Compare commits

...

No commits in common. "changed/a9/libreswan-4.12-2.el9_4.alma.1" and "c8" have entirely different histories.

9 changed files with 577 additions and 436 deletions

View File

@ -0,0 +1,31 @@
From 1dddaa3226fe1b71b68ec9665d93864a5ec69801 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 9 Jan 2023 23:26:10 +0900
Subject: [PATCH] libreswan-3.32-1861360-nodefault-rsa-pss.patch
---
lib/libipsecconf/confread.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
index 0444118..ec87646 100644
--- a/lib/libipsecconf/confread.c
+++ b/lib/libipsecconf/confread.c
@@ -1501,9 +1501,14 @@ static bool load_conn(struct starter_conn *conn,
hunk_streq(val, "rsa")) {
conn->authby.rsasig = true;
conn->authby.rsasig_v1_5 = true;
+ /*
+ * These cause failure with RSA 1024 bits because it uses RSA-PSS
+ */
+#if 0
conn->sighash_policy |= POL_SIGHASH_SHA2_256;
conn->sighash_policy |= POL_SIGHASH_SHA2_384;
conn->sighash_policy |= POL_SIGHASH_SHA2_512;
+#endif
} else if (hunk_streq(val, "never")) {
conn->authby.never = true;
/* everything else is only supported for IKEv2 */
--
2.39.0

