import libreswan-4.4-3.el9.1
This commit is contained in:
commit
c0b8ac0f51
4
.gitignore
vendored
Normal file
4
.gitignore
vendored
Normal file
@ -0,0 +1,4 @@
|
||||
SOURCES/ikev1_dsa.fax.bz2
|
||||
SOURCES/ikev1_psk.fax.bz2
|
||||
SOURCES/ikev2.fax.bz2
|
||||
SOURCES/libreswan-4.4.tar.gz
|
4
.libreswan.metadata
Normal file
4
.libreswan.metadata
Normal file
@ -0,0 +1,4 @@
|
||||
b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2
|
||||
861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2
|
||||
fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2
|
||||
c75da86c032fe15979a13f4e779a9fe41386203a SOURCES/libreswan-4.4.tar.gz
|
31
SOURCES/libreswan-4.2-openssl3.patch
Normal file
31
SOURCES/libreswan-4.2-openssl3.patch
Normal file
@ -0,0 +1,31 @@
|
||||
diff -up ./programs/pluto/ikev2_ipseckey.c.openssl3 ./programs/pluto/ikev2_ipseckey.c
|
||||
--- ./programs/pluto/ikev2_ipseckey.c.openssl3 2021-02-03 02:36:01.000000000 +0100
|
||||
+++ ./programs/pluto/ikev2_ipseckey.c 2021-06-24 17:55:04.863636517 +0200
|
||||
@@ -25,13 +25,25 @@
|
||||
#include <arpa/nameser.h>
|
||||
#include <ldns/ldns.h> /* from ldns-devel */
|
||||
#include <ldns/rr.h>
|
||||
+/*
|
||||
+ * avoid name clash between OpenSSL headers (included through
|
||||
+ * <ldns/ldns.h>) and NSS headers (included below through <pk11pub.h>)
|
||||
+ */
|
||||
+#undef KU_DIGITAL_SIGNATURE
|
||||
+#undef KU_NON_REPUDIATION
|
||||
+#undef KU_KEY_ENCIPHERMENT
|
||||
+#undef KU_DATA_ENCIPHERMENT
|
||||
+#undef KU_KEY_AGREEMENT
|
||||
+#undef KU_KEY_CERT_SIGN
|
||||
+#undef KU_CRL_SIGN
|
||||
+#undef KU_ENCIPHER_ONLY
|
||||
#include <unbound.h>
|
||||
#include "unbound-event.h"
|
||||
#include "defs.h"
|
||||
#include "log.h"
|
||||
+#include "state.h"
|
||||
#include "constants.h" /* for demux.h */
|
||||
#include "demux.h" /* to get struct msg_digest */
|
||||
-#include "state.h"
|
||||
#include "connections.h"
|
||||
#include "dnssec.h" /* includes unbound.h */
|
||||
#include "id.h"
|
||||
diff -up ./programs/pluto/ikev2_rsa.c.openssl3 ./programs/pluto/ikev2_rsa.c
|
101
SOURCES/libreswan-4.4-covscan.patch
Normal file
101
SOURCES/libreswan-4.4-covscan.patch
Normal file
@ -0,0 +1,101 @@
|
||||
From 835f711502fa07825b27201cb772e911c59d54b0 Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <dueno@redhat.com>
|
||||
Date: Wed, 21 Jul 2021 10:10:43 +0200
|
||||
Subject: [PATCH] ipsec barf: fix shell test expression
|
||||
|
||||
Spotted by shellcheck:
|
||||
|
||||
/usr/libexec/ipsec/barf:55:5: error[SC1073]: Couldn't parse this test expression. Fix to allow more checks.
|
||||
# 53| for f
|
||||
# 54| do
|
||||
# 55|-> if [ -s ${LOGS}/${f} -a \
|
||||
# 56| -f ${LOGS}/${f} -a \
|
||||
# 57| grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null ]
|
||||
|
||||
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
||||
---
|
||||
programs/barf/barf.in | 16 ++++++++--------
|
||||
1 file changed, 8 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/programs/barf/barf.in b/programs/barf/barf.in
|
||||
index e76c62f338..499916da4b 100755
|
||||
--- a/programs/barf/barf.in
|
||||
+++ b/programs/barf/barf.in
|
||||
@@ -53,8 +53,8 @@ findlog() { # findlog string fallbackstring possiblefile ...
|
||||
for f
|
||||
do
|
||||
if [ -s ${LOGS}/${f} -a \
|
||||
- -f ${LOGS}/${f} -a \
|
||||
- grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null ]
|
||||
+ -f ${LOGS}/${f} ] && \
|
||||
+ grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null
|
||||
then
|
||||
# aha, this one has it
|
||||
findlog_file=${LOGS}/${f}
|
||||
@@ -66,8 +66,8 @@ findlog() { # findlog string fallbackstring possiblefile ...
|
||||
for f
|
||||
do
|
||||
if [ -s ${LOGS}/${f} -a \
|
||||
- -f ${LOGS}/${f} -a \
|
||||
- grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null ]
|
||||
+ -f ${LOGS}/${f} ] && \
|
||||
+ grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null
|
||||
then
|
||||
# aha, this one has it
|
||||
findlog_file=${LOGS}/${f}
|
||||
@@ -80,8 +80,8 @@ findlog() { # findlog string fallbackstring possiblefile ...
|
||||
for f in $(ls -t ${LOGS} | grep -E -v 'lastlog|tmp|^mail|\.(gz|Z)$')
|
||||
do
|
||||
if [ -f ${LOGS}/${f} -a \
|
||||
- ! -d ${LOGS}/${f} -a \
|
||||
- grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null ]
|
||||
+ ! -d ${LOGS}/${f} ] && \
|
||||
+ grep -E -q "${s}" ${LOGS}/${f} 2>/dev/null
|
||||
then
|
||||
# found it
|
||||
findlog_file=${LOGS}/${f}
|
||||
@@ -93,8 +93,8 @@ findlog() { # findlog string fallbackstring possiblefile ...
|
||||
for f in $(ls -t ${LOGS} | grep -E -v 'lastlog|tmp|^mail|\.(gz|Z)$')
|
||||
do
|
||||
if [ -s ${LOGS}/${f} -a \
|
||||
- -f ${LOGS}/${f} -a \
|
||||
- grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null ]
|
||||
+ -f ${LOGS}/${f} ] && \
|
||||
+ grep -E -q "${t}" ${LOGS}/${f} 2>/dev/null
|
||||
then
|
||||
# found it
|
||||
findlog_file=${LOGS}/${f}
|
||||
--
|
||||
2.31.1
|
||||
|
||||
From 00ee1189626db8dcce084cb481ad0c49b435f4ff Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <dueno@redhat.com>
|
||||
Date: Wed, 21 Jul 2021 10:54:58 +0200
|
||||
Subject: [PATCH] testing jambufcheck: add missing va_end calls in error path
|
||||
|
||||
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
||||
---
|
||||
testing/programs/jambufcheck/jambufcheck.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/testing/programs/jambufcheck/jambufcheck.c b/testing/programs/jambufcheck/jambufcheck.c
|
||||
index 72baaa5a1d..23a47b15f6 100644
|
||||
--- a/testing/programs/jambufcheck/jambufcheck.c
|
||||
+++ b/testing/programs/jambufcheck/jambufcheck.c
|
||||
@@ -104,11 +104,13 @@ static void check_jambuf(bool ok, const char *expect, ...)
|
||||
}
|
||||
break;
|
||||
default:
|
||||
+ va_end(ap);
|
||||
FAIL("bad case");
|
||||
return;
|
||||
}
|
||||
}
|
||||
if (ok && !jambuf_ok(&buf)) {
|
||||
+ va_end(ap);
|
||||
FAIL("unexpectedly failed writing '%s'",
|
||||
str == NULL ? "(null)" : str);
|
||||
return;
|
||||
--
|
||||
2.31.1
|
||||
|
168
SOURCES/libreswan-4.4-getaddrinfo.patch
Normal file
168
SOURCES/libreswan-4.4-getaddrinfo.patch
Normal file
@ -0,0 +1,168 @@
|
||||
diff -up ./lib/libswan/ttoaddress.c.getaddrinfo ./lib/libswan/ttoaddress.c
|
||||
--- ./lib/libswan/ttoaddress.c.getaddrinfo 2021-04-22 17:24:33.000000000 +0200
|
||||
+++ ./lib/libswan/ttoaddress.c 2021-07-22 13:16:19.073745043 +0200
|
||||
@@ -20,6 +20,7 @@
|
||||
#include <netdb.h> /* for gethostbyname2() */
|
||||
|
||||
#include "ip_address.h"
|
||||
+#include "ip_sockaddr.h"
|
||||
#include "ip_info.h"
|
||||
#include "lswalloc.h" /* for alloc_things(), pfree() */
|
||||
#include "lswlog.h" /* for pexpect() */
|
||||
@@ -75,56 +76,6 @@ static err_t ttoaddr_base(shunk_t src,
|
||||
}
|
||||
|
||||
/*
|
||||
- * tryname - try it as a name
|
||||
- *
|
||||
- * Error return is intricate because we cannot compose a static string.
