import CS libreswan-5.3-8.el10

2026-04-07 06:32:13 -04:00 · 2026-04-07 06:32:13 -04:00 · 59af7ff77a
commit 59af7ff77a
parent 99c859447e
7 changed files with 1232 additions and 28 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,4 @@
 ikev1_dsa.fax.bz2
 ikev1_psk.fax.bz2
 ikev2.fax.bz2
-libreswan-5.2.tar.gz
+libreswan-5.3.tar.gz
--- a/libreswan-5.2.tar.gz.asc
+++ b/libreswan-5.2.tar.gz.asc
@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQJHBAABCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAme/mHcTHHRlYW1AbGli
-cmVzd2FuLm9yZwAKCRCF/0tDsw/G+Y95D/981PfZO85XO4a6Db18FJEfe3lt4pWY
-aEIuE//BPruXi6hAAC3+6kzrujT9zxavwecRRr7YXqh3nXyXTTYK/KoK9jp0rqkC
-0orOQb/JO9Gba2PQQU66F37hfQKmxx6ewzZJBjyOERlCaMRU7Rp5cSQv/6XqJqdj
-HAd+wJYIMP8a6NWPiXR9/0gh25slXcLHBSrAtRWXU9rMnh6mEBfGGRfBe1yuw8TQ
-+HUf0LrL8YJTPWPRC4jWAP9NE7IILDzFAD+g/JZKmm9cEhqBbQR66SEbQpJEEh+h
-gDObF2FdXRF8Ya/otSjiI18FcXrg6owSH+e22NKNTdOjJl0j40rM+EVm/fYUNgKx
-FcJ68H42jC1NRJ56k87kC1EGmPXIOfh/N8MwOv2OHyekU5QTR5lUP3nLSS3+9z8m
-f4egcBR/1sVIA+8+boWMQVH9Jt7e/UvpTWmDSNoN847OgFx7R1K3PMKeuMM+hXmp
-izjWZqEbqJ9u1LhToYHW76Ya1QDUWawNQcBNFzzIZn6l1eiS5FS9XzBk0ygA9SJa
-XXvWHmybhem1mMiZYL0fdMtpoVJyxCWG02wt0fYi0CCFjWZYnXUfz37jCgMgU5ML
-7awN/qujryXvFI6siBYz7+HwykvRPrz9Z2lm/okkPjHuoBiUZ5DKWSRTN+WqZFRU
-SR5d2j3Nup2DXg==
-=nmjl
-----END PGP SIGNATURE-----
--- a/libreswan-5.3-helper-thread.patch
+++ b/libreswan-5.3-helper-thread.patch
@ -0,0 +1,97 @@
+From eb31dda36d082e33749bc294d56ec493a094336d Mon Sep 17 00:00:00 2001
+From: Andrew Cagney <cagney@gnu.org>
+Date: Sun, 16 Nov 2025 10:33:53 -0500
+Subject: [PATCH] helpers: work around NSS by joining helper threads
+
+Much of the analysis and testing by Ondrej Moris
+
+NSS attaches stuff to the threads onexit queue that must
+be run before the main thread exits (if it doesn't things
+explode during shutdown).
+
+See: Race condition in helper_thread_stopped_callback() #2461
+See: PR_Cleanup() doesn't wait for pthread_create() threads
+https://bugzilla.mozilla.org/show_bug.cgi?id=1992272
+---
+ programs/pluto/server_pool.c | 42 +++++++++++++++++++++++++++++++-----
+ 1 file changed, 37 insertions(+), 5 deletions(-)
+
+diff --git a/programs/pluto/server_pool.c b/programs/pluto/server_pool.c
+index 056a007301..5c7dc5e18d 100644
+--- a/programs/pluto/server_pool.c
+++ b/programs/pluto/server_pool.c
+@@ -275,6 +275,22 @@ static void *helper_thread(void *arg)
+ 	dbg("helper %u: telling main thread that it is exiting", w->helper_id);
+ 	schedule_callback("helper stopped", deltatime(0), SOS_NOBODY,
+ 			  helper_thread_stopped_callback, NULL);
+	/*
+	 * Danger.  This isn't the end.
+	 *
+	 * NSS still has stuff in thread-exit handlers to execute and
+	 * there's no clean way of forcing its execution (and if it
+	 * isn't allowed to run NSS crashes!).  Hence, the main thread
+	 * will need to wait for this thread to exit.
+	 *
+	 * But wait, there's more.  The main thread also needs to keep
+	 * the event loop running while these threads are exiting so
+	 * ptread_join() needs to be called with care.
+	 *
+	 * See: Race condition in helper_thread_stopped_callback() #2461
+	 * See: PR_Cleanup() doesn't wait for pthread_create() threads
+	 * https://bugzilla.mozilla.org/show_bug.cgi?id=1992272
+	 */
+ 	return NULL;
+ }
+ 
+@@ -589,10 +605,6 @@ void start_server_helpers(uintmax_t nhelpers, struct logger *logger)
+ 
+ /*
+  * Repeatedly nudge the helper threads until they all exit.
+- *
+- * Note that pthread_join() doesn't work here: an any-thread join may
