diff --git a/libreswan-3.10-autoroute.patch b/libreswan-3.10-autoroute.patch
deleted file mode 100644
index 298a385..0000000
--- a/libreswan-3.10-autoroute.patch
+++ /dev/null
@@ -1,80 +0,0 @@ -commit dded96917330dc7726d2520ef74deff710ed7673 -Author: Paul Wouters -Date: Mon Sep 8 20:38:32 2014 -0400 - - addconn: routing should happen after listen (bug introduced in 3.10) - - This caused auto=route (auto=ondemand) connections to not load properly, - because pluto wasn't listening yet so these connections could not orient. - -diff --git a/programs/addconn/addconn.c b/programs/addconn/addconn.c -index 5961a14..4c605a7 100644 ---- a/programs/addconn/addconn.c -+++ b/programs/addconn/addconn.c -@@ -1,8 +1,9 @@ - /* - * A program to read the configuration file and load a single conn - * Copyright (C) 2005 Michael Richardson -- * Copyright (C) 2012 Paul Wouters -- * Copyright (C) 2012 Kim B. Heino -+ * Copyright (C) 2012-2014 Paul Wouters -+ * Copyright (C) 2014 D. Hugh Redelmeier -+ * Copyright (C) 2012-2013 Kim B. Heino - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the -@@ -725,19 +726,37 @@ int main(int argc, char *argv[]) - conn->desired_state == STARTUP_START) { - if (verbose) - printf(" %s", conn->name); -- resolve_defaultroute(conn); - starter_whack_add_conn(cfg, conn); - } -- if (conn->desired_state == STARTUP_ONDEMAND) -- starter_whack_route_conn(cfg, conn); - } - -- /* We added all connections, let pluto listen, then startup our conns */ -+ /* -+ * We loaded all connections. Now tell pluto to listen, -+ * then route the conns and resolve default route. 
-+ */ - starter_whack_listen(cfg); - - if (verbose) -- printf(" Pass #2: Initiating auto=start connections\n"); -+ printf(" Pass #2: Routing auto=route and auto=start connections\n"); - -+ for (conn = cfg->conns.tqh_first; -+ conn != NULL; -+ conn = conn->link.tqe_next) { -+ if (conn->desired_state == STARTUP_ADD || -+ conn->desired_state == STARTUP_ONDEMAND || -+ conn->desired_state == STARTUP_START) { -+ if (verbose) -+ printf(" %s", conn->name); -+ resolve_defaultroute(conn); -+ if (conn->desired_state == STARTUP_ONDEMAND || -+ conn->desired_state == STARTUP_START) { -+ starter_whack_route_conn(cfg, conn); -+ } -+ } -+ } -+ -+ if (verbose) -+ printf(" Pass #3: Initiating auto=start connections\n"); - - for (conn = cfg->conns.tqh_first; - conn != NULL; -@@ -745,10 +764,10 @@ int main(int argc, char *argv[]) - if (conn->desired_state == STARTUP_START) { - if (verbose) - printf(" %s", conn->name); -- resolve_defaultroute(conn); - starter_whack_initiate_conn(cfg, conn); - } - } -+ - if (verbose) - printf("\n"); - } else { diff --git a/libreswan-3.10-coverity.patch b/libreswan-3.10-coverity.patch deleted file mode 100644 index 9380d31..0000000 --- a/libreswan-3.10-coverity.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -diff --git a/programs/pluto/ikev2_crypto.c b/programs/pluto/ikev2_crypto.c -index 58c62c8..4a305c7 100644 ---- a/programs/pluto/ikev2_crypto.c -+++ b/programs/pluto/ikev2_crypto.c -@@ -65,8 +65,8 @@ void ikev2_derive_child_keys(struct state *st, enum phase1_role role) - st->st_ah.present? &st->st_ah : - NULL; - -- assert(ipi != NULL); /* ESP or AH must be present */ -- assert(st->st_esp.present != st->st_ah.present); /* only one */ -+ passert(ipi != NULL); /* ESP or AH must be present */ -+ passert(st->st_esp.present != st->st_ah.present); /* only one */ - - /* ??? there is no kernel_alg_ah_info */ - ipi->attrs.transattrs.ei = kernel_alg_esp_info( -@@ -142,14 +142,6 @@ void ikev2_derive_child_keys(struct state *st, enum phase1_role role) - v2genbytes(&rkeymat, ipi->keymat_len, - "responder keys", &childsacalc); - -- /* This should really be role == O_INITIATOR, but then our keys are -- * installed reversed. This is a workaround until we locate the -- * real problem. It's better not to release copies of our code -- * that will be incompatible with everything else, including our -- * own updated version -- * Found by Herbert Xu -- * if(role == O_INITIATOR) { -- */ - if (role != O_INITIATOR) { - DBG(DBG_CRYPT, { - DBG_dump_chunk("our keymat", ikeymat); -@@ -167,4 +159,3 @@ void ikev2_derive_child_keys(struct state *st, enum phase1_role role) - } - - } -- -diff --git a/programs/pluto/pluto_crypt.c b/programs/pluto/pluto_crypt.c -index 7bf3a2a..080d2a0 100644 ---- a/programs/pluto/pluto_crypt.c -+++ b/programs/pluto/pluto_crypt.c -@@ -657,7 +657,7 @@ static void kill_helper(struct pluto_crypto_worker *w) - } - - void log_crypto_workers(void) { -- bool first_time = TRUE; -+ static bool first_time = TRUE; - int i; - - if (!first_time) -diff --git a/programs/pluto/rcv_whack.c b/programs/pluto/rcv_whack.c -index 483f34c..9c6fb11 100644 ---- a/programs/pluto/rcv_whack.c -+++ b/programs/pluto/rcv_whack.c -@@ -690,7 +690,7 @@ bool whack_prompt_for(int 
whackfd, - return FALSE; - } - -- if (strlen(ansbuf) == 0) { -+ if (n == 0) { - whack_log(RC_LOG_SERIOUS, "no %s entered, aborted", prompt2); - return FALSE; - } -diff --git a/programs/rsasigkey/rsasigkey.c b/programs/rsasigkey/rsasigkey.c -index f3f0194..d853365 100644 ---- a/programs/rsasigkey/rsasigkey.c -+++ b/programs/rsasigkey/rsasigkey.c -@@ -321,7 +321,14 @@ int main(int argc, char *argv[]) - device = optarg; - break; - case 'H': /* set hostname for output */ -- strcpy(outputhostname, optarg); -+ { -+ size_t full_len = strlen(optarg); -+ bool oflow = sizeof(outputhostname) - 1 < full_len; -+ size_t copy_len = oflow ? sizeof(outputhostname) - 1 : full_len; -+ -+ memcpy(outputhostname, optarg, copy_len); -+ outputhostname[copy_len] = '\0'; -+ } - break; - case 'h': /* help */ - printf("Usage:\t%s\n", usage); diff --git a/libreswan-3.10-snprintf.patch b/libreswan-3.10-snprintf.patch deleted file mode 100644 index 55bae52..0000000 --- a/libreswan-3.10-snprintf.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff -Naur libreswan-3.10-orig/programs/pluto/kernel.c libreswan-3.10/programs/pluto/kernel.c ---- libreswan-3.10-orig/programs/pluto/kernel.c 2014-09-01 17:44:22.000000000 -0400 -+++ libreswan-3.10/programs/pluto/kernel.c 2014-09-08 09:10:29.173718430 -0400 -@@ -441,7 +441,7 @@ - "PLUTO_STACK='%s' " - "%s" /* optional metric */ - "%s" /* optional mtu */ -- "PLUTO_ADDTIME='%lu' " -+ "PLUTO_ADDTIME='%" PRIu64 "' " - "PLUTO_CONN_POLICY='%s' " - "PLUTO_CONN_ADDRFAMILY='ipv%d' " - "XAUTH_FAILED=%d " -@@ -479,7 +479,7 @@ - kernel_ops->kern_name, - metric_str, - connmtu_str, -- st == NULL ? 0 : st->st_esp.add_time, -+ (u_int64_t)(st == NULL ? 0U : st->st_esp.add_time), - prettypolicy(c->policy), - (c->addr_family == AF_INET) ? 4 : 6, - (st && st->st_xauth_soft) ? 1 : 0, diff --git a/libreswan-3.19-configdir-compat.patch b/libreswan-3.19-configdir-compat.patch deleted file mode 100644 index e0b79d6..0000000 --- a/libreswan-3.19-configdir-compat.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -diff -Naur libreswan-3.19-orig/programs/ipsec/ipsec.in libreswan-3.19/programs/ipsec/ipsec.in ---- libreswan-3.19-orig/programs/ipsec/ipsec.in 2017-01-15 14:34:34.000000000 -0500 -+++ libreswan-3.19/programs/ipsec/ipsec.in 2017-02-03 17:49:07.779187770 -0500 -@@ -38,7 +38,7 @@ - PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin - export PATH - --# supress ElectricFence banner changing our reference testing output -+# suppress ElectricFence banner changing our reference testing output - export EF_DISABLE_BANNER=1 - - # things not to be listed in --help command list -@@ -216,10 +216,14 @@ - # A lot of nss commands use -d to specify NSS db location. - # We use --nssdir. - if [ "${2}" = "-d" -o \ -+ "${2}" = "--configdir" -o \ - "${2}" = "--nssdir" ] - then - if [ -d "${3}" ]; then - IPSEC_NSSDIR="${3}" -+ if [ "${2}" = "--configdir" ]; then -+ echo "ipsec import warning: --configdir is obsoleted, use --nssdir" >&2 -+ fi - else - echo "usage: ipsec import [--nssdir ${IPSEC_NSSDIR}] /path/to/pkcs.12" >&2 - exit 1 -@@ -251,10 +255,14 @@ - # A lot of nss commands use -d to specify NSS db location. - # We use --nssdir. 
- if [ "${2}" = "-d" -o \ -+ "${2}" = "--configdir" -o \ - "${2}" = "--nssdir" ] - then - IPSEC_NSSDIR="${3}" - IPSEC_NSSDIR_SQL="sql:${IPSEC_NSSDIR}" -+ if [ "${2}" = "--configdir" ]; then -+ echo "ipsec initnss warning: --configdir is obsoleted, use --nssdir" >&2 -+ fi - else - echo "usage: ipsec initnss [--nssdir ${IPSEC_NSSDIR}]" >&2 - exit 1 -diff -Naur libreswan-3.19-orig/programs/newhostkey/newhostkey.in libreswan-3.19/programs/newhostkey/newhostkey.in ---- libreswan-3.19-orig/programs/newhostkey/newhostkey.in 2017-01-15 14:34:34.000000000 -0500 -+++ libreswan-3.19/programs/newhostkey/newhostkey.in 2017-02-03 17:49:16.131142346 -0500 -@@ -54,7 +54,7 @@ - exit 0 - ;; - --random) -- echo "$me warning: --random is obsoleted, using --seeddev" -+ echo "$me warning: --random is obsoleted, using --seeddev" >&2 - seeddev="--seeddev ${2}" - shift - ;; -@@ -62,6 +62,11 @@ - seeddev="--seeddev ${2}" - shift - ;; -+ --configdir) -+ echo "$me warning: --configdir is obsoleted, use --nssdir" >&2 -+ nssdir="${2}" -+ shift -+ ;; - --nssdir) - nssdir="${2}" - shift diff --git a/libreswan-3.19-suppress_delete.patch b/libreswan-3.19-suppress_delete.patch deleted file mode 100644 index ab3e073..0000000 --- a/libreswan-3.19-suppress_delete.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -diff -Naur libreswan-3.19-orig/programs/pluto/connections.c libreswan-3.19/programs/pluto/connections.c ---- libreswan-3.19-orig/programs/pluto/connections.c 2017-01-15 14:34:34.000000000 -0500 -+++ libreswan-3.19/programs/pluto/connections.c 2017-02-03 17:44:29.009703914 -0500 -@@ -4334,3 +4334,27 @@ - unroute_connection(c); /* --unroute */ - } - } -+ -+/* -+ * When replacing an old existing connection, suppress sending delete notify -+ */ -+void suppress_delete(struct connection *c) -+{ -+ struct state *pst = state_with_serialno(c->newest_isakmp_sa); -+ struct state *cst = state_with_serialno(c->newest_ipsec_sa); -+ if (pst != NULL) { -+ pst->st_ikev2_no_del = TRUE; -+ DBG(DBG_CONTROL, DBG_log("Marked IKE state #%lu to suppress sending delete notify", -+ c->newest_isakmp_sa)); -+ } else { -+ libreswan_log("did not find old IKE state to mark for suppressing delete"); -+ } -+ -+ if (cst != NULL) { -+ cst->st_ikev2_no_del = TRUE; -+ DBG(DBG_CONTROL, DBG_log("Marked IPSEC state #%lu to suppress sending delete notify", -+ c->newest_ipsec_sa)); -+ } else { -+ libreswan_log("did not find old IPsec state to mark for suppressing delete"); -+ } -+} -diff -Naur libreswan-3.19-orig/programs/pluto/connections.h libreswan-3.19/programs/pluto/connections.h ---- libreswan-3.19-orig/programs/pluto/connections.h 2017-01-15 14:34:34.000000000 -0500 -+++ libreswan-3.19/programs/pluto/connections.h 2017-02-03 17:44:29.009703914 -0500 -@@ -383,6 +383,7 @@ - extern void terminate_connection(const char *name); - extern void release_connection(struct connection *c, bool relations); - extern void delete_connection(struct connection *c, bool relations); -+extern void suppress_delete(struct connection *c); - extern void delete_connections_by_name(const char *name, bool strict); - extern void delete_every_connection(void); - extern char *add_group_instance(struct connection *group, -diff -Naur libreswan-3.19-orig/programs/pluto/initiate.c 
libreswan-3.19/programs/pluto/initiate.c ---- libreswan-3.19-orig/programs/pluto/initiate.c 2017-02-03 17:41:48.704575766 -0500 -+++ libreswan-3.19/programs/pluto/initiate.c 2017-02-03 17:44:34.470674213 -0500 -@@ -978,6 +978,7 @@ - same_id(&c->spd.that.id, &d->spd.that.id))) - { - DBG(DBG_CONTROL, DBG_log("Unorienting old connection with same IDs")); -+ suppress_delete(d); /* don't send a delete */ - release_connection(d, FALSE); - } - d = next; -diff -Naur libreswan-3.19-orig/programs/pluto/state.c libreswan-3.19/programs/pluto/state.c ---- libreswan-3.19-orig/programs/pluto/state.c 2017-01-15 14:34:34.000000000 -0500 -+++ libreswan-3.19/programs/pluto/state.c 2017-02-03 17:44:34.471674208 -0500 -@@ -880,8 +880,8 @@ - } - - /* tell the other side of any IPSEC SAs that are going down */ -- if (IS_IPSEC_SA_ESTABLISHED(st->st_state) || -- IS_ISAKMP_SA_ESTABLISHED(st->st_state)) { -+ if (!st->st_ikev2_no_del && (IS_IPSEC_SA_ESTABLISHED(st->st_state) || -+ IS_ISAKMP_SA_ESTABLISHED(st->st_state))) { - if (st->st_ikev2 && IS_CHILD_SA(st) && - state_with_serialno(st->st_clonedfrom) == NULL) { - /* ??? in v2, there must be a parent */ -diff -Naur libreswan-3.19-orig/programs/pluto/state.h libreswan-3.19/programs/pluto/state.h ---- libreswan-3.19-orig/programs/pluto/state.h 2017-01-15 14:34:34.000000000 -0500 -+++ libreswan-3.19/programs/pluto/state.h 2017-02-03 17:44:34.471674208 -0500 -@@ -245,6 +245,7 @@ - bool has_pam_thread; /* per state PAM thread flag */ - - bool st_ikev2; /* is this an IKEv2 state? */ -+ bool st_ikev2_no_del; /* suppress sending DELETE - eg replaced conn */ - bool st_rekeytov2; /* true if this IKEv1 is about - * to be replaced with IKEv2 - */ diff --git a/libreswan-3.19-testbuf.patch b/libreswan-3.19-testbuf.patch deleted file mode 100644 index 4f0cece..0000000 --- a/libreswan-3.19-testbuf.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -commit 13560e2c4d340056c4381e4216c49950a350ed0b -Author: D. Hugh Redelmeier -Date: Fri Feb 3 18:16:10 2017 -0500 - - pluto: use %tu to format ptrdiff_t (%zu is for size_t) - -diff --git a/programs/pluto/test_buffer.c b/programs/pluto/test_buffer.c -index 6f24aa1..9b4ed0b 100644 ---- a/programs/pluto/test_buffer.c -+++ b/programs/pluto/test_buffer.c -@@ -66,7 +66,7 @@ chunk_t decode_hex_to_chunk(const char *original, const char *string) - buf[i] = '\0'; - if (i != 2) { - loglog(RC_INTERNALERR, -- "unexpected space or NUL character at offset %zu in hex buffer \"%s\" at \"%s\"\n", -+ "unexpected space or NUL character at offset %tu in hex buffer \"%s\" at \"%s\"\n", - pos - string, string, pos); - exit_pluto(PLUTO_EXIT_NSS_FAIL); - } -@@ -74,7 +74,7 @@ chunk_t decode_hex_to_chunk(const char *original, const char *string) - chunk.ptr[chunk.len] = strtoul(buf, &end, 16); - if (end - buf != 2) { - loglog(RC_INTERNALERR, -- "invalid character at offset %zu in hex buffer \"%s\" at \"%s\"\n", -+ "invalid character at offset %tu in hex buffer \"%s\" at \"%s\"\n", - pos-string, string, pos); - exit_pluto(PLUTO_EXIT_NSS_FAIL); - } diff --git a/libreswan-3.19-uniqueid_replace.patch b/libreswan-3.19-uniqueid_replace.patch deleted file mode 100644 index 14dae1c..0000000 --- a/libreswan-3.19-uniqueid_replace.patch +++ /dev/null 
@@ -1,195 +0,0 @@ -diff -Naur libreswan-3.19-orig/programs/configs/d.ipsec.conf/uniqueids.xml libreswan-3.19/programs/configs/d.ipsec.conf/uniqueids.xml ---- libreswan-3.19-orig/programs/configs/d.ipsec.conf/uniqueids.xml 2017-01-15 14:34:34.000000000 -0500 -+++ libreswan-3.19/programs/configs/d.ipsec.conf/uniqueids.xml 2017-02-03 17:41:48.703575771 -0500 -@@ -1,17 +1,20 @@ - - uniqueids - --whether a particular participant ID should be kept unique, --with any new (automatically keyed) --connection using an ID from a different IP address --deemed to replace all old ones using that ID. --Acceptable values are yes --(the default) --and --no. --Participant IDs normally are unique, --so a new (automatically-keyed) connection using the same ID is --almost invariably intended to replace an old one. -- -+ Whether IDs should be considered identifying remote parties -+uniquely. Acceptable values are yes (the -+default) and no. Participant IDs normally -+are unique, so a new connection instance using the same remote ID is -+almost invariably intended to replace an old existing connection. -+ -+ When the connection is defined to be a server (using xauthserver=) -+and the connection policy is authby=secret, this option is ignored (as -+of 3.20) and old connections will never be replaced. This situation is -+commonly known as clients using a "Group ID". -+ -+ This option may disappear in the near future. People using identical -+X.509 certificates on multiple devices are urged to upgrade to use seperate -+certificates per client and device. 
-+ - - -diff -Naur libreswan-3.19-orig/programs/pluto/ikev1_aggr.c libreswan-3.19/programs/pluto/ikev1_aggr.c ---- libreswan-3.19-orig/programs/pluto/ikev1_aggr.c 2017-01-15 14:34:34.000000000 -0500 -+++ libreswan-3.19/programs/pluto/ikev1_aggr.c 2017-02-03 17:41:42.320610486 -0500 -@@ -906,6 +906,9 @@ - */ - set_ph1_iv_from_new(st); - DBG(DBG_CONTROL, DBG_log("phase 1 complete")); -+ -+ ISAKMP_SA_established(st->st_connection, st->st_serialno); -+ - #ifdef USE_LINUX_AUDIT - linux_audit_conn(st, LAK_PARENT_START); - #endif -@@ -1012,6 +1015,9 @@ - */ - set_ph1_iv_from_new(st); - DBG(DBG_CONTROL, DBG_log("phase 1 complete")); -+ -+ ISAKMP_SA_established(st->st_connection, st->st_serialno); -+ - #ifdef USE_LINUX_AUDIT - linux_audit_conn(st, LAK_PARENT_START); - #endif -diff -Naur libreswan-3.19-orig/programs/pluto/ikev2_child.c libreswan-3.19/programs/pluto/ikev2_child.c ---- libreswan-3.19-orig/programs/pluto/ikev2_child.c 2017-01-15 14:34:34.000000000 -0500 -+++ libreswan-3.19/programs/pluto/ikev2_child.c 2017-02-03 17:41:37.984634068 -0500 -@@ -1271,6 +1271,9 @@ - - ikev2_derive_child_keys(cst, role); - -+ /* Check to see if we need to release an old instance */ -+ ISAKMP_SA_established(pst->st_connection, pst->st_serialno); -+ - /* install inbound and outbound SPI info */ - if (!install_ipsec_sa(cst, TRUE)) - return STF_FATAL; -diff -Naur libreswan-3.19-orig/programs/pluto/initiate.c libreswan-3.19/programs/pluto/initiate.c ---- libreswan-3.19-orig/programs/pluto/initiate.c 2017-01-15 14:34:34.000000000 -0500 -+++ libreswan-3.19/programs/pluto/initiate.c 2017-02-03 17:41:48.704575766 -0500 -@@ -929,73 +929,58 @@ - bool uniqueIDs = FALSE; /* --uniqueids? */ - - /* -- * Called by main_inI3_outR3_tail() and ikev2_child_sa_respond() which is called for -- * initiator and responder alike! So this function should not be in initiate.c. -- * It is also not called in IKEv1 Aggressive Mode! -+ * Called by IKEv1 and IKEv2 when the IKE SA is established. 
-+ * It checks if the freshly established connection needs is -+ * replacing an established version of itself. -+ * -+ * The use of uniqueIDs is mostly historic and might be removed -+ * in a future version. It is ignored for PSK based connections, -+ * which only act based on being a "server using PSK". - */ - void ISAKMP_SA_established(struct connection *c, so_serial_t serial) - { - c->newest_isakmp_sa = serial; - -- if (uniqueIDs && !c->spd.this.xauth_server && -- (c->policy & POLICY_AUTH_NULL) == LEMPTY) { -- /* -- * for all connections: if the same Phase 1 IDs are used -- * for different IP addresses, unorient that connection. -- * We also check ports, since different Phase 1 ID's can -- * exist for the same IP when NAT is involved. -- */ -- struct connection *d; -- -- for (d = connections; d != NULL; ) { -- /* might move underneath us */ -- struct connection *next = d->ac_next; -- -- /* -- * We try to find duplicate instances of same -- * connection to clean up old ones when uniqueids=yes -- * -- * We are testing for all of: -- * 1: an appropriate kind to consider -- * 2: same ids, left and right -- * 3: same address family -- * 4: same connection name -- * 5: but different IP address or port -- * 6: differing dnsnames (sort of) -- * -- * DHR (2014-10-29): -- * Is the sense of the last clause inverted? -- * The logic kind of suggests that in fact the -- * same dnsnames should be the same, not different. -- * -- * Let's make 6 clearer: -- * if BOTH have dnsnames, they must be unequal. -- * -- * I suspect that it should be: -- * if BOTH have dnsnames, they must be equal. -- * -- * In other words the streq result should be negated. 
-- */ -- if ((d->kind == CK_PERMANENT || -- d->kind == CK_INSTANCE || -- d->kind == CK_GOING_AWAY) && -- (c->name == d->name) && -- same_id(&c->spd.this.id, &d->spd.this.id) && -- same_id(&c->spd.that.id, &d->spd.that.id) && -- addrtypeof(&c->spd.that.host_addr) == -- addrtypeof(&d->spd.that.host_addr) && -- (!sameaddr(&c->spd.that.host_addr, -- &d->spd.that.host_addr) || -- c->spd.that.host_port != -- d->spd.that.host_port) && -- !(c->dnshostname != NULL && -- d->dnshostname != NULL && -- streq(c->dnshostname, -- d->dnshostname))) { -- release_connection(d, FALSE); -- } -- d = next; -+ /* NULL authentication can never replaced - it is all anonnymous */ -+ if (LIN(POLICY_AUTH_NULL, c->policy) || -+ ( c->spd.that.authby == AUTH_NULL || c->spd.this.authby == AUTH_NULL)) { -+ -+ DBG(DBG_CONTROL, DBG_log("NULL Authentication - all clients appear identical")); -+ return; -+ } -+ -+ /* -+ * If we are a server and use PSK, all clients use the same group ID -+ * Note that "xauth_server" also refers to IKEv2 CP -+ */ -+ if (c->spd.this.xauth_server && LIN(POLICY_PSK, c->policy)) { -+ DBG(DBG_CONTROL, DBG_log("We are a server using PSK and clients are using a group ID")); -+ return; -+ } -+ -+ if (!uniqueIDs) { -+ DBG(DBG_CONTROL, DBG_log("uniqueIDs disabled, not contemplating releasing older self")); -+ return; -+ } -+ -+ /* -+ * for all existing connections: if the same Phase 1 IDs are used, -+ * unorient that (old) connection - This is a replacement. -+ */ -+ struct connection *d; -+ -+ for (d = connections; d != NULL; ) { -+ /* might move underneath us */ -+ struct connection *next = d->ac_next; -+ -+ if (c != d && c->kind == d->kind && streq(c->name, d->name) && -+ (same_id(&c->spd.this.id, &d->spd.this.id) && -+ same_id(&c->spd.that.id, &d->spd.that.id))) -+ { -+ DBG(DBG_CONTROL, DBG_log("Unorienting old connection with same IDs")); -+ release_connection(d, FALSE); - } -+ d = next; - } - } - 
diff --git a/libreswan-3.23-crypto-policies.patch b/libreswan-3.23-crypto-policies.patch
new file mode 100644
index 0000000..1aca3db
--- /dev/null
+++ b/libreswan-3.23-crypto-policies.patch
@@ -0,0 +1,66 @@ +diff --git a/lib/libipsecconf/parser.l b/lib/libipsecconf/parser.l +index c41dd8048..cc2faf5c9 100644 +--- a/lib/libipsecconf/parser.l ++++ b/lib/libipsecconf/parser.l +@@ -160,7 +160,9 @@ static int parser_y_nextglobfile(struct ic_inputsource *iis) + char ebuf[128]; + + snprintf(ebuf, sizeof(ebuf), +- "cannot open include filename: '%s': %s", ++ (strstr(iis->filename, "crypto-policies/back-ends/libreswan.config") == NULL) ? ++ "cannot open include filename: '%s': %s" : ++ "ignored loading default system-wide crypto-policies file '%s': %s", + iis->fileglob.gl_pathv[fcnt], + strerror(errno)); + yyerror(ebuf); +diff --git a/programs/configs/ipsec.conf.in b/programs/configs/ipsec.conf.in +index 7374efc3c..974699f01 100644 +--- a/programs/configs/ipsec.conf.in ++++ b/programs/configs/ipsec.conf.in +@@ -1,27 +1,18 @@ + # @FINALCONFDIR@/ipsec.conf - Libreswan IPsec configuration file + # +-# Manual: ipsec.conf.5 ++# see 'man ipsec.conf' and 'man pluto' for more information ++# ++# For example configurations and documentation, see https://libreswan.org/wiki/ + + config setup +- # Normally, pluto logs via syslog. If you want to log to a file, +- # specify below or to disable logging, eg for embedded systems, use +- # the file name /dev/null +- # Note: SElinux policies might prevent pluto writing to a log file at +- # an unusual location. ++ # Normally, pluto logs via syslog. + #logfile=/var/log/pluto.log + # + # Do not enable debug options to debug configuration issues! + # +- # plutodebug "all", "none" or a combation from below: +- # "raw crypt parsing emitting control controlmore kernel pfkey +- # natt x509 dpd dns oppo oppoinfo private". +- # Note: "private" is not included with "all", as it can show confidential +- # information. 
It must be specifically specified +- # examples: + # plutodebug="control parsing" + # plutodebug="all crypt" +- # Again: only enable plutodebug when asked by a developer +- #plutodebug=none ++ plutodebug=none + # + # NAT-TRAVERSAL support + # exclude networks used on server side by adding %v4:!a.b.c.0/24 +@@ -30,10 +21,8 @@ config setup + # This range has never been announced via BGP (at least up to 2015) + virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 + +-# For example connections, see your distribution's documentation directory, +-# or https://libreswan.org/wiki/ +-# +-# There is also a lot of information in the manual page, "man ipsec.conf" +-# ++# if it exists, include system wide crypto-policy defaults ++include /etc/crypto-policies/back-ends/libreswan.config ++ + # It is best to add your IPsec connections as separate files in @IPSEC_CONFDDIR@/ + include @IPSEC_CONFDDIR@/*.conf diff --git a/libreswan-3.23-fixups.patch b/libreswan-3.23-fixups.patch new file mode 100644 index 0000000..f674916 --- /dev/null +++ b/libreswan-3.23-fixups.patch 
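Review bot: In parser_y_nextglobfile the new "ignored loading default system-wide crypto-policies file" text is still passed to `yyerror(ebuf)`, so whether a missing policy file is really ignored or counted as a parse error depends on code outside this hunk (the function starts and ends outside it) and should be confirmed. With the default path and a "No such file or directory" errno string that message runs past the 128-byte `ebuf`, so the log line would lose the end of the reason; `char ebuf[256];` avoids that. The selector tests `iis->filename` while the message prints `iis->fileglob.gl_pathv[fcnt]`; using the printed path in the `strstr()` call keeps the two in step. In ipsec.conf.in the include of /etc/crypto-policies/back-ends/libreswan.config appears to be best-effort, so I would add `# if this file is absent, the system-wide crypto policy is not applied` above it and keep the removed warning that plutodebug "private" can show confidential information.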
@@ -0,0 +1,507 @@ +diff -Naur libreswan-3.23-orig/programs/pluto/connections.c libreswan-3.23/programs/pluto/connections.c +--- libreswan-3.23-orig/programs/pluto/connections.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/connections.c 2018-02-05 14:38:49.372280712 -0500 +@@ -3158,10 +3158,8 @@ + matching_peer_id && matching_peer_ca && matching_requested_ca, + matching_peer_id, matching_peer_ca, matching_requested_ca);}); + +- /* Ignore template from which we instantiated - this should never happen */ + if (c->kind == CK_INSTANCE && d->kind == CK_TEMPLATE && streq(c->name, d->name)) { +- libreswan_log("Warning: not switching back to template of current instance (FIXME)"); +- continue; ++ DBG(DBG_CONTROLMORE, DBG_log("template conn fits better than instance of it - different client on same IP/port requires new instance")); + } + + /* 'You Tarzan, me Jane' check based on received IDr */ +diff -Naur libreswan-3.23-orig/programs/pluto/hostpair.c libreswan-3.23/programs/pluto/hostpair.c +--- libreswan-3.23-orig/programs/pluto/hostpair.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/hostpair.c 2018-02-05 14:38:57.865635032 -0500 +@@ -144,17 +144,6 @@ + hisport = pluto_port; + + for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next) { +- if (p->connections != NULL && (p->connections->kind == CK_INSTANCE) && +- (p->connections->spd.that.id.kind == ID_NULL)) +- { +- DBG(DBG_CONTROLMORE, { +- char ci[CONN_INST_BUF]; +- DBG_log("find_host_pair: ignore CK_INSTANCE with ID_NULL hp:\"%s\"%s", +- p->connections->name, +- fmt_conn_instance(p->connections, ci)); +- }); +- continue; +- } + + DBG(DBG_CONTROLMORE, { + ipstr_buf b1; +diff -Naur libreswan-3.23-orig/programs/pluto/ikev2.h libreswan-3.23/programs/pluto/ikev2.h +--- libreswan-3.23-orig/programs/pluto/ikev2.h 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/ikev2.h 2018-02-05 14:39:11.171190105 -0500 +@@ -162,7 +162,9 @@ + extern bool 
ikev2_calculate_rsa_sha1(struct state *st, + enum original_role role, + unsigned char *idhash, +- pb_stream *a_pbs); ++ pb_stream *a_pbs, ++ bool calc_no_ppk_auth, ++ chunk_t *no_ppk_auth); + + extern bool ikev2_create_psk_auth(enum keyword_authby authby, + struct state *st, +diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_parent.c libreswan-3.23/programs/pluto/ikev2_parent.c +--- libreswan-3.23-orig/programs/pluto/ikev2_parent.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/ikev2_parent.c 2018-02-05 14:39:11.173190188 -0500 +@@ -2783,7 +2783,9 @@ + + switch (a.isaa_type) { + case IKEv2_AUTH_RSA: +- if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs)) { ++ if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs, ++ FALSE, /* store-only not set */ ++ NULL /* store-only chunk unused */)) { + loglog(RC_LOG_SERIOUS, "Failed to find our RSA key"); + return STF_FATAL; + } +@@ -2792,7 +2794,7 @@ + case IKEv2_AUTH_PSK: + case IKEv2_AUTH_NULL: + if (!ikev2_create_psk_auth(authby, pst, idhash_out, &a_pbs, +- FALSE /* store-only not set */, ++ FALSE, /* store-only not set */ + NULL /* store-only chunk unused */)) { + loglog(RC_LOG_SERIOUS, "Failed to find our PreShared Key"); + return STF_FATAL; +@@ -2812,7 +2814,9 @@ + return STF_INTERNAL_ERROR; + } + +- if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs)) { ++ if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs, ++ FALSE, /* store-only not set */ ++ NULL /* store-only chunk unused */)) { + loglog(RC_LOG_SERIOUS, "DigSig: failed to find our RSA key"); + return STF_FATAL; + } +@@ -3224,7 +3228,7 @@ + hmac_update(&id_ctx, id_start, id_len); + hmac_final(idhash, &id_ctx); + +- if (pst->st_sk_pi_no_ppk != NULL) { ++ if (pst->st_seen_ppk && !LIN(POLICY_PPK_INSIST, pc->policy)) { + struct hmac_ctx id_ctx_npa; + + hmac_init(&id_ctx_npa, pst->st_oakley.ta_prf, pst->st_sk_pi_no_ppk); +@@ -3371,7 +3375,7 @@ + notifies++; + + if (pst->st_seen_ppk) +- notifies++; /* used for two 
payloads */ ++ notifies++; /* used for one or two payloads */ + + /* code does not support AH + ESP, not recommend rfc8221 section-4 */ + struct ipsec_proto_info *proto_info +@@ -3437,21 +3441,24 @@ + } + if (pst->st_seen_ppk) { + chunk_t notify_data = create_unified_ppk_id(&ppk_id_p); ++ int np = LIN(POLICY_PPK_INSIST, cc->policy) ? ISAKMP_NEXT_v2NONE : ISAKMP_NEXT_v2N; + +- notifies--; /* used for 2 payloads */ +- if (!ship_v2N(ISAKMP_NEXT_v2N, ISAKMP_PAYLOAD_NONCRITICAL, +- PROTO_v2_RESERVED, &empty_chunk, +- v2N_PPK_IDENTITY, ¬ify_data, +- &e_pbs_cipher)) +- return STF_INTERNAL_ERROR; ++ notifies--; /* used for one or two payloads */ ++ if (!ship_v2N(np, ISAKMP_PAYLOAD_NONCRITICAL, ++ PROTO_v2_RESERVED, &empty_chunk, ++ v2N_PPK_IDENTITY, ¬ify_data, ++ &e_pbs_cipher)) ++ return STF_INTERNAL_ERROR; + freeanychunk(notify_data); + +- ikev2_calc_no_ppk_auth(cc, pst, idhash_npa, &pst->st_no_ppk_auth); +- if (!ship_v2N(ISAKMP_NEXT_v2NONE, ISAKMP_PAYLOAD_NONCRITICAL, +- PROTO_v2_RESERVED, &empty_chunk, +- v2N_NO_PPK_AUTH, &pst->st_no_ppk_auth, +- &e_pbs_cipher)) +- return STF_INTERNAL_ERROR; ++ if (!LIN(POLICY_PPK_INSIST, cc->policy)) { ++ ikev2_calc_no_ppk_auth(cc, pst, idhash_npa, &pst->st_no_ppk_auth); ++ if (!ship_v2N(ISAKMP_NEXT_v2NONE, ISAKMP_PAYLOAD_NONCRITICAL, ++ PROTO_v2_RESERVED, &empty_chunk, ++ v2N_NO_PPK_AUTH, &pst->st_no_ppk_auth, ++ &e_pbs_cipher)) ++ return STF_INTERNAL_ERROR; ++ } + } + + passert(notifies == 0); +diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_ppk.c libreswan-3.23/programs/pluto/ikev2_ppk.c +--- libreswan-3.23-orig/programs/pluto/ikev2_ppk.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/ikev2_ppk.c 2018-02-05 14:39:11.173190188 -0500 +@@ -113,7 +113,24 @@ + enum keyword_authby authby = c->spd.this.authby; + switch (authby) { + case AUTH_RSASIG: +- /* TODO */ ++ if (ikev2_calculate_rsa_sha1(st, st->st_original_role, id_hash, NULL, TRUE, no_ppk_auth)) { ++ if (st->st_hash_negotiated & 
NEGOTIATE_AUTH_HASH_SHA1) { ++ /* make blobs separately, and somehow combine them and no_ppk_auth ++ * to get an actual no_ppk_auth */ ++ int len = ASN1_LEN_ALGO_IDENTIFIER + ASN1_SHA1_RSA_OID_SIZE + no_ppk_auth->len; ++ u_char *blobs = alloc_bytes(len, "bytes for blobs for AUTH_DIGSIG NO_PPK_AUTH"); ++ u_char *ret = blobs; ++ memcpy(blobs, len_sha1_rsa_oid_blob, ASN1_LEN_ALGO_IDENTIFIER); ++ blobs += ASN1_LEN_ALGO_IDENTIFIER; ++ memcpy(blobs, sha1_rsa_oid_blob, ASN1_SHA1_RSA_OID_SIZE); ++ blobs += ASN1_SHA1_RSA_OID_SIZE; ++ memcpy(blobs, no_ppk_auth->ptr, no_ppk_auth->len); ++ chunk_t release = *no_ppk_auth; ++ setchunk(*no_ppk_auth, ret, len); ++ freeanychunk(release); ++ } ++ } ++ return STF_OK; + break; + case AUTH_PSK: + if (ikev2_create_psk_auth(AUTH_PSK, st, id_hash, NULL, TRUE, no_ppk_auth)) +diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_rsa.c libreswan-3.23/programs/pluto/ikev2_rsa.c +--- libreswan-3.23-orig/programs/pluto/ikev2_rsa.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/ikev2_rsa.c 2018-02-05 14:39:11.173190188 -0500 +@@ -101,7 +101,9 @@ + bool ikev2_calculate_rsa_sha1(struct state *st, + enum original_role role, + unsigned char *idhash, +- pb_stream *a_pbs) ++ pb_stream *a_pbs, ++ bool calc_no_ppk_auth, ++ chunk_t *no_ppk_auth) + { + unsigned char signed_octets[SHA1_DIGEST_SIZE + 16]; + size_t signed_len; +@@ -136,8 +138,13 @@ + if (shr == 0) + return FALSE; + passert(shr == (int)sz); +- if (!out_raw(sig_val, sz, a_pbs, "rsa signature")) +- return FALSE; ++ if (calc_no_ppk_auth == FALSE) { ++ if (!out_raw(sig_val, sz, a_pbs, "rsa signature")) ++ return FALSE; ++ } else { ++ clonetochunk(*no_ppk_auth, sig_val, sz, "NO_PPK_AUTH chunk"); ++ DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH payload", *no_ppk_auth)); ++ } + } + + return TRUE; +diff -Naur libreswan-3.23-orig/programs/pluto/nss_cert_verify.c libreswan-3.23/programs/pluto/nss_cert_verify.c +--- libreswan-3.23-orig/programs/pluto/nss_cert_verify.c 2018-01-25 
15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/nss_cert_verify.c 2018-02-05 14:38:52.685418927 -0500 +@@ -498,60 +498,83 @@ + + bool cert_VerifySubjectAltName(const CERTCertificate *cert, const char *name) + { +- SECStatus rv; + SECItem subAltName; +- PLArenaPool *arena = NULL; +- CERTGeneralName *nameList = NULL; +- CERTGeneralName *current = NULL; +- bool san_ip = FALSE; +- unsigned int len = strlen(name); +- ip_address myip; +- +- rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, ++ SECStatus rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, + &subAltName); + if (rv != SECSuccess) { + DBG(DBG_X509, DBG_log("certificate contains no subjectAltName extension")); + return FALSE; + } + +- if (tnatoaddr(name, 0, AF_UNSPEC, &myip) == NULL) +- san_ip = TRUE; ++ ip_address myip; ++ bool san_ip = (tnatoaddr(name, 0, AF_UNSPEC, &myip) == NULL); + +- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); ++ PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + passert(arena != NULL); + +- nameList = current = CERT_DecodeAltNameExtension(arena, &subAltName); +- passert(current != NULL); ++ CERTGeneralName *nameList = CERT_DecodeAltNameExtension(arena, &subAltName); + +- do +- { ++ if (nameList == NULL) { ++ loglog(RC_LOG_SERIOUS, "certificate subjectAltName extension failed to decode"); ++ PORT_FreeArena(arena, PR_FALSE); ++ return FALSE; ++ } ++ ++ /* ++ * nameList is a pointer into a non-empty circular linked list. ++ * This loop visits each entry. ++ * We have visited each when we come back to the start. ++ * We test only at the end, after we advance, because we want to visit ++ * the first entry the first time we see it but stop when we get to it ++ * the second time. 
++ */ ++ CERTGeneralName *current = nameList; ++ do { + switch (current->type) { + case certDNSName: + case certRFC822Name: +- if (san_ip) +- break; +- if (current->name.other.len == len) { +- if (memcmp(current->name.other.data, name, len) == 0) { +- DBG(DBG_X509, DBG_log("subjectAltname %s found in certificate", name)); +- PORT_FreeArena(arena, PR_FALSE); +- return TRUE; +- } +- } ++ { ++ /* ++ * Match the parameter name with the name in the certificate. ++ * The name in the cert may start with "*."; that will match ++ * any initial component in name (up to the first '.'). ++ */ ++ /* we need to cast because name.other.data is unsigned char * */ ++ const char *c_ptr = (const void *) current->name.other.data; ++ size_t c_len = current->name.other.len; ++ ++ const char *n_ptr = name; ++ static const char wild[] = "*."; ++ const size_t wild_len = sizeof(wild) - 1; ++ ++ if (c_len > wild_len && startswith(c_ptr, wild)) { ++ /* wildcard in cert: ignore first component of name */ ++ c_ptr += wild_len; ++ c_len -= wild_len; ++ n_ptr = strchr(n_ptr, '.'); ++ if (n_ptr == NULL) ++ break; /* cannot match */ + +- if (current->name.other.len != 0 && current->name.other.len < IDTOA_BUF) { +- char osan[IDTOA_BUF]; ++ n_ptr++; /* skip . */ ++ } + +- memcpy(osan,current->name.other.data, current->name.other.len); +- osan[current->name.other.len] = '\0'; +- DBG(DBG_X509, DBG_log("subjectAltname (len=%d) %s not match %s", current->name.other.len, osan, name)); +- } else { +- DBG(DBG_X509, DBG_log("subjectAltname does not match %s", name)); ++ if (c_len == strlen(n_ptr) && strncaseeq(n_ptr, c_ptr, c_len)) { ++ /* ++ * ??? if current->name.other.data contains bad characters, ++ * what prevents them being logged? 
++ */ ++ DBG(DBG_X509, DBG_log("subjectAltname %s matched %*s in certificate", ++ name, current->name.other.len, current->name.other.data)); ++ PORT_FreeArena(arena, PR_FALSE); ++ return TRUE; + } + break; ++ } + + case certIPAddress: + if (!san_ip) + break; ++ + if ((current->name.other.len == 4) && (addrtypeof(&myip) == AF_INET)) { + if (memcmp(current->name.other.data, &myip.u.v4.sin_addr.s_addr, 4) == 0) { + DBG(DBG_X509, DBG_log("subjectAltname IPv4 matches %s", name)); +@@ -572,7 +595,7 @@ + break; + } + } +- DBG(DBG_X509, DBG_log("subjectAltnamea IP address family mismatch for %s", name)); ++ DBG(DBG_X509, DBG_log("subjectAltname IP address family mismatch for %s", name)); + break; + + default: +diff -Naur libreswan-3.23-orig/programs/_unbound-hook/_unbound-hook.in libreswan-3.23/programs/_unbound-hook/_unbound-hook.in +--- libreswan-3.23-orig/programs/_unbound-hook/_unbound-hook.in 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/_unbound-hook/_unbound-hook.in 2018-02-05 14:38:49.373280754 -0500 +@@ -1,31 +1,52 @@ + #!/usr/bin/python ++# ++# Copyright (C) 2018 Paul Wouters ++# ++# This program is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 2 of the License, or (at your ++# option) any later version. See . ++# ++# This program is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ++# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++# for more details. 
+ + import sys +-import base64 +-import commands ++import subprocess + +-log = "" +- +-status, myip = commands.getstatusoutput("ip -o route get 1.0.0.1") ++# Get my %defaultroute IP address ++myip = subprocess.check_output("ip -o route get 8.8.8.8", shell=True) + myip = myip.split("src")[1].strip().split()[0] + + argv = sys.argv +-argc = len(sys.argv) ++ourself = argv.pop(0) + +-#log += "Number or arguments is %d\n"%argc +-#if argc >= 4: +-# log += "QNAME:%s\n"%argv[1] +-# log += "TTL:%s\n"%argv[2] +-# log += "IP:%s\n"%argv[3] +-# log += "IPSECKEY:%s\n"%argv[4] +-# rr = argv[4] +-# pref, gwtype, algo, gw, pubkey = rr.split(" ") +-#log += "-----------------------------\n" +- +-cmdname = "@IPSEC_EXECDIR@/whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(argv[1], pubkey) +-cmdip = "@IPSEC_EXECDIR@/whack --keyid %s --addkey --pubkeyrsa 0s%s"%(argv[3], pubkey) +-cmdoe = "@IPSEC_EXECDIR@/whack --oppohere %s --oppothere %s"%(myip, argv[3]) +-ret, output = commands.getstatusoutput(cmdname) +-ret, output = commands.getstatusoutput(cmdip) +-ret, output = commands.getstatusoutput(cmdoe) +-ret, output = commands.getstatusoutput("@IPSEC_EXECDIR@ whack --trafficstatus") ++try: ++ qname = argv.pop(0) ++ ttl = argv.pop(0) ++ ip = argv.pop(0) ++except: ++ sys.exit("Bad arguments to ipsec _unbound") ++ ++while (argv != []): ++ try: ++ gwprec = argv.pop(0) ++ gwtype = argv.pop(0) ++ gwalg = argv.pop(0) ++ gwid = argv.pop(0) ++ pubkey = argv.pop(0) ++ addkeyip = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(ip, pubkey) ++ addkeyhostname = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(qname, pubkey) ++ print("processing an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip)) ++ print(subprocess.call(addkeyip, shell=True)) ++ print(subprocess.call(addkeyhostname, shell=True)) ++ except: ++ sys.exit("failed to process an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip)) ++ ++# done injecting all IPSECKEY records into pluto - try actual OE now ++cmdoeip = 
"ipsec whack --oppohere %s --oppothere %s"%(myip, ip) ++print(subprocess.check_output(cmdoeip, shell=True)) ++#cmdoeqname = "ipsec whack --oppohere %s --oppothere %s"%(myip, qname) ++#ret, output = commands.getstatusoutput(cmdoeqname) ++print(subprocess.check_output("ipsec whack --trafficstatus", shell=True)) +diff --git a/include/ietf_constants.h b/include/ietf_constants.h +index 8a1ba5d..38fa4de 100644 +--- a/include/ietf_constants.h ++++ b/include/ietf_constants.h +@@ -1215,7 +1215,7 @@ enum ikev2_cp_attribute_type { + IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO = 23, + IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK = 24, + IKEv2_INTERNAL_DNS_DOMAIN = 25, +- /* IKEv2_INTERNAL_DNSSEC_TA = 26 expected */ ++ IKEv2_INTERNAL_DNSSEC_TA = 26 + }; + + +diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c +index 9ea9872..ab6db3e 100644 +--- a/lib/libswan/constants.c ++++ b/lib/libswan/constants.c +@@ -1365,13 +1365,12 @@ static const char *const ikev2_cp_attribute_type_name[] = { + "IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO", /* 3gpp */ + "IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK", /* 3gpp */ + "IKEv2_INTERNAL_DNS_DOMAIN", /* draft-ietf-ipsecme-split-dns */ +- /* "IKEv2_INTERNAL_DNSSEC_TA", draft-ietf-ipsecme-split-dns, no Code Point yet */ ++ "IKEv2_INTERNAL_DNSSEC_TA", /* draft-ietf-ipsecme-split-dns */ + }; + + enum_names ikev2_cp_attribute_type_names = { + IKEv2_CP_ATTR_RESERVED, +- IKEv2_INTERNAL_DNS_DOMAIN, +- /* IKEv2_INTERNAL_DNSSEC_TA, */ ++ IKEv2_INTERNAL_DNSSEC_TA, + ARRAY_REF(ikev2_cp_attribute_type_name), + NULL, /* prefix */ + NULL +diff --git a/programs/addconn/addconn.c b/programs/addconn/addconn.c +index ae56972..e818e0e 100644 +--- a/programs/addconn/addconn.c ++++ b/programs/addconn/addconn.c +@@ -416,12 +416,11 @@ int main(int argc, char *argv[]) + if (verbose) + printf(" Pass #1: Loading auto=add, auto=route and auto=start connections\n"); + +- for (conn = cfg->conns.tqh_first; +- conn != NULL; +- conn = conn->link.tqe_next) { ++ for (conn = cfg->conns.tqh_first; 
conn != NULL; conn = conn->link.tqe_next) { + if (conn->desired_state == STARTUP_ADD || + conn->desired_state == STARTUP_ONDEMAND || +- conn->desired_state == STARTUP_START) { ++ conn->desired_state == STARTUP_START) ++ { + if (verbose) + printf(" %s", conn->name); + resolve_defaultroute(conn); +@@ -436,30 +435,22 @@ int main(int argc, char *argv[]) + starter_whack_listen(cfg); + + if (verbose) +- printf(" Pass #2: Routing auto=route and auto=start connections\n"); ++ printf(" Pass #2: Routing auto=route connections\n"); + +- for (conn = cfg->conns.tqh_first; +- conn != NULL; +- conn = conn->link.tqe_next) { +- if (conn->desired_state == STARTUP_ADD || +- conn->desired_state == STARTUP_ONDEMAND || +- conn->desired_state == STARTUP_START) { ++ for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) { ++ if (conn->desired_state == STARTUP_ONDEMAND) ++ { + if (verbose) + printf(" %s", conn->name); +- resolve_defaultroute(conn); +- if (conn->desired_state == STARTUP_ONDEMAND || +- conn->desired_state == STARTUP_START) { ++ if (conn->desired_state == STARTUP_ONDEMAND) + starter_whack_route_conn(cfg, conn); +- } + } + } + + if (verbose) + printf(" Pass #3: Initiating auto=start connections\n"); + +- for (conn = cfg->conns.tqh_first; +- conn != NULL; +- conn = conn->link.tqe_next) { ++ for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) { + if (conn->desired_state == STARTUP_START) { + if (verbose) + printf(" %s", conn->name); +diff --git a/programs/_updown.netkey/_updown.netkey.in b/programs/_updown.netkey/_updown.netkey.in +index 64b2808..b343445 100644 +--- a/programs/_updown.netkey/_updown.netkey.in ++++ b/programs/_updown.netkey/_updown.netkey.in +@@ -745,6 +745,7 @@ case "${PLUTO_VERB}" in + up-client) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. ++ addvtiiface + updateresolvconf + addcat + addsource 
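Review bot: In the `_unbound-hook.in` part of this patch, `qname`, `ip` and `pubkey` are popped from the hook's arguments and formatted with `%` into strings that run through `subprocess.call(..., shell=True)`, so any shell metacharacter in those values is interpreted by the shell; they presumably originate from DNS answers and should be treated as untrusted. Passing an argument vector avoids the shell altogether, e.g. `subprocess.call(["ipsec", "whack", "--keyid", "@" + ip, "--addkey", "--pubkeyrsa", "0s" + pubkey])`, and the same applies to the `--oppohere`/`--oppothere` call built from `myip` and `ip`. Separately, in `cert_VerifySubjectAltName` the new `DBG_log` prints `current->name.other.data` with `%*s`, which sets a minimum field width rather than a length limit. The removed code added the terminator itself before logging, so the SAN bytes are presumably not NUL-terminated and the read can run past them. `%.*s` with `(int)current->name.other.len` bounds it.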
diff --git a/libreswan-3.23-gcc8.patch b/libreswan-3.23-gcc8.patch new file mode 100644 index 0000000..10adc15 --- /dev/null +++ b/libreswan-3.23-gcc8.patch 
@@ -0,0 +1,64 @@ +diff -Naur libreswan-3.23-orig/programs/pluto/kernel_netlink.c libreswan-3.23/programs/pluto/kernel_netlink.c +--- libreswan-3.23-orig/programs/pluto/kernel_netlink.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/kernel_netlink.c 2018-02-19 18:07:08.654780313 -0500 +@@ -51,8 +51,9 @@ + #include + #include + +-#include "libreswan.h" /* before xfrm.h otherwise break on F22 */ ++//#include + #include "linux/xfrm.h" /* local (if configured) or system copy */ ++#include "libreswan.h" /* before xfrm.h otherwise break on F22 */ + + #include "libreswan/pfkeyv2.h" + #include "libreswan/pfkey.h" +diff -Naur libreswan-3.23-orig/programs/pluto/linux_audit.c libreswan-3.23/programs/pluto/linux_audit.c +--- libreswan-3.23-orig/programs/pluto/linux_audit.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/linux_audit.c 2018-02-19 18:07:08.654780313 -0500 +@@ -74,6 +74,15 @@ + + #include "pluto_stats.h" + ++#if __GNUC__ >= 7 ++ /* ++ * GCC 7+ warns about the following calls that truncate a string using ++ * snprintf(). We are truncating the log message for a reason. 
++ */ ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wformat-truncation" ++#endif ++ + static bool log_to_audit = FALSE; /* audit log messages for kernel */ + + void linux_audit_init(void) +@@ -300,3 +309,6 @@ + AUDIT_CRYPTO_IPSEC_SA : AUDIT_CRYPTO_IKE_SA, + audit_str, raddr, AUDIT_RESULT_OK); + } ++#if __GNUC__ >= 7 ++#pragma GCC diagnostic pop ++#endif +diff -Naur libreswan-3.23-orig/programs/pluto/log.h libreswan-3.23/programs/pluto/log.h +--- libreswan-3.23-orig/programs/pluto/log.h 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/log.h 2018-02-19 18:07:08.655780307 -0500 +@@ -154,7 +154,7 @@ + + #ifdef USE_LINUX_AUDIT + #include /* from audit-libs devel */ +-#define AUDIT_LOG_SIZE 256 ++#define AUDIT_LOG_SIZE 512 + /* should really be in libaudit.h */ + #define AUDIT_RESULT_FAIL 0 + #define AUDIT_RESULT_OK 1 +diff -Naur libreswan-3.23-orig/programs/pluto/pluto_constants.c libreswan-3.23/programs/pluto/pluto_constants.c +--- libreswan-3.23-orig/programs/pluto/pluto_constants.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/pluto_constants.c 2018-02-19 18:08:22.359413451 -0500 +@@ -478,7 +478,7 @@ + policy & + ~(POLICY_SHUNT_MASK | POLICY_FAIL_MASK), + pbitnamesbuf, sizeof(pbitnamesbuf)); +- static char buf[200]; /* NOT RE-ENTRANT! I hope that it is big enough! */ ++ static char buf[512]; /* NOT RE-ENTRANT! I hope that it is big enough! */ + lset_t shunt = (policy & POLICY_SHUNT_MASK) >> POLICY_SHUNT_SHIFT; + lset_t fail = (policy & POLICY_FAIL_MASK) >> POLICY_FAIL_SHIFT; + diff --git a/libreswan-3.23-ppk-update.patch b/libreswan-3.23-ppk-update.patch new file mode 100644 index 0000000..fe9d9fb --- /dev/null +++ b/libreswan-3.23-ppk-update.patch 
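Review bot: The `#pragma GCC diagnostic ignored "-Wformat-truncation"` in `linux_audit.c` is pushed before `log_to_audit` and popped only at the end of the file, so it silences the warning for every `snprintf()` in between, not just the calls that truncate on purpose. These strings are passed on as audit records, so I would keep the warning on and make the intended truncation explicit at those calls by checking the return value, or at least narrow the push/pop to the functions that need it. The functions themselves are outside the hunk, so the exact calls cannot be named from here. In `kernel_netlink.c` the comment `/* before xfrm.h otherwise break on F22 */` now sits on an include that comes after `linux/xfrm.h`, and the stray `//#include` line should be dropped or explained.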
@@ -0,0 +1,116 @@ +diff --git a/include/ietf_constants.h b/include/ietf_constants.h +index 38fa4de..08c8d9e 100644 +--- a/include/ietf_constants.h ++++ b/include/ietf_constants.h +@@ -1486,12 +1486,14 @@ typedef enum { + v2N_SENDER_REQUEST_ID = 16429, /* draft-yeung-g-ikev2 */ + v2N_IKEV2_FRAGMENTATION_SUPPORTED = 16430, /* RFC-7383 */ + v2N_SIGNATURE_HASH_ALGORITHMS = 16431, /* RFC-7427 */ +- +- v2N_USE_PPK = 40960, /* draft-ietf-ipsecme-qr-ikev2-01 */ +- v2N_PPK_IDENTITY = 40961, /* draft-ietf-ipsecme-qr-ikev2-01 */ +- v2N_NO_PPK_AUTH = 40962, /* draft-ietf-ipsecme-qr-ikev2-01 */ +- +- /* 16432 - 40969 Unassigned */ ++ v2N_CLONE_IKE_SA_SUPPORTED = 16432, /* RFC-7791 */ ++ v2N_CLONE_IKE_SA = 16433, /* RFC-7791 */ ++ v2N_PUZZLE = 16434, /* RFC-8019 */ ++ v2N_USE_PPK = 16435, /* draft-ietf-ipsecme-qr-ikev2 */ ++ v2N_PPK_IDENTITY = 16436, /* draft-ietf-ipsecme-qr-ikev2 */ ++ v2N_NO_PPK_AUTH = 16437, /* draft-ietf-ipsecme-qr-ikev2 */ ++ ++ /* 16438 - 40969 Unassigned */ + /* 40960 - 65535 Private Use */ + } v2_notification_t; + +diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c +index ab6db3e..a0dab63 100644 +--- a/lib/libswan/constants.c ++++ b/lib/libswan/constants.c +@@ -1634,20 +1634,6 @@ static enum_names ikev2_ppk_id_type_names = { + }; + */ + +-static const char *const ikev2_notify_name_private[] = { +- "v2N_USE_PPK", +- "v2N_PPK_IDENTITY", +- "v2N_NO_PPK_AUTH", +-}; +- +-static enum_names ikev2_notify_names_private = { +- v2N_USE_PPK, +- v2N_NO_PPK_AUTH, +- ARRAY_REF(ikev2_notify_name_private), +- "v2N_", /* prefix */ +- NULL +-}; +- + /* http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xml#ikev2-parameters-13 */ + static const char *const ikev2_notify_name_16384[] = { + "v2N_INITIAL_CONTACT", /* 16384 */ +@@ -1698,14 +1684,20 @@ static const char *const ikev2_notify_name_16384[] = { + "v2N_SENDER_REQUEST_ID", + "v2N_IKEV2_FRAGMENTATION_SUPPORTED", /* 16430 */ + "v2N_SIGNATURE_HASH_ALGORITHMS", ++ "v2N_CLONE_IKE_SA_SUPPORTED", ++ 
"v2N_CLONE_IKE_SA", ++ "v2N_PUZZLE", ++ "v2N_USE_PPK", /* 16435 */ ++ "v2N_PPK_IDENTITY", ++ "v2N_NO_PPK_AUTH", + }; + + static enum_names ikev2_notify_names_16384 = { + v2N_INITIAL_CONTACT, +- v2N_SIGNATURE_HASH_ALGORITHMS, ++ v2N_NO_PPK_AUTH, + ARRAY_REF(ikev2_notify_name_16384), + "v2N_", /* prefix */ +- &ikev2_notify_names_private ++ NULL + }; + + static const char *const ikev2_notify_name[] = { +diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c +index 258ba85..b86eea8 100644 +--- a/programs/pluto/ikev2_parent.c ++++ b/programs/pluto/ikev2_parent.c +@@ -3749,18 +3749,14 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md) + break; + } + +- if (LIN(POLICY_PPK_ALLOW, policy)) { +- no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH"); ++ no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH"); + +- if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) { +- loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len); +- return STF_FATAL; +- } +- DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth)); +- st->st_no_ppk_auth = no_ppk_auth; +- } else { +- libreswan_log("ignored received NO_PPK_AUTH - connection does not allow PPK"); ++ if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) { ++ loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len); ++ return STF_FATAL; + } ++ DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth)); ++ st->st_no_ppk_auth = no_ppk_auth; + break; + } + case v2N_MOBIKE_SUPPORTED: +@@ -3774,8 +3770,11 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md) + } + } + +- /* if we found proper PPK ID, we should use that without fallback to no ppk */ +- if (found_ppk) ++ /* ++ * If we found proper PPK ID and policy allows PPK, use that. 
++ * Otherwise use NO_PPK_AUTH ++ */ ++ if (found_ppk && LIN(POLICY_PPK_ALLOW, policy)) + freeanychunk(st->st_no_ppk_auth); + + if (!found_ppk && LIN(POLICY_PPK_INSIST, policy)) { diff --git a/libreswan-3.23-seccomp.patch b/libreswan-3.23-seccomp.patch new file mode 100644 index 0000000..0e3679a --- /dev/null +++ b/libreswan-3.23-seccomp.patch @@ -0,0 +1,24 @@ +diff -Naur libreswan-3.23-orig/programs/addconn/addconn.c libreswan-3.23/programs/addconn/addconn.c +--- libreswan-3.23-orig/programs/addconn/addconn.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/addconn/addconn.c 2018-02-05 14:13:25.758711788 -0500 +@@ -140,7 +140,9 @@ + rc |= S_RULE_ADD(set_robust_list); + rc |= S_RULE_ADD(set_tid_address); + rc |= S_RULE_ADD(socket); ++ rc |= S_RULE_ADD(socketcall); + rc |= S_RULE_ADD(socketpair); ++ rc |= S_RULE_ADD(stat); + rc |= S_RULE_ADD(statfs); + rc |= S_RULE_ADD(uname); + rc |= S_RULE_ADD(write); +diff -Naur libreswan-3.23-orig/programs/pluto/pluto_seccomp.c libreswan-3.23/programs/pluto/pluto_seccomp.c +--- libreswan-3.23-orig/programs/pluto/pluto_seccomp.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/pluto_seccomp.c 2018-02-05 14:13:38.390239502 -0500 +@@ -109,6 +109,7 @@ + rc |= S_RULE_ADD(set_robust_list); + rc |= S_RULE_ADD(setsockopt); + rc |= S_RULE_ADD(socket); ++ rc |= S_RULE_ADD(socketcall); + rc |= S_RULE_ADD(socketpair); + rc |= S_RULE_ADD(sysinfo); + rc |= S_RULE_ADD(uname); diff --git a/libreswan-3.5-cisco-interop.patch b/libreswan-3.5-cisco-interop.patch deleted file mode 100644 index 6c43595..0000000 --- a/libreswan-3.5-cisco-interop.patch +++ /dev/null 
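Review bot: In `ikev2_parent_inI2outR2_id_tail` the NO_PPK_AUTH chunk is now allocated whether or not the connection allows PPK, and two paths on the new side lose it. The `in_raw()` failure returns `STF_FATAL` without freeing `no_ppk_auth`, and `st->st_no_ppk_auth = no_ppk_auth;` overwrites whatever an earlier notify in the same message may have stored. Since `len` and the number of notifies come from the peer, I would free on the error path and release the old chunk before the assignment, `freeanychunk(st->st_no_ppk_auth); st->st_no_ppk_auth = no_ppk_auth;`. The notify loop and the computation of `len` are outside the hunk, so a bound or a duplicate check may already exist there.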
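Review bot: `socketcall` is the multiplexed entry point for the socket family on some 32-bit architectures, so adding it to both allowlists permits every socket operation there, including ones that have no `S_RULE_ADD()` of their own. A comment next to the new rules should record that this is intended, e.g. `/* socketcall: 32-bit multiplexer, implicitly allows all socket operations */`. `stat` is added for addconn only; if pluto was left out on purpose, a word on that would help whoever next debugs a seccomp kill. Both rule lists start and end outside the hunks.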
@@ -1,44 +0,0 @@ -commit 08f735e881d314f5b38b55cbc8a9d7abdb9b18f8 -Author: Paul Wouters -Date: Sun Jul 14 13:27:39 2013 -0400 - - pluto: work around for Cisco VPN clients sending extraneous bytes - -diff --git a/programs/pluto/demux.c b/programs/pluto/demux.c -index cc4be99..1ae2f40 100644 ---- a/programs/pluto/demux.c -+++ b/programs/pluto/demux.c -@@ -146,12 +146,29 @@ void process_packet(struct msg_digest **mdp) - } - } - -- if (md->packet_pbs.roof != md->message_pbs.roof) { -+ if (md->packet_pbs.roof < md->message_pbs.roof) { - libreswan_log( -- "size (%u) differs from size specified in ISAKMP HDR (%u)", -- (unsigned) pbs_room( -- &md->packet_pbs), md->hdr.isa_length); -+ "received packet size (%u) is smaller than from " -+ "size specified in ISAKMP HDR (%u) - packet dropped", -+ (unsigned) pbs_room(&md->packet_pbs), -+ md->hdr.isa_length); -+ /* abort processing corrupt packet */ - return; -+ } else if (md->packet_pbs.roof > md->message_pbs.roof) { -+ /* -+ * Some (old?) versions of the Cisco VPN client send an additional -+ * 16 bytes of zero bytes - Complain but accept it -+ */ -+ DBG(DBG_CONTROL, { -+ DBG_log( -+ "size (%u) in received packet is larger than the size " -+ "specified in ISAKMP HDR (%u) - ignoring extraneous bytes", -+ (unsigned) pbs_room(&md->packet_pbs), -+ md->hdr.isa_length); -+ DBG_dump("extraneous bytes:", md->message_pbs.roof, -+ md->packet_pbs.roof - md->message_pbs.roof); -+ /* continue */ -+ }); - } - - maj = (md->hdr.isa_version >> ISA_MAJ_SHIFT); diff --git a/libreswan.spec b/libreswan.spec index e08e758..fe79170 100644 --- a/libreswan.spec +++ b/libreswan.spec 
@@ -22,7 +22,7 @@ Name: libreswan Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols # version is generated in the release script Version: 3.23 -Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}.1 +Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist} License: GPLv2 Url: https://libreswan.org/ Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz @@ -31,6 +31,13 @@ Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2 Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2 +Patch1: libreswan-3.23-seccomp.patch +Patch2: libreswan-3.23-fixups.patch +Patch3: libreswan-3.23-ppk-update.patch +Patch4: libreswan-3.23-crypto-policies.patch +Patch5: libreswan-3.23-gcc8.patch + + %endif Group: System Environment/Daemons BuildRequires: bison flex pkgconfig @@ -98,6 +105,11 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %prep %setup -q -n libreswan-%{version}%{?prever} sed -i "s:/usr/bin/python:/usr/bin/python3:" programs/verify/verify.in +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 %build %if %{buildefence} @@ -179,6 +191,9 @@ make \ FS=$(pwd) rm -rf %{buildroot}/usr/share/doc/libreswan +# enable crypto-policies support +sed -i "s:# include\(.*\)/crypto-policies/back-ends/libreswan.config:include\1:" %{buildroot}/%{_sysconfdir}/ipsec.conf + install -d -m 0700 %{buildroot}%{_localstatedir}/run/pluto # used when setting --perpeerlog without --perpeerlogbase install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer 
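Review bot: The new `Patch1:` to `Patch5:` tags are inserted above the `%endif` that closes the block holding the cavs `Source1`–`Source3` lines, while the matching `%patch1 -p1` to `%patch5 -p1` lines in `%prep` are unconditional. The opening `%if` is outside the hunk, but if that condition is ever false the patch tags are not defined and `%prep` fails. Moving the five `PatchN:` lines below `%endif` keeps them independent of the test-vector switch.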
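Review bot: The `sed` added under `# enable crypto-policies support` looks for a commented `# include .../crypto-policies/back-ends/libreswan.config` line, but the crypto-policies patch in this same commit adds that include to `ipsec.conf.in` uncommented, so the expression matches nothing. If it ever did match, the replacement `include\1` keeps only the captured prefix and drops `/crypto-policies/back-ends/libreswan.config`, leaving a broken include. Either remove the `sed`, or capture the whole directive: `sed -i "s:^# *\(include .*/crypto-policies/back-ends/libreswan.config\):\1:"`.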
@@ -256,6 +271,11 @@ OBJ.linux.%{_arch}/programs/cavp/cavp -v1psk ikev1_psk.fax | \ %endif %changelog +* Mon Feb 19 2018 Paul Wouters - 3.23-2 +- Support crypto-policies package +- Pull in some patches from upstream and IANA registry updates +- gcc7 format-truncate fixes and workarounds + * Wed Feb 07 2018 Fedora Release Engineering - 3.23-1.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild