diff --git a/.gitignore b/.gitignore
index 373aff2..62078de 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
 SOURCES/ikev1_dsa.fax.bz2
 SOURCES/ikev1_psk.fax.bz2
 SOURCES/ikev2.fax.bz2
-SOURCES/libreswan-4.3.tar.gz
+SOURCES/libreswan-4.4.tar.gz
diff --git a/.libreswan.metadata b/.libreswan.metadata
index 2725d11..201074d 100644
--- a/.libreswan.metadata
+++ b/.libreswan.metadata
@@ -1,4 +1,4 @@
 b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2
 861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2
 fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2
-6f86811420df8873f43e8ff98f718f1aee5836f3 SOURCES/libreswan-4.3.tar.gz
+c75da86c032fe15979a13f4e779a9fe41386203a SOURCES/libreswan-4.4.tar.gz
diff --git a/SOURCES/libreswan-4.3-ikev2-tcp.patch b/SOURCES/libreswan-4.3-ikev2-tcp.patch
deleted file mode 100644
index ffc8428..0000000
--- a/SOURCES/libreswan-4.3-ikev2-tcp.patch
+++ /dev/null
@@ -1,146 +0,0 @@ -commit 9a69641b34675de26c3989082795ab97325db55c -Author: Paul Wouters -Date: Mon Mar 1 14:57:31 2021 -0500 - - IKEv2: Fix TCP socket to have IP_XFRM_POLICY sockopt set. - - Without this, transport mode or host-to-host will not properly work - on a number of kernels, such as RHEL8 4.18.0-291.el8.x86_64 - - Reported by: Sabrina Dubroca - -diff --git a/programs/pluto/iface_tcp.c b/programs/pluto/iface_tcp.c -index 9a66343f3f..3b4f57d07d 100644 ---- a/programs/pluto/iface_tcp.c -+++ b/programs/pluto/iface_tcp.c -@@ -52,6 +52,16 @@ - #include "nat_traversal.h" /* for nat_traversal_enabled which seems like a broken idea */ - #include "pluto_stats.h" - -+/* work around weird combo's of glibc and kernel header conflicts */ -+#ifndef GLIBC_KERN_FLIP_HEADERS -+# include "linux/xfrm.h" /* local (if configured) or system copy */ -+# include "libreswan.h" -+#else -+# include "libreswan.h" -+# include "linux/xfrm.h" /* local (if configured) or system copy */ -+#endif -+ -+ - static void accept_ike_in_tcp_cb(struct evconnlistener *evcon UNUSED, - int accepted_fd, - struct sockaddr *sockaddr, int sockaddr_len, -@@ -383,6 +393,8 @@ static void iketcp_message_listener_cb(evutil_socket_t unused_fd UNUSED, - struct logger from_logger = logger_from(&global_logger, &ifp->iketcp_remote_endpoint); - struct logger *logger = &from_logger; - -+ bool v6 = ifp->ip_dev->id_address.version == 6; -+ - switch (ifp->iketcp_state) { - - case IKETCP_OPEN: -@@ -443,7 +455,19 @@ static void iketcp_message_listener_cb(evutil_socket_t unused_fd UNUSED, - if (impair.tcp_skip_setsockopt_espintcp) { - llog(RC_LOG, logger, "IMPAIR: TCP: skipping setsockopt(ESPINTCP)"); - } else { -+ struct xfrm_userpolicy_info policy_in = { -+ .action = XFRM_POLICY_ALLOW, -+ .sel.family = v6 ? AF_INET6 :AF_INET, -+ .dir = XFRM_POLICY_IN, -+ }; -+ struct xfrm_userpolicy_info policy_out = { -+ .action = XFRM_POLICY_ALLOW, -+ .sel.family = v6 ? 
AF_INET6 :AF_INET, -+ .dir = XFRM_POLICY_OUT, -+ }; -+ - dbg("TCP: OPEN: socket %d enabling ESPINTCP", ifp->fd); -+ - if (setsockopt(ifp->fd, IPPROTO_TCP, TCP_ULP, - "espintcp", sizeof("espintcp"))) { - int e = errno; -@@ -459,6 +483,24 @@ static void iketcp_message_listener_cb(evutil_socket_t unused_fd UNUSED, - free_any_iface_endpoint(&ifp); - return; - } -+ -+ if (setsockopt(ifp->fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_in, sizeof(policy_in))) { -+ int e = errno; -+ llog(RC_LOG, logger, -+ "TCP: setsockopt(%d, SOL_TCP, IP_XFRM_POLICY, \"policy_in\") failed; closing socket "PRI_ERRNO, -+ ifp->fd, pri_errno(e)); -+ free_any_iface_endpoint(&ifp); -+ return; -+ } -+ if (setsockopt(ifp->fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_out, sizeof(policy_out))) { -+ int e = errno; -+ llog(RC_LOG, logger, -+ "TCP: setsockopt(%d, SOL_TCP, IP_XFRM_POLICY, \"policy_out\") failed; closing socket "PRI_ERRNO, -+ ifp->fd, pri_errno(e)); -+ free_any_iface_endpoint(&ifp); -+ return; -+ } -+ - } - - /* -@@ -650,6 +692,17 @@ stf_status create_tcp_interface(struct state *st) - if (impair.tcp_skip_setsockopt_espintcp) { - log_state(RC_LOG, st, "IMPAIR: TCP: skipping setsockopt(espintcp)"); - } else { -+ bool v6 = st->st_remote_endpoint.version == 6; -+ struct xfrm_userpolicy_info policy_in = { -+ .action = XFRM_POLICY_ALLOW, -+ .sel.family = v6 ? AF_INET6 :AF_INET, -+ .dir = XFRM_POLICY_IN, -+ }; -+ struct xfrm_userpolicy_info policy_out = { -+ .action = XFRM_POLICY_ALLOW, -+ .sel.family = v6 ? 
AF_INET6 :AF_INET, -+ .dir = XFRM_POLICY_OUT, -+ }; - dbg("TCP: socket %d enabling \"espintcp\"", fd); - if (setsockopt(fd, IPPROTO_TCP, TCP_ULP, "espintcp", sizeof("espintcp"))) { - log_errno(st->st_logger, errno, -@@ -657,6 +710,18 @@ stf_status create_tcp_interface(struct state *st) - close(fd); - return STF_FATAL; - } -+ if (setsockopt(fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_in, sizeof(policy_in))) { -+ log_errno(st->st_logger, errno, -+ "setsockopt(PPROTO_IP, IP_XFRM_POLICY(in)) failed in netlink_espintcp()"); -+ close(fd); -+ return STF_FATAL; -+ } -+ if (setsockopt(fd, IPPROTO_IP, IP_XFRM_POLICY, &policy_out, sizeof(policy_out))) { -+ log_errno(st->st_logger, errno, -+ "setsockopt(PPROTO_IP, IP_XFRM_POLICY(out)) failed in netlink_espintcp()"); -+ close(fd); -+ return STF_FATAL; -+ } - } - - struct iface_endpoint *ifp = alloc_thing(struct iface_endpoint, "TCP iface initiator"); -commit 7c38cd473d89b8c860ee7e3b8b31cfe012370f1d -Author: Paul Wouters -Date: Mon Mar 1 15:09:16 2021 -0500 - - documentation: small TCP doc update in ipsec.conf.in - -diff --git a/configs/ipsec.conf.in b/configs/ipsec.conf.in -index bb2cc16e64..9fa3300176 100644 ---- a/configs/ipsec.conf.in -+++ b/configs/ipsec.conf.in -@@ -28,9 +28,10 @@ config setup - # dnssec-enable=no - # - # To enable IKE and IPsec over TCP for VPN server. Requires at least -- # Linux 5.7 kernel. For TCP support as a VPN client, specify -- # tcp-remote-port=4500 in the client conn section. -+ # Linux 5.7 kernel or a kernel with TCP backport (like RHEL8 4.18.0-291) - # listen-tcp=yes -+ # To enable IKE and IPsec over TCP for VPN client, also specify -+ # tcp-remote-port=4500 in the client's conn section. - - # if it exists, include system wide crypto-policy defaults - # include /etc/crypto-policies/back-ends/libreswan.config diff --git a/SOURCES/libreswan-4.3-labeled-ipsec.patch b/SOURCES/libreswan-4.3-labeled-ipsec.patch deleted file mode 100644 index 9dd18f0..0000000 
--- a/SOURCES/libreswan-4.3-labeled-ipsec.patch
+++ /dev/null
@@ -1,191 +0,0 @@ -diff -Naur libreswan-4.3-orig/programs/pluto/connections.c libreswan-4.3/programs/pluto/connections.c ---- libreswan-4.3-orig/programs/pluto/connections.c 2021-02-21 12:03:03.000000000 -0500 -+++ libreswan-4.3/programs/pluto/connections.c 2021-02-24 16:28:05.608119041 -0500 -@@ -2475,9 +2475,8 @@ - endpoint_in_selector(local_client, &sr->this.client) && - endpoint_in_selector(remote_client, &sr->that.client) - #ifdef HAVE_LABELED_IPSEC -- && ((sec_label.ptr == NULL && -- sr->this.sec_label.ptr == NULL) || -- /* don't call with NULL, it confuses it */ -+ && ((sec_label.ptr == NULL && sr->this.sec_label.ptr == NULL) || -+ hunk_eq(sec_label, sr->this.sec_label) || - within_range((const char *)sec_label.ptr, - (const char *)sr->this.sec_label.ptr, logger)) - #endif -diff -Naur libreswan-4.3-orig/programs/pluto/ikev1_spdb_struct.c libreswan-4.3/programs/pluto/ikev1_spdb_struct.c ---- libreswan-4.3-orig/programs/pluto/ikev1_spdb_struct.c 2021-02-21 12:03:03.000000000 -0500 -+++ libreswan-4.3/programs/pluto/ikev1_spdb_struct.c 2021-02-24 16:28:59.819791102 -0500 -@@ -113,7 +113,9 @@ - return false; - } - -- if (!within_range(sec_label.ptr, /* we ensured NUL termination above */ -+ -+ if (!hunk_eq(sec_label, c->spd.this.sec_label) && -+ !within_range(sec_label.ptr, /* we ensured NUL termination above */ - (const char *)c->spd.this.sec_label.ptr, /* we ensured NUL termination earlier? 
*/ - st->st_logger)) { - LLOG_JAMBUF(RC_LOG_SERIOUS, st->st_logger, buf) { -diff -Naur libreswan-4.3-orig/programs/pluto/ikev2_ts.c libreswan-4.3/programs/pluto/ikev2_ts.c ---- libreswan-4.3-orig/programs/pluto/ikev2_ts.c 2021-02-21 12:03:03.000000000 -0500 -+++ libreswan-4.3/programs/pluto/ikev2_ts.c 2021-02-24 16:30:19.639780631 -0500 -@@ -862,7 +862,8 @@ - } - - #ifdef HAVE_LABELED_IPSEC --static bool score_ends_seclabel(const struct ends *ends, -+static bool score_ends_seclabel(const chunk_t **selected_sec_label, -+ const struct ends *ends, - const struct connection *d, - const struct traffic_selectors *tsi, - const struct traffic_selectors *tsr, -@@ -875,6 +876,10 @@ - bool match_i = false; - bool match_r = false; - -+ if (selected_sec_label != NULL) { -+ *selected_sec_label = NULL; -+ } -+ - for (unsigned tsi_n = 0; tsi_n < tsi->nr; tsi_n++) { - const struct traffic_selector *cur = &tsi->ts[tsi_n]; - if (cur->ts_type == IKEv2_TS_SECLABEL) { -@@ -883,7 +888,8 @@ - // complain loudly - continue; - } else { -- if (within_range((const char *)cur->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) { -+ if (hunk_eq(cur->sec_label, d->spd.this.sec_label) || -+ within_range((const char *)cur->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) { - match_i = true; - dbg("ikev2ts #1: received label within range of our security label"); - } else { -@@ -902,9 +908,13 @@ - dbg("IKEv2_TS_SECLABEL but zero length cur->sec_label"); - continue; - } else { -- if (within_range((const char *)ends->r->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) { -+ if (hunk_eq(ends->r->sec_label, d->spd.this.sec_label) || -+ within_range((const char *)ends->r->sec_label.ptr, (const char *)d->spd.this.sec_label.ptr, logger)) { - dbg("ikev2ts #2: received label within range of our security label"); - match_r = true; -+ if (selected_sec_label != NULL) { -+ *selected_sec_label = &cur->sec_label; -+ } - } else { - dbg("ikev2ts #2: received label not 
within range of our security label"); - DBG_dump_hunk("ends->r->sec_label", ends->r->sec_label); -@@ -926,7 +936,8 @@ - return require_label == recv_label_i && match_i && match_r; - } - #else --static bool score_ends_seclabel(const struct ends *ends UNUSED, -+static bool score_ends_seclabel(const chunk_t **selected_sec_label, -+ const struct ends *ends UNUSED, - const struct connection *d UNUSED, - const struct traffic_selectors *tsi UNUSED, - const struct traffic_selectors *tsr UNUSED, -@@ -1030,6 +1041,7 @@ - struct best_score best_score = NO_SCORE; - const struct spd_route *best_spd_route = NULL; - struct connection *best_connection = c; -+ const chunk_t *best_sec_label = NULL; - - /* find best spd in c */ - -@@ -1042,7 +1054,8 @@ - .r = &sra->this, - }; - -- if (!score_ends_seclabel(&ends, c, &tsi, &tsr, child->sa.st_logger)) { -+ const chunk_t* selected_sec_label = NULL; -+ if (!score_ends_seclabel(&selected_sec_label, &ends, c, &tsi, &tsr, child->sa.st_logger)) { - continue; - } - -@@ -1060,6 +1073,7 @@ - score.tsi - tsi.ts, score.tsr - tsr.ts); - best_score = score; - best_spd_route = sra; -+ best_sec_label = selected_sec_label; - passert(best_connection == c); - } - } -@@ -1143,7 +1157,8 @@ - ? 
END_NARROWER_THAN_TS - : END_EQUALS_TS; - -- if (!score_ends_seclabel(&ends, d, &tsi, &tsr, -+ const chunk_t* selected_sec_label = NULL; -+ if (!score_ends_seclabel(&selected_sec_label, &ends, d, &tsi, &tsr, - child->sa.st_logger)) - continue; - -@@ -1159,6 +1174,7 @@ - best_connection = d; - best_score = score; - best_spd_route = sr; -+ best_sec_label = selected_sec_label; - } - } - } -@@ -1389,6 +1405,13 @@ - */ - update_state_connection(&child->sa, best_connection); - -+ if (best_sec_label != NULL) { -+ if (child->sa.st_seen_sec_label.len != 0) { -+ free_chunk_content(&child->sa.st_seen_sec_label); -+ } -+ child->sa.st_seen_sec_label = clone_hunk(*best_sec_label, "st_seen_sec_label"); -+ } -+ - child->sa.st_ts_this = ikev2_end_to_ts(&best_spd_route->this, child->sa.st_acquired_sec_label); - child->sa.st_ts_that = ikev2_end_to_ts(&best_spd_route->that, child->sa.st_seen_sec_label); - -@@ -1424,7 +1447,8 @@ - ? END_WIDER_THAN_TS - : END_EQUALS_TS; - -- if (!score_ends_seclabel(&e, c, &tsi, &tsr, child->sa.st_logger)) -+ const chunk_t *selected_sec_label = NULL; -+ if (!score_ends_seclabel(&selected_sec_label, &e, c, &tsi, &tsr, child->sa.st_logger)) - return false; - - struct best_score best = score_ends_iprange(initiator_widening, c, &e, &tsi, &tsr); -@@ -1435,6 +1459,13 @@ - return false; - } - -+ if (selected_sec_label != NULL) { -+ if (child->sa.st_seen_sec_label.len != 0) { -+ free_chunk_content(&child->sa.st_seen_sec_label); -+ } -+ child->sa.st_seen_sec_label = clone_hunk(*selected_sec_label, "st_seen_sec_label"); -+ } -+ - /* XXX: check conversions */ - dbg("initiator saving acceptable TSi response in this"); - ts_to_end(best.tsi, &c->spd.this, &child->sa.st_ts_this); -@@ -1489,7 +1520,7 @@ - - enum fit fitness = END_NARROWER_THAN_TS; - -- if (!score_ends_seclabel(&ends, c, &their_tsis, &their_tsrs, -+ if (!score_ends_seclabel(NULL, &ends, c, &their_tsis, &their_tsrs, - child->sa.st_logger)) { - log_state(RC_LOG_SERIOUS, &child->sa, - "rekey: received 
Traffic Selectors mismatch configured selectors for Security Label"); -diff -Naur libreswan-4.3-orig/programs/pluto/ikev2_parent.c libreswan-4.3/programs/pluto/ikev2_parent.c ---- libreswan-4.3-orig/programs/pluto/ikev2_parent.c 2021-02-21 12:03:03.000000000 -0500 -+++ libreswan-4.3/programs/pluto/ikev2_parent.c 2021-03-01 10:31:49.667207958 -0500 -@@ -5943,8 +5943,6 @@ - * from a policy we gave the kernel, so it _should_ be within our range? - */ - child->sa.st_acquired_sec_label = clone_hunk(p->sec_label, "st_acquired_sec_label"); -- c->spd.this.sec_label = clone_hunk(p->sec_label, "updated conn label"); -- c->spd.that.sec_label = clone_hunk(p->sec_label, "updated conn label"); - } - - } else { diff --git a/SPECS/libreswan.spec b/SPECS/libreswan.spec index 07cbf57..81671a4 100644 --- a/SPECS/libreswan.spec +++ b/SPECS/libreswan.spec @@ -36,8 +36,8 @@ Name: libreswan Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols # version is generated in the release script -Version: 4.3 -Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist} +Version: 4.4 +Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist} License: GPLv2 Url: https://libreswan.org/ @@ -51,8 +51,6 @@ Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2 Patch1: libreswan-4.3-maintain-different-v1v2-split.patch Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch Patch3: libreswan-4.1-maintain-obsolete-keywords.patch -Patch4: libreswan-4.3-labeled-ipsec.patch -Patch5: libreswan-4.3-ikev2-tcp.patch Patch6: libreswan-4.3-1934186-config.patch BuildRequires: audit-libs-devel @@ -111,8 +109,6 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %patch1 -p1 %patch2 -p1 %patch3 -p1 -%patch4 -p1 -%patch5 -p1 %patch6 -p1 # linking to freebl is not needed 
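Review bot: Patch4 (libreswan-4.3-labeled-ipsec.patch) and Patch5 (libreswan-4.3-ikev2-tcp.patch) are removed from the Patch list and from %prep without anything in the spec recording that both fixes are contained in the 4.4 tarball; the deleted ikev2-tcp patch carries upstream commit ids (9a69641b…, 7c38cd47…) so that one is presumably merged, but the labeled-ipsec patch (hunk_eq() short-circuit before within_range(), st_seen_sec_label selection) has no upstream reference, so its presence in 4.4 is only inferred. If either fix is missing, the regression is silent rather than a build failure: the IKE-over-TCP socket loses its IP_XFRM_POLICY setting (transport mode / host-to-host breaks on the kernels named in the dropped patch) and labeled IPsec loses exact-label matching. Suggest a comment beside the remaining Patch6 line, e.g. `# Patch4/Patch5 (labeled-ipsec, ikev2-tcp) dropped: merged upstream in 4.4`, and a changelog line such as `- Drop labeled-ipsec and ikev2-tcp patches, merged upstream`. Patch6 (libreswan-4.3-1934186-config.patch) is kept against the 4.4 source, which is fine provided it still applies cleanly in %prep.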
@@ -217,12 +213,14 @@ certutil -N -d sql:$tmpdir --empty-password %attr(0644,root,root) %doc %{_mandir}/*/* %changelog -* Thu Mar 04 2021 Paul Wouters - 4.3-3 -- Resolves: rhbz#1372050 RFE: Support IKE and ESP over TCP: RFC 8229 -- Resolves: rhbz#1934186 virtual_private setting is missing in the default config +* Wed