diff -Naur libreswan-3.27-orig/lib/libipsecconf/confread.c libreswan-3.27/lib/libipsecconf/confread.c
--- libreswan-3.27-orig/lib/libipsecconf/confread.c 2018-12-09 12:45:14.559217654 -0500
+++ libreswan-3.27/lib/libipsecconf/confread.c 2018-12-09 13:05:01.641609352 -0500
@@ -148,7 +148,7 @@
cfg->conn_default.policy =
POLICY_TUNNEL |
POLICY_ENCRYPT | POLICY_PFS |
- POLICY_IKEV1_ALLOW | POLICY_IKEV2_ALLOW | /* ikev2=permit */
+ POLICY_IKEV2_ALLOW | POLICY_IKEV2_PROPOSE | /* ikev2=insist */
POLICY_SAREF_TRACK | /* sareftrack=yes */
POLICY_IKE_FRAG_ALLOW | /* ike_frag=yes */
POLICY_ESN_NO; /* esn=no */
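Review bot: The new default `POLICY_IKEV2_ALLOW | POLICY_IKEV2_PROPOSE` drops POLICY_IKEV1_ALLOW, so any conn that does not set ikev2= explicitly will now refuse IKEv1 peers; this matches the `insist (the default)` wording in the ikev2.xml hunk of this patch, but the inline comment only says `/* ikev2=insist */`. Suggest recording the consequence where an operator reading the code will look, e.g. `/* ikev2=insist: IKEv1 is no longer enabled by default; use ikev2=no for IKEv1-only peers */`. The surrounding assignment belongs to a function that starts and ends outside this hunk.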
@@ -1257,16 +1257,15 @@
break;
case fo_permit:
- /* this is the default for now */
- pv2 = POLICY_IKEV1_ALLOW | POLICY_IKEV2_ALLOW;
- break;
+ starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=yes or ikev2=no");
+ return TRUE;
case fo_propose:
- pv2 = POLICY_IKEV1_ALLOW | POLICY_IKEV2_ALLOW | POLICY_IKEV2_PROPOSE;
- break;
+ starter_error_append(perrl, "ikev2=propose is no longer accepted. Use ikev2=yes or ikev2=no");
+ return TRUE;
case fo_insist:
- pv2 = POLICY_IKEV2_ALLOW | POLICY_IKEV2_PROPOSE;
+ pv2 = POLICY_IKEV2_ALLOW | POLICY_IKEV2_PROPOSE;
break;
}
conn->policy = (conn->policy & ~POLICY_IKEV2_MASK) | pv2;
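Review bot: The replacement suggested by the new error strings, `starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=yes or ikev2=no");` and the matching ikev2=propose line, points users at `ikev2=yes`, yet the ikev2.xml hunk in this same patch states that `yes` is no longer supported and makes the connection fail to load. If `yes` is still an alias of fo_propose in kw_fourvalued_values (that table's `yes` entry lies outside the keywords.c hunk), following the advice lands in this same rejected branch. Suggest naming the values the new documentation actually accepts, e.g. `"ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no"` for both messages, or remapping `yes` to fo_insist in keywords.c so the message stays true. The `return TRUE` appears to follow the function's existing error-return convention, but the enclosing function starts and ends outside this hunk, so that could not be confirmed here.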
diff -Naur libreswan-3.27-orig/lib/libipsecconf/keywords.c libreswan-3.27/lib/libipsecconf/keywords.c
--- libreswan-3.27-orig/lib/libipsecconf/keywords.c 2018-10-07 22:52:09.000000000 -0400
+++ libreswan-3.27/lib/libipsecconf/keywords.c 2018-12-09 13:02:15.541619284 -0500
@@ -74,7 +74,7 @@
static const struct keyword_enum_values kw_keyexchange_list = VALUES_INITIALIZER(kw_keyexchange_values);
/*
- * Values for Four-State options, such as ikev2
+ * Values for Four-State options, such as ppk
*/
static const struct keyword_enum_value kw_fourvalued_values[] = {
{ "never", fo_never },
diff -Naur libreswan-3.27-orig/programs/configs/d.ipsec.conf/ikev2.xml libreswan-3.27/programs/configs/d.ipsec.conf/ikev2.xml
--- libreswan-3.27-orig/programs/configs/d.ipsec.conf/ikev2.xml 2018-10-07 22:52:09.000000000 -0400
+++ libreswan-3.27/programs/configs/d.ipsec.conf/ikev2.xml 2018-12-09 13:02:15.541619284 -0500
@@ -1,25 +1,13 @@
<varlistentry>
<term><emphasis remap='B'>ikev2</emphasis></term>
<listitem>
-<para>IKEv2 (RFC 7296) settings to be used. Currently the accepted
-values are <emphasis remap='B'>permit</emphasis>(the default),
-signifying IKEv2 will be accepted if received, but IKEv1 will be used
-when initiating; <emphasis remap='B'>never</emphasis> or
-remap='B'>no</emphasis> signifying no IKEv2 negotiation should be
-transmitted or accepted; <emphasis remap='B'>propose</emphasis> or
-<emphasis remap='B'>yes</emphasis> signifying that we permit IKEv1
-and IKEv2, and use IKEv2 as the default to initiate; and
-remap='B'>insist</emphasis>signifying we only accept and receive IKEv2 -
-IKEv1 negotiations will be rejected.
-</para><para>
-If the ikev2= setting is set to <emphasis remap='B'>permit</emphasis>
-or <emphasis remap='B'>propose</emphasis>, Libreswan will try and detect a
-"bid down" attack from IKEv2 to IKEv1. Since there is no standard for
-transmitting the IKEv2 capability with IKEv1, Libreswan uses a special
-Vendor ID "CAN-IKEv2". If a fall back from IKEv2 to IKEv1 was detected,
-and the IKEv1 negotiation contains Vendor ID "CAN-IKEv2", Libreswan will
-immediately attempt and IKEv2 rekey and refuse to use the IKEv1 connection.
-With an ikev2= setting of <emphasis remap='B'>insist</emphasis>, no IKEv1
-negotiation is allowed, and no bid down attack is possible.</para>
+<para>Wether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) as the Internet Key Exchange (IKE) protcol.
+Currently the accepted values are <emphasis remap='B'>no</emphasis> (or <emphasis remap='B'>never</emphasis>)
+signifying only IKEv1 is accepted, or <emphasis remap='B'>insist</emphasis>(the default),
+signifying only IKEv2 is accepted. Previous versions allowed the keywords
+<emphasis remap='B'>propose</emphasis>, <emphasis remap='B'>yes</emphasis> or <emphasis remap='B'>permit</emphasis>
+that would allow either IKEv1 or IKEv2, but this is no longer supported and both options
+now cause the connection to fail to load.
+</para>
</listitem>
</varlistentry>
diff -Naur libreswan-3.27-orig/programs/whack/whack.c libreswan-3.27/programs/whack/whack.c
--- libreswan-3.27-orig/programs/whack/whack.c 2018-10-07 22:52:09.000000000 -0400
+++ libreswan-3.27/programs/whack/whack.c 2018-12-09 13:06:01.825333781 -0500
@@ -108,7 +108,7 @@
" [--mtu <mtu>] \\\n"
" [--priority <prio>] [--reqid <reqid>] \\\n"
" [--tfc <size>] [--send-no-esp-tfc] \\\n"
- " [--ikev1-allow | --ikev2-allow | --ikev2-propose] \\\n"
+ " [--ikev1-allow | --ikev2-allow ] \\\n"
" [--allow-narrowing] [--sareftrack] [--sarefconntrack] \\\n"
" [--ikefrag-allow | --ikefrag-force] [--no-ikepad] \\\n"
" [--esn ] [--no-esn] [--decap-dscp] [--nopmtudisc] [--mobike] \\\n"
@@ -711,7 +711,6 @@
PS("ikev1-allow", IKEV1_ALLOW),
PS("ikev2-allow", IKEV2_ALLOW),
- PS("ikev2-propose", IKEV2_PROPOSE),
PS("allow-narrowing", IKEV2_ALLOW_NARROWING),
#ifdef XAUTH_HAVE_PAM
@@ -1627,8 +1626,6 @@
case CDP_SINGLETON + POLICY_IKEV1_ALLOW_IX:
/* --ikev2-allow */
case CDP_SINGLETON + POLICY_IKEV2_ALLOW_IX:
- /* --ikev2-propose */
- case CDP_SINGLETON + POLICY_IKEV2_PROPOSE_IX:
/* --allow-narrowing */
case CDP_SINGLETON + POLICY_IKEV2_ALLOW_NARROWING_IX:
@@ -2191,6 +2188,15 @@
break;
}
+ /* fixup old to new style IKEv1/IKEv2 settings */
+ if (msg.policy & POLICY_IKEV2_ALLOW) {
+ /* IKEv2 now always has ALLOW+PROPOSE */
+ msg.policy |= POLICY_IKEV2_PROPOSE;
+ }
+ if (msg.policy & POLICY_IKEV2_ALLOW &&
+ msg.policy & POLICY_IKEV1_ALLOW) {
+ diag("connection cannot be both ikev1 and ikev2");
+ }
if (oppo_dport != 0)
setportof(htons(oppo_dport), &msg.oppo_peer_client);
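Review bot: The new conflict test `if (msg.policy & POLICY_IKEV2_ALLOW && msg.policy & POLICY_IKEV1_ALLOW)` relies on `&` binding tighter than `&&`; that is correct C, but gcc's -Wparentheses flags exactly this shape and the mask test later in this patch is parenthesized, so write it as `if ((msg.policy & POLICY_IKEV2_ALLOW) && (msg.policy & POLICY_IKEV1_ALLOW))`. Whether `diag()` terminates whack or only prints is not visible in this hunk; if it only prints, `msg.policy` keeps both version bits and, because POLICY_IKEV2_MASK is then non-zero, the later default-to-v2 block will not correct it, so a comment stating the intended outcome would help the next reader. The enclosing function starts and ends outside the hunk.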
@@ -2267,11 +2273,12 @@
diag("must specify connection authentication, eg --rsasig, --psk or --auth-null for non-shunt connection");
/*
- * If neither v1 nor v2, default to v1
- * (backward compatibility)
+ * If neither v1 nor v2, default to v2
*/
- if (!(msg.policy & POLICY_IKEV2_MASK))
- msg.policy |= POLICY_IKEV1_ALLOW;
+ if (!(msg.policy & POLICY_IKEV2_MASK)) {
+ msg.policy |= POLICY_IKEV2_ALLOW;
+ msg.policy |= POLICY_IKEV2_PROPOSE;
+ }
/*
* ??? this test can never fail:
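Review bot: The default when neither version flag is given now silently selects IKEv2, and dropping the "(backward compatibility)" remark leaves nothing in the code recording that callers invoking whack without `--ikev1-allow` change behaviour; extend the comment, e.g. `/* If neither v1 nor v2, default to v2; IKEv1 now needs an explicit --ikev1-allow */`. The two `|=` lines can also be one statement, `msg.policy |= POLICY_IKEV2_ALLOW | POLICY_IKEV2_PROPOSE;`, matching how the earlier fixup hunk in this file treats ALLOW and PROPOSE as a pair. The enclosing function starts and ends outside the hunk.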