View File

@ -0,0 +1,136 @@
From a2cc5f8c80e8cb9be0b65f8e8544689e8b093c09 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Tue, 10 Jan 2023 00:18:48 +0900
Subject: [PATCH] libreswan-4.1-maintain-obsolete-keywords.patch
---
lib/libipsecconf/keywords.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/lib/libipsecconf/keywords.c b/lib/libipsecconf/keywords.c
index fa8f0e0..03fb863 100644
--- a/lib/libipsecconf/keywords.c
+++ b/lib/libipsecconf/keywords.c
@@ -343,6 +343,8 @@ const struct keyword_def ipsec_conf_keywords[] = {
{ "ikev1-policy", kv_config, kt_enum, KBF_GLOBAL_IKEv1, kw_global_ikev1_list, NULL, },
{ "curl-iface", kv_config, kt_string, KSF_CURLIFACE, NULL, NULL, },
{ "curl-timeout", kv_config, kt_time, KBF_CURLTIMEOUT_MS, NULL, NULL, },
+ { "curl_iface", kv_config | kv_alias, kt_string, KSF_CURLIFACE, NULL, NULL, }, /* obsolete _ */
+ { "curl_timeout", kv_config | kv_alias, kt_time, KBF_CURLTIMEOUT_MS, NULL, NULL, }, /* obsolete _ */
{ "myvendorid", kv_config, kt_string, KSF_MYVENDORID, NULL, NULL, },
{ "syslog", kv_config, kt_string, KSF_SYSLOG, NULL, NULL, },
@@ -350,6 +352,7 @@ const struct keyword_def ipsec_conf_keywords[] = {
{ "logfile", kv_config, kt_filename, KSF_LOGFILE, NULL, NULL, },
{ "plutostderrlog", kv_config, kt_filename, KSF_LOGFILE, NULL, NULL, }, /* obsolete name, but very common :/ */
{ "logtime", kv_config, kt_bool, KBF_LOGTIME, NULL, NULL, },
+ { "plutostderrlogtime", kv_config | kv_alias, kt_bool, KBF_LOGTIME, NULL, NULL, }, /* obsolete */
{ "logappend", kv_config, kt_bool, KBF_LOGAPPEND, NULL, NULL, },
{ "logip", kv_config, kt_bool, KBF_LOGIP, NULL, NULL, },
{ "audit-log", kv_config, kt_bool, KBF_AUDIT_LOG, NULL, NULL, },
@@ -369,13 +372,20 @@ const struct keyword_def ipsec_conf_keywords[] = {
{ "global-redirect-to", kv_config, kt_string, KSF_GLOBAL_REDIRECT_TO, NULL, NULL, },
{ "crl-strict", kv_config, kt_bool, KBF_CRL_STRICT, NULL, NULL, },
+ { "crl_strict", kv_config | kv_alias, kt_bool, KBF_CRL_STRICT, NULL, NULL, }, /* obsolete _ */
{ "crlcheckinterval", kv_config, kt_time, KBF_CRL_CHECKINTERVAL_MS, NULL, NULL, },
+ { "strictcrlpolicy", kv_config | kv_alias, kt_bool, KBF_CRL_STRICT, NULL, NULL, }, /* obsolete; used on openswan */
{ "ocsp-strict", kv_config, kt_bool, KBF_OCSP_STRICT, NULL, NULL, },
+ { "ocsp_strict", kv_config | kv_alias, kt_bool, KBF_OCSP_STRICT, NULL, NULL, }, /* obsolete _ */
{ "ocsp-enable", kv_config, kt_bool, KBF_OCSP_ENABLE, NULL, NULL, },
+ { "ocsp_enable", kv_config | kv_alias, kt_bool, KBF_OCSP_ENABLE, NULL, NULL, }, /* obsolete _ */
{ "ocsp-uri", kv_config, kt_string, KSF_OCSP_URI, NULL, NULL, },
+ { "ocsp_uri", kv_config | kv_alias, kt_string, KSF_OCSP_URI, NULL, NULL, }, /* obsolete _ */
{ "ocsp-timeout", kv_config, kt_number, KBF_OCSP_TIMEOUT, NULL, NULL, },
+ { "ocsp_timeout", kv_config | kv_alias, kt_number, KBF_OCSP_TIMEOUT, NULL, NULL, }, /* obsolete _ */
{ "ocsp-trustname", kv_config, kt_string, KSF_OCSP_TRUSTNAME, NULL, NULL, },
+ { "ocsp_trust_name", kv_config | kv_alias, kt_string, KSF_OCSP_TRUSTNAME, NULL, NULL, }, /* obsolete _ */
{ "ocsp-cache-size", kv_config, kt_number, KBF_OCSP_CACHE_SIZE, NULL, NULL, },
{ "ocsp-cache-min-age", kv_config, kt_time, KBF_OCSP_CACHE_MIN_AGE_MS, NULL, NULL, },
{ "ocsp-cache-max-age", kv_config, kt_time, KBF_OCSP_CACHE_MAX_AGE_MS, NULL, NULL, },
@@ -399,6 +409,7 @@ const struct keyword_def ipsec_conf_keywords[] = {
{ "virtual_private", kv_config, kt_string, KSF_VIRTUALPRIVATE, NULL, NULL, }, /* obsolete variant, very common */
{ "seedbits", kv_config, kt_number, KBF_SEEDBITS, NULL, NULL, },
{ "keep-alive", kv_config, kt_number, KBF_KEEPALIVE, NULL, NULL, },
+ { "keep_alive", kv_config | kv_alias, kt_number, KBF_KEEPALIVE, NULL, NULL, }, /* obsolete _ */
{ "listen-tcp", kv_config, kt_bool, KBF_LISTEN_TCP, NULL, NULL },
{ "listen-udp", kv_config, kt_bool, KBF_LISTEN_UDP, NULL, NULL },
@@ -410,6 +421,8 @@ const struct keyword_def ipsec_conf_keywords[] = {
#ifdef HAVE_LABELED_IPSEC
{ "ikev1-secctx-attr-type", kv_config, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete: not a value, a type */
{ "secctx-attr-type", kv_config | kv_alias, kt_number, KBF_SECCTX, NULL, NULL, },
+ { "secctx_attr_value", kv_config | kv_alias, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete _ */
+ { "secctx-attr-value", kv_config, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete: not a value, a type */
#endif
{ "interfaces", kv_config, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsoleted but often present keyword */
@@ -446,6 +459,7 @@ const struct keyword_def ipsec_conf_keywords[] = {
{ "username", kv_conn | kv_leftright, kt_string, KSCF_USERNAME, NULL, NULL, },
/* xauthusername is still used in NetworkManager-libreswan :/ */
{ "xauthusername", kv_conn | kv_leftright, kt_string, KSCF_USERNAME, NULL, NULL, }, /* old alias */
+ { "xauthname", kv_conn | kv_leftright, kt_string, KSCF_USERNAME, NULL, NULL, }, /* old alias */
{ "addresspool", kv_conn | kv_leftright, kt_range, KSCF_ADDRESSPOOL, NULL, NULL, },
{ "auth", kv_conn | kv_leftright, kt_enum, KNCF_AUTH, kw_auth_list, NULL, },
#ifdef HAVE_IPTABLES
@@ -471,6 +485,8 @@ const struct keyword_def ipsec_conf_keywords[] = {
{ "esn", kv_conn | kv_processed, kt_enum, KNCF_ESN, kw_esn_list, NULL, },
{ "decap-dscp", kv_conn | kv_processed, kt_bool, KNCF_DECAP_DSCP, NULL, NULL, },
{ "nopmtudisc", kv_conn | kv_processed, kt_bool, KNCF_NOPMTUDISC, NULL, NULL, },
+ { "ike_frag", kv_conn | kv_processed | kv_alias, kt_enum, KNCF_IKE_FRAG, kw_ynf_list, NULL, }, /* obsolete _ */
+ { "ike-frag", kv_conn | kv_processed | kv_alias, kt_enum, KNCF_IKE_FRAG, kw_ynf_list, NULL, }, /* obsolete name */
{ "fragmentation", kv_conn | kv_processed, kt_enum, KNCF_IKE_FRAG, kw_ynf_list, NULL, },
{ "mobike", kv_conn, kt_bool, KNCF_MOBIKE, NULL, NULL, },
{ "narrowing", kv_conn, kt_bool, KNCF_IKEv2_ALLOW_NARROWING, NULL, NULL, },
@@ -481,13 +497,18 @@ const struct keyword_def ipsec_conf_keywords[] = {
{ "accept-redirect-to", kv_conn, kt_string, KSCF_ACCEPT_REDIRECT_TO, NULL, NULL, },
{ "pfs", kv_conn, kt_bool, KNCF_PFS, NULL, NULL, },
+ { "nat_keepalive", kv_conn | kv_alias, kt_bool, KNCF_NAT_KEEPALIVE, NULL, NULL, }, /* obsolete _ */
{ "nat-keepalive", kv_conn, kt_bool, KNCF_NAT_KEEPALIVE, NULL, NULL, },
+ { "initial_contact", kv_conn | kv_alias, kt_bool, KNCF_INITIAL_CONTACT, NULL, NULL, }, /* obsolete _ */
{ "initial-contact", kv_conn, kt_bool, KNCF_INITIAL_CONTACT, NULL, NULL, },
+ { "cisco_unity", kv_conn | kv_alias, kt_bool, KNCF_CISCO_UNITY, NULL, NULL, }, /* obsolete _ */
{ "cisco-unity", kv_conn, kt_bool, KNCF_CISCO_UNITY, NULL, NULL, },
{ "send-no-esp-tfc", kv_conn, kt_bool, KNCF_NO_ESP_TFC, NULL, NULL, },
{ "fake-strongswan", kv_conn, kt_bool, KNCF_VID_STRONGSWAN, NULL, NULL, },
+ { "send_vendorid", kv_conn | kv_alias, kt_bool, KNCF_SEND_VENDORID, NULL, NULL, }, /* obsolete _ */
{ "send-vendorid", kv_conn, kt_bool, KNCF_SEND_VENDORID, NULL, NULL, },
+ { "sha2_truncbug", kv_conn | kv_alias, kt_bool, KNCF_SHA2_TRUNCBUG, NULL, NULL, }, /* obsolete _ */
{ "sha2-truncbug", kv_conn, kt_bool, KNCF_SHA2_TRUNCBUG, NULL, NULL, },
{ "ms-dh-downgrade", kv_conn, kt_bool, KNCF_MSDH_DOWNGRADE, NULL, NULL, },
{ "require-id-on-certificate", kv_conn, kt_bool, KNCF_SAN_ON_CERT, NULL, NULL, },
@@ -505,7 +526,10 @@ const struct keyword_def ipsec_conf_keywords[] = {
{"ikepad", kv_conn, kt_bool, KNCF_IKEPAD, NULL, NULL, },
{ "nat-ikev1-method", kv_conn | kv_processed, kt_enum, KNCF_IKEV1_NATT, kw_ikev1natt_list, NULL, },
+ { "labeled_ipsec", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
+ { "labeled-ipsec", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
{ "policy-label", kv_conn, kt_string, KSCF_SA_SEC_LABEL, NULL, NULL, }, /* obsolete variant */
+ { "policy_label", kv_conn, kt_string, KSCF_SA_SEC_LABEL, NULL, NULL, }, /* obsolete variant */
{ "sec-label", kv_conn, kt_string, KSCF_SA_SEC_LABEL, NULL, NULL, }, /* really stored into struct end */
/* Cisco interop: remote peer type */
@@ -516,13 +540,17 @@ const struct keyword_def ipsec_conf_keywords[] = {
/* Network Manager support */
#ifdef HAVE_NM
{ "nm-configured", kv_conn, kt_bool, KNCF_NMCONFIGURED, NULL, NULL, },
+ { "nm_configured", kv_conn, kt_bool, KNCF_NMCONFIGURED, NULL, NULL, }, /* obsolete _ */
#endif
{ "xauthby", kv_conn, kt_enum, KNCF_XAUTHBY, kw_xauthby_list, NULL, },
{ "xauthfail", kv_conn, kt_enum, KNCF_XAUTHFAIL, kw_xauthfail_list, NULL, },
{ "modecfgpull", kv_conn, kt_invertbool, KNCF_MODECONFIGPULL, NULL, NULL, },
{ "modecfgdns", kv_conn, kt_string, KSCF_MODECFGDNS, NULL, NULL, },
+ { "modecfgdns1", kv_conn | kv_alias, kt_string, KSCF_MODECFGDNS, NULL, NULL, }, /* obsolete */
+ { "modecfgdns2", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
{ "modecfgdomains", kv_conn, kt_string, KSCF_MODECFGDOMAINS, NULL, NULL, },
+ { "modecfgdomain", kv_conn | kv_alias, kt_string, KSCF_MODECFGDOMAINS, NULL, NULL, }, /* obsolete */
{ "modecfgbanner", kv_conn, kt_string, KSCF_MODECFGBANNER, NULL, NULL, },
{ "ignore-peer-dns", kv_conn, kt_bool, KNCF_IGNORE_PEER_DNS, NULL, NULL, },
{ "mark", kv_conn, kt_string, KSCF_CONN_MARK_BOTH, NULL, NULL, },
--
2.39.0

