diff --git a/SOURCES/libreswan-3.23-del-with-notify-1630355.patch b/SOURCES/libreswan-3.23-del-with-notify-1630355.patch index cefecfa..09c41bd 100644 --- a/SOURCES/libreswan-3.23-del-with-notify-1630355.patch +++ b/SOURCES/libreswan-3.23-del-with-notify-1630355.patch 
@@ -1,33 +1,81 @@ -diff -Naur libreswan-3.25-orig/programs/pluto/ikev1.c libreswan-3.25/programs/pluto/ikev1.c ---- libreswan-3.25-orig/programs/pluto/ikev1.c 2018-06-27 22:42:26.000000000 +0700 -+++ libreswan-3.25/programs/pluto/ikev1.c 2018-11-22 20:04:44.961824151 +0700 -@@ -727,28 +727,7 @@ - return dpd_inR(st, n, n_pbs); +diff -Naur libreswan-3.25-orig/include/pluto_constants.h libreswan-3.25/include/pluto_constants.h +--- libreswan-3.25-orig/include/pluto_constants.h 2018-06-27 11:42:26.000000000 -0400 ++++ libreswan-3.25/include/pluto_constants.h 2019-02-23 20:46:36.030789127 -0500 +@@ -421,6 +421,7 @@ + IMPAIR_REPLAY_DUPLICATES_IX, /* replay duplicates of each incoming packet */ + IMPAIR_REPLAY_FORWARD_IX, /* replay all earlier packets old-to-new */ + IMPAIR_REPLAY_BACKWARD_IX, /* replay all earlier packets new-to-old */ ++ IMPAIR_IKEv1_DEL_WITH_NOTIFY_IX, /* causes pluto send send IKE Delete with additional bogus Notify */ - case PAYLOAD_MALFORMED: -- if (st != NULL) { -- st->hidden_variables.st_malformed_received++; -- -- libreswan_log( -- "received %u malformed payload notifies", -- st->hidden_variables.st_malformed_received); -- -- if (st->hidden_variables.st_malformed_sent > -- MAXIMUM_MALFORMED_NOTIFY / 2 && -- ((st->hidden_variables.st_malformed_sent + -- st->hidden_variables. 
-- st_malformed_received) > -- MAXIMUM_MALFORMED_NOTIFY)) { -- libreswan_log( -- "too many malformed payloads (we sent %u and received %u", -- st->hidden_variables.st_malformed_sent, -- st->hidden_variables.st_malformed_received); -- delete_state(st); -- md->st = st = NULL; -- } -- } + IMPAIR_REPLAY_ENCRYPTED_IX, /* replay encrypted packets */ + IMPAIR_CORRUPT_ENCRYPTED_IX, /* corrupts the encrypted packet so that the decryption fails */ +@@ -480,6 +481,7 @@ + #define IMPAIR_REPLAY_DUPLICATES LELEM(IMPAIR_REPLAY_DUPLICATES_IX) + #define IMPAIR_REPLAY_FORWARD LELEM(IMPAIR_REPLAY_FORWARD_IX) + #define IMPAIR_REPLAY_BACKWARD LELEM(IMPAIR_REPLAY_BACKWARD_IX) ++#define IMPAIR_IKEv1_DEL_WITH_NOTIFY LELEM(IMPAIR_IKEv1_DEL_WITH_NOTIFY_IX) + + #define IMPAIR_REPLAY_ENCRYPTED LELEM(IMPAIR_REPLAY_ENCRYPTED_IX) + #define IMPAIR_CORRUPT_ENCRYPTED LELEM(IMPAIR_CORRUPT_ENCRYPTED_IX) +diff -Naur libreswan-3.25-orig/lib/libswan/impair.c libreswan-3.25/lib/libswan/impair.c +--- libreswan-3.25-orig/lib/libswan/impair.c 2018-06-27 11:42:26.000000000 -0400 ++++ libreswan-3.25/lib/libswan/impair.c 2019-02-23 20:47:28.556333015 -0500 +@@ -61,6 +61,7 @@ + I(IMPAIR_REPLAY_DUPLICATES, "impair-replay-duplicates"), + I(IMPAIR_REPLAY_FORWARD, "impair-replay-forward"), + I(IMPAIR_REPLAY_BACKWARD, "impair-replay-backward"), ++ I(IMPAIR_IKEv1_DEL_WITH_NOTIFY, "impair-ikev1-del-with-notify"), + + I(IMPAIR_REPLAY_ENCRYPTED, "impair-replay-encrypted"), + I(IMPAIR_CORRUPT_ENCRYPTED, "impair-corrupt-encrypted"), +diff -Naur libreswan-3.25-orig/programs/pluto/ikev1_main.c libreswan-3.25/programs/pluto/ikev1_main.c +--- libreswan-3.25-orig/programs/pluto/ikev1_main.c 2018-06-27 11:42:26.000000000 -0400 ++++ libreswan-3.25/programs/pluto/ikev1_main.c 2019-02-23 20:44:30.295457365 -0500 +@@ -2489,14 +2489,36 @@ + said ? 
ISAKMP_NEXT_NONE : ISAKMP_NEXT_D; + isad.isad_spisize = sizeof(ipsec_spi_t); + isad.isad_protoid = ns->proto; - -+ libreswan_log("received PAYLOAD_MALFORMED"); - return STF_IGNORE; + isad.isad_nospi = 1; ++ ++ if (DBGP(IMPAIR_IKEv1_DEL_WITH_NOTIFY)) ++ isad.isad_np = ISAKMP_NEXT_N; /* Notify */ ++ + passert(out_struct(&isad, &isakmp_delete_desc, &r_hdr_pbs, + &del_pbs)); + passert(out_raw(&ns->spi, sizeof(ipsec_spi_t), + &del_pbs, + "delete payload")); + close_output_pbs(&del_pbs); ++ ++ if (DBGP(IMPAIR_IKEv1_DEL_WITH_NOTIFY)) { ++ pb_stream cruft_pbs; ++ ++ libreswan_log("IMPAIR: adding bogus Notify payload after IKE Delete payload"); ++ struct isakmp_notification isan = { ++ .isan_np = ISAKMP_NEXT_NONE, ++ .isan_doi = ISAKMP_DOI_IPSEC, ++ .isan_protoid = PROTO_ISAKMP, ++ .isan_spisize = COOKIE_SIZE * 2, ++ .isan_type = INVALID_PAYLOAD_TYPE, ++ }; ++ ++ passert(out_struct(&isan, &isakmp_notification_desc, &r_hdr_pbs, ++ &cruft_pbs)); ++ passert(out_raw(&ns->spi, sizeof(ipsec_spi_t), &cruft_pbs, ++ "notify payload")); ++ close_output_pbs(&cruft_pbs); ++ } + } + } - case ISAKMP_N_CISCO_LOAD_BALANCE: +@@ -2743,7 +2765,9 @@ + rc->policy &= ~POLICY_UP; + if (!shared_phase1_connection(rc)) { + flush_pending_by_connection(rc); ++ /* This also deletes the IKE SA, clear pointer */ + delete_states_by_connection(rc, FALSE); ++ md->st = NULL; + } + reset_cur_connection(); + } diff --git a/SOURCES/libreswan-3.25-1623279-xauth-null-pwd.patch b/SOURCES/libreswan-3.25-1623279-xauth-null-pwd.patch new file mode 100644 index 0000000..b9b3598 --- /dev/null +++ b/SOURCES/libreswan-3.25-1623279-xauth-null-pwd.patch 
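Review bot: In the new ikev1_main.c hunk the bogus Notify is declared with `.isan_spisize = COOKIE_SIZE * 2`, but the `out_raw(&ns->spi, sizeof(ipsec_spi_t), &cruft_pbs, "notify payload")` that follows writes only `sizeof(ipsec_spi_t)` bytes, so unless those two sizes happen to coincide the payload's SPI-length field disagrees with the bytes actually emitted and the test packet is malformed in a second, unintended way. If the impairment is meant to exercise only an unexpected Notify trailing the Delete, set `.isan_spisize = sizeof(ipsec_spi_t)` so that a receiver's failure is attributable to the extra payload alone rather than to a bad length. The new pluto_constants.h comment also has a typo; suggest `/* causes pluto to send an IKE Delete with an additional bogus Notify */`. The `md->st = NULL` after `delete_states_by_connection(rc, FALSE)` is the substantive fix here (the pointer would otherwise refer to a freed state); the enclosing function of both ikev1_main.c hunks starts and ends outside this hunk.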
@@ -0,0 +1,47 @@ +diff -Naur libreswan-3.25-orig/include/chunk.h libreswan-3.25/include/chunk.h +--- libreswan-3.25-orig/include/chunk.h 2018-06-27 11:42:26.000000000 -0400 ++++ libreswan-3.25/include/chunk.h 2018-12-14 13:30:29.269684194 -0500 +@@ -55,6 +55,9 @@ + + chunk_t clone_chunk(chunk_t old, const char *name); + ++/* always NUL terminated; NULL is NULL */ ++char *clone_chunk_as_string(chunk_t chunk, const char *name); ++ + /* note: the caller must free the result */ + char *str_from_chunk(chunk_t c, const char *name); + +diff -Naur libreswan-3.25-orig/lib/libswan/chunk.c libreswan-3.25/lib/libswan/chunk.c +--- libreswan-3.25-orig/lib/libswan/chunk.c 2018-06-27 11:42:26.000000000 -0400 ++++ libreswan-3.25/lib/libswan/chunk.c 2018-12-14 13:29:24.077050581 -0500 +@@ -49,3 +49,16 @@ + s[c.len] = '\0'; /* redundant */ + return s; + } ++ ++char *clone_chunk_as_string(chunk_t chunk, const char *name) ++{ ++ if (chunk.ptr == NULL) { ++ return NULL; ++ } else if (chunk.len > 0 && chunk.ptr[chunk.len - 1] == '\0') { ++ return clone_bytes(chunk.ptr, chunk.len, name); ++ } else { ++ char *string = alloc_things(char, chunk.len + 1, name); ++ memcpy(string, chunk.ptr, chunk.len); ++ return string; ++ } ++} +diff -Naur libreswan-3.25-orig/programs/pluto/ikev1_xauth.c libreswan-3.25/programs/pluto/ikev1_xauth.c +--- libreswan-3.25-orig/programs/pluto/ikev1_xauth.c 2018-06-27 11:42:26.000000000 -0400 ++++ libreswan-3.25/programs/pluto/ikev1_xauth.c 2018-12-14 13:29:24.078050590 -0500 +@@ -1214,8 +1214,8 @@ + return 0; + #endif + +- char *arg_name = str_from_chunk(*name, "XAUTH Name"); +- char *arg_password = str_from_chunk(*password, "XAUTH Name"); ++ char *arg_name = clone_chunk_as_string(*name, "XAUTH Name"); ++ char *arg_password = clone_chunk_as_string(*password, "XAUTH Name"); + + /* + * For XAUTH, we're flipping between retransmitting the packet 
diff --git a/SOURCES/libreswan-3.25-1664244-xauth-null-pwd.patch b/SOURCES/libreswan-3.25-1664244-xauth-null-pwd.patch deleted file mode 100644 index b9b3598..0000000 --- a/SOURCES/libreswan-3.25-1664244-xauth-null-pwd.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -diff -Naur libreswan-3.25-orig/include/chunk.h libreswan-3.25/include/chunk.h ---- libreswan-3.25-orig/include/chunk.h 2018-06-27 11:42:26.000000000 -0400 -+++ libreswan-3.25/include/chunk.h 2018-12-14 13:30:29.269684194 -0500 -@@ -55,6 +55,9 @@ - - chunk_t clone_chunk(chunk_t old, const char *name); - -+/* always NUL terminated; NULL is NULL */ -+char *clone_chunk_as_string(chunk_t chunk, const char *name); -+ - /* note: the caller must free the result */ - char *str_from_chunk(chunk_t c, const char *name); - -diff -Naur libreswan-3.25-orig/lib/libswan/chunk.c libreswan-3.25/lib/libswan/chunk.c ---- libreswan-3.25-orig/lib/libswan/chunk.c 2018-06-27 11:42:26.000000000 -0400 -+++ libreswan-3.25/lib/libswan/chunk.c 2018-12-14 13:29:24.077050581 -0500 -@@ -49,3 +49,16 @@ - s[c.len] = '\0'; /* redundant */ - return s; - } -+ -+char *clone_chunk_as_string(chunk_t chunk, const char *name) -+{ -+ if (chunk.ptr == NULL) { -+ return NULL; -+ } else if (chunk.len > 0 && chunk.ptr[chunk.len - 1] == '\0') { -+ return clone_bytes(chunk.ptr, chunk.len, name); -+ } else { -+ char *string = alloc_things(char, chunk.len + 1, name); -+ memcpy(string, chunk.ptr, chunk.len); -+ return string; -+ } -+} -diff -Naur libreswan-3.25-orig/programs/pluto/ikev1_xauth.c libreswan-3.25/programs/pluto/ikev1_xauth.c ---- libreswan-3.25-orig/programs/pluto/ikev1_xauth.c 2018-06-27 11:42:26.000000000 -0400 -+++ libreswan-3.25/programs/pluto/ikev1_xauth.c 2018-12-14 13:29:24.078050590 -0500 -@@ -1214,8 +1214,8 @@ - return 0; - #endif - -- char *arg_name = str_from_chunk(*name, "XAUTH Name"); -- char *arg_password = str_from_chunk(*password, "XAUTH Name"); -+ char *arg_name = clone_chunk_as_string(*name, "XAUTH Name"); -+ char *arg_password = clone_chunk_as_string(*password, "XAUTH Name"); - - /* - * For XAUTH, we're flipping between retransmitting the packet 
diff --git a/SOURCES/libreswan-3.25-1679735-critical_flag.patch b/SOURCES/libreswan-3.25-1679735-critical_flag.patch index 9371c31..da9daca 100644 --- a/SOURCES/libreswan-3.25-1679735-critical_flag.patch +++ b/SOURCES/libreswan-3.25-1679735-critical_flag.patch @@ -1,6 +1,6 @@ diff -Naur libreswan-3.25-orig/programs/pluto/nss_cert_verify.c libreswan-3.25/programs/pluto/nss_cert_verify.c ---- libreswan-3.25-orig/programs/pluto/nss_cert_verify.c 2019-04-11 12:50:35.423733161 +0200 -+++ libreswan-3.25/programs/pluto/nss_cert_verify.c 2019-04-11 12:51:58.832735953 +0200 +--- libreswan-3.25-orig/programs/pluto/nss_cert_verify.c 2019-02-23 21:15:03.910589319 -0500 ++++ libreswan-3.25/programs/pluto/nss_cert_verify.c 2019-02-23 21:42:05.955565629 -0500 @@ -121,7 +121,7 @@ return FALSE; } @@ -54,15 +54,6 @@ diff -Naur libreswan-3.25-orig/programs/pluto/nss_cert_verify.c libreswan-3.25/p /* kludge alert!! * verification may be performed twice: once with the * 'client' usage and once with 'server', which is an NSS -@@ -332,7 +336,7 @@ - - for (usage = certificateUsageSSLClient; ; usage = certificateUsageSSLServer) { - SECStatus rv = CERT_PKIXVerifyCert(end_cert, usage, cvin, cvout, NULL); -- if (rv != SECSuccess || cur_log->count > 0) { -+ if (rv != SECSuccess) { - if (cur_log->count > 0 && cur_log->head != NULL) { - if (usage == certificateUsageSSLClient && - RETRYABLE_TYPE(cur_log->head->error)) { @@ -348,7 +352,8 @@ cvout[1].value.pointer.chain = NULL; continue; diff --git a/SOURCES/libreswan-3.25-1724200-halfopen-shunt.patch b/SOURCES/libreswan-3.25-1724200-halfopen-shunt.patch new file mode 100644 index 0000000..839b7c3 --- /dev/null +++ b/SOURCES/libreswan-3.25-1724200-halfopen-shunt.patch 
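Review bot: Dropping the inner hunk at `-@@ -332,7 +336,7 @@` means nss_cert_verify.c keeps `if (rv != SECSuccess || cur_log->count > 0) {`, so a chain that CERT_PKIXVerifyCert() accepts while still leaving entries in cur_log appears to take the error branch below (that branch continues outside the hunk, so its outcome is not visible here). That is the fail-closed direction, but it silently undoes the "[updated]" revision of this patch recorded in the removed 3.25-4.6 changelog entry, and the new changelog entry for rhbz#1679735 does not say that the critical-flag case still validates without it. A one-line remark in the patch's own header, or in that changelog entry, stating why the condition change was dropped would keep the next rebase from re-adding it by mistake.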
@@ -0,0 +1,13 @@ +diff -Naur libreswan-3.25-orig/programs/pluto/state.c libreswan-3.25/programs/pluto/state.c +--- libreswan-3.25-orig/programs/pluto/state.c 2019-07-03 15:52:47.246474906 -0400 ++++ libreswan-3.25/programs/pluto/state.c 2019-07-03 15:54:37.671850020 -0400 +@@ -1101,7 +1101,8 @@ + #endif + + /* If we are failed OE initiator, make shunt bare */ +- if (IS_IKE_SA(st) && (c->policy & POLICY_OPPORTUNISTIC) && ++ if (IS_IKE_SA(st) && c->newest_isakmp_sa == st->st_serialno && ++ (c->policy & POLICY_OPPORTUNISTIC) && + (st->st_state == STATE_PARENT_I1 || st->st_state == STATE_PARENT_I2)) { + ipsec_spi_t failure_shunt = shunt_policy_spi(c, FALSE /* failure_shunt */); + ipsec_spi_t nego_shunt = shunt_policy_spi(c, TRUE /* negotiation shunt */); diff --git a/SOURCES/libreswan-3.27-1672921-delete.patch b/SOURCES/libreswan-3.27-1672921-delete.patch deleted file mode 100644 index 87447ad..0000000 --- a/SOURCES/libreswan-3.27-1672921-delete.patch +++ /dev/null 
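Review bot: The added `c->newest_isakmp_sa == st->st_serialno` guard in state.c narrows when a failed OE initiator's shunt is made bare, but the comment above it, `/* If we are failed OE initiator, make shunt bare */`, still describes only the old condition. Suggest extending it to `/* If we are a failed OE initiator, make shunt bare -- but only for the connection's newest IKE SA, so an older half-open state expiring does not tear down the policy of a newer one */`, which is presumably the rhbz#1746052 symptom named in the changelog. The enclosing function starts and ends outside this hunk, so whether `newest_isakmp_sa` can be unset at this point is not visible in the diff.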
@@ -1,82 +0,0 @@ -diff -Naur libreswan-3.25-orig/include/pluto_constants.h libreswan-3.25/include/pluto_constants.h ---- libreswan-3.25-orig/include/pluto_constants.h 2018-06-27 11:42:26.000000000 -0400 -+++ libreswan-3.25/include/pluto_constants.h 2019-02-15 17:41:06.954865678 -0500 -@@ -436,6 +436,8 @@ - - IMPAIR_SEND_PKCS7_THINGIE_IX, /* send certificates as a PKCS7 thingie */ - -+ IMPAIR_IKEv1_DEL_WITH_NOTIFY_IX, -+ - IMPAIR_roof_IX /* first unassigned IMPAIR */ - }; - -@@ -495,6 +497,7 @@ - - #define IMPAIR_SEND_PKCS7_THINGIE LELEM(IMPAIR_SEND_PKCS7_THINGIE_IX) - -+#define IMPAIR_IKEv1_DEL_WITH_NOTIFY LELEM(IMPAIR_IKEv1_DEL_WITH_NOTIFY_IX) - /* State of exchanges - * - * The name of the state describes the last message sent, not the -diff -Naur libreswan-3.25-orig/lib/libswan/impair.c libreswan-3.25/lib/libswan/impair.c ---- libreswan-3.25-orig/lib/libswan/impair.c 2018-06-27 11:42:26.000000000 -0400 -+++ libreswan-3.25/lib/libswan/impair.c 2019-02-15 17:41:06.954865678 -0500 -@@ -75,6 +75,8 @@ - I(IMPAIR_ALLOW_DNS_INSECURE, "impair-allow-dns-insecure"), - - I(IMPAIR_SEND_PKCS7_THINGIE, "impair-send-pkcs7-thingie"), -+ -+ I(IMPAIR_IKEv1_DEL_WITH_NOTIFY, "impair-ikev1-del-with-notify"), - }; - - const enum_names impair_names = { -diff -Naur libreswan-3.25-orig/programs/pluto/ikev1_main.c libreswan-3.25/programs/pluto/ikev1_main.c ---- libreswan-3.25-orig/programs/pluto/ikev1_main.c 2018-06-27 11:42:26.000000000 -0400 -+++ libreswan-3.25/programs/pluto/ikev1_main.c 2019-02-15 17:42:50.876885416 -0500 -@@ -2491,12 +2491,36 @@ - isad.isad_protoid = ns->proto; - - isad.isad_nospi = 1; -+ -+ if (DBGP(IMPAIR_IKEv1_DEL_WITH_NOTIFY)) -+ isad.isad_np = ISAKMP_NEXT_N; /* Notify */ -+ - passert(out_struct(&isad, &isakmp_delete_desc, &r_hdr_pbs, - &del_pbs)); - passert(out_raw(&ns->spi, sizeof(ipsec_spi_t), - &del_pbs, - "delete payload")); - close_output_pbs(&del_pbs); -+ -+ if (DBGP(IMPAIR_IKEv1_DEL_WITH_NOTIFY)) { -+ pb_stream cruft_pbs; -+ -+ libreswan_log("IMPAIR: 
adding bogus Notify payload after IKE Delete payload"); -+ struct isakmp_notification isan = { -+ .isan_np = ISAKMP_NEXT_NONE, -+ .isan_doi = ISAKMP_DOI_IPSEC, -+ .isan_protoid = PROTO_ISAKMP, -+ .isan_spisize = COOKIE_SIZE * 2, -+ .isan_type = INVALID_PAYLOAD_TYPE, -+ }; -+ -+ passert(out_struct(&isan, &isakmp_notification_desc, &r_hdr_pbs, -+ &cruft_pbs)); -+ passert(out_raw(&ns->spi, sizeof(ipsec_spi_t), &cruft_pbs, -+ "notify payload")); -+ close_output_pbs(&cruft_pbs); -+ } -+ - } - } - -@@ -2743,7 +2767,9 @@ - rc->policy &= ~POLICY_UP; - if (!shared_phase1_connection(rc)) { - flush_pending_by_connection(rc); -+ /* This also deletes the IKE SA, clear pointer */ - delete_states_by_connection(rc, FALSE); -+ md->st = NULL; - } - reset_cur_connection(); - } diff --git a/SPECS/libreswan.spec b/SPECS/libreswan.spec index 0d803d7..417d0ef 100644 --- a/SPECS/libreswan.spec +++ b/SPECS/libreswan.spec @@ -24,7 +24,7 @@ Name: libreswan Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols Version: 3.25 -Release: %{?prever:0.}4.8%{?prever:.%{prever}}%{?dist} +Release: %{?prever:0.}8.1%{?prever:.%{prever}}%{?dist} License: GPLv2 Group: System Environment/Daemons Url: https://libreswan.org/ 
@@ -36,15 +36,15 @@ Source3: ikev2.fax.bz2
 Patch1: libreswan-3.25-alg_info.patch
 Patch2: libreswan-3.25-relax-delete.patch
 Patch3: libreswan-3.25-EKU-1639404.patch
-Patch4: libreswan-3.23-zerolengthkey.patch
-Patch5: libreswan-3.25-1625303-recursive-incl.patch
-Patch6: libreswan-3.23-del-with-notify-1630355.patch
-Patch7: libreswan-3.25-1664244-xauth-null-pwd.patch
+Patch4: libreswan-3.23-del-with-notify-1630355.patch
+Patch5: libreswan-3.23-zerolengthkey.patch
+Patch6: libreswan-3.25-1625303-recursive-incl.patch
+Patch7: libreswan-3.25-1623279-xauth-null-pwd.patch
 Patch8: libreswan-3.25-1664521-fips-keysize.patch
-Patch9: libreswan-3.27-1672921-delete.patch
-Patch10: libreswan-3.25-1679735-critical_flag.patch
-Patch11: libreswan-3.25-1673105-down-restart.patch
-Patch12: libreswan-3.25-1686991-ikev1-del.patch
+Patch9: libreswan-3.25-1679735-critical_flag.patch
+Patch10: libreswan-3.25-1673105-down-restart.patch
+Patch11: libreswan-3.25-1686991-ikev1-del.patch
+Patch12: libreswan-3.25-1724200-halfopen-shunt.patch
 
 Requires: iproute >= 2.6.8
 Requires: nss-tools nss-softokn
@@ -54,8 +54,8 @@ BuildRequires: nspr-devel
 BuildRequires: pam-devel
 BuildRequires: xmlto
 # minimum nss version for IPsec profile support, see rhbz#1212132
-Requires: nss >= 3.36.0-7.1
-BuildRequires: nss-devel >= 3.36.0-7.1
+Requires: nss >= 3.36.0-8
+BuildRequires: nss-devel >= 3.36.0-8
 
 %if %{?rhel} <= 6
 BuildRequires: libevent2-devel net-tools
@@ -349,38 +349,26 @@ fi
 %endif
 
 %changelog
-* Thu May 09 2019 Paul Wouters - 3.25-4.8
-- Resolves: rhbz#1708060 IKEv1 traffic interruption when responder deletes SAs 60 seconds before EVENT_SA_REPLACE [rhel-7.6.z]
-
-* Thu May 02 2019 Paul Wouters - 3.25-4.7
-- Resolves: rhbz#1683577 Opportunistic IPsec instances of /32 groups or auto=start [updated for eclipsed handling]
-
-* Thu Apr 11 2019 Paul Wouters - 3.25-4.6
-- Resolves: rhbz#1680483 libreswan using NSS IPsec profiles regresses when critical flags are set causing validation failure [rhel-7.6.z] [updated]
-
-* Sun Mar 31 2019 Paul Wouters - 3.25-4.5
-- Resolves: rhbz#1683577 Opportunistic IPsec instances of /32 groups or auto=start that receive delete won't restart [rhel-7.6.z] [updated]
-
-* Tue Feb 26 2019 Paul Wouters - 3.25-4.4
-- Resolves: rhbz#1683577 Opportunistic IPsec instances of /32 groups or auto=start that receive delete won't restart [rhel-7.6.z]
-
-* Mon Feb 25 2019 Paul Wouters - 3.25-4.3
-- Resolves: rhbz#1680483 libreswan using NSS IPsec profiles regresses when critical flags are set causing validation failure [rhel-7.6.z]
-
-* Fri Feb 15 2019 Paul Wouters - 3.25-4.2
-- Resolves: rhbz#1672921 - Libreswan crash upon receiving ISAKMP_NEXT_D with appended ISAKMP_NEXT_N [updated bugfix]
-
-* Fri Jan 11 2019 Paul Wouters - 3.25-4.1
-- Resolves: rhbz#1665369 libreswan 3.25 in FIPS mode is incorrectly rejecting X.509 public keys that are >= 3072 bits [rhel-7.6.z]
-
-* Tue Jan 08 2019 Paul Wouters - 3.25-4
-- Resolves: rhbz#1660536 libreswan assertion failed when OAKLEY_KEY_LENGTH is zero for IKE using AES_CBC
-- Resolves: rhbz#1660544 config: recursive include check doesn't work
-- Resolves: rhbz#1660542 Libreswan crash upon receiving ISAKMP_NEXT_D with appended ISAKMP_NEXT_N
-- Resolves: rhbz#1664244 [abrt] [faf] libreswan: strncpy(): /usr/libexec/ipsec/pluto killed by 11
-
-* Mon Dec 03 2018 Paul Wouters - 3.25-3
-- Resolves: rhbz#1655440 Unable to verify certificate with non-empty Extended Key Usage which does not include serverAuth or clientAuth
+* Wed Aug 28 2019 Paul Wouters - 3.25-8.1
+- Resolves: rhbz#1746052 libreswan: XFRM policy for OE/32 peer is deleted when shunts for previous half-open state expire [rhel-7.7.z]
+
+* Tue May 07 2019 Paul Wouters - 3.25-8
+- Resolves: rhbz#1686991 IKEv1 traffic interruption when responder deletes SAs 60 seconds before EVENT_SA_REPLACE
+
+* Wed Feb 27 2019 Paul Wouters - 3.25-7
+- Resolves: rhbz#1673105 Opportunistic IPsec instances of /32 groups or auto=start that receive delete won't restart
+
+* Mon Feb 04 2019 Paul Wouters - 3.25-6
+- Resolves: rhbz#1630355 Libreswan crash upon receiving ISAKMP_NEXT_D with appended ISAKMP_NEXT_N [updated]
+- Resolves: rhbz#1679735 libreswan using NSS IPsec profiles regresses when critical flags are set causing validation failure
+
+* Thu Dec 20 2018 Paul Wouters - 3.25-5
+- Resolves: rhbz#1639404 Unable to verify certificate with non-empty Extended Key Usage which does not include serverAuth or clientAuth
+- Resolves: rhbz#1630355 Libreswan crash upon receiving ISAKMP_NEXT_D with appended ISAKMP_NEXT_N
+- Resolves: rhbz#1629902 libreswan assertion failed when OAKLEY_KEY_LENGTH is zero for IKE using AES_CBC
+- Resolves: rhbz#1623279 [abrt] [faf] libreswan: strncpy(): /usr/libexec/ipsec/pluto killed by 11
+- Resolves: rhbz#1625303 config: recursive include check doesn't work
+- Resolves: rhbz#1664521 libreswan 3.25 in FIPS mode is incorrectly rejecting X.509 public keys that are >= 3072 bits
 
 * Mon Jul 02 2018 Paul Wouters - 3.25-2
 - Resolves: rhbz#1597322 Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors