rpms/libreswan
5
0
Fork 0
Code Issues Pull Requests Releases Activity

* Mon Feb 19 2018 Paul Wouters <pwouters@redhat.com> - 3.23-2

Browse Source 
- Support crypto-policies package
- Pull in some patches from upstream and IANA registry updates
- gcc7 format-truncate fixes and workarounds
This commit is contained in:
Paul Wouters 2018-02-19 18:13:58 -05:00
parent 21239f49d4
commit f9eee4360c
14 changed files with 798 additions and 594 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
libreswan-3.10-autoroute.patch
View File

@ -1,80 +0,0 @@
commit dded96917330dc7726d2520ef74deff710ed7673
Author: Paul Wouters <pwouters@redhat.com>
Date: Mon Sep 8 20:38:32 2014 -0400
addconn: routing should happen after listen (bug introduced in 3.10)
This caused auto=route (auto=ondemand) connections to not load properly,
because pluto wasn't listening yet so these connections could not orient.
diff --git a/programs/addconn/addconn.c b/programs/addconn/addconn.c
index 5961a14..4c605a7 100644
--- a/programs/addconn/addconn.c
+++ b/programs/addconn/addconn.c
@@ -1,8 +1,9 @@
/*
* A program to read the configuration file and load a single conn
* Copyright (C) 2005 Michael Richardson <mcr@xelerance.com>
- * Copyright (C) 2012 Paul Wouters <paul@libreswan.org>
- * Copyright (C) 2012 Kim B. Heino <b@bbbs.net>
+ * Copyright (C) 2012-2014 Paul Wouters <paul@libreswan.org>
+ * Copyright (C) 2014 D. Hugh Redelmeier <hugh@mimosa.com>
+ * Copyright (C) 2012-2013 Kim B. Heino <b@bbbs.net>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -725,19 +726,37 @@ int main(int argc, char *argv[])
conn->desired_state == STARTUP_START) {
if (verbose)
printf(" %s", conn->name);
- resolve_defaultroute(conn);
starter_whack_add_conn(cfg, conn);
}
- if (conn->desired_state == STARTUP_ONDEMAND)
- starter_whack_route_conn(cfg, conn);
}
- /* We added all connections, let pluto listen, then startup our conns */
+ /*
+ * We loaded all connections. Now tell pluto to listen,
+ * then route the conns and resolve default route.
+ */
starter_whack_listen(cfg);
if (verbose)
- printf(" Pass #2: Initiating auto=start connections\n");
+ printf(" Pass #2: Routing auto=route and auto=start connections\n");
+ for (conn = cfg->conns.tqh_first;
+ conn != NULL;
+ conn = conn->link.tqe_next) {
+ if (conn->desired_state == STARTUP_ADD ||
+ conn->desired_state == STARTUP_ONDEMAND ||
+ conn->desired_state == STARTUP_START) {
+ if (verbose)
+ printf(" %s", conn->name);
+ resolve_defaultroute(conn);
+ if (conn->desired_state == STARTUP_ONDEMAND ||
+ conn->desired_state == STARTUP_START) {
+ starter_whack_route_conn(cfg, conn);
+ }
+ }
+ }
+
+ if (verbose)
+ printf(" Pass #3: Initiating auto=start connections\n");
for (conn = cfg->conns.tqh_first;
conn != NULL;
@@ -745,10 +764,10 @@ int main(int argc, char *argv[])
if (conn->desired_state == STARTUP_START) {
if (verbose)
printf(" %s", conn->name);
- resolve_defaultroute(conn);
starter_whack_initiate_conn(cfg, conn);
}
}
+
if (verbose)
printf("\n");
} else {

81
libreswan-3.10-coverity.patch
View File

@ -1,81 +0,0 @@
diff --git a/programs/pluto/ikev2_crypto.c b/programs/pluto/ikev2_crypto.c
index 58c62c8..4a305c7 100644
--- a/programs/pluto/ikev2_crypto.c
+++ b/programs/pluto/ikev2_crypto.c
@@ -65,8 +65,8 @@ void ikev2_derive_child_keys(struct state *st, enum phase1_role role)
st->st_ah.present? &st->st_ah :
NULL;
- assert(ipi != NULL); /* ESP or AH must be present */
- assert(st->st_esp.present != st->st_ah.present); /* only one */
+ passert(ipi != NULL); /* ESP or AH must be present */
+ passert(st->st_esp.present != st->st_ah.present); /* only one */
/* ??? there is no kernel_alg_ah_info */
ipi->attrs.transattrs.ei = kernel_alg_esp_info(
@@ -142,14 +142,6 @@ void ikev2_derive_child_keys(struct state *st, enum phase1_role role)
v2genbytes(&rkeymat, ipi->keymat_len,
"responder keys", &childsacalc);
- /* This should really be role == O_INITIATOR, but then our keys are
- * installed reversed. This is a workaround until we locate the
- * real problem. It's better not to release copies of our code
- * that will be incompatible with everything else, including our
- * own updated version
- * Found by Herbert Xu
- * if(role == O_INITIATOR) {
- */
if (role != O_INITIATOR) {
DBG(DBG_CRYPT, {
DBG_dump_chunk("our keymat", ikeymat);
@@ -167,4 +159,3 @@ void ikev2_derive_child_keys(struct state *st, enum phase1_role role)
}
}
-
diff --git a/programs/pluto/pluto_crypt.c b/programs/pluto/pluto_crypt.c
index 7bf3a2a..080d2a0 100644
--- a/programs/pluto/pluto_crypt.c
+++ b/programs/pluto/pluto_crypt.c
@@ -657,7 +657,7 @@ static void kill_helper(struct pluto_crypto_worker *w)
}
void log_crypto_workers(void) {
- bool first_time = TRUE;
+ static bool first_time = TRUE;
int i;
if (!first_time)
diff --git a/programs/pluto/rcv_whack.c b/programs/pluto/rcv_whack.c
index 483f34c..9c6fb11 100644
--- a/programs/pluto/rcv_whack.c
+++ b/programs/pluto/rcv_whack.c
@@ -690,7 +690,7 @@ bool whack_prompt_for(int whackfd,
return FALSE;
}
- if (strlen(ansbuf) == 0) {
+ if (n == 0) {
whack_log(RC_LOG_SERIOUS, "no %s entered, aborted", prompt2);
return FALSE;
}
diff --git a/programs/rsasigkey/rsasigkey.c b/programs/rsasigkey/rsasigkey.c
index f3f0194..d853365 100644
--- a/programs/rsasigkey/rsasigkey.c
+++ b/programs/rsasigkey/rsasigkey.c
@@ -321,7 +321,14 @@ int main(int argc, char *argv[])
device = optarg;
break;
case 'H': /* set hostname for output */
- strcpy(outputhostname, optarg);
+ {
+ size_t full_len = strlen(optarg);
+ bool oflow = sizeof(outputhostname) - 1 < full_len;
+ size_t copy_len = oflow ? sizeof(outputhostname) - 1 : full_len;
+
+ memcpy(outputhostname, optarg, copy_len);
+ outputhostname[copy_len] = '\0';
+ }
break;
case 'h': /* help */
printf("Usage:\t%s\n", usage);

21
libreswan-3.10-snprintf.patch
View File

@ -1,21 +0,0 @@
diff -Naur libreswan-3.10-orig/programs/pluto/kernel.c libreswan-3.10/programs/pluto/kernel.c
--- libreswan-3.10-orig/programs/pluto/kernel.c 2014-09-01 17:44:22.000000000 -0400
+++ libreswan-3.10/programs/pluto/kernel.c 2014-09-08 09:10:29.173718430 -0400
@@ -441,7 +441,7 @@
"PLUTO_STACK='%s' "
"%s" /* optional metric */
"%s" /* optional mtu */
- "PLUTO_ADDTIME='%lu' "
+ "PLUTO_ADDTIME='%" PRIu64 "' "
"PLUTO_CONN_POLICY='%s' "
"PLUTO_CONN_ADDRFAMILY='ipv%d' "
"XAUTH_FAILED=%d "
@@ -479,7 +479,7 @@
kernel_ops->kern_name,
metric_str,
connmtu_str,
- st == NULL ? 0 : st->st_esp.add_time,
+ (u_int64_t)(st == NULL ? 0U : st->st_esp.add_time),
prettypolicy(c->policy),
(c->addr_family == AF_INET) ? 4 : 6,
(st && st->st_xauth_soft) ? 1 : 0,

