From 5389f58fcc57ed3bb760443f4cdd5befd47903fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0abata?=
Date: Thu, 15 Oct 2020 17:26:36 +0200
Subject: [PATCH] RHEL 9.0.0 Alpha bootstrap

The content of this branch was automatically imported from Fedora ELN with the following as its source: https://src.fedoraproject.org/rpms/libreswan#edf019da096d996a265210d164af9c89a6b637c9
---
 .gitignore | 36 ++
 libreswan-3.23-crypto-policies.patch | 66 ++++
 libreswan-3.23-fixups.patch | 507 +++++++++++++++++++++++++++
 libreswan-3.23-gcc8.patch | 82 +++++
 libreswan-3.23-ppk-update.patch | 116 ++++++
 libreswan-3.23-seccomp.patch | 24 ++
 libreswan-3.25-relax-delete.patch | 62 ++++
 libreswan-3.25-unbound-hook.patch | 35 ++
 libreswan-3.26-asn1-zu.patch | 21 ++
 libreswan-3.29-updown-syntax.patch | 13 +
 libreswan-3.30-s390x.patch | 21 ++
 libreswan-3.32-nss-api.patch | 16 +
 libreswan-3.32-uninitialized.patch | 13 +
 libreswan.spec | 435 +++++++++++++++++++++++
 sources | 4 +
 tests/tests.yml | 14 +
 16 files changed, 1465 insertions(+)
 create mode 100644 libreswan-3.23-crypto-policies.patch
 create mode 100644 libreswan-3.23-fixups.patch
 create mode 100644 libreswan-3.23-gcc8.patch
 create mode 100644 libreswan-3.23-ppk-update.patch
 create mode 100644 libreswan-3.23-seccomp.patch
 create mode 100644 libreswan-3.25-relax-delete.patch
 create mode 100644 libreswan-3.25-unbound-hook.patch
 create mode 100644 libreswan-3.26-asn1-zu.patch
 create mode 100644 libreswan-3.29-updown-syntax.patch
 create mode 100644 libreswan-3.30-s390x.patch
 create mode 100644 libreswan-3.32-nss-api.patch
 create mode 100644 libreswan-3.32-uninitialized.patch
 create mode 100644 libreswan.spec
 create mode 100644 sources
 create mode 100644 tests/tests.yml

diff --git a/.gitignore b/.gitignore
index e69de29..ee35485 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,36 @@
+/libreswan-3.2.tar.gz
+/libreswan-3.3.tar.gz
+/libreswan-3.4.tar.gz
+/libreswan-3.5.tar.gz
+/libreswan-3.6.tar.gz
+/libreswan-3.7.tar.gz
+/libreswan-3.8.tar.gz
+/libreswan-3.9.tar.gz
+/libreswan-3.10.tar.gz
+/libreswan-3.11.tar.gz
+/libreswan-3.12.tar.gz
+/libreswan-3.13.tar.gz
+/libreswan-3.14.tar.gz
+/ikev1_dsa.fax.bz2
+/ikev1_psk.fax.bz2
+/ikev2.fax.bz2
+/libreswan-3.15.tar.gz
+/libreswan-3.16.tar.gz
+/libreswan-3.17.tar.gz
+/libreswan-3.18.tar.gz
+/libreswan-3.19.tar.gz
+/libreswan-3.20dr4.tar.gz
+/libreswan-3.20.tar.gz
+/libreswan-3.21.tar.gz
+/libreswan-3.22.tar.gz
+/libreswan-3.23.tar.gz
+/libreswan-3.24.tar.gz
+/libreswan-3.25.tar.gz
+/libreswan-3.26.tar.gz
+/libreswan-3.27.tar.gz
+/libreswan-3.28.tar.gz
+/libreswan-3.29.tar.gz
+/libreswan-3.30.tar.gz
+/libreswan-3.31.tar.gz
+/libreswan-3.32.tar.gz
+/libreswan-4.0rc1.tar.gz
diff --git a/libreswan-3.23-crypto-policies.patch b/libreswan-3.23-crypto-policies.patch
new file mode 100644
index 0000000..1aca3db
--- /dev/null
+++ b/libreswan-3.23-crypto-policies.patch
@@ -0,0 +1,66 @@ +diff --git a/lib/libipsecconf/parser.l b/lib/libipsecconf/parser.l +index c41dd8048..cc2faf5c9 100644 +--- a/lib/libipsecconf/parser.l ++++ b/lib/libipsecconf/parser.l +@@ -160,7 +160,9 @@ static int parser_y_nextglobfile(struct ic_inputsource *iis) + char ebuf[128]; + + snprintf(ebuf, sizeof(ebuf), +- "cannot open include filename: '%s': %s", ++ (strstr(iis->filename, "crypto-policies/back-ends/libreswan.config") == NULL) ? ++ "cannot open include filename: '%s': %s" : ++ "ignored loading default system-wide crypto-policies file '%s': %s", + iis->fileglob.gl_pathv[fcnt], + strerror(errno)); + yyerror(ebuf); +diff --git a/programs/configs/ipsec.conf.in b/programs/configs/ipsec.conf.in +index 7374efc3c..974699f01 100644 +--- a/programs/configs/ipsec.conf.in ++++ b/programs/configs/ipsec.conf.in +@@ -1,27 +1,18 @@ + # @FINALCONFDIR@/ipsec.conf - Libreswan IPsec configuration file + # +-# Manual: ipsec.conf.5 ++# see 'man ipsec.conf' and 'man pluto' for more information ++# ++# For example configurations and documentation, see https://libreswan.org/wiki/ + + config setup +- # Normally, pluto logs via syslog. If you want to log to a file, +- # specify below or to disable logging, eg for embedded systems, use +- # the file name /dev/null +- # Note: SElinux policies might prevent pluto writing to a log file at +- # an unusual location. ++ # Normally, pluto logs via syslog. + #logfile=/var/log/pluto.log + # + # Do not enable debug options to debug configuration issues! + # +- # plutodebug "all", "none" or a combation from below: +- # "raw crypt parsing emitting control controlmore kernel pfkey +- # natt x509 dpd dns oppo oppoinfo private". +- # Note: "private" is not included with "all", as it can show confidential +- # information. 
It must be specifically specified +- # examples: + # plutodebug="control parsing" + # plutodebug="all crypt" +- # Again: only enable plutodebug when asked by a developer +- #plutodebug=none ++ plutodebug=none + # + # NAT-TRAVERSAL support + # exclude networks used on server side by adding %v4:!a.b.c.0/24 +@@ -30,10 +21,8 @@ config setup + # This range has never been announced via BGP (at least up to 2015) + virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 + +-# For example connections, see your distribution's documentation directory, +-# or https://libreswan.org/wiki/ +-# +-# There is also a lot of information in the manual page, "man ipsec.conf" +-# ++# if it exists, include system wide crypto-policy defaults ++include /etc/crypto-policies/back-ends/libreswan.config ++ + # It is best to add your IPsec connections as separate files in @IPSEC_CONFDDIR@/ + include @IPSEC_CONFDDIR@/*.conf diff --git a/libreswan-3.23-fixups.patch b/libreswan-3.23-fixups.patch new file mode 100644 index 0000000..f674916 --- /dev/null +++ b/libreswan-3.23-fixups.patch 
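Review bot: The parser.l change only swaps the message text; the downgraded "ignored loading default system-wide crypto-policies file" string is still handed to `yyerror(ebuf)` on exactly the same path as the generic cannot-open case, so whether a missing `/etc/crypto-policies/back-ends/libreswan.config` is really tolerated depends on what yyerror's callers do with it, which is outside this hunk. If that include is meant to be optional, the distinction belongs in control flow (a separate non-fatal branch) rather than in the wording. The `strstr()` test also fires for any include whose path merely contains that substring, so a user file with that text in its name gets the "ignored" message; comparing the full path, `streq(iis->filename, "/etc/crypto-policies/back-ends/libreswan.config")`, keeps the special case to the file the ipsec.conf.in side actually adds.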
@@ -0,0 +1,507 @@ +diff -Naur libreswan-3.23-orig/programs/pluto/connections.c libreswan-3.23/programs/pluto/connections.c +--- libreswan-3.23-orig/programs/pluto/connections.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/connections.c 2018-02-05 14:38:49.372280712 -0500 +@@ -3158,10 +3158,8 @@ + matching_peer_id && matching_peer_ca && matching_requested_ca, + matching_peer_id, matching_peer_ca, matching_requested_ca);}); + +- /* Ignore template from which we instantiated - this should never happen */ + if (c->kind == CK_INSTANCE && d->kind == CK_TEMPLATE && streq(c->name, d->name)) { +- libreswan_log("Warning: not switching back to template of current instance (FIXME)"); +- continue; ++ DBG(DBG_CONTROLMORE, DBG_log("template conn fits better than instance of it - different client on same IP/port requires new instance")); + } + + /* 'You Tarzan, me Jane' check based on received IDr */ +diff -Naur libreswan-3.23-orig/programs/pluto/hostpair.c libreswan-3.23/programs/pluto/hostpair.c +--- libreswan-3.23-orig/programs/pluto/hostpair.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/hostpair.c 2018-02-05 14:38:57.865635032 -0500 +@@ -144,17 +144,6 @@ + hisport = pluto_port; + + for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next) { +- if (p->connections != NULL && (p->connections->kind == CK_INSTANCE) && +- (p->connections->spd.that.id.kind == ID_NULL)) +- { +- DBG(DBG_CONTROLMORE, { +- char ci[CONN_INST_BUF]; +- DBG_log("find_host_pair: ignore CK_INSTANCE with ID_NULL hp:\"%s\"%s", +- p->connections->name, +- fmt_conn_instance(p->connections, ci)); +- }); +- continue; +- } + + DBG(DBG_CONTROLMORE, { + ipstr_buf b1; +diff -Naur libreswan-3.23-orig/programs/pluto/ikev2.h libreswan-3.23/programs/pluto/ikev2.h +--- libreswan-3.23-orig/programs/pluto/ikev2.h 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/ikev2.h 2018-02-05 14:39:11.171190105 -0500 +@@ -162,7 +162,9 @@ + extern bool 
ikev2_calculate_rsa_sha1(struct state *st, + enum original_role role, + unsigned char *idhash, +- pb_stream *a_pbs); ++ pb_stream *a_pbs, ++ bool calc_no_ppk_auth, ++ chunk_t *no_ppk_auth); + + extern bool ikev2_create_psk_auth(enum keyword_authby authby, + struct state *st, +diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_parent.c libreswan-3.23/programs/pluto/ikev2_parent.c +--- libreswan-3.23-orig/programs/pluto/ikev2_parent.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/ikev2_parent.c 2018-02-05 14:39:11.173190188 -0500 +@@ -2783,7 +2783,9 @@ + + switch (a.isaa_type) { + case IKEv2_AUTH_RSA: +- if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs)) { ++ if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs, ++ FALSE, /* store-only not set */ ++ NULL /* store-only chunk unused */)) { + loglog(RC_LOG_SERIOUS, "Failed to find our RSA key"); + return STF_FATAL; + } +@@ -2792,7 +2794,7 @@ + case IKEv2_AUTH_PSK: + case IKEv2_AUTH_NULL: + if (!ikev2_create_psk_auth(authby, pst, idhash_out, &a_pbs, +- FALSE /* store-only not set */, ++ FALSE, /* store-only not set */ + NULL /* store-only chunk unused */)) { + loglog(RC_LOG_SERIOUS, "Failed to find our PreShared Key"); + return STF_FATAL; +@@ -2812,7 +2814,9 @@ + return STF_INTERNAL_ERROR; + } + +- if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs)) { ++ if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs, ++ FALSE, /* store-only not set */ ++ NULL /* store-only chunk unused */)) { + loglog(RC_LOG_SERIOUS, "DigSig: failed to find our RSA key"); + return STF_FATAL; + } +@@ -3224,7 +3228,7 @@ + hmac_update(&id_ctx, id_start, id_len); + hmac_final(idhash, &id_ctx); + +- if (pst->st_sk_pi_no_ppk != NULL) { ++ if (pst->st_seen_ppk && !LIN(POLICY_PPK_INSIST, pc->policy)) { + struct hmac_ctx id_ctx_npa; + + hmac_init(&id_ctx_npa, pst->st_oakley.ta_prf, pst->st_sk_pi_no_ppk); +@@ -3371,7 +3375,7 @@ + notifies++; + + if (pst->st_seen_ppk) +- notifies++; /* used for two 
payloads */ ++ notifies++; /* used for one or two payloads */ + + /* code does not support AH + ESP, not recommend rfc8221 section-4 */ + struct ipsec_proto_info *proto_info +@@ -3437,21 +3441,24 @@ + } + if (pst->st_seen_ppk) { + chunk_t notify_data = create_unified_ppk_id(&ppk_id_p); ++ int np = LIN(POLICY_PPK_INSIST, cc->policy) ? ISAKMP_NEXT_v2NONE : ISAKMP_NEXT_v2N; + +- notifies--; /* used for 2 payloads */ +- if (!ship_v2N(ISAKMP_NEXT_v2N, ISAKMP_PAYLOAD_NONCRITICAL, +- PROTO_v2_RESERVED, &empty_chunk, +- v2N_PPK_IDENTITY, ¬ify_data, +- &e_pbs_cipher)) +- return STF_INTERNAL_ERROR; ++ notifies--; /* used for one or two payloads */ ++ if (!ship_v2N(np, ISAKMP_PAYLOAD_NONCRITICAL, ++ PROTO_v2_RESERVED, &empty_chunk, ++ v2N_PPK_IDENTITY, ¬ify_data, ++ &e_pbs_cipher)) ++ return STF_INTERNAL_ERROR; + freeanychunk(notify_data); + +- ikev2_calc_no_ppk_auth(cc, pst, idhash_npa, &pst->st_no_ppk_auth); +- if (!ship_v2N(ISAKMP_NEXT_v2NONE, ISAKMP_PAYLOAD_NONCRITICAL, +- PROTO_v2_RESERVED, &empty_chunk, +- v2N_NO_PPK_AUTH, &pst->st_no_ppk_auth, +- &e_pbs_cipher)) +- return STF_INTERNAL_ERROR; ++ if (!LIN(POLICY_PPK_INSIST, cc->policy)) { ++ ikev2_calc_no_ppk_auth(cc, pst, idhash_npa, &pst->st_no_ppk_auth); ++ if (!ship_v2N(ISAKMP_NEXT_v2NONE, ISAKMP_PAYLOAD_NONCRITICAL, ++ PROTO_v2_RESERVED, &empty_chunk, ++ v2N_NO_PPK_AUTH, &pst->st_no_ppk_auth, ++ &e_pbs_cipher)) ++ return STF_INTERNAL_ERROR; ++ } + } + + passert(notifies == 0); +diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_ppk.c libreswan-3.23/programs/pluto/ikev2_ppk.c +--- libreswan-3.23-orig/programs/pluto/ikev2_ppk.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/ikev2_ppk.c 2018-02-05 14:39:11.173190188 -0500 +@@ -113,7 +113,24 @@ + enum keyword_authby authby = c->spd.this.authby; + switch (authby) { + case AUTH_RSASIG: +- /* TODO */ ++ if (ikev2_calculate_rsa_sha1(st, st->st_original_role, id_hash, NULL, TRUE, no_ppk_auth)) { ++ if (st->st_hash_negotiated & 
NEGOTIATE_AUTH_HASH_SHA1) { ++ /* make blobs separately, and somehow combine them and no_ppk_auth ++ * to get an actual no_ppk_auth */ ++ int len = ASN1_LEN_ALGO_IDENTIFIER + ASN1_SHA1_RSA_OID_SIZE + no_ppk_auth->len; ++ u_char *blobs = alloc_bytes(len, "bytes for blobs for AUTH_DIGSIG NO_PPK_AUTH"); ++ u_char *ret = blobs; ++ memcpy(blobs, len_sha1_rsa_oid_blob, ASN1_LEN_ALGO_IDENTIFIER); ++ blobs += ASN1_LEN_ALGO_IDENTIFIER; ++ memcpy(blobs, sha1_rsa_oid_blob, ASN1_SHA1_RSA_OID_SIZE); ++ blobs += ASN1_SHA1_RSA_OID_SIZE; ++ memcpy(blobs, no_ppk_auth->ptr, no_ppk_auth->len); ++ chunk_t release = *no_ppk_auth; ++ setchunk(*no_ppk_auth, ret, len); ++ freeanychunk(release); ++ } ++ } ++ return STF_OK; + break; + case AUTH_PSK: + if (ikev2_create_psk_auth(AUTH_PSK, st, id_hash, NULL, TRUE, no_ppk_auth)) +diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_rsa.c libreswan-3.23/programs/pluto/ikev2_rsa.c +--- libreswan-3.23-orig/programs/pluto/ikev2_rsa.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/ikev2_rsa.c 2018-02-05 14:39:11.173190188 -0500 +@@ -101,7 +101,9 @@ + bool ikev2_calculate_rsa_sha1(struct state *st, + enum original_role role, + unsigned char *idhash, +- pb_stream *a_pbs) ++ pb_stream *a_pbs, ++ bool calc_no_ppk_auth, ++ chunk_t *no_ppk_auth) + { + unsigned char signed_octets[SHA1_DIGEST_SIZE + 16]; + size_t signed_len; +@@ -136,8 +138,13 @@ + if (shr == 0) + return FALSE; + passert(shr == (int)sz); +- if (!out_raw(sig_val, sz, a_pbs, "rsa signature")) +- return FALSE; ++ if (calc_no_ppk_auth == FALSE) { ++ if (!out_raw(sig_val, sz, a_pbs, "rsa signature")) ++ return FALSE; ++ } else { ++ clonetochunk(*no_ppk_auth, sig_val, sz, "NO_PPK_AUTH chunk"); ++ DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH payload", *no_ppk_auth)); ++ } + } + + return TRUE; +diff -Naur libreswan-3.23-orig/programs/pluto/nss_cert_verify.c libreswan-3.23/programs/pluto/nss_cert_verify.c +--- libreswan-3.23-orig/programs/pluto/nss_cert_verify.c 2018-01-25 
15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/nss_cert_verify.c 2018-02-05 14:38:52.685418927 -0500 +@@ -498,60 +498,83 @@ + + bool cert_VerifySubjectAltName(const CERTCertificate *cert, const char *name) + { +- SECStatus rv; + SECItem subAltName; +- PLArenaPool *arena = NULL; +- CERTGeneralName *nameList = NULL; +- CERTGeneralName *current = NULL; +- bool san_ip = FALSE; +- unsigned int len = strlen(name); +- ip_address myip; +- +- rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, ++ SECStatus rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, + &subAltName); + if (rv != SECSuccess) { + DBG(DBG_X509, DBG_log("certificate contains no subjectAltName extension")); + return FALSE; + } + +- if (tnatoaddr(name, 0, AF_UNSPEC, &myip) == NULL) +- san_ip = TRUE; ++ ip_address myip; ++ bool san_ip = (tnatoaddr(name, 0, AF_UNSPEC, &myip) == NULL); + +- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); ++ PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + passert(arena != NULL); + +- nameList = current = CERT_DecodeAltNameExtension(arena, &subAltName); +- passert(current != NULL); ++ CERTGeneralName *nameList = CERT_DecodeAltNameExtension(arena, &subAltName); + +- do +- { ++ if (nameList == NULL) { ++ loglog(RC_LOG_SERIOUS, "certificate subjectAltName extension failed to decode"); ++ PORT_FreeArena(arena, PR_FALSE); ++ return FALSE; ++ } ++ ++ /* ++ * nameList is a pointer into a non-empty circular linked list. ++ * This loop visits each entry. ++ * We have visited each when we come back to the start. ++ * We test only at the end, after we advance, because we want to visit ++ * the first entry the first time we see it but stop when we get to it ++ * the second time. 
++ */ ++ CERTGeneralName *current = nameList; ++ do { + switch (current->type) { + case certDNSName: + case certRFC822Name: +- if (san_ip) +- break; +- if (current->name.other.len == len) { +- if (memcmp(current->name.other.data, name, len) == 0) { +- DBG(DBG_X509, DBG_log("subjectAltname %s found in certificate", name)); +- PORT_FreeArena(arena, PR_FALSE); +- return TRUE; +- } +- } ++ { ++ /* ++ * Match the parameter name with the name in the certificate. ++ * The name in the cert may start with "*."; that will match ++ * any initial component in name (up to the first '.'). ++ */ ++ /* we need to cast because name.other.data is unsigned char * */ ++ const char *c_ptr = (const void *) current->name.other.data; ++ size_t c_len = current->name.other.len; ++ ++ const char *n_ptr = name; ++ static const char wild[] = "*."; ++ const size_t wild_len = sizeof(wild) - 1; ++ ++ if (c_len > wild_len && startswith(c_ptr, wild)) { ++ /* wildcard in cert: ignore first component of name */ ++ c_ptr += wild_len; ++ c_len -= wild_len; ++ n_ptr = strchr(n_ptr, '.'); ++ if (n_ptr == NULL) ++ break; /* cannot match */ + +- if (current->name.other.len != 0 && current->name.other.len < IDTOA_BUF) { +- char osan[IDTOA_BUF]; ++ n_ptr++; /* skip . */ ++ } + +- memcpy(osan,current->name.other.data, current->name.other.len); +- osan[current->name.other.len] = '\0'; +- DBG(DBG_X509, DBG_log("subjectAltname (len=%d) %s not match %s", current->name.other.len, osan, name)); +- } else { +- DBG(DBG_X509, DBG_log("subjectAltname does not match %s", name)); ++ if (c_len == strlen(n_ptr) && strncaseeq(n_ptr, c_ptr, c_len)) { ++ /* ++ * ??? if current->name.other.data contains bad characters, ++ * what prevents them being logged? 
++ */ ++ DBG(DBG_X509, DBG_log("subjectAltname %s matched %*s in certificate", ++ name, current->name.other.len, current->name.other.data)); ++ PORT_FreeArena(arena, PR_FALSE); ++ return TRUE; + } + break; ++ } + + case certIPAddress: + if (!san_ip) + break; ++ + if ((current->name.other.len == 4) && (addrtypeof(&myip) == AF_INET)) { + if (memcmp(current->name.other.data, &myip.u.v4.sin_addr.s_addr, 4) == 0) { + DBG(DBG_X509, DBG_log("subjectAltname IPv4 matches %s", name)); +@@ -572,7 +595,7 @@ + break; + } + } +- DBG(DBG_X509, DBG_log("subjectAltnamea IP address family mismatch for %s", name)); ++ DBG(DBG_X509, DBG_log("subjectAltname IP address family mismatch for %s", name)); + break; + + default: +diff -Naur libreswan-3.23-orig/programs/_unbound-hook/_unbound-hook.in libreswan-3.23/programs/_unbound-hook/_unbound-hook.in +--- libreswan-3.23-orig/programs/_unbound-hook/_unbound-hook.in 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/_unbound-hook/_unbound-hook.in 2018-02-05 14:38:49.373280754 -0500 +@@ -1,31 +1,52 @@ + #!/usr/bin/python ++# ++# Copyright (C) 2018 Paul Wouters ++# ++# This program is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 2 of the License, or (at your ++# option) any later version. See . ++# ++# This program is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ++# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++# for more details. 
+ + import sys +-import base64 +-import commands ++import subprocess + +-log = "" +- +-status, myip = commands.getstatusoutput("ip -o route get 1.0.0.1") ++# Get my %defaultroute IP address ++myip = subprocess.check_output("ip -o route get 8.8.8.8", shell=True) + myip = myip.split("src")[1].strip().split()[0] + + argv = sys.argv +-argc = len(sys.argv) ++ourself = argv.pop(0) + +-#log += "Number or arguments is %d\n"%argc +-#if argc >= 4: +-# log += "QNAME:%s\n"%argv[1] +-# log += "TTL:%s\n"%argv[2] +-# log += "IP:%s\n"%argv[3] +-# log += "IPSECKEY:%s\n"%argv[4] +-# rr = argv[4] +-# pref, gwtype, algo, gw, pubkey = rr.split(" ") +-#log += "-----------------------------\n" +- +-cmdname = "@IPSEC_EXECDIR@/whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(argv[1], pubkey) +-cmdip = "@IPSEC_EXECDIR@/whack --keyid %s --addkey --pubkeyrsa 0s%s"%(argv[3], pubkey) +-cmdoe = "@IPSEC_EXECDIR@/whack --oppohere %s --oppothere %s"%(myip, argv[3]) +-ret, output = commands.getstatusoutput(cmdname) +-ret, output = commands.getstatusoutput(cmdip) +-ret, output = commands.getstatusoutput(cmdoe) +-ret, output = commands.getstatusoutput("@IPSEC_EXECDIR@ whack --trafficstatus") ++try: ++ qname = argv.pop(0) ++ ttl = argv.pop(0) ++ ip = argv.pop(0) ++except: ++ sys.exit("Bad arguments to ipsec _unbound") ++ ++while (argv != []): ++ try: ++ gwprec = argv.pop(0) ++ gwtype = argv.pop(0) ++ gwalg = argv.pop(0) ++ gwid = argv.pop(0) ++ pubkey = argv.pop(0) ++ addkeyip = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(ip, pubkey) ++ addkeyhostname = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(qname, pubkey) ++ print("processing an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip)) ++ print(subprocess.call(addkeyip, shell=True)) ++ print(subprocess.call(addkeyhostname, shell=True)) ++ except: ++ sys.exit("failed to process an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip)) ++ ++# done injecting all IPSECKEY records into pluto - try actual OE now ++cmdoeip = 
"ipsec whack --oppohere %s --oppothere %s"%(myip, ip) ++print(subprocess.check_output(cmdoeip, shell=True)) ++#cmdoeqname = "ipsec whack --oppohere %s --oppothere %s"%(myip, qname) ++#ret, output = commands.getstatusoutput(cmdoeqname) ++print(subprocess.check_output("ipsec whack --trafficstatus", shell=True)) +diff --git a/include/ietf_constants.h b/include/ietf_constants.h +index 8a1ba5d..38fa4de 100644 +--- a/include/ietf_constants.h ++++ b/include/ietf_constants.h +@@ -1215,7 +1215,7 @@ enum ikev2_cp_attribute_type { + IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO = 23, + IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK = 24, + IKEv2_INTERNAL_DNS_DOMAIN = 25, +- /* IKEv2_INTERNAL_DNSSEC_TA = 26 expected */ ++ IKEv2_INTERNAL_DNSSEC_TA = 26 + }; + + +diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c +index 9ea9872..ab6db3e 100644 +--- a/lib/libswan/constants.c ++++ b/lib/libswan/constants.c +@@ -1365,13 +1365,12 @@ static const char *const ikev2_cp_attribute_type_name[] = { + "IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO", /* 3gpp */ + "IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK", /* 3gpp */ + "IKEv2_INTERNAL_DNS_DOMAIN", /* draft-ietf-ipsecme-split-dns */ +- /* "IKEv2_INTERNAL_DNSSEC_TA", draft-ietf-ipsecme-split-dns, no Code Point yet */ ++ "IKEv2_INTERNAL_DNSSEC_TA", /* draft-ietf-ipsecme-split-dns */ + }; + + enum_names ikev2_cp_attribute_type_names = { + IKEv2_CP_ATTR_RESERVED, +- IKEv2_INTERNAL_DNS_DOMAIN, +- /* IKEv2_INTERNAL_DNSSEC_TA, */ ++ IKEv2_INTERNAL_DNSSEC_TA, + ARRAY_REF(ikev2_cp_attribute_type_name), + NULL, /* prefix */ + NULL +diff --git a/programs/addconn/addconn.c b/programs/addconn/addconn.c +index ae56972..e818e0e 100644 +--- a/programs/addconn/addconn.c ++++ b/programs/addconn/addconn.c +@@ -416,12 +416,11 @@ int main(int argc, char *argv[]) + if (verbose) + printf(" Pass #1: Loading auto=add, auto=route and auto=start connections\n"); + +- for (conn = cfg->conns.tqh_first; +- conn != NULL; +- conn = conn->link.tqe_next) { ++ for (conn = cfg->conns.tqh_first; 
conn != NULL; conn = conn->link.tqe_next) { + if (conn->desired_state == STARTUP_ADD || + conn->desired_state == STARTUP_ONDEMAND || +- conn->desired_state == STARTUP_START) { ++ conn->desired_state == STARTUP_START) ++ { + if (verbose) + printf(" %s", conn->name); + resolve_defaultroute(conn); +@@ -436,30 +435,22 @@ int main(int argc, char *argv[]) + starter_whack_listen(cfg); + + if (verbose) +- printf(" Pass #2: Routing auto=route and auto=start connections\n"); ++ printf(" Pass #2: Routing auto=route connections\n"); + +- for (conn = cfg->conns.tqh_first; +- conn != NULL; +- conn = conn->link.tqe_next) { +- if (conn->desired_state == STARTUP_ADD || +- conn->desired_state == STARTUP_ONDEMAND || +- conn->desired_state == STARTUP_START) { ++ for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) { ++ if (conn->desired_state == STARTUP_ONDEMAND) ++ { + if (verbose) + printf(" %s", conn->name); +- resolve_defaultroute(conn); +- if (conn->desired_state == STARTUP_ONDEMAND || +- conn->desired_state == STARTUP_START) { ++ if (conn->desired_state == STARTUP_ONDEMAND) + starter_whack_route_conn(cfg, conn); +- } + } + } + + if (verbose) + printf(" Pass #3: Initiating auto=start connections\n"); + +- for (conn = cfg->conns.tqh_first; +- conn != NULL; +- conn = conn->link.tqe_next) { ++ for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) { + if (conn->desired_state == STARTUP_START) { + if (verbose) + printf(" %s", conn->name); +diff --git a/programs/_updown.netkey/_updown.netkey.in b/programs/_updown.netkey/_updown.netkey.in +index 64b2808..b343445 100644 +--- a/programs/_updown.netkey/_updown.netkey.in ++++ b/programs/_updown.netkey/_updown.netkey.in +@@ -745,6 +745,7 @@ case "${PLUTO_VERB}" in + up-client) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. ++ addvtiiface + updateresolvconf + addcat + addsource 
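Review bot: The `_unbound-hook.in` rewrite builds command strings from the IPSECKEY fields it pops off argv (`qname`, `ip`, `pubkey`) and runs them with `shell=True`, so record content the hook receives from DNS is interpreted by the shell before it reaches whack; pass an argument list instead, e.g. `subprocess.call(["ipsec", "whack", "--keyid", "@" + ip, "--addkey", "--pubkeyrsa", "0s" + pubkey])`, and likewise for the hostname and `--oppohere`/`--oppothere` invocations, and replace the bare `except:` with `except IndexError:` so a real failure in the whack call is not reported as "bad arguments". In the same patch, the new debug line in `cert_VerifySubjectAltName` prints `current->name.other.data` with `%*s`, which is a field width, not a length, so the log reads until a NUL that the DER-decoded SECItem does not guarantee; use `"%.*s"` with `(int)current->name.other.len`. Smaller: in `ikev2_ppk.c` the `break` after the added `return STF_OK` is unreachable, and `int len = ASN1_LEN_ALGO_IDENTIFIER + ASN1_SHA1_RSA_OID_SIZE + no_ppk_auth->len` appears to narrow a `size_t` sum into `int` before it is passed to `alloc_bytes`.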
diff --git a/libreswan-3.23-gcc8.patch b/libreswan-3.23-gcc8.patch
new file mode 100644
index 0000000..62a8fde
--- /dev/null
+++ b/libreswan-3.23-gcc8.patch
@@ -0,0 +1,82 @@ +diff -Naur libreswan-3.23-orig/programs/pluto/kernel_netlink.c libreswan-3.23/programs/pluto/kernel_netlink.c +--- libreswan-3.23-orig/programs/pluto/kernel_netlink.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/kernel_netlink.c 2018-02-19 18:56:24.433527475 -0500 +@@ -51,8 +51,9 @@ + #include + #include + +-#include "libreswan.h" /* before xfrm.h otherwise break on F22 */ ++//#include + #include "linux/xfrm.h" /* local (if configured) or system copy */ ++#include "libreswan.h" /* before xfrm.h otherwise break on F22 */ + + #include "libreswan/pfkeyv2.h" + #include "libreswan/pfkey.h" +diff -Naur libreswan-3.23-orig/programs/pluto/linux_audit.c libreswan-3.23/programs/pluto/linux_audit.c +--- libreswan-3.23-orig/programs/pluto/linux_audit.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/linux_audit.c 2018-02-19 18:58:51.356837932 -0500 +@@ -74,6 +74,15 @@ + + #include "pluto_stats.h" + ++#if __GNUC__ >= 7 ++ /* ++ * GCC 7+ warns about the following calls that truncate a string using ++ * snprintf(). We are truncating the log message for a reason. 
++ */ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wformat-truncation" ++#endif ++ + static bool log_to_audit = FALSE; /* audit log messages for kernel */ + + void linux_audit_init(void) +@@ -159,13 +168,13 @@ + char raddr[ADDRTOT_BUF]; + char laddr[ADDRTOT_BUF]; + char audit_str[AUDIT_LOG_SIZE]; +- char cipher_str[AUDIT_LOG_SIZE]; +- char spi_str[AUDIT_LOG_SIZE]; ++ char cipher_str[20]; ++ char spi_str[20]; + struct connection *const c = st->st_connection; + bool initiator = FALSE; + char head[IDTOA_BUF]; +- char integname[IDTOA_BUF]; +- char prfname[IDTOA_BUF]; ++ char integname[20]; ++ char prfname[20]; + struct esb_buf esb, esb2; + /* we need to free() this */ + char *conn_encode = audit_encode_nv_string("conn-name",c->name,0); +@@ -300,3 +309,6 @@ + AUDIT_CRYPTO_IPSEC_SA : AUDIT_CRYPTO_IKE_SA, + audit_str, raddr, AUDIT_RESULT_OK); + } ++#if __GNUC__ >= 7 ++#pragma GCC diagnostic pop ++#endif +diff -Naur libreswan-3.23-orig/programs/pluto/log.h libreswan-3.23/programs/pluto/log.h +--- libreswan-3.23-orig/programs/pluto/log.h 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/log.h 2018-02-19 18:56:24.433527475 -0500 +@@ -154,7 +154,7 @@ + + #ifdef USE_LINUX_AUDIT + #include /* from audit-libs devel */ +-#define AUDIT_LOG_SIZE 256 ++#define AUDIT_LOG_SIZE 512 + /* should really be in libaudit.h */ + #define AUDIT_RESULT_FAIL 0 + #define AUDIT_RESULT_OK 1 +diff -Naur libreswan-3.23-orig/programs/pluto/pluto_constants.c libreswan-3.23/programs/pluto/pluto_constants.c +--- libreswan-3.23-orig/programs/pluto/pluto_constants.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/pluto_constants.c 2018-02-19 18:56:24.434527471 -0500 +@@ -478,7 +478,7 @@ + policy & + ~(POLICY_SHUNT_MASK | POLICY_FAIL_MASK), + pbitnamesbuf, sizeof(pbitnamesbuf)); +- static char buf[200]; /* NOT RE-ENTRANT! I hope that it is big enough! */ ++ static char buf[512]; /* NOT RE-ENTRANT! I hope that it is big enough! 
*/
+ lset_t shunt = (policy & POLICY_SHUNT_MASK) >> POLICY_SHUNT_SHIFT;
+ lset_t fail = (policy & POLICY_FAIL_MASK) >> POLICY_FAIL_SHIFT;
+ 
diff --git a/libreswan-3.23-ppk-update.patch b/libreswan-3.23-ppk-update.patch
new file mode 100644
index 0000000..fe9d9fb
--- /dev/null
+++ b/libreswan-3.23-ppk-update.patch
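Review bot: In linux_audit.c the patch shrinks `cipher_str`, `spi_str`, `integname` and `prfname` from `AUDIT_LOG_SIZE` to a bare `20` and at the same time disables `-Wformat-truncation` for the whole file, so any algorithm name longer than 19 characters written into them by the `snprintf()` calls (outside this hunk) is silently cut in the audit record instead of being diagnosed. Prefer a named size, `#define AUDIT_ALG_BUF 20`, and check each `snprintf()` return against it; if truncation is acceptable there, scope the `#pragma GCC diagnostic push`/`pop` pair to that one function rather than the entire translation unit. The moved `#include "libreswan.h"` still carries `/* before xfrm.h otherwise break on F22 */` although it now comes after `linux/xfrm.h`, so the comment contradicts the code; update it to say why the order was reversed and drop the commented-out include above it.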
@@ -0,0 +1,116 @@ +diff --git a/include/ietf_constants.h b/include/ietf_constants.h +index 38fa4de..08c8d9e 100644 +--- a/include/ietf_constants.h ++++ b/include/ietf_constants.h +@@ -1486,12 +1486,14 @@ typedef enum { + v2N_SENDER_REQUEST_ID = 16429, /* draft-yeung-g-ikev2 */ + v2N_IKEV2_FRAGMENTATION_SUPPORTED = 16430, /* RFC-7383 */ + v2N_SIGNATURE_HASH_ALGORITHMS = 16431, /* RFC-7427 */ +- +- v2N_USE_PPK = 40960, /* draft-ietf-ipsecme-qr-ikev2-01 */ +- v2N_PPK_IDENTITY = 40961, /* draft-ietf-ipsecme-qr-ikev2-01 */ +- v2N_NO_PPK_AUTH = 40962, /* draft-ietf-ipsecme-qr-ikev2-01 */ +- +- /* 16432 - 40969 Unassigned */ ++ v2N_CLONE_IKE_SA_SUPPORTED = 16432, /* RFC-7791 */ ++ v2N_CLONE_IKE_SA = 16433, /* RFC-7791 */ ++ v2N_PUZZLE = 16434, /* RFC-8019 */ ++ v2N_USE_PPK = 16435, /* draft-ietf-ipsecme-qr-ikev2 */ ++ v2N_PPK_IDENTITY = 16436, /* draft-ietf-ipsecme-qr-ikev2 */ ++ v2N_NO_PPK_AUTH = 16437, /* draft-ietf-ipsecme-qr-ikev2 */ ++ ++ /* 16438 - 40969 Unassigned */ + /* 40960 - 65535 Private Use */ + } v2_notification_t; + +diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c +index ab6db3e..a0dab63 100644 +--- a/lib/libswan/constants.c ++++ b/lib/libswan/constants.c +@@ -1634,20 +1634,6 @@ static enum_names ikev2_ppk_id_type_names = { + }; + */ + +-static const char *const ikev2_notify_name_private[] = { +- "v2N_USE_PPK", +- "v2N_PPK_IDENTITY", +- "v2N_NO_PPK_AUTH", +-}; +- +-static enum_names ikev2_notify_names_private = { +- v2N_USE_PPK, +- v2N_NO_PPK_AUTH, +- ARRAY_REF(ikev2_notify_name_private), +- "v2N_", /* prefix */ +- NULL +-}; +- + /* http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xml#ikev2-parameters-13 */ + static const char *const ikev2_notify_name_16384[] = { + "v2N_INITIAL_CONTACT", /* 16384 */ +@@ -1698,14 +1684,20 @@ static const char *const ikev2_notify_name_16384[] = { + "v2N_SENDER_REQUEST_ID", + "v2N_IKEV2_FRAGMENTATION_SUPPORTED", /* 16430 */ + "v2N_SIGNATURE_HASH_ALGORITHMS", ++ "v2N_CLONE_IKE_SA_SUPPORTED", ++ 
"v2N_CLONE_IKE_SA", ++ "v2N_PUZZLE", ++ "v2N_USE_PPK", /* 16435 */ ++ "v2N_PPK_IDENTITY", ++ "v2N_NO_PPK_AUTH", + }; + + static enum_names ikev2_notify_names_16384 = { + v2N_INITIAL_CONTACT, +- v2N_SIGNATURE_HASH_ALGORITHMS, ++ v2N_NO_PPK_AUTH, + ARRAY_REF(ikev2_notify_name_16384), + "v2N_", /* prefix */ +- &ikev2_notify_names_private ++ NULL + }; + + static const char *const ikev2_notify_name[] = { +diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c +index 258ba85..b86eea8 100644 +--- a/programs/pluto/ikev2_parent.c ++++ b/programs/pluto/ikev2_parent.c +@@ -3749,18 +3749,14 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md) + break; + } + +- if (LIN(POLICY_PPK_ALLOW, policy)) { +- no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH"); ++ no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH"); + +- if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) { +- loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len); +- return STF_FATAL; +- } +- DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth)); +- st->st_no_ppk_auth = no_ppk_auth; +- } else { +- libreswan_log("ignored received NO_PPK_AUTH - connection does not allow PPK"); ++ if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) { ++ loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len); ++ return STF_FATAL; + } ++ DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth)); ++ st->st_no_ppk_auth = no_ppk_auth; + break; + } + case v2N_MOBIKE_SUPPORTED: +@@ -3774,8 +3770,11 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md) + } + } + +- /* if we found proper PPK ID, we should use that without fallback to no ppk */ +- if (found_ppk) ++ /* ++ * If we found proper PPK ID and policy allows PPK, use that. 
++ * Otherwise use NO_PPK_AUTH
++ */
++ if (found_ppk && LIN(POLICY_PPK_ALLOW, policy))
+ freeanychunk(st->st_no_ppk_auth);
+ 
+ if (!found_ppk && LIN(POLICY_PPK_INSIST, policy)) {
diff --git a/libreswan-3.23-seccomp.patch b/libreswan-3.23-seccomp.patch
new file mode 100644
index 0000000..0e3679a
--- /dev/null
+++ b/libreswan-3.23-seccomp.patch
@@ -0,0 +1,24 @@
+diff -Naur libreswan-3.23-orig/programs/addconn/addconn.c libreswan-3.23/programs/addconn/addconn.c
+--- libreswan-3.23-orig/programs/addconn/addconn.c 2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/addconn/addconn.c 2018-02-05 14:13:25.758711788 -0500
+@@ -140,7 +140,9 @@
+ rc |= S_RULE_ADD(set_robust_list);
+ rc |= S_RULE_ADD(set_tid_address);
+ rc |= S_RULE_ADD(socket);
++ rc |= S_RULE_ADD(socketcall);
+ rc |= S_RULE_ADD(socketpair);
++ rc |= S_RULE_ADD(stat);
+ rc |= S_RULE_ADD(statfs);
+ rc |= S_RULE_ADD(uname);
+ rc |= S_RULE_ADD(write);
+diff -Naur libreswan-3.23-orig/programs/pluto/pluto_seccomp.c libreswan-3.23/programs/pluto/pluto_seccomp.c
+--- libreswan-3.23-orig/programs/pluto/pluto_seccomp.c 2018-01-25 15:19:46.000000000 -0500
++++ libreswan-3.23/programs/pluto/pluto_seccomp.c 2018-02-05 14:13:38.390239502 -0500
+@@ -109,6 +109,7 @@
+ rc |= S_RULE_ADD(set_robust_list);
+ rc |= S_RULE_ADD(setsockopt);
+ rc |= S_RULE_ADD(socket);
++ rc |= S_RULE_ADD(socketcall);
+ rc |= S_RULE_ADD(socketpair);
+ rc |= S_RULE_ADD(sysinfo);
+ rc |= S_RULE_ADD(uname);
diff --git a/libreswan-3.25-relax-delete.patch b/libreswan-3.25-relax-delete.patch
new file mode 100644
index 0000000..e5a0280
--- /dev/null
+++ b/libreswan-3.25-relax-delete.patch
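Review bot: In `ikev2_parent_inI2outR2_id_tail` the NO_PPK_AUTH notify is now extracted and stored in `st->st_no_ppk_auth` unconditionally, and the `POLICY_PPK_ALLOW` check only decides whether it is freed when a PPK_ID was also found; when no PPK_ID is present and the policy does not allow PPK, the chunk is kept and nothing in the hunk says who consumes or frees it — the function continues past the end of the hunk, so that may be handled further down, but a comment at the assignment should say so. The assignment `st->st_no_ppk_auth = no_ppk_auth;` also overwrites any chunk stored by an earlier v2N_NO_PPK_AUTH in the same message without releasing it; unless the payload loop rejects duplicates, `freeanychunk(st->st_no_ppk_auth);` immediately before the assignment closes that leak. The move from the 40960 private-use codes to 16435-16437 changes the wire values, so peers built against the earlier draft stop interoperating; the `v2_notification_t` comment should cite the draft revision that assigned them.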
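Review bot: The new `S_RULE_ADD(socketcall)` entries in both addconn.c and pluto_seccomp.c, and `S_RULE_ADD(stat)` in addconn.c, widen the seccomp allowlist without recording what needed them, and each added syscall is a permanent reduction of the sandbox. A short comment on each line, e.g. `rc |= S_RULE_ADD(socketcall); /* multiplexed socket entry point on ABIs without direct socket syscalls */`, keeps the justification next to the rule; the architecture or library path that triggered the additions is not visible here, so that text should be confirmed by whoever hit the failure. `stat` is added only to addconn and not to pluto, which is worth stating explicitly if intentional.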
@@ -0,0 +1,62 @@ +diff --git a/programs/pluto/state.c b/programs/pluto/state.c +index 7b33145..a3bcc3c 100644 +--- a/programs/pluto/state.c ++++ b/programs/pluto/state.c +@@ -3155,27 +3155,40 @@ void ISAKMP_SA_established(const struct state *pst) + d = next; + } + +- if (c->newest_isakmp_sa != SOS_NOBODY && +- c->newest_isakmp_sa != pst->st_serialno) { +- struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa); ++ /* ++ * This only affects IKEv2, since we don't store any ++ * received INITIAL_CONTACT for IKEv1. ++ * We don't do this on IKEv1, because it seems to ++ * confuse various third parties (Windows, Cisco VPN 300, ++ * and juniper ++ * likely because this would be called before the IPsec SA ++ * of QuickMode is installed, so the remote endpoints view ++ * this IKE SA still as the active one? ++ */ ++ if (pst->st_seen_initialc) { + +- DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s", +- old_p1->st_connection->name)); +- old_p1->st_suppress_del_notify = TRUE; +- event_force(EVENT_SA_EXPIRE, old_p1); +- } ++ if (c->newest_isakmp_sa != SOS_NOBODY && ++ c->newest_isakmp_sa != pst->st_serialno) { ++ struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa); + +- if (pst->st_seen_initialc && (c->newest_ipsec_sa != SOS_NOBODY)) +- { +- struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa); +- struct connection *d = old_p2 == NULL ? 
NULL : old_p2->st_connection; ++ DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s", ++ old_p1->st_connection->name)); ++ old_p1->st_suppress_del_notify = TRUE; ++ event_force(EVENT_SA_EXPIRE, old_p1); ++ } + +- if (c == d && same_id(&c->spd.that.id, &d->spd.that.id)) ++ if (c->newest_ipsec_sa != SOS_NOBODY) + { +- DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'", +- c->newest_ipsec_sa, c->name)); +- old_p2->st_suppress_del_notify = TRUE; +- event_force(EVENT_SA_EXPIRE, old_p2); ++ struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa); ++ struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection; ++ ++ if (c == d && same_id(&c->spd.that.id, &d->spd.that.id)) ++ { ++ DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'", ++ c->newest_ipsec_sa, c->name)); ++ old_p2->st_suppress_del_notify = TRUE; ++ event_force(EVENT_SA_EXPIRE, old_p2); ++ } + } + } + diff --git a/libreswan-3.25-unbound-hook.patch b/libreswan-3.25-unbound-hook.patch new file mode 100644 index 0000000..007ae73 --- /dev/null +++ b/libreswan-3.25-unbound-hook.patch 
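Review bot: Inside the new `if (pst->st_seen_initialc)` block, `old_p1 = state_by_serialno(c->newest_isakmp_sa)` is dereferenced as `old_p1->st_connection->name` with no NULL check, while the sibling lookup a few lines down guards with `old_p2 == NULL ? NULL : old_p2->st_connection`. The patch relocates rather than introduces those lines, but since it rewrites the whole block the inconsistency is cheap to fix here: wrap the log and `event_force(EVENT_SA_EXPIRE, old_p1);` in `if (old_p1 != NULL) {`, or document why a stale `newest_isakmp_sa` cannot occur. The new block comment also trails off ("and juniper likely because ...") and would read better with the parenthesis closed and a full stop after "juniper". ISAKMP_SA_established begins and ends outside the hunk.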
@@ -0,0 +1,35 @@ +commit 9dce290a0d2df5c278ed9442b10954d65cc238e4 +Author: Paul Wouters +Date: Sun Jul 8 22:29:52 2018 -0400 + + _unbound-hook: Fixup adding IPv4 pubkey into pluto. Expect unbound to quote argument as 1 + +diff --git a/programs/_unbound-hook/_unbound-hook.in b/programs/_unbound-hook/_unbound-hook.in +index 0d266d5..38279de 100755 +--- a/programs/_unbound-hook/_unbound-hook.in ++++ b/programs/_unbound-hook/_unbound-hook.in +@@ -29,14 +29,17 @@ try: + except: + sys.exit("Bad arguments to ipsec _unbound") + +-while (argv != []): ++# unbound now quotes the entire RRDATAs, so it counts as 1 argument in the list ++data = argv.pop(0).split(" ") ++ ++while (data != []): + try: +- gwprec = argv.pop(0) +- gwtype = argv.pop(0) +- gwalg = argv.pop(0) +- gwid = argv.pop(0) +- pubkey = argv.pop(0) +- addkeyip = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(ip, pubkey) ++ gwprec = data.pop(0) ++ gwtype = data.pop(0) ++ gwalg = data.pop(0) ++ gwid = data.pop(0) ++ pubkey = data.pop(0) ++ addkeyip = "ipsec whack --keyid %s --addkey --pubkeyrsa 0s%s"%(ip, pubkey) + addkeyhostname = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(qname, pubkey) + print("processing an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip)) + print(subprocess.call(addkeyip, shell=True)) diff --git a/libreswan-3.26-asn1-zu.patch b/libreswan-3.26-asn1-zu.patch new file mode 100644 index 0000000..58b68ac --- /dev/null +++ b/libreswan-3.26-asn1-zu.patch 
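Review bot: The new `addkeyip = "ipsec whack --keyid %s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)` still interpolates values popped out of the IPSECKEY RRDATA (`pubkey`, plus `ip` and `qname` set outside the hunk) into a shell command string that the context line `subprocess.call(addkeyip, shell=True)` runs; data that arrives in a DNS answer, even one unbound has validated, should not pass through the shell. An argument list without the shell removes the quoting problem: `subprocess.call(["ipsec", "whack", "--keyid", ip, "--addkey", "--pubkeyrsa", "0s" + pubkey])`, with the same change for `addkeyhostname`. The switch from `--keyid @%s` to `--keyid %s` for the IP form is a behaviour change the commit header only calls a "Fixup"; a sentence on why the `@` prefix was wrong for address keyids would help the next reader. The `try`/`except` and the rest of the loop lie outside the hunk.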
@@ -0,0 +1,21 @@ +diff -Naur libreswan-3.26-orig/lib/libswan/asn1.c libreswan-3.26/lib/libswan/asn1.c +--- libreswan-3.26-orig/lib/libswan/asn1.c 2018-09-16 22:45:52.000000000 -0400 ++++ libreswan-3.26/lib/libswan/asn1.c 2018-09-17 00:28:06.726985327 -0400 +@@ -164,7 +164,7 @@ + sig_val->len = len_r; + /* XXX: need to check len_r and len_s fits in this */ + sig_val->ptr = alloc_bytes(len_r * 2, "ec points"); +- DBG(DBG_PARSING, DBG_log(" sig_val len is %ld",sig_val->len)); ++ DBG(DBG_PARSING, DBG_log(" sig_val len is %zu",sig_val->len)); + /* copy the values of r into signature */ + memcpy(sig_val->ptr,blob->ptr,len_r); + +@@ -184,7 +184,7 @@ + } + DBG(DBG_PARSING, DBG_log(" len_s is %d",len_s)); + sig_val->len += len_s; +- DBG(DBG_PARSING, DBG_log(" sig_val total len is %ld",sig_val->len)); ++ DBG(DBG_PARSING, DBG_log(" sig_val total len is %zu",sig_val->len)); + /* copy the values of r into signature */ + memcpy(sig_val->ptr+len_r,blob->ptr,len_s); + } diff --git a/libreswan-3.29-updown-syntax.patch b/libreswan-3.29-updown-syntax.patch new file mode 100644 index 0000000..e6eb679 --- /dev/null +++ b/libreswan-3.29-updown-syntax.patch @@ -0,0 +1,13 @@ +diff --git a/programs/_updown.netkey/_updown.netkey.in b/programs/_updown.netkey/_updown.netkey.in +index 9c76998233..21000b1ea4 100644 +--- a/programs/_updown.netkey/_updown.netkey.in ++++ b/programs/_updown.netkey/_updown.netkey.in +@@ -446,7 +446,7 @@ delsource() { + return ${st} + fi + # Remove source ip if it's not used any more. +- if [ -z $(ip -o route list src ${PLUTO_MY_SOURCEIP}) ]; then ++ if [ -z "$(ip -o route list src ${PLUTO_MY_SOURCEIP})" ]; then + if [ -n "${VTI_IFACE}" -a "${VTI_ROUTING}" = yes ]; then + interface="${VTI_IFACE}" + fi diff --git a/libreswan-3.30-s390x.patch b/libreswan-3.30-s390x.patch new file mode 100644 index 0000000..a229d8a --- /dev/null +++ b/libreswan-3.30-s390x.patch 
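Review bot: The `%ld` to `%zu` change is the right specifier for a size_t, but the context comment `/* XXX: need to check len_r and len_s fits in this */` above `sig_val->ptr = alloc_bytes(len_r * 2, "ec points")` still describes a missing bound: the second hunk copies `len_s` bytes to `sig_val->ptr+len_r` into a buffer sized `len_r * 2`, so unless a check exists between the two hunks a DER signature with `len_s > len_r` overruns the allocation. Because this parses peer-supplied signature bytes, a guard rejecting `len_s > len_r` before `sig_val->len += len_s;` (using the function's existing error return) would resolve the XXX rather than leave it as a note. The enclosing function starts and ends outside both hunks.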
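Review bot: The quoting fix on `[ -z "$(ip -o route list src ${PLUTO_MY_SOURCEIP})" ]` leaves `${PLUTO_MY_SOURCEIP}` itself unquoted inside the substitution, so the line is only half consistent with the `"${VTI_IFACE}"` style on the following line. Writing `"${PLUTO_MY_SOURCEIP}"` keeps the command well-formed if the variable is empty or contains whitespace. delsource() continues outside the hunk.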
@@ -0,0 +1,21 @@ +commit 8b067b47b1e2306c83bed49ecada1bddfb1c1a38 +Author: Paul Wouters +Date: Fri Feb 14 15:22:21 2020 -0500 + + pluto: fixup: 'incl' may be used uninitialized in init_virtual_ip() + + For some reason, only the s390x compiler complains. + +diff --git a/programs/pluto/virtual.c b/programs/pluto/virtual.c +index ce94d5a5ee..74d77a3ab0 100644 +--- a/programs/pluto/virtual.c ++++ b/programs/pluto/virtual.c +@@ -172,7 +172,7 @@ void init_virtual_ip(const char *private_list) + if (next == NULL) + next = str + strlen(str); + +- bool incl; ++ bool incl = FALSE; + if (read_subnet(str, next - str, + &(private_net_incl[i_incl]), + &(private_net_excl[i_excl]), diff --git a/libreswan-3.32-nss-api.patch b/libreswan-3.32-nss-api.patch new file mode 100644 index 0000000..efd10ba --- /dev/null +++ b/libreswan-3.32-nss-api.patch @@ -0,0 +1,16 @@ +diff -Naur libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c +--- libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c 2020-05-11 10:13:41.000000000 -0400 ++++ libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c 2020-05-26 10:23:26.563318038 -0400 +@@ -16,6 +16,12 @@ + #include + #include + ++/* ++ * Special advise from Bob Relyea - needs to go before any nss include ++ * ++ */ ++#define NSS_PKCS11_2_0_COMPAT 1 ++ + #include "lswlog.h" + #include "lswnss.h" + #include "prmem.h" diff --git a/libreswan-3.32-uninitialized.patch b/libreswan-3.32-uninitialized.patch new file mode 100644 index 0000000..1a9ce1a --- /dev/null +++ b/libreswan-3.32-uninitialized.patch 
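Review bot: The new `#define NSS_PKCS11_2_0_COMPAT 1` is explained only as "Special advise from Bob Relyea", which tells the next maintainer neither what the macro selects nor when it can go away. A comment along the lines of `/* Keep the PKCS#11 v2 layout of NSS parameter structs that newer NSS changed for PKCS#11 v3; must precede every NSS include in each TU using them, or the layout mismatch crashes GCM (changelog 3.32-2). Drop once ported to the v3 API. */` would capture that. The define also sits below two `#include` lines whose names are not visible here; if either pulls in NSS headers the define comes too late, which is worth confirming.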
@@ -0,0 +1,13 @@ +diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c +index 702c9a8..3772508 100644 +--- a/programs/pluto/ikev2_parent.c ++++ b/programs/pluto/ikev2_parent.c +@@ -2150,7 +2150,7 @@ static stf_status ikev2_parent_inR1outI2_tail(struct state *pst, struct msg_dige + struct pluto_crypto_req *r) + { + struct connection *const pc = pst->st_connection; /* parent connection */ +- struct ppk_id_payload ppk_id_p; ++ struct ppk_id_payload ppk_id_p = { }; + struct ike_sa *ike = pexpect_ike_sa(pst); + + if (!finish_dh_v2(pst, r, FALSE)) { diff --git a/libreswan.spec b/libreswan.spec new file mode 100644 index 0000000..2bd9936 --- /dev/null +++ b/libreswan.spec 
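Review bot: `struct ppk_id_payload ppk_id_p = { };` uses the empty-brace initializer, which is a GCC/Clang extension in C11 and only standard from C23; the portable spelling with the same effect is `struct ppk_id_payload ppk_id_p = { 0 };`. With the build relying on gcc this is a style point rather than a defect, but `{ 0 }` avoids a diagnostic if `-Wpedantic` is ever added to the warning list. ikev2_parent_inR1outI2_tail continues outside the hunk.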
@@ -0,0 +1,435 @@ +%global _hardened_build 1 +# These are rpm macros and are 0 or 1 +%global with_efence 0 +%global with_development 0 +%global with_cavstests 1 +# minimum version for support for rhbz#1651314 +%global nss_version 3.44.0-8 +%global unbound_version 1.6.6 +# Libreswan config options. With these settings, libreswan +# does not require its own FIPS validation. Only the system +# and NSS needs to be FIPS validated. +%global libreswan_config \\\ + SHELL_BINARY=/usr/bin/sh \\\ + FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\ + FINALMANDIR=%{_mandir} \\\ + PREFIX=%{_prefix} \\\ + INITSYSTEM=systemd \\\ + NSS_REQ_AVA_COPY=false \\\ + NSS_HAS_IPSEC_PROFILE=true \\\ + PYTHON_BINARY=%{__python3} \\\ + USE_DNSSEC=true \\\ + USE_FIPSCHECK=false \\\ + USE_LABELED_IPSEC=true \\\ + USE_LDAP=true \\\ + USE_LIBCAP_NG=true \\\ + USE_LIBCURL=true \\\ + USE_LINUX_AUDIT=true \\\ + USE_NM=true \\\ + USE_SECCOMP=true \\\ + USE_XAUTHPAM=true \\\ + USE_NSS_KDF=true \\\ +%{nil} + +%global prever rc1 + +Name: libreswan +Summary: IKE implementation for IPsec with IKEv1 and IKEv2 support +# version is generated in the release script +Version: 4.0 +Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist} +License: GPLv2 +Url: https://libreswan.org/ +Source0: https://download.libreswan.org/%{?prever:with_development/}%{name}-%{version}%{?prever}.tar.gz +%if 0%{with_cavstests} +Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2 +Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2 +Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2 +%endif +BuildRequires: audit-libs-devel +BuildRequires: bison +BuildRequires: curl-devel +BuildRequires: flex +BuildRequires: gcc make +BuildRequires: ldns-devel +BuildRequires: libcap-ng-devel +BuildRequires: libevent-devel +BuildRequires: libseccomp-devel +BuildRequires: libselinux-devel +BuildRequires: nspr-devel +BuildRequires: nss-devel >= %{nss_version} +BuildRequires: nss-tools +BuildRequires: openldap-devel +BuildRequires: 
pam-devel +BuildRequires: pkgconfig +BuildRequires: hostname +BuildRequires: redhat-rpm-config +BuildRequires: systemd-devel +BuildRequires: unbound-devel >= %{unbound_version} +BuildRequires: xmlto +%if 0%{with_efence} +BuildRequires: ElectricFence +%endif +Requires: iproute >= 2.6.8 +Requires: nss >= %{nss_version} +Requires: nss-softokn +Requires: nss-tools +Requires: unbound-libs >= %{unbound_version} +Requires(post): bash +Requires(post): coreutils +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd + +%description +Libreswan is an implementation of IKEv1 and IKEv2 for IPsec. IPsec is +the Internet Protocol Security and uses strong cryptography to provide +both authentication and encryption services. These services allow you +to build secure tunnels through untrusted networks. Everything passing +through the untrusted net is encrypted by the ipsec gateway machine and +decrypted by the gateway at the other end of the tunnel. The resulting +tunnel is a virtual private network or VPN. + +This package contains the daemons and userland tools for setting up +Libreswan. 
+ +Libreswan also supports IKEv2 (RFC7296) and Secure Labeling + +Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 + +%prep +%setup -q -n libreswan-%{version}%{?prever} + +# replace unsupported KLIPS README +echo "KLIPS is not supported with RHEL8" > README.KLIPS + +# linking to freebl is not needed +sed -i "s/-lfreebl //" mk/config.mk + +# enable crypto-policies support +sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in + + +%build +# link flags disable hardening because it fails on arm with what looks like gcc bugs in -Werror=lto-type-mismatch +make %{?_smp_mflags} \ +%if 0%{with_development} + OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \ +%else + OPTIMIZE_CFLAGS="%{optflags}" \ +%endif +%if 0%{with_efence} + USE_EFENCE=true \ +%endif + WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch -Wno-maybe-uninitialized" \ + USERLINK="-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -flto --no-lto" \ + %{libreswan_config} \ + programs +FS=$(pwd) + +%install +make \ + DESTDIR=%{buildroot} \ + %{libreswan_config} \ + install +FS=$(pwd) +rm -rf %{buildroot}/usr/share/doc/libreswan +rm -rf %{buildroot}%{_libexecdir}/ipsec/*check + +install -d -m 0755 %{buildroot}%{_rundir}/pluto +install -d %{buildroot}%{_sbindir} + +install -d %{buildroot}%{_sysconfdir}/sysctl.d +install -m 0644 packaging/fedora/libreswan-sysctl.conf \ + %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf + +echo "include %{_sysconfdir}/ipsec.d/*.secrets" \ + > %{buildroot}%{_sysconfdir}/ipsec.secrets +rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc* + +%if 0%{with_cavstests} +%check +# There is an elaborate upstream testing infrastructure which we do not +# run here - it takes hours and uses kvm +# We only run the CAVS tests. +cp %{SOURCE1} %{SOURCE2} %{SOURCE3} . 
+bunzip2 *.fax.bz2 + +: starting CAVS test for IKEv2 +%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \ + diff -u ikev2.fax - > /dev/null +: starting CAVS test for IKEv1 RSASIG +%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \ + diff -u ikev1_dsa.fax - > /dev/null +: starting CAVS test for IKEv1 PSK +%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \ + diff -u ikev1_psk.fax - > /dev/null +: CAVS tests passed + +%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; } +%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; } + +# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode +tmpdir=$(mktemp -d /tmp/libreswan-XXXXX) +certutil -N -d sql:$tmpdir --empty-password +%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir +: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST + +%endif + +%post +%systemd_post ipsec.service + +%preun +%systemd_preun ipsec.service + +%postun +%systemd_postun_with_restart ipsec.service + +%files +%doc CHANGES COPYING CREDITS README* LICENSE +%doc docs/*.* docs/examples +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf +%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets +%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d +%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/* +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf +%attr(0755,root,root) %dir %{_rundir}/pluto +%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf +%attr(0644,root,root) %{_unitdir}/ipsec.service +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto +%{_sbindir}/ipsec +%{_libexecdir}/ipsec +%attr(0644,root,root) %doc %{_mandir}/*/* + +%changelog +* Wed Sep 30 14:05:58 EDT 2020 Paul Wouters - 4.0-0.2.rc1 +- Rebuild 
for libevent 2.1.12 with a soname bump + +* Sun Sep 27 22:49:40 EDT 2020 Paul Wouters - 4.0-0.1.rc1 +- Updated to 4.0rc1 + +* Thu Aug 27 2020 Paul Wouters - 3.32-4 +- Resolves: rhbz#1864043 libreswan: FTBFS in Fedora rawhide/f33 + +* Sat Aug 01 2020 Fedora Release Engineering - 3.32-3.2 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 28 2020 Fedora Release Engineering - 3.32-3.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jun 30 2020 Jeff Law - 3.32-3 +- Initialize ppk_id_p in ikev2_parent_inR1outI2_tail to avoid uninitialized + object + +* Tue May 26 2020 Paul Wouters - 3.32-2 +- Backport NSS guarding fix for unannounced changed api in NSS causing segfault + +* Mon May 11 2020 Paul Wouters - 3.32-1 +- Resolves: rhbz#1809770 libreswan-3.32 is available + +* Tue Apr 14 2020 Paul Wouters - 3.31-2 +- Resolves: rhbz#1823823 Please drop the dependency on fipscheck + +* Tue Mar 03 2020 Paul Wouters - 3.31-1 +- Resolves: rhbz#1809770 libreswan-3.31 is available (fixes rekey regression) + +* Fri Feb 14 2020 Paul Wouters - 3.30-1 +- Resolves: rhbz#1802896 libreswan-3.30 is available +- Resolves: rhbz#1799598 libreswan: FTBFS in Fedora rawhide/f32 +- Resolves: rhbz#1760571 [abrt] libreswan: configsetupcheck(): verify:366:configsetupcheck:TypeError: + +* Wed Jan 29 2020 Fedora Release Engineering - 3.29-2.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Thu Jan 09 2020 Paul Wouters - 3.29-2 +- _updown.netkey: fix syntax error in checking routes + +* Thu Jul 25 2019 Fedora Release Engineering - 3.29-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Mon Jun 10 2019 Paul Wouters - 3.29-1 +- Resolves: rhbz#1718986 Updated to 3.29 for CVE-2019-10155 + +* Tue May 21 2019 Paul Wouters - 3.28-1 +- Updated to 3.28 (many imported bugfixes, including CVE-2019-12312) + +* Fri Feb 01 2019 Fedora Release Engineering - 3.27-1.2 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Jan 14 2019 Björn Esser - 3.27-1.1 +- Rebuilt for libcrypt.so.2 (#1666033) + +* Mon Oct 08 2018 Paul Wouters - 3.27-1 +- Updated to 3.27 (various bugfixes) + +* Thu Sep 27 2018 Paul Wouters - 3.26-3 +- Add fedora python fixup for _unbound-hook + +* Mon Sep 17 2018 Paul Wouters - 3.26-2 +- linking against freebl is no longer needed (and wasn't done in 3.25) + +* Mon Sep 17 2018 Paul Wouters - 3.26-1 +- Updated to 3.26 (CHACHA20POLY1305, ECDSA and RSA-PSS support) + +* Fri Jul 13 2018 Fedora Release Engineering - 3.25-3.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jul 09 2018 Paul Wouters - 3.25-3 +- Fix Opportunistic IPsec _unbound-hook argument parsing +- Make rundir readable for all (so we can hand out permissions later) + +* Mon Jul 02 2018 Paul Wouters - 3.25-2 +- Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors + +* Wed Jun 27 2018 Paul Wouters - 3.25-1 +- Updated to 3.25 + +* Mon Feb 19 2018 Paul Wouters - 3.23-2 +- Support crypto-policies package +- Pull in some patches from upstream and IANA registry updates +- gcc7 format-truncate fixes and workarounds + +* Wed Feb 07 2018 Fedora Release Engineering - 3.23-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jan 25 2018 Paul Wouters - 3.23-1 +- Updated to 3.23 - support for MOBIKE, PPK, CMAC, nic offload and performance improvements + +* Sat Jan 20 2018 Björn Esser - 3.22-1.1 +- Rebuilt for switch to libxcrypt + +* Mon Oct 23 2017 Paul Wouters - 3.22-1 +- Updated to 3.22 - many bugfixes, and unbound ipsecmod support + +* Wed Aug 9 2017 Paul Wouters - 3.21-1 +- Updated to 3.21 + +* Thu Aug 03 2017 Fedora Release Engineering - 3.20-1.2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 3.20-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* 
Tue Mar 14 2017 Paul Wouters - 3.20-1 +- Updated to 3.20 + +* Fri Mar 03 2017 Paul Wouters - 3.20-0.1.dr4 +- Update to 3.20dr4 to test mozbz#1336487 export CERT_CompareAVA + +* Fri Feb 10 2017 Fedora Release Engineering - 3.19-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Feb 03 2017 Paul Wouters - 3.19-2 +- Resolves: rhbz#1392191 libreswan: crash when OSX client connects +- Improved uniqueid and session replacing support +- Test Buffer warning fix on size_t +- Re-introduce --configdir for backwards compatibility + +* Sun Jan 15 2017 Paul Wouters - 3.19-1 +- Updated to 3.19 (see download.libreswan.org/CHANGES) + +* Mon Dec 19 2016 Miro Hrončok - 3.18-1.1 +- Rebuild for Python 3.6 + +* Fri Jul 29 2016 Paul Wouters - 3.18-1 +- Updated to 3.18 for CVE-2016-5391 rhbz#1361164 and VTI support +- Remove support for /etc/sysconfig/pluto (use native systemd instead) + +* Thu May 05 2016 Paul Wouters - 3.17-2 +- Resolves: rhbz#1324956 prelink is gone, /etc/prelink.conf.d/* is no longer used + +* Thu Apr 07 2016 Paul Wouters - 3.17-1 +- Updated to 3.17 for CVE-2016-3071 +- Disable LIBCAP_NG as it prevents unbound-control from working properly +- Temporarilly disable WERROR due to a few minor known issues + +* Thu Feb 04 2016 Fedora Release Engineering - 3.16-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Dec 18 2015 Paul Wouters - 3.16-1 +- Updated to 3.16 (see https://download.libreswan.org/CHANGES) + +* Tue Aug 11 2015 Paul Wouters - 3.15-1 +- Updated to 3.15 (see http://download.libreswan.org/CHANGES) +- Resolves: rhbz#CVE-2015-3240 IKE daemon restart when receiving a bad DH gx +- NSS database creation moved from spec file to service file +- Run CAVS tests on package build +- Added BuildRequire systemd-units and xmlto +- Bumped minimum required nss to 3.16.1 +- Install tmpfiles +- Install sysctl file +- Update doc files to include + +* Mon Jul 13 2015 Paul Wouters - 3.13-2 +- Resolves: rhbz#1238967 
Switch libreswan to use python3 + +* Wed Jun 17 2015 Fedora Release Engineering - 3.13-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Jun 01 2015 Paul Wouters - 3.13-1 +- Updated to 3.13 for CVE-2015-3204 + +* Fri Nov 07 2014 Paul Wouters - 3.12-1 +- Updated to 3.12 Various IKEv2 fixes + +* Wed Oct 22 2014 Paul Wouters - 3.11-1 +- Updated to 3.11 (many fixes, including startup fixes) +- Resolves: rhbz#1144941 libreswan 3.10 upgrade breaks old ipsec.secrets configs +- Resolves: rhbz#1147072 ikev1 aggr mode connection fails after libreswan upgrade +- Resolves: rhbz#1144831 Libreswan appears to start with systemd before all the NICs are up and running + +* Tue Sep 09 2014 Paul Wouters - 3.10-3 +- Fix some coverity issues, auto=route on bootup and snprintf on 32bit machines + +* Mon Sep 01 2014 Paul Wouters - 3.10-1 +- Updated to 3.10, major bugfix release, new xauth status options + +* Sun Aug 17 2014 Fedora Release Engineering - 3.9-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Thu Jul 10 2014 Paul Wouters - 3.9-1 +- Updated to 3.9. 
IKEv2 enhancements, ESP/IKE algo enhancements +- Mark libreswan-fips.conf as config file +- attr modifier for man pages no longer needed +- BUGS file no longer exists upstream + +* Sat Jun 07 2014 Fedora Release Engineering - 3.8-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sat Jan 18 2014 Paul Wouters - 3.8-1 +- Updated to 3.8, fixes rhbz#CVE-2013-6467 (rhbz#1054102) + +* Wed Dec 11 2013 Paul Wouters - 3.7-1 +- Updated to 3.7, fixes CVE-2013-4564 +- Fixes creating a bogus NSS db on startup (rhbz#1005410) + +* Thu Oct 31 2013 Paul Wouters - 3.6-1 +- Updated to 3.6 (IKEv2, MODECFG, Cisco interop fixes) +- Generate empty NSS db if none exists + +* Mon Aug 19 2013 Paul Wouters - 3.5-3 +- Add a Provides: for openswan-doc + +* Sat Aug 03 2013 Fedora Release Engineering - 3.5-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Jul 15 2013 Paul Wouters - 3.5-2 +- Added interop patch for (some?) Cisco VPN clients sending 16 zero + bytes of extraneous IKE data +- Removed fipscheck_version + +* Sat Jul 13 2013 Paul Wouters - 3.5-1 +- Updated to 3.5 + +* Thu Jun 06 2013 Paul Wouters - 3.4-1 +- Updated to 3.4, which only contains style changes to kernel coding style +- IN MEMORIAM: June 3rd, 2013 Hugh Daniel + +* Mon May 13 2013 Paul Wouters - 3.3-1 +- Updated to 3.3, which resolves CVE-2013-2052 + +* Sat Apr 13 2013 Paul Wouters - 3.2-1 +- Initial package for Fedora diff --git a/sources b/sources new file mode 100644 index 0000000..78c1d33 --- /dev/null +++ b/sources 
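Review bot: `WERROR_CFLAGS` in %build passes `-Wno-maybe-uninitialized`, which silences exactly the warning class that libreswan-3.30-s390x.patch and libreswan-3.32-uninitialized.patch in this same commit were written to fix, so the next such regression will build cleanly under `-Werror`; if the flag works around a specific false positive, a comment naming it beside the flag would allow it to be dropped later. In %check, `tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)` creates an NSS database for the pluto self-test and never removes it; adding `rm -rf "$tmpdir"` after the self-test line (and using plain `mktemp -d` so TMPDIR is honoured) keeps the build host clean. The %prep string `"KLIPS is not supported with RHEL8"` also reads oddly in a RHEL 9 bootstrap, though that is inherited Fedora wording.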
@@ -0,0 +1,4 @@ +SHA512 (ikev1_dsa.fax.bz2) = 627cbac14248bd68e8d22fbca247668a7749ef0c2e41df8d776d62df9a21403d3a246c0bd82c3faedce62de90b9f91a87f753e17b056319000bba7d2038461ac +SHA512 (ikev1_psk.fax.bz2) = 1b2daec32edc56b410c036db2688c92548a9bd9914994bc7e555b301dd6db4497a6b3e89dc12ddf36826ae90b40fcde501a5a45c0d59098e07839073d219d467 +SHA512 (ikev2.fax.bz2) = 0d3748d1bd574f6f1f3e4db847eca126ce649566ea710ef227426f433122752b80d1d6b8acf9d0df07b5597c1e45447e3a2fcb3391756e834e8e75f99df8e51e +SHA512 (libreswan-4.0rc1.tar.gz) = 3ae36e477c6891f94b5d82b1a0ecb05a8413eab96125e6ae92289164b797538cf53cf6825dd1d4699bfdd4c49f68cc65097024f5b1ea9464226dae75abc5c669 diff --git a/tests/tests.yml b/tests/tests.yml new file mode 100644 index 0000000..1d79939 --- /dev/null +++ b/tests/tests.yml @@ -0,0 +1,14 @@ +# Tests for libreswan using NM's tests +- hosts: localhost + roles: + - role: standard-test-basic + tags: + - classic + repositories: + - repo: "https://gitlab.freedesktop.org/NetworkManager/NetworkManager-ci" + dest: "NetworkManager-ci" + tests: + - sanity-tests: + dir: NetworkManager-ci + run: run/osci/run-tests libreswan +
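Review bot: The `repositories:` entry in tests.yml clones `https://gitlab.freedesktop.org/NetworkManager/NetworkManager-ci` at whatever its default branch currently points to and then executes `run/osci/run-tests libreswan` from that checkout, so package CI runs unpinned third-party code and a given result cannot be reproduced later. Pinning the checkout to a tag or commit (a revision key on the repository entry if the standard-test-basic role supports one, otherwise at least a comment such as `# pinned to NetworkManager-ci <COMMIT_ID>` with the real revision filled in) addresses both reproducibility and the supply-chain exposure. The `sources` hunk on the same line is hash data only and needs no change.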