diff --git a/libreswan-4.6-ikev1-policy-defaults-to-drop.patch b/libreswan-4.6-ikev1-policy-defaults-to-drop.patch
new file mode 100644
index 0000000..ebcb2e0
--- /dev/null
+++ b/libreswan-4.6-ikev1-policy-defaults-to-drop.patch
@@ -0,0 +1,80 @@
+From 13720e0dedcab1eaf3334a73a42b68581acd9f3b Mon Sep 17 00:00:00 2001
+From: Daniel Kahn Gillmor
+Date: Fri, 7 Jan 2022 18:36:47 -0500
+Subject: [PATCH] ikev1-policy defaults to drop
+
+IKEv2 has been available for 16 years (RFC 4306 was published December
+2005). At some point, we should be discouraging IKEv1 adoption.
+
+To the extent that a user needs IKEv1, they can manually add
+ikev1-policy=accept to /etc/ipsec.conf.
+---
+ configs/d.ipsec.conf/ikev1-policy.xml | 7 ++++---
+ include/ipsecconf/keywords.h | 2 +-
+ lib/libipsecconf/confread.c | 1 +
+ programs/pluto/server.c | 5 -----
+ 4 files changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/configs/d.ipsec.conf/ikev1-policy.xml b/configs/d.ipsec.conf/ikev1-policy.xml
+index 17d1747e3b..3bd6702564 100644
+--- a/configs/d.ipsec.conf/ikev1-policy.xml
++++ b/configs/d.ipsec.conf/ikev1-policy.xml
+@@ -3,9 +3,10 @@
+ 
+ 
+ What to do with received IKEv1 packets. Valid options are
+-accept (default), reject which
+-will reply with an error, and drop which will silently drop
+-any received IKEv1 packet. If this option is set to drop or reject, an attempt to load an
++drop (default) which will silently drop
++any received IKEv1 packet, accept, and
++reject which will reply with an error.
++If this option is set to drop or reject, an attempt to load an
+ IKEv1 connection will fail, as these connections would never be able to receive a packet
+ for processing.
+ 
+diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
+index 660847733c..31b519242a 100644
+--- a/include/ipsecconf/keywords.h
++++ b/include/ipsecconf/keywords.h
+@@ -111,7 +111,7 @@ enum keyword_numeric_config_field {
+ 
+ KBF_LISTEN_TCP, /* listen on TCP port 4500 - default no */
+ KBF_LISTEN_UDP, /* listen on UDP port 500/4500 - default yes */
+- KBF_GLOBAL_IKEv1, /* global ikev1 policy - default accept */
++ KBF_GLOBAL_IKEv1, /* global ikev1 policy - default drop */
+ KBF_ROOF
+ };
+ 
+diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
+index 5b5aba723f..68fbccf442 100644
+--- a/lib/libipsecconf/confread.c
++++ b/lib/libipsecconf/confread.c
+@@ -95,6 +95,7 @@ static void ipsecconf_default_values(struct starter_config *cfg)
+ /* Don't inflict BSI requirements on everyone */
+ SOPT(KBF_SEEDBITS, 0);
+ SOPT(KBF_DROP_OPPO_NULL, false);
++ SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);
+ 
+ #ifdef HAVE_LABELED_IPSEC
+ SOPT(KBF_SECCTX, SECCTX);
+diff --git a/programs/pluto/server.c b/programs/pluto/server.c
+index 665f0ed8b9..448dbca076 100644
+--- a/programs/pluto/server.c
++++ b/programs/pluto/server.c
+@@ -188,12 +188,7 @@ bool pluto_listen_tcp = false;
+ enum ddos_mode pluto_ddos_mode = DDOS_AUTO; /* default to auto-detect */
+ 
+ enum global_ikev1_policy pluto_ikev1_pol =
+-#ifdef USE_IKEv1
+- GLOBAL_IKEv1_ACCEPT;
+-#else
+- /* there is no IKEv1 code compiled in to send a REJECT */
+ GLOBAL_IKEv1_DROP;
+-#endif
+ 
+ #ifdef HAVE_SECCOMP
+ enum seccomp_mode pluto_seccomp_mode = SECCOMP_DISABLED;
+-- 
+2.34.1
+
diff --git a/libreswan.spec b/libreswan.spec
index 81e800e..7c641e6 100644
--- a/libreswan.spec
+++ b/libreswan.spec
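Review bot: The new server.c default `GLOBAL_IKEv1_DROP;` is left without any comment, while the deleted `#else` branch carried the only note that a build without USE_IKEv1 has no code to send a REJECT — that caveat still matters because `reject` remains a documented value and the rewritten ikev1-policy.xml text promises it "will reply with an error". Suggest keeping a one-line comment above the initializer, e.g. `/* default drop; accept/reject are opt-in via ikev1-policy=, and reject can only answer when USE_IKEv1 is compiled in */`, and giving the new `SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);` in confread.c a trailing comment like its neighbours so the two defaults are visibly meant to agree. Since drop discards IKEv1 packets silently (as the xml text itself says), the man-page paragraph could also state that a host upgraded with this default will simply stop negotiating with IKEv1 peers rather than report an error until ikev1-policy=accept is set; the xml hunk does not mention the upgrade impact. The enclosing ipsecconf_default_values() body and the pluto_ikev1_pol definition both extend beyond the nested hunks shown.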
@@ -31,7 +31,7 @@ Name: libreswan Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec # version is generated in the release script Version: 4.6 -Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist} +Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist} License: GPLv2 Url: https://libreswan.org/ Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz @@ -41,6 +41,7 @@ Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2 %endif Patch0: libreswan-4.6-openssl3.patch +Patch1: libreswan-4.6-ikev1-policy-defaults-to-drop.patch BuildRequires: audit-libs-devel BuildRequires: bison @@ -95,6 +96,7 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %prep %setup -q -n libreswan-%{version}%{?prever} %patch0 -p1 -b .openssl3 +%patch1 -p1 -b .ikev1-drop # enable crypto-policies support sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in @@ -196,6 +198,10 @@ certutil -N -d sql:$tmpdir --empty-password %doc %{_mandir}/*/* %changelog +* Wed Feb 2 2022 Daiki Ueno - 4.6-3 +- Drop IKEv1 packets by default, based on the Debian patch + by Daniel Kahn Gillmor (rhbz#2039877) + * Mon Jan 17 2022 Daiki Ueno - 4.6-2 - Related: rhbz#2017355 rebuild to reflect gating.yaml change