rpms
/
libreswan
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import libreswan-4.3-3.el8

This commit is contained in:
CentOS Sources 2021-05-18 02:45:49 -04:00 committed by Andrew Lukoshko
parent 72e8f9ee83
commit b575ba032d
14 changed files with 551 additions and 270 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,4 +1,4 @@
SOURCES/ikev1_dsa.fax.bz2
SOURCES/ikev1_psk.fax.bz2
SOURCES/ikev2.fax.bz2
SOURCES/libreswan-3.32.tar.gz
SOURCES/libreswan-4.3.tar.gz

2
.libreswan.metadata
View File

@ -1,4 +1,4 @@
b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2
861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2
fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2
d752c8df37c90733a01c24849d439733acd4e8f0 SOURCES/libreswan-3.32.tar.gz
6f86811420df8873f43e8ff98f718f1aee5836f3 SOURCES/libreswan-4.3.tar.gz

57
SOURCES/libreswan-3.32-1544463-seccomp.patch
View File

@ -1,57 +0,0 @@
diff -Naur libreswan-3.32-orig/programs/pluto/pluto_seccomp.c libreswan-3.32/programs/pluto/pluto_seccomp.c
--- libreswan-3.32-orig/programs/pluto/pluto_seccomp.c 2020-05-11 10:13:41.000000000 -0400
+++ libreswan-3.32/programs/pluto/pluto_seccomp.c 2020-07-01 20:33:38.918685784 -0400
@@ -59,6 +59,7 @@
/* needed for pluto and updown, not helpers */
if (main) {
+ LSW_SECCOMP_ADD(ctx, _llseek);
LSW_SECCOMP_ADD(ctx, accept);
LSW_SECCOMP_ADD(ctx, access);
LSW_SECCOMP_ADD(ctx, bind);
@@ -69,6 +70,7 @@
LSW_SECCOMP_ADD(ctx, connect);
LSW_SECCOMP_ADD(ctx, dup);
LSW_SECCOMP_ADD(ctx, dup2);
+ LSW_SECCOMP_ADD(ctx, dup3);
LSW_SECCOMP_ADD(ctx, epoll_create);
LSW_SECCOMP_ADD(ctx, epoll_ctl);
LSW_SECCOMP_ADD(ctx, epoll_wait);
@@ -85,7 +87,7 @@
LSW_SECCOMP_ADD(ctx, getgid);
LSW_SECCOMP_ADD(ctx, getgroups);
LSW_SECCOMP_ADD(ctx, getpgrp);
- LSW_SECCOMP_ADD(ctx, getpid);
+ LSW_SECCOMP_ADD(ctx, getpgid);
LSW_SECCOMP_ADD(ctx, getppid);
LSW_SECCOMP_ADD(ctx, getrandom); /* for unbound */
LSW_SECCOMP_ADD(ctx, getrlimit);
@@ -102,10 +104,12 @@
LSW_SECCOMP_ADD(ctx, pipe);
LSW_SECCOMP_ADD(ctx, pipe2);
LSW_SECCOMP_ADD(ctx, poll);
+ LSW_SECCOMP_ADD(ctx, ppoll);
LSW_SECCOMP_ADD(ctx, prctl);
LSW_SECCOMP_ADD(ctx, pread64);
LSW_SECCOMP_ADD(ctx, prlimit64);
LSW_SECCOMP_ADD(ctx, readlink);
+ LSW_SECCOMP_ADD(ctx, readlinkat);
LSW_SECCOMP_ADD(ctx, recvfrom);
LSW_SECCOMP_ADD(ctx, recvmsg);
LSW_SECCOMP_ADD(ctx, select);
@@ -126,6 +130,7 @@
LSW_SECCOMP_ADD(ctx, arch_prctl);
LSW_SECCOMP_ADD(ctx, exit_group);
LSW_SECCOMP_ADD(ctx, exit);
+ LSW_SECCOMP_ADD(ctx, getpid);
LSW_SECCOMP_ADD(ctx, gettid);
LSW_SECCOMP_ADD(ctx, gettimeofday);
LSW_SECCOMP_ADD(ctx, fstat);
@@ -139,6 +144,7 @@
LSW_SECCOMP_ADD(ctx, rt_sigprocmask);
LSW_SECCOMP_ADD(ctx, rt_sigreturn);
LSW_SECCOMP_ADD(ctx, sched_setparam);
+ LSW_SECCOMP_ADD(ctx, send);
LSW_SECCOMP_ADD(ctx, sendto);
LSW_SECCOMP_ADD(ctx, set_tid_address);
LSW_SECCOMP_ADD(ctx, sigaltstack);

16
SOURCES/libreswan-3.32-1840212-nss-gcm.patch
View File

@ -1,16 +0,0 @@
diff -Naur libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c
--- libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c 2020-05-11 10:13:41.000000000 -0400
+++ libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c 2020-06-17 15:06:12.340210966 -0400
@@ -16,6 +16,12 @@
#include <stdio.h>
#include <stdlib.h>
+/*
+ * Special advise from Bob Relyea - needs to go before any nss include
+ *
+ */
+#define NSS_PKCS11_2_0_COMPAT 1
+
#include "lswlog.h"
#include "lswnss.h"
#include "prmem.h"

15
SOURCES/libreswan-3.32-1842597-accounting.patch
View File

@ -1,15 +0,0 @@
diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c
index 28726cf82a..25ee52179a 100644
--- a/programs/pluto/kernel.c
+++ b/programs/pluto/kernel.c
@@ -600,8 +600,8 @@ bool fmt_common_shell_out(char *buf, size_t blen, const struct connection *c,
* true==inbound: inbound updates OUR_BYTES; !inbound updates
* PEER_BYTES.
*/
- bool outbytes = st != NULL && IS_IKE_SA(st) && get_sa_info(st, false, NULL);
- bool inbytes = st != NULL && IS_IKE_SA(st) && get_sa_info(st, true, NULL);
+ bool outbytes = st != NULL && get_sa_info(st, false, NULL);
+ bool inbytes = st != NULL && get_sa_info(st, true, NULL);
jambuf_t jambuf = array_as_jambuf(buf, blen);
jam_common_shell_out(&jambuf, c, sr, st, inbytes, outbytes);
return jambuf_ok(&jambuf);