View File

@ -0,0 +1,92 @@
From 5101913b1e623121a9222f11eefa18f0a2708b00 Mon Sep 17 00:00:00 2001
From: Andrew Cagney <cagney@gnu.org>
Date: Wed, 27 Mar 2024 10:43:19 -0400
Subject: [PATCH] ikev1: in compute_proto_keymat() only allow explicitly
handled ESP algorithms
---
programs/pluto/ikev1_quick.c | 41 ++++++++++++++----------------------
1 file changed, 16 insertions(+), 25 deletions(-)
diff --git a/programs/pluto/ikev1_quick.c b/programs/pluto/ikev1_quick.c
index 81c522c148..22c346afb4 100644
--- a/programs/pluto/ikev1_quick.c
+++ b/programs/pluto/ikev1_quick.c
@@ -203,7 +203,7 @@ static bool emit_subnet_id(enum perspective perspective,
* RFC 2409 "IKE" section 5.5
* specifies how this is to be done.
*/
-static void compute_proto_keymat(struct state *st,
+static bool compute_proto_keymat(struct state *st,
uint8_t protoid,
struct ipsec_proto_info *pi,
const char *satypename)
@@ -297,27 +297,13 @@ static void compute_proto_keymat(struct state *st,
}
break;
- case ESP_CAST:
- case ESP_TWOFISH:
- case ESP_SERPENT:
- /* ESP_SEED is for IKEv1 only and not supported. Its number in IKEv2 has been re-used */
- bad_case(pi->attrs.transattrs.ta_ikev1_encrypt);
-
default:
- /* bytes */
- needed_len = encrypt_max_key_bit_length(pi->attrs.transattrs.ta_encrypt) / BITS_PER_BYTE;
- if (needed_len > 0) {
- /* XXX: check key_len coupling with kernel.c's */
- if (pi->attrs.transattrs.enckeylen) {
- needed_len =
- pi->attrs.transattrs.enckeylen
- / BITS_PER_BYTE;
- dbg("compute_proto_keymat: key_len=%d from peer",
- (int)needed_len);
- }
- break;
- }
- bad_case(pi->attrs.transattrs.ta_ikev1_encrypt);
+ {
+ enum_buf eb;
+ llog(RC_LOG, st->st_logger, "rejecting request for keymat for %s",
+ str_enum(&esp_transformid_names, protoid, &eb));
+ return false;
+ }
}
dbg("compute_proto_keymat: needed_len (after ESP enc)=%d", (int)needed_len);
needed_len += pi->attrs.transattrs.ta_integ->integ_keymat_size;
@@ -359,14 +345,17 @@ static void compute_proto_keymat(struct state *st,
DBG_dump_hunk(" inbound:", pi->inbound.keymat);
DBG_dump_hunk(" outbound:", pi->outbound.keymat);
}
+
+ return true;
}
-static void compute_keymats(struct state *st)
+static bool compute_keymats(struct state *st)
{
if (st->st_ah.present)
- compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah, "AH");
+ return compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah, "AH");
if (st->st_esp.present)
- compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp, "ESP");
+ return compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp, "ESP");
+ return false;
}
/*
@@ -1460,7 +1449,9 @@ static stf_status quick_inI1_outR1_continue12_tail(struct state *st, struct msg_
fixup_v1_HASH(st, &hash_fixup, st->st_v1_msgid.id, rbody.cur);
/* Derive new keying material */
- compute_keymats(st);
+ if (!compute_keymats(st)) {
+ return STF_FATAL;
+ }
/* Tell the kernel to establish the new inbound SA
* (unless the commit bit is set -- which we don't support).
--
2.45.0

View File

@ -1,198 +0,0 @@
From 474d75be074799efa9e38f346d3fdb76dec3eead Mon Sep 17 00:00:00 2001
From: Andrew Cagney <cagney@gnu.org>
Date: Tue, 5 Dec 2023 13:55:37 -0500
Subject: [PATCH] x509: unpack IPv6 general names based on length
fix #1321
---
programs/pluto/x509.c | 35 +++++++++++++++++++++++++++++------
1 file changed, 29 insertions(+), 6 deletions(-)
diff --git a/programs/pluto/x509.c b/programs/pluto/x509.c
index fbbf5a553e..f7e97b9979 100644
--- a/programs/pluto/x509.c
+++ b/programs/pluto/x509.c
@@ -336,7 +336,7 @@ generalName_t *collect_rw_ca_candidates(struct msg_digest *md)
*/
static void gntoid(struct id *id, const generalName_t *gn, struct logger *logger)
{
- *id = empty_id;
+ *id = empty_id; /* aka ID_NONE */
switch (gn->kind) {
case GN_DNS_NAME: /* ID type: ID_FQDN */
@@ -345,18 +345,37 @@ static void gntoid(struct id *id, const generalName_t *gn, struct logger *logger
break;
case GN_IP_ADDRESS: /* ID type: ID_IPV4_ADDR */
{
+ const struct ip_info *afi = NULL;
+ for (enum ip_index i = 0; i < IP_INDEX_ROOF; i++) {
+ if (ip_families[i].ip_size == gn->name.len) {
+ afi = &ip_families[i];
+ break;
+ }
+ }
+ if (afi == NULL) {
+ llog(RC_LOG, logger,
+ "warning: invalid IP_ADDRESS general name: %zu byte length is not valid",
+ gn->name.len);
+ PEXPECT(logger, id->kind == ID_NONE);
+ return;
+ }
+
/*
* XXX: why could this fail; and what happens when it
* is ignored?
*/
- const struct ip_info *afi = &ipv4_info;
- id->kind = afi->id_ip_addr;
- err_t ugh = hunk_to_address(gn->name, afi, &id->ip_addr);
+ ip_address addr;
+ err_t ugh = hunk_to_address(gn->name, afi, &addr);
if (ugh != NULL) {
llog(RC_LOG, logger,
- "warning: gntoid() failed to initaddr(): %s",
- ugh);
+ "warning: invalid IP_ADDRESS general name: %s",
+ ugh);
+ PEXPECT(logger, id->kind == ID_NONE);
+ return;
}
+
+ id->kind = afi->id_ip_addr;
+ id->ip_addr = addr;
break;
}
case GN_RFC822_NAME: /* ID type: ID_USER_FQDN */
@@ -464,14 +483,18 @@ bool add_pubkey_from_nss_cert(struct pubkey_list **pubkey_db,
return false;
}
+ ldbg(logger, "adding cert using subject name");
replace_public_key(pubkey_db, &pk);
passert(pk == NULL); /*stolen*/
+ ldbg(logger, "adding cert using general names");
add_cert_san_pubkeys(pubkey_db, cert, logger);
if (keyid != NULL && keyid->kind != ID_DER_ASN1_DN &&
keyid->kind != ID_NONE &&
keyid->kind != ID_FROMCERT) {
+ id_buf idb;
+ ldbg(logger, "adding cert using keyid %s", str_id(keyid, &idb));
struct pubkey *pk2 = NULL;
diag_t d = create_pubkey_from_cert(keyid, cert, &pk2, logger);
if (d != NULL) {
--
2.44.0
From 1e27be95cd710a840681d1a51913e6a32ce75a2a Mon Sep 17 00:00:00 2001
From: Andrew Cagney <cagney@gnu.org>
Date: Mon, 11 Mar 2024 17:18:51 -0400
Subject: [PATCH] building: back-port ip_families[] and ip_index
---
include/ip_index.h | 27 +++++++++++++++++++++++++++
include/ip_info.h | 7 +++++--
lib/libswan/ip_info.c | 9 ++++++---
3 files changed, 38 insertions(+), 5 deletions(-)
create mode 100644 include/ip_index.h
diff --git a/include/ip_index.h b/include/ip_index.h
new file mode 100644
index 0000000000..508589b05e
--- /dev/null
+++ b/include/ip_index.h
@@ -0,0 +1,27 @@
+/* ip address type index, for libreswan
+ *
+ * Copyright (C) 2022 Andrew Cagney
+ *
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <https://www.gnu.org/licenses/lgpl-2.1.txt>.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
+ * License for more details.
+ *
+ */
+
+#ifndef IP_INDEX_H
+#define IP_INDEX_H
+
+enum ip_index {
+ IPv4_INDEX,
+ IPv6_INDEX,
+};
+
+#define IP_INDEX_ROOF (IPv6_INDEX+1)
+
+#endif
diff --git a/include/ip_info.h b/include/ip_info.h
index 40e99ef687..c1329a8569 100644
--- a/include/ip_info.h
+++ b/include/ip_info.h
@@ -9,6 +9,7 @@
#include "ip_subnet.h"
#include "ip_selector.h"
#include "ip_sockaddr.h"
+#include "ip_index.h"
struct ip_info {
/*
@@ -113,8 +114,10 @@ struct ip_info {
};
-extern const struct ip_info ipv4_info;
-extern const struct ip_info ipv6_info;
+extern const struct ip_info ip_families[IP_INDEX_ROOF];
+
+#define ipv4_info ip_families[IPv4_INDEX]
+#define ipv6_info ip_families[IPv6_INDEX]
extern const struct ip_info *aftoinfo(int af);
diff --git a/lib/libswan/ip_info.c b/lib/libswan/ip_info.c
index 70cd6a368f..97296d3a11 100644
--- a/lib/libswan/ip_info.c
+++ b/lib/libswan/ip_info.c
@@ -158,7 +158,9 @@ static ip_port port_from_ipv6_sockaddr(const ip_sockaddr sa)
#define IPv4_FF { { 255, 255, 255, 255, }, }
-const struct ip_info ipv4_info = {
+const struct ip_info ip_families[IP_INDEX_ROOF] = {
+
+ [IPv4_INDEX] = {
.ip_version = IPv4,
.ip_size = sizeof(struct in_addr),
@@ -210,11 +212,11 @@ const struct ip_info ipv4_info = {
.id_ip_addr = ID_IPV4_ADDR,
.id_ip_addr_subnet = ID_IPV4_ADDR_SUBNET,
.id_ip_addr_range = ID_IPV4_ADDR_RANGE,
-};
+ },
#define IPv6_FF { { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, }, }
-const struct ip_info ipv6_info = {
+ [IPv6_INDEX] = {
.ip_version = IPv6,
.ip_size = sizeof(struct in6_addr),
@@ -266,6 +268,7 @@ const struct ip_info ipv6_info = {
.id_ip_addr = ID_IPV6_ADDR,
.id_ip_addr_subnet = ID_IPV6_ADDR_SUBNET,
.id_ip_addr_range = ID_IPV6_ADDR_RANGE,
+ }
};
const struct ip_info *aftoinfo(int af)
--
2.44.0

