From 3b845399a249dacf1b0003af5f6e369f3bdae53d Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 30 2017 13:43:39 +0000 Subject: import libreswan-3.20-5.el7_4 --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..b4afa33 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +SOURCES/ikev1_dsa.fax.bz2 +SOURCES/ikev1_psk.fax.bz2 +SOURCES/ikev2.fax.bz2 +SOURCES/libreswan-3.20.tar.gz diff --git a/.libreswan.metadata b/.libreswan.metadata new file mode 100644 index 0000000..d784875 --- /dev/null +++ b/.libreswan.metadata @@ -0,0 +1,4 @@ +b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2 +861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2 +fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2 +ca8e56bf6a99d67201f5c4065991d72febf14eae SOURCES/libreswan-3.20.tar.gz diff --git a/README.md b/README.md deleted file mode 100644 index 0e7897f..0000000 --- a/README.md +++ /dev/null @@ -1,5 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 - -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/libreswan-3.2-1458227-cavp-fips.patch b/SOURCES/libreswan-3.2-1458227-cavp-fips.patch new file mode 100644 index 0000000..12b0e7b --- /dev/null +++ b/SOURCES/libreswan-3.2-1458227-cavp-fips.patch @@ -0,0 +1,25 @@ +diff -Naur libreswan-3.20-orig/lib/libswan/lswnss.c libreswan-3.20/lib/libswan/lswnss.c +--- libreswan-3.20-orig/lib/libswan/lswnss.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/lib/libswan/lswnss.c 2017-06-06 11:50:35.662776208 -0400 +@@ -63,16 +63,15 @@ + pfree(nssdir); + return FALSE; + } ++ if (PK11_IsFIPS() && get_password == NULL) { ++ snprintf(err, sizeof(lsw_nss_buf_t), ++ "on FIPS mode a password is required"); ++ return FALSE; ++ } + } else { + NSS_NoDB_Init("."); + } + +- if (PK11_IsFIPS() && get_password == NULL) { +- snprintf(err, sizeof(lsw_nss_buf_t), +- "on FIPS mode a password is required"); +- return FALSE; +- } +- + if (get_password) { + PK11_SetPasswordFunc(get_password); + } diff --git a/SOURCES/libreswan-3.20-1341353-psk-fips.patch b/SOURCES/libreswan-3.20-1341353-psk-fips.patch new file mode 100644 index 0000000..cb426ab --- /dev/null +++ b/SOURCES/libreswan-3.20-1341353-psk-fips.patch @@ -0,0 +1,246 @@ +diff -Naur libreswan-3.20-orig/lib/libswan/ike_info.c libreswan-3.20/lib/libswan/ike_info.c +--- libreswan-3.20-orig/lib/libswan/ike_info.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/lib/libswan/ike_info.c 2017-04-22 19:02:37.667000000 -0400 +@@ -64,6 +64,11 @@ + char *ptr = buf; + const char *sep = ""; + ++ if (alg_info == NULL) { ++ PEXPECT_LOG("%s", "parameter alg_info unexpectedly NULL"); ++ return; ++ } ++ + FOR_EACH_IKE_INFO(alg_info, ike_info) { + if (ike_info->ike_encrypt != NULL && + ike_info->ike_prf != NULL && +@@ -95,6 +100,12 @@ + char *ptr = buf; + char *be = buf + buflen; + ++ if (alg_info_ike == NULL) { ++ PEXPECT_LOG("%s", "parameter alg_info_ike unexpectedly NULL"); ++ return; ++ } ++ ++ + passert(buflen > 0); + + const char *sep = ""; +diff -Naur libreswan-3.20-orig/programs/pluto/crypt_prf.c libreswan-3.20/programs/pluto/crypt_prf.c +--- libreswan-3.20-orig/programs/pluto/crypt_prf.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/pluto/crypt_prf.c 2017-04-22 19:02:37.668000000 -0400 +@@ -35,6 +35,36 @@ + #include "crypt_symkey.h" + #include "crypto.h" + ++size_t crypt_prf_fips_key_size_min(const struct prf_desc *prf) ++{ ++ /* ++ * FIPS 198 Section 3 CRYPTOGRAPHIC KEYS requires keys to be ++ * >= "L/2" (where L is the block-size in bytes of the hash ++ * function). ++ * ++ * FIPS 198-1 Section 3 instead cites SP 800-107. Good luck ++ * reading the latter. ++ */ ++ return prf->prf_key_size / 2; ++} ++ ++size_t crypt_prf_fips_key_size_floor(void) ++{ ++ static size_t key_size_floor; ++ if (!key_size_floor) { ++ key_size_floor = SIZE_MAX; ++ for (const struct prf_desc **prfp = next_prf_desc(NULL); ++ prfp != NULL; prfp = next_prf_desc(prfp)) { ++ if (!(*prfp)->common.fips) { ++ continue; ++ } ++ key_size_floor = min(key_size_floor, ++ crypt_prf_fips_key_size_min(*prfp)); ++ } ++ } ++ return key_size_floor; ++} ++ + struct crypt_prf { + struct prf_context *context; + lset_t debug; +@@ -46,13 +76,19 @@ + const char *name, + struct prf_context *context) + { +- struct crypt_prf *prf = alloc_thing(struct crypt_prf, name); +- *prf = (struct crypt_prf) { +- .context = context, +- .debug = debug, +- .name = name, +- .desc = prf_desc, +- }; ++ struct crypt_prf *prf = NULL; ++ ++ if (context != NULL) { ++ prf = alloc_thing(struct crypt_prf, name); ++ *prf = (struct crypt_prf) { ++ .context = context, ++ .debug = debug, ++ .name = name, ++ .desc = prf_desc, ++ }; ++ } ++ DBG(debug, DBG_log("%s PRF %s crypt-prf@%p", ++ name, prf_desc->common.name, prf)); + return prf; + } + +diff -Naur libreswan-3.20-orig/programs/pluto/crypt_prf.h libreswan-3.20/programs/pluto/crypt_prf.h +--- libreswan-3.20-orig/programs/pluto/crypt_prf.h 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/pluto/crypt_prf.h 2017-04-22 19:02:37.668000000 -0400 +@@ -26,6 +26,14 @@ + struct crypt_prf; + + /* ++ * FIPS requires a minimum key size. In FIPS mode, when the key is ++ * less than this, the init will fail. Here the "floor" is the ++ * minimum of all the fips algorithms so failing this is really bad. ++ */ ++size_t crypt_prf_fips_key_size_min(const struct prf_desc *prf_desc); ++size_t crypt_prf_fips_key_size_floor(void); ++ ++/* + * Primitives implementing IKE PRFs. + * + * Some PRFs are implemented using the HMAC algorithm (described in +diff -Naur libreswan-3.20-orig/programs/pluto/ikev1_spdb_struct.c libreswan-3.20/programs/pluto/ikev1_spdb_struct.c +--- libreswan-3.20-orig/programs/pluto/ikev1_spdb_struct.