diff --git a/libreswan-3.23-crypto-policies.patch b/libreswan-3.23-crypto-policies.patch deleted file mode 100644 index 1aca3db..0000000 --- a/libreswan-3.23-crypto-policies.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -diff --git a/lib/libipsecconf/parser.l b/lib/libipsecconf/parser.l -index c41dd8048..cc2faf5c9 100644 ---- a/lib/libipsecconf/parser.l -+++ b/lib/libipsecconf/parser.l -@@ -160,7 +160,9 @@ static int parser_y_nextglobfile(struct ic_inputsource *iis) - char ebuf[128]; - - snprintf(ebuf, sizeof(ebuf), -- "cannot open include filename: '%s': %s", -+ (strstr(iis->filename, "crypto-policies/back-ends/libreswan.config") == NULL) ? -+ "cannot open include filename: '%s': %s" : -+ "ignored loading default system-wide crypto-policies file '%s': %s", - iis->fileglob.gl_pathv[fcnt], - strerror(errno)); - yyerror(ebuf); -diff --git a/programs/configs/ipsec.conf.in b/programs/configs/ipsec.conf.in -index 7374efc3c..974699f01 100644 ---- a/programs/configs/ipsec.conf.in -+++ b/programs/configs/ipsec.conf.in -@@ -1,27 +1,18 @@ - # @FINALCONFDIR@/ipsec.conf - Libreswan IPsec configuration file - # --# Manual: ipsec.conf.5 -+# see 'man ipsec.conf' and 'man pluto' for more information -+# -+# For example configurations and documentation, see https://libreswan.org/wiki/ - - config setup -- # Normally, pluto logs via syslog. If you want to log to a file, -- # specify below or to disable logging, eg for embedded systems, use -- # the file name /dev/null -- # Note: SElinux policies might prevent pluto writing to a log file at -- # an unusual location. -+ # Normally, pluto logs via syslog. - #logfile=/var/log/pluto.log - # - # Do not enable debug options to debug configuration issues! - # -- # plutodebug "all", "none" or a combation from below: -- # "raw crypt parsing emitting control controlmore kernel pfkey -- # natt x509 dpd dns oppo oppoinfo private". -- # Note: "private" is not included with "all", as it can show confidential -- # information. 
It must be specifically specified -- # examples: - # plutodebug="control parsing" - # plutodebug="all crypt" -- # Again: only enable plutodebug when asked by a developer -- #plutodebug=none -+ plutodebug=none - # - # NAT-TRAVERSAL support - # exclude networks used on server side by adding %v4:!a.b.c.0/24 -@@ -30,10 +21,8 @@ config setup - # This range has never been announced via BGP (at least up to 2015) - virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 - --# For example connections, see your distribution's documentation directory, --# or https://libreswan.org/wiki/ --# --# There is also a lot of information in the manual page, "man ipsec.conf" --# -+# if it exists, include system wide crypto-policy defaults -+include /etc/crypto-policies/back-ends/libreswan.config -+ - # It is best to add your IPsec connections as separate files in @IPSEC_CONFDDIR@/ - include @IPSEC_CONFDDIR@/*.conf diff --git a/libreswan-3.23-fixups.patch b/libreswan-3.23-fixups.patch deleted file mode 100644 index f674916..0000000 --- a/libreswan-3.23-fixups.patch +++ /dev/null 
@@ -1,507 +0,0 @@ -diff -Naur libreswan-3.23-orig/programs/pluto/connections.c libreswan-3.23/programs/pluto/connections.c ---- libreswan-3.23-orig/programs/pluto/connections.c 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/connections.c 2018-02-05 14:38:49.372280712 -0500 -@@ -3158,10 +3158,8 @@ - matching_peer_id && matching_peer_ca && matching_requested_ca, - matching_peer_id, matching_peer_ca, matching_requested_ca);}); - -- /* Ignore template from which we instantiated - this should never happen */ - if (c->kind == CK_INSTANCE && d->kind == CK_TEMPLATE && streq(c->name, d->name)) { -- libreswan_log("Warning: not switching back to template of current instance (FIXME)"); -- continue; -+ DBG(DBG_CONTROLMORE, DBG_log("template conn fits better than instance of it - different client on same IP/port requires new instance")); - } - - /* 'You Tarzan, me Jane' check based on received IDr */ -diff -Naur libreswan-3.23-orig/programs/pluto/hostpair.c libreswan-3.23/programs/pluto/hostpair.c ---- libreswan-3.23-orig/programs/pluto/hostpair.c 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/hostpair.c 2018-02-05 14:38:57.865635032 -0500 -@@ -144,17 +144,6 @@ - hisport = pluto_port; - - for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next) { -- if (p->connections != NULL && (p->connections->kind == CK_INSTANCE) && -- (p->connections->spd.that.id.kind == ID_NULL)) -- { -- DBG(DBG_CONTROLMORE, { -- char ci[CONN_INST_BUF]; -- DBG_log("find_host_pair: ignore CK_INSTANCE with ID_NULL hp:\"%s\"%s", -- p->connections->name, -- fmt_conn_instance(p->connections, ci)); -- }); -- continue; -- } - - DBG(DBG_CONTROLMORE, { - ipstr_buf b1; -diff -Naur libreswan-3.23-orig/programs/pluto/ikev2.h libreswan-3.23/programs/pluto/ikev2.h ---- libreswan-3.23-orig/programs/pluto/ikev2.h 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/ikev2.h 2018-02-05 14:39:11.171190105 -0500 -@@ -162,7 +162,9 @@ - extern bool 
ikev2_calculate_rsa_sha1(struct state *st, - enum original_role role, - unsigned char *idhash, -- pb_stream *a_pbs); -+ pb_stream *a_pbs, -+ bool calc_no_ppk_auth, -+ chunk_t *no_ppk_auth); - - extern bool ikev2_create_psk_auth(enum keyword_authby authby, - struct state *st, -diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_parent.c libreswan-3.23/programs/pluto/ikev2_parent.c ---- libreswan-3.23-orig/programs/pluto/ikev2_parent.c 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/ikev2_parent.c 2018-02-05 14:39:11.173190188 -0500 -@@ -2783,7 +2783,9 @@ - - switch (a.isaa_type) { - case IKEv2_AUTH_RSA: -- if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs)) { -+ if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs, -+ FALSE, /* store-only not set */ -+ NULL /* store-only chunk unused */)) { - loglog(RC_LOG_SERIOUS, "Failed to find our RSA key"); - return STF_FATAL; - } -@@ -2792,7 +2794,7 @@ - case IKEv2_AUTH_PSK: - case IKEv2_AUTH_NULL: - if (!ikev2_create_psk_auth(authby, pst, idhash_out, &a_pbs, -- FALSE /* store-only not set */, -+ FALSE, /* store-only not set */ - NULL /* store-only chunk unused */)) { - loglog(RC_LOG_SERIOUS, "Failed to find our PreShared Key"); - return STF_FATAL; -@@ -2812,7 +2814,9 @@ - return STF_INTERNAL_ERROR; - } - -- if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs)) { -+ if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs, -+ FALSE, /* store-only not set */ -+ NULL /* store-only chunk unused */)) { - loglog(RC_LOG_SERIOUS, "DigSig: failed to find our RSA key"); - return STF_FATAL; - } -@@ -3224,7 +3228,7 @@ - hmac_update(&id_ctx, id_start, id_len); - hmac_final(idhash, &id_ctx); - -- if (pst->st_sk_pi_no_ppk != NULL) { -+ if (pst->st_seen_ppk && !LIN(POLICY_PPK_INSIST, pc->policy)) { - struct hmac_ctx id_ctx_npa; - - hmac_init(&id_ctx_npa, pst->st_oakley.ta_prf, pst->st_sk_pi_no_ppk); -@@ -3371,7 +3375,7 @@ - notifies++; - - if (pst->st_seen_ppk) -- notifies++; /* used for two 
