rpms/libreswan
5
0
Fork 0
Code Issues Pull Requests Releases Activity

cleanup old obsoleted patches

Browse Source
This commit is contained in:
Paul Wouters 2023-01-10 13:50:11 -05:00
parent 3ee4c1aee5
commit 74667615e4
No known key found for this signature in database
GPG Key ID: DB48D2E5122468BF
14 changed files with 0 additions and 1516 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
libreswan-3.23-crypto-policies.patch
View File

@ -1,66 +0,0 @@
diff --git a/lib/libipsecconf/parser.l b/lib/libipsecconf/parser.l
index c41dd8048..cc2faf5c9 100644
--- a/lib/libipsecconf/parser.l
+++ b/lib/libipsecconf/parser.l
@@ -160,7 +160,9 @@ static int parser_y_nextglobfile(struct ic_inputsource *iis)
char ebuf[128];
snprintf(ebuf, sizeof(ebuf),
- "cannot open include filename: '%s': %s",
+ (strstr(iis->filename, "crypto-policies/back-ends/libreswan.config") == NULL) ?
+ "cannot open include filename: '%s': %s" :
+ "ignored loading default system-wide crypto-policies file '%s': %s",
iis->fileglob.gl_pathv[fcnt],
strerror(errno));
yyerror(ebuf);
diff --git a/programs/configs/ipsec.conf.in b/programs/configs/ipsec.conf.in
index 7374efc3c..974699f01 100644
--- a/programs/configs/ipsec.conf.in
+++ b/programs/configs/ipsec.conf.in
@@ -1,27 +1,18 @@
# @FINALCONFDIR@/ipsec.conf - Libreswan IPsec configuration file
#
-# Manual: ipsec.conf.5
+# see 'man ipsec.conf' and 'man pluto' for more information
+#
+# For example configurations and documentation, see https://libreswan.org/wiki/
config setup
- # Normally, pluto logs via syslog. If you want to log to a file,
- # specify below or to disable logging, eg for embedded systems, use
- # the file name /dev/null
- # Note: SElinux policies might prevent pluto writing to a log file at
- # an unusual location.
+ # Normally, pluto logs via syslog.
#logfile=/var/log/pluto.log
#
# Do not enable debug options to debug configuration issues!
#
- # plutodebug "all", "none" or a combation from below:
- # "raw crypt parsing emitting control controlmore kernel pfkey
- # natt x509 dpd dns oppo oppoinfo private".
- # Note: "private" is not included with "all", as it can show confidential
- # information. It must be specifically specified
- # examples:
# plutodebug="control parsing"
# plutodebug="all crypt"
- # Again: only enable plutodebug when asked by a developer
- #plutodebug=none
+ plutodebug=none
#
# NAT-TRAVERSAL support
# exclude networks used on server side by adding %v4:!a.b.c.0/24
@@ -30,10 +21,8 @@ config setup
# This range has never been announced via BGP (at least up to 2015)
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
-# For example connections, see your distribution's documentation directory,
-# or https://libreswan.org/wiki/
-#
-# There is also a lot of information in the manual page, "man ipsec.conf"
-#
+# if it exists, include system wide crypto-policy defaults
+include /etc/crypto-policies/back-ends/libreswan.config
+
# It is best to add your IPsec connections as separate files in @IPSEC_CONFDDIR@/
include @IPSEC_CONFDDIR@/*.conf

