import libreswan-4.4-1.el8
This commit is contained in:
parent
b575ba032d
commit
f8df58aaed
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,4 +1,4 @@
|
||||
SOURCES/ikev1_dsa.fax.bz2
|
||||
SOURCES/ikev1_psk.fax.bz2
|
||||
SOURCES/ikev2.fax.bz2
|
||||
SOURCES/libreswan-4.3.tar.gz
|
||||
SOURCES/libreswan-4.4.tar.gz
|
||||
|
@ -1,4 +1,4 @@
|
||||
b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2
|
||||
861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2
|
||||
fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2
|
||||
6f86811420df8873f43e8ff98f718f1aee5836f3 SOURCES/libreswan-4.3.tar.gz
|
||||
c75da86c032fe15979a13f4e779a9fe41386203a SOURCES/libreswan-4.4.tar.gz
|
||||
|
@ -1,146 +0,0 @@
|
||||
commit 9a69641b34675de26c3989082795ab97325db55c
|
||||
Author: Paul Wouters <pwouters@redhat.com>
|
||||
Date: Mon Mar 1 14:57:31 2021 -0500
|
||||
|
||||
IKEv2: Fix TCP socket to have IP_XFRM_POLICY sockopt set.
|
||||
|
||||
Without this, transport mode or host-to-host will not properly work
|
||||
on a number of kernels, such as RHEL8 4.18.0-291.el8.x86_64
|
||||
|
||||
Reported by: Sabrina Dubroca <sdubroca@redhat.com>
|
||||
|
||||
diff --git a/programs/pluto/iface_tcp.c b/programs/pluto/iface_tcp.c
|
||||
index 9a66343f3f..3b4f57d07d 100644
|
||||
--- a/programs/pluto/iface_tcp.c
|
||||
+++ b/programs/pluto/iface_tcp.c
|
||||
@@ -52,6 +52,16 @@
|
||||
#include "nat_traversal.h" /* for nat_traversal_enabled which seems like a broken idea */
|
||||
#include "pluto_stats.h"
|
||||
|
||||
+/* work around weird combo's of glibc and kernel header conflicts */
|
||||
+#ifndef GLIBC_KERN_FLIP_HEADERS
|
||||
+# include "linux/xfrm.h" /* local (if configured) or system copy */
|
||||
+# include "libreswan.h"
|
||||
+#else
|
||||
+# include "libreswan.h"
|
||||
+# include "linux/xfrm.h" /* local (if configured) or system copy */
|
||||
+#endif
|
||||
+
|
||||
+
|
||||
static void accept_ike_in_tcp_cb(struct evconnlistener *evcon UNUSED,
|
||||
int accepted_fd,
|
||||
struct sockaddr *sockaddr, int sockaddr_len,
|
||||
@@ -383,6 +393,8 @@ static void iketcp_message_listener_cb(evutil_socket_t unused_fd UNUSED,
|
||||
struct logger from_logger = logger_from(&global_logger, &ifp->iketcp_remote_endpoint);
|
||||
struct logger *logger = &from_logger;
|
||||
|
||||
+ bool v6 = ifp->ip_dev->id_address.version == 6;
|
||||
+
|
||||
switch (ifp->iketcp_state) {
|
||||
|
||||
case IKETCP_OPEN:
|
||||
@@ -443,7 +455,19 @@ static void iketcp_message_listener_cb(evutil_socket_t unused_fd UNUSED,
|
||||
if (impair.tcp_skip_setsockopt_espintcp) {
|
||||
llog(RC_LOG, logger, "IMPAIR: TCP: skipping setsockopt(ESPINTCP)");
|
||||
} else {
|
||||
+ struct xfrm_userpolicy_info policy_in = {
|
||||
+ .action = XFRM_POLICY_ALLOW,
|
||||
+ .sel.family = v6 ? AF_INET6 :AF_INET,
|
||||
+ .dir = XFRM_POLICY_IN,
|
||||
+ };
|
||||
+ struct xfrm_userpolicy_info policy_out = {
|
||||
+ .action = XFRM_POLICY_ALLOW,
|
||||
+ .sel.family = v6 ? AF_INET6 :AF_INET,
|
||||
+ .dir = XFRM_POLICY_OUT,
|
||||
+ };
|
||||
+
|
||||
dbg("TCP: OPEN: socket %d enabling ESPINTCP", ifp->fd);
|
||||
+
|
||||
if (setsockopt(ifp->fd, IPPROTO_TCP, TCP_ULP,
|
||||
"espintcp", sizeof("espintcp"))) {
|
||||
int e = errno;
|
||||
@@ -459,6 +483,24 @@ static void iketcp_message_listener_cb(evutil_socket_t unused_fd UNUSED,
|
||||
free_any_iface_endpoint(&ifp);
|
||||
return;
|
||||
}
|
||||
+
|
||||
+ if (setsockopt(ifp->fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_in, sizeof(policy_in))) {
|
||||
+ int e = errno;
|
||||
+ llog(RC_LOG, logger,
|
||||
+ "TCP: setsockopt(%d, SOL_TCP, IP_XFRM_POLICY, \"policy_in\") failed; closing socket "PRI_ERRNO,
|
||||
+ ifp->fd, pri_errno(e));
|
||||
+ free_any_iface_endpoint(&ifp);
|
||||
+ return;
|
||||
+ }
|
||||
+ if (setsockopt(ifp->fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_out, sizeof(policy_out))) {
|
||||
+ int e = errno;
|
||||
+ llog(RC_LOG, logger,
|
||||
+ "TCP: setsockopt(%d, SOL_TCP, IP_XFRM_POLICY, \"policy_out\") failed; closing socket "PRI_ERRNO,
|
||||
+ ifp->fd, pri_errno(e));
|
||||
+ free_any_iface_endpoint(&ifp);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -650,6 +692,17 @@ stf_status create_tcp_interface(struct state *st)
|
||||
if (impair.tcp_skip_setsockopt_espintcp) {
|
||||
log_state(RC_LOG, st, "IMPAIR: TCP: skipping setsockopt(espintcp)");
|
||||
} else {
|
||||
+ bool v6 = st->st_remote_endpoint.version == 6;
|
||||
+ struct xfrm_userpolicy_info policy_in = {
|
||||
+ .action = XFRM_POLICY_ALLOW,
|
||||
+ .sel.family = v6 ? AF_INET6 :AF_INET,
|
||||
+ .dir = XFRM_POLICY_IN,
|
||||
+ };
|
||||
+ struct xfrm_userpolicy_info policy_out = {
|
||||
+ .action = XFRM_POLICY_ALLOW,
|
||||
+ .sel.family = v6 ? AF_INET6 :AF_INET,
|
||||
+ .dir = XFRM_POLICY_OUT,
|
||||
+ };
|
||||
dbg("TCP: socket %d enabling \"espintcp\"", fd);
|
||||
if (setsockopt(fd, IPPROTO_TCP, TCP_ULP, "espintcp", sizeof("espintcp"))) {
|
||||
log_errno(st->st_logger, errno,
|
||||
@@ -657,6 +710,18 @@ stf_status create_tcp_interface(struct state *st)
|
||||
close(fd);
|
||||
return STF_FATAL;
|
||||
}
|
||||
+ if (setsockopt(fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_in, sizeof(policy_in))) {
|
||||
+ log_errno(st->st_logger, errno,
|
||||
+ "setsockopt(PPROTO_IP, IP_XFRM_POLICY(in)) failed in netlink_espintcp()");
|
||||
+ close(fd);
|
||||
+ return STF_FATAL;
|
||||
+ }
|
||||
+ if (setsockopt(fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_out, sizeof(policy_out))) {
|
||||
+ log_errno(st->st_logger, errno,
|
||||
+ "setsockopt(PPROTO_IP, IP_XFRM_POLICY(out)) failed in netlink_espintcp()");
|
||||
+ close(fd);
|
||||
+ return STF_FATAL;
|
||||
+ }
|
||||
}
|
||||
|
||||
struct iface_endpoint *ifp = alloc_thing(struct iface_endpoint, "TCP iface initiator");
|
||||
commit 7c38cd473d89b8c860ee7e3b8b31cfe012370f1d
|
||||
Author: Paul Wouters <pwouters@redhat.com>
|
||||
Date: Mon Mar 1 15:09:16 2021 -0500
|
||||
|
||||
documentation: small TCP doc update in ipsec.conf.in
|
||||
|
||||
diff --git a/configs/ipsec.conf.in b/configs/ipsec.conf.in
|
||||
index bb2cc16e64..9fa3300176 100644
|
||||
--- a/configs/ipsec.conf.in
|
||||
+++ b/configs/ipsec.conf.in
|
||||
@@ -28,9 +28,10 @@ config setup
|
||||
# dnssec-enable=no
|
||||
#
|
||||
# To enable IKE and IPsec over TCP for VPN server. Requires at least
|
||||
- # Linux 5.7 kernel. For TCP support as a VPN client, specify
|
||||
- # tcp-remote-port=4500 in the client conn section.
|
||||
+ # Linux 5.7 kernel or a kernel with TCP backport (like RHEL8 4.18.0-291)
|
||||
# listen-tcp=yes
|
||||
+ # To enable IKE and IPsec over TCP for VPN client, also specify
|
||||
+ # tcp-remote-port=4500 in the client's conn section.
|
||||
|
||||
# if it exists, include system wide crypto-policy defaults
|
||||
# include /etc/crypto-policies/back-ends/libreswan.config
|
@ -1,191 +0,0 @@
|
||||
diff -Naur libreswan-4.3-orig/programs/pluto/connections.c libreswan-4.3/programs/pluto/connections.c
|
||||
--- libreswan-4.3-orig/programs/pluto/connections.c 2021-02-21 12:03:03.000000000 -0500
|
||||
+++ libreswan-4.3/programs/pluto/connections.c 2021-02-24 16:28:05.608119041 -0500
|
||||
@@ -2475,9 +2475,8 @@
|
||||
endpoint_in_selector(local_client, &sr->this.client) &&
|
||||
endpoint_in_selector(remote_client, &sr->that.client)
|
||||
#ifdef HAVE_LABELED_IPSEC
|
||||
- && ((sec_label.ptr == NULL &&
|
||||
- sr->this.sec_label.ptr == NULL) ||
|
||||
- /* don't call with NULL, it confuses it */
|
||||
+ && ((sec_label.ptr == NULL && sr->this.sec_label.ptr == NULL) ||
|
||||
+ hunk_eq(sec_label, sr->this.sec_label) ||
|
||||
within_range((const char *)sec_label.ptr,
|
||||
(const char *)sr->this.sec_label.ptr, logger))
|
||||
#endif
|
||||
diff -Naur libreswan-4.3-orig/programs/pluto/ikev1_spdb_struct.c libreswan-4.3/programs/pluto/ikev1_spdb_struct.c
|
||||
--- libreswan-4.3-orig/programs/pluto/ikev1_spdb_struct.c 2021-02-21 12:03:03.000000000 -0500
|
||||
+++ libreswan-4.3/programs/pluto/ikev1_spdb_struct.c 2021-02-24 16:28:59.819791102 -0500
|
||||
@@ -113,7 +113,9 @@
|
||||
return false;
|
||||
}
|
||||
|
||||
- if (!within_range(sec_label.ptr, /* we ensured NUL termination above */
|
||||
+
|
||||
+ if (!hunk_eq(sec_label, c->spd.this.sec_label) &&
|
||||
+ !within_range(sec_label.ptr, /* we ensured NUL termination above */
|
||||
(const char *)c->spd.this.sec_label.ptr, /* we ensured NUL termination earlier? */
|
||||
st->st_logger)) {
|
||||
LLOG_JAMBUF(RC_LOG_SERIOUS, st->st_logger, buf) {
|
||||
diff -Naur libreswan-4.3-orig/programs/pluto/ikev2_ts.c libreswan-4.3/programs/pluto/ikev2_ts.c
|
||||
--- libreswan-4.3-orig/programs/pluto/ikev2_ts.c 2021-02-21 12:03:03.000000000 -0500
|
||||
+++ libreswan-4.3/programs/pluto/ikev2_ts.c 2021-02-24 16:30:19.639780631 -0500
|
||||
@@ -862,7 +862,8 @@
|
||||
}
|
||||
|
||||
#ifdef HAVE_LABELED_IPSEC
|
||||
-static bool score_ends_seclabel(const struct ends *ends,
|
||||
+static bool score_ends_seclabel(const chunk_t **selected_sec_label,
|
||||
+ const struct ends *ends,
|
||||
const struct connection *d,
|
||||
const struct traffic_selectors *tsi,
|
||||
const struct traffic_selectors *tsr,
|
||||
@@ -875,6 +876,10 @@
|
||||
bool match_i = false;
|
||||
bool match_r = false;
|
||||
|
||||
+ if (selected_sec_label != NULL) {
|
||||
+ *selected_sec_label = NULL;
|
||||
+ }
|
||||
+
|
||||
for (unsigned tsi_n = 0; tsi_n < tsi->nr; tsi_n++) {
|
||||
const struct traffic_selector *cur = &tsi->ts[tsi_n];
|
||||
if (cur->ts_type == IKEv2_TS_SECLABEL) {
|
||||
@@ -883,7 +888,8 @@
|
||||
// complain loudly
|
||||
continue;
|
||||
} else {
|
||||
- if (within_range((const char *)cur->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) {
|
||||
+ if (hunk_eq(cur->sec_label, d->spd.this.sec_label) ||
|
||||
+ within_range((const char *)cur->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) {
|
||||
match_i = true;
|
||||
dbg("ikev2ts #1: received label within range of our security label");
|
||||
} else {
|
||||
@@ -902,9 +908,13 @@
|
||||
dbg("IKEv2_TS_SECLABEL but zero length cur->sec_label");
|
||||
continue;
|
||||
} else {
|
||||
- if (within_range((const char *)ends->r->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) {
|
||||
+ if (hunk_eq(ends->r->sec_label, d->spd.this.sec_label) ||
|
||||
+ within_range((const char *)ends->r->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) {
|
||||
dbg("ikev2ts #2: received label within range of our security label");
|
||||
match_r = true;
|
||||
+ if (selected_sec_label != NULL) {
|
||||
+ *selected_sec_label = &cur->sec_label;
|
||||
+ }
|
||||
} else {
|
||||
dbg("ikev2ts #2: received label not within range of our security label");
|
||||
DBG_dump_hunk("ends->r->sec_label", ends->r->sec_label);
|
||||
@@ -926,7 +936,8 @@
|
||||
return require_label == recv_label_i && match_i && match_r;
|
||||
}
|
||||
#else
|
||||
-static bool score_ends_seclabel(const struct ends *ends UNUSED,
|
||||
+static bool score_ends_seclabel(const chunk_t **selected_sec_label,
|
||||
+ const struct ends *ends UNUSED,
|
||||
const struct connection *d UNUSED,
|
||||
const struct traffic_selectors *tsi UNUSED,
|
||||
const struct traffic_selectors *tsr UNUSED,
|
||||
@@ -1030,6 +1041,7 @@
|
||||
struct best_score best_score = NO_SCORE;
|
||||
const struct spd_route *best_spd_route = NULL;
|
||||
struct connection *best_connection = c;
|
||||
+ const chunk_t *best_sec_label = NULL;
|
||||
|
||||
/* find best spd in c */
|
||||
|
||||
@@ -1042,7 +1054,8 @@
|
||||
.r = &sra->this,
|
||||
};
|
||||
|
||||
- if (!score_ends_seclabel(&ends, c, &tsi, &tsr, child->sa.st_logger)) {
|
||||
+ const chunk_t* selected_sec_label = NULL;
|
||||
+ if (!score_ends_seclabel(&selected_sec_label, &ends, c, &tsi, &tsr, child->sa.st_logger)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
@@ -1060,6 +1073,7 @@
|
||||
score.tsi - tsi.ts, score.tsr - tsr.ts);
|
||||
best_score = score;
|
||||
best_spd_route = sra;
|
||||
+ best_sec_label = selected_sec_label;
|
||||
passert(best_connection == c);
|
||||
}
|
||||
}
|
||||
@@ -1143,7 +1157,8 @@
|
||||
? END_NARROWER_THAN_TS
|
||||
: END_EQUALS_TS;
|
||||
|
||||
- if (!score_ends_seclabel(&ends, d, &tsi, &tsr,
|
||||
+ const chunk_t* selected_sec_label = NULL;
|
||||
+ if (!score_ends_seclabel(&selected_sec_label, &ends, d, &tsi, &tsr,
|
||||
child->sa.st_logger))
|
||||
continue;
|
||||
|
||||
@@ -1159,6 +1174,7 @@
|
||||
best_connection = d;
|
||||
best_score = score;
|
||||
best_spd_route = sr;
|
||||
+ best_sec_label = selected_sec_label;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1389,6 +1405,13 @@
|
||||
*/
|
||||
update_state_connection(&child->sa, best_connection);
|
||||
|
||||
+ if (best_sec_label != NULL) {
|
||||
+ if (child->sa.st_seen_sec_label.len != 0) {
|
||||
+ free_chunk_content(&child->sa.st_seen_sec_label);
|
||||
+ }
|
||||
+ child->sa.st_seen_sec_label = clone_hunk(*best_sec_label, "st_seen_sec_label");
|
||||
+ }
|
||||
+
|
||||
child->sa.st_ts_this = ikev2_end_to_ts(&best_spd_route->this, child->sa.st_acquired_sec_label);
|
||||
child->sa.st_ts_that = ikev2_end_to_ts(&best_spd_route->that, child->sa.st_seen_sec_label);
|
||||
|
||||
@@ -1424,7 +1447,8 @@
|
||||
? END_WIDER_THAN_TS
|
||||
: END_EQUALS_TS;
|
||||
|
||||
- if (!score_ends_seclabel(&e, c, &tsi, &tsr, child->sa.st_logger))
|
||||
+ const chunk_t *selected_sec_label = NULL;
|
||||
+ if (!score_ends_seclabel(&selected_sec_label, &e, c, &tsi, &tsr, child->sa.st_logger))
|
||||
return false;
|
||||
|
||||
struct best_score best = score_ends_iprange(initiator_widening, c, &e, &tsi, &tsr);
|
||||
@@ -1435,6 +1459,13 @@
|
||||
return false;
|
||||
}
|
||||
|
||||
+ if (selected_sec_label != NULL) {
|
||||
+ if (child->sa.st_seen_sec_label.len != 0) {
|
||||
+ free_chunk_content(&child->sa.st_seen_sec_label);
|
||||
+ }
|
||||
+ child->sa.st_seen_sec_label = clone_hunk(*selected_sec_label, "st_seen_sec_label");
|
||||
+ }
|
||||
+
|
||||
/* XXX: check conversions */
|
||||
dbg("initiator saving acceptable TSi response in this");
|
||||
ts_to_end(best.tsi, &c->spd.this, &child->sa.st_ts_this);
|
||||
@@ -1489,7 +1520,7 @@
|
||||
|
||||
enum fit fitness = END_NARROWER_THAN_TS;
|
||||
|
||||
- if (!score_ends_seclabel(&ends, c, &their_tsis, &their_tsrs,
|
||||
+ if (!score_ends_seclabel(NULL, &ends, c, &their_tsis, &their_tsrs,
|
||||
child->sa.st_logger)) {
|
||||
log_state(RC_LOG_SERIOUS, &child->sa,
|
||||
"rekey: received Traffic Selectors mismatch configured selectors for Security Label");
|
||||
diff -Naur libreswan-4.3-orig/programs/pluto/ikev2_parent.c libreswan-4.3/programs/pluto/ikev2_parent.c
|
||||
--- libreswan-4.3-orig/programs/pluto/ikev2_parent.c 2021-02-21 12:03:03.000000000 -0500
|
||||
+++ libreswan-4.3/programs/pluto/ikev2_parent.c 2021-03-01 10:31:49.667207958 -0500
|
||||
@@ -5943,8 +5943,6 @@
|
||||
* from a policy we gave the kernel, so it _should_ be within our range?
|
||||
*/
|
||||
child->sa.st_acquired_sec_label = clone_hunk(p->sec_label, "st_acquired_sec_label");
|
||||
- c->spd.this.sec_label = clone_hunk(p->sec_label, "updated conn label");
|
||||
- c->spd.that.sec_label = clone_hunk(p->sec_label, "updated conn label");
|
||||
}
|
||||
|
||||
} else {
|
@ -36,8 +36,8 @@
|
||||
Name: libreswan
|
||||
Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
|
||||
# version is generated in the release script
|
||||
Version: 4.3
|
||||
Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}
|
||||
Version: 4.4
|
||||
Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
|
||||
License: GPLv2
|
||||
Url: https://libreswan.org/
|
||||
|
||||
@ -51,8 +51,6 @@ Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
|
||||
Patch1: libreswan-4.3-maintain-different-v1v2-split.patch
|
||||
Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch
|
||||
Patch3: libreswan-4.1-maintain-obsolete-keywords.patch
|
||||
Patch4: libreswan-4.3-labeled-ipsec.patch
|
||||
Patch5: libreswan-4.3-ikev2-tcp.patch
|
||||
Patch6: libreswan-4.3-1934186-config.patch
|
||||
|
||||
BuildRequires: audit-libs-devel
|
||||
@ -111,8 +109,6 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
|
||||
# linking to freebl is not needed
|
||||
@ -217,12 +213,14 @@ certutil -N -d sql:$tmpdir --empty-password
|
||||
%attr(0644,root,root) %doc %{_mandir}/*/*
|
||||
|
||||
%changelog
|
||||
* Thu Mar 04 2021 Paul Wouters <pwouters@redhat.com> - 4.3-3
|
||||
- Resolves: rhbz#1372050 RFE: Support IKE and ESP over TCP: RFC 8229
|
||||
- Resolves: rhbz#1934186 virtual_private setting is missing in the default config
|
||||
* Wed May 26 2021 Daiki Ueno <dueno@redhat.com> - 4.4-1
|
||||
- Resolves: rhbz#1958968 Rebase libreswan to 4.4
|
||||
- Resolves: rhbz#1954423 Libreswan: TS_UNACCEPTABLE on multiple connections between the same peers
|
||||
|
||||
* Mon Mar 01 2021 Paul Wouters <pwouters@redhat.com> - 4.3-2
|
||||
- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec [update]
|
||||
* Thu Mar 04 2021 Paul Wouters <pwouters@redhat.com> - 4.3-3
|
||||
- Resolves: rhbz#1933064 - IKEv2 support for Labeled IPsec
|
||||
- Resolves: rhbz#1935150 RFE: Support IKE and ESP over TCP: RFC 8229
|
||||
- Resolves: rhbz#1935339 virtual_private setting is missing in the default config
|
||||
|
||||
* Sun Feb 21 2021 Paul Wouters <pwouters@redhat.com> - 4.3-1
|
||||
- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec [update]
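Review bot: The spec drops Patch4 (libreswan-4.3-labeled-ipsec.patch), Patch5 (libreswan-4.3-ikev2-tcp.patch) and Patch6 (libreswan-4.3-1934186-config.patch) together with their %patch lines, but neither the commit title nor the new 4.4-1 changelog entry records that those fixes are carried by the 4.4 tarball, so a reader cannot tell from this commit whether the IP_XFRM_POLICY setsockopt on the ESPINTCP socket, the hunk_eq() exact-label match for labeled IPsec, and the virtual_private default-config fix survive the rebase. I would add a changelog line such as `- Drop libreswan-4.3-labeled-ipsec, -ikev2-tcp and -1934186-config patches: merged upstream in 4.4` once that has been confirmed against the 4.4 sources. The existing 4.3-3 entry is also rewritten in place (its rhbz numbers change from 1372050/1934186 to 1933064/1935150/1935339) and the 4.3-2 entry disappears, which alters an already-released changelog; if that is intentional it deserves a note, otherwise the history should be left as it was. Patches 1–3 keep their 4.3/4.1/3.32 names, so presumably they still apply cleanly to 4.4, but that is not visible here.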
|
||||
|