From f301eef962466872ece54e84b16af36c36eb7e5e Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jul 14 2020 01:33:39 +0000 Subject: import libreswan-3.32-4.el8 --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..a1d30d3 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +SOURCES/ikev1_dsa.fax.bz2 +SOURCES/ikev1_psk.fax.bz2 +SOURCES/ikev2.fax.bz2 +SOURCES/libreswan-3.32.tar.gz diff --git a/.libreswan.metadata b/.libreswan.metadata new file mode 100644 index 0000000..8a34fc6 --- /dev/null +++ b/.libreswan.metadata @@ -0,0 +1,4 @@ +b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2 +861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2 +fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2 +d752c8df37c90733a01c24849d439733acd4e8f0 SOURCES/libreswan-3.32.tar.gz diff --git a/SOURCES/libreswan-3.32-1544463-seccomp.patch b/SOURCES/libreswan-3.32-1544463-seccomp.patch new file mode 100644 index 0000000..3b78fd2 --- /dev/null +++ b/SOURCES/libreswan-3.32-1544463-seccomp.patch @@ -0,0 +1,57 @@ +diff -Naur libreswan-3.32-orig/programs/pluto/pluto_seccomp.c libreswan-3.32/programs/pluto/pluto_seccomp.c +--- libreswan-3.32-orig/programs/pluto/pluto_seccomp.c 2020-05-11 10:13:41.000000000 -0400 ++++ libreswan-3.32/programs/pluto/pluto_seccomp.c 2020-07-01 20:33:38.918685784 -0400 +@@ -59,6 +59,7 @@ + + /* needed for pluto and updown, not helpers */ + if (main) { ++ LSW_SECCOMP_ADD(ctx, _llseek); + LSW_SECCOMP_ADD(ctx, accept); + LSW_SECCOMP_ADD(ctx, access); + LSW_SECCOMP_ADD(ctx, bind); +@@ -69,6 +70,7 @@ + LSW_SECCOMP_ADD(ctx, connect); + LSW_SECCOMP_ADD(ctx, dup); + LSW_SECCOMP_ADD(ctx, dup2); ++ LSW_SECCOMP_ADD(ctx, dup3); + LSW_SECCOMP_ADD(ctx, epoll_create); + LSW_SECCOMP_ADD(ctx, epoll_ctl); + LSW_SECCOMP_ADD(ctx, epoll_wait); +@@ -85,7 +87,7 @@ + LSW_SECCOMP_ADD(ctx, getgid); + LSW_SECCOMP_ADD(ctx, getgroups); + LSW_SECCOMP_ADD(ctx, getpgrp); +- LSW_SECCOMP_ADD(ctx, getpid); ++ LSW_SECCOMP_ADD(ctx, getpgid); + LSW_SECCOMP_ADD(ctx, getppid); + LSW_SECCOMP_ADD(ctx, getrandom); /* for unbound */ + LSW_SECCOMP_ADD(ctx, getrlimit); +@@ -102,10 +104,12 @@ + LSW_SECCOMP_ADD(ctx, pipe); + LSW_SECCOMP_ADD(ctx, pipe2); + LSW_SECCOMP_ADD(ctx, poll); ++ LSW_SECCOMP_ADD(ctx, ppoll); + LSW_SECCOMP_ADD(ctx, prctl); + LSW_SECCOMP_ADD(ctx, pread64); + LSW_SECCOMP_ADD(ctx, prlimit64); + LSW_SECCOMP_ADD(ctx, readlink); ++ LSW_SECCOMP_ADD(ctx, readlinkat); + LSW_SECCOMP_ADD(ctx, recvfrom); + LSW_SECCOMP_ADD(ctx, recvmsg); + LSW_SECCOMP_ADD(ctx, select); +@@ -126,6 +130,7 @@ + LSW_SECCOMP_ADD(ctx, arch_prctl); + LSW_SECCOMP_ADD(ctx, exit_group); + LSW_SECCOMP_ADD(ctx, exit); ++ LSW_SECCOMP_ADD(ctx, getpid); + LSW_SECCOMP_ADD(ctx, gettid); + LSW_SECCOMP_ADD(ctx, gettimeofday); + LSW_SECCOMP_ADD(ctx, fstat); +@@ -139,6 +144,7 @@ + LSW_SECCOMP_ADD(ctx, rt_sigprocmask); + LSW_SECCOMP_ADD(ctx, rt_sigreturn); + LSW_SECCOMP_ADD(ctx, sched_setparam); ++ LSW_SECCOMP_ADD(ctx, send); + LSW_SECCOMP_ADD(ctx, sendto); + LSW_SECCOMP_ADD(ctx, set_tid_address); + LSW_SECCOMP_ADD(ctx, sigaltstack); diff --git a/SOURCES/libreswan-3.32-1840212-nss-gcm.patch b/SOURCES/libreswan-3.32-1840212-nss-gcm.patch new file mode 100644 index 0000000..5c47f71 --- /dev/null +++ b/SOURCES/libreswan-3.32-1840212-nss-gcm.patch @@ -0,0 +1,16 @@ +diff -Naur libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c +--- libreswan-3.32-orig/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c 2020-05-11 10:13:41.000000000 -0400 ++++ libreswan-3.32/lib/libswan/ike_alg_encrypt_nss_gcm_ops.c 2020-06-17 15:06:12.340210966 -0400 +@@ -16,6 +16,12 @@ + #include + #include + ++/* ++ * Special advise from Bob Relyea - needs to go before any nss include ++ * ++ */ ++#define NSS_PKCS11_2_0_COMPAT 1 ++ + #include "lswlog.h" + #include "lswnss.h" + #include "prmem.h" diff --git a/SOURCES/libreswan-3.32-1842597-accounting.patch b/SOURCES/libreswan-3.32-1842597-accounting.patch new file mode 100644 index 0000000..7204372 --- /dev/null +++ b/SOURCES/libreswan-3.32-1842597-accounting.patch @@ -0,0 +1,15 @@ +diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c +index 28726cf82a..25ee52179a 100644 +--- a/programs/pluto/kernel.c ++++ b/programs/pluto/kernel.c +@@ -600,8 +600,8 @@ bool fmt_common_shell_out(char *buf, size_t blen, const struct connection *c, + * true==inbound: inbound updates OUR_BYTES; !inbound updates + * PEER_BYTES. + */ +- bool outbytes = st != NULL && IS_IKE_SA(st) && get_sa_info(st, false, NULL); +- bool inbytes = st != NULL && IS_IKE_SA(st) && get_sa_info(st, true, NULL); ++ bool outbytes = st != NULL && get_sa_info(st, false, NULL); ++ bool inbytes = st != NULL && get_sa_info(st, true, NULL); + jambuf_t jambuf = array_as_jambuf(buf, blen); + jam_common_shell_out(&jambuf, c, sr, st, inbytes, outbytes); + return jambuf_ok(&jambuf); diff --git a/SOURCES/libreswan-3.32-1847766-xfrmi.patch b/SOURCES/libreswan-3.32-1847766-xfrmi.patch new file mode 100644 index 0000000..f7b69ec --- /dev/null +++ b/SOURCES/libreswan-3.32-1847766-xfrmi.patch @@ -0,0 +1,24 @@ +commit 790a79ba9f8f16532040d9c8a51a27c20e13c154 +Author: Paul Wouters +Date: Tue Jun 16 20:57:01 2020 -0400 + + pluto: find_pluto_xfrmi_interface() would only check first interface + +diff --git a/programs/pluto/kernel_xfrm_interface.c b/programs/pluto/kernel_xfrm_interface.c +index 8fc27b727d..0dc1a7ec8c 100644 +--- a/programs/pluto/kernel_xfrm_interface.c ++++ b/programs/pluto/kernel_xfrm_interface.c +@@ -586,9 +586,10 @@ static struct pluto_xfrmi *find_pluto_xfrmi_interface(uint32_t if_id) + struct pluto_xfrmi *ret = NULL; + + for (h = pluto_xfrm_interfaces; h != NULL; h = h->next) { +- if (h->if_id == if_id) +- ret = h; +- break; ++ if (h->if_id == if_id) { ++ ret = h; ++ break; ++ } + } + + return ret; diff --git a/SOURCES/libreswan-3.32-maintain-different-v1v2-split.patch b/SOURCES/libreswan-3.32-maintain-different-v1v2-split.patch new file mode 100644 index 0000000..423e871 --- /dev/null +++ b/SOURCES/libreswan-3.32-maintain-different-v1v2-split.patch @@ -0,0 +1,70 @@ +diff -Naur libreswan-3.32rc1-orig/lib/libipsecconf/confread.c libreswan-3.32rc1/lib/libipsecconf/confread.c +--- libreswan-3.32rc1-orig/lib/libipsecconf/confread.c 2020-04-28 22:27:20.000000000 -0400 ++++ libreswan-3.32rc1/lib/libipsecconf/confread.c 2020-04-30 13:41:18.612751661 -0400 +@@ -1332,13 +1332,16 @@ + + switch (conn->options[KNCF_IKEv2]) { + case fo_never: +- case fo_permit: + conn->policy |= POLICY_IKEV1_ALLOW; + /* clear any inherited default */ + conn->policy &= ~POLICY_IKEV2_ALLOW; + break; +- ++ case fo_permit: ++ starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no|never"); ++ return TRUE; + case fo_propose: ++ starter_error_append(perrl, "ikev2=propose or ikev2=yes is no longer accepted. Use ikev2=insist or ikev2=no|never"); ++ return TRUE; + case fo_insist: + conn->policy |= POLICY_IKEV2_ALLOW; + /* clear any inherited default */ +diff -Naur libreswan-3.32rc1-orig/programs/configs/d.ipsec.conf/ikev2.xml libreswan-3.32rc1/programs/configs/d.ipsec.conf/ikev2.xml +--- libreswan-3.32rc1-orig/programs/configs/d.ipsec.conf/ikev2.xml 2020-04-28 22:27:20.000000000 -0400 ++++ libreswan-3.32rc1/programs/configs/d.ipsec.conf/ikev2.xml 2020-04-30 13:45:14.847694267 -0400 +@@ -1,15 +1,15 @@ + + ikev2 + +-Whether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) settings