From 418cb8ccb0634dd84e635ed17c968d087ac913de Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 26 2020 16:10:13 +0000 Subject: import libreswan-4.1-1.el8 --- diff --git a/.gitignore b/.gitignore index a1d30d3..b8b59db 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,4 @@ SOURCES/ikev1_dsa.fax.bz2 SOURCES/ikev1_psk.fax.bz2 SOURCES/ikev2.fax.bz2 -SOURCES/libreswan-3.32.tar.gz +SOURCES/libreswan-4.1.tar.gz diff --git a/.libreswan.metadata b/.libreswan.metadata index 8a34fc6..0694fd7 100644 --- a/.libreswan.metadata +++ b/.libreswan.metadata @@ -1,4 +1,4 @@ b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2 861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2 fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2 -d752c8df37c90733a01c24849d439733acd4e8f0 SOURCES/libreswan-3.32.tar.gz +ae1bbe86a2223aa008f8bf2768e7320c5a7aae9d SOURCES/libreswan-4.1.tar.gz diff --git a/SOURCES/libreswan-3.32-1544463-seccomp.patch b/SOURCES/libreswan-3.32-1544463-seccomp.patch deleted file mode 100644 index 3b78fd2..0000000 --- a/SOURCES/libreswan-3.32-1544463-seccomp.patch +++ /dev/null @@ -1,57 +0,0 @@ -diff -Naur libreswan-3.32-orig/programs/pluto/pluto_seccomp.c libreswan-3.32/programs/pluto/pluto_seccomp.c ---- libreswan-3.32-orig/programs/pluto/pluto_seccomp.c 2020-05-11 10:13:41.000000000 -0400 -+++ libreswan-3.32/programs/pluto/pluto_seccomp.c 2020-07-01 20:33:38.918685784 -0400 -@@ -59,6 +59,7 @@ - - /* needed for pluto and updown, not helpers */ - if (main) { -+ LSW_SECCOMP_ADD(ctx, _llseek); - LSW_SECCOMP_ADD(ctx, accept); - LSW_SECCOMP_ADD(ctx, access); - LSW_SECCOMP_ADD(ctx, bind); -@@ -69,6 +70,7 @@ - LSW_SECCOMP_ADD(ctx, connect); - LSW_SECCOMP_ADD(ctx, dup); - LSW_SECCOMP_ADD(ctx, dup2); -+ LSW_SECCOMP_ADD(ctx, dup3); - LSW_SECCOMP_ADD(ctx, epoll_create); - LSW_SECCOMP_ADD(ctx, epoll_ctl); - LSW_SECCOMP_ADD(ctx, epoll_wait); -@@ -85,7 +87,7 @@ - LSW_SECCOMP_ADD(ctx, getgid); - LSW_SECCOMP_ADD(ctx, getgroups); - LSW_SECCOMP_ADD(ctx, getpgrp); -- LSW_SECCOMP_ADD(ctx, getpid); -+ LSW_SECCOMP_ADD(ctx, getpgid); - LSW_SECCOMP_ADD(ctx, getppid); - LSW_SECCOMP_ADD(ctx, getrandom); /* for unbound */ - LSW_SECCOMP_ADD(ctx, getrlimit); -@@ -102,10 +104,12 @@ - LSW_SECCOMP_ADD(ctx, pipe); - LSW_SECCOMP_ADD(ctx, pipe2); - LSW_SECCOMP_ADD(ctx, poll); -+ LSW_SECCOMP_ADD(ctx, ppoll); - LSW_SECCOMP_ADD(ctx, prctl); - LSW_SECCOMP_ADD(ctx, pread64); - LSW_SECCOMP_ADD(ctx, prlimit64); - LSW_SECCOMP_ADD(ctx, readlink); -+ LSW_SECCOMP_ADD(ctx, readlinkat); - LSW_SECCOMP_ADD(ctx, recvfrom); - LSW_SECCOMP_ADD(ctx, recvmsg); - LSW_SECCOMP_ADD(ctx, select); -@@ -126,6 +130,7 @@ - LSW_SECCOMP_ADD(ctx, arch_prctl); - LSW_SECCOMP_ADD(ctx, exit_group); - LSW_SECCOMP_ADD(ctx, exit); -+ LSW_SECCOMP_ADD(ctx, getpid); - LSW_SECCOMP_ADD(ctx, gettid); - LSW_SECCOMP_ADD(ctx, gettimeofday); - LSW_SECCOMP_ADD(ctx, fstat); -@@ -139,6 +144,7 @@ - LSW_SECCOMP_ADD(ctx, rt_sigprocmask); - LSW_SECCOMP_ADD(ctx, rt_sigreturn); - LSW_SECCOMP_ADD(ctx, sched_setparam); -+ LSW_SECCOMP_ADD(ctx, send); - LSW_SECCOMP_ADD(ctx, sendto); - LSW_SECCOMP_ADD(ctx, set_tid_address); - LSW_SECCOMP_ADD(ctx, sigaltstack); diff --git a/SOURCES/libreswan-3.32-1840212-nss-gcm.patch b/SOURCES/libreswan-3.32-1840212-nss-gcm.patch deleted file mode 100644 index 5c47f71..0000000 --- a/SOURCES/libreswan-3.32-1840212-nss-gcm.