import libreswan-4.3-1.el8
This commit is contained in:
parent
8bef08924d
commit
ccb65ec817
.gitignore.libreswan.metadata
SOURCES
libreswan-3.32-1840212-nss-gcm.patchlibreswan-3.32-1842597-accounting.patchlibreswan-3.32-1847766-xfrmi.patchlibreswan-3.32-1861360-nodefault-rsa-pss.patchlibreswan-3.32-rebase-fixups.patchlibreswan-4.1-maintain-obsolete-keywords.patchlibreswan-4.3-maintain-different-v1v2-split.patch
SPECS
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,4 +1,4 @@
|
||||
SOURCES/ikev1_dsa.fax.bz2
|
||||
SOURCES/ikev1_psk.fax.bz2
|
||||
SOURCES/ikev2.fax.bz2
|
||||
SOURCES/libreswan-3.32.tar.gz
|
||||
SOURCES/libreswan-4.3.tar.gz
|
||||
|
@ -1,4 +1,4 @@
|
||||
b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2
|
||||
861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2
|
||||
fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2
|
||||
d752c8df37c90733a01c24849d439733acd4e8f0 SOURCES/libreswan-3.32.tar.gz
|
||||
6f86811420df8873f43e8ff98f718f1aee5836f3 SOURCES/libreswan-4.3.tar.gz
|
||||
|
@ -1,16 +0,0 @@
|
||||
diff -Naur libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c
|
||||
--- libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c 2020-05-11 10:13:41.000000000 -0400
|
||||
+++ libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c 2020-06-17 15:06:12.340210966 -0400
|
||||
@@ -16,6 +16,12 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
+/*
|
||||
+ * Special advise from Bob Relyea - needs to go before any nss include
|
||||
+ *
|
||||
+ */
|
||||
+#define NSS_PKCS11_2_0_COMPAT 1
|
||||
+
|
||||
#include "lswlog.h"
|
||||
#include "lswnss.h"
|
||||
#include "prmem.h"
|
@ -1,15 +0,0 @@
|
||||
diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c
|
||||
index 28726cf82a..25ee52179a 100644
|
||||
--- a/programs/pluto/kernel.c
|
||||
+++ b/programs/pluto/kernel.c
|
||||
@@ -600,8 +600,8 @@ bool fmt_common_shell_out(char *buf, size_t blen, const struct connection *c,
|
||||
* true==inbound: inbound updates OUR_BYTES; !inbound updates
|
||||
* PEER_BYTES.
|
||||
*/
|
||||
- bool outbytes = st != NULL && IS_IKE_SA(st) && get_sa_info(st, false, NULL);
|
||||
- bool inbytes = st != NULL && IS_IKE_SA(st) && get_sa_info(st, true, NULL);
|
||||
+ bool outbytes = st != NULL && get_sa_info(st, false, NULL);
|
||||
+ bool inbytes = st != NULL && get_sa_info(st, true, NULL);
|
||||
jambuf_t jambuf = array_as_jambuf(buf, blen);
|
||||
jam_common_shell_out(&jambuf, c, sr, st, inbytes, outbytes);
|
||||
return jambuf_ok(&jambuf);
|
@ -1,24 +0,0 @@
|
||||
commit 790a79ba9f8f16532040d9c8a51a27c20e13c154
|
||||
Author: Paul Wouters <pwouters@redhat.com>
|
||||
Date: Tue Jun 16 20:57:01 2020 -0400
|
||||
|
||||
pluto: find_pluto_xfrmi_interface() would only check first interface
|
||||
|
||||
diff --git a/programs/pluto/kernel_xfrm_interface.c b/programs/pluto/kernel_xfrm_interface.c
|
||||
index 8fc27b727d..0dc1a7ec8c 100644
|
||||
--- a/programs/pluto/kernel_xfrm_interface.c
|
||||
+++ b/programs/pluto/kernel_xfrm_interface.c
|
||||
@@ -586,9 +586,10 @@ static struct pluto_xfrmi *find_pluto_xfrmi_interface(uint32_t if_id)
|
||||
struct pluto_xfrmi *ret = NULL;
|
||||
|
||||
for (h = pluto_xfrm_interfaces; h != NULL; h = h->next) {
|
||||
- if (h->if_id == if_id)
|
||||
- ret = h;
|
||||
- break;
|
||||
+ if (h->if_id == if_id) {
|
||||
+ ret = h;
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
|
||||
return ret;
|
18
SOURCES/libreswan-3.32-1861360-nodefault-rsa-pss.patch
Normal file
18
SOURCES/libreswan-3.32-1861360-nodefault-rsa-pss.patch
Normal file
@ -0,0 +1,18 @@
|
||||
diff -Naur libreswan-3.32-orig/lib/libipsecconf/confread.c libreswan-3.32/lib/libipsecconf/confread.c
|
||||
--- libreswan-3.32-orig/lib/libipsecconf/confread.c 2020-07-28 20:25:54.618261606 -0400
|
||||
+++ libreswan-3.32/lib/libipsecconf/confread.c 2020-07-28 20:28:03.952421236 -0400
|
||||
@@ -1498,9 +1498,14 @@
|
||||
} else if (streq(val, "rsasig") || streq(val, "rsa")) {
|
||||
conn->policy |= POLICY_RSASIG;
|
||||
conn->policy |= POLICY_RSASIG_v1_5;
|
||||
+ /*
|
||||
+ * These cause failure with RSA 1024 bits because it uses RSA-PSS
|
||||
+ */
|
||||
+#if 0
|
||||
conn->sighash_policy |= POL_SIGHASH_SHA2_256;
|
||||
conn->sighash_policy |= POL_SIGHASH_SHA2_384;
|
||||
conn->sighash_policy |= POL_SIGHASH_SHA2_512;
|
||||
+#endif
|
||||
} else if (streq(val, "never")) {
|
||||
conn->policy |= POLICY_AUTH_NEVER;
|
||||
/* everything else is only supported for IKEv2 */
|
@ -1,53 +0,0 @@
|
||||
diff -Naur libreswan-3.32-orig/lib/libipsecconf/interfaces.c libreswan-3.32/lib/libipsecconf/interfaces.c
|
||||
--- libreswan-3.32-orig/lib/libipsecconf/interfaces.c 2020-05-11 10:13:41.000000000 -0400
|
||||
+++ libreswan-3.32/lib/libipsecconf/interfaces.c 2020-06-04 18:51:39.508280352 -0400
|
||||
@@ -71,7 +71,11 @@
|
||||
if (sa->sa.sa_family == af) {
|
||||
/* XXX: sizeof right? */
|
||||
ip_endpoint nhe;
|
||||
- happy(sockaddr_to_endpoint(sa, sizeof(*sa), &nhe));
|
||||
+ err_t e = sockaddr_to_endpoint(sa, sizeof(*sa), &nhe);
|
||||
+ if (e != NULL) {
|
||||
+ pexpect(e != NULL);
|
||||
+ return false;
|
||||
+ }
|
||||
pexpect(endpoint_hport(&nhe) == 0);
|
||||
*nh = endpoint_address(&nhe);
|
||||
}
|
||||
@@ -84,7 +88,11 @@
|
||||
if (sa->sa.sa_family == af) {
|
||||
/* XXX: sizeof right? */
|
||||
ip_endpoint dste;
|
||||
- happy(sockaddr_to_endpoint(sa, sizeof(*sa), &dste));
|
||||
+ err_t e = sockaddr_to_endpoint(sa, sizeof(*sa), &dste);
|
||||
+ if (e != NULL) {
|
||||
+ pexpect(e != NULL);
|
||||
+ return false;
|
||||
+ }
|
||||
pexpect(endpoint_hport(&dste) == 0);
|
||||
*dst = endpoint_address(&dste);
|
||||
}
|
||||
diff -Naur libreswan-3.32-orig/lib/libswan/ip_endpoint.c libreswan-3.32/lib/libswan/ip_endpoint.c
|
||||
--- libreswan-3.32-orig/lib/libswan/ip_endpoint.c 2020-05-11 10:13:41.000000000 -0400
|
||||
+++ libreswan-3.32/lib/libswan/ip_endpoint.c 2020-06-04 18:51:39.508280352 -0400
|
||||
@@ -54,20 +54,12 @@
|
||||
switch (sa->sa.sa_family) {
|
||||
case AF_INET:
|
||||
{
|
||||
- /* XXX: to strict? */
|
||||
- if (sa_len != sizeof(sa->sin)) {
|
||||
- return "wrong length";
|
||||
- }
|
||||
address = address_from_in_addr(&sa->sin.sin_addr);
|
||||
port = ntohs(sa->sin.sin_port);
|
||||
break;
|
||||
}
|
||||
case AF_INET6:
|
||||
{
|
||||
- /* XXX: to strict? */
|
||||
- if (sa_len != sizeof(sa->sin6)) {
|
||||
- return "wrong length";
|
||||
- }
|
||||
address = address_from_in6_addr(&sa->sin6.sin6_addr);
|
||||
port = ntohs(sa->sin6.sin6_port);
|
||||
break;
|
123
SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch
Normal file
123
SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch
Normal file
@ -0,0 +1,123 @@
|
||||