payloads */ -+ notifies++; /* used for one or two payloads */ - - /* code does not support AH + ESP, not recommend rfc8221 section-4 */ - struct ipsec_proto_info *proto_info -@@ -3437,21 +3441,24 @@ - } - if (pst->st_seen_ppk) { - chunk_t notify_data = create_unified_ppk_id(&ppk_id_p); -+ int np = LIN(POLICY_PPK_INSIST, cc->policy) ? ISAKMP_NEXT_v2NONE : ISAKMP_NEXT_v2N; - -- notifies--; /* used for 2 payloads */ -- if (!ship_v2N(ISAKMP_NEXT_v2N, ISAKMP_PAYLOAD_NONCRITICAL, -- PROTO_v2_RESERVED, &empty_chunk, -- v2N_PPK_IDENTITY, ¬ify_data, -- &e_pbs_cipher)) -- return STF_INTERNAL_ERROR; -+ notifies--; /* used for one or two payloads */ -+ if (!ship_v2N(np, ISAKMP_PAYLOAD_NONCRITICAL, -+ PROTO_v2_RESERVED, &empty_chunk, -+ v2N_PPK_IDENTITY, ¬ify_data, -+ &e_pbs_cipher)) -+ return STF_INTERNAL_ERROR; - freeanychunk(notify_data); - -- ikev2_calc_no_ppk_auth(cc, pst, idhash_npa, &pst->st_no_ppk_auth); -- if (!ship_v2N(ISAKMP_NEXT_v2NONE, ISAKMP_PAYLOAD_NONCRITICAL, -- PROTO_v2_RESERVED, &empty_chunk, -- v2N_NO_PPK_AUTH, &pst->st_no_ppk_auth, -- &e_pbs_cipher)) -- return STF_INTERNAL_ERROR; -+ if (!LIN(POLICY_PPK_INSIST, cc->policy)) { -+ ikev2_calc_no_ppk_auth(cc, pst, idhash_npa, &pst->st_no_ppk_auth); -+ if (!ship_v2N(ISAKMP_NEXT_v2NONE, ISAKMP_PAYLOAD_NONCRITICAL, -+ PROTO_v2_RESERVED, &empty_chunk, -+ v2N_NO_PPK_AUTH, &pst->st_no_ppk_auth, -+ &e_pbs_cipher)) -+ return STF_INTERNAL_ERROR; -+ } - } - - passert(notifies == 0); -diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_ppk.c libreswan-3.23/programs/pluto/ikev2_ppk.c ---- libreswan-3.23-orig/programs/pluto/ikev2_ppk.c 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/ikev2_ppk.c 2018-02-05 14:39:11.173190188 -0500 -@@ -113,7 +113,24 @@ - enum keyword_authby authby = c->spd.this.authby; - switch (authby) { - case AUTH_RSASIG: -- /* TODO */ -+ if (ikev2_calculate_rsa_sha1(st, st->st_original_role, id_hash, NULL, TRUE, no_ppk_auth)) { -+ if (st->st_hash_negotiated & 
NEGOTIATE_AUTH_HASH_SHA1) { -+ /* make blobs separately, and somehow combine them and no_ppk_auth -+ * to get an actual no_ppk_auth */ -+ int len = ASN1_LEN_ALGO_IDENTIFIER + ASN1_SHA1_RSA_OID_SIZE + no_ppk_auth->len; -+ u_char *blobs = alloc_bytes(len, "bytes for blobs for AUTH_DIGSIG NO_PPK_AUTH"); -+ u_char *ret = blobs; -+ memcpy(blobs, len_sha1_rsa_oid_blob, ASN1_LEN_ALGO_IDENTIFIER); -+ blobs += ASN1_LEN_ALGO_IDENTIFIER; -+ memcpy(blobs, sha1_rsa_oid_blob, ASN1_SHA1_RSA_OID_SIZE); -+ blobs += ASN1_SHA1_RSA_OID_SIZE; -+ memcpy(blobs, no_ppk_auth->ptr, no_ppk_auth->len); -+ chunk_t release = *no_ppk_auth; -+ setchunk(*no_ppk_auth, ret, len); -+ freeanychunk(release); -+ } -+ } -+ return STF_OK; - break; - case AUTH_PSK: - if (ikev2_create_psk_auth(AUTH_PSK, st, id_hash, NULL, TRUE, no_ppk_auth)) -diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_rsa.c libreswan-3.23/programs/pluto/ikev2_rsa.c ---- libreswan-3.23-orig/programs/pluto/ikev2_rsa.c 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/ikev2_rsa.c 2018-02-05 14:39:11.173190188 -0500 -@@ -101,7 +101,9 @@ - bool ikev2_calculate_rsa_sha1(struct state *st, - enum original_role role, - unsigned char *idhash, -- pb_stream *a_pbs) -+ pb_stream *a_pbs, -+ bool calc_no_ppk_auth, -+ chunk_t *no_ppk_auth) - { - unsigned char signed_octets[SHA1_DIGEST_SIZE + 16]; - size_t signed_len; -@@ -136,8 +138,13 @@ - if (shr == 0) - return FALSE; - passert(shr == (int)sz); -- if (!out_raw(sig_val, sz, a_pbs, "rsa signature")) -- return FALSE; -+ if (calc_no_ppk_auth == FALSE) { -+ if (!out_raw(sig_val, sz, a_pbs, "rsa signature")) -+ return FALSE; -+ } else { -+ clonetochunk(*no_ppk_auth, sig_val, sz, "NO_PPK_AUTH chunk"); -+ DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH payload", *no_ppk_auth)); -+ } - } - - return TRUE; -diff -Naur libreswan-3.23-orig/programs/pluto/nss_cert_verify.c libreswan-3.23/programs/pluto/nss_cert_verify.c ---- libreswan-3.23-orig/programs/pluto/nss_cert_verify.c 2018-01-25 
15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/nss_cert_verify.c 2018-02-05 14:38:52.685418927 -0500 -@@ -498,60 +498,83 @@ - - bool cert_VerifySubjectAltName(const CERTCertificate *cert, const char *name) - { -- SECStatus rv; - SECItem subAltName; -- PLArenaPool *arena = NULL; -- CERTGeneralName *nameList = NULL; -- CERTGeneralName *current = NULL; -- bool san_ip = FALSE; -- unsigned int len = strlen(name); -- ip_address myip; -- -- rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, -+ SECStatus rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, - &subAltName); - if (rv != SECSuccess) { - DBG(DBG_X509, DBG_log("certificate contains no subjectAltName extension")); - return FALSE; - } - -- if (tnatoaddr(name, 0, AF_UNSPEC, &myip) == NULL) -- san_ip = TRUE; -+ ip_address myip; -+ bool san_ip = (tnatoaddr(name, 0, AF_UNSPEC, &myip) == NULL); - -- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); -+ PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - passert(arena != NULL); - -- nameList = current = CERT_DecodeAltNameExtension(arena, &subAltName); -- passert(current != NULL); -+ CERTGeneralName *nameList = CERT_DecodeAltNameExtension(arena, &subAltName); - -- do -- { -+ if (nameList == NULL) { -+ loglog(RC_LOG_SERIOUS, "certificate subjectAltName extension failed to decode"); -+ PORT_FreeArena(arena, PR_FALSE); -+ return FALSE; -+ } -+ -+ /* -+ * nameList is a pointer into a non-empty circular linked list. -+ * This loop visits each entry. -+ * We have visited each when we come back to the start. -+ * We test only at the end, after we advance, because we want to visit -+ * the first entry the first time we see it but stop when we get to it -+ * the second time. 
-+ */ -+ CERTGeneralName *current = nameList; -+ do { - switch (current->type) { - case certDNSName: - case certRFC822Name: -- if (san_ip) -- break; -- if (current->name.other.len == len) { -- if (memcmp(current->name.other.data, name, len) == 0) { -- DBG(DBG_X509, DBG_log("subjectAltname %s found in certificate", name)); -- PORT_FreeArena(arena, PR_FALSE); -- return TRUE; -- } -- } -+ { -+ /* -+ * Match the parameter name with the name in the certificate. -+ * The name in the cert may start with "*."; that will match -+ * any initial component in name (up to the first '.'). -+ */ -+ /* we need to cast because name.other.data is unsigned char * */ -+ const char *c_ptr = (const void *) current->name.other.data; -+ size_t c_len = current->name.other.len; -+ -+ const char *n_ptr = name; -+ static const char wild[] = "*."; -+ const size_t wild_len = sizeof(wild) - 1; -+ -+ if (c_len > wild_len && startswith(c_ptr, wild)) { -+ /* wildcard in cert: ignore first component of name */ -+ c_ptr += wild_len; -+ c_len -= wild_len; -+ n_ptr = strchr(n_ptr, '.'); -+ if (n_ptr == NULL) -+ break; /* cannot match */ - -- if (current->name.other.len != 0 && current->name.other.len < IDTOA_BUF) { -- char osan[IDTOA_BUF]; -+ n_ptr++; /* skip . */ -+ } - -- memcpy(osan,current->name.other.data, current->name.other.len); -- osan[current->name.other.len] = '\0'; -- DBG(DBG_X509, DBG_log("subjectAltname (len=%d) %s not match %s", current->name.other.len, osan, name)); -- } else { -- DBG(DBG_X509, DBG_log("subjectAltname does not match %s", name)); -+ if (c_len == strlen(n_ptr) && strncaseeq(n_ptr, c_ptr, c_len)) { -+ /* -+ * ??? if current->name.other.data contains bad characters, -+ * what prevents them being logged? 