507
libreswan-3.23-fixups.patch
View File

@ -1,507 +0,0 @@
diff -Naur libreswan-3.23-orig/programs/pluto/connections.c libreswan-3.23/programs/pluto/connections.c
--- libreswan-3.23-orig/programs/pluto/connections.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/connections.c 2018-02-05 14:38:49.372280712 -0500
@@ -3158,10 +3158,8 @@
matching_peer_id && matching_peer_ca && matching_requested_ca,
matching_peer_id, matching_peer_ca, matching_requested_ca);});
- /* Ignore template from which we instantiated - this should never happen */
if (c->kind == CK_INSTANCE && d->kind == CK_TEMPLATE && streq(c->name, d->name)) {
- libreswan_log("Warning: not switching back to template of current instance (FIXME)");
- continue;
+ DBG(DBG_CONTROLMORE, DBG_log("template conn fits better than instance of it - different client on same IP/port requires new instance"));
}
/* 'You Tarzan, me Jane' check based on received IDr */
diff -Naur libreswan-3.23-orig/programs/pluto/hostpair.c libreswan-3.23/programs/pluto/hostpair.c
--- libreswan-3.23-orig/programs/pluto/hostpair.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/hostpair.c 2018-02-05 14:38:57.865635032 -0500
@@ -144,17 +144,6 @@
hisport = pluto_port;
for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next) {
- if (p->connections != NULL && (p->connections->kind == CK_INSTANCE) &&
- (p->connections->spd.that.id.kind == ID_NULL))
- {
- DBG(DBG_CONTROLMORE, {
- char ci[CONN_INST_BUF];
- DBG_log("find_host_pair: ignore CK_INSTANCE with ID_NULL hp:\"%s\"%s",
- p->connections->name,
- fmt_conn_instance(p->connections, ci));
- });
- continue;
- }
DBG(DBG_CONTROLMORE, {
ipstr_buf b1;
diff -Naur libreswan-3.23-orig/programs/pluto/ikev2.h libreswan-3.23/programs/pluto/ikev2.h
--- libreswan-3.23-orig/programs/pluto/ikev2.h 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/ikev2.h 2018-02-05 14:39:11.171190105 -0500
@@ -162,7 +162,9 @@
extern bool ikev2_calculate_rsa_sha1(struct state *st,
enum original_role role,
unsigned char *idhash,
- pb_stream *a_pbs);
+ pb_stream *a_pbs,
+ bool calc_no_ppk_auth,
+ chunk_t *no_ppk_auth);
extern bool ikev2_create_psk_auth(enum keyword_authby authby,
struct state *st,
diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_parent.c libreswan-3.23/programs/pluto/ikev2_parent.c
--- libreswan-3.23-orig/programs/pluto/ikev2_parent.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/ikev2_parent.c 2018-02-05 14:39:11.173190188 -0500
@@ -2783,7 +2783,9 @@
switch (a.isaa_type) {
case IKEv2_AUTH_RSA:
- if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs)) {
+ if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs,
+ FALSE, /* store-only not set */
+ NULL /* store-only chunk unused */)) {
loglog(RC_LOG_SERIOUS, "Failed to find our RSA key");
return STF_FATAL;
}
@@ -2792,7 +2794,7 @@
case IKEv2_AUTH_PSK:
case IKEv2_AUTH_NULL:
if (!ikev2_create_psk_auth(authby, pst, idhash_out, &a_pbs,
- FALSE /* store-only not set */,
+ FALSE, /* store-only not set */
NULL /* store-only chunk unused */)) {
loglog(RC_LOG_SERIOUS, "Failed to find our PreShared Key");
return STF_FATAL;
@@ -2812,7 +2814,9 @@
return STF_INTERNAL_ERROR;
}
- if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs)) {
+ if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs,
+ FALSE, /* store-only not set */
+ NULL /* store-only chunk unused */)) {
loglog(RC_LOG_SERIOUS, "DigSig: failed to find our RSA key");
return STF_FATAL;
}
@@ -3224,7 +3228,7 @@
hmac_update(&id_ctx, id_start, id_len);
hmac_final(idhash, &id_ctx);
- if (pst->st_sk_pi_no_ppk != NULL) {
+ if (pst->st_seen_ppk && !LIN(POLICY_PPK_INSIST, pc->policy)) {
struct hmac_ctx id_ctx_npa;
hmac_init(&id_ctx_npa, pst->st_oakley.ta_prf, pst->st_sk_pi_no_ppk);
@@ -3371,7 +3375,7 @@
notifies++;
if (pst->st_seen_ppk)
- notifies++; /* used for two payloads */
+ notifies++; /* used for one or two payloads */
/* code does not support AH + ESP, not recommend rfc8221 section-4 */
struct ipsec_proto_info *proto_info
@@ -3437,21 +3441,24 @@
}
if (pst->st_seen_ppk) {
chunk_t notify_data = create_unified_ppk_id(&ppk_id_p);
+ int np = LIN(POLICY_PPK_INSIST, cc->policy) ? ISAKMP_NEXT_v2NONE : ISAKMP_NEXT_v2N;
- notifies--; /* used for 2 payloads */
- if (!ship_v2N(ISAKMP_NEXT_v2N, ISAKMP_PAYLOAD_NONCRITICAL,
- PROTO_v2_RESERVED, &empty_chunk,
- v2N_PPK_IDENTITY, &notify_data,
- &e_pbs_cipher))
- return STF_INTERNAL_ERROR;
+ notifies--; /* used for one or two payloads */
+ if (!ship_v2N(np, ISAKMP_PAYLOAD_NONCRITICAL,
+ PROTO_v2_RESERVED, &empty_chunk,
+ v2N_PPK_IDENTITY, &notify_data,
+ &e_pbs_cipher))
+ return STF_INTERNAL_ERROR;
freeanychunk(notify_data);
- ikev2_calc_no_ppk_auth(cc, pst, idhash_npa, &pst->st_no_ppk_auth);
- if (!ship_v2N(ISAKMP_NEXT_v2NONE, ISAKMP_PAYLOAD_NONCRITICAL,
- PROTO_v2_RESERVED, &empty_chunk,
- v2N_NO_PPK_AUTH, &pst->st_no_ppk_auth,
- &e_pbs_cipher))
- return STF_INTERNAL_ERROR;
+ if (!LIN(POLICY_PPK_INSIST, cc->policy)) {
+ ikev2_calc_no_ppk_auth(cc, pst, idhash_npa, &pst->st_no_ppk_auth);
+ if (!ship_v2N(ISAKMP_NEXT_v2NONE, ISAKMP_PAYLOAD_NONCRITICAL,
+ PROTO_v2_RESERVED, &empty_chunk,
+ v2N_NO_PPK_AUTH, &pst->st_no_ppk_auth,
+ &e_pbs_cipher))
+ return STF_INTERNAL_ERROR;
+ }
}
passert(notifies == 0);
diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_ppk.c libreswan-3.23/programs/pluto/ikev2_ppk.c
--- libreswan-3.23-orig/programs/pluto/ikev2_ppk.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/ikev2_ppk.c 2018-02-05 14:39:11.173190188 -0500
@@ -113,7 +113,24 @@
enum keyword_authby authby = c->spd.this.authby;
switch (authby) {
case AUTH_RSASIG:
- /* TODO */
+ if (ikev2_calculate_rsa_sha1(st, st->st_original_role, id_hash, NULL, TRUE, no_ppk_auth)) {
+ if (st->st_hash_negotiated & NEGOTIATE_AUTH_HASH_SHA1) {
+ /* make blobs separately, and somehow combine them and no_ppk_auth
+ * to get an actual no_ppk_auth */
+ int len = ASN1_LEN_ALGO_IDENTIFIER + ASN1_SHA1_RSA_OID_SIZE + no_ppk_auth->len;
+ u_char *blobs = alloc_bytes(len, "bytes for blobs for AUTH_DIGSIG NO_PPK_AUTH");
+ u_char *ret = blobs;
+ memcpy(blobs, len_sha1_rsa_oid_blob, ASN1_LEN_ALGO_IDENTIFIER);
+ blobs += ASN1_LEN_ALGO_IDENTIFIER;
+ memcpy(blobs, sha1_rsa_oid_blob, ASN1_SHA1_RSA_OID_SIZE);
+ blobs += ASN1_SHA1_RSA_OID_SIZE;
+ memcpy(blobs, no_ppk_auth->ptr, no_ppk_auth->len);
+ chunk_t release = *no_ppk_auth;
+ setchunk(*no_ppk_auth, ret, len);
+ freeanychunk(release);
+ }
+ }
+ return STF_OK;
break;
case AUTH_PSK:
if (ikev2_create_psk_auth(AUTH_PSK, st, id_hash, NULL, TRUE, no_ppk_auth))
diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_rsa.c libreswan-3.23/programs/pluto/ikev2_rsa.c
--- libreswan-3.23-orig/programs/pluto/ikev2_rsa.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/ikev2_rsa.c 2018-02-05 14:39:11.173190188 -0500
@@ -101,7 +101,9 @@
bool ikev2_calculate_rsa_sha1(struct state *st,
enum original_role role,
unsigned char *idhash,
- pb_stream *a_pbs)
+ pb_stream *a_pbs,
+ bool calc_no_ppk_auth,
+ chunk_t *no_ppk_auth)
{
unsigned char signed_octets[SHA1_DIGEST_SIZE + 16];
size_t signed_len;
@@ -136,8 +138,13 @@
if (shr == 0)
return FALSE;
passert(shr == (int)sz);
- if (!out_raw(sig_val, sz, a_pbs, "rsa signature"))
- return FALSE;
+ if (calc_no_ppk_auth == FALSE) {
+ if (!out_raw(sig_val, sz, a_pbs, "rsa signature"))
+ return FALSE;
+ } else {
+ clonetochunk(*no_ppk_auth, sig_val, sz, "NO_PPK_AUTH chunk");
+ DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH payload", *no_ppk_auth));
+ }
}
return TRUE;
diff -Naur libreswan-3.23-orig/programs/pluto/nss_cert_verify.c libreswan-3.23/programs/pluto/nss_cert_verify.c
--- libreswan-3.23-orig/programs/pluto/nss_cert_verify.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/nss_cert_verify.c 2018-02-05 14:38:52.685418927 -0500
@@ -498,60 +498,83 @@
bool cert_VerifySubjectAltName(const CERTCertificate *cert, const char *name)
{
- SECStatus rv;
SECItem subAltName;
- PLArenaPool *arena = NULL;
- CERTGeneralName *nameList = NULL;
- CERTGeneralName *current = NULL;
- bool san_ip = FALSE;
- unsigned int len = strlen(name);
- ip_address myip;
-
- rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME,
+ SECStatus rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME,
&subAltName);
if (rv != SECSuccess) {
DBG(DBG_X509, DBG_log("certificate contains no subjectAltName extension"));
return FALSE;
}
- if (tnatoaddr(name, 0, AF_UNSPEC, &myip) == NULL)
- san_ip = TRUE;
+ ip_address myip;
+ bool san_ip = (tnatoaddr(name, 0, AF_UNSPEC, &myip) == NULL);
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
passert(arena != NULL);
- nameList = current = CERT_DecodeAltNameExtension(arena, &subAltName);
- passert(current != NULL);
+ CERTGeneralName *nameList = CERT_DecodeAltNameExtension(arena, &subAltName);
- do
- {
+ if (nameList == NULL) {
+ loglog(RC_LOG_SERIOUS, "certificate subjectAltName extension failed to decode");