66
libreswan-3.19-configdir-compat.patch
View File

@ -1,66 +0,0 @@
diff -Naur libreswan-3.19-orig/programs/ipsec/ipsec.in libreswan-3.19/programs/ipsec/ipsec.in
--- libreswan-3.19-orig/programs/ipsec/ipsec.in 2017-01-15 14:34:34.000000000 -0500
+++ libreswan-3.19/programs/ipsec/ipsec.in 2017-02-03 17:49:07.779187770 -0500
@@ -38,7 +38,7 @@
PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
export PATH
-# supress ElectricFence banner changing our reference testing output
+# suppress ElectricFence banner changing our reference testing output
export EF_DISABLE_BANNER=1
# things not to be listed in --help command list
@@ -216,10 +216,14 @@
# A lot of nss commands use -d to specify NSS db location.
# We use --nssdir.
if [ "${2}" = "-d" -o \
+ "${2}" = "--configdir" -o \
"${2}" = "--nssdir" ]
then
if [ -d "${3}" ]; then
IPSEC_NSSDIR="${3}"
+ if [ "${2}" = "--configdir" ]; then
+ echo "ipsec import warning: --configdir is obsoleted, use --nssdir" >&2
+ fi
else
echo "usage: ipsec import [--nssdir ${IPSEC_NSSDIR}] /path/to/pkcs.12" >&2
exit 1
@@ -251,10 +255,14 @@
# A lot of nss commands use -d to specify NSS db location.
# We use --nssdir.
if [ "${2}" = "-d" -o \
+ "${2}" = "--configdir" -o \
"${2}" = "--nssdir" ]
then
IPSEC_NSSDIR="${3}"
IPSEC_NSSDIR_SQL="sql:${IPSEC_NSSDIR}"
+ if [ "${2}" = "--configdir" ]; then
+ echo "ipsec initnss warning: --configdir is obsoleted, use --nssdir" >&2
+ fi
else
echo "usage: ipsec initnss [--nssdir ${IPSEC_NSSDIR}]" >&2
exit 1
diff -Naur libreswan-3.19-orig/programs/newhostkey/newhostkey.in libreswan-3.19/programs/newhostkey/newhostkey.in
--- libreswan-3.19-orig/programs/newhostkey/newhostkey.in 2017-01-15 14:34:34.000000000 -0500
+++ libreswan-3.19/programs/newhostkey/newhostkey.in 2017-02-03 17:49:16.131142346 -0500
@@ -54,7 +54,7 @@
exit 0
;;
--random)
- echo "$me warning: --random is obsoleted, using --seeddev"
+ echo "$me warning: --random is obsoleted, using --seeddev" >&2
seeddev="--seeddev ${2}"
shift
;;
@@ -62,6 +62,11 @@
seeddev="--seeddev ${2}"
shift
;;
+ --configdir)
+ echo "$me warning: --configdir is obsoleted, use --nssdir" >&2
+ nssdir="${2}"
+ shift
+ ;;
--nssdir)
nssdir="${2}"
shift

78
libreswan-3.19-suppress_delete.patch
View File

@ -1,78 +0,0 @@
diff -Naur libreswan-3.19-orig/programs/pluto/connections.c libreswan-3.19/programs/pluto/connections.c
--- libreswan-3.19-orig/programs/pluto/connections.c 2017-01-15 14:34:34.000000000 -0500
+++ libreswan-3.19/programs/pluto/connections.c 2017-02-03 17:44:29.009703914 -0500
@@ -4334,3 +4334,27 @@
unroute_connection(c); /* --unroute */
}
}
+
+/*
+ * When replacing an old existing connection, suppress sending delete notify
+ */
+void suppress_delete(struct connection *c)
+{
+ struct state *pst = state_with_serialno(c->newest_isakmp_sa);
+ struct state *cst = state_with_serialno(c->newest_ipsec_sa);
+ if (pst != NULL) {
+ pst->st_ikev2_no_del = TRUE;
+ DBG(DBG_CONTROL, DBG_log("Marked IKE state #%lu to suppress sending delete notify",
+ c->newest_isakmp_sa));
+ } else {
+ libreswan_log("did not find old IKE state to mark for suppressing delete");
+ }
+
+ if (cst != NULL) {
+ cst->st_ikev2_no_del = TRUE;
+ DBG(DBG_CONTROL, DBG_log("Marked IPSEC state #%lu to suppress sending delete notify",
+ c->newest_ipsec_sa));
+ } else {
+ libreswan_log("did not find old IPsec state to mark for suppressing delete");
+ }
+}
diff -Naur libreswan-3.19-orig/programs/pluto/connections.h libreswan-3.19/programs/pluto/connections.h
--- libreswan-3.19-orig/programs/pluto/connections.h 2017-01-15 14:34:34.000000000 -0500
+++ libreswan-3.19/programs/pluto/connections.h 2017-02-03 17:44:29.009703914 -0500
@@ -383,6 +383,7 @@
extern void terminate_connection(const char *name);
extern void release_connection(struct connection *c, bool relations);
extern void delete_connection(struct connection *c, bool relations);
+extern void suppress_delete(struct connection *c);
extern void delete_connections_by_name(const char *name, bool strict);
extern void delete_every_connection(void);
extern char *add_group_instance(struct connection *group,
diff -Naur libreswan-3.19-orig/programs/pluto/initiate.c libreswan-3.19/programs/pluto/initiate.c
--- libreswan-3.19-orig/programs/pluto/initiate.c 2017-02-03 17:41:48.704575766 -0500
+++ libreswan-3.19/programs/pluto/initiate.c 2017-02-03 17:44:34.470674213 -0500
@@ -978,6 +978,7 @@
same_id(&c->spd.that.id, &d->spd.that.id)))
{
DBG(DBG_CONTROL, DBG_log("Unorienting old connection with same IDs"));
+ suppress_delete(d); /* don't send a delete */
release_connection(d, FALSE);
}
d = next;
diff -Naur libreswan-3.19-orig/programs/pluto/state.c libreswan-3.19/programs/pluto/state.c
--- libreswan-3.19-orig/programs/pluto/state.c 2017-01-15 14:34:34.000000000 -0500
+++ libreswan-3.19/programs/pluto/state.c 2017-02-03 17:44:34.471674208 -0500
@@ -880,8 +880,8 @@
}
/* tell the other side of any IPSEC SAs that are going down */
- if (IS_IPSEC_SA_ESTABLISHED(st->st_state) ||
- IS_ISAKMP_SA_ESTABLISHED(st->st_state)) {
+ if (!st->st_ikev2_no_del && (IS_IPSEC_SA_ESTABLISHED(st->st_state) ||
+ IS_ISAKMP_SA_ESTABLISHED(st->st_state))) {
if (st->st_ikev2 && IS_CHILD_SA(st) &&
state_with_serialno(st->st_clonedfrom) == NULL) {
/* ??? in v2, there must be a parent */
diff -Naur libreswan-3.19-orig/programs/pluto/state.h libreswan-3.19/programs/pluto/state.h
--- libreswan-3.19-orig/programs/pluto/state.h 2017-01-15 14:34:34.000000000 -0500
+++ libreswan-3.19/programs/pluto/state.h 2017-02-03 17:44:34.471674208 -0500
@@ -245,6 +245,7 @@
bool has_pam_thread; /* per state PAM thread flag */
bool st_ikev2; /* is this an IKEv2 state? */
+ bool st_ikev2_no_del; /* suppress sending DELETE - eg replaced conn */
bool st_rekeytov2; /* true if this IKEv1 is about
* to be replaced with IKEv2
*/

28
libreswan-3.19-testbuf.patch
View File

@ -1,28 +0,0 @@
commit 13560e2c4d340056c4381e4216c49950a350ed0b
Author: D. Hugh Redelmeier <hugh@mimosa.com>
Date: Fri Feb 3 18:16:10 2017 -0500
pluto: use %tu to format ptrdiff_t (%zu is for size_t)
diff --git a/programs/pluto/test_buffer.c b/programs/pluto/test_buffer.c
index 6f24aa1..9b4ed0b 100644
--- a/programs/pluto/test_buffer.c
+++ b/programs/pluto/test_buffer.c
@@ -66,7 +66,7 @@ chunk_t decode_hex_to_chunk(const char *original, const char *string)
buf[i] = '\0';
if (i != 2) {
loglog(RC_INTERNALERR,
- "unexpected space or NUL character at offset %zu in hex buffer \"%s\" at \"%s\"\n",
+ "unexpected space or NUL character at offset %tu in hex buffer \"%s\" at \"%s\"\n",
pos - string, string, pos);
exit_pluto(PLUTO_EXIT_NSS_FAIL);
}
@@ -74,7 +74,7 @@ chunk_t decode_hex_to_chunk(const char *original, const char *string)
chunk.ptr[chunk.len] = strtoul(buf, &end, 16);
if (end - buf != 2) {
loglog(RC_INTERNALERR,
- "invalid character at offset %zu in hex buffer \"%s\" at \"%s\"\n",
+ "invalid character at offset %tu in hex buffer \"%s\" at \"%s\"\n",
pos-string, string, pos);
exit_pluto(PLUTO_EXIT_NSS_FAIL);
}

195
libreswan-3.19-uniqueid_replace.patch
View File

@ -1,195 +0,0 @@
diff -Naur libreswan-3.19-orig/programs/configs/d.ipsec.conf/uniqueids.xml libreswan-3.19/programs/configs/d.ipsec.conf/uniqueids.xml
--- libreswan-3.19-orig/programs/configs/d.ipsec.conf/uniqueids.xml 2017-01-15 14:34:34.000000000 -0500
+++ libreswan-3.19/programs/configs/d.ipsec.conf/uniqueids.xml 2017-02-03 17:41:48.703575771 -0500
@@ -1,17 +1,20 @@
<varlistentry>
<term><emphasis remap='B'>uniqueids</emphasis></term>
<listitem>
-<para>whether a particular participant ID should be kept unique,
-with any new (automatically keyed)
-connection using an ID from a different IP address
-deemed to replace all old ones using that ID.
-Acceptable values are <emphasis remap='B'>yes</emphasis>
-(the default)
-and
-<emphasis remap='B'>no</emphasis>.
-Participant IDs normally <emphasis remap='I'>are</emphasis> unique,
-so a new (automatically-keyed) connection using the same ID is
-almost invariably intended to replace an old one.</para>
-
+<para> Whether IDs should be considered identifying remote parties
+uniquely. Acceptable values are <emphasis remap='B'>yes</emphasis> (the
+default) and <emphasis remap='B'>no</emphasis>. Participant IDs normally
+are unique, so a new connection instance using the same remote ID is
+almost invariably intended to replace an old existing connection.
+</para>
+<para> When the connection is defined to be a server (using xauthserver=)
+and the connection policy is authby=secret, this option is ignored (as
+of 3.20) and old connections will never be replaced. This situation is
+commonly known as clients using a "Group ID".
+</para>
+<para> This option may disappear in the near future. People using identical
+X.509 certificates on multiple devices are urged to upgrade to use seperate
+certificates per client and device.
+</para>
</listitem>
</varlistentry>
diff -Naur libreswan-3.19-orig/programs/pluto/ikev1_aggr.c libreswan-3.19/programs/pluto/ikev1_aggr.c
--- libreswan-3.19-orig/programs/pluto/ikev1_aggr.c 2017-01-15 14:34:34.000000000 -0500
+++ libreswan-3.19/programs/pluto/ikev1_aggr.c 2017-02-03 17:41:42.320610486 -0500
@@ -906,6 +906,9 @@
*/
set_ph1_iv_from_new(st);
DBG(DBG_CONTROL, DBG_log("phase 1 complete"));
+
+ ISAKMP_SA_established(st->st_connection, st->st_serialno);
+
#ifdef USE_LINUX_AUDIT
linux_audit_conn(st, LAK_PARENT_START);
#endif
@@ -1012,6 +1015,9 @@
*/
set_ph1_iv_from_new(st);
DBG(DBG_CONTROL, DBG_log("phase 1 complete"));
+
+ ISAKMP_SA_established(st->st_connection, st->st_serialno);
+
#ifdef USE_LINUX_AUDIT
linux_audit_conn(st, LAK_PARENT_START);
#endif
diff -Naur libreswan-3.19-orig/programs/pluto/ikev2_child.c libreswan-3.19/programs/pluto/ikev2_child.c
--- libreswan-3.19-orig/programs/pluto/ikev2_child.c 2017-01-15 14:34:34.000000000 -0500
+++ libreswan-3.19/programs/pluto/ikev2_child.c 2017-02-03 17:41:37.984634068 -0500
@@ -1271,6 +1271,9 @@
ikev2_derive_child_keys(cst, role);
+ /* Check to see if we need to release an old instance */
+ ISAKMP_SA_established(pst->st_connection, pst->st_serialno);
+
/* install inbound and outbound SPI info */
if (!install_ipsec_sa(cst, TRUE))
return STF_FATAL;
diff -Naur libreswan-3.19-orig/programs/pluto/initiate.c libreswan-3.19/programs/pluto/initiate.c
--- libreswan-3.19-orig/programs/pluto/initiate.c 2017-01-15 14:34:34.000000000 -0500
+++ libreswan-3.19/programs/pluto/initiate.c 2017-02-03 17:41:48.704575766 -0500
@@ -929,73 +929,58 @@
bool uniqueIDs = FALSE; /* --uniqueids? */
/*
- * Called by main_inI3_outR3_tail() and ikev2_child_sa_respond() which is called for
- * initiator and responder alike! So this function should not be in initiate.c.
- * It is also not called in IKEv1 Aggressive Mode!
+ * Called by IKEv1 and IKEv2 when the IKE SA is established.
+ * It checks if the freshly established connection needs is
+ * replacing an established version of itself.
+ *
+ * The use of uniqueIDs is mostly historic and might be removed
+ * in a future version. It is ignored for PSK based connections,
+ * which only act based on being a "server using PSK".
*/
void ISAKMP_SA_established(struct connection *c, so_serial_t serial)
{
c->newest_isakmp_sa = serial;
- if (uniqueIDs && !c->spd.this.xauth_server &&
- (c->policy & POLICY_AUTH_NULL) == LEMPTY) {
- /*
- * for all connections: if the same Phase 1 IDs are used
- * for different IP addresses, unorient that connection.
- * We also check ports, since different Phase 1 ID's can
- * exist for the same IP when NAT is involved.
- */
- struct connection *d;
-
- for (d = connections; d != NULL; ) {
- /* might move underneath us */
- struct connection *next = d->ac_next;
-
- /*
- * We try to find duplicate instances of same
- * connection to clean up old ones when uniqueids=yes
- *
- * We are testing for all of:
- * 1: an appropriate kind to consider
- * 2: same ids, left and right
- * 3: same address family
- * 4: same connection name
- * 5: but different IP address or port
- * 6: differing dnsnames (sort of)
- *
- * DHR (2014-10-29):
- * Is the sense of the last clause inverted?
- * The logic kind of suggests that in fact the
- * same dnsnames should be the same, not different.
- *
- * Let's make 6 clearer:
- * if BOTH have dnsnames, they must be unequal.
- *
- * I suspect that it should be:
- * if BOTH have dnsnames, they must be equal.
- *
- * In other words the streq result should be negated.
- */
- if ((d->kind == CK_PERMANENT ||
- d->kind == CK_INSTANCE ||
- d->kind == CK_GOING_AWAY) &&
- (c->name == d->name) &&
- same_id(&c->spd.this.id, &d->spd.this.id) &&
- same_id(&c->spd.that.id, &d->spd.that.id) &&
- addrtypeof(&c->spd.that.host_addr) ==
- addrtypeof(&d->spd.that.host_addr) &&
- (!sameaddr(&c->spd.that.host_addr,
- &d->spd.that.host_addr) ||
- c->spd.that.host_port !=
- d->spd.that.host_port) &&
- !(c->dnshostname != NULL &&
- d->dnshostname != NULL &&
- streq(c->dnshostname,
- d->dnshostname))) {
- release_connection(d, FALSE);
- }
- d = next;
+ /* NULL authentication can never replaced - it is all anonnymous */
+ if (LIN(POLICY_AUTH_NULL, c->policy) ||
+ ( c->spd.that.authby == AUTH_NULL || c->spd.this.authby == AUTH_NULL)) {
+
+ DBG(DBG_CONTROL, DBG_log("NULL Authentication - all clients appear identical"));
+ return;
+ }
+
+ /*
+ * If we are a server and use PSK, all clients use the same group ID
+ * Note that "xauth_server" also refers to IKEv2 CP
+ */
+ if (c->spd.this.xauth_server && LIN(POLICY_PSK, c->policy)) {
+ DBG(DBG_CONTROL, DBG_log("We are a server using PSK and clients are using a group ID"));
+ return;
+ }
+
+ if (!uniqueIDs) {
+ DBG(DBG_CONTROL, DBG_log("uniqueIDs disabled, not contemplating releasing older self"));
+ return;
+ }
+
+ /*
+ * for all existing connections: if the same Phase 1 IDs are used,
+ * unorient that (old) connection - This is a replacement.
+ */
+ struct connection *d;
+
+ for (d = connections; d != NULL; ) {
+ /* might move underneath us */
+ struct connection *next = d->ac_next;
+
+ if (c != d && c->kind == d->kind && streq(c->name, d->name) &&
+ (same_id(&c->spd.this.id, &d->spd.this.id) &&
+ same_id(&c->spd.that.id, &d->spd.that.id)))
+ {
+ DBG(DBG_CONTROL, DBG_log("Unorienting old connection with same IDs"));
+ release_connection(d, FALSE);
}
+ d = next;
}
}