24
SOURCES/libreswan-3.32-1847766-xfrmi.patch
View File

@ -1,24 +0,0 @@
commit 790a79ba9f8f16532040d9c8a51a27c20e13c154
Author: Paul Wouters <pwouters@redhat.com>
Date: Tue Jun 16 20:57:01 2020 -0400
pluto: find_pluto_xfrmi_interface() would only check first interface
diff --git a/programs/pluto/kernel_xfrm_interface.c b/programs/pluto/kernel_xfrm_interface.c
index 8fc27b727d..0dc1a7ec8c 100644
--- a/programs/pluto/kernel_xfrm_interface.c
+++ b/programs/pluto/kernel_xfrm_interface.c
@@ -586,9 +586,10 @@ static struct pluto_xfrmi *find_pluto_xfrmi_interface(uint32_t if_id)
struct pluto_xfrmi *ret = NULL;
for (h = pluto_xfrm_interfaces; h != NULL; h = h->next) {
- if (h->if_id == if_id)
- ret = h;
- break;
+ if (h->if_id == if_id) {
+ ret = h;
+ break;
+ }
}
return ret;

25
SOURCES/libreswan-3.32-1880466-labeled-ipsec.patch
View File

@ -1,25 +0,0 @@
diff -Naur libreswan-3.32-orig/lib/libipsecconf/starterwhack.c libreswan-3.32/lib/libipsecconf/starterwhack.c
--- libreswan-3.32-orig/lib/libipsecconf/starterwhack.c 2020-05-11 10:13:41.000000000 -0400
+++ libreswan-3.32/lib/libipsecconf/starterwhack.c 2020-09-24 10:01:14.275131341 -0400
@@ -663,7 +663,7 @@
#endif
#ifdef HAVE_LABELED_IPSEC
- if (conn->options_set[KSCF_POLICY_LABEL]) {
+ if (conn->strings_set[KSCF_POLICY_LABEL]) {
msg.policy_label = conn->policy_label;
starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" policy_label=%s",
conn->name, msg.policy_label);
diff -Naur libreswan-3.32-orig/programs/pluto/ikev1_spdb_struct.c libreswan-3.32/programs/pluto/ikev1_spdb_struct.c
--- libreswan-3.32-orig/programs/pluto/ikev1_spdb_struct.c 2020-05-11 10:13:41.000000000 -0400
+++ libreswan-3.32/programs/pluto/ikev1_spdb_struct.c 2020-09-24 10:01:31.996278599 -0400
@@ -59,8 +59,7 @@
#include "nat_traversal.h"
-#ifndef USE_LABELED_IPSEC
-
+#ifndef HAVE_LABELED_IPSEC
static bool parse_secctx_attr(pb_stream *pbs UNUSED, struct state *st UNUSED)
{
/*

53
SOURCES/libreswan-3.32-rebase-fixups.patch
View File

@ -1,53 +0,0 @@
diff -Naur libreswan-3.32-orig/lib/libipsecconf/interfaces.c libreswan-3.32/lib/libipsecconf/interfaces.c
--- libreswan-3.32-orig/lib/libipsecconf/interfaces.c 2020-05-11 10:13:41.000000000 -0400
+++ libreswan-3.32/lib/libipsecconf/interfaces.c 2020-06-04 18:51:39.508280352 -0400
@@ -71,7 +71,11 @@
if (sa->sa.sa_family == af) {
/* XXX: sizeof right? */
ip_endpoint nhe;
- happy(sockaddr_to_endpoint(sa, sizeof(*sa), &nhe));
+ err_t e = sockaddr_to_endpoint(sa, sizeof(*sa), &nhe);
+ if (e != NULL) {
+ pexpect(e != NULL);
+ return false;
+ }
pexpect(endpoint_hport(&nhe) == 0);
*nh = endpoint_address(&nhe);
}
@@ -84,7 +88,11 @@
if (sa->sa.sa_family == af) {
/* XXX: sizeof right? */
ip_endpoint dste;
- happy(sockaddr_to_endpoint(sa, sizeof(*sa), &dste));
+ err_t e = sockaddr_to_endpoint(sa, sizeof(*sa), &dste);
+ if (e != NULL) {
+ pexpect(e != NULL);
+ return false;
+ }
pexpect(endpoint_hport(&dste) == 0);
*dst = endpoint_address(&dste);
}
diff -Naur libreswan-3.32-orig/lib/libswan/ip_endpoint.c libreswan-3.32/lib/libswan/ip_endpoint.c
--- libreswan-3.32-orig/lib/libswan/ip_endpoint.c 2020-05-11 10:13:41.000000000 -0400
+++ libreswan-3.32/lib/libswan/ip_endpoint.c 2020-06-04 18:51:39.508280352 -0400
@@ -54,20 +54,12 @@
switch (sa->sa.sa_family) {
case AF_INET:
{
- /* XXX: to strict? */
- if (sa_len != sizeof(sa->sin)) {
- return "wrong length";
- }
address = address_from_in_addr(&sa->sin.sin_addr);
port = ntohs(sa->sin.sin_port);
break;
}
case AF_INET6:
{
- /* XXX: to strict? */
- if (sa_len != sizeof(sa->sin6)) {
- return "wrong length";
- }
address = address_from_in6_addr(&sa->sin6.sin6_addr);
port = ntohs(sa->sin6.sin6_port);
break;

