libreswan/libreswan-3.23-crypto-policies.patch
Paul Wouters f9eee4360c * Mon Feb 19 2018 Paul Wouters <pwouters@redhat.com> - 3.23-2
- Support crypto-policies package
- Pull in some patches from upstream and IANA registry updates
- gcc7 format-truncate fixes and workarounds
2018-02-19 18:13:58 -05:00

67 lines
2.7 KiB
Diff

diff --git a/lib/libipsecconf/parser.l b/lib/libipsecconf/parser.l
index c41dd8048..cc2faf5c9 100644
--- a/lib/libipsecconf/parser.l
+++ b/lib/libipsecconf/parser.l
@@ -160,7 +160,9 @@ static int parser_y_nextglobfile(struct ic_inputsource *iis)
char ebuf[128];
snprintf(ebuf, sizeof(ebuf),
- "cannot open include filename: '%s': %s",
+ (strstr(iis->filename, "crypto-policies/back-ends/libreswan.config") == NULL) ?
+ "cannot open include filename: '%s': %s" :
+ "ignored loading default system-wide crypto-policies file '%s': %s",
iis->fileglob.gl_pathv[fcnt],
strerror(errno));
yyerror(ebuf);
diff --git a/programs/configs/ipsec.conf.in b/programs/configs/ipsec.conf.in
index 7374efc3c..974699f01 100644
--- a/programs/configs/ipsec.conf.in
+++ b/programs/configs/ipsec.conf.in
@@ -1,27 +1,18 @@
# @FINALCONFDIR@/ipsec.conf - Libreswan IPsec configuration file
#
-# Manual: ipsec.conf.5
+# see 'man ipsec.conf' and 'man pluto' for more information
+#
+# For example configurations and documentation, see https://libreswan.org/wiki/
config setup
- # Normally, pluto logs via syslog. If you want to log to a file,
- # specify below or to disable logging, eg for embedded systems, use
- # the file name /dev/null
- # Note: SElinux policies might prevent pluto writing to a log file at
- # an unusual location.
+ # Normally, pluto logs via syslog.
#logfile=/var/log/pluto.log
#
# Do not enable debug options to debug configuration issues!
#
- # plutodebug "all", "none" or a combation from below:
- # "raw crypt parsing emitting control controlmore kernel pfkey
- # natt x509 dpd dns oppo oppoinfo private".
- # Note: "private" is not included with "all", as it can show confidential
- # information. It must be specifically specified
- # examples:
# plutodebug="control parsing"
# plutodebug="all crypt"
- # Again: only enable plutodebug when asked by a developer
- #plutodebug=none
+ plutodebug=none
#
# NAT-TRAVERSAL support
# exclude networks used on server side by adding %v4:!a.b.c.0/24
@@ -30,10 +21,8 @@ config setup
# This range has never been announced via BGP (at least up to 2015)
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
-# For example connections, see your distribution's documentation directory,
-# or https://libreswan.org/wiki/
-#
-# There is also a lot of information in the manual page, "man ipsec.conf"
-#
+# if it exists, include system wide crypto-policy defaults
+include /etc/crypto-policies/back-ends/libreswan.config
+
# It is best to add your IPsec connections as separate files in @IPSEC_CONFDDIR@/
include @IPSEC_CONFDDIR@/*.conf