-+ */ -+ DBG(DBG_X509, DBG_log("subjectAltname %s matched %*s in certificate", -+ name, current->name.other.len, current->name.other.data)); -+ PORT_FreeArena(arena, PR_FALSE); -+ return TRUE; - } - break; -+ } - - case certIPAddress: - if (!san_ip) - break; -+ - if ((current->name.other.len == 4) && (addrtypeof(&myip) == AF_INET)) { - if (memcmp(current->name.other.data, &myip.u.v4.sin_addr.s_addr, 4) == 0) { - DBG(DBG_X509, DBG_log("subjectAltname IPv4 matches %s", name)); -@@ -572,7 +595,7 @@ - break; - } - } -- DBG(DBG_X509, DBG_log("subjectAltnamea IP address family mismatch for %s", name)); -+ DBG(DBG_X509, DBG_log("subjectAltname IP address family mismatch for %s", name)); - break; - - default: -diff -Naur libreswan-3.23-orig/programs/_unbound-hook/_unbound-hook.in libreswan-3.23/programs/_unbound-hook/_unbound-hook.in ---- libreswan-3.23-orig/programs/_unbound-hook/_unbound-hook.in 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/_unbound-hook/_unbound-hook.in 2018-02-05 14:38:49.373280754 -0500 -@@ -1,31 +1,52 @@ - #!/usr/bin/python -+# -+# Copyright (C) 2018 Paul Wouters -+# -+# This program is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by the -+# Free Software Foundation; either version 2 of the License, or (at your -+# option) any later version. See . -+# -+# This program is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+# for more details. 
- - import sys --import base64 --import commands -+import subprocess - --log = "" -- --status, myip = commands.getstatusoutput("ip -o route get 1.0.0.1") -+# Get my %defaultroute IP address -+myip = subprocess.check_output("ip -o route get 8.8.8.8", shell=True) - myip = myip.split("src")[1].strip().split()[0] - - argv = sys.argv --argc = len(sys.argv) -+ourself = argv.pop(0) - --#log += "Number or arguments is %d\n"%argc --#if argc >= 4: --# log += "QNAME:%s\n"%argv[1] --# log += "TTL:%s\n"%argv[2] --# log += "IP:%s\n"%argv[3] --# log += "IPSECKEY:%s\n"%argv[4] --# rr = argv[4] --# pref, gwtype, algo, gw, pubkey = rr.split(" ") --#log += "-----------------------------\n" -- --cmdname = "@IPSEC_EXECDIR@/whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(argv[1], pubkey) --cmdip = "@IPSEC_EXECDIR@/whack --keyid %s --addkey --pubkeyrsa 0s%s"%(argv[3], pubkey) --cmdoe = "@IPSEC_EXECDIR@/whack --oppohere %s --oppothere %s"%(myip, argv[3]) --ret, output = commands.getstatusoutput(cmdname) --ret, output = commands.getstatusoutput(cmdip) --ret, output = commands.getstatusoutput(cmdoe) --ret, output = commands.getstatusoutput("@IPSEC_EXECDIR@ whack --trafficstatus") -+try: -+ qname = argv.pop(0) -+ ttl = argv.pop(0) -+ ip = argv.pop(0) -+except: -+ sys.exit("Bad arguments to ipsec _unbound") -+ -+while (argv != []): -+ try: -+ gwprec = argv.pop(0) -+ gwtype = argv.pop(0) -+ gwalg = argv.pop(0) -+ gwid = argv.pop(0) -+ pubkey = argv.pop(0) -+ addkeyip = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(ip, pubkey) -+ addkeyhostname = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(qname, pubkey) -+ print("processing an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip)) -+ print(subprocess.call(addkeyip, shell=True)) -+ print(subprocess.call(addkeyhostname, shell=True)) -+ except: -+ sys.exit("failed to process an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip)) -+ -+# done injecting all IPSECKEY records into pluto - try actual OE now -+cmdoeip = 
"ipsec whack --oppohere %s --oppothere %s"%(myip, ip) -+print(subprocess.check_output(cmdoeip, shell=True)) -+#cmdoeqname = "ipsec whack --oppohere %s --oppothere %s"%(myip, qname) -+#ret, output = commands.getstatusoutput(cmdoeqname) -+print(subprocess.check_output("ipsec whack --trafficstatus", shell=True)) -diff --git a/include/ietf_constants.h b/include/ietf_constants.h -index 8a1ba5d..38fa4de 100644 ---- a/include/ietf_constants.h -+++ b/include/ietf_constants.h -@@ -1215,7 +1215,7 @@ enum ikev2_cp_attribute_type { - IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO = 23, - IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK = 24, - IKEv2_INTERNAL_DNS_DOMAIN = 25, -- /* IKEv2_INTERNAL_DNSSEC_TA = 26 expected */ -+ IKEv2_INTERNAL_DNSSEC_TA = 26 - }; - - -diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c -index 9ea9872..ab6db3e 100644 ---- a/lib/libswan/constants.c -+++ b/lib/libswan/constants.c -@@ -1365,13 +1365,12 @@ static const char *const ikev2_cp_attribute_type_name[] = { - "IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO", /* 3gpp */ - "IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK", /* 3gpp */ - "IKEv2_INTERNAL_DNS_DOMAIN", /* draft-ietf-ipsecme-split-dns */ -- /* "IKEv2_INTERNAL_DNSSEC_TA", draft-ietf-ipsecme-split-dns, no Code Point yet */ -+ "IKEv2_INTERNAL_DNSSEC_TA", /* draft-ietf-ipsecme-split-dns */ - }; - - enum_names ikev2_cp_attribute_type_names = { - IKEv2_CP_ATTR_RESERVED, -- IKEv2_INTERNAL_DNS_DOMAIN, -- /* IKEv2_INTERNAL_DNSSEC_TA, */ -+ IKEv2_INTERNAL_DNSSEC_TA, - ARRAY_REF(ikev2_cp_attribute_type_name), - NULL, /* prefix */ - NULL -diff --git a/programs/addconn/addconn.c b/programs/addconn/addconn.c -index ae56972..e818e0e 100644 ---- a/programs/addconn/addconn.c -+++ b/programs/addconn/addconn.c -@@ -416,12 +416,11 @@ int main(int argc, char *argv[]) - if (verbose) - printf(" Pass #1: Loading auto=add, auto=route and auto=start connections\n"); - -- for (conn = cfg->conns.tqh_first; -- conn != NULL; -- conn = conn->link.tqe_next) { -+ for (conn = cfg->conns.tqh_first; 
conn != NULL; conn = conn->link.tqe_next) { - if (conn->desired_state == STARTUP_ADD || - conn->desired_state == STARTUP_ONDEMAND || -- conn->desired_state == STARTUP_START) { -+ conn->desired_state == STARTUP_START) -+ { - if (verbose) - printf(" %s", conn->name); - resolve_defaultroute(conn); -@@ -436,30 +435,22 @@ int main(int argc, char *argv[]) - starter_whack_listen(cfg); - - if (verbose) -- printf(" Pass #2: Routing auto=route and auto=start connections\n"); -+ printf(" Pass #2: Routing auto=route connections\n"); - -- for (conn = cfg->conns.tqh_first; -- conn != NULL; -- conn = conn->link.tqe_next) { -- if (conn->desired_state == STARTUP_ADD || -- conn->desired_state == STARTUP_ONDEMAND || -- conn->desired_state == STARTUP_START) { -+ for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) { -+ if (conn->desired_state == STARTUP_ONDEMAND) -+ { - if (verbose) - printf(" %s", conn->name); -- resolve_defaultroute(conn); -- if (conn->desired_state == STARTUP_ONDEMAND || -- conn->desired_state == STARTUP_START) { -+ if (conn->desired_state == STARTUP_ONDEMAND) - starter_whack_route_conn(cfg, conn); -- } - } - } - - if (verbose) - printf(" Pass #3: Initiating auto=start connections\n"); - -- for (conn = cfg->conns.tqh_first; -- conn != NULL; -- conn = conn->link.tqe_next) { -+ for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) { - if (conn->desired_state == STARTUP_START) { - if (verbose) - printf(" %s", conn->name); -diff --git a/programs/_updown.netkey/_updown.netkey.in b/programs/_updown.netkey/_updown.netkey.in -index 64b2808..b343445 100644 ---- a/programs/_updown.netkey/_updown.netkey.in -+++ b/programs/_updown.netkey/_updown.netkey.in -@@ -745,6 +745,7 @@ case "${PLUTO_VERB}" in - up-client) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. -+ addvtiiface - updateresolvconf - addcat - addsource 
diff --git a/libreswan-3.23-gcc8.patch b/libreswan-3.23-gcc8.patch deleted file mode 100644 index 62a8fde..0000000 --- a/libreswan-3.23-gcc8.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -diff -Naur libreswan-3.23-orig/programs/pluto/kernel_netlink.c libreswan-3.23/programs/pluto/kernel_netlink.c ---- libreswan-3.23-orig/programs/pluto/kernel_netlink.c 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/kernel_netlink.c 2018-02-19 18:56:24.433527475 -0500 -@@ -51,8 +51,9 @@ - #include - #include - --#include "libreswan.h" /* before xfrm.h otherwise break on F22 */ -+//#include - #include "linux/xfrm.h" /* local (if configured) or system copy */ -+#include "libreswan.h" /* before xfrm.h otherwise break on F22 */ - - #include "libreswan/pfkeyv2.h" - #include "libreswan/pfkey.h" -diff -Naur libreswan-3.23-orig/programs/pluto/linux_audit.c libreswan-3.23/programs/pluto/linux_audit.c ---- libreswan-3.23-orig/programs/pluto/linux_audit.c 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/linux_audit.c 2018-02-19 18:58:51.356837932 -0500 -@@ -74,6 +74,15 @@ - - #include "pluto_stats.h" - -+#if __GNUC__ >= 7 -+ /* -+ * GCC 7+ warns about the following calls that truncate a string using -+ * snprintf(). We are truncating the log message for a reason. 