123
SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch Normal file
View File

@ -0,0 +1,123 @@
diff -Naur libreswan-4.2-orig/lib/libipsecconf/keywords.c libreswan-4.2/lib/libipsecconf/keywords.c
--- libreswan-4.2-orig/lib/libipsecconf/keywords.c 2021-02-02 20:36:01.000000000 -0500
+++ libreswan-4.2/lib/libipsecconf/keywords.c 2021-02-04 19:22:05.880228930 -0500
@@ -374,6 +374,8 @@
{ "interfaces", kv_config, kt_string, KSF_INTERFACES, NULL, NULL, },
{ "curl-iface", kv_config, kt_string, KSF_CURLIFACE, NULL, NULL, },
{ "curl-timeout", kv_config, kt_time, KBF_CURLTIMEOUT, NULL, NULL, },
+ { "curl_iface", kv_config | kv_alias, kt_string, KSF_CURLIFACE, NULL, NULL, }, /* obsolete _ */
+ { "curl_timeout", kv_config | kv_alias, kt_time, KBF_CURLTIMEOUT, NULL, NULL, }, /* obsolete _ */
{ "myvendorid", kv_config, kt_string, KSF_MYVENDORID, NULL, NULL, },
{ "syslog", kv_config, kt_string, KSF_SYSLOG, NULL, NULL, },
@@ -381,6 +383,7 @@
{ "logfile", kv_config, kt_filename, KSF_LOGFILE, NULL, NULL, },
{ "plutostderrlog", kv_config, kt_filename, KSF_LOGFILE, NULL, NULL, }, /* obsolete name, but very common :/ */
{ "logtime", kv_config, kt_bool, KBF_LOGTIME, NULL, NULL, },
+ { "plutostderrlogtime", kv_config | kv_alias, kt_bool, KBF_LOGTIME, NULL, NULL, }, /* obsolete */
{ "logappend", kv_config, kt_bool, KBF_LOGAPPEND, NULL, NULL, },
{ "logip", kv_config, kt_bool, KBF_LOGIP, NULL, NULL, },
{ "audit-log", kv_config, kt_bool, KBF_AUDIT_LOG, NULL, NULL, },
@@ -400,13 +403,20 @@
{ "global-redirect-to", kv_config, kt_string, KSF_GLOBAL_REDIRECT_TO, NULL, NULL, },
{ "crl-strict", kv_config, kt_bool, KBF_CRL_STRICT, NULL, NULL, },
+ { "crl_strict", kv_config | kv_alias, kt_bool, KBF_CRL_STRICT, NULL, NULL, }, /* obsolete _ */
{ "crlcheckinterval", kv_config, kt_time, KBF_CRL_CHECKINTERVAL, NULL, NULL, },
+ { "strictcrlpolicy", kv_config | kv_alias, kt_bool, KBF_CRL_STRICT, NULL, NULL, }, /* obsolete; used on openswan */
{ "ocsp-strict", kv_config, kt_bool, KBF_OCSP_STRICT, NULL, NULL, },
+ { "ocsp_strict", kv_config | kv_alias, kt_bool, KBF_OCSP_STRICT, NULL, NULL, }, /* obsolete _ */
{ "ocsp-enable", kv_config, kt_bool, KBF_OCSP_ENABLE, NULL, NULL, },
+ { "ocsp_enable", kv_config | kv_alias, kt_bool, KBF_OCSP_ENABLE, NULL, NULL, }, /* obsolete _ */
{ "ocsp-uri", kv_config, kt_string, KSF_OCSP_URI, NULL, NULL, },
+ { "ocsp_uri", kv_config | kv_alias, kt_string, KSF_OCSP_URI, NULL, NULL, }, /* obsolete _ */
{ "ocsp-timeout", kv_config, kt_number, KBF_OCSP_TIMEOUT, NULL, NULL, },
+ { "ocsp_timeout", kv_config | kv_alias, kt_number, KBF_OCSP_TIMEOUT, NULL, NULL, }, /* obsolete _ */
{ "ocsp-trustname", kv_config, kt_string, KSF_OCSP_TRUSTNAME, NULL, NULL, },
+ { "ocsp_trust_name", kv_config | kv_alias, kt_string, KSF_OCSP_TRUSTNAME, NULL, NULL, }, /* obsolete _ */
{ "ocsp-cache-size", kv_config, kt_number, KBF_OCSP_CACHE_SIZE, NULL, NULL, },
{ "ocsp-cache-min-age", kv_config, kt_time, KBF_OCSP_CACHE_MIN, NULL, NULL, },
{ "ocsp-cache-max-age", kv_config, kt_time, KBF_OCSP_CACHE_MAX, NULL, NULL, },
@@ -426,6 +436,7 @@
{ "virtual_private", kv_config, kt_string, KSF_VIRTUALPRIVATE, NULL, NULL, }, /* obsolete variant, very common */
{ "seedbits", kv_config, kt_number, KBF_SEEDBITS, NULL, NULL, },
{ "keep-alive", kv_config, kt_number, KBF_KEEPALIVE, NULL, NULL, },
+ { "keep_alive", kv_config | kv_alias, kt_number, KBF_KEEPALIVE, NULL, NULL, }, /* obsolete _ */
{ "listen-tcp", kv_config, kt_bool, KBF_LISTEN_TCP, NULL, NULL },
{ "listen-udp", kv_config, kt_bool, KBF_LISTEN_UDP, NULL, NULL },
@@ -437,6 +448,8 @@
#ifdef HAVE_LABELED_IPSEC
{ "ikev1-secctx-attr-type", kv_config, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete: not a value, a type */
{ "secctx-attr-type", kv_config | kv_alias, kt_number, KBF_SECCTX, NULL, NULL, },
+ { "secctx_attr_value", kv_config | kv_alias, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete _ */
+ { "secctx-attr-value", kv_config, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete: not a value, a type */
#endif
/* these options are obsoleted (and not old aliases) */
@@ -467,6 +480,7 @@
{ "username", kv_conn | kv_leftright, kt_string, KSCF_USERNAME, NULL, NULL, },
/* xauthusername is still used in NetworkManager-libreswan :/ */