View File

@ -0,0 +1,11 @@
diff -Naur libreswan-4.3-orig/configs/ipsec.conf.in libreswan-4.3/configs/ipsec.conf.in
--- libreswan-4.3-orig/configs/ipsec.conf.in 2021-03-04 14:29:50.591912834 -0500
+++ libreswan-4.3/configs/ipsec.conf.in 2021-03-04 14:30:27.227389433 -0500
@@ -32,6 +32,7 @@
# listen-tcp=yes
# To enable IKE and IPsec over TCP for VPN client, also specify
# tcp-remote-port=4500 in the client's conn section.
+ virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
# if it exists, include system wide crypto-policy defaults
# include /etc/crypto-policies/back-ends/libreswan.config

View File

@ -0,0 +1,85 @@
From 83487373fdd77437e51cfccd41532e270e279e05 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Tue, 10 Jan 2023 00:11:26 +0900
Subject: [PATCH] libreswan-4.3-maintain-different-v1v2-split.patch
---
configs/d.ipsec.conf/ikev2.xml | 14 +++++++-------
lib/libipsecconf/confread.c | 8 +++++++-
programs/whack/whack.c | 4 ++--
3 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/configs/d.ipsec.conf/ikev2.xml b/configs/d.ipsec.conf/ikev2.xml
index 3d03825..285db1b 100644
--- a/configs/d.ipsec.conf/ikev2.xml
+++ b/configs/d.ipsec.conf/ikev2.xml
@@ -2,14 +2,14 @@
<term><emphasis remap='B'>ikev2</emphasis></term>
<listitem>
<para>Whether to use IKEv2 (RFC 7296) or IKEv1 (RFC 4301).
-Currently the accepted values are <emphasis remap='B'>yes</emphasis> (the default),
-signifying only IKEv2 is accepted, or <emphasis remap='B'>no</emphasis>,
+Currently the accepted values are <emphasis remap='B'>insist</emphasis> (the default),
+signifying only IKEv2 is accepted, or <emphasis remap='B'>no</emphasis> (or <emphasis remap='B'>never</emphasis>),
signifying only IKEv1 is accepted. Previous versions allowed the keywords
-<emphasis remap='B'>propose</emphasis> or <emphasis remap='B'>permit</emphasis>
-that would allow either IKEv1 or IKEv2, but this is no longer supported. The
-permit option is interpreted as no and the propose option is interpreted as
-yes. Older versions also supported keyword
-<emphasis remap='B'>insist</emphasis> which is now interpreted as yes.
+<emphasis remap='B'>propose</emphasis>, <emphasis remap='B'>yes</emphasis> or <emphasis remap='B'>permit</emphasis>
+that would allow either IKEv1 or IKEv2, but this is no longer supported and both options
+now cause the connection to fail to load. <emphasis remap='B'>WARNING:</emphasis> This behaviour differs from upstream
+libreswan, which only accepts <emphasis remap='B'>yes</emphasis> or <emphasis remap='B'>no</emphasis> where yes means
+the same as insist.
</para>
</listitem>
</varlistentry>
diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
index b95c90a..e752441 100644
--- a/lib/libipsecconf/confread.c
+++ b/lib/libipsecconf/confread.c
@@ -1340,11 +1340,17 @@ static bool load_conn(struct starter_conn *conn,
switch (conn->options[KNCF_IKEv2]) {
case fo_never:
- case fo_permit:
conn->ike_version = IKEv1;
break;
+ case fo_permit:
+ starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no|never");
+ return true;
+
case fo_propose:
+ starter_error_append(perrl, "ikev2=propose or ikev2=yes is no longer accepted. Use ikev2=insist or ikev2=no|never");
+ return true;
+
case fo_insist:
conn->ike_version = IKEv2;
break;
diff --git a/programs/whack/whack.c b/programs/whack/whack.c
index b512b04..3de020e 100644
--- a/programs/whack/whack.c
+++ b/programs/whack/whack.c
@@ -815,7 +815,7 @@ static const struct option long_opts[] = {
{ "ikev1-allow", no_argument, NULL, CD_IKEv1 + OO }, /* obsolete name */
{ "ikev2", no_argument, NULL, CD_IKEv2 +OO },
{ "ikev2-allow", no_argument, NULL, CD_IKEv2 +OO }, /* obsolete name */
- { "ikev2-propose", no_argument, NULL, CD_IKEv2 +OO }, /* obsolete, map onto allow */
+ /* not in RHEL8 { "ikev2-propose", no_argument, NULL, CD_IKEv2 +OO }, */
PS("allow-narrowing", IKEV2_ALLOW_NARROWING),
#ifdef AUTH_HAVE_PAM
@@ -1802,7 +1802,7 @@ int main(int argc, char **argv)
end_seen = LEMPTY;
continue;
- /* --ikev1 --ikev2 --ikev2-propose */
+ /* --ikev1 --ikev2 */
case CD_IKEv1:
case CD_IKEv2:
{
--
2.39.0