|
||||
- */
|
||||
-static err_t tryname(const char *p,
|
||||
- int af,
|
||||
- int suggested_af, /* kind(s) of numeric addressing tried */
|
||||
- ip_address *dst)
|
||||
-{
|
||||
- struct hostent *h = gethostbyname2(p, af);
|
||||
- if (h != NULL) {
|
||||
- if (h->h_addrtype != af) {
|
||||
- return "address-type mismatch from gethostbyname2!!!";
|
||||
- }
|
||||
-
|
||||
- return data_to_address(h->h_addr, h->h_length, aftoinfo(af), dst);
|
||||
- }
|
||||
-
|
||||
- if (af == AF_INET6) {
|
||||
- if (suggested_af == AF_INET6) {
|
||||
- return "not a numeric IPv6 address and name lookup failed (no validation performed)";
|
||||
- } else /* AF_UNSPEC */ {
|
||||
- return "not a numeric IPv4 or IPv6 address and name lookup failed (no validation performed)";
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- pexpect(af == AF_INET);
|
||||
-
|
||||
- /* like, windows even has an /etc/networks? */
|
||||
- struct netent *ne = getnetbyname(p);
|
||||
- if (ne == NULL) {
|
||||
- /* intricate because we cannot compose a static string */
|
||||
- if (suggested_af == AF_INET) {
|
||||
- return "not a numeric IPv4 address and name lookup failed (no validation performed)";
|
||||
- } else {
|
||||
- return "not a numeric IPv4 or IPv6 address and name lookup failed (no validation performed)";
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- if (ne->n_addrtype != af) {
|
||||
- return "address-type mismatch from getnetbyname!!!";
|
||||
- }
|
||||
-
|
||||
- /* apparently .n_net is in host order */
|
||||
- struct in_addr in = { htonl(ne->n_net), };
|
||||
- *dst = address_from_in_addr(&in);
|
||||
- return NULL;
|
||||
-}
|
||||
-
|
||||
-/*
|
||||
* tryhex - try conversion as an eight-digit hex number (AF_INET only)
|
||||
*/
|
||||
|
||||
@@ -401,57 +352,56 @@ err_t getpiece(const char **srcp, /* *sr
|
||||
|
||||
err_t ttoaddress_dns(shunk_t src, const struct ip_info *afi, ip_address *dst)
|
||||
{
|
||||
+ char *name = clone_hunk_as_string(src, "ttoaddress_dns"); /* must free */
|
||||
+ struct addrinfo *res = NULL;
|
||||
+ const struct addrinfo hints = (struct addrinfo) {
|
||||
+ .ai_family = afi == NULL ? AF_UNSPEC : afi->af,
|
||||
+ };
|
||||
*dst = unset_address;
|
||||
- if (src.len == 0) {
|
||||
- return "empty string";
|
||||
- }
|
||||
-
|
||||
- bool was_numeric = true;
|
||||
- err_t err = ttoaddr_base(src, afi, &was_numeric, dst);
|
||||
- if (was_numeric) {
|
||||
- /* no-point in continuing */
|
||||
- return err;
|
||||
- }
|
||||
|
||||
- /* err == non-numeric */
|
||||
+ int eai = getaddrinfo(name, NULL, &hints, &res);
|
||||
+ err_t err = NULL;
|
||||
|
||||
- for (const char *cp = src.ptr, *end = cp + src.len; cp < end; cp++) {
|
||||
+ if (eai != 0) {
|
||||
/*
|
||||
- * Legal ASCII characters in a domain name.
|
||||
- * Underscore technically is not, but is a common
|
||||
- * misunderstanding. Non-ASCII characters are simply
|
||||
- * exempted from checking at the moment, to allow for
|
||||
- * UTF-8 encoded stuff; the purpose of this check is
|
||||
- * merely to catch blatant errors.
|
||||
- *
|
||||
- * XXX: Suspect the ISASCII() check can be dropped -
|
||||
- * utf-8 isn't allowed in DNS names and without a
|
||||
- * utf-8 parser the check is flawed.
|
||||
+ * return system-supplied diagnostic
|
||||
+ * except where it is particularly confusing.
|
||||
+ * "Name or service not unknown." is terrible.
|
||||
*/
|
||||
- static const char namechars[] =
|
||||
- "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-_.";
|
||||
-#define ISASCII(c) (((c) & 0x80) == 0)
|
||||
- if (ISASCII(*cp) && strchr(namechars, *cp) == NULL) {
|
||||
- return "illegal (non-DNS-name) character in name";
|
||||
+ err = eai == EAI_NONAME ? "NAME is unknown" : gai_strerror(eai);
|
||||
+ } else if (res == NULL) {
|
||||
+ err = "not a numeric IP address and name lookup failed (no validation performed)";
|
||||
+ } else {
|
||||
+ /* always choose IPv4 result if there is one */
|
||||
+ struct addrinfo *winner = res;
|
||||
+
|
||||
+ for (struct addrinfo *r = res; r!= NULL; r = r->ai_next) {
|
||||
+ if (r->ai_family == AF_INET) {
|
||||
+ winner = r;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ ip_port mbz = { .hport = 0 };
|
||||
+ ip_sockaddr sa = {
|
||||
+ .len = winner->ai_addrlen,
|
||||
+ };
|
||||
+ passert(sizeof(sa.sa) >= winner->ai_addrlen);
|
||||
+ memcpy(&sa.sa, winner->ai_addr, winner->ai_addrlen);
|
||||
+ passert(sa.sa.sa.sa_family == winner->ai_family);
|
||||
+ /* boneheaded getaddrinfo(3) leaves port field uninitialized */
|
||||
+ if (winner->ai_family == AF_INET) {
|
||||
+ sa.sa.sin.sin_port = 0;
|
||||
+ } else if (winner->ai_family == AF_INET6) {
|
||||
+ sa.sa.sin6.sin6_port = 0;
|
||||
+ } else {
|
||||
+ bad_case(winner->ai_family);
|
||||
}
|
||||
+ err = sockaddr_to_address_port(sa, dst, &mbz);
|
||||
+ passert(hport(mbz) == 0);
|
||||
}
|
||||
|
||||
- /*
|
||||
- * need a guarenteed null terminated string
|
||||
- */
|
||||
- char *name = clone_hunk_as_string(src, "ttoaddress_dns"); /* must free */
|
||||
- int suggested_af = afi == NULL ? AF_UNSPEC : afi->af;
|
||||
- err_t v4err = NULL, v6err = NULL;
|
||||
- if (err && (suggested_af == AF_UNSPEC || suggested_af == AF_INET)) {
|
||||
- err = v4err = tryname(name, AF_INET, suggested_af, dst);
|
||||
- }
|
||||
- if (err && (suggested_af == AF_UNSPEC || suggested_af == AF_INET6)) {
|
||||
- err = v6err = tryname(name, AF_INET6, suggested_af, dst);
|
||||
- }
|
||||
- /* prefer the IPv4 error */
|
||||
- if (err != NULL && v4err != NULL) {
|
||||
- err = v4err;
|
||||
- }
|
||||
+ freeaddrinfo(res);
|
||||
pfree(name);
|
||||
return err;
|
||||
}
|
494
SOURCES/libreswan-4.4-ipcheck.patch
Normal file
494
SOURCES/libreswan-4.4-ipcheck.patch
Normal file
@ -0,0 +1,494 @@
|
||||
diff --git a/testing/programs/ipcheck/Makefile b/testing/programs/ipcheck/Makefile
|
||||