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/pluto/ikev1_spdb_struct.c 2017-04-22 19:05:18.395000000 -0400 +@@ -52,6 +52,7 @@ + #include "ike_alg.h" + #include "db_ops.h" + #include "lswfips.h" /* for libreswan_fipsmode */ ++#include "crypt_prf.h" + + #include "nat_traversal.h" + +@@ -901,6 +902,7 @@ + bool xauth_init = FALSE, + xauth_resp = FALSE; + const char *const role = selection ? "initiator" : "responder"; ++ const chunk_t *pss = &empty_chunk; + + passert(c != NULL); + +@@ -1190,9 +1192,10 @@ + if ((iap & POLICY_PSK) == LEMPTY) { + ugh = "policy does not allow OAKLEY_PRESHARED_KEY authentication"; + } else { +- /* check that we can find a preshared secret */ +- if (get_preshared_secret(c) +- == NULL) ++ /* check that we can find a proper preshared secret */ ++ pss = get_preshared_secret(c); ++ ++ if (pss == NULL) + { + char mid[IDTOA_BUF], + hid[IDTOA_BUF]; +@@ -1212,6 +1215,8 @@ + ugh = builddiag( + "Can't authenticate: no preshared key found for `%s' and `%s'", + mid, hid); ++ } else { ++ DBG(DBG_PRIVATE, DBG_dump_chunk("User PSK:", *pss)); + } + ta.auth = OAKLEY_PRESHARED_KEY; + } +@@ -1398,6 +1403,31 @@ + } + } + ++ { ++ ++ if ((st->st_policy & POLICY_PSK) && pss != &empty_chunk && pss != NULL) { ++ const size_t key_size_min = crypt_prf_fips_key_size_min(ta.prf); ++ ++ if (pss->len < key_size_min) { ++ if (libreswan_fipsmode()) { ++ ugh = builddiag("FIPS: connection %s PSK length of %zu bytes is too short for %s PRF in FIPS mode (%zu bytes required)", ++ st->st_connection->name, ++ pss->len, ++ ta.prf->common.name, ++ key_size_min); ++ } else { ++ libreswan_log("WARNING: connection %s PSK length of %zu bytes is too short for %s PRF in FIPS mode (%zu bytes required)", ++ st->st_connection->name, ++ pss->len, ++ ta.prf->common.name, ++ key_size_min); ++ } ++ } ++ ++ } ++ ++ } ++ + /* + * ML: at last check for allowed transforms in alg_info_ike + */ +diff -Naur libreswan-3.20-orig/programs/pluto/ikev2_psk.c libreswan-3.20/programs/pluto/ikev2_psk.c +--- libreswan-3.20-orig/programs/pluto/ikev2_psk.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/pluto/ikev2_psk.c 2017-04-22 19:02:37.669000000 -0400 +@@ -57,6 +57,7 @@ + #include "keys.h" + #include "crypt_prf.h" + #include "crypt_symkey.h" ++#include "lswfips.h" + + #include + #include +@@ -91,6 +92,24 @@ + return FALSE; /* failure: no PSK to use */ + } + DBG(DBG_PRIVATE, DBG_dump_chunk("User PSK:", *pss)); ++ const size_t key_size_min = crypt_prf_fips_key_size_min(st->st_oakley.prf); ++ if (pss->len < key_size_min) { ++ if (libreswan_fipsmode()) { ++ loglog(RC_LOG_SERIOUS, ++ "FIPS: connection %s PSK length of %zu bytes is too short for %s PRF in FIPS mode (%zu bytes required)", ++ st->st_connection->name, ++ pss->len, ++ st->st_oakley.prf->common.name, ++ key_size_min); ++ return FALSE; ++ } else { ++ libreswan_log("WARNING: connection %s PSK length of %zu bytes is too short for %s PRF in FIPS mode (%zu bytes required)", ++ st->st_connection->name, ++ pss->len, ++ st->st_oakley.prf->common.name, ++ key_size_min); ++ } ++ } + } else { + /* + * RFC-7619 +@@ -137,9 +156,19 @@ + { + struct crypt_prf *prf = + crypt_prf_init_chunk(" = prf(,\"Key Pad for IKEv2\")", +- DBG_CRYPT, +- st->st_oakley.prf, +- "shared secret", *pss); ++ DBG_CRYPT, ++ st->st_oakley.prf, ++ "shared secret", *pss); ++ if (prf == NULL) { ++ if (libreswan_fipsmode()) { ++ PASSERT_FAIL("FIPS: failure creating %s PRF context for digesting PSK", ++ st->st_oakley.prf->common.name); ++ } ++ loglog(RC_LOG_SERIOUS, ++ "failure creating %s PRF context for digesting PSK", ++ st->st_oakley.prf->common.name); ++ return FALSE; ++ } + crypt_prf_update_bytes(psk_key_pad_str/*name*/, prf, + psk_key_pad_str, psk_key_pad_str_len); + prf_psk = crypt_prf_final_symkey(&prf); diff --git a/SOURCES/libreswan-3.20-1372279-down-error.patch b/SOURCES/libreswan-3.20-1372279-down-error.patch new file mode 100644 index 0000000..d0ef6ea --- /dev/null +++ b/SOURCES/libreswan-3.20-1372279-down-error.patch @@ -0,0 +1,154 @@ +diff -Naur libreswan-3.20-orig/programs/pluto/connections.c libreswan-3.20/programs/pluto/connections.c +--- libreswan-3.20-orig/programs/pluto/connections.