import libreswan-4.4-1.el8

This commit is contained in:
CentOS Sources 2021-11-09 04:52:16 -05:00 committed by Stepan Oksanichenko
parent b575ba032d
commit f8df58aaed
5 changed files with 11 additions and 350 deletions

2
.gitignore vendored
View File

@ -1,4 +1,4 @@
SOURCES/ikev1_dsa.fax.bz2
SOURCES/ikev1_psk.fax.bz2
SOURCES/ikev2.fax.bz2
SOURCES/libreswan-4.3.tar.gz
SOURCES/libreswan-4.4.tar.gz

View File

@ -1,4 +1,4 @@
b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2
861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2
fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2
6f86811420df8873f43e8ff98f718f1aee5836f3 SOURCES/libreswan-4.3.tar.gz
c75da86c032fe15979a13f4e779a9fe41386203a SOURCES/libreswan-4.4.tar.gz

View File

@ -1,146 +0,0 @@
commit 9a69641b34675de26c3989082795ab97325db55c
Author: Paul Wouters <pwouters@redhat.com>
Date: Mon Mar 1 14:57:31 2021 -0500
IKEv2: Fix TCP socket to have IP_XFRM_POLICY sockopt set.
Without this, transport mode or host-to-host will not properly work
on a number of kernels, such as RHEL8 4.18.0-291.el8.x86_64
Reported by: Sabrina Dubroca <sdubroca@redhat.com>
diff --git a/programs/pluto/iface_tcp.c b/programs/pluto/iface_tcp.c
index 9a66343f3f..3b4f57d07d 100644
--- a/programs/pluto/iface_tcp.c
+++ b/programs/pluto/iface_tcp.c
@@ -52,6 +52,16 @@
#include "nat_traversal.h" /* for nat_traversal_enabled which seems like a broken idea */
#include "pluto_stats.h"
+/* work around weird combo's of glibc and kernel header conflicts */
+#ifndef GLIBC_KERN_FLIP_HEADERS
+# include "linux/xfrm.h" /* local (if configured) or system copy */
+# include "libreswan.h"
+#else
+# include "libreswan.h"
+# include "linux/xfrm.h" /* local (if configured) or system copy */
+#endif
+
+
static void accept_ike_in_tcp_cb(struct evconnlistener *evcon UNUSED,
int accepted_fd,
struct sockaddr *sockaddr, int sockaddr_len,
@@ -383,6 +393,8 @@ static void iketcp_message_listener_cb(evutil_socket_t unused_fd UNUSED,
struct logger from_logger = logger_from(&global_logger, &ifp->iketcp_remote_endpoint);
struct logger *logger = &from_logger;
+ bool v6 = ifp->ip_dev->id_address.version == 6;
+
switch (ifp->iketcp_state) {
case IKETCP_OPEN:
@@ -443,7 +455,19 @@ static void iketcp_message_listener_cb(evutil_socket_t unused_fd UNUSED,
if (impair.tcp_skip_setsockopt_espintcp) {
llog(RC_LOG, logger, "IMPAIR: TCP: skipping setsockopt(ESPINTCP)");
} else {
+ struct xfrm_userpolicy_info policy_in = {
+ .action = XFRM_POLICY_ALLOW,
+ .sel.family = v6 ? AF_INET6 :AF_INET,
+ .dir = XFRM_POLICY_IN,
+ };
+ struct xfrm_userpolicy_info policy_out = {
+ .action = XFRM_POLICY_ALLOW,
+ .sel.family = v6 ? AF_INET6 :AF_INET,
+ .dir = XFRM_POLICY_OUT,
+ };
+
dbg("TCP: OPEN: socket %d enabling ESPINTCP", ifp->fd);
+
if (setsockopt(ifp->fd, IPPROTO_TCP, TCP_ULP,
"espintcp", sizeof("espintcp"))) {
int e = errno;
@@ -459,6 +483,24 @@ static void iketcp_message_listener_cb(evutil_socket_t unused_fd UNUSED,
free_any_iface_endpoint(&ifp);
return;
}
+
+ if (setsockopt(ifp->fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_in, sizeof(policy_in))) {
+ int e = errno;
+ llog(RC_LOG, logger,
+ "TCP: setsockopt(%d, SOL_TCP, IP_XFRM_POLICY, \"policy_in\") failed; closing socket "PRI_ERRNO,
+ ifp->fd, pri_errno(e));
+ free_any_iface_endpoint(&ifp);
+ return;
+ }
+ if (setsockopt(ifp->fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_out, sizeof(policy_out))) {
+ int e = errno;
+ llog(RC_LOG, logger,
+ "TCP: setsockopt(%d, SOL_TCP, IP_XFRM_POLICY, \"policy_out\") failed; closing socket "PRI_ERRNO,
+ ifp->fd, pri_errno(e));
+ free_any_iface_endpoint(&ifp);
+ return;
+ }
+
}
/*
@@ -650,6 +692,17 @@ stf_status create_tcp_interface(struct state *st)
if (impair.tcp_skip_setsockopt_espintcp) {
log_state(RC_LOG, st, "IMPAIR: TCP: skipping setsockopt(espintcp)");
} else {
+ bool v6 = st->st_remote_endpoint.version == 6;
+ struct xfrm_userpolicy_info policy_in = {
+ .action = XFRM_POLICY_ALLOW,
+ .sel.family = v6 ? AF_INET6 :AF_INET,
+ .dir = XFRM_POLICY_IN,
+ };
+ struct xfrm_userpolicy_info policy_out = {
+ .action = XFRM_POLICY_ALLOW,
+ .sel.family = v6 ? AF_INET6 :AF_INET,
+ .dir = XFRM_POLICY_OUT,
+ };
dbg("TCP: socket %d enabling \"espintcp\"", fd);
if (setsockopt(fd, IPPROTO_TCP, TCP_ULP, "espintcp", sizeof("espintcp"))) {
log_errno(st->st_logger, errno,
@@ -657,6 +710,18 @@ stf_status create_tcp_interface(struct state *st)
close(fd);
return STF_FATAL;
}
+ if (setsockopt(fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_in, sizeof(policy_in))) {
+ log_errno(st->st_logger, errno,
+ "setsockopt(PPROTO_IP, IP_XFRM_POLICY(in)) failed in netlink_espintcp()");
+ close(fd);
+ return STF_FATAL;
+ }
+ if (setsockopt(fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_out, sizeof(policy_out))) {
+ log_errno(st->st_logger, errno,
+ "setsockopt(PPROTO_IP, IP_XFRM_POLICY(out)) failed in netlink_espintcp()");
+ close(fd);
+ return STF_FATAL;
+ }
}
struct iface_endpoint *ifp = alloc_thing(struct iface_endpoint, "TCP iface initiator");
commit 7c38cd473d89b8c860ee7e3b8b31cfe012370f1d
Author: Paul Wouters <pwouters@redhat.com>
Date: Mon Mar 1 15:09:16 2021 -0500
documentation: small TCP doc update in ipsec.conf.in
diff --git a/configs/ipsec.conf.in b/configs/ipsec.conf.in
index bb2cc16e64..9fa3300176 100644
--- a/configs/ipsec.conf.in
+++ b/configs/ipsec.conf.in
@@ -28,9 +28,10 @@ config setup
# dnssec-enable=no
#
# To enable IKE and IPsec over TCP for VPN server. Requires at least
- # Linux 5.7 kernel. For TCP support as a VPN client, specify
- # tcp-remote-port=4500 in the client conn section.
+ # Linux 5.7 kernel or a kernel with TCP backport (like RHEL8 4.18.0-291)
# listen-tcp=yes
+ # To enable IKE and IPsec over TCP for VPN client, also specify
+ # tcp-remote-port=4500 in the client's conn section.
# if it exists, include system wide crypto-policy defaults
# include /etc/crypto-policies/back-ends/libreswan.config

