From 7aef00aacb517490c21aa708c0c88ca13779e980 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 18 2021 06:45:49 +0000 Subject: import libreswan-4.3-3.el8 --- diff --git a/.gitignore b/.gitignore index a1d30d3..373aff2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,4 @@ SOURCES/ikev1_dsa.fax.bz2 SOURCES/ikev1_psk.fax.bz2 SOURCES/ikev2.fax.bz2 -SOURCES/libreswan-3.32.tar.gz +SOURCES/libreswan-4.3.tar.gz diff --git a/.libreswan.metadata b/.libreswan.metadata index 8a34fc6..2725d11 100644 --- a/.libreswan.metadata +++ b/.libreswan.metadata @@ -1,4 +1,4 @@ b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2 861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2 fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2 -d752c8df37c90733a01c24849d439733acd4e8f0 SOURCES/libreswan-3.32.tar.gz +6f86811420df8873f43e8ff98f718f1aee5836f3 SOURCES/libreswan-4.3.tar.gz diff --git a/SOURCES/libreswan-3.32-1544463-seccomp.patch b/SOURCES/libreswan-3.32-1544463-seccomp.patch deleted file mode 100644 index 3b78fd2..0000000 --- a/SOURCES/libreswan-3.32-1544463-seccomp.patch +++ /dev/null @@ -1,57 +0,0 @@ -diff -Naur libreswan-3.32-orig/programs/pluto/pluto_seccomp.c libreswan-3.32/programs/pluto/pluto_seccomp.c ---- libreswan-3.32-orig/programs/pluto/pluto_seccomp.c 2020-05-11 10:13:41.000000000 -0400 -+++ libreswan-3.32/programs/pluto/pluto_seccomp.c 2020-07-01 20:33:38.918685784 -0400 -@@ -59,6 +59,7 @@ - - /* needed for pluto and updown, not helpers */ - if (main) { -+ LSW_SECCOMP_ADD(ctx, _llseek); - LSW_SECCOMP_ADD(ctx, accept); - LSW_SECCOMP_ADD(ctx, access); - LSW_SECCOMP_ADD(ctx, bind); -@@ -69,6 +70,7 @@ - LSW_SECCOMP_ADD(ctx, connect); - LSW_SECCOMP_ADD(ctx, dup); - LSW_SECCOMP_ADD(ctx, dup2); -+ LSW_SECCOMP_ADD(ctx, dup3); - LSW_SECCOMP_ADD(ctx, epoll_create); - LSW_SECCOMP_ADD(ctx, epoll_ctl); - LSW_SECCOMP_ADD(ctx, epoll_wait); -@@ -85,7 +87,7 @@ - LSW_SECCOMP_ADD(ctx, getgid); - LSW_SECCOMP_ADD(ctx, getgroups); - LSW_SECCOMP_ADD(ctx, getpgrp); -- LSW_SECCOMP_ADD(ctx, getpid); -+ LSW_SECCOMP_ADD(ctx, getpgid); - LSW_SECCOMP_ADD(ctx, getppid); - LSW_SECCOMP_ADD(ctx, getrandom); /* for unbound */ - LSW_SECCOMP_ADD(ctx, getrlimit); -@@ -102,10 +104,12 @@ - LSW_SECCOMP_ADD(ctx, pipe); - LSW_SECCOMP_ADD(ctx, pipe2); - LSW_SECCOMP_ADD(ctx, poll); -+ LSW_SECCOMP_ADD(ctx, ppoll); - LSW_SECCOMP_ADD(ctx, prctl); - LSW_SECCOMP_ADD(ctx, pread64); - LSW_SECCOMP_ADD(ctx, prlimit64); - LSW_SECCOMP_ADD(ctx, readlink); -+ LSW_SECCOMP_ADD(ctx, readlinkat); - LSW_SECCOMP_ADD(ctx, recvfrom); - LSW_SECCOMP_ADD(ctx, recvmsg); - LSW_SECCOMP_ADD(ctx, select); -@@ -126,6 +130,7 @@ - LSW_SECCOMP_ADD(ctx, arch_prctl); - LSW_SECCOMP_ADD(ctx, exit_group); - LSW_SECCOMP_ADD(ctx, exit); -+ LSW_SECCOMP_ADD(ctx, getpid); - LSW_SECCOMP_ADD(ctx, gettid); - LSW_SECCOMP_ADD(ctx, gettimeofday); - LSW_SECCOMP_ADD(ctx, fstat); -@@ -139,6 +144,7 @@ - LSW_SECCOMP_ADD(ctx, rt_sigprocmask); - LSW_SECCOMP_ADD(ctx, rt_sigreturn); - LSW_SECCOMP_ADD(ctx, sched_setparam); -+ LSW_SECCOMP_ADD(ctx, send); - LSW_SECCOMP_ADD(ctx, sendto); - LSW_SECCOMP_ADD(ctx, set_tid_address); - LSW_SECCOMP_ADD(ctx, sigaltstack); diff --git a/SOURCES/libreswan-3.32-1840212-nss-gcm.patch b/SOURCES/libreswan-3.32-1840212-nss-gcm.patch deleted file mode 100644 index 5c47f71..0000000 --- a/SOURCES/libreswan-3.32-1840212-nss-gcm.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff -Naur libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c ---- libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c 2020-05-11 10:13:41.000000000 -0400 -+++ libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c 2020-06-17 15:06:12.340210966 -0400 -@@ -16,6 +16,12 @@ - #include - #include - -+/* -+ * Special advise from Bob Relyea - needs to go before any nss include -+ * -+ */ -+#define NSS_PKCS11_2_0_COMPAT 1 -+ - #include "lswlog.h" - #include "lswnss.h" - #include "prmem.h" diff --git a/SOURCES/libreswan-3.32-1842597-accounting.patch b/SOURCES/libreswan-3.32-1842597-accounting.patch deleted file mode 100644 index 7204372..0000000 --- a/SOURCES/libreswan-3.32-1842597-accounting.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c -index 28726cf82a..25ee52179a 100644 ---- a/programs/pluto/kernel.c -+++ b/programs/pluto/kernel.c -@@ -600,8 +600,8 @@ bool fmt_common_shell_out(char *buf, size_t blen, const struct connection *c, - * true==inbound: inbound updates OUR_BYTES; !inbound updates - * PEER_BYTES. - */ -- bool outbytes = st != NULL && IS_IKE_SA(st) && get_sa_info(st, false, NULL); -- bool inbytes = st != NULL && IS_IKE_SA(st) && get_sa_info(st, true, NULL); -+ bool outbytes = st != NULL && get_sa_info(st, false, NULL); -+ bool inbytes = st != NULL && get_sa_info(st, true, NULL); - jambuf_t jambuf = array_as_jambuf(buf, blen); - jam_common_shell_out(&jambuf, c, sr, st, inbytes, outbytes); - return jambuf_ok(&jambuf); diff --git a/SOURCES/libreswan-3.32-1847766-xfrmi.patch b/SOURCES/libreswan-3.32-1847766-xfrmi.patch deleted file mode 100644 index f7b69ec..0000000 --- a/SOURCES/libreswan-3.32-1847766-xfrmi.patch +++ /dev/null @@ -1,24 +0,0 @@ -commit 790a79ba9f8f16532040d9c8a51a27c20e13c154 -Author: Paul Wouters -Date: Tue Jun 16 20:57:01 2020 -0400 - - pluto: find_pluto_xfrmi_interface() would only check first interface - -diff --git a/programs/pluto/kernel_xfrm_interface.c b/programs/pluto/kernel_xfrm_interface.c -index 8fc27b727d..0dc1a7ec8c 100644 ---- a/programs/pluto/kernel_xfrm_interface.c -+++ b/programs/pluto/kernel_xfrm_interface.c -@@ -586,9 +586,10 @@ static struct pluto_xfrmi *find_pluto_xfrmi_interface(uint32_t if_id) - struct pluto_xfrmi *ret = NULL; - - for (h = pluto_xfrm_interfaces; h != NULL; h = h->next) { -- if (h->if_id == if_id) -- ret = h; -- break; -+ if (h->if_id == if_id) { -+ ret = h; -+ break; -+ } - } - - return ret; diff --git a/SOURCES/libreswan-3.32-1880466-labeled-ipsec.patch b/SOURCES/libreswan-3.32-1880466-labeled-ipsec.patch deleted file mode 100644 index fe22d8d..0000000 --- a/SOURCES/libreswan-3.32-1880466-labeled-ipsec.patch +++ /dev/null @@ -1,25 +0,0 @@ -diff -Naur libreswan-3.32-orig/lib/libipsecconf/starterwhack.c libreswan-3.32/lib/libipsecconf/starterwhack.c ---- libreswan-3.32-orig/lib/libipsecconf/starterwhack.c 2020-05-11 10:13:41.000000000 -0400 -+++ libreswan-3.32/lib/libipsecconf/starterwhack.c 2020-09-24 10:01:14.275131341 -0400 -@@ -663,7 +663,7 @@ - #endif - - #ifdef HAVE_LABELED_IPSEC -- if (conn->options_set[KSCF_POLICY_LABEL]) { -+ if (conn->strings_set[KSCF_POLICY_LABEL]) { - msg.policy_label = conn->policy_label; - starter_log(LOG_LEVEL_DEBUG, "conn: \"%s\" policy_label=%s", - conn->name, msg.policy_label); -diff -Naur libreswan-3.32-orig/programs/pluto/ikev1_spdb_struct.c libreswan-3.32/programs/pluto/ikev1_spdb_struct.c ---- libreswan-3.32-orig/programs/pluto/ikev1_spdb_struct.c 2020-05-11 10:13:41.000000000 -0400 -+++ libreswan-3.32/programs/pluto/ikev1_spdb_struct.c 2020-09-24 10:01:31.996278599 -0400 -@@ -59,8 +59,7 @@ - #include "nat_traversal.h" - - --#ifndef USE_LABELED_IPSEC -- -+#ifndef HAVE_LABELED_IPSEC - static bool parse_secctx_attr(pb_stream *pbs UNUSED, struct state *st UNUSED) - { - /* diff --git a/SOURCES/libreswan-3.32-maintain-different-v1v2-split.patch b/SOURCES/libreswan-3.32-maintain-different-v1v2-split.patch deleted file mode 100644 index 423e871..0000000 --- a/SOURCES/libreswan-3.32-maintain-different-v1v2-split.patch +++ /dev/null @@ -1,70 +0,0 @@ -diff -Naur libreswan-3.32rc1-orig/lib/libipsecconf/confread.c libreswan-3.32rc1/lib/libipsecconf/confread.c ---- libreswan-3.32rc1-orig/lib/libipsecconf/confread.c 2020-04-28 22:27:20.000000000 -0400 -+++ libreswan-3.32rc1/lib/libipsecconf/confread.c 2020-04-30 13:41:18.612751661 -0400 -@@ -1332,13 +1332,16 @@ - - switch (conn->options[KNCF_IKEv2]) { - case fo_never: -- case fo_permit: - conn->policy |= POLICY_IKEV1_ALLOW; - /* clear any inherited default */ - conn->policy &= ~POLICY_IKEV2_ALLOW; - break; -- -+ case fo_permit: -+ starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no|never"); -+ return TRUE; - case fo_propose: -+ starter_error_append(perrl, "ikev2=propose or ikev2=yes is no longer accepted. Use ikev2=insist or ikev2=no|never"); -+ return TRUE; - case fo_insist: - conn->policy |= POLICY_IKEV2_ALLOW; - /* clear any inherited default */ -diff -Naur libreswan-3.32rc1-orig/programs/configs/d.ipsec.conf/ikev2.xml libreswan-3.32rc1/programs/configs/d.ipsec.conf/ikev2.xml ---- libreswan-3.32rc1-orig/programs/configs/d.ipsec.conf/ikev2.xml 2020-04-28 22:27:20.000000000 -0400 -+++ libreswan-3.32rc1/programs/configs/d.ipsec.conf/ikev2.xml 2020-04-30 13:45:14.847694267 -0400 -@@ -1,15 +1,15 @@ - - ikev2 - --Whether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) settings to be used. --Currently the accepted values are no(the default), --signifying only IKEv1 is accepted, or yes, -+Wether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) as the Internet Key Exchange (IKE) protcol. -+Currently the accepted values are no (or never) -+signifying only IKEv1 is accepted, or insist(the default), - signifying only IKEv2 is accepted. Previous versions allowed the keywords --propose or permit --that would allow either IKEv1 or IKEv2, but this is no longer supported. The --permit option is interpreted as no and the propose option is interpreted as --yes. Older versions also supported keyword --insist which is now interpreted as yes. -+propose, yes or permit -+that would allow either IKEv1 or IKEv2, but this is no longer supported and both options -+now cause the connection to fail to load. WARNING: This behaviour differs from upstream -+libreswan, which only accepts yes or no where yes means -+the same as insist. - - - -diff -Naur libreswan-3.32rc1-orig/programs/whack/whack.c libreswan-3.32rc1/programs/whack/whack.c ---- libreswan-3.32rc1-orig/programs/whack/whack.c 2020-04-28 22:27:20.000000000 -0400 -+++ libreswan-3.32rc1/programs/whack/whack.c 2020-04-30 13:41:18.615751749 -0400 -@@ -775,7 +775,7 @@ - - PS("ikev1-allow", IKEV1_ALLOW), - PS("ikev2-allow", IKEV2_ALLOW), -- PS("ikev2-propose", IKEV2_ALLOW), /* map onto allow */ -+ /* not in RHEL8 PS("ikev2-propose", IKEV2_ALLOW),*/ - - PS("allow-narrowing", IKEV2_ALLOW_NARROWING), - #ifdef XAUTH_HAVE_PAM -@@ -1737,7 +1737,7 @@ - - /* --ikev1-allow */ - case CDP_SINGLETON + POLICY_IKEV1_ALLOW_IX: -- /* --ikev2-allow (now also --ikev2-propose) */ -+ /* --ikev2-allow */ - case CDP_SINGLETON + POLICY_IKEV2_ALLOW_IX: - - /* --allow-narrowing */ diff --git a/SOURCES/libreswan-3.32-rebase-fixups.patch b/SOURCES/libreswan-3.32-rebase-fixups.patch deleted file mode 100644 index a3199a5..0000000 --- a/SOURCES/libreswan-3.32-rebase-fixups.patch +++ /dev/null @@ -1,53 +0,0 @@ -diff -Naur libreswan-3.32-orig/lib/libipsecconf/interfaces.c libreswan-3.32/lib/libipsecconf/interfaces.c ---- libreswan-3.32-orig/lib/libipsecconf/interfaces.c 2020-05-11 10:13:41.000000000 -0400 -+++ libreswan-3.32/lib/libipsecconf/interfaces.c 