to be used. +-Currently the accepted values are no(the default), +-signifying only IKEv1 is accepted, or yes, ++Wether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) as the Internet Key Exchange (IKE) protcol. ++Currently the accepted values are no (or never) ++signifying only IKEv1 is accepted, or insist(the default), + signifying only IKEv2 is accepted. Previous versions allowed the keywords +-propose or permit +-that would allow either IKEv1 or IKEv2, but this is no longer supported. The +-permit option is interpreted as no and the propose option is interpreted as +-yes. Older versions also supported keyword +-insist which is now interpreted as yes. ++propose, yes or permit ++that would allow either IKEv1 or IKEv2, but this is no longer supported and both options ++now cause the connection to fail to load. WARNING: This behaviour differs from upstream ++libreswan, which only accepts yes or no where yes means ++the same as insist. + + + +diff -Naur libreswan-3.32rc1-orig/programs/whack/whack.c libreswan-3.32rc1/programs/whack/whack.c +--- libreswan-3.32rc1-orig/programs/whack/whack.c 2020-04-28 22:27:20.000000000 -0400 ++++ libreswan-3.32rc1/programs/whack/whack.c 2020-04-30 13:41:18.615751749 -0400 +@@ -775,7 +775,7 @@ + + PS("ikev1-allow", IKEV1_ALLOW), + PS("ikev2-allow", IKEV2_ALLOW), +- PS("ikev2-propose", IKEV2_ALLOW), /* map onto allow */ ++ /* not in RHEL8 PS("ikev2-propose", IKEV2_ALLOW),*/ + + PS("allow-narrowing", IKEV2_ALLOW_NARROWING), + #ifdef XAUTH_HAVE_PAM +@@ -1737,7 +1737,7 @@ + + /* --ikev1-allow */ + case CDP_SINGLETON + POLICY_IKEV1_ALLOW_IX: +- /* --ikev2-allow (now also --ikev2-propose) */ ++ /* --ikev2-allow */ + case CDP_SINGLETON + POLICY_IKEV2_ALLOW_IX: + + /* --allow-narrowing */ diff --git a/SOURCES/libreswan-3.32-rebase-fixups.patch b/SOURCES/libreswan-3.32-rebase-fixups.patch new file mode 100644 index 0000000..a3199a5 --- /dev/null +++ b/SOURCES/libreswan-3.32-rebase-fixups.patch @@ -0,0 +1,53 @@ +diff -Naur libreswan-3.32-orig/lib/libipsecconf/interfaces.c libreswan-3.32/lib/libipsecconf/interfaces.c +--- libreswan-3.32-orig/lib/libipsecconf/interfaces.c 2020-05-11 10:13:41.000000000 -0400 ++++ libreswan-3.32/lib/libipsecconf/interfaces.c 2020-06-04 18:51:39.508280352 -0400 +@@ -71,7 +71,11 @@ + if (sa->sa.sa_family == af) { + /* XXX: sizeof right? */ + ip_endpoint nhe; +- happy(sockaddr_to_endpoint(sa, sizeof(*sa), &nhe)); ++ err_t e = sockaddr_to_endpoint(sa, sizeof(*sa), &nhe); ++ if (e != NULL) { ++ pexpect(e != NULL); ++ return false; ++ } + pexpect(endpoint_hport(&nhe) == 0); + *nh = endpoint_address(&nhe); + } +@@ -84,7 +88,11 @@ + if (sa->sa.sa_family == af) { + /* XXX: sizeof right? */ + ip_endpoint dste; +- happy(sockaddr_to_endpoint(sa, sizeof(*sa), &dste)); ++ err_t e = sockaddr_to_endpoint(sa, sizeof(*sa), &dste); ++ if (e != NULL) { ++ pexpect(e != NULL); ++ return false; ++ } + pexpect(endpoint_hport(&dste) == 0); + *dst = endpoint_address(&dste); + } +diff -Naur libreswan-3.32-orig/lib/libswan/ip_endpoint.c libreswan-3.32/lib/libswan/ip_endpoint.c +--- libreswan-3.32-orig/lib/libswan/ip_endpoint.c 2020-05-11 10:13:41.000000000 -0400 ++++ libreswan-3.32/lib/libswan/ip_endpoint.c 2020-06-04 18:51:39.508280352 -0400 +@@ -54,20 +54,12 @@ + switch (sa->sa.sa_family) { + case AF_INET: + { +- /* XXX: to strict? */ +- if (sa_len != sizeof(sa->sin)) { +- return "wrong length"; +- } + address = address_from_in_addr(&sa->sin.sin_addr); + port = ntohs(sa->sin.sin_port); + break; + } + case AF_INET6: + { +- /* XXX: to strict? */ +- if (sa_len != sizeof(sa->sin6)) { +- return "wrong length"; +- } + address = address_from_in6_addr(&sa->sin6.sin6_addr); + port = ntohs(sa->sin6.sin6_port); + break; diff --git a/SPECS/libreswan.spec b/SPECS/libreswan.spec new file mode 100644 index 0000000..78e2a45 --- /dev/null +++ b/SPECS/libreswan.spec @@ -0,0 +1,481 @@ +%global _hardened_build 1 +# These are rpm macros and are 0 or 1 +%global with_efence 0 +%global with_development 0 +%global with_cavstests 1 +# minimum version for support for rhbz#1651314 +# should prob update for nss with IKEv1 quick mode support +%global nss_version 3.39.0-1.4 +%global unbound_version 1.6.6 +# Libreswan config options - temporarilly without USE_NSS_PRF while waiting for updated nss to become available +%global libreswan_config \\\ + FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\ + FINALMANDIR=%{_mandir} \\\ + INC_RCDEFAULT=%{_initrddir} \\\ + INC_USRLOCAL=%{_prefix} \\\ + INITSYSTEM=systemd \\\ + NSS_REQ_AVA_COPY=false \\\ + NSS_HAS_IPSEC_PROFILE=true \\\ + PYTHON_BINARY=%{__python3} \\\ + USE_DNSSEC=true \\\ + USE_FIPSCHECK=false \\\ + USE_LABELED_IPSEC=true \\\ + USE_LDAP=true \\\ + USE_LIBCAP_NG=true \\\ + USE_LIBCURL=true \\\ + USE_LINUX_AUDIT=true \\\ + USE_NM=true \\\ + USE_SECCOMP=true \\\ + USE_XAUTHPAM=true \\\ + USE_KLIPS=false \\\ + USE_NSS_PRF=false \\\ + USE_PRF_AES_XCBC=true \\\ + USE_DH2=true \\\ +%{nil} + +#global prever rc1 + +Name: libreswan +Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols +# version is generated in the release script +Version: 3.32 +Release: %{?prever:0.}4%{?prever:.%{prever}}%{?dist} +License: GPLv2 +Url: https://libreswan.org/ + +Source0: https://download.libreswan.org/%{?prever:with_development/}%{name}-%{version}%{?prever}.tar.gz +%if 0%{with_cavstests} +Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2 +Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2 +Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2 +%endif + +Patch1: libreswan-3.32-maintain-different-v1v2-split.patch +Patch2: libreswan-3.32-rebase-fixups.patch +Patch3: libreswan-3.32-1842597-accounting.patch +Patch4: libreswan-3.32-1847766-xfrmi.patch +Patch5: libreswan-3.32-1840212-nss-gcm.patch +Patch6: libreswan-3.32-1544463-seccomp.patch + +BuildRequires: audit-libs-devel +BuildRequires: bison +BuildRequires: curl-devel +BuildRequires: flex +BuildRequires: gcc +BuildRequires: ldns-devel +BuildRequires: libcap-ng-devel +BuildRequires: libevent-devel +BuildRequires: libseccomp-devel +BuildRequires: libselinux-devel +BuildRequires: nspr-devel +BuildRequires: nss-devel >= %{nss_version} +buildRequires: nss-tools +BuildRequires: openldap-devel +BuildRequires: pam-devel +BuildRequires: pkgconfig +BuildRequires: hostname +BuildRequires: redhat-rpm-config +BuildRequires: systemd-devel +BuildRequires: unbound-devel >= %{unbound_version} +BuildRequires: xmlto +%if 0%{with_efence} +BuildRequires: ElectricFence +%endif +Requires: iproute >= 2.6.8 +Requires: nss >= %{nss_version} +Requires: nss-softokn +Requires: nss-tools +Requires: unbound-libs >= %{unbound_version} +Requires(post): bash +Requires(post): coreutils +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd + +%description +Libreswan is a free implementation of IKE/IPsec for Linux. IPsec is +the Internet Protocol Security and uses strong cryptography to provide +both authentication and encryption services. These services allow you +to build secure tunnels through untrusted networks. Everything passing +through the untrusted net is encrypted by the ipsec gateway machine and +decrypted by the gateway at the other end of the tunnel. The resulting +tunnel is a virtual private network or VPN. + +This package contains the daemons and userland tools for setting up +Libreswan. + +Libreswan also supports IKEv2 (RFC7296) and Secure Labeling + +Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 + +%prep +%setup -q -n libreswan-%{version}%{?prever} +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 + +pathfix.py -i %{__python3} -pn testing/cert_verify/usage_test \ + testing/pluto/ikev1-01-fuzzer/cve-2015-3204.py \ + testing/pluto/ikev2-15-fuzzer/send_bad_packets.py + +# replace unsupported KLIPS README +echo "KLIPS is not supported with RHEL8" > README.KLIPS + +# linking to freebl is not needed +sed -i "s/-lfreebl //" mk/config.mk + +# enable crypto-policies support +sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" programs/configs/ipsec.conf.in + +%build +make %{?_smp_mflags} \ +%if 0%{with_development} + OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \ +%else + OPTIMIZE_CFLAGS="%{optflags}" \ +%endif +%if 0%{with_efence} + USE_EFENCE=true \ +%endif + WERROR_CFLAGS="-Werror -Wno-missing-field-initializers" \ + USERLINK="%{?__global_ldflags}" \ + %{libreswan_config} \ + programs +FS=$(pwd) + +%install +make \ + DESTDIR=%{buildroot} \ + %{libreswan_config} \ + install +FS=$(pwd) +rm -rf %{buildroot}/usr/share/doc/libreswan +rm -rf %{buildroot}%{_libexecdir}/ipsec/*check + +install -d -m 0755 %{buildroot}%{_rundir}/pluto +# used when setting --perpeerlog without --perpeerlogbase +install -d -m 0700 %{buildroot}%{_localstatedir}/log/pluto/peer +install -d %{buildroot}%{_sbindir} + +install -d %{buildroot}%{_sysconfdir}/sysctl.d +install -m 0644 packaging/fedora/libreswan-sysctl.conf \ + %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf + +echo "include %{_sysconfdir}/ipsec.d/*.secrets" \ + > %{buildroot}%{_sysconfdir}/ipsec.secrets +rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc* + +%if 0%{with_cavstests} +%check +# There is an elaborate upstream testing infrastructure which we do not +# run here - it takes hours and uses kvm +# We only run the CAVS tests. +cp %{SOURCE1} %{SOURCE2} %{SOURCE3} . +bunzip2 *.fax.bz2 + +: starting CAVS test for IKEv2 +%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \ + diff -u ikev2.fax - > /dev/null +: starting CAVS test for IKEv1 RSASIG +%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \ + diff -u ikev1_dsa.fax - > /dev/null +: starting CAVS test for IKEv1 PSK +%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \ + diff -u ikev1_psk.fax - > /dev/null +: CAVS tests passed + +# Some of these tests will show ERROR for negative testing - it will exit on real errors +%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; } +%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; } +: Algorithm parser tests passed + +# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode +tmpdir=$(mktemp -d /tmp/libreswan-XXXXX) +certutil -N -d sql:$tmpdir --empty-password +%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir +: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST + +%endif + +%post +%systemd_post ipsec.service + +%preun +%systemd_preun ipsec.service + +%postun +%systemd_postun_with_restart ipsec.service + +%files +%doc CHANGES COPYING CREDITS README* LICENSE +%doc docs/*.