index 4dae8336be..af77a9e9d8 100644
|
||||
--- a/testing/programs/ipcheck/Makefile
|
||||
+++ b/testing/programs/ipcheck/Makefile
|
||||
@@ -41,4 +41,4 @@ include ../../../mk/program.mk
|
||||
endif
|
||||
|
||||
local-check: $(PROGRAM)
|
||||
- $(builddir)/$(PROGRAM)
|
||||
+ $(builddir)/$(PROGRAM) --dns=yes
|
||||
diff --git a/testing/programs/ipcheck/ip_address_check.c b/testing/programs/ipcheck/ip_address_check.c
|
||||
index b80990302a..a84aadaf73 100644
|
||||
--- a/testing/programs/ipcheck/ip_address_check.c
|
||||
+++ b/testing/programs/ipcheck/ip_address_check.c
|
||||
@@ -24,79 +24,76 @@
|
||||
#include "ip_address.h"
|
||||
#include "ipcheck.h"
|
||||
|
||||
-static void check_shunk_to_address(void)
|
||||
+static void check_ttoaddress_num(void)
|
||||
{
|
||||
static const struct test {
|
||||
int line;
|
||||
int family;
|
||||
const char *in;
|
||||
const char *str;
|
||||
- bool requires_dns;
|
||||
} tests[] = {
|
||||
|
||||
/* unset */
|
||||
- { LN, 0, "", NULL, false, },
|
||||
+ { LN, 0, "", NULL, },
|
||||
|
||||
/* any */
|
||||
- { LN, 4, "0.0.0.0", "0.0.0.0", false, },
|
||||
- { LN, 6, "::", "::", false, },
|
||||
- { LN, 6, "0:0:0:0:0:0:0:0", "::", false, },
|
||||
+ { LN, 4, "0.0.0.0", "0.0.0.0", },
|
||||
+ { LN, 6, "::", "::", },
|
||||
+ { LN, 6, "0:0:0:0:0:0:0:0", "::", },
|
||||
|
||||
/* local (zero's fill) */
|
||||
- { LN, 4, "127.1", "127.0.0.1", false, },
|
||||
- { LN, 4, "127.0.1", "127.0.0.1", false, },
|
||||
- { LN, 4, "127.0.0.1", "127.0.0.1", false, },
|
||||
- { LN, 6, "::1", "::1", false, },
|
||||
- { LN, 6, "0:0:0:0:0:0:0:1", "::1", false, },
|
||||
+ { LN, 4, "127.1", "127.0.0.1", },
|
||||
+ { LN, 4, "127.0.1", "127.0.0.1", },
|
||||
+ { LN, 4, "127.0.0.1", "127.0.0.1", },
|
||||
+ { LN, 6, "::1", "::1", },
|
||||
+ { LN, 6, "0:0:0:0:0:0:0:1", "::1", },
|
||||
|
||||
/* mask - and buffer overflow */
|
||||
- { LN, 4, "255.255.255.255", "255.255.255.255", false, },
|
||||
- { LN, 6, "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false, },
|
||||
+ { LN, 4, "255.255.255.255", "255.255.255.255", },
|
||||
+ { LN, 6, "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", },
|
||||
|
||||
/* all bytes */
|
||||
- { LN, 4, "1.2.3.4", "1.2.3.4", false, },
|
||||
- { LN, 6, "1:2:3:4:5:6:7:8", "1:2:3:4:5:6:7:8", false, },
|
||||
+ { LN, 4, "1.2.3.4", "1.2.3.4", },
|
||||
+ { LN, 6, "1:2:3:4:5:6:7:8", "1:2:3:4:5:6:7:8", },
|
||||
|
||||
/* last digit is a big num - see wikepedia */
|
||||
- { LN, 4, "127.254", "127.0.0.254", false, },
|
||||
- { LN, 4, "127.65534", "127.0.255.254", false, },
|
||||
- { LN, 4, "127.16777214", "127.255.255.254", false, },
|
||||
+ { LN, 4, "127.254", "127.0.0.254", },
|
||||
+ { LN, 4, "127.65534", "127.0.255.254", },
|
||||
+ { LN, 4, "127.16777214", "127.255.255.254", },
|
||||
/* last digit overflow */
|
||||
- { LN, 4, "127.16777216", NULL, false, },
|
||||
- { LN, 4, "127.0.65536", NULL, false, },
|
||||
- { LN, 4, "127.0.0.256", NULL, false, },
|
||||
+ { LN, 4, "127.16777216", NULL, },
|
||||
+ { LN, 4, "127.0.65536", NULL, },
|
||||
+ { LN, 4, "127.0.0.256", NULL, },
|
||||
|
||||
/* suppress leading zeros - 01 vs 1 */
|
||||
- { LN, 6, "0001:0012:0003:0014:0005:0016:0007:0018", "1:12:3:14:5:16:7:18", false, },
|
||||
+ { LN, 6, "0001:0012:0003:0014:0005:0016:0007:0018", "1:12:3:14:5:16:7:18", },
|
||||
/* drop leading 0:0: */
|
||||
- { LN, 6, "0:0:3:4:5:6:7:8", "::3:4:5:6:7:8", false, },
|
||||
+ { LN, 6, "0:0:3:4:5:6:7:8", "::3:4:5:6:7:8", },
|
||||
/* drop middle 0:...:0 */
|
||||
- { LN, 6, "1:2:0:0:0:0:7:8", "1:2::7:8", false, },
|
||||
+ { LN, 6, "1:2:0:0:0:0:7:8", "1:2::7:8", },
|
||||
/* drop trailing :0..:0 */
|
||||
- { LN, 6, "1:2:3:4:5:0:0:0", "1:2:3:4:5::", false, },
|
||||
+ { LN, 6, "1:2:3:4:5:0:0:0", "1:2:3:4:5::", },
|
||||
/* drop first 0:..:0 */
|
||||
- { LN, 6, "1:2:0:0:5:6:0:0", "1:2::5:6:0:0", false, },
|
||||
+ { LN, 6, "1:2:0:0:5:6:0:0", "1:2::5:6:0:0", },
|
||||
/* drop logest 0:..:0 */
|
||||
- { LN, 6, "0:0:3:0:0:0:7:8", "0:0:3::7:8", false, },
|
||||
+ { LN, 6, "0:0:3:0:0:0:7:8", "0:0:3::7:8", },
|
||||
/* need two 0 */
|
||||
- { LN, 6, "0:2:0:4:0:6:0:8", "0:2:0:4:0:6:0:8", false, },
|
||||
-
|
||||
- { LN, 4, "www.libreswan.org", "188.127.201.229", .requires_dns = true, },
|
||||
+ { LN, 6, "0:2:0:4:0:6:0:8", "0:2:0:4:0:6:0:8", },
|
||||
|
||||
/* hex/octal */
|
||||
- { LN, 4, "0x01.0x02.0x03.0x04", "1.2.3.4", false, },
|
||||
- { LN, 4, "0001.0002.0003.0004", "1.2.3.4", false, },
|
||||
- { LN, 4, "0x01020304", "1.2.3.4", false, },
|
||||
+ { LN, 4, "0x01.0x02.0x03.0x04", "1.2.3.4", },
|
||||
+ { LN, 4, "0001.0002.0003.0004", "1.2.3.4", },
|
||||
+ { LN, 4, "0x01020304", "1.2.3.4", },
|
||||
|
||||
/* trailing garbage */
|
||||
- { LN, 4, "1.2.3.4.", NULL, false, },
|
||||
- { LN, 4, "1.2.3.4a", NULL, false, },
|
||||
- { LN, 4, "1.2.3.0a", NULL, false, },
|
||||
+ { LN, 4, "1.2.3.4.", NULL, },
|
||||
+ { LN, 4, "1.2.3.4a", NULL, },
|
||||
+ { LN, 4, "1.2.3.0a", NULL, },
|
||||
|
||||
/* bad digits */
|
||||
- { LN, 4, "256.2.3.4", NULL, false, },
|
||||
- { LN, 4, "0008.2.3.4", NULL, false, },
|
||||
- { LN, 4, "0x0g.2.3.4", NULL, false, },
|
||||
+ { LN, 4, "256.2.3.4", NULL, },
|
||||
+ { LN, 4, "0008.2.3.4", NULL, },
|
||||
+ { LN, 4, "0x0g.2.3.4", NULL, },
|
||||
|
||||
};
|
||||
|
||||
@@ -104,66 +101,146 @@ static void check_shunk_to_address(void)
|
||||
|
||||
for (size_t ti = 0; ti < elemsof(tests); ti++) {
|
||||
const struct test *t = &tests[ti];
|
||||
- PRINT("%s '%s' -> str: '%s' dns: %s", pri_family(t->family), t->in,
|
||||
- t->str == NULL ? "ERROR" : t->str,
|
||||
- bool_str(t->requires_dns));
|
||||
-
|
||||
- ip_address tmp, *address = &tmp;
|
||||
-
|
||||
- /* NUMERIC/NULL */
|
||||
|
||||
- FOR_EACH_THING(family, 0, t->family) {
|
||||
+ /*
|
||||
+ * For each address, perform lookups:
|
||||
+ *
|
||||
+ * - first with a generic family and then with the
|
||||