View File

@ -1,191 +0,0 @@
diff -Naur libreswan-4.3-orig/programs/pluto/connections.c libreswan-4.3/programs/pluto/connections.c
--- libreswan-4.3-orig/programs/pluto/connections.c 2021-02-21 12:03:03.000000000 -0500
+++ libreswan-4.3/programs/pluto/connections.c 2021-02-24 16:28:05.608119041 -0500
@@ -2475,9 +2475,8 @@
endpoint_in_selector(local_client, &sr->this.client) &&
endpoint_in_selector(remote_client, &sr->that.client)
#ifdef HAVE_LABELED_IPSEC
- && ((sec_label.ptr == NULL &&
- sr->this.sec_label.ptr == NULL) ||
- /* don't call with NULL, it confuses it */
+ && ((sec_label.ptr == NULL && sr->this.sec_label.ptr == NULL) ||
+ hunk_eq(sec_label, sr->this.sec_label) ||
within_range((const char *)sec_label.ptr,
(const char *)sr->this.sec_label.ptr, logger))
#endif
diff -Naur libreswan-4.3-orig/programs/pluto/ikev1_spdb_struct.c libreswan-4.3/programs/pluto/ikev1_spdb_struct.c
--- libreswan-4.3-orig/programs/pluto/ikev1_spdb_struct.c 2021-02-21 12:03:03.000000000 -0500
+++ libreswan-4.3/programs/pluto/ikev1_spdb_struct.c 2021-02-24 16:28:59.819791102 -0500
@@ -113,7 +113,9 @@
return false;
}
- if (!within_range(sec_label.ptr, /* we ensured NUL termination above */
+
+ if (!hunk_eq(sec_label, c->spd.this.sec_label) &&
+ !within_range(sec_label.ptr, /* we ensured NUL termination above */
(const char *)c->spd.this.sec_label.ptr, /* we ensured NUL termination earlier? */
st->st_logger)) {
LLOG_JAMBUF(RC_LOG_SERIOUS, st->st_logger, buf) {
diff -Naur libreswan-4.3-orig/programs/pluto/ikev2_ts.c libreswan-4.3/programs/pluto/ikev2_ts.c
--- libreswan-4.3-orig/programs/pluto/ikev2_ts.c 2021-02-21 12:03:03.000000000 -0500
+++ libreswan-4.3/programs/pluto/ikev2_ts.c 2021-02-24 16:30:19.639780631 -0500
@@ -862,7 +862,8 @@
}
#ifdef HAVE_LABELED_IPSEC
-static bool score_ends_seclabel(const struct ends *ends,
+static bool score_ends_seclabel(const chunk_t **selected_sec_label,
+ const struct ends *ends,
const struct connection *d,
const struct traffic_selectors *tsi,
const struct traffic_selectors *tsr,
@@ -875,6 +876,10 @@
bool match_i = false;
bool match_r = false;
+ if (selected_sec_label != NULL) {
+ *selected_sec_label = NULL;
+ }
+
for (unsigned tsi_n = 0; tsi_n < tsi->nr; tsi_n++) {
const struct traffic_selector *cur = &tsi->ts[tsi_n];
if (cur->ts_type == IKEv2_TS_SECLABEL) {
@@ -883,7 +888,8 @@
// complain loudly
continue;
} else {
- if (within_range((const char *)cur->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) {
+ if (hunk_eq(cur->sec_label, d->spd.this.sec_label) ||
+ within_range((const char *)cur->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) {
match_i = true;
dbg("ikev2ts #1: received label within range of our security label");
} else {
@@ -902,9 +908,13 @@
dbg("IKEv2_TS_SECLABEL but zero length cur->sec_label");
continue;
} else {
- if (within_range((const char *)ends->r->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) {
+ if (hunk_eq(ends->r->sec_label, d->spd.this.sec_label) ||
+ within_range((const char *)ends->r->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) {
dbg("ikev2ts #2: received label within range of our security label");
match_r = true;
+ if (selected_sec_label != NULL) {
+ *selected_sec_label = &cur->sec_label;
+ }
} else {
dbg("ikev2ts #2: received label not within range of our security label");
DBG_dump_hunk("ends->r->sec_label", ends->r->sec_label);
@@ -926,7 +936,8 @@
return require_label == recv_label_i && match_i && match_r;
}
#else
-static bool score_ends_seclabel(const struct ends *ends UNUSED,