+- * end up joining an unrelated thread (for instance the CRL helper);
+- * and a specific thread join may block waiting for the wrong thread.
+  */
+ 
+ static void (*server_helpers_stopped_callback)(void);
+@@ -605,6 +617,17 @@ static void helper_thread_stopped_callback(const char *story UNUSED,
+ 	dbg("one helper thread exited, %u remaining",
+ 	    helper_threads_started-helper_threads_stopped);
+ 
+	/*
+	 * Danger:
+	 *
+	 * Delay joining W.pid until all helper threads have exited.
+	 * This way the event-loop is kept running.
+	 *
+	 * Even though W is on the exit path it still needs to execute
+	 * NSS's thread exit code - who knows what that is doing and
+	 * how long it will take -
+	 */
+
+ 	/* wait for more? */
+ 	if (helper_threads_started > helper_threads_stopped) {
+ 		/* poke threads waiting for work */
+@@ -612,9 +635,18 @@ static void helper_thread_stopped_callback(const char *story UNUSED,
+ 		return;
+ 	}
+ 
+-	/* all done; cleanup */
+	 /*
+	  * All done; cleanup
+	  *
+	  * All helper threads are on the exit war-path so, hopefully,
+	  * this join will not block (but no telling what NSS did).
+	  */
+ 	for (unsigned h = 0; h < helper_threads_started; h++) {
+ 		struct helper_thread *w = &helper_threads[h];
+		int e = pthread_join(w->pid, NULL);
+		if (e != 0) {
+			llog_errno(RC_LOG, w->logger, e, "WARNING: pthread_join() failed, ");
+		}
+ 		free_logger(&w->logger, HERE);
+ 	}
+ 
+-- 
+2.52.0
+
--- a/libreswan-5.3-outstanding-ike-auth-crossing.patch
+++ b/libreswan-5.3-outstanding-ike-auth-crossing.patch
--- a/libreswan-5.3.tar.gz.asc
+++ b/libreswan-5.3.tar.gz.asc
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJHBAABCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAmhmv0ETHHRlYW1AbGli
+cmVzd2FuLm9yZwAKCRCF/0tDsw/G+Z24D/98iYhm+GlrtA3RIRWK/SptlXzR+Wq9
+8oL7qU1PiI/ncY9srFvQM4IG1IocPwIWWNPnTU4WVw0/6NRkkH0n9hXdFX6UTOdV
+yrXr8fLKXAthtOJp0oKxs8GZEPqdY06b5AobhhclxzAqGArLwqyzoAHirAB44ia7
+s/1L8krVj1tMdXSbFH3/DaKiduYK460iPNC3zPw+WtsfnGN6ByaNmrAugxfB8ler
+CuilM8mmi5OKq7DZMCH52A7ZNC8I1EkSnXUcPU8JNC097JsIfQyH3VCudwlFifxJ
+sAi4AsEdOCwP2LOm+zvyEjNa0XFIBdRC+YBSMugPWcBWxP+IyspDNc7f8y27Rqva
+kTa/Xd2M6ZeYPw+sdfd+2gMXr8mS7U0OzL7Y0Bmz2ESpmEVTQ8xYf6hEY3hdv1Mz
+aBeY8UpvxEb6mSMJZjOCFLusYJNrbSCtiZlJZbTvPekTxT3xHPa6GZ5CX2hGR+Tn
+RsBQjuqgoqMCakt0rfx+ikVp3ufoUREZKpuGoVW1GPXQTJ9uNzVTjDMHH9M9+o90
+DE75ZHuwvEMnAkfWf3FTr2OQdk3OXFLsQn7bjleoy+gjXdUH0cTIg670EZmnyela
+xv9NjxG047NPFXfLZ3xTIrV6zqETVtG3YiWQlMdGVKjbm8F8UdZN0YXOmJaXks02
+2x+S0v04SBwxEg==
+=iJlv
+-----END PGP SIGNATURE-----
--- a/libreswan.spec
+++ b/libreswan.spec
@ -2,7 +2,7 @@
 ## (rpmautospec version 0.6.5)
 ## RPMAUTOSPEC: autorelease, autochangelog
 %define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
-    release_number = 1;
+    release_number = 8;
    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
    print(release_number + base_release_number - 1);
 }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@ -21,6 +21,7 @@
    MANDIR=%{_mandir} \\\
    PREFIX=%{_prefix} \\\
    INITSYSTEM=systemd \\\
+    SBINDIR=%{_sbindir} \\\
    SHELL_BINARY=%{_bindir}/sh \\\
    USE_DNSSEC=true \\\
    USE_LABELED_IPSEC=true \\\
@ -39,7 +40,7 @@
 Name: libreswan
 Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
 # version is generated in the release script
-Version: 5.2
+Version: 5.3
 Release: %autorelease
 # The code in lib/libswan/nss_copies.c is under MPL-2.0, while the
 # rest is under GPL-2.0-or-later
@ -55,6 +56,8 @@ Source5: https://download.libreswan.org/cavs/ikev2.fax.bz2
 %endif