View File

@ -1,63 +0,0 @@
From 13720e0dedcab1eaf3334a73a42b68581acd9f3b Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Fri, 7 Jan 2022 18:36:47 -0500
Subject: [PATCH] ikev1-policy defaults to drop
IKEv2 has been available for 16 years (RFC 4306 was published December
2005). At some point, we should be discouraging IKEv1 adoption.
To the extent that a user needs IKEv1, they can manually add
ikev1-policy=accept to /etc/ipsec.conf.
---
configs/d.ipsec.conf/ikev1-policy.xml | 7 ++++---
include/ipsecconf/keywords.h | 2 +-
lib/libipsecconf/confread.c | 1 +
programs/pluto/server.c | 5 -----
4 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/configs/d.ipsec.conf/ikev1-policy.xml b/configs/d.ipsec.conf/ikev1-policy.xml
index 17d1747e3b..3bd6702564 100644
--- a/configs/d.ipsec.conf/ikev1-policy.xml
+++ b/configs/d.ipsec.conf/ikev1-policy.xml
@@ -3,9 +3,10 @@
<listitem>
<para>
What to do with received IKEv1 packets. Valid options are
-<emphasis remap='B'>accept</emphasis> (default), <emphasis remap='B'>reject</emphasis> which
-will reply with an error, and <emphasis remap='B'>drop</emphasis> which will silently drop
-any received IKEv1 packet. If this option is set to drop or reject, an attempt to load an
+<emphasis remap='B'>drop</emphasis> (default) which will silently drop
+any received IKEv1 packet, <emphasis remap='B'>accept</emphasis>, and
+<emphasis remap='B'>reject</emphasis> which will reply with an error.
+If this option is set to drop or reject, an attempt to load an
IKEv1 connection will fail, as these connections would never be able to receive a packet
for processing.
</para>
diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
index 660847733c..31b519242a 100644
--- a/include/ipsecconf/keywords.h
+++ b/include/ipsecconf/keywords.h
@@ -111,7 +111,7 @@ enum keyword_numeric_config_field {
KBF_LISTEN_TCP, /* listen on TCP port 4500 - default no */
KBF_LISTEN_UDP, /* listen on UDP port 500/4500 - default yes */
- KBF_GLOBAL_IKEv1, /* global ikev1 policy - default accept */
+ KBF_GLOBAL_IKEv1, /* global ikev1 policy - default drop */
KBF_ROOF
};
diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
index 5b5aba723f..68fbccf442 100644
--- a/lib/libipsecconf/confread.c
+++ b/lib/libipsecconf/confread.c
@@ -95,6 +95,7 @@ static void ipsecconf_default_values(struct starter_config *cfg)
/* Don't inflict BSI requirements on everyone */
SOPT(KBF_SEEDBITS, 0);
SOPT(KBF_DROP_OPPO_NULL, false);
+ SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);
#ifdef HAVE_LABELED_IPSEC
SOPT(KBF_SECCTX, SECCTX);
--
2.34.1

View File

@ -0,0 +1,52 @@
From 000b230258dd272ab15b384c330c31f996d0ba18 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Fri, 14 Apr 2023 14:10:47 +0900
Subject: [PATCH] Ignore system crypto-policies for SHA-1 for legacy
authby=rsa-sha1
Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
lib/libswan/pubkey_rsa.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/lib/libswan/pubkey_rsa.c b/lib/libswan/pubkey_rsa.c
index 38b44ab61d..9a7c0bc6a8 100644
--- a/lib/libswan/pubkey_rsa.c
+++ b/lib/libswan/pubkey_rsa.c
@@ -501,9 +501,33 @@ static struct hash_signature RSA_sign_hash_pkcs1_1_5_rsa(const struct secret_stu
* used to generate the signature.
*/
SECItem signature_result = {0};
+
+ /* ignore system crypto-policies for the hash algorithm */
+ PRUint32 saved_policy;
+
+ if (NSS_GetAlgorithmPolicy(hash_algo->nss.oid_tag, &saved_policy) != SECSuccess) {
+ /* PR_GetError() returns the thread-local error */
+ enum_buf tb;
+ llog_nss_error(RC_LOG_SERIOUS, logger,
+ "NSS_SetAlgorithmPolicy(%s) function failed",
+ str_nss_oid(hash_algo->nss.oid_tag, &tb));
+ return (struct hash_signature) { .len = 0, };
+ }
+
+ if (!(saved_policy & NSS_USE_ALG_IN_SIGNATURE)) {
+ (void)NSS_SetAlgorithmPolicy(hash_algo->nss.oid_tag,
+ NSS_USE_ALG_IN_SIGNATURE, 0);
+ }
+
SECStatus s = SGN_Digest(pks->u.pubkey.private_key,
hash_algo->nss.oid_tag,
&signature_result, &digest);
+
+ if (!(saved_policy & NSS_USE_ALG_IN_SIGNATURE)) {
+ (void)NSS_SetAlgorithmPolicy(hash_algo->nss.oid_tag,
+ saved_policy, ~saved_policy);
+ }
+
if (s != SECSuccess) {
/* PR_GetError() returns the thread-local error */
enum_buf tb;
--
2.40.0