-+ */ -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wformat-truncation" -+#endif -+ - static bool log_to_audit = FALSE; /* audit log messages for kernel */ - - void linux_audit_init(void) -@@ -159,13 +168,13 @@ - char raddr[ADDRTOT_BUF]; - char laddr[ADDRTOT_BUF]; - char audit_str[AUDIT_LOG_SIZE]; -- char cipher_str[AUDIT_LOG_SIZE]; -- char spi_str[AUDIT_LOG_SIZE]; -+ char cipher_str[20]; -+ char spi_str[20]; - struct connection *const c = st->st_connection; - bool initiator = FALSE; - char head[IDTOA_BUF]; -- char integname[IDTOA_BUF]; -- char prfname[IDTOA_BUF]; -+ char integname[20]; -+ char prfname[20]; - struct esb_buf esb, esb2; - /* we need to free() this */ - char *conn_encode = audit_encode_nv_string("conn-name",c->name,0); -@@ -300,3 +309,6 @@ - AUDIT_CRYPTO_IPSEC_SA : AUDIT_CRYPTO_IKE_SA, - audit_str, raddr, AUDIT_RESULT_OK); - } -+#if __GNUC__ >= 7 -+#pragma GCC diagnostic pop -+#endif -diff -Naur libreswan-3.23-orig/programs/pluto/log.h libreswan-3.23/programs/pluto/log.h ---- libreswan-3.23-orig/programs/pluto/log.h 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/log.h 2018-02-19 18:56:24.433527475 -0500 -@@ -154,7 +154,7 @@ - - #ifdef USE_LINUX_AUDIT - #include /* from audit-libs devel */ --#define AUDIT_LOG_SIZE 256 -+#define AUDIT_LOG_SIZE 512 - /* should really be in libaudit.h */ - #define AUDIT_RESULT_FAIL 0 - #define AUDIT_RESULT_OK 1 -diff -Naur libreswan-3.23-orig/programs/pluto/pluto_constants.c libreswan-3.23/programs/pluto/pluto_constants.c ---- libreswan-3.23-orig/programs/pluto/pluto_constants.c 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/pluto_constants.c 2018-02-19 18:56:24.434527471 -0500 -@@ -478,7 +478,7 @@ - policy & - ~(POLICY_SHUNT_MASK | POLICY_FAIL_MASK), - pbitnamesbuf, sizeof(pbitnamesbuf)); -- static char buf[200]; /* NOT RE-ENTRANT! I hope that it is big enough! */ -+ static char buf[512]; /* NOT RE-ENTRANT! I hope that it is big enough! 
*/ - lset_t shunt = (policy & POLICY_SHUNT_MASK) >> POLICY_SHUNT_SHIFT; - lset_t fail = (policy & POLICY_FAIL_MASK) >> POLICY_FAIL_SHIFT; - diff --git a/libreswan-3.23-ppk-update.patch b/libreswan-3.23-ppk-update.patch deleted file mode 100644 index fe9d9fb..0000000 --- a/libreswan-3.23-ppk-update.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -diff --git a/include/ietf_constants.h b/include/ietf_constants.h -index 38fa4de..08c8d9e 100644 ---- a/include/ietf_constants.h -+++ b/include/ietf_constants.h -@@ -1486,12 +1486,14 @@ typedef enum { - v2N_SENDER_REQUEST_ID = 16429, /* draft-yeung-g-ikev2 */ - v2N_IKEV2_FRAGMENTATION_SUPPORTED = 16430, /* RFC-7383 */ - v2N_SIGNATURE_HASH_ALGORITHMS = 16431, /* RFC-7427 */ -- -- v2N_USE_PPK = 40960, /* draft-ietf-ipsecme-qr-ikev2-01 */ -- v2N_PPK_IDENTITY = 40961, /* draft-ietf-ipsecme-qr-ikev2-01 */ -- v2N_NO_PPK_AUTH = 40962, /* draft-ietf-ipsecme-qr-ikev2-01 */ -- -- /* 16432 - 40969 Unassigned */ -+ v2N_CLONE_IKE_SA_SUPPORTED = 16432, /* RFC-7791 */ -+ v2N_CLONE_IKE_SA = 16433, /* RFC-7791 */ -+ v2N_PUZZLE = 16434, /* RFC-8019 */ -+ v2N_USE_PPK = 16435, /* draft-ietf-ipsecme-qr-ikev2 */ -+ v2N_PPK_IDENTITY = 16436, /* draft-ietf-ipsecme-qr-ikev2 */ -+ v2N_NO_PPK_AUTH = 16437, /* draft-ietf-ipsecme-qr-ikev2 */ -+ -+ /* 16438 - 40969 Unassigned */ - /* 40960 - 65535 Private Use */ - } v2_notification_t; - -diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c -index ab6db3e..a0dab63 100644 ---- a/lib/libswan/constants.c -+++ b/lib/libswan/constants.c -@@ -1634,20 +1634,6 @@ static enum_names ikev2_ppk_id_type_names = { - }; - */ - --static const char *const ikev2_notify_name_private[] = { -- "v2N_USE_PPK", -- "v2N_PPK_IDENTITY", -- "v2N_NO_PPK_AUTH", --}; -- --static enum_names ikev2_notify_names_private = { -- v2N_USE_PPK, -- v2N_NO_PPK_AUTH, -- ARRAY_REF(ikev2_notify_name_private), -- "v2N_", /* prefix */ -- NULL --}; -- - /* http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xml#ikev2-parameters-13 */ - static const char *const ikev2_notify_name_16384[] = { - "v2N_INITIAL_CONTACT", /* 16384 */ -@@ -1698,14 +1684,20 @@ static const char *const ikev2_notify_name_16384[] = { - "v2N_SENDER_REQUEST_ID", - "v2N_IKEV2_FRAGMENTATION_SUPPORTED", /* 16430 */ - "v2N_SIGNATURE_HASH_ALGORITHMS", -+ "v2N_CLONE_IKE_SA_SUPPORTED", -+ 
"v2N_CLONE_IKE_SA", -+ "v2N_PUZZLE", -+ "v2N_USE_PPK", /* 16435 */ -+ "v2N_PPK_IDENTITY", -+ "v2N_NO_PPK_AUTH", - }; - - static enum_names ikev2_notify_names_16384 = { - v2N_INITIAL_CONTACT, -- v2N_SIGNATURE_HASH_ALGORITHMS, -+ v2N_NO_PPK_AUTH, - ARRAY_REF(ikev2_notify_name_16384), - "v2N_", /* prefix */ -- &ikev2_notify_names_private -+ NULL - }; - - static const char *const ikev2_notify_name[] = { -diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c -index 258ba85..b86eea8 100644 ---- a/programs/pluto/ikev2_parent.c -+++ b/programs/pluto/ikev2_parent.c -@@ -3749,18 +3749,14 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md) - break; - } - -- if (LIN(POLICY_PPK_ALLOW, policy)) { -- no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH"); -+ no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH"); - -- if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) { -- loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len); -- return STF_FATAL; -- } -- DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth)); -- st->st_no_ppk_auth = no_ppk_auth; -- } else { -- libreswan_log("ignored received NO_PPK_AUTH - connection does not allow PPK"); -+ if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) { -+ loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len); -+ return STF_FATAL; - } -+ DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth)); -+ st->st_no_ppk_auth = no_ppk_auth; - break; - } - case v2N_MOBIKE_SUPPORTED: -@@ -3774,8 +3770,11 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md) - } - } - -- /* if we found proper PPK ID, we should use that without fallback to no ppk */ -- if (found_ppk) -+ /* -+ * If we found proper PPK ID and policy allows PPK, use that. 