+static bool score_ends_seclabel(const chunk_t **selected_sec_label,
+ const struct ends *ends UNUSED,
const struct connection *d UNUSED,
const struct traffic_selectors *tsi UNUSED,
const struct traffic_selectors *tsr UNUSED,
@@ -1030,6 +1041,7 @@
struct best_score best_score = NO_SCORE;
const struct spd_route *best_spd_route = NULL;
struct connection *best_connection = c;
+ const chunk_t *best_sec_label = NULL;
/* find best spd in c */
@@ -1042,7 +1054,8 @@
.r = &sra->this,
};
- if (!score_ends_seclabel(&ends, c, &tsi, &tsr, child->sa.st_logger)) {
+ const chunk_t* selected_sec_label = NULL;
+ if (!score_ends_seclabel(&selected_sec_label, &ends, c, &tsi, &tsr, child->sa.st_logger)) {
continue;
}
@@ -1060,6 +1073,7 @@
score.tsi - tsi.ts, score.tsr - tsr.ts);
best_score = score;
best_spd_route = sra;
+ best_sec_label = selected_sec_label;
passert(best_connection == c);
}
}
@@ -1143,7 +1157,8 @@
? END_NARROWER_THAN_TS
: END_EQUALS_TS;
- if (!score_ends_seclabel(&ends, d, &tsi, &tsr,
+ const chunk_t* selected_sec_label = NULL;
+ if (!score_ends_seclabel(&selected_sec_label, &ends, d, &tsi, &tsr,
child->sa.st_logger))
continue;
@@ -1159,6 +1174,7 @@
best_connection = d;
best_score = score;
best_spd_route = sr;
+ best_sec_label = selected_sec_label;
}
}
}
@@ -1389,6 +1405,13 @@
*/
update_state_connection(&child->sa, best_connection);
+ if (best_sec_label != NULL) {
+ if (child->sa.st_seen_sec_label.len != 0) {
+ free_chunk_content(&child->sa.st_seen_sec_label);
+ }
+ child->sa.st_seen_sec_label = clone_hunk(*best_sec_label, "st_seen_sec_label");
+ }
+
child->sa.st_ts_this = ikev2_end_to_ts(&best_spd_route->this, child->sa.st_acquired_sec_label);
child->sa.st_ts_that = ikev2_end_to_ts(&best_spd_route->that, child->sa.st_seen_sec_label);
@@ -1424,7 +1447,8 @@
? END_WIDER_THAN_TS
: END_EQUALS_TS;
- if (!score_ends_seclabel(&e, c, &tsi, &tsr, child->sa.st_logger))
+ const chunk_t *selected_sec_label = NULL;
+ if (!score_ends_seclabel(&selected_sec_label, &e, c, &tsi, &tsr, child->sa.st_logger))
return false;
struct best_score best = score_ends_iprange(initiator_widening, c, &e, &tsi, &tsr);
@@ -1435,6 +1459,13 @@
return false;
}
+ if (selected_sec_label != NULL) {
+ if (child->sa.st_seen_sec_label.len != 0) {
+ free_chunk_content(&child->sa.st_seen_sec_label);
+ }
+ child->sa.st_seen_sec_label = clone_hunk(*selected_sec_label, "st_seen_sec_label");
+ }
+
/* XXX: check conversions */
dbg("initiator saving acceptable TSi response in this");
ts_to_end(best.tsi, &c->spd.this, &child->sa.st_ts_this);
@@ -1489,7 +1520,7 @@
enum fit fitness = END_NARROWER_THAN_TS;
- if (!score_ends_seclabel(&ends, c, &their_tsis, &their_tsrs,
+ if (!score_ends_seclabel(NULL, &ends, c, &their_tsis, &their_tsrs,
child->sa.st_logger)) {
log_state(RC_LOG_SERIOUS, &child->sa,
"rekey: received Traffic Selectors mismatch configured selectors for Security Label");
diff -Naur libreswan-4.3-orig/programs/pluto/ikev2_parent.c libreswan-4.3/programs/pluto/ikev2_parent.c
--- libreswan-4.3-orig/programs/pluto/ikev2_parent.c 2021-02-21 12:03:03.000000000 -0500
+++ libreswan-4.3/programs/pluto/ikev2_parent.c 2021-03-01 10:31:49.667207958 -0500
@@ -5943,8 +5943,6 @@
* from a policy we gave the kernel, so it _should_ be within our range?
*/
child->sa.st_acquired_sec_label = clone_hunk(p->sec_label, "st_acquired_sec_label");
- c->spd.this.sec_label = clone_hunk(p->sec_label, "updated conn label");
- c->spd.that.sec_label = clone_hunk(p->sec_label, "updated conn label");
}
} else {