View File

@ -3,57 +3,64 @@
%global with_efence 0 %global with_efence 0
%global with_development 0 %global with_development 0
%global with_cavstests 1 %global with_cavstests 1
%global nss_version 3.52 # minimum version for support for rhbz#1651314
# should prob update for nss with IKEv1 quick mode support
%global nss_version 3.53.1
%global unbound_version 1.6.6 %global unbound_version 1.6.6
# Libreswan config options
%global libreswan_config \\\ %global libreswan_config \\\
FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\ FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
FINALMANDIR=%{_mandir} \\\ FINALMANDIR=%{_mandir} \\\
PREFIX=%{_prefix} \\\ FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\
INITSYSTEM=systemd \\\ INITSYSTEM=systemd \\\
NSS_HAS_IPSEC_PROFILE=true \\\
NSS_REQ_AVA_COPY=false \\\
PREFIX=%{_prefix} \\\
PYTHON_BINARY=%{__python3} \\\ PYTHON_BINARY=%{__python3} \\\
SHELL_BINARY=%{_bindir}/sh \\\ SHELL_BINARY=%{_bindir}/sh \\\
USE_DNSSEC=true \\\ USE_DNSSEC=true \\\
USE_FIPSCHECK=false \\\
USE_LABELED_IPSEC=true \\\ USE_LABELED_IPSEC=true \\\
USE_LDAP=true \\\ USE_LDAP=true \\\
USE_LIBCAP_NG=true \\\ USE_LIBCAP_NG=true \\\
USE_LIBCURL=true \\\ USE_LIBCURL=true \\\
USE_LINUX_AUDIT=true \\\ USE_LINUX_AUDIT=true \\\
USE_NM=true \\\ USE_NM=true \\\
USE_NSS_IPSEC_PROFILE=true \\\ USE_NSS_KDF=true \\\
USE_SECCOMP=true \\\ USE_SECCOMP=true \\\
USE_AUTHPAM=true \\\ USE_AUTHPAM=true \\\
USE_DH2=true \\\
%{nil} %{nil}
#global prever dr1 #global prever rc1
Name: libreswan Name: libreswan
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
# version is generated in the release script # version is generated in the release script
Version: 4.12 Version: 4.12
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}.alma.1 Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}.4
License: GPLv2 License: GPLv2
Url: https://libreswan.org/ Url: https://libreswan.org/
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
Source0: https://download.libreswan.org/%{?prever:with_development/}%{name}-%{version}%{?prever}.tar.gz
%if 0%{with_cavstests} %if 0%{with_cavstests}
Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2 Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2 Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif %endif
Patch: libreswan-4.6-ikev1-policy-defaults-to-drop.patch
# Patches were taken from: Patch1: libreswan-4.3-maintain-different-v1v2-split.patch
# https://gitlab.com/redhat/centos-stream/rpms/libreswan/-/commit/673a1e34141cc37fdec71192b4ef6590d8f92cba Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch
Patch: libreswan-4.12-ikev2-auth-delete-state.patch Patch3: libreswan-4.1-maintain-obsolete-keywords.patch
# https://gitlab.com/redhat/centos-stream/rpms/libreswan/-/commit/75c01c300bf0ebbb89059e6bde72e88f5a5ceb49 Patch6: libreswan-4.3-1934186-config.patch
Patch: libreswan-4.12-ipv6-san.patch Patch7: libreswan-4.9-2176248-authby-rsasig.patch
Patch8: libreswan-4.12-ikev2-auth-delete-state.patch
Patch9: libreswan-4.12-ikev1-compute-keymat-default.patch
BuildRequires: audit-libs-devel BuildRequires: audit-libs-devel
BuildRequires: bison BuildRequires: bison
BuildRequires: curl-devel BuildRequires: curl-devel
BuildRequires: flex BuildRequires: flex
BuildRequires: gcc make BuildRequires: gcc make
BuildRequires: hostname
BuildRequires: ldns-devel BuildRequires: ldns-devel
BuildRequires: libcap-ng-devel BuildRequires: libcap-ng-devel
BuildRequires: libevent-devel BuildRequires: libevent-devel
@ -61,10 +68,12 @@ BuildRequires: libseccomp-devel
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
BuildRequires: nspr-devel BuildRequires: nspr-devel
BuildRequires: nss-devel >= %{nss_version} BuildRequires: nss-devel >= %{nss_version}
BuildRequires: nss-tools >= %{nss_version} BuildRequires: nss-tools
BuildRequires: openldap-devel BuildRequires: openldap-devel
BuildRequires: pam-devel BuildRequires: pam-devel
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: hostname
BuildRequires: redhat-rpm-config
BuildRequires: systemd-devel BuildRequires: systemd-devel
BuildRequires: unbound-devel >= %{unbound_version} BuildRequires: unbound-devel >= %{unbound_version}
BuildRequires: xmlto BuildRequires: xmlto
@ -83,7 +92,7 @@ Requires(preun): systemd
Requires(postun): systemd Requires(postun): systemd
%description %description
Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is Libreswan is a free implementation of IKE/IPsec for Linux. IPsec is
the Internet Protocol Security and uses strong cryptography to provide the Internet Protocol Security and uses strong cryptography to provide
both authentication and encryption services. These services allow you both authentication and encryption services. These services allow you
to build secure tunnels through untrusted networks. Everything passing to build secure tunnels through untrusted networks. Everything passing
@ -100,9 +109,19 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
%prep %prep
%setup -q -n libreswan-%{version}%{?prever} %setup -q -n libreswan-%{version}%{?prever}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
# linking to freebl is not needed
sed -i "s/-lfreebl //" mk/config.mk
# enable crypto-policies support # enable crypto-policies support
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
%autopatch -p1
%build %build
make %{?_smp_mflags} \ make %{?_smp_mflags} \
@ -111,21 +130,20 @@ make %{?_smp_mflags} \
%else %else
OPTIMIZE_CFLAGS="%{optflags}" \ OPTIMIZE_CFLAGS="%{optflags}" \
%endif %endif
WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch -Wno-maybe-uninitialized" \
%if 0%{with_efence} %if 0%{with_efence}
USE_EFENCE=true \ USE_EFENCE=true \
%endif %endif
USERLINK="%{?__global_ldflags} -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -flto --no-lto" \ WERROR_CFLAGS="-Werror -Wno-missing-field-initializers" \
USERLINK="%{?__global_ldflags}" \
%{libreswan_config} \ %{libreswan_config} \
programs programs
FS=$(pwd) FS=$(pwd)
%install %install
make \ make \
DESTDIR=%{buildroot} \ DESTDIR=%{buildroot} \
%{libreswan_config} \ %{libreswan_config} \
install install
FS=$(pwd) FS=$(pwd)
rm -rf %{buildroot}/usr/share/doc/libreswan rm -rf %{buildroot}/usr/share/doc/libreswan
rm -rf %{buildroot}%{_libexecdir}/ipsec/*check rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
@ -135,10 +153,10 @@ install -d %{buildroot}%{_sbindir}
install -d %{buildroot}%{_sysconfdir}/sysctl.d install -d %{buildroot}%{_sysconfdir}/sysctl.d
install -m 0644 packaging/fedora/libreswan-sysctl.conf \ install -m 0644 packaging/fedora/libreswan-sysctl.conf \
%{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
echo "include %{_sysconfdir}/ipsec.d/*.secrets" \ echo "include %{_sysconfdir}/ipsec.d/*.secrets" \
> %{buildroot}%{_sysconfdir}/ipsec.secrets > %{buildroot}%{_sysconfdir}/ipsec.secrets
rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc* rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
%if 0%{with_cavstests} %if 0%{with_cavstests}
@ -159,7 +177,6 @@ bunzip2 *.fax.bz2
%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \ %{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
diff -u ikev1_psk.fax - > /dev/null diff -u ikev1_psk.fax - > /dev/null
: CAVS tests passed : CAVS tests passed
%endif
# Some of these tests will show ERROR for negative testing - it will exit on real errors # Some of these tests will show ERROR for negative testing - it will exit on real errors
%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; } %{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; }
@ -172,6 +189,8 @@ certutil -N -d sql:$tmpdir --empty-password
%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir %{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir
: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST : pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST
%endif
%post %post
%systemd_post ipsec.service %systemd_post ipsec.service
@ -191,199 +210,175 @@ certutil -N -d sql:$tmpdir --empty-password
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/* %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
%attr(0755,root,root) %dir %{_rundir}/pluto %attr(0755,root,root) %dir %{_rundir}/pluto