+ PORT_FreeArena(arena, PR_FALSE);
+ return FALSE;
+ }
+
+ /*
+ * nameList is a pointer into a non-empty circular linked list.
+ * This loop visits each entry.
+ * We have visited each when we come back to the start.
+ * We test only at the end, after we advance, because we want to visit
+ * the first entry the first time we see it but stop when we get to it
+ * the second time.
+ */
+ CERTGeneralName *current = nameList;
+ do {
switch (current->type) {
case certDNSName:
case certRFC822Name:
- if (san_ip)
- break;
- if (current->name.other.len == len) {
- if (memcmp(current->name.other.data, name, len) == 0) {
- DBG(DBG_X509, DBG_log("subjectAltname %s found in certificate", name));
- PORT_FreeArena(arena, PR_FALSE);
- return TRUE;
- }
- }
+ {
+ /*
+ * Match the parameter name with the name in the certificate.
+ * The name in the cert may start with "*."; that will match
+ * any initial component in name (up to the first '.').
+ */
+ /* we need to cast because name.other.data is unsigned char * */
+ const char *c_ptr = (const void *) current->name.other.data;
+ size_t c_len = current->name.other.len;
+
+ const char *n_ptr = name;
+ static const char wild[] = "*.";
+ const size_t wild_len = sizeof(wild) - 1;
+
+ if (c_len > wild_len && startswith(c_ptr, wild)) {
+ /* wildcard in cert: ignore first component of name */
+ c_ptr += wild_len;
+ c_len -= wild_len;
+ n_ptr = strchr(n_ptr, '.');
+ if (n_ptr == NULL)
+ break; /* cannot match */
- if (current->name.other.len != 0 && current->name.other.len < IDTOA_BUF) {
- char osan[IDTOA_BUF];
+ n_ptr++; /* skip . */
+ }
- memcpy(osan,current->name.other.data, current->name.other.len);
- osan[current->name.other.len] = '\0';
- DBG(DBG_X509, DBG_log("subjectAltname (len=%d) %s not match %s", current->name.other.len, osan, name));
- } else {
- DBG(DBG_X509, DBG_log("subjectAltname <TOO BIG TO PRINT> does not match %s", name));
+ if (c_len == strlen(n_ptr) && strncaseeq(n_ptr, c_ptr, c_len)) {
+ /*
+ * ??? if current->name.other.data contains bad characters,
+ * what prevents them being logged?
+ */
+ DBG(DBG_X509, DBG_log("subjectAltname %s matched %*s in certificate",
+ name, current->name.other.len, current->name.other.data));
+ PORT_FreeArena(arena, PR_FALSE);
+ return TRUE;
}
break;
+ }
case certIPAddress:
if (!san_ip)
break;
+
if ((current->name.other.len == 4) && (addrtypeof(&myip) == AF_INET)) {
if (memcmp(current->name.other.data, &myip.u.v4.sin_addr.s_addr, 4) == 0) {
DBG(DBG_X509, DBG_log("subjectAltname IPv4 matches %s", name));
@@ -572,7 +595,7 @@
break;
}
}
- DBG(DBG_X509, DBG_log("subjectAltnamea IP address family mismatch for %s", name));
+ DBG(DBG_X509, DBG_log("subjectAltname IP address family mismatch for %s", name));
break;
default:
diff -Naur libreswan-3.23-orig/programs/_unbound-hook/_unbound-hook.in libreswan-3.23/programs/_unbound-hook/_unbound-hook.in
--- libreswan-3.23-orig/programs/_unbound-hook/_unbound-hook.in 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/_unbound-hook/_unbound-hook.in 2018-02-05 14:38:49.373280754 -0500
@@ -1,31 +1,52 @@
#!/usr/bin/python
+#
+# Copyright (C) 2018 Paul Wouters <pwouters@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
import sys
-import base64
-import commands
+import subprocess
-log = ""
-
-status, myip = commands.getstatusoutput("ip -o route get 1.0.0.1")
+# Get my %defaultroute IP address
+myip = subprocess.check_output("ip -o route get 8.8.8.8", shell=True)
myip = myip.split("src")[1].strip().split()[0]
argv = sys.argv
-argc = len(sys.argv)
+ourself = argv.pop(0)
-#log += "Number or arguments is %d\n"%argc
-#if argc >= 4:
-# log += "QNAME:%s\n"%argv[1]
-# log += "TTL:%s\n"%argv[2]
-# log += "IP:%s\n"%argv[3]
-# log += "IPSECKEY:%s\n"%argv[4]
-# rr = argv[4]
-# pref, gwtype, algo, gw, pubkey = rr.split(" ")
-#log += "-----------------------------\n"
-
-cmdname = "@IPSEC_EXECDIR@/whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(argv[1], pubkey)
-cmdip = "@IPSEC_EXECDIR@/whack --keyid %s --addkey --pubkeyrsa 0s%s"%(argv[3], pubkey)
-cmdoe = "@IPSEC_EXECDIR@/whack --oppohere %s --oppothere %s"%(myip, argv[3])
-ret, output = commands.getstatusoutput(cmdname)
-ret, output = commands.getstatusoutput(cmdip)
-ret, output = commands.getstatusoutput(cmdoe)
-ret, output = commands.getstatusoutput("@IPSEC_EXECDIR@ whack --trafficstatus")
+try:
+ qname = argv.pop(0)
+ ttl = argv.pop(0)
+ ip = argv.pop(0)
+except:
+ sys.exit("Bad arguments to ipsec _unbound")
+
+while (argv != []):
+ try:
+ gwprec = argv.pop(0)
+ gwtype = argv.pop(0)
+ gwalg = argv.pop(0)
+ gwid = argv.pop(0)
+ pubkey = argv.pop(0)
+ addkeyip = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
+ addkeyhostname = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(qname, pubkey)
+ print("processing an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip))
+ print(subprocess.call(addkeyip, shell=True))
+ print(subprocess.call(addkeyhostname, shell=True))
+ except:
+ sys.exit("failed to process an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip))
+
+# done injecting all IPSECKEY records into pluto - try actual OE now
+cmdoeip = "ipsec whack --oppohere %s --oppothere %s"%(myip, ip)
+print(subprocess.check_output(cmdoeip, shell=True))
+#cmdoeqname = "ipsec whack --oppohere %s --oppothere %s"%(myip, qname)
+#ret, output = commands.getstatusoutput(cmdoeqname)
+print(subprocess.check_output("ipsec whack --trafficstatus", shell=True))
diff --git a/include/ietf_constants.h b/include/ietf_constants.h
index 8a1ba5d..38fa4de 100644
--- a/include/ietf_constants.h
+++ b/include/ietf_constants.h
@@ -1215,7 +1215,7 @@ enum ikev2_cp_attribute_type {
IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO = 23,
IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK = 24,
IKEv2_INTERNAL_DNS_DOMAIN = 25,
- /* IKEv2_INTERNAL_DNSSEC_TA = 26 expected */
+ IKEv2_INTERNAL_DNSSEC_TA = 26
};
diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c
index 9ea9872..ab6db3e 100644
--- a/lib/libswan/constants.c
+++ b/lib/libswan/constants.c
@@ -1365,13 +1365,12 @@ static const char *const ikev2_cp_attribute_type_name[] = {
"IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO", /* 3gpp */
"IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK", /* 3gpp */
"IKEv2_INTERNAL_DNS_DOMAIN", /* draft-ietf-ipsecme-split-dns */
- /* "IKEv2_INTERNAL_DNSSEC_TA", draft-ietf-ipsecme-split-dns, no Code Point yet */
+ "IKEv2_INTERNAL_DNSSEC_TA", /* draft-ietf-ipsecme-split-dns */
};
enum_names ikev2_cp_attribute_type_names = {
IKEv2_CP_ATTR_RESERVED,
- IKEv2_INTERNAL_DNS_DOMAIN,
- /* IKEv2_INTERNAL_DNSSEC_TA, */
+ IKEv2_INTERNAL_DNSSEC_TA,
ARRAY_REF(ikev2_cp_attribute_type_name),
NULL, /* prefix */
NULL
diff --git a/programs/addconn/addconn.c b/programs/addconn/addconn.c
index ae56972..e818e0e 100644
--- a/programs/addconn/addconn.c
+++ b/programs/addconn/addconn.c
@@ -416,12 +416,11 @@ int main(int argc, char *argv[])
if (verbose)
printf(" Pass #1: Loading auto=add, auto=route and auto=start connections\n");
- for (conn = cfg->conns.tqh_first;
- conn != NULL;
- conn = conn->link.tqe_next) {
+ for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) {
if (conn->desired_state == STARTUP_ADD ||
conn->desired_state == STARTUP_ONDEMAND ||
- conn->desired_state == STARTUP_START) {
+ conn->desired_state == STARTUP_START)
+ {
if (verbose)
printf(" %s", conn->name);
resolve_defaultroute(conn);
@@ -436,30 +435,22 @@ int main(int argc, char *argv[])
starter_whack_listen(cfg);
if (verbose)
- printf(" Pass #2: Routing auto=route and auto=start connections\n");
+ printf(" Pass #2: Routing auto=route connections\n");
- for (conn = cfg->conns.tqh_first;
- conn != NULL;
- conn = conn->link.tqe_next) {
- if (conn->desired_state == STARTUP_ADD ||
- conn->desired_state == STARTUP_ONDEMAND ||
- conn->desired_state == STARTUP_START) {
+ for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) {
+ if (conn->desired_state == STARTUP_ONDEMAND)
+ {
if (verbose)
printf(" %s", conn->name);
- resolve_defaultroute(conn);
- if (conn->desired_state == STARTUP_ONDEMAND ||
- conn->desired_state == STARTUP_START) {
+ if (conn->desired_state == STARTUP_ONDEMAND)
starter_whack_route_conn(cfg, conn);
- }
}
}
if (verbose)
printf(" Pass #3: Initiating auto=start connections\n");
- for (conn = cfg->conns.tqh_first;
- conn != NULL;
- conn = conn->link.tqe_next) {
+ for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) {
if (conn->desired_state == STARTUP_START) {
if (verbose)
printf(" %s", conn->name);
diff --git a/programs/_updown.netkey/_updown.netkey.in b/programs/_updown.netkey/_updown.netkey.in
index 64b2808..b343445 100644
--- a/programs/_updown.netkey/_updown.netkey.in
+++ b/programs/_updown.netkey/_updown.netkey.in
@@ -745,6 +745,7 @@ case "${PLUTO_VERB}" in
up-client)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
+ addvtiiface
updateresolvconf
addcat
addsource