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff -Naur libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c ---- libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c 2020-05-11 10:13:41.000000000 -0400 -+++ libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c 2020-06-17 15:06:12.340210966 -0400 -@@ -16,6 +16,12 @@ - #include - #include - -+/* -+ * Special advise from Bob Relyea - needs to go before any nss include -+ * -+ */ -+#define NSS_PKCS11_2_0_COMPAT 1 -+ - #include "lswlog.h" - #include "lswnss.h" - #include "prmem.h" diff --git a/SOURCES/libreswan-3.32-1842597-accounting.patch b/SOURCES/libreswan-3.32-1842597-accounting.patch deleted file mode 100644 index 7204372..0000000 --- a/SOURCES/libreswan-3.32-1842597-accounting.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c -index 28726cf82a..25ee52179a 100644 ---- a/programs/pluto/kernel.c -+++ b/programs/pluto/kernel.c -@@ -600,8 +600,8 @@ bool fmt_common_shell_out(char *buf, size_t blen, const struct connection *c, - * true==inbound: inbound updates OUR_BYTES; !inbound updates - * PEER_BYTES. - */ -- bool outbytes = st != NULL && IS_IKE_SA(st) && get_sa_info(st, false, NULL); -- bool inbytes = st != NULL && IS_IKE_SA(st) && get_sa_info(st, true, NULL); -+ bool outbytes = st != NULL && get_sa_info(st, false, NULL); -+ bool inbytes = st != NULL && get_sa_info(st, true, NULL); - jambuf_t jambuf = array_as_jambuf(buf, blen); - jam_common_shell_out(&jambuf, c, sr, st, inbytes, outbytes); - return jambuf_ok(&jambuf); diff --git a/SOURCES/libreswan-3.32-1847766-xfrmi.patch b/SOURCES/libreswan-3.32-1847766-xfrmi.patch deleted file mode 100644 index f7b69ec..0000000 --- a/SOURCES/libreswan-3.32-1847766-xfrmi.patch +++ /dev/null @@ -1,24 +0,0 @@ -commit 790a79ba9f8f16532040d9c8a51a27c20e13c154 -Author: Paul Wouters -Date: Tue Jun 16 20:57:01 2020 -0400 - - pluto: find_pluto_xfrmi_interface() would only check first interface - -diff --git a/programs/pluto/kernel_xfrm_interface.c b/programs/pluto/kernel_xfrm_interface.c -index 8fc27b727d..0dc1a7ec8c 100644 ---- a/programs/pluto/kernel_xfrm_interface.c -+++ b/programs/pluto/kernel_xfrm_interface.c -@@ -586,9 +586,10 @@ static struct pluto_xfrmi *find_pluto_xfrmi_interface(uint32_t if_id) - struct pluto_xfrmi *ret = NULL; - - for (h = pluto_xfrm_interfaces; h != NULL; h = h->next) { -- if (h->if_id == if_id) -- ret = h; -- break; -+ if (h->if_id == if_id) { -+ ret = h; -+ break; -+ } - } - - return ret; diff --git a/SOURCES/libreswan-3.32-maintain-different-v1v2-split.patch b/SOURCES/libreswan-3.32-maintain-different-v1v2-split.patch deleted file mode 100644 index 423e871..0000000 --- a/SOURCES/libreswan-3.32-maintain-different-v1v2-split.patch +++ /dev/null @@ -1,70 +0,0 @@ -diff -Naur libreswan-3.32rc1-orig/lib/libipsecconf/confread.c libreswan-3.32rc1/lib/libipsecconf/confread.c ---- libreswan-3.32rc1-orig/lib/libipsecconf/confread.c 2020-04-28 22:27:20.000000000 -0400 -+++ libreswan-3.32rc1/lib/libipsecconf/confread.c 2020-04-30 13:41:18.612751661 -0400 -@@ -1332,13 +1332,16 @@ - - switch (conn->options[KNCF_IKEv2]) { - case fo_never: -- case fo_permit: - conn->policy |= POLICY_IKEV1_ALLOW; - /* clear any inherited default */ - conn->policy &= ~POLICY_IKEV2_ALLOW; - break; -- -+ case fo_permit: -+ starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no|never"); -+ return TRUE; - case fo_propose: -+ starter_error_append(perrl, "ikev2=propose or ikev2=yes is no longer accepted. Use ikev2=insist or ikev2=no|never"); -+ return TRUE; - case fo_insist: - conn->policy |= POLICY_IKEV2_ALLOW; - /* clear any