diff -Naur libreswan-4.2-orig/lib/libipsecconf/keywords.c libreswan-4.2/lib/libipsecconf/keywords.c
|
||||
--- libreswan-4.2-orig/lib/libipsecconf/keywords.c 2021-02-02 20:36:01.000000000 -0500
|
||||
+++ libreswan-4.2/lib/libipsecconf/keywords.c 2021-02-04 19:22:05.880228930 -0500
|
||||
@@ -374,6 +374,8 @@
|
||||
{ "interfaces", kv_config, kt_string, KSF_INTERFACES, NULL, NULL, },
|
||||
{ "curl-iface", kv_config, kt_string, KSF_CURLIFACE, NULL, NULL, },
|
||||
{ "curl-timeout", kv_config, kt_time, KBF_CURLTIMEOUT, NULL, NULL, },
|
||||
+ { "curl_iface", kv_config | kv_alias, kt_string, KSF_CURLIFACE, NULL, NULL, }, /* obsolete _ */
|
||||
+ { "curl_timeout", kv_config | kv_alias, kt_time, KBF_CURLTIMEOUT, NULL, NULL, }, /* obsolete _ */
|
||||
|
||||
{ "myvendorid", kv_config, kt_string, KSF_MYVENDORID, NULL, NULL, },
|
||||
{ "syslog", kv_config, kt_string, KSF_SYSLOG, NULL, NULL, },
|
||||
@@ -381,6 +383,7 @@
|
||||
{ "logfile", kv_config, kt_filename, KSF_LOGFILE, NULL, NULL, },
|
||||
{ "plutostderrlog", kv_config, kt_filename, KSF_LOGFILE, NULL, NULL, }, /* obsolete name, but very common :/ */
|
||||
{ "logtime", kv_config, kt_bool, KBF_LOGTIME, NULL, NULL, },
|
||||
+ { "plutostderrlogtime", kv_config | kv_alias, kt_bool, KBF_LOGTIME, NULL, NULL, }, /* obsolete */
|
||||
{ "logappend", kv_config, kt_bool, KBF_LOGAPPEND, NULL, NULL, },
|
||||
{ "logip", kv_config, kt_bool, KBF_LOGIP, NULL, NULL, },
|
||||
{ "audit-log", kv_config, kt_bool, KBF_AUDIT_LOG, NULL, NULL, },
|
||||
@@ -400,13 +403,20 @@
|
||||
{ "global-redirect-to", kv_config, kt_string, KSF_GLOBAL_REDIRECT_TO, NULL, NULL, },
|
||||
|
||||
{ "crl-strict", kv_config, kt_bool, KBF_CRL_STRICT, NULL, NULL, },
|
||||
+ { "crl_strict", kv_config | kv_alias, kt_bool, KBF_CRL_STRICT, NULL, NULL, }, /* obsolete _ */
|
||||
{ "crlcheckinterval", kv_config, kt_time, KBF_CRL_CHECKINTERVAL, NULL, NULL, },
|
||||
+ { "strictcrlpolicy", kv_config | kv_alias, kt_bool, KBF_CRL_STRICT, NULL, NULL, }, /* obsolete; used on openswan */
|
||||
|
||||
{ "ocsp-strict", kv_config, kt_bool, KBF_OCSP_STRICT, NULL, NULL, },
|
||||
+ { "ocsp_strict", kv_config | kv_alias, kt_bool, KBF_OCSP_STRICT, NULL, NULL, }, /* obsolete _ */
|
||||
{ "ocsp-enable", kv_config, kt_bool, KBF_OCSP_ENABLE, NULL, NULL, },
|
||||
+ { "ocsp_enable", kv_config | kv_alias, kt_bool, KBF_OCSP_ENABLE, NULL, NULL, }, /* obsolete _ */
|
||||
{ "ocsp-uri", kv_config, kt_string, KSF_OCSP_URI, NULL, NULL, },
|
||||
+ { "ocsp_uri", kv_config | kv_alias, kt_string, KSF_OCSP_URI, NULL, NULL, }, /* obsolete _ */
|
||||
{ "ocsp-timeout", kv_config, kt_number, KBF_OCSP_TIMEOUT, NULL, NULL, },
|
||||
+ { "ocsp_timeout", kv_config | kv_alias, kt_number, KBF_OCSP_TIMEOUT, NULL, NULL, }, /* obsolete _ */
|
||||
{ "ocsp-trustname", kv_config, kt_string, KSF_OCSP_TRUSTNAME, NULL, NULL, },
|
||||
+ { "ocsp_trust_name", kv_config | kv_alias, kt_string, KSF_OCSP_TRUSTNAME, NULL, NULL, }, /* obsolete _ */
|
||||
{ "ocsp-cache-size", kv_config, kt_number, KBF_OCSP_CACHE_SIZE, NULL, NULL, },
|
||||
{ "ocsp-cache-min-age", kv_config, kt_time, KBF_OCSP_CACHE_MIN, NULL, NULL, },
|
||||
{ "ocsp-cache-max-age", kv_config, kt_time, KBF_OCSP_CACHE_MAX, NULL, NULL, },
|
||||
@@ -426,6 +436,7 @@
|
||||
{ "virtual_private", kv_config, kt_string, KSF_VIRTUALPRIVATE, NULL, NULL, }, /* obsolete variant, very common */