82
libreswan-3.23-gcc8.patch
View File

@ -1,82 +0,0 @@
diff -Naur libreswan-3.23-orig/programs/pluto/kernel_netlink.c libreswan-3.23/programs/pluto/kernel_netlink.c
--- libreswan-3.23-orig/programs/pluto/kernel_netlink.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/kernel_netlink.c 2018-02-19 18:56:24.433527475 -0500
@@ -51,8 +51,9 @@
#include <linux/if_addr.h>
#include <linux/if_link.h>
-#include "libreswan.h" /* before xfrm.h otherwise break on F22 */
+//#include <netinet/in.h>
#include "linux/xfrm.h" /* local (if configured) or system copy */
+#include "libreswan.h" /* before xfrm.h otherwise break on F22 */
#include "libreswan/pfkeyv2.h"
#include "libreswan/pfkey.h"
diff -Naur libreswan-3.23-orig/programs/pluto/linux_audit.c libreswan-3.23/programs/pluto/linux_audit.c
--- libreswan-3.23-orig/programs/pluto/linux_audit.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/linux_audit.c 2018-02-19 18:58:51.356837932 -0500
@@ -74,6 +74,15 @@
#include "pluto_stats.h"
+#if __GNUC__ >= 7
+ /*
+ * GCC 7+ warns about the following calls that truncate a string using
+ * snprintf(). We are truncating the log message for a reason.
+ */
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wformat-truncation"
+#endif
+
static bool log_to_audit = FALSE; /* audit log messages for kernel */
void linux_audit_init(void)
@@ -159,13 +168,13 @@
char raddr[ADDRTOT_BUF];
char laddr[ADDRTOT_BUF];
char audit_str[AUDIT_LOG_SIZE];
- char cipher_str[AUDIT_LOG_SIZE];
- char spi_str[AUDIT_LOG_SIZE];
+ char cipher_str[20];
+ char spi_str[20];
struct connection *const c = st->st_connection;
bool initiator = FALSE;
char head[IDTOA_BUF];
- char integname[IDTOA_BUF];
- char prfname[IDTOA_BUF];
+ char integname[20];
+ char prfname[20];
struct esb_buf esb, esb2;
/* we need to free() this */
char *conn_encode = audit_encode_nv_string("conn-name",c->name,0);
@@ -300,3 +309,6 @@
AUDIT_CRYPTO_IPSEC_SA : AUDIT_CRYPTO_IKE_SA,
audit_str, raddr, AUDIT_RESULT_OK);
}
+#if __GNUC__ >= 7
+#pragma GCC diagnostic pop
+#endif
diff -Naur libreswan-3.23-orig/programs/pluto/log.h libreswan-3.23/programs/pluto/log.h
--- libreswan-3.23-orig/programs/pluto/log.h 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/log.h 2018-02-19 18:56:24.433527475 -0500
@@ -154,7 +154,7 @@
#ifdef USE_LINUX_AUDIT
#include <libaudit.h> /* from audit-libs devel */
-#define AUDIT_LOG_SIZE 256
+#define AUDIT_LOG_SIZE 512
/* should really be in libaudit.h */
#define AUDIT_RESULT_FAIL 0
#define AUDIT_RESULT_OK 1
diff -Naur libreswan-3.23-orig/programs/pluto/pluto_constants.c libreswan-3.23/programs/pluto/pluto_constants.c
--- libreswan-3.23-orig/programs/pluto/pluto_constants.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/pluto_constants.c 2018-02-19 18:56:24.434527471 -0500
@@ -478,7 +478,7 @@
policy &
~(POLICY_SHUNT_MASK | POLICY_FAIL_MASK),
pbitnamesbuf, sizeof(pbitnamesbuf));
- static char buf[200]; /* NOT RE-ENTRANT! I hope that it is big enough! */
+ static char buf[512]; /* NOT RE-ENTRANT! I hope that it is big enough! */
lset_t shunt = (policy & POLICY_SHUNT_MASK) >> POLICY_SHUNT_SHIFT;
lset_t fail = (policy & POLICY_FAIL_MASK) >> POLICY_FAIL_SHIFT;

116
libreswan-3.23-ppk-update.patch
View File

@ -1,116 +0,0 @@
diff --git a/include/ietf_constants.h b/include/ietf_constants.h
index 38fa4de..08c8d9e 100644
--- a/include/ietf_constants.h
+++ b/include/ietf_constants.h
@@ -1486,12 +1486,14 @@ typedef enum {
v2N_SENDER_REQUEST_ID = 16429, /* draft-yeung-g-ikev2 */
v2N_IKEV2_FRAGMENTATION_SUPPORTED = 16430, /* RFC-7383 */
v2N_SIGNATURE_HASH_ALGORITHMS = 16431, /* RFC-7427 */
-
- v2N_USE_PPK = 40960, /* draft-ietf-ipsecme-qr-ikev2-01 */
- v2N_PPK_IDENTITY = 40961, /* draft-ietf-ipsecme-qr-ikev2-01 */
- v2N_NO_PPK_AUTH = 40962, /* draft-ietf-ipsecme-qr-ikev2-01 */
-
- /* 16432 - 40969 Unassigned */
+ v2N_CLONE_IKE_SA_SUPPORTED = 16432, /* RFC-7791 */
+ v2N_CLONE_IKE_SA = 16433, /* RFC-7791 */
+ v2N_PUZZLE = 16434, /* RFC-8019 */
+ v2N_USE_PPK = 16435, /* draft-ietf-ipsecme-qr-ikev2 */
+ v2N_PPK_IDENTITY = 16436, /* draft-ietf-ipsecme-qr-ikev2 */
+ v2N_NO_PPK_AUTH = 16437, /* draft-ietf-ipsecme-qr-ikev2 */
+
+ /* 16438 - 40969 Unassigned */
/* 40960 - 65535 Private Use */
} v2_notification_t;
diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c
index ab6db3e..a0dab63 100644
--- a/lib/libswan/constants.c
+++ b/lib/libswan/constants.c
@@ -1634,20 +1634,6 @@ static enum_names ikev2_ppk_id_type_names = {
};
*/
-static const char *const ikev2_notify_name_private[] = {
- "v2N_USE_PPK",
- "v2N_PPK_IDENTITY",
- "v2N_NO_PPK_AUTH",
-};
-
-static enum_names ikev2_notify_names_private = {
- v2N_USE_PPK,
- v2N_NO_PPK_AUTH,
- ARRAY_REF(ikev2_notify_name_private),
- "v2N_", /* prefix */
- NULL
-};
-
/* http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xml#ikev2-parameters-13 */
static const char *const ikev2_notify_name_16384[] = {
"v2N_INITIAL_CONTACT", /* 16384 */
@@ -1698,14 +1684,20 @@ static const char *const ikev2_notify_name_16384[] = {
"v2N_SENDER_REQUEST_ID",
"v2N_IKEV2_FRAGMENTATION_SUPPORTED", /* 16430 */
"v2N_SIGNATURE_HASH_ALGORITHMS",
+ "v2N_CLONE_IKE_SA_SUPPORTED",
+ "v2N_CLONE_IKE_SA",
+ "v2N_PUZZLE",
+ "v2N_USE_PPK", /* 16435 */
+ "v2N_PPK_IDENTITY",
+ "v2N_NO_PPK_AUTH",
};
static enum_names ikev2_notify_names_16384 = {
v2N_INITIAL_CONTACT,
- v2N_SIGNATURE_HASH_ALGORITHMS,
+ v2N_NO_PPK_AUTH,
ARRAY_REF(ikev2_notify_name_16384),
"v2N_", /* prefix */
- &ikev2_notify_names_private
+ NULL
};
static const char *const ikev2_notify_name[] = {
diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c
index 258ba85..b86eea8 100644
--- a/programs/pluto/ikev2_parent.c
+++ b/programs/pluto/ikev2_parent.c
@@ -3749,18 +3749,14 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md)
break;
}
- if (LIN(POLICY_PPK_ALLOW, policy)) {
- no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH");
+ no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH");
- if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) {
- loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len);
- return STF_FATAL;
- }
- DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth));
- st->st_no_ppk_auth = no_ppk_auth;
- } else {
- libreswan_log("ignored received NO_PPK_AUTH - connection does not allow PPK");
+ if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) {
+ loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len);
+ return STF_FATAL;
}
+ DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth));
+ st->st_no_ppk_auth = no_ppk_auth;
break;
}
case v2N_MOBIKE_SUPPORTED:
@@ -3774,8 +3770,11 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md)
}
}
- /* if we found proper PPK ID, we should use that without fallback to no ppk */
- if (found_ppk)
+ /*
+ * If we found proper PPK ID and policy allows PPK, use that.
+ * Otherwise use NO_PPK_AUTH
+ */
+ if (found_ppk && LIN(POLICY_PPK_ALLOW, policy))
freeanychunk(st->st_no_ppk_auth);
if (!found_ppk && LIN(POLICY_PPK_INSIST, policy)) {