 Patch1: libreswan-4.15-ipsec_import.patch
+Patch2: libreswan-5.3-outstanding-ike-auth-crossing.patch
+Patch3: libreswan-5.3-helper-thread.patch

 BuildRequires: audit-libs-devel
 BuildRequires: bison
@ -86,15 +89,12 @@ BuildRequires: ElectricFence
 Requires: iproute >= 2.6.8
 Requires: nss >= %{nss_version}
 Requires: nss-softokn
-Requires: nss-tools
-Requires: unbound-libs >= %{unbound_version}
 Requires: logrotate
 # for pidof
 Requires: procps-ng

-
-Requires(post): bash
-Requires(post): coreutils
+Requires: %{name}-minimal%{?_isa} = %{version}-%{release}
+Obsoletes: %{name} < 5.3-5
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
@ -115,6 +115,26 @@ Libreswan also supports IKEv2 (RFC7296) and Secure Labeling

 Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04

+%package minimal
+Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec (minimal version)
+Requires(post): bash
+Requires(post): coreutils
+Requires: nss-tools
+Requires: unbound-libs >= %{unbound_version}
+Obsoletes: %{name} < 5.3-5
+
+%description minimal
+Libreswan is a free implementation of IPsec & IKE for Linux.  IPsec is
+the Internet Protocol Security and uses strong cryptography to provide
+both authentication and encryption services.  These services allow you
+to build secure tunnels through untrusted networks.  Everything passing
+through the untrusted net is encrypted by the ipsec gateway machine and
+decrypted by the gateway at the other end of the tunnel.  The resulting
+tunnel is a virtual private network or VPN.
+
+This package contains the minimal set of daemons and userland tools
+for setting up Libreswan.
+
 %prep
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %setup -q -n libreswan-%{version}%{?prever}
@ -197,6 +217,8 @@ certutil -N -d sql:$tmpdir --empty-password