+ * specified family
|
||||
+ *
|
||||
+ * - first with ttoaddress_num() and then
|
||||
+ * ttoaddress_dns() (but only when it should work)
|
||||
+ */
|
||||
+
|
||||
+ FOR_EACH_THING(family, 0, 4, 6) {
|
||||
const struct ip_info *afi = IP_TYPE(family);
|
||||
- err = ttoaddress_num(shunk1(t->in), afi, address);
|
||||
- if (err != NULL) {
|
||||
- if (t->str != NULL && !t->requires_dns) {
|
||||
- FAIL("ttoaddress_num(%s, %s) unexpecedly failed: %s",
|
||||
- t->in, pri_family(family), err);
|
||||
+ bool err_expected = (t->str == NULL || (family != 0 && family != t->family));
|
||||
+
|
||||
+ struct lookup {
|
||||
+ const char *name;
|
||||
+ err_t (*ttoaddress)(shunk_t, const struct ip_info *, ip_address *);
|
||||
+ bool need_dns;
|
||||
+ } lookups[] = {
|
||||
+ {
|
||||
+ "ttoaddress_num",
|
||||
+ ttoaddress_num,
|
||||
+ false,
|
||||
+ },
|
||||
+ {
|
||||
+ "ttoaddress_dns",
|
||||
+ ttoaddress_dns,
|
||||
+ true,
|
||||
+ },
|
||||
+ {
|
||||
+ .name = NULL,
|
||||
+ },
|
||||
+ };
|
||||
+ for (struct lookup *lookup = lookups; lookup->name != NULL; lookup++) {
|
||||
+
|
||||
+ /*
|
||||
+ * Without DNS a
|
||||
+ * ttoaddress_dns() lookup of
|
||||
+ * a bogus IP address will go
|
||||
+ * into the weeds.
|
||||
+ */
|
||||
+ bool skip = (lookup->need_dns && have_dns != DNS_YES);
|
||||
+
|
||||
+ PRINT("%s('%s', %s) -> '%s'%s",
|
||||
+ lookup->name, t->in, pri_family(family),
|
||||
+ err_expected ? "ERROR" : t->str,
|
||||
+ skip ? "; skipped as no DNS" : "");
|
||||
+
|
||||
+ if (skip) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ ip_address tmp, *address = &tmp;
|
||||
+ err = lookup->ttoaddress(shunk1(t->in), afi, address);
|
||||
+ if (err_expected) {
|
||||
+ if (err == NULL) {
|
||||
+ FAIL("%s(%s, %s) unexpecedly succeeded",
|
||||
+ lookup->name, t->in, pri_family(family));
|
||||
+ }
|
||||
+ PRINT("%s(%s, %s) returned: %s",
|
||||
+ lookup->name, t->in, pri_family(family), err);
|
||||
+ } else if (err != NULL) {
|
||||
+ FAIL("%s(%s, %s) unexpecedly failed: %s",
|
||||
+ lookup->name, t->in, pri_family(family), err);
|
||||
} else {
|
||||
- PRINT("ttoaddress_num(%s, %s) returned: %s",
|
||||
- t->in, pri_family(family), err);
|
||||
+ CHECK_STR2(address);
|
||||
}
|
||||
- } else if (t->requires_dns) {
|
||||
- FAIL("ttoaddress_num(%s, %s) unexpecedly parsed a DNS address",
|
||||
- t->in, pri_family(family));
|
||||
- } else if (t->str == NULL) {
|
||||
- FAIL("ttoaddress_num(%s, %s) unexpecedly succeeded",
|
||||
- t->in, pri_family(family));
|
||||
- } else {
|
||||
- CHECK_TYPE(address);
|
||||
}
|
||||
}
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static void check_ttoaddress_dns(void)
|
||||
+{
|
||||
+ static const struct test {
|
||||
+ int line;
|
||||
+ int family;
|
||||
+ const char *in;
|
||||
+ const char *str;
|
||||
+ bool need_dns;
|
||||
+ } tests[] = {
|
||||
+
|
||||
+ /* localhost is found in /etc/hosts on all platforms */
|
||||
+ { LN, 0, "localhost", "127.0.0.1", false, },
|
||||
+ { LN, 4, "localhost", "127.0.0.1", false, },
|
||||
+ { LN, 6, "localhost", "::1", false, },
|
||||
+
|
||||
+ { LN, 0, "www.libreswan.org", "188.127.201.229", true, },
|
||||
+ { LN, 4, "www.libreswan.org", "188.127.201.229", true, },
|
||||
+ { LN, 6, "www.libreswan.org", "2a00:1190:c00a:f00::229", true, },
|
||||
|
||||
- /* DNS/TYPE */
|
||||
+ { LN, 0, "nowhere.libreswan.org", NULL, true, },
|
||||
+ { LN, 4, "nowhere.libreswan.org", NULL, true, },
|
||||
+ { LN, 6, "nowhere.libreswan.org", NULL, true, },
|
||||
|
||||
- if (t->requires_dns && !use_dns) {
|
||||
- PRINT("skipping dns_hunk_to_address(type) -- no DNS");
|
||||
+ };
|
||||
+
|
||||
+ err_t err;
|
||||
+
|
||||
+ for (size_t ti = 0; ti < elemsof(tests); ti++) {
|
||||
+ const struct test *t = &tests[ti];
|
||||
+ const struct ip_info *afi = IP_TYPE(t->family);
|
||||
+ bool skip = (have_dns == DNS_NO || (have_dns != DNS_YES && t->need_dns));
|
||||
+
|
||||
+ PRINT("%s '%s' -> str: '%s' lookup: %s%s",
|
||||
+ pri_family(t->family), t->in,
|
||||
+ t->str == NULL ? "ERROR" : t->str,
|
||||
+ (t->need_dns ? "DNS" : "/etc/hosts"),
|
||||
+ (skip ? "; skipped as no DNS" : ""));
|
||||
+
|
||||
+ if (skip) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ ip_address tmp, *address = &tmp;
|
||||
+ err = ttoaddress_dns(shunk1(t->in), afi, address);
|
||||
+ if (err != NULL) {
|
||||
+ if (t->str != NULL) {
|
||||
+ FAIL("ttoaddress_dns(%s, %s) unexpecedly failed: %s",
|
||||
+ t->in, pri_family(t->family), err);
|
||||
+ }
|
||||
+ PRINT("ttoaddress_dns(%s, %s) failed as expected: %s",
|
||||
+ t->in, pri_family(t->family), err);
|
||||
+ } else if (t->str == NULL) {
|
||||
+ address_buf b;
|
||||
+ FAIL("ttoaddress_dns(%s, %s) unexpecedly succeeded with %s",
|
||||
+ t->in, pri_family(t->family),
|
||||
+ str_address(address, &b));
|
||||
} else {
|
||||
- const struct ip_info *afi = IP_TYPE(t->family);
|
||||
- err = ttoaddress_dns(shunk1(t->in), afi, address);
|
||||
- if (err != NULL) {
|
||||
- if (t->str != NULL) {
|
||||
- FAIL("ttoaddress_dns(%s, %s) unexpecedly failed: %s",
|
||||
- t->in, pri_family(t->family), err);
|
||||
- } else {
|
||||
- PRINT("ttoaddress_dns(%s, %s) returned: %s",
|
||||
- t->in, pri_family(t->family), err);
|
||||
- }
|
||||
- } else if (t->str == NULL) {
|
||||
- FAIL("ttoaddress_dns(%s, %s) unexpecedly succeeded",
|
||||
- t->in, pri_family(t->family));
|
||||
- } else {
|
||||
+ address_buf b;
|
||||
+ PRINT("ttoaddress_dns(%s, %s) succeeded with %s",
|
||||
+ t->in, pri_family(t->family),
|
||||
+ str_address(address, &b));
|
||||
+ if (t->family != 0) {
|
||||
CHECK_TYPE(address);
|
||||
}
|
||||
- }
|
||||
-
|
||||
- /* now convert it back cooked */
|
||||
- if (t->requires_dns && !use_dns) {
|
||||
- PRINT("skipping str_*() -- no DNS");
|
||||
- } else if (t->str != NULL) {
|
||||
+ /* and back */
|
||||
CHECK_STR2(address);
|
||||
}
|