24
libreswan-3.23-seccomp.patch
View File

@ -1,24 +0,0 @@
diff -Naur libreswan-3.23-orig/programs/addconn/addconn.c libreswan-3.23/programs/addconn/addconn.c
--- libreswan-3.23-orig/programs/addconn/addconn.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/addconn/addconn.c 2018-02-05 14:13:25.758711788 -0500
@@ -140,7 +140,9 @@
rc |= S_RULE_ADD(set_robust_list);
rc |= S_RULE_ADD(set_tid_address);
rc |= S_RULE_ADD(socket);
+ rc |= S_RULE_ADD(socketcall);
rc |= S_RULE_ADD(socketpair);
+ rc |= S_RULE_ADD(stat);
rc |= S_RULE_ADD(statfs);
rc |= S_RULE_ADD(uname);
rc |= S_RULE_ADD(write);
diff -Naur libreswan-3.23-orig/programs/pluto/pluto_seccomp.c libreswan-3.23/programs/pluto/pluto_seccomp.c
--- libreswan-3.23-orig/programs/pluto/pluto_seccomp.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/pluto_seccomp.c 2018-02-05 14:13:38.390239502 -0500
@@ -109,6 +109,7 @@
rc |= S_RULE_ADD(set_robust_list);
rc |= S_RULE_ADD(setsockopt);
rc |= S_RULE_ADD(socket);
+ rc |= S_RULE_ADD(socketcall);
rc |= S_RULE_ADD(socketpair);
rc |= S_RULE_ADD(sysinfo);
rc |= S_RULE_ADD(uname);

62
libreswan-3.25-relax-delete.patch
View File

@ -1,62 +0,0 @@
diff --git a/programs/pluto/state.c b/programs/pluto/state.c
index 7b33145..a3bcc3c 100644
--- a/programs/pluto/state.c
+++ b/programs/pluto/state.c
@@ -3155,27 +3155,40 @@ void ISAKMP_SA_established(const struct state *pst)
d = next;
}
- if (c->newest_isakmp_sa != SOS_NOBODY &&
- c->newest_isakmp_sa != pst->st_serialno) {
- struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa);
+ /*
+ * This only affects IKEv2, since we don't store any
+ * received INITIAL_CONTACT for IKEv1.
+ * We don't do this on IKEv1, because it seems to
+ * confuse various third parties (Windows, Cisco VPN 300,
+ * and juniper
+ * likely because this would be called before the IPsec SA
+ * of QuickMode is installed, so the remote endpoints view
+ * this IKE SA still as the active one?
+ */
+ if (pst->st_seen_initialc) {
- DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s",
- old_p1->st_connection->name));
- old_p1->st_suppress_del_notify = TRUE;
- event_force(EVENT_SA_EXPIRE, old_p1);
- }
+ if (c->newest_isakmp_sa != SOS_NOBODY &&
+ c->newest_isakmp_sa != pst->st_serialno) {
+ struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa);
- if (pst->st_seen_initialc && (c->newest_ipsec_sa != SOS_NOBODY))
- {
- struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa);
- struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection;
+ DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s",
+ old_p1->st_connection->name));
+ old_p1->st_suppress_del_notify = TRUE;
+ event_force(EVENT_SA_EXPIRE, old_p1);
+ }
- if (c == d && same_id(&c->spd.that.id, &d->spd.that.id))
+ if (c->newest_ipsec_sa != SOS_NOBODY)
{
- DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'",
- c->newest_ipsec_sa, c->name));
- old_p2->st_suppress_del_notify = TRUE;
- event_force(EVENT_SA_EXPIRE, old_p2);
+ struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa);
+ struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection;
+
+ if (c == d && same_id(&c->spd.that.id, &d->spd.that.id))
+ {
+ DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'",
+ c->newest_ipsec_sa, c->name));
+ old_p2->st_suppress_del_notify = TRUE;
+ event_force(EVENT_SA_EXPIRE, old_p2);
+ }
}
}

35
libreswan-3.25-unbound-hook.patch
View File

@ -1,35 +0,0 @@
commit 9dce290a0d2df5c278ed9442b10954d65cc238e4
Author: Paul Wouters <pwouters@redhat.com>
Date: Sun Jul 8 22:29:52 2018 -0400
_unbound-hook: Fixup adding IPv4 pubkey into pluto. Expect unbound to quote argument as 1
diff --git a/programs/_unbound-hook/_unbound-hook.in b/programs/_unbound-hook/_unbound-hook.in
index 0d266d5..38279de 100755
--- a/programs/_unbound-hook/_unbound-hook.in
+++ b/programs/_unbound-hook/_unbound-hook.in
@@ -29,14 +29,17 @@ try:
except:
sys.exit("Bad arguments to ipsec _unbound")
-while (argv != []):
+# unbound now quotes the entire RRDATAs, so it counts as 1 argument in the list
+data = argv.pop(0).split(" ")
+
+while (data != []):
try:
- gwprec = argv.pop(0)
- gwtype = argv.pop(0)
- gwalg = argv.pop(0)
- gwid = argv.pop(0)
- pubkey = argv.pop(0)
- addkeyip = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
+ gwprec = data.pop(0)
+ gwtype = data.pop(0)
+ gwalg = data.pop(0)
+ gwid = data.pop(0)
+ pubkey = data.pop(0)
+ addkeyip = "ipsec whack --keyid %s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
addkeyhostname = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(qname, pubkey)
print("processing an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip))
print(subprocess.call(addkeyip, shell=True))

21
libreswan-3.26-asn1-zu.patch
View File

@ -1,21 +0,0 @@
diff -Naur libreswan-3.26-orig/lib/libswan/asn1.c libreswan-3.26/lib/libswan/asn1.c
--- libreswan-3.26-orig/lib/libswan/asn1.c 2018-09-16 22:45:52.000000000 -0400
+++ libreswan-3.26/lib/libswan/asn1.c 2018-09-17 00:28:06.726985327 -0400
@@ -164,7 +164,7 @@
sig_val->len = len_r;
/* XXX: need to check len_r and len_s fits in this */
sig_val->ptr = alloc_bytes(len_r * 2, "ec points");
- DBG(DBG_PARSING, DBG_log(" sig_val len is %ld",sig_val->len));
+ DBG(DBG_PARSING, DBG_log(" sig_val len is %zu",sig_val->len));
/* copy the values of r into signature */
memcpy(sig_val->ptr,blob->ptr,len_r);
@@ -184,7 +184,7 @@
}
DBG(DBG_PARSING, DBG_log(" len_s is %d",len_s));
sig_val->len += len_s;
- DBG(DBG_PARSING, DBG_log(" sig_val total len is %ld",sig_val->len));
+ DBG(DBG_PARSING, DBG_log(" sig_val total len is %zu",sig_val->len));
/* copy the values of r into signature */
memcpy(sig_val->ptr+len_r,blob->ptr,len_s);
}

13
libreswan-3.29-updown-syntax.patch
View File

@ -1,13 +0,0 @@
diff --git a/programs/_updown.netkey/_updown.netkey.in b/programs/_updown.netkey/_updown.netkey.in
index 9c76998233..21000b1ea4 100644
--- a/programs/_updown.netkey/_updown.netkey.in
+++ b/programs/_updown.netkey/_updown.netkey.in
@@ -446,7 +446,7 @@ delsource() {
return ${st}
fi
# Remove source ip if it's not used any more.
- if [ -z $(ip -o route list src ${PLUTO_MY_SOURCEIP}) ]; then
+ if [ -z "$(ip -o route list src ${PLUTO_MY_SOURCEIP})" ]; then
if [ -n "${VTI_IFACE}" -a "${VTI_ROUTING}" = yes ]; then
interface="${VTI_IFACE}"
fi