 %post
 %systemd_post ipsec.service
+
+%post minimal
 %sysctl_apply 50-libreswan.conf

 %preun
@ -208,6 +230,10 @@ certutil -N -d sql:$tmpdir --empty-password
 %files
 %doc CHANGES COPYING CREDITS README* LICENSE
 %doc docs/*.* docs/examples
+%attr(0644,root,root) %{_unitdir}/ipsec.service
+%doc %{_mandir}/*/*
+
+%files minimal
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
 %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
@ -218,15 +244,40 @@ certutil -N -d sql:$tmpdir --empty-password
 %attr(0700,root,root) %dir %{_sharedstatedir}/ipsec
 %attr(0700,root,root) %dir %{_sharedstatedir}/ipsec/nss
 %attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
-%attr(0644,root,root) %{_unitdir}/ipsec.service
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
 %config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
 %{_sbindir}/ipsec
 %{_libexecdir}/ipsec
-%doc %{_mandir}/*/*

 %changelog
 ## START: Generated by rpmautospec
+* Wed Mar 18 2026 Daiki Ueno <dueno@redhat.com> - 5.3-8
+- Bump release number
+
+* Tue Mar 17 2026 Ondrej Moris <omoris@redhat.com> - 5.3-7
+- ikev2: use nonces to tie-break simultaneous IKE
+
+* Tue Mar 17 2026 Ondrej Moris <omoris@redhat.com> - 5.3-6
+- CI: Update CI plan url
+
+* Mon Feb 23 2026 Daiki Ueno <dueno@redhat.com> - 5.3-5
+- Subpackage minimal set of daemons into -minimal
+
+* Tue Feb 03 2026 Daiki Ueno <dueno@redhat.com> - 5.3-4
+- pluto: reject crossing IKE_AUTH request only for the one side
+
+* Wed Jan 14 2026 Andrew Cagney <cagney@gnu.org> - 5.3-3
+- helpers: work around NSS by joining helper threads
+
+* Fri Jan 09 2026 Ondrej Moris <omoris@redhat.com> - 5.3-2
+- ikev2: reject simultaneous IKE_AUTH requests
+
+* Fri Jul 11 2025 Daiki Ueno <dueno@redhat.com> - 5.3-1
+- Update to libreswan-5.3
+
+* Wed Jun 18 2025 Daiki Ueno <dueno@redhat.com> - 5.2-2
+- ipsec delete: expect no IKE only for orphan child
+
 * Thu Mar 06 2025 Daiki Ueno <dueno@redhat.com> - 5.2-1
 - Update to libreswan 5.2

--- a/2
+++ b/2
@ -1,4 +1,4 @@
 SHA512 (ikev1_dsa.fax.bz2) = 627cbac14248bd68e8d22fbca247668a7749ef0c2e41df8d776d62df9a21403d3a246c0bd82c3faedce62de90b9f91a87f753e17b056319000bba7d2038461ac
 SHA512 (ikev1_psk.fax.bz2) = 1b2daec32edc56b410c036db2688c92548a9bd9914994bc7e555b301dd6db4497a6b3e89dc12ddf36826ae90b40fcde501a5a45c0d59098e07839073d219d467
 SHA512 (ikev2.fax.bz2) = 0d3748d1bd574f6f1f3e4db847eca126ce649566ea710ef227426f433122752b80d1d6b8acf9d0df07b5597c1e45447e3a2fcb3391756e834e8e75f99df8e51e
-SHA512 (libreswan-5.2.tar.gz) = 5c87edc879914158ba9c4c2a0edcd6fac0787b16d3c6a50c268cbd675c51cdec94e509031bc226680c0d40bd3375d73007cae5ee0588c136292e3f34cb759694
+SHA512 (libreswan-5.3.tar.gz) = 338fb82a9969da8fa78f64ec9eda0e3dcd216d6b8333a6f966ba839e31d3eb5fdd94613f0fff934be16ff8d84f6f4265c8b35f37c642569e042f65a58038ba0d