||||
-
|
||||
}
|
||||
}
|
||||
|
||||
@@ -473,7 +550,8 @@ static void check_addresses_to(void)
|
||||
|
||||
void ip_address_check(void)
|
||||
{
|
||||
- check_shunk_to_address();
|
||||
+ check_ttoaddress_num();
|
||||
+ check_ttoaddress_dns();
|
||||
check_str_address_sensitive();
|
||||
check_str_address_reversed();
|
||||
check_address_is();
|
||||
diff --git a/testing/programs/ipcheck/ip_info_check.c b/testing/programs/ipcheck/ip_info_check.c
|
||||
index a7553a6029..f1566f4607 100644
|
||||
--- a/testing/programs/ipcheck/ip_info_check.c
|
||||
+++ b/testing/programs/ipcheck/ip_info_check.c
|
||||
@@ -31,10 +31,12 @@
|
||||
/*hack*/const typeof(L##_tests[0]) *t = &L##_tests[tl]; \
|
||||
/*hack*/size_t ti = tl; \
|
||||
const ip_##L *l = L##_tests[tl].L; \
|
||||
- if (l == NULL) continue; \
|
||||
+ if (l == NULL) \
|
||||
+ continue; \
|
||||
for (size_t tr = 0; tr < elemsof(R##_tests); tr++) { \
|
||||
const ip_##R *r = R##_tests[tr].R; \
|
||||
- if (r == NULL) continue; \
|
||||
+ if (r == NULL) \
|
||||
+ continue; \
|
||||
bool expected = false; \
|
||||
for (size_t to = 0; to < elemsof(L##_op_##R); to++) { \
|
||||
const typeof(L##_op_##R[0]) *op = &L##_op_##R[to]; \
|
||||
diff --git a/testing/programs/ipcheck/ip_range_check.c b/testing/programs/ipcheck/ip_range_check.c
|
||||
index 256cf76c70..9f9a27db58 100644
|
||||
--- a/testing/programs/ipcheck/ip_range_check.c
|
||||
+++ b/testing/programs/ipcheck/ip_range_check.c
|
||||
@@ -389,7 +389,7 @@ static void check_range_op_range(void)
|
||||
FAIL("ttorange(%s) failed: %s", t->R, oops); \
|
||||
} \
|
||||
} else { \
|
||||
- l = unset_range; \
|
||||
+ R = unset_range; \
|
||||
}
|
||||
TT(l);
|
||||
TT(r);
|
||||
diff --git a/testing/programs/ipcheck/ip_sockaddr_check.c b/testing/programs/ipcheck/ip_sockaddr_check.c
|
||||
index 538154b6e6..d9affb54f9 100644
|
||||
--- a/testing/programs/ipcheck/ip_sockaddr_check.c
|
||||
+++ b/testing/programs/ipcheck/ip_sockaddr_check.c
|
||||
@@ -20,6 +20,8 @@
|
||||
#include "ip_info.h"
|
||||
#include "ip_protocol.h"
|
||||
|
||||
+#include "lswlog.h" /* for DBG_dump_thing() */
|
||||
+
|
||||
#include "ipcheck.h"
|
||||
|
||||
static void check_sockaddr_as_endpoint(void)
|
||||
@@ -52,20 +54,25 @@ static void check_sockaddr_as_endpoint(void)
|
||||
PRINT("%s '%s' -> '%s' len=%zd", pri_family(t->family), t->in, expect_out, t->size);
|
||||
|
||||
/* construct a raw sockaddr */
|
||||
- ip_sockaddr sa = {
|
||||
- .sa.sa = {
|
||||
- .sa_family = SA_FAMILY(t->family),
|
||||
- },
|
||||
+ ip_sockaddr sa = {
|
||||
.len = t->size,
|
||||
};
|
||||
switch (t->family) {
|
||||
case 4:
|
||||
memcpy(&sa.sa.sin.sin_addr, t->addr, sizeof(sa.sa.sin.sin_addr));
|
||||
+ sa.sa.sin.sin_family = AF_INET;
|
||||
sa.sa.sin.sin_port = htons(t->port);
|
||||
+#ifdef NEED_SIN_LEN
|
||||
+ sa.sa.sin.sin_len = sizeof(struct sockaddr_in);
|
||||
+#endif
|
||||
break;
|
||||
case 6:
|
||||
memcpy(&sa.sa.sin6.sin6_addr, t->addr, sizeof(sa.sa.sin6.sin6_addr));
|
||||
+ sa.sa.sin6.sin6_family = AF_INET6;
|
||||
sa.sa.sin6.sin6_port = htons(t->port);
|
||||
+#ifdef NEED_SIN_LEN
|
||||
+ sa.sa.sin6.sin6_len = sizeof(struct sockaddr_in6);
|
||||
+#endif
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -107,6 +114,8 @@ static void check_sockaddr_as_endpoint(void)
|
||||
esa.len, sizeof(esa.sa));
|
||||
} else if (!memeq(&esa.sa, &sa.sa, sizeof(esa.sa))) {
|
||||
/* compare the entire buffer, not just size */
|
||||
+ DBG_dump_thing("esa.sa", esa.sa);
|
||||
+ DBG_dump_thing("sa.sa", sa.sa);
|
||||
FAIL("endpoint_to_sockaddr() returned a different value");
|
||||
}
|
||||
} else {
|
||||
diff --git a/testing/programs/ipcheck/ipcheck.c b/testing/programs/ipcheck/ipcheck.c
|
||||
index ed13d1ed5c..8df45b5fd4 100644
|
||||
--- a/testing/programs/ipcheck/ipcheck.c
|
||||
+++ b/testing/programs/ipcheck/ipcheck.c
|
||||
@@ -25,21 +25,37 @@
|
||||
#include "lswtool.h"
|
||||
|
||||
unsigned fails;
|
||||
-bool use_dns = true;
|
||||
+enum have_dns have_dns = DNS_NO;
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
- struct logger *logger = tool_init_log(argv[0]);
|
||||
+ leak_detective = true;
|
||||
log_ip = false; /* force sensitive */
|
||||
+ struct logger *logger = tool_init_log(argv[0]);
|
||||
+
|
||||
+ if (argc != 2) {
|
||||
+ fprintf(stderr, "usage: %s --dns={no,hosts-file,yes}\n", argv[0]);
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
+ /* only one option for now */
|
||||
+ const char *dns = argv[1];
|
||||
+ if (!eat(dns, "--dns")) {
|
||||
+ fprintf(stderr, "%s: unknown option '%s'\n",
|
||||
+ argv[0], argv[1]);
|
||||
+ return 1;
|
||||
+ }
|
||||
|
||||
- for (char **argp = argv+1; argp < argv+argc; argp++) {
|
||||
- if (streq(*argp, "--nodns")) {
|
||||
- use_dns = false;
|
||||
- } else {
|
||||
- fprintf(stderr, "%s: unknown option '%s'\n",
|
||||
- argv[0], *argp);
|
||||
- return 1;
|
||||
- }
|
||||
+ if (streq(dns, "=no")) {
|
||||
+ have_dns = DNS_NO;
|
||||
+ } else if (streq(dns, "=hosts-file") || streq(dns, "")) {
|
||||
+ have_dns = HAVE_HOSTS_FILE;
|
||||
+ } else if (streq(dns, "=yes")) {
|
||||
+ have_dns = DNS_YES;
|
||||
+ } else {
|
||||
+ fprintf(stderr, "%s: unknown --dns param '%s'\n",
|
||||
+ argv[0], dns);
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
ip_address_check();
|
||||
@@ -55,6 +71,10 @@ int main(int argc, char *argv[])
|
||||
ip_port_range_check();
|
||||
ip_cidr_check();
|
||||
|
||||
+ report_leaks(logger);
|
||||
+
|
||||
+
|
||||
+
|
||||
if (fails > 0) {
|
||||
fprintf(stderr, "TOTAL FAILURES: %d\n", fails);
|
||||
return 1;
|
||||
diff --git a/testing/programs/ipcheck/ipcheck.h b/testing/programs/ipcheck/ipcheck.h
|
||||
index 7e7c2a284b..5cfdbf05f7 100644
|
||||
--- a/testing/programs/ipcheck/ipcheck.h
|
||||
+++ b/testing/programs/ipcheck/ipcheck.h
|
||||
@@ -44,7 +44,7 @@ extern void ip_cidr_check(void);
|
||||
*/
|
||||
|
||||