66
libreswan-3.23-crypto-policies.patch Normal file
View File

@ -0,0 +1,66 @@
diff --git a/lib/libipsecconf/parser.l b/lib/libipsecconf/parser.l
index c41dd8048..cc2faf5c9 100644
--- a/lib/libipsecconf/parser.l
+++ b/lib/libipsecconf/parser.l
@@ -160,7 +160,9 @@ static int parser_y_nextglobfile(struct ic_inputsource *iis)
char ebuf[128];
snprintf(ebuf, sizeof(ebuf),
- "cannot open include filename: '%s': %s",
+ (strstr(iis->filename, "crypto-policies/back-ends/libreswan.config") == NULL) ?
+ "cannot open include filename: '%s': %s" :
+ "ignored loading default system-wide crypto-policies file '%s': %s",
iis->fileglob.gl_pathv[fcnt],
strerror(errno));
yyerror(ebuf);
diff --git a/programs/configs/ipsec.conf.in b/programs/configs/ipsec.conf.in
index 7374efc3c..974699f01 100644
--- a/programs/configs/ipsec.conf.in
+++ b/programs/configs/ipsec.conf.in
@@ -1,27 +1,18 @@
# @FINALCONFDIR@/ipsec.conf - Libreswan IPsec configuration file
#
-# Manual: ipsec.conf.5
+# see 'man ipsec.conf' and 'man pluto' for more information
+#
+# For example configurations and documentation, see https://libreswan.org/wiki/
config setup
- # Normally, pluto logs via syslog. If you want to log to a file,
- # specify below or to disable logging, eg for embedded systems, use
- # the file name /dev/null
- # Note: SElinux policies might prevent pluto writing to a log file at
- # an unusual location.
+ # Normally, pluto logs via syslog.
#logfile=/var/log/pluto.log
#
# Do not enable debug options to debug configuration issues!
#
- # plutodebug "all", "none" or a combation from below:
- # "raw crypt parsing emitting control controlmore kernel pfkey
- # natt x509 dpd dns oppo oppoinfo private".
- # Note: "private" is not included with "all", as it can show confidential
- # information. It must be specifically specified
- # examples:
# plutodebug="control parsing"
# plutodebug="all crypt"
- # Again: only enable plutodebug when asked by a developer
- #plutodebug=none
+ plutodebug=none
#
# NAT-TRAVERSAL support
# exclude networks used on server side by adding %v4:!a.b.c.0/24
@@ -30,10 +21,8 @@ config setup
# This range has never been announced via BGP (at least up to 2015)
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
-# For example connections, see your distribution's documentation directory,
-# or https://libreswan.org/wiki/
-#
-# There is also a lot of information in the manual page, "man ipsec.conf"
-#
+# if it exists, include system wide crypto-policy defaults
+include /etc/crypto-policies/back-ends/libreswan.config
+
# It is best to add your IPsec connections as separate files in @IPSEC_CONFDDIR@/
include @IPSEC_CONFDDIR@/*.conf