inherited default */ -diff -Naur libreswan-3.32rc1-orig/programs/configs/d.ipsec.conf/ikev2.xml libreswan-3.32rc1/programs/configs/d.ipsec.conf/ikev2.xml ---- libreswan-3.32rc1-orig/programs/configs/d.ipsec.conf/ikev2.xml 2020-04-28 22:27:20.000000000 -0400 -+++ libreswan-3.32rc1/programs/configs/d.ipsec.conf/ikev2.xml 2020-04-30 13:45:14.847694267 -0400 -@@ -1,15 +1,15 @@ - - ikev2 - --Whether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) settings to be used. --Currently the accepted values are no(the default), --signifying only IKEv1 is accepted, or yes, -+Wether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) as the Internet Key Exchange (IKE) protcol. -+Currently the accepted values are no (or never) -+signifying only IKEv1 is accepted, or insist(the default), - signifying only IKEv2 is accepted. Previous versions allowed the keywords --propose or permit --that would allow either IKEv1 or IKEv2, but this is no longer supported. The --permit option is interpreted as no and the propose option is interpreted as --yes. Older versions also supported keyword --insist which is now interpreted as yes. -+propose, yes or permit -+that would allow either IKEv1 or IKEv2, but this is no longer supported and both options -+now cause the connection to fail to load. WARNING: This behaviour differs from upstream -+libreswan, which only accepts yes or no where yes means -+the same as insist. - - - -diff -Naur libreswan-3.32rc1-orig/programs/whack/whack.c libreswan-3.32rc1/programs/whack/whack.c ---- libreswan-3.32rc1-orig/programs/whack/whack.c 2020-04-28 22:27:20.000000000 -0400 -+++ libreswan-3.32rc1/programs/whack/whack.c 2020-04-30 13:41:18.615751749 -0400 -@@ -775,7 +775,7 @@ - - PS("ikev1-allow", IKEV1_ALLOW), - PS("ikev2-allow", IKEV2_ALLOW), -- PS("ikev2-propose", IKEV2_ALLOW), /* map onto allow */ -+ /* not in RHEL8 PS("ikev2-propose", IKEV2_ALLOW),*/ - - PS("allow-narrowing", IKEV2_ALLOW_NARROWING), - #ifdef XAUTH_HAVE_PAM -@@ -1737,7 +1737,7 @@ - - /* --ikev1-allow */ - case CDP_SINGLETON + POLICY_IKEV1_ALLOW_IX: -- /* --ikev2-allow (now also --ikev2-propose) */ -+ /* --ikev2-allow */ - case CDP_SINGLETON + POLICY_IKEV2_ALLOW_IX: - - /* --allow-narrowing */ diff --git a/SOURCES/libreswan-3.32-rebase-fixups.patch b/SOURCES/libreswan-3.32-rebase-fixups.patch deleted file mode 100644 index a3199a5..0000000 --- a/SOURCES/libreswan-3.32-rebase-fixups.patch +++ /dev/null @@ -1,53 +0,0 @@ -diff -Naur libreswan-3.32-orig/lib/libipsecconf/interfaces.c libreswan-3.32/lib/libipsecconf/interfaces.c ---- libreswan-3.32-orig/lib/libipsecconf/interfaces.c 2020-05-11 10:13:41.000000000 -0400 -+++ libreswan-3.32/lib/libipsecconf/interfaces.c 2020-06-04 18:51:39.508280352 -0400 -@@ -71,7 +71,11 @@ - if (sa->sa.sa_family == af) { - /* XXX: sizeof right? */ - ip_endpoint nhe; -- happy(sockaddr_to_endpoint(sa, sizeof(*sa), &nhe)); -+ err_t e = sockaddr_to_endpoint(sa, sizeof(*sa), &nhe); -+ if (e != NULL) { -+ pexpect(e != NULL); -+ return false; -+ } - pexpect(endpoint_hport(&nhe) == 0); - *nh = endpoint_address(&nhe); - } -@@ -84,7 +88,11 @@ - if (sa->sa.sa_family == af) { - /* XXX: sizeof right? */ - ip_endpoint dste; -- happy(sockaddr_to_endpoint(sa, sizeof(*sa), &dste)); -+ err_t e = sockaddr_to_endpoint(sa, sizeof(*sa), &dste); -+ if (e != NULL) { -+ pexpect(e != NULL); -+ return false; -+ } - pexpect(endpoint_hport(&dste) == 0); - *dst = endpoint_address(&dste); - } -diff -Naur libreswan-3.32-orig/lib/libswan/ip_endpoint.c libreswan-3.32/lib/libswan/ip_endpoint.c ---- libreswan-3.32-orig/lib/libswan/ip_endpoint.c 2020-05-11 10:13:41.000000000 -0400 -+++ libreswan-3.32/lib/libswan/ip_endpoint.c 2020-06-04 18:51:39.508280352 -0400 -@@ -54,20 +54,12 @@ - switch (sa->sa.sa_family) { - case AF_INET: - { -- /* XXX: to strict? */ -- if (sa_len != sizeof(sa->sin)) { -- return "wrong length"; -- } - address = address_from_in_addr(&sa->sin.sin_addr); - port = ntohs(sa->sin.sin_port); - break; - } - case AF_INET6: - { -- /* XXX: to strict? */ -- if (sa_len != sizeof(sa->sin6)) { -- return "wrong length"; -- } - address = address_from_in6_addr(&sa->sin6.sin6_addr); - port = ntohs(sa->sin6.sin6_port); - break; diff --git a/SOURCES/libreswan-4.1-maintain-different-v1v2-split.patch b/SOURCES/libreswan-4.1-maintain-different-v1v2-split.patch new file mode 100644 index 0000000..a8ec8e5 --- /dev/null +++ b/SOURCES/libreswan-4.1-maintain-different-v1v2-split.patch @@ -0,0 +1,70 @@ +diff -Naur libreswan-4.1-orig/configs/d.ipsec.conf/ikev2.xml libreswan-4.1/configs/d.ipsec.conf/ikev2.xml +--- libreswan-4.1-orig/configs/d.ipsec.conf/ikev2.xml 2020-10-18 21:11:05.000000000 -0400 ++++ libreswan-4.1/configs/d.ipsec.conf/ikev2.xml 2020-10-27 23:31:41.943387992 -0400 +@@ -1,15 +1,15 @@ + + ikev2 + +-Whether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) settings to be used. +-Currently the accepted values are no(the default), +-signifying only IKEv1 is accepted, or yes, ++Wether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) as the Internet Key Exchange (IKE) protcol. ++Currently the accepted values are no (or never) ++signifying only IKEv1 is accepted, or insist(the default), + signifying only IKEv2 is accepted. Previous versions allowed the keywords +-propose or permit +-that would allow either IKEv1 or IKEv2, but this is no longer supported. The +-permit option is interpreted as no and the propose option is interpreted as +-yes. Older versions also supported keyword +-insist which is now interpreted as yes. ++propose, yes or permit ++that would allow either IKEv1 or IKEv2, but this is no longer supported and both options ++now cause the connection to fail to load. WARNING: This behaviour differs from upstream ++libreswan, which only accepts yes or no where yes means ++the same as insist. + + + +diff -Naur libreswan-4.1-orig/lib/libipsecconf/confread.c libreswan-4.1/lib/libipsecconf/confread.c +--- libreswan-4.1-orig/lib/libipsecconf/confread.c 2020-10-18 21:11:05.000000000 -0400 ++++ libreswan-4.1/lib/libipsecconf/confread.c 2020-10-27 23:28:15.199171781 -0400 +@@ -1299,13 +1299,16 @@ + + switch (conn->options[KNCF_IKEv2]) { + case fo_never: +- case fo_permit: + conn->policy |= POLICY_IKEV1_ALLOW; + /* clear any inherited default */ + conn->policy &= ~POLICY_IKEV2_ALLOW; + break; +- ++ case fo_permit: ++ starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no|never"); ++ return TRUE; + case fo_propose: ++ starter_error_append(perrl, "ikev2=propose or ikev2=yes is no longer accepted. Use ikev2=insist or ikev2=no|never"); ++ return TRUE; + case fo_insist: + conn->policy |= POLICY_IKEV2_ALLOW; + /* clear any inherited default */ +diff -Naur libreswan-4.1-orig/programs/whack/whack.c libreswan-4.1/programs/whack/whack.c +--- libreswan-4.1-orig/programs/whack/whack.c 2020-10-18 21:11:05.000000000 -0400 ++++ libreswan-4.1/programs/whack/whack.c 2020-10-27 23:33:01.065215832 -0400 +@@ -780,7 +780,7 @@ + PS("ikev1-allow", IKEV1_ALLOW), /* obsolete name */ + PS("ikev2", IKEV2_ALLOW), + PS("ikev2-allow", IKEV2_ALLOW), /* obsolete name */ +- PS("ikev2-propose", IKEV2_ALLOW), /* obsolete, map onto allow */ ++ /* not in RHEL8 PS("ikev2-propose", IKEV2_ALLOW), */ + + PS("allow-narrowing", IKEV2_ALLOW_NARROWING), + #ifdef XAUTH_HAVE_PAM +@@ -1707,7 +1707,7 @@ + + /* --ikev1 */ + case CDP_SINGLETON + POLICY_IKEV1_ALLOW_IX: +- /* --ikev2 (now also --ikev2-propose) */ ++ /* --ikev2 */ + case CDP_SINGLETON + POLICY_IKEV2_ALLOW_IX: + + /* --allow-narrowing */ diff --git a/SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch b/SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch new file mode 100644 index 0000000..b288334 --- /dev/null +++ b/SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch @@ -0,0 +1,126 @@ +diff -Naur libreswan-4.1-orig/lib/libipsecconf/keywords.c libreswan-4.1/lib/libipsecconf/keywords.c +--- libreswan-4.1-orig/lib/libipsecconf/keywords.c 2020-10-18 21:11:05.000000000 -0400 ++++ libreswan-4.1/lib/libipsecconf/keywords.c 2020-10-27 23:47:09.999098076 -0400 +@@ -366,6 +366,8 @@ + { "interfaces", kv_config, kt_string, KSF_INTERFACES, NULL, NULL, }, + { "curl-iface", kv_config, kt_string, KSF_CURLIFACE, NULL, NULL, }, + { "curl-timeout", kv_config, kt_time, KBF_CURLTIMEOUT, NULL, NULL, }, ++ { "curl_iface", kv_config | kv_alias, kt_string, KSF_CURLIFACE, NULL, NULL, }, /* obsolete _ */ ++ { "curl_timeout", kv_config | kv_alias, kt_time, KBF_CURLTIMEOUT, NULL, NULL, }, /* obsolete _ */ + + { "myvendorid", kv_config, kt_string, KSF_MYVENDORID, NULL, NULL, }, + { "syslog", kv_config, kt_string, KSF_SYSLOG, NULL, NULL, }, +@@ -373,6 +375,7 @@ + { "logfile", kv_config, kt_filename, KSF_LOGFILE, NULL, NULL, }, + { "plutostderrlog", kv_config, kt_filename, KSF_LOGFILE, NULL, NULL, }, /* obsolete name, but very common :/ */ + { "logtime", kv_config, kt_bool, KBF_LOGTIME, NULL, NULL, }, ++ { "plutostderrlogtime", kv_config | kv_alias, kt_bool, KBF_LOGTIME, NULL, NULL, }, /* obsolete */ + { "logappend", kv_config, kt_bool, KBF_LOGAPPEND, NULL, NULL, }, + { "logip", kv_config, kt_bool, KBF_LOGIP, NULL, NULL, }, + { "audit-log", kv_config, kt_bool, KBF_AUDIT_LOG, NULL, NULL, }, +@@ -392,13 +395,20 @@ + { "global-redirect-to", kv_config, kt_string, KSF_GLOBAL_REDIRECT_TO, NULL, NULL, }, + + { "crl-strict", kv_config, kt_bool, KBF_CRL_STRICT, NULL, NULL, }, ++ { "crl_strict", kv_config | kv_alias, kt_bool, KBF_CRL_STRICT, NULL, NULL, }, /* obsolete _ */ + { "crlcheckinterval", kv_config, kt_time, KBF_CRL_CHECKINTERVAL, NULL, NULL, }, ++ { "strictcrlpolicy", kv_config | kv_alias, kt_bool, KBF_CRL_STRICT, NULL, NULL, }, /* obsolete; used on openswan */ + + { "ocsp-strict", kv_config, kt_bool, KBF_OCSP_STRICT, NULL, NULL, }, ++ { "ocsp_strict", kv_config | kv_alias, kt_bool, KBF_OCSP_STRICT, NULL, NULL, }, /* obsolete _ */ + { "ocsp-enable", kv_config, kt_bool, KBF_OCSP_ENABLE, NULL, NULL, }, ++ { "ocsp_enable", kv_config | kv_alias, kt_bool, KBF_OCSP_ENABLE, NULL, NULL, }, /* obsolete _ */ + { "ocsp-uri", kv_config, kt_string, KSF_OCSP_URI, NULL, NULL, }, ++ { "ocsp_uri", kv_config | kv_alias, kt_string, KSF_OCSP_URI, NULL, NULL, }, /* obsolete _ */ + { "ocsp-timeout", kv_config, kt_number, KBF_OCSP_TIMEOUT, NULL, NULL, }, ++ { "ocsp_timeout", kv_config | kv_alias, kt_number, KBF_OCSP_TIMEOUT, NULL, NULL, }, /* obsolete _ */ + { "ocsp-trustname", kv_config, kt_string, KSF_OCSP_TRUSTNAME, NULL, NULL, }, ++ { "ocsp_trust_name", kv_config | kv_alias, kt_string, KSF_OCSP_TRUSTNAME, NULL, NULL, }, /* obsolete _ */ + { "ocsp-cache-size", kv_config, kt_number, KBF_OCSP_CACHE_SIZE, NULL, NULL, }, + { "ocsp-cache-min-age", kv_config, kt_time, KBF_OCSP_CACHE_MIN, NULL, NULL, }, + { "ocsp-cache-max-age", kv_config, kt_time, KBF_OCSP_CACHE_MAX, NULL, NULL, }, +@@ -418,6 +428,7 @@ + { "virtual_private", kv_config, kt_string, KSF_VIRTUALPRIVATE, NULL, NULL, }, /* obsolete variant, very common */ + { "seedbits", kv_config, kt_number, KBF_SEEDBITS, NULL, NULL, }, + { "keep-alive", kv_config, kt_number, KBF_KEEPALIVE, NULL, NULL, }, ++ { "keep_alive", kv_config | kv_alias, kt_number, KBF_KEEPALIVE, NULL, NULL, }, /* obsolete _ */ + + { "listen-tcp", kv_config, kt_bool, KBF_LISTEN_TCP, NULL, NULL }, + { "listen-udp", kv_config, kt_bool, KBF_LISTEN_UDP, NULL, NULL }, +@@ -429,6 +440,8 @@ + #ifdef HAVE_LABELED_IPSEC + { "ikev1-secctx-attr-type", kv_config, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete: not a value, a type */ + { "secctx-attr-type", kv_config | kv_alias, kt_number, KBF_SECCTX, NULL, NULL, }, ++ { "secctx_attr_value", kv_config | kv_alias, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete _ */ ++ { "secctx-attr-value", kv_config, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete: not a value, a type */ + #endif + + /* these options are obsoleted (and not old aliases) */ +@@ -457,6 +470,8 @@ + { "modecfgserver", kv_conn | kv_leftright, kt_bool, KNCF_MODECONFIGSERVER, NULL, NULL, }, + { "modecfgclient", kv_conn | kv_leftright, kt_bool, KNCF_MODECONFIGCLIENT, NULL, NULL, }, + { "username", kv_conn | kv_leftright, kt_string, KSCF_USERNAME, NULL, NULL, }, ++ { "xauthusername", kv_conn | kv_leftright | kv_alias, kt_string, KSCF_USERNAME, NULL, NULL, }, /* obsolete name */ ++ { "xauthname", kv_conn | kv_leftright | kv_alias, kt_string, KSCF_USERNAME, NULL, NULL, }, /* obsolete name */ + { "addresspool", kv_conn | kv_leftright, kt_range, KSCF_ADDRESSPOOL, NULL, NULL, }, + { "auth", kv_conn | kv_leftright, kt_enum, KNCF_AUTH, &kw_authby_lr_list, NULL, }, + { "cat", kv_conn | kv_leftright, kt_bool, KNCF_CAT, NULL, NULL, }, +@@ -479,6 +494,8 @@ + { "esn", kv_conn | kv_processed, kt_enum, KNCF_ESN, &kw_esn_list, NULL, }, + { "decap-dscp", kv_conn | kv_processed, kt_bool, KNCF_DECAP_DSCP, NULL, NULL, }, + { "nopmtudisc", kv_conn | kv_processed, kt_bool, KNCF_NOPMTUDISC, NULL, NULL, }, ++ { "ike_frag", kv_conn | kv_processed | kv_alias, kt_enum, KNCF_IKE_FRAG, &kw_ynf_list, NULL, }, /* obsolete _ */ ++ { "ike-frag", kv_conn | kv_processed | kv_alias, kt_enum, KNCF_IKE_FRAG, &kw_ynf_list, NULL, }, /* obsolete name */ + { "fragmentation", kv_conn | kv_processed, kt_enum, KNCF_IKE_FRAG, &kw_ynf_list, NULL, }, + { "mobike", kv_conn, kt_bool, KNCF_MOBIKE, NULL, NULL, }, + { "narrowing", kv_conn, kt_bool, KNCF_IKEv2_ALLOW_NARROWING, NULL, NULL, }, +@@ -489,13 +506,18 @@ + { "accept-redirect-to", kv_conn, kt_string, KSCF_ACCEPT_REDIRECT_TO, NULL, NULL, }, + { "pfs", kv_conn, kt_bool, KNCF_PFS, NULL, NULL, }, + ++ { "nat_keepalive", kv_conn | kv_alias, kt_bool, KNCF_NAT_KEEPALIVE, NULL, NULL, }, /* obsolete _ */ + { "nat-keepalive", kv_conn, kt_bool, KNCF_NAT_KEEPALIVE, NULL, NULL, }, + ++ { "initial_contact", kv_conn | kv_alias, kt_bool, KNCF_INITIAL_CONTACT, NULL, NULL, }, /* obsolete _ */ + { "initial-contact", kv_conn, kt_bool, KNCF_INITIAL_CONTACT, NULL, NULL, }, ++ { "cisco_unity", kv_conn | kv_alias, kt_bool, KNCF_CISCO_UNITY, NULL, NULL, }, /* obsolete _ */ + { "cisco-unity", kv_conn, kt_bool, KNCF_CISCO_UNITY, NULL, NULL, }, + { "send-no-esp-tfc", kv_conn, kt_bool, KNCF_NO_ESP_TFC, NULL, NULL, }, + { "fake-strongswan", kv_conn, kt_bool, KNCF_VID_STRONGSWAN, NULL, NULL, }, ++ { "send_vendorid", kv_conn | kv_alias, kt_bool, KNCF_SEND_VENDORID, NULL, NULL, }, /* obsolete _ */ + { "send-vendorid", kv_conn, kt_bool, KNCF_SEND_VENDORID, NULL, NULL, }, ++ { "sha2_truncbug", kv_conn | kv_alias, kt_bool, KNCF_SHA2_TRUNCBUG, NULL, NULL, }, /* obsolete _ */ + { "sha2-truncbug", kv_conn, kt_bool, KNCF_SHA2_TRUNCBUG, NULL, NULL, }, + { "ms-dh-downgrade", kv_conn, kt_bool, KNCF_MSDH_DOWNGRADE, NULL, NULL, }, + { "require-id-on-certificate", kv_conn, kt_bool, KNCF_SAN_ON_CERT, NULL, NULL, }, +@@ -511,14 +533,19 @@ + { "nat-ikev1-method", kv_conn | kv_processed, kt_enum, KNCF_IKEV1_NATT, &kw_ikev1natt_list, NULL, }, + #ifdef HAVE_LABELED_IPSEC + /* only policy label is used, non-zero means wanting labeled IPsec */ ++ { "labeled_ipsec", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */ ++ { "labeled-ipsec", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */ ++ { "policy_label", kv_conn | kv_alias, kt_string, KSCF_POLICY_LABEL, NULL, NULL, }, /* obsolete _ */ + { "policy-label", kv_conn, kt_string, KSCF_POLICY_LABEL, NULL, NULL, }, + #endif + + /* Cisco interop: remote peer type */ ++ { "remote_peer_type", kv_conn | kv_alias, kt_enum, KNCF_REMOTEPEERTYPE, &kw_remote_peer_type, NULL, }, /* obsolete _ */ + { "remote-peer-type", kv_conn, kt_enum, KNCF_REMOTEPEERTYPE, &kw_remote_peer_type, NULL, }, + + /* Network Manager support */ + #ifdef HAVE_NM ++ { "nm_configured", kv_conn | kv_alias, kt_bool, KNCF_NMCONFIGURED, NULL, NULL, }, /* obsolete _ */ + { "nm-configured", kv_conn, kt_bool, KNCF_NMCONFIGURED, NULL, NULL, }, + #endif + +@@ -526,7 +553,10 @@ + { "xauthfail", kv_conn, kt_enum, KNCF_XAUTHFAIL, &kw_xauthfail, NULL, }, + { "modecfgpull", kv_conn, kt_invertbool, KNCF_MODECONFIGPULL, NULL, NULL, }, + { "modecfgdns", kv_conn, kt_string, KSCF_MODECFGDNS, NULL, NULL, }, ++ { "modecfgdns1", kv_conn | kv_alias, kt_string, KSCF_MODECFGDNS, NULL, NULL, }, /* obsolete */ ++ { "modecfgdns2", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */ + { "modecfgdomains", kv_conn, kt_string, KSCF_MODECFGDOMAINS, NULL, NULL, }, ++ { "modecfgdomain", kv_conn | kv_alias, kt_string, KSCF_MODECFGDOMAINS, NULL, NULL, }, /* obsolete */ + { "modecfgbanner", kv_conn, kt_string, KSCF_MODECFGBANNER, NULL, NULL, }, + { "mark", kv_conn, kt_string, KSCF_CONN_MARK_BOTH, NULL, NULL, }, + { "mark-in", kv_conn, kt_string, KSCF_CONN_MARK_IN, NULL, NULL, }, diff --git a/SPECS/libreswan.spec b/SPECS/libreswan.spec index e256104..a350118 100644 --- a/SPECS/libreswan.spec +++ b/SPECS/libreswan.spec @@ -5,17 +5,18 @@ %global with_cavstests 1 # minimum version for support for rhbz#1651314 # should prob update for nss with IKEv1 quick mode support -%global nss_version 3.53.1-3 +%global nss_version 3.53.1 %global unbound_version 1.6.6 %global libreswan_config \\\ FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\ FINALMANDIR=%{_mandir} \\\ - INC_RCDEFAULT=%{_initrddir} \\\ - INC_USRLOCAL=%{_prefix} \\\ + FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\ INITSYSTEM=systemd \\\ - NSS_REQ_AVA_COPY=false \\\ NSS_HAS_IPSEC_PROFILE=true \\\ + NSS_REQ_AVA_COPY=false \\\ + PREFIX=%{_prefix} \\\ PYTHON_BINARY=%{__python3} \\\ + SHELL_BINARY=%{_bindir}/sh \\\ USE_DNSSEC=true \\\ USE_FIPSCHECK=false \\\ USE_LABELED_IPSEC=true \\\ @@ -24,10 +25,9 @@ USE_LIBCURL=true \\\ USE_LINUX_AUDIT=true \\\ USE_NM=true \\\ + USE_NSS_KDF=true \\\ USE_SECCOMP=true \\\ - USE_XAUTHPAM=true \\\ - USE_KLIPS=false \\\ - USE_NSS_PRF=true \\\ + USE_AUTHPAM=true \\\ USE_PRF_AES_XCBC=true \\\ USE_DH2=true \\\ %{nil} @@ -37,8 +37,8 @@ Name: libreswan Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols # version is generated in the release script -Version: 3.32 -Release: %{?prever:0.}6%{?prever:.%{prever}}%{?dist} +Version: 4.1 +Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist} License: GPLv2 Url: https://libreswan.org/ @@ -49,20 +49,15 @@ Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2 %endif -Patch1: libreswan-3.32-maintain-different-v1v2-split.patch -Patch2: libreswan-3.32-rebase-fixups.patch -Patch3: libreswan-3.32-1842597-accounting.patch -Patch4: libreswan-3.32-1847766-xfrmi.patch -Patch5: libreswan-3.32-1840212-nss-gcm.patch -Patch6: libreswan-3.32-1544463-seccomp.patch -Patch7: libreswan-3.32-1861360-nodefault-rsa-pss.patch - +Patch1: libreswan-4.1-maintain-different-v1v2-split.patch +Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch +Patch3: libreswan-4.1-maintain-obsolete-keywords.patch BuildRequires: audit-libs-devel BuildRequires: bison BuildRequires: curl-devel BuildRequires: flex -BuildRequires: gcc +BuildRequires: gcc make BuildRequires: ldns-devel BuildRequires: libcap-ng-devel BuildRequires: libevent-devel @@ -114,23 +109,12 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %patch1 -p1 %patch2 -p1 %patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 - -pathfix.py -i %{__python3} -pn testing/cert_verify/usage_test \ - testing/pluto/ikev1-01-fuzzer/cve-2015-3204.py \ - testing/pluto/ikev2-15-fuzzer/send_bad_packets.py - -# replace unsupported KLIPS README -echo "KLIPS is not supported with RHEL8" > README.KLIPS # linking to freebl is not needed sed -i "s/-lfreebl //" mk/config.mk # enable crypto-policies support -sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in +sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in %build make %{?_smp_mflags} \ @@ -158,8 +142,6 @@ rm -rf %{buildroot}/usr/share/doc/libreswan rm -rf %{buildroot}%{_libexecdir}/ipsec/*check install -d -m 0755 %{buildroot}%{_rundir}/pluto -# used when setting --perpeerlog without --perpeerlogbase -install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer install -d %{buildroot}%{_sbindir} install -d %{buildroot}%{_sysconfdir}/sysctl.d @@ -220,8 +202,6 @@ certutil -N -d sql:$tmpdir --empty-password %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/* %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf -%attr(0700,root,root) %dir %{_localstatedir}/log/pluto -%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer %attr(0755,root,root) %dir %{_rundir}/pluto %attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf %attr(0644,root,root) %{_unitdir}/ipsec.service @@ -231,6 +211,10 @@ certutil -N -d sql:$tmpdir --empty-password %attr(0644,root,root) %doc %{_mandir}/*/* %changelog +* Tue Oct 27 22:11:42 EDT 2020 Paul Wouters - 4.1-1 +- Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.1 +- Resolves: rhbz#1889836 libreswan: add 3.x compat patches for obsoleted/removed keywords of 4.0 and re-port ikev2= patch + * Wed Jul 29 2020 Paul Wouters - 3.32-6 - Resolves: rhbz#1861360 authby=rsasig must not imply usage of rsa-pss