|
||||
{ "seedbits", kv_config, kt_number, KBF_SEEDBITS, NULL, NULL, },
|
||||
{ "keep-alive", kv_config, kt_number, KBF_KEEPALIVE, NULL, NULL, },
|
||||
+ { "keep_alive", kv_config | kv_alias, kt_number, KBF_KEEPALIVE, NULL, NULL, }, /* obsolete _ */
|
||||
|
||||
{ "listen-tcp", kv_config, kt_bool, KBF_LISTEN_TCP, NULL, NULL },
|
||||
{ "listen-udp", kv_config, kt_bool, KBF_LISTEN_UDP, NULL, NULL },
|
||||
@@ -437,6 +448,8 @@
|
||||
#ifdef HAVE_LABELED_IPSEC
|
||||
{ "ikev1-secctx-attr-type", kv_config, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete: not a value, a type */
|
||||
{ "secctx-attr-type", kv_config | kv_alias, kt_number, KBF_SECCTX, NULL, NULL, },
|
||||
+ { "secctx_attr_value", kv_config | kv_alias, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete _ */
|
||||
+ { "secctx-attr-value", kv_config, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete: not a value, a type */
|
||||
#endif
|
||||
|
||||
/* these options are obsoleted (and not old aliases) */
|
||||
@@ -467,6 +480,7 @@
|
||||
{ "username", kv_conn | kv_leftright, kt_string, KSCF_USERNAME, NULL, NULL, },
|
||||
/* xauthusername is still used in NetworkManager-libreswan :/ */
|
||||
{ "xauthusername", kv_conn | kv_leftright, kt_string, KSCF_USERNAME, NULL, NULL, }, /* old alias */
|
||||
+ { "xauthname", kv_conn | kv_leftright, kt_string, KSCF_USERNAME, NULL, NULL, }, /* old alias */
|
||||
{ "addresspool", kv_conn | kv_leftright, kt_range, KSCF_ADDRESSPOOL, NULL, NULL, },
|
||||
{ "auth", kv_conn | kv_leftright, kt_enum, KNCF_AUTH, &kw_authby_lr_list, NULL, },
|
||||
{ "cat", kv_conn | kv_leftright, kt_bool, KNCF_CAT, NULL, NULL, },
|
||||
@@ -489,6 +503,8 @@
|
||||
{ "esn", kv_conn | kv_processed, kt_enum, KNCF_ESN, &kw_esn_list, NULL, },
|
||||
{ "decap-dscp", kv_conn | kv_processed, kt_bool, KNCF_DECAP_DSCP, NULL, NULL, },
|
||||
{ "nopmtudisc", kv_conn | kv_processed, kt_bool, KNCF_NOPMTUDISC, NULL, NULL, },
|
||||
+ { "ike_frag", kv_conn | kv_processed | kv_alias, kt_enum, KNCF_IKE_FRAG, &kw_ynf_list, NULL, }, /* obsolete _ */
|
||||
+ { "ike-frag", kv_conn | kv_processed | kv_alias, kt_enum, KNCF_IKE_FRAG, &kw_ynf_list, NULL, }, /* obsolete name */
|
||||
{ "fragmentation", kv_conn | kv_processed, kt_enum, KNCF_IKE_FRAG, &kw_ynf_list, NULL, },
|
||||
{ "mobike", kv_conn, kt_bool, KNCF_MOBIKE, NULL, NULL, },
|
||||
{ "narrowing", kv_conn, kt_bool, KNCF_IKEv2_ALLOW_NARROWING, NULL, NULL, },
|
||||
@@ -499,13 +515,18 @@
|
||||
{ "accept-redirect-to", kv_conn, kt_string, KSCF_ACCEPT_REDIRECT_TO, NULL, NULL, },
|
||||
{ "pfs", kv_conn, kt_bool, KNCF_PFS, NULL, NULL, },
|
||||
|
||||
+ { "nat_keepalive", kv_conn | kv_alias, kt_bool, KNCF_NAT_KEEPALIVE, NULL, NULL, }, /* obsolete _ */
|
||||
{ "nat-keepalive", kv_conn, kt_bool, KNCF_NAT_KEEPALIVE, NULL, NULL, },
|
||||
|
||||
+ { "initial_contact", kv_conn | kv_alias, kt_bool, KNCF_INITIAL_CONTACT, NULL, NULL, }, /* obsolete _ */
|
||||
{ "initial-contact", kv_conn, kt_bool, KNCF_INITIAL_CONTACT, NULL, NULL, },
|
||||
+ { "cisco_unity", kv_conn | kv_alias, kt_bool, KNCF_CISCO_UNITY, NULL, NULL, }, /* obsolete _ */
|
||||
{ "cisco-unity", kv_conn, kt_bool, KNCF_CISCO_UNITY, NULL, NULL, },
|
||||
{ "send-no-esp-tfc", kv_conn, kt_bool, KNCF_NO_ESP_TFC, NULL, NULL, },
|
||||
{ "fake-strongswan", kv_conn, kt_bool, KNCF_VID_STRONGSWAN, NULL, NULL, },