507
libreswan-3.23-fixups.patch Normal file
View File

@ -0,0 +1,507 @@
diff -Naur libreswan-3.23-orig/programs/pluto/connections.c libreswan-3.23/programs/pluto/connections.c
--- libreswan-3.23-orig/programs/pluto/connections.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/connections.c 2018-02-05 14:38:49.372280712 -0500
@@ -3158,10 +3158,8 @@
matching_peer_id && matching_peer_ca && matching_requested_ca,
matching_peer_id, matching_peer_ca, matching_requested_ca);});
- /* Ignore template from which we instantiated - this should never happen */
if (c->kind == CK_INSTANCE && d->kind == CK_TEMPLATE && streq(c->name, d->name)) {
- libreswan_log("Warning: not switching back to template of current instance (FIXME)");
- continue;
+ DBG(DBG_CONTROLMORE, DBG_log("template conn fits better than instance of it - different client on same IP/port requires new instance"));
}
/* 'You Tarzan, me Jane' check based on received IDr */
diff -Naur libreswan-3.23-orig/programs/pluto/hostpair.c libreswan-3.23/programs/pluto/hostpair.c
--- libreswan-3.23-orig/programs/pluto/hostpair.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/hostpair.c 2018-02-05 14:38:57.865635032 -0500
@@ -144,17 +144,6 @@
hisport = pluto_port;
for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next) {
- if (p->connections != NULL && (p->connections->kind == CK_INSTANCE) &&
- (p->connections->spd.that.id.kind == ID_NULL))
- {
- DBG(DBG_CONTROLMORE, {
- char ci[CONN_INST_BUF];
- DBG_log("find_host_pair: ignore CK_INSTANCE with ID_NULL hp:\"%s\"%s",
- p->connections->name,
- fmt_conn_instance(p->connections, ci));
- });
- continue;
- }
DBG(DBG_CONTROLMORE, {
ipstr_buf b1;
diff -Naur libreswan-3.23-orig/programs/pluto/ikev2.h libreswan-3.23/programs/pluto/ikev2.h
--- libreswan-3.23-orig/programs/pluto/ikev2.h 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/ikev2.h 2018-02-05 14:39:11.171190105 -0500
@@ -162,7 +162,9 @@
extern bool ikev2_calculate_rsa_sha1(struct state *st,
enum original_role role,
unsigned char *idhash,
- pb_stream *a_pbs);
+ pb_stream *a_pbs,
+ bool calc_no_ppk_auth,
+ chunk_t *no_ppk_auth);
extern bool ikev2_create_psk_auth(enum keyword_authby authby,
struct state *st,
diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_parent.c libreswan-3.23/programs/pluto/ikev2_parent.c
--- libreswan-3.23-orig/programs/pluto/ikev2_parent.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/ikev2_parent.c 2018-02-05 14:39:11.173190188 -0500
@@ -2783,7 +2783,9 @@
switch (a.isaa_type) {
case IKEv2_AUTH_RSA:
- if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs)) {
+ if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs,
+ FALSE, /* store-only not set */
+ NULL /* store-only chunk unused */)) {
loglog(RC_LOG_SERIOUS, "Failed to find our RSA key");
return STF_FATAL;
}
@@ -2792,7 +2794,7 @@
case IKEv2_AUTH_PSK:
case IKEv2_AUTH_NULL:
if (!ikev2_create_psk_auth(authby, pst, idhash_out, &a_pbs,
- FALSE /* store-only not set */,
+ FALSE, /* store-only not set */
NULL /* store-only chunk unused */)) {
loglog(RC_LOG_SERIOUS, "Failed to find our PreShared Key");
return STF_FATAL;
@@ -2812,7 +2814,9 @@
return STF_INTERNAL_ERROR;
}
- if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs)) {
+ if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs,
+ FALSE, /* store-only not set */
+ NULL /* store-only chunk unused */)) {
loglog(RC_LOG_SERIOUS, "DigSig: failed to find our RSA key");
return STF_FATAL;
}
@@ -3224,7 +3228,7 @@
hmac_update(&id_ctx, id_start, id_len);
hmac_final(idhash, &id_ctx);
- if (pst->st_sk_pi_no_ppk != NULL) {
+ if (pst->st_seen_ppk && !LIN(POLICY_PPK_INSIST, pc->policy)) {
struct hmac_ctx id_ctx_npa;
hmac_init(&id_ctx_npa, pst->st_oakley.ta_prf, pst->st_sk_pi_no_ppk);
@@ -3371,7 +3375,7 @@
notifies++;
if (pst->st_seen_ppk)
- notifies++; /* used for two payloads */
+ notifies++; /* used for one or two payloads */
/* code does not support AH + ESP, not recommend rfc8221 section-4 */
struct ipsec_proto_info *proto_info
@@ -3437,21 +3441,24 @@
}
if (pst->st_seen_ppk) {
chunk_t notify_data = create_unified_ppk_id(&ppk_id_p);
+ int np = LIN(POLICY_PPK_INSIST, cc->policy) ? ISAKMP_NEXT_v2NONE : ISAKMP_NEXT_v2N;
- notifies--; /* used for 2 payloads */
- if (!ship_v2N(ISAKMP_NEXT_v2N, ISAKMP_PAYLOAD_NONCRITICAL,
- PROTO_v2_RESERVED, &empty_chunk,
- v2N_PPK_IDENTITY, &notify_data,
- &e_pbs_cipher))
- return STF_INTERNAL_ERROR;
+ notifies--; /* used for one or two payloads */
+ if (!ship_v2N(np, ISAKMP_PAYLOAD_NONCRITICAL,
+ PROTO_v2_RESERVED, &empty_chunk,
+ v2N_PPK_IDENTITY, &notify_data,
+ &e_pbs_cipher))
+ return STF_INTERNAL_ERROR;
freeanychunk(notify_data);
- ikev2_calc_no_ppk_auth(cc, pst, idhash_npa, &pst->st_no_ppk_auth);
- if (!ship_v2N(ISAKMP_NEXT_v2NONE, ISAKMP_PAYLOAD_NONCRITICAL,
- PROTO_v2_RESERVED, &empty_chunk,
- v2N_NO_PPK_AUTH, &pst->st_no_ppk_auth,
- &e_pbs_cipher))
- return STF_INTERNAL_ERROR;
+ if (!LIN(POLICY_PPK_INSIST, cc->policy)) {
+ ikev2_calc_no_ppk_auth(cc, pst, idhash_npa, &pst->st_no_ppk_auth);
+ if (!ship_v2N(ISAKMP_NEXT_v2NONE, ISAKMP_PAYLOAD_NONCRITICAL,
+ PROTO_v2_RESERVED, &empty_chunk,
+ v2N_NO_PPK_AUTH, &pst->st_no_ppk_auth,
+ &e_pbs_cipher))
+ return STF_INTERNAL_ERROR;
+ }
}
passert(notifies == 0);
diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_ppk.c libreswan-3.23/programs/pluto/ikev2_ppk.c
--- libreswan-3.23-orig/programs/pluto/ikev2_ppk.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/ikev2_ppk.c 2018-02-05 14:39:11.173190188 -0500
@@ -113,7 +113,24 @@
enum keyword_authby authby = c->spd.this.authby;
switch (authby) {
case AUTH_RSASIG:
- /* TODO */
+ if (ikev2_calculate_rsa_sha1(st, st->st_original_role, id_hash, NULL, TRUE, no_ppk_auth)) {
+ if (st->st_hash_negotiated & NEGOTIATE_AUTH_HASH_SHA1) {
+ /* make blobs separately, and somehow combine them and no_ppk_auth
+ * to get an actual no_ppk_auth */
+ int len = ASN1_LEN_ALGO_IDENTIFIER + ASN1_SHA1_RSA_OID_SIZE + no_ppk_auth->len;
+ u_char *blobs = alloc_bytes(len, "bytes for blobs for AUTH_DIGSIG NO_PPK_AUTH");
+ u_char *ret = blobs;
+ memcpy(blobs, len_sha1_rsa_oid_blob, ASN1_LEN_ALGO_IDENTIFIER);
+ blobs += ASN1_LEN_ALGO_IDENTIFIER;
+ memcpy(blobs, sha1_rsa_oid_blob, ASN1_SHA1_RSA_OID_SIZE);
+ blobs += ASN1_SHA1_RSA_OID_SIZE;
+ memcpy(blobs, no_ppk_auth->ptr, no_ppk_auth->len);
+ chunk_t release = *no_ppk_auth;
+ setchunk(*no_ppk_auth, ret, len);
+ freeanychunk(release);
+ }
+ }
+ return STF_OK;
break;
case AUTH_PSK:
if (ikev2_create_psk_auth(AUTH_PSK, st, id_hash, NULL, TRUE, no_ppk_auth))
diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_rsa.c libreswan-3.23/programs/pluto/ikev2_rsa.c
--- libreswan-3.23-orig/programs/pluto/ikev2_rsa.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/ikev2_rsa.c 2018-02-05 14:39:11.173190188 -0500
@@ -101,7 +101,9 @@
bool ikev2_calculate_rsa_sha1(struct state *st,
enum original_role role,
unsigned char *idhash,
- pb_stream *a_pbs)
+ pb_stream *a_pbs,
+ bool calc_no_ppk_auth,
+ chunk_t *no_ppk_auth)
{
unsigned char signed_octets[SHA1_DIGEST_SIZE + 16];
size_t signed_len;
@@ -136,8 +138,13 @@
if (shr == 0)
return FALSE;
passert(shr == (int)sz);
- if (!out_raw(sig_val, sz, a_pbs, "rsa signature"))
- return FALSE;
+ if (calc_no_ppk_auth == FALSE) {
+ if (!out_raw(sig_val, sz, a_pbs, "rsa signature"))
+ return FALSE;
+ } else {
+ clonetochunk(*no_ppk_auth, sig_val, sz, "NO_PPK_AUTH chunk");
+ DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH payload", *no_ppk_auth));
+ }
}
return TRUE;
diff -Naur libreswan-3.23-orig/programs/pluto/nss_cert_verify.c libreswan-3.23/programs/pluto/nss_cert_verify.c
--- libreswan-3.23-orig/programs/pluto/nss_cert_verify.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/nss_cert_verify.c 2018-02-05 14:38:52.685418927 -0500
@@ -498,60 +498,83 @@
bool cert_VerifySubjectAltName(const CERTCertificate *cert, const char *name)
{
- SECStatus rv;
SECItem subAltName;
- PLArenaPool *arena = NULL;
- CERTGeneralName *nameList = NULL;
- CERTGeneralName *current = NULL;
- bool san_ip = FALSE;
- unsigned int len = strlen(name);
- ip_address myip;
-
- rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME,
+ SECStatus rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME,
&subAltName);
if (rv != SECSuccess) {
DBG(DBG_X509, DBG_log("certificate contains no subjectAltName extension"));
return FALSE;
}
- if (tnatoaddr(name, 0, AF_UNSPEC, &myip) == NULL)
- san_ip = TRUE;
+ ip_address myip;
+ bool san_ip = (tnatoaddr(name, 0, AF_UNSPEC, &myip) == NULL);
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
passert(arena != NULL);
- nameList = current = CERT_DecodeAltNameExtension(arena, &subAltName);
- passert(current != NULL);
+ CERTGeneralName *nameList = CERT_DecodeAltNameExtension(arena, &subAltName);
- do
- {
+ if (nameList == NULL) {
+ loglog(RC_LOG_SERIOUS, "certificate subjectAltName extension failed to decode");