2020-06-04 18:51:39.508280352 -0400 -@@ -71,7 +71,11 @@ - if (sa->sa.sa_family == af) { - /* XXX: sizeof right? */ - ip_endpoint nhe; -- happy(sockaddr_to_endpoint(sa, sizeof(*sa), &nhe)); -+ err_t e = sockaddr_to_endpoint(sa, sizeof(*sa), &nhe); -+ if (e != NULL) { -+ pexpect(e != NULL); -+ return false; -+ } - pexpect(endpoint_hport(&nhe) == 0); - *nh = endpoint_address(&nhe); - } -@@ -84,7 +88,11 @@ - if (sa->sa.sa_family == af) { - /* XXX: sizeof right? */ - ip_endpoint dste; -- happy(sockaddr_to_endpoint(sa, sizeof(*sa), &dste)); -+ err_t e = sockaddr_to_endpoint(sa, sizeof(*sa), &dste); -+ if (e != NULL) { -+ pexpect(e != NULL); -+ return false; -+ } - pexpect(endpoint_hport(&dste) == 0); - *dst = endpoint_address(&dste); - } -diff -Naur libreswan-3.32-orig/lib/libswan/ip_endpoint.c libreswan-3.32/lib/libswan/ip_endpoint.c ---- libreswan-3.32-orig/lib/libswan/ip_endpoint.c 2020-05-11 10:13:41.000000000 -0400 -+++ libreswan-3.32/lib/libswan/ip_endpoint.c 2020-06-04 18:51:39.508280352 -0400 -@@ -54,20 +54,12 @@ - switch (sa->sa.sa_family) { - case AF_INET: - { -- /* XXX: to strict? */ -- if (sa_len != sizeof(sa->sin)) { -- return "wrong length"; -- } - address = address_from_in_addr(&sa->sin.sin_addr); - port = ntohs(sa->sin.sin_port); - break; - } - case AF_INET6: - { -- /* XXX: to strict? */ -- if (sa_len != sizeof(sa->sin6)) { -- return "wrong length"; -- } - address = address_from_in6_addr(&sa->sin6.sin6_addr); - port = ntohs(sa->sin6.sin6_port); - break; diff --git a/SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch b/SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch new file mode 100644 index 0000000..539dcd1 --- /dev/null +++ b/SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch @@ -0,0 +1,123 @@ +diff -Naur libreswan-4.2-orig/lib/libipsecconf/keywords.c libreswan-4.2/lib/libipsecconf/keywords.c +--- libreswan-4.2-orig/lib/libipsecconf/keywords.c 2021-02-02 20:36:01.000000000 -0500 ++++ libreswan-4.2/lib/libipsecconf/keywords.c 2021-02-04 19:22:05.880228930 -0500 +@@ -374,6 +374,8 @@ + { "interfaces", kv_config, kt_string, KSF_INTERFACES, NULL, NULL, }, + { "curl-iface", kv_config, kt_string, KSF_CURLIFACE, NULL, NULL, }, + { "curl-timeout", kv_config, kt_time, KBF_CURLTIMEOUT, NULL, NULL, }, ++ { "curl_iface", kv_config | kv_alias, kt_string, KSF_CURLIFACE, NULL, NULL, }, /* obsolete _ */ ++ { "curl_timeout", kv_config | kv_alias, kt_time, KBF_CURLTIMEOUT, NULL, NULL, }, /* obsolete _ */ + + { "myvendorid", kv_config, kt_string, KSF_MYVENDORID, NULL, NULL, }, + { "syslog", kv_config, kt_string, KSF_SYSLOG, NULL, NULL, }, +@@ -381,6 +383,7 @@ + { "logfile", kv_config, kt_filename, KSF_LOGFILE, NULL, NULL, }, + { "plutostderrlog", kv_config, kt_filename, KSF_LOGFILE, NULL, NULL, }, /* obsolete name, but very common :/ */ + { "logtime", kv_config, kt_bool, KBF_LOGTIME, NULL, NULL, }, ++ { "plutostderrlogtime", kv_config | kv_alias, kt_bool, KBF_LOGTIME, NULL, NULL, }, /* obsolete */ + { "logappend", kv_config, kt_bool, KBF_LOGAPPEND, NULL, NULL, }, + { "logip", kv_config, kt_bool, KBF_LOGIP, NULL, NULL, }, + { "audit-log", kv_config, kt_bool, KBF_AUDIT_LOG, NULL, NULL, }, +@@ -400,13 +403,20 @@ + { "global-redirect-to", kv_config, kt_string, KSF_GLOBAL_REDIRECT_TO, NULL, NULL, }, + + { "crl-strict", kv_config, kt_bool, KBF_CRL_STRICT, NULL, NULL, }, ++ { "crl_strict", kv_config | kv_alias, kt_bool, KBF_CRL_STRICT, NULL, NULL, }, /* obsolete _ */ + { "crlcheckinterval", kv_config, kt_time, KBF_CRL_CHECKINTERVAL, NULL, NULL, }, ++ { "strictcrlpolicy", kv_config | kv_alias, kt_bool, KBF_CRL_STRICT, NULL, NULL, }, /* obsolete; used on openswan */ + + { "ocsp-strict", kv_config, kt_bool, KBF_OCSP_STRICT, NULL, NULL, }, ++ { "ocsp_strict", kv_config | kv_alias, kt_bool, KBF_OCSP_STRICT, NULL, NULL, }, /* obsolete _ */ + { "ocsp-enable", kv_config, kt_bool, KBF_OCSP_ENABLE, NULL, NULL, }, ++ { "ocsp_enable", kv_config | kv_alias, kt_bool, KBF_OCSP_ENABLE, NULL, NULL, }, /* obsolete _ */ + { "ocsp-uri", kv_config, kt_string, KSF_OCSP_URI, NULL, NULL, }, ++ { "ocsp_uri", kv_config | kv_alias, kt_string, KSF_OCSP_URI, NULL, NULL, }, /* obsolete _ */ + { "ocsp-timeout", kv_config, kt_number, KBF_OCSP_TIMEOUT, NULL, NULL, }, ++ { "ocsp_timeout", kv_config | kv_alias, kt_number, KBF_OCSP_TIMEOUT, NULL, NULL, }, /* obsolete _ */ + { "ocsp-trustname", kv_config, kt_string, KSF_OCSP_TRUSTNAME, NULL, NULL, }, ++ { "ocsp_trust_name", kv_config | kv_alias, kt_string, KSF_OCSP_TRUSTNAME, NULL, NULL, }, /* obsolete _ */ + { "ocsp-cache-size", kv_config, kt_number, KBF_OCSP_CACHE_SIZE, NULL, NULL, }, + { "ocsp-cache-min-age", kv_config, kt_time, KBF_OCSP_CACHE_MIN, NULL, NULL, }, + { "ocsp-cache-max-age", kv_config, kt_time, KBF_OCSP_CACHE_MAX, NULL, NULL, }, +@@ -426,6 +436,7 @@ + { "virtual_private", kv_config, kt_string, KSF_VIRTUALPRIVATE, NULL, NULL, }, /* obsolete variant, very common */ + { "seedbits", kv_config, kt_number, KBF_SEEDBITS, NULL, NULL, }, + { "keep-alive", kv_config, kt_number, KBF_KEEPALIVE, NULL, NULL, }, ++ { "keep_alive", kv_config | kv_alias, kt_number, KBF_KEEPALIVE, NULL, NULL, }, /* obsolete _ */ + + { "listen-tcp", kv_config, kt_bool, KBF_LISTEN_TCP, NULL, NULL }, + { "listen-udp", kv_config, kt_bool, KBF_LISTEN_UDP, NULL, NULL }, +@@ -437,6 +448,8 @@ + #ifdef HAVE_LABELED_IPSEC + { "ikev1-secctx-attr-type", kv_config, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete: not a value, a type */ + { "secctx-attr-type", kv_config | kv_alias, kt_number, KBF_SECCTX, NULL, NULL, }, ++ { "secctx_attr_value", kv_config | kv_alias, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete _ */ ++ { "secctx-attr-value", kv_config, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete: not a value, a type */ + #endif + + /* these options are obsoleted (and not old aliases) */ +@@ -467,6 +480,7 @@ + { "username", kv_conn | kv_leftright, kt_string, KSCF_USERNAME, NULL, NULL, }, + /* xauthusername is still used in NetworkManager-libreswan :/ */ + { "xauthusername", kv_conn | kv_leftright, kt_string, KSCF_USERNAME, NULL, NULL, }, /* old alias */ ++ { "xauthname", kv_conn | kv_leftright, kt_string, KSCF_USERNAME, NULL, NULL, }, /* old alias */ + { "addresspool", kv_conn | kv_leftright, kt_range, KSCF_ADDRESSPOOL, NULL, NULL, }, + { "auth", kv_conn | kv_leftright, kt_enum, KNCF_AUTH, &kw_authby_lr_list, NULL, }, + { "cat", kv_conn | kv_leftright, kt_bool, KNCF_CAT, NULL, NULL, }, +@@ -489,6 +503,8 @@ + { "esn", kv_conn | kv_processed, kt_enum, KNCF_ESN, &kw_esn_list, NULL, }, + { "decap-dscp", kv_conn | kv_processed, kt_bool, KNCF_DECAP_DSCP, NULL, NULL, }, + { "nopmtudisc", kv_conn | kv_processed, kt_bool, KNCF_NOPMTUDISC, NULL, NULL, }, ++ { "ike_frag", kv_conn | kv_processed | kv_alias, kt_enum, KNCF_IKE_FRAG, &kw_ynf_list, NULL, }, /* obsolete _ */ ++ { "ike-frag", kv_conn | kv_processed | kv_alias, kt_enum, KNCF_IKE_FRAG, &kw_ynf_list, NULL, }, /* obsolete name */ + { "fragmentation", kv_conn | kv_processed, kt_enum, KNCF_IKE_FRAG, &kw_ynf_list, NULL, }, + { "mobike", kv_conn, kt_bool, KNCF_MOBIKE, NULL, NULL, }, + { "narrowing", kv_conn, kt_bool, KNCF_IKEv2_ALLOW_NARROWING, NULL, NULL, }, +@@ -499,13 +515,18 @@ + { "accept-redirect-to", kv_conn, kt_string, KSCF_ACCEPT_REDIRECT_TO, NULL, NULL, }, + { "pfs", kv_conn, kt_bool, KNCF_PFS, NULL, NULL, }, + ++ { "nat_keepalive", kv_conn | kv_alias, kt_bool, KNCF_NAT_KEEPALIVE, NULL, NULL, }, /* obsolete _ */ + { "nat-keepalive", kv_conn, kt_bool, KNCF_NAT_KEEPALIVE, NULL, NULL, }, + ++ { "initial_contact", kv_conn | kv_alias, kt_bool, KNCF_INITIAL_CONTACT, NULL, NULL, }, /* obsolete _ */ + { "initial-contact", kv_conn, kt_bool, KNCF_INITIAL_CONTACT, NULL, NULL, }, ++ { "cisco_unity", kv_conn | kv_alias, kt_bool, KNCF_CISCO_UNITY, NULL, NULL, }, /* obsolete _ */ + { "cisco-unity", kv_conn, kt_bool, KNCF_CISCO_UNITY, NULL, NULL, }, + { "send-no-esp-tfc", kv_conn, kt_bool, KNCF_NO_ESP_TFC, NULL, NULL, }, + { "fake-strongswan", kv_conn, kt_bool, KNCF_VID_STRONGSWAN, NULL, NULL, }, ++ { "send_vendorid", kv_conn | kv_alias, kt_bool, KNCF_SEND_VENDORID, NULL, NULL, }, /* obsolete _ */ + { "send-vendorid", kv_conn, kt_bool, KNCF_SEND_VENDORID, NULL, NULL, }, ++ { "sha2_truncbug", kv_conn | kv_alias, kt_bool, KNCF_SHA2_TRUNCBUG, NULL, NULL, }, /* obsolete _ */ + { "sha2-truncbug", kv_conn, kt_bool, KNCF_SHA2_TRUNCBUG, NULL, NULL, }, + { "ms-dh-downgrade", kv_conn, kt_bool, KNCF_MSDH_DOWNGRADE, NULL, NULL, }, + { "require-id-on-certificate", kv_conn, kt_bool, KNCF_SAN_ON_CERT, NULL, NULL, }, +@@ -520,7 +541,10 @@ + {"ikepad", kv_conn, kt_bool, KNCF_IKEPAD, NULL, NULL, }, + { "nat-ikev1-method", kv_conn | kv_processed, kt_enum, KNCF_IKEV1_NATT, &kw_ikev1natt_list, NULL, }, + ++ { "labeled_ipsec", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */ ++ { "labeled-ipsec", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */ + { "policy-label", kv_conn, kt_string, KSCF_SA_SEC_LABEL, NULL, NULL, }, /* obsolete variant */ ++ { "policy_label", kv_conn, kt_string, KSCF_SA_SEC_LABEL, NULL, NULL, }, /* obsolete variant */ + { "sec-label", kv_conn, kt_string, KSCF_SA_SEC_LABEL, NULL, NULL, }, /* really stored into struct end */ + + /* Cisco interop: remote peer type */ +@@ -531,13 +555,17 @@ + /* Network Manager support */ + #ifdef HAVE_NM + { "nm-configured", kv_conn, kt_bool, KNCF_NMCONFIGURED, NULL, NULL, }, ++ { "nm_configured", kv_conn, kt_bool, KNCF_NMCONFIGURED, NULL, NULL, }, /* obsolete _ */ + #endif + + { "xauthby", kv_conn, kt_enum, KNCF_XAUTHBY, &kw_xauthby, NULL, }, + { "xauthfail", kv_conn, kt_enum, KNCF_XAUTHFAIL, &kw_xauthfail, NULL, }, + { "modecfgpull", kv_conn, kt_invertbool, KNCF_MODECONFIGPULL, NULL, NULL, }, + { "modecfgdns", kv_conn, kt_string, KSCF_MODECFGDNS, NULL, NULL, }, ++ { "modecfgdns1", kv_conn | kv_alias, kt_string, KSCF_MODECFGDNS, NULL, NULL, }, /* obsolete */ ++ { "modecfgdns2", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */ + { "modecfgdomains", kv_conn, kt_string, KSCF_MODECFGDOMAINS, NULL, NULL, }, ++ { "modecfgdomain", kv_conn | kv_alias, kt_string, KSCF_MODECFGDOMAINS, NULL, NULL, }, /* obsolete */ + { "modecfgbanner", kv_conn, kt_string, KSCF_MODECFGBANNER, NULL, NULL, }, + { "ignore-peer-dns", kv_conn, kt_bool, KNCF_IGNORE_PEER_DNS, NULL, NULL, }, + { "mark", kv_conn, kt_string, KSCF_CONN_MARK_BOTH, NULL, NULL, }, diff --git a/SOURCES/libreswan-4.3-1934186-config.patch b/SOURCES/libreswan-4.3-1934186-config.patch new file mode 100644 index 0000000..022fb47 --- /dev/null +++ b/SOURCES/libreswan-4.3-1934186-config.patch @@ -0,0 +1,11 @@ +diff -Naur libreswan-4.3-orig/configs/ipsec.conf.in libreswan-4.3/configs/ipsec.conf.in +--- libreswan-4.3-orig/configs/ipsec.conf.in 2021-03-04 14:29:50.591912834 -0500 ++++ libreswan-4.3/configs/ipsec.conf.in 2021-03-04 14:30:27.227389433 -0500 +@@ -32,6 +32,7 @@ + # listen-tcp=yes + # To enable IKE and IPsec over TCP for VPN client, also specify + # tcp-remote-port=4500 in the client's