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/pluto/connections.c 2017-05-30 15:00:02.409386255 -0400 +@@ -97,13 +97,13 @@ + * Move the winner (if any) to the front. + * If none is found, and strict, a diagnostic is logged to whack. + */ +-struct connection *con_by_name(const char *nm, bool strict) ++struct connection *con_by_name(const char *nm, bool strict, bool quiet) + { + struct connection *p, *prev; + + for (prev = NULL, p = connections;; prev = p, p = p->ac_next) { + if (p == NULL) { +- if (strict) ++ if (strict && !quiet) + whack_log(RC_UNKNOWN_NAME, + "no connection named \"%s\"", nm); + break; +@@ -401,13 +401,13 @@ + bool f = FALSE; + + passert(name != NULL); +- struct connection *c = con_by_name(name, strict); ++ struct connection *c = con_by_name(name, strict, TRUE); + + if (c == NULL) { + (void)foreach_connection_by_alias(name, delete_connection_wrap, + &f); + } else { +- for (; c != NULL; c = con_by_name(name, FALSE)) ++ for (; c != NULL; c = con_by_name(name, FALSE, FALSE)) + delete_connection(c, FALSE); + } + } +@@ -1269,7 +1269,7 @@ + + alg_info_ike = NULL; + +- if (con_by_name(wm->name, FALSE) != NULL) { ++ if (con_by_name(wm->name, FALSE, FALSE) != NULL) { + loglog(RC_DUPNAME, "attempt to redefine connection \"%s\"", + wm->name); + return; +@@ -1927,7 +1927,7 @@ + snprintf(namebuf, sizeof(namebuf), "%s#%s", group->name, targetbuf); + } + +- if (con_by_name(namebuf, FALSE) != NULL) { ++ if (con_by_name(namebuf, FALSE, FALSE) != NULL) { + loglog(RC_DUPNAME, + "group name + target yields duplicate name \"%s\"", + namebuf); +diff -Naur libreswan-3.20-orig/programs/pluto/connections.h libreswan-3.20/programs/pluto/connections.h +--- libreswan-3.20-orig/programs/pluto/connections.h 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/pluto/connections.h 2017-05-30 15:00:21.716149232 -0400 +@@ -413,7 +413,7 @@ + + struct state; /* forward declaration of tag (defined in state.h) */ + extern struct connection +-*con_by_name(const char *nm, bool strict); ++*con_by_name(const char *nm, bool strict, bool quiet); + + stf_status ikev2_find_host_connection(struct connection **cp, + const ip_address *me, u_int16_t my_port, const ip_address *him, +diff -Naur libreswan-3.20-orig/programs/pluto/foodgroups.c libreswan-3.20/programs/pluto/foodgroups.c +--- libreswan-3.20-orig/programs/pluto/foodgroups.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/pluto/foodgroups.c 2017-05-30 15:00:02.409386255 -0400 +@@ -344,7 +344,7 @@ + for (t = targets; t != NULL; t = t->next) { + if (t->group == g) { + struct connection *ci = con_by_name(t->name, +- FALSE); ++ FALSE, FALSE); + + if (ci != NULL) { + set_cur_connection(ci); +@@ -367,7 +367,7 @@ + g->connection->policy &= ~POLICY_GROUTED; + for (t = targets; t != NULL; t = t->next) { + if (t->group == g) { +- struct connection *ci = con_by_name(t->name, FALSE); ++ struct connection *ci = con_by_name(t->name, FALSE, FALSE); + + if (ci != NULL) { + set_cur_connection(ci); +diff -Naur libreswan-3.20-orig/programs/pluto/ikev1.c libreswan-3.20/programs/pluto/ikev1.c +--- libreswan-3.20-orig/programs/pluto/ikev1.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/pluto/ikev1.c 2017-05-30 15:00:02.410386295 -0400 +@@ -696,7 +696,7 @@ + + /* to find and store the connection associated with tmp_name */ + /* ??? how do we know that tmp_name hasn't been freed? */ +- struct connection *tmp_c = con_by_name(tmp_name, FALSE); ++ struct connection *tmp_c = con_by_name(tmp_name, FALSE, FALSE); + + DBG_cond_dump(DBG_PARSING, + "redirected remote end info:", n_pbs->cur + pbs_left( +diff -Naur libreswan-3.20-orig/programs/pluto/initiate.c libreswan-3.20/programs/pluto/initiate.c +--- libreswan-3.20-orig/programs/pluto/initiate.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/pluto/initiate.c 2017-05-30 15:00:02.410386295 -0400 +@@ -344,7 +344,7 @@ + char *remote_host) + { + struct initiate_stuff is; +- struct connection *c = con_by_name(name, FALSE); ++ struct connection *c = con_by_name(name, FALSE, FALSE); + int count; + + passert(name != NULL); +diff -Naur libreswan-3.20-orig/programs/pluto/rcv_whack.c libreswan-3.20/programs/pluto/rcv_whack.c +--- libreswan-3.20-orig/programs/pluto/rcv_whack.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/pluto/rcv_whack.c 2017-05-30 15:00:02.411386334 -0400 +@@ -301,7 +301,7 @@ + set_debugging(base_debugging); + } else if (!m->whack_connection) { + struct connection *c = con_by_name(m->name, +- TRUE); ++ TRUE, FALSE); + + if (c != NULL) { + c->extra_debugging = m->debugging; +@@ -456,7 +456,7 @@ + if (!listening) { + whack_log(RC_DEAF, "need --listen before --route"); + } else { +- struct connection *c = con_by_name(m->name, TRUE); ++ struct connection *c = con_by_name(m->name, TRUE, FALSE); + + if (c != NULL) { + set_cur_connection(c); +@@ -476,7 +476,7 @@ + } + + if (m->whack_unroute) { +- struct connection *c = con_by_name(m->name, TRUE); ++ struct connection *c = con_by_name(m->name, TRUE, FALSE); + + if (c != NULL) { + const struct spd_route *sr; +diff -Naur libreswan-3.20-orig/programs/pluto/terminate.c libreswan-3.20/programs/pluto/terminate.c +--- libreswan-3.20-orig/programs/pluto/terminate.