extern unsigned fails;
|
||||
-extern bool use_dns;
|
||||
+extern enum have_dns { DNS_NO, HAVE_HOSTS_FILE, DNS_YES, } have_dns;
|
||||
|
||||
#define pri_family(FAMILY) ((FAMILY) == 0 ? "0" : \
|
||||
(FAMILY) == 4 ? "IPv4" : \
|
487
SPECS/libreswan.spec
Normal file
487
SPECS/libreswan.spec
Normal file
@ -0,0 +1,487 @@
|
||||
%global _hardened_build 1
|
||||
# These are rpm macros and are 0 or 1
|
||||
%global with_efence 0
|
||||
%global with_development 0
|
||||
%global with_cavstests 1
|
||||
%global nss_version 3.52
|
||||
%global unbound_version 1.6.6
|
||||
# Libreswan config options
|
||||
%global libreswan_config \\\
|
||||
FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
|
||||
FINALMANDIR=%{_mandir} \\\
|
||||
PREFIX=%{_prefix} \\\
|
||||
INITSYSTEM=systemd \\\
|
||||
PYTHON_BINARY=%{__python3} \\\
|
||||
SHELL_BINARY=%{_bindir}/sh \\\
|
||||
USE_DNSSEC=true \\\
|
||||
USE_LABELED_IPSEC=true \\\
|
||||
USE_LDAP=true \\\
|
||||
USE_LIBCAP_NG=true \\\
|
||||
USE_LIBCURL=true \\\
|
||||
USE_LINUX_AUDIT=true \\\
|
||||
USE_NM=true \\\
|
||||
USE_NSS_IPSEC_PROFILE=true \\\
|
||||
USE_SECCOMP=true \\\
|
||||
USE_AUTHPAM=true \\\
|
||||
%{nil}
|
||||
|
||||
#global prever dr1
|
||||
|
||||
Name: libreswan
|
||||
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
|
||||
# version is generated in the release script
|
||||
Version: 4.4
|
||||
Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}.1
|
||||
License: GPLv2
|
||||
Url: https://libreswan.org/
|
||||
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
|
||||
%if 0%{with_cavstests}
|
||||
Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
|
||||
Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
|
||||
Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
|
||||
%endif
|
||||
Patch0: libreswan-4.2-openssl3.patch
|
||||
Patch1: libreswan-4.4-ipcheck.patch
|
||||
# Partially backported https://github.com/libreswan/libreswan/commit/4af9072e62237daad9fea9bb769f6dfbdf2e4ea1
|
||||
Patch2: libreswan-4.4-getaddrinfo.patch
|
||||
Patch3: libreswan-4.4-covscan.patch
|
||||
|
||||
BuildRequires: audit-libs-devel
|
||||
BuildRequires: bison
|
||||
BuildRequires: curl-devel
|
||||
BuildRequires: flex
|
||||
BuildRequires: gcc make
|
||||
BuildRequires: hostname
|
||||
BuildRequires: ldns-devel
|
||||
BuildRequires: libcap-ng-devel
|
||||
BuildRequires: libevent-devel
|
||||
BuildRequires: libseccomp-devel
|
||||
BuildRequires: libselinux-devel
|
||||
BuildRequires: nspr-devel
|
||||
BuildRequires: nss-devel >= %{nss_version}
|
||||
BuildRequires: nss-tools >= %{nss_version}
|
||||
BuildRequires: openldap-devel
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: systemd-devel
|
||||
BuildRequires: unbound-devel >= %{unbound_version}
|
||||
BuildRequires: xmlto
|
||||
%if 0%{with_efence}
|
||||
BuildRequires: ElectricFence
|
||||
%endif
|
||||
Requires: iproute >= 2.6.8
|
||||
Requires: nss >= %{nss_version}
|
||||
Requires: nss-softokn
|
||||
Requires: nss-tools
|
||||
Requires: unbound-libs >= %{unbound_version}
|
||||
Requires(post): bash
|
||||
Requires(post): coreutils
|
||||
Requires(post): systemd
|
||||
Requires(preun): systemd
|
||||
Requires(postun): systemd
|
||||
|
||||
%description
|
||||
Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is
|
||||
the Internet Protocol Security and uses strong cryptography to provide
|
||||
both authentication and encryption services. These services allow you
|
||||
to build secure tunnels through untrusted networks. Everything passing
|
||||
through the untrusted net is encrypted by the ipsec gateway machine and
|
||||
decrypted by the gateway at the other end of the tunnel. The resulting
|
||||
tunnel is a virtual private network or VPN.
|
||||
|
||||
This package contains the daemons and userland tools for setting up
|
||||
Libreswan.
|
||||
|
||||
Libreswan also supports IKEv2 (RFC7296) and Secure Labeling
|
||||
|
||||
Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
|
||||
|
||||
%prep
|
||||
%setup -q -n libreswan-%{version}%{?prever}
|
||||
%patch0 -b .openssl3
|
||||
# enable crypto-policies support
|
||||
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
|
||||
# disable some testing tools that throw warnings on arm
|
||||
%patch1 -p1
|
||||
sed -i "s/SUBDIRS += ipcheck/#SUBDIRS += ipchec/" testing/programs/Makefile
|
||||
%patch2 -p1 -b .getaddrinfo
|
||||
%patch3 -p1 -b .covscan
|
||||
|
||||
%build
|
||||
make %{?_smp_mflags} \
|
||||
%if 0%{with_development}
|
||||
OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \
|
||||
%else
|
||||
OPTIMIZE_CFLAGS="%{optflags}" \
|
||||
%endif
|
||||
WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch -Wno-maybe-uninitialized" \
|
||||
%if 0%{with_efence}
|
||||
USE_EFENCE=true \
|
||||
%endif
|
||||
USERLINK="%{?__global_ldflags} -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -flto --no-lto" \
|
||||
%{libreswan_config} \
|
||||
programs
|
||||
FS=$(pwd)
|
||||
|
||||
|
||||
%install
|
||||
make \
|
||||
DESTDIR=%{buildroot} \
|
||||
%{libreswan_config} \
|
||||
install
|
||||
FS=$(pwd)
|
||||
rm -rf %{buildroot}/usr/share/doc/libreswan
|
||||
rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
|
||||
|
||||
install -d -m 0755 %{buildroot}%{_rundir}/pluto
|
||||
install -d %{buildroot}%{_sbindir}
|
||||
|
||||
install -d %{buildroot}%{_sysconfdir}/sysctl.d
|
||||
install -m 0644 packaging/fedora/libreswan-sysctl.conf \
|
||||
%{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
|
||||
|
||||
echo "include %{_sysconfdir}/ipsec.d/*.secrets" \
|
||||
> %{buildroot}%{_sysconfdir}/ipsec.secrets
|
||||
rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
|
||||
|
||||
%if 0%{with_cavstests}
|
||||
%check
|
||||
# There is an elaborate upstream testing infrastructure which we do not
|
||||
# run here - it takes hours and uses kvm
|
||||
# We only run the CAVS tests.
|
||||
cp %{SOURCE1} %{SOURCE2} %{SOURCE3} .