-+ * Otherwise use NO_PPK_AUTH -+ */ -+ if (found_ppk && LIN(POLICY_PPK_ALLOW, policy)) - freeanychunk(st->st_no_ppk_auth); - - if (!found_ppk && LIN(POLICY_PPK_INSIST, policy)) { diff --git a/libreswan-3.23-seccomp.patch b/libreswan-3.23-seccomp.patch deleted file mode 100644 index 0e3679a..0000000 --- a/libreswan-3.23-seccomp.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -Naur libreswan-3.23-orig/programs/addconn/addconn.c libreswan-3.23/programs/addconn/addconn.c ---- libreswan-3.23-orig/programs/addconn/addconn.c 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/addconn/addconn.c 2018-02-05 14:13:25.758711788 -0500 -@@ -140,7 +140,9 @@ - rc |= S_RULE_ADD(set_robust_list); - rc |= S_RULE_ADD(set_tid_address); - rc |= S_RULE_ADD(socket); -+ rc |= S_RULE_ADD(socketcall); - rc |= S_RULE_ADD(socketpair); -+ rc |= S_RULE_ADD(stat); - rc |= S_RULE_ADD(statfs); - rc |= S_RULE_ADD(uname); - rc |= S_RULE_ADD(write); -diff -Naur libreswan-3.23-orig/programs/pluto/pluto_seccomp.c libreswan-3.23/programs/pluto/pluto_seccomp.c ---- libreswan-3.23-orig/programs/pluto/pluto_seccomp.c 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/pluto_seccomp.c 2018-02-05 14:13:38.390239502 -0500 -@@ -109,6 +109,7 @@ - rc |= S_RULE_ADD(set_robust_list); - rc |= S_RULE_ADD(setsockopt); - rc |= S_RULE_ADD(socket); -+ rc |= S_RULE_ADD(socketcall); - rc |= S_RULE_ADD(socketpair); - rc |= S_RULE_ADD(sysinfo); - rc |= S_RULE_ADD(uname); diff --git a/libreswan-3.25-relax-delete.patch b/libreswan-3.25-relax-delete.patch deleted file mode 100644 index e5a0280..0000000 --- a/libreswan-3.25-relax-delete.patch +++ /dev/null 
@@ -1,62 +0,0 @@
-diff --git a/programs/pluto/state.c b/programs/pluto/state.c
-index 7b33145..a3bcc3c 100644
---- a/programs/pluto/state.c
-+++ b/programs/pluto/state.c
-@@ -3155,27 +3155,40 @@ void ISAKMP_SA_established(const struct state *pst)
- d = next;
- }
- 
-- if (c->newest_isakmp_sa != SOS_NOBODY &&
-- c->newest_isakmp_sa != pst->st_serialno) {
-- struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa);
-+ /*
-+ * This only affects IKEv2, since we don't store any
-+ * received INITIAL_CONTACT for IKEv1.
-+ * We don't do this on IKEv1, because it seems to
-+ * confuse various third parties (Windows, Cisco VPN 300,
-+ * and juniper
-+ * likely because this would be called before the IPsec SA
-+ * of QuickMode is installed, so the remote endpoints view
-+ * this IKE SA still as the active one?
-+ */
-+ if (pst->st_seen_initialc) {
- 
-- DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s",
-- old_p1->st_connection->name));
-- old_p1->st_suppress_del_notify = TRUE;
-- event_force(EVENT_SA_EXPIRE, old_p1);
-- }
-+ if (c->newest_isakmp_sa != SOS_NOBODY &&
-+ c->newest_isakmp_sa != pst->st_serialno) {
-+ struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa);
- 
-- if (pst->st_seen_initialc && (c->newest_ipsec_sa != SOS_NOBODY))
-- {
-- struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa);
-- struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection;
-+ DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s",
-+ old_p1->st_connection->name));
-+ old_p1->st_suppress_del_notify = TRUE;
-+ event_force(EVENT_SA_EXPIRE, old_p1);
-+ }
- 
-- if (c == d && same_id(&c->spd.that.id, &d->spd.that.id))
-+ if (c->newest_ipsec_sa != SOS_NOBODY)
- {
-- DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'",
-- c->newest_ipsec_sa, c->name));
-- old_p2->st_suppress_del_notify = TRUE;
-- event_force(EVENT_SA_EXPIRE, old_p2);
-+ struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa);
-+ struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection;
-+
-+ if (c == d && same_id(&c->spd.that.id, &d->spd.that.id))
-+ {
-+ DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'",
-+ c->newest_ipsec_sa, c->name));
-+ old_p2->st_suppress_del_notify = TRUE;
-+ event_force(EVENT_SA_EXPIRE, old_p2);
-+ }
- }
- }
- 
diff --git a/libreswan-3.25-unbound-hook.patch b/libreswan-3.25-unbound-hook.patch
deleted file mode 100644
index 007ae73..0000000
--- a/libreswan-3.25-unbound-hook.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-commit 9dce290a0d2df5c278ed9442b10954d65cc238e4
-Author: Paul Wouters
-Date: Sun Jul 8 22:29:52 2018 -0400
-
- _unbound-hook: Fixup adding IPv4 pubkey into pluto. Expect unbound to quote argument as 1
-
-diff --git a/programs/_unbound-hook/_unbound-hook.in b/programs/_unbound-hook/_unbound-hook.in
-index 0d266d5..38279de 100755
---- a/programs/_unbound-hook/_unbound-hook.in
-+++ b/programs/_unbound-hook/_unbound-hook.in
-@@ -29,14 +29,17 @@ try:
- except:
- sys.exit("Bad arguments to ipsec _unbound")
- 
--while (argv != []):
-+# unbound now quotes the entire RRDATAs, so it counts as 1 argument in the list
-+data = argv.pop(0).split(" ")
-+
-+while (data != []):
- try:
-- gwprec = argv.pop(0)
-- gwtype = argv.pop(0)
-- gwalg = argv.pop(0)
-- gwid = argv.pop(0)
-- pubkey = argv.pop(0)
-- addkeyip = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
-+ gwprec = data.pop(0)
-+ gwtype = data.pop(0)
-+ gwalg = data.pop(0)
-+ gwid = data.pop(0)
-+ pubkey = data.pop(0)
-+ addkeyip = "ipsec whack --keyid %s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
- addkeyhostname = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(qname, pubkey)
- print("processing an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip))
- print(subprocess.call(addkeyip, shell=True))
diff --git a/libreswan-3.26-asn1-zu.patch b/libreswan-3.26-asn1-zu.patch
deleted file mode 100644
index 58b68ac..0000000
--- a/libreswan-3.26-asn1-zu.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff -Naur libreswan-3.26-orig/lib/libswan/asn1.c libreswan-3.26/lib/libswan/asn1.c
---- libreswan-3.26-orig/lib/libswan/asn1.c 2018-09-16 22:45:52.000000000 -0400
-+++ libreswan-3.26/lib/libswan/asn1.c 2018-09-17 00:28:06.726985327 -0400
-@@ -164,7 +164,7 @@
- sig_val->len = len_r;
- /* XXX: need to check len_r and len_s fits in this */
- sig_val->ptr = alloc_bytes(len_r * 2, "ec points");
-- DBG(DBG_PARSING, DBG_log(" sig_val len is %ld",sig_val->len));
-+ DBG(DBG_PARSING, DBG_log(" sig_val len is %zu",sig_val->len));
- /* copy the values of r into signature */
- memcpy(sig_val->ptr,blob->ptr,len_r);
- 
-@@ -184,7 +184,7 @@
- }
- DBG(DBG_PARSING, DBG_log(" len_s is %d",len_s));
- sig_val->len += len_s;
-- DBG(DBG_PARSING, DBG_log(" sig_val total len is %ld",sig_val->len));
-+ DBG(DBG_PARSING, DBG_log(" sig_val total len is %zu",sig_val->len));
- /* copy the values of r into signature */
- memcpy(sig_val->ptr+len_r,blob->ptr,len_s);
- }
diff --git a/libreswan-3.29-updown-syntax.patch b/libreswan-3.29-updown-syntax.patch
deleted file mode 100644
index e6eb679..0000000
--- a/libreswan-3.29-updown-syntax.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/programs/_updown.netkey/_updown.netkey.in b/programs/_updown.netkey/_updown.netkey.in
-index 9c76998233..21000b1ea4 100644
---- a/programs/_updown.netkey/_updown.netkey.in
-+++ b/programs/_updown.netkey/_updown.netkey.in
-@@ -446,7 +446,7 @@ delsource() {
- return ${st}
- fi
- # Remove source ip if it's not used any more.
-- if [ -z $(ip -o route list src ${PLUTO_MY_SOURCEIP}) ]; then
-+ if [ -z "$(ip -o route list src ${PLUTO_MY_SOURCEIP})" ]; then
- if [ -n "${VTI_IFACE}" -a "${VTI_ROUTING}" = yes ]; then
- interface="${VTI_IFACE}"
- fi
diff --git a/libreswan-3.30-s390x.patch b/libreswan-3.30-s390x.patch
deleted file mode 100644
index a229d8a..0000000
--- a/libreswan-3.30-s390x.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-commit 8b067b47b1e2306c83bed49ecada1bddfb1c1a38
-Author: Paul Wouters
-Date: Fri Feb 14 15:22:21 2020 -0500
-
- pluto: fixup: 'incl' may be used uninitialized in init_virtual_ip()
-
- For some reason, only the s390x compiler complains.