|
||||
+ { "send_vendorid", kv_conn | kv_alias, kt_bool, KNCF_SEND_VENDORID, NULL, NULL, }, /* obsolete _ */
|
||||
{ "send-vendorid", kv_conn, kt_bool, KNCF_SEND_VENDORID, NULL, NULL, },
|
||||
+ { "sha2_truncbug", kv_conn | kv_alias, kt_bool, KNCF_SHA2_TRUNCBUG, NULL, NULL, }, /* obsolete _ */
|
||||
{ "sha2-truncbug", kv_conn, kt_bool, KNCF_SHA2_TRUNCBUG, NULL, NULL, },
|
||||
{ "ms-dh-downgrade", kv_conn, kt_bool, KNCF_MSDH_DOWNGRADE, NULL, NULL, },
|
||||
{ "require-id-on-certificate", kv_conn, kt_bool, KNCF_SAN_ON_CERT, NULL, NULL, },
|
||||
@@ -520,7 +541,10 @@
|
||||
{"ikepad", kv_conn, kt_bool, KNCF_IKEPAD, NULL, NULL, },
|
||||
{ "nat-ikev1-method", kv_conn | kv_processed, kt_enum, KNCF_IKEV1_NATT, &kw_ikev1natt_list, NULL, },
|
||||
|
||||
+ { "labeled_ipsec", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
|
||||
+ { "labeled-ipsec", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
|
||||
{ "policy-label", kv_conn, kt_string, KSCF_SA_SEC_LABEL, NULL, NULL, }, /* obsolete variant */
|
||||
+ { "policy_label", kv_conn, kt_string, KSCF_SA_SEC_LABEL, NULL, NULL, }, /* obsolete variant */
|
||||
{ "sec-label", kv_conn, kt_string, KSCF_SA_SEC_LABEL, NULL, NULL, }, /* really stored into struct end */
|
||||
|
||||
/* Cisco interop: remote peer type */
|
||||
@@ -531,13 +555,17 @@
|
||||
/* Network Manager support */
|
||||
#ifdef HAVE_NM
|
||||
{ "nm-configured", kv_conn, kt_bool, KNCF_NMCONFIGURED, NULL, NULL, },
|
||||
+ { "nm_configured", kv_conn, kt_bool, KNCF_NMCONFIGURED, NULL, NULL, }, /* obsolete _ */
|
||||
#endif
|
||||
|
||||
{ "xauthby", kv_conn, kt_enum, KNCF_XAUTHBY, &kw_xauthby, NULL, },
|
||||
{ "xauthfail", kv_conn, kt_enum, KNCF_XAUTHFAIL, &kw_xauthfail, NULL, },
|
||||
{ "modecfgpull", kv_conn, kt_invertbool, KNCF_MODECONFIGPULL, NULL, NULL, },
|
||||
{ "modecfgdns", kv_conn, kt_string, KSCF_MODECFGDNS, NULL, NULL, },
|
||||
+ { "modecfgdns1", kv_conn | kv_alias, kt_string, KSCF_MODECFGDNS, NULL, NULL, }, /* obsolete */
|
||||
+ { "modecfgdns2", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
|
||||
{ "modecfgdomains", kv_conn, kt_string, KSCF_MODECFGDOMAINS, NULL, NULL, },
|
||||
+ { "modecfgdomain", kv_conn | kv_alias, kt_string, KSCF_MODECFGDOMAINS, NULL, NULL, }, /* obsolete */
|
||||
{ "modecfgbanner", kv_conn, kt_string, KSCF_MODECFGBANNER, NULL, NULL, },
|
||||
{ "ignore-peer-dns", kv_conn, kt_bool, KNCF_IGNORE_PEER_DNS, NULL, NULL, },
|
||||
{ "mark", kv_conn, kt_string, KSCF_CONN_MARK_BOTH, NULL, NULL, },
|
@ -1,28 +1,6 @@
|
||||
diff -Naur libreswan-3.32rc1-orig/lib/libipsecconf/confread.c libreswan-3.32rc1/lib/libipsecconf/confread.c
|
||||
--- libreswan-3.32rc1-orig/lib/libipsecconf/confread.c 2020-04-28 22:27:20.000000000 -0400
|
||||
+++ libreswan-3.32rc1/lib/libipsecconf/confread.c 2020-04-30 13:41:18.612751661 -0400
|
||||
@@ -1332,13 +1332,16 @@
|
||||
|
||||
switch (conn->options[KNCF_IKEv2]) {
|
||||
case fo_never:
|
||||
- case fo_permit:
|
||||
conn->policy |= POLICY_IKEV1_ALLOW;
|
||||
/* clear any inherited default */
|
||||
conn->policy &= ~POLICY_IKEV2_ALLOW;
|
||||
break;
|
||||
-
|
||||
+ case fo_permit:
|
||||
+ starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no|never");
|
||||
+ return TRUE;
|
||||
case fo_propose:
|
||||
+ starter_error_append(perrl, "ikev2=propose or ikev2=yes is no longer accepted. Use ikev2=insist or ikev2=no|never");
|
||||
+ return TRUE;
|
||||
case fo_insist:
|
||||
conn->policy |= POLICY_IKEV2_ALLOW;
|
||||
/* clear any inherited default */
|
||||
diff -Naur libreswan-3.32rc1-orig/programs/configs/d.ipsec.conf/ikev2.xml libreswan-3.32rc1/programs/configs/d.ipsec.conf/ikev2.xml
|
||||
--- libreswan-3.32rc1-orig/programs/configs/d.ipsec.conf/ikev2.xml 2020-04-28 22:27:20.000000000 -0400
|
||||
+++ libreswan-3.32rc1/programs/configs/d.ipsec.conf/ikev2.xml 2020-04-30 13:45:14.847694267 -0400
|
||||
diff -Naur libreswan-4.3-orig/configs/d.ipsec.conf/ikev2.xml libreswan-4.3/configs/d.ipsec.conf/ikev2.xml
|
||||
--- libreswan-4.3-orig/configs/d.ipsec.conf/ikev2.xml 2021-02-21 12:03:03.000000000 -0500
|
||||
+++ libreswan-4.3/configs/d.ipsec.conf/ikev2.xml 2021-02-21 12:33:36.226284499 -0500
|
||||
@@ -1,15 +1,15 @@
|
||||
<varlistentry>
|
||||
<term><emphasis remap='B'>ikev2</emphasis></term>
|
||||
@ -47,24 +25,46 @@ diff -Naur libreswan-3.32rc1-orig/programs/configs/d.ipsec.conf/ikev2.xml libres
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
diff -Naur libreswan-3.32rc1-orig/programs/whack/whack.c libreswan-3.32rc1/programs/whack/whack.c
|
||||
--- libreswan-3.32rc1-orig/programs/whack/whack.c 2020-04-28 22:27:20.000000000 -0400
|
||||
+++ libreswan-3.32rc1/programs/whack/whack.c 2020-04-30 13:41:18.615751749 -0400
|
||||
@@ -775,7 +775,7 @@
|
||||
diff -Naur libreswan-4.3-orig/lib/libipsecconf/confread.c libreswan-4.3/lib/libipsecconf/confread.c
|
||||
--- libreswan-4.3-orig/lib/libipsecconf/confread.c 2021-02-21 12:03:03.000000000 -0500
|
||||
+++ libreswan-4.3/lib/libipsecconf/confread.c 2021-02-21 12:37:43.138031929 -0500
|
||||
@@ -1310,11 +1310,17 @@
|
||||
|
||||
PS("ikev1-allow", IKEV1_ALLOW),
|
||||
PS("ikev2-allow", IKEV2_ALLOW),
|
||||
- PS("ikev2-propose", IKEV2_ALLOW), /* map onto allow */
|
||||
+ /* not in RHEL8 PS("ikev2-propose", IKEV2_ALLOW),*/
|
||||
switch (conn->options[KNCF_IKEv2]) {
|
||||
case fo_never:
|
||||
- case fo_permit:
|
||||
conn->ike_version = IKEv1;
|
||||
break;
|
||||
|
||||
+ case fo_permit:
|
||||
+ starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no|never");
|
||||
+ return TRUE;
|
||||
+
|
||||
case fo_propose:
|
||||
+ starter_error_append(perrl, "ikev2=propose or ikev2=yes is no longer accepted. Use ikev2=insist or ikev2=no|never");
|
||||
+ return TRUE;
|
||||
+
|
||||
case fo_insist:
|
||||
conn->ike_version = IKEv2;
|
||||
break;
|
||||
diff -Naur libreswan-4.3-orig/programs/whack/whack.c libreswan-4.3/programs/whack/whack.c
|
||||
--- libreswan-4.3-orig/programs/whack/whack.c 2021-02-21 12:03:03.000000000 -0500
|
||||
+++ libreswan-4.3/programs/whack/whack.c 2021-02-21 12:39:27.066188354 -0500
|
||||
@@ -801,7 +801,7 @@
|
||||
{ "ikev1-allow", no_argument, NULL, CD_IKEv1 + OO }, /* obsolete name */
|
||||
{ "ikev2", no_argument, NULL, CD_IKEv2 +OO },
|
||||
{ "ikev2-allow", no_argument, NULL, CD_IKEv2 +OO }, /* obsolete name */
|
||||
- { "ikev2-propose", no_argument, NULL, CD_IKEv2 +OO }, /* obsolete, map onto allow */
|
||||
+ /* not in RHEL8 { "ikev2-propose", no_argument, NULL, CD_IKEv2 +OO }, */
|
||||
|
||||
PS("allow-narrowing", IKEV2_ALLOW_NARROWING),
|
||||
#ifdef XAUTH_HAVE_PAM
|
||||
@@ -1737,7 +1737,7 @@
|
||||
#ifdef AUTH_HAVE_PAM
|
||||
@@ -1762,7 +1762,7 @@
|
||||
end_seen = LEMPTY;
|
||||
continue;
|
||||
|
||||
/* --ikev1-allow */
|
||||
case CDP_SINGLETON + POLICY_IKEV1_ALLOW_IX:
|
||||
- /* --ikev2-allow (now also --ikev2-propose) */
|
||||
+ /* --ikev2-allow */
|
||||
case CDP_SINGLETON + POLICY_IKEV2_ALLOW_IX:
|
||||
|
||||
/* --allow-narrowing */
|
||||
- /* --ikev1 --ikev2 --ikev2-propose */
|
||||
+ /* --ikev1 --ikev2 */
|
||||
case CD_IKEv1:
|
||||
case CD_IKEv2:
|
||||
{
|
@ -5,18 +5,18 @@
|
||||
%global with_cavstests 1
|
||||
# minimum version for support for rhbz#1651314
|
||||
# should prob update for nss with IKEv1 quick mode support
|
||||
%global nss_version 3.39.0-1.4
|
||||
%global nss_version 3.53.1
|
||||
%global unbound_version 1.6.6
|
||||
# Libreswan config options - temporarilly without USE_NSS_PRF while waiting for updated nss to become available
|
||||
%global libreswan_config \\\
|
||||
FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
|
||||
FINALMANDIR=%{_mandir} \\\
|
||||
INC_RCDEFAULT=%{_initrddir} \\\
|
||||
INC_USRLOCAL=%{_prefix} \\\
|
||||
FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\
|
||||
INITSYSTEM=systemd \\\
|
||||
NSS_REQ_AVA_COPY=false \\\
|
||||
NSS_HAS_IPSEC_PROFILE=true \\\
|
||||
NSS_REQ_AVA_COPY=false \\\
|
||||
PREFIX=%{_prefix} \\\
|
||||
PYTHON_BINARY=%{__python3} \\\
|
||||
SHELL_BINARY=%{_bindir}/sh \\\
|
||||
USE_DNSSEC=true \\\
|
||||
USE_FIPSCHECK=false \\\
|
||||
USE_LABELED_IPSEC=true \\\
|
||||
@ -25,11 +25,9 @@
|
||||
USE_LIBCURL=true \\\
|
||||
USE_LINUX_AUDIT=true \\\
|
||||
USE_NM=true \\\
|
||||
USE_NSS_KDF=true \\\
|
||||
USE_SECCOMP=true \\\
|
||||
USE_XAUTHPAM=true \\\
|
||||
USE_KLIPS=false \\\
|
||||
USE_NSS_PRF=false \\\
|
||||
USE_PRF_AES_XCBC=true \\\
|
||||
USE_AUTHPAM=true \\\
|
||||
USE_DH2=true \\\
|
||||
%{nil}
|
||||
|
||||
@ -38,8 +36,8 @@
|
||||
Name: libreswan
|
||||
Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
|
||||
# version is generated in the release script
|
||||
Version: 3.32
|
||||
Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}
|
||||
Version: 4.3
|
||||
Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
|
||||
License: GPLv2
|
||||
Url: https://libreswan.org/
|
||||
|
||||
@ -50,17 +48,15 @@ Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
|
||||
Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
|
||||
%endif
|
||||
|
||||
Patch1: libreswan-3.32-maintain-different-v1v2-split.patch
|
||||
Patch2: libreswan-3.32-rebase-fixups.patch
|
||||
Patch3: libreswan-3.32-1842597-accounting.patch
|
||||
Patch4: libreswan-3.32-1847766-xfrmi.patch
|
||||
Patch5: libreswan-3.32-1840212-nss-gcm.patch
|
||||
Patch1: libreswan-4.3-maintain-different-v1v2-split.patch
|
||||
Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch
|
||||
Patch3: libreswan-4.1-maintain-obsolete-keywords.patch
|
||||
|
||||
BuildRequires: audit-libs-devel
|
||||
BuildRequires: bison
|
||||
BuildRequires: curl-devel
|
||||
BuildRequires: flex
|
||||
BuildRequires: gcc
|
||||
BuildRequires: gcc make
|
||||
BuildRequires: ldns-devel
|
||||
BuildRequires: libcap-ng-devel
|
||||
BuildRequires: libevent-devel
|
||||
@ -68,7 +64,7 @@ BuildRequires: libseccomp-devel
|
||||
BuildRequires: libselinux-devel
|
||||
BuildRequires: nspr-devel
|
||||
BuildRequires: nss-devel >= %{nss_version}
|
||||
buildRequires: nss-tools
|
||||
BuildRequires: nss-tools
|
||||
BuildRequires: openldap-devel
