diff --git a/SOURCES/libreswan-3.15-1219049-ikev1-del.patch b/SOURCES/libreswan-3.15-1219049-ikev1-del.patch
new file mode 100644
index 0000000..d0177d5
--- /dev/null
+++ b/SOURCES/libreswan-3.15-1219049-ikev1-del.patch
@@ -0,0 +1,34 @@
+commit bfb1f15c0f2d22987f67dd4dd41316eac28bdc26
+Author: Wolfgang Nothdurft
+Date: Fri Oct 2 13:20:14 2015 -0400
+
+ pluto: Resolves lbz#233
+
+ pluto sends delete SAs in wrong order and reconnection issues
+
+ Signed-off-by: Paul Wouters
+
+diff --git a/programs/pluto/state.c b/programs/pluto/state.c
+index 7d0821f..b45c1ae 100644
+--- a/programs/pluto/state.c
++++ b/programs/pluto/state.c
+@@ -789,7 +789,7 @@ void delete_state(struct state *st)
+ /* tell the other side of any IPSEC SAs that are going down */
+ if (IS_IPSEC_SA_ESTABLISHED(st->st_state) ||
+ IS_ISAKMP_SA_ESTABLISHED(st->st_state)) {
+- if (IS_CHILD_SA(st) &&
++ if (st->st_ikev2 && IS_CHILD_SA(st) &&
+ state_with_serialno(st->st_clonedfrom) == NULL) {
+ /* ??? in v2, there must be a parent */
+ DBG(DBG_CONTROL, DBG_log("deleting state but IKE SA does not exist for this child SA so Informational Exchange cannot be sent"));
+@@ -971,8 +971,8 @@ static void foreach_states_by_connection_func_delete(struct connection *c,
+ DBG_log("index %d state #%lu", i,
+ this->st_serialno));
+
+- /* on pass 2, ignore phase2 states */
+- if (pass == 1 &&
++ /* on pass 1, ignore established ISAKMP SA's */
++ if (pass == 0 &&
+ IS_ISAKMP_SA_ESTABLISHED(this->st_state))
+ continue;
+
diff --git a/SOURCES/libreswan-3.15-1229766-ipclash.patch b/SOURCES/libreswan-3.15-1229766-ipclash.patch
new file mode 100644
index 0000000..788a2d0
--- /dev/null
+++ b/SOURCES/libreswan-3.15-1229766-ipclash.patch
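Review bot: In the second inner hunk (foreach_states_by_connection_func_delete) the new comment `/* on pass 1, ignore established ISAKMP SA's */` is paired with `pass == 0`, so the comment numbers passes from 1 while the variable counts from 0; the old text did the same, but a reader comparing the two lines will take it for a mismatch. Describing the intent instead of the ordinal avoids that: `/* first pass (pass == 0): skip established ISAKMP SAs so the IPsec SAs under them are deleted first, while their Delete notifications can still go out under the ISAKMP SA */`. In the first inner hunk, adding `st->st_ikev2 &&` means an IKEv1 IPsec SA whose ISAKMP SA is already gone no longer takes the early-skip path and proceeds to the notification code; presumably that code copes with a missing ISAKMP SA for v1, but the rest of delete_state is outside the hunk, so worth confirming. Both enclosing functions start and end outside the hunk.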
@@ -0,0 +1,40 @@
+diff -Naur libreswan-3.15-orig/programs/pluto/kernel.c libreswan-3.15/programs/pluto/kernel.c
+--- libreswan-3.15-orig/programs/pluto/kernel.c 2015-08-24 22:28:32.000000000 -0400
++++ libreswan-3.15/programs/pluto/kernel.c 2016-07-05 06:32:18.384000000 -0400
+@@ -503,7 +503,7 @@
+ "%s" /* nflog-group - if any */
+
+ , c->name,
+- c->interface->ip_dev->id_vname,
++ c->interface == NULL ? "NULL" : c->interface->ip_dev->id_vname,
+ nexthop_str,
+ ipstr(&sr->this.host_addr, &bme),
+ secure_myid_str, /* 5 */
+diff --git a/programs/pluto/security_selinux.c b/programs/pluto/security_selinux.c
+index 2ca1a63..ac5028e 100644
+--- a/programs/pluto/security_selinux.c
++++ b/programs/pluto/security_selinux.c
+@@ -68,8 +68,8 @@ int within_range(security_context_t sl, security_context_t range)
+ /*
+ ** Straight up test between sl and range
+ **/
+- tclass = SECCLASS_ASSOCIATION;
+- av = ASSOCIATION__POLMATCH;
++ tclass = string_to_security_class("association");
++ av = string_to_av_perm(tclass, "polmatch");
+ rtn = avc_has_perm(slsid, rangesid, tclass, av, NULL, &avd);
+ if (rtn != 0) {
+ DBG_log("within_range: The sl (%s) is not within range of (%s)", sl,
+diff --git a/programs/pluto/security_selinux.h b/programs/pluto/security_selinux.h
+index e95bf5a..cccd60f 100644
+--- a/programs/pluto/security_selinux.h
++++ b/programs/pluto/security_selinux.h
+@@ -16,8 +16,6 @@
+ #define _SECURITY_SELINUX_H
+
+ #include
+-#include
+-#include
+ #include
+ #include
+
diff --git a/SOURCES/libreswan-3.15-1257079-nm-updown.patch b/SOURCES/libreswan-3.15-1257079-nm-updown.patch
new file mode 100644
index 0000000..727ede3
--- /dev/null
+++ b/SOURCES/libreswan-3.15-1257079-nm-updown.patch
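Review bot: In the security_selinux.c inner hunk, `string_to_security_class("association")` and `string_to_av_perm(tclass, "polmatch")` return 0 when the loaded policy does not define that class or permission, and the new lines pass that 0 straight into `avc_has_perm()`, whereas the compile-time constants they replace could never be zero. within_range() should fail closed on that lookup instead of relying on how the AVC treats a zero class or access vector: `if (tclass == 0 || av == 0) { DBG_log("within_range: SELinux policy lacks class association or permission polmatch"); ... }` placed before the `avc_has_perm` call, returning whatever the function uses for "not within range" (its return convention is outside the hunk). In the kernel.c inner hunk the `c->interface == NULL` test guards the only dereference the ternary touches; `ip_dev` is still assumed non-NULL, which is presumably how interfaces are built, but worth a glance. Both enclosing functions start and end outside the hunk.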
@@ -0,0 +1,272 @@ +diff -Naur libreswan-3.15-orig/programs/_updown.klips/_updown.klips.in libreswan-3.15/programs/_updown.klips/_updown.klips.in +--- libreswan-3.15-orig/programs/_updown.klips/_updown.klips.in 2015-08-24 22:28:32.000000000 -0400 ++++ libreswan-3.15/programs/_updown.klips/_updown.klips.in 2016-06-21 09:59:03.071283432 -0400 +@@ -263,18 +263,6 @@ + rm -f -- ${ORIG_RESOLV_CONF} + printf "${RESOLVE_CONF}" > ${ORIG_RESOLV_CONF} + return $? +- +- else +- echo "Updating resolv.conf is controlled by Network Manager" +- libreswan_reason=connect +- export libreswan_reason +- export PLUTO_PEER_DOMAIN_INFO +- export PLUTO_PEER_DNS_INFO +- export PLUTO_PEER_BANNER +- export PLUTO_MY_SOURCEIP +- export PLUTO_PEER +- /usr/libexec/nm-libreswan-service-helper +- return 0 + fi + } + +@@ -306,29 +294,27 @@ + + rm -f -- "${LIBRESWAN_RESOLV_CONF}" + return 0 +- else +- # Here disconnect signal is sent to NetworkManager +- # whenever an already established connection is being terminated. +- unset libreswan_reason +- unset PLUTO_PEER_DOMAIN_INFO +- unset PLUTO_PEER_DNS_INFO +- unset PLUTO_PEER_BANNER +- unset PLUTO_MY_SOURCEIP +- unset PLUTO_PEER +- echo "Restoring resolv.conf is controlled by Network Manager" +- disconnectNM + fi + } + +-disconnectNM() { +- # This will be called whenever a connection fails to establish +- # due to a state (either phase 1, xauth phase, or phase 2) fails. ++notifyNM() { ++ # This will be called whenever a connection is established or ++ # fails to establish (either phase 1, xauth phase, or phase 2) ++ # or whenever an already established connection is being terminated. + # This will send a singal to NetworkManager over dbus so that NM +- # can clear up coonnections. +- libreswan_reason=disconnect +- export libreswan_reason +- echo "sending disconnect signal to NetworkManager" +- /usr/libexec/nm-libreswan-service-helper ++ # can keep track of the coonnections. 
++ ++ if [ -n "${PLUTO_NM_CONFIGURED}" -a "${PLUTO_NM_CONFIGURED}" != 0 ]; then ++ echo "sending $1 signal to NetworkManager" ++ libreswan_reason=$1 ++ export libreswan_reason ++ export PLUTO_PEER_DOMAIN_INFO ++ export PLUTO_PEER_DNS_INFO ++ export PLUTO_PEER_BANNER ++ export PLUTO_MY_SOURCEIP ++ export PLUTO_PEER ++ /usr/libexec/nm-libreswan-service-helper ++ fi + return 0 + } + +@@ -623,16 +609,20 @@ + uprule + # If you are doing a custom version, firewall commands go here. + updateresolvconf ++ # sending connect signal to NM, as something went wrong. ++ notifyNM connect + ;; + down-client:) + # connection to my client subnet going down + downrule + # If you are doing a custom version, firewall commands go here. + restoreresolvconf ++ # sending disconnect signal to NM, as something went wrong. ++ notifyNM disconnect + ;; + disconnectNM-host|disconnectNM-client) + # sending disconnect signal to NM, as something went wrong. +- disconnectNM ++ notifyNM disconnect + ;; + # + # IPv6 +diff -Naur libreswan-3.15-orig/programs/_updown.mast/_updown.mast.in libreswan-3.15/programs/_updown.mast/_updown.mast.in +--- libreswan-3.15-orig/programs/_updown.mast/_updown.mast.in 2015-08-24 22:28:32.000000000 -0400 ++++ libreswan-3.15/programs/_updown.mast/_updown.mast.in 2016-06-21 09:59:03.072283425 -0400 +@@ -374,18 +374,6 @@ + rm -f -- ${ORIG_RESOLV_CONF} + printf "${RESOLVE_CONF}" > ${ORIG_RESOLV_CONF} + return $? +- +- else +- echo "Updating resolv.conf is controlled by Network Manager" +- libreswan_reason=connect +- export libreswan_reason +- export PLUTO_PEER_DOMAIN_INFO +- export PLUTO_PEER_DNS_INFO +- export PLUTO_PEER_BANNER +- export PLUTO_MY_SOURCEIP +- export PLUTO_PEER +- /usr/libexec/nm-libreswan-service-helper +- return 0 + fi + } + +@@ -417,29 +405,27 @@ + + rm -f -- "${LIBRESWAN_RESOLV_CONF}" + return 0 +- else +- # Here disconnect signal is sent to NetworkManager +- # whenever an already established connection is being terminated. 
+- unset libreswan_reason +- unset PLUTO_PEER_DOMAIN_INFO +- unset PLUTO_PEER_DNS_INFO +- unset PLUTO_PEER_BANNER +- unset PLUTO_MY_SOURCEIP +- unset PLUTO_PEER +- echo "Restoring resolv.conf is controlled by Network Manager" +- disconnectNM + fi + } + +-disconnectNM() { +- # This will be called whenever a connection fails to establish +- # due to a state (either phase 1, xauth phase, or phase 2) fails. ++notifyNM() { ++ # This will be called whenever a connection is established or ++ # fails to establish (either phase 1, xauth phase, or phase 2) ++ # or whenever an already established connection is being terminated. + # This will send a singal to NetworkManager over dbus so that NM +- # can clear up coonnections. +- libreswan_reason=disconnect +- export libreswan_reason +- echo "sending disconnect signal to NetworkManager" +- /usr/libexec/nm-libreswan-service-helper ++ # can keep track of the coonnections. ++ ++ if [ -n "${PLUTO_NM_CONFIGURED}" -a "${PLUTO_NM_CONFIGURED}" != 0 ]; then ++ echo "sending $1 signal to NetworkManager" ++ libreswan_reason=$1 ++ export libreswan_reason ++ export PLUTO_PEER_DOMAIN_INFO ++ export PLUTO_PEER_DNS_INFO ++ export PLUTO_PEER_BANNER ++ export PLUTO_MY_SOURCEIP ++ export PLUTO_PEER ++ /usr/libexec/nm-libreswan-service-helper ++ fi + return 0 + } + +@@ -581,14 +567,18 @@ + up-client:) + # If you are doing a custom version, firewall commands go here. + updateresolvconf ++ # sending disconnect signal to NM, as something went wrong. ++ notifyNM connect + ;; + down-client:) + # If you are doing a custom version, firewall commands go here. + restoreresolvconf ++ # sending disconnect signal to NM, as something went wrong. ++ notifyNM disconnect + ;; + disconnectNM-host|disconnectNM-client) + # sending disconnect signal to NM, as something went wrong. 
+- disconnectNM ++ notifyNM disconnect + ;; + # + # IPv6 +diff -Naur libreswan-3.15-orig/programs/_updown.netkey/_updown.netkey.in libreswan-3.15/programs/_updown.netkey/_updown.netkey.in +--- libreswan-3.15-orig/programs/_updown.netkey/_updown.netkey.in 2015-08-24 22:28:32.000000000 -0400 ++++ libreswan-3.15/programs/_updown.netkey/_updown.netkey.in 2016-06-21 10:00:21.398778848 -0400 +@@ -263,18 +263,6 @@ + rm -f -- ${ORIG_RESOLV_CONF} + printf "${RESOLVE_CONF}" > ${ORIG_RESOLV_CONF} + return $? +- +- else +- echo "Updating resolv.conf is controlled by Network Manager" +- libreswan_reason=connect +- export libreswan_reason +- export PLUTO_PEER_DOMAIN_INFO +- export PLUTO_PEER_DNS_INFO +- export PLUTO_PEER_BANNER +- export PLUTO_MY_SOURCEIP +- export PLUTO_PEER +- /usr/libexec/nm-libreswan-service-helper +- return 0 + fi + } + +@@ -306,29 +294,27 @@ + + rm -f -- "${LIBRESWAN_RESOLV_CONF}" + return 0 +- else +- # Here disconnect signal is sent to NetworkManager +- # whenever an already established connection is being terminated. +- unset libreswan_reason +- unset PLUTO_PEER_DOMAIN_INFO +- unset PLUTO_PEER_DNS_INFO +- unset PLUTO_PEER_BANNER +- unset PLUTO_MY_SOURCEIP +- unset PLUTO_PEER +- echo "Restoring resolv.conf is controlled by Network Manager" +- disconnectNM + fi + } + +-disconnectNM() { +- # This will be called whenever a connection fails to establish +- # due to a state (either phase 1, xauth phase, or phase 2) fails. ++notifyNM() { ++ # This will be called whenever a connection is established or ++ # fails to establish (either phase 1, xauth phase, or phase 2) ++ # or whenever an already established connection is being terminated. + # This will send a singal to NetworkManager over dbus so that NM +- # can clear up coonnections. +- libreswan_reason=disconnect +- export libreswan_reason +- echo "sending disconnect signal to NetworkManager" +- /usr/libexec/nm-libreswan-service-helper ++ # can keep track of the coonnections. 
++ ++ if [ -n "${PLUTO_NM_CONFIGURED}" -a "${PLUTO_NM_CONFIGURED}" != 0 ]; then ++ echo "sending $1 signal to NetworkManager" ++ libreswan_reason=$1 ++ export libreswan_reason ++ export PLUTO_PEER_DOMAIN_INFO ++ export PLUTO_PEER_DNS_INFO ++ export PLUTO_PEER_BANNER ++ export PLUTO_MY_SOURCEIP ++ export PLUTO_PEER ++ /usr/libexec/nm-libreswan-service-helper ++ fi + return 0 + } + +@@ -533,6 +519,8 @@ + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + updateresolvconf ++ # sending connect signal to NM, as something went wrong. ++ notifyNM connect + ;; + down-client) + # connection to my client subnet going down +@@ -540,10 +528,12 @@ + delnflog + # If you are doing a custom version, firewall commands go here. + restoreresolvconf ++ # sending disconnect signal to NM, as something went wrong. ++ notifyNM disconnect + ;; + disconnectNM-host|disconnectNM-client) + # sending disconnect signal to NM, as something went wrong. +- disconnectNM ++ notifyNM disconnect + ;; + # + # IPv6 diff --git a/SOURCES/libreswan-3.15-1272112-whack-man.patch b/SOURCES/libreswan-3.15-1272112-whack-man.patch new file mode 100644 index 0000000..c62313d --- /dev/null +++ b/SOURCES/libreswan-3.15-1272112-whack-man.patch @@ -0,0 +1,11 @@ +diff -Naur libreswan-3.15-orig/programs/pluto/ipsec_pluto.8.xml libreswan-3.15/programs/pluto/ipsec_pluto.8.xml +--- libreswan-3.15-orig/programs/pluto/ipsec_pluto.8.xml 2015-08-24 22:28:32.000000000 -0400 ++++ libreswan-3.15/programs/pluto/ipsec_pluto.8.xml 2016-06-21 10:11:48.483293124 -0400 +@@ -18,6 +18,7 @@ + + + ipsec pluto ++ ipsec whack + pluto + + ipsec whack : IPsec IKE keying daemon and control interface diff --git a/SOURCES/libreswan-3.15-1276524-informational.patch b/SOURCES/libreswan-3.15-1276524-informational.patch new file mode 100644 index 0000000..32e5929 --- /dev/null +++ b/SOURCES/libreswan-3.15-1276524-informational.patch 
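Review bot: The comments placed above the new `notifyNM connect` calls are copied from the failure path and now say the opposite of what happens: in _updown.klips and _updown.netkey `# sending connect signal to NM, as something went wrong.` precedes the up-client success case, and in _updown.mast it even reads `# sending disconnect signal to NM, as something went wrong.` before `notifyNM connect`. Replace them with `# tell NetworkManager the connection is up` on the up-client branches and `# tell NetworkManager the connection is down` on the down-client branches. In `notifyNM()` (the same body appears in all three scripts) the test `[ -n "${PLUTO_NM_CONFIGURED}" -a "${PLUTO_NM_CONFIGURED}" != 0 ]` uses the obsolescent `-a` operator; `[ -n "${PLUTO_NM_CONFIGURED}" ] && [ "${PLUTO_NM_CONFIGURED}" != 0 ]` is the portable form. The helper's exit status is discarded before the unconditional `return 0`, which is acceptable for a best-effort notification but deserves a word in the function comment, and the rewritten comment line `# can keep track of the coonnections.` carries the typos "singal"/"coonnections" over.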
@@ -0,0 +1,119 @@
+diff -Naur libreswan-3.15-orig/programs/pluto/ikev2.c libreswan-3.15/programs/pluto/ikev2.c
+--- libreswan-3.15-orig/programs/pluto/ikev2.c 2016-09-07 10:10:59.477000000 -0400
++++ libreswan-3.15/programs/pluto/ikev2.c 2016-09-07 10:14:14.222000000 -0400
+@@ -73,13 +73,6 @@
+
+ #include "plutoalg.h" /* for default_ike_groups */
+
+-/* Note: same definition appears in programs/pluto/ikev2_parent.c */
+-#define SEND_V2_NOTIFICATION(t) { \
+- if (st != NULL) \
+- send_v2_notification_from_state(st, t, NULL); \
+- else \
+- send_v2_notification_from_md(md, t, NULL); }
+-
+ enum smf2_flags {
+ /*
+ * Check the value of the IKE_I flag in the header.
+@@ -400,16 +393,6 @@
+ * <-- HDR, SK {[N,] [D,] [CP], ...}
+ */
+
+- { .story = "I2: process INFORMATIONAL",
+- .state = STATE_PARENT_I2,
+- .next_state = STATE_PARENT_I2,
+- .flags = SMF2_IKE_I_CLEAR,
+- .req_clear_payloads = P(SK),
+- .opt_enc_payloads = P(N) | P(D) | P(CP),
+- .processor = process_encrypted_informational_ikev2,
+- .recv_type = ISAKMP_v2_INFORMATIONAL,
+- .timeout_event = EVENT_RETAIN, },
+-
+ { .story = "I3: INFORMATIONAL",
+ .state = STATE_PARENT_I3,
+ .next_state = STATE_PARENT_I3,
+@@ -420,16 +403,6 @@
+ .recv_type = ISAKMP_v2_INFORMATIONAL,
+ .timeout_event = EVENT_RETAIN, },
+
+- { .story = "R1: process INFORMATIONAL",
+- .state = STATE_PARENT_R1,
+- .next_state = STATE_PARENT_R1,
+- .flags = SMF2_IKE_I_SET,
+- .req_clear_payloads = P(SK),
+- .opt_enc_payloads = P(N) | P(D) | P(CP),
+- .processor = process_encrypted_informational_ikev2,
+- .recv_type = ISAKMP_v2_INFORMATIONAL,
+- .timeout_event = EVENT_RETAIN, },
+-
+ { .story = "R2: process INFORMATIONAL",
+ .state = STATE_PARENT_R2,
+ .next_state = STATE_PARENT_R2,
+@@ -1061,7 +1034,7 @@
+ * XXX: Returning INVALID_MESSAGE_ID seems
+ * pretty bogus.
+ */
+- SEND_V2_NOTIFICATION(v2N_INVALID_MESSAGE_ID);
++ SEND_V2_NOTIFICATION(v2N_INVALID_IKE_SPI);
+ }
+ return;
+ }
+@@ -1353,6 +1326,7 @@
+ st.st_localport = md->iface->port;
+ cnx.interface = md->iface;
+ st.st_interface = md->iface;
++ st.st_reply_xchg = md->hdr.isa_xchg;
+
+ send_v2_notification(&st, type, NULL,
+ md->hdr.isa_icookie, md->hdr.isa_rcookie, data);
+diff -Naur libreswan-3.15-orig/programs/pluto/ikev2.h libreswan-3.15/programs/pluto/ikev2.h
+--- libreswan-3.15-orig/programs/pluto/ikev2.h 2015-08-24 22:28:32.000000000 -0400
++++ libreswan-3.15/programs/pluto/ikev2.h 2016-09-07 10:12:30.357000000 -0400
+@@ -235,3 +235,9 @@
+ void ikev2_log_payload_errors(struct ikev2_payload_errors errors,
+ struct state *st);
+
++#define SEND_V2_NOTIFICATION(t) { \
++ if (st != NULL) \
++ send_v2_notification_from_state(st, t, NULL); \
++ else \
++ send_v2_notification_from_md(md, t, NULL); }
++
+diff -Naur libreswan-3.15-orig/programs/pluto/ikev2_parent.c libreswan-3.15/programs/pluto/ikev2_parent.c
+--- libreswan-3.15-orig/programs/pluto/ikev2_parent.c 2016-09-07 10:10:59.478000000 -0400
++++ libreswan-3.15/programs/pluto/ikev2_parent.c 2016-09-07 10:12:30.357000000 -0400
+@@ -70,14 +70,6 @@
+
+ #include "ietf_constants.h"
+
+-/* Note: same definition appears in programs/pluto/ikev2.c */
+-#define SEND_V2_NOTIFICATION(t) { \
+- if (st != NULL) \
+- send_v2_notification_from_state(st, t, NULL); \
+- else \
+- send_v2_notification_from_md(md, t, NULL); \
+- }
+-
+ #ifdef XAUTH_HAVE_PAM
+ struct ikev2_pam_helper {
+ struct pam_thread_arg pam; /* writable inside thread */
+@@ -3628,6 +3620,8 @@
+ hdr.isa_xchg = ISAKMP_v2_SA_INIT;
+ break;
+ }
++ if (p1st->st_reply_xchg != 0)
++ hdr.isa_xchg = p1st->st_reply_xchg; /* use received exchange type */
+
+ hdr.isa_np = ISAKMP_NEXT_v2N;
+ /* XXX unconditionally clearing original initiator flag is wrong */
+diff -Naur libreswan-3.15-orig/programs/pluto/state.h libreswan-3.15/programs/pluto/state.h
+--- libreswan-3.15-orig/programs/pluto/state.h 2015-08-24 22:28:32.000000000 -0400
++++ libreswan-3.15/programs/pluto/state.h 2016-09-07 10:14:43.847000000 -0400
+@@ -480,6 +480,7 @@
+ bool st_xauth_soft; /* XAUTH failed but policy is to soft fail */
+ bool st_seen_fragvid; /* should really use st_seen_vendorid, but no one else is */
+ bool st_seen_fragments; /* did we receive ike fragments from peer, if so use them in return as well */
++ u_int8_t st_reply_xchg;
+ };
+
+ /* global variables */
diff --git a/SOURCES/libreswan-3.15-1278063-ikev1-pam.patch b/SOURCES/libreswan-3.15-1278063-ikev1-pam.patch
new file mode 100644
index 0000000..5e8bcb9
--- /dev/null
+++ b/SOURCES/libreswan-3.15-1278063-ikev1-pam.patch
@@ -0,0 +1,21 @@
+diff -Naur libreswan-3.15-orig/programs/pluto/pam_conv.c libreswan-3.15/programs/pluto/pam_conv.c
+--- libreswan-3.15-orig/programs/pluto/pam_conv.c 2016-06-14 16:15:34.810507979 -0400
++++ libreswan-3.15/programs/pluto/pam_conv.c 2016-06-14 16:20:43.958424650 -0400
+@@ -159,16 +159,14 @@
+ */
+ what = "pam_authenticate";
+ retval = pam_authenticate(pamh, PAM_SILENT); /* is user really user? */
+-
+ if (retval != PAM_SUCCESS)
+ break;
+ log_pam_step(arg, what, "SUCCESS");
+
++ what = "pam_acct_mgmt";
+ retval = pam_acct_mgmt(pamh, 0); /* permitted access? */
+ if (retval != PAM_SUCCESS)
+ break;
+-
+- what = "pam";
+ log_pam_step(arg, what, "SUCCESS");
+
+ /* success! */
diff --git a/SOURCES/libreswan-3.15-1280449-cap_dac_read_search.patch b/SOURCES/libreswan-3.15-1280449-cap_dac_read_search.patch
new file mode 100644
index 0000000..f10e215
--- /dev/null
+++ b/SOURCES/libreswan-3.15-1280449-cap_dac_read_search.patch
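Review bot: `u_int8_t st_reply_xchg;` is added to `struct state` in the state.h inner hunk without a comment, while every neighbouring field documents its meaning, and its contract is non-obvious: it appears to be set only on the stack-built state in the `send_v2_notification_from_md` hunk (`st.st_reply_xchg = md->hdr.isa_xchg;`) and is read with a zero-means-unset convention in the ikev2_parent.c hunk (`if (p1st->st_reply_xchg != 0)`). Suggest `u_int8_t st_reply_xchg; /* exchange type of the request a notification replies to; 0 = derive from state */`. The `SEND_V2_NOTIFICATION` macro moved into ikev2.h keeps its bare-brace body and silently depends on `st` and `md` being in the caller's scope; as a header-visible macro it should be wrapped in `do { ... } while (0)` so it is safe in `if`/`else` chains, with a comment above it naming the `st`/`md` requirement. The functions around these inner hunks start and end outside them.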
@@ -0,0 +1,11 @@
+diff -Naur libreswan-3.15-orig/programs/pluto/plutomain.c libreswan-3.15/programs/pluto/plutomain.c
+--- libreswan-3.15-orig/programs/pluto/plutomain.c 2016-06-21 10:37:03.635299030 -0400
++++ libreswan-3.15/programs/pluto/plutomain.c 2016-06-21 10:37:50.604989303 -0400
+@@ -1395,6 +1395,7 @@
+ CAP_IPC_LOCK, CAP_AUDIT_WRITE,
+ /* for google authenticator pam */
+ CAP_SETGID, CAP_SETUID,
++ CAP_DAC_READ_SEARCH,
+ -1);
+ /*
+ * We need to retain some capabilities for our children (updown):
diff --git a/SOURCES/libreswan-3.15-1283468-keyingtries.patch b/SOURCES/libreswan-3.15-1283468-keyingtries.patch
new file mode 100644
index 0000000..032e8a7
--- /dev/null
+++ b/SOURCES/libreswan-3.15-1283468-keyingtries.patch
@@ -0,0 +1,21 @@
+diff -Naur libreswan-3.15-orig/programs/pluto/timer.c libreswan-3.15/programs/pluto/timer.c
+--- libreswan-3.15-orig/programs/pluto/timer.c 2015-08-24 22:28:32.000000000 -0400
++++ libreswan-3.15/programs/pluto/timer.c 2016-06-14 11:02:52.232524053 -0400
+@@ -180,7 +180,7 @@
+ st->st_retransmit,
+ enum_show(&state_names, st->st_state),
+ details);
+- if (try != 0 && try <= try_limit) {
++ if (try != 0 && (try <= try_limit || try_limit == 0)) {
+ /*
+ * A lot like EVENT_SA_REPLACE, but over again.
+ * Since we know that st cannot be in use,
+@@ -296,7 +296,7 @@
+ details);
+ }
+
+- if (try != 0 && try <= try_limit) {
++ if (try != 0 && (try <= try_limit || try_limit == 0)) {
+ /*
+ * A lot like EVENT_SA_REPLACE, but over again.
+ * Since we know that st cannot be in use,
diff --git a/SOURCES/libreswan-3.15-1290907-configdir.patch b/SOURCES/libreswan-3.15-1290907-configdir.patch
new file mode 100644
index 0000000..79ea658
--- /dev/null
+++ b/SOURCES/libreswan-3.15-1290907-configdir.patch
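Review bot: `CAP_DAC_READ_SEARCH,` is added to the retained-capability list without the per-entry comment the neighbouring entries carry (`/* for google authenticator pam */`), and since that capability bypasses file read and directory search permission checks process-wide, the reason it is kept should be recorded next to it, e.g. `CAP_DAC_READ_SEARCH, /* <PLACEHOLDER: which file pluto must read that its uid cannot> */`. The context line that follows says some capabilities are also kept for the updown children; whether this one ends up in that set is outside the hunk and worth checking, because it would widen what those scripts can read. The enclosing function starts and ends outside the hunk.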
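Review bot: The same condition `try != 0 && (try <= try_limit || try_limit == 0)` now appears in both timer.c inner hunks, encoding "try_limit of 0 means retry without limit" twice without saying so anywhere; a short comment at each site, `/* keyingtries=0 means retry forever */`, or one shared helper keeps the two from drifting. Whether `try` can wrap when retries are unlimited depends on its type, which is declared outside the hunk, so that is only worth a glance. Both enclosing functions start and end outside the hunk.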
@@ -0,0 +1,63 @@
+diff -Naur libreswan-3.15-orig/programs/ipsec/ipsec.in libreswan-3.15/programs/ipsec/ipsec.in
+--- libreswan-3.15-orig/programs/ipsec/ipsec.in 2015-08-24 22:28:32.000000000 -0400
++++ libreswan-3.15/programs/ipsec/ipsec.in 2016-06-22 09:59:10.786787783 -0400
+@@ -212,18 +212,28 @@
+ ;;
+
+ import|--import)
+- if [ $(id -u) -ne 0 ]; then
+- echo "permision denied on nss operation (must be superuser)"
+- exit 4
++ if [ -n "${2}" ]; then
++ # A lot of nss commands use -d or --configdir to specify
++ # NSS db location. We use --ipsecdir so we are consistent
++ # with pluto options
++ if [ "${2}" = "-d" -o \
++ "${2}" = "--configdir" -o \
++ "${2}" = "--ipsecdir" ]
++ then
++ if [ -d "${3}" ]; then
++ IPSEC_NSSDIR="${3}"
++ else
++ echo "usage: ipsec import [--configdir|--ipsecdir /etc/ipsec.d] /path/to/pkcs.12" >&2
++ exit 1
++ fi
++ shift
++ shift
++ fi
++ IPSEC_NSSDIR_SQL="sql:${IPSEC_NSSDIR}"
+ fi
+- if [ -z "${2}" ]; then
+- echo "usage: ipsec import /path/to/pkcs.12" >&2
++ if [ -z "${2}" -o ! -f "${2}" ]; then
++ echo "usage: ipsec import [--configdir|--ipsecdir /etc/ipsec.d] /path/to/pkcs.12" >&2
+ exit 1
+- else
+- if [ ! -f "${2}" ]; then
+- echo "usage: ipsec import /path/to/pkcs.12" >&2
+- exit 1
+- fi
+ fi
+ pk12util -i "${2}" -d "${IPSEC_NSSDIR_SQL}"
+ # check and correct trust bits
+@@ -233,12 +243,17 @@
+ initnss|--initnss|checknss|--checknss)
+ if [ -n "${2}" ]; then
+ # A lot of nss commands use -d or --configdir to specify
+- # NSS db location
+- if [ "${2}" = "-d" -o "${2}" = "--configdir" ]; then
++ # NSS db location. We use --ipsecdir so we are consistent
++ # with pluto options
++ if [ "${2}" = "-d" -o \
++ "${2}" = "--configdir" -o \
++ "${2}" = "--ipsecdir" ]
++ then
+ IPSEC_NSSDIR="${3}"
+- else
++ else
+ IPSEC_NSSDIR="${2}"
+ fi
++ IPSEC_NSSDIR_SQL="sql:${IPSEC_NSSDIR}"
+ fi
+ if [ ! -d "${IPSEC_NSSDIR}" ]; then
+ mkdir -p "${IPSEC_NSSDIR}"
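Review bot: The `import` branch's first inner hunk removes the superuser check (`if [ $(id -u) -ne 0 ]` through `exit 4`) in the same change that adds `--configdir`/`--ipsecdir` parsing, and nothing in the hunk records why the check is no longer wanted; if the intent is that `pk12util` will itself fail on a database the caller cannot write, a one-line comment at the top of the branch saying so would keep the privilege change from looking accidental. The new test `[ -z "${2}" -o ! -f "${2}" ]` and the `-o \` chains rely on the obsolescent binary `-o` operator; `[ -z "${2}" ] || [ ! -f "${2}" ]` is the portable spelling. In the `initnss` branch, `IPSEC_NSSDIR="${3}"` is taken without the `-d` validation the `import` branch now performs, so an option given as the last argument presumably leaves `IPSEC_NSSDIR` empty for the `mkdir -p` that follows. Both case branches continue outside the hunk.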
diff --git a/SOURCES/libreswan-3.15-1297816-nonce-dcookies.patch b/SOURCES/libreswan-3.15-1297816-nonce-dcookies.patch
new file mode 100644
index 0000000..e62bac5
--- /dev/null
+++ b/SOURCES/libreswan-3.15-1297816-nonce-dcookies.patch
@@ -0,0 +1,358 @@ +diff -Naur libreswan-3.15-orig/include/ietf_constants.h libreswan-3.15/include/ietf_constants.h +--- libreswan-3.15-orig/include/ietf_constants.h 2015-08-24 22:28:32.000000000 -0400 ++++ libreswan-3.15/include/ietf_constants.h 2016-06-14 11:36:09.865743133 -0400 +@@ -270,10 +270,29 @@ + + #define LOCALSECRETSIZE BYTES_FOR_BITS(256) + +-/* limits on nonce sizes. See RFC2409 "The internet key exchange (IKE)" 5 */ +-#define MINIMUM_NONCE_SIZE 8 /* bytes */ +-#define DEFAULT_NONCE_SIZE 16 /* bytes */ +-#define MAXIMUM_NONCE_SIZE 256 /* bytes */ ++ ++/* Limits on nonce sizes */ ++ ++/* ++ * IKEv1 RFC-2409: ++ * The length of nonce payload MUST be between 8 and 256 bytes inclusive. ++ */ ++#define IKEv1_MINIMUM_NONCE_SIZE 8 /* bytes */ ++#define IKEv1_MAXIMUM_NONCE_SIZE 256 /* bytes */ ++ ++/* ++ * IKEv2 RFC-7296: ++ * Nonces used in IKEv2 MUST be randomly chosen, MUST be at least 128 bits ++ * in size, and MUST be at least half the key size of the negotiated ++ * pseudorandom function (PRF). However, the initiator chooses the nonce ++ * before the outcome of the negotiation is known. Because of that, the ++ * nonce has to be long enough for all the PRFs being proposed. 
++ */ ++#define IKEv2_MINIMUM_NONCE_SIZE 16 /* bytes */ ++#define IKEv2_MAXIMUM_NONCE_SIZE 256 /* bytes */ ++ ++/* Default is based on minimum IKEv2 requirement */ ++#define DEFAULT_NONCE_SIZE 32 /* bytes */ + + #define COOKIE_SIZE 8 + #define MAX_ISAKMP_SPI_SIZE 16 +diff -Naur libreswan-3.15-orig/include/pluto_constants.h libreswan-3.15/include/pluto_constants.h +--- libreswan-3.15-orig/include/pluto_constants.h 2015-08-24 22:28:32.000000000 -0400 ++++ libreswan-3.15/include/pluto_constants.h 2016-06-14 11:36:09.865743133 -0400 +@@ -260,6 +260,7 @@ + IMPAIR_FORCE_FIPS_IX, /* causes pluto to believe we are in fips mode, NSS needs its own hack */ + IMPAIR_SEND_KEY_SIZE_CHECK_IX, /* causes pluto to omit checking configured ESP key sizes for testing */ + IMPAIR_SEND_ZERO_GX_IX, /* causes pluto to send a g^x that is zero, breaking DH calculation */ ++ IMPAIR_SEND_BOGUS_DCOOKIE_IX, /* causes pluto to send a a bogus IKEv2 DCOOKIE */ + IMPAIR_roof_IX /* first unassigned IMPAIR */ + }; + +@@ -304,6 +305,7 @@ + #define IMPAIR_FORCE_FIPS LELEM(IMPAIR_FORCE_FIPS_IX) + #define IMPAIR_SEND_KEY_SIZE_CHECK LELEM(IMPAIR_SEND_KEY_SIZE_CHECK_IX) + #define IMPAIR_SEND_ZERO_GX LELEM(IMPAIR_SEND_ZERO_GX_IX) ++#define IMPAIR_SEND_BOGUS_DCOOKIE LELEM(IMPAIR_SEND_BOGUS_DCOOKIE_IX) + + /* State of exchanges + * +diff -Naur libreswan-3.15-orig/lib/libswan/constants.c libreswan-3.15/lib/libswan/constants.c +--- libreswan-3.15-orig/lib/libswan/constants.c 2015-08-24 22:28:32.000000000 -0400 ++++ libreswan-3.15/lib/libswan/constants.c 2016-06-14 11:36:09.866743168 -0400 +@@ -196,6 +196,7 @@ + "impair-force-fips", + "impair-send-key-size-check", + "impair-send-zero-gx", ++ "impair-send-bogus-dcookie", + NULL /* termination for bitnamesof() */ + }; + +diff -Naur libreswan-3.15-orig/programs/pluto/ikev1_main.c libreswan-3.15/programs/pluto/ikev1_main.c +--- libreswan-3.15-orig/programs/pluto/ikev1_main.c 2016-06-14 11:35:30.808370130 -0400 ++++ libreswan-3.15/programs/pluto/ikev1_main.c 
2016-06-14 11:36:09.867743203 -0400 +@@ -492,9 +492,9 @@ + pb_stream *nonce_pbs = &md->chain[ISAKMP_NEXT_NONCE]->pbs; + size_t len = pbs_left(nonce_pbs); + +- if (len < MINIMUM_NONCE_SIZE || MAXIMUM_NONCE_SIZE < len) { ++ if (len < IKEv1_MINIMUM_NONCE_SIZE || IKEv1_MAXIMUM_NONCE_SIZE < len) { + loglog(RC_LOG_SERIOUS, "%s length not between %d and %d", +- name, MINIMUM_NONCE_SIZE, MAXIMUM_NONCE_SIZE); ++ name, IKEv1_MINIMUM_NONCE_SIZE, IKEv1_MAXIMUM_NONCE_SIZE); + return PAYLOAD_MALFORMED; /* ??? */ + } + clonereplacechunk(*dest, nonce_pbs->cur, len, "nonce"); +diff -Naur libreswan-3.15-orig/programs/pluto/ikev2.c libreswan-3.15/programs/pluto/ikev2.c +--- libreswan-3.15-orig/programs/pluto/ikev2.c 2015-08-24 22:28:32.000000000 -0400 ++++ libreswan-3.15/programs/pluto/ikev2.c 2016-06-14 11:36:09.868743239 -0400 +@@ -1856,9 +1856,22 @@ + nonce_pbs = &md->chain[ISAKMP_NEXT_v2Ni]->pbs; + len = pbs_left(nonce_pbs); + +- if (len < MINIMUM_NONCE_SIZE || MAXIMUM_NONCE_SIZE < len) { +- loglog(RC_LOG_SERIOUS, "%s length not between %d and %d", +- name, MINIMUM_NONCE_SIZE, MAXIMUM_NONCE_SIZE); ++ /* ++ * RFC 7296 Section 2.10: ++ * Nonces used in IKEv2 MUST be randomly chosen, MUST be at least 128 ++ * bits in size, and MUST be at least half the key size of the ++ * negotiated pseudorandom function (PRF). However, the initiator ++ * chooses the nonce before the outcome of the negotiation is known. ++ * Because of that, the nonce has to be long enough for all the PRFs ++ * being proposed. ++ * ++ * We will check for a minimum/maximum here. Once the PRF is selected, ++ * we verify the nonce is big enough. ++ */ ++ ++ if (len < IKEv2_MINIMUM_NONCE_SIZE || len > IKEv2_MAXIMUM_NONCE_SIZE) { ++ loglog(RC_LOG_SERIOUS, "%s length %zu not between %d and %d", ++ name, len, IKEv2_MINIMUM_NONCE_SIZE, IKEv2_MAXIMUM_NONCE_SIZE); + return v2N_INVALID_SYNTAX; /* ??? 
*/ + } + clonereplacechunk(*dest, nonce_pbs->cur, len, "nonce"); +diff -Naur libreswan-3.15-orig/programs/pluto/ikev2_parent.c libreswan-3.15/programs/pluto/ikev2_parent.c +--- libreswan-3.15-orig/programs/pluto/ikev2_parent.c 2016-06-14 11:35:30.801369884 -0400 ++++ libreswan-3.15/programs/pluto/ikev2_parent.c 2016-06-14 12:09:35.881321956 -0400 +@@ -102,7 +102,7 @@ + static stf_status ikev2_parent_outI1_tail(struct pluto_crypto_req_cont *ke, + struct pluto_crypto_req *r); + +-static bool ikev2_get_dcookie(u_char *dcookie, chunk_t st_ni, ++static void ikev2_get_dcookie(u_char *dcookie, chunk_t st_ni, + ip_address *addr, chunk_t spiI); + + static stf_status ikev2_parent_outI1_common(struct msg_digest *md, +@@ -426,6 +426,15 @@ + init_out_pbs(&reply_stream, reply_buffer, sizeof(reply_buffer), + "reply packet"); + ++ if (DBGP(IMPAIR_SEND_BOGUS_DCOOKIE)) { ++ /* add or mangle a dcookie so what we will send is bogus */ ++ DBG_log("Mangling dcookie because --impair-send-bogus-dcookie is set"); ++ freeanychunk(st->st_dcookie); ++ st->st_dcookie.ptr = alloc_bytes(1, "mangled dcookie"); ++ st->st_dcookie.len = 1; ++ messupn(st->st_dcookie.ptr, 1); ++ } ++ + /* HDR out */ + { + struct isakmp_hdr hdr; +@@ -434,7 +443,7 @@ + /* Impair function will raise major/minor by 1 for testing */ + hdr.isa_version = build_ikev2_version(); + +- hdr.isa_np = st->st_dcookie.ptr != NULL? ++ hdr.isa_np = st->st_dcookie.ptr != NULL ? 
+ ISAKMP_NEXT_v2N : ISAKMP_NEXT_v2SA; + hdr.isa_xchg = ISAKMP_v2_SA_INIT; + /* add original initiator flag - version flag could be set */ +@@ -615,13 +624,36 @@ + + stf_status ikev2parent_inI1outR1(struct msg_digest *md) + { ++ bool seen_dcookie = FALSE; ++ bool require_dcookie = require_ddos_cookies(); ++ struct payload_digest *ntfy; ++ + if (drop_new_exchanges()) { + /* only log for debug to prevent disk filling up */ + DBG(DBG_CONTROL,DBG_log("pluto is overloaded with half-open IKE SAs - dropping IKE_INIT request")); + return STF_IGNORE; + } + +- if (require_ddos_cookies()) { ++ /* Did we receive a DCOOKIE? */ ++ for (ntfy = md->chain[ISAKMP_NEXT_v2N]; ntfy != NULL; ntfy = ntfy->next) { ++ switch (ntfy->payload.v2n.isan_type) { ++ case v2N_COOKIE: ++ DBG(DBG_CONTROLMORE, DBG_log("Received a NOTIFY payload of type COOKIE - we will verify the COOKIE")); ++ seen_dcookie = TRUE; ++ break; ++ default: ++ DBG(DBG_CONTROLMORE, DBG_log("Received unauthenticated %s notify - ignored", ++ enum_name(&ikev2_notify_names, ++ ntfy->payload.v2n.isan_type))); ++ } ++ } ++ ++ /* ++ * The RFC states we should ignore unexpected cookies. We purposefully ++ * violate the RFC and validate the cookie anyway. This prevents an ++ * attacker from being able to inject a lot of data used later to HMAC ++ */ ++ if (seen_dcookie || require_dcookie) { + u_char dcookie[SHA1_DIGEST_SIZE]; + chunk_t dc, ni, spiI; + +@@ -635,7 +667,12 @@ + * size of the negotiated pseudorandom function (PRF). + * (We can check for minimum 128bit length) + */ +- if (ni.len < BYTES_FOR_BITS(128)) { ++ /* ++ * XXX: Note that we check the nonce size in accept_v2_nonce() so this ++ * check is extra. I guess since we need to extract the nonce to calculate ++ * the cookie, it is cheap to check here and reject. ++ */ ++ if (ni.len < IKEv2_MINIMUM_NONCE_SIZE || IKEv2_MAXIMUM_NONCE_SIZE < ni.len) { + /* + * If this were a DDOS, we cannot afford to log. + * We do log if we are debugging. 
+@@ -646,11 +683,10 @@ + + ikev2_get_dcookie(dcookie, ni, &md->sender, spiI); + dc.ptr = dcookie; +- dc.len = SHA1_DIGEST_SIZE; +- ++ dc.len = SHA2_256_DIGEST_SIZE; ++ + /* check a v2N payload with type COOKIE */ +- if (md->chain[ISAKMP_NEXT_v2N] != NULL && +- md->chain[ISAKMP_NEXT_v2N]->payload.v2n.isan_type == v2N_COOKIE) { ++ if (seen_dcookie) { + const pb_stream *dc_pbs; + chunk_t idc; + +@@ -670,19 +706,19 @@ + DBG(DBG_CONTROLMORE, + DBG_dump_chunk("received dcookie", idc); + DBG_dump("dcookie computed", dcookie, +- SHA1_DIGEST_SIZE)); ++ SHA2_256_DIGEST_SIZE)); + +- if (idc.len != SHA1_DIGEST_SIZE || +- !memeq(idc.ptr, dcookie, SHA1_DIGEST_SIZE)) { ++ if (idc.len != SHA2_256_DIGEST_SIZE || ++ !memeq(idc.ptr, dcookie, SHA2_256_DIGEST_SIZE)) { + DBG(DBG_CONTROLMORE, DBG_log( +- "mismatch in DOS v2N_COOKIE: dropping message (possible DoS attack)" ++ "mismatch in DOS v2N_COOKIE: dropping message (possible attack)" + )); + return STF_IGNORE; + } + DBG(DBG_CONTROLMORE, DBG_log( + "dcookie received matched computed one")); + } else { +- /* we are under DOS attack I1 contains no DOS COOKIE */ ++ /* we are under DOS attack I1 contains no COOKIE */ + DBG(DBG_CONTROLMORE, + DBG_log("busy mode on. 
received I1 without a valid dcookie"); + DBG_log("send a dcookie and forget this state")); +@@ -691,7 +727,7 @@ + } + } else { + DBG(DBG_CONTROLMORE, +- DBG_log("anti-DDoS cookies not required")); ++ DBG_log("anti-DDoS cookies not required (and no cookie received)")); + } + + /* authentication policy alternatives in order of decreasing preference */ +@@ -1534,6 +1570,14 @@ + integ_start, integ_size)); + } + ++ if (DBGP(IMPAIR_SEND_BOGUS_DCOOKIE)) { ++ /* add or mangle a dcookie so what we will send is bogus */ ++ DBG_log("Mangling dcookie because --impair-send-bogus-dcookie is set"); ++ freeanychunk(st->st_dcookie); ++ st->st_dcookie.ptr = alloc_bytes(1, "mangled dcookie"); ++ st->st_dcookie.len = 1; ++ messupn(st->st_dcookie.ptr, 1); ++ } + + return STF_OK; + } +@@ -3479,45 +3523,38 @@ + + /* + * Cookie = | Hash(Ni | IPi | SPIi | ) +- * where is a randomly generated secret known only to the +- * in LSW implementation is not used. ++ * where is a randomly generated secret known only to us ++ * ++ * Our implementation does not use which means ++ * once a day and while under DOS attack, we could fail a few cookies ++ * until the peer restarts from scratch. 
+ */ +-static bool ikev2_get_dcookie(u_char *dcookie, chunk_t ni, ++static void ikev2_get_dcookie(u_char *dcookie, chunk_t ni, + ip_address *addr, chunk_t spiI) + { + size_t addr_length; +- SHA1_CTX ctx_sha1; ++ sha256_context ctx_sha256; + unsigned char addr_buff[ + sizeof(union { struct in_addr A; + struct in6_addr B; + })]; + + addr_length = addrbytesof(addr, addr_buff, sizeof(addr_buff)); +- SHA1Init(&ctx_sha1); +- SHA1Update(&ctx_sha1, ni.ptr, ni.len); +- SHA1Update(&ctx_sha1, addr_buff, addr_length); +- SHA1Update(&ctx_sha1, spiI.ptr, spiI.len); +- SHA1Update(&ctx_sha1, ikev2_secret_of_the_day, +- SHA1_DIGEST_SIZE); +- SHA1Final(dcookie, &ctx_sha1); ++ sha256_init(&ctx_sha256); ++ sha256_write(&ctx_sha256, ni.ptr, ni.len); ++ sha256_write(&ctx_sha256, addr_buff, addr_length); ++ sha256_write(&ctx_sha256, spiI.ptr, spiI.len); ++ sha256_write(&ctx_sha256, ikev2_secret_of_the_day, ++ SHA2_256_DIGEST_SIZE); ++ sha256_final(dcookie, &ctx_sha256); + DBG(DBG_PRIVATE, + DBG_log("ikev2 secret_of_the_day used %s, length %d", + ikev2_secret_of_the_day, +- SHA1_DIGEST_SIZE)); ++ SHA2_256_DIGEST_SIZE)); + + DBG(DBG_CRYPT, + DBG_dump("computed dcookie: HASH(Ni | IPi | SPIi | )", +- dcookie, SHA1_DIGEST_SIZE)); +-#if 0 +- ikev2_secrets_recycle++; +- if (ikev2_secrets_recycle >= 32768) { +- /* handed out too many cookies, cycle secrets */ +- ikev2_secrets_recycle = 0; +- /* can we call init_secrets() without adding an EVENT? 
*/ +- init_secrets(); +- } +-#endif +- return TRUE; ++ dcookie, SHA2_256_DIGEST_SIZE)); + } + + /* +diff -Naur libreswan-3.15-orig/programs/pluto/plutomain.c libreswan-3.15/programs/pluto/plutomain.c +--- libreswan-3.15-orig/programs/pluto/plutomain.c 2015-08-24 22:28:32.000000000 -0400 ++++ libreswan-3.15/programs/pluto/plutomain.c 2016-06-14 11:36:09.872743379 -0400 +@@ -571,6 +571,7 @@ + I("send-no-ikev2-auth\0", IMPAIR_SEND_NO_IKEV2_AUTH_IX), + I("force-fips\0", IMPAIR_FORCE_FIPS_IX), + I("send-zero-gx\0", IMPAIR_SEND_ZERO_GX_IX), ++ I("send-bogus-dcookie\0", IMPAIR_SEND_BOGUS_DCOOKIE_IX), + #undef I + { 0, 0, 0, 0 } + }; +@@ -1564,6 +1565,8 @@ + libreswan_log("Warning: IMPAIR_SEND_NO_IKEV2_AUTH enabled"); + if (DBGP(IMPAIR_SEND_ZERO_GX)) + libreswan_log("Warning: IMPAIR_SEND_ZERO_GX enabled"); ++ if (DBGP(IMPAIR_SEND_BOGUS_DCOOKIE)) ++ libreswan_log("Warning: IMPAIR_SEND_BOGUS_DCOOKIE enabled"); + + /* Initialize all of the various features */ + +diff -Naur libreswan-3.15-orig/programs/pluto/whack.c libreswan-3.15/programs/pluto/whack.c +--- libreswan-3.15-orig/programs/pluto/whack.c 2015-08-24 22:28:32.000000000 -0400 ++++ libreswan-3.15/programs/pluto/whack.c 2016-06-14 11:36:09.872743379 -0400 +@@ -701,6 +701,8 @@ + IMPAIR_SEND_KEY_SIZE_CHECK_IX + DO }, + { "impair-send-zero-gx", no_argument, NULL, + IMPAIR_SEND_ZERO_GX_IX + DO }, ++ { "impair-send-bogus-dcookie", no_argument, NULL, ++ IMPAIR_SEND_BOGUS_DCOOKIE_IX + DO }, + # undef DO + { "whackrecord", required_argument, NULL, OPT_WHACKRECORD + OO }, + { "whackstoprecord", no_argument, NULL, OPT_WHACKSTOPRECORD + OO }, diff --git a/SOURCES/libreswan-3.15-1302778.fipslist.patch b/SOURCES/libreswan-3.15-1302778.fipslist.patch new file mode 100644 index 0000000..b74dd3a --- /dev/null +++ b/SOURCES/libreswan-3.15-1302778.fipslist.patch 
@@ -0,0 +1,13 @@
+diff -Naur libreswan-3.15-orig/programs/pluto/fips.h libreswan-3.15/programs/pluto/fips.h
+--- libreswan-3.15-orig/programs/pluto/fips.h 2016-06-14 15:38:16.662610551 -0400
++++ libreswan-3.15/programs/pluto/fips.h 2016-06-14 15:40:22.581887678 -0400
+@@ -31,7 +31,9 @@
+ IPSEC_EXECDIR "/ikeping",
+ IPSEC_EXECDIR "/readwriteconf",
+ IPSEC_EXECDIR "/_keycensor",
++ IPSEC_EXECDIR "/_import_crl",
+ IPSEC_EXECDIR "/look",
++ IPSEC_EXECDIR "/cavp",
+ IPSEC_EXECDIR "/newhostkey",
+ IPSEC_EXECDIR "/_plutorun",
+ IPSEC_EXECDIR "/_secretcensor",
diff --git a/SOURCES/libreswan-3.15-1309764-barf.patch b/SOURCES/libreswan-3.15-1309764-barf.patch
new file mode 100644
index 0000000..347c724
--- /dev/null
+++ b/SOURCES/libreswan-3.15-1309764-barf.patch
@@ -0,0 +1,102 @@ +diff -Naur libreswan-3.15-orig/programs/barf/barf.in libreswan-3.15/programs/barf/barf.in +--- libreswan-3.15-orig/programs/barf/barf.in 2015-08-24 22:28:32.000000000 -0400 ++++ libreswan-3.15/programs/barf/barf.in 2016-09-04 23:25:03.457442558 -0400 +@@ -97,22 +97,25 @@ + findlog_startline=1 # arbitrary + } + +-# try to guess where logs are +-findlog "$fstart" "klips" messages syslog auth.log daemon.log +-if test " $findlog_file" = " /dev/null" ++if test ! -x /usr/bin/journalctl + then +-echo "Unable to find KLIPS messages, typically found in /var/log/messages or equivalent. You may need to run Libreswan for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration." +-fi +-klog=$findlog_file +-kline=$findlog_startline ++ # no systemd, need to figure out log file location ++ findlog "$fstart" "klips" messages syslog auth.log daemon.log ++ if test " $findlog_file" = " /dev/null" ++ then ++ echo "Unable to find KLIPS messages, typically found in /var/log/messages or equivalent. You may need to run Libreswan for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration." ++ fi ++ klog=$findlog_file ++ kline=$findlog_startline + +-findlog "$pstart" "Pluto" secure auth.log daemon.log debug +-if test " $findlog_file" = " /dev/null" +-then +-echo "Unable to find Pluto messages, typically found in /var/log/secure or equivalent. You may need to run Libreswan for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration." ++ findlog "$pstart" "Pluto" secure auth.log daemon.log debug ++ if test " $findlog_file" = " /dev/null" ++ then ++ echo "Unable to find Pluto messages, typically found in /var/log/secure or equivalent. 
You may need to run Libreswan for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration." ++ fi ++ plog=$findlog_file ++ pline=$findlog_startline + fi +-plog=$findlog_file +-pline=$findlog_startline + + # /lib/modules examiner + modulegoo() { +@@ -394,18 +397,22 @@ + tail -100 $LOGS/kern.debug + fi + _________________________ klog +-sed -n $kline,'$'p $klog | +- egrep -i 'ipsec|klips|pluto' | +- case "$1" in +- --short) tail -500 ;; +- *) cat ;; +- esac ++dmesg | egrep -i "klips|ipsec" + _________________________ plog +-sed -n $pline,'$'p $plog | +- egrep -i 'pluto' | +- case "$1" in +- --short) tail -500 ;; +- *) cat ;; +- esac ++if test -x /usr/bin/journalctl ++then ++ journalctl -u ipsec.service --no-pager --since "1 hour ago" | ++ case "$1" in ++ --short) tail -500 ;; ++ *) cat ;; ++ esac ++else ++ sed -n $pline,'$'p $plog | ++ egrep -i 'pluto' | ++ case "$1" in ++ --short) tail -500 ;; ++ *) cat ;; ++ esac ++fi + _________________________ date + date +diff -Naur libreswan-3.15-orig/programs/barf/ipsec_barf.8.xml libreswan-3.15/programs/barf/ipsec_barf.8.xml +--- libreswan-3.15-orig/programs/barf/ipsec_barf.8.xml 2015-08-24 22:28:32.000000000 -0400 ++++ libreswan-3.15/programs/barf/ipsec_barf.8.xml 2016-09-04 23:22:39.743238821 -0400 +@@ -9,7 +9,7 @@ + + IPSEC_BARF + 8 +-17 March 2002 ++4 September 2016 + libreswan + Executable programs + +@@ -50,6 +50,12 @@ + currently netstat -rn. Useful on boxes where the routing + table is thousands of lines long. Default is 100. + ++On systems with systemd, ipsec barf will look for logs ++using the journalctl command. ++ ++If the logfile= option is used, logs will also not be found ++by the ipsec barf command. ++ + Barf + censors its output, + replacing keys diff --git a/SOURCES/libreswan-3.15-1313747-ipsec-man.patch b/SOURCES/libreswan-3.15-1313747-ipsec-man.patch new file mode 100644 index 0000000..940dcec --- /dev/null 
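Review bot: In the `@@ -394,18 +397,22 @@` hunk the klog section now runs `dmesg | egrep -i "klips|ipsec"` unconditionally, so the `klog=$findlog_file` and `kline=$findlog_startline` assignments kept in the non-journalctl branch of the first hunk are dead, and the klog output no longer honours `--short` (the `case "$1" in --short) tail -500` filter survives only for plog). Either drop the two dead assignments, or keep the `sed -n $kline,'$'p $klog` pipeline as the else-branch of the same `test -x /usr/bin/journalctl` check that plog uses, and re-apply the `--short` tail to the dmesg output. The journalctl branch also replaces the `$pstart`-anchored window with `--since "1 hour ago"`, which the text added to ipsec_barf.8.xml in this patch does not mention and a user reading an empty plog section would want to know. The script continues outside both hunks.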
+++ b/SOURCES/libreswan-3.15-1313747-ipsec-man.patch @@ -0,0 +1,21 @@ +diff -Naur libreswan-3.15-orig/programs/ipsec/ipsec.8.xml libreswan-3.15/programs/ipsec/ipsec.8.xml +--- libreswan-3.15-orig/programs/ipsec/ipsec.8.xml 2015-08-24 22:28:32.000000000 -0400 ++++ libreswan-3.15/programs/ipsec/ipsec.8.xml 2016-06-14 15:32:35.907563449 -0400 +@@ -90,8 +90,16 @@ + + + ++RETURN CODE ++The ipsec command passes the return code of the sub-command ++back to the caller. The only exception is when ipsec pluto ++is used without --nofork, as it will fork into the background ++and the ipsec command returns success while the pluto daemon ++may in fact exit with an error code after the fork. ++ ++ + FILES +-/usr/local/libexec/ipsec usual utilities directory ++/usr/libexec/ipsec is the usual utilities directory + + + SEE ALSO diff --git a/SOURCES/libreswan-3.15-1315412-crl-manpage.patch b/SOURCES/libreswan-3.15-1315412-crl-manpage.patch new file mode 100644 index 0000000..b7ea066 --- /dev/null +++ b/SOURCES/libreswan-3.15-1315412-crl-manpage.patch @@ -0,0 +1,19 @@ +diff -Naur libreswan-3.15-orig/programs/configs/d.ipsec.conf/strictcrlpolicy.xml libreswan-3.15/programs/configs/d.ipsec.conf/strictcrlpolicy.xml +--- libreswan-3.15-orig/programs/configs/d.ipsec.conf/strictcrlpolicy.xml 2015-08-25 05:28:32.000000000 +0300 ++++ libreswan-3.15/programs/configs/d.ipsec.conf/strictcrlpolicy.xml 2016-07-02 23:35:49.908711469 +0300 +@@ -1,5 +1,5 @@ + +- strictcrlpolicy ++ crl-strict + + if not set, pluto is tolerant about missing or expired X.509 Certificate + Revocation Lists (CRL's), and will allow peer certificates as long as they +@@ -10,7 +10,7 @@ + entire VPN server will be dead in the water until a new CRL is manually + transferred to the machine (if it allows non-IPsec connections). + Acceptable values are yes or no +-(the default). ++(the default). This option used to be called strictcrlpolicy= + + + 
diff --git a/SOURCES/libreswan-3.15-1344567-ikev1-retransmit.patch b/SOURCES/libreswan-3.15-1344567-ikev1-retransmit.patch new file mode 100644 index 0000000..15aa720 --- /dev/null +++ b/SOURCES/libreswan-3.15-1344567-ikev1-retransmit.patch @@ -0,0 +1,36 @@ +diff -Naur libreswan-3.15-orig/programs/pluto/ikev1.c libreswan-3.15/programs/pluto/ikev1.c +--- libreswan-3.15-orig/programs/pluto/ikev1.c 2015-08-24 22:28:32.000000000 -0400 ++++ libreswan-3.15/programs/pluto/ikev1.c 2016-06-14 15:13:52.309906626 -0400 +@@ -245,7 +245,7 @@ + { STATE_MAIN_R0, STATE_MAIN_R1, + SMF_ALL_AUTH | SMF_REPLY, + P(SA), P(VID) | P(CR), PT(NONE), +- EVENT_v1_RETRANSMIT, main_inI1_outR1 }, ++ EVENT_SA_REPLACE, main_inI1_outR1 }, + + /* STATE_MAIN_I1: R1 --> I2 + * HDR, SA --> auth dependent +@@ -394,7 +394,7 @@ + { STATE_AGGR_R0, STATE_AGGR_R1, + SMF_PSK_AUTH | SMF_DS_AUTH | SMF_REPLY, + P(SA) | P(KE) | P(NONCE) | P(ID), P(VID) | P(NATD_RFC), PT(NONE), +- EVENT_v1_RETRANSMIT, aggr_inI1_outR1 }, ++ EVENT_SA_REPLACE, aggr_inI1_outR1 }, + + /* STATE_AGGR_I1: + * SMF_PSK_AUTH: HDR, SA, KE, Nr, IDir, HASH_R +@@ -571,12 +571,12 @@ + { STATE_XAUTH_I0, STATE_XAUTH_I1, + SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2, + P(MCFG_ATTR) | P(HASH), P(VID), PT(HASH), +- EVENT_SA_REPLACE, xauth_inI0 }, ++ EVENT_v1_RETRANSMIT, xauth_inI0 }, + + { STATE_XAUTH_I1, STATE_MAIN_I4, + SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY | SMF_RELEASE_PENDING_P2, + P(MCFG_ATTR) | P(HASH), P(VID), PT(HASH), +- EVENT_SA_REPLACE, xauth_inI1 }, ++ EVENT_v1_RETRANSMIT, xauth_inI1 }, + + #undef P + #undef PT diff --git a/SOURCES/libreswan-3.15-1347735-multicrl.patch b/SOURCES/libreswan-3.15-1347735-multicrl.patch new file mode 100644 index 0000000..532fe30 --- /dev/null +++ b/SOURCES/libreswan-3.15-1347735-multicrl.patch 
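Review bot: The three state-table entries are changed without a comment saying why, and the spec changelog ties this patch to CVE-2016-5361, so a later reader of ikev1.c will not see the rationale. Above the STATE_MAIN_R0 entry I would add `/* No timer-driven retransmit of R1: the initiator's address is still unverified here, so retransmitting to it would amplify a spoofed I1; a peer that wants R1 again resends I1 (see CVE-2016-5361) */`, and the same note at the STATE_AGGR_R0 entry. The STATE_XAUTH_I0/I1 changes go the other way (EVENT_SA_REPLACE to EVENT_v1_RETRANSMIT) and look like a separate behaviour fix bundled into the same patch; a one-line comment on those two entries saying what they fix would keep them from being reverted together with the R1 change. The state table starts and ends outside these hunks.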
@@ -0,0 +1,69 @@ +diff -Naur libreswan-3.15-orig/programs/pluto/x509.c libreswan-3.15/programs/pluto/x509.c +--- libreswan-3.15-orig/programs/pluto/x509.c 2015-08-24 22:28:32.000000000 -0400 ++++ libreswan-3.15/programs/pluto/x509.c 2016-06-23 15:54:33.992702860 -0400 +@@ -423,9 +423,6 @@ + generalName_t *gndp_from_nss_cert(CERTCertificate *cert) + { + SECItem crlval; +- CERTCrlDistributionPoints *dps = NULL; +- CRLDistributionPoint *point = NULL; +- generalName_t *gndp = NULL; + + if (cert == NULL) + return NULL; +@@ -437,25 +434,45 @@ + return NULL; + } + +- if ((dps = CERT_DecodeCRLDistributionPoints(cert->arena, +- &crlval)) == NULL) { ++ CERTCrlDistributionPoints *dps = CERT_DecodeCRLDistributionPoints(cert->arena, &crlval); ++ ++ if (dps == NULL) { + DBG(DBG_X509, + DBG_log("could not decode distribution points ext %d", + PORT_GetError())); + return NULL; + } + +- /* some common code, refactor */ +- point = dps->distPoints[0]; ++ CRLDistributionPoint **points = dps->distPoints; ++ generalName_t *gndp_list = NULL; + +- if (point != NULL && point->distPointType == generalName && +- point->distPoint.fullName != NULL && +- point->distPoint.fullName->type == certURI) { +- gndp = alloc_thing(generalName_t, "converted gn"); +- convert_nss_gn_to_pluto_gn(point->distPoint.fullName, gndp); ++ /* Certificate can have multiple distribution points */ ++ for (; points != NULL && *points != NULL; points++) { ++ CRLDistributionPoint *point = *points; ++ ++ if (point->distPointType == generalName && ++ point->distPoint.fullName != NULL) { ++ CERTGeneralName *first_name, *name; ++ ++ /* Each point is a linked list. 
*/ ++ first_name = name = point->distPoint.fullName; ++ do { ++ if (name->type == certURI) { ++ generalName_t *gndp; ++ ++ /* Add single point to return list */ ++ gndp = alloc_thing(generalName_t, ++ "converted gn"); ++ convert_nss_gn_to_pluto_gn(name, gndp); ++ gndp->next = gndp_list; ++ gndp_list = gndp; ++ } ++ name = CERT_GetNextGeneralName(name); ++ } while (name != NULL && name != first_name); ++ } + } + +- return gndp; ++ return gndp_list; + } + + char *find_dercrl_uri(chunk_t *dercrl) diff --git a/SOURCES/libreswan-3.15-1361721-delete.patch b/SOURCES/libreswan-3.15-1361721-delete.patch new file mode 100644 index 0000000..fcba308 --- /dev/null +++ b/SOURCES/libreswan-3.15-1361721-delete.patch 
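Review bot: gndp_from_nss_cert() now builds its result by prepending (`gndp->next = gndp_list; gndp_list = gndp;`), so the returned list is in the reverse of the certificate's distribution-point order, whereas the old code returned only `distPoints[0]`; callers that fetch CRLs presumably try the list head first. If the certificate's order should be honoured, append instead, otherwise document it at the return: `/* gndp_list is in reverse DP order: the last URI in the certificate is first */`. The loop itself reads correctly: the `name != first_name` guard terminates the circular CERT_GetNextGeneralName() walk and `*points != NULL` terminates the distPoints array. Note that `dps`, `points` and `gndp_list` are now declared after statements, which needs C99; fine if the tree already builds that way. The function's head is in the previous hunk and only its tail is here.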
@@ -0,0 +1,47 @@ +diff -Naur libreswan-3.15-orig/include/pluto_constants.h libreswan-3.15/include/pluto_constants.h +--- libreswan-3.15-orig/include/pluto_constants.h 2016-09-06 22:44:24.279780559 -0400 ++++ libreswan-3.15/include/pluto_constants.h 2016-09-06 22:47:42.345765986 -0400 +@@ -138,7 +138,7 @@ + + #define RETRANSMIT_TIMEOUT_DEFAULT 60 /* seconds */ + #define RETRANSMIT_INTERVAL_DEFAULT 500 /* wait time doubled each retransmit - in milliseconds */ +-#define DELETE_SA_DELAY RETRANSMIT_TIMEOUT_DEFAULT /* wait until the other side giveup on us */ ++#define DELETE_SA_DELAY 20 /* seconds */ + #define EVENT_CRYPTO_FAILED_DELAY RETRANSMIT_TIMEOUT_DEFAULT /* wait till the other side give up on us */ + + /* +diff -Naur libreswan-3.15-orig/programs/pluto/ikev1_main.c libreswan-3.15/programs/pluto/ikev1_main.c +--- libreswan-3.15-orig/programs/pluto/ikev1_main.c 2016-09-06 22:44:24.280780554 -0400 ++++ libreswan-3.15/programs/pluto/ikev1_main.c 2016-09-06 22:47:09.165935946 -0400 +@@ -3046,15 +3046,15 @@ + mononow()))); + } else { + loglog(RC_LOG_SERIOUS, +- "received Delete SA payload: replace IPSEC State #%lu in %d seconds", ++ "received Delete SA payload: replace IPSEC State #%lu in 25ms, letting old IPsec SA linger for %d seconds", + dst->st_serialno, + DELETE_SA_DELAY); + dst->st_margin = deltatime( + DELETE_SA_DELAY); + delete_event(dst); +- event_schedule( ++ event_schedule_ms( + EVENT_SA_REPLACE, +- DELETE_SA_DELAY, dst); ++ 25 , dst); + } + } else { + loglog(RC_LOG_SERIOUS, +diff -Naur libreswan-3.15-orig/programs/pluto/terminate.c libreswan-3.15/programs/pluto/terminate.c +--- libreswan-3.15-orig/programs/pluto/terminate.c 2016-09-06 22:44:24.304780431 -0400 ++++ libreswan-3.15/programs/pluto/terminate.c 2016-09-06 22:45:40.095392201 -0400 +@@ -77,7 +77,8 @@ + flush_pending_by_connection(c); + if (shared_phase1_connection(c)) { + libreswan_log("IKE SA is shared - only terminating IPsec SA"); +- delete_state(state_with_serialno(c->newest_ipsec_sa)); ++ if 
(c->newest_ipsec_sa != SOS_NOBODY) ++ delete_state(state_with_serialno(c->newest_ipsec_sa)); + } else { + DBG(DBG_CONTROL, DBG_log("connection not shared pkilling phase1 and phase2")); + delete_states_by_connection(c, FALSE); diff --git a/SOURCES/libreswan-3.16-1311360-sharedike.patch b/SOURCES/libreswan-3.16-1311360-sharedike.patch new file mode 100644 index 0000000..969e844 --- /dev/null +++ b/SOURCES/libreswan-3.16-1311360-sharedike.patch 
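Review bot: The new guard in terminate.c tests only the serial number, so if `state_with_serialno()` returns NULL for a serial whose state is already gone while `c->newest_ipsec_sa` still names it, `delete_state(NULL)` is still reached; test the lookup result instead: `struct state *ipsec_st = state_with_serialno(c->newest_ipsec_sa);` / `if (ipsec_st != NULL)` / `delete_state(ipsec_st);`, braced as the surrounding block is. In the ikev1_main.c hunk the 25 ms replace delay appears twice, as the literal `25` passed to event_schedule_ms() and hard-coded into the log text "in 25ms"; a named constant next to DELETE_SA_DELAY in pluto_constants.h keeps the two from drifting apart. The `/* seconds */` comment on the new DELETE_SA_DELAY value should also say it is the linger time for the old IPsec SA, which the log message states but the header does not. Both enclosing functions start outside their hunks.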
@@ -0,0 +1,110 @@ +diff -Naur libreswan-3.15-orig/programs/pluto/connections.c libreswan-3.15/programs/pluto/connections.c +--- libreswan-3.15-orig/programs/pluto/connections.c 2016-03-24 12:23:58.563262638 -0400 ++++ libreswan-3.15/programs/pluto/connections.c 2016-03-24 12:24:31.462320143 -0400 +@@ -2498,6 +2498,8 @@ + struct connection *c, + lset_t req_policy, lset_t policy_exact_mask) + { ++ struct connection *candidate = NULL; ++ + DBG(DBG_CONTROLMORE, + DBG_log("find_next_host_connection policy=%s", + bitnamesof(sa_policy_bit_names, req_policy))); +@@ -2547,10 +2549,22 @@ + * Success if all specified policy bits are in candidate's policy. + * It works even when the exact-match bits are included. + */ +- if ((req_policy & ~c->policy) == LEMPTY) +- break; ++ if ((req_policy & ~c->policy) == LEMPTY) { ++ if (c->newest_isakmp_sa != SOS_NOBODY) { ++ break; ++ } else { ++ /* ++ * We prefer connections with an IKE SA. ++ * so remember this, but keep looking ++ */ ++ candidate = c; ++ } ++ } + } + ++ if (c == NULL && candidate != NULL) ++ c = candidate; ++ + DBG(DBG_CONTROLMORE, + DBG_log("find_next_host_connection returns %s", + c ? 
c->name : "empty")); +diff -Naur libreswan-3.15-orig/programs/pluto/state.c libreswan-3.15/programs/pluto/state.c +--- libreswan-3.15-orig/programs/pluto/state.c 2016-03-24 12:23:58.560262542 -0400 ++++ libreswan-3.15/programs/pluto/state.c 2016-03-24 12:24:33.929399445 -0400 +@@ -939,6 +939,28 @@ + return FALSE; + } + ++bool shared_phase1_connection(const struct connection *c) ++{ ++ int i; ++ ++ so_serial_t serial_us = c->newest_isakmp_sa; ++ ++ if (serial_us == SOS_NOBODY) ++ return FALSE; ++ ++ for (i = 0; i < STATE_TABLE_SIZE; i++) { ++ struct state *st; ++ ++ FOR_EACH_ENTRY(st, i, { ++ if (st->st_connection == c) ++ continue; ++ if (st->st_clonedfrom == serial_us) ++ return TRUE; ++ }); ++ } ++ return FALSE; ++} ++ + /* + * delete all states that were created for a given connection, + * additionally delete any states for which func(st, c) +@@ -1108,8 +1130,9 @@ + { + if (IS_ISAKMP_SA_ESTABLISHED(this->st_state)) + return FALSE; +- else ++ if (c->kind == CK_INSTANCE) + return same_phase1_sa_relations(this, c); ++ return FALSE; + } + + void delete_p2states_by_connection(struct connection *c) +diff -Naur libreswan-3.15-orig/programs/pluto/state.h libreswan-3.15/programs/pluto/state.h +--- libreswan-3.15-orig/programs/pluto/state.h 2015-08-24 22:28:32.000000000 -0400 ++++ libreswan-3.15/programs/pluto/state.h 2016-03-24 12:24:33.929399445 -0400 +@@ -587,6 +587,7 @@ + extern bool require_ddos_cookies(void); + extern void show_globalstate_status(void); + extern void log_newest_sa_change(char *f, struct state *const st); ++bool shared_phase1_connection(const struct connection *c); + + #ifdef XAUTH_HAVE_PAM + void ikev2_free_auth_pam(so_serial_t st_serialno); +diff -Naur libreswan-3.15-orig/programs/pluto/terminate.c libreswan-3.15/programs/pluto/terminate.c +--- libreswan-3.15-orig/programs/pluto/terminate.c 2015-08-24 22:28:32.000000000 -0400 ++++ libreswan-3.15/programs/pluto/terminate.c 2016-03-24 12:24:33.930399477 -0400 +@@ -75,7 +75,14 @@ + 
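Review bot: shared_phase1_connection() is added without a comment stating what "shared" means, and the name alone does not say it; above the definition I would add `/* TRUE when a state of some other connection was cloned from c's newest ISAKMP SA; terminate() then keeps that IKE SA and removes only c's IPsec SA */`. The `@@ -1108,8 +1130,9 @@` change is a silent behaviour change: an unestablished state on a CK_INSTANCE connection is still compared with same_phase1_sa_relations(), but for every other connection kind the predicate now always returns FALSE, and since the function's name and callers are outside the hunk a one-line comment on why instances are the only case that matters would help. In state.h the new declaration lacks the `extern` its neighbours use; `extern bool shared_phase1_connection(const struct connection *c);` keeps the block consistent. The terminate.c hunk's message `"connection not shared pkilling phase1 and phase2"` has a typo, "killing".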
libreswan_log("terminating SAs using this connection"); + c->policy &= ~POLICY_UP; + flush_pending_by_connection(c); +- delete_states_by_connection(c, FALSE); ++ if (shared_phase1_connection(c)) { ++ libreswan_log("IKE SA is shared - only terminating IPsec SA"); ++ delete_state(state_with_serialno(c->newest_ipsec_sa)); ++ } else { ++ DBG(DBG_CONTROL, DBG_log("connection not shared pkilling phase1 and phase2")); ++ delete_states_by_connection(c, FALSE); ++ } ++ + reset_cur_connection(); + + return 1; diff --git a/SPECS/libreswan.spec b/SPECS/libreswan.spec index bca4df7..9905fe8 100644 --- a/SPECS/libreswan.spec +++ b/SPECS/libreswan.spec @@ -20,7 +20,7 @@ Name: libreswan Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols Version: 3.15 -Release: %{?prever:0.}5%{?prever:.%{prever}}%{?dist} +Release: %{?prever:0.}8%{?prever:.%{prever}}%{?dist} License: GPLv2 Group: System Environment/Daemons Url: https://libreswan.org/ 
@@ -41,8 +41,25 @@ Patch9: libreswan-3.15-cisco-delete.patch Patch10: libreswan-3.15-migration.patch Patch11: libreswan-3.15-1166146.patch Patch12: libreswan-3.15-609343.patch -# rhbz#1273719 Patch13: libreswan-3.15-1271811-fipsfiles.patch +Patch14: libreswan-3.15-1283468-keyingtries.patch +Patch15: libreswan-3.15-1297816-nonce-dcookies.patch +Patch16: libreswan-3.15-1344567-ikev1-retransmit.patch +Patch17: libreswan-3.15-1313747-ipsec-man.patch +Patch18: libreswan-3.15-1302778.fipslist.patch +Patch19: libreswan-3.15-1278063-ikev1-pam.patch +Patch20: libreswan-3.15-1257079-nm-updown.patch +Patch21: libreswan-3.15-1272112-whack-man.patch +Patch22: libreswan-3.15-1280449-cap_dac_read_search.patch +Patch23: libreswan-3.15-1290907-configdir.patch +Patch24: libreswan-3.15-1309764-barf.patch +Patch25: libreswan-3.15-1347735-multicrl.patch +Patch26: libreswan-3.15-1219049-ikev1-del.patch +Patch27: libreswan-3.15-1276524-informational.patch +Patch28: libreswan-3.15-1315412-crl-manpage.patch +Patch29: libreswan-3.15-1229766-ipclash.patch +Patch30: libreswan-3.16-1311360-sharedike.patch +Patch31: libreswan-3.15-1361721-delete.patch Requires: iproute >= 2.6.8 nss-tools nss-softokn @@ -135,6 +152,24 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %patch11 -p1 %patch12 -p1 %patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch25 -p1 +%patch26 -p1 +%patch27 -p1 +%patch28 -p1 +%patch29 -p1 +%patch30 -p1 +%patch31 -p1 %build %if %{buildefence} 
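Review bot: Patch30 (libreswan-3.16-1311360-sharedike.patch) and Patch31 (libreswan-3.15-1361721-delete.patch) both modify programs/pluto/terminate.c, and Patch31's context lines are the `if (shared_phase1_connection(c))` block that Patch30 introduces, so the numeric order in the Patch list and the `%patch30`/`%patch31` sequence is load-bearing. A comment on Patch31 such as `# must apply after Patch30 (sharedike): fixes the terminate.c branch it adds` records that for the next rebase. The hunk also drops the `# rhbz#1273719` note above Patch13 while the changelog hunk further down re-labels the 3.15-5 entry as rhbz#1271811; if the old number was simply wrong that is fine, but it is worth a word in the changelog so the renumbering does not look accidental.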
@@ -328,18 +363,43 @@ fi %endif %changelog -* Wed Oct 21 2015 Paul Wouters - 3.15-5 -- Resolves: rhbz#1273719 libreswan FIPS test mistakenly looks for non-existent file hashes - -* Wed Oct 07 2015 Paul Wouters - 3.15-4 -- Resolves: rhbz#1268775 libreswan should support strictcrlpolicy alias -- Resolves: rhbz#1268776 Pluto crashes after stop when I use floating ip address -- Resolves: rhbz#1268773 Pluto crashes on INITIATOR site during 'service ipsec stop' -- Resolves: rhbz#1208022 libreswan ignores module blacklist rules -- Resolves: rhbz#1270673 ipsec does not work properly on loopback +* Wed Sep 07 2016 Paul Wouters - 3.15-8 +- Resolves: rhbz#1361721 libreswan pluto segfault [UPDATED] +- Resolves: rhbz#1276524 [USGv6] IKEv2.EN.R.1.1.3.2 case failed due to response to bad INFORMATIONAL request [UPDATED] +- Resolves: rhbz#1309764 ipsec barf [additional man page update and --no-pager] + +* Mon Aug 08 2016 Paul Wouters - 3.15-7 +- Resolves: rhbz#1311360 When IKE rekeys, if on a different tunnel, all subsequent attempts to rekey fail +- Resolves: rhbz#1361721 libreswan pluto segfault + +* Tue Jul 05 2016 Paul Wouters - 3.15-6 +- Resolves: rhbz#1283468 keyingtries=0 is broken +- Resolves: rhbz#1297816 When using SHA2 as PRF algorithm, nonce payload is below the RFC minimum size +- Resolves: rhbz#1344567 CVE-2016-5361 libreswan: IKEv1 protocol is vulnerable to DoS amplification attack +- Resolves: rhbz#1313747 ipsec pluto returns zero even if it fails +- Resolves: rhbz#1302778 fips does not check hash of some files (like _import_crl) +- Resolves: rhbz#1278063 Unable to authenticate with PAM for IKEv1 XAUTH +- Resolves: rhbz#1257079 Libreswan doesn't call NetworkManager helper in case of a connection error +- Resolves: rhbz#1272112 ipsec whack man page discrepancies +- Resolves: rhbz#1280449 PAM xauth method does not work with pam_sss +- Resolves: rhbz#1290907 ipsec initnss/checknss custom directory not recognized +- Resolves: rhbz#1309764 ipsec barf does not show pluto 
log correctly in the output +- Resolves: rhbz#1347735 libreswan needs to check additional CRLs after LDAP CRL distributionpoint fails +- Resolves: rhbz#1219049 Pluto does not handle delete message from responder site in ikev1 +- Resolves: rhbz#1276524 [USGv6] IKEv2.EN.R.1.1.3.2 case failed due to response to bad INFORMATIONAL request +- Resolves: rhbz#1315412 ipsec.conf manpage does not contain any mention about crl-strict option +- Resolves: rhbz#1229766 Pluto crashes after stop when I use floating ip address -* Tue Sep 15 2015 Paul Wouters - 3.15-2 -- Resolves: rhbz#1259208 CVE-2015-3240 +* Wed Oct 21 2015 Paul Wouters - 3.15-5 +- Resolves: rhbz#1271811 libreswan FIPS test mistakenly looks for non-existent file hashes + +* Wed Sep 30 2015 Paul Wouters - 3.15-4 +- Resolves: rhbz#1267370 libreswan should support strictcrlpolicy alias +- Resolves: rhbz#1229766 Pluto crashes after stop when I use floating ip address +- Resolves: rhbz#1166146 Pluto crashes on INITIATOR site during 'service ipsec stop' +- Resolves: rhbz#1259209 CVE-2015-3240 +- Resolves: rhbz#1199374 libreswan does not enforce all FIPS or IPsec Suite B restrictions +- Resolves: rhbz#1207689 libreswan ignores module blacklist rules - Merge rhel6 and rhel7 spec into one - Be lenient for racoon padding behaviour - Fix seedev option to /dev/random 
@@ -350,28 +410,25 @@ fi - Workaround for wrong padding by racoon2 - Disable NSS HW GCM to workaround rhel6 xen builers bug -* Fri May 29 2015 Paul Wouters - 3.12-10.1 -- Resolves: rhbz#1226407 CVE-2015-3204 libreswan: crafted IKE packet causes daemon restart - -* Tue May 05 2015 Paul Wouters - 3.12-10 -- Resolves: rhbz#1213652 Support CAVS [updated another prf() free symkey, bogus fips mode fix] - -* Tue Apr 28 2015 Paul Wouters - 3.12-9 -- Resolves: rhbz#1213652 Support CAVS [updated to kill another copy of prf()] -- Resolves: rhbz#1208023 Libreswan with IPv6 [updated patch by Jaroslav Aster] -- Resolves: rhbz#1208022 libreswan ignores module blacklist [updated modprobe handling] +* Fri May 29 2015 Paul Wouters - 3.12-12 +- Resolves: rhbz#1212121 Support CAVS [updated bogus fips mode fix] -* Mon Apr 20 2015 Paul Wouters - 3.12-8 -- Resolves: rhbz#1213652 Support CAVS testing of the PRF/PRF+ functions +* Fri May 29 2015 Paul Wouters - 3.12-11 +- Resolves: rhbz#1226408 CVE-2015-3204 libreswan: crafted IKE packet causes daemon restart -* Mon Apr 13 2015 Paul Wouters - 3.12-7 -- Resolves: rhbz#1208022 libreswan ignores module blacklist rules -- Resolves: rhbz#1208023 Libreswan with IPv6 in RHEL7 fails after reboot -- Resolves: rhbz#1211146 pluto crashes in fips mode - -* Tue Mar 17 2015 Paul Wouters - 3.12-6 -- Resolves: rhbz#1198650 SELinux context string size limit -- Resolves: rhbz#1198649 Add new option for BSI random requirement +* Tue May 05 2015 Paul Wouters - 3.12-10 +- Resolves: rhbz#1212121 Support CAVS testing of the PRF/PRF+ functions +- Resolves: rhbz#1127313 Libreswan with IPv6 [updated patch by Jaroslav Aster] +- Resolves: rhbz#1207689 libreswan ignores module blacklist [updated modprobe handling] +- Resolves: rhbz#1218358 pluto crashes in fips mode without dracut-fips package + +* Sat Feb 21 2015 Paul Wouters - 3.12-6 +- Resolves: rhbz#1056559 loopback support deprecated +- Resolves: rhbz#1182224 Add new option for BSI random requirement +- Resolves: 
rhbz#1170018 [increase] SELinux context string size limit +- Resolves: rhbz#1127313 Libreswan with IPv6 in RHEL7 fails after reboot +- Resolves: rhbz#1207689 libreswan ignores module blacklist rules +- Resolves: rhbz#1203794 pluto crashes in fips mode * Tue Jan 20 2015 Paul Wouters - 3.12-5 - Resolves: rhbz#826264 aes-gcm implementation support (for IKEv2)