From 0f28479d21e388f7edbb103206ac7607996c3da7 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 01 2017 03:45:59 +0000
Subject: import libreswan-3.20-3.el7

---

diff --git a/.gitignore b/.gitignore
index 9f1434e..b4afa33 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
 SOURCES/ikev1_dsa.fax.bz2
 SOURCES/ikev1_psk.fax.bz2
 SOURCES/ikev2.fax.bz2
-SOURCES/libreswan-3.15.tar.gz
+SOURCES/libreswan-3.20.tar.gz
diff --git a/.libreswan.metadata b/.libreswan.metadata
index 992bed3..d784875 100644
--- a/.libreswan.metadata
+++ b/.libreswan.metadata
@@ -1,4 +1,4 @@
 b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2
 861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2
 fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2
-f2f7f4c0e6ffc979d3cc3b301dc56b49a9dcc2f3 SOURCES/libreswan-3.15.tar.gz
+ca8e56bf6a99d67201f5c4065991d72febf14eae SOURCES/libreswan-3.20.tar.gz
diff --git a/SOURCES/libreswan-3.15-1166146.patch b/SOURCES/libreswan-3.15-1166146.patch
deleted file mode 100644
index a65133e..0000000
--- a/SOURCES/libreswan-3.15-1166146.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-diff -Naur libreswan-3.15-orig/programs/pluto/connections.c libreswan-3.15/programs/pluto/connections.c
---- libreswan-3.15-orig/programs/pluto/connections.c 2015-08-24 16:52:43.000000000 -0400
-+++ libreswan-3.15/programs/pluto/connections.c 2015-09-24 13:19:16.151982555 -0400
-@@ -3334,6 +3334,11 @@
- struct connection *d;
- struct spd_route *sr;
-
-+ /* weird things can happen to our interfaces */
-+ if (!oriented(*c)) {
-+ return NULL;
-+ }
-+
- DBG(DBG_CONTROLMORE, {
- char s1[SUBNETTOT_BUF];
- char d1[SUBNETTOT_BUF];
-@@ -3378,7 +3383,6 @@
- (sr->that.protocol == peer_protocol) &&
- (!sr->that.port ||
- sr->that.port == peer_port)) {
-- passert(oriented(*c));
- if (routed(sr->routing))
- return c;
-
diff --git a/SOURCES/libreswan-3.15-1219049-ikev1-del.patch b/SOURCES/libreswan-3.15-1219049-ikev1-del.patch
deleted file mode 100644
index d0177d5..0000000
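Review bot: Dropping libreswan-3.15-1166146.patch removes the early `if (!oriented(*c)) return NULL;` that the downstream fix placed in the connections.c lookup near line 3334 in exchange for the old `passert(oriented(*c))`; a failed passert aborts pluto, so unless libreswan 3.20 carries an equivalent guard this rebase turns the "weird things can happen to our interfaces" corner case back into a daemon crash that takes down every tunnel on the host. The commit message is only "import libreswan-3.20-3.el7" and records no per-patch disposition, so I would verify that the 3.20 source has the NULL return (or no remaining passert on that path) before accepting the deletion, and say so in the package changelog. The patched function begins and ends outside the deleted hunk.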
--- a/SOURCES/libreswan-3.15-1219049-ikev1-del.patch +++ /dev/null @@ -1,34 +0,0 @@ -commit bfb1f15c0f2d22987f67dd4dd41316eac28bdc26 -Author: Wolfgang Nothdurft -Date: Fri Oct 2 13:20:14 2015 -0400 - - pluto: Resolves lbz#233 - - pluto sends delete SAs in wrong order and reconnection issues - - Signed-off-by: Paul Wouters - -diff --git a/programs/pluto/state.c b/programs/pluto/state.c -index 7d0821f..b45c1ae 100644 ---- a/programs/pluto/state.c -+++ b/programs/pluto/state.c -@@ -789,7 +789,7 @@ void delete_state(struct state *st) - /* tell the other side of any IPSEC SAs that are going down */ - if (IS_IPSEC_SA_ESTABLISHED(st->st_state) || - IS_ISAKMP_SA_ESTABLISHED(st->st_state)) { -- if (IS_CHILD_SA(st) && -+ if (st->st_ikev2 && IS_CHILD_SA(st) && - state_with_serialno(st->st_clonedfrom) == NULL) { - /* ??? in v2, there must be a parent */ - DBG(DBG_CONTROL, DBG_log("deleting state but IKE SA does not exist for this child SA so Informational Exchange cannot be sent")); -@@ -971,8 +971,8 @@ static void foreach_states_by_connection_func_delete(struct connection *c, - DBG_log("index %d state #%lu", i, - this->st_serialno)); - -- /* on pass 2, ignore phase2 states */ -- if (pass == 1 && -+ /* on pass 1, ignore established ISAKMP SA's */ -+ if (pass == 0 && - IS_ISAKMP_SA_ESTABLISHED(this->st_state)) - continue; - diff --git a/SOURCES/libreswan-3.15-1229766-ipclash.patch b/SOURCES/libreswan-3.15-1229766-ipclash.patch deleted file mode 100644 index 788a2d0..0000000 --- a/SOURCES/libreswan-3.15-1229766-ipclash.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -diff -Naur libreswan-3.15-orig/programs/pluto/kernel.c libreswan-3.15/programs/pluto/kernel.c ---- libreswan-3.15-orig/programs/pluto/kernel.c 2015-08-24 22:28:32.000000000 -0400 -+++ libreswan-3.15/programs/pluto/kernel.c 2016-07-05 06:32:18.384000000 -0400 -@@ -503,7 +503,7 @@ - "%s" /* nflog-group - if any */ - - , c->name, -- c->interface->ip_dev->id_vname, -+ c->interface == NULL ? "NULL" : c->interface->ip_dev->id_vname, - nexthop_str, - ipstr(&sr->this.host_addr, &bme), - secure_myid_str, /* 5 */ -diff --git a/programs/pluto/security_selinux.c b/programs/pluto/security_selinux.c -index 2ca1a63..ac5028e 100644 ---- a/programs/pluto/security_selinux.c -+++ b/programs/pluto/security_selinux.c -@@ -68,8 +68,8 @@ int within_range(security_context_t sl, security_context_t range) - /* - ** Straight up test between sl and range - **/ -- tclass = SECCLASS_ASSOCIATION; -- av = ASSOCIATION__POLMATCH; -+ tclass = string_to_security_class("association"); -+ av = string_to_av_perm(tclass, "polmatch"); - rtn = avc_has_perm(slsid, rangesid, tclass, av, NULL, &avd); - if (rtn != 0) { - DBG_log("within_range: The sl (%s) is not within range of (%s)", sl, -diff --git a/programs/pluto/security_selinux.h b/programs/pluto/security_selinux.h -index e95bf5a..cccd60f 100644 ---- a/programs/pluto/security_selinux.h -+++ b/programs/pluto/security_selinux.h -@@ -16,8 +16,6 @@ - #define _SECURITY_SELINUX_H - - #include --#include --#include - #include - #include - diff --git a/SOURCES/libreswan-3.15-1257079-nm-updown.patch b/SOURCES/libreswan-3.15-1257079-nm-updown.patch deleted file mode 100644 index 727ede3..0000000 --- a/SOURCES/libreswan-3.15-1257079-nm-updown.patch +++ /dev/null 
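Review bot: Deleting libreswan-3.15-1229766-ipclash.patch drops two fixes that matter for correctness of the security checks themselves, so the rebase should show they are upstream in 3.20 rather than assume it: security_selinux.c moved from the hard-coded `SECCLASS_ASSOCIATION` / `ASSOCIATION__POLMATCH` constants to `string_to_security_class("association")` and `string_to_av_perm(tclass, "polmatch")`, which is what keeps the labeled-IPsec `within_range()` check asking the AVC about the right class and permission when the loaded policy numbers classes differently than the build-time headers did; with the constants, the check can silently test the wrong permission. The kernel.c part, `c->interface == NULL ? "NULL" : c->interface->ip_dev->id_vname`, removes a NULL dereference while formatting the updown environment. If 3.20 does not contain both, the patch should be re-applied rather than dropped; the enclosing functions start and end outside the deleted hunk.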
@@ -1,272 +0,0 @@ -diff -Naur libreswan-3.15-orig/programs/_updown.klips/_updown.klips.in libreswan-3.15/programs/_updown.klips/_updown.klips.in ---- libreswan-3.15-orig/programs/_updown.klips/_updown.klips.in 2015-08-24 22:28:32.000000000 -0400 -+++ libreswan-3.15/programs/_updown.klips/_updown.klips.in 2016-06-21 09:59:03.071283432 -0400 -@@ -263,18 +263,6 @@ - rm -f -- ${ORIG_RESOLV_CONF} - printf "${RESOLVE_CONF}" > ${ORIG_RESOLV_CONF} - return $? -- -- else -- echo "Updating resolv.conf is controlled by Network Manager" -- libreswan_reason=connect -- export libreswan_reason -- export PLUTO_PEER_DOMAIN_INFO -- export PLUTO_PEER_DNS_INFO -- export PLUTO_PEER_BANNER -- export PLUTO_MY_SOURCEIP -- export PLUTO_PEER -- /usr/libexec/nm-libreswan-service-helper -- return 0 - fi - } - -@@ -306,29 +294,27 @@ - - rm -f -- "${LIBRESWAN_RESOLV_CONF}" - return 0 -- else -- # Here disconnect signal is sent to NetworkManager -- # whenever an already established connection is being terminated. -- unset libreswan_reason -- unset PLUTO_PEER_DOMAIN_INFO -- unset PLUTO_PEER_DNS_INFO -- unset PLUTO_PEER_BANNER -- unset PLUTO_MY_SOURCEIP -- unset PLUTO_PEER -- echo "Restoring resolv.conf is controlled by Network Manager" -- disconnectNM - fi - } - --disconnectNM() { -- # This will be called whenever a connection fails to establish -- # due to a state (either phase 1, xauth phase, or phase 2) fails. -+notifyNM() { -+ # This will be called whenever a connection is established or -+ # fails to establish (either phase 1, xauth phase, or phase 2) -+ # or whenever an already established connection is being terminated. - # This will send a singal to NetworkManager over dbus so that NM -- # can clear up coonnections. -- libreswan_reason=disconnect -- export libreswan_reason -- echo "sending disconnect signal to NetworkManager" -- /usr/libexec/nm-libreswan-service-helper -+ # can keep track of the coonnections. 
-+ -+ if [ -n "${PLUTO_NM_CONFIGURED}" -a "${PLUTO_NM_CONFIGURED}" != 0 ]; then -+ echo "sending $1 signal to NetworkManager" -+ libreswan_reason=$1 -+ export libreswan_reason -+ export PLUTO_PEER_DOMAIN_INFO -+ export PLUTO_PEER_DNS_INFO -+ export PLUTO_PEER_BANNER -+ export PLUTO_MY_SOURCEIP -+ export PLUTO_PEER -+ /usr/libexec/nm-libreswan-service-helper -+ fi - return 0 - } - -@@ -623,16 +609,20 @@ - uprule - # If you are doing a custom version, firewall commands go here. - updateresolvconf -+ # sending connect signal to NM, as something went wrong. -+ notifyNM connect - ;; - down-client:) - # connection to my client subnet going down - downrule - # If you are doing a custom version, firewall commands go here. - restoreresolvconf -+ # sending disconnect signal to NM, as something went wrong. -+ notifyNM disconnect - ;; - disconnectNM-host|disconnectNM-client) - # sending disconnect signal to NM, as something went wrong. -- disconnectNM -+ notifyNM disconnect - ;; - # - # IPv6 -diff -Naur libreswan-3.15-orig/programs/_updown.mast/_updown.mast.in libreswan-3.15/programs/_updown.mast/_updown.mast.in ---- libreswan-3.15-orig/programs/_updown.mast/_updown.mast.in 2015-08-24 22:28:32.000000000 -0400 -+++ libreswan-3.15/programs/_updown.mast/_updown.mast.in 2016-06-21 09:59:03.072283425 -0400 -@@ -374,18 +374,6 @@ - rm -f -- ${ORIG_RESOLV_CONF} - printf "${RESOLVE_CONF}" > ${ORIG_RESOLV_CONF} - return $? -- -- else -- echo "Updating resolv.conf is controlled by Network Manager" -- libreswan_reason=connect -- export libreswan_reason -- export PLUTO_PEER_DOMAIN_INFO -- export PLUTO_PEER_DNS_INFO -- export PLUTO_PEER_BANNER -- export PLUTO_MY_SOURCEIP -- export PLUTO_PEER -- /usr/libexec/nm-libreswan-service-helper -- return 0 - fi - } - -@@ -417,29 +405,27 @@ - - rm -f -- "${LIBRESWAN_RESOLV_CONF}" - return 0 -- else -- # Here disconnect signal is sent to NetworkManager -- # whenever an already established connection is being terminated. 
-- unset libreswan_reason -- unset PLUTO_PEER_DOMAIN_INFO -- unset PLUTO_PEER_DNS_INFO -- unset PLUTO_PEER_BANNER -- unset PLUTO_MY_SOURCEIP -- unset PLUTO_PEER -- echo "Restoring resolv.conf is controlled by Network Manager" -- disconnectNM - fi - } - --disconnectNM() { -- # This will be called whenever a connection fails to establish -- # due to a state (either phase 1, xauth phase, or phase 2) fails. -+notifyNM() { -+ # This will be called whenever a connection is established or -+ # fails to establish (either phase 1, xauth phase, or phase 2) -+ # or whenever an already established connection is being terminated. - # This will send a singal to NetworkManager over dbus so that NM -- # can clear up coonnections. -- libreswan_reason=disconnect -- export libreswan_reason -- echo "sending disconnect signal to NetworkManager" -- /usr/libexec/nm-libreswan-service-helper -+ # can keep track of the coonnections. -+ -+ if [ -n "${PLUTO_NM_CONFIGURED}" -a "${PLUTO_NM_CONFIGURED}" != 0 ]; then -+ echo "sending $1 signal to NetworkManager" -+ libreswan_reason=$1 -+ export libreswan_reason -+ export PLUTO_PEER_DOMAIN_INFO -+ export PLUTO_PEER_DNS_INFO -+ export PLUTO_PEER_BANNER -+ export PLUTO_MY_SOURCEIP -+ export PLUTO_PEER -+ /usr/libexec/nm-libreswan-service-helper -+ fi - return 0 - } - -@@ -581,14 +567,18 @@ - up-client:) - # If you are doing a custom version, firewall commands go here. - updateresolvconf -+ # sending disconnect signal to NM, as something went wrong. -+ notifyNM connect - ;; - down-client:) - # If you are doing a custom version, firewall commands go here. - restoreresolvconf -+ # sending disconnect signal to NM, as something went wrong. -+ notifyNM disconnect - ;; - disconnectNM-host|disconnectNM-client) - # sending disconnect signal to NM, as something went wrong. 
-- disconnectNM -+ notifyNM disconnect - ;; - # - # IPv6 -diff -Naur libreswan-3.15-orig/programs/_updown.netkey/_updown.netkey.in libreswan-3.15/programs/_updown.netkey/_updown.netkey.in ---- libreswan-3.15-orig/programs/_updown.netkey/_updown.netkey.in 2015-08-24 22:28:32.000000000 -0400 -+++ libreswan-3.15/programs/_updown.netkey/_updown.netkey.in 2016-06-21 10:00:21.398778848 -0400 -@@ -263,18 +263,6 @@ - rm -f -- ${ORIG_RESOLV_CONF} - printf "${RESOLVE_CONF}" > ${ORIG_RESOLV_CONF} - return $? -- -- else -- echo "Updating resolv.conf is controlled by Network Manager" -- libreswan_reason=connect -- export libreswan_reason -- export PLUTO_PEER_DOMAIN_INFO -- export PLUTO_PEER_DNS_INFO -- export PLUTO_PEER_BANNER -- export PLUTO_MY_SOURCEIP -- export PLUTO_PEER -- /usr/libexec/nm-libreswan-service-helper -- return 0 - fi - } - -@@ -306,29 +294,27 @@ - - rm -f -- "${LIBRESWAN_RESOLV_CONF}" - return 0 -- else -- # Here disconnect signal is sent to NetworkManager -- # whenever an already established connection is being terminated. -- unset libreswan_reason -- unset PLUTO_PEER_DOMAIN_INFO -- unset PLUTO_PEER_DNS_INFO -- unset PLUTO_PEER_BANNER -- unset PLUTO_MY_SOURCEIP -- unset PLUTO_PEER -- echo "Restoring resolv.conf is controlled by Network Manager" -- disconnectNM - fi - } - --disconnectNM() { -- # This will be called whenever a connection fails to establish -- # due to a state (either phase 1, xauth phase, or phase 2) fails. -+notifyNM() { -+ # This will be called whenever a connection is established or -+ # fails to establish (either phase 1, xauth phase, or phase 2) -+ # or whenever an already established connection is being terminated. - # This will send a singal to NetworkManager over dbus so that NM -- # can clear up coonnections. -- libreswan_reason=disconnect -- export libreswan_reason -- echo "sending disconnect signal to NetworkManager" -- /usr/libexec/nm-libreswan-service-helper -+ # can keep track of the coonnections. 
-+ -+ if [ -n "${PLUTO_NM_CONFIGURED}" -a "${PLUTO_NM_CONFIGURED}" != 0 ]; then -+ echo "sending $1 signal to NetworkManager" -+ libreswan_reason=$1 -+ export libreswan_reason -+ export PLUTO_PEER_DOMAIN_INFO -+ export PLUTO_PEER_DNS_INFO -+ export PLUTO_PEER_BANNER -+ export PLUTO_MY_SOURCEIP -+ export PLUTO_PEER -+ /usr/libexec/nm-libreswan-service-helper -+ fi - return 0 - } - -@@ -533,6 +519,8 @@ - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - updateresolvconf -+ # sending connect signal to NM, as something went wrong. -+ notifyNM connect - ;; - down-client) - # connection to my client subnet going down -@@ -540,10 +528,12 @@ - delnflog - # If you are doing a custom version, firewall commands go here. - restoreresolvconf -+ # sending disconnect signal to NM, as something went wrong. -+ notifyNM disconnect - ;; - disconnectNM-host|disconnectNM-client) - # sending disconnect signal to NM, as something went wrong. -- disconnectNM -+ notifyNM disconnect - ;; - # - # IPv6 diff --git a/SOURCES/libreswan-3.15-1271811-fipsfiles.patch b/SOURCES/libreswan-3.15-1271811-fipsfiles.patch deleted file mode 100644 index 2735548..0000000 --- a/SOURCES/libreswan-3.15-1271811-fipsfiles.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -commit 19b50a501772a06fb7648b531852fb588efb0021 -Author: Paul Wouters -Date: Tue Oct 13 13:41:24 2015 -0400 - - pluto: fixup fips.h to only require libexec/ components that are compiled. - - When disabling MAST, the fips.h file list wanted to checksum updown.mast - which was not installed, and cause a FIPS selftest failure. - -diff --git a/programs/pluto/fips.h b/programs/pluto/fips.h -index 10bfff0..9c550d8 100644 ---- a/programs/pluto/fips.h -+++ b/programs/pluto/fips.h -@@ -22,32 +22,40 @@ - - const char *fips_package_files[] = { IPSEC_EXECDIR "/pluto", - IPSEC_EXECDIR "/setup", -+#ifdef USE_ADNS -+ IPSEC_EXECDIR "/_pluto_adns", -+#endif - IPSEC_EXECDIR "/addconn", - IPSEC_EXECDIR "/auto", - IPSEC_EXECDIR "/barf", -- IPSEC_EXECDIR "/eroute", - IPSEC_EXECDIR "/ikeping", - IPSEC_EXECDIR "/readwriteconf", - IPSEC_EXECDIR "/_keycensor", -- IPSEC_EXECDIR "/klipsdebug", - IPSEC_EXECDIR "/look", - IPSEC_EXECDIR "/newhostkey", -- IPSEC_EXECDIR "/pf_key", -- IPSEC_EXECDIR "/_pluto_adns", - IPSEC_EXECDIR "/_plutorun", -- IPSEC_EXECDIR "/rsasigkey", - IPSEC_EXECDIR "/_secretcensor", -+ IPSEC_EXECDIR "/rsasigkey", - IPSEC_EXECDIR "/secrets", - IPSEC_EXECDIR "/showhostkey", -- IPSEC_EXECDIR "/spi", -- IPSEC_EXECDIR "/spigrp", - IPSEC_EXECDIR "/_stackmanager", -- IPSEC_EXECDIR "/tncfg", - IPSEC_EXECDIR "/_updown", -- IPSEC_EXECDIR "/_updown.klips", -- IPSEC_EXECDIR "/_updown.mast", -- IPSEC_EXECDIR "/_updown.netkey", - IPSEC_EXECDIR "/verify", - IPSEC_EXECDIR "/whack", - IPSEC_SBINDIR "/ipsec", -+#ifdef KLIPS -+ IPSEC_EXECDIR "/pf_key", -+ IPSEC_EXECDIR "/klipsdebug", -+ IPSEC_EXECDIR "/eroute", -+ IPSEC_EXECDIR "/spi", -+ IPSEC_EXECDIR "/spigrp", -+ IPSEC_EXECDIR "/_updown.klips", -+ IPSEC_EXECDIR "/tncfg", -+#ifdef KLIPS_MAST -+ IPSEC_EXECDIR "/_updown.mast", -+#endif -+#endif -+#ifdef NETKEY_SUPPORT -+ IPSEC_EXECDIR "/_updown.netkey", -+#endif - NULL }; 
diff --git a/SOURCES/libreswan-3.15-1272112-whack-man.patch b/SOURCES/libreswan-3.15-1272112-whack-man.patch
deleted file mode 100644
index c62313d..0000000
--- a/SOURCES/libreswan-3.15-1272112-whack-man.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -Naur libreswan-3.15-orig/programs/pluto/ipsec_pluto.8.xml libreswan-3.15/programs/pluto/ipsec_pluto.8.xml
---- libreswan-3.15-orig/programs/pluto/ipsec_pluto.8.xml 2015-08-24 22:28:32.000000000 -0400
-+++ libreswan-3.15/programs/pluto/ipsec_pluto.8.xml 2016-06-21 10:11:48.483293124 -0400
-@@ -18,6 +18,7 @@
-
-
- ipsec pluto
-+ ipsec whack
- pluto
-
- ipsec whack : IPsec IKE keying daemon and control interface
diff --git a/SOURCES/libreswan-3.15-1276524-informational.patch b/SOURCES/libreswan-3.15-1276524-informational.patch
deleted file mode 100644
index 32e5929..0000000
--- a/SOURCES/libreswan-3.15-1276524-informational.patch
+++ /dev/null
@@ -1,119 +0,0 @@ -diff -Naur libreswan-3.15-orig/programs/pluto/ikev2.c libreswan-3.15/programs/pluto/ikev2.c ---- libreswan-3.15-orig/programs/pluto/ikev2.c 2016-09-07 10:10:59.477000000 -0400 -+++ libreswan-3.15/programs/pluto/ikev2.c 2016-09-07 10:14:14.222000000 -0400 -@@ -73,13 +73,6 @@ - - #include "plutoalg.h" /* for default_ike_groups */ - --/* Note: same definition appears in programs/pluto/ikev2_parent.c */ --#define SEND_V2_NOTIFICATION(t) { \ -- if (st != NULL) \ -- send_v2_notification_from_state(st, t, NULL); \ -- else \ -- send_v2_notification_from_md(md, t, NULL); } -- - enum smf2_flags { - /* - * Check the value of the IKE_I flag in the header. -@@ -400,16 +393,6 @@ - * <-- HDR, SK {[N,] [D,] [CP], ...} - */ - -- { .story = "I2: process INFORMATIONAL", -- .state = STATE_PARENT_I2, -- .next_state = STATE_PARENT_I2, -- .flags = SMF2_IKE_I_CLEAR, -- .req_clear_payloads = P(SK), -- .opt_enc_payloads = P(N) | P(D) | P(CP), -- .processor = process_encrypted_informational_ikev2, -- .recv_type = ISAKMP_v2_INFORMATIONAL, -- .timeout_event = EVENT_RETAIN, }, -- - { .story = "I3: INFORMATIONAL", - .state = STATE_PARENT_I3, - .next_state = STATE_PARENT_I3, -@@ -420,16 +403,6 @@ - .recv_type = ISAKMP_v2_INFORMATIONAL, - .timeout_event = EVENT_RETAIN, }, - -- { .story = "R1: process INFORMATIONAL", -- .state = STATE_PARENT_R1, -- .next_state = STATE_PARENT_R1, -- .flags = SMF2_IKE_I_SET, -- .req_clear_payloads = P(SK), -- .opt_enc_payloads = P(N) | P(D) | P(CP), -- .processor = process_encrypted_informational_ikev2, -- .recv_type = ISAKMP_v2_INFORMATIONAL, -- .timeout_event = EVENT_RETAIN, }, -- - { .story = "R2: process INFORMATIONAL", - .state = STATE_PARENT_R2, - .next_state = STATE_PARENT_R2, -@@ -1061,7 +1034,7 @@ - * XXX: Returning INVALID_MESSAGE_ID seems - * pretty bogus. 
- */ -- SEND_V2_NOTIFICATION(v2N_INVALID_MESSAGE_ID); -+ SEND_V2_NOTIFICATION(v2N_INVALID_IKE_SPI); - } - return; - } -@@ -1353,6 +1326,7 @@ - st.st_localport = md->iface->port; - cnx.interface = md->iface; - st.st_interface = md->iface; -+ st.st_reply_xchg = md->hdr.isa_xchg; - - send_v2_notification(&st, type, NULL, - md->hdr.isa_icookie, md->hdr.isa_rcookie, data); -diff -Naur libreswan-3.15-orig/programs/pluto/ikev2.h libreswan-3.15/programs/pluto/ikev2.h ---- libreswan-3.15-orig/programs/pluto/ikev2.h 2015-08-24 22:28:32.000000000 -0400 -+++ libreswan-3.15/programs/pluto/ikev2.h 2016-09-07 10:12:30.357000000 -0400 -@@ -235,3 +235,9 @@ - void ikev2_log_payload_errors(struct ikev2_payload_errors errors, - struct state *st); - -+#define SEND_V2_NOTIFICATION(t) { \ -+ if (st != NULL) \ -+ send_v2_notification_from_state(st, t, NULL); \ -+ else \ -+ send_v2_notification_from_md(md, t, NULL); } -+ -diff -Naur libreswan-3.15-orig/programs/pluto/ikev2_parent.c libreswan-3.15/programs/pluto/ikev2_parent.c ---- libreswan-3.15-orig/programs/pluto/ikev2_parent.c 2016-09-07 10:10:59.478000000 -0400 -+++ libreswan-3.15/programs/pluto/ikev2_parent.c 2016-09-07 10:12:30.357000000 -0400 -@@ -70,14 +70,6 @@ - - #include "ietf_constants.h" - --/* Note: same definition appears in programs/pluto/ikev2.c */ --#define SEND_V2_NOTIFICATION(t) { \ -- if (st != NULL) \ -- send_v2_notification_from_state(st, t, NULL); \ -- else \ -- send_v2_notification_from_md(md, t, NULL); \ -- } -- - #ifdef XAUTH_HAVE_PAM - struct ikev2_pam_helper { - struct pam_thread_arg pam; /* writable inside thread */ -@@ -3628,6 +3620,8 @@ - hdr.isa_xchg = ISAKMP_v2_SA_INIT; - break; - } -+ if (p1st->st_reply_xchg != 0) -+ hdr.isa_xchg = p1st->st_reply_xchg; /* use received exchange type */ - - hdr.isa_np = ISAKMP_NEXT_v2N; - /* XXX unconditionally clearing original initiator flag is wrong */ -diff -Naur libreswan-3.15-orig/programs/pluto/state.h libreswan-3.15/programs/pluto/state.h ---- 
libreswan-3.15-orig/programs/pluto/state.h 2015-08-24 22:28:32.000000000 -0400
-+++ libreswan-3.15/programs/pluto/state.h 2016-09-07 10:14:43.847000000 -0400
-@@ -480,6 +480,7 @@
- bool st_xauth_soft; /* XAUTH failed but policy is to soft fail */
- bool st_seen_fragvid; /* should really use st_seen_vendorid, but no one else is */
- bool st_seen_fragments; /* did we receive ike fragments from peer, if so use them in return as well */
-+ u_int8_t st_reply_xchg;
- };
-
- /* global variables */
diff --git a/SOURCES/libreswan-3.15-1278063-ikev1-pam.patch b/SOURCES/libreswan-3.15-1278063-ikev1-pam.patch
deleted file mode 100644
index 5e8bcb9..0000000
--- a/SOURCES/libreswan-3.15-1278063-ikev1-pam.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff -Naur libreswan-3.15-orig/programs/pluto/pam_conv.c libreswan-3.15/programs/pluto/pam_conv.c
---- libreswan-3.15-orig/programs/pluto/pam_conv.c 2016-06-14 16:15:34.810507979 -0400
-+++ libreswan-3.15/programs/pluto/pam_conv.c 2016-06-14 16:20:43.958424650 -0400
-@@ -159,16 +159,14 @@
- */
- what = "pam_authenticate";
- retval = pam_authenticate(pamh, PAM_SILENT); /* is user really user? */
--
- if (retval != PAM_SUCCESS)
- break;
- log_pam_step(arg, what, "SUCCESS");
-
-+ what = "pam_acct_mgmt";
- retval = pam_acct_mgmt(pamh, 0); /* permitted access? */
- if (retval != PAM_SUCCESS)
- break;
--
-- what = "pam";
- log_pam_step(arg, what, "SUCCESS");
-
- /* success! */
diff --git a/SOURCES/libreswan-3.15-1280449-cap_dac_read_search.patch b/SOURCES/libreswan-3.15-1280449-cap_dac_read_search.patch
deleted file mode 100644
index f10e215..0000000
--- a/SOURCES/libreswan-3.15-1280449-cap_dac_read_search.patch
+++ /dev/null
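Review bot: Deleting libreswan-3.15-1276524-informational.patch brings back, unless 3.20 already removed them upstream, the two IKEv2 state-table entries ("I2: process INFORMATIONAL" for STATE_PARENT_I2 and "R1: process INFORMATIONAL" for STATE_PARENT_R1) that let pluto run `process_encrypted_informational_ikev2` before IKE_AUTH has completed; the downstream patch deliberately stopped accepting INFORMATIONAL (delete/notify) exchanges on a not-yet-authenticated IKE SA, and reintroducing that is a protocol-state weakening, not a cosmetic change. The same patch also answered unknown-SPI traffic with `v2N_INVALID_IKE_SPI` instead of `v2N_INVALID_MESSAGE_ID` and echoed the received exchange type through the new `st_reply_xchg` field, which changes what an unauthenticated sender can learn from error replies. Since the commit message gives no per-patch disposition, please confirm the 3.20 ikev2.c state table lacks those two entries (or otherwise gates INFORMATIONAL on an established SA) and that the notification change is upstream; otherwise carry the patch forward. This note covers the ikev2.c, ikev2.h, ikev2_parent.c and state.h pieces of the deleted file together; that hunk started on an earlier line.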
@@ -1,11 +0,0 @@
-diff -Naur libreswan-3.15-orig/programs/pluto/plutomain.c libreswan-3.15/programs/pluto/plutomain.c
---- libreswan-3.15-orig/programs/pluto/plutomain.c 2016-06-21 10:37:03.635299030 -0400
-+++ libreswan-3.15/programs/pluto/plutomain.c 2016-06-21 10:37:50.604989303 -0400
-@@ -1395,6 +1395,7 @@
- CAP_IPC_LOCK, CAP_AUDIT_WRITE,
- /* for google authenticator pam */
- CAP_SETGID, CAP_SETUID,
-+ CAP_DAC_READ_SEARCH,
- -1);
- /*
- * We need to retain some capabilities for our children (updown):
diff --git a/SOURCES/libreswan-3.15-1283468-keyingtries.patch b/SOURCES/libreswan-3.15-1283468-keyingtries.patch
deleted file mode 100644
index 032e8a7..0000000
--- a/SOURCES/libreswan-3.15-1283468-keyingtries.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff -Naur libreswan-3.15-orig/programs/pluto/timer.c libreswan-3.15/programs/pluto/timer.c
---- libreswan-3.15-orig/programs/pluto/timer.c 2015-08-24 22:28:32.000000000 -0400
-+++ libreswan-3.15/programs/pluto/timer.c 2016-06-14 11:02:52.232524053 -0400
-@@ -180,7 +180,7 @@
- st->st_retransmit,
- enum_show(&state_names, st->st_state),
- details);
-- if (try != 0 && try <= try_limit) {
-+ if (try != 0 && (try <= try_limit || try_limit == 0)) {
- /*
- * A lot like EVENT_SA_REPLACE, but over again.
- * Since we know that st cannot be in use,
-@@ -296,7 +296,7 @@
- details);
- }
-
-- if (try != 0 && try <= try_limit) {
-+ if (try != 0 && (try <= try_limit || try_limit == 0)) {
- /*
- * A lot like EVENT_SA_REPLACE, but over again.
- * Since we know that st cannot be in use,
diff --git a/SOURCES/libreswan-3.15-1290907-configdir.patch b/SOURCES/libreswan-3.15-1290907-configdir.patch
deleted file mode 100644
index 79ea658..0000000
--- a/SOURCES/libreswan-3.15-1290907-configdir.patch
+++ /dev/null
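Review bot: Removing libreswan-3.15-1280449-cap_dac_read_search.patch changes pluto's retained capability set in one of two directions, and the commit does not say which: either libreswan 3.20 already keeps `CAP_DAC_READ_SEARCH` in the capability list in plutomain.c (around the `CAP_SETGID, CAP_SETUID` entries the deleted hunk sat beside, commented "for google authenticator pam"), or the rebase silently drops it. CAP_DAC_READ_SEARCH lets the daemon read and search any file regardless of DAC permissions, so if 3.20 still carries it the justification should be stated next to it (which PAM module path needs it, and why the existing CAP_SETUID/CAP_SETGID pair is not enough), and if 3.20 does not, the privilege reduction should be called out in the changelog so PAM-based XAUTH deployments that depended on it fail loudly rather than mysteriously. The capability list this hunk patches starts and ends outside the deleted hunk.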
@@ -1,63 +0,0 @@ -diff -Naur libreswan-3.15-orig/programs/ipsec/ipsec.in libreswan-3.15/programs/ipsec/ipsec.in ---- libreswan-3.15-orig/programs/ipsec/ipsec.in 2015-08-24 22:28:32.000000000 -0400 -+++ libreswan-3.15/programs/ipsec/ipsec.in 2016-06-22 09:59:10.786787783 -0400 -@@ -212,18 +212,28 @@ - ;; - - import|--import) -- if [ $(id -u) -ne 0 ]; then -- echo "permision denied on nss operation (must be superuser)" -- exit 4 -+ if [ -n "${2}" ]; then -+ # A lot of nss commands use -d or --configdir to specify -+ # NSS db location. We use --ipsecdir so we are consistent -+ # with pluto options -+ if [ "${2}" = "-d" -o \ -+ "${2}" = "--configdir" -o \ -+ "${2}" = "--ipsecdir" ] -+ then -+ if [ -d "${3}" ]; then -+ IPSEC_NSSDIR="${3}" -+ else -+ echo "usage: ipsec import [--configdir|--ipsecdir /etc/ipsec.d] /path/to/pkcs.12" >&2 -+ exit 1 -+ fi -+ shift -+ shift -+ fi -+ IPSEC_NSSDIR_SQL="sql:${IPSEC_NSSDIR}" - fi -- if [ -z "${2}" ]; then -- echo "usage: ipsec import /path/to/pkcs.12" >&2 -+ if [ -z "${2}" -o ! -f "${2}" ]; then -+ echo "usage: ipsec import [--configdir|--ipsecdir /etc/ipsec.d] /path/to/pkcs.12" >&2 - exit 1 -- else -- if [ ! -f "${2}" ]; then -- echo "usage: ipsec import /path/to/pkcs.12" >&2 -- exit 1 -- fi - fi - pk12util -i "${2}" -d "${IPSEC_NSSDIR_SQL}" - # check and correct trust bits -@@ -233,12 +243,17 @@ - initnss|--initnss|checknss|--checknss) - if [ -n "${2}" ]; then - # A lot of nss commands use -d or --configdir to specify -- # NSS db location -- if [ "${2}" = "-d" -o "${2}" = "--configdir" ]; then -+ # NSS db location. We use --ipsecdir so we are consistent -+ # with pluto options -+ if [ "${2}" = "-d" -o \ -+ "${2}" = "--configdir" -o \ -+ "${2}" = "--ipsecdir" ] -+ then - IPSEC_NSSDIR="${3}" -- else -+ else - IPSEC_NSSDIR="${2}" - fi -+ IPSEC_NSSDIR_SQL="sql:${IPSEC_NSSDIR}" - fi - if [ ! -d "${IPSEC_NSSDIR}" ]; then - mkdir -p "${IPSEC_NSSDIR}" 
diff --git a/SOURCES/libreswan-3.15-1297816-nonce-dcookies.patch b/SOURCES/libreswan-3.15-1297816-nonce-dcookies.patch deleted file mode 100644 index e62bac5..0000000 --- a/SOURCES/libreswan-3.15-1297816-nonce-dcookies.patch +++ /dev/null 
@@ -1,358 +0,0 @@ -diff -Naur libreswan-3.15-orig/include/ietf_constants.h libreswan-3.15/include/ietf_constants.h ---- libreswan-3.15-orig/include/ietf_constants.h 2015-08-24 22:28:32.000000000 -0400 -+++ libreswan-3.15/include/ietf_constants.h 2016-06-14 11:36:09.865743133 -0400 -@@ -270,10 +270,29 @@ - - #define LOCALSECRETSIZE BYTES_FOR_BITS(256) - --/* limits on nonce sizes. See RFC2409 "The internet key exchange (IKE)" 5 */ --#define MINIMUM_NONCE_SIZE 8 /* bytes */ --#define DEFAULT_NONCE_SIZE 16 /* bytes */ --#define MAXIMUM_NONCE_SIZE 256 /* bytes */ -+ -+/* Limits on nonce sizes */ -+ -+/* -+ * IKEv1 RFC-2409: -+ * The length of nonce payload MUST be between 8 and 256 bytes inclusive. -+ */ -+#define IKEv1_MINIMUM_NONCE_SIZE 8 /* bytes */ -+#define IKEv1_MAXIMUM_NONCE_SIZE 256 /* bytes */ -+ -+/* -+ * IKEv2 RFC-7296: -+ * Nonces used in IKEv2 MUST be randomly chosen, MUST be at least 128 bits -+ * in size, and MUST be at least half the key size of the negotiated -+ * pseudorandom function (PRF). However, the initiator chooses the nonce -+ * before the outcome of the negotiation is known. Because of that, the -+ * nonce has to be long enough for all the PRFs being proposed. 
-+ */ -+#define IKEv2_MINIMUM_NONCE_SIZE 16 /* bytes */ -+#define IKEv2_MAXIMUM_NONCE_SIZE 256 /* bytes */ -+ -+/* Default is based on minimum IKEv2 requirement */ -+#define DEFAULT_NONCE_SIZE 32 /* bytes */ - - #define COOKIE_SIZE 8 - #define MAX_ISAKMP_SPI_SIZE 16 -diff -Naur libreswan-3.15-orig/include/pluto_constants.h libreswan-3.15/include/pluto_constants.h ---- libreswan-3.15-orig/include/pluto_constants.h 2015-08-24 22:28:32.000000000 -0400 -+++ libreswan-3.15/include/pluto_constants.h 2016-06-14 11:36:09.865743133 -0400 -@@ -260,6 +260,7 @@ - IMPAIR_FORCE_FIPS_IX, /* causes pluto to believe we are in fips mode, NSS needs its own hack */ - IMPAIR_SEND_KEY_SIZE_CHECK_IX, /* causes pluto to omit checking configured ESP key sizes for testing */ - IMPAIR_SEND_ZERO_GX_IX, /* causes pluto to send a g^x that is zero, breaking DH calculation */ -+ IMPAIR_SEND_BOGUS_DCOOKIE_IX, /* causes pluto to send a a bogus IKEv2 DCOOKIE */ - IMPAIR_roof_IX /* first unassigned IMPAIR */ - }; - -@@ -304,6 +305,7 @@ - #define IMPAIR_FORCE_FIPS LELEM(IMPAIR_FORCE_FIPS_IX) - #define IMPAIR_SEND_KEY_SIZE_CHECK LELEM(IMPAIR_SEND_KEY_SIZE_CHECK_IX) - #define IMPAIR_SEND_ZERO_GX LELEM(IMPAIR_SEND_ZERO_GX_IX) -+#define IMPAIR_SEND_BOGUS_DCOOKIE LELEM(IMPAIR_SEND_BOGUS_DCOOKIE_IX) - - /* State of exchanges - * -diff -Naur libreswan-3.15-orig/lib/libswan/constants.c libreswan-3.15/lib/libswan/constants.c ---- libreswan-3.15-orig/lib/libswan/constants.c 2015-08-24 22:28:32.000000000 -0400 -+++ libreswan-3.15/lib/libswan/constants.c 2016-06-14 11:36:09.866743168 -0400 -@@ -196,6 +196,7 @@ - "impair-force-fips", - "impair-send-key-size-check", - "impair-send-zero-gx", -+ "impair-send-bogus-dcookie", - NULL /* termination for bitnamesof() */ - }; - -diff -Naur libreswan-3.15-orig/programs/pluto/ikev1_main.c libreswan-3.15/programs/pluto/ikev1_main.c ---- libreswan-3.15-orig/programs/pluto/ikev1_main.c 2016-06-14 11:35:30.808370130 -0400 -+++ libreswan-3.15/programs/pluto/ikev1_main.c 
2016-06-14 11:36:09.867743203 -0400 -@@ -492,9 +492,9 @@ - pb_stream *nonce_pbs = &md->chain[ISAKMP_NEXT_NONCE]->pbs; - size_t len = pbs_left(nonce_pbs); - -- if (len < MINIMUM_NONCE_SIZE || MAXIMUM_NONCE_SIZE < len) { -+ if (len < IKEv1_MINIMUM_NONCE_SIZE || IKEv1_MAXIMUM_NONCE_SIZE < len) { - loglog(RC_LOG_SERIOUS, "%s length not between %d and %d", -- name, MINIMUM_NONCE_SIZE, MAXIMUM_NONCE_SIZE); -+ name, IKEv1_MINIMUM_NONCE_SIZE, IKEv1_MAXIMUM_NONCE_SIZE); - return PAYLOAD_MALFORMED; /* ??? */ - } - clonereplacechunk(*dest, nonce_pbs->cur, len, "nonce"); -diff -Naur libreswan-3.15-orig/programs/pluto/ikev2.c libreswan-3.15/programs/pluto/ikev2.c ---- libreswan-3.15-orig/programs/pluto/ikev2.c 2015-08-24 22:28:32.000000000 -0400 -+++ libreswan-3.15/programs/pluto/ikev2.c 2016-06-14 11:36:09.868743239 -0400 -@@ -1856,9 +1856,22 @@ - nonce_pbs = &md->chain[ISAKMP_NEXT_v2Ni]->pbs; - len = pbs_left(nonce_pbs); - -- if (len < MINIMUM_NONCE_SIZE || MAXIMUM_NONCE_SIZE < len) { -- loglog(RC_LOG_SERIOUS, "%s length not between %d and %d", -- name, MINIMUM_NONCE_SIZE, MAXIMUM_NONCE_SIZE); -+ /* -+ * RFC 7296 Section 2.10: -+ * Nonces used in IKEv2 MUST be randomly chosen, MUST be at least 128 -+ * bits in size, and MUST be at least half the key size of the -+ * negotiated pseudorandom function (PRF). However, the initiator -+ * chooses the nonce before the outcome of the negotiation is known. -+ * Because of that, the nonce has to be long enough for all the PRFs -+ * being proposed. -+ * -+ * We will check for a minimum/maximum here. Once the PRF is selected, -+ * we verify the nonce is big enough. -+ */ -+ -+ if (len < IKEv2_MINIMUM_NONCE_SIZE || len > IKEv2_MAXIMUM_NONCE_SIZE) { -+ loglog(RC_LOG_SERIOUS, "%s length %zu not between %d and %d", -+ name, len, IKEv2_MINIMUM_NONCE_SIZE, IKEv2_MAXIMUM_NONCE_SIZE); - return v2N_INVALID_SYNTAX; /* ??? 
*/ - } - clonereplacechunk(*dest, nonce_pbs->cur, len, "nonce"); -diff -Naur libreswan-3.15-orig/programs/pluto/ikev2_parent.c libreswan-3.15/programs/pluto/ikev2_parent.c ---- libreswan-3.15-orig/programs/pluto/ikev2_parent.c 2016-06-14 11:35:30.801369884 -0400 -+++ libreswan-3.15/programs/pluto/ikev2_parent.c 2016-06-14 12:09:35.881321956 -0400 -@@ -102,7 +102,7 @@ - static stf_status ikev2_parent_outI1_tail(struct pluto_crypto_req_cont *ke, - struct pluto_crypto_req *r); - --static bool ikev2_get_dcookie(u_char *dcookie, chunk_t st_ni, -+static void ikev2_get_dcookie(u_char *dcookie, chunk_t st_ni, - ip_address *addr, chunk_t spiI); - - static stf_status ikev2_parent_outI1_common(struct msg_digest *md, -@@ -426,6 +426,15 @@ - init_out_pbs(&reply_stream, reply_buffer, sizeof(reply_buffer), - "reply packet"); - -+ if (DBGP(IMPAIR_SEND_BOGUS_DCOOKIE)) { -+ /* add or mangle a dcookie so what we will send is bogus */ -+ DBG_log("Mangling dcookie because --impair-send-bogus-dcookie is set"); -+ freeanychunk(st->st_dcookie); -+ st->st_dcookie.ptr = alloc_bytes(1, "mangled dcookie"); -+ st->st_dcookie.len = 1; -+ messupn(st->st_dcookie.ptr, 1); -+ } -+ - /* HDR out */ - { - struct isakmp_hdr hdr; -@@ -434,7 +443,7 @@ - /* Impair function will raise major/minor by 1 for testing */ - hdr.isa_version = build_ikev2_version(); - -- hdr.isa_np = st->st_dcookie.ptr != NULL? -+ hdr.isa_np = st->st_dcookie.ptr != NULL ? 
- ISAKMP_NEXT_v2N : ISAKMP_NEXT_v2SA; - hdr.isa_xchg = ISAKMP_v2_SA_INIT; - /* add original initiator flag - version flag could be set */ -@@ -615,13 +624,36 @@ - - stf_status ikev2parent_inI1outR1(struct msg_digest *md) - { -+ bool seen_dcookie = FALSE; -+ bool require_dcookie = require_ddos_cookies(); -+ struct payload_digest *ntfy; -+ - if (drop_new_exchanges()) { - /* only log for debug to prevent disk filling up */ - DBG(DBG_CONTROL,DBG_log("pluto is overloaded with half-open IKE SAs - dropping IKE_INIT request")); - return STF_IGNORE; - } - -- if (require_ddos_cookies()) { -+ /* Did we receive a DCOOKIE? */ -+ for (ntfy = md->chain[ISAKMP_NEXT_v2N]; ntfy != NULL; ntfy = ntfy->next) { -+ switch (ntfy->payload.v2n.isan_type) { -+ case v2N_COOKIE: -+ DBG(DBG_CONTROLMORE, DBG_log("Received a NOTIFY payload of type COOKIE - we will verify the COOKIE")); -+ seen_dcookie = TRUE; -+ break; -+ default: -+ DBG(DBG_CONTROLMORE, DBG_log("Received unauthenticated %s notify - ignored", -+ enum_name(&ikev2_notify_names, -+ ntfy->payload.v2n.isan_type))); -+ } -+ } -+ -+ /* -+ * The RFC states we should ignore unexpected cookies. We purposefully -+ * violate the RFC and validate the cookie anyway. This prevents an -+ * attacker from being able to inject a lot of data used later to HMAC -+ */ -+ if (seen_dcookie || require_dcookie) { - u_char dcookie[SHA1_DIGEST_SIZE]; - chunk_t dc, ni, spiI; - -@@ -635,7 +667,12 @@ - * size of the negotiated pseudorandom function (PRF). - * (We can check for minimum 128bit length) - */ -- if (ni.len < BYTES_FOR_BITS(128)) { -+ /* -+ * XXX: Note that we check the nonce size in accept_v2_nonce() so this -+ * check is extra. I guess since we need to extract the nonce to calculate -+ * the cookie, it is cheap to check here and reject. -+ */ -+ if (ni.len < IKEv2_MINIMUM_NONCE_SIZE || IKEv2_MAXIMUM_NONCE_SIZE < ni.len) { - /* - * If this were a DDOS, we cannot afford to log. - * We do log if we are debugging. 
-@@ -646,11 +683,10 @@ - - ikev2_get_dcookie(dcookie, ni, &md->sender, spiI); - dc.ptr = dcookie; -- dc.len = SHA1_DIGEST_SIZE; -- -+ dc.len = SHA2_256_DIGEST_SIZE; -+ - /* check a v2N payload with type COOKIE */ -- if (md->chain[ISAKMP_NEXT_v2N] != NULL && -- md->chain[ISAKMP_NEXT_v2N]->payload.v2n.isan_type == v2N_COOKIE) { -+ if (seen_dcookie) { - const pb_stream *dc_pbs; - chunk_t idc; - -@@ -670,19 +706,19 @@ - DBG(DBG_CONTROLMORE, - DBG_dump_chunk("received dcookie", idc); - DBG_dump("dcookie computed", dcookie, -- SHA1_DIGEST_SIZE)); -+ SHA2_256_DIGEST_SIZE)); - -- if (idc.len != SHA1_DIGEST_SIZE || -- !memeq(idc.ptr, dcookie, SHA1_DIGEST_SIZE)) { -+ if (idc.len != SHA2_256_DIGEST_SIZE || -+ !memeq(idc.ptr, dcookie, SHA2_256_DIGEST_SIZE)) { - DBG(DBG_CONTROLMORE, DBG_log( -- "mismatch in DOS v2N_COOKIE: dropping message (possible DoS attack)" -+ "mismatch in DOS v2N_COOKIE: dropping message (possible attack)" - )); - return STF_IGNORE; - } - DBG(DBG_CONTROLMORE, DBG_log( - "dcookie received matched computed one")); - } else { -- /* we are under DOS attack I1 contains no DOS COOKIE */ -+ /* we are under DOS attack I1 contains no COOKIE */ - DBG(DBG_CONTROLMORE, - DBG_log("busy mode on. 
received I1 without a valid dcookie"); - DBG_log("send a dcookie and forget this state")); -@@ -691,7 +727,7 @@ - } - } else { - DBG(DBG_CONTROLMORE, -- DBG_log("anti-DDoS cookies not required")); -+ DBG_log("anti-DDoS cookies not required (and no cookie received)")); - } - - /* authentication policy alternatives in order of decreasing preference */ -@@ -1534,6 +1570,14 @@ - integ_start, integ_size)); - } - -+ if (DBGP(IMPAIR_SEND_BOGUS_DCOOKIE)) { -+ /* add or mangle a dcookie so what we will send is bogus */ -+ DBG_log("Mangling dcookie because --impair-send-bogus-dcookie is set"); -+ freeanychunk(st->st_dcookie); -+ st->st_dcookie.ptr = alloc_bytes(1, "mangled dcookie"); -+ st->st_dcookie.len = 1; -+ messupn(st->st_dcookie.ptr, 1); -+ } - - return STF_OK; - } -@@ -3479,45 +3523,38 @@ - - /* - * Cookie = | Hash(Ni | IPi | SPIi | ) -- * where is a randomly generated secret known only to the -- * in LSW implementation is not used. -+ * where is a randomly generated secret known only to us -+ * -+ * Our implementation does not use which means -+ * once a day and while under DOS attack, we could fail a few cookies -+ * until the peer restarts from scratch. 
- */ --static bool ikev2_get_dcookie(u_char *dcookie, chunk_t ni, -+static void ikev2_get_dcookie(u_char *dcookie, chunk_t ni, - ip_address *addr, chunk_t spiI) - { - size_t addr_length; -- SHA1_CTX ctx_sha1; -+ sha256_context ctx_sha256; - unsigned char addr_buff[ - sizeof(union { struct in_addr A; - struct in6_addr B; - })]; - - addr_length = addrbytesof(addr, addr_buff, sizeof(addr_buff)); -- SHA1Init(&ctx_sha1); -- SHA1Update(&ctx_sha1, ni.ptr, ni.len); -- SHA1Update(&ctx_sha1, addr_buff, addr_length); -- SHA1Update(&ctx_sha1, spiI.ptr, spiI.len); -- SHA1Update(&ctx_sha1, ikev2_secret_of_the_day, -- SHA1_DIGEST_SIZE); -- SHA1Final(dcookie, &ctx_sha1); -+ sha256_init(&ctx_sha256); -+ sha256_write(&ctx_sha256, ni.ptr, ni.len); -+ sha256_write(&ctx_sha256, addr_buff, addr_length); -+ sha256_write(&ctx_sha256, spiI.ptr, spiI.len); -+ sha256_write(&ctx_sha256, ikev2_secret_of_the_day, -+ SHA2_256_DIGEST_SIZE); -+ sha256_final(dcookie, &ctx_sha256); - DBG(DBG_PRIVATE, - DBG_log("ikev2 secret_of_the_day used %s, length %d", - ikev2_secret_of_the_day, -- SHA1_DIGEST_SIZE)); -+ SHA2_256_DIGEST_SIZE)); - - DBG(DBG_CRYPT, - DBG_dump("computed dcookie: HASH(Ni | IPi | SPIi | )", -- dcookie, SHA1_DIGEST_SIZE)); --#if 0 -- ikev2_secrets_recycle++; -- if (ikev2_secrets_recycle >= 32768) { -- /* handed out too many cookies, cycle secrets */ -- ikev2_secrets_recycle = 0; -- /* can we call init_secrets() without adding an EVENT? 
*/ -- init_secrets(); -- } --#endif -- return TRUE; -+ dcookie, SHA2_256_DIGEST_SIZE)); - } - - /* -diff -Naur libreswan-3.15-orig/programs/pluto/plutomain.c libreswan-3.15/programs/pluto/plutomain.c ---- libreswan-3.15-orig/programs/pluto/plutomain.c 2015-08-24 22:28:32.000000000 -0400 -+++ libreswan-3.15/programs/pluto/plutomain.c 2016-06-14 11:36:09.872743379 -0400 -@@ -571,6 +571,7 @@ - I("send-no-ikev2-auth\0", IMPAIR_SEND_NO_IKEV2_AUTH_IX), - I("force-fips\0", IMPAIR_FORCE_FIPS_IX), - I("send-zero-gx\0", IMPAIR_SEND_ZERO_GX_IX), -+ I("send-bogus-dcookie\0", IMPAIR_SEND_BOGUS_DCOOKIE_IX), - #undef I - { 0, 0, 0, 0 } - }; -@@ -1564,6 +1565,8 @@ - libreswan_log("Warning: IMPAIR_SEND_NO_IKEV2_AUTH enabled"); - if (DBGP(IMPAIR_SEND_ZERO_GX)) - libreswan_log("Warning: IMPAIR_SEND_ZERO_GX enabled"); -+ if (DBGP(IMPAIR_SEND_BOGUS_DCOOKIE)) -+ libreswan_log("Warning: IMPAIR_SEND_BOGUS_DCOOKIE enabled"); - - /* Initialize all of the various features */ - -diff -Naur libreswan-3.15-orig/programs/pluto/whack.c libreswan-3.15/programs/pluto/whack.c ---- libreswan-3.15-orig/programs/pluto/whack.c 2015-08-24 22:28:32.000000000 -0400 -+++ libreswan-3.15/programs/pluto/whack.c 2016-06-14 11:36:09.872743379 -0400 -@@ -701,6 +701,8 @@ - IMPAIR_SEND_KEY_SIZE_CHECK_IX + DO }, - { "impair-send-zero-gx", no_argument, NULL, - IMPAIR_SEND_ZERO_GX_IX + DO }, -+ { "impair-send-bogus-dcookie", no_argument, NULL, -+ IMPAIR_SEND_BOGUS_DCOOKIE_IX + DO }, - # undef DO - { "whackrecord", required_argument, NULL, OPT_WHACKRECORD + OO }, - { "whackstoprecord", no_argument, NULL, OPT_WHACKSTOPRECORD + OO }, diff --git a/SOURCES/libreswan-3.15-1302778.fipslist.patch b/SOURCES/libreswan-3.15-1302778.fipslist.patch deleted file mode 100644 index b74dd3a..0000000 --- a/SOURCES/libreswan-3.15-1302778.fipslist.patch +++ /dev/null 
@@ -1,13 +0,0 @@
-diff -Naur libreswan-3.15-orig/programs/pluto/fips.h libreswan-3.15/programs/pluto/fips.h
---- libreswan-3.15-orig/programs/pluto/fips.h 2016-06-14 15:38:16.662610551 -0400
-+++ libreswan-3.15/programs/pluto/fips.h 2016-06-14 15:40:22.581887678 -0400
-@@ -31,7 +31,9 @@
- IPSEC_EXECDIR "/ikeping",
- IPSEC_EXECDIR "/readwriteconf",
- IPSEC_EXECDIR "/_keycensor",
-+ IPSEC_EXECDIR "/_import_crl",
- IPSEC_EXECDIR "/look",
-+ IPSEC_EXECDIR "/cavp",
- IPSEC_EXECDIR "/newhostkey",
- IPSEC_EXECDIR "/_plutorun",
- IPSEC_EXECDIR "/_secretcensor",
diff --git a/SOURCES/libreswan-3.15-1309764-barf.patch b/SOURCES/libreswan-3.15-1309764-barf.patch
deleted file mode 100644
index 347c724..0000000
--- a/SOURCES/libreswan-3.15-1309764-barf.patch
+++ /dev/null
@@ -1,102 +0,0 @@ -diff -Naur libreswan-3.15-orig/programs/barf/barf.in libreswan-3.15/programs/barf/barf.in ---- libreswan-3.15-orig/programs/barf/barf.in 2015-08-24 22:28:32.000000000 -0400 -+++ libreswan-3.15/programs/barf/barf.in 2016-09-04 23:25:03.457442558 -0400 -@@ -97,22 +97,25 @@ - findlog_startline=1 # arbitrary - } - --# try to guess where logs are --findlog "$fstart" "klips" messages syslog auth.log daemon.log --if test " $findlog_file" = " /dev/null" -+if test ! -x /usr/bin/journalctl - then --echo "Unable to find KLIPS messages, typically found in /var/log/messages or equivalent. You may need to run Libreswan for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration." --fi --klog=$findlog_file --kline=$findlog_startline -+ # no systemd, need to figure out log file location -+ findlog "$fstart" "klips" messages syslog auth.log daemon.log -+ if test " $findlog_file" = " /dev/null" -+ then -+ echo "Unable to find KLIPS messages, typically found in /var/log/messages or equivalent. You may need to run Libreswan for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration." -+ fi -+ klog=$findlog_file -+ kline=$findlog_startline - --findlog "$pstart" "Pluto" secure auth.log daemon.log debug --if test " $findlog_file" = " /dev/null" --then --echo "Unable to find Pluto messages, typically found in /var/log/secure or equivalent. You may need to run Libreswan for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration." -+ findlog "$pstart" "Pluto" secure auth.log daemon.log debug -+ if test " $findlog_file" = " /dev/null" -+ then -+ echo "Unable to find Pluto messages, typically found in /var/log/secure or equivalent. 
You may need to run Libreswan for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration." -+ fi -+ plog=$findlog_file -+ pline=$findlog_startline - fi --plog=$findlog_file --pline=$findlog_startline - - # /lib/modules examiner - modulegoo() { -@@ -394,18 +397,22 @@ - tail -100 $LOGS/kern.debug - fi - _________________________ klog --sed -n $kline,'$'p $klog | -- egrep -i 'ipsec|klips|pluto' | -- case "$1" in -- --short) tail -500 ;; -- *) cat ;; -- esac -+dmesg | egrep -i "klips|ipsec" - _________________________ plog --sed -n $pline,'$'p $plog | -- egrep -i 'pluto' | -- case "$1" in -- --short) tail -500 ;; -- *) cat ;; -- esac -+if test -x /usr/bin/journalctl -+then -+ journalctl -u ipsec.service --no-pager --since "1 hour ago" | -+ case "$1" in -+ --short) tail -500 ;; -+ *) cat ;; -+ esac -+else -+ sed -n $pline,'$'p $plog | -+ egrep -i 'pluto' | -+ case "$1" in -+ --short) tail -500 ;; -+ *) cat ;; -+ esac -+fi - _________________________ date - date -diff -Naur libreswan-3.15-orig/programs/barf/ipsec_barf.8.xml libreswan-3.15/programs/barf/ipsec_barf.8.xml ---- libreswan-3.15-orig/programs/barf/ipsec_barf.8.xml 2015-08-24 22:28:32.000000000 -0400 -+++ libreswan-3.15/programs/barf/ipsec_barf.8.xml 2016-09-04 23:22:39.743238821 -0400 -@@ -9,7 +9,7 @@ - - IPSEC_BARF - 8 --17 March 2002 -+4 September 2016 - libreswan - Executable programs - -@@ -50,6 +50,12 @@ - currently netstat -rn. Useful on boxes where the routing - table is thousands of lines long. Default is 100. - -+On systems with systemd, ipsec barf will look for logs -+using the journalctl command. -+ -+If the logfile= option is used, logs will also not be found -+by the ipsec barf command. -+ - Barf - censors its output, - replacing keys diff --git a/SOURCES/libreswan-3.15-1313747-ipsec-man.patch b/SOURCES/libreswan-3.15-1313747-ipsec-man.patch deleted file mode 100644 index 940dcec..0000000 
--- a/SOURCES/libreswan-3.15-1313747-ipsec-man.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff -Naur libreswan-3.15-orig/programs/ipsec/ipsec.8.xml libreswan-3.15/programs/ipsec/ipsec.8.xml
---- libreswan-3.15-orig/programs/ipsec/ipsec.8.xml 2015-08-24 22:28:32.000000000 -0400
-+++ libreswan-3.15/programs/ipsec/ipsec.8.xml 2016-06-14 15:32:35.907563449 -0400
-@@ -90,8 +90,16 @@
-
-
-
-+RETURN CODE
-+The ipsec command passes the return code of the sub-command
-+back to the caller. The only exception is when ipsec pluto
-+is used without --nofork, as it will fork into the background
-+and the ipsec command returns success while the pluto daemon
-+may in fact exit with an error code after the fork.
-+
-+
- FILES
--/usr/local/libexec/ipsec usual utilities directory
-+/usr/libexec/ipsec is the usual utilities directory
-
-
- SEE ALSO
diff --git a/SOURCES/libreswan-3.15-1315412-crl-manpage.patch b/SOURCES/libreswan-3.15-1315412-crl-manpage.patch
deleted file mode 100644
index b7ea066..0000000
--- a/SOURCES/libreswan-3.15-1315412-crl-manpage.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff -Naur libreswan-3.15-orig/programs/configs/d.ipsec.conf/strictcrlpolicy.xml libreswan-3.15/programs/configs/d.ipsec.conf/strictcrlpolicy.xml
---- libreswan-3.15-orig/programs/configs/d.ipsec.conf/strictcrlpolicy.xml 2015-08-25 05:28:32.000000000 +0300
-+++ libreswan-3.15/programs/configs/d.ipsec.conf/strictcrlpolicy.xml 2016-07-02 23:35:49.908711469 +0300
-@@ -1,5 +1,5 @@
-
-- strictcrlpolicy
-+ crl-strict
-
- if not set, pluto is tolerant about missing or expired X.509 Certificate
- Revocation Lists (CRL's), and will allow peer certificates as long as they
-@@ -10,7 +10,7 @@
- entire VPN server will be dead in the water until a new CRL is manually
- transferred to the machine (if it allows non-IPsec connections).
- Acceptable values are yes or no
--(the default).
-+(the default). This option used to be called strictcrlpolicy=
-
-
-
diff --git a/SOURCES/libreswan-3.15-1344567-ikev1-retransmit.patch b/SOURCES/libreswan-3.15-1344567-ikev1-retransmit.patch
deleted file mode 100644
index 15aa720..0000000
--- a/SOURCES/libreswan-3.15-1344567-ikev1-retransmit.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-diff -Naur libreswan-3.15-orig/programs/pluto/ikev1.c libreswan-3.15/programs/pluto/ikev1.c
---- libreswan-3.15-orig/programs/pluto/ikev1.c 2015-08-24 22:28:32.000000000 -0400
-+++ libreswan-3.15/programs/pluto/ikev1.c 2016-06-14 15:13:52.309906626 -0400
-@@ -245,7 +245,7 @@
- { STATE_MAIN_R0, STATE_MAIN_R1,
- SMF_ALL_AUTH | SMF_REPLY,
- P(SA), P(VID) | P(CR), PT(NONE),
-- EVENT_v1_RETRANSMIT, main_inI1_outR1 },
-+ EVENT_SA_REPLACE, main_inI1_outR1 },
-
- /* STATE_MAIN_I1: R1 --> I2
- * HDR, SA --> auth dependent
-@@ -394,7 +394,7 @@
- { STATE_AGGR_R0, STATE_AGGR_R1,
- SMF_PSK_AUTH | SMF_DS_AUTH | SMF_REPLY,
- P(SA) | P(KE) | P(NONCE) | P(ID), P(VID) | P(NATD_RFC), PT(NONE),
-- EVENT_v1_RETRANSMIT, aggr_inI1_outR1 },
-+ EVENT_SA_REPLACE, aggr_inI1_outR1 },
-
- /* STATE_AGGR_I1:
- * SMF_PSK_AUTH: HDR, SA, KE, Nr, IDir, HASH_R
-@@ -571,12 +571,12 @@
- { STATE_XAUTH_I0, STATE_XAUTH_I1,
- SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2,
- P(MCFG_ATTR) | P(HASH), P(VID), PT(HASH),
-- EVENT_SA_REPLACE, xauth_inI0 },
-+ EVENT_v1_RETRANSMIT, xauth_inI0 },
-
- { STATE_XAUTH_I1, STATE_MAIN_I4,
- SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2,
- P(MCFG_ATTR) | P(HASH), P(VID), PT(HASH),
-- EVENT_SA_REPLACE, xauth_inI1 },
-+ EVENT_v1_RETRANSMIT, xauth_inI1 },
-
- #undef P
- #undef PT
diff --git a/SOURCES/libreswan-3.15-1347735-multicrl.patch b/SOURCES/libreswan-3.15-1347735-multicrl.patch
deleted file mode 100644
index 532fe30..0000000
--- a/SOURCES/libreswan-3.15-1347735-multicrl.patch
+++ /dev/null
@@ -1,69 +0,0 @@ -diff -Naur libreswan-3.15-orig/programs/pluto/x509.c libreswan-3.15/programs/pluto/x509.c ---- libreswan-3.15-orig/programs/pluto/x509.c 2015-08-24 22:28:32.000000000 -0400 -+++ libreswan-3.15/programs/pluto/x509.c 2016-06-23 15:54:33.992702860 -0400 -@@ -423,9 +423,6 @@ - generalName_t *gndp_from_nss_cert(CERTCertificate *cert) - { - SECItem crlval; -- CERTCrlDistributionPoints *dps = NULL; -- CRLDistributionPoint *point = NULL; -- generalName_t *gndp = NULL; - - if (cert == NULL) - return NULL; -@@ -437,25 +434,45 @@ - return NULL; - } - -- if ((dps = CERT_DecodeCRLDistributionPoints(cert->arena, -- &crlval)) == NULL) { -+ CERTCrlDistributionPoints *dps = CERT_DecodeCRLDistributionPoints(cert->arena, &crlval); -+ -+ if (dps == NULL) { - DBG(DBG_X509, - DBG_log("could not decode distribution points ext %d", - PORT_GetError())); - return NULL; - } - -- /* some common code, refactor */ -- point = dps->distPoints[0]; -+ CRLDistributionPoint **points = dps->distPoints; -+ generalName_t *gndp_list = NULL; - -- if (point != NULL && point->distPointType == generalName && -- point->distPoint.fullName != NULL && -- point->distPoint.fullName->type == certURI) { -- gndp = alloc_thing(generalName_t, "converted gn"); -- convert_nss_gn_to_pluto_gn(point->distPoint.fullName, gndp); -+ /* Certificate can have multiple distribution points */ -+ for (; points != NULL && *points != NULL; points++) { -+ CRLDistributionPoint *point = *points; -+ -+ if (point->distPointType == generalName && -+ point->distPoint.fullName != NULL) { -+ CERTGeneralName *first_name, *name; -+ -+ /* Each point is a linked list. 
*/ -+ first_name = name = point->distPoint.fullName; -+ do { -+ if (name->type == certURI) { -+ generalName_t *gndp; -+ -+ /* Add single point to return list */ -+ gndp = alloc_thing(generalName_t, -+ "converted gn"); -+ convert_nss_gn_to_pluto_gn(name, gndp); -+ gndp->next = gndp_list; -+ gndp_list = gndp; -+ } -+ name = CERT_GetNextGeneralName(name); -+ } while (name != NULL && name != first_name); -+ } - } - -- return gndp; -+ return gndp_list; - } - - char *find_dercrl_uri(chunk_t *dercrl) diff --git a/SOURCES/libreswan-3.15-1361721-delete.patch b/SOURCES/libreswan-3.15-1361721-delete.patch deleted file mode 100644 index fcba308..0000000 --- a/SOURCES/libreswan-3.15-1361721-delete.patch +++ /dev/null 
@@ -1,47 +0,0 @@
-diff -Naur libreswan-3.15-orig/include/pluto_constants.h libreswan-3.15/include/pluto_constants.h
---- libreswan-3.15-orig/include/pluto_constants.h 2016-09-06 22:44:24.279780559 -0400
-+++ libreswan-3.15/include/pluto_constants.h 2016-09-06 22:47:42.345765986 -0400
-@@ -138,7 +138,7 @@
-
- #define RETRANSMIT_TIMEOUT_DEFAULT 60 /* seconds */
- #define RETRANSMIT_INTERVAL_DEFAULT 500 /* wait time doubled each retransmit - in milliseconds */
--#define DELETE_SA_DELAY RETRANSMIT_TIMEOUT_DEFAULT /* wait until the other side giveup on us */
-+#define DELETE_SA_DELAY 20 /* seconds */
- #define EVENT_CRYPTO_FAILED_DELAY RETRANSMIT_TIMEOUT_DEFAULT /* wait till the other side give up on us */
-
- /*
-diff -Naur libreswan-3.15-orig/programs/pluto/ikev1_main.c libreswan-3.15/programs/pluto/ikev1_main.c
---- libreswan-3.15-orig/programs/pluto/ikev1_main.c 2016-09-06 22:44:24.280780554 -0400
-+++ libreswan-3.15/programs/pluto/ikev1_main.c 2016-09-06 22:47:09.165935946 -0400
-@@ -3046,15 +3046,15 @@
- mononow())));
- } else {
- loglog(RC_LOG_SERIOUS,
-- "received Delete SA payload: replace IPSEC State #%lu in %d seconds",
-+ "received Delete SA payload: replace IPSEC State #%lu in 25ms, letting old IPsec SA linger for %d seconds",
- dst->st_serialno,
- DELETE_SA_DELAY);
- dst->st_margin = deltatime(
- DELETE_SA_DELAY);
- delete_event(dst);
-- event_schedule(
-+ event_schedule_ms(
- EVENT_SA_REPLACE,
-- DELETE_SA_DELAY, dst);
-+ 25 , dst);
- }
- } else {
- loglog(RC_LOG_SERIOUS,
-diff -Naur libreswan-3.15-orig/programs/pluto/terminate.c libreswan-3.15/programs/pluto/terminate.c
---- libreswan-3.15-orig/programs/pluto/terminate.c 2016-09-06 22:44:24.304780431 -0400
-+++ libreswan-3.15/programs/pluto/terminate.c 2016-09-06 22:45:40.095392201 -0400
-@@ -77,7 +77,8 @@
- flush_pending_by_connection(c);
- if (shared_phase1_connection(c)) {
- libreswan_log("IKE SA is shared - only terminating IPsec SA");
-- delete_state(state_with_serialno(c->newest_ipsec_sa));
-+ if 
(c->newest_ipsec_sa != SOS_NOBODY)
-+ delete_state(state_with_serialno(c->newest_ipsec_sa));
- } else {
- DBG(DBG_CONTROL, DBG_log("connection not shared pkilling phase1 and phase2"));
- delete_states_by_connection(c, FALSE);
diff --git a/SOURCES/libreswan-3.15-609343.patch b/SOURCES/libreswan-3.15-609343.patch
deleted file mode 100644
index 02dd768..0000000
--- a/SOURCES/libreswan-3.15-609343.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff --git a/programs/pluto/hostpair.c b/programs/pluto/hostpair.c
-index 9b14341..e3afecd 100644
---- a/programs/pluto/hostpair.c
-+++ b/programs/pluto/hostpair.c
-@@ -284,7 +284,8 @@ void release_dead_interfaces(void)
- */
- passert(p == *pp);
-
-- p->interface = NULL;
-+ terminate_connection(p->name);
-+ p->interface = NULL; /* withdraw orientation */
-
- *pp = p->hp_next; /* advance *pp */
- p->host_pair = NULL;
-diff --git a/programs/pluto/initiate.c b/programs/pluto/initiate.c
-index 056af59..eed8bf3 100644
---- a/programs/pluto/initiate.c
-+++ b/programs/pluto/initiate.c
-@@ -119,6 +119,7 @@ bool orient(struct connection *c)
- c->name, c->interface->ip_dev->id_rname,
- p->ip_dev->id_rname);
- }
-+ terminate_connection(c->name);
- c->interface = NULL; /* withdraw orientation */
- return FALSE;
- }
diff --git a/SOURCES/libreswan-3.15-NLMSG_OK.patch b/SOURCES/libreswan-3.15-NLMSG_OK.patch
deleted file mode 100644
index dbd552b..0000000
--- a/SOURCES/libreswan-3.15-NLMSG_OK.patch
+++ /dev/null
@@ -1,444 +0,0 @@ -diff -Naur libreswan-3.15-orig/programs/addconn/addconn.c libreswan-3.15/programs/addconn/addconn.c ---- libreswan-3.15-orig/programs/addconn/addconn.c 2015-08-24 16:52:43.000000000 -0400 -+++ libreswan-3.15/programs/addconn/addconn.c 2015-09-04 09:21:23.866861084 -0400 -@@ -64,6 +64,8 @@ - * If DST is not specified, full route table will be returned. - * 16kB was too small for biggish router, so do 32kB. - * TODO: This should be dynamic! Fix it in netlink_read_reply(). -+ * Note: due to our hack to dodge a bug in NLMSG_OK, -+ * RTNL_BUFSIZE must be less than or equal to USHRT_MAX. - */ - #define RTNL_BUFSIZE 32768 - -@@ -139,30 +141,34 @@ - static - ssize_t netlink_read_reply(int sock, char *buf, unsigned int seqnum, __u32 pid) - { -- struct nlmsghdr *nlhdr; -- struct sockaddr_nl sa; -- socklen_t salen = sizeof(sa); -- ssize_t readlen = 0; - ssize_t msglen = 0; - - /* TODO: use dynamic buf */ -- do { -+ for (;;) { -+ struct sockaddr_nl sa; -+ ssize_t readlen; -+ - /* Read netlink message, verifying kernel origin. */ - do { -+ socklen_t salen = sizeof(sa); -+ - readlen = recvfrom(sock, buf, RTNL_BUFSIZE - msglen, 0, - (struct sockaddr *)&sa, &salen); -- if (readlen < 0) -+ if (readlen < 0 || salen != sizeof(sa)) - return -1; - } while (sa.nl_pid != 0); - - /* Verify it's valid */ -- nlhdr = (struct nlmsghdr *) buf; -+ struct nlmsghdr *nlhdr = (struct nlmsghdr *) buf; -+ - /* -- * CAST TO unsigned short IS TO AVOID netlink.h:NLMSG_OK error -- * which triggers a GCC warning in recent GCCs: -+ * The cast to unsigned short is to dodge an error in -+ * netlink.h:NLMSG_OK() which triggers a GCC warning in recent -+ * versions of GCC (2014 August): - * error: comparison between signed and unsigned integer expressions -+ * Note: as long as RTNL_BUFSIZE <= USHRT_MAX, this is safe. 
- */ -- if (NLMSG_OK(nlhdr, (unsigned short)readlen) == 0 || -+ if (!NLMSG_OK(nlhdr, (unsigned short)readlen) || - nlhdr->nlmsg_type == NLMSG_ERROR) - return -1; - -@@ -174,11 +180,16 @@ - buf += readlen; - msglen += readlen; - -- /* All done if it's not a multi part */ -+ /* all done if it's not a multi part */ - if ((nlhdr->nlmsg_flags & NLM_F_MULTI) == 0) - break; -- } while (nlhdr->nlmsg_seq != seqnum || -- nlhdr->nlmsg_pid != pid); -+ -+ /* all done if this is the one we were searching for */ -+ if (nlhdr->nlmsg_seq == seqnum && -+ nlhdr->nlmsg_pid == pid) -+ break; -+ } -+ - return msglen; - } - -@@ -188,31 +199,33 @@ - static - ssize_t netlink_query(char *msgbuf) - { -- struct nlmsghdr *nlmsg; -- int sock; -+ int sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE); - -- /* Create socket */ -- if ((sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE)) < 0) { -+ if (sock < 0) { - int e = errno; -- printf("create netlink socket: (%d: %s)", e, strerror(e)); -+ -+ printf("create netlink socket failure: (%d: %s)\n", e, strerror(e)); - return -1; - } - - /* Send request */ -- nlmsg = (struct nlmsghdr *)msgbuf; -+ struct nlmsghdr *nlmsg = (struct nlmsghdr *)msgbuf; -+ - if (send(sock, nlmsg, nlmsg->nlmsg_len, 0) < 0) { - int e = errno; -- printf("write netlink socket: (%d: %s)", e, strerror(e)); -+ -+ printf("write netlink socket failure: (%d: %s)\n", e, strerror(e)); - return -1; - } - - /* Read response */ -+ errno = 0; /* in case failure does not set it */ - ssize_t len = netlink_read_reply(sock, msgbuf, 1, getpid()); - - if (len < 0) { - int e = errno; - -- printf("read netlink socket: (%d: %s)", e, strerror(e)); -+ printf("read netlink socket failure: (%d: %s)\n", e, strerror(e)); - return -1; - } - close(sock); -@@ -331,11 +344,9 @@ - * 1) find out default gateway - * 2) find out src for that default gateway - */ -- if (!has_dst) { -- if (seeking_src && seeking_gateway) { -- seeking_src = FALSE; -- query_again = 1; -- } -+ if (!has_dst && seeking_src && 
seeking_gateway) { -+ seeking_src = FALSE; -+ query_again = 1; - } - if (seeking_gateway) { - struct nlmsghdr *nlmsg = (struct nlmsghdr *)msgbuf; -@@ -358,19 +369,17 @@ - struct nlmsghdr *nlmsg = (struct nlmsghdr *)msgbuf; - - /* -- * CAST TO unsigned short IS TO AVOID netlink.h:NLMSG_OK error -- * which triggers a GCC warning in recent GCCs: -+ * The cast to unsigned short is to dodge an error in -+ * netlink.h:NLMSG_OK() which triggers a GCC warning in recent -+ * versions of GCC (2014 August): - * error: comparison between signed and unsigned integer expressions -+ * Note: as long as RTNL_BUFSIZE <= USHRT_MAX, this is safe. - */ -- for (; NLMSG_OK(nlmsg, (unsigned short)len); nlmsg = NLMSG_NEXT(nlmsg, len)) { -- struct rtmsg *rtmsg; -- struct rtattr *rtattr; -- int rtlen; -+ for (; NLMSG_OK(nlmsg, (unsigned short)len); nlmsg = NLMSG_NEXT(nlmsg, len)) { - char r_interface[IF_NAMESIZE+1]; - char r_source[ADDRTOT_BUF]; - char r_gateway[ADDRTOT_BUF]; - char r_destination[ADDRTOT_BUF]; -- bool ignore; - - if (nlmsg->nlmsg_type == NLMSG_DONE) - break; -@@ -378,23 +387,23 @@ - if (nlmsg->nlmsg_type == NLMSG_ERROR) { - printf("netlink error\n"); - return -1; -- break; - } - - /* ignore all but IPv4 and IPv6 */ -- rtmsg = (struct rtmsg *) NLMSG_DATA(nlmsg); -+ struct rtmsg *rtmsg = (struct rtmsg *) NLMSG_DATA(nlmsg); -+ - if (rtmsg->rtm_family != AF_INET && - rtmsg->rtm_family != AF_INET6) - continue; - - /* Parse one route entry */ -- r_interface[0] = r_interface[IF_NAMESIZE] = r_source[0] = -- r_gateway[0] = r_destination[0] = '\0'; -- rtattr = (struct rtattr *) RTM_RTA(rtmsg); -- rtlen = RTM_PAYLOAD(nlmsg); -- for (; -- RTA_OK(rtattr, rtlen); -- rtattr = RTA_NEXT(rtattr, rtlen)) { -+ zero(&r_interface); -+ r_source[0] = r_gateway[0] = r_destination[0] = '\0'; -+ -+ struct rtattr *rtattr = (struct rtattr *) RTM_RTA(rtmsg); -+ int rtlen = RTM_PAYLOAD(nlmsg); -+ -+ while (RTA_OK(rtattr, rtlen)) { - switch (rtattr->rta_type) { - case RTA_OIF: - if_indextoname(*(int 
*)RTA_DATA(rtattr), -@@ -417,13 +426,14 @@ - sizeof(r_destination)); - break; - } -+ rtattr = RTA_NEXT(rtattr, rtlen); - } - - /* - * Ignore if not main table. - * Ignore ipsecX or mastX interfaces. - */ -- ignore = rtmsg->rtm_table != RT_TABLE_MAIN || -+ bool ignore = rtmsg->rtm_table != RT_TABLE_MAIN || - startswith(r_interface, "ipsec") || - startswith(r_interface, "mast"); - -@@ -548,20 +558,23 @@ - int main(int argc, char *argv[]) - { - int opt = 0; -- int autoall = 0; -+ bool autoall = FALSE; - int configsetup = 0; - int checkconfig = 0; -- char *export = "export"; /* display export before the foo=bar or not */ -- int listroute = 0, liststart = 0, listignore = 0, listadd = 0, -- listall = 0, dolist = 0, liststack = 0; -- struct starter_config *cfg = NULL; -- err_t err = NULL; -- char *confdir = NULL; -+ const char *export = "export"; /* display export before the foo=bar or not */ -+ bool -+ dolist = FALSE, -+ listadd = FALSE, -+ listroute = FALSE, -+ liststart = FALSE, -+ listignore = FALSE, -+ listall = FALSE, -+ liststack = FALSE; - char *configfile = NULL; -- char *varprefix = ""; -+ const char *varprefix = ""; - int exit_status = 0; - struct starter_conn *conn = NULL; -- char *ctlbase = NULL; -+ const char *ctlbase = NULL; - bool resolvip = TRUE; /* default to looking up names */ - - #if 0 -@@ -586,7 +599,7 @@ - break; - - case 'a': -- autoall = 1; -+ autoall = TRUE; - break; - - case 'D': -@@ -595,11 +608,11 @@ - break; - - case 'T': -- configsetup++; -+ configsetup++; /* ??? is this not idempotent? */ - break; - - case 'K': -- checkconfig++; -+ checkconfig++; /* ??? is this not idempotent? 
*/ - break; - - case 'N': -@@ -615,33 +628,33 @@ - break; - - case 'L': -- listadd = 1; -- dolist = 1; -+ listadd = TRUE; -+ dolist = TRUE; - break; - - case 'r': -- listroute = 1; -- dolist = 1; -+ listroute = TRUE; -+ dolist = TRUE; - break; - - case 's': -- liststart = 1; -- dolist = 1; -+ liststart = TRUE; -+ dolist = TRUE; - break; - - case 'S': -- liststack = 1; -- dolist = 1; -+ liststack = TRUE; -+ dolist = TRUE; - break; - - case 'i': -- listignore = 1; -- dolist = 1; -+ listignore = TRUE; -+ dolist = TRUE; - break; - - case 'A': -- listall = 1; -- dolist = 1; -+ listall = TRUE; -+ dolist = TRUE; - break; - - case 'P': -@@ -672,9 +685,7 @@ - yydebug = 1; - } - -- /* find config file */ -- if (confdir == NULL) -- confdir = IPSEC_CONFDIR; -+ char *confdir = IPSEC_CONFDIR; - - if (configfile == NULL) { - /* ??? see code clone in programs/readwriteconf/readwriteconf.c */ -@@ -694,29 +705,32 @@ - - starter_use_log(verbose != 0, TRUE, verbose == 0); - -- err = NULL; /* reset to no error */ -- - if (configsetup || checkconfig || dolist) { - /* skip if we have no use for them... causes delays */ - resolvip = FALSE; - } - -- cfg = confread_load(configfile, &err, resolvip, ctlbase, configsetup); -+ struct starter_config *cfg = NULL; - -- if (cfg == NULL) { -- fprintf(stderr, "cannot load config '%s': %s\n", -- configfile, err); -- exit(3); -- } else if (checkconfig) { -- confread_free(cfg); -- exit(0); -+ { -+ err_t err = NULL; -+ -+ cfg = confread_load(configfile, &err, resolvip, ctlbase, configsetup); -+ -+ if (cfg == NULL) { -+ fprintf(stderr, "cannot load config '%s': %s\n", -+ configfile, err); -+ exit(3); -+ } else if (checkconfig) { -+ confread_free(cfg); -+ exit(0); -+ } - } - - if (autoall) { - if (verbose) - printf("loading all conns according to their auto= settings\n"); - -- - /* - * Load all conns marked as auto=add or better. 
- * First, do the auto=route and auto=add conns to quickly -@@ -727,7 +741,6 @@ - if (verbose) - printf(" Pass #1: Loading auto=add, auto=route and auto=start connections\n"); - -- - for (conn = cfg->conns.tqh_first; - conn != NULL; - conn = conn->link.tqe_next) { -@@ -828,7 +841,6 @@ - conn-> - strings[KSF_CONNALIAS] - )) { -- - if (conn->state == - STATE_ADDED) { - printf("\nalias: %s conn %s already added\n", -@@ -875,12 +887,10 @@ - printf("%s ", conn->name); - printf("\n"); - } else { -- - if (listadd) { - if (verbose) - printf("listing all conns marked as auto=add\n"); - -- - /* list all conns marked as auto=add */ - for (conn = cfg->conns.tqh_first; - conn != NULL; -@@ -893,7 +903,6 @@ - if (verbose) - printf("listing all conns marked as auto=route and auto=start\n"); - -- - /* - * list all conns marked as auto=route or start or - * better -@@ -911,7 +920,6 @@ - if (verbose) - printf("listing all conns marked as auto=start\n"); - -- - /* list all conns marked as auto=start */ - for (conn = cfg->conns.tqh_first; - conn != NULL; -@@ -925,7 +933,6 @@ - if (verbose) - printf("listing all conns marked as auto=ignore\n"); - -- - /* list all conns marked as auto=start */ - for (conn = cfg->conns.tqh_first; - conn != NULL; -@@ -942,14 +949,14 @@ - - for (kd = ipsec_conf_keywords_v2; kd->keyname != NULL; kd++) { - if (strstr(kd->keyname, "protostack")) { -- if (cfg->setup.strings[kd->field]) -+ if (cfg->setup.strings[kd->field]) { - printf("%s\n", - cfg->setup.strings[kd->field]); -- else -+ } else { - /* implicit default */ - printf("netkey\n"); -+ } - } -- - } - confread_free(cfg); - exit(0); -@@ -1008,7 +1015,6 @@ - } - confread_free(cfg); - exit(0); -- - } - - confread_free(cfg); diff --git a/SOURCES/libreswan-3.15-cisco-delete.patch b/SOURCES/libreswan-3.15-cisco-delete.patch deleted file mode 100644 index 6cea96e..0000000 --- a/SOURCES/libreswan-3.15-cisco-delete.patch +++ /dev/null 
@@ -1,107 +0,0 @@
-diff --git a/programs/pluto/ikev1_main.c b/programs/pluto/ikev1_main.c
-index de20a83..31d959b 100644
---- a/programs/pluto/ikev1_main.c
-+++ b/programs/pluto/ikev1_main.c
-@@ -2983,13 +2983,12 @@ bool accept_delete(struct msg_digest *md,
- * IPSEC (ESP/AH)
- */
- ipsec_spi_t spi; /* network order */
-- bool bogus;
-- struct state *dst;
-
- if (!in_raw(&spi, sizeof(spi), &p->pbs, "SPI"))
- return self_delete;
-
-- dst = find_phase2_state_to_delete(st,
-+ bool bogus;
-+ struct state *dst = find_phase2_state_to_delete(st,
- d->isad_protoid,
- spi,
- &bogus);
-@@ -2997,14 +2996,19 @@ bool accept_delete(struct msg_digest *md,
- passert(dst != st); /* st is an IKE SA */
- if (dst == NULL) {
- loglog(RC_LOG_SERIOUS,
-- "ignoring Delete SA payload: %s SA(0x%08" PRIx32 ") not found (%s)",
-+ "ignoring Delete SA payload: %s SA(0x%08" PRIx32 ") not found (maybe expired)",
- enum_show(&protocol_names,
- d->isad_protoid),
-- ntohl(spi),
-- bogus ?
-- "our SPI - bogus implementation" :
-- "maybe expired");
-+ ntohl(spi));
- } else {
-+ if (bogus) {
-+ loglog(RC_LOG_SERIOUS,
-+ "warning: Delete SA payload: %s SA(0x%08" PRIx32 ") is our own SPI (bogus implementation) - deleting anyway",
-+ enum_show(&protocol_names,
-+ d->isad_protoid),
-+ ntohl(spi));
-+ }
-+
- struct connection *rc = dst->st_connection;
- struct connection *oldc = cur_connection;
-
-diff --git a/programs/pluto/state.c b/programs/pluto/state.c
-index b2eac62..c5d4484 100644
---- a/programs/pluto/state.c
-+++ b/programs/pluto/state.c
-@@ -1537,37 +1537,52 @@ struct state *find_likely_sender(size_t packet_len, u_char *packet)
- return NULL;
- }
-
-+/*
-+ * find_phase2_state_to_delete: find an AH or ESP SA to delete
-+ *
-+ * We are supposed to be given the other side's SPI.
-+ * Certain CISCO implementations send our side's SPI instead.
-+ * We'll accept this, but mark it as bogus.
-+ */
- struct state *find_phase2_state_to_delete(const struct state *p1st,
- u_int8_t protoid,
- ipsec_spi_t spi,
- bool *bogus)
- {
-- struct state *st;
-+ struct state *bogusst = NULL;
- int i;
-
- *bogus = FALSE;
- for (i = 0; i < STATE_TABLE_SIZE; i++) {
-+ struct state *st;
-+
- FOR_EACH_ENTRY(st, i, {
- if (IS_IPSEC_SA_ESTABLISHED(st->st_state) &&
- p1st->st_connection->host_pair ==
- st->st_connection->host_pair &&
- same_peer_ids(p1st->st_connection,
-- st->st_connection, NULL)) {
-+ st->st_connection, NULL))
-+ {
- struct ipsec_proto_info *pr =
- protoid == PROTO_IPSEC_AH ?
- &st->st_ah : &st->st_esp;
-
- if (pr->present) {
-- if (pr->attrs.spi == spi)
-+ if (pr->attrs.spi == spi) {
-+ *bogus = FALSE;
- return st;
-+ }
-
-- if (pr->our_spi == spi)
-+ if (pr->our_spi == spi) {
- *bogus = TRUE;
-+ bogusst = st;
-+ /* don't return! */
-+ }
- }
- }
- });
- }
-- return NULL;
-+ return bogusst;
- }
-
- /*
diff --git a/SOURCES/libreswan-3.15-gcc-osw-interop-conf.patch b/SOURCES/libreswan-3.15-gcc-osw-interop-conf.patch
deleted file mode 100644
index 27fe3f5..0000000
--- a/SOURCES/libreswan-3.15-gcc-osw-interop-conf.patch
+++ /dev/null
@@ -1,910 +0,0 @@ -diff -Naur libreswan-3.15-orig/include/ipsecconf/confread.h libreswan-3.15/include/ipsecconf/confread.h ---- libreswan-3.15-orig/include/ipsecconf/confread.h 2015-08-24 16:52:43.000000000 -0400 -+++ libreswan-3.15/include/ipsecconf/confread.h 2015-09-03 11:43:09.630000000 -0400 -@@ -132,7 +132,7 @@ - extern struct starter_config *confread_load(const char *file, - err_t *perr, - bool resolvip, -- char *ctlbase, -+ const char *ctlbase, - bool setuponly); - extern struct starter_conn *alloc_add_conn(struct starter_config *cfg, - char *name); -diff -Naur libreswan-3.15-orig/include/ipsecconf/keywords.h libreswan-3.15/include/ipsecconf/keywords.h ---- libreswan-3.15-orig/include/ipsecconf/keywords.h 2015-08-24 16:52:43.000000000 -0400 -+++ libreswan-3.15/include/ipsecconf/keywords.h 2015-09-03 11:43:10.538000000 -0400 -@@ -305,8 +305,7 @@ - struct kw_list { - struct kw_list *next; - struct keyword keyword; -- char *string; -- double decimal; -+ char *string; - unsigned int number; - }; - -diff -Naur libreswan-3.15-orig/lib/libipsecconf/confread.c libreswan-3.15/lib/libipsecconf/confread.c ---- libreswan-3.15-orig/lib/libipsecconf/confread.c 2015-08-24 16:52:43.000000000 -0400 -+++ libreswan-3.15/lib/libipsecconf/confread.c 2015-09-03 11:42:22.941000000 -0400 -@@ -1418,7 +1418,7 @@ - struct starter_config *confread_load(const char *file, - err_t *perr, - bool resolvip, -- char *ctlbase, -+ const char *ctlbase, - bool setuponly) - { - struct starter_config *cfg = NULL; -diff -Naur libreswan-3.15-orig/lib/libipsecconf/confwrite.c libreswan-3.15/lib/libipsecconf/confwrite.c ---- libreswan-3.15-orig/lib/libipsecconf/confwrite.c 2015-08-24 16:52:43.000000000 -0400 -+++ libreswan-3.15/lib/libipsecconf/confwrite.c 2015-09-03 11:42:22.941000000 -0400 -@@ -412,9 +412,9 @@ - - int alsoplace = 0; - -- fprintf(out, "\t#also = "); -+ fprintf(out, "\t#also ="); - while (conn->alsos[alsoplace] != NULL) { -- fprintf(out, "%s ", conn->alsos[alsoplace]); -+ fprintf(out, 
" %s", conn->alsos[alsoplace]); - alsoplace++; - } - fprintf(out, "\n"); -diff -Naur libreswan-3.15-orig/lib/libipsecconf/Makefile libreswan-3.15/lib/libipsecconf/Makefile ---- libreswan-3.15-orig/lib/libipsecconf/Makefile 2015-08-24 16:52:43.000000000 -0400 -+++ libreswan-3.15/lib/libipsecconf/Makefile 2015-09-03 11:42:22.941000000 -0400 -@@ -38,21 +38,45 @@ - # since all the $(OBJS) indirectly depend on the header anyway. - $(OBJS): parser.tab.h - --# Use UNIX basename to strip off the directory. Use grep to workaround flex < 2.5.35 -+# Use UNIX basename to strip off the directory. -+# Use sed to work around two bugs: -+# -+# - flex < 2.5.35 generates an extern that isn't good -+# -+# - flex on RHEL 7 generates code that provokes GCC to warn -+# about comparing a signed value with an unsigned value -+# (Combination of a new GCC and an old flex). -+# Adding one cast makes RHEL 6's GCC unhappy, so we add two. -+# On RHEL 6, i is int and _yybytes_len is int. -+# On RHEL 7, i is int and _yybytes_len is yy_size_t -+# On Fedora 21, i is yy_size_t and _yybytes_len is yy_size_t -+# On some architectures, yy_size_t is wider than int; -+# which makes a mixed comparison OK. -+# -+# Avoid sed -i which somehow causes unwritable files -+# on fedora 20 with 9p filesystem mount. -+# Avoid creating the target file until it is done. - lex.yy.c: parser.l -- cd $(builddir) && $(LEX) -t $(srcdir)/$$(basename $<) | grep -v '^extern int isatty' > $@ -+ cd $(builddir) && \ -+ $(LEX) -o $@.$$$$ $(srcdir)/$$(basename $<) && \ -+ sed -e 's/for ( i = 0; i < _yybytes_len; ++i )$$/for ( i = 0; (yy_size_t)i < (yy_size_t)_yybytes_len; ++i )/' \ -+ -e '/^extern int isatty.*$$/d' $@.$$$$ >SEDTMP$$$$ && \ -+ rm $@.$$$$ && \ -+ mv SEDTMP$$$$ $@ - - # Use wild card rule so that GNU Make knows that both are output from - # a single recipe. 
- # - sed command for workaround for older bison vs GCC warning - # - avoid sed -i which somehow causes unwritable files - # on fedora 20 with 9p filesystem mount -+# - avoid creating the target file until it is done - %.tab.h %.tab.c: %.y - cd $(builddir) && \ -- $(BISON) ${BISONOSFLAGS} -v -d $(srcdir)/$$(basename $<) && \ -+ $(BISON) ${BISONOSFLAGS} -v --defines=$$(basename $< .y).tab.h -o $$(basename $< .y).tab.c$$$$ $(srcdir)/$$(basename $<) && \ - sed -e '/^ *#/s/if YYENABLE_NLS/if defined(YYENABLE_NLS) \&\& YYENABLE_NLS/' \ - -e '/^ *#/s/if YYLTYPE_IS_TRIVIAL/if defined(YYLTYPE_IS_TRIVIAL) \&\& YYLTYPE_IS_TRIVIAL/' \ -- $$(basename $< .y).tab.c >SEDTMP$$$$ && \ -+ $$(basename $< .y).tab.c$$$$ >SEDTMP$$$$ && \ -+ rm $$(basename $< .y).tab.c$$$$ && \ - mv SEDTMP$$$$ $$(basename $< .y).tab.c - - clean: parser-clean -diff -Naur libreswan-3.15-orig/lib/libipsecconf/parser.l libreswan-3.15/lib/libipsecconf/parser.l ---- libreswan-3.15-orig/lib/libipsecconf/parser.l 2015-08-24 16:52:43.000000000 -0400 -+++ libreswan-3.15/lib/libipsecconf/parser.l 2015-09-03 11:42:22.942000000 -0400 -@@ -373,7 +373,17 @@ - - [0-9]+ { - /* process a number */ -- yylval.num = strtoul(yytext, NULL, 10); -+ unsigned long val = (errno = 0, strtoul(yytext, NULL, 10)); -+ -+ if (errno != 0 || val > UINT_MAX) { -+ char ebuf[128]; -+ -+ snprintf(ebuf, sizeof(ebuf), -+ "number too large: %s", -+ yytext); -+ yyerror(ebuf); -+ } -+ yylval.num = val; - BEGIN INITIAL; - return INTEGER; - } -diff -Naur libreswan-3.15-orig/lib/libipsecconf/parser.y libreswan-3.15/lib/libipsecconf/parser.y ---- libreswan-3.15-orig/lib/libipsecconf/parser.y 2015-08-24 16:52:43.000000000 -0400 -+++ libreswan-3.15/lib/libipsecconf/parser.y 2015-09-03 11:42:22.942000000 -0400 -@@ -26,7 +26,7 @@ - #include - #include - #include -- -+#include - #define YYDEBUG 1 - - #include "ipsecconf/keywords.h" -@@ -41,16 +41,15 @@ - * Bison - */ - static char parser_errstring[ERRSTRING_LEN+1]; --static struct kw_list 
*alloc_kwlist(void); --static struct starter_comments *alloc_comment(void); - - /** - * Static Globals - */ --static int _save_errors_; --static struct config_parsed *_parser_cfg; --static struct kw_list **_parser_kw, *_parser_kw_last; --static struct starter_comments_list *_parser_comments; -+static bool save_errors; -+static struct config_parsed *parser_cfg; -+static struct kw_list **parser_kw, *parser_kw_last; -+static void new_parser_kw(struct keyword *keyword, char *string, unsigned int number); /* forward */ -+static struct starter_comments_list *parser_comments; - - /** - * Functions -@@ -60,7 +59,7 @@ - - %union { - char *s; -- unsigned int num; -+ unsigned int num; - struct keyword k; - } - %token EQUAL FIRST_SPACES EOL CONFIG SETUP CONN INCLUDE VERSION -@@ -72,6 +71,8 @@ - %token BOOLWORD - %token PERCENTWORD - %token COMMENT -+ -+%type duration - %% - - /* -@@ -84,8 +85,8 @@ - /* we have configs shipped with version 2 (INTEGER) and with version 2.0 (STRING, now NUMBER/float was removed */ - - versionstmt: /* NULL */ -- | VERSION STRING EOL blanklines -- | VERSION INTEGER EOL blanklines -+ | VERSION STRING EOL blanklines -+ | VERSION INTEGER EOL blanklines - ; - - blanklines: /* NULL */ -@@ -98,40 +99,40 @@ - - section_or_include: - CONFIG SETUP EOL { -- _parser_kw = &(_parser_cfg->config_setup); -- _parser_kw_last = NULL; -- _parser_comments = &_parser_cfg->comments; -+ parser_kw = &parser_cfg->config_setup; -+ parser_kw_last = NULL; -+ parser_comments = &parser_cfg->comments; - if (yydebug) - fprintf(stderr, "\nconfig setup read\n"); - - } kw_sections - | CONN STRING EOL { -- struct section_list *section; -- section = (struct section_list *)malloc(sizeof(struct section_list)); -- if (section != NULL) { -+ struct section_list *section = malloc(sizeof(struct section_list)); -+ -+ if (section == NULL) { -+ parser_kw = NULL; -+ parser_kw_last = NULL; -+ yyerror("can't allocate memory in section_or_include/conn"); -+ } else { - section->name = $2; - 
section->kw = NULL; - -- TAILQ_INSERT_TAIL(&_parser_cfg->sections, section, link); -+ TAILQ_INSERT_TAIL(&parser_cfg->sections, section, link); - -- /* setup keyword section to record values */ -- _parser_kw = &(section->kw); -- _parser_kw_last = NULL; -+ /* setup keyword section to record values */ -+ parser_kw = §ion->kw; -+ parser_kw_last = NULL; - - /* and comments */ - TAILQ_INIT(§ion->comments); -- _parser_comments = §ion->comments; -+ parser_comments = §ion->comments; - -- if(yydebug) -+ if (yydebug) - fprintf(stderr, "\nread conn %s\n", section->name); -- } else { -- _parser_kw = NULL; -- _parser_kw_last = NULL; -- yyerror("can't allocate memory in section_or_include/conn"); - } - } kw_sections - | INCLUDE STRING EOL { -- parser_y_include($2); -+ parser_y_include($2); - } - ; - -@@ -144,198 +145,174 @@ - - statement_kw: - KEYWORD EQUAL KEYWORD { -- struct kw_list *new; -+ struct keyword kw = $1; - -- assert(_parser_kw != NULL); -- new = alloc_kwlist(); -- if (new == NULL) { -- yyerror("can't allocate memory in statement_kw"); -- } else { -- struct keyword kw; -- /* because the third argument was also a keyword, we dig up the string representation. 
*/ -- const char *value = $3.keydef->keyname; -- -- kw = $1; -- new->keyword = kw; -- -- switch(kw.keydef->type) { -- case kt_list: -- new->number = parser_enum_list(kw.keydef, value, TRUE); -- break; -- case kt_enum: -- new->number = parser_enum_list(kw.keydef, value, FALSE); -- break; -- case kt_rsakey: -- case kt_loose_enum: -- new->number = parser_loose_enum(&new->keyword, value); -- break; -- case kt_string: -- case kt_appendstring: -- case kt_appendlist: -- case kt_filename: -- case kt_dirname: -- case kt_ipaddr: -- case kt_bitstring: -- case kt_idtype: -- case kt_range: -- case kt_subnet: -- new->string = strdup(value); -- break; -- -- case kt_bool: -- case kt_invertbool: -- case kt_number: -- case kt_time: -- case kt_percent: -+ /* because the third argument was also a keyword, we dig up the string representation. */ -+ const char *value = $3.keydef->keyname; -+ -+ char *string = NULL; /* neutral placeholding value */ -+ unsigned int number = 0; /* neutral placeholding value */ -+ -+ switch(kw.keydef->type) { -+ case kt_list: -+ number = parser_enum_list(kw.keydef, value, TRUE); -+ break; -+ case kt_enum: -+ number = parser_enum_list(kw.keydef, value, FALSE); -+ break; -+ case kt_rsakey: -+ case kt_loose_enum: -+ number = parser_loose_enum(&kw, value); -+ break; -+ case kt_string: -+ case kt_appendstring: -+ case kt_appendlist: -+ case kt_filename: -+ case kt_dirname: -+ case kt_ipaddr: -+ case kt_bitstring: -+ case kt_idtype: -+ case kt_range: -+ case kt_subnet: -+ string = strdup(value); -+ break; -+ -+ case kt_bool: -+ case kt_invertbool: -+ case kt_number: -+ case kt_time: -+ case kt_percent: - yyerror("keyword value is a keyword, but type not a string"); - assert(kw.keydef->type != kt_bool); - break; - -- case kt_comment: -- break; -+ case kt_comment: -+ break; - -- case kt_obsolete: -- case kt_obsolete_quiet: -- break; -- } -- new->next = NULL; -- -- if (_parser_kw_last) -- _parser_kw_last->next = new; -- _parser_kw_last = new; -- if (*_parser_kw == 
NULL) -- *_parser_kw = new; -+ case kt_obsolete: -+ case kt_obsolete_quiet: -+ break; - } -+ -+ new_parser_kw(&kw, string, number); - } - | COMMENT EQUAL STRING { -- struct starter_comments *new; -+ struct starter_comments *new = -+ malloc(sizeof(struct starter_comments)); - -- new = alloc_comment(); - if (new == NULL) { -- yyerror("can't allocate memory in statement_kw"); -+ yyerror("can't allocate memory in statement_kw"); - } else { -- new->x_comment = strdup($1.string); -- new->commentvalue = strdup($3); -- TAILQ_INSERT_TAIL(_parser_comments, new, link); -+ new->x_comment = strdup($1.string); -+ new->commentvalue = strdup($3); -+ TAILQ_INSERT_TAIL(parser_comments, new, link); - } - } - | KEYWORD EQUAL STRING { -- struct kw_list *new; -+ struct keyword kw = $1; - -- assert(_parser_kw != NULL); -- new = alloc_kwlist(); -- if (new == NULL) { -- yyerror("can't allocate memory in statement_kw"); -- } else { -- struct keyword kw; -+ char *string = NULL; /* neutral placeholding value */ -+ unsigned int number = 0; /* neutral placeholding value */ - -- kw = $1; -- new->keyword = kw; -+ switch(kw.keydef->type) { -+ case kt_list: -+ number = parser_enum_list(kw.keydef, $3, TRUE); -+ break; -+ case kt_enum: -+ number = parser_enum_list(kw.keydef, $3, FALSE); -+ break; -+ case kt_rsakey: -+ case kt_loose_enum: -+ number = parser_loose_enum(&kw, $3); -+ break; -+ case kt_string: -+ case kt_appendstring: -+ case kt_appendlist: -+ case kt_filename: -+ case kt_dirname: -+ case kt_ipaddr: -+ case kt_bitstring: -+ case kt_idtype: -+ case kt_range: -+ case kt_subnet: -+ string = $3; -+ break; - -- switch(kw.keydef->type) { -- case kt_list: -- new->number = parser_enum_list(kw.keydef, $3, TRUE); -- break; -- case kt_enum: -- new->number = parser_enum_list(kw.keydef, $3, FALSE); -- break; -- case kt_rsakey: -- case kt_loose_enum: -- new->number = parser_loose_enum(&new->keyword, $3); -- break; -- case kt_string: -- case kt_appendstring: -- case kt_appendlist: -- case kt_filename: 
-- case kt_dirname: -- case kt_ipaddr: -- case kt_bitstring: -- case kt_idtype: -- case kt_range: -- case kt_subnet: -- new->string = $3; -- break; -- -- case kt_bool: -- case kt_invertbool: -- case kt_number: -- case kt_time: -- case kt_percent: -+ case kt_bool: -+ case kt_invertbool: -+ case kt_number: -+ case kt_time: -+ case kt_percent: - yyerror("valid keyword, but value is not a number"); -- assert(!(kw.keydef->type == kt_bool)); -+ assert(kw.keydef->type != kt_bool); -+ break; -+ case kt_comment: -+ break; -+ case kt_obsolete: -+ case kt_obsolete_quiet: - break; -- case kt_comment: -- break; -- case kt_obsolete: -- case kt_obsolete_quiet: -- break; -- } -- new->next = NULL; -- -- if (_parser_kw_last) -- _parser_kw_last->next = new; -- _parser_kw_last = new; -- if (!*_parser_kw) *_parser_kw = new; - } -+ -+ new_parser_kw(&kw, string, number); - } - - | BOOLWORD EQUAL BOOL { -- struct kw_list *new; -- -- assert(_parser_kw != NULL); -- new = alloc_kwlist(); -- if (new == NULL) { -- yyerror("can't allocate memory in statement_kw"); -- } else { -- new->keyword = $1; -- new->number = $3; /* Should not be necessary! */ -- new->next = NULL; -- if (_parser_kw_last) -- _parser_kw_last->next = new; -- _parser_kw_last = new; -- if (!*_parser_kw) *_parser_kw = new; -- } -+ new_parser_kw(&$1, NULL, $3); - } - | KEYWORD EQUAL INTEGER { -- struct kw_list *new; -- -- assert(_parser_kw != NULL); -- new = alloc_kwlist(); -- if (new == NULL) { -- yyerror("can't allocate memory in statement_kw"); -- } else { -- new->keyword = $1; -- new->number = $3; /* Should not be necessary! 
*/ -- new->next = NULL; -- if (_parser_kw_last) -- _parser_kw_last->next = new; -- _parser_kw_last = new; -- if (!*_parser_kw) *_parser_kw = new; -- } -+ new_parser_kw(&$1, NULL, $3); - } -- | TIMEWORD EQUAL STRING { -- struct kw_list *new; -- char *endptr, *str; -- unsigned int val; -+ | TIMEWORD EQUAL duration { -+ new_parser_kw(&$1, NULL, $3); -+ } -+ | PERCENTWORD EQUAL STRING { - struct keyword kw = $1; -- bool fail; -- char buf[80]; -- -- -- fail = FALSE; -- -- str = $3; -- -- val = strtoul(str, &endptr, 10); -- -- if(endptr == str) { -- snprintf(buf, sizeof(buf), "bad duration value %s=%s", kw.keydef->keyname, str); -- yyerror(buf); -- fail = TRUE; -+ const char *const str = $3; -+ /*const*/ char *endptr; -+ char buf[80]; -+ unsigned long val = (errno = 0, strtoul(str, &endptr, 10)); -+ -+ if (endptr == str) { -+ snprintf(buf, sizeof(buf), -+ "malformed percentage %s=%s", -+ kw.keydef->keyname, str); -+ yyerror(buf); -+ } else if (*endptr != '%' || endptr[1] != '\0') { -+ snprintf(buf, sizeof(buf), -+ "bad percentage multiplier \"%s\" on %s", -+ endptr, str); -+ yyerror(buf); -+ } else if (errno != 0 || val > UINT_MAX) { -+ snprintf(buf, sizeof(buf), -+ "percentage way too large \"%s\"", str); -+ yyerror(buf); -+ } else { -+ new_parser_kw(&kw, NULL, (unsigned int)val); - } -+ } -+ | KEYWORD EQUAL BOOL { -+ new_parser_kw(&$1, NULL, $3); -+ } -+ | KEYWORD EQUAL { /* this is meaningless, we ignore it */ } -+ ; - -- if(!fail) -- { -+duration: -+ INTEGER { -+ $$ = $1; -+ } -+ | STRING { -+ const char *const str = $1; -+ /*const*/ char *endptr; -+ char buf[80]; -+ -+ unsigned long val = (errno = 0, strtoul(str, &endptr, 10)); -+ int strtoul_errno = errno; -+ -+ if (endptr == str) { -+ snprintf(buf, sizeof(buf), "bad duration value \"%s\"", str); -+ yyerror(buf); -+ } else { -+ bool bad_suffix = FALSE; - unsigned scale; - - if (*endptr == '\0') { -@@ -350,194 +327,87 @@ - case 'd': scale = secs_per_day; break; - case 'w': scale = 7*secs_per_day; break; - default: 
-- snprintf(buf, sizeof(buf), -- "bad duration multiplier '%c' on %s", -- *endptr, str); -- yyerror(buf); -- fail=TRUE; -+ bad_suffix = TRUE; - } - } else { -+ bad_suffix = TRUE; -+ } -+ -+ if (bad_suffix) { - snprintf(buf, sizeof(buf), - "bad duration multiplier \"%s\" on %s", - endptr, str); - yyerror(buf); -- fail=TRUE; -- } -- -- if (!fail) { -- if (UINT_MAX / scale < val) { -- snprintf(buf, sizeof(buf), -- "overflow scaling %s", -- str); -- yyerror(buf); -- fail=TRUE; -- } else { -- val *= scale; -- } -+ } else if (strtoul_errno != 0 || UINT_MAX / scale < val) { -+ snprintf(buf, sizeof(buf), -+ "duration too large: \"%s\" is more than %u seconds", -+ str, UINT_MAX); -+ yyerror(buf); -+ } else { -+ $$ = val * scale; - } -- } -- -- if(!fail) -- { -- assert(_parser_kw != NULL); -- new = alloc_kwlist(); -- if (new == NULL) { -- yyerror("can't allocate memory in statement_kw"); -- } else { -- new->keyword = $1; -- new->number = val; -- new->next = NULL; -- if (_parser_kw_last) -- _parser_kw_last->next = new; -- _parser_kw_last = new; -- if (*_parser_kw == NULL) -- *_parser_kw = new; -- } -- } -- } -- | PERCENTWORD EQUAL STRING { -- struct kw_list *new; -- char *endptr, *str; -- struct keyword kw = $1; -- unsigned int val; -- bool fail; -- char buf[80]; -- -- -- fail = FALSE; -- -- str = $3; -- -- val = strtoul(str, &endptr, 10); -- -- if(endptr == str) { -- snprintf(buf, sizeof(buf), "bad percent value %s=%s", kw.keydef->keyname, str); -- yyerror(buf); -- fail = TRUE; -- -- } -- -- if(!fail) -- { -- if ((*endptr == '%') && (endptr[1] == '\0')) { } -- else { -- snprintf(buf, sizeof(buf), "bad percentage multiplier '%c' on %s", *endptr, str); -- yyerror(buf); -- fail=TRUE; -- } -- } -- -- if(!fail) -- { -- assert(_parser_kw != NULL); -- new = alloc_kwlist(); -- if (new == NULL) { -- yyerror("can't allocate memory in statement_kw"); -- } else { -- new->keyword = $1; -- new->number = val; -- new->next = NULL; -- if (_parser_kw_last) -- _parser_kw_last->next = new; -- 
_parser_kw_last = new; -- if (*_parser_kw == NULL) -- *_parser_kw = new; -- } -- } -- } -- | KEYWORD EQUAL BOOL { -- struct kw_list *new; -- -- assert(_parser_kw != NULL); -- new = alloc_kwlist(); -- if (new != NULL) { -- yyerror("can't allocate memory in statement_kw"); -- } else { -- new->keyword = $1; -- new->number = $3; /* Should not be necessary! */ -- new->next = NULL; -- if (_parser_kw_last) -- _parser_kw_last->next = new; -- _parser_kw_last = new; -- if (*_parser_kw == NULL) -- *_parser_kw = new; - } -- } -- | KEYWORD EQUAL { /* this is meaningless, we ignore it */ } -- ; -- -+ }; - %% - - void yyerror(const char *s) - { -- if (_save_errors_) -+ if (save_errors) - parser_y_error(parser_errstring, ERRSTRING_LEN, s); - } - - struct config_parsed *parser_load_conf(const char *file, err_t *perr) - { -- struct config_parsed *cfg=NULL; -- int err = 0; -- FILE *f; -- -- zero(&parser_errstring); -+ parser_errstring[0] = '\0'; - if (perr != NULL) - *perr = NULL; - -- cfg = (struct config_parsed *)malloc(sizeof(struct config_parsed)); -- if (cfg == NULL) -- { -- snprintf(parser_errstring, ERRSTRING_LEN, "can't allocate memory"); -- err++; -- goto end; -+ struct config_parsed *cfg = malloc(sizeof(struct config_parsed)); -+ -+ if (cfg == NULL) { -+ snprintf(parser_errstring, ERRSTRING_LEN, "can't allocate memory"); -+ goto err; - } - zero(cfg); /* ??? pointer fields may not be NULLed */ -- if (strncmp(file, "-", sizeof("-")) == 0) { -- f = fdopen(STDIN_FILENO, "r"); -- } -- else { -- f = fopen(file, "r"); -- } -- if (!f) -- { -- snprintf(parser_errstring, ERRSTRING_LEN, "can't load file '%s'", -- file); -- err++; -- goto end; -+ -+ FILE *f = streq(file, "-") ? 
-+ fdopen(STDIN_FILENO, "r") : fopen(file, "r"); -+ -+ if (f == NULL) { -+ snprintf(parser_errstring, ERRSTRING_LEN, "can't load file '%s'", -+ file); -+ goto err; - } - - yyin = f; - parser_y_init(file, f); -- _save_errors_=1; -+ save_errors = TRUE; - TAILQ_INIT(&cfg->sections); - TAILQ_INIT(&cfg->comments); -- _parser_cfg = cfg; -+ parser_cfg = cfg; - -- if (yyparse()!=0) { -- if (parser_errstring[0]=='\0') { -- snprintf(parser_errstring, ERRSTRING_LEN, -- "Unknown error..."); -- } -- _save_errors_=0; -- while (yyparse()!=0); -- err++; -- goto end; -- } -- if (parser_errstring[0]!='\0') { -- err++; -- goto end; -- } -- /** -- * Config valid -- */ --end: -- if (err) { -- if (perr) *perr = (err_t)strdup(parser_errstring); -- if (cfg) parser_free_conf (cfg); -- cfg = NULL; -+ if (yyparse() != 0) { -+ if (parser_errstring[0] == '\0') { -+ snprintf(parser_errstring, ERRSTRING_LEN, -+ "Unknown error..."); -+ } -+ save_errors = FALSE; -+ do {} while (yyparse() != 0); -+ } else if (parser_errstring[0] == '\0') { -+ /** -+ * Config valid -+ */ -+ return cfg; - } -+ /* falls through on error */ -+ -+err: -+ if (perr != NULL) -+ *perr = (err_t)strdup(parser_errstring); -+ if (cfg != NULL) -+ parser_free_conf(cfg); - -- return cfg; -+ return NULL; - } - - static void parser_free_kwlist(struct kw_list *list) -@@ -546,7 +416,7 @@ - struct kw_list *elt = list; - - list = list->next; -- if (elt->string) -+ if (elt->string != NULL) - free(elt->string); - free(elt); - } -@@ -554,16 +424,18 @@ - - void parser_free_conf(struct config_parsed *cfg) - { -- struct section_list *seci, *sec; -- if (cfg) { -+ if (cfg != NULL) { -+ struct section_list *seci; -+ - parser_free_kwlist(cfg->config_setup); - -- for(seci = cfg->sections.tqh_first; seci != NULL; ) -- { -- sec = seci; -+ for (seci = cfg->sections.tqh_first; seci != NULL; ) { -+ struct section_list *sec = seci; -+ - seci = seci->link.tqe_next; - -- if (sec->name) free(sec->name); -+ if (sec->name != NULL) -+ free(sec->name); - 
parser_free_kwlist(sec->kw); - free(sec); - } -@@ -572,20 +444,32 @@ - } - } - --static struct kw_list *alloc_kwlist(void) -+static void new_parser_kw(struct keyword *keyword, char *string, unsigned int number) - { -- struct kw_list *new; -- -- new = (struct kw_list *)malloc(sizeof(struct kw_list)); -- zero(new); /* ??? pointer members might not be set to NULL */ -- return new; --} -+ struct kw_list *new = malloc(sizeof(struct kw_list)); - --static struct starter_comments *alloc_comment(void) --{ -- struct starter_comments *new; -+ if (new == NULL) { -+ yyerror("cannot allocate memory for a kw_list"); -+ } else { -+ /* -+ * fill the values into new -+ * (either string or number might have a placeholder value -+ */ -+ new->keyword = *keyword; -+ new->string = string; -+ new->number = number; -+ new->next = NULL; -+ -+ /* link the new kw_list into the list */ -+ -+ if (*parser_kw == NULL) -+ *parser_kw = new; /* first in (some) list */ -+ -+ /* connect to previous last on list */ -+ if (parser_kw_last != NULL) -+ parser_kw_last->next = new; - -- new = (struct starter_comments *)malloc(sizeof(struct starter_comments)); -- zero(new); /* ??? pointer members might not be set to NULL */ -- return new; -+ /* new is new last on list */ -+ parser_kw_last = new; -+ } - } diff --git a/SOURCES/libreswan-3.15-ikev1-pam.patch b/SOURCES/libreswan-3.15-ikev1-pam.patch deleted file mode 100644 index 178fe26..0000000 --- a/SOURCES/libreswan-3.15-ikev1-pam.patch +++ /dev/null 
@@ -1,263 +0,0 @@ -diff -Naur libreswan-3.15-orig/programs/pluto/ikev1_xauth.c libreswan-3.15/programs/pluto/ikev1_xauth.c ---- libreswan-3.15-orig/programs/pluto/ikev1_xauth.c 2015-08-24 16:52:43.000000000 -0400 -+++ libreswan-3.15/programs/pluto/ikev1_xauth.c 2015-09-03 11:32:27.525000000 -0400 -@@ -1001,81 +1001,6 @@ - return STF_OK; - } - --#ifdef XAUTH_HAVE_PAM -- --/** Do authentication via PAM (Plugable Authentication Modules) -- * -- * We try to authenticate the user in our own PAM session. -- * -- * @return bool success -- */ --/* IN AN AUTH THREAD */ --static bool do_pam_authentication(void *varg) --{ -- struct xauth_thread_arg *arg = varg; -- int retval; -- pam_handle_t *pamh = NULL; -- struct pam_conv conv; -- const char *what; -- -- /* This do-while structure is designed to allow a logical cascade -- * without excessive indentation. No actual looping happens. -- * Failure is handled by "break". -- */ -- do { -- ipstr_buf ra; -- -- conv.conv = pam_conv; -- conv.appdata_ptr = varg; -- -- what = "pam_start"; -- retval = pam_start("pluto", arg->name, &conv, &pamh); -- if (retval != PAM_SUCCESS) -- break; -- -- DBG(DBG_CONTROL, DBG_log("pam_start SUCCESS")); -- -- /* Send the remote host address to PAM */ -- what = "pam_set_item"; -- retval = pam_set_item(pamh, PAM_RHOST, -- ipstr(&arg->st->st_remoteaddr, &ra)); -- if (retval != PAM_SUCCESS) -- break; -- -- DBG(DBG_CONTROL, DBG_log("pam_set_item SUCCESS")); -- -- /* Two factor authentication - Check that the user is valid, -- * and then check if they are permitted access -- */ -- what = "pam_authenticate"; -- retval = pam_authenticate(pamh, PAM_SILENT); /* is user really user? */ -- -- if (retval != PAM_SUCCESS) -- break; -- -- DBG(DBG_CONTROL, DBG_log("pam_authenticate SUCCESS")); -- -- what = "pam_acct_mgmt"; -- retval = pam_acct_mgmt(pamh, 0); /* permitted access? */ -- if (retval != PAM_SUCCESS) -- break; -- -- /* success! 
*/ -- libreswan_log("XAUTH: PAM_SUCCESS"); -- pam_end(pamh, PAM_SUCCESS); -- return TRUE; -- } while (FALSE); -- -- /* common failure code */ -- -- DBG(DBG_CONTROL, -- DBG_log("%s failed with '%s", what, pam_strerror(pamh, retval))); -- libreswan_log("XAUTH: %s failed with '%s'", what, pam_strerror(pamh, retval)); -- pam_end(pamh, retval); -- return FALSE; --} --#endif /* XAUTH_HAVE_PAM */ -- - /** Do authentication via /etc/ipsec.d/passwd file using MD5 passwords - * - * Structure is one entry per line. -@@ -1256,6 +1181,43 @@ - return win; - } - -+/* IN AN AUTH THREAD */ -+static bool ikev1_do_pam_authentication(const struct xauth_thread_arg *arg) -+{ -+ struct state *st = arg->st; -+ libreswan_log("XAUTH: pam authentication being called to authenticate user %s", -+ arg->name); -+ struct pam_thread_arg parg; -+ ipstr_buf ra; -+ struct timeval start_time; -+ struct timeval served_time; -+ struct timeval served_delta; -+ bool results = FALSE; -+ -+ parg.name = arg->name; -+ parg.password = arg->password; -+ parg.c_name = arg->connname; -+ parg.ra = clone_str(ipstr(&st->st_remoteaddr, &ra), "st remote address"); -+ parg.st_serialno = st->st_serialno; -+ parg.c_instance_serial = st->st_connection->instance_serial; -+ parg.atype = "XAUTH"; -+ gettimeofday(&start_time, NULL); -+ results = do_pam_authentication(&parg); -+ gettimeofday(&served_time, NULL); -+ timersub(&served_time, &start_time, &served_delta); -+ DBG(DBG_CONTROL, DBG_log("XAUTH PAM helper thread call " -+ "state #%lu, %s[%lu] user=%s %s. " -+ "elapsed time %lu.%06lu", -+ parg.st_serialno, parg.c_name, -+ parg.c_instance_serial, parg.name, -+ results ? 
"SUCCESS" : "FAIL", -+ (unsigned long)served_delta.tv_sec, -+ (unsigned long)(served_delta.tv_usec * 1000000))); -+ -+ pfreeany(parg.ra); -+ return (results); -+} -+ - /* - * Main authentication routine will then call the actual compiled-in - * method to verify the user/password -@@ -1330,10 +1292,7 @@ - switch (st->st_connection->xauthby) { - #ifdef XAUTH_HAVE_PAM - case XAUTHBY_PAM: -- libreswan_log( -- "XAUTH: pam authentication being called to authenticate user %s", -- arg->name); -- results = do_pam_authentication(varg); -+ results = ikev1_do_pam_authentication(arg); - break; - #endif - case XAUTHBY_FILE: -diff -Naur libreswan-3.15-orig/programs/pluto/ikev2_parent.c libreswan-3.15/programs/pluto/ikev2_parent.c ---- libreswan-3.15-orig/programs/pluto/ikev2_parent.c 2015-09-03 11:29:05.518000000 -0400 -+++ libreswan-3.15/programs/pluto/ikev2_parent.c 2015-09-03 11:32:27.526000000 -0400 -@@ -2417,7 +2417,7 @@ - pthread_setcanceltype (PTHREAD_CANCEL_ASYNCHRONOUS, NULL); - pthread_setcancelstate (PTHREAD_CANCEL_ASYNCHRONOUS, NULL); - -- p->pam_status = ikev2_do_pam_authentication(&p->pam); -+ p->pam_status = do_pam_authentication(&p->pam); - gettimeofday(&p->done_time, NULL); - timersub(&p->done_time, &p->start_time, &done_delta); - -@@ -2580,6 +2580,7 @@ - p->pam.ra = clone_str(ipstr(&st->st_remoteaddr, &ra), "st remote address"); - p->pam.c_instance_serial = st->st_connection->instance_serial; - p->pam.st_serialno = st->st_serialno; -+ p->pam.atype = "IKEv2"; - - p->next = pluto_v2_pam_helpers; - pluto_v2_pam_helpers = p; -diff -Naur libreswan-3.15-orig/programs/pluto/pam_conv.c libreswan-3.15/programs/pluto/pam_conv.c ---- libreswan-3.15-orig/programs/pluto/pam_conv.c 2015-08-24 16:52:43.000000000 -0400 -+++ libreswan-3.15/programs/pluto/pam_conv.c 2015-09-03 11:32:27.526000000 -0400 -@@ -10,7 +10,7 @@ - * Copyright (C) 2012-2013 Paul Wouters - * Copyright (C) 2012-2013 Philippe Vouters - * Copyright (C) 2013 David McCullough -- * Copyright (C) 2013 Antony 
Antony -+ * Copyright (C) 2013-2015 Antony Antony - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the -@@ -109,15 +109,25 @@ - return PAM_SUCCESS; - } - -+static void log_pam_step(const struct pam_thread_arg *arg, const char *what, -+ const char *how) -+{ -+ DBG(DBG_CONTROL, DBG_log("%s helper thread %s %s for " -+ "state #%lu, %s[%lu] user=%s.", -+ arg->atype, what, how, -+ arg->st_serialno, arg->c_name, -+ arg->c_instance_serial, arg->name)); -+ -+} -+ - /* - * Do IKEv2 second authentication via PAM (Plugable Authentication Modules) - * - * @return bool success - */ - /* IN AN AUTH THREAD */ --bool ikev2_do_pam_authentication(void *varg) -+bool do_pam_authentication(struct pam_thread_arg *arg) - { -- struct pam_thread_arg *arg = varg; - int retval; - pam_handle_t *pamh = NULL; - struct pam_conv conv; -@@ -129,22 +139,20 @@ - */ - do { - conv.conv = pam_conv; -- conv.appdata_ptr = varg; -+ conv.appdata_ptr = arg; - - what = "pam_start"; - retval = pam_start("pluto", arg->name, &conv, &pamh); - if (retval != PAM_SUCCESS) - break; -- -- DBG(DBG_CONTROL, DBG_log("pam_start SUCCESS")); -+ log_pam_step(arg, what, "SUCCESS"); - - /* Send the remote host address to PAM */ - what = "pam_set_item"; - retval = pam_set_item(pamh, PAM_RHOST, arg->ra); - if (retval != PAM_SUCCESS) - break; -- -- DBG(DBG_CONTROL, DBG_log("pam_set_item SUCCESS")); -+ log_pam_step(arg, what, "SUCCESS"); - - /* Two factor authentication - Check that the user is valid, - * and then check if they are permitted access -@@ -154,16 +162,16 @@ - - if (retval != PAM_SUCCESS) - break; -+ log_pam_step(arg, what, "SUCCESS"); - -- DBG(DBG_CONTROL, DBG_log("pam_authenticate SUCCESS")); -- -- what = "pam_acct_mgmt"; - retval = pam_acct_mgmt(pamh, 0); /* permitted access? */ - if (retval != PAM_SUCCESS) - break; - -+ what = "pam"; -+ log_pam_step(arg, what, "SUCCESS"); -+ - /* success! 
*/ -- libreswan_log("IKEv2: PAM_SUCCESS"); - pam_end(pamh, PAM_SUCCESS); - return TRUE; - } while (FALSE); -diff -Naur libreswan-3.15-orig/programs/pluto/pam_conv.h libreswan-3.15/programs/pluto/pam_conv.h ---- libreswan-3.15-orig/programs/pluto/pam_conv.h 2015-08-24 16:52:43.000000000 -0400 -+++ libreswan-3.15/programs/pluto/pam_conv.h 2015-09-03 11:32:27.527000000 -0400 -@@ -23,9 +23,10 @@ - char *ra; - so_serial_t st_serialno; - unsigned long c_instance_serial; -+ char *atype; /* string XAUTH or IKEv2 */ - }; - --extern bool ikev2_do_pam_authentication(void *varg); -+extern bool do_pam_authentication(struct pam_thread_arg *arg); - int pam_conv(int num_msg, const struct pam_message **msgm, - struct pam_response **response, void - *appdata_ptr); diff --git a/SOURCES/libreswan-3.15-migration.patch b/SOURCES/libreswan-3.15-migration.patch deleted file mode 100644 index 0b3c664..0000000 --- a/SOURCES/libreswan-3.15-migration.patch +++ /dev/null 
@@ -1,20 +0,0 @@ -diff -Naur libreswan-3.15-orig/lib/libipsecconf/keywords.c libreswan-3.15/lib/libipsecconf/keywords.c ---- libreswan-3.15-orig/lib/libipsecconf/keywords.c 2015-08-24 16:52:43.000000000 -0400 -+++ libreswan-3.15/lib/libipsecconf/keywords.c 2015-09-24 12:52:54.377592510 -0400 -@@ -342,6 +342,8 @@ - { "interfaces", kv_config, kt_string, KSF_INTERFACES, NOT_ENUM }, - { "curl-iface", kv_config, kt_string, KSF_CURLIFACE, NOT_ENUM }, - { "curl-timeout", kv_config, kt_number, KBF_CURLTIMEOUT, NOT_ENUM }, -+ { "curl_iface", kv_config | kv_alias, kt_string, KSF_CURLIFACE, NOT_ENUM }, -+ { "curl_timeout", kv_config | kv_alias, kt_number, KBF_CURLTIMEOUT, NOT_ENUM }, - { "myid", kv_config, kt_string, KSF_MYID, NOT_ENUM }, - { "myvendorid", kv_config, kt_string, KSF_MYVENDORID, NOT_ENUM }, - { "syslog", kv_config, kt_string, KSF_SYSLOG, NOT_ENUM }, -@@ -383,6 +385,7 @@ - { "ocsp-trustname", kv_config, kt_string, KSF_OCSPTRUSTNAME, NOT_ENUM }, - { "crlcheckinterval", kv_config, kt_time, KBF_CRLCHECKINTERVAL, NOT_ENUM }, - { "crl_strict", kv_config | kv_alias, kt_bool, KBF_STRICTCRLPOLICY, NOT_ENUM }, /* obsolete _ */ -+ { "strictcrlpolicy", kv_config | kv_alias, kt_bool, KBF_STRICTCRLPOLICY, NOT_ENUM }, /* obsolete used on openswan */ - { "ocsp_strict", kv_config | kv_alias, kt_bool, KBF_STRICTOCSPPOLICY, NOT_ENUM }, /* obsolete _ */ - { "ocsp_enable", kv_config | kv_alias, kt_bool, KBF_OCSPENABLE, NOT_ENUM }, /* obsolete _ */ - { "ocsp_uri", kv_config | kv_alias, kt_string, KSF_OCSPURI, NOT_ENUM }, /* obsolete _ */ diff --git a/SOURCES/libreswan-3.15-newest-labeled.patch b/SOURCES/libreswan-3.15-newest-labeled.patch deleted file mode 100644 index f2c1e42..0000000 --- a/SOURCES/libreswan-3.15-newest-labeled.patch +++ /dev/null 
@@ -1,13 +0,0 @@ -diff -Naur libreswan-3.15-orig/programs/pluto/ikev1_main.c libreswan-3.15/programs/pluto/ikev1_main.c ---- libreswan-3.15-orig/programs/pluto/ikev1_main.c 2015-08-24 16:52:43.000000000 -0400 -+++ libreswan-3.15/programs/pluto/ikev1_main.c 2015-09-03 11:57:52.632000000 -0400 -@@ -3011,6 +3011,9 @@ - dst); - - if (rc->newest_ipsec_sa == dst->st_serialno && -+#ifdef HAVE_LABELED_IPSEC -+ dst->sec_ctx == NULL && -+#endif - (rc->policy & POLICY_UP)) { - /* - * Last IPsec SA for a permanent diff --git a/SOURCES/libreswan-3.15-racoon-padding.patch b/SOURCES/libreswan-3.15-racoon-padding.patch deleted file mode 100644 index 114fa0d..0000000 --- a/SOURCES/libreswan-3.15-racoon-padding.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c -index 28e93b0..cc033aa 100644 ---- a/programs/pluto/ikev2_parent.c -+++ b/programs/pluto/ikev2_parent.c -@@ -1601,16 +1601,21 @@ static stf_status ikev2_verify_and_decrypt_sk_payload(struct msg_digest *md, - size_t enc_size = integ_start - enc_start; - - /* -- * Check if block-size is valid. Do this before the payload's -- * integrity has been verified as block-alignment requirements -- * aren't exactly secret (originally this was being done -- * beteen integrity and decrypt). -+ * Check that the payload is block-size aligned. -+ * -+ * Per rfc7296 "the recipient MUST accept any length that -+ * results in proper alignment". -+ * -+ * Do this before the payload's integrity has been verified as -+ * block-alignment requirements aren't exactly secret -+ * (originally this was being done between integrity and -+ * decrypt). - */ - size_t enc_blocksize = pst->st_oakley.encrypter->enc_blocksize; - bool pad_to_blocksize = pst->st_oakley.encrypter->pad_to_blocksize; - if (pad_to_blocksize) { - if (enc_size % enc_blocksize != 0) { -- libreswan_log("cyphertext length (%zu) not a multiple of blocksize (%zu)", -+ libreswan_log("discarding invalid packet: %zu octet payload length is not a multiple of encryption block-size (%zu)", - enc_size, enc_blocksize); - return STF_FAIL; - } -@@ -1707,17 +1712,47 @@ static stf_status ikev2_verify_and_decrypt_sk_payload(struct msg_digest *md, - enc_start, enc_size + integ_size)); - } - -- -- u_char padlen = enc_start[enc_size - 1] + 1; -- if (padlen > enc_blocksize || padlen > enc_size) { -- libreswan_log("invalid padding-length octet: 0x%2x", padlen - 1); -+ /* -+ * Check the padding. 
-+ * -+ * Per rfc7296 "The sender SHOULD set the Pad Length to the -+ * minimum value that makes the combination of the payloads, -+ * the Padding, and the Pad Length a multiple of the block -+ * size, but the recipient MUST accept any length that results -+ * in proper alignment." -+ * -+ * Notice the "should". RACOON, for instance, sends extra -+ * blocks of padding that contain random bytes. -+ */ -+ u_int8_t padlen = enc_start[enc_size - 1] + 1; -+ if (padlen > enc_size) { -+ libreswan_log("discarding invalid packet: padding-length %u (octet 0x%02x) is larger than %zu octet payload length", -+ padlen, padlen - 1, enc_size); - return STF_FAIL; - } -+ if (pad_to_blocksize) { -+ if (padlen > enc_blocksize) { -+ /* probably racoon */ -+ DBG(DBG_CRYPT, -+ DBG_log("payload contains %zu blocks of extra padding (padding-length: %d (octet 0x%2x), encryption block-size: %zu)", -+ (padlen - 1) / enc_blocksize, -+ padlen, padlen - 1, enc_blocksize)); -+ } -+ } else { -+ if (padlen > 1) { -+ DBG(DBG_CRYPT, -+ DBG_log("payload contains %u octets of extra padding (padding-length: %u (octet 0x%2x))", -+ padlen - 1, padlen, padlen - 1)); -+ } -+ } - -- /* don't bother to check any other pad octets */ -- DBG(DBG_CRYPT, DBG_log("striping %u bytes as pad", padlen)); -- -+ /* -+ * Don't check the contents of the pad octets; racoon, for -+ * instance, sets them to random values. -+ */ -+ DBG(DBG_CRYPT, DBG_log("stripping %u octets as pad", padlen)); - setchunk(*chunk, enc_start, enc_size - padlen); -+ - return STF_OK; - } - diff --git a/SOURCES/libreswan-3.15-s90-gcc.patch b/SOURCES/libreswan-3.15-s90-gcc.patch deleted file mode 100644 index 309e3da..0000000 --- a/SOURCES/libreswan-3.15-s90-gcc.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c -index 8fd0bba..db890f5 100644 ---- a/programs/pluto/ikev2_parent.c -+++ b/programs/pluto/ikev2_parent.c -@@ -1596,8 +1596,8 @@ static stf_status ikev2_verify_and_decrypt_sk_payload(struct msg_digest *md, - */ - u_char *payload_end = chunk->ptr + chunk->len; - if (payload_end < (wire_iv_start + wire_iv_size + 1 + integ_size)) { -- libreswan_log("encrypted payload impossibly short (%zu)", -- payload_end - wire_iv_start); -+ libreswan_log("encrypted payload impossibly short (%tu)", -+ payload_end - wire_iv_start); - return STF_FAIL; - } - -@@ -4105,9 +4105,9 @@ stf_status process_encrypted_informational_ikev2(struct msg_digest *md) - } - - if (v2del->isad_nrspi * v2del->isad_spisize != pbs_left(&p->pbs)) { -- libreswan_log("IPsec Delete Notification payload size is %tu but %u is required", -- pbs_left(&p->pbs), -- v2del->isad_nrspi * v2del->isad_spisize); -+ libreswan_log("IPsec Delete Notification payload size is %lu but %lu is required", -+ (long unsigned int) pbs_left(&p->pbs), -+ (long unsigned int) (v2del->isad_nrspi * v2del->isad_spisize)); - return STF_FAIL + v2N_INVALID_SYNTAX; - } - diff --git a/SOURCES/libreswan-3.15-seeddev.patch b/SOURCES/libreswan-3.15-seeddev.patch deleted file mode 100644 index 1492a56..0000000 --- a/SOURCES/libreswan-3.15-seeddev.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/programs/newhostkey/newhostkey.in b/programs/newhostkey/newhostkey.in -index a25583e..31226c2 100755 ---- a/programs/newhostkey/newhostkey.in -+++ b/programs/newhostkey/newhostkey.in -@@ -24,7 +24,7 @@ usage="Usage: $me [--output filename] [--seeddev device] [--bits n] \\ - bits= - verbose= - host= --seeddev="--seeddev /dev/seeddev" -+seeddev="--seeddev /dev/random" - output="@FINALCONFDIR@/ipsec.secrets" - configdir="@FINALNSSDIR@" - password= 
diff --git a/SOURCES/libreswan-3.15-trafficstatus.patch b/SOURCES/libreswan-3.15-trafficstatus.patch deleted file mode 100644 index 90712de..0000000 --- a/SOURCES/libreswan-3.15-trafficstatus.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -diff -Naur libreswan-3.15-orig/programs/pluto/state.c libreswan-3.15/programs/pluto/state.c ---- libreswan-3.15-orig/programs/pluto/state.c 2015-08-24 16:52:43.000000000 -0400 -+++ libreswan-3.15/programs/pluto/state.c 2015-09-04 09:31:28.815818376 -0400 -@@ -1652,21 +1652,20 @@ - char *mbcp = traffic_buf + snprintf(traffic_buf, - sizeof(traffic_buf) - 1, ", type=%s, add_time=%" PRIu64, mode, st->st_esp.add_time); - -- if (get_sa_info(st, TRUE, NULL)) { -+ if (get_sa_info(st, FALSE, NULL)) { - size_t buf_len = traffic_buf + sizeof(traffic_buf) - mbcp; -- u_int inb = st->st_esp.present ? st->st_esp.peer_bytes : -+ u_int outb = st->st_esp.present ? st->st_esp.peer_bytes : - st->st_ah.present ? st->st_ah.peer_bytes : - st->st_ipcomp.present ? st->st_ipcomp.peer_bytes : 0; -- -- mbcp += snprintf(mbcp, buf_len - 1, ", inBytes=%u", inb); -+ mbcp += snprintf(mbcp, buf_len - 1, ", outBytes=%u", outb); - } -- if (get_sa_info(st, FALSE, NULL)) { -+ -+ if (get_sa_info(st, TRUE, NULL)) { - size_t buf_len = traffic_buf + sizeof(traffic_buf) - mbcp; -- u_int outb = st->st_esp.present ? st->st_esp.our_bytes : -+ u_int inb = st->st_esp.present ? st->st_esp.our_bytes: - st->st_ah.present ? st->st_ah.our_bytes : - st->st_ipcomp.present ? st->st_ipcomp.our_bytes : 0; -- -- snprintf(mbcp, buf_len - 1, ", outBytes=%u", outb); -+ snprintf(mbcp, buf_len - 1, ", inBytes=%u", inb); - } - } - -@@ -1815,7 +1814,7 @@ - mbcp, - traffic_buf + - sizeof(traffic_buf), -- " AHin="); -+ " AHout="); - } - #endif - add_said(&c->spd.this.host_addr, st->st_ah.our_spi, -@@ -1826,7 +1825,7 @@ - mbcp, - traffic_buf + - sizeof(traffic_buf), -- " AHout="); -+ " AHin="); - } - #endif - mbcp = humanize_number( -@@ -1842,23 +1841,23 @@ - SA_ESP); - /* ??? needs proper fix, via kernel_ops? 
*/ - #if defined(linux) && defined(NETKEY_SUPPORT) -- if (get_sa_info(st, FALSE, NULL)) { -+ if (get_sa_info(st, TRUE, NULL)) { - mbcp = humanize_number(st->st_esp.peer_bytes, - mbcp, - traffic_buf + - sizeof(traffic_buf), -- " ESPin="); -+ " ESPout="); - } - #endif - add_said(&c->spd.this.host_addr, st->st_esp.our_spi, - SA_ESP); - #if defined(linux) && defined(NETKEY_SUPPORT) -- if (get_sa_info(st, TRUE, NULL)) { -+ if (get_sa_info(st, FALSE, NULL)) { - mbcp = humanize_number(st->st_esp.our_bytes, - mbcp, - traffic_buf + - sizeof(traffic_buf), -- " ESPout="); -+ " ESPin="); - } - #endif - -@@ -1879,7 +1878,7 @@ - mbcp, - traffic_buf + - sizeof(traffic_buf), -- " IPCOMPin="); -+ " IPCOMPout="); - } - #endif - add_said(&c->spd.this.host_addr, st->st_ipcomp.our_spi, -@@ -1891,7 +1890,7 @@ - mbcp, - traffic_buf + - sizeof(traffic_buf), -- " IPCOMPout="); -+ " IPCOMPin="); - } - #endif - diff --git a/SOURCES/libreswan-3.16-1311360-sharedike.patch b/SOURCES/libreswan-3.16-1311360-sharedike.patch deleted file mode 100644 index 969e844..0000000 --- a/SOURCES/libreswan-3.16-1311360-sharedike.patch +++ /dev/null 
@@ -1,110 +0,0 @@ -diff -Naur libreswan-3.15-orig/programs/pluto/connections.c libreswan-3.15/programs/pluto/connections.c ---- libreswan-3.15-orig/programs/pluto/connections.c 2016-03-24 12:23:58.563262638 -0400 -+++ libreswan-3.15/programs/pluto/connections.c 2016-03-24 12:24:31.462320143 -0400 -@@ -2498,6 +2498,8 @@ - struct connection *c, - lset_t req_policy, lset_t policy_exact_mask) - { -+ struct connection *candidate = NULL; -+ - DBG(DBG_CONTROLMORE, - DBG_log("find_next_host_connection policy=%s", - bitnamesof(sa_policy_bit_names, req_policy))); -@@ -2547,10 +2549,22 @@ - * Success if all specified policy bits are in candidate's policy. - * It works even when the exact-match bits are included. - */ -- if ((req_policy & ~c->policy) == LEMPTY) -- break; -+ if ((req_policy & ~c->policy) == LEMPTY) { -+ if (c->newest_isakmp_sa != SOS_NOBODY) { -+ break; -+ } else { -+ /* -+ * We prefer connections with an IKE SA. -+ * so remember this, but keep looking -+ */ -+ candidate = c; -+ } -+ } - } - -+ if (c == NULL && candidate != NULL) -+ c = candidate; -+ - DBG(DBG_CONTROLMORE, - DBG_log("find_next_host_connection returns %s", - c ? 
c->name : "empty")); -diff -Naur libreswan-3.15-orig/programs/pluto/state.c libreswan-3.15/programs/pluto/state.c ---- libreswan-3.15-orig/programs/pluto/state.c 2016-03-24 12:23:58.560262542 -0400 -+++ libreswan-3.15/programs/pluto/state.c 2016-03-24 12:24:33.929399445 -0400 -@@ -939,6 +939,28 @@ - return FALSE; - } - -+bool shared_phase1_connection(const struct connection *c) -+{ -+ int i; -+ -+ so_serial_t serial_us = c->newest_isakmp_sa; -+ -+ if (serial_us == SOS_NOBODY) -+ return FALSE; -+ -+ for (i = 0; i < STATE_TABLE_SIZE; i++) { -+ struct state *st; -+ -+ FOR_EACH_ENTRY(st, i, { -+ if (st->st_connection == c) -+ continue; -+ if (st->st_clonedfrom == serial_us) -+ return TRUE; -+ }); -+ } -+ return FALSE; -+} -+ - /* - * delete all states that were created for a given connection, - * additionally delete any states for which func(st, c) -@@ -1108,8 +1130,9 @@ - { - if (IS_ISAKMP_SA_ESTABLISHED(this->st_state)) - return FALSE; -- else -+ if (c->kind == CK_INSTANCE) - return same_phase1_sa_relations(this, c); -+ return FALSE; - } - - void delete_p2states_by_connection(struct connection *c) -diff -Naur libreswan-3.15-orig/programs/pluto/state.h libreswan-3.15/programs/pluto/state.h ---- libreswan-3.15-orig/programs/pluto/state.h 2015-08-24 22:28:32.000000000 -0400 -+++ libreswan-3.15/programs/pluto/state.h 2016-03-24 12:24:33.929399445 -0400 -@@ -587,6 +587,7 @@ - extern bool require_ddos_cookies(void); - extern void show_globalstate_status(void); - extern void log_newest_sa_change(char *f, struct state *const st); -+bool shared_phase1_connection(const struct connection *c); - - #ifdef XAUTH_HAVE_PAM - void ikev2_free_auth_pam(so_serial_t st_serialno); -diff -Naur libreswan-3.15-orig/programs/pluto/terminate.c libreswan-3.15/programs/pluto/terminate.c ---- libreswan-3.15-orig/programs/pluto/terminate.c 2015-08-24 22:28:32.000000000 -0400 -+++ libreswan-3.15/programs/pluto/terminate.c 2016-03-24 12:24:33.930399477 -0400 -@@ -75,7 +75,14 @@ - 
libreswan_log("terminating SAs using this connection"); - c->policy &= ~POLICY_UP; - flush_pending_by_connection(c); -- delete_states_by_connection(c, FALSE); -+ if (shared_phase1_connection(c)) { -+ libreswan_log("IKE SA is shared - only terminating IPsec SA"); -+ delete_state(state_with_serialno(c->newest_ipsec_sa)); -+ } else { -+ DBG(DBG_CONTROL, DBG_log("connection not shared pkilling phase1 and phase2")); -+ delete_states_by_connection(c, FALSE); -+ } -+ - reset_cur_connection(); - - return 1; diff --git a/SOURCES/libreswan-3.2-1458227-cavp-fips.patch b/SOURCES/libreswan-3.2-1458227-cavp-fips.patch new file mode 100644 index 0000000..12b0e7b --- /dev/null +++ b/SOURCES/libreswan-3.2-1458227-cavp-fips.patch @@ -0,0 +1,25 @@ +diff -Naur libreswan-3.20-orig/lib/libswan/lswnss.c libreswan-3.20/lib/libswan/lswnss.c +--- libreswan-3.20-orig/lib/libswan/lswnss.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/lib/libswan/lswnss.c 2017-06-06 11:50:35.662776208 -0400 +@@ -63,16 +63,15 @@ + pfree(nssdir); + return FALSE; + } ++ if (PK11_IsFIPS() && get_password == NULL) { ++ snprintf(err, sizeof(lsw_nss_buf_t), ++ "on FIPS mode a password is required"); ++ return FALSE; ++ } + } else { + NSS_NoDB_Init("."); + } + +- if (PK11_IsFIPS() && get_password == NULL) { +- snprintf(err, sizeof(lsw_nss_buf_t), +- "on FIPS mode a password is required"); +- return FALSE; +- } +- + if (get_password) { + PK11_SetPasswordFunc(get_password); + } diff --git a/SOURCES/libreswan-3.20-1341353-psk-fips.patch b/SOURCES/libreswan-3.20-1341353-psk-fips.patch new file mode 100644 index 0000000..cb426ab --- /dev/null +++ b/SOURCES/libreswan-3.20-1341353-psk-fips.patch 
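Review bot: The FIPS password check now lives only inside the branch that opens an NSS database directory, so a `NSS_NoDB_Init(".")` initialisation in FIPS mode proceeds with `get_password == NULL` and nothing in the hunk records why that is acceptable (the patch name suggests the CAVP test programs, which have no token to unlock). A comment at the new check, e.g. `/* a password callback is only needed when a token database is opened; NoDB init has nothing to unlock */`, would keep a later reader from hoisting the check back out. The return value of `NSS_NoDB_Init(".")` in the else branch was already unchecked, but this change makes that branch the FIPS-without-password path, so checking it there is worth doing in the same patch. The enclosing function starts and ends outside the hunk.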
@@ -0,0 +1,246 @@ +diff -Naur libreswan-3.20-orig/lib/libswan/ike_info.c libreswan-3.20/lib/libswan/ike_info.c +--- libreswan-3.20-orig/lib/libswan/ike_info.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/lib/libswan/ike_info.c 2017-04-22 19:02:37.667000000 -0400 +@@ -64,6 +64,11 @@ + char *ptr = buf; + const char *sep = ""; + ++ if (alg_info == NULL) { ++ PEXPECT_LOG("%s", "parameter alg_info unexpectedly NULL"); ++ return; ++ } ++ + FOR_EACH_IKE_INFO(alg_info, ike_info) { + if (ike_info->ike_encrypt != NULL && + ike_info->ike_prf != NULL && +@@ -95,6 +100,12 @@ + char *ptr = buf; + char *be = buf + buflen; + ++ if (alg_info_ike == NULL) { ++ PEXPECT_LOG("%s", "parameter alg_info_ike unexpectedly NULL"); ++ return; ++ } ++ ++ + passert(buflen > 0); + + const char *sep = ""; +diff -Naur libreswan-3.20-orig/programs/pluto/crypt_prf.c libreswan-3.20/programs/pluto/crypt_prf.c +--- libreswan-3.20-orig/programs/pluto/crypt_prf.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/pluto/crypt_prf.c 2017-04-22 19:02:37.668000000 -0400 +@@ -35,6 +35,36 @@ + #include "crypt_symkey.h" + #include "crypto.h" + ++size_t crypt_prf_fips_key_size_min(const struct prf_desc *prf) ++{ ++ /* ++ * FIPS 198 Section 3 CRYPTOGRAPHIC KEYS requires keys to be ++ * >= "L/2" (where L is the block-size in bytes of the hash ++ * function). ++ * ++ * FIPS 198-1 Section 3 instead cites SP 800-107. Good luck ++ * reading the latter. 
++ */ ++ return prf->prf_key_size / 2; ++} ++ ++size_t crypt_prf_fips_key_size_floor(void) ++{ ++ static size_t key_size_floor; ++ if (!key_size_floor) { ++ key_size_floor = SIZE_MAX; ++ for (const struct prf_desc **prfp = next_prf_desc(NULL); ++ prfp != NULL; prfp = next_prf_desc(prfp)) { ++ if (!(*prfp)->common.fips) { ++ continue; ++ } ++ key_size_floor = min(key_size_floor, ++ crypt_prf_fips_key_size_min(*prfp)); ++ } ++ } ++ return key_size_floor; ++} ++ + struct crypt_prf { + struct prf_context *context; + lset_t debug; +@@ -46,13 +76,19 @@ + const char *name, + struct prf_context *context) + { +- struct crypt_prf *prf = alloc_thing(struct crypt_prf, name); +- *prf = (struct crypt_prf) { +- .context = context, +- .debug = debug, +- .name = name, +- .desc = prf_desc, +- }; ++ struct crypt_prf *prf = NULL; ++ ++ if (context != NULL) { ++ prf = alloc_thing(struct crypt_prf, name); ++ *prf = (struct crypt_prf) { ++ .context = context, ++ .debug = debug, ++ .name = name, ++ .desc = prf_desc, ++ }; ++ } ++ DBG(debug, DBG_log("%s PRF %s crypt-prf@%p", ++ name, prf_desc->common.name, prf)); + return prf; + } + +diff -Naur libreswan-3.20-orig/programs/pluto/crypt_prf.h libreswan-3.20/programs/pluto/crypt_prf.h +--- libreswan-3.20-orig/programs/pluto/crypt_prf.h 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/pluto/crypt_prf.h 2017-04-22 19:02:37.668000000 -0400 +@@ -26,6 +26,14 @@ + struct crypt_prf; + + /* ++ * FIPS requires a minimum key size. In FIPS mode, when the key is ++ * less than this, the init will fail. Here the "floor" is the ++ * minimum of all the fips algorithms so failing this is really bad. ++ */ ++size_t crypt_prf_fips_key_size_min(const struct prf_desc *prf_desc); ++size_t crypt_prf_fips_key_size_floor(void); ++ ++/* + * Primitives implementing IKE PRFs. 
+ * + * Some PRFs are implemented using the HMAC algorithm (described in +diff -Naur libreswan-3.20-orig/programs/pluto/ikev1_spdb_struct.c libreswan-3.20/programs/pluto/ikev1_spdb_struct.c +--- libreswan-3.20-orig/programs/pluto/ikev1_spdb_struct.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/pluto/ikev1_spdb_struct.c 2017-04-22 19:05:18.395000000 -0400 +@@ -52,6 +52,7 @@ + #include "ike_alg.h" + #include "db_ops.h" + #include "lswfips.h" /* for libreswan_fipsmode */ ++#include "crypt_prf.h" + + #include "nat_traversal.h" + +@@ -901,6 +902,7 @@ + bool xauth_init = FALSE, + xauth_resp = FALSE; + const char *const role = selection ? "initiator" : "responder"; ++ const chunk_t *pss = &empty_chunk; + + passert(c != NULL); + +@@ -1190,9 +1192,10 @@ + if ((iap & POLICY_PSK) == LEMPTY) { + ugh = "policy does not allow OAKLEY_PRESHARED_KEY authentication"; + } else { +- /* check that we can find a preshared secret */ +- if (get_preshared_secret(c) +- == NULL) ++ /* check that we can find a proper preshared secret */ ++ pss = get_preshared_secret(c); ++ ++ if (pss == NULL) + { + char mid[IDTOA_BUF], + hid[IDTOA_BUF]; +@@ -1212,6 +1215,8 @@ + ugh = builddiag( + "Can't authenticate: no preshared key found for `%s' and `%s'", + mid, hid); ++ } else { ++ DBG(DBG_PRIVATE, DBG_dump_chunk("User PSK:", *pss)); + } + ta.auth = OAKLEY_PRESHARED_KEY; + } +@@ -1398,6 +1403,31 @@ + } + } + ++ { ++ ++ if ((st->st_policy & POLICY_PSK) && pss != &empty_chunk && pss != NULL) { ++ const size_t key_size_min = crypt_prf_fips_key_size_min(ta.prf); ++ ++ if (pss->len < key_size_min) { ++ if (libreswan_fipsmode()) { ++ ugh = builddiag("FIPS: connection %s PSK length of %zu bytes is too short for %s PRF in FIPS mode (%zu bytes required)", ++ st->st_connection->name, ++ pss->len, ++ ta.prf->common.name, ++ key_size_min); ++ } else { ++ libreswan_log("WARNING: connection %s PSK length of %zu bytes is too short for %s PRF in FIPS mode (%zu bytes required)", ++ 
st->st_connection->name, ++ pss->len, ++ ta.prf->common.name, ++ key_size_min); ++ } ++ } ++ ++ } ++ ++ } ++ + /* + * ML: at last check for allowed transforms in alg_info_ike + */ +diff -Naur libreswan-3.20-orig/programs/pluto/ikev2_psk.c libreswan-3.20/programs/pluto/ikev2_psk.c +--- libreswan-3.20-orig/programs/pluto/ikev2_psk.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/pluto/ikev2_psk.c 2017-04-22 19:02:37.669000000 -0400 +@@ -57,6 +57,7 @@ + #include "keys.h" + #include "crypt_prf.h" + #include "crypt_symkey.h" ++#include "lswfips.h" + + #include + #include +@@ -91,6 +92,24 @@ + return FALSE; /* failure: no PSK to use */ + } + DBG(DBG_PRIVATE, DBG_dump_chunk("User PSK:", *pss)); ++ const size_t key_size_min = crypt_prf_fips_key_size_min(st->st_oakley.prf); ++ if (pss->len < key_size_min) { ++ if (libreswan_fipsmode()) { ++ loglog(RC_LOG_SERIOUS, ++ "FIPS: connection %s PSK length of %zu bytes is too short for %s PRF in FIPS mode (%zu bytes required)", ++ st->st_connection->name, ++ pss->len, ++ st->st_oakley.prf->common.name, ++ key_size_min); ++ return FALSE; ++ } else { ++ libreswan_log("WARNING: connection %s PSK length of %zu bytes is too short for %s PRF in FIPS mode (%zu bytes required)", ++ st->st_connection->name, ++ pss->len, ++ st->st_oakley.prf->common.name, ++ key_size_min); ++ } ++ } + } else { + /* + * RFC-7619 +@@ -137,9 +156,19 @@ + { + struct crypt_prf *prf = + crypt_prf_init_chunk(" = prf(,\"Key Pad for IKEv2\")", +- DBG_CRYPT, +- st->st_oakley.prf, +- "shared secret", *pss); ++ DBG_CRYPT, ++ st->st_oakley.prf, ++ "shared secret", *pss); ++ if (prf == NULL) { ++ if (libreswan_fipsmode()) { ++ PASSERT_FAIL("FIPS: failure creating %s PRF context for digesting PSK", ++ st->st_oakley.prf->common.name); ++ } ++ loglog(RC_LOG_SERIOUS, ++ "failure creating %s PRF context for digesting PSK", ++ st->st_oakley.prf->common.name); ++ return FALSE; ++ } + crypt_prf_update_bytes(psk_key_pad_str/*name*/, prf, + psk_key_pad_str, 
psk_key_pad_str_len); + prf_psk = crypt_prf_final_symkey(&prf); diff --git a/SOURCES/libreswan-3.20-1372279-down-error.patch b/SOURCES/libreswan-3.20-1372279-down-error.patch new file mode 100644 index 0000000..d0ef6ea --- /dev/null +++ b/SOURCES/libreswan-3.20-1372279-down-error.patch 
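Review bot: In ikev2_psk.c the new `if (prf == NULL)` branch calls PASSERT_FAIL in FIPS mode while the non-FIPS path logs and returns FALSE; crypt_prf_init now returns NULL whenever the NSS context could not be created, and `st_oakley.prf` is the PRF negotiated with the peer, so aborting the daemon there turns a per-exchange failure into a loss of every established SA. Keeping only the `loglog(RC_LOG_SERIOUS, ...)` and `return FALSE;` in both modes (dropping the `if (libreswan_fipsmode())` block) fails the exchange without that risk. The lazy cache in crypt_prf_fips_key_size_floor() is an unsynchronised static initialised on first call; if it is reachable from pluto's helper threads that is a data race, so either note that it is only called from the main thread or compute it once at startup. The WARNING text emitted in non-FIPS mode by both ikev1_spdb_struct.c and ikev2_psk.c reads "is too short for %s PRF in FIPS mode" although the daemon is not in FIPS mode; "would be too short for %s PRF in FIPS mode" says what is meant. All of the enclosing functions start or end outside the quoted hunks.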
@@ -0,0 +1,154 @@ +diff -Naur libreswan-3.20-orig/programs/pluto/connections.c libreswan-3.20/programs/pluto/connections.c +--- libreswan-3.20-orig/programs/pluto/connections.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/pluto/connections.c 2017-05-30 15:00:02.409386255 -0400 +@@ -97,13 +97,13 @@ + * Move the winner (if any) to the front. + * If none is found, and strict, a diagnostic is logged to whack. + */ +-struct connection *con_by_name(const char *nm, bool strict) ++struct connection *con_by_name(const char *nm, bool strict, bool quiet) + { + struct connection *p, *prev; + + for (prev = NULL, p = connections;; prev = p, p = p->ac_next) { + if (p == NULL) { +- if (strict) ++ if (strict && !quiet) + whack_log(RC_UNKNOWN_NAME, + "no connection named \"%s\"", nm); + break; +@@ -401,13 +401,13 @@ + bool f = FALSE; + + passert(name != NULL); +- struct connection *c = con_by_name(name, strict); ++ struct connection *c = con_by_name(name, strict, TRUE); + + if (c == NULL) { + (void)foreach_connection_by_alias(name, delete_connection_wrap, + &f); + } else { +- for (; c != NULL; c = con_by_name(name, FALSE)) ++ for (; c != NULL; c = con_by_name(name, FALSE, FALSE)) + delete_connection(c, FALSE); + } + } +@@ -1269,7 +1269,7 @@ + + alg_info_ike = NULL; + +- if (con_by_name(wm->name, FALSE) != NULL) { ++ if (con_by_name(wm->name, FALSE, FALSE) != NULL) { + loglog(RC_DUPNAME, "attempt to redefine connection \"%s\"", + wm->name); + return; +@@ -1927,7 +1927,7 @@ + snprintf(namebuf, sizeof(namebuf), "%s#%s", group->name, targetbuf); + } + +- if (con_by_name(namebuf, FALSE) != NULL) { ++ if (con_by_name(namebuf, FALSE, FALSE) != NULL) { + loglog(RC_DUPNAME, + "group name + target yields duplicate name \"%s\"", + namebuf); +diff -Naur libreswan-3.20-orig/programs/pluto/connections.h libreswan-3.20/programs/pluto/connections.h +--- libreswan-3.20-orig/programs/pluto/connections.h 2017-03-14 11:53:11.000000000 -0400 ++++ 
libreswan-3.20/programs/pluto/connections.h 2017-05-30 15:00:21.716149232 -0400 +@@ -413,7 +413,7 @@ + + struct state; /* forward declaration of tag (defined in state.h) */ + extern struct connection +-*con_by_name(const char *nm, bool strict); ++*con_by_name(const char *nm, bool strict, bool quiet); + + stf_status ikev2_find_host_connection(struct connection **cp, + const ip_address *me, u_int16_t my_port, const ip_address *him, +diff -Naur libreswan-3.20-orig/programs/pluto/foodgroups.c libreswan-3.20/programs/pluto/foodgroups.c +--- libreswan-3.20-orig/programs/pluto/foodgroups.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/pluto/foodgroups.c 2017-05-30 15:00:02.409386255 -0400 +@@ -344,7 +344,7 @@ + for (t = targets; t != NULL; t = t->next) { + if (t->group == g) { + struct connection *ci = con_by_name(t->name, +- FALSE); ++ FALSE, FALSE); + + if (ci != NULL) { + set_cur_connection(ci); +@@ -367,7 +367,7 @@ + g->connection->policy &= ~POLICY_GROUTED; + for (t = targets; t != NULL; t = t->next) { + if (t->group == g) { +- struct connection *ci = con_by_name(t->name, FALSE); ++ struct connection *ci = con_by_name(t->name, FALSE, FALSE); + + if (ci != NULL) { + set_cur_connection(ci); +diff -Naur libreswan-3.20-orig/programs/pluto/ikev1.c libreswan-3.20/programs/pluto/ikev1.c +--- libreswan-3.20-orig/programs/pluto/ikev1.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/pluto/ikev1.c 2017-05-30 15:00:02.410386295 -0400 +@@ -696,7 +696,7 @@ + + /* to find and store the connection associated with tmp_name */ + /* ??? how do we know that tmp_name hasn't been freed? 
*/ +- struct connection *tmp_c = con_by_name(tmp_name, FALSE); ++ struct connection *tmp_c = con_by_name(tmp_name, FALSE, FALSE); + + DBG_cond_dump(DBG_PARSING, + "redirected remote end info:", n_pbs->cur + pbs_left( +diff -Naur libreswan-3.20-orig/programs/pluto/initiate.c libreswan-3.20/programs/pluto/initiate.c +--- libreswan-3.20-orig/programs/pluto/initiate.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/pluto/initiate.c 2017-05-30 15:00:02.410386295 -0400 +@@ -344,7 +344,7 @@ + char *remote_host) + { + struct initiate_stuff is; +- struct connection *c = con_by_name(name, FALSE); ++ struct connection *c = con_by_name(name, FALSE, FALSE); + int count; + + passert(name != NULL); +diff -Naur libreswan-3.20-orig/programs/pluto/rcv_whack.c libreswan-3.20/programs/pluto/rcv_whack.c +--- libreswan-3.20-orig/programs/pluto/rcv_whack.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/pluto/rcv_whack.c 2017-05-30 15:00:02.411386334 -0400 +@@ -301,7 +301,7 @@ + set_debugging(base_debugging); + } else if (!m->whack_connection) { + struct connection *c = con_by_name(m->name, +- TRUE); ++ TRUE, FALSE); + + if (c != NULL) { + c->extra_debugging = m->debugging; +@@ -456,7 +456,7 @@ + if (!listening) { + whack_log(RC_DEAF, "need --listen before --route"); + } else { +- struct connection *c = con_by_name(m->name, TRUE); ++ struct connection *c = con_by_name(m->name, TRUE, FALSE); + + if (c != NULL) { + set_cur_connection(c); +@@ -476,7 +476,7 @@ + } + + if (m->whack_unroute) { +- struct connection *c = con_by_name(m->name, TRUE); ++ struct connection *c = con_by_name(m->name, TRUE, FALSE); + + if (c != NULL) { + const struct spd_route *sr; +diff -Naur libreswan-3.20-orig/programs/pluto/terminate.c libreswan-3.20/programs/pluto/terminate.c +--- libreswan-3.20-orig/programs/pluto/terminate.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/pluto/terminate.c 2017-05-30 15:00:02.411386334 -0400 +@@ -92,8 +92,9 @@ + /* + * Loop 
because more than one may match (master and instances) + * But at least one is required (enforced by con_by_name). ++ * Don't log an error if not found before we checked aliases + */ +- struct connection *c = con_by_name(name, TRUE); ++ struct connection *c = con_by_name(name, TRUE, TRUE); + + if (c != NULL) { + while (c != NULL) { diff --git a/SOURCES/libreswan-3.20-1444115-fips-F4.patch b/SOURCES/libreswan-3.20-1444115-fips-F4.patch new file mode 100644 index 0000000..7dc7447 --- /dev/null +++ b/SOURCES/libreswan-3.20-1444115-fips-F4.patch 
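Review bot: The block comment above con_by_name() in connections.c still says "If none is found, and strict, a diagnostic is logged to whack." but the new `quiet` parameter suppresses exactly that diagnostic; change it to ` * If none is found and strict is set, a diagnostic is logged to whack unless quiet is also set.` and describe the parameter on the prototype in connections.h. Two adjacent bools make call sites such as `con_by_name(name, TRUE, TRUE)` opaque, so a comment at each `TRUE, TRUE` call (or an enum for the two flags) would help. In terminate.c the comment "at least one is required (enforced by con_by_name)" no longer describes the quiet call, which presumably defers reporting to the alias fallback that follows outside the hunk; rewording it to say so avoids a misleading note.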
@@ -0,0 +1,103 @@ +diff -Naur libreswan-3.20-orig/programs/rsasigkey/rsasigkey.8.xml libreswan-3.20/programs/rsasigkey/rsasigkey.8.xml +--- libreswan-3.20-orig/programs/rsasigkey/rsasigkey.8.xml 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/rsasigkey/rsasigkey.8.xml 2017-04-21 10:31:57.902023584 -0400 +@@ -89,12 +89,12 @@ + The output format looks like this (with long numbers trimmed down for clarity): + + +- # RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000 ++ # RSA 3744 bits road.toad.com Mon Apr 17 22:20:35 2017 + # for signatures only, UNSAFE FOR ENCRYPTION +- #pubkey=0sAQOF8tZ2NZt...Y1P+buFuFn/ +- #ckaid=7ddad7f1d5842e...043c499babf0a +- Modulus: 0xcc2a86fcf440...cf1011abb82d1 +- PublicExponent: 0x03 ++ #ckaid=a953473e6014dd4e08eb051e4679dc39be160fea ++ #pubkey=0sBAEAA...sKbTzwE= ++ Modulus: 0xb84ae7d...b0a6d3cf01 ++ PublicExponent: 0x010001 + + + The first (comment) line, indicating the nature and date of the key, and +diff -Naur libreswan-3.20-orig/programs/rsasigkey/rsasigkey.c libreswan-3.20/programs/rsasigkey/rsasigkey.c +--- libreswan-3.20-orig/programs/rsasigkey/rsasigkey.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/rsasigkey/rsasigkey.c 2017-04-21 10:31:57.902023584 -0400 +@@ -5,7 +5,7 @@ + * Copyright (C) 2003-2008 Michael C Richardson + * Copyright (C) 2003-2009 Paul Wouters + * Copyright (C) 2009 Avesh Agarwal +- * Copyright (C) 2012-2015 Paul Wouters ++ * Copyright (C) 2012-2017 Paul Wouters + * Copyright (C) 2016 Andrew Cagney + * Copyright (C) 2016 Tuomo Soini + * +@@ -18,6 +18,8 @@ + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. 
++ * ++ * NOTE: This should probably be rewritten to use NSS RSA_NewKey() + */ + + #include +@@ -76,8 +78,8 @@ + + #define DEFAULT_SEED_BITS 60 /* 480 bits of random seed */ + +-#define E 3 /* standard public exponent */ +-/* #define F4 65537 */ /* possible future public exponent, Fermat's 4th number */ ++/* No longer use E=3 to comply to FIPS 186-4, section B.3.1 */ ++#define F4 65537 + + char usage[] = + "rsasigkey [--verbose] [--seeddev ] [--nssdir ]\n" +@@ -111,17 +113,15 @@ + /* + * bundle - bundle e and n into an RFC2537-format chunk_t + */ +-static char *base64_bundle(int e, chunk_t modulus) ++static char *base64_bundle(int f4, chunk_t modulus) + { + /* +- * Pack the single-byte exponent into a byte array. ++ * Pack the exponent into a byte array. + */ +- assert(e <= 255); +- u_char exponent_byte = e; +- chunk_t exponent = { +- .ptr = &exponent_byte, +- .len = 1, +- }; ++ chunk_t exponent; ++ u_int32_t f4_bytes = (u_int32_t)f4; ++ ++ clonetochunk(exponent, &f4_bytes, sizeof(u_int32_t), "exponent"); + + /* + * Create the resource record. +@@ -134,6 +134,7 @@ + exit(1); + } + ++ freeanychunk(exponent); + return bundle; + } + +@@ -293,7 +294,7 @@ + */ + void rsasigkey(int nbits, int seedbits, const struct lsw_conf_options *oco) + { +- PK11RSAGenParams rsaparams = { nbits, (long) E }; ++ PK11RSAGenParams rsaparams = { nbits, (long) F4 }; + PK11SlotInfo *slot = NULL; + SECKEYPrivateKey *privkey = NULL; + SECKEYPublicKey *pubkey = NULL; +@@ -373,7 +374,7 @@ + + /* RFC2537/RFC3110-ish format */ + { +- char *bundle = base64_bundle(E, public_modulus); ++ char *bundle = base64_bundle(F4, public_modulus); + printf("\t#pubkey=%s\n", bundle); + pfree(bundle); + } diff --git a/SPECS/libreswan.spec b/SPECS/libreswan.spec index 9905fe8..96c007b 100644 --- a/SPECS/libreswan.spec +++ b/SPECS/libreswan.spec 
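Review bot: In base64_bundle() the exponent is now copied with `clonetochunk(exponent, &f4_bytes, sizeof(u_int32_t), "exponent")`, i.e. the in-memory image of a u_int32_t, so the `#pubkey=` record carries 65537 in host byte order and always as four bytes; the new man-page example `0sBAEAA…` decodes to a length byte of 4 followed by `01 00`, which is the little-endian image rather than the big-endian `00 01 00 01`. RFC 3110 encodes the exponent big-endian with a minimal length, so this output is endian-dependent and non-canonical, and a consumer that decodes it per the RFC reads a different exponent. Building the bytes explicitly fixes it: `u_int8_t f4_bytes[3] = { (f4 >> 16) & 0xff, (f4 >> 8) & 0xff, f4 & 0xff };` followed by `clonetochunk(exponent, f4_bytes, sizeof(f4_bytes), "exponent");`. Whether pluto's own parser of the `#pubkey=` line tolerates the four-byte host-order form cannot be told from the hunk.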
@@ -2,9 +2,10 @@
 %global USE_LIBCAP_NG true
 %global USE_LABELED_IPSEC true
 %global USE_CRL_FETCHING true
-%global USE_DNSSEC true
 %global USE_NM true
 %global USE_LINUX_AUDIT true
+%global USE_SECCOMP 0
+%global USE_DNSSEC false
 %global _hardened_build 1
 %global buildefence 0
@@ -19,8 +20,8 @@
 Name: libreswan
 Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
-Version: 3.15
-Release: %{?prever:0.}8%{?prever:.%{prever}}%{?dist}
+Version: 3.20
+Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist}
 License: GPLv2
 Group: System Environment/Daemons
 Url: https://libreswan.org/
@@ -29,41 +30,14 @@
 Source1: ikev1_dsa.fax.bz2
 Source2: ikev1_psk.fax.bz2
 Source3: ikev2.fax.bz2
-Patch1: libreswan-3.15-racoon-padding.patch
-Patch2: libreswan-3.15-seeddev.patch
-Patch3: libreswan-3.15-ikev1-pam.patch
-Patch4: libreswan-3.15-gcc-osw-interop-conf.patch
-Patch5: libreswan-3.15-newest-labeled.patch
-Patch6: libreswan-3.15-s90-gcc.patch
-Patch7: libreswan-3.15-NLMSG_OK.patch
-Patch8: libreswan-3.15-trafficstatus.patch
-Patch9: libreswan-3.15-cisco-delete.patch
-Patch10: libreswan-3.15-migration.patch
-Patch11: libreswan-3.15-1166146.patch
-Patch12: libreswan-3.15-609343.patch
-Patch13: libreswan-3.15-1271811-fipsfiles.patch
-Patch14: libreswan-3.15-1283468-keyingtries.patch
-Patch15: libreswan-3.15-1297816-nonce-dcookies.patch
-Patch16: libreswan-3.15-1344567-ikev1-retransmit.patch
-Patch17: libreswan-3.15-1313747-ipsec-man.patch
-Patch18: libreswan-3.15-1302778.fipslist.patch
-Patch19: libreswan-3.15-1278063-ikev1-pam.patch
-Patch20: libreswan-3.15-1257079-nm-updown.patch
-Patch21: libreswan-3.15-1272112-whack-man.patch
-Patch22: libreswan-3.15-1280449-cap_dac_read_search.patch
-Patch23: libreswan-3.15-1290907-configdir.patch
-Patch24: libreswan-3.15-1309764-barf.patch
-Patch25: libreswan-3.15-1347735-multicrl.patch
-Patch26: libreswan-3.15-1219049-ikev1-del.patch
-Patch27: libreswan-3.15-1276524-informational.patch
-Patch28: libreswan-3.15-1315412-crl-manpage.patch
-Patch29: libreswan-3.15-1229766-ipclash.patch
-Patch30: libreswan-3.16-1311360-sharedike.patch
-Patch31: libreswan-3.15-1361721-delete.patch
+Patch1: libreswan-3.20-1372279-down-error.patch
+Patch2: libreswan-3.20-1444115-fips-F4.patch
+Patch3: libreswan-3.20-1341353-psk-fips.patch
+Patch4: libreswan-3.2-1458227-cavp-fips.patch
 Requires: iproute >= 2.6.8 nss-tools nss-softokn
-BuildRequires: gmp-devel bison flex redhat-rpm-config pkgconfig
+BuildRequires: bison flex redhat-rpm-config pkgconfig
 BuildRequires: nss-devel >= 3.16.1 nspr-devel
 BuildRequires: pam-devel
 BuildRequires: xmlto
@@ -79,7 +53,7 @@ Requires(preun): /sbin/service
 %else
 BuildRequires: libevent-devel hostname
-BuildRequires: systemd
+BuildRequires: systemd-devel
 Requires(post): coreutils bash systemd
 Requires(preun): systemd
 Requires(postun): systemd
@@ -143,33 +117,8 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
-%patch23 -p1
-%patch24 -p1
-%patch25 -p1
-%patch26 -p1
-%patch27 -p1
-%patch28 -p1
-%patch29 -p1
-%patch30 -p1
-%patch31 -p1
+echo "USE_LINUX_AUDIT=true" > Makefile.inc.local
+echo "USE_DNSSEC=false" >> Makefile.inc.local
 %build
 %if %{buildefence}
@@ -196,18 +145,20 @@ make %{?_smp_mflags} \
 %endif
 USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \
 USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \
- USE_LINUX_AUDIT="%{USE_LINUX_AUDIT}" \
+ USE_LINUX_AUDIT=true \
 %if %{USE_CRL_FETCHING}
 USE_LDAP=true \
 USE_LIBCURL=true \
 %endif
- USE_DNSSEC="%{USE_DNSSEC}" \
+ USE_DNSSEC=false \
 INC_USRLOCAL=%{_prefix} \
 FINALLIBDIR=%{_libexecdir}/ipsec \
 FINALLIBEXECDIR=%{_libexecdir}/ipsec \
 MANTREE=%{_mandir} \
 INC_RCDEFAULT=%{_initrddir} \
 MODPROBE="modprobe -q -b" \
+ USE_DH22=true \
+ USE_SECCOMP="%{USE_SECCOMP}" \
 programs
 FS=$(pwd)
@@ -331,7 +282,6 @@ fi
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/pluto
 %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
 %attr(0644,root,root) %{_sysconfdir}/ipsec.d/v6neighbor-hole.conf
 %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
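Review bot: `USE_LINUX_AUDIT=true \` and `USE_DNSSEC=false \` in the make invocation (hunk @@ -196) bypass the `%{USE_LINUX_AUDIT}` and `%{USE_DNSSEC}` globals the spec still defines at its top, and the two `echo … Makefile.inc.local` lines in hunk @@ -143 hard-code the same values a third time, so flipping either global no longer changes the build. Either reference the macros in all three places, e.g. `USE_DNSSEC="%{USE_DNSSEC}" \` and `echo "USE_DNSSEC=%{USE_DNSSEC}" >> Makefile.inc.local`, or drop the now-unused globals so a reader is not misled into thinking they are the switch. The seccomp knob shows the intended pattern, since `USE_SECCOMP="%{USE_SECCOMP}"` does go through its macro.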
@@ -363,6 +313,22 @@ fi
 %endif
 %changelog
+* Mon Jun 12 2017 Paul Wouters - 3.20-3
+- Resolves: rhbz#1372279 ipsec auto --down CONNECTION returns error for tunnels [updated]
+- Resolves: rhbz#1458227 CAVS test driver does not work in FIPS mode
+- Resolves: rhbz#1452672 (new-ksk-libreswan-el7) DNSSEC trust anchor cannot be updated without recompilation
+
+* Thu Apr 13 2017 Paul Wouters - 3.20-2
+- Resolves: rhbz#1372279 ipsec auto --down CONNECTION returns error for tunnels
+- Resolves: rhbz#1444115 FIPS: libreswan must generate RSA keys with a minimal exponent of F4, nor E=3
+- Resolves: rhbz#1341353 Allow Preshared Key authentication in FIPS mode for libreswan
+
+* Tue Mar 14 2017 Paul Wouters - 3.20-1
+- Resolves: rhbz#1399883 rebase libreswan to 3.20 (full release)
+
+* Mon Feb 20 2017 Paul Wouters - 3.20-0.1.dr3
+- Resolves: rhbz#1399883 rebase libreswan to 3.20
+
 * Wed Sep 07 2016 Paul Wouters - 3.15-8
 - Resolves: rhbz#1361721 libreswan pluto segfault [UPDATED]
 - Resolves: rhbz#1276524 [USGv6] IKEv2.EN.R.1.1.3.2 case failed due to response to bad INFORMATIONAL request [UPDATED]