-
-diff --git a/programs/pluto/virtual.c b/programs/pluto/virtual.c
-index ce94d5a5ee..74d77a3ab0 100644
---- a/programs/pluto/virtual.c
-+++ b/programs/pluto/virtual.c
-@@ -172,7 +172,7 @@ void init_virtual_ip(const char *private_list)
- if (next == NULL)
- next = str + strlen(str);
- 
-- bool incl;
-+ bool incl = FALSE;
- if (read_subnet(str, next - str,
- &(private_net_incl[i_incl]),
- &(private_net_excl[i_excl]),
diff --git a/libreswan-3.32-nss-api.patch b/libreswan-3.32-nss-api.patch
deleted file mode 100644
index efd10ba..0000000
--- a/libreswan-3.32-nss-api.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff -Naur libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c
---- libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c 2020-05-11 10:13:41.000000000 -0400
-+++ libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c 2020-05-26 10:23:26.563318038 -0400
-@@ -16,6 +16,12 @@
- #include
- #include
- 
-+/*
-+ * Special advise from Bob Relyea - needs to go before any nss include
-+ *
-+ */
-+#define NSS_PKCS11_2_0_COMPAT 1
-+
- #include "lswlog.h"
- #include "lswnss.h"
- #include "prmem.h"
diff --git a/libreswan-3.32-uninitialized.patch b/libreswan-3.32-uninitialized.patch
deleted file mode 100644
index 1a9ce1a..0000000
--- a/libreswan-3.32-uninitialized.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c
-index 702c9a8..3772508 100644
---- a/programs/pluto/ikev2_parent.c
-+++ b/programs/pluto/ikev2_parent.c
-@@ -2150,7 +2150,7 @@ static stf_status ikev2_parent_inR1outI2_tail(struct state *pst, struct msg_dige
- struct pluto_crypto_req *r)
- {
- struct connection *const pc = pst->st_connection; /* parent connection */
-- struct ppk_id_payload ppk_id_p;
-+ struct ppk_id_payload ppk_id_p = { };
- struct ike_sa *ike = pexpect_ike_sa(pst);
- 
- if (!finish_dh_v2(pst, r, FALSE)) {
diff --git a/libreswan-4.4-ipcheck.patch b/libreswan-4.4-ipcheck.patch
deleted file mode 100644
index fb4ac81..0000000
--- a/libreswan-4.4-ipcheck.patch
+++ /dev/null
@@ -1,494 +0,0 @@ -diff --git a/testing/programs/ipcheck/Makefile b/testing/programs/ipcheck/Makefile -index 4dae8336be..af77a9e9d8 100644 ---- a/testing/programs/ipcheck/Makefile -+++ b/testing/programs/ipcheck/Makefile -@@ -41,4 +41,4 @@ include ../../../mk/program.mk - endif - - local-check: $(PROGRAM) -- $(builddir)/$(PROGRAM) -+ $(builddir)/$(PROGRAM) --dns=yes -diff --git a/testing/programs/ipcheck/ip_address_check.c b/testing/programs/ipcheck/ip_address_check.c -index b80990302a..a84aadaf73 100644 ---- a/testing/programs/ipcheck/ip_address_check.c -+++ b/testing/programs/ipcheck/ip_address_check.c -@@ -24,79 +24,76 @@ - #include "ip_address.h" - #include "ipcheck.h" - --static void check_shunk_to_address(void) -+static void check_ttoaddress_num(void) - { - static const struct test { - int line; - int family; - const char *in; - const char *str; -- bool requires_dns; - } tests[] = { - - /* unset */ -- { LN, 0, "", NULL, false, }, -+ { LN, 0, "", NULL, }, - - /* any */ -- { LN, 4, "0.0.0.0", "0.0.0.0", false, }, -- { LN, 6, "::", "::", false, }, -- { LN, 6, "0:0:0:0:0:0:0:0", "::", false, }, -+ { LN, 4, "0.0.0.0", "0.0.0.0", }, -+ { LN, 6, "::", "::", }, -+ { LN, 6, "0:0:0:0:0:0:0:0", "::", }, - - /* local (zero's fill) */ -- { LN, 4, "127.1", "127.0.0.1", false, }, -- { LN, 4, "127.0.1", "127.0.0.1", false, }, -- { LN, 4, "127.0.0.1", "127.0.0.1", false, }, -- { LN, 6, "::1", "::1", false, }, -- { LN, 6, "0:0:0:0:0:0:0:1", "::1", false, }, -+ { LN, 4, "127.1", "127.0.0.1", }, -+ { LN, 4, "127.0.1", "127.0.0.1", }, -+ { LN, 4, "127.0.0.1", "127.0.0.1", }, -+ { LN, 6, "::1", "::1", }, -+ { LN, 6, "0:0:0:0:0:0:0:1", "::1", }, - - /* mask - and buffer overflow */ -- { LN, 4, "255.255.255.255", "255.255.255.255", false, }, -- { LN, 6, "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false, }, -+ { LN, 4, "255.255.255.255", "255.255.255.255", }, -+ { LN, 6, "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", 
"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", }, - - /* all bytes */ -- { LN, 4, "1.2.3.4", "1.2.3.4", false, }, -- { LN, 6, "1:2:3:4:5:6:7:8", "1:2:3:4:5:6:7:8", false, }, -+ { LN, 4, "1.2.3.4", "1.2.3.4", }, -+ { LN, 6, "1:2:3:4:5:6:7:8", "1:2:3:4:5:6:7:8", }, - - /* last digit is a big num - see wikepedia */ -- { LN, 4, "127.254", "127.0.0.254", false, }, -- { LN, 4, "127.65534", "127.0.255.254", false, }, -- { LN, 4, "127.16777214", "127.255.255.254", false, }, -+ { LN, 4, "127.254", "127.0.0.254", }, -+ { LN, 4, "127.65534", "127.0.255.254", }, -+ { LN, 4, "127.16777214", "127.255.255.254", }, - /* last digit overflow */ -- { LN, 4, "127.16777216", NULL, false, }, -- { LN, 4, "127.0.65536", NULL, false, }, -- { LN, 4, "127.0.0.256", NULL, false, }, -+ { LN, 4, "127.16777216", NULL, }, -+ { LN, 4, "127.0.65536", NULL, }, -+ { LN, 4, "127.0.0.256", NULL, }, - - /* suppress leading zeros - 01 vs 1 */ -- { LN, 6, "0001:0012:0003:0014:0005:0016:0007:0018", "1:12:3:14:5:16:7:18", false, }, -+ { LN, 6, "0001:0012:0003:0014:0005:0016:0007:0018", "1:12:3:14:5:16:7:18", }, - /* drop leading 0:0: */ -- { LN, 6, "0:0:3:4:5:6:7:8", "::3:4:5:6:7:8", false, }, -+ { LN, 6, "0:0:3:4:5:6:7:8", "::3:4:5:6:7:8", }, - /* drop middle 0:...:0 */ -- { LN, 6, "1:2:0:0:0:0:7:8", "1:2::7:8", false, }, -+ { LN, 6, "1:2:0:0:0:0:7:8", "1:2::7:8", }, - /* drop trailing :0..:0 */ -- { LN, 6, "1:2:3:4:5:0:0:0", "1:2:3:4:5::", false, }, -+ { LN, 6, "1:2:3:4:5:0:0:0", "1:2:3:4:5::", }, - /* drop first 0:..:0 */ -- { LN, 6, "1:2:0:0:5:6:0:0", "1:2::5:6:0:0", false, }, -+ { LN, 6, "1:2:0:0:5:6:0:0", "1:2::5:6:0:0", }, - /* drop logest 0:..:0 */ -- { LN, 6, "0:0:3:0:0:0:7:8", "0:0:3::7:8", false, }, -+ { LN, 6, "0:0:3:0:0:0:7:8", "0:0:3::7:8", }, - /* need two 0 */ -- { LN, 6, "0:2:0:4:0:6:0:8", "0:2:0:4:0:6:0:8", false, }, -- -- { LN, 4, "www.libreswan.org", "188.127.201.229", .requires_dns = true, }, -+ { LN, 6, "0:2:0:4:0:6:0:8", "0:2:0:4:0:6:0:8", }, - - /* hex/octal */ -- { LN, 4, 
"0x01.0x02.0x03.0x04", "1.2.3.4", false, }, -- { LN, 4, "0001.0002.0003.0004", "1.2.3.4", false, }, -- { LN, 4, "0x01020304", "1.2.3.4", false, }, -+ { LN, 4, "0x01.0x02.0x03.0x04", "1.2.3.4", }, -+ { LN, 4, "0001.0002.0003.0004", "1.2.3.4", }, -+ { LN, 4, "0x01020304", "1.2.3.4", }, - - /* trailing garbage */ -- { LN, 4, "1.2.3.4.", NULL, false, }, -- { LN, 4, "1.2.3.4a", NULL, false, }, -- { LN, 4, "1.2.3.0a", NULL, false, }, -+ { LN, 4, "1.2.3.4.", NULL, }, -+ { LN, 4, "1.2.3.4a", NULL, }, -+ { LN, 4, "1.2.3.0a", NULL, }, - - /* bad digits */ -- { LN, 4, "256.2.3.4", NULL, false, }, -- { LN, 4, "0008.2.3.4", NULL, false, }, -- { LN, 4, "0x0g.2.3.4", NULL, false, }, -+ { LN, 4, "256.2.3.4", NULL, }, -+ { LN, 4, "0008.2.3.4", NULL, }, -+ { LN, 4, "0x0g.2.3.4", NULL, }, - - }; - -@@ -104,66 +101,146 @@ static void check_shunk_to_address(void) - - for (size_t ti = 0; ti < elemsof(tests); ti++) { - const struct test *t = &tests[ti]; -- PRINT("%s '%s' -> str: '%s' dns: %s", pri_family(t->family), t->in, -- t->str == NULL ? 
