From ae22f2539e73164afe4946f036cf88f1e6821891 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 30 2017 13:44:12 +0000 Subject: import libreswan-3.20-5.el7_4 --- diff --git a/SOURCES/libreswan-3.21-xauth-passwd.patch b/SOURCES/libreswan-3.21-xauth-passwd.patch new file mode 100644 index 0000000..38cad62 --- /dev/null +++ b/SOURCES/libreswan-3.21-xauth-passwd.patch @@ -0,0 +1,13 @@ +diff --git a/programs/pluto/ikev1_xauth.c b/programs/pluto/ikev1_xauth.c +index 5a8e92b68..f023e119f 100644 +--- a/programs/pluto/ikev1_xauth.c ++++ b/programs/pluto/ikev1_xauth.c +@@ -2103,7 +2103,7 @@ static stf_status xauth_client_resp(struct state *st, + } + + if (st->st_xauth_password.ptr == NULL) { +- char xauth_password[64]; ++ char xauth_password[XAUTH_MAX_PASS_LENGTH]; + + if (st->st_whack_sock == -1) { + loglog(RC_LOG_SERIOUS, diff --git a/SOURCES/libreswan-3.21-xauth-state.patch b/SOURCES/libreswan-3.21-xauth-state.patch new file mode 100644 index 0000000..fae458c --- /dev/null +++ b/SOURCES/libreswan-3.21-xauth-state.patch @@ -0,0 +1,45 @@ +diff -Naur libreswan-3.21-orig/programs/pluto/ikev1.c libreswan-3.21/programs/pluto/ikev1.c +--- libreswan-3.21-orig/programs/pluto/ikev1.c 2017-08-09 13:47:34.000000000 -0700 ++++ libreswan-3.21/programs/pluto/ikev1.c 2017-10-16 14:43:10.057639590 -0700 +@@ -2273,16 +2273,17 @@ + * actual end of phase 1. With modecfg, negotiation ends with + * STATE_MAIN_I4 already. + */ +-#if 0 /* ??? what's this code for? */ + if (st->st_connection->spd.this.xauth_client +- && st->hidden_variables.st_xauth_client_done +- && !st->st_connection->spd.this.modecfg_client +- && st->st_state == STATE_XAUTH_I1) { +- DBG(DBG_CONTROL, +- DBG_log("As XAUTH is done and modecfg is not configured, so Phase 1 neogtiation finishes successfully")); +- change_state(st, STATE_MAIN_I4); ++ && st->hidden_variables.st_xauth_client_done ++ && !st->st_connection->spd.this.modecfg_client ++ && st->st_state == STATE_XAUTH_I1) ++ { ++ bool aggrmode = (st->st_connection->policy & POLICY_AGGRESSIVE); ++ ++ libreswan_log("XAUTH completed, ModeCFG skipped as per configuration"); ++ change_state(st, aggrmode ? STATE_AGGR_I2 : STATE_MAIN_I4); ++ st->st_msgid_phase15 = v1_MAINMODE_MSGID; + } +-#endif + + /* Schedule for whatever timeout is specified */ + if (!md->event_already_set) { +@@ -2332,6 +2333,15 @@ + bool agreed_time = FALSE; + struct connection *c = st->st_connection; + ++ /* fixup in case of state machine jump for xauth without modecfg */ ++ if (c->spd.this.xauth_client ++ && st->hidden_variables.st_xauth_client_done ++ && !c->spd.this.modecfg_client ++ && (st->st_state == STATE_MAIN_I4 || st->st_state == STATE_AGGR_I2)) { ++ DBG(DBG_CONTROL, DBG_log("fixup XAUTH without ModeCFG event from EVENT_v1_RETRANSMIT to EVENT_SA_REPLACE")); ++ kind = EVENT_SA_REPLACE; ++ } ++ + switch (kind) { + case EVENT_v1_RETRANSMIT: /* Retransmit packet */ + delay_ms = c->r_interval; diff --git a/SPECS/libreswan.spec b/SPECS/libreswan.spec index 96c007b..eb3c4c4 100644 --- a/SPECS/libreswan.spec +++ b/SPECS/libreswan.spec @@ -5,7 +5,7 @@ %global USE_NM true %global USE_LINUX_AUDIT true %global USE_SECCOMP 0 -%global USE_DNSSEC false +%global USE_DNSSEC true %global _hardened_build 1 %global buildefence 0 @@ -21,7 +21,7 @@ Name: libreswan Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols Version: 3.20 -Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist} +Release: %{?prever:0.}5%{?prever:.%{prever}}%{?dist} License: GPLv2 Group: System Environment/Daemons Url: https://libreswan.org/ @@ -34,6 +34,8 @@ Patch1: libreswan-3.20-1372279-down-error.patch Patch2: libreswan-3.20-1444115-fips-F4.patch Patch3: libreswan-3.20-1341353-psk-fips.patch Patch4: libreswan-3.2-1458227-cavp-fips.patch +Patch5: libreswan-3.21-xauth-state.patch +Patch6: libreswan-3.21-xauth-passwd.patch Requires: iproute >= 2.6.8 nss-tools nss-softokn @@ -117,8 +119,8 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %patch2 -p1 %patch3 -p1 %patch4 -p1 -echo "USE_LINUX_AUDIT=true" > Makefile.inc.local -echo "USE_DNSSEC=false" >> Makefile.inc.local +%patch5 -p1 +%patch6 -p1 %build %if %{buildefence} @@ -200,6 +202,26 @@ make \ %else INITSYSTEM=systemd \ %endif + USE_NM=%{USE_NM} \ + USE_XAUTHPAM=true \ +%if %{USE_FIPSCHECK} + USE_FIPSCHECK="%{USE_FIPSCHECK}" \ + FIPSPRODUCTCHECK=/etc/system-fips \ +%endif + USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \ + USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \ + USE_LINUX_AUDIT=true \ +%if %{USE_CRL_FETCHING} + USE_LDAP=true \ + USE_LIBCURL=true \ +%endif + USE_DNSSEC=true \ + INC_USRLOCAL=%{_prefix} \ + FINALLIBDIR=%{_libexecdir}/ipsec \ + FINALLIBEXECDIR=%{_libexecdir}/ipsec \ + MODPROBE="modprobe -q -b" \ + USE_DH22=true \ + USE_SECCOMP="%{USE_SECCOMP}" \ install FS=$(pwd) rm -rf %{buildroot}/usr/share/doc/libreswan @@ -313,6 +335,13 @@ fi %endif %changelog +* Tue Oct 24 2017 Paul Wouters - 3.20-5 +- Resolves: rhbz#1503949 [updated - USE_DNSSEC setting was updated] + +* Thu Oct 19 2017 Paul Wouters - 3.20-4 +- Resolves: rhbz#1501809 libreswan does not establish IKE with xauth enabled but modecfg disabled +- Resolves: rhbz#1503949 xauth password length limited to 64 bytes while XAUTH_MAX_PASS_LENGTH (128) + * Mon Jun 12 2017 Paul Wouters - 3.20-3 - Resolves: rhbz#1372279 ipsec auto --down CONNECTION returns error for tunnels [updated] - Resolves: rhbz#1458227 CAVS test driver does not work in FIPS mode