size_t tr = 0; tr < elemsof(R##_tests); tr++) { \ - const ip_##R *r = R##_tests[tr].R; \ -- if (r == NULL) continue; \ -+ if (r == NULL) \ -+ continue; \ - bool expected = false; \ - for (size_t to = 0; to < elemsof(L##_op_##R); to++) { \ - const typeof(L##_op_##R[0]) *op = &L##_op_##R[to]; \ -diff --git a/testing/programs/ipcheck/ip_range_check.c b/testing/programs/ipcheck/ip_range_check.c -index 256cf76c70..9f9a27db58 100644 ---- a/testing/programs/ipcheck/ip_range_check.c -+++ b/testing/programs/ipcheck/ip_range_check.c -@@ -389,7 +389,7 @@ static void check_range_op_range(void) - FAIL("ttorange(%s) failed: %s", t->R, oops); \ - } \ - } else { \ -- l = unset_range; \ -+ R = unset_range; \ - } - TT(l); - TT(r); -diff --git a/testing/programs/ipcheck/ip_sockaddr_check.c b/testing/programs/ipcheck/ip_sockaddr_check.c -index 538154b6e6..d9affb54f9 100644 ---- a/testing/programs/ipcheck/ip_sockaddr_check.c -+++ b/testing/programs/ipcheck/ip_sockaddr_check.c -@@ -20,6 +20,8 @@ - #include "ip_info.h" - #include "ip_protocol.h" - -+#include "lswlog.h" /* for DBG_dump_thing() */ -+ - #include "ipcheck.h" - - static void check_sockaddr_as_endpoint(void) -@@ -52,20 +54,25 @@ static void check_sockaddr_as_endpoint(void) - PRINT("%s '%s' -> '%s' len=%zd", pri_family(t->family), t->in, expect_out, t->size); - - /* construct a raw sockaddr */ -- ip_sockaddr sa = { -- .sa.sa = { -- .sa_family = SA_FAMILY(t->family), -- }, -+ ip_sockaddr sa = { - .len = t->size, - }; - switch (t->family) { - case 4: - memcpy(&sa.sa.sin.sin_addr, t->addr, sizeof(sa.sa.sin.sin_addr)); -+ sa.sa.sin.sin_family 
= AF_INET; - sa.sa.sin.sin_port = htons(t->port); -+#ifdef NEED_SIN_LEN -+ sa.sa.sin.sin_len = sizeof(struct sockaddr_in); -+#endif - break; - case 6: - memcpy(&sa.sa.sin6.sin6_addr, t->addr, sizeof(sa.sa.sin6.sin6_addr)); -+ sa.sa.sin6.sin6_family = AF_INET6; - sa.sa.sin6.sin6_port = htons(t->port); -+#ifdef NEED_SIN_LEN -+ sa.sa.sin6.sin6_len = sizeof(struct sockaddr_in6); -+#endif - break; - } - -@@ -107,6 +114,8 @@ static void check_sockaddr_as_endpoint(void) - esa.len, sizeof(esa.sa)); - } else if (!memeq(&esa.sa, &sa.sa, sizeof(esa.sa))) { - /* compare the entire buffer, not just size */ -+ DBG_dump_thing("esa.sa", esa.sa); -+ DBG_dump_thing("sa.sa", sa.sa); - FAIL("endpoint_to_sockaddr() returned a different value"); - } - } else { -diff --git a/testing/programs/ipcheck/ipcheck.c b/testing/programs/ipcheck/ipcheck.c -index ed13d1ed5c..8df45b5fd4 100644 ---- a/testing/programs/ipcheck/ipcheck.c -+++ b/testing/programs/ipcheck/ipcheck.c -@@ -25,21 +25,37 @@ - #include "lswtool.h" - - unsigned fails; --bool use_dns = true; -+enum have_dns have_dns = DNS_NO; - - int main(int argc, char *argv[]) - { -- struct logger *logger = tool_init_log(argv[0]); -+ leak_detective = true; - log_ip = false; /* force sensitive */ -+ struct logger *logger = tool_init_log(argv[0]); -+ -+ if (argc != 2) { -+ fprintf(stderr, "usage: %s --dns={no,hosts-file,yes}\n", argv[0]); -+ return 1; -+ } -+ -+ /* only one option for now */ -+ const char *dns = argv[1]; -+ if (!eat(dns, "--dns")) { -+ fprintf(stderr, "%s: unknown option '%s'\n", -+ argv[0], argv[1]); -+ return 1; -+ } - -- for (char **argp = argv+1; argp < argv+argc; argp++) { -- if (streq(*argp, "--nodns")) { -- use_dns = false; -- } else { -- fprintf(stderr, "%s: unknown option '%s'\n", -- argv[0], *argp); -- return 1; -- } -+ if (streq(dns, "=no")) { -+ have_dns = DNS_NO; -+ } else if (streq(dns, "=hosts-file") || streq(dns, "")) { -+ have_dns = HAVE_HOSTS_FILE; -+ } else if (streq(dns, "=yes")) { -+ have_dns = DNS_YES; -+ } 
else { -+ fprintf(stderr, "%s: unknown --dns param '%s'\n", -+ argv[0], dns); -+ return 1; - } - - ip_address_check(); -@@ -55,6 +71,10 @@ int main(int argc, char *argv[]) - ip_port_range_check(); - ip_cidr_check(); - -+ report_leaks(logger); -+ -+ -+ - if (fails > 0) { - fprintf(stderr, "TOTAL FAILURES: %d\n", fails); - return 1; -diff --git a/testing/programs/ipcheck/ipcheck.h b/testing/programs/ipcheck/ipcheck.h -index 7e7c2a284b..5cfdbf05f7 100644 ---- a/testing/programs/ipcheck/ipcheck.h -+++ b/testing/programs/ipcheck/ipcheck.h -@@ -44,7 +44,7 @@ extern void ip_cidr_check(void); - */ - - extern unsigned fails; --extern bool use_dns; -+extern enum have_dns { DNS_NO, HAVE_HOSTS_FILE, DNS_YES, } have_dns; - - #define pri_family(FAMILY) ((FAMILY) == 0 ? "0" : \ - (FAMILY) == 4 ? "IPv4" : \ diff --git a/SOURCES/libreswan-4.6-ikev1-policy-defaults-to-drop.patch b/SOURCES/libreswan-4.6-ikev1-policy-defaults-to-drop.patch new file mode 100644 index 0000000..ebcb2e0 --- /dev/null +++ b/SOURCES/libreswan-4.6-ikev1-policy-defaults-to-drop.patch 
@@ -0,0 +1,80 @@ +From 13720e0dedcab1eaf3334a73a42b68581acd9f3b Mon Sep 17 00:00:00 2001 +From: Daniel Kahn Gillmor +Date: Fri, 7 Jan 2022 18:36:47 -0500 +Subject: [PATCH] ikev1-policy defaults to drop + +IKEv2 has been available for 16 years (RFC 4306 was published December +2005). At some point, we should be discouraging IKEv1 adoption. + +To the extent that a user needs IKEv1, they can manually add +ikev1-policy=accept to /etc/ipsec.conf. +--- + configs/d.ipsec.conf/ikev1-policy.xml | 7 ++++--- + include/ipsecconf/keywords.h | 2 +- + lib/libipsecconf/confread.c | 1 + + programs/pluto/server.c | 5 ----- + 4 files changed, 6 insertions(+), 9 deletions(-) + +diff --git a/configs/d.ipsec.conf/ikev1-policy.xml b/configs/d.ipsec.conf/ikev1-policy.xml +index 17d1747e3b..3bd6702564 100644 +--- a/configs/d.ipsec.conf/ikev1-policy.xml ++++ b/configs/d.ipsec.conf/ikev1-policy.xml +@@ -3,9 +3,10 @@ + + + What to do with received IKEv1 packets. Valid options are +-accept (default), reject which +-will reply with an error, and drop which will silently drop +-any received IKEv1 packet. If this option is set to drop or reject, an attempt to load an ++drop (default) which will silently drop ++any received IKEv1 packet, accept, and ++reject which will reply with an error. ++If this option is set to drop or reject, an attempt to load an + IKEv1 connection will fail, as these connections would never be able to receive a packet + for processing. 
+ +diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h +index 660847733c..31b519242a 100644 +--- a/include/ipsecconf/keywords.h ++++ b/include/ipsecconf/keywords.h +@@ -111,7 +111,7 @@ enum keyword_numeric_config_field { + + KBF_LISTEN_TCP, /* listen on TCP port 4500 - default no */ + KBF_LISTEN_UDP, /* listen on UDP port 500/4500 - default yes */ +- KBF_GLOBAL_IKEv1, /* global ikev1 policy - default accept */ ++ KBF_GLOBAL_IKEv1, /* global ikev1 policy - default drop */ + KBF_ROOF + }; + +diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c +index 5b5aba723f..68fbccf442 100644 +--- a/lib/libipsecconf/confread.c ++++ b/lib/libipsecconf/confread.c +@@ -95,6 +95,7 @@ static void ipsecconf_default_values(struct starter_config *cfg) + /* Don't inflict BSI requirements on everyone */ + SOPT(KBF_SEEDBITS, 0); + SOPT(KBF_DROP_OPPO_NULL, false); ++ SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP); + + #ifdef HAVE_LABELED_IPSEC + SOPT(KBF_SECCTX, SECCTX); +diff --git a/programs/pluto/server.c b/programs/pluto/server.c +index 665f0ed8b9..448dbca076 100644 +--- a/programs/pluto/server.c ++++ b/programs/pluto/server.c +@@ -188,12 +188,7 @@ bool pluto_listen_tcp = false; + enum ddos_mode pluto_ddos_mode = DDOS_AUTO; /* default to auto-detect */ + + enum global_ikev1_policy pluto_ikev1_pol = +-#ifdef USE_IKEv1 +- GLOBAL_IKEv1_ACCEPT; +-#else +- /* there is no IKEv1 code compiled in to send a REJECT */ + GLOBAL_IKEv1_DROP; +-#endif + + #ifdef HAVE_SECCOMP + enum seccomp_mode pluto_seccomp_mode = SECCOMP_DISABLED; +-- +2.34.1 + diff --git a/SOURCES/libreswan-4.6-openssl3.patch b/SOURCES/libreswan-4.6-openssl3.patch new file mode 100644 index 0000000..a5e0f9d --- /dev/null +++ b/SOURCES/libreswan-4.6-openssl3.patch 
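Review bot: The new default set in confread.c (`SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);`) and in server.c is an upgrade-breaking change that the patch's own documentation only states indirectly: the ikev1-policy.xml text says that with `drop` an attempt to load an IKEv1 connection fails, so a host upgraded without touching ipsec.conf loses every IKEv1 tunnel at the next restart. The xml paragraph should say so explicitly, e.g. append `Earlier releases defaulted to accept; existing configurations that still carry IKEv1 connections must set ikev1-policy=accept to keep loading them.` The server.c hunk also removes the `#ifdef USE_IKEv1` split whose deleted comment noted there is no IKEv1 code compiled in to send a REJECT, so `reject` is now selectable in such a build; whether the config parser refuses it there is not visible in this patch and is worth confirming, with a comment at the definition such as `/* default DROP; REJECT only sends an error when built with USE_IKEv1 */`.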
@@ -0,0 +1,52 @@ +From 0212bc6a7c0ac3aa5d8da82bf22132993d339ffc Mon Sep 17 00:00:00 2001 +From: Paul Wouters +Date: Thu, 13 Jan 2022 15:31:50 -0500 +Subject: [PATCH] building: fix fedora rawhide build + +Avoid clashing openssl/nss headers + +Patch based on work by Daiki Ueno + +Resolves: https://github.com/libreswan/libreswan/pull/611 +--- + programs/pluto/ikev2_ipseckey.h | 4 ++-- + programs/pluto/ikev2_ipseckey_dnsr.c | 4 +++- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/programs/pluto/ikev2_ipseckey.h b/programs/pluto/ikev2_ipseckey.h +index 243e5b1776..5ef3f966ec 100644 +--- a/programs/pluto/ikev2_ipseckey.h ++++ b/programs/pluto/ikev2_ipseckey.h +@@ -1,5 +1,3 @@ +-#include "state.h" +- + #ifndef _IKEV2_IPSECKEY_H + #define _IKEV2_IPSECKEY_H + +@@ -11,6 +9,8 @@ + + #define IS_LIBUNBOUND LSW_LIBUNBOUND_ENABLED + ++struct ike_sa; ++ + typedef enum { + DNS_OK = STF_OK, + DNS_FATAL = STF_FATAL, +diff --git a/programs/pluto/ikev2_ipseckey_dnsr.c b/programs/pluto/ikev2_ipseckey_dnsr.c +index b07ed72f2b..09767bf65d 100644 +--- a/programs/pluto/ikev2_ipseckey_dnsr.c ++++ b/programs/pluto/ikev2_ipseckey_dnsr.c +@@ -32,7 +32,9 @@ + #include "dnssec.h" /* includes unbound.h */ + #include "ikev2_ipseckey.h" /* for dns_status */ + #include "ikev2_ipseckey_dnsr.h" +-#include "secrets.h" ++ ++/* Do not include secrets.h as it will cause conflicts via NSS/OPENSSL headers */ ++extern const struct pubkey_type pubkey_type_rsa; + + struct p_dns_req *pluto_dns_list = NULL; /* DNS queries linked list */ + +-- +2.31.1 + diff --git a/SPECS/libreswan.spec b/SPECS/libreswan.spec index cb0c018..7c641e6 100644 --- a/SPECS/libreswan.spec +++ b/SPECS/libreswan.spec 
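Review bot: The hand-written `extern const struct pubkey_type pubkey_type_rsa;` in ikev2_ipseckey_dnsr.c presumably restates a declaration that lives in secrets.h, so this translation unit loses the compile-time check that the type and qualifiers agree with the real definition; a later change to the declaration in secrets.h would surface here only as a link error or not at all. A safer fix is to move that declaration into a small header that does not drag in the NSS/OpenSSL headers and include it from both places, or at minimum annotate the extern with `/* must match the declaration in secrets.h */` so the duplication is visible to whoever edits either side. The `struct ike_sa;` forward declaration added to ikev2_ipseckey.h in place of including state.h is the right approach for the header.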
@@ -30,8 +30,8 @@ Name: libreswan Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec # version is generated in the release script -Version: 4.4 -Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}.1 +Version: 4.6 +Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist} License: GPLv2 Url: https://libreswan.org/ Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz @@ -40,11 +40,8 @@ Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2 Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2 %endif -Patch0: libreswan-4.2-openssl3.patch -Patch1: libreswan-4.4-ipcheck.patch -# Partially backported https://github.com/libreswan/libreswan/commit/4af9072e62237daad9fea9bb769f6dfbdf2e4ea1 -Patch2: libreswan-4.4-getaddrinfo.patch -Patch3: libreswan-4.4-covscan.patch +Patch0: libreswan-4.6-openssl3.patch +Patch1: libreswan-4.6-ikev1-policy-defaults-to-drop.patch BuildRequires: audit-libs-devel BuildRequires: bison @@ -98,14 +95,10 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %prep %setup -q -n libreswan-%{version}%{?prever} -%patch0 -b .openssl3 +%patch0 -p1 -b .openssl3 +%patch1 -p1 -b .ikev1-drop # enable crypto-policies support sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in -# disable some testing tools that throw warnings on arm -%patch1 -p1 -sed -i "s/SUBDIRS += ipcheck/#SUBDIRS += ipchec/" testing/programs/Makefile -%patch2 -p1 -b .getaddrinfo -%patch3 -p1 -b .covscan %build make %{?_smp_mflags} \ 
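Review bot: The %prep hunk drops the `sed -i "s/SUBDIRS += ipcheck/#SUBDIRS += ipchec/"` line together with the ipcheck patch, which re-enables the ipcheck test program on every architecture, while the removed comment recorded that it throws warnings on arm; nothing in this spec change shows that 4.6 resolved that, so the arm build should be checked before the sed is considered dead. If the rebuild is clean, a short comment next to `%patch1 -p1 -b .ikev1-drop` noting the behaviour change, e.g. `# NOTE: changes the ikev1-policy default to drop; existing IKEv1 connections need ikev1-policy=accept`, would help packagers who read the spec rather than the changelog.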
@@ -205,6 +198,19 @@ certutil -N -d sql:$tmpdir --empty-password %doc %{_mandir}/*/* %changelog +* Wed Feb 2 2022 Daiki Ueno - 4.6-3 +- Drop IKEv1 packets by default, based on the Debian patch + by Daniel Kahn Gillmor (rhbz#2039877) + +* Mon Jan 17 2022 Daiki Ueno - 4.6-2 +- Related: rhbz#2017355 rebuild to reflect gating.yaml change + +* Mon Jan 17 2022 Daiki Ueno - 4.6-1 +- Update to 4.6. Resolves: rhbz#2017355 + +* Mon Jan 10 2022 Daiki Ueno - 4.5-1 +- Update to 4.5. Resolves: rhbz#2017355 + * Mon Aug 09 2021 Mohan Boddu - 4.4-3.1 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688