conn section. ++ virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 + + # if it exists, include system wide crypto-policy defaults + # include /etc/crypto-policies/back-ends/libreswan.config diff --git a/SOURCES/libreswan-4.3-ikev2-tcp.patch b/SOURCES/libreswan-4.3-ikev2-tcp.patch new file mode 100644 index 0000000..ffc8428 --- /dev/null +++ b/SOURCES/libreswan-4.3-ikev2-tcp.patch @@ -0,0 +1,146 @@ +commit 9a69641b34675de26c3989082795ab97325db55c +Author: Paul Wouters +Date: Mon Mar 1 14:57:31 2021 -0500 + + IKEv2: Fix TCP socket to have IP_XFRM_POLICY sockopt set. + + Without this, transport mode or host-to-host will not properly work + on a number of kernels, such as RHEL8 4.18.0-291.el8.x86_64 + + Reported by: Sabrina Dubroca + +diff --git a/programs/pluto/iface_tcp.c b/programs/pluto/iface_tcp.c +index 9a66343f3f..3b4f57d07d 100644 +--- a/programs/pluto/iface_tcp.c ++++ b/programs/pluto/iface_tcp.c +@@ -52,6 +52,16 @@ + #include "nat_traversal.h" /* for nat_traversal_enabled which seems like a broken idea */ + #include "pluto_stats.h" + ++/* work around weird combo's of glibc and kernel header conflicts */ ++#ifndef GLIBC_KERN_FLIP_HEADERS ++# include "linux/xfrm.h" /* local (if configured) or system copy */ ++# include "libreswan.h" ++#else ++# include "libreswan.h" ++# include "linux/xfrm.h" /* local (if configured) or system copy */ ++#endif ++ ++ + static void accept_ike_in_tcp_cb(struct evconnlistener *evcon UNUSED, + int accepted_fd, + struct sockaddr *sockaddr, int sockaddr_len, +@@ -383,6 +393,8 @@ static void iketcp_message_listener_cb(evutil_socket_t unused_fd UNUSED, + struct logger from_logger = logger_from(&global_logger, &ifp->iketcp_remote_endpoint); + struct logger *logger = &from_logger; + ++ bool v6 = ifp->ip_dev->id_address.version == 6; ++ + switch (ifp->iketcp_state) { + + case IKETCP_OPEN: +@@ -443,7 +455,19 @@ static void iketcp_message_listener_cb(evutil_socket_t unused_fd UNUSED, + if (impair.tcp_skip_setsockopt_espintcp) { + llog(RC_LOG, logger, "IMPAIR: TCP: skipping setsockopt(ESPINTCP)"); + } else { ++ struct xfrm_userpolicy_info policy_in = { ++ .action = XFRM_POLICY_ALLOW, ++ .sel.family = v6 ? AF_INET6 :AF_INET, ++ .dir = XFRM_POLICY_IN, ++ }; ++ struct xfrm_userpolicy_info policy_out = { ++ .action = XFRM_POLICY_ALLOW, ++ .sel.family = v6 ? AF_INET6 :AF_INET, ++ .dir = XFRM_POLICY_OUT, ++ }; ++ + dbg("TCP: OPEN: socket %d enabling ESPINTCP", ifp->fd); ++ + if (setsockopt(ifp->fd, IPPROTO_TCP, TCP_ULP, + "espintcp", sizeof("espintcp"))) { + int e = errno; +@@ -459,6 +483,24 @@ static void iketcp_message_listener_cb(evutil_socket_t unused_fd UNUSED, + free_any_iface_endpoint(&ifp); + return; + } ++ ++ if (setsockopt(ifp->fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_in, sizeof(policy_in))) { ++ int e = errno; ++ llog(RC_LOG, logger, ++ "TCP: setsockopt(%d, SOL_TCP, IP_XFRM_POLICY, \"policy_in\") failed; closing socket "PRI_ERRNO, ++ ifp->fd, pri_errno(e)); ++ free_any_iface_endpoint(&ifp); ++ return; ++ } ++ if (setsockopt(ifp->fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_out, sizeof(policy_out))) { ++ int e = errno; ++ llog(RC_LOG, logger, ++ "TCP: setsockopt(%d, SOL_TCP, IP_XFRM_POLICY, \"policy_out\") failed; closing socket "PRI_ERRNO, ++ ifp->fd, pri_errno(e)); ++ free_any_iface_endpoint(&ifp); ++ return; ++ } ++ + } + + /* +@@ -650,6 +692,17 @@ stf_status create_tcp_interface(struct state *st) + if (impair.tcp_skip_setsockopt_espintcp) { + log_state(RC_LOG, st, "IMPAIR: TCP: skipping setsockopt(espintcp)"); + } else { ++ bool v6 = st->st_remote_endpoint.version == 6; ++ struct xfrm_userpolicy_info policy_in = { ++ .action = XFRM_POLICY_ALLOW, ++ .sel.family = v6 ? AF_INET6 :AF_INET, ++ .dir = XFRM_POLICY_IN, ++ }; ++ struct xfrm_userpolicy_info policy_out = { ++ .action = XFRM_POLICY_ALLOW, ++ .sel.family = v6 ? AF_INET6 :AF_INET, ++ .dir = XFRM_POLICY_OUT, ++ }; + dbg("TCP: socket %d enabling \"espintcp\"", fd); + if (setsockopt(fd, IPPROTO_TCP, TCP_ULP, "espintcp", sizeof("espintcp"))) { + log_errno(st->st_logger, errno, +@@ -657,6 +710,18 @@ stf_status create_tcp_interface(struct state *st) + close(fd); + return STF_FATAL; + } ++ if (setsockopt(fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_in, sizeof(policy_in))) { ++ log_errno(st->st_logger, errno, ++ "setsockopt(PPROTO_IP, IP_XFRM_POLICY(in)) failed in netlink_espintcp()"); ++ close(fd); ++ return STF_FATAL; ++ } ++ if (setsockopt(fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_out, sizeof(policy_out))) { ++ log_errno(st->st_logger, errno, ++ "setsockopt(PPROTO_IP, IP_XFRM_POLICY(out)) failed in netlink_espintcp()"); ++ close(fd); ++ return STF_FATAL; ++ } + } + + struct iface_endpoint *ifp = alloc_thing(struct iface_endpoint, "TCP iface initiator"); +commit 7c38cd473d89b8c860ee7e3b8b31cfe012370f1d +Author: Paul Wouters +Date: Mon Mar 1 15:09:16 2021 -0500 + + documentation: small TCP doc update in ipsec.conf.in + +diff --git a/configs/ipsec.conf.in b/configs/ipsec.conf.in +index bb2cc16e64..9fa3300176 100644 +--- a/configs/ipsec.conf.in ++++ b/configs/ipsec.conf.in +@@ -28,9 +28,10 @@ config setup + # dnssec-enable=no + # + # To enable IKE and IPsec over TCP for VPN server. Requires at least +- # Linux 5.7 kernel. For TCP support as a VPN client, specify +- # tcp-remote-port=4500 in the client conn section. ++ # Linux 5.7 kernel or a kernel with TCP backport (like RHEL8 4.18.0-291) + # listen-tcp=yes ++ # To enable IKE and IPsec