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec/nss
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf %attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
%attr(0644,root,root) %{_unitdir}/ipsec.service %attr(0644,root,root) %{_unitdir}/ipsec.service
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan %config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
%{_sbindir}/ipsec %{_sbindir}/ipsec
%{_libexecdir}/ipsec %{_libexecdir}/ipsec
%doc %{_mandir}/*/* %attr(0644,root,root) %doc %{_mandir}/*/*
%changelog %changelog
* Tue Apr 30 2024 Eduard Abdullin <eabdullin@almalinux.org> - 4.12-2.alma.1 * Thu Jun 6 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.4
- Bump release - Fix CVE-2024-3652 (RHEL-32482)
* Wed Apr 24 2024 Eduard Abdullin <eabdullin@almalinux.org> - 4.12-1.1.alma.1 * Wed Apr 17 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.3
- ikev2: return STF_FATAL when initiator fails to emit AUTH - Bump release to ensure el8 package is greater than el8_* packages
packet
- x509: unpack IPv6 general names based on length * Tue Apr 16 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.2
- Fix patch application in the previous change
* Mon Apr 15 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.1
- Fix CVE-2024-2357 (RHEL-28742)
* Fri Aug 25 2023 Daiki Ueno <dueno@redhat.com> - 4.12-2
- Resolves: rhbz#2234731 authby=rsasig fails in FIPS policy
* Wed Aug 9 2023 Daiki Ueno <dueno@redhat.com> - 4.12-1 * Wed Aug 9 2023 Daiki Ueno <dueno@redhat.com> - 4.12-1
- Update to 4.12 to fix CVE-2023-38710, CVE-2023-38711, CVE-2023-38712 - Update to 4.12 to fix CVE-2023-38710, CVE-2023-38711, CVE-2023-38712
- Resolves: rhbz#2215956 - Resolves: rhbz#2215955
* Fri May 05 2023 Sahana Prasad <sahana@redhat.com> - 4.9-5 * Thu May 04 2023 Sahana Prasad <sahana@redhat.com> - 4.9-2
- Just bumping up the version to include bugs for CVE-2023-2295. There is no - Fix CVE-2023-30570 Malicious IKEv1 Aggressive Mode packets can crash libreswan
code fix for it. Fix for it is including the code fix for CVE-2023-30570. - Resolves: rhbz#2187179
- Fix CVE-2023-2295 Regression of CVE-2023-30570 fixes in the
Red Hat Enterprise Linux
- Resolves: rhbz#2189777, rhbz#2190148
* Thu May 04 2023 Sahana Prasad <sahana@redhat.com> - 4.9-4 * Mon Jan 9 2023 Daiki Ueno <dueno@redhat.com> - 4.9-1
- Just bumping up the version as an incorrect 9.3 build was created. - Resolves: rhbz#2128672 Rebase libreswan to 4.9
- Related: rhbz#2187171 - Remove libreswan-4.4-ikev1-disable-diagnostics.patch no longer necessary
* Thu May 04 2023 Sahana Prasad <sahana@redhat.com> - 4.9-3 * Thu Jan 13 2022 Daiki Ueno <dueno@redhat.com> - 4.5-1
- Fix CVE-2023-30570:Malicious IKEv1 Aggressive Mode packets can crash - Resolves: rhbz#2017352 Rebase libreswan to 4.5
libreswan - Resolves: rhbz#2036903 ikev1: disable diagnostics logging on receiving malformed packets
- Resolves: rhbz#2187171
* Tue Apr 4 2023 Daiki Ueno <dueno@redhat.com> - 4.9-2 * Wed May 26 2021 Daiki Ueno <dueno@redhat.com> - 4.4-1
- Fix CVE-2023-23009: remote DoS via crafted TS payload with an - Resolves: rhbz#1958968 Rebase libreswan to 4.4
incorrect selector length (rhbz#2173674) - Resolves: rhbz#1954423 Libreswan: TS_UNACCEPTABLE on multiple connections between the same peers
* Wed Jan 4 2023 Daiki Ueno <dueno@redhat.com> - 4.9-1 * Thu Mar 04 2021 Paul Wouters <pwouters@redhat.com> - 4.3-3
- Update to 4.9. Resolves: rhbz#2128669 - Resolves: rhbz#1933064 - IKEv2 support for Labeled IPsec
- Switch to using %%autopatch as in Fedora - Resolves: rhbz#1935150 RFE: Support IKE and ESP over TCP: RFC 8229
- Resolves: rhbz#1935339 virtual_private setting is missing in the default config
* Wed Feb 2 2022 Daiki Ueno <dueno@redhat.com> - 4.6-3 * Sun Feb 21 2021 Paul Wouters <pwouters@redhat.com> - 4.3-1
- Drop IKEv1 packets by default, based on the Debian patch - Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec [update]
by Daniel Kahn Gillmor (rhbz#2039877)
* Mon Jan 17 2022 Daiki Ueno <dueno@redhat.com> - 4.6-2 * Thu Feb 04 2021 Paul Wouters <pwouters@redhat.com> - 4.2-1
- Related: rhbz#2017355 rebuild to reflect gating.yaml change - Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.2
- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec
* Mon Jan 17 2022 Daiki Ueno <dueno@redhat.com> - 4.6-1 * Tue Oct 27 22:11:42 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.1-1
- Update to 4.6. Resolves: rhbz#2017355 - Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.1
- Resolves: rhbz#1889836 libreswan: add 3.x compat patches for obsoleted/removed keywords of 4.0 and re-port ikev2= patch
* Mon Jan 10 2022 Daiki Ueno <dueno@redhat.com> - 4.5-1 * Wed Jul 29 2020 Paul Wouters <pwouters@redhat.com> - 3.32-6
- Update to 4.5. Resolves: rhbz#2017355 - Resolves: rhbz#1861360 authby=rsasig must not imply usage of rsa-pss
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 4.4-3.1 * Wed Jul 22 2020 Paul Wouters <pwouters@redhat.com> - 3.32-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Resolves: rhbz#1820206 Rebase to libreswan 3.32 [rebuild for USE_NSS_PRF]
Related: rhbz#1991688
* Wed Jul 21 2021 Daiki Ueno <dueno@redhat.com> - 4.4-3 * Wed Jul 01 2020 Paul Wouters <pwouters@redhat.com> - 3.32-4
- Backport removal gethostbyname2 uses from the upstream - Resolves: rhbz#1544463 ipsec service does not work correctly when seccomp filtering is enabled
- Fix issues spotted by covscan (rhbz#1938784)
* Tue Jul 13 2021 Daiki Ueno <dueno@redhat.com> - 4.4-2 * Wed Jun 17 2020 Paul Wouters <pwouters@redhat.com> - 3.32-3
- Rebuild with newer GCC to fix annocheck failures - Resolves: rhbz#1842597 regression: libreswan does not send PLUTO_BYTES env variables to updown script
- Resolves: rhbz#1847766 subsequent xfrmi interfaces configured outside of libreswan are not recognised properly
- Resolves: rhbz#1840212 protect libreswan against unannounced nss ABI change
* Thu Jul 1 2021 Daiki Ueno <dueno@redhat.com> - 4.4-1 * Thu Jun 11 2020 Paul Wouters <pwouters@redhat.com> - 3.32-2
- Update to 4.4. Resolves: rhbz#1975812 - Resolves: rhbz#1820206 Rebase to libreswan 3.32 [addconn fix]
- Port compiler warning suppression by Paul Wouters:
https://src.fedoraproject.org/rpms/libreswan/c/8d7f98d41444ac77c562f735b4b93038f5346ce2?branch=rawhide
* Thu Jun 24 2021 Daiki Ueno <dueno@redhat.com> - 4.2-1.3 * Thu Apr 30 2020 Paul Wouters <pwouters@redhat.com> - 3.32-1
- Fix FTBFS with OpenSSL 3.0 (rhbz#1975439) - Resolves: rhbz#1820206 Rebase to libreswan 3.32
- Resolves: rhbz#1816265 Use NSS to check whether FIPS mode is enabled
- Resolves: rhbz#1826337 libreswan in FIPS mode rejects ECDSA keys based on faulty RSA key size check being applied
* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 4.2-1.2 * Tue Aug 13 2019 Paul Wouters <pwouters@redhat.com> - 3.29-6
- Rebuilt for RHEL 9 BETA for openssl 3.0 - Resolves: rhbz#1714331 support NSS based IKE KDF's [require updated nss for rhbz 1738689, memleak fix]
Related: rhbz#1971065
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 4.2-1.1 * Thu Aug 08 2019 Paul Wouters <pwouters@redhat.com> - 3.29-5
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 - Resolves: rhbz#1714331 support NSS based IKE KDF's so libreswan does not need FIPS certification
* Wed Feb 03 2021 Paul Wouters <pwouters@redhat.com> - 4.2-1 * Thu Aug 01 2019 Paul Wouters <pwouters@redhat.com> - 3.29-4
- Update to 4.2 - Resolves: rhbz#1699318 'ipsec show' has python3 invalid syntax
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.2-0.1.rc1.1 * Thu Jul 04 2019 Paul Wouters <pwouters@redhat.com> - 3.29-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - Resolves: rhbz#1725205 XFRM policy for OE/32 peer is deleted when shunts for previous half-open state expire
* Sat Dec 19 19:59:55 EST 2020 Paul Wouters <pwouters@redhat.com> - 4.2-0.1.rc1 * Thu Jun 27 2019 Paul Wouters <pwouters@redhat.com> - 3.29-2
- Resolves: rhbz#1867580 pluto process frequently dumps core - Resolves: rhbz#1723957 libreswan is missing linux audit calls for failed IKE SAs and failed IPsec SAs required for Common Criteria
(disable USE_NSS_KDF until nss fixes have propagated)
* Sat Dec 19 2020 Adam Williamson <awilliam@redhat.com> - 4.1-4