+ PORT_FreeArena(arena, PR_FALSE);
+ return FALSE;
+ }
+
+ /*
+ * nameList is a pointer into a non-empty circular linked list.
+ * This loop visits each entry.
+ * We have visited each when we come back to the start.
+ * We test only at the end, after we advance, because we want to visit
+ * the first entry the first time we see it but stop when we get to it
+ * the second time.
+ */
+ CERTGeneralName *current = nameList;
+ do {
switch (current->type) {
case certDNSName:
case certRFC822Name:
- if (san_ip)
- break;
- if (current->name.other.len == len) {
- if (memcmp(current->name.other.data, name, len) == 0) {
- DBG(DBG_X509, DBG_log("subjectAltname %s found in certificate", name));
- PORT_FreeArena(arena, PR_FALSE);
- return TRUE;
- }
- }
+ {
+ /*
+ * Match the parameter name with the name in the certificate.
+ * The name in the cert may start with "*."; that will match
+ * any initial component in name (up to the first '.').
+ */
+ /* we need to cast because name.other.data is unsigned char * */
+ const char *c_ptr = (const void *) current->name.other.data;
+ size_t c_len = current->name.other.len;
+
+ const char *n_ptr = name;
+ static const char wild[] = "*.";
+ const size_t wild_len = sizeof(wild) - 1;
+
+ if (c_len > wild_len && startswith(c_ptr, wild)) {
+ /* wildcard in cert: ignore first component of name */
+ c_ptr += wild_len;
+ c_len -= wild_len;
+ n_ptr = strchr(n_ptr, '.');
+ if (n_ptr == NULL)
+ break; /* cannot match */
- if (current->name.other.len != 0 && current->name.other.len < IDTOA_BUF) {
- char osan[IDTOA_BUF];
+ n_ptr++; /* skip . */
+ }
- memcpy(osan,current->name.other.data, current->name.other.len);
- osan[current->name.other.len] = '\0';
- DBG(DBG_X509, DBG_log("subjectAltname (len=%d) %s not match %s", current->name.other.len, osan, name));
- } else {
- DBG(DBG_X509, DBG_log("subjectAltname <TOO BIG TO PRINT> does not match %s", name));
+ if (c_len == strlen(n_ptr) && strncaseeq(n_ptr, c_ptr, c_len)) {
+ /*
+ * ??? if current->name.other.data contains bad characters,
+ * what prevents them being logged?
+ */
+ DBG(DBG_X509, DBG_log("subjectAltname %s matched %*s in certificate",
+ name, current->name.other.len, current->name.other.data));
+ PORT_FreeArena(arena, PR_FALSE);
+ return TRUE;
}
break;
+ }
case certIPAddress:
if (!san_ip)
break;
+
if ((current->name.other.len == 4) && (addrtypeof(&myip) == AF_INET)) {
if (memcmp(current->name.other.data, &myip.u.v4.sin_addr.s_addr, 4) == 0) {
DBG(DBG_X509, DBG_log("subjectAltname IPv4 matches %s", name));
@@ -572,7 +595,7 @@
break;
}
}
- DBG(DBG_X509, DBG_log("subjectAltnamea IP address family mismatch for %s", name));
+ DBG(DBG_X509, DBG_log("subjectAltname IP address family mismatch for %s", name));
break;
default:
diff -Naur libreswan-3.23-orig/programs/_unbound-hook/_unbound-hook.in libreswan-3.23/programs/_unbound-hook/_unbound-hook.in
--- libreswan-3.23-orig/programs/_unbound-hook/_unbound-hook.in 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/_unbound-hook/_unbound-hook.in 2018-02-05 14:38:49.373280754 -0500
@@ -1,31 +1,52 @@
#!/usr/bin/python
+#
+# Copyright (C) 2018 Paul Wouters <pwouters@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
import sys
-import base64
-import commands
+import subprocess
-log = ""
-
-status, myip = commands.getstatusoutput("ip -o route get 1.0.0.1")
+# Get my %defaultroute IP address
+myip = subprocess.check_output("ip -o route get 8.8.8.8", shell=True)
myip = myip.split("src")[1].strip().split()[0]
argv = sys.argv
-argc = len(sys.argv)
+ourself = argv.pop(0)
-#log += "Number or arguments is %d\n"%argc
-#if argc >= 4:
-# log += "QNAME:%s\n"%argv[1]
-# log += "TTL:%s\n"%argv[2]
-# log += "IP:%s\n"%argv[3]
-# log += "IPSECKEY:%s\n"%argv[4]
-# rr = argv[4]
-# pref, gwtype, algo, gw, pubkey = rr.split(" ")
-#log += "-----------------------------\n"
-
-cmdname = "@IPSEC_EXECDIR@/whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(argv[1], pubkey)
-cmdip = "@IPSEC_EXECDIR@/whack --keyid %s --addkey --pubkeyrsa 0s%s"%(argv[3], pubkey)
-cmdoe = "@IPSEC_EXECDIR@/whack --oppohere %s --oppothere %s"%(myip, argv[3])
-ret, output = commands.getstatusoutput(cmdname)
-ret, output = commands.getstatusoutput(cmdip)
-ret, output = commands.getstatusoutput(cmdoe)
-ret, output = commands.getstatusoutput("@IPSEC_EXECDIR@ whack --trafficstatus")
+try:
+ qname = argv.pop(0)
+ ttl = argv.pop(0)
+ ip = argv.pop(0)
+except:
+ sys.exit("Bad arguments to ipsec _unbound")
+
+while (argv != []):
+ try:
+ gwprec = argv.pop(0)
+ gwtype = argv.pop(0)
+ gwalg = argv.pop(0)
+ gwid = argv.pop(0)
+ pubkey = argv.pop(0)
+ addkeyip = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(ip, pubkey)
+ addkeyhostname = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(qname, pubkey)
+ print("processing an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip))
+ print(subprocess.call(addkeyip, shell=True))
+ print(subprocess.call(addkeyhostname, shell=True))
+ except:
+ sys.exit("failed to process an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip))
+
+# done injecting all IPSECKEY records into pluto - try actual OE now
+cmdoeip = "ipsec whack --oppohere %s --oppothere %s"%(myip, ip)
+print(subprocess.check_output(cmdoeip, shell=True))
+#cmdoeqname = "ipsec whack --oppohere %s --oppothere %s"%(myip, qname)
+#ret, output = commands.getstatusoutput(cmdoeqname)
+print(subprocess.check_output("ipsec whack --trafficstatus", shell=True))
diff --git a/include/ietf_constants.h b/include/ietf_constants.h
index 8a1ba5d..38fa4de 100644
--- a/include/ietf_constants.h
+++ b/include/ietf_constants.h
@@ -1215,7 +1215,7 @@ enum ikev2_cp_attribute_type {
IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO = 23,
IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK = 24,
IKEv2_INTERNAL_DNS_DOMAIN = 25,
- /* IKEv2_INTERNAL_DNSSEC_TA = 26 expected */
+ IKEv2_INTERNAL_DNSSEC_TA = 26
};
diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c
index 9ea9872..ab6db3e 100644
--- a/lib/libswan/constants.c
+++ b/lib/libswan/constants.c
@@ -1365,13 +1365,12 @@ static const char *const ikev2_cp_attribute_type_name[] = {
"IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO", /* 3gpp */
"IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK", /* 3gpp */
"IKEv2_INTERNAL_DNS_DOMAIN", /* draft-ietf-ipsecme-split-dns */
- /* "IKEv2_INTERNAL_DNSSEC_TA", draft-ietf-ipsecme-split-dns, no Code Point yet */
+ "IKEv2_INTERNAL_DNSSEC_TA", /* draft-ietf-ipsecme-split-dns */
};
enum_names ikev2_cp_attribute_type_names = {
IKEv2_CP_ATTR_RESERVED,
- IKEv2_INTERNAL_DNS_DOMAIN,
- /* IKEv2_INTERNAL_DNSSEC_TA, */
+ IKEv2_INTERNAL_DNSSEC_TA,
ARRAY_REF(ikev2_cp_attribute_type_name),
NULL, /* prefix */
NULL
diff --git a/programs/addconn/addconn.c b/programs/addconn/addconn.c
index ae56972..e818e0e 100644
--- a/programs/addconn/addconn.c
+++ b/programs/addconn/addconn.c
@@ -416,12 +416,11 @@ int main(int argc, char *argv[])
if (verbose)
printf(" Pass #1: Loading auto=add, auto=route and auto=start connections\n");
- for (conn = cfg->conns.tqh_first;
- conn != NULL;
- conn = conn->link.tqe_next) {
+ for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) {
if (conn->desired_state == STARTUP_ADD ||
conn->desired_state == STARTUP_ONDEMAND ||
- conn->desired_state == STARTUP_START) {
+ conn->desired_state == STARTUP_START)
+ {
if (verbose)
printf(" %s", conn->name);
resolve_defaultroute(conn);
@@ -436,30 +435,22 @@ int main(int argc, char *argv[])
starter_whack_listen(cfg);
if (verbose)
- printf(" Pass #2: Routing auto=route and auto=start connections\n");
+ printf(" Pass #2: Routing auto=route connections\n");
- for (conn = cfg->conns.tqh_first;
- conn != NULL;
- conn = conn->link.tqe_next) {
- if (conn->desired_state == STARTUP_ADD ||
- conn->desired_state == STARTUP_ONDEMAND ||
- conn->desired_state == STARTUP_START) {
+ for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) {
+ if (conn->desired_state == STARTUP_ONDEMAND)
+ {
if (verbose)
printf(" %s", conn->name);
- resolve_defaultroute(conn);
- if (conn->desired_state == STARTUP_ONDEMAND ||
- conn->desired_state == STARTUP_START) {
+ if (conn->desired_state == STARTUP_ONDEMAND)
starter_whack_route_conn(cfg, conn);
- }
}
}
if (verbose)
printf(" Pass #3: Initiating auto=start connections\n");
- for (conn = cfg->conns.tqh_first;
- conn != NULL;
- conn = conn->link.tqe_next) {
+ for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) {
if (conn->desired_state == STARTUP_START) {
if (verbose)
printf(" %s", conn->name);
diff --git a/programs/_updown.netkey/_updown.netkey.in b/programs/_updown.netkey/_updown.netkey.in
index 64b2808..b343445 100644
--- a/programs/_updown.netkey/_updown.netkey.in
+++ b/programs/_updown.netkey/_updown.netkey.in
@@ -745,6 +745,7 @@ case "${PLUTO_VERB}" in
up-client)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
+ addvtiiface
updateresolvconf
addcat
addsource

64
libreswan-3.23-gcc8.patch Normal file
View File

@ -0,0 +1,64 @@
diff -Naur libreswan-3.23-orig/programs/pluto/kernel_netlink.c libreswan-3.23/programs/pluto/kernel_netlink.c
--- libreswan-3.23-orig/programs/pluto/kernel_netlink.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/kernel_netlink.c 2018-02-19 18:07:08.654780313 -0500
@@ -51,8 +51,9 @@
#include <linux/if_addr.h>
#include <linux/if_link.h>
-#include "libreswan.h" /* before xfrm.h otherwise break on F22 */
+//#include <netinet/in.h>
#include "linux/xfrm.h" /* local (if configured) or system copy */
+#include "libreswan.h" /* before xfrm.h otherwise break on F22 */
#include "libreswan/pfkeyv2.h"
#include "libreswan/pfkey.h"
diff -Naur libreswan-3.23-orig/programs/pluto/linux_audit.c libreswan-3.23/programs/pluto/linux_audit.c
--- libreswan-3.23-orig/programs/pluto/linux_audit.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/linux_audit.c 2018-02-19 18:07:08.654780313 -0500
@@ -74,6 +74,15 @@
#include "pluto_stats.h"
+#if __GNUC__ >= 7
+ /*
+ * GCC 7+ warns about the following calls that truncate a string using
+ * snprintf(). We are truncating the log message for a reason.
+ */
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wformat-truncation"
+#endif
+
static bool log_to_audit = FALSE; /* audit log messages for kernel */
void linux_audit_init(void)
@@ -300,3 +309,6 @@
AUDIT_CRYPTO_IPSEC_SA : AUDIT_CRYPTO_IKE_SA,
audit_str, raddr, AUDIT_RESULT_OK);
}
+#if __GNUC__ >= 7
+#pragma GCC diagnostic pop
+#endif
diff -Naur libreswan-3.23-orig/programs/pluto/log.h libreswan-3.23/programs/pluto/log.h
--- libreswan-3.23-orig/programs/pluto/log.h 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/log.h 2018-02-19 18:07:08.655780307 -0500
@@ -154,7 +154,7 @@
#ifdef USE_LINUX_AUDIT
#include <libaudit.h> /* from audit-libs devel */
-#define AUDIT_LOG_SIZE 256
+#define AUDIT_LOG_SIZE 512
/* should really be in libaudit.h */
#define AUDIT_RESULT_FAIL 0
#define AUDIT_RESULT_OK 1
diff -Naur libreswan-3.23-orig/programs/pluto/pluto_constants.c libreswan-3.23/programs/pluto/pluto_constants.c
--- libreswan-3.23-orig/programs/pluto/pluto_constants.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/pluto_constants.c 2018-02-19 18:08:22.359413451 -0500
@@ -478,7 +478,7 @@
policy &
~(POLICY_SHUNT_MASK | POLICY_FAIL_MASK),
pbitnamesbuf, sizeof(pbitnamesbuf));
- static char buf[200]; /* NOT RE-ENTRANT! I hope that it is big enough! */
+ static char buf[512]; /* NOT RE-ENTRANT! I hope that it is big enough! */
lset_t shunt = (policy & POLICY_SHUNT_MASK) >> POLICY_SHUNT_SHIFT;
lset_t fail = (policy & POLICY_FAIL_MASK) >> POLICY_FAIL_SHIFT;