over TCP for VPN client, also specify ++ # tcp-remote-port=4500 in the client's conn section. + + # if it exists, include system wide crypto-policy defaults + # include /etc/crypto-policies/back-ends/libreswan.config diff --git a/SOURCES/libreswan-4.3-labeled-ipsec.patch b/SOURCES/libreswan-4.3-labeled-ipsec.patch new file mode 100644 index 0000000..9dd18f0 --- /dev/null +++ b/SOURCES/libreswan-4.3-labeled-ipsec.patch @@ -0,0 +1,191 @@ +diff -Naur libreswan-4.3-orig/programs/pluto/connections.c libreswan-4.3/programs/pluto/connections.c +--- libreswan-4.3-orig/programs/pluto/connections.c 2021-02-21 12:03:03.000000000 -0500 ++++ libreswan-4.3/programs/pluto/connections.c 2021-02-24 16:28:05.608119041 -0500 +@@ -2475,9 +2475,8 @@ + endpoint_in_selector(local_client, &sr->this.client) && + endpoint_in_selector(remote_client, &sr->that.client) + #ifdef HAVE_LABELED_IPSEC +- && ((sec_label.ptr == NULL && +- sr->this.sec_label.ptr == NULL) || +- /* don't call with NULL, it confuses it */ ++ && ((sec_label.ptr == NULL && sr->this.sec_label.ptr == NULL) || ++ hunk_eq(sec_label, sr->this.sec_label) || + within_range((const char *)sec_label.ptr, + (const char *)sr->this.sec_label.ptr, logger)) + #endif +diff -Naur libreswan-4.3-orig/programs/pluto/ikev1_spdb_struct.c libreswan-4.3/programs/pluto/ikev1_spdb_struct.c +--- libreswan-4.3-orig/programs/pluto/ikev1_spdb_struct.c 2021-02-21 12:03:03.000000000 -0500 ++++ libreswan-4.3/programs/pluto/ikev1_spdb_struct.c 2021-02-24 16:28:59.819791102 -0500 +@@ -113,7 +113,9 @@ + return false; + } + +- if (!within_range(sec_label.ptr, /* we ensured NUL termination above */ ++ ++ if (!hunk_eq(sec_label, c->spd.this.sec_label) && ++ !within_range(sec_label.ptr, /* we ensured NUL termination above */ + (const char *)c->spd.this.sec_label.ptr, /* we ensured NUL termination earlier? */ + st->st_logger)) { + LLOG_JAMBUF(RC_LOG_SERIOUS, st->st_logger, buf) { +diff -Naur libreswan-4.3-orig/programs/pluto/ikev2_ts.c libreswan-4.3/programs/pluto/ikev2_ts.c +--- libreswan-4.3-orig/programs/pluto/ikev2_ts.c 2021-02-21 12:03:03.000000000 -0500 ++++ libreswan-4.3/programs/pluto/ikev2_ts.c 2021-02-24 16:30:19.639780631 -0500 +@@ -862,7 +862,8 @@ + } + + #ifdef HAVE_LABELED_IPSEC +-static bool score_ends_seclabel(const struct ends *ends, ++static bool score_ends_seclabel(const chunk_t **selected_sec_label, ++ const struct ends *ends, + const struct connection *d, + const struct traffic_selectors *tsi, + const struct traffic_selectors *tsr, +@@ -875,6 +876,10 @@ + bool match_i = false; + bool match_r = false; + ++ if (selected_sec_label != NULL) { ++ *selected_sec_label = NULL; ++ } ++ + for (unsigned tsi_n = 0; tsi_n < tsi->nr; tsi_n++) { + const struct traffic_selector *cur = &tsi->ts[tsi_n]; + if (cur->ts_type == IKEv2_TS_SECLABEL) { +@@ -883,7 +888,8 @@ + // complain loudly + continue; + } else { +- if (within_range((const char *)cur->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) { ++ if (hunk_eq(cur->sec_label, d->spd.this.sec_label) || ++ within_range((const char *)cur->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) { + match_i = true; + dbg("ikev2ts #1: received label within range of our security label"); + } else { +@@ -902,9 +908,13 @@ + dbg("IKEv2_TS_SECLABEL but zero length cur->sec_label"); + continue; + } else { +- if (within_range((const char *)ends->r->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) { ++ if (hunk_eq(ends->r->sec_label, d->spd.this.sec_label) || ++ within_range((const char *)ends->r->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) { + dbg("ikev2ts #2: received label within range of our security label"); + match_r = true; ++ if (selected_sec_label != NULL) { ++ *selected_sec_label = &cur->sec_label; ++ } + } else { + dbg("ikev2ts #2: received label not within range of our security label"); + DBG_dump_hunk("ends->r->sec_label", ends->r->sec_label); +@@ -926,7 +936,8 @@ + return require_label == recv_label_i && match_i && match_r; + } + #else +-static bool score_ends_seclabel(const struct ends *ends UNUSED, ++static bool score_ends_seclabel(const chunk_t **selected_sec_label, ++ const struct ends *ends UNUSED, + const struct connection *d UNUSED, + const struct traffic_selectors *tsi UNUSED, + const struct traffic_selectors *tsr UNUSED, +@@ -1030,6 +1041,7 @@ + struct best_score best_score = NO_SCORE; + const struct spd_route *best_spd_route = NULL; + struct connection *best_connection = c; ++ const chunk_t *best_sec_label = NULL; + + /* find best spd in c */ + +@@ -1042,7 +1054,8 @@ + .r = &sra->this, + }; + +- if (!score_ends_seclabel(&ends, c, &tsi, &tsr, child->sa.st_logger)) { ++ const chunk_t* selected_sec_label = NULL; ++ if (!score_ends_seclabel(&selected_sec_label, &ends, c, &tsi, &tsr, child->sa.st_logger)) { + continue; + } + +@@ -1060,6 +1073,7 @@ + score.tsi - tsi.ts, score.tsr - tsr.ts); + best_score = score; + best_spd_route = sra; ++ best_sec_label = selected_sec_label; + passert(best_connection == c); + } + } +@@ -1143,7 +1157,8 @@ + ? END_NARROWER_THAN_TS + : END_EQUALS_TS; + +- if (!score_ends_seclabel(&ends, d, &tsi, &tsr, ++ const chunk_t* selected_sec_label = NULL; ++ if (!score_ends_seclabel(&selected_sec_label, &ends, d, &tsi, &tsr, + child->sa.st_logger)) + continue; + +@@ -1159,6 +1174,7 @@ + best_connection = d; + best_score = score; + best_spd_route = sr; ++ best_sec_label = selected_sec_label; + } + } + } +@@ -1389,6 +1405,13 @@ + */ + update_state_connection(&child->sa, best_connection); + ++ if (best_sec_label != NULL) { ++ if (child->sa.st_seen_sec_label.len != 0) { ++ free_chunk_content(&child->sa.st_seen_sec_label); ++ } ++ child->sa.st_seen_sec_label = clone_hunk(*best_sec_label, "st_seen_sec_label"); ++ } ++ + child->sa.st_ts_this = ikev2_end_to_ts(&best_spd_route->this, child->sa.st_acquired_sec_label); + child->sa.st_ts_that = ikev2_end_to_ts(&best_spd_route->that, child->sa.st_seen_sec_label); + +@@ -1424,7 +1447,8 @@ + ? END_WIDER_THAN_TS + : END_EQUALS_TS; + +- if (!score_ends_seclabel(&e, c, &tsi, &tsr, child->sa.st_logger)) ++ const chunk_t *selected_sec_label = NULL; ++ if (!score_ends_seclabel(&selected_sec_label, &e, c, &tsi, &tsr, child->sa.st_logger)) + return false; + + struct best_score best = score_ends_iprange(initiator_widening, c, &e, &tsi, &tsr); +@@ -1435,6 +1459,13 @@ + return false; + } + ++ if (selected_sec_label != NULL) { ++ if (child->sa.st_seen_sec_label.len != 0) { ++ free_chunk_content(&child->sa.st_seen_sec_label); ++ } ++ child->sa.st_seen_sec_label = clone_hunk(*selected_sec_label, "st_seen_sec_label"); ++ } ++ + /* XXX: check conversions */ + dbg("initiator saving acceptable TSi response in this"); + ts_to_end(best.tsi, &c->spd.this, &child->sa.st_ts_this); +@@ -1489,7 +1520,7 @@ + + enum fit fitness = END_NARROWER_THAN_TS; + +- if (!score_ends_seclabel(&ends, c, &their_tsis, &their_tsrs, ++ if (!score_ends_seclabel(NULL, &ends, c, &their_tsis, &their_tsrs, + child->sa.st_logger)) { + log_state(RC_LOG_SERIOUS, &child->sa, + "rekey: received Traffic Selectors mismatch configured selectors for Security Label"); +diff -Naur libreswan-4.3-orig/programs/pluto/ikev2_parent.c libreswan-4.3/programs/pluto/ikev2_parent.c +--- libreswan-4.3-orig/programs/pluto/ikev2_parent.c 2021-02-21 12:03:03.000000000 -0500 ++++ libreswan-4.3/programs/pluto/ikev2_parent.c 2021-03-01 10:31:49.667207958 -0500 +@@ -5943,8 +5943,6 @@ + * from a policy we gave the kernel, so it _should_ be within our range? + */ + child->sa.st_acquired_sec_label = clone_hunk(p->sec_label, "st_acquired_sec_label"); +- c->spd.this.sec_label = clone_hunk(p->sec_label, "updated conn label"); +- c->spd.that.sec_label = clone_hunk(p->sec_label, "updated conn label"); + } + + } else { diff --git a/SOURCES/libreswan-4.3-maintain-different-v1v2-split.patch b/SOURCES/libreswan-4.3-maintain-different-v1v2-split.patch new file mode 100644 index 0000000..33bf0fb --- /dev/null +++ b/SOURCES/libreswan-4.3-maintain-different-v1v2-split.patch @@ -0,0 +1,70 @@ +diff -Naur libreswan-4.3-orig/configs/d.ipsec.conf/ikev2.xml libreswan-4.3/configs/d.ipsec.conf/ikev2.xml +--- libreswan-4.3-orig/configs/d.ipsec.conf/ikev2.xml 2021-02-21 12:03:03.000000000 -0500 ++++ libreswan-4.3/configs/d.ipsec.conf/ikev2.xml 2021-02-21 12:33:36.226284499 -0500 +@@ -1,15 +1,15 @@ + + ikev2 + +-Whether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) settings to be used. +-Currently the accepted values are no(the default), +-signifying only IKEv1 is accepted, or yes, ++Wether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) as the Internet Key Exchange (IKE) protcol. ++Currently the accepted values are no (or never) ++signifying only IKEv1 is accepted, or insist(the default), + signifying only IKEv2 is accepted. Previous versions allowed the keywords +-propose or permit +-that would allow either IKEv1 or IKEv2, but this is no longer supported. The +-permit option is interpreted as no and the propose option is interpreted as +-yes. Older versions also supported keyword +-insist which is now interpreted as yes. ++propose, yes or permit ++that would allow either IKEv1 or IKEv2, but this is no longer supported and both options ++now cause the connection to fail to load. WARNING: This behaviour differs from upstream ++libreswan, which only accepts yes or no where yes means ++the same as insist. + + + +diff -Naur libreswan-4.3-orig/lib/libipsecconf/confread.c libreswan-4.3/lib/libipsecconf/confread.c +--- libreswan-4.3-orig/lib/libipsecconf/confread.c 2021-02-21 12:03:03.000000000 -0500 ++++ libreswan-4.3/lib/libipsecconf/confread.c 2021-02-21 12:37:43.138031929 -0500 +@@ -1310,11 +1310,17 @@ + + switch (conn->options[KNCF_IKEv2]) { + case fo_never: +- case fo_permit: + conn->ike_version = IKEv1; + break; + ++ case fo_permit: ++ starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no|never"); ++ return TRUE; ++ + case fo_propose: ++ starter_error_append(perrl, "ikev2=propose or ikev2=yes is no longer accepted. Use ikev2=insist or ikev2=no|never"); ++ return TRUE; ++ + case fo_insist: + conn->ike_version = IKEv2; + break; +diff -Naur libreswan-4.3-orig/programs/whack/whack.c libreswan-4.3/programs/whack/whack.c +--- libreswan-4.3-orig/programs/whack/whack.c 2021-02-21 12:03:03.000000000 -0500 ++++ libreswan-4.3/programs/whack/whack.c 2021-02-21 12:39:27.066188354 -0500 +@@ -801,7 +801,7 @@ + { "ikev1-allow", no_argument, NULL, CD_IKEv1 + OO }, /* obsolete name */ + { "ikev2", no_argument, NULL, CD_IKEv2 +OO }, + { "ikev2-allow", no_argument, NULL, CD_IKEv2 +OO }, /* obsolete name */ +- { "ikev2-propose", no_argument, NULL, CD_IKEv2 +OO }, /* obsolete, map onto allow */ ++ /* not in RHEL8 { "ikev2-propose", no_argument, NULL, CD_IKEv2 +OO }, */ + + PS("allow-narrowing", IKEV2_ALLOW_NARROWING), + #ifdef AUTH_HAVE_PAM +@@ -1762,7 +1762,7 @@ + end_seen = LEMPTY; + continue; + +- /* --ikev1 --ikev2 --ikev2-propose */ ++ /* --ikev1 --ikev2 */ + case CD_IKEv1: + case CD_IKEv2: + { diff --git a/SPECS/libreswan.spec b/SPECS/libreswan.spec index 1e2f78b..07cbf57 100644 --- a/SPECS/libreswan.spec +++ b/SPECS/libreswan.spec @@ -5,17 +5,18 @@ %global with_cavstests 1 # minimum version for support for rhbz#1651314 # should prob update for nss with IKEv1 quick mode support -%global nss_version 3.53.1-3 +%global nss_version 3.53.1 %global unbound_version 1.6.6 %global libreswan_config \\\ FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\ FINALMANDIR=%{_mandir} \\\ - INC_RCDEFAULT=%{_initrddir} \\\ - INC_USRLOCAL=%{_prefix} \\\ + FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\ INITSYSTEM=systemd \\\ - NSS_REQ_AVA_COPY=false \\\ NSS_HAS_IPSEC_PROFILE=true \\\ + NSS_REQ_AVA_COPY=false \\\ + PREFIX=%{_prefix} \\\ PYTHON_BINARY=%{__python3} \\\ + SHELL_BINARY=%{_bindir}/sh \\\ USE_DNSSEC=true \\\ USE_FIPSCHECK=false \\\ USE_LABELED_IPSEC=true \\\ @@ -24,11 +25,9 @@ USE_LIBCURL=true \\\ USE_LINUX_AUDIT=true \\\ USE_NM=true \\\ + USE_NSS_KDF=true \\\ USE_SECCOMP=true \\\ - USE_XAUTHPAM=true \\\ - USE_KLIPS=false \\\ - USE_NSS_PRF=true \\\ - USE_PRF_AES_XCBC=true \\\ + USE_AUTHPAM=true \\\ USE_DH2=true \\\ %{nil} @@ -37,8 +36,8 @@ Name: libreswan Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols # version is generated in the release script -Version: 3.32 -Release: %{?prever:0.}7%{?prever:.%{prever}}%{?dist} +Version: 4.3 +Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist} License: GPLv2 Url: https://libreswan.org/ @@ -49,20 +48,18 @@ Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2 %endif -Patch1: libreswan-3.32-maintain-different-v1v2-split.patch -Patch2: libreswan-3.32-rebase-fixups.patch -Patch3: libreswan-3.32-1842597-accounting.patch -Patch4: libreswan-3.32-1847766-xfrmi.patch -Patch5: libreswan-3.32-1840212-nss-gcm.patch -Patch6: libreswan-3.32-1544463-seccomp.patch -Patch7: libreswan-3.32-1861360-nodefault-rsa-pss.patch -Patch8: libreswan-3.32-1880466-labeled-ipsec.patch +Patch1: libreswan-4.3-maintain-different-v1v2-split.patch +Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch +Patch3: libreswan-4.1-maintain-obsolete-keywords.patch +Patch4: libreswan-4.3-labeled-ipsec.patch +Patch5: libreswan-4.3-ikev2-tcp.patch +Patch6: libreswan-4.3-1934186-config.patch BuildRequires: audit-libs-devel BuildRequires: bison BuildRequires: curl-devel BuildRequires: flex -BuildRequires: gcc +BuildRequires: gcc make BuildRequires: ldns-devel BuildRequires: libcap-ng-devel BuildRequires: libevent-devel @@ -70,7 +67,7 @@ BuildRequires: libseccomp-devel BuildRequires: libselinux-devel BuildRequires: nspr-devel BuildRequires: nss-devel >= %{nss_version} -buildRequires: nss-tools +BuildRequires: nss-tools BuildRequires: openldap-devel BuildRequires: pam-devel BuildRequires: pkgconfig @@ -117,21 +114,12 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %patch4 -p1 %patch5 -p1 %patch6 -p1 -%patch7 -p1 -%patch8 -p1 - -pathfix.py -i %{__python3} -pn testing/cert_verify/usage_test \ - testing/pluto/ikev1-01-fuzzer/cve-2015-3204.py \ - testing/pluto/ikev2-15-fuzzer/send_bad_packets.py - -# replace unsupported KLIPS README -echo "KLIPS is not supported with RHEL8" > README.KLIPS # linking to freebl is not needed sed -i "s/-lfreebl //" mk/config.mk # enable crypto-policies support -sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in +sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in %build make %{?_smp_mflags} \ @@ -159,8 +147,6 @@ rm -rf %{buildroot}/usr/share/doc/libreswan rm -rf %{buildroot}%{_libexecdir}/ipsec/*check install -d -m 0755 %{buildroot}%{_rundir}/pluto -# used when setting --perpeerlog without --perpeerlogbase -install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer install -d %{buildroot}%{_sbindir} install -d %{buildroot}%{_sysconfdir}/sysctl.d @@ -221,19 +207,33 @@ certutil -N -d sql:$tmpdir --empty-password %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/* %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf -%attr(0700,root,root) %dir %{_localstatedir}/log/pluto -%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer %attr(0755,root,root) %dir %{_rundir}/pluto %attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf %attr(0644,root,root) %{_unitdir}/ipsec.service %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto +%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan %{_sbindir}/ipsec %{_libexecdir}/ipsec %attr(0644,root,root) %doc %{_mandir}/*/* %changelog -* Thu Sep 24 10:03:36 EDT 2020 Paul Wouters - 3.32-7 -- Resolves: rhbz#1882449 Labeled IPsec not working [rhel-8.3.0.z] +* Thu Mar 04 2021 Paul Wouters - 4.3-3 +- Resolves: rhbz#1372050 RFE: Support IKE and ESP over TCP: RFC 8229 +- Resolves: rhbz#1934186 virtual_private setting is missing in the default config + +* Mon Mar 01 2021 Paul Wouters - 4.3-2 +- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec [update] + +* Sun Feb 21 2021 Paul Wouters - 4.3-1 +- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec [update] + +* Thu Feb 04 2021 Paul Wouters - 4.2-1 +- Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.2 +- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec + +* Tue Oct 27 22:11:42 EDT 2020 Paul Wouters - 4.1-1 +- Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.1 +- Resolves: rhbz#1889836 libreswan: add 3.x compat patches for obsoleted/removed keywords of 4.0 and re-port ikev2= patch * Wed Jul 29 2020 Paul Wouters - 3.32-6 - Resolves: rhbz#1861360 authby=rsasig must not imply usage of rsa-pss