{ "xauthusername", kv_conn | kv_leftright, kt_string, KSCF_USERNAME, NULL, NULL, }, /* old alias */
+ { "xauthname", kv_conn | kv_leftright, kt_string, KSCF_USERNAME, NULL, NULL, }, /* old alias */
{ "addresspool", kv_conn | kv_leftright, kt_range, KSCF_ADDRESSPOOL, NULL, NULL, },
{ "auth", kv_conn | kv_leftright, kt_enum, KNCF_AUTH, &kw_authby_lr_list, NULL, },
{ "cat", kv_conn | kv_leftright, kt_bool, KNCF_CAT, NULL, NULL, },
@@ -489,6 +503,8 @@
{ "esn", kv_conn | kv_processed, kt_enum, KNCF_ESN, &kw_esn_list, NULL, },
{ "decap-dscp", kv_conn | kv_processed, kt_bool, KNCF_DECAP_DSCP, NULL, NULL, },
{ "nopmtudisc", kv_conn | kv_processed, kt_bool, KNCF_NOPMTUDISC, NULL, NULL, },
+ { "ike_frag", kv_conn | kv_processed | kv_alias, kt_enum, KNCF_IKE_FRAG, &kw_ynf_list, NULL, }, /* obsolete _ */
+ { "ike-frag", kv_conn | kv_processed | kv_alias, kt_enum, KNCF_IKE_FRAG, &kw_ynf_list, NULL, }, /* obsolete name */
{ "fragmentation", kv_conn | kv_processed, kt_enum, KNCF_IKE_FRAG, &kw_ynf_list, NULL, },
{ "mobike", kv_conn, kt_bool, KNCF_MOBIKE, NULL, NULL, },
{ "narrowing", kv_conn, kt_bool, KNCF_IKEv2_ALLOW_NARROWING, NULL, NULL, },
@@ -499,13 +515,18 @@
{ "accept-redirect-to", kv_conn, kt_string, KSCF_ACCEPT_REDIRECT_TO, NULL, NULL, },
{ "pfs", kv_conn, kt_bool, KNCF_PFS, NULL, NULL, },
+ { "nat_keepalive", kv_conn | kv_alias, kt_bool, KNCF_NAT_KEEPALIVE, NULL, NULL, }, /* obsolete _ */
{ "nat-keepalive", kv_conn, kt_bool, KNCF_NAT_KEEPALIVE, NULL, NULL, },
+ { "initial_contact", kv_conn | kv_alias, kt_bool, KNCF_INITIAL_CONTACT, NULL, NULL, }, /* obsolete _ */
{ "initial-contact", kv_conn, kt_bool, KNCF_INITIAL_CONTACT, NULL, NULL, },
+ { "cisco_unity", kv_conn | kv_alias, kt_bool, KNCF_CISCO_UNITY, NULL, NULL, }, /* obsolete _ */
{ "cisco-unity", kv_conn, kt_bool, KNCF_CISCO_UNITY, NULL, NULL, },
{ "send-no-esp-tfc", kv_conn, kt_bool, KNCF_NO_ESP_TFC, NULL, NULL, },
{ "fake-strongswan", kv_conn, kt_bool, KNCF_VID_STRONGSWAN, NULL, NULL, },
+ { "send_vendorid", kv_conn | kv_alias, kt_bool, KNCF_SEND_VENDORID, NULL, NULL, }, /* obsolete _ */
{ "send-vendorid", kv_conn, kt_bool, KNCF_SEND_VENDORID, NULL, NULL, },
+ { "sha2_truncbug", kv_conn | kv_alias, kt_bool, KNCF_SHA2_TRUNCBUG, NULL, NULL, }, /* obsolete _ */
{ "sha2-truncbug", kv_conn, kt_bool, KNCF_SHA2_TRUNCBUG, NULL, NULL, },
{ "ms-dh-downgrade", kv_conn, kt_bool, KNCF_MSDH_DOWNGRADE, NULL, NULL, },
{ "require-id-on-certificate", kv_conn, kt_bool, KNCF_SAN_ON_CERT, NULL, NULL, },
@@ -520,7 +541,10 @@
{"ikepad", kv_conn, kt_bool, KNCF_IKEPAD, NULL, NULL, },
{ "nat-ikev1-method", kv_conn | kv_processed, kt_enum, KNCF_IKEV1_NATT, &kw_ikev1natt_list, NULL, },
+ { "labeled_ipsec", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
+ { "labeled-ipsec", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
{ "policy-label", kv_conn, kt_string, KSCF_SA_SEC_LABEL, NULL, NULL, }, /* obsolete variant */
+ { "policy_label", kv_conn, kt_string, KSCF_SA_SEC_LABEL, NULL, NULL, }, /* obsolete variant */
{ "sec-label", kv_conn, kt_string, KSCF_SA_SEC_LABEL, NULL, NULL, }, /* really stored into struct end */
/* Cisco interop: remote peer type */
@@ -531,13 +555,17 @@
/* Network Manager support */
#ifdef HAVE_NM
{ "nm-configured", kv_conn, kt_bool, KNCF_NMCONFIGURED, NULL, NULL, },
+ { "nm_configured", kv_conn, kt_bool, KNCF_NMCONFIGURED, NULL, NULL, }, /* obsolete _ */
#endif
{ "xauthby", kv_conn, kt_enum, KNCF_XAUTHBY, &kw_xauthby, NULL, },
{ "xauthfail", kv_conn, kt_enum, KNCF_XAUTHFAIL, &kw_xauthfail, NULL, },
{ "modecfgpull", kv_conn, kt_invertbool, KNCF_MODECONFIGPULL, NULL, NULL, },
{ "modecfgdns", kv_conn, kt_string, KSCF_MODECFGDNS, NULL, NULL, },
+ { "modecfgdns1", kv_conn | kv_alias, kt_string, KSCF_MODECFGDNS, NULL, NULL, }, /* obsolete */
+ { "modecfgdns2", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
{ "modecfgdomains", kv_conn, kt_string, KSCF_MODECFGDOMAINS, NULL, NULL, },
+ { "modecfgdomain", kv_conn | kv_alias, kt_string, KSCF_MODECFGDOMAINS, NULL, NULL, }, /* obsolete */
{ "modecfgbanner", kv_conn, kt_string, KSCF_MODECFGBANNER, NULL, NULL, },
{ "ignore-peer-dns", kv_conn, kt_bool, KNCF_IGNORE_PEER_DNS, NULL, NULL, },
{ "mark", kv_conn, kt_string, KSCF_CONN_MARK_BOTH, NULL, NULL, },