116
libreswan-3.23-ppk-update.patch Normal file
View File

@ -0,0 +1,116 @@
diff --git a/include/ietf_constants.h b/include/ietf_constants.h
index 38fa4de..08c8d9e 100644
--- a/include/ietf_constants.h
+++ b/include/ietf_constants.h
@@ -1486,12 +1486,14 @@ typedef enum {
v2N_SENDER_REQUEST_ID = 16429, /* draft-yeung-g-ikev2 */
v2N_IKEV2_FRAGMENTATION_SUPPORTED = 16430, /* RFC-7383 */
v2N_SIGNATURE_HASH_ALGORITHMS = 16431, /* RFC-7427 */
-
- v2N_USE_PPK = 40960, /* draft-ietf-ipsecme-qr-ikev2-01 */
- v2N_PPK_IDENTITY = 40961, /* draft-ietf-ipsecme-qr-ikev2-01 */
- v2N_NO_PPK_AUTH = 40962, /* draft-ietf-ipsecme-qr-ikev2-01 */
-
- /* 16432 - 40969 Unassigned */
+ v2N_CLONE_IKE_SA_SUPPORTED = 16432, /* RFC-7791 */
+ v2N_CLONE_IKE_SA = 16433, /* RFC-7791 */
+ v2N_PUZZLE = 16434, /* RFC-8019 */
+ v2N_USE_PPK = 16435, /* draft-ietf-ipsecme-qr-ikev2 */
+ v2N_PPK_IDENTITY = 16436, /* draft-ietf-ipsecme-qr-ikev2 */
+ v2N_NO_PPK_AUTH = 16437, /* draft-ietf-ipsecme-qr-ikev2 */
+
+ /* 16438 - 40969 Unassigned */
/* 40960 - 65535 Private Use */
} v2_notification_t;
diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c
index ab6db3e..a0dab63 100644
--- a/lib/libswan/constants.c
+++ b/lib/libswan/constants.c
@@ -1634,20 +1634,6 @@ static enum_names ikev2_ppk_id_type_names = {
};
*/
-static const char *const ikev2_notify_name_private[] = {
- "v2N_USE_PPK",
- "v2N_PPK_IDENTITY",
- "v2N_NO_PPK_AUTH",
-};
-
-static enum_names ikev2_notify_names_private = {
- v2N_USE_PPK,
- v2N_NO_PPK_AUTH,
- ARRAY_REF(ikev2_notify_name_private),
- "v2N_", /* prefix */
- NULL
-};
-
/* http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xml#ikev2-parameters-13 */
static const char *const ikev2_notify_name_16384[] = {
"v2N_INITIAL_CONTACT", /* 16384 */
@@ -1698,14 +1684,20 @@ static const char *const ikev2_notify_name_16384[] = {
"v2N_SENDER_REQUEST_ID",
"v2N_IKEV2_FRAGMENTATION_SUPPORTED", /* 16430 */
"v2N_SIGNATURE_HASH_ALGORITHMS",
+ "v2N_CLONE_IKE_SA_SUPPORTED",
+ "v2N_CLONE_IKE_SA",
+ "v2N_PUZZLE",
+ "v2N_USE_PPK", /* 16435 */
+ "v2N_PPK_IDENTITY",
+ "v2N_NO_PPK_AUTH",
};
static enum_names ikev2_notify_names_16384 = {
v2N_INITIAL_CONTACT,
- v2N_SIGNATURE_HASH_ALGORITHMS,
+ v2N_NO_PPK_AUTH,
ARRAY_REF(ikev2_notify_name_16384),
"v2N_", /* prefix */
- &ikev2_notify_names_private
+ NULL
};
static const char *const ikev2_notify_name[] = {
diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c
index 258ba85..b86eea8 100644
--- a/programs/pluto/ikev2_parent.c
+++ b/programs/pluto/ikev2_parent.c
@@ -3749,18 +3749,14 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md)
break;
}
- if (LIN(POLICY_PPK_ALLOW, policy)) {
- no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH");
+ no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH");
- if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) {
- loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len);
- return STF_FATAL;
- }
- DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth));
- st->st_no_ppk_auth = no_ppk_auth;
- } else {
- libreswan_log("ignored received NO_PPK_AUTH - connection does not allow PPK");
+ if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) {
+ loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len);
+ return STF_FATAL;
}
+ DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth));
+ st->st_no_ppk_auth = no_ppk_auth;
break;
}
case v2N_MOBIKE_SUPPORTED:
@@ -3774,8 +3770,11 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md)
}
}
- /* if we found proper PPK ID, we should use that without fallback to no ppk */
- if (found_ppk)
+ /*
+ * If we found proper PPK ID and policy allows PPK, use that.
+ * Otherwise use NO_PPK_AUTH
+ */
+ if (found_ppk && LIN(POLICY_PPK_ALLOW, policy))
freeanychunk(st->st_no_ppk_auth);
if (!found_ppk && LIN(POLICY_PPK_INSIST, policy)) {

24
libreswan-3.23-seccomp.patch Normal file
View File

@ -0,0 +1,24 @@
diff -Naur libreswan-3.23-orig/programs/addconn/addconn.c libreswan-3.23/programs/addconn/addconn.c
--- libreswan-3.23-orig/programs/addconn/addconn.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/addconn/addconn.c 2018-02-05 14:13:25.758711788 -0500
@@ -140,7 +140,9 @@
rc |= S_RULE_ADD(set_robust_list);
rc |= S_RULE_ADD(set_tid_address);
rc |= S_RULE_ADD(socket);
+ rc |= S_RULE_ADD(socketcall);
rc |= S_RULE_ADD(socketpair);
+ rc |= S_RULE_ADD(stat);
rc |= S_RULE_ADD(statfs);
rc |= S_RULE_ADD(uname);
rc |= S_RULE_ADD(write);
diff -Naur libreswan-3.23-orig/programs/pluto/pluto_seccomp.c libreswan-3.23/programs/pluto/pluto_seccomp.c
--- libreswan-3.23-orig/programs/pluto/pluto_seccomp.c 2018-01-25 15:19:46.000000000 -0500
+++ libreswan-3.23/programs/pluto/pluto_seccomp.c 2018-02-05 14:13:38.390239502 -0500
@@ -109,6 +109,7 @@
rc |= S_RULE_ADD(set_robust_list);
rc |= S_RULE_ADD(setsockopt);
rc |= S_RULE_ADD(socket);
+ rc |= S_RULE_ADD(socketcall);
rc |= S_RULE_ADD(socketpair);
rc |= S_RULE_ADD(sysinfo);
rc |= S_RULE_ADD(uname);

44
libreswan-3.5-cisco-interop.patch
View File

@ -1,44 +0,0 @@
commit 08f735e881d314f5b38b55cbc8a9d7abdb9b18f8
Author: Paul Wouters <pwouters@redhat.com>
Date: Sun Jul 14 13:27:39 2013 -0400
pluto: work around for Cisco VPN clients sending extraneous bytes
diff --git a/programs/pluto/demux.c b/programs/pluto/demux.c
index cc4be99..1ae2f40 100644
--- a/programs/pluto/demux.c
+++ b/programs/pluto/demux.c
@@ -146,12 +146,29 @@ void process_packet(struct msg_digest **mdp)
}
}
- if (md->packet_pbs.roof != md->message_pbs.roof) {
+ if (md->packet_pbs.roof < md->message_pbs.roof) {
libreswan_log(
- "size (%u) differs from size specified in ISAKMP HDR (%u)",
- (unsigned) pbs_room(
- &md->packet_pbs), md->hdr.isa_length);
+ "received packet size (%u) is smaller than from "
+ "size specified in ISAKMP HDR (%u) - packet dropped",
+ (unsigned) pbs_room(&md->packet_pbs),
+ md->hdr.isa_length);
+ /* abort processing corrupt packet */
return;
+ } else if (md->packet_pbs.roof > md->message_pbs.roof) {
+ /*
+ * Some (old?) versions of the Cisco VPN client send an additional
+ * 16 bytes of zero bytes - Complain but accept it
+ */
+ DBG(DBG_CONTROL, {
+ DBG_log(
+ "size (%u) in received packet is larger than the size "
+ "specified in ISAKMP HDR (%u) - ignoring extraneous bytes",
+ (unsigned) pbs_room(&md->packet_pbs),
+ md->hdr.isa_length);
+ DBG_dump("extraneous bytes:", md->message_pbs.roof,
+ md->packet_pbs.roof - md->message_pbs.roof);
+ /* continue */
+ });
}
maj = (md->hdr.isa_version >> ISA_MAJ_SHIFT);

22
libreswan.spec
View File

@ -22,7 +22,7 @@ Name: libreswan
Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
# version is generated in the release script
Version: 3.23
Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}.1
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
License: GPLv2
Url: https://libreswan.org/
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
@ -31,6 +31,13 @@ Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
Patch1: libreswan-3.23-seccomp.patch
Patch2: libreswan-3.23-fixups.patch
Patch3: libreswan-3.23-ppk-update.patch
Patch4: libreswan-3.23-crypto-policies.patch
Patch5: libreswan-3.23-gcc8.patch
%endif
Group: System Environment/Daemons
BuildRequires: bison flex pkgconfig
@ -98,6 +105,11 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
%prep
%setup -q -n libreswan-%{version}%{?prever}
sed -i "s:/usr/bin/python:/usr/bin/python3:" programs/verify/verify.in
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build
%if %{buildefence}
@ -179,6 +191,9 @@ make \
FS=$(pwd)
rm -rf %{buildroot}/usr/share/doc/libreswan
# enable crypto-policies support
sed -i "s:# include\(.*\)/crypto-policies/back-ends/libreswan.config:include\1:" %{buildroot}/%{_sysconfdir}/ipsec.conf
install -d -m 0700 %{buildroot}%{_localstatedir}/run/pluto
# used when setting --perpeerlog without --perpeerlogbase
install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer
@ -256,6 +271,11 @@ OBJ.linux.%{_arch}/programs/cavp/cavp -v1psk ikev1_psk.fax | \
%endif
%changelog
* Mon Feb 19 2018 Paul Wouters <pwouters@redhat.com> - 3.23-2
- Support crypto-policies package
- Pull in some patches from upstream and IANA registry updates
- gcc7 format-truncate fixes and workarounds
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.23-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild