Drop IKEv1 packets by default
Based on the Debian patch by Daniel Kahn Gillmor:
80fa99e9df
Resolves: #2039877
Signed-off-by: Daiki Ueno <dueno@redhat.com>
parent
9dad4dab06
commit
d36dffc2c8
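--- a/libreswan-4.6-ikev1-policy-defaults-to-drop.patch
+++ b/libreswan-4.6-ikev1-policy-defaults-to-drop.patch
@@ -0,0 +1,80 @@
+From 13720e0dedcab1eaf3334a73a42b68581acd9f3b Mon Sep 17 00:00:00 2001
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 7 Jan 2022 18:36:47 -0500
+Subject: [PATCH] ikev1-policy defaults to drop
+
+IKEv2 has been available for 16 years (RFC 4306 was published December
+2005). At some point, we should be discouraging IKEv1 adoption.
+
+To the extent that a user needs IKEv1, they can manually add
+ikev1-policy=accept to /etc/ipsec.conf.
+---
+configs/d.ipsec.conf/ikev1-policy.xml | 7 ++++---
+include/ipsecconf/keywords.h | 2 +-
+lib/libipsecconf/confread.c | 1 +
+programs/pluto/server.c | 5 -----
+4 files changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/configs/d.ipsec.conf/ikev1-policy.xml b/configs/d.ipsec.conf/ikev1-policy.xml
+index 17d1747e3b..3bd6702564 100644
+--- a/configs/d.ipsec.conf/ikev1-policy.xml
++++ b/configs/d.ipsec.conf/ikev1-policy.xml
+@@ -3,9 +3,10 @@
+<listitem>
+<para>
+What to do with received IKEv1 packets. Valid options are
+-<emphasis remap='B'>accept</emphasis> (default), <emphasis remap='B'>reject</emphasis> which
+-will reply with an error, and <emphasis remap='B'>drop</emphasis> which will silently drop
+-any received IKEv1 packet. If this option is set to drop or reject, an attempt to load an
++<emphasis remap='B'>drop</emphasis> (default) which will silently drop
++any received IKEv1 packet, <emphasis remap='B'>accept</emphasis>, and
++<emphasis remap='B'>reject</emphasis> which will reply with an error.
++If this option is set to drop or reject, an attempt to load an
+IKEv1 connection will fail, as these connections would never be able to receive a packet
+for processing.
+</para>
+diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
+index 660847733c..31b519242a 100644
+--- a/include/ipsecconf/keywords.h
++++ b/include/ipsecconf/keywords.h
+@@ -111,7 +111,7 @@ enum keyword_numeric_config_field {
+
+KBF_LISTEN_TCP, /* listen on TCP port 4500 - default no */
+KBF_LISTEN_UDP, /* listen on UDP port 500/4500 - default yes */
+- KBF_GLOBAL_IKEv1, /* global ikev1 policy - default accept */
++ KBF_GLOBAL_IKEv1, /* global ikev1 policy - default drop */
+KBF_ROOF
+};
+
+diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
+index 5b5aba723f..68fbccf442 100644
+--- a/lib/libipsecconf/confread.c
++++ b/lib/libipsecconf/confread.c
+@@ -95,6 +95,7 @@ static void ipsecconf_default_values(struct starter_config *cfg)
+/* Don't inflict BSI requirements on everyone */
+SOPT(KBF_SEEDBITS, 0);
+SOPT(KBF_DROP_OPPO_NULL, false);
++ SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);
+
+#ifdef HAVE_LABELED_IPSEC
+SOPT(KBF_SECCTX, SECCTX);
+diff --git a/programs/pluto/server.c b/programs/pluto/server.c
+index 665f0ed8b9..448dbca076 100644
+--- a/programs/pluto/server.c
++++ b/programs/pluto/server.c
+@@ -188,12 +188,7 @@ bool pluto_listen_tcp = false;
+enum ddos_mode pluto_ddos_mode = DDOS_AUTO; /* default to auto-detect */
+
+enum global_ikev1_policy pluto_ikev1_pol =
+-#ifdef USE_IKEv1
+- GLOBAL_IKEv1_ACCEPT;
+-#else
+- /* there is no IKEv1 code compiled in to send a REJECT */
+GLOBAL_IKEv1_DROP;
+-#endif
+
+#ifdef HAVE_SECCOMP
+enum seccomp_mode pluto_seccomp_mode = SECCOMP_DISABLED;
+--
+2.34.1
+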
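Review bot: The ikev1-policy.xml hunk describes the new default but never states that the default changed, so an administrator upgrading a host that still carries IKEv1 connections learns only from the commit message that those connections will now fail to load and that inbound IKEv1 is dropped silently rather than answered. I would add after `+If this option is set to drop or reject, an attempt to load an` a sentence such as `Earlier releases defaulted to <emphasis remap='B'>accept</emphasis>; deployments that still rely on IKEv1 must set <emphasis remap='B'>ikev1-policy=accept</emphasis> explicitly.` The server.c hunk removes the `#ifdef USE_IKEv1` split so the compiled-in default is drop regardless of build options, which matches the confread.c default, but the removed comment suggests `reject` is only meaningful when IKEv1 code is compiled in — that could be noted next to the updated `KBF_GLOBAL_IKEv1` comment in keywords.h (inferred from the removed comment; verify against the pluto code). The enclosing definitions in confread.c and server.c continue outside their hunks.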
@ -31,7 +31,7 @@ Name: libreswan
|
||||
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
|
||||
# version is generated in the release script
|
||||
Version: 4.6
|
||||
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
|
||||
Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}
|
||||
License: GPLv2
|
||||
Url: https://libreswan.org/
|
||||
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
|
||||
@ -41,6 +41,7 @@ Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
|
||||
Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
|
||||
%endif
|
||||
Patch0: libreswan-4.6-openssl3.patch
|
||||
Patch1: libreswan-4.6-ikev1-policy-defaults-to-drop.patch
|
||||
|
||||
BuildRequires: audit-libs-devel
|
||||
BuildRequires: bison
|
||||
@ -95,6 +96,7 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
|
||||
%prep
|
||||
%setup -q -n libreswan-%{version}%{?prever}
|
||||
%patch0 -p1 -b .openssl3
|
||||
%patch1 -p1 -b .ikev1-drop
|
||||
# enable crypto-policies support
|
||||
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
|
||||
|
||||
@ -196,6 +198,10 @@ certutil -N -d sql:$tmpdir --empty-password
|
||||
%doc %{_mandir}/*/*
|
||||
|
||||
%changelog
|
||||
* Wed Feb 2 2022 Daiki Ueno <dueno@redhat.com> - 4.6-3
|
||||
- Drop IKEv1 packets by default, based on the Debian patch
|
||||
by Daniel Kahn Gillmor (rhbz#2039877)
|
||||
|
||||
* Mon Jan 17 2022 Daiki Ueno <dueno@redhat.com> - 4.6-2
|
||||
- Related: rhbz#2017355 rebuild to reflect gating.yaml change
|
||||
|
||||
|