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: pkgconfig
|
||||
@ -112,21 +108,12 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
|
||||
pathfix.py -i %{__python3} -pn testing/cert_verify/usage_test \
|
||||
testing/pluto/ikev1-01-fuzzer/cve-2015-3204.py \
|
||||
testing/pluto/ikev2-15-fuzzer/send_bad_packets.py
|
||||
|
||||
# replace unsupported KLIPS README
|
||||
echo "KLIPS is not supported with RHEL8" > README.KLIPS
|
||||
|
||||
# linking to freebl is not needed
|
||||
sed -i "s/-lfreebl //" mk/config.mk
|
||||
|
||||
# enable crypto-policies support
|
||||
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in
|
||||
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
|
||||
|
||||
%build
|
||||
make %{?_smp_mflags} \
|
||||
@ -154,8 +141,6 @@ rm -rf %{buildroot}/usr/share/doc/libreswan
|
||||
rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
|
||||
|
||||
install -d -m 0755 %{buildroot}%{_rundir}/pluto
|
||||
# used when setting --perpeerlog without --perpeerlogbase
|
||||
install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer
|
||||
install -d %{buildroot}%{_sbindir}
|
||||
|
||||
install -d %{buildroot}%{_sysconfdir}/sysctl.d
|
||||
@ -216,17 +201,36 @@ certutil -N -d sql:$tmpdir --empty-password
|
||||
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
|
||||
%attr(0700,root,root) %dir %{_localstatedir}/log/pluto
|
||||
%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer
|
||||
%attr(0755,root,root) %dir %{_rundir}/pluto
|
||||
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
|
||||
%attr(0644,root,root) %{_unitdir}/ipsec.service
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
|
||||
%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
|
||||
%{_sbindir}/ipsec
|
||||
%{_libexecdir}/ipsec
|
||||
%attr(0644,root,root) %doc %{_mandir}/*/*
|
||||
|
||||
%changelog
|
||||
* Sun Feb 21 2021 Paul Wouters <pwouters@redhat.com> - 4.3-1
|
||||
- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec [update]
|
||||
|
||||
* Thu Feb 04 2021 Paul Wouters <pwouters@redhat.com> - 4.2-1
|
||||
- Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.2
|
||||
- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec
|
||||
|
||||
* Tue Oct 27 22:11:42 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.1-1
|
||||
- Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.1
|
||||
- Resolves: rhbz#1889836 libreswan: add 3.x compat patches for obsoleted/removed keywords of 4.0 and re-port ikev2= patch
|
||||
|
||||
* Wed Jul 29 2020 Paul Wouters <pwouters@redhat.com> - 3.32-6
|
||||
- Resolves: rhbz#1861360 authby=rsasig must not imply usage of rsa-pss
|
||||
|
||||
* Wed Jul 22 2020 Paul Wouters <pwouters@redhat.com> - 3.32-5
|
||||
- Resolves: rhbz#1820206 Rebase to libreswan 3.32 [rebuild for USE_NSS_PRF]
|
||||
|
||||
* Wed Jul 01 2020 Paul Wouters <pwouters@redhat.com> - 3.32-4
|
||||
- Resolves: rhbz#1544463 ipsec service does not work correctly when seccomp filtering is enabled
|
||||
|
||||
* Wed Jun 17 2020 Paul Wouters <pwouters@redhat.com> - 3.32-3
|
||||
- Resolves: rhbz#1842597 regression: libreswan does not send PLUTO_BYTES env variables to updown script
|
||||
- Resolves: rhbz#1847766 subsequent xfrmi interfaces configured outside of libreswan are not recognised properly
|
||||
|
Loading…
Reference in New Issue
Block a user