"ERROR" : t->str, -- bool_str(t->requires_dns)); -- -- ip_address tmp, *address = &tmp; -- -- /* NUMERIC/NULL */ - -- FOR_EACH_THING(family, 0, t->family) { -+ /* -+ * For each address, perform lookups: -+ * -+ * - first with a generic family and then with the -+ * specified family -+ * -+ * - first with ttoaddress_num() and then -+ * ttoaddress_dns() (but only when it should work) -+ */ -+ -+ FOR_EACH_THING(family, 0, 4, 6) { - const struct ip_info *afi = IP_TYPE(family); -- err = ttoaddress_num(shunk1(t->in), afi, address); -- if (err != NULL) { -- if (t->str != NULL && !t->requires_dns) { -- FAIL("ttoaddress_num(%s, %s) unexpecedly failed: %s", -- t->in, pri_family(family), err); -+ bool err_expected = (t->str == NULL || (family != 0 && family != t->family)); -+ -+ struct lookup { -+ const char *name; -+ err_t (*ttoaddress)(shunk_t, const struct ip_info *, ip_address *); -+ bool need_dns; -+ } lookups[] = { -+ { -+ "ttoaddress_num", -+ ttoaddress_num, -+ false, -+ }, -+ { -+ "ttoaddress_dns", -+ ttoaddress_dns, -+ true, -+ }, -+ { -+ .name = NULL, -+ }, -+ }; -+ for (struct lookup *lookup = lookups; lookup->name != NULL; lookup++) { -+ -+ /* -+ * Without DNS a -+ * ttoaddress_dns() lookup of -+ * a bogus IP address will go -+ * into the weeds. -+ */ -+ bool skip = (lookup->need_dns && have_dns != DNS_YES); -+ -+ PRINT("%s('%s', %s) -> '%s'%s", -+ lookup->name, t->in, pri_family(family), -+ err_expected ? "ERROR" : t->str, -+ skip ? 
"; skipped as no DNS" : ""); -+ -+ if (skip) { -+ continue; -+ } -+ -+ ip_address tmp, *address = &tmp; -+ err = lookup->ttoaddress(shunk1(t->in), afi, address); -+ if (err_expected) { -+ if (err == NULL) { -+ FAIL("%s(%s, %s) unexpecedly succeeded", -+ lookup->name, t->in, pri_family(family)); -+ } -+ PRINT("%s(%s, %s) returned: %s", -+ lookup->name, t->in, pri_family(family), err); -+ } else if (err != NULL) { -+ FAIL("%s(%s, %s) unexpecedly failed: %s", -+ lookup->name, t->in, pri_family(family), err); - } else { -- PRINT("ttoaddress_num(%s, %s) returned: %s", -- t->in, pri_family(family), err); -+ CHECK_STR2(address); - } -- } else if (t->requires_dns) { -- FAIL("ttoaddress_num(%s, %s) unexpecedly parsed a DNS address", -- t->in, pri_family(family)); -- } else if (t->str == NULL) { -- FAIL("ttoaddress_num(%s, %s) unexpecedly succeeded", -- t->in, pri_family(family)); -- } else { -- CHECK_TYPE(address); - } - } -+ } -+} -+ -+static void check_ttoaddress_dns(void) -+{ -+ static const struct test { -+ int line; -+ int family; -+ const char *in; -+ const char *str; -+ bool need_dns; -+ } tests[] = { -+ -+ /* localhost is found in /etc/hosts on all platforms */ -+ { LN, 0, "localhost", "127.0.0.1", false, }, -+ { LN, 4, "localhost", "127.0.0.1", false, }, -+ { LN, 6, "localhost", "::1", false, }, -+ -+ { LN, 0, "www.libreswan.org", "188.127.201.229", true, }, -+ { LN, 4, "www.libreswan.org", "188.127.201.229", true, }, -+ { LN, 6, "www.libreswan.org", "2a00:1190:c00a:f00::229", true, }, - -- /* DNS/TYPE */ -+ { LN, 0, "nowhere.libreswan.org", NULL, true, }, -+ { LN, 4, "nowhere.libreswan.org", NULL, true, }, -+ { LN, 6, "nowhere.libreswan.org", NULL, true, }, - -- if (t->requires_dns && !use_dns) { -- PRINT("skipping dns_hunk_to_address(type) -- no DNS"); -+ }; -+ -+ err_t err; -+ -+ for (size_t ti = 0; ti < elemsof(tests); ti++) { -+ const struct test *t = &tests[ti]; -+ const struct ip_info *afi = IP_TYPE(t->family); -+ bool skip = (have_dns == DNS_NO || (have_dns 
!= DNS_YES && t->need_dns)); -+ -+ PRINT("%s '%s' -> str: '%s' lookup: %s%s", -+ pri_family(t->family), t->in, -+ t->str == NULL ? "ERROR" : t->str, -+ (t->need_dns ? "DNS" : "/etc/hosts"), -+ (skip ? "; skipped as no DNS" : "")); -+ -+ if (skip) { -+ continue; -+ } -+ -+ ip_address tmp, *address = &tmp; -+ err = ttoaddress_dns(shunk1(t->in), afi, address); -+ if (err != NULL) { -+ if (t->str != NULL) { -+ FAIL("ttoaddress_dns(%s, %s) unexpecedly failed: %s", -+ t->in, pri_family(t->family), err); -+ } -+ PRINT("ttoaddress_dns(%s, %s) failed as expected: %s", -+ t->in, pri_family(t->family), err); -+ } else if (t->str == NULL) { -+ address_buf b; -+ FAIL("ttoaddress_dns(%s, %s) unexpecedly succeeded with %s", -+ t->in, pri_family(t->family), -+ str_address(address, &b)); - } else { -- const struct ip_info *afi = IP_TYPE(t->family); -- err = ttoaddress_dns(shunk1(t->in), afi, address); -- if (err != NULL) { -- if (t->str != NULL) { -- FAIL("ttoaddress_dns(%s, %s) unexpecedly failed: %s", -- t->in, pri_family(t->family), err); -- } else { -- PRINT("ttoaddress_dns(%s, %s) returned: %s", -- t->in, pri_family(t->family), err); -- } -- } else if (t->str == NULL) { -- FAIL("ttoaddress_dns(%s, %s) unexpecedly succeeded", -- t->in, pri_family(t->family)); -- } else { -+ address_buf b; -+ PRINT("ttoaddress_dns(%s, %s) succeeded with %s", -+ t->in, pri_family(t->family), -+ str_address(address, &b)); -+ if (t->family != 0) { - CHECK_TYPE(address); - } -- } -- -- /* now convert it back cooked */ -- if (t->requires_dns && !use_dns) { -- PRINT("skipping str_*() -- no DNS"); -- } else if (t->str != NULL) { -+ /* and back */ - CHECK_STR2(address); - } -- - } - } - -@@ -473,7 +550,8 @@ static void check_addresses_to(void) - - void ip_address_check(void) - { -- check_shunk_to_address(); -+ check_ttoaddress_num(); -+ check_ttoaddress_dns(); - check_str_address_sensitive(); - check_str_address_reversed(); - check_address_is(); -diff --git a/testing/programs/ipcheck/ip_info_check.c 