21
libreswan-3.30-s390x.patch
View File

@ -1,21 +0,0 @@
commit 8b067b47b1e2306c83bed49ecada1bddfb1c1a38
Author: Paul Wouters <pwouters@redhat.com>
Date: Fri Feb 14 15:22:21 2020 -0500
pluto: fixup: 'incl' may be used uninitialized in init_virtual_ip()
For some reason, only the s390x compiler complains.
diff --git a/programs/pluto/virtual.c b/programs/pluto/virtual.c
index ce94d5a5ee..74d77a3ab0 100644
--- a/programs/pluto/virtual.c
+++ b/programs/pluto/virtual.c
@@ -172,7 +172,7 @@ void init_virtual_ip(const char *private_list)
if (next == NULL)
next = str + strlen(str);
- bool incl;
+ bool incl = FALSE;
if (read_subnet(str, next - str,
&(private_net_incl[i_incl]),
&(private_net_excl[i_excl]),

16
libreswan-3.32-nss-api.patch
View File

@ -1,16 +0,0 @@
diff -Naur libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c
--- libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c 2020-05-11 10:13:41.000000000 -0400
+++ libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c 2020-05-26 10:23:26.563318038 -0400
@@ -16,6 +16,12 @@
#include <stdio.h>
#include <stdlib.h>
+/*
+ * Special advise from Bob Relyea - needs to go before any nss include
+ *
+ */
+#define NSS_PKCS11_2_0_COMPAT 1
+
#include "lswlog.h"
#include "lswnss.h"
#include "prmem.h"

13
libreswan-3.32-uninitialized.patch
View File

@ -1,13 +0,0 @@
diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c
index 702c9a8..3772508 100644
--- a/programs/pluto/ikev2_parent.c
+++ b/programs/pluto/ikev2_parent.c
@@ -2150,7 +2150,7 @@ static stf_status ikev2_parent_inR1outI2_tail(struct state *pst, struct msg_dige
struct pluto_crypto_req *r)
{
struct connection *const pc = pst->st_connection; /* parent connection */
- struct ppk_id_payload ppk_id_p;
+ struct ppk_id_payload ppk_id_p = { };
struct ike_sa *ike = pexpect_ike_sa(pst);
if (!finish_dh_v2(pst, r, FALSE)) {