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/pluto/terminate.c 2017-05-30 15:00:02.411386334 -0400 +@@ -92,8 +92,9 @@ + /* + * Loop because more than one may match (master and instances) + * But at least one is required (enforced by con_by_name). ++ * Don't log an error if not found before we checked aliases + */ +- struct connection *c = con_by_name(name, TRUE); ++ struct connection *c = con_by_name(name, TRUE, TRUE); + + if (c != NULL) { + while (c != NULL) { diff --git a/SOURCES/libreswan-3.20-1444115-fips-F4.patch b/SOURCES/libreswan-3.20-1444115-fips-F4.patch new file mode 100644 index 0000000..7dc7447 --- /dev/null +++ b/SOURCES/libreswan-3.20-1444115-fips-F4.patch @@ -0,0 +1,103 @@ +diff -Naur libreswan-3.20-orig/programs/rsasigkey/rsasigkey.8.xml libreswan-3.20/programs/rsasigkey/rsasigkey.8.xml +--- libreswan-3.20-orig/programs/rsasigkey/rsasigkey.8.xml 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/rsasigkey/rsasigkey.8.xml 2017-04-21 10:31:57.902023584 -0400 +@@ -89,12 +89,12 @@ + The output format looks like this (with long numbers trimmed down for clarity): + + +- # RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000 ++ # RSA 3744 bits road.toad.com Mon Apr 17 22:20:35 2017 + # for signatures only, UNSAFE FOR ENCRYPTION +- #pubkey=0sAQOF8tZ2NZt...Y1P+buFuFn/ +- #ckaid=7ddad7f1d5842e...043c499babf0a +- Modulus: 0xcc2a86fcf440...cf1011abb82d1 +- PublicExponent: 0x03 ++ #ckaid=a953473e6014dd4e08eb051e4679dc39be160fea ++ #pubkey=0sBAEAA...sKbTzwE= ++ Modulus: 0xb84ae7d...b0a6d3cf01 ++ PublicExponent: 0x010001 + + + The first (comment) line, indicating the nature and date of the key, and +diff -Naur libreswan-3.20-orig/programs/rsasigkey/rsasigkey.c libreswan-3.20/programs/rsasigkey/rsasigkey.c +--- libreswan-3.20-orig/programs/rsasigkey/rsasigkey.c 2017-03-14 11:53:11.000000000 -0400 ++++ libreswan-3.20/programs/rsasigkey/rsasigkey.c 2017-04-21 10:31:57.902023584 -0400 +@@ -5,7 +5,7 @@ + * Copyright (C) 2003-2008 Michael C Richardson + * Copyright (C) 2003-2009 Paul Wouters + * Copyright (C) 2009 Avesh Agarwal +- * Copyright (C) 2012-2015 Paul Wouters ++ * Copyright (C) 2012-2017 Paul Wouters + * Copyright (C) 2016 Andrew Cagney + * Copyright (C) 2016 Tuomo Soini + * +@@ -18,6 +18,8 @@ + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. ++ * ++ * NOTE: This should probably be rewritten to use NSS RSA_NewKey() + */ + + #include +@@ -76,8 +78,8 @@ + + #define DEFAULT_SEED_BITS 60 /* 480 bits of random seed */ + +-#define E 3 /* standard public exponent */ +-/* #define F4 65537 */ /* possible future public exponent, Fermat's 4th number */ ++/* No longer use E=3 to comply to FIPS 186-4, section B.3.1 */ ++#define F4 65537 + + char usage[] = + "rsasigkey [--verbose] [--seeddev ] [--nssdir ]\n" +@@ -111,17 +113,15 @@ + /* + * bundle - bundle e and n into an RFC2537-format chunk_t + */ +-static char *base64_bundle(int e, chunk_t modulus) ++static char *base64_bundle(int f4, chunk_t modulus) + { + /* +- * Pack the single-byte exponent into a byte array. ++ * Pack the exponent into a byte array. + */ +- assert(e <= 255); +- u_char exponent_byte = e; +- chunk_t exponent = { +- .ptr = &exponent_byte, +- .len = 1, +- }; ++ chunk_t exponent; ++ u_int32_t f4_bytes = (u_int32_t)f4; ++ ++ clonetochunk(exponent, &f4_bytes, sizeof(u_int32_t), "exponent"); + + /* + * Create the resource record. +@@ -134,6 +134,7 @@ + exit(1); + } + ++ freeanychunk(exponent); + return bundle; + } + +@@ -293,7 +294,7 @@ + */ + void rsasigkey(int nbits, int seedbits, const struct lsw_conf_options *oco) + { +- PK11RSAGenParams rsaparams = { nbits, (long) E }; ++ PK11RSAGenParams rsaparams = { nbits, (long) F4 }; + PK11SlotInfo *slot = NULL; + SECKEYPrivateKey *privkey = NULL; + SECKEYPublicKey *pubkey = NULL; +@@ -373,7 +374,7 @@ + + /* RFC2537/RFC3110-ish format */ + { +- char *bundle = base64_bundle(E, public_modulus); ++ char *bundle = base64_bundle(F4, public_modulus); + printf("\t#pubkey=%s\n", bundle); + pfree(bundle); + } diff --git a/SOURCES/libreswan-3.21-xauth-passwd.patch b/SOURCES/libreswan-3.21-xauth-passwd.patch new file mode 100644 index 0000000..38cad62 --- /dev/null +++ b/SOURCES/libreswan-3.21-xauth-passwd.patch @@ -0,0 +1,13 @@ +diff --git a/programs/pluto/ikev1_xauth.c b/programs/pluto/ikev1_xauth.c +index 5a8e92b68..f023e119f 100644 +--- a/programs/pluto/ikev1_xauth.c ++++ b/programs/pluto/ikev1_xauth.c +@@ -2103,7 +2103,7 @@ static stf_status xauth_client_resp(struct state *st, + } + + if (st->st_xauth_password.ptr == NULL) { +- char xauth_password[64]; ++ char xauth_password[XAUTH_MAX_PASS_LENGTH]; + + if (st->st_whack_sock == -1) { + loglog(RC_LOG_SERIOUS, diff --git a/SOURCES/libreswan-3.21-xauth-state.patch b/SOURCES/libreswan-3.21-xauth-state.patch new file mode 100644 index 0000000..fae458c --- /dev/null +++ b/SOURCES/libreswan-3.21-xauth-state.patch @@ -0,0 +1,45 @@ +diff -Naur libreswan-3.21-orig/programs/pluto/ikev1.c libreswan-3.21/programs/pluto/ikev1.c +--- libreswan-3.21-orig/programs/pluto/ikev1.c 2017-08-09 13:47:34.000000000 -0700 ++++ libreswan-3.21/programs/pluto/ikev1.c 2017-10-16 14:43:10.057639590 -0700 +@@ -2273,16 +2273,17 @@ + * actual end of phase 1. With modecfg, negotiation ends with + * STATE_MAIN_I4 already. + */ +-#if 0 /* ??? what's this code for? */ + if (st->st_connection->spd.this.xauth_client +- && st->hidden_variables.st_xauth_client_done +- && !st->st_connection->spd.this.modecfg_client +- && st->st_state == STATE_XAUTH_I1) { +- DBG(DBG_CONTROL, +- DBG_log("As XAUTH is done and modecfg is not configured, so Phase 1 neogtiation finishes successfully")); +- change_state(st, STATE_MAIN_I4); ++ && st->hidden_variables.st_xauth_client_done ++ && !st->st_connection->spd.this.modecfg_client ++ && st->st_state == STATE_XAUTH_I1) ++ { ++ bool aggrmode = (st->st_connection->policy & POLICY_AGGRESSIVE); ++ ++ libreswan_log("XAUTH completed, ModeCFG skipped as per configuration"); ++ change_state(st, aggrmode ? STATE_AGGR_I2 : STATE_MAIN_I4); ++ st->st_msgid_phase15 = v1_MAINMODE_MSGID; + } +-#endif + + /* Schedule for whatever timeout is specified */ + if (!md->event_already_set) { +@@ -2332,6 +2333,15 @@ + bool agreed_time = FALSE; + struct connection *c = st->st_connection; + ++ /* fixup in case of state machine jump for xauth without modecfg */ ++ if (c->spd.this.xauth_client ++ && st->hidden_variables.st_xauth_client_done ++ && !c->spd.this.modecfg_client ++ && (st->st_state == STATE_MAIN_I4 || st->st_state == STATE_AGGR_I2)) { ++ DBG(DBG_CONTROL, DBG_log("fixup XAUTH without ModeCFG event from EVENT_v1_RETRANSMIT to EVENT_SA_REPLACE")); ++ kind = EVENT_SA_REPLACE; ++ } ++ + switch (kind) { + case EVENT_v1_RETRANSMIT: /* Retransmit packet */ + delay_ms = c->r_interval; diff --git a/SPECS/libreswan.spec b/SPECS/libreswan.spec new file mode 100644 index 0000000..eb3c4c4 --- /dev/null +++ b/SPECS/libreswan.spec @@ -0,0 +1,520 @@ +%global USE_FIPSCHECK true +%global USE_LIBCAP_NG true +%global USE_LABELED_IPSEC true +%global USE_CRL_FETCHING true +%global USE_NM true +%global USE_LINUX_AUDIT true +%global USE_SECCOMP 0 +%global USE_DNSSEC true + +%global _hardened_build 1 +%global buildefence 0 +%global development 0 +%global cavstests 1 + +%if 0%{?fedora} +%global rhel 7 +%endif + +#global prever rc1 + +Name: libreswan +Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols +Version: 3.20 +Release: %{?prever:0.}5%{?prever:.%{prever}}%{?dist} +License: GPLv2 +Group: System Environment/Daemons +Url: https://libreswan.org/ +Source: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz +Source1: ikev1_dsa.fax.bz2 +Source2: ikev1_psk.fax.bz2 +Source3: ikev2.fax.bz2 + +Patch1: libreswan-3.20-1372279-down-error.patch +Patch2: libreswan-3.20-1444115-fips-F4.patch +Patch3: libreswan-3.20-1341353-psk-fips.patch +Patch4: libreswan-3.2-1458227-cavp-fips.patch +Patch5: libreswan-3.21-xauth-state.patch +Patch6: libreswan-3.21-xauth-passwd.patch + +Requires: iproute >= 2.6.8 nss-tools nss-softokn + +BuildRequires: bison flex redhat-rpm-config pkgconfig +BuildRequires: nss-devel >= 3.16.1 nspr-devel +BuildRequires: pam-devel +BuildRequires: xmlto + +%if %{?rhel} <= 6 +BuildRequires: libevent2-devel net-tools + +Requires(post): coreutils bash +Requires(preun): initscripts chkconfig +Requires(post): /sbin/chkconfig +Requires(preun): /sbin/chkconfig +Requires(preun): /sbin/service +%else +BuildRequires: libevent-devel hostname + +BuildRequires: systemd-devel +Requires(post): coreutils bash systemd +Requires(preun): systemd +Requires(postun): systemd +%endif + +%if %{USE_DNSSEC} +BuildRequires: unbound-devel +%endif + +%if %{USE_FIPSCHECK} +BuildRequires: fipscheck-devel +# we need fipshmac +Requires: fipscheck%{_isa} +%endif + +%if %{USE_LINUX_AUDIT} +Buildrequires: audit-libs-devel +%endif + +%if %{USE_LIBCAP_NG} +BuildRequires: libcap-ng-devel +%endif + +%if %{USE_CRL_FETCHING} +BuildRequires: openldap-devel curl-devel +%endif + +%if %{buildefence} +BuildRequires: ElectricFence +%endif + +Conflicts: openswan < %{version}-%{release} +Provides: openswan = %{version}-%{release} +Provides: openswan-doc = %{version}-%{release} + +%if %{?rhel} == 7 +# Will be obsoleted in RHEL6 when moved from optional to core +Obsoletes: openswan < %{version}-%{release} +%endif + +%description +Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is +the Internet Protocol Security and uses strong cryptography to provide +both authentication and encryption services. These services allow you +to build secure tunnels through untrusted networks. Everything passing +through the untrusted net is encrypted by the ipsec gateway machine and +decrypted by the gateway at the other end of the tunnel. The resulting +tunnel is a virtual private network or VPN. + +This package contains the daemons and userland tools for setting up +Libreswan. It supports the NETKEY/XFRM IPsec kernel stack that exists +in the default Linux kernel. + +Libreswan also supports IKEv2 (RFC-7296) and Secure Labeling + +Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 + +%prep +%setup -q -n libreswan-%{version}%{?prever} +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 + +%build +%if %{buildefence} + %define efence "-lefence" +%endif + +make %{?