* docs/examples +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf +%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets +%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d +%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/* +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf +%attr(0700,root,root) %dir %{_localstatedir}/log/pluto +%attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer +%attr(0755,root,root) %dir %{_rundir}/pluto +%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf +%attr(0644,root,root) %{_unitdir}/ipsec.service +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto +%{_sbindir}/ipsec +%{_libexecdir}/ipsec +%attr(0644,root,root) %doc %{_mandir}/*/* + +%changelog +* Wed Jul 01 2020 Paul Wouters - 3.32-4 +- Resolves: rhbz#1544463 ipsec service does not work correctly when seccomp filtering is enabled + +* Wed Jun 17 2020 Paul Wouters - 3.32-3 +- Resolves: rhbz#1842597 regression: libreswan does not send PLUTO_BYTES env variables to updown script +- Resolves: rhbz#1847766 subsequent xfrmi interfaces configured outside of libreswan are not recognised properly +- Resolves: rhbz#1840212 protect libreswan against unannounced nss ABI change + +* Thu Jun 11 2020 Paul Wouters - 3.32-2 +- Resolves: rhbz#1820206 Rebase to libreswan 3.32 [addconn fix] + +* Thu Apr 30 2020 Paul Wouters - 3.32-1 +- Resolves: rhbz#1820206 Rebase to libreswan 3.32 +- Resolves: rhbz#1816265 Use NSS to check whether FIPS mode is enabled +- Resolves: rhbz#1826337 libreswan in FIPS mode rejects ECDSA keys based on faulty RSA key size check being applied + +* Tue Aug 13 2019 Paul Wouters - 3.29-6 +- Resolves: rhbz#1714331 support NSS based IKE KDF's [require updated nss for rhbz 1738689, memleak fix] + +* Thu Aug 08 2019 Paul Wouters - 3.29-5 +- Resolves: rhbz#1714331 support NSS based IKE KDF's so libreswan does not need FIPS certification + +* Thu Aug 01 2019 Paul Wouters - 3.29-4 +- Resolves: rhbz#1699318 'ipsec show' has python3 invalid syntax + +* Thu Jul 04 2019 Paul Wouters - 3.29-3 +- Resolves: rhbz#1725205 XFRM policy for OE/32 peer is deleted when shunts for previous half-open state expire + +* Thu Jun 27 2019 Paul Wouters - 3.29-2 +- Resolves: rhbz#1723957 libreswan is missing linux audit calls for failed IKE SAs and failed IPsec SAs required for Common Criteria + +* Mon Jun 10 2019 Paul Wouters - 3.29-1 +- Resolves: rhbz#1712555 libreswan rebase to 3.29 + +* Tue May 28 2019 Paul Wouters - 3.28-2 +- Resolves: rhbz#1713734: barf: shell syntax error in barf diagnostic tool + +* Tue May 21 2019 Paul Wouters - 3.28-1 +- Resolves: rhbz#1712555 libreswan rebase to 3.28 +- Resolves: rhbz#1683706 Libreswan shows incorrect error messages +- Resolves: rhbz#1706180 Remove last usage of old (unused) PF_KEY API +- Resolves: rhbz#1677045 Opportunistic IPsec instances of /32 groups or auto=start that receive delete won't restart +- Resolves: rhbz#1686990 IKEv1 traffic interruption when responder deletes SAs 60 seconds before EVENT_SA_REPLACE +- Resolves: rhbz#1608353 /usr/sbin/ipsec part of the libreswan packages still invokes commands that were deprecated a decade ago +- Resolves: rhbz#1699318 'ipsec show' has python3 invalid syntax +- Resolves: rhbz#1679394 libreswan using NSS IPsec profiles regresses when critical flags are set causing validation failure + +* Thu Feb 21 2019 Paul Wouters - 3.27-9 +- Resolves: rhbz#1648776 limit connections to be ikev1only or ikev2only and make ikev2only the default [man page update] + +* Fri Feb 15 2019 Paul Wouters - 3.27-8 +- Resolves: rhbz#1664101 system wide crypto policies causing IKE_INIT packet fragmentation + +* Tue Feb 05 2019 Paul Wouters - 3.27-7 +- Resolves: rhbz#1671793 proessing ISAKMP_NEXT_D with additional payloads causes dangling pointer to deleted state + +* Fri Feb 01 2019 Paul Wouters - 3.27-6 +- Resolves: rhbz#1668342 SELinux prevents libreswan from using some outbound ports causing DNS resolution failures at connection at load time + +* Thu Jan 10 2019 Paul Wouters - 3.27-5 +- Resolves: rhbz#1664522 libreswan 3.25 in FIPS mode is incorrectly rejecting X.509 