11
SOURCES/libreswan-4.3-1934186-config.patch Normal file
View File

@ -0,0 +1,11 @@
diff -Naur libreswan-4.3-orig/configs/ipsec.conf.in libreswan-4.3/configs/ipsec.conf.in
--- libreswan-4.3-orig/configs/ipsec.conf.in 2021-03-04 14:29:50.591912834 -0500
+++ libreswan-4.3/configs/ipsec.conf.in 2021-03-04 14:30:27.227389433 -0500
@@ -32,6 +32,7 @@
# listen-tcp=yes
# To enable IKE and IPsec over TCP for VPN client, also specify
# tcp-remote-port=4500 in the client's conn section.
+ virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
# if it exists, include system wide crypto-policy defaults
# include /etc/crypto-policies/back-ends/libreswan.config

146
SOURCES/libreswan-4.3-ikev2-tcp.patch Normal file
View File

@ -0,0 +1,146 @@
commit 9a69641b34675de26c3989082795ab97325db55c
Author: Paul Wouters <pwouters@redhat.com>
Date: Mon Mar 1 14:57:31 2021 -0500
IKEv2: Fix TCP socket to have IP_XFRM_POLICY sockopt set.
Without this, transport mode or host-to-host will not properly work
on a number of kernels, such as RHEL8 4.18.0-291.el8.x86_64
Reported by: Sabrina Dubroca <sdubroca@redhat.com>
diff --git a/programs/pluto/iface_tcp.c b/programs/pluto/iface_tcp.c
index 9a66343f3f..3b4f57d07d 100644
--- a/programs/pluto/iface_tcp.c
+++ b/programs/pluto/iface_tcp.c
@@ -52,6 +52,16 @@
#include "nat_traversal.h" /* for nat_traversal_enabled which seems like a broken idea */
#include "pluto_stats.h"
+/* work around weird combo's of glibc and kernel header conflicts */
+#ifndef GLIBC_KERN_FLIP_HEADERS
+# include "linux/xfrm.h" /* local (if configured) or system copy */
+# include "libreswan.h"
+#else
+# include "libreswan.h"
+# include "linux/xfrm.h" /* local (if configured) or system copy */
+#endif
+
+
static void accept_ike_in_tcp_cb(struct evconnlistener *evcon UNUSED,
int accepted_fd,
struct sockaddr *sockaddr, int sockaddr_len,
@@ -383,6 +393,8 @@ static void iketcp_message_listener_cb(evutil_socket_t unused_fd UNUSED,
struct logger from_logger = logger_from(&global_logger, &ifp->iketcp_remote_endpoint);
struct logger *logger = &from_logger;
+ bool v6 = ifp->ip_dev->id_address.version == 6;
+
switch (ifp->iketcp_state) {
case IKETCP_OPEN:
@@ -443,7 +455,19 @@ static void iketcp_message_listener_cb(evutil_socket_t unused_fd UNUSED,
if (impair.tcp_skip_setsockopt_espintcp) {
llog(RC_LOG, logger, "IMPAIR: TCP: skipping setsockopt(ESPINTCP)");
} else {
+ struct xfrm_userpolicy_info policy_in = {
+ .action = XFRM_POLICY_ALLOW,
+ .sel.family = v6 ? AF_INET6 :AF_INET,
+ .dir = XFRM_POLICY_IN,
+ };
+ struct xfrm_userpolicy_info policy_out = {
+ .action = XFRM_POLICY_ALLOW,
+ .sel.family = v6 ? AF_INET6 :AF_INET,
+ .dir = XFRM_POLICY_OUT,
+ };
+
dbg("TCP: OPEN: socket %d enabling ESPINTCP", ifp->fd);
+
if (setsockopt(ifp->fd, IPPROTO_TCP, TCP_ULP,
"espintcp", sizeof("espintcp"))) {
int e = errno;
@@ -459,6 +483,24 @@ static void iketcp_message_listener_cb(evutil_socket_t unused_fd UNUSED,
free_any_iface_endpoint(&ifp);
return;
}
+
+ if (setsockopt(ifp->fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_in, sizeof(policy_in))) {
+ int e = errno;
+ llog(RC_LOG, logger,
+ "TCP: setsockopt(%d, SOL_TCP, IP_XFRM_POLICY, \"policy_in\") failed; closing socket "PRI_ERRNO,
+ ifp->fd, pri_errno(e));
+ free_any_iface_endpoint(&ifp);
+ return;
+ }
+ if (setsockopt(ifp->fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_out, sizeof(policy_out))) {
+ int e = errno;
+ llog(RC_LOG, logger,
+ "TCP: setsockopt(%d, SOL_TCP, IP_XFRM_POLICY, \"policy_out\") failed; closing socket "PRI_ERRNO,
+ ifp->fd, pri_errno(e));
+ free_any_iface_endpoint(&ifp);
+ return;
+ }
+
}
/*
@@ -650,6 +692,17 @@ stf_status create_tcp_interface(struct state *st)
if (impair.tcp_skip_setsockopt_espintcp) {
log_state(RC_LOG, st, "IMPAIR: TCP: skipping setsockopt(espintcp)");
} else {
+ bool v6 = st->st_remote_endpoint.version == 6;
+ struct xfrm_userpolicy_info policy_in = {
+ .action = XFRM_POLICY_ALLOW,
+ .sel.family = v6 ? AF_INET6 :AF_INET,
+ .dir = XFRM_POLICY_IN,
+ };
+ struct xfrm_userpolicy_info policy_out = {
+ .action = XFRM_POLICY_ALLOW,
+ .sel.family = v6 ? AF_INET6 :AF_INET,
+ .dir = XFRM_POLICY_OUT,
+ };
dbg("TCP: socket %d enabling \"espintcp\"", fd);
if (setsockopt(fd, IPPROTO_TCP, TCP_ULP, "espintcp", sizeof("espintcp"))) {
log_errno(st->st_logger, errno,
@@ -657,6 +710,18 @@ stf_status create_tcp_interface(struct state *st)
close(fd);
return STF_FATAL;
}
+ if (setsockopt(fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_in, sizeof(policy_in))) {
+ log_errno(st->st_logger, errno,
+ "setsockopt(PPROTO_IP, IP_XFRM_POLICY(in)) failed in netlink_espintcp()");
+ close(fd);
+ return STF_FATAL;
+ }
+ if (setsockopt(fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_out, sizeof(policy_out))) {
+ log_errno(st->st_logger, errno,
+ "setsockopt(PPROTO_IP, IP_XFRM_POLICY(out)) failed in netlink_espintcp()");
+ close(fd);
+ return STF_FATAL;
+ }
}
struct iface_endpoint *ifp = alloc_thing(struct iface_endpoint, "TCP iface initiator");
commit 7c38cd473d89b8c860ee7e3b8b31cfe012370f1d
Author: Paul Wouters <pwouters@redhat.com>
Date: Mon Mar 1 15:09:16 2021 -0500
documentation: small TCP doc update in ipsec.conf.in
diff --git a/configs/ipsec.conf.in b/configs/ipsec.conf.in
index bb2cc16e64..9fa3300176 100644
--- a/configs/ipsec.conf.in
+++ b/configs/ipsec.conf.in
@@ -28,9 +28,10 @@ config setup
# dnssec-enable=no
#
# To enable IKE and IPsec over TCP for VPN server. Requires at least
- # Linux 5.7 kernel. For TCP support as a VPN client, specify
- # tcp-remote-port=4500 in the client conn section.
+ # Linux 5.7 kernel or a kernel with TCP backport (like RHEL8 4.18.0-291)
# listen-tcp=yes
+ # To enable IKE and IPsec over TCP for VPN client, also specify
+ # tcp-remote-port=4500 in the client's conn section.
# if it exists, include system wide crypto-policy defaults
# include /etc/crypto-policies/back-ends/libreswan.config

191
SOURCES/libreswan-4.3-labeled-ipsec.patch Normal file
View File

@ -0,0 +1,191 @@
diff -Naur libreswan-4.3-orig/programs/pluto/connections.c libreswan-4.3/programs/pluto/connections.c
--- libreswan-4.3-orig/programs/pluto/connections.c 2021-02-21 12:03:03.000000000 -0500
+++ libreswan-4.3/programs/pluto/connections.c 2021-02-24 16:28:05.608119041 -0500
@@ -2475,9 +2475,8 @@
endpoint_in_selector(local_client, &sr->this.client) &&
endpoint_in_selector(remote_client, &sr->that.client)
#ifdef HAVE_LABELED_IPSEC
- && ((sec_label.ptr == NULL &&
- sr->this.sec_label.ptr == NULL) ||
- /* don't call with NULL, it confuses it */
+ && ((sec_label.ptr == NULL && sr->this.sec_label.ptr == NULL) ||
+ hunk_eq(sec_label, sr->this.sec_label) ||
within_range((const char *)sec_label.ptr,
(const char *)sr->this.sec_label.ptr, logger))
#endif
diff -Naur libreswan-4.3-orig/programs/pluto/ikev1_spdb_struct.c libreswan-4.3/programs/pluto/ikev1_spdb_struct.c
--- libreswan-4.3-orig/programs/pluto/ikev1_spdb_struct.c 2021-02-21 12:03:03.000000000 -0500
+++ libreswan-4.3/programs/pluto/ikev1_spdb_struct.c 2021-02-24 16:28:59.819791102 -0500
@@ -113,7 +113,9 @@
return false;
}
- if (!within_range(sec_label.ptr, /* we ensured NUL termination above */
+
+ if (!hunk_eq(sec_label, c->spd.this.sec_label) &&
+ !within_range(sec_label.ptr, /* we ensured NUL termination above */
(const char *)c->spd.this.sec_label.ptr, /* we ensured NUL termination earlier? */
st->st_logger)) {
LLOG_JAMBUF(RC_LOG_SERIOUS, st->st_logger, buf) {
diff -Naur libreswan-4.3-orig/programs/pluto/ikev2_ts.c libreswan-4.3/programs/pluto/ikev2_ts.c
--- libreswan-4.3-orig/programs/pluto/ikev2_ts.c 2021-02-21 12:03:03.000000000 -0500
+++ libreswan-4.3/programs/pluto/ikev2_ts.c 2021-02-24 16:30:19.639780631 -0500
@@ -862,7 +862,8 @@
}
#ifdef HAVE_LABELED_IPSEC
-static bool score_ends_seclabel(const struct ends *ends,
+static bool score_ends_seclabel(const chunk_t **selected_sec_label,
+ const struct ends *ends,
const struct connection *d,
const struct traffic_selectors *tsi,
const struct traffic_selectors *tsr,
@@ -875,6 +876,10 @@
bool match_i = false;
bool match_r = false;
+ if (selected_sec_label != NULL) {
+ *selected_sec_label = NULL;
+ }
+
for (unsigned tsi_n = 0; tsi_n < tsi->nr; tsi_n++) {
const struct traffic_selector *cur = &tsi->ts[tsi_n];
if (cur->ts_type == IKEv2_TS_SECLABEL) {
@@ -883,7 +888,8 @@
// complain loudly
continue;
} else {
- if (within_range((const char *)cur->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) {
+ if (hunk_eq(cur->sec_label, d->spd.this.sec_label) ||
+ within_range((const char *)cur->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) {
match_i = true;
dbg("ikev2ts #1: received label within range of our security label");
} else {
@@ -902,9 +908,13 @@
dbg("IKEv2_TS_SECLABEL but zero length cur->sec_label");
continue;
} else {
- if (within_range((const char *)ends->r->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) {
+ if (hunk_eq(ends->r->sec_label, d->spd.this.sec_label) ||
+ within_range((const char *)ends->r->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) {
dbg("ikev2ts #2: received label within range of our security label");
match_r = true;
+ if (selected_sec_label != NULL) {
+ *selected_sec_label = &cur->sec_label;
+ }
} else {
dbg("ikev2ts #2: received label not within range of our security label");
DBG_dump_hunk("ends->r->sec_label", ends->r->sec_label);
@@ -926,7 +936,8 @@
return require_label == recv_label_i && match_i && match_r;
}
#else
-static bool score_ends_seclabel(const struct ends *ends UNUSED,
+static bool score_ends_seclabel(const chunk_t **selected_sec_label,
+ const struct ends *ends UNUSED,
const struct connection *d UNUSED,
const struct traffic_selectors *tsi UNUSED,
const struct traffic_selectors *tsr UNUSED,
@@ -1030,6 +1041,7 @@
struct best_score best_score = NO_SCORE;
const struct spd_route *best_spd_route = NULL;
struct connection *best_connection = c;
+ const chunk_t *best_sec_label = NULL;
/* find best spd in c */
@@ -1042,7 +1054,8 @@
.r = &sra->this,
};
- if (!score_ends_seclabel(&ends, c, &tsi, &tsr, child->sa.st_logger)) {
+ const chunk_t* selected_sec_label = NULL;
+ if (!score_ends_seclabel(&selected_sec_label, &ends, c, &tsi, &tsr, child->sa.st_logger)) {
continue;
}
@@ -1060,6 +1073,7 @@
score.tsi - tsi.ts, score.tsr - tsr.ts);
best_score = score;
best_spd_route = sra;
+ best_sec_label = selected_sec_label;
passert(best_connection == c);
}
}
@@ -1143,7 +1157,8 @@
? END_NARROWER_THAN_TS
: END_EQUALS_TS;
- if (!score_ends_seclabel(&ends, d, &tsi, &tsr,
+ const chunk_t* selected_sec_label = NULL;
+ if (!score_ends_seclabel(&selected_sec_label, &ends, d, &tsi, &tsr,
child->sa.st_logger))
continue;
@@ -1159,6 +1174,7 @@
best_connection = d;
best_score = score;
best_spd_route = sr;
+ best_sec_label = selected_sec_label;
}
}
}
@@ -1389,6 +1405,13 @@
*/
update_state_connection(&child->sa, best_connection);
+ if (best_sec_label != NULL) {
+ if (child->sa.st_seen_sec_label.len != 0) {
+ free_chunk_content(&child->sa.st_seen_sec_label);
+ }
+ child->sa.st_seen_sec_label = clone_hunk(*best_sec_label, "st_seen_sec_label");
+ }
+
child->sa.st_ts_this = ikev2_end_to_ts(&best_spd_route->this, child->sa.st_acquired_sec_label);
child->sa.st_ts_that = ikev2_end_to_ts(&best_spd_route->that, child->sa.st_seen_sec_label);
@@ -1424,7 +1447,8 @@
? END_WIDER_THAN_TS
: END_EQUALS_TS;
- if (!score_ends_seclabel(&e, c, &tsi, &tsr, child->sa.st_logger))
+ const chunk_t *selected_sec_label = NULL;
+ if (!score_ends_seclabel(&selected_sec_label, &e, c, &tsi, &tsr, child->sa.st_logger))
return false;
struct best_score best = score_ends_iprange(initiator_widening, c, &e, &tsi, &tsr);
@@ -1435,6 +1459,13 @@
return false;
}
+ if (selected_sec_label != NULL) {
+ if (child->sa.st_seen_sec_label.len != 0) {
+ free_chunk_content(&child->sa.st_seen_sec_label);
+ }
+ child->sa.st_seen_sec_label = clone_hunk(*selected_sec_label, "st_seen_sec_label");
+ }
+
/* XXX: check conversions */
dbg("initiator saving acceptable TSi response in this");
ts_to_end(best.tsi, &c->spd.this, &child->sa.st_ts_this);
@@ -1489,7 +1520,7 @@
enum fit fitness = END_NARROWER_THAN_TS;
- if (!score_ends_seclabel(&ends, c, &their_tsis, &their_tsrs,
+ if (!score_ends_seclabel(NULL, &ends, c, &their_tsis, &their_tsrs,
child->sa.st_logger)) {
log_state(RC_LOG_SERIOUS, &child->sa,
"rekey: received Traffic Selectors mismatch configured selectors for Security Label");
diff -Naur libreswan-4.3-orig/programs/pluto/ikev2_parent.c libreswan-4.3/programs/pluto/ikev2_parent.c
--- libreswan-4.3-orig/programs/pluto/ikev2_parent.c 2021-02-21 12:03:03.000000000 -0500
+++ libreswan-4.3/programs/pluto/ikev2_parent.c 2021-03-01 10:31:49.667207958 -0500
@@ -5943,8 +5943,6 @@
* from a policy we gave the kernel, so it _should_ be within our range?
*/
child->sa.st_acquired_sec_label = clone_hunk(p->sec_label, "st_acquired_sec_label");
- c->spd.this.sec_label = clone_hunk(p->sec_label, "updated conn label");
- c->spd.that.sec_label = clone_hunk(p->sec_label, "updated conn label");
}
} else {

84
SOURCES/libreswan-3.32-maintain-different-v1v2-split.patch → SOURCES/libreswan-4.3-maintain-different-v1v2-split.patch
View File

@ -1,28 +1,6 @@
diff -Naur libreswan-3.32rc1-orig/lib/libipsecconf/confread.c libreswan-3.32rc1/lib/libipsecconf/confread.c
--- libreswan-3.32rc1-orig/lib/libipsecconf/confread.c 2020-04-28 22:27:20.000000000 -0400
+++ libreswan-3.32rc1/lib/libipsecconf/confread.c 2020-04-30 13:41:18.612751661 -0400
@@ -1332,13 +1332,16 @@
switch (conn->options[KNCF_IKEv2]) {
case fo_never:
- case fo_permit:
conn->policy |= POLICY_IKEV1_ALLOW;
/* clear any inherited default */
conn->policy &= ~POLICY_IKEV2_ALLOW;
break;
-
+ case fo_permit:
+ starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no|never");
+ return TRUE;
case fo_propose:
+ starter_error_append(perrl, "ikev2=propose or ikev2=yes is no longer accepted. Use ikev2=insist or ikev2=no|never");
+ return TRUE;
case fo_insist:
conn->policy |= POLICY_IKEV2_ALLOW;
/* clear any inherited default */
diff -Naur libreswan-3.32rc1-orig/programs/configs/d.ipsec.conf/ikev2.xml libreswan-3.32rc1/programs/configs/d.ipsec.conf/ikev2.xml
--- libreswan-3.32rc1-orig/programs/configs/d.ipsec.conf/ikev2.xml 2020-04-28 22:27:20.000000000 -0400
+++ libreswan-3.32rc1/programs/configs/d.ipsec.conf/ikev2.xml 2020-04-30 13:45:14.847694267 -0400
diff -Naur libreswan-4.3-orig/configs/d.ipsec.conf/ikev2.xml libreswan-4.3/configs/d.ipsec.conf/ikev2.xml
--- libreswan-4.3-orig/configs/d.ipsec.conf/ikev2.xml 2021-02-21 12:03:03.000000000 -0500
+++ libreswan-4.3/configs/d.ipsec.conf/ikev2.xml 2021-02-21 12:33:36.226284499 -0500
@@ -1,15 +1,15 @@
<varlistentry>
<term><emphasis remap='B'>ikev2</emphasis></term>
@ -47,24 +25,46 @@ diff -Naur libreswan-3.32rc1-orig/programs/configs/d.ipsec.conf/ikev2.xml libres
</para>
</listitem>
</varlistentry>
diff -Naur libreswan-3.32rc1-orig/programs/whack/whack.c libreswan-3.32rc1/programs/whack/whack.c
--- libreswan-3.32rc1-orig/programs/whack/whack.c 2020-04-28 22:27:20.000000000 -0400
+++ libreswan-3.32rc1/programs/whack/whack.c 2020-04-30 13:41:18.615751749 -0400
@@ -775,7 +775,7 @@
diff -Naur libreswan-4.3-orig/lib/libipsecconf/confread.c libreswan-4.3/lib/libipsecconf/confread.c
--- libreswan-4.3-orig/lib/libipsecconf/confread.c 2021-02-21 12:03:03.000000000 -0500
+++ libreswan-4.3/lib/libipsecconf/confread.c 2021-02-21 12:37:43.138031929 -0500
@@ -1310,11 +1310,17 @@
PS("ikev1-allow", IKEV1_ALLOW),
PS("ikev2-allow", IKEV2_ALLOW),
- PS("ikev2-propose", IKEV2_ALLOW), /* map onto allow */
+ /* not in RHEL8 PS("ikev2-propose", IKEV2_ALLOW),*/
switch (conn->options[KNCF_IKEv2]) {
case fo_never:
- case fo_permit:
conn->ike_version = IKEv1;
break;
+ case fo_permit:
+ starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no|never");
+ return TRUE;
+
case fo_propose:
+ starter_error_append(perrl, "ikev2=propose or ikev2=yes is no longer accepted. Use ikev2=insist or ikev2=no|never");
+ return TRUE;
+
case fo_insist:
conn->ike_version = IKEv2;
break;
diff -Naur libreswan-4.3-orig/programs/whack/whack.c libreswan-4.3/programs/whack/whack.c
--- libreswan-4.3-orig/programs/whack/whack.c 2021-02-21 12:03:03.000000000 -0500
+++ libreswan-4.3/programs/whack/whack.c 2021-02-21 12:39:27.066188354 -0500
@@ -801,7 +801,7 @@
{ "ikev1-allow", no_argument, NULL, CD_IKEv1 + OO }, /* obsolete name */
{ "ikev2", no_argument, NULL, CD_IKEv2 +OO },
{ "ikev2-allow", no_argument, NULL, CD_IKEv2 +OO }, /* obsolete name */
- { "ikev2-propose", no_argument, NULL, CD_IKEv2 +OO }, /* obsolete, map onto allow */
+ /* not in RHEL8 { "ikev2-propose", no_argument, NULL, CD_IKEv2 +OO }, */
PS("allow-narrowing", IKEV2_ALLOW_NARROWING),
#ifdef XAUTH_HAVE_PAM
@@ -1737,7 +1737,7 @@
#ifdef AUTH_HAVE_PAM
@@ -1762,7 +1762,7 @@
end_seen = LEMPTY;
continue;
/* --ikev1-allow */
case CDP_SINGLETON + POLICY_IKEV1_ALLOW_IX:
- /* --ikev2-allow (now also --ikev2-propose) */
+ /* --ikev2-allow */
case CDP_SINGLETON + POLICY_IKEV2_ALLOW_IX:
/* --allow-narrowing */
- /* --ikev1 --ikev2 --ikev2-propose */
+ /* --ikev1 --ikev2 */
case CD_IKEv1:
case CD_IKEv2:
{