494
libreswan-4.4-ipcheck.patch
View File

@ -1,494 +0,0 @@
diff --git a/testing/programs/ipcheck/Makefile b/testing/programs/ipcheck/Makefile
index 4dae8336be..af77a9e9d8 100644
--- a/testing/programs/ipcheck/Makefile
+++ b/testing/programs/ipcheck/Makefile
@@ -41,4 +41,4 @@ include ../../../mk/program.mk
endif
local-check: $(PROGRAM)
- $(builddir)/$(PROGRAM)
+ $(builddir)/$(PROGRAM) --dns=yes
diff --git a/testing/programs/ipcheck/ip_address_check.c b/testing/programs/ipcheck/ip_address_check.c
index b80990302a..a84aadaf73 100644
--- a/testing/programs/ipcheck/ip_address_check.c
+++ b/testing/programs/ipcheck/ip_address_check.c
@@ -24,79 +24,76 @@
#include "ip_address.h"
#include "ipcheck.h"
-static void check_shunk_to_address(void)
+static void check_ttoaddress_num(void)
{
static const struct test {
int line;
int family;
const char *in;
const char *str;
- bool requires_dns;
} tests[] = {
/* unset */
- { LN, 0, "", NULL, false, },
+ { LN, 0, "", NULL, },
/* any */
- { LN, 4, "0.0.0.0", "0.0.0.0", false, },
- { LN, 6, "::", "::", false, },
- { LN, 6, "0:0:0:0:0:0:0:0", "::", false, },
+ { LN, 4, "0.0.0.0", "0.0.0.0", },
+ { LN, 6, "::", "::", },
+ { LN, 6, "0:0:0:0:0:0:0:0", "::", },
/* local (zero's fill) */
- { LN, 4, "127.1", "127.0.0.1", false, },
- { LN, 4, "127.0.1", "127.0.0.1", false, },
- { LN, 4, "127.0.0.1", "127.0.0.1", false, },
- { LN, 6, "::1", "::1", false, },
- { LN, 6, "0:0:0:0:0:0:0:1", "::1", false, },
+ { LN, 4, "127.1", "127.0.0.1", },
+ { LN, 4, "127.0.1", "127.0.0.1", },
+ { LN, 4, "127.0.0.1", "127.0.0.1", },
+ { LN, 6, "::1", "::1", },
+ { LN, 6, "0:0:0:0:0:0:0:1", "::1", },
/* mask - and buffer overflow */
- { LN, 4, "255.255.255.255", "255.255.255.255", false, },
- { LN, 6, "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false, },
+ { LN, 4, "255.255.255.255", "255.255.255.255", },
+ { LN, 6, "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", },
/* all bytes */
- { LN, 4, "1.2.3.4", "1.2.3.4", false, },
- { LN, 6, "1:2:3:4:5:6:7:8", "1:2:3:4:5:6:7:8", false, },
+ { LN, 4, "1.2.3.4", "1.2.3.4", },
+ { LN, 6, "1:2:3:4:5:6:7:8", "1:2:3:4:5:6:7:8", },
/* last digit is a big num - see wikepedia */
- { LN, 4, "127.254", "127.0.0.254", false, },
- { LN, 4, "127.65534", "127.0.255.254", false, },
- { LN, 4, "127.16777214", "127.255.255.254", false, },
+ { LN, 4, "127.254", "127.0.0.254", },
+ { LN, 4, "127.65534", "127.0.255.254", },
+ { LN, 4, "127.16777214", "127.255.255.254", },
/* last digit overflow */
- { LN, 4, "127.16777216", NULL, false, },
- { LN, 4, "127.0.65536", NULL, false, },
- { LN, 4, "127.0.0.256", NULL, false, },
+ { LN, 4, "127.16777216", NULL, },
+ { LN, 4, "127.0.65536", NULL, },
+ { LN, 4, "127.0.0.256", NULL, },
/* suppress leading zeros - 01 vs 1 */
- { LN, 6, "0001:0012:0003:0014:0005:0016:0007:0018", "1:12:3:14:5:16:7:18", false, },
+ { LN, 6, "0001:0012:0003:0014:0005:0016:0007:0018", "1:12:3:14:5:16:7:18", },
/* drop leading 0:0: */
- { LN, 6, "0:0:3:4:5:6:7:8", "::3:4:5:6:7:8", false, },
+ { LN, 6, "0:0:3:4:5:6:7:8", "::3:4:5:6:7:8", },
/* drop middle 0:...:0 */
- { LN, 6, "1:2:0:0:0:0:7:8", "1:2::7:8", false, },
+ { LN, 6, "1:2:0:0:0:0:7:8", "1:2::7:8", },
/* drop trailing :0..:0 */
- { LN, 6, "1:2:3:4:5:0:0:0", "1:2:3:4:5::", false, },
+ { LN, 6, "1:2:3:4:5:0:0:0", "1:2:3:4:5::", },
/* drop first 0:..:0 */
- { LN, 6, "1:2:0:0:5:6:0:0", "1:2::5:6:0:0", false, },
+ { LN, 6, "1:2:0:0:5:6:0:0", "1:2::5:6:0:0", },
/* drop logest 0:..:0 */
- { LN, 6, "0:0:3:0:0:0:7:8", "0:0:3::7:8", false, },
+ { LN, 6, "0:0:3:0:0:0:7:8", "0:0:3::7:8", },
/* need two 0 */
- { LN, 6, "0:2:0:4:0:6:0:8", "0:2:0:4:0:6:0:8", false, },
-
- { LN, 4, "www.libreswan.org", "188.127.201.229", .requires_dns = true, },
+ { LN, 6, "0:2:0:4:0:6:0:8", "0:2:0:4:0:6:0:8", },
/* hex/octal */
- { LN, 4, "0x01.0x02.0x03.0x04", "1.2.3.4", false, },
- { LN, 4, "0001.0002.0003.0004", "1.2.3.4", false, },
- { LN, 4, "0x01020304", "1.2.3.4", false, },
+ { LN, 4, "0x01.0x02.0x03.0x04", "1.2.3.4", },
+ { LN, 4, "0001.0002.0003.0004", "1.2.3.4", },
+ { LN, 4, "0x01020304", "1.2.3.4", },
/* trailing garbage */
- { LN, 4, "1.2.3.4.", NULL, false, },
- { LN, 4, "1.2.3.4a", NULL, false, },
- { LN, 4, "1.2.3.0a", NULL, false, },
+ { LN, 4, "1.2.3.4.", NULL, },
+ { LN, 4, "1.2.3.4a", NULL, },
+ { LN, 4, "1.2.3.0a", NULL, },
/* bad digits */
- { LN, 4, "256.2.3.4", NULL, false, },
- { LN, 4, "0008.2.3.4", NULL, false, },
- { LN, 4, "0x0g.2.3.4", NULL, false, },
+ { LN, 4, "256.2.3.4", NULL, },
+ { LN, 4, "0008.2.3.4", NULL, },
+ { LN, 4, "0x0g.2.3.4", NULL, },
};
@@ -104,66 +101,146 @@ static void check_shunk_to_address(void)
for (size_t ti = 0; ti < elemsof(tests); ti++) {
const struct test *t = &tests[ti];
- PRINT("%s '%s' -> str: '%s' dns: %s", pri_family(t->family), t->in,
- t->str == NULL ? "ERROR" : t->str,
- bool_str(t->requires_dns));
-
- ip_address tmp, *address = &tmp;
-
- /* NUMERIC/NULL */
- FOR_EACH_THING(family, 0, t->family) {
+ /*
+ * For each address, perform lookups:
+ *
+ * - first with a generic family and then with the
+ * specified family
+ *
+ * - first with ttoaddress_num() and then
+ * ttoaddress_dns() (but only when it should work)
+ */
+
+ FOR_EACH_THING(family, 0, 4, 6) {
const struct ip_info *afi = IP_TYPE(family);
- err = ttoaddress_num(shunk1(t->in), afi, address);
- if (err != NULL) {
- if (t->str != NULL && !t->requires_dns) {
- FAIL("ttoaddress_num(%s, %s) unexpecedly failed: %s",
- t->in, pri_family(family), err);
+ bool err_expected = (t->str == NULL || (family != 0 && family != t->family));
+
+ struct lookup {
+ const char *name;
+ err_t (*ttoaddress)(shunk_t, const struct ip_info *, ip_address *);
+ bool need_dns;
+ } lookups[] = {
+ {
+ "ttoaddress_num",
+ ttoaddress_num,
+ false,
+ },
+ {
+ "ttoaddress_dns",
+ ttoaddress_dns,
+ true,
+ },
+ {
+ .name = NULL,
+ },
+ };
+ for (struct lookup *lookup = lookups; lookup->name != NULL; lookup++) {
+
+ /*
+ * Without DNS a
+ * ttoaddress_dns() lookup of
+ * a bogus IP address will go
+ * into the weeds.
+ */
+ bool skip = (lookup->need_dns && have_dns != DNS_YES);
+
+ PRINT("%s('%s', %s) -> '%s'%s",
+ lookup->name, t->in, pri_family(family),
+ err_expected ? "ERROR" : t->str,
+ skip ? "; skipped as no DNS" : "");
+
+ if (skip) {
+ continue;
+ }
+
+ ip_address tmp, *address = &tmp;
+ err = lookup->ttoaddress(shunk1(t->in), afi, address);
+ if (err_expected) {
+ if (err == NULL) {
+ FAIL("%s(%s, %s) unexpecedly succeeded",
+ lookup->name, t->in, pri_family(family));
+ }
+ PRINT("%s(%s, %s) returned: %s",
+ lookup->name, t->in, pri_family(family), err);
+ } else if (err != NULL) {
+ FAIL("%s(%s, %s) unexpecedly failed: %s",
+ lookup->name, t->in, pri_family(family), err);
} else {
- PRINT("ttoaddress_num(%s, %s) returned: %s",
- t->in, pri_family(family), err);
+ CHECK_STR2(address);
}
- } else if (t->requires_dns) {
- FAIL("ttoaddress_num(%s, %s) unexpecedly parsed a DNS address",
- t->in, pri_family(family));
- } else if (t->str == NULL) {
- FAIL("ttoaddress_num(%s, %s) unexpecedly succeeded",
- t->in, pri_family(family));
- } else {
- CHECK_TYPE(address);
}
}
+ }
+}
+
+static void check_ttoaddress_dns(void)
+{
+ static const struct test {
+ int line;
+ int family;
+ const char *in;
+ const char *str;
+ bool need_dns;
+ } tests[] = {
+
+ /* localhost is found in /etc/hosts on all platforms */
+ { LN, 0, "localhost", "127.0.0.1", false, },
+ { LN, 4, "localhost", "127.0.0.1", false, },
+ { LN, 6, "localhost", "::1", false, },
+
+ { LN, 0, "www.libreswan.org", "188.127.201.229", true, },
+ { LN, 4, "www.libreswan.org", "188.127.201.229", true, },
+ { LN, 6, "www.libreswan.org", "2a00:1190:c00a:f00::229", true, },
- /* DNS/TYPE */
+ { LN, 0, "nowhere.libreswan.org", NULL, true, },
+ { LN, 4, "nowhere.libreswan.org", NULL, true, },
+ { LN, 6, "nowhere.libreswan.org", NULL, true, },
- if (t->requires_dns && !use_dns) {
- PRINT("skipping dns_hunk_to_address(type) -- no DNS");
+ };
+
+ err_t err;
+
+ for (size_t ti = 0; ti < elemsof(tests); ti++) {
+ const struct test *t = &tests[ti];
+ const struct ip_info *afi = IP_TYPE(t->family);
+ bool skip = (have_dns == DNS_NO || (have_dns != DNS_YES && t->need_dns));
+
+ PRINT("%s '%s' -> str: '%s' lookup: %s%s",
+ pri_family(t->family), t->in,
+ t->str == NULL ? "ERROR" : t->str,
+ (t->need_dns ? "DNS" : "/etc/hosts"),
+ (skip ? "; skipped as no DNS" : ""));
+
+ if (skip) {
+ continue;
+ }
+
+ ip_address tmp, *address = &tmp;
+ err = ttoaddress_dns(shunk1(t->in), afi, address);
+ if (err != NULL) {
+ if (t->str != NULL) {
+ FAIL("ttoaddress_dns(%s, %s) unexpecedly failed: %s",
+ t->in, pri_family(t->family), err);
+ }
+ PRINT("ttoaddress_dns(%s, %s) failed as expected: %s",
+ t->in, pri_family(t->family), err);
+ } else if (t->str == NULL) {
+ address_buf b;
+ FAIL("ttoaddress_dns(%s, %s) unexpecedly succeeded with %s",
+ t->in, pri_family(t->family),
+ str_address(address, &b));
} else {
- const struct ip_info *afi = IP_TYPE(t->family);
- err = ttoaddress_dns(shunk1(t->in), afi, address);
- if (err != NULL) {
- if (t->str != NULL) {
- FAIL("ttoaddress_dns(%s, %s) unexpecedly failed: %s",
- t->in, pri_family(t->family), err);
- } else {
- PRINT("ttoaddress_dns(%s, %s) returned: %s",
- t->in, pri_family(t->family), err);
- }
- } else if (t->str == NULL) {
- FAIL("ttoaddress_dns(%s, %s) unexpecedly succeeded",
- t->in, pri_family(t->family));
- } else {
+ address_buf b;
+ PRINT("ttoaddress_dns(%s, %s) succeeded with %s",
+ t->in, pri_family(t->family),
+ str_address(address, &b));
+ if (t->family != 0) {
CHECK_TYPE(address);
}
- }
-
- /* now convert it back cooked */
- if (t->requires_dns && !use_dns) {
- PRINT("skipping str_*() -- no DNS");
- } else if (t->str != NULL) {
+ /* and back */
CHECK_STR2(address);
}
-
}
}
@@ -473,7 +550,8 @@ static void check_addresses_to(void)
void ip_address_check(void)
{
- check_shunk_to_address();
+ check_ttoaddress_num();
+ check_ttoaddress_dns();
check_str_address_sensitive();
check_str_address_reversed();
check_address_is();
diff --git a/testing/programs/ipcheck/ip_info_check.c b/testing/programs/ipcheck/ip_info_check.c
index a7553a6029..f1566f4607 100644
--- a/testing/programs/ipcheck/ip_info_check.c
+++ b/testing/programs/ipcheck/ip_info_check.c
@@ -31,10 +31,12 @@
/*hack*/const typeof(L##_tests[0]) *t = &L##_tests[tl]; \
/*hack*/size_t ti = tl; \
const ip_##L *l = L##_tests[tl].L; \
- if (l == NULL) continue; \
+ if (l == NULL) \
+ continue; \
for (size_t tr = 0; tr < elemsof(R##_tests); tr++) { \
const ip_##R *r = R##_tests[tr].R; \
- if (r == NULL) continue; \
+ if (r == NULL) \
+ continue; \
bool expected = false; \
for (size_t to = 0; to < elemsof(L##_op_##R); to++) { \
const typeof(L##_op_##R[0]) *op = &L##_op_##R[to]; \
diff --git a/testing/programs/ipcheck/ip_range_check.c b/testing/programs/ipcheck/ip_range_check.c
index 256cf76c70..9f9a27db58 100644
--- a/testing/programs/ipcheck/ip_range_check.c
+++ b/testing/programs/ipcheck/ip_range_check.c
@@ -389,7 +389,7 @@ static void check_range_op_range(void)
FAIL("ttorange(%s) failed: %s", t->R, oops); \
} \
} else { \
- l = unset_range; \
+ R = unset_range; \
}
TT(l);
TT(r);
diff --git a/testing/programs/ipcheck/ip_sockaddr_check.c b/testing/programs/ipcheck/ip_sockaddr_check.c
index 538154b6e6..d9affb54f9 100644
--- a/testing/programs/ipcheck/ip_sockaddr_check.c
+++ b/testing/programs/ipcheck/ip_sockaddr_check.c
@@ -20,6 +20,8 @@
#include "ip_info.h"
#include "ip_protocol.h"
+#include "lswlog.h" /* for DBG_dump_thing() */
+
#include "ipcheck.h"
static void check_sockaddr_as_endpoint(void)
@@ -52,20 +54,25 @@ static void check_sockaddr_as_endpoint(void)
PRINT("%s '%s' -> '%s' len=%zd", pri_family(t->family), t->in, expect_out, t->size);
/* construct a raw sockaddr */
- ip_sockaddr sa = {
- .sa.sa = {
- .sa_family = SA_FAMILY(t->family),
- },
+ ip_sockaddr sa = {
.len = t->size,
};
switch (t->family) {
case 4:
memcpy(&sa.sa.sin.sin_addr, t->addr, sizeof(sa.sa.sin.sin_addr));
+ sa.sa.sin.sin_family = AF_INET;
sa.sa.sin.sin_port = htons(t->port);
+#ifdef NEED_SIN_LEN
+ sa.sa.sin.sin_len = sizeof(struct sockaddr_in);
+#endif
break;
case 6:
memcpy(&sa.sa.sin6.sin6_addr, t->addr, sizeof(sa.sa.sin6.sin6_addr));
+ sa.sa.sin6.sin6_family = AF_INET6;
sa.sa.sin6.sin6_port = htons(t->port);
+#ifdef NEED_SIN_LEN
+ sa.sa.sin6.sin6_len = sizeof(struct sockaddr_in6);
+#endif
break;
}
@@ -107,6 +114,8 @@ static void check_sockaddr_as_endpoint(void)
esa.len, sizeof(esa.sa));
} else if (!memeq(&esa.sa, &sa.sa, sizeof(esa.sa))) {
/* compare the entire buffer, not just size */
+ DBG_dump_thing("esa.sa", esa.sa);
+ DBG_dump_thing("sa.sa", sa.sa);
FAIL("endpoint_to_sockaddr() returned a different value");
}
} else {
diff --git a/testing/programs/ipcheck/ipcheck.c b/testing/programs/ipcheck/ipcheck.c
index ed13d1ed5c..8df45b5fd4 100644
--- a/testing/programs/ipcheck/ipcheck.c
+++ b/testing/programs/ipcheck/ipcheck.c
@@ -25,21 +25,37 @@
#include "lswtool.h"
unsigned fails;
-bool use_dns = true;
+enum have_dns have_dns = DNS_NO;
int main(int argc, char *argv[])
{
- struct logger *logger = tool_init_log(argv[0]);
+ leak_detective = true;
log_ip = false; /* force sensitive */
+ struct logger *logger = tool_init_log(argv[0]);
+
+ if (argc != 2) {
+ fprintf(stderr, "usage: %s --dns={no,hosts-file,yes}\n", argv[0]);
+ return 1;
+ }
+
+ /* only one option for now */
+ const char *dns = argv[1];
+ if (!eat(dns, "--dns")) {
+ fprintf(stderr, "%s: unknown option '%s'\n",
+ argv[0], argv[1]);
+ return 1;
+ }
- for (char **argp = argv+1; argp < argv+argc; argp++) {
- if (streq(*argp, "--nodns")) {
- use_dns = false;
- } else {
- fprintf(stderr, "%s: unknown option '%s'\n",
- argv[0], *argp);
- return 1;
- }
+ if (streq(dns, "=no")) {
+ have_dns = DNS_NO;
+ } else if (streq(dns, "=hosts-file") || streq(dns, "")) {
+ have_dns = HAVE_HOSTS_FILE;
+ } else if (streq(dns, "=yes")) {
+ have_dns = DNS_YES;
+ } else {
+ fprintf(stderr, "%s: unknown --dns param '%s'\n",
+ argv[0], dns);
+ return 1;
}
ip_address_check();
@@ -55,6 +71,10 @@ int main(int argc, char *argv[])
ip_port_range_check();
ip_cidr_check();
+ report_leaks(logger);
+
+
+
if (fails > 0) {
fprintf(stderr, "TOTAL FAILURES: %d\n", fails);
return 1;
diff --git a/testing/programs/ipcheck/ipcheck.h b/testing/programs/ipcheck/ipcheck.h
index 7e7c2a284b..5cfdbf05f7 100644
--- a/testing/programs/ipcheck/ipcheck.h
+++ b/testing/programs/ipcheck/ipcheck.h
@@ -44,7 +44,7 @@ extern void ip_cidr_check(void);
*/
extern unsigned fails;
-extern bool use_dns;
+extern enum have_dns { DNS_NO, HAVE_HOSTS_FILE, DNS_YES, } have_dns;
#define pri_family(FAMILY) ((FAMILY) == 0 ? "0" : \
(FAMILY) == 4 ? "IPv4" : \