_smp_mflags} \ +%if %{development} + USERCOMPILE="-g -DGCC_LINT %(echo %{optflags} | sed -e s/-O[0-9]*/ /) %{?efence} -fPIE -pie " \ +%else + USERCOMPILE="-g -DGCC_LINT %{optflags} %{?efence} -fPIE -pie " \ +%endif + USERLINK="-g -pie -Wl,-z,relro,-z,now %{?efence}" \ +%if %{?rhel} <= 6 + INITSYSTEM=sysvinit \ +%else + INITSYSTEM=systemd \ +%endif + USE_NM=%{USE_NM} \ + USE_XAUTHPAM=true \ +%if %{USE_FIPSCHECK} + USE_FIPSCHECK="%{USE_FIPSCHECK}" \ + FIPSPRODUCTCHECK=/etc/system-fips \ +%endif + USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \ + USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \ + USE_LINUX_AUDIT=true \ +%if %{USE_CRL_FETCHING} + USE_LDAP=true \ + USE_LIBCURL=true \ +%endif + USE_DNSSEC=false \ + INC_USRLOCAL=%{_prefix} \ + FINALLIBDIR=%{_libexecdir}/ipsec \ + FINALLIBEXECDIR=%{_libexecdir}/ipsec \ + MANTREE=%{_mandir} \ + INC_RCDEFAULT=%{_initrddir} \ + MODPROBE="modprobe -q -b" \ + USE_DH22=true \ + USE_SECCOMP="%{USE_SECCOMP}" \ + programs +FS=$(pwd) + +%if %{USE_FIPSCHECK} +# Add generation of HMAC checksums of the final stripped binaries +%if %{?rhel} <= 6 +%define __spec_install_post \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %{__os_install_post} \ + fipshmac %{buildroot}%{_libexecdir}/ipsec/* \ + fipshmac %{buildroot}%{_sbindir}/ipsec \ +%{nil} + +%else +%define __spec_install_post \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %{__os_install_post} \ + mkdir -p %{buildroot}%{_libdir}/fipscheck/ \ + fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/* \ + fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_sbindir}/ipsec \ +%{nil} +%endif +%endif + +%install +rm -rf ${RPM_BUILD_ROOT} +make \ + DESTDIR=%{buildroot} \ + INC_USRLOCAL=%{_prefix} \ + FINALLIBDIR=%{_libexecdir}/ipsec \ + FINALLIBEXECDIR=%{_libexecdir}/ipsec \ + MANTREE=%{buildroot}%{_mandir} \ + INC_RCDEFAULT=%{_initrddir} \ + INSTMANFLAGS="-m 644" \ +%if %{?rhel} <= 6 + INITSYSTEM=sysvinit \ +%else + INITSYSTEM=systemd \ +%endif + USE_NM=%{USE_NM} \ + USE_XAUTHPAM=true \ +%if %{USE_FIPSCHECK} + USE_FIPSCHECK="%{USE_FIPSCHECK}" \ + FIPSPRODUCTCHECK=/etc/system-fips \ +%endif + USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \ + USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \ + USE_LINUX_AUDIT=true \ +%if %{USE_CRL_FETCHING} + USE_LDAP=true \ + USE_LIBCURL=true \ +%endif + USE_DNSSEC=true \ + INC_USRLOCAL=%{_prefix} \ + FINALLIBDIR=%{_libexecdir}/ipsec \ + FINALLIBEXECDIR=%{_libexecdir}/ipsec \ + MODPROBE="modprobe -q -b" \ + USE_DH22=true \ + USE_SECCOMP="%{USE_SECCOMP}" \ + install +FS=$(pwd) +rm -rf %{buildroot}/usr/share/doc/libreswan +# needed to activate v6neighbor-hole.conf +sed -i "s:^#include /etc/ipsec.d/\*.conf$:include /etc/ipsec.d/*.conf:" %{buildroot}%{_sysconfdir}/ipsec.conf + +install -d -m 0755 %{buildroot}%{_localstatedir}/run/pluto +# used when setting --perpeerlog without --perpeerlogbase +install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer +install -d %{buildroot}%{_sbindir} +%if %{?rhel} <= 6 +# replace with rhel6 specific version +install -m 0755 initsystems/sysvinit/init.rhel %{buildroot}%{_initrddir}/ipsec +rm -fr %{buildroot}/etc/rc.d/rc* +%endif + +%if %{USE_FIPSCHECK} +%if %{?rhel} == 7 +mkdir -p %{buildroot}%{_libdir}/fipscheck +%endif +install -d %{buildroot}%{_sysconfdir}/prelink.conf.d/ +install -m644 packaging/fedora/libreswan-prelink.conf %{buildroot}%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf +%endif + +echo "include /etc/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets + +# cavs testing +cp -a OBJ.linux.*/programs/pluto/cavp %{buildroot}%{_libexecdir}/ipsec + +%if %{cavstests} +%check +# There is an elaborate upstream testing infrastructure which we do not run here +# We only run the CAVS tests here +cp %{SOURCE1} %{SOURCE2} %{SOURCE3} . +bunzip2 *.fax.bz2 + +# work around for rhel6 builders on xen +export NSS_DISABLE_HW_GCM=1 + +: "starting CAVS test for IKEv2" +OBJ.linux.*/programs/pluto/cavp -v2 ikev2.fax | diff -u ikev2.fax - > /dev/null +: "starting CAVS test for IKEv1 RSASIG" +OBJ.linux.*/programs/pluto/cavp -v1sig ikev1_dsa.fax | diff -u ikev1_dsa.fax - > /dev/null +: "starting CAVS test for IKEv1 PSK" +OBJ.linux.*/programs/pluto/cavp -v1psk ikev1_psk.fax | diff -u ikev1_psk.fax - > /dev/null +: "CAVS tests passed" +%endif + +%if %{?rhel} <= 6 +%post +/sbin/chkconfig --add ipsec || : +%if %{USE_FIPSCHECK} +prelink -u %{_libexecdir}/ipsec/* 2>/dev/null || : +%endif + +%preun +if [ $1 -eq 0 ]; then + /sbin/service ipsec stop > /dev/null 2>&1 || : + /sbin/chkconfig --del ipsec +fi + +%postun +if [ $1 -ge 1 ] ; then + /sbin/service ipsec condrestart 2>&1 >/dev/null || : +fi +%else +%preun +%systemd_preun ipsec.service + +%postun +%systemd_postun_with_restart ipsec.service + +%post +%systemd_post ipsec.service +%endif + +%files +%doc CHANGES COPYING CREDITS README* LICENSE +%doc docs/*.* docs/examples packaging/rhel/libreswan-sysctl.conf + +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf +%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets +%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d +%attr(0644,root,root) %{_sysconfdir}/ipsec.d/v6neighbor-hole.conf +%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/* +%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer +%attr(0755,root,root) %dir %{_localstatedir}/run/pluto +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto +%{_sbindir}/ipsec +%attr(0755,root,root) %dir %{_libexecdir}/ipsec +%{_libexecdir}/ipsec/* +%attr(0644,root,root) %{_mandir}/*/*.gz +%if %{?rhel} <= 6 +%{_initrddir}/ipsec +%else +%attr(0644,root,root) %{_unitdir}/ipsec.service +%endif + +%if %{USE_FIPSCHECK} +%if %{?rhel} <= 6 +%{_sbindir}/.ipsec.hmac +%{_libexecdir}/ipsec/.