import CS libreswan-5.2-1.el10

eabdullin 2025-03-27 13:10:04 +00:00
parent ff39f51bd2
commit 99c859447e
8 changed files with 50 additions and 294 deletions

2
.gitignore vendored

@ -1,4 +1,4 @@
ikev1_dsa.fax.bz2
ikev1_psk.fax.bz2
ikev2.fax.bz2
libreswan-4.15.tar.gz
libreswan-5.2.tar.gz


@ -1,153 +0,0 @@
From 4f2af7c8c3afaaa63e8e16467de3441622a5314d Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 21 May 2024 20:12:17 +0900
Subject: [PATCH] kernel_xfrm: record extended ack from netlink response
This enables pluto to log any error message reported through extended
ACK attributes[1] in a netlink response, to make diagnostic easier
when an error occurs. Suggested by Sabrina Dubroca.
1. https://docs.kernel.org/userspace-api/netlink/intro.html#ext-ack
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Signed-off-by: Andrew Cagney <cagney@gnu.org>
---
include/netlink_attrib.h | 4 +++
lib/libswan/netlink_attrib.c | 29 +++++++++++++++++++++
programs/pluto/kernel_xfrm.c | 49 ++++++++++++++++++++++++++++++++++++
3 files changed, 82 insertions(+)
diff --git a/include/netlink_attrib.h b/include/netlink_attrib.h
index 4c952ae3e9..fff35d83f1 100644
--- a/include/netlink_attrib.h
+++ b/include/netlink_attrib.h
@@ -46,4 +46,8 @@ void nl_addattrstrz(struct nlmsghdr *n, int maxlen, int type,
const char *str);
void nl_addattr32(struct nlmsghdr *n, int maxlen, int type, const uint32_t data);
+const struct nlattr *nl_getattr(const struct nlmsghdr *n, size_t *offset);
+const char *nl_getattrvalstrz(const struct nlmsghdr *n,
+ const struct nlattr *attr);
+
#endif
diff --git a/lib/libswan/netlink_attrib.c b/lib/libswan/netlink_attrib.c
index 34bb4bec83..ccc08cba8f 100644
--- a/lib/libswan/netlink_attrib.c
+++ b/lib/libswan/netlink_attrib.c
@@ -66,3 +66,32 @@ void nl_addattr32(struct nlmsghdr *n, int maxlen, int type, const uint32_t data)
{
nl_addattr_l(n, maxlen, type, &data, sizeof(uint32_t));
}
+
+const struct nlattr *nl_getattr(const struct nlmsghdr *n, size_t *offset)
+{
+ struct nlattr *attr = (void *)n + NLMSG_HDRLEN + NLMSG_ALIGN(*offset);
+ struct nlattr *tail = (void *)n + NLMSG_ALIGN(n->nlmsg_len);
+
+ if (attr == tail) {
+ return NULL;
+ }
+
+ *offset += NLA_ALIGN(attr->nla_len);
+ return attr;
+}
+
+const char *nl_getattrvalstrz(const struct nlmsghdr *n,
+ const struct nlattr *attr)
+{
+ struct nlattr *tail = (void *)n + NLMSG_ALIGN(n->nlmsg_len);
+
+ ptrdiff_t len = (void *)tail - (void *)attr;
+ if (len < (ptrdiff_t)sizeof(struct nlattr) ||
+ attr->nla_len <= sizeof(struct nlattr) ||
+ attr->nla_len > len ||
+ !memchr(attr + NLA_HDRLEN, '\0', attr->nla_len - NLA_HDRLEN)) {
+ return NULL;
+ }
+
+ return (void *)attr + NLA_HDRLEN;
+}
diff --git a/programs/pluto/kernel_xfrm.c b/programs/pluto/kernel_xfrm.c
index eed307f42b..25d1b16bc9 100644
--- a/programs/pluto/kernel_xfrm.c
+++ b/programs/pluto/kernel_xfrm.c
@@ -260,6 +260,22 @@ static void init_netlink(struct logger *logger)
"socket() in init_netlink()");
}
+#ifdef SOL_NETLINK
+ const int on = true;
+ if (setsockopt(nl_send_fd, SOL_NETLINK, NETLINK_CAP_ACK,
+ (const void *)&on, sizeof(on)) < 0) {
+ llog_errno(RC_LOG, logger, errno, "xfrm: setsockopt(NETLINK_CAP_ACK) failed: ");
+ } else {
+ ldbg(logger, "xfrm: setsockopt(NETLINK_CAP_ACK) ok");
+ }
+ if (setsockopt(nl_send_fd, SOL_NETLINK, NETLINK_EXT_ACK,
+ (const void *)&on, sizeof(on)) < 0) {
+ llog_errno(RC_LOG, logger, errno, "xfrm: setsockopt(NETLINK_EXT_ACK) failed: ");
+ } else {
+ ldbg(logger, "xfrm: setsockopt(NETLINK_EXT_ACK) ok");
+ }
+#endif
+
nl_xfrm_fd = cloexec_socket(AF_NETLINK, SOCK_DGRAM|SOCK_NONBLOCK, NETLINK_XFRM);
if (nl_xfrm_fd < 0) {
fatal_errno(PLUTO_EXIT_FAIL, logger, errno,
@@ -301,6 +317,37 @@ static void init_netlink(struct logger *logger)
}
}
+static void llog_ext_ack(lset_t rc_flags, struct logger *logger,
+ const struct nlmsghdr *n)
+{
+#ifdef SOL_NETLINK
+ if (n->nlmsg_type != NLMSG_ERROR ||
+ !(n->nlmsg_flags & NLM_F_ACK_TLVS)) {
+ return;
+ }
+
+ struct nlmsgerr *err = (void *)n + NLMSG_HDRLEN;
+ size_t offset = sizeof(*err);
+ if (!(n->nlmsg_flags & NLM_F_CAPPED)) {
+ offset += err->msg.nlmsg_len - NLMSG_HDRLEN;
+ }
+
+ for (const struct nlattr *attr = nl_getattr(n, &offset);
+ attr != NULL; attr = nl_getattr(n, &offset)) {
+ if ((attr->nla_type & NLA_TYPE_MASK) == NLMSGERR_ATTR_MSG) {
+ const char *msg = nl_getattrvalstrz(n, attr);
+ if (msg) {
+ llog(rc_flags, logger, "netlink ext_ack: %s",
+ msg);
+ }
+ }
+ }
+#else
+ /* use the arguments */
+ ldbg(logger, "ignoring "PRI_LSET" %p", rc_flags, n);
+#endif
+}
+
/*
* sendrecv_xfrm_msg()
*
@@ -403,6 +450,7 @@ static bool sendrecv_xfrm_msg(struct nlmsghdr *hdr,
if (rsp.u.e.error != 0) {
llog_error(logger, -rsp.u.e.error,
"netlink response for %s %s", description, story);
+ llog_ext_ack(RC_LOG, logger, &rsp.n);
return false;
}
/*
@@ -413,6 +461,7 @@ static bool sendrecv_xfrm_msg(struct nlmsghdr *hdr,
*/
dbg("netlink response for %s %s included non-error error",
description, story);
+ llog_ext_ack(DEBUG_STREAM, logger, &rsp.n);
/* ignore */
}
if (rbuf == NULL) {
--
2.45.2


@ -1,52 +0,0 @@
From 0b91406427cf7292d61900991fd665f076b6d43f Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 2 Jul 2024 20:37:07 +0900
Subject: [PATCH] tcp: call kernel_ops->poke_ipsec_policy_hole before connect
This fixes ondemand initiation with TCP. Without the policy hole, a
TCP handshake will not complete, as it cannot receive SYN-ACK packet
in plaintext and thus connect blocks until timeout.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Signed-off-by: Andrew Cagney <cagney@gnu.org>
---
programs/pluto/iface_tcp.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/programs/pluto/iface_tcp.c b/programs/pluto/iface_tcp.c
index c63e8bfe4d..55fe639174 100644
--- a/programs/pluto/iface_tcp.c
+++ b/programs/pluto/iface_tcp.c
@@ -473,6 +473,15 @@ struct iface_endpoint *connect_to_tcp_endpoint(struct iface_dev *local_dev,
return NULL;
}
+ /* This needs to be called before connect, so TCP handshake
+ * (in plaintext) completes. */
+ if (kernel_ops->poke_ipsec_policy_hole != NULL &&
+ !kernel_ops->poke_ipsec_policy_hole(fd, afi, logger)) {
+ /* already logged */
+ close(fd);
+ return NULL;
+ }
+
/*
* Connect
*
@@ -551,13 +560,6 @@ struct iface_endpoint *connect_to_tcp_endpoint(struct iface_dev *local_dev,
}
}
- if (kernel_ops->poke_ipsec_policy_hole != NULL &&
- !kernel_ops->poke_ipsec_policy_hole(fd, afi, logger)) {
- /* already logged */
- close(fd);
- return NULL;
- }
-
struct iface_endpoint *ifp =
alloc_iface_endpoint(fd, local_dev, &iketcp_iface_io,
/*esp_encapsulation_enabled*/true,
--
2.45.2


@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQJHBAABCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAmYXR8ETHHRlYW1AbGli
cmVzd2FuLm9yZwAKCRCF/0tDsw/G+WmID/46LnJ04rvj7RBZDzZg1nUnZyquuWd+
vqGSFG54Ku5p62/JqL3+8Eu6dQ2o8DI1SJwMJFdaSFIwxNHTvZSr1wOwaSa+NQrI
y/zTSAdZP04P0SqqJyOQxqYFMAEoRZhRE1gD4+1KGlQwPKzAtHi+2sHlfVryZEuF
ZRRpuEcYrsdRneWxzRHKguDLb58b159yvt/HIQNOe7/BGnlq1rkBMgT0rD98A8Qb
EOeZh6TcV9OnW2qm4QcJ5fm0ihvZpO/h3gih4KopwZQa7fUJYUPVRrS2AO40MVIM
peq9/V+wD/+gthVh2eqtNzghGWxxwpZgBDQCmAUTr60QdCYeR2XsB/MGG5BJBs4m
zFgXqsSHnEVJisUxnynNIFhUECo2A0CbVTAZnqBWgGkSO82VLu7506eaxJcJW84s
QpNM7shHVdmV3lroqbJU2zBMKEHvCldFTDO2YTvfOV0Twytyn5gmT1sVqGiwdGpR
XhfoRWILy+ViExhv6ZTubIYc1c8yo5wCG1tAq2iYfdLIcZVvqZIWB5LCv0rN2iPl
0OrKo7bOQEmf7C+AL/LoAKWPpQeS79CYzwSKDfYHzE559yks0KPiTE5nLu8VrWH9
zDTJ+2Ket3Ve93cz7zdqWcD7+HfKN7CxBW/bfCrysldsEjDBmvMiUI46kwPI99Y2
w08DOHUAwSUgDg==
=nCeA
-----END PGP SIGNATURE-----


@ -1,63 +0,0 @@
From 13720e0dedcab1eaf3334a73a42b68581acd9f3b Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Fri, 7 Jan 2022 18:36:47 -0500
Subject: [PATCH] ikev1-policy defaults to drop
IKEv2 has been available for 16 years (RFC 4306 was published December
2005). At some point, we should be discouraging IKEv1 adoption.
To the extent that a user needs IKEv1, they can manually add
ikev1-policy=accept to /etc/ipsec.conf.
---
configs/d.ipsec.conf/ikev1-policy.xml | 7 ++++---
include/ipsecconf/keywords.h | 2 +-
lib/libipsecconf/confread.c | 1 +
programs/pluto/server.c | 5 -----
4 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/configs/d.ipsec.conf/ikev1-policy.xml b/configs/d.ipsec.conf/ikev1-policy.xml
index 17d1747e3b..3bd6702564 100644
--- a/configs/d.ipsec.conf/ikev1-policy.xml
+++ b/configs/d.ipsec.conf/ikev1-policy.xml
@@ -3,9 +3,10 @@
<listitem>
<para>
What to do with received IKEv1 packets. Valid options are
-<emphasis remap='B'>accept</emphasis> (default), <emphasis remap='B'>reject</emphasis> which
-will reply with an error, and <emphasis remap='B'>drop</emphasis> which will silently drop
-any received IKEv1 packet. If this option is set to drop or reject, an attempt to load an
+<emphasis remap='B'>drop</emphasis> (default) which will silently drop
+any received IKEv1 packet, <emphasis remap='B'>accept</emphasis>, and
+<emphasis remap='B'>reject</emphasis> which will reply with an error.
+If this option is set to drop or reject, an attempt to load an
IKEv1 connection will fail, as these connections would never be able to receive a packet
for processing.
</para>
diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
index 660847733c..31b519242a 100644
--- a/include/ipsecconf/keywords.h
+++ b/include/ipsecconf/keywords.h
@@ -111,7 +111,7 @@ enum keyword_numeric_config_field {
KBF_LISTEN_TCP, /* listen on TCP port 4500 - default no */
KBF_LISTEN_UDP, /* listen on UDP port 500/4500 - default yes */
- KBF_GLOBAL_IKEv1, /* global ikev1 policy - default accept */
+ KBF_GLOBAL_IKEv1, /* global ikev1 policy - default drop */
KBF_ROOF
};
diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
index 5b5aba723f..68fbccf442 100644
--- a/lib/libipsecconf/confread.c
+++ b/lib/libipsecconf/confread.c
@@ -95,6 +95,7 @@ static void ipsecconf_default_values(struct starter_config *cfg)
/* Don't inflict BSI requirements on everyone */
SOPT(KBF_SEEDBITS, 0);
SOPT(KBF_DROP_OPPO_NULL, false);
+ SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);
#ifdef HAVE_LABELED_IPSEC
SOPT(KBF_SECCTX, SECCTX);
--
2.34.1

17
libreswan-5.2.tar.gz.asc Normal file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
iQJHBAABCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAme/mHcTHHRlYW1AbGli
cmVzd2FuLm9yZwAKCRCF/0tDsw/G+Y95D/981PfZO85XO4a6Db18FJEfe3lt4pWY
aEIuE//BPruXi6hAAC3+6kzrujT9zxavwecRRr7YXqh3nXyXTTYK/KoK9jp0rqkC
0orOQb/JO9Gba2PQQU66F37hfQKmxx6ewzZJBjyOERlCaMRU7Rp5cSQv/6XqJqdj
HAd+wJYIMP8a6NWPiXR9/0gh25slXcLHBSrAtRWXU9rMnh6mEBfGGRfBe1yuw8TQ
+HUf0LrL8YJTPWPRC4jWAP9NE7IILDzFAD+g/JZKmm9cEhqBbQR66SEbQpJEEh+h
gDObF2FdXRF8Ya/otSjiI18FcXrg6owSH+e22NKNTdOjJl0j40rM+EVm/fYUNgKx
FcJ68H42jC1NRJ56k87kC1EGmPXIOfh/N8MwOv2OHyekU5QTR5lUP3nLSS3+9z8m
f4egcBR/1sVIA+8+boWMQVH9Jt7e/UvpTWmDSNoN847OgFx7R1K3PMKeuMM+hXmp
izjWZqEbqJ9u1LhToYHW76Ya1QDUWawNQcBNFzzIZn6l1eiS5FS9XzBk0ygA9SJa
XXvWHmybhem1mMiZYL0fdMtpoVJyxCWG02wt0fYi0CCFjWZYnXUfz37jCgMgU5ML
7awN/qujryXvFI6siBYz7+HwykvRPrz9Z2lm/okkPjHuoBiUZ5DKWSRTN+WqZFRU
SR5d2j3Nup2DXg==
=nmjl
-----END PGP SIGNATURE-----


@ -2,7 +2,7 @@
## (rpmautospec version 0.6.5)
## RPMAUTOSPEC: autorelease, autochangelog
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
release_number = 5;
release_number = 1;
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@ -17,8 +17,8 @@
%global unbound_version 1.6.6
# Libreswan config options
%global libreswan_config \\\
FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
FINALMANDIR=%{_mandir} \\\
LIBEXECDIR=%{_libexecdir}/ipsec \\\
MANDIR=%{_mandir} \\\
PREFIX=%{_prefix} \\\
INITSYSTEM=systemd \\\
SHELL_BINARY=%{_bindir}/sh \\\
@ -39,7 +39,7 @@
Name: libreswan
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
# version is generated in the release script
Version: 4.15
Version: 5.2
Release: %autorelease
# The code in lib/libswan/nss_copies.c is under MPL-2.0, while the
# rest is under GPL-2.0-or-later
@ -55,9 +55,6 @@ Source5: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif
Patch1: libreswan-4.15-ipsec_import.patch
Patch2: libreswan-4.6-ikev1-policy-defaults-to-drop.patch
Patch3: libreswan-4.15-ondemand-tcp.patch
Patch4: libreswan-4.15-netlink-extack.patch
BuildRequires: audit-libs-devel
BuildRequires: bison
@ -230,6 +227,33 @@ certutil -N -d sql:$tmpdir --empty-password
%changelog
## START: Generated by rpmautospec
* Thu Mar 06 2025 Daiki Ueno <dueno@redhat.com> - 5.2-1
- Update to libreswan 5.2
* Thu Jan 30 2025 Daiki Ueno <dueno@redhat.com> - 5.1-6
- ipsec: fix duplicate --ctlsocket option for whack
* Fri Jan 24 2025 Daiki Ueno <dueno@redhat.com> - 5.1-5
- Avoid expectiation failure with crossing streams
* Fri Jan 24 2025 Daiki Ueno <dueno@redhat.com> - 5.1-4
- Speed up parsing protoport configuration
* Fri Jan 24 2025 Daiki Ueno <dueno@redhat.com> - 5.1-3
- showhostkey: fix regression after RHEL-69403
* Fri Nov 29 2024 Daiki Ueno <dueno@redhat.com> - 5.1-2
- crypto: refcnt struct secret_pubkey_stuff when passing to helper thread
* Fri Nov 29 2024 Paul Wouters <paul.wouters@aiven.io> - 5.1-1
- Update to libreswan 5.1
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 4.15-7
- Bump release for October 2024 mass rebuild:
* Thu Aug 08 2024 Ondrej Moris <omoris@redhat.com> - 4.15-6
- Add RHEL-10 CI and gating configuration
* Tue Aug 06 2024 Daiki Ueno <dueno@redhat.com> - 4.15-5
- Make use of Netlink extack for additional error reporting
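Review bot: The `-55,9 +55,6` hunk appears to stop carrying `Patch2: libreswan-4.6-ikev1-policy-defaults-to-drop.patch` (its patch file is deleted in this commit), and nothing visible in the spec or in the `- Update to libreswan 5.2` changelog entry records what the effective `ikev1-policy` default is after the rebase. That downstream patch set `SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP)`; whether the 5.2 tarball already defaults to drop or builds without IKEv1 cannot be confirmed from this page, and if it does not, hosts relying on the packaged default would accept IKEv1 packets again after the update. Once checked, I would note the result next to the remaining `Patch` lines, e.g. `# ikev1-policy=drop patch not carried for 5.x: default verified in upstream 5.2`. The three removed lines are inferred from the hunk counts and the deleted patch files, so `Patch1: libreswan-4.15-ipsec_import.patch` seems to be the one kept and should be confirmed to still apply to 5.2.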

View File

@ -1,4 +1,4 @@
SHA512 (ikev1_dsa.fax.bz2) = 627cbac14248bd68e8d22fbca247668a7749ef0c2e41df8d776d62df9a21403d3a246c0bd82c3faedce62de90b9f91a87f753e17b056319000bba7d2038461ac
SHA512 (ikev1_psk.fax.bz2) = 1b2daec32edc56b410c036db2688c92548a9bd9914994bc7e555b301dd6db4497a6b3e89dc12ddf36826ae90b40fcde501a5a45c0d59098e07839073d219d467
SHA512 (ikev2.fax.bz2) = 0d3748d1bd574f6f1f3e4db847eca126ce649566ea710ef227426f433122752b80d1d6b8acf9d0df07b5597c1e45447e3a2fcb3391756e834e8e75f99df8e51e
SHA512 (libreswan-4.15.tar.gz) = 49a60688bb4a5241dbd791bdde0c71ae80cfb7383bb841ea0788a9d0237569d7ad79e59985c700526e3807817ddae77ebd57521897526fbb8fb93ffbea631efe
SHA512 (libreswan-5.2.tar.gz) = 5c87edc879914158ba9c4c2a0edcd6fac0787b16d3c6a50c268cbd675c51cdec94e509031bc226680c0d40bd3375d73007cae5ee0588c136292e3f34cb759694