46
libreswan-4.6-openssl-nss.patch
View File

@ -1,46 +0,0 @@
commit 0212bc6a7c0ac3aa5d8da82bf22132993d339ffc
Author: Paul Wouters <paul.wouters@aiven.io>
Date: Thu Jan 13 15:31:50 2022 -0500
building: fix fedora rawhide build
Avoid clashing openssl/nss headers
Patch based on work by Daiki Ueno <dueno@redhat.com>
Resolves: https://github.com/libreswan/libreswan/pull/611
diff --git a/programs/pluto/ikev2_ipseckey.h b/programs/pluto/ikev2_ipseckey.h
index 243e5b1776..5ef3f966ec 100644
--- a/programs/pluto/ikev2_ipseckey.h
+++ b/programs/pluto/ikev2_ipseckey.h
@@ -1,5 +1,3 @@
-#include "state.h"
-
#ifndef _IKEV2_IPSECKEY_H
#define _IKEV2_IPSECKEY_H
@@ -11,6 +9,8 @@
#define IS_LIBUNBOUND LSW_LIBUNBOUND_ENABLED
+struct ike_sa;
+
typedef enum {
DNS_OK = STF_OK,
DNS_FATAL = STF_FATAL,
diff --git a/programs/pluto/ikev2_ipseckey_dnsr.c b/programs/pluto/ikev2_ipseckey_dnsr.c
index b07ed72f2b..09767bf65d 100644
--- a/programs/pluto/ikev2_ipseckey_dnsr.c
+++ b/programs/pluto/ikev2_ipseckey_dnsr.c
@@ -32,7 +32,9 @@
#include "dnssec.h" /* includes unbound.h */
#include "ikev2_ipseckey.h" /* for dns_status */
#include "ikev2_ipseckey_dnsr.h"
-#include "secrets.h"
+
+/* Do not include secrets.h as it will cause conflicts via NSS/OPENSSL headers */
+extern const struct pubkey_type pubkey_type_rsa;
struct p_dns_req *pluto_dns_list = NULL; /* DNS queries linked list */