*.hmac +%else +%{_libdir}/fipscheck/*.hmac +%endif + +# We own the directory so we don't have to require prelink +%attr(0755,root,root) %dir %{_sysconfdir}/prelink.conf.d/ +%{_sysconfdir}/prelink.conf.d/libreswan-fips.conf +%endif + +%changelog +* Tue Oct 24 2017 Paul Wouters - 3.20-5 +- Resolves: rhbz#1503949 [updated - USE_DNSSEC setting was updated] + +* Thu Oct 19 2017 Paul Wouters - 3.20-4 +- Resolves: rhbz#1501809 libreswan does not establish IKE with xauth enabled but modecfg disabled +- Resolves: rhbz#1503949 xauth password length limited to 64 bytes while XAUTH_MAX_PASS_LENGTH (128) + +* Mon Jun 12 2017 Paul Wouters - 3.20-3 +- Resolves: rhbz#1372279 ipsec auto --down CONNECTION returns error for tunnels [updated] +- Resolves: rhbz#1458227 CAVS test driver does not work in FIPS mode +- Resolves: rhbz#1452672 (new-ksk-libreswan-el7) DNSSEC trust anchor cannot be updated without recompilation + +* Thu Apr 13 2017 Paul Wouters - 3.20-2 +- Resolves: rhbz#1372279 ipsec auto --down CONNECTION returns error for tunnels +- Resolves: rhbz#1444115 FIPS: libreswan must generate RSA keys with a minimal exponent of F4, nor E=3 +- Resolves: rhbz#1341353 Allow Preshared Key authentication in FIPS mode for libreswan + +* Tue Mar 14 2017 Paul Wouters - 3.20-1 +- Resolves: rhbz#1399883 rebase libreswan to 3.20 (full release) + +* Mon Feb 20 2017 Paul Wouters - 3.20-0.1.dr3 +- Resolves: rhbz#1399883 rebase libreswan to 3.20 + +* Wed Sep 07 2016 Paul Wouters - 3.15-8 +- Resolves: rhbz#1361721 libreswan pluto segfault [UPDATED] +- Resolves: rhbz#1276524 [USGv6] IKEv2.EN.R.1.1.3.2 case failed due to response to bad INFORMATIONAL request [UPDATED] +- Resolves: rhbz#1309764 ipsec barf [additional man page update and --no-pager] + +* Mon Aug 08 2016 Paul Wouters - 3.15-7 +- Resolves: rhbz#1311360 When IKE rekeys, if on a different tunnel, all subsequent attempts to rekey fail +- Resolves: rhbz#1361721 libreswan pluto segfault + +* Tue Jul 05 2016 Paul Wouters - 3.15-6 +- Resolves: rhbz#1283468 keyingtries=0 is broken +- Resolves: rhbz#1297816 When using SHA2 as PRF algorithm, nonce payload is below the RFC minimum size +- Resolves: rhbz#1344567 CVE-2016-5361 libreswan: IKEv1 protocol is vulnerable to DoS amplification attack +- Resolves: rhbz#1313747 ipsec pluto returns zero even if it fails +- Resolves: rhbz#1302778 fips does not check hash of some files (like _import_crl) +- Resolves: rhbz#1278063 Unable to authenticate with PAM for IKEv1 XAUTH +- Resolves: rhbz#1257079 Libreswan doesn't call NetworkManager helper in case of a connection error +- Resolves: rhbz#1272112 ipsec whack man page discrepancies +- Resolves: rhbz#1280449 PAM xauth method does not work with pam_sss +- Resolves: rhbz#1290907 ipsec initnss/checknss custom directory not recognized +- Resolves: rhbz#1309764 ipsec barf does not show pluto log correctly in the output +- Resolves: rhbz#1347735 libreswan needs to check additional CRLs after LDAP CRL distributionpoint fails +- Resolves: rhbz#1219049 Pluto does not handle delete message from responder site in ikev1 +- Resolves: rhbz#1276524 [USGv6] IKEv2.EN.R.1.1.3.2 case failed due to response to bad INFORMATIONAL request +- Resolves: rhbz#1315412 ipsec.conf manpage does not contain any mention about crl-strict option +- Resolves: rhbz#1229766 Pluto crashes after stop when I use floating ip address + +* Wed Oct 21 2015 Paul Wouters - 3.15-5 +- Resolves: rhbz#1271811 libreswan FIPS test mistakenly looks for non-existent file hashes + +* Wed Sep 30 2015 Paul Wouters - 3.15-4 +- Resolves: rhbz#1267370 libreswan should support strictcrlpolicy alias +- Resolves: rhbz#1229766 Pluto crashes after stop when I use floating ip address +- Resolves: rhbz#1166146 Pluto crashes on INITIATOR site during 'service ipsec stop' +- Resolves: rhbz#1259209 CVE-2015-3240 +- Resolves: rhbz#1199374 libreswan does not enforce all FIPS or IPsec Suite B restrictions +- Resolves: rhbz#1207689 libreswan ignores module blacklist rules +- Merge rhel6 and rhel7 spec into one +- Be lenient for racoon padding behaviour +- Fix seedev option to /dev/random +- Some IKEv1 PAM methods always gave 'Permission denied' +- Parser workarounds for differences in gcc/flex/bison on rhel6/rhel7 +- Parser fix to allow specifying time without unit (openswan compat) +- Fix Labeled IPsec on rekeyed IPsec SA's +- Workaround for wrong padding by racoon2 +- Disable NSS HW GCM to workaround rhel6 xen builers bug + +* Fri May 29 2015 Paul Wouters - 3.12-12 +- Resolves: rhbz#1212121 Support CAVS [updated bogus fips mode fix] + +* Fri May 29 2015 Paul Wouters - 3.12-11 +- Resolves: rhbz#1226408 CVE-2015-3204 libreswan: crafted IKE packet causes daemon restart + +* Tue May 05 2015 Paul Wouters - 3.12-10 +- Resolves: rhbz#1212121 Support CAVS testing of the PRF/PRF+ functions +- Resolves: rhbz#1127313 Libreswan with IPv6 [updated patch by Jaroslav Aster] +- Resolves: rhbz#1207689 libreswan ignores module blacklist [updated modprobe handling] +- Resolves: rhbz#1218358 pluto crashes in fips mode without dracut-fips package + +* Sat Feb 21 2015 Paul Wouters - 3.12-6 +- Resolves: rhbz#1056559 loopback support deprecated +- Resolves: rhbz#1182224 Add new option for BSI random requirement +- Resolves: rhbz#1170018 [increase] SELinux context string size limit +- Resolves: rhbz#1127313 Libreswan with IPv6 in RHEL7 fails after reboot +- Resolves: rhbz#1207689 libreswan ignores module blacklist rules +- Resolves: rhbz#1203794 pluto crashes in fips mode + +* Tue Jan 20 2015 Paul Wouters - 3.12-5 +- Resolves: rhbz#826264 aes-gcm implementation support (for IKEv2) +- Resolves: rhbz#1074018 Audit key agreement (integ gcm fixup) + +* Tue Dec 30 2014 Paul Wouters - 3.12-4 +- Resolves: rhbz#1134297 aes-ctr cipher is not supported +- Resolves: rhbz#1131503 non-zero rSPI on INVALID_KE (and proper INVALID_KE handling) + +* Thu Dec 04 2014 Paul Wouters - 3.12-2 +- Resolves: rhbz#1105171 (Update man page entry) +- Resolves: rhbz#1144120 (Update for ESP CAMELLIA with IKEv2) +- Resolves: rhbz#1074018 Audit key agreement + +* Fri Nov 07 2014 Paul Wouters - 3.12-1 +- Resolves: rhbz#1136124 rebase to libreswan 3.12 +- Resolves: rhbz#1052811 [TAHI] (also clear reserved flags for isakmp_sa header) +- Resolves: rhbz#1157379 [TAHI][IKEv2] IKEv2.EN.R.1.3.3.1: Non RESERVED fields in INFORMATIONAL request + +* Mon Oct 27 2014 Paul Wouters - 3.11-2 +- Resolves: rhbz#1136124 rebase to libreswan 3.11 (coverity fixup, dpdaction=clear fix) + +* Wed Oct 22 2014 Paul Wouters - 3.11-1 +- Resolves: rhbz#1136124 rebase to libreswan 3.11 +- Resolves: rhbz#1099905 ikev2 delete payloads are not delivered to peer +- Resolves: rhbz#1147693 NetworkManger-libreswan can not connect to Red Hat IPSec Xauth VPN +- Resolves: rhbz#1055865 [TAHI][IKEv2] libreswan do not ignore the content of version bit +- Resolves: rhbz#1146106 Pluto crashes after start when some ah algorithms are used +- Resolves: rhbz#1108256 addconn compatibility with openswan +- Resolves: rhbz#1152625 [TAHI][IKEv2] IKEv2.EN.I.1.1.6.2 Part D: Integrity Algorithm AUTH_AES_XCBC_96 fail +- Resolves: rhbz#1119704 [TAHI][IKEv2]IKEv2Interop.1.13a test fail +- Resolves: rhbz#1100261 libreswan does not send response when when it receives Delete Payload for a CHILD_SA +- Resolves: rhbz#1100239 ikev2 IKE SA responder does not send delete request to IKE SA initiator +- Resolves: rhbz#1052811 [TAHI][IKEv2]IKEv2.EN.I.1.1.11.1: Non zero RESERVED fields in IKE_SA_INIT response +- Resolves: rhbz#1126868 ikev2 sequence numbers are implemented incorrectly +- Resolves: rhbz#1145245 Libreswan appears to start with systemd before all the NICs are up and running. +- Resolves: rhbz#1145231 libreswan 3.10 upgrade breaks old ipsec.secrets configs +- Resolves: rhbz#1144123 Add ESP support for AES_XCBC hash for USGv6 and IPsec-v3 compliance +- Resolves: rhbz#1144120 Add ESP support for CAMELLIA for USGv6 and IPsec-v3 compliance +- Resolves: rhbz#1099877 Missing man-pages ipsec_whack, ipsec_manual +- Resolves: rhbz#1100255 libreswan Ikev2 implementation does not send an INFORMATIONAL response when it receives an INFORMATIONAL request with a Delete Payload for an IKE_SA + +* Tue Sep 09 2014 Paul Wouters - 3.10-3 +- Resolves: rhbz#1136124 rebase to 3.10 (auto=route bug on startup) + +* Mon Sep 08 2014 Paul Wouters - 3.10-2 +- Resolves: rhbz#1136124 rebase to libreswan 3.10 + +* Mon Jul 14 2014 Paul Wouters - 3.8-6 +- Resolves: rhbz#1092047 pluto cannot write to directories not owned by root + +* Thu Apr 10 2014 Paul Wouters - 3.8-5 +- Resolves: rhbz#1052834 create_child_sa message ID handling + + +* Tue Mar 18 2014 Paul Wouters - 3.8-4 +- Resolves: rhbz#1052834 create_child_sa response + +* Wed Mar 05 2014 Paul Wouters - 3.8-3 +- Resolves: rhbz#1069024 erroneous debug line with mixture [...] +- Resolves: rhbz#1030939 update nss/x509 documents, don't load acerts +- Resolves: rhbz#1058813 newhostkey returns zero value when it fails + +* Fri Jan 24 2014 Daniel Mach - 3.8-2 +- Mass rebuild 2014-01-24 + +* Thu Jan 16 2014 Paul Wouters - 3.8-1 +- Resolves: rhbz#CVE-2013-6467 +- Resolves: rhbz#1043642 rebase to version 3.8 +- Resolves: rhbz#1029912 ipsec force-reload doesn't work +- Resolves: rhbz#826261 Implement SHA384/512 support for Openswan +- Resolves: rhbz#1039655 ipsec newhostkey generates false configuration + +* Fri Dec 27 2013 Daniel Mach - 3.6-3 +- Mass rebuild 2013-12-27 + +* Fri Nov 08 2013 Paul Wouters - 3.6-2 +- Fix race condition in post for creating nss db + +* Thu Oct 31 2013 Paul Wouters - 3.6-1 +- Updated to version 3.6 (IKEv2, MODECFG, Cisco interop fixes) +- Generate empty NSS db if none exists +- FIPS update using /etc/system-fips +- Provide: openswan-doc + +* Fri Aug 09 2013 Paul Wouters - 3.5-2 +- rebuilt and bumped EVR to avoid confusion of import->delete->import +- require iproute + +* Mon Jul 15 2013 Paul Wouters - 3.5-1 +- Initial package for RHEL7 +- Added interop patch for (some?) Cisco VPN clients sending 16 zero + bytes of extraneous IKE data +- Removed fipscheck_version