b/testing/programs/ipcheck/ip_info_check.c -index a7553a6029..f1566f4607 100644 ---- a/testing/programs/ipcheck/ip_info_check.c -+++ b/testing/programs/ipcheck/ip_info_check.c -@@ -31,10 +31,12 @@ - /*hack*/const typeof(L##_tests[0]) *t = &L##_tests[tl]; \ - /*hack*/size_t ti = tl; \ - const ip_##L *l = L##_tests[tl].L; \ -- if (l == NULL) continue; \ -+ if (l == NULL) \ -+ continue; \ - for (size_t tr = 0; tr < elemsof(R##_tests); tr++) { \ - const ip_##R *r = R##_tests[tr].R; \ -- if (r == NULL) continue; \ -+ if (r == NULL) \ -+ continue; \ - bool expected = false; \ - for (size_t to = 0; to < elemsof(L##_op_##R); to++) { \ - const typeof(L##_op_##R[0]) *op = &L##_op_##R[to]; \ -diff --git a/testing/programs/ipcheck/ip_range_check.c b/testing/programs/ipcheck/ip_range_check.c -index 256cf76c70..9f9a27db58 100644 ---- a/testing/programs/ipcheck/ip_range_check.c -+++ b/testing/programs/ipcheck/ip_range_check.c -@@ -389,7 +389,7 @@ static void check_range_op_range(void) - FAIL("ttorange(%s) failed: %s", t->R, oops); \ - } \ - } else { \ -- l = unset_range; \ -+ R = unset_range; \ - } - TT(l); - TT(r); -diff --git a/testing/programs/ipcheck/ip_sockaddr_check.c b/testing/programs/ipcheck/ip_sockaddr_check.c -index 538154b6e6..d9affb54f9 100644 ---- a/testing/programs/ipcheck/ip_sockaddr_check.c -+++ b/testing/programs/ipcheck/ip_sockaddr_check.c -@@ -20,6 +20,8 @@ - #include "ip_info.h" - #include "ip_protocol.h" - -+#include "lswlog.h" /* for DBG_dump_thing() */ -+ - #include "ipcheck.h" - - static void check_sockaddr_as_endpoint(void) -@@ -52,20 +54,25 @@ static void check_sockaddr_as_endpoint(void) - PRINT("%s '%s' -> '%s' len=%zd", pri_family(t->family), t->in, expect_out, t->size); - - /* construct a raw sockaddr */ -- ip_sockaddr sa = { -- .sa.sa = { -- .sa_family = SA_FAMILY(t->family), -- }, -+ ip_sockaddr sa = { - .len = t->size, - }; - switch (t->family) { - case 4: - memcpy(&sa.sa.sin.sin_addr, t->addr, sizeof(sa.sa.sin.sin_addr)); -+ sa.sa.sin.sin_family 
= AF_INET; - sa.sa.sin.sin_port = htons(t->port); -+#ifdef NEED_SIN_LEN -+ sa.sa.sin.sin_len = sizeof(struct sockaddr_in); -+#endif - break; - case 6: - memcpy(&sa.sa.sin6.sin6_addr, t->addr, sizeof(sa.sa.sin6.sin6_addr)); -+ sa.sa.sin6.sin6_family = AF_INET6; - sa.sa.sin6.sin6_port = htons(t->port); -+#ifdef NEED_SIN_LEN -+ sa.sa.sin6.sin6_len = sizeof(struct sockaddr_in6); -+#endif - break; - } - -@@ -107,6 +114,8 @@ static void check_sockaddr_as_endpoint(void) - esa.len, sizeof(esa.sa)); - } else if (!memeq(&esa.sa, &sa.sa, sizeof(esa.sa))) { - /* compare the entire buffer, not just size */ -+ DBG_dump_thing("esa.sa", esa.sa); -+ DBG_dump_thing("sa.sa", sa.sa); - FAIL("endpoint_to_sockaddr() returned a different value"); - } - } else { -diff --git a/testing/programs/ipcheck/ipcheck.c b/testing/programs/ipcheck/ipcheck.c -index ed13d1ed5c..8df45b5fd4 100644 ---- a/testing/programs/ipcheck/ipcheck.c -+++ b/testing/programs/ipcheck/ipcheck.c -@@ -25,21 +25,37 @@ - #include "lswtool.h" - - unsigned fails; --bool use_dns = true; -+enum have_dns have_dns = DNS_NO; - - int main(int argc, char *argv[]) - { -- struct logger *logger = tool_init_log(argv[0]); -+ leak_detective = true; - log_ip = false; /* force sensitive */ -+ struct logger *logger = tool_init_log(argv[0]); -+ -+ if (argc != 2) { -+ fprintf(stderr, "usage: %s --dns={no,hosts-file,yes}\n", argv[0]); -+ return 1; -+ } -+ -+ /* only one option for now */ -+ const char *dns = argv[1]; -+ if (!eat(dns, "--dns")) { -+ fprintf(stderr, "%s: unknown option '%s'\n", -+ argv[0], argv[1]); -+ return 1; -+ } - -- for (char **argp = argv+1; argp < argv+argc; argp++) { -- if (streq(*argp, "--nodns")) { -- use_dns = false; -- } else { -- fprintf(stderr, "%s: unknown option '%s'\n", -- argv[0], *argp); -- return 1; -- } -+ if (streq(dns, "=no")) { -+ have_dns = DNS_NO; -+ } else if (streq(dns, "=hosts-file") || streq(dns, "")) { -+ have_dns = HAVE_HOSTS_FILE; -+ } else if (streq(dns, "=yes")) { -+ have_dns = DNS_YES; -+ } 
else { -+ fprintf(stderr, "%s: unknown --dns param '%s'\n", -+ argv[0], dns); -+ return 1; - } - - ip_address_check(); -@@ -55,6 +71,10 @@ int main(int argc, char *argv[]) - ip_port_range_check(); - ip_cidr_check(); - -+ report_leaks(logger); -+ -+ -+ - if (fails > 0) { - fprintf(stderr, "TOTAL FAILURES: %d\n", fails); - return 1; -diff --git a/testing/programs/ipcheck/ipcheck.h b/testing/programs/ipcheck/ipcheck.h -index 7e7c2a284b..5cfdbf05f7 100644 ---- a/testing/programs/ipcheck/ipcheck.h -+++ b/testing/programs/ipcheck/ipcheck.h -@@ -44,7 +44,7 @@ extern void ip_cidr_check(void); - */ - - extern unsigned fails; --extern bool use_dns; -+extern enum have_dns { DNS_NO, HAVE_HOSTS_FILE, DNS_YES, } have_dns; - - #define pri_family(FAMILY) ((FAMILY) == 0 ? "0" : \ - (FAMILY) == 4 ? "IPv4" : \ diff --git a/libreswan-4.6-openssl-nss.patch b/libreswan-4.6-openssl-nss.patch deleted file mode 100644 index 62c0568..0000000 --- a/libreswan-4.6-openssl-nss.patch +++ /dev/null 
@@ -1,46 +0,0 @@
-commit 0212bc6a7c0ac3aa5d8da82bf22132993d339ffc
-Author: Paul Wouters
-Date: Thu Jan 13 15:31:50 2022 -0500
-
- building: fix fedora rawhide build
-
- Avoid clashing openssl/nss headers
-
- Patch based on work by Daiki Ueno
-
- Resolves: https://github.com/libreswan/libreswan/pull/611
-
-diff --git a/programs/pluto/ikev2_ipseckey.h b/programs/pluto/ikev2_ipseckey.h
-index 243e5b1776..5ef3f966ec 100644
---- a/programs/pluto/ikev2_ipseckey.h
-+++ b/programs/pluto/ikev2_ipseckey.h
-@@ -1,5 +1,3 @@
--#include "state.h"
--
- #ifndef _IKEV2_IPSECKEY_H
- #define _IKEV2_IPSECKEY_H
- 
-@@ -11,6 +9,8 @@
- 
- #define IS_LIBUNBOUND LSW_LIBUNBOUND_ENABLED
- 
-+struct ike_sa;
-+
- typedef enum {
- DNS_OK = STF_OK,
- DNS_FATAL = STF_FATAL,
-diff --git a/programs/pluto/ikev2_ipseckey_dnsr.c b/programs/pluto/ikev2_ipseckey_dnsr.c
-index b07ed72f2b..09767bf65d 100644
---- a/programs/pluto/ikev2_ipseckey_dnsr.c
-+++ b/programs/pluto/ikev2_ipseckey_dnsr.c
-@@ -32,7 +32,9 @@
- #include "dnssec.h" /* includes unbound.h */
- #include "ikev2_ipseckey.h" /* for dns_status */
- #include "ikev2_ipseckey_dnsr.h"
--#include "secrets.h"
-+
-+/* Do not include secrets.h as it will cause conflicts via NSS/OPENSSL headers */
-+extern const struct pubkey_type pubkey_type_rsa;
- 
- struct p_dns_req *pluto_dns_list = NULL; /* DNS queries linked list */
-