public keys that are >= 3072 bits + +* Mon Dec 10 2018 Paul Wouters - 3.27-4 +- Resolves: rhbz#1657846 libreswan no longer needs to provide openswan in rhel8 +- Resolves: rhbz#1643388 libreswan: Unable to verify certificate with non-empty Extended Key Usage which does not include serverAuth or clientAuth +- Resolves: rhbz#1657854 remove userland support for deprecated KLIPS IPsec stack support + +* Sun Dec 09 2018 Paul Wouters - 3.27-3 +- Resolves: rhbz#1648776 limit connections to be ikev1only or ikev2only and make ikev2only the default + +* Thu Nov 08 2018 Paul Wouters - 3.27-2 +- Resolves: rhbz#1645137 Libreswan segfaults when it loads configuration file with more then 5 connections + +* Mon Oct 08 2018 Paul Wouters - 3.27-1 +- Resolves: rhbz#1566574 Rebase to libreswan 3.27 + +* Mon Sep 17 2018 Paul Wouters - 3.26-1 +- Resolves: rhbz#1566574 Rebase to libreswan 3.26 +- Resolves: rhbz#1527037 libreswan IPSEC implementation: should follow the policies of system-wide crypto policy +- Resolves: rhbz#1375779 [IKEv2 Conformance] Test IKEv2.EN.R.1.1.6.7: Sending INVALID_KE_PAYLOAD failed +- Resolves: rhbz#1085758 [TAHI][IKEv2] IKEv2.EN.I.1.2.1.1: Can't observe CREATE_CHILD_SA request for rekey +- Resolves: rhbz#1053048 [TAHI][IKEv2] IKEv2.EN.I.1.2.4.1-7: libreswan doesn't sent CREATE_CHILD_SA after IKE_SA Lifetime timeout + +* Mon Aug 13 2018 Paul Wouters - 3.25-4 +- Resolves: rhbz#1590823 libreswan: Use Python 3 in RHEL 8 + +* Wed Aug 01 2018 Charalampos Stratakis - 3.25-3.1 +- Rebuild for platform-python + +* Mon Jul 09 2018 Paul Wouters - 3.25-3 +- Cleanup shebangs for python3 +- Use the same options via macro for make programs and make install +- Remove old ifdefs +- Sync up patches to new upstream version +- Add Requires: for unbound-libs >= 1.6.6 +- Enable crypto-policies support +- Make rundir world readable for easier permission granting for socket + +* Tue Jun 26 2018 Charalampos Stratakis - 3.23-2.2 +- Make python shebangs point to python3 + +* Fri Jun 22 2018 Troy Dawson - 3.23-2.1 +- Fix python shebangs (#1580773) + +* Mon Feb 19 2018 Paul Wouters - 3.23-2 +- Support crypto-policies package +- Pull in some patches from upstream and IANA registry updates +- gcc7 format-truncate fixes and workarounds + +* Wed Feb 07 2018 Fedora Release Engineering - 3.23-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jan 25 2018 Paul Wouters - 3.23-1 +- Updated to 3.23 - support for MOBIKE, PPK, CMAC, nic offload and performance improvements + +* Sat Jan 20 2018 Björn Esser - 3.22-1.1 +- Rebuilt for switch to libxcrypt + +* Mon Oct 23 2017 Paul Wouters - 3.22-1 +- Updated to 3.22 - many bugfixes, and unbound ipsecmod support + +* Wed Aug 9 2017 Paul Wouters - 3.21-1 +- Updated to 3.21 + +* Thu Aug 03 2017 Fedora Release Engineering - 3.20-1.2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 3.20-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Tue Mar 14 2017 Paul Wouters - 3.20-1 +- Updated to 3.20 + +* Fri Mar 03 2017 Paul Wouters - 3.20-0.1.dr4 +- Update to 3.20dr4 to test mozbz#1336487 export CERT_CompareAVA + +* Fri Feb 10 2017 Fedora Release Engineering - 3.19-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Feb 03 2017 Paul Wouters - 3.19-2 +- Resolves: rhbz#1392191 libreswan: crash when OSX client connects +- Improved uniqueid and session replacing support +- Test Buffer warning fix on size_t +- Re-introduce --configdir for backwards compatibility + +* Sun Jan 15 2017 Paul Wouters - 3.19-1 +- Updated to 3.19 (see download.libreswan.org/CHANGES) + +* Mon Dec 19 2016 Miro Hrončok - 3.18-1.1 +- Rebuild for Python 3.6 + +* Fri Jul 29 2016 Paul Wouters - 3.18-1 +- Updated to 3.18 for CVE-2016-5391 rhbz#1361164 and VTI support +- Remove support for /etc/sysconfig/pluto (use native systemd instead) + +* Thu May 05 2016 Paul Wouters - 3.17-2 +- Resolves: rhbz#1324956 prelink is gone, /etc/prelink.conf.d/* is no longer used + +* Thu Apr 07 2016 Paul Wouters - 3.17-1 +- Updated to 3.17 for CVE-2016-3071 +- Disable LIBCAP_NG as it prevents unbound-control from working properly +- Temporarilly disable WERROR due to a few minor known issues + +* Thu Feb 04 2016 Fedora Release Engineering - 3.16-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Dec 18 2015 Paul Wouters - 3.16-1 +- Updated to 3.16 (see https://download.libreswan.org/CHANGES) + +* Tue Aug 11 2015 Paul Wouters - 3.15-1 +- Updated to 3.15 (see http://download.libreswan.org/CHANGES) +- Resolves: rhbz#CVE-2015-3240 IKE daemon restart when receiving a bad DH gx +- NSS database creation moved from spec file to service file +- Run CAVS tests on package build +- Added BuildRequire systemd-units and xmlto +- Bumped minimum required nss to 3.16.1 +- Install tmpfiles +- Install sysctl file +- Update doc files to include + +* Mon Jul 13 2015 Paul Wouters - 3.13-2 +- Resolves: rhbz#1238967 Switch libreswan to use python3 + +* Wed Jun 17 2015 Fedora Release Engineering - 3.13-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Jun 01 2015 Paul Wouters - 3.13-1 +- Updated to 3.13 for CVE-2015-3204 + +* Fri Nov 07 2014 Paul Wouters - 3.12-1 +- Updated to 3.12 Various IKEv2 fixes + +* Wed Oct 22 2014 Paul Wouters - 3.11-1 +- Updated to 3.11 (many fixes, including startup fixes) +- Resolves: rhbz#1144941 libreswan 3.10 upgrade breaks old ipsec.secrets configs +- Resolves: rhbz#1147072 ikev1 aggr mode connection fails after libreswan upgrade +- Resolves: rhbz#1144831 Libreswan appears to start with systemd before all the NICs are up and running + +* Tue Sep 09 2014 Paul Wouters - 3.10-3 +- Fix some coverity issues, auto=route on bootup and snprintf on 32bit machines + +* Mon Sep 01 2014 Paul Wouters - 3.10-1 +- Updated to 3.10, major bugfix release, new xauth status options + +* Sun Aug 17 2014 Fedora Release Engineering - 3.9-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Thu Jul 10 2014 Paul Wouters - 3.9-1 +- Updated to 3.9. IKEv2 enhancements, ESP/IKE algo enhancements +- Mark libreswan-fips.conf as config file +- attr modifier for man pages no longer needed +- BUGS file no longer exists upstream + +* Sat Jun 07 2014 Fedora Release Engineering - 3.8-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sat Jan 18 2014 Paul Wouters - 3.8-1 +- Updated to 3.8, fixes rhbz#CVE-2013-6467 (rhbz#1054102) + +* Wed Dec 11 2013 Paul Wouters - 3.7-1 +- Updated to 3.7, fixes CVE-2013-4564 +- Fixes creating a bogus NSS db on startup (rhbz#1005410) + +* Thu Oct 31 2013 Paul Wouters - 3.6-1 +- Updated to 3.6 (IKEv2, MODECFG, Cisco interop fixes) +- Generate empty NSS db if none exists + +* Mon Aug 19 2013 Paul Wouters - 3.5-3 +- Add a Provides: for openswan-doc + +* Sat Aug 03 2013 Fedora Release Engineering - 3.5-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Jul 15 2013 Paul Wouters - 3.5-2 +- Added interop patch for (some?) Cisco VPN clients sending 16 zero + bytes of extraneous IKE data +- Removed fipscheck_version + +* Sat Jul 13 2013 Paul Wouters - 3.5-1 +- Updated to 3.5 + +* Thu Jun 06 2013 Paul Wouters - 3.4-1 +- Updated to 3.4, which only contains style changes to kernel coding style +- IN MEMORIAM: June 3rd, 2013 Hugh Daniel + +* Mon May 13 2013 Paul Wouters - 3.3-1 +- Updated to 3.3, which resolves CVE-2013-2052 + +* Sat Apr 13 2013 Paul Wouters - 3.2-1 +- Initial package for Fedora