- Rebuild for ldns soname bump
* Mon Nov 23 11:50:41 EST 2020 Paul Wouters <pwouters@redhat.com> - 4.1-3
- Resolves: rhbz#1894381 Libreswan 4.1-2 breaks l2tp connection to Windows VPN server
* Mon Oct 26 10:21:57 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.1-2
- Resolves: rhbz#1889538 libreswan's /var/lib/ipsec/nss missing
* Sun Oct 18 21:49:39 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.1-1
- Updated to 4.1 - interop fix for Cisco
* Thu Oct 15 10:27:14 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.0-1
- Resolves: rhbz#1888448 libreswan-4.0 is available
* Wed Sep 30 14:05:58 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.0-0.2.rc1
- Rebuild for libevent 2.1.12 with a soname bump
* Sun Sep 27 22:49:40 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.0-0.1.rc1
- Updated to 4.0rc1
* Thu Aug 27 2020 Paul Wouters <pwouters@redhat.com> - 3.32-4
- Resolves: rhbz#1864043 libreswan: FTBFS in Fedora rawhide/f33
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.32-3.2
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.32-3.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jun 30 2020 Jeff Law <law@redhat.com> - 3.32-3
- Initialize ppk_id_p in ikev2_parent_inR1outI2_tail to avoid uninitialized
object
* Tue May 26 2020 Paul Wouters <pwouters@redhat.com> - 3.32-2
- Backport NSS guarding fix for unannounced changed api in NSS causing segfault
* Mon May 11 2020 Paul Wouters <pwouters@redhat.com> - 3.32-1
- Resolves: rhbz#1809770 libreswan-3.32 is available
* Tue Apr 14 2020 Paul Wouters <pwouters@redhat.com> - 3.31-2
- Resolves: rhbz#1823823 Please drop the dependency on fipscheck
* Tue Mar 03 2020 Paul Wouters <pwouters@redhat.com> - 3.31-1
- Resolves: rhbz#1809770 libreswan-3.31 is available (fixes rekey regression)
* Fri Feb 14 2020 Paul Wouters <pwouters@redhat.com> - 3.30-1
- Resolves: rhbz#1802896 libreswan-3.30 is available
- Resolves: rhbz#1799598 libreswan: FTBFS in Fedora rawhide/f32
- Resolves: rhbz#1760571 [abrt] libreswan: configsetupcheck(): verify:366:configsetupcheck:TypeError:
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.29-2.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jan 09 2020 Paul Wouters <pwouters@redhat.com> - 3.29-2
- _updown.netkey: fix syntax error in checking routes
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.29-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Jun 10 2019 Paul Wouters <pwouters@redhat.com> - 3.29-1 * Mon Jun 10 2019 Paul Wouters <pwouters@redhat.com> - 3.29-1
- Resolves: rhbz#1718986 Updated to 3.29 for CVE-2019-10155 - Resolves: rhbz#1712555 libreswan rebase to 3.29
* Tue May 28 2019 Paul Wouters <pwouters@redhat.com> - 3.28-2
- Resolves: rhbz#1713734: barf: shell syntax error in barf diagnostic tool
* Tue May 21 2019 Paul Wouters <pwouters@redhat.com> - 3.28-1 * Tue May 21 2019 Paul Wouters <pwouters@redhat.com> - 3.28-1
- Updated to 3.28 (many imported bugfixes, including CVE-2019-12312) - Resolves: rhbz#1712555 libreswan rebase to 3.28
- Resolves: rhbz#1683706 Libreswan shows incorrect error messages
- Resolves: rhbz#1706180 Remove last usage of old (unused) PF_KEY API
- Resolves: rhbz#1677045 Opportunistic IPsec instances of /32 groups or auto=start that receive delete won't restart
- Resolves: rhbz#1686990 IKEv1 traffic interruption when responder deletes SAs 60 seconds before EVENT_SA_REPLACE
- Resolves: rhbz#1608353 /usr/sbin/ipsec part of the libreswan packages still invokes commands that were deprecated a decade ago
- Resolves: rhbz#1699318 'ipsec show' has python3 invalid syntax
- Resolves: rhbz#1679394 libreswan using NSS IPsec profiles regresses when critical flags are set causing validation failure
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.27-1.2 * Thu Feb 21 2019 Paul Wouters <pwouters@redhat.com> - 3.27-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - Resolves: rhbz#1648776 limit connections to be ikev1only or ikev2only and make ikev2only the default [man page update]
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 3.27-1.1 * Fri Feb 15 2019 Paul Wouters <pwouters@redhat.com> - 3.27-8
- Rebuilt for libcrypt.so.2 (#1666033) - Resolves: rhbz#1664101 system wide crypto policies causing IKE_INIT packet fragmentation
* Tue Feb 05 2019 Paul Wouters <pwouters@redhat.com> - 3.27-7
- Resolves: rhbz#1671793 proessing ISAKMP_NEXT_D with additional payloads causes dangling pointer to deleted state
* Fri Feb 01 2019 Paul Wouters <pwouters@redhat.com> - 3.27-6
- Resolves: rhbz#1668342 SELinux prevents libreswan from using some outbound ports causing DNS resolution failures at connection at load time
* Thu Jan 10 2019 Paul Wouters <pwouters@redhat.com> - 3.27-5
- Resolves: rhbz#1664522 libreswan 3.25 in FIPS mode is incorrectly rejecting X.509 public keys that are >= 3072 bits
* Mon Dec 10 2018 Paul Wouters <pwouters@redhat.com> - 3.27-4
- Resolves: rhbz#1657846 libreswan no longer needs to provide openswan in rhel8
- Resolves: rhbz#1643388 libreswan: Unable to verify certificate with non-empty Extended Key Usage which does not include serverAuth or clientAuth
- Resolves: rhbz#1657854 remove userland support for deprecated KLIPS IPsec stack support
* Sun Dec 09 2018 Paul Wouters <pwouters@redhat.com> - 3.27-3
- Resolves: rhbz#1648776 limit connections to be ikev1only or ikev2only and make ikev2only the default
* Thu Nov 08 2018 Paul Wouters <pwouters@redhat.com> - 3.27-2
- Resolves: rhbz#1645137 Libreswan segfaults when it loads configuration file with more then 5 connections
* Mon Oct 08 2018 Paul Wouters <pwouters@redhat.com> - 3.27-1 * Mon Oct 08 2018 Paul Wouters <pwouters@redhat.com> - 3.27-1
- Updated to 3.27 (various bugfixes) - Resolves: rhbz#1566574 Rebase to libreswan 3.27
* Thu Sep 27 2018 Paul Wouters <pwouters@redhat.com> - 3.26-3
- Add fedora python fixup for _unbound-hook
* Mon Sep 17 2018 Paul Wouters <pwouters@redhat.com> - 3.26-2
- linking against freebl is no longer needed (and wasn't done in 3.25)
* Mon Sep 17 2018 Paul Wouters <pwouters@redhat.com> - 3.26-1 * Mon Sep 17 2018 Paul Wouters <pwouters@redhat.com> - 3.26-1
- Updated to 3.26 (CHACHA20POLY1305, ECDSA and RSA-PSS support) - Resolves: rhbz#1566574 Rebase to libreswan 3.26
- Resolves: rhbz#1527037 libreswan IPSEC implementation: should follow the policies of system-wide crypto policy
- Resolves: rhbz#1375779 [IKEv2 Conformance] Test IKEv2.EN.R.1.1.6.7: Sending INVALID_KE_PAYLOAD failed
- Resolves: rhbz#1085758 [TAHI][IKEv2] IKEv2.EN.I.1.2.1.1: Can't observe CREATE_CHILD_SA request for rekey
- Resolves: rhbz#1053048 [TAHI][IKEv2] IKEv2.EN.I.1.2.4.1-7: libreswan doesn't sent CREATE_CHILD_SA after IKE_SA Lifetime timeout
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.25-3.1 * Mon Aug 13 2018 Paul Wouters <pwouters@redhat.com> - 3.25-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - Resolves: rhbz#1590823 libreswan: Use Python 3 in RHEL 8
* Wed Aug 01 2018 Charalampos Stratakis <cstratak@redhat.com> - 3.25-3.1
- Rebuild for platform-python
* Mon Jul 09 2018 Paul Wouters <pwouters@redhat.com> - 3.25-3 * Mon Jul 09 2018 Paul Wouters <pwouters@redhat.com> - 3.25-3
- Fix Opportunistic IPsec _unbound-hook argument parsing - Cleanup shebangs for python3
- Make rundir readable for all (so we can hand out permissions later) - Use the same options via macro for make programs and make install
- Remove old ifdefs
- Sync up patches to new upstream version
- Add Requires: for unbound-libs >= 1.6.6
- Enable crypto-policies support
- Make rundir world readable for easier permission granting for socket
* Mon Jul 02 2018 Paul Wouters <pwouters@redhat.com> - 3.25-2 * Tue Jun 26 2018 Charalampos Stratakis <cstratak@redhat.com> - 3.23-2.2
- Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors - Make python shebangs point to python3
* Wed Jun 27 2018 Paul Wouters <pwouters@redhat.com> - 3.25-1 * Fri Jun 22 2018 Troy Dawson <tdawson@redhat.com> - 3.23-2.1
- Updated to 3.25 - Fix python shebangs (#1580773)
* Mon Feb 19 2018 Paul Wouters <pwouters@redhat.com> - 3.23-2 * Mon Feb 19 2018 Paul Wouters <pwouters@redhat.com> - 3.23-2
- Support crypto-policies package - Support crypto-policies package