import libreswan-4.4-3.el9.1

CentOS Sources 2021-11-03 01:21:49 -04:00 committed by Stepan Oksanichenko
commit c0b8ac0f51
7 changed files with 1289 additions and 0 deletions

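--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,4 @@
+SOURCES/ikev1_dsa.fax.bz2
+SOURCES/ikev1_psk.fax.bz2
+SOURCES/ikev2.fax.bz2
+SOURCES/libreswan-4.4.tar.gz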

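--- a/.libreswan.metadata
+++ b/.libreswan.metadata
@@ -0,0 +1,4 @@
+b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2
+861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2
+fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2
+c75da86c032fe15979a13f4e779a9fe41386203a SOURCES/libreswan-4.4.tar.gz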

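--- a/SOURCES/libreswan-4.2-openssl3.patch
+++ b/SOURCES/libreswan-4.2-openssl3.patch
@@ -0,0 +1,31 @@
+diff -up ./programs/pluto/ikev2_ipseckey.c.openssl3 ./programs/pluto/ikev2_ipseckey.c
+--- ./programs/pluto/ikev2_ipseckey.c.openssl3 2021-02-03 02:36:01.000000000 +0100
++++ ./programs/pluto/ikev2_ipseckey.c 2021-06-24 17:55:04.863636517 +0200
+@@ -25,13 +25,25 @@
+#include <arpa/nameser.h>
+#include <ldns/ldns.h> /* from ldns-devel */
+#include <ldns/rr.h>
++/*
++ * avoid name clash between OpenSSL headers (included through
++ * <ldns/ldns.h>) and NSS headers (included below through <pk11pub.h>)
++ */
++#undef KU_DIGITAL_SIGNATURE
++#undef KU_NON_REPUDIATION
++#undef KU_KEY_ENCIPHERMENT
++#undef KU_DATA_ENCIPHERMENT
++#undef KU_KEY_AGREEMENT
++#undef KU_KEY_CERT_SIGN
++#undef KU_CRL_SIGN
++#undef KU_ENCIPHER_ONLY
+#include <unbound.h>
+#include "unbound-event.h"
+#include "defs.h"
+#include "log.h"
++#include "state.h"
+#include "constants.h" /* for demux.h */
+#include "demux.h" /* to get struct msg_digest */
+-#include "state.h"
+#include "connections.h"
+#include "dnssec.h" /* includes unbound.h */
+#include "id.h"
+diff -up ./programs/pluto/ikev2_rsa.c.openssl3 ./programs/pluto/ikev2_rsa.c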
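Review bot: The `#undef KU_*` block is explained, but nothing in the hunk explains why `#include "state.h"` moves above `constants.h`/`demux.h`; since the new comment says the NSS `<pk11pub.h>` is "included below", the move presumably pulls NSS in earlier on purpose, and that deserves a trailing comment such as `#include "state.h" /* brings in NSS <pk11pub.h>; must follow the KU_ undefs */`. Undefining the eight macros by name is also fragile: any further KU_ name that OpenSSL exports will clash again, and any code later in this translation unit that expects OpenSSL's values now silently gets NSS's, so a one-line note next to the list stating that the NSS definitions are the ones intended from here on would help the next maintainer. The same pattern presumably recurs in ikev2_rsa.c, whose hunk begins after the end of this view.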

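--- a/SOURCES/libreswan-4.4-covscan.patch
+++ b/SOURCES/libreswan-4.4-covscan.patch
+From 835f711502fa07825b27201cb772e911c59d54b0 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Wed, 21 Jul 2021 10:10:43 +0200
+Subject: [PATCH] ipsec barf: fix shell test expression
+Spotted by shellcheck:
+/usr/libexec/ipsec/barf:55:5: error[SC1073]: Couldn't parse this test expression. Fix to allow more checks.
+# 53| for f
+# 54| do
+# 55|-> if [ -s ${LOGS}/${f} -a \
+# 56| -f ${LOGS}/${f} -a \
+# 57| grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null ]
+Signed-off-by: Daiki Ueno <dueno@redhat.com>
+---
+programs/barf/barf.in | 16 ++++++++--------
+1 file changed, 8 insertions(+), 8 deletions(-)
+diff --git a/programs/barf/barf.in b/programs/barf/barf.in
+index e76c62f338..499916da4b 100755
+--- a/programs/barf/barf.in
++++ b/programs/barf/barf.in
+@@ -53,8 +53,8 @@ findlog() { # findlog string fallbackstring possiblefile ...
+for f
+do
+if [ -s ${LOGS}/${f} -a \
+- -f ${LOGS}/${f} -a \
+- grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null ]
++ -f ${LOGS}/${f} ] && \
++ grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null
+then
+# aha, this one has it
+findlog_file=${LOGS}/${f}
+@@ -66,8 +66,8 @@ findlog() { # findlog string fallbackstring possiblefile ...
+for f
+do
+if [ -s ${LOGS}/${f} -a \
+- -f ${LOGS}/${f} -a \
+- grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null ]
++ -f ${LOGS}/${f} ] && \
++ grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null
+then
+# aha, this one has it
+findlog_file=${LOGS}/${f}
+@@ -80,8 +80,8 @@ findlog() { # findlog string fallbackstring possiblefile ...
+for f in $(ls -t ${LOGS} | grep -E -v 'lastlog|tmp|^mail|\.(gz|Z)$')
+do
+if [ -f ${LOGS}/${f} -a \
+- ! -d ${LOGS}/${f} -a \
+- grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null ]
++ ! -d ${LOGS}/${f} ] && \
++ grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null
+then
+# found it
+findlog_file=${LOGS}/${f}
+@@ -93,8 +93,8 @@ findlog() { # findlog string fallbackstring possiblefile ...
+for f in $(ls -t ${LOGS} | grep -E -v 'lastlog|tmp|^mail|\.(gz|Z)$')
+do
+if [ -s ${LOGS}/${f} -a \
+- -f ${LOGS}/${f} -a \
+- grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null ]
++ -f ${LOGS}/${f} ] && \
++ grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null
+then
+# found it
+findlog_file=${LOGS}/${f}
+--
+2.31.1
+From 00ee1189626db8dcce084cb481ad0c49b435f4ff Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Wed, 21 Jul 2021 10:54:58 +0200
+Subject: [PATCH] testing jambufcheck: add missing va_end calls in error path
+Signed-off-by: Daiki Ueno <dueno@redhat.com>
+---
+testing/programs/jambufcheck/jambufcheck.c | 2 ++
+1 file changed, 2 insertions(+)
+diff --git a/testing/programs/jambufcheck/jambufcheck.c b/testing/programs/jambufcheck/jambufcheck.c
+index 72baaa5a1d..23a47b15f6 100644
+--- a/testing/programs/jambufcheck/jambufcheck.c
++++ b/testing/programs/jambufcheck/jambufcheck.c
+@@ -104,11 +104,13 @@ static void check_jambuf(bool ok, const char *expect, ...)
+}
+break;
+default:
++ va_end(ap);
+FAIL("bad case");
+return;
+}
+}
+if (ok && !jambuf_ok(&buf)) {
++ va_end(ap);
+FAIL("unexpectedly failed writing '%s'",
+str == NULL ? "(null)" : str);
+return;
+--
+2.31.1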
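Review bot: The rewritten tests in barf.in still leave `${LOGS}/${f}` unquoted and keep the obsolescent `-a` inside `[ ... ]`, so a log name containing whitespace still breaks the expression and shellcheck will keep warning (SC2086, SC2166) on all four hunks at lines 85, 96, 107 and 118. Since the lines are being rewritten anyway, prefer `if [ -s "${LOGS}/${f}" ] && [ -f "${LOGS}/${f}" ] && grep -E -q -e "${s}" "${LOGS}/${f}" 2>/dev/null` (with `${t}` in the second and fourth hunks and `! -d` in the third); `-e` additionally stops a pattern that begins with `-` from being parsed as a grep option. The enclosing `findlog()` and the `for f in $(ls -t ...)` loops start outside the hunks. The jambufcheck hunks look correct as far as shown; the `va_start` they balance is above the hunk.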

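--- a/SOURCES/libreswan-4.4-getaddrinfo.patch
+++ b/SOURCES/libreswan-4.4-getaddrinfo.patch
+diff -up ./lib/libswan/ttoaddress.c.getaddrinfo ./lib/libswan/ttoaddress.c
+--- ./lib/libswan/ttoaddress.c.getaddrinfo 2021-04-22 17:24:33.000000000 +0200
++++ ./lib/libswan/ttoaddress.c 2021-07-22 13:16:19.073745043 +0200
+@@ -20,6 +20,7 @@
+#include <netdb.h> /* for gethostbyname2() */
+#include "ip_address.h"
++#include "ip_sockaddr.h"
+#include "ip_info.h"
+#include "lswalloc.h" /* for alloc_things(), pfree() */
+#include "lswlog.h" /* for pexpect() */
+@@ -75,56 +76,6 @@ static err_t ttoaddr_base(shunk_t src,
+}
+/*
+- * tryname - try it as a name
+- *
+- * Error return is intricate because we cannot compose a static string.
+- */
+-static err_t tryname(const char *p,
+- int af,
+- int suggested_af, /* kind(s) of numeric addressing tried */
+- ip_address *dst)
+-{
+- struct hostent *h = gethostbyname2(p, af);
+- if (h != NULL) {
+- if (h->h_addrtype != af) {
+- return "address-type mismatch from gethostbyname2!!!";
+- }
+-
+- return data_to_address(h->h_addr, h->h_length, aftoinfo(af), dst);
+- }
+-
+- if (af == AF_INET6) {
+- if (suggested_af == AF_INET6) {
+- return "not a numeric IPv6 address and name lookup failed (no validation performed)";
+- } else /* AF_UNSPEC */ {
+- return "not a numeric IPv4 or IPv6 address and name lookup failed (no validation performed)";
+- }
+- }
+-
+- pexpect(af == AF_INET);
+-
+- /* like, windows even has an /etc/networks? */
+- struct netent *ne = getnetbyname(p);
+- if (ne == NULL) {
+- /* intricate because we cannot compose a static string */
+- if (suggested_af == AF_INET) {
+- return "not a numeric IPv4 address and name lookup failed (no validation performed)";
+- } else {
+- return "not a numeric IPv4 or IPv6 address and name lookup failed (no validation performed)";
+- }
+- }
+-
+- if (ne->n_addrtype != af) {
+- return "address-type mismatch from getnetbyname!!!";
+- }
+-
+- /* apparently .n_net is in host order */
+- struct in_addr in = { htonl(ne->n_net), };
+- *dst = address_from_in_addr(&in);
+- return NULL;
+-}
+-
+-/*
+* tryhex - try conversion as an eight-digit hex number (AF_INET only)
+*/
+@@ -401,57 +352,56 @@ err_t getpiece(const char **srcp, /* *sr
+err_t ttoaddress_dns(shunk_t src, const struct ip_info *afi, ip_address *dst)
+{
++ char *name = clone_hunk_as_string(src, "ttoaddress_dns"); /* must free */
++ struct addrinfo *res = NULL;
++ const struct addrinfo hints = (struct addrinfo) {
++ .ai_family = afi == NULL ? AF_UNSPEC : afi->af,
++ };
+*dst = unset_address;
+- if (src.len == 0) {
+- return "empty string";
+- }
+-
+- bool was_numeric = true;
+- err_t err = ttoaddr_base(src, afi, &was_numeric, dst);
+- if (was_numeric) {
+- /* no-point in continuing */
+- return err;
+- }
+- /* err == non-numeric */
++ int eai = getaddrinfo(name, NULL, &hints, &res);
++ err_t err = NULL;
+- for (const char *cp = src.ptr, *end = cp + src.len; cp < end; cp++) {
++ if (eai != 0) {
+/*
+- * Legal ASCII characters in a domain name.
+- * Underscore technically is not, but is a common
+- * misunderstanding. Non-ASCII characters are simply
+- * exempted from checking at the moment, to allow for
+- * UTF-8 encoded stuff; the purpose of this check is
+- * merely to catch blatant errors.
+- *
+- * XXX: Suspect the ISASCII() check can be dropped -
+- * utf-8 isn't allowed in DNS names and without a
+- * utf-8 parser the check is flawed.
++ * return system-supplied diagnostic
++ * except where it is particularly confusing.
++ * "Name or service not unknown." is terrible.
+*/
+- static const char namechars[] =
+- "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-_.";
+-#define ISASCII(c) (((c) & 0x80) == 0)
+- if (ISASCII(*cp) && strchr(namechars, *cp) == NULL) {
+- return "illegal (non-DNS-name) character in name";
++ err = eai == EAI_NONAME ? "NAME is unknown" : gai_strerror(eai);
++ } else if (res == NULL) {
++ err = "not a numeric IP address and name lookup failed (no validation performed)";
++ } else {
++ /* always choose IPv4 result if there is one */
++ struct addrinfo *winner = res;
++
++ for (struct addrinfo *r = res; r!= NULL; r = r->ai_next) {
++ if (r->ai_family == AF_INET) {
++ winner = r;
++ break;
++ }
++ }
++
++ ip_port mbz = { .hport = 0 };
++ ip_sockaddr sa = {
++ .len = winner->ai_addrlen,
++ };
++ passert(sizeof(sa.sa) >= winner->ai_addrlen);
++ memcpy(&sa.sa, winner->ai_addr, winner->ai_addrlen);
++ passert(sa.sa.sa.sa_family == winner->ai_family);
++ /* boneheaded getaddrinfo(3) leaves port field uninitialized */
++ if (winner->ai_family == AF_INET) {
++ sa.sa.sin.sin_port = 0;
++ } else if (winner->ai_family == AF_INET6) {
++ sa.sa.sin6.sin6_port = 0;
++ } else {
++ bad_case(winner->ai_family);
+}
++ err = sockaddr_to_address_port(sa, dst, &mbz);
++ passert(hport(mbz) == 0);
+}
+- /*
+- * need a guarenteed null terminated string
+- */
+- char *name = clone_hunk_as_string(src, "ttoaddress_dns"); /* must free */
+- int suggested_af = afi == NULL ? AF_UNSPEC : afi->af;
+- err_t v4err = NULL, v6err = NULL;
+- if (err && (suggested_af == AF_UNSPEC || suggested_af == AF_INET)) {
+- err = v4err = tryname(name, AF_INET, suggested_af, dst);
+- }
+- if (err && (suggested_af == AF_UNSPEC || suggested_af == AF_INET6)) {
+- err = v6err = tryname(name, AF_INET6, suggested_af, dst);
+- }
+- /* prefer the IPv4 error */
+- if (err != NULL && v4err != NULL) {
+- err = v4err;
+- }
++ freeaddrinfo(res);
+pfree(name);
+return err;
+}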
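Review bot: The rewritten ttoaddress_dns() drops the `if (src.len == 0) return "empty string";` guard that the removed code had, so an empty name now costs a clone_hunk_as_string() allocation plus a resolver call and reports whatever getaddrinfo() returns for "" instead of a clear diagnostic; move the clone_hunk_as_string() call below `*dst = unset_address;` and put `if (src.len == 0) { return "empty string"; }` in front of it. The removed namechars scan is also gone, so input validation now rests entirely on getaddrinfo(); that is a reasonable trade but worth one sentence in the function's header comment (outside the hunk), since callers may have matched on the old "illegal (non-DNS-name) character in name" text. `freeaddrinfo(res)` also runs when getaddrinfo() failed and `res` is still NULL; glibc tolerates that, but POSIX does not promise it, so `if (res != NULL) freeaddrinfo(res);` is cheap insurance. The `r!= NULL` spacing in the winner loop should be `r != NULL` to match the rest of the file.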

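--- a/SOURCES/libreswan-4.4-ipcheck.patch
+++ b/SOURCES/libreswan-4.4-ipcheck.patch
+diff --git a/testing/programs/ipcheck/Makefile b/testing/programs/ipcheck/Makefile
+index 4dae8336be..af77a9e9d8 100644
+--- a/testing/programs/ipcheck/Makefile
++++ b/testing/programs/ipcheck/Makefile
+@@ -41,4 +41,4 @@ include ../../../mk/program.mk
+endif
+local-check: $(PROGRAM)
+- $(builddir)/$(PROGRAM)
++ $(builddir)/$(PROGRAM) --dns=yes
+diff --git a/testing/programs/ipcheck/ip_address_check.c b/testing/programs/ipcheck/ip_address_check.c
+index b80990302a..a84aadaf73 100644
+--- a/testing/programs/ipcheck/ip_address_check.c
++++ b/testing/programs/ipcheck/ip_address_check.c
+@@ -24,79 +24,76 @@
+#include "ip_address.h"
+#include "ipcheck.h"
+-static void check_shunk_to_address(void)
++static void check_ttoaddress_num(void)
+{
+static const struct test {
+int line;
+int family;
+const char *in;
+const char *str;
+- bool requires_dns;
+} tests[] = {
+/* unset */
+- { LN, 0, "", NULL, false, },
++ { LN, 0, "", NULL, },
+/* any */
+- { LN, 4, "0.0.0.0", "0.0.0.0", false, },
+- { LN, 6, "::", "::", false, },
+- { LN, 6, "0:0:0:0:0:0:0:0", "::", false, },
++ { LN, 4, "0.0.0.0", "0.0.0.0", },
++ { LN, 6, "::", "::", },
++ { LN, 6, "0:0:0:0:0:0:0:0", "::", },
+/* local (zero's fill) */
+- { LN, 4, "127.1", "127.0.0.1", false, },
+- { LN, 4, "127.0.1", "127.0.0.1", false, },
+- { LN, 4, "127.0.0.1", "127.0.0.1", false, },
+- { LN, 6, "::1", "::1", false, },
+- { LN, 6, "0:0:0:0:0:0:0:1", "::1", false, },
++ { LN, 4, "127.1", "127.0.0.1", },
++ { LN, 4, "127.0.1", "127.0.0.1", },
++ { LN, 4, "127.0.0.1", "127.0.0.1", },
++ { LN, 6, "::1", "::1", },
++ { LN, 6, "0:0:0:0:0:0:0:1", "::1", },
+/* mask - and buffer overflow */
+- { LN, 4, "255.255.255.255", "255.255.255.255", false, },
+- { LN, 6, "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false, },
++ { LN, 4, "255.255.255.255", "255.255.255.255", },
++ { LN, 6, "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", },
+/* all bytes */
+- { LN, 4, "1.2.3.4", "1.2.3.4", false, },
+- { LN, 6, "1:2:3:4:5:6:7:8", "1:2:3:4:5:6:7:8", false, },
++ { LN, 4, "1.2.3.4", "1.2.3.4", },
++ { LN, 6, "1:2:3:4:5:6:7:8", "1:2:3:4:5:6:7:8", },
+/* last digit is a big num - see wikepedia */
+- { LN, 4, "127.254", "127.0.0.254", false, },
+- { LN, 4, "127.65534", "127.0.255.254", false, },
+- { LN, 4, "127.16777214", "127.255.255.254", false, },
++ { LN, 4, "127.254", "127.0.0.254", },
++ { LN, 4, "127.65534", "127.0.255.254", },
++ { LN, 4, "127.16777214", "127.255.255.254", },
+/* last digit overflow */
+- { LN, 4, "127.16777216", NULL, false, },
+- { LN, 4, "127.0.65536", NULL, false, },
+- { LN, 4, "127.0.0.256", NULL, false, },
++ { LN, 4, "127.16777216", NULL, },
++ { LN, 4, "127.0.65536", NULL, },
++ { LN, 4, "127.0.0.256", NULL, },
+/* suppress leading zeros - 01 vs 1 */
+- { LN, 6, "0001:0012:0003:0014:0005:0016:0007:0018", "1:12:3:14:5:16:7:18", false, },
++ { LN, 6, "0001:0012:0003:0014:0005:0016:0007:0018", "1:12:3:14:5:16:7:18", },
+/* drop leading 0:0: */
+- { LN, 6, "0:0:3:4:5:6:7:8", "::3:4:5:6:7:8", false, },
++ { LN, 6, "0:0:3:4:5:6:7:8", "::3:4:5:6:7:8", },
+/* drop middle 0:...:0 */
+- { LN, 6, "1:2:0:0:0:0:7:8", "1:2::7:8", false, },
++ { LN, 6, "1:2:0:0:0:0:7:8", "1:2::7:8", },
+/* drop trailing :0..:0 */
+- { LN, 6, "1:2:3:4:5:0:0:0", "1:2:3:4:5::", false, },
++ { LN, 6, "1:2:3:4:5:0:0:0", "1:2:3:4:5::", },
+/* drop first 0:..:0 */
+- { LN, 6, "1:2:0:0:5:6:0:0", "1:2::5:6:0:0", false, },
++ { LN, 6, "1:2:0:0:5:6:0:0", "1:2::5:6:0:0", },
+/* drop logest 0:..:0 */
+- { LN, 6, "0:0:3:0:0:0:7:8", "0:0:3::7:8", false, },
++ { LN, 6, "0:0:3:0:0:0:7:8", "0:0:3::7:8", },
+/* need two 0 */
+- { LN, 6, "0:2:0:4:0:6:0:8", "0:2:0:4:0:6:0:8", false, },
+-
+- { LN, 4, "www.libreswan.org", "188.127.201.229", .requires_dns = true, },
++ { LN, 6, "0:2:0:4:0:6:0:8", "0:2:0:4:0:6:0:8", },
+/* hex/octal */
+- { LN, 4, "0x01.0x02.0x03.0x04", "1.2.3.4", false, },
+- { LN, 4, "0001.0002.0003.0004", "1.2.3.4", false, },
+- { LN, 4, "0x01020304", "1.2.3.4", false, },
++ { LN, 4, "0x01.0x02.0x03.0x04", "1.2.3.4", },
++ { LN, 4, "0001.0002.0003.0004", "1.2.3.4", },
++ { LN, 4, "0x01020304", "1.2.3.4", },
+/* trailing garbage */
+- { LN, 4, "1.2.3.4.", NULL, false, },
+- { LN, 4, "1.2.3.4a", NULL, false, },
+- { LN, 4, "1.2.3.0a", NULL, false, },
++ { LN, 4, "1.2.3.4.", NULL, },
++ { LN, 4, "1.2.3.4a", NULL, },
++ { LN, 4, "1.2.3.0a", NULL, },
+/* bad digits */
+- { LN, 4, "256.2.3.4", NULL, false, },
+- { LN, 4, "0008.2.3.4", NULL, false, },
+- { LN, 4, "0x0g.2.3.4", NULL, false, },
++ { LN, 4, "256.2.3.4", NULL, },
++ { LN, 4, "0008.2.3.4", NULL, },
++ { LN, 4, "0x0g.2.3.4", NULL, },
+};
+@@ -104,66 +101,146 @@ static void check_shunk_to_address(void)
+for (size_t ti = 0; ti < elemsof(tests); ti++) {
+const struct test *t = &tests[ti];
+- PRINT("%s '%s' -> str: '%s' dns: %s", pri_family(t->family), t->in,
+- t->str == NULL ? "ERROR" : t->str,
+- bool_str(t->requires_dns));
+-
+- ip_address tmp, *address = &tmp;
+-
+- /* NUMERIC/NULL */
+- FOR_EACH_THING(family, 0, t->family) {
++ /*
++ * For each address, perform lookups:
++ *
++ * - first with a generic family and then with the
++ * specified family
++ *
++ * - first with ttoaddress_num() and then
++ * ttoaddress_dns() (but only when it should work)
++ */
++
++ FOR_EACH_THING(family, 0, 4, 6) {
+const struct ip_info *afi = IP_TYPE(family);
+- err = ttoaddress_num(shunk1(t->in), afi, address);
+- if (err != NULL) {
+- if (t->str != NULL && !t->requires_dns) {
+- FAIL("ttoaddress_num(%s, %s) unexpecedly failed: %s",
+- t->in, pri_family(family), err);
++ bool err_expected = (t->str == NULL || (family != 0 && family != t->family));
++
++ struct lookup {
++ const char *name;
++ err_t (*ttoaddress)(shunk_t, const struct ip_info *, ip_address *);
++ bool need_dns;
++ } lookups[] = {
++ {
++ "ttoaddress_num",
++ ttoaddress_num,
++ false,
++ },
++ {
++ "ttoaddress_dns",
++ ttoaddress_dns,
++ true,
++ },
++ {
++ .name = NULL,
++ },
++ };
++ for (struct lookup *lookup = lookups; lookup->name != NULL; lookup++) {
++
++ /*
++ * Without DNS a
++ * ttoaddress_dns() lookup of
++ * a bogus IP address will go
++ * into the weeds.
++ */
++ bool skip = (lookup->need_dns && have_dns != DNS_YES);
++
++ PRINT("%s('%s', %s) -> '%s'%s",
++ lookup->name, t->in, pri_family(family),
++ err_expected ? "ERROR" : t->str,
++ skip ? "; skipped as no DNS" : "");
++
++ if (skip) {
++ continue;
++ }
++
++ ip_address tmp, *address = &tmp;
++ err = lookup->ttoaddress(shunk1(t->in), afi, address);
++ if (err_expected) {
++ if (err == NULL) {
++ FAIL("%s(%s, %s) unexpecedly succeeded",
++ lookup->name, t->in, pri_family(family));
++ }
++ PRINT("%s(%s, %s) returned: %s",
++ lookup->name, t->in, pri_family(family), err);
++ } else if (err != NULL) {
++ FAIL("%s(%s, %s) unexpecedly failed: %s",
++ lookup->name, t->in, pri_family(family), err);
+} else {
+- PRINT("ttoaddress_num(%s, %s) returned: %s",
+- t->in, pri_family(family), err);
++ CHECK_STR2(address);
+}
+- } else if (t->requires_dns) {
+- FAIL("ttoaddress_num(%s, %s) unexpecedly parsed a DNS address",
+- t->in, pri_family(family));
+- } else if (t->str == NULL) {
+- FAIL("ttoaddress_num(%s, %s) unexpecedly succeeded",
+- t->in, pri_family(family));
+- } else {
+- CHECK_TYPE(address);
+}
+}
++ }
++}
++
++static void check_ttoaddress_dns(void)
++{
++ static const struct test {
++ int line;
++ int family;
++ const char *in;
++ const char *str;
++ bool need_dns;
++ } tests[] = {
++
++ /* localhost is found in /etc/hosts on all platforms */
++ { LN, 0, "localhost", "127.0.0.1", false, },
++ { LN, 4, "localhost", "127.0.0.1", false, },
++ { LN, 6, "localhost", "::1", false, },
++
++ { LN, 0, "www.libreswan.org", "188.127.201.229", true, },
++ { LN, 4, "www.libreswan.org", "188.127.201.229", true, },
++ { LN, 6, "www.libreswan.org", "2a00:1190:c00a:f00::229", true, },
+- /* DNS/TYPE */
++ { LN, 0, "nowhere.libreswan.org", NULL, true, },
++ { LN, 4, "nowhere.libreswan.org", NULL, true, },
++ { LN, 6, "nowhere.libreswan.org", NULL, true, },
+- if (t->requires_dns && !use_dns) {
+- PRINT("skipping dns_hunk_to_address(type) -- no DNS");
++ };
++
++ err_t err;
++
++ for (size_t ti = 0; ti < elemsof(tests); ti++) {
++ const struct test *t = &tests[ti];
++ const struct ip_info *afi = IP_TYPE(t->family);
++ bool skip = (have_dns == DNS_NO || (have_dns != DNS_YES && t->need_dns));
++
++ PRINT("%s '%s' -> str: '%s' lookup: %s%s",
++ pri_family(t->family), t->in,
++ t->str == NULL ? "ERROR" : t->str,
++ (t->need_dns ? "DNS" : "/etc/hosts"),
++ (skip ? "; skipped as no DNS" : ""));
++
++ if (skip) {
++ continue;
++ }
++
++ ip_address tmp, *address = &tmp;
++ err = ttoaddress_dns(shunk1(t->in), afi, address);
++ if (err != NULL) {
++ if (t->str != NULL) {
++ FAIL("ttoaddress_dns(%s, %s) unexpecedly failed: %s",
++ t->in, pri_family(t->family), err);
++ }
++ PRINT("ttoaddress_dns(%s, %s) failed as expected: %s",
++ t->in, pri_family(t->family), err);
++ } else if (t->str == NULL) {
++ address_buf b;
++ FAIL("ttoaddress_dns(%s, %s) unexpecedly succeeded with %s",
++ t->in, pri_family(t->family),
++ str_address(address, &b));
+} else {
+- const struct ip_info *afi = IP_TYPE(t->family);
+- err = ttoaddress_dns(shunk1(t->in), afi, address);
+- if (err != NULL) {
+- if (t->str != NULL) {
+- FAIL("ttoaddress_dns(%s, %s) unexpecedly failed: %s",
+- t->in, pri_family(t->family), err);
+- } else {
+- PRINT("ttoaddress_dns(%s, %s) returned: %s",
+- t->in, pri_family(t->family), err);
+- }
+- } else if (t->str == NULL) {
+- FAIL("ttoaddress_dns(%s, %s) unexpecedly succeeded",
+- t->in, pri_family(t->family));
+- } else {
++ address_buf b;
++ PRINT("ttoaddress_dns(%s, %s) succeeded with %s",
++ t->in, pri_family(t->family),
++ str_address(address, &b));
++ if (t->family != 0) {
+CHECK_TYPE(address);
+}
+- }
+-
+- /* now convert it back cooked */
+- if (t->requires_dns && !use_dns) {
+- PRINT("skipping str_*() -- no DNS");
+- } else if (t->str != NULL) {
++ /* and back */
+CHECK_STR2(address);
+}
+-
+}
+}
+@@ -473,7 +550,8 @@ static void check_addresses_to(void)
+void ip_address_check(void)
+{
+- check_shunk_to_address();
++ check_ttoaddress_num();
++ check_ttoaddress_dns();
+check_str_address_sensitive();
+check_str_address_reversed();
+check_address_is();
+diff --git a/testing/programs/ipcheck/ip_info_check.c b/testing/programs/ipcheck/ip_info_check.c
+index a7553a6029..f1566f4607 100644
+--- a/testing/programs/ipcheck/ip_info_check.c
++++ b/testing/programs/ipcheck/ip_info_check.c
+@@ -31,10 +31,12 @@
+/*hack*/const typeof(L##_tests[0]) *t = &L##_tests[tl]; \
+/*hack*/size_t ti = tl; \
+const ip_##L *l = L##_tests[tl].L; \
+- if (l == NULL) continue; \
++ if (l == NULL) \
++ continue; \
+for (size_t tr = 0; tr < elemsof(R##_tests); tr++) { \
+const ip_##R *r = R##_tests[tr].R; \
+- if (r == NULL) continue; \
++ if (r == NULL) \
++ continue; \
+bool expected = false; \
+for (size_t to = 0; to < elemsof(L##_op_##R); to++) { \
+const typeof(L##_op_##R[0]) *op = &L##_op_##R[to]; \
+diff --git a/testing/programs/ipcheck/ip_range_check.c b/testing/programs/ipcheck/ip_range_check.c
+index 256cf76c70..9f9a27db58 100644
+--- a/testing/programs/ipcheck/ip_range_check.c
++++ b/testing/programs/ipcheck/ip_range_check.c
+@@ -389,7 +389,7 @@ static void check_range_op_range(void)
+FAIL("ttorange(%s) failed: %s", t->R, oops); \
+} \
+} else { \
+- l = unset_range; \
++ R = unset_range; \
+}
+TT(l);
+TT(r);
+diff --git a/testing/programs/ipcheck/ip_sockaddr_check.c b/testing/programs/ipcheck/ip_sockaddr_check.c
+index 538154b6e6..d9affb54f9 100644
+--- a/testing/programs/ipcheck/ip_sockaddr_check.c
++++ b/testing/programs/ipcheck/ip_sockaddr_check.c
+@@ -20,6 +20,8 @@
+#include "ip_info.h"
+#include "ip_protocol.h"
++#include "lswlog.h" /* for DBG_dump_thing() */
++
+#include "ipcheck.h"
+static void check_sockaddr_as_endpoint(void)
+@@ -52,20 +54,25 @@ static void check_sockaddr_as_endpoint(void)
+PRINT("%s '%s' -> '%s' len=%zd", pri_family(t->family), t->in, expect_out, t->size);
+/* construct a raw sockaddr */
+- ip_sockaddr sa = {
+- .sa.sa = {
+- .sa_family = SA_FAMILY(t->family),
+- },
++ ip_sockaddr sa = {
+.len = t->size,
+};
+switch (t->family) {
+case 4:
+memcpy(&sa.sa.sin.sin_addr, t->addr, sizeof(sa.sa.sin.sin_addr));
++ sa.sa.sin.sin_family = AF_INET;
+sa.sa.sin.sin_port = htons(t->port);
++#ifdef NEED_SIN_LEN
++ sa.sa.sin.sin_len = sizeof(struct sockaddr_in);
++#endif
+break;
+case 6:
+memcpy(&sa.sa.sin6.sin6_addr, t->addr, sizeof(sa.sa.sin6.sin6_addr));
++ sa.sa.sin6.sin6_family = AF_INET6;
+sa.sa.sin6.sin6_port = htons(t->port);
++#ifdef NEED_SIN_LEN
++ sa.sa.sin6.sin6_len = sizeof(struct sockaddr_in6);
++#endif
+break;
+}
+@@ -107,6 +114,8 @@ static void check_sockaddr_as_endpoint(void)
+esa.len, sizeof(esa.sa));
+} else if (!memeq(&esa.sa, &sa.sa, sizeof(esa.sa))) {
+/* compare the entire buffer, not just size */
++ DBG_dump_thing("esa.sa", esa.sa);
++ DBG_dump_thing("sa.sa", sa.sa);
+FAIL("endpoint_to_sockaddr() returned a different value");
+}
+} else {
+diff --git a/testing/programs/ipcheck/ipcheck.c b/testing/programs/ipcheck/ipcheck.c
+index ed13d1ed5c..8df45b5fd4 100644
+--- a/testing/programs/ipcheck/ipcheck.c
++++ b/testing/programs/ipcheck/ipcheck.c
+@@ -25,21 +25,37 @@
+#include "lswtool.h"
+unsigned fails;
+-bool use_dns = true;
++enum have_dns have_dns = DNS_NO;
+int main(int argc, char *argv[])
+{
+- struct logger *logger = tool_init_log(argv[0]);
++ leak_detective = true;
+log_ip = false; /* force sensitive */
++ struct logger *logger = tool_init_log(argv[0]);
++
++ if (argc != 2) {
++ fprintf(stderr, "usage: %s --dns={no,hosts-file,yes}\n", argv[0]);
++ return 1;
++ }
++
++ /* only one option for now */
++ const char *dns = argv[1];
++ if (!eat(dns, "--dns")) {
++ fprintf(stderr, "%s: unknown option '%s'\n",
++ argv[0], argv[1]);
++ return 1;
++ }
+- for (char **argp = argv+1; argp < argv+argc; argp++) {
+- if (streq(*argp, "--nodns")) {
+- use_dns = false;
+- } else {
+- fprintf(stderr, "%s: unknown option '%s'\n",
+- argv[0], *argp);
+- return 1;
+- }
++ if (streq(dns, "=no")) {
++ have_dns = DNS_NO;
++ } else if (streq(dns, "=hosts-file") || streq(dns, "")) {
++ have_dns = HAVE_HOSTS_FILE;
++ } else if (streq(dns, "=yes")) {
++ have_dns = DNS_YES;
++ } else {
++ fprintf(stderr, "%s: unknown --dns param '%s'\n",
++ argv[0], dns);
++ return 1;
+}
+ip_address_check();
+@@ -55,6 +71,10 @@ int main(int argc, char *argv[])
+ip_port_range_check();
+ip_cidr_check();
++ report_leaks(logger);
++
++
++
+if (fails > 0) {
+fprintf(stderr, "TOTAL FAILURES: %d\n", fails);
+return 1;
+diff --git a/testing/programs/ipcheck/ipcheck.h b/testing/programs/ipcheck/ipcheck.h
+index 7e7c2a284b..5cfdbf05f7 100644
+--- a/testing/programs/ipcheck/ipcheck.h
++++ b/testing/programs/ipcheck/ipcheck.h
+@@ -44,7 +44,7 @@ extern void ip_cidr_check(void);
+*/
+extern unsigned fails;
+-extern bool use_dns;
++extern enum have_dns { DNS_NO, HAVE_HOSTS_FILE, DNS_YES, } have_dns;
+#define pri_family(FAMILY) ((FAMILY) == 0 ? "0" : \
+(FAMILY) == 4 ? "IPv4" : \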
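Review bot: The Makefile hunk makes `local-check` run ipcheck with `--dns=yes`, so the check_ttoaddress_dns() rows for www.libreswan.org and nowhere.libreswan.org now need a working resolver and reachable libreswan.org DNS, and the hard-coded answers (188.127.201.229, 2a00:1190:c00a:f00::229) will go stale when the host moves; if this target is ever run in a network-less build environment it fails outright, so `--dns=hosts-file` is the safer default for the Makefile with `--dns=yes` left to an explicit developer run. The comment `/* localhost is found in /etc/hosts on all platforms */` overstates the IPv6 case: `{ LN, 6, "localhost", "::1", false, }` only passes where /etc/hosts also maps ::1, so either qualify the comment or give that row its own skip condition. In ipcheck.c the three blank lines added after `report_leaks(logger);` are noise, and the adjacent context line `fprintf(stderr, "TOTAL FAILURES: %d\n", fails);` prints an `unsigned` with `%d` — pre-existing, but `%u` would silence -Wformat while this function is being touched. main() and check_sockaddr_as_endpoint() both extend beyond the hunks shown.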

487
SPECS/libreswan.spec Normal file

@ -0,0 +1,487 @@
%global _hardened_build 1
# These are rpm macros and are 0 or 1
%global with_efence 0
%global with_development 0
%global with_cavstests 1
%global nss_version 3.52
%global unbound_version 1.6.6
# Libreswan config options
%global libreswan_config \\\
FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
FINALMANDIR=%{_mandir} \\\
PREFIX=%{_prefix} \\\
INITSYSTEM=systemd \\\
PYTHON_BINARY=%{__python3} \\\
SHELL_BINARY=%{_bindir}/sh \\\
USE_DNSSEC=true \\\
USE_LABELED_IPSEC=true \\\
USE_LDAP=true \\\
USE_LIBCAP_NG=true \\\
USE_LIBCURL=true \\\
USE_LINUX_AUDIT=true \\\
USE_NM=true \\\
USE_NSS_IPSEC_PROFILE=true \\\
USE_SECCOMP=true \\\
USE_AUTHPAM=true \\\
%{nil}
#global prever dr1
Name: libreswan
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
# version is generated in the release script
Version: 4.4
Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}.1
License: GPLv2
Url: https://libreswan.org/
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
%if 0%{with_cavstests}
Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif
Patch0: libreswan-4.2-openssl3.patch
Patch1: libreswan-4.4-ipcheck.patch
# Partially backported https://github.com/libreswan/libreswan/commit/4af9072e62237daad9fea9bb769f6dfbdf2e4ea1
Patch2: libreswan-4.4-getaddrinfo.patch
Patch3: libreswan-4.4-covscan.patch
BuildRequires: audit-libs-devel
BuildRequires: bison
BuildRequires: curl-devel
BuildRequires: flex
BuildRequires: gcc make
BuildRequires: hostname
BuildRequires: ldns-devel
BuildRequires: libcap-ng-devel
BuildRequires: libevent-devel
BuildRequires: libseccomp-devel
BuildRequires: libselinux-devel
BuildRequires: nspr-devel
BuildRequires: nss-devel >= %{nss_version}
BuildRequires: nss-tools >= %{nss_version}
BuildRequires: openldap-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: systemd-devel
BuildRequires: unbound-devel >= %{unbound_version}
BuildRequires: xmlto
%if 0%{with_efence}
BuildRequires: ElectricFence
%endif
Requires: iproute >= 2.6.8
Requires: nss >= %{nss_version}
Requires: nss-softokn
Requires: nss-tools
Requires: unbound-libs >= %{unbound_version}
Requires(post): bash
Requires(post): coreutils
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
%description
Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is
the Internet Protocol Security and uses strong cryptography to provide
both authentication and encryption services. These services allow you
to build secure tunnels through untrusted networks. Everything passing
through the untrusted net is encrypted by the ipsec gateway machine and
decrypted by the gateway at the other end of the tunnel. The resulting
tunnel is a virtual private network or VPN.
This package contains the daemons and userland tools for setting up
Libreswan.
Libreswan also supports IKEv2 (RFC7296) and Secure Labeling
Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
%prep
%setup -q -n libreswan-%{version}%{?prever}
%patch0 -b .openssl3
# enable crypto-policies support
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
# disable some testing tools that throw warnings on arm
%patch1 -p1
sed -i "s/SUBDIRS += ipcheck/#SUBDIRS += ipchec/" testing/programs/Makefile
%patch2 -p1 -b .getaddrinfo
%patch3 -p1 -b .covscan
%build
make %{?_smp_mflags} \
%if 0%{with_development}
OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \
%else
OPTIMIZE_CFLAGS="%{optflags}" \
%endif
WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch -Wno-maybe-uninitialized" \
%if 0%{with_efence}
USE_EFENCE=true \
%endif
USERLINK="%{?__global_ldflags} -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -flto --no-lto" \
%{libreswan_config} \
programs
FS=$(pwd)
%install
make \
DESTDIR=%{buildroot} \
%{libreswan_config} \
install
FS=$(pwd)
rm -rf %{buildroot}/usr/share/doc/libreswan
rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
install -d -m 0755 %{buildroot}%{_rundir}/pluto
install -d %{buildroot}%{_sbindir}
install -d %{buildroot}%{_sysconfdir}/sysctl.d
install -m 0644 packaging/fedora/libreswan-sysctl.conf \
%{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
echo "include %{_sysconfdir}/ipsec.d/*.secrets" \
> %{buildroot}%{_sysconfdir}/ipsec.secrets
rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
%if 0%{with_cavstests}
%check
# There is an elaborate upstream testing infrastructure which we do not
# run here - it takes hours and uses kvm
# We only run the CAVS tests.
cp %{SOURCE1} %{SOURCE2} %{SOURCE3} .
bunzip2 *.fax.bz2
: starting CAVS test for IKEv2
%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \
diff -u ikev2.fax - > /dev/null
: starting CAVS test for IKEv1 RSASIG
%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \
diff -u ikev1_dsa.fax - > /dev/null
: starting CAVS test for IKEv1 PSK
%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
diff -u ikev1_psk.fax - > /dev/null
: CAVS tests passed
%endif
# Some of these tests will show ERROR for negative testing - it will exit on real errors
%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; }
%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; }
: Algorithm parser tests passed
# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode
tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
certutil -N -d sql:$tmpdir --empty-password
%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir
: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST
%post
%systemd_post ipsec.service
%preun
%systemd_preun ipsec.service
%postun
%systemd_postun_with_restart ipsec.service
%files
%doc CHANGES COPYING CREDITS README* LICENSE
%doc docs/*.* docs/examples
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
%attr(0755,root,root) %dir %{_rundir}/pluto
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec/nss
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
%attr(0644,root,root) %{_unitdir}/ipsec.service
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
%{_sbindir}/ipsec
%{_libexecdir}/ipsec
%doc %{_mandir}/*/*
%changelog
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 4.4-3.1
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jul 21 2021 Daiki Ueno <dueno@redhat.com> - 4.4-3
- Backport removal gethostbyname2 uses from the upstream
- Fix issues spotted by covscan (rhbz#1938784)
* Tue Jul 13 2021 Daiki Ueno <dueno@redhat.com> - 4.4-2
- Rebuild with newer GCC to fix annocheck failures
* Thu Jul 1 2021 Daiki Ueno <dueno@redhat.com> - 4.4-1
- Update to 4.4. Resolves: rhbz#1975812
- Port compiler warning suppression by Paul Wouters:
https://src.fedoraproject.org/rpms/libreswan/c/8d7f98d41444ac77c562f735b4b93038f5346ce2?branch=rawhide
* Thu Jun 24 2021 Daiki Ueno <dueno@redhat.com> - 4.2-1.3
- Fix FTBFS with OpenSSL 3.0 (rhbz#1975439)
* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 4.2-1.2
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 4.2-1.1
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Feb 03 2021 Paul Wouters <pwouters@redhat.com> - 4.2-1
- Update to 4.2
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.2-0.1.rc1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Sat Dec 19 19:59:55 EST 2020 Paul Wouters <pwouters@redhat.com> - 4.2-0.1.rc1
- Resolves: rhbz#1867580 pluto process frequently dumps core
(disable USE_NSS_KDF until nss fixes have propagated)
* Sat Dec 19 2020 Adam Williamson <awilliam@redhat.com> - 4.1-4
- Rebuild for ldns soname bump
* Mon Nov 23 11:50:41 EST 2020 Paul Wouters <pwouters@redhat.com> - 4.1-3
- Resolves: rhbz#1894381 Libreswan 4.1-2 breaks l2tp connection to Windows VPN server
* Mon Oct 26 10:21:57 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.1-2
- Resolves: rhbz#1889538 libreswan's /var/lib/ipsec/nss missing
* Sun Oct 18 21:49:39 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.1-1
- Updated to 4.1 - interop fix for Cisco
* Thu Oct 15 10:27:14 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.0-1
- Resolves: rhbz#1888448 libreswan-4.0 is available
* Wed Sep 30 14:05:58 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.0-0.2.rc1
- Rebuild for libevent 2.1.12 with a soname bump
* Sun Sep 27 22:49:40 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.0-0.1.rc1
- Updated to 4.0rc1
* Thu Aug 27 2020 Paul Wouters <pwouters@redhat.com> - 3.32-4
- Resolves: rhbz#1864043 libreswan: FTBFS in Fedora rawhide/f33
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.32-3.2
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.32-3.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jun 30 2020 Jeff Law <law@redhat.com> - 3.32-3
- Initialize ppk_id_p in ikev2_parent_inR1outI2_tail to avoid uninitialized
object
* Tue May 26 2020 Paul Wouters <pwouters@redhat.com> - 3.32-2
- Backport NSS guarding fix for unannounced changed api in NSS causing segfault
* Mon May 11 2020 Paul Wouters <pwouters@redhat.com> - 3.32-1
- Resolves: rhbz#1809770 libreswan-3.32 is available
* Tue Apr 14 2020 Paul Wouters <pwouters@redhat.com> - 3.31-2
- Resolves: rhbz#1823823 Please drop the dependency on fipscheck
* Tue Mar 03 2020 Paul Wouters <pwouters@redhat.com> - 3.31-1
- Resolves: rhbz#1809770 libreswan-3.31 is available (fixes rekey regression)
* Fri Feb 14 2020 Paul Wouters <pwouters@redhat.com> - 3.30-1
- Resolves: rhbz#1802896 libreswan-3.30 is available
- Resolves: rhbz#1799598 libreswan: FTBFS in Fedora rawhide/f32
- Resolves: rhbz#1760571 [abrt] libreswan: configsetupcheck(): verify:366:configsetupcheck:TypeError:
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.29-2.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jan 09 2020 Paul Wouters <pwouters@redhat.com> - 3.29-2
- _updown.netkey: fix syntax error in checking routes
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.29-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Jun 10 2019 Paul Wouters <pwouters@redhat.com> - 3.29-1
- Resolves: rhbz#1718986 Updated to 3.29 for CVE-2019-10155
* Tue May 21 2019 Paul Wouters <pwouters@redhat.com> - 3.28-1
- Updated to 3.28 (many imported bugfixes, including CVE-2019-12312)
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.27-1.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 3.27-1.1
- Rebuilt for libcrypt.so.2 (#1666033)
* Mon Oct 08 2018 Paul Wouters <pwouters@redhat.com> - 3.27-1
- Updated to 3.27 (various bugfixes)
* Thu Sep 27 2018 Paul Wouters <pwouters@redhat.com> - 3.26-3
- Add fedora python fixup for _unbound-hook
* Mon Sep 17 2018 Paul Wouters <pwouters@redhat.com> - 3.26-2
- linking against freebl is no longer needed (and wasn't done in 3.25)
* Mon Sep 17 2018 Paul Wouters <pwouters@redhat.com> - 3.26-1
- Updated to 3.26 (CHACHA20POLY1305, ECDSA and RSA-PSS support)
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.25-3.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Jul 09 2018 Paul Wouters <pwouters@redhat.com> - 3.25-3
- Fix Opportunistic IPsec _unbound-hook argument parsing
- Make rundir readable for all (so we can hand out permissions later)
* Mon Jul 02 2018 Paul Wouters <pwouters@redhat.com> - 3.25-2
- Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors
* Wed Jun 27 2018 Paul Wouters <pwouters@redhat.com> - 3.25-1
- Updated to 3.25
* Mon Feb 19 2018 Paul Wouters <pwouters@redhat.com> - 3.23-2
- Support crypto-policies package
- Pull in some patches from upstream and IANA registry updates
- gcc7 format-truncate fixes and workarounds
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.23-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Jan 25 2018 Paul Wouters <pwouters@redhat.com> - 3.23-1
- Updated to 3.23 - support for MOBIKE, PPK, CMAC, nic offload and performance improvements
* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 3.22-1.1
- Rebuilt for switch to libxcrypt
* Mon Oct 23 2017 Paul Wouters <pwouters@redhat.com> - 3.22-1
- Updated to 3.22 - many bugfixes, and unbound ipsecmod support
* Wed Aug 9 2017 Paul Wouters <pwouters@redhat.com> - 3.21-1
- Updated to 3.21
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.20-1.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.20-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Tue Mar 14 2017 Paul Wouters <pwouters@redhat.com> - 3.20-1
- Updated to 3.20
* Fri Mar 03 2017 Paul Wouters <pwouters@redhat.com> - 3.20-0.1.dr4
- Update to 3.20dr4 to test mozbz#1336487 export CERT_CompareAVA
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.19-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Feb 03 2017 Paul Wouters <pwouters@redhat.com> - 3.19-2
- Resolves: rhbz#1392191 libreswan: crash when OSX client connects
- Improved uniqueid and session replacing support
- Test Buffer warning fix on size_t
- Re-introduce --configdir for backwards compatibility
* Sun Jan 15 2017 Paul Wouters <pwouters@redhat.com> - 3.19-1
- Updated to 3.19 (see download.libreswan.org/CHANGES)
* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 3.18-1.1
- Rebuild for Python 3.6
* Fri Jul 29 2016 Paul Wouters <pwouters@redhat.com> - 3.18-1
- Updated to 3.18 for CVE-2016-5391 rhbz#1361164 and VTI support
- Remove support for /etc/sysconfig/pluto (use native systemd instead)
* Thu May 05 2016 Paul Wouters <pwouters@redhat.com> - 3.17-2
- Resolves: rhbz#1324956 prelink is gone, /etc/prelink.conf.d/* is no longer used
* Thu Apr 07 2016 Paul Wouters <pwouters@redhat.com> - 3.17-1
- Updated to 3.17 for CVE-2016-3071
- Disable LIBCAP_NG as it prevents unbound-control from working properly
- Temporarilly disable WERROR due to a few minor known issues
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3.16-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Fri Dec 18 2015 Paul Wouters <pwouters@redhat.com> - 3.16-1
- Updated to 3.16 (see https://download.libreswan.org/CHANGES)
* Tue Aug 11 2015 Paul Wouters <pwouters@redhat.com> - 3.15-1
- Updated to 3.15 (see http://download.libreswan.org/CHANGES)
- Resolves: rhbz#CVE-2015-3240 IKE daemon restart when receiving a bad DH gx
- NSS database creation moved from spec file to service file
- Run CAVS tests on package build
- Added BuildRequire systemd-units and xmlto
- Bumped minimum required nss to 3.16.1
- Install tmpfiles
- Install sysctl file
- Update doc files to include
* Mon Jul 13 2015 Paul Wouters <pwouters@redhat.com> - 3.13-2
- Resolves: rhbz#1238967 Switch libreswan to use python3
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.13-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Mon Jun 01 2015 Paul Wouters <pwouters@redhat.com> - 3.13-1
- Updated to 3.13 for CVE-2015-3204
* Fri Nov 07 2014 Paul Wouters <pwouters@redhat.com> - 3.12-1
- Updated to 3.12 Various IKEv2 fixes
* Wed Oct 22 2014 Paul Wouters <pwouters@redhat.com> - 3.11-1
- Updated to 3.11 (many fixes, including startup fixes)
- Resolves: rhbz#1144941 libreswan 3.10 upgrade breaks old ipsec.secrets configs
- Resolves: rhbz#1147072 ikev1 aggr mode connection fails after libreswan upgrade
- Resolves: rhbz#1144831 Libreswan appears to start with systemd before all the NICs are up and running
* Tue Sep 09 2014 Paul Wouters <pwouters@redhat.com> - 3.10-3
- Fix some coverity issues, auto=route on bootup and snprintf on 32bit machines
* Mon Sep 01 2014 Paul Wouters <pwouters@redhat.com> - 3.10-1
- Updated to 3.10, major bugfix release, new xauth status options
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.9-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Thu Jul 10 2014 Paul Wouters <pwouters@redhat.com> - 3.9-1
- Updated to 3.9. IKEv2 enhancements, ESP/IKE algo enhancements
- Mark libreswan-fips.conf as config file
- attr modifier for man pages no longer needed
- BUGS file no longer exists upstream
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.8-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sat Jan 18 2014 Paul Wouters <pwouters@redhat.com> - 3.8-1
- Updated to 3.8, fixes rhbz#CVE-2013-6467 (rhbz#1054102)
* Wed Dec 11 2013 Paul Wouters <pwouters@redhat.com> - 3.7-1
- Updated to 3.7, fixes CVE-2013-4564
- Fixes creating a bogus NSS db on startup (rhbz#1005410)
* Thu Oct 31 2013 Paul Wouters <pwouters@redhat.com> - 3.6-1
- Updated to 3.6 (IKEv2, MODECFG, Cisco interop fixes)
- Generate empty NSS db if none exists
* Mon Aug 19 2013 Paul Wouters <pwouters@redhat.com> - 3.5-3
- Add a Provides: for openswan-doc
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.5-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Mon Jul 15 2013 Paul Wouters <pwouters@redhat.com> - 3.5-2
- Added interop patch for (some?) Cisco VPN clients sending 16 zero
bytes of extraneous IKE data
- Removed fipscheck_version
* Sat Jul 13 2013 Paul Wouters <pwouters@redhat.com> - 3.5-1
- Updated to 3.5
* Thu Jun 06 2013 Paul Wouters <pwouters@redhat.com> - 3.4-1
- Updated to 3.4, which only contains style changes to kernel coding style
- IN MEMORIAM: June 3rd, 2013 Hugh Daniel
* Mon May 13 2013 Paul Wouters <pwouters@redhat.com> - 3.3-1
- Updated to 3.3, which resolves CVE-2013-2052
* Sat Apr 13 2013 Paul Wouters <pwouters@redhat.com> - 3.2-1
- Initial package for Fedora
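Review bot: The build-time self-tests that follow `%endif` (the `algparse -tp`/`-ta` runs and the `certutil`/`pluto --selftest` block) sit outside the `%if 0%{with_cavstests}` conditional but depend on the `%check` section header declared inside it, so a build with `with_cavstests 0` would parse them as the tail of `%install` instead of as a check stage. Hoisting the header out of the conditional, i.e. `%check` followed by `%if 0%{with_cavstests}`, keeps the section in both configurations. The scratch NSS database created with `mktemp -d /tmp/libreswan-XXXXX` is never removed; adding `rm -rf "$tmpdir"` after the `pluto --selftest` line keeps the builder clean, and a bare `mktemp -d` (which honours TMPDIR) would avoid hard-coding `/tmp`. The failure message in the `algparse -tp` branch reads `prooposal`.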