72
SPECS/libreswan.spec
View File

@ -5,17 +5,18 @@
%global with_cavstests 1
# minimum version for support for rhbz#1651314
# should prob update for nss with IKEv1 quick mode support
%global nss_version 3.53.1-3
%global nss_version 3.53.1
%global unbound_version 1.6.6
%global libreswan_config \\\
FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
FINALMANDIR=%{_mandir} \\\
INC_RCDEFAULT=%{_initrddir} \\\
INC_USRLOCAL=%{_prefix} \\\
FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\
INITSYSTEM=systemd \\\
NSS_REQ_AVA_COPY=false \\\
NSS_HAS_IPSEC_PROFILE=true \\\
NSS_REQ_AVA_COPY=false \\\
PREFIX=%{_prefix} \\\
PYTHON_BINARY=%{__python3} \\\
SHELL_BINARY=%{_bindir}/sh \\\
USE_DNSSEC=true \\\
USE_FIPSCHECK=false \\\
USE_LABELED_IPSEC=true \\\
@ -24,11 +25,9 @@
USE_LIBCURL=true \\\
USE_LINUX_AUDIT=true \\\
USE_NM=true \\\
USE_NSS_KDF=true \\\
USE_SECCOMP=true \\\
USE_XAUTHPAM=true \\\
USE_KLIPS=false \\\
USE_NSS_PRF=true \\\
USE_PRF_AES_XCBC=true \\\
USE_AUTHPAM=true \\\
USE_DH2=true \\\
%{nil}
@ -37,8 +36,8 @@
Name: libreswan
Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
# version is generated in the release script
Version: 3.32
Release: %{?prever:0.}7%{?prever:.%{prever}}%{?dist}
Version: 4.3
Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}
License: GPLv2
Url: https://libreswan.org/
@ -49,20 +48,18 @@ Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif
Patch1: libreswan-3.32-maintain-different-v1v2-split.patch
Patch2: libreswan-3.32-rebase-fixups.patch
Patch3: libreswan-3.32-1842597-accounting.patch
Patch4: libreswan-3.32-1847766-xfrmi.patch
Patch5: libreswan-3.32-1840212-nss-gcm.patch
Patch6: libreswan-3.32-1544463-seccomp.patch
Patch7: libreswan-3.32-1861360-nodefault-rsa-pss.patch
Patch8: libreswan-3.32-1880466-labeled-ipsec.patch
Patch1: libreswan-4.3-maintain-different-v1v2-split.patch
Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch
Patch3: libreswan-4.1-maintain-obsolete-keywords.patch
Patch4: libreswan-4.3-labeled-ipsec.patch
Patch5: libreswan-4.3-ikev2-tcp.patch
Patch6: libreswan-4.3-1934186-config.patch
BuildRequires: audit-libs-devel
BuildRequires: bison
BuildRequires: curl-devel
BuildRequires: flex
BuildRequires: gcc
BuildRequires: gcc make
BuildRequires: ldns-devel
BuildRequires: libcap-ng-devel
BuildRequires: libevent-devel
@ -70,7 +67,7 @@ BuildRequires: libseccomp-devel
BuildRequires: libselinux-devel
BuildRequires: nspr-devel
BuildRequires: nss-devel >= %{nss_version}
buildRequires: nss-tools
BuildRequires: nss-tools
BuildRequires: openldap-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
@ -117,21 +114,12 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
pathfix.py -i %{__python3} -pn testing/cert_verify/usage_test \
testing/pluto/ikev1-01-fuzzer/cve-2015-3204.py \
testing/pluto/ikev2-15-fuzzer/send_bad_packets.py
# replace unsupported KLIPS README
echo "KLIPS is not supported with RHEL8" > README.KLIPS
# linking to freebl is not needed
sed -i "s/-lfreebl //" mk/config.mk
# enable crypto-policies support
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
%build
make %{?_smp_mflags} \
@ -159,8 +147,6 @@ rm -rf %{buildroot}/usr/share/doc/libreswan
rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
install -d -m 0755 %{buildroot}%{_rundir}/pluto
# used when setting --perpeerlog without --perpeerlogbase
install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer
install -d %{buildroot}%{_sbindir}
install -d %{buildroot}%{_sysconfdir}/sysctl.d
@ -221,19 +207,33 @@ certutil -N -d sql:$tmpdir --empty-password
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
%attr(0700,root,root) %dir %{_localstatedir}/log/pluto
%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
%attr(0755,root,root) %dir %{_rundir}/pluto
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
%attr(0644,root,root) %{_unitdir}/ipsec.service
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
%{_sbindir}/ipsec
%{_libexecdir}/ipsec
%attr(0644,root,root) %doc %{_mandir}/*/*
%changelog
* Thu Sep 24 10:03:36 EDT 2020 Paul Wouters <pwouters@redhat.com> - 3.32-7
- Resolves: rhbz#1882449 Labeled IPsec not working [rhel-8.3.0.z]
* Thu Mar 04 2021 Paul Wouters <pwouters@redhat.com> - 4.3-3
- Resolves: rhbz#1372050 RFE: Support IKE and ESP over TCP: RFC 8229
- Resolves: rhbz#1934186 virtual_private setting is missing in the default config
* Mon Mar 01 2021 Paul Wouters <pwouters@redhat.com> - 4.3-2
- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec [update]
* Sun Feb 21 2021 Paul Wouters <pwouters@redhat.com> - 4.3-1
- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec [update]
* Thu Feb 04 2021 Paul Wouters <pwouters@redhat.com> - 4.2-1
- Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.2
- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec
* Tue Oct 27 22:11:42 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.1-1
- Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.1
- Resolves: rhbz#1889836 libreswan: add 3.x compat patches for obsoleted/removed keywords of 4.0 and re-port ikev2= patch
* Wed Jul 29 2020 Paul Wouters <pwouters@redhat.com> - 3.32-6
- Resolves: rhbz#1861360 authby=rsasig must not imply usage of rsa-pss