View File

@ -36,8 +36,8 @@
Name: libreswan
Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
# version is generated in the release script
Version: 4.3
Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}
Version: 4.4
Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
License: GPLv2
Url: https://libreswan.org/
@ -51,8 +51,6 @@ Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
Patch1: libreswan-4.3-maintain-different-v1v2-split.patch
Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch
Patch3: libreswan-4.1-maintain-obsolete-keywords.patch
Patch4: libreswan-4.3-labeled-ipsec.patch
Patch5: libreswan-4.3-ikev2-tcp.patch
Patch6: libreswan-4.3-1934186-config.patch
BuildRequires: audit-libs-devel
@ -111,8 +109,6 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
# linking to freebl is not needed
@ -217,12 +213,14 @@ certutil -N -d sql:$tmpdir --empty-password
%attr(0644,root,root) %doc %{_mandir}/*/*
%changelog
* Thu Mar 04 2021 Paul Wouters <pwouters@redhat.com> - 4.3-3
- Resolves: rhbz#1372050 RFE: Support IKE and ESP over TCP: RFC 8229
- Resolves: rhbz#1934186 virtual_private setting is missing in the default config
* Wed May 26 2021 Daiki Ueno <dueno@redhat.com> - 4.4-1
- Resolves: rhbz#1958968 Rebase libreswan to 4.4
- Resolves: rhbz#1954423 Libreswan: TS_UNACCEPTABLE on multiple connections between the same peers
* Mon Mar 01 2021 Paul Wouters <pwouters@redhat.com> - 4.3-2
- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec [update]
* Thu Mar 04 2021 Paul Wouters <pwouters@redhat.com> - 4.3-3
- Resolves: rhbz#1933064 - IKEv2 support for Labeled IPsec
- Resolves: rhbz#1935150 RFE: Support IKE and ESP over TCP: RFC 8229
- Resolves: rhbz#1935339 virtual_private setting is missing in the default config
* Sun Feb 21 2021 Paul Wouters <pwouters@redhat.com> - 4.3-1
- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec [update]