From 99c859447edf5d422ebbedf68ec4af2c612094f9 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Thu, 27 Mar 2025 13:10:04 +0000
Subject: [PATCH] import CS libreswan-5.2-1.el10
---
 .gitignore | 2 +-
 libreswan-4.15-netlink-extack.patch | 153 ------------------
 libreswan-4.15-ondemand-tcp.patch | 52 ------
 libreswan-4.15.tar.gz.asc | 17 --
 ...an-4.6-ikev1-policy-defaults-to-drop.patch | 63 --------
 libreswan-5.2.tar.gz.asc | 17 ++
 libreswan.spec | 38 ++++-
 sources | 2 +-
 8 files changed, 50 insertions(+), 294 deletions(-)
 delete mode 100644 libreswan-4.15-netlink-extack.patch
 delete mode 100644 libreswan-4.15-ondemand-tcp.patch
 delete mode 100644 libreswan-4.15.tar.gz.asc
 delete mode 100644 libreswan-4.6-ikev1-policy-defaults-to-drop.patch
 create mode 100644 libreswan-5.2.tar.gz.asc
diff --git a/.gitignore b/.gitignore
index fd00a72..a962855 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
 ikev1_dsa.fax.bz2
 ikev1_psk.fax.bz2
 ikev2.fax.bz2
-libreswan-4.15.tar.gz
+libreswan-5.2.tar.gz
diff --git a/libreswan-4.15-netlink-extack.patch b/libreswan-4.15-netlink-extack.patch
deleted file mode 100644
index 92cf5e7..0000000
--- a/libreswan-4.15-netlink-extack.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From 4f2af7c8c3afaaa63e8e16467de3441622a5314d Mon Sep 17 00:00:00 2001
-From: Daiki Ueno
-Date: Tue, 21 May 2024 20:12:17 +0900
-Subject: [PATCH] kernel_xfrm: record extended ack from netlink response
-
-This enables pluto to log any error message reported through extended
-ACK attributes[1] in a netlink response, to make diagnostic easier
-when an error occurs. Suggested by Sabrina Dubroca.
-
-1. https://docs.kernel.org/userspace-api/netlink/intro.html#ext-ack
-
-Signed-off-by: Daiki Ueno
-Signed-off-by: Andrew Cagney
----
- include/netlink_attrib.h | 4 +++
- lib/libswan/netlink_attrib.c | 29 +++++++++++++++++++++
- programs/pluto/kernel_xfrm.c | 49 ++++++++++++++++++++++++++++++++++++
- 3 files changed, 82 insertions(+)
-
-diff --git a/include/netlink_attrib.h b/include/netlink_attrib.h
-index 4c952ae3e9..fff35d83f1 100644
---- a/include/netlink_attrib.h
-+++ b/include/netlink_attrib.h
-@@ -46,4 +46,8 @@ void nl_addattrstrz(struct nlmsghdr *n, int maxlen, int type,
- const char *str);
- void nl_addattr32(struct nlmsghdr *n, int maxlen, int type, const uint32_t data);
-
-+const struct nlattr *nl_getattr(const struct nlmsghdr *n, size_t *offset);
-+const char *nl_getattrvalstrz(const struct nlmsghdr *n,
-+ const struct nlattr *attr);
-+
- #endif
-diff --git a/lib/libswan/netlink_attrib.c b/lib/libswan/netlink_attrib.c
-index 34bb4bec83..ccc08cba8f 100644
---- a/lib/libswan/netlink_attrib.c
-+++ b/lib/libswan/netlink_attrib.c
-@@ -66,3 +66,32 @@ void nl_addattr32(struct nlmsghdr *n, int maxlen, int type, const uint32_t data)
- {
- nl_addattr_l(n, maxlen, type, &data, sizeof(uint32_t));
- }
-+
-+const struct nlattr *nl_getattr(const struct nlmsghdr *n, size_t *offset)
-+{
-+ struct nlattr *attr = (void *)n + NLMSG_HDRLEN + NLMSG_ALIGN(*offset);
-+ struct nlattr *tail = (void *)n + NLMSG_ALIGN(n->nlmsg_len);
-+
-+ if (attr == tail) {
-+ return NULL;
-+ }
-+
-+ *offset += NLA_ALIGN(attr->nla_len);
-+ return attr;
-+}
-+
-+const char *nl_getattrvalstrz(const struct nlmsghdr *n,
-+ const struct nlattr *attr)
-+{
-+ struct nlattr *tail = (void *)n + NLMSG_ALIGN(n->nlmsg_len);
-+
-+ ptrdiff_t len = (void *)tail - (void *)attr;
-+ if (len < (ptrdiff_t)sizeof(struct nlattr) ||
-+ attr->nla_len <= sizeof(struct nlattr) ||
-+ attr->nla_len > len ||
-+ !memchr(attr + NLA_HDRLEN, '\0', attr->nla_len - NLA_HDRLEN)) {
-+ return NULL;
-+ }
-+
-+ return (void *)attr + NLA_HDRLEN;
-+}
-diff --git a/programs/pluto/kernel_xfrm.c b/programs/pluto/kernel_xfrm.c
-index eed307f42b..25d1b16bc9 100644
---- a/programs/pluto/kernel_xfrm.c
-+++ b/programs/pluto/kernel_xfrm.c
-@@ -260,6 +260,22 @@ static void init_netlink(struct logger *logger)
- "socket() in init_netlink()");
- }
-
-+#ifdef SOL_NETLINK
-+ const int on = true;
-+ if (setsockopt(nl_send_fd, SOL_NETLINK, NETLINK_CAP_ACK,
-+ (const void *)&on, sizeof(on)) < 0) {
-+ llog_errno(RC_LOG, logger, errno, "xfrm: setsockopt(NETLINK_CAP_ACK) failed: ");
-+ } else {
-+ ldbg(logger, "xfrm: setsockopt(NETLINK_CAP_ACK) ok");
-+ }
-+ if (setsockopt(nl_send_fd, SOL_NETLINK, NETLINK_EXT_ACK,
-+ (const void *)&on, sizeof(on)) < 0) {
-+ llog_errno(RC_LOG, logger, errno, "xfrm: setsockopt(NETLINK_EXT_ACK) failed: ");
-+ } else {
-+ ldbg(logger, "xfrm: setsockopt(NETLINK_EXT_ACK) ok");
-+ }
-+#endif
-+
- nl_xfrm_fd = cloexec_socket(AF_NETLINK, SOCK_DGRAM|SOCK_NONBLOCK, NETLINK_XFRM);
- if (nl_xfrm_fd < 0) {
- fatal_errno(PLUTO_EXIT_FAIL, logger, errno,
-@@ -301,6 +317,37 @@ static void init_netlink(struct logger *logger)
- }
- }
-
-+static void llog_ext_ack(lset_t rc_flags, struct logger *logger,
-+ const struct nlmsghdr *n)
-+{
-+#ifdef SOL_NETLINK
-+ if (n->nlmsg_type != NLMSG_ERROR ||
-+ !(n->nlmsg_flags & NLM_F_ACK_TLVS)) {
-+ return;
-+ }
-+
-+ struct nlmsgerr *err = (void *)n + NLMSG_HDRLEN;
-+ size_t offset = sizeof(*err);
-+ if (!(n->nlmsg_flags & NLM_F_CAPPED)) {
-+ offset += err->msg.nlmsg_len - NLMSG_HDRLEN;
-+ }
-+
-+ for (const struct nlattr *attr = nl_getattr(n, &offset);
-+ attr != NULL; attr = nl_getattr(n, &offset)) {
-+ if ((attr->nla_type & NLA_TYPE_MASK) == NLMSGERR_ATTR_MSG) {
-+ const char *msg = nl_getattrvalstrz(n, attr);
-+ if (msg) {
-+ llog(rc_flags, logger, "netlink ext_ack: %s",
-+ msg);
-+ }
-+ }
-+ }
-+#else
-+ /* use the arguments */
-+ ldbg(logger, "ignoring "PRI_LSET" %p", rc_flags, n);
-+#endif
-+}
-+
- /*
- * sendrecv_xfrm_msg()
- *
-@@ -403,6 +450,7 @@ static bool sendrecv_xfrm_msg(struct nlmsghdr *hdr,
- if (rsp.u.e.error != 0) {
- llog_error(logger, -rsp.u.e.error,
- "netlink response for %s %s", description, story);
-+ llog_ext_ack(RC_LOG, logger, &rsp.n);
- return false;
- }
- /*
-@@ -413,6 +461,7 @@ static bool sendrecv_xfrm_msg(struct nlmsghdr *hdr,
- */
- dbg("netlink response for %s %s included non-error error",
- description, story);
-+ llog_ext_ack(DEBUG_STREAM, logger, &rsp.n);
- /* ignore */
- }
- if (rbuf == NULL) {
---
-2.45.2
-
diff --git a/libreswan-4.15-ondemand-tcp.patch b/libreswan-4.15-ondemand-tcp.patch
deleted file mode 100644
index 11689a6..0000000
--- a/libreswan-4.15-ondemand-tcp.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 0b91406427cf7292d61900991fd665f076b6d43f Mon Sep 17 00:00:00 2001
-From: Daiki Ueno
-Date: Tue, 2 Jul 2024 20:37:07 +0900
-Subject: [PATCH] tcp: call kernel_ops->poke_ipsec_policy_hole before connect
-
-This fixes ondemand initiation with TCP. Without the policy hole, a
-TCP handshake will not complete, as it cannot receive SYN-ACK packet
-in plaintext and thus connect blocks until timeout.
-
-Signed-off-by: Daiki Ueno
-Signed-off-by: Andrew Cagney
----
- programs/pluto/iface_tcp.c | 16 +++++++++-------
- 1 file changed, 9 insertions(+), 7 deletions(-)
-
-diff --git a/programs/pluto/iface_tcp.c b/programs/pluto/iface_tcp.c
-index c63e8bfe4d..55fe639174 100644
---- a/programs/pluto/iface_tcp.c
-+++ b/programs/pluto/iface_tcp.c
-@@ -473,6 +473,15 @@ struct iface_endpoint *connect_to_tcp_endpoint(struct iface_dev *local_dev,
- return NULL;
- }
-
-+ /* This needs to be called before connect, so TCP handshake
-+ * (in plaintext) completes. */
-+ if (kernel_ops->poke_ipsec_policy_hole != NULL &&
-+ !kernel_ops->poke_ipsec_policy_hole(fd, afi, logger)) {
-+ /* already logged */
-+ close(fd);
-+ return NULL;
-+ }
-+
- /*
- * Connect
- *
-@@ -551,13 +560,6 @@ struct iface_endpoint *connect_to_tcp_endpoint(struct iface_dev *local_dev,
- }
- }
-
-- if (kernel_ops->poke_ipsec_policy_hole != NULL &&
-- !kernel_ops->poke_ipsec_policy_hole(fd, afi, logger)) {
-- /* already logged */
-- close(fd);
-- return NULL;
-- }
--
- struct iface_endpoint *ifp =
- alloc_iface_endpoint(fd, local_dev, &iketcp_iface_io,
- /*esp_encapsulation_enabled*/true,
---
-2.45.2
-
diff --git a/libreswan-4.15.tar.gz.asc b/libreswan-4.15.tar.gz.asc
deleted file mode 100644
index c7efe26..0000000
--- a/libreswan-4.15.tar.gz.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJHBAABCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAmYXR8ETHHRlYW1AbGli
-cmVzd2FuLm9yZwAKCRCF/0tDsw/G+WmID/46LnJ04rvj7RBZDzZg1nUnZyquuWd+
-vqGSFG54Ku5p62/JqL3+8Eu6dQ2o8DI1SJwMJFdaSFIwxNHTvZSr1wOwaSa+NQrI
-y/zTSAdZP04P0SqqJyOQxqYFMAEoRZhRE1gD4+1KGlQwPKzAtHi+2sHlfVryZEuF
-ZRRpuEcYrsdRneWxzRHKguDLb58b159yvt/HIQNOe7/BGnlq1rkBMgT0rD98A8Qb
-EOeZh6TcV9OnW2qm4QcJ5fm0ihvZpO/h3gih4KopwZQa7fUJYUPVRrS2AO40MVIM
-peq9/V+wD/+gthVh2eqtNzghGWxxwpZgBDQCmAUTr60QdCYeR2XsB/MGG5BJBs4m
-zFgXqsSHnEVJisUxnynNIFhUECo2A0CbVTAZnqBWgGkSO82VLu7506eaxJcJW84s
-QpNM7shHVdmV3lroqbJU2zBMKEHvCldFTDO2YTvfOV0Twytyn5gmT1sVqGiwdGpR
-XhfoRWILy+ViExhv6ZTubIYc1c8yo5wCG1tAq2iYfdLIcZVvqZIWB5LCv0rN2iPl
-0OrKo7bOQEmf7C+AL/LoAKWPpQeS79CYzwSKDfYHzE559yks0KPiTE5nLu8VrWH9
-zDTJ+2Ket3Ve93cz7zdqWcD7+HfKN7CxBW/bfCrysldsEjDBmvMiUI46kwPI99Y2
-w08DOHUAwSUgDg==
-=nCeA
------END PGP SIGNATURE-----
diff --git a/libreswan-4.6-ikev1-policy-defaults-to-drop.patch b/libreswan-4.6-ikev1-policy-defaults-to-drop.patch
deleted file mode 100644
index 40073d5..0000000
--- a/libreswan-4.6-ikev1-policy-defaults-to-drop.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 13720e0dedcab1eaf3334a73a42b68581acd9f3b Mon Sep 17 00:00:00 2001
-From: Daniel Kahn Gillmor
-Date: Fri, 7 Jan 2022 18:36:47 -0500
-Subject: [PATCH] ikev1-policy defaults to drop
-
-IKEv2 has been available for 16 years (RFC 4306 was published December
-2005). At some point, we should be discouraging IKEv1 adoption.
-
-To the extent that a user needs IKEv1, they can manually add
-ikev1-policy=accept to /etc/ipsec.conf.
----
- configs/d.ipsec.conf/ikev1-policy.xml | 7 ++++---
- include/ipsecconf/keywords.h | 2 +-
- lib/libipsecconf/confread.c | 1 +
- programs/pluto/server.c | 5 -----
- 4 files changed, 6 insertions(+), 9 deletions(-)
-
-diff --git a/configs/d.ipsec.conf/ikev1-policy.xml b/configs/d.ipsec.conf/ikev1-policy.xml
-index 17d1747e3b..3bd6702564 100644
---- a/configs/d.ipsec.conf/ikev1-policy.xml
-+++ b/configs/d.ipsec.conf/ikev1-policy.xml
-@@ -3,9 +3,10 @@
-
-
- What to do with received IKEv1 packets. Valid options are
--accept (default), reject which
--will reply with an error, and drop which will silently drop
--any received IKEv1 packet. If this option is set to drop or reject, an attempt to load an
-+drop (default) which will silently drop
-+any received IKEv1 packet, accept, and
-+reject which will reply with an error.
-+If this option is set to drop or reject, an attempt to load an
- IKEv1 connection will fail, as these connections would never be able to receive a packet
- for processing.
-
-diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
-index 660847733c..31b519242a 100644
---- a/include/ipsecconf/keywords.h
-+++ b/include/ipsecconf/keywords.h
-@@ -111,7 +111,7 @@ enum keyword_numeric_config_field {
-
- KBF_LISTEN_TCP, /* listen on TCP port 4500 - default no */
- KBF_LISTEN_UDP, /* listen on UDP port 500/4500 - default yes */
-- KBF_GLOBAL_IKEv1, /* global ikev1 policy - default accept */
-+ KBF_GLOBAL_IKEv1, /* global ikev1 policy - default drop */
- KBF_ROOF
- };
-
-diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
-index 5b5aba723f..68fbccf442 100644
---- a/lib/libipsecconf/confread.c
-+++ b/lib/libipsecconf/confread.c
-@@ -95,6 +95,7 @@ static void ipsecconf_default_values(struct starter_config *cfg)
- /* Don't inflict BSI requirements on everyone */
- SOPT(KBF_SEEDBITS, 0);
- SOPT(KBF_DROP_OPPO_NULL, false);
-+ SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);
-
- #ifdef HAVE_LABELED_IPSEC
- SOPT(KBF_SECCTX, SECCTX);
---
-2.34.1
-
diff --git a/libreswan-5.2.tar.gz.asc b/libreswan-5.2.tar.gz.asc
new file mode 100644
index 0000000..64928ef
--- /dev/null
+++ b/libreswan-5.2.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJHBAABCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAme/mHcTHHRlYW1AbGli
+cmVzd2FuLm9yZwAKCRCF/0tDsw/G+Y95D/981PfZO85XO4a6Db18FJEfe3lt4pWY
+aEIuE//BPruXi6hAAC3+6kzrujT9zxavwecRRr7YXqh3nXyXTTYK/KoK9jp0rqkC
+0orOQb/JO9Gba2PQQU66F37hfQKmxx6ewzZJBjyOERlCaMRU7Rp5cSQv/6XqJqdj
+HAd+wJYIMP8a6NWPiXR9/0gh25slXcLHBSrAtRWXU9rMnh6mEBfGGRfBe1yuw8TQ
++HUf0LrL8YJTPWPRC4jWAP9NE7IILDzFAD+g/JZKmm9cEhqBbQR66SEbQpJEEh+h
+gDObF2FdXRF8Ya/otSjiI18FcXrg6owSH+e22NKNTdOjJl0j40rM+EVm/fYUNgKx
+FcJ68H42jC1NRJ56k87kC1EGmPXIOfh/N8MwOv2OHyekU5QTR5lUP3nLSS3+9z8m
+f4egcBR/1sVIA+8+boWMQVH9Jt7e/UvpTWmDSNoN847OgFx7R1K3PMKeuMM+hXmp
+izjWZqEbqJ9u1LhToYHW76Ya1QDUWawNQcBNFzzIZn6l1eiS5FS9XzBk0ygA9SJa
+XXvWHmybhem1mMiZYL0fdMtpoVJyxCWG02wt0fYi0CCFjWZYnXUfz37jCgMgU5ML
+7awN/qujryXvFI6siBYz7+HwykvRPrz9Z2lm/okkPjHuoBiUZ5DKWSRTN+WqZFRU
+SR5d2j3Nup2DXg==
+=nmjl
+-----END PGP SIGNATURE-----
diff --git a/libreswan.spec b/libreswan.spec
index 673bc1a..6aac468 100644
--- a/libreswan.spec
+++ b/libreswan.spec
@@ -2,7 +2,7 @@
 ## (rpmautospec version 0.6.5)
 ## RPMAUTOSPEC: autorelease, autochangelog
 %define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
- release_number = 5;
+ release_number = 1;
 base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
 print(release_number + base_release_number - 1);
 }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@@ -17,8 +17,8 @@
 %global unbound_version 1.6.6
 # Libreswan config options
 %global libreswan_config \\\
- FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
- FINALMANDIR=%{_mandir} \\\
+ LIBEXECDIR=%{_libexecdir}/ipsec \\\
+ MANDIR=%{_mandir} \\\
 PREFIX=%{_prefix} \\\
 INITSYSTEM=systemd \\\
 SHELL_BINARY=%{_bindir}/sh \\\
@@ -39,7 +39,7 @@
 Name: libreswan
 Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
 # version is generated in the release script
-Version: 4.15
+Version: 5.2
 Release: %autorelease
 # The code in lib/libswan/nss_copies.c is under MPL-2.0, while the
 # rest is under GPL-2.0-or-later
@@ -55,9 +55,6 @@ Source5: https://download.libreswan.org/cavs/ikev2.fax.bz2
 %endif
 
 Patch1: libreswan-4.15-ipsec_import.patch
-Patch2: libreswan-4.6-ikev1-policy-defaults-to-drop.patch
-Patch3: libreswan-4.15-ondemand-tcp.patch
-Patch4: libreswan-4.15-netlink-extack.patch
 
 BuildRequires: audit-libs-devel
 BuildRequires: bison
@@ -230,6 +227,33 @@ certutil -N -d sql:$tmpdir --empty-password
 
 %changelog
 ## START: Generated by rpmautospec
+* Thu Mar 06 2025 Daiki Ueno - 5.2-1
+- Update to libreswan 5.2
+
+* Thu Jan 30 2025 Daiki Ueno - 5.1-6
+- ipsec: fix duplicate --ctlsocket option for whack
+
+* Fri Jan 24 2025 Daiki Ueno - 5.1-5
+- Avoid expectiation failure with crossing streams
+
+* Fri Jan 24 2025 Daiki Ueno - 5.1-4
+- Speed up parsing protoport configuration
+
+* Fri Jan 24 2025 Daiki Ueno - 5.1-3
+- showhostkey: fix regression after RHEL-69403
+
+* Fri Nov 29 2024 Daiki Ueno - 5.1-2
+- crypto: refcnt struct secret_pubkey_stuff when passing to helper thread
+
+* Fri Nov 29 2024 Paul Wouters - 5.1-1
+- Update to libreswan 5.1
+
+* Tue Oct 29 2024 Troy Dawson - 4.15-7
+- Bump release for October 2024 mass rebuild:
+
+* Thu Aug 08 2024 Ondrej Moris - 4.15-6
+- Add RHEL-10 CI and gating configuration
+
 * Tue Aug 06 2024 Daiki Ueno - 4.15-5
 - Make use of Netlink extack for additional error reporting
 
diff --git a/sources b/sources
index 53b545c..1e908cc 100644
--- a/sources
+++ b/sources
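Review bot: Removing `Patch2: libreswan-4.6-ikev1-policy-defaults-to-drop.patch` changes the package's effective `ikev1-policy` default unless libreswan 5.2 itself ships `drop` as the default; nothing in this commit shows that, and the `5.2-1` entry in the `%changelog` hunk below records only `- Update to libreswan 5.2`. I would extend that entry with one line per dropped patch stating whether it was merged upstream, e.g. `- Drop ikev1-policy-defaults-to-drop, ondemand-tcp and netlink-extack patches (merged upstream)` once confirmed against the 5.2 sources, so the hardening default cannot silently regress to `accept` on a later rebase. `Patch1: libreswan-4.15-ipsec_import.patch` keeps its 4.15 name after the bump to 5.2; presumably it still applies, but it is worth confirming it was not meant to be dropped as well.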
@@ -1,4 +1,4 @@
 SHA512 (ikev1_dsa.fax.bz2) = 627cbac14248bd68e8d22fbca247668a7749ef0c2e41df8d776d62df9a21403d3a246c0bd82c3faedce62de90b9f91a87f753e17b056319000bba7d2038461ac
 SHA512 (ikev1_psk.fax.bz2) = 1b2daec32edc56b410c036db2688c92548a9bd9914994bc7e555b301dd6db4497a6b3e89dc12ddf36826ae90b40fcde501a5a45c0d59098e07839073d219d467
 SHA512 (ikev2.fax.bz2) = 0d3748d1bd574f6f1f3e4db847eca126ce649566ea710ef227426f433122752b80d1d6b8acf9d0df07b5597c1e45447e3a2fcb3391756e834e8e75f99df8e51e
-SHA512 (libreswan-4.15.tar.gz) = 49a60688bb4a5241dbd791bdde0c71ae80cfb7383bb841ea0788a9d0237569d7ad79e59985c700526e3807817ddae77ebd57521897526fbb8fb93ffbea631efe
+SHA512 (libreswan-5.2.tar.gz) = 5c87edc879914158ba9c4c2a0edcd6fac0787b16d3c6a50c268cbd675c51cdec94e509031bc226680c0d40bd3375d73007cae5ee0588c136292e3f34cb759694