|
||||
bunzip2 *.fax.bz2
|
||||
|
||||
: starting CAVS test for IKEv2
|
||||
%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \
|
||||
diff -u ikev2.fax - > /dev/null
|
||||
: starting CAVS test for IKEv1 RSASIG
|
||||
%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \
|
||||
diff -u ikev1_dsa.fax - > /dev/null
|
||||
: starting CAVS test for IKEv1 PSK
|
||||
%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
|
||||
diff -u ikev1_psk.fax - > /dev/null
|
||||
: CAVS tests passed
|
||||
%endif
|
||||
|
||||
# Some of these tests will show ERROR for negative testing - it will exit on real errors
|
||||
%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; }
|
||||
%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; }
|
||||
: Algorithm parser tests passed
|
||||
|
||||
# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode
|
||||
tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
|
||||
certutil -N -d sql:$tmpdir --empty-password
|
||||
%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir
|
||||
: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST
|
||||
|
||||
%post
|
||||
%systemd_post ipsec.service
|
||||
|
||||
%preun
|
||||
%systemd_preun ipsec.service
|
||||
|
||||
%postun
|
||||
%systemd_postun_with_restart ipsec.service
|
||||
|
||||
%files
|
||||
%doc CHANGES COPYING CREDITS README* LICENSE
|
||||
%doc docs/*.* docs/examples
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
|
||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
|
||||
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
|
||||
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
|
||||
%attr(0755,root,root) %dir %{_rundir}/pluto
|
||||
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec
|
||||
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec/nss
|
||||
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
|
||||
%attr(0644,root,root) %{_unitdir}/ipsec.service
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
|
||||
%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
|
||||
%{_sbindir}/ipsec
|
||||
%{_libexecdir}/ipsec
|
||||
%doc %{_mandir}/*/*
|
||||
|
||||
%changelog
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 4.4-3.1
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Wed Jul 21 2021 Daiki Ueno <dueno@redhat.com> - 4.4-3
|
||||
- Backport removal gethostbyname2 uses from the upstream
|
||||
- Fix issues spotted by covscan (rhbz#1938784)
|
||||
|
||||
* Tue Jul 13 2021 Daiki Ueno <dueno@redhat.com> - 4.4-2
|
||||
- Rebuild with newer GCC to fix annocheck failures
|
||||
|
||||
* Thu Jul 1 2021 Daiki Ueno <dueno@redhat.com> - 4.4-1
|
||||
- Update to 4.4. Resolves: rhbz#1975812
|
||||
- Port compiler warning suppression by Paul Wouters:
|
||||
https://src.fedoraproject.org/rpms/libreswan/c/8d7f98d41444ac77c562f735b4b93038f5346ce2?branch=rawhide
|
||||
|
||||
* Thu Jun 24 2021 Daiki Ueno <dueno@redhat.com> - 4.2-1.3
|
||||
- Fix FTBFS with OpenSSL 3.0 (rhbz#1975439)
|
||||
|
||||
* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 4.2-1.2
|
||||
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
||||
Related: rhbz#1971065
|
||||
|
||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 4.2-1.1
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Wed Feb 03 2021 Paul Wouters <pwouters@redhat.com> - 4.2-1
|
||||
- Update to 4.2
|
||||
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.2-0.1.rc1.1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Sat Dec 19 19:59:55 EST 2020 Paul Wouters <pwouters@redhat.com> - 4.2-0.1.rc1
|
||||
- Resolves: rhbz#1867580 pluto process frequently dumps core
|
||||
(disable USE_NSS_KDF until nss fixes have propagated)
|
||||
|
||||
* Sat Dec 19 2020 Adam Williamson <awilliam@redhat.com> - 4.1-4
|
||||
- Rebuild for ldns soname bump
|
||||
|
||||
* Mon Nov 23 11:50:41 EST 2020 Paul Wouters <pwouters@redhat.com> - 4.1-3
|
||||
- Resolves: rhbz#1894381 Libreswan 4.1-2 breaks l2tp connection to Windows VPN server
|
||||
|
||||
* Mon Oct 26 10:21:57 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.1-2
|
||||
- Resolves: rhbz#1889538 libreswan's /var/lib/ipsec/nss missing
|
||||
|
||||
* Sun Oct 18 21:49:39 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.1-1
|
||||
- Updated to 4.1 - interop fix for Cisco
|
||||
|
||||
* Thu Oct 15 10:27:14 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.0-1
|
||||
- Resolves: rhbz#1888448 libreswan-4.0 is available
|
||||
|
||||
* Wed Sep 30 14:05:58 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.0-0.2.rc1
|
||||
- Rebuild for libevent 2.1.12 with a soname bump
|
||||
|
||||
* Sun Sep 27 22:49:40 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.0-0.1.rc1
|
||||
- Updated to 4.0rc1
|
||||
|
||||
* Thu Aug 27 2020 Paul Wouters <pwouters@redhat.com> - 3.32-4
|
||||
- Resolves: rhbz#1864043 libreswan: FTBFS in Fedora rawhide/f33
|
||||
|
||||
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.32-3.2
|
||||
- Second attempt - Rebuilt for
|
||||
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.32-3.1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Tue Jun 30 2020 Jeff Law <law@redhat.com> - 3.32-3
|
||||
- Initialize ppk_id_p in ikev2_parent_inR1outI2_tail to avoid uninitialized
|
||||
object
|
||||
|
||||
* Tue May 26 2020 Paul Wouters <pwouters@redhat.com> - 3.32-2
|
||||
- Backport NSS guarding fix for unannounced changed api in NSS causing segfault
|
||||
|
||||
* Mon May 11 2020 Paul Wouters <pwouters@redhat.com> - 3.32-1
|
||||
- Resolves: rhbz#1809770 libreswan-3.32 is available
|
||||
|
||||
* Tue Apr 14 2020 Paul Wouters <pwouters@redhat.com> - 3.31-2
|
||||
- Resolves: rhbz#1823823 Please drop the dependency on fipscheck
|
||||
|
||||
* Tue Mar 03 2020 Paul Wouters <pwouters@redhat.com> - 3.31-1
|
||||
- Resolves: rhbz#1809770 libreswan-3.31 is available (fixes rekey regression)
|
||||
|
||||
* Fri Feb 14 2020 Paul Wouters <pwouters@redhat.com> - 3.30-1
|
||||
- Resolves: rhbz#1802896 libreswan-3.30 is available
|
||||
- Resolves: rhbz#1799598 libreswan: FTBFS in Fedora rawhide/f32
|
||||
- Resolves: rhbz#1760571 [abrt] libreswan: configsetupcheck(): verify:366:configsetupcheck:TypeError:
|
||||
|
||||
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.29-2.1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Thu Jan 09 2020 Paul Wouters <pwouters@redhat.com> - 3.29-2
|
||||
- _updown.netkey: fix syntax error in checking routes
|
||||
|
||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.29-1.1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Mon Jun 10 2019 Paul Wouters <pwouters@redhat.com> - 3.29-1
|
||||
- Resolves: rhbz#1718986 Updated to 3.29 for CVE-2019-10155
|
||||
|
||||
* Tue May 21 2019 Paul Wouters <pwouters@redhat.com> - 3.28-1
|
||||
- Updated to 3.28 (many imported bugfixes, including CVE-2019-12312)
|
||||
|
||||
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.27-1.2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 3.27-1.1
|
||||
- Rebuilt for libcrypt.so.2 (#1666033)
|
||||
|
||||
* Mon Oct 08 2018 Paul Wouters <pwouters@redhat.com> - 3.27-1
|
||||
- Updated to 3.27 (various bugfixes)
|
||||
|
||||
* Thu Sep 27 2018 Paul Wouters <pwouters@redhat.com> - 3.26-3
|
||||
- Add fedora python fixup for _unbound-hook
|
||||
|
||||
* Mon Sep 17 2018 Paul Wouters <pwouters@redhat.com> - 3.26-2
|
||||
- linking against freebl is no longer needed (and wasn't done in 3.25)
|
||||
|
||||
* Mon Sep 17 2018 Paul Wouters <pwouters@redhat.com> - 3.26-1
|
||||
- Updated to 3.26 (CHACHA20POLY1305, ECDSA and RSA-PSS support)
|
||||
|
||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.25-3.1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Mon Jul 09 2018 Paul Wouters <pwouters@redhat.com> - 3.25-3
|
||||
- Fix Opportunistic IPsec _unbound-hook argument parsing
|
||||
- Make rundir readable for all (so we can hand out permissions later)
|
||||
|
||||
* Mon Jul 02 2018 Paul Wouters <pwouters@redhat.com> - 3.25-2
|
||||
- Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors
|
||||
|
||||
* Wed Jun 27 2018 Paul Wouters <pwouters@redhat.com> - 3.25-1
|
||||
- Updated to 3.25
|
||||
|
||||
* Mon Feb 19 2018 Paul Wouters <pwouters@redhat.com> - 3.23-2
|
||||
- Support crypto-policies package
|
||||
- Pull in some patches from upstream and IANA registry updates
|
||||
- gcc7 format-truncate fixes and workarounds
|
||||
|
||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.23-1.1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
||||
* Thu Jan 25 2018 Paul Wouters <pwouters@redhat.com> - 3.23-1
|
||||
- Updated to 3.23 - support for MOBIKE, PPK, CMAC, nic offload and performance improvements
|
||||
|
||||
* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 3.22-1.1
|
||||
- Rebuilt for switch to libxcrypt
|
||||
|
||||
* Mon Oct 23 2017 Paul Wouters <pwouters@redhat.com> - 3.22-1
|
||||
- Updated to 3.22 - many bugfixes, and unbound ipsecmod support
|
||||
|
||||
* Wed Aug 9 2017 Paul Wouters <pwouters@redhat.com> - 3.21-1
|
||||
- Updated to 3.21
|
||||
|
||||
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.20-1.2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||
|
||||
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.20-1.1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||
|
||||
* Tue Mar 14 2017 Paul Wouters <pwouters@redhat.com> - 3.20-1
|
||||
- Updated to 3.20
|
||||
|
||||
* Fri Mar 03 2017 Paul Wouters <pwouters@redhat.com> - 3.20-0.1.dr4
|
||||
- Update to 3.20dr4 to test mozbz#1336487 export CERT_CompareAVA
|
||||
|
||||
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.19-1.1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||
|
||||
* Fri Feb 03 2017 Paul Wouters <pwouters@redhat.com> - 3.19-2
|
||||
- Resolves: rhbz#1392191 libreswan: crash when OSX client connects
|
||||
- Improved uniqueid and session replacing support
|
||||
- Test Buffer warning fix on size_t
|
||||
- Re-introduce --configdir for backwards compatibility
|
||||
|
||||
* Sun Jan 15 2017 Paul Wouters <pwouters@redhat.com> - 3.19-1
|
||||
- Updated to 3.19 (see download.libreswan.org/CHANGES)
|
||||
|
||||
* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 3.18-1.1
|
||||
- Rebuild for Python 3.6
|
||||
|
||||
* Fri Jul 29 2016 Paul Wouters <pwouters@redhat.com> - 3.18-1
|
||||
- Updated to 3.18 for CVE-2016-5391 rhbz#1361164 and VTI support
|
||||
- Remove support for /etc/sysconfig/pluto (use native systemd instead)
|
||||
|
||||
* Thu May 05 2016 Paul Wouters <pwouters@redhat.com> - 3.17-2
|
||||
- Resolves: rhbz#1324956 prelink is gone, /etc/prelink.conf.d/* is no longer used
|
||||
|
||||
* Thu Apr 07 2016 Paul Wouters <pwouters@redhat.com> - 3.17-1
|
||||
- Updated to 3.17 for CVE-2016-3071
|
||||
- Disable LIBCAP_NG as it prevents unbound-control from working properly
|
||||
- Temporarilly disable WERROR due to a few minor known issues
|
||||
|
||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3.16-1.1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||
|
||||
* Fri Dec 18 2015 Paul Wouters <pwouters@redhat.com> - 3.16-1
|
||||
- Updated to 3.16 (see https://download.libreswan.org/CHANGES)
|
||||
|
||||
* Tue Aug 11 2015 Paul Wouters <pwouters@redhat.com> - 3.15-1
|
||||
- Updated to 3.15 (see http://download.libreswan.org/CHANGES)
|
||||
- Resolves: rhbz#CVE-2015-3240 IKE daemon restart when receiving a bad DH gx
|
||||
- NSS database creation moved from spec file to service file
|
||||
- Run CAVS tests on package build
|
||||
- Added BuildRequire systemd-units and xmlto
|
||||
- Bumped minimum required nss to 3.16.1
|
||||
- Install tmpfiles
|
||||
- Install sysctl file
|
||||
- Update doc files to include
|
||||
|
||||
* Mon Jul 13 2015 Paul Wouters <pwouters@redhat.com> - 3.13-2
|
||||
- Resolves: rhbz#1238967 Switch libreswan to use python3
|
||||
|
||||
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.13-1.1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||
|
||||
* Mon Jun 01 2015 Paul Wouters <pwouters@redhat.com> - 3.13-1
|
||||
- Updated to 3.13 for CVE-2015-3204
|
||||
|
||||
* Fri Nov 07 2014 Paul Wouters <pwouters@redhat.com> - 3.12-1
|
||||
- Updated to 3.12 Various IKEv2 fixes
|
||||
|
||||
* Wed Oct 22 2014 Paul Wouters <pwouters@redhat.com> - 3.11-1
|
||||
- Updated to 3.11 (many fixes, including startup fixes)
|
||||
- Resolves: rhbz#1144941 libreswan 3.10 upgrade breaks old ipsec.secrets configs
|
||||
- Resolves: rhbz#1147072 ikev1 aggr mode connection fails after libreswan upgrade
|
||||
- Resolves: rhbz#1144831 Libreswan appears to start with systemd before all the NICs are up and running
|
||||
|
||||
* Tue Sep 09 2014 Paul Wouters <pwouters@redhat.com> - 3.10-3
|
||||
- Fix some coverity issues, auto=route on bootup and snprintf on 32bit machines
|
||||
|
||||
* Mon Sep 01 2014 Paul Wouters <pwouters@redhat.com> - 3.10-1
|
||||
- Updated to 3.10, major bugfix release, new xauth status options
|
||||
|
||||
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.9-1.1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||||
|
||||
* Thu Jul 10 2014 Paul Wouters <pwouters@redhat.com> - 3.9-1
|
||||
- Updated to 3.9. IKEv2 enhancements, ESP/IKE algo enhancements
|
||||
- Mark libreswan-fips.conf as config file
|
||||
- attr modifier for man pages no longer needed
|
||||
- BUGS file no longer exists upstream
|
||||
|
||||
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.8-1.1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||
|
||||
* Sat Jan 18 2014 Paul Wouters <pwouters@redhat.com> - 3.8-1
|
||||
- Updated to 3.8, fixes rhbz#CVE-2013-6467 (rhbz#1054102)
|
||||
|
||||
* Wed Dec 11 2013 Paul Wouters <pwouters@redhat.com> - 3.7-1
|
||||
- Updated to 3.7, fixes CVE-2013-4564
|
||||
- Fixes creating a bogus NSS db on startup (rhbz#1005410)
|
||||
|
||||
* Thu Oct 31 2013 Paul Wouters <pwouters@redhat.com> - 3.6-1
|
||||
- Updated to 3.6 (IKEv2, MODECFG, Cisco interop fixes)
|
||||
- Generate empty NSS db if none exists
|
||||
|
||||
* Mon Aug 19 2013 Paul Wouters <pwouters@redhat.com> - 3.5-3
|
||||
- Add a Provides: for openswan-doc
|
||||
|
||||
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.5-1.1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
|
||||
|
||||
* Mon Jul 15 2013 Paul Wouters <pwouters@redhat.com> - 3.5-2
|
||||
- Added interop patch for (some?) Cisco VPN clients sending 16 zero
|
||||
bytes of extraneous IKE data
|
||||
- Removed fipscheck_version
|
||||
|
||||
* Sat Jul 13 2013 Paul Wouters <pwouters@redhat.com> - 3.5-1
|
||||
- Updated to 3.5
|
||||
|
||||
* Thu Jun 06 2013 Paul Wouters <pwouters@redhat.com> - 3.4-1
|
||||
- Updated to 3.4, which only contains style changes to kernel coding style
|
||||
- IN MEMORIAM: June 3rd, 2013 Hugh Daniel
|
||||
|
||||
* Mon May 13 2013 Paul Wouters <pwouters@redhat.com> - 3.3-1
|
||||
- Updated to 3.3, which resolves CVE-2013-2052
|
||||
|
||||
* Sat Apr 13 2013 Paul Wouters <pwouters@redhat.com> - 3.2-1
|
||||
- Initial package for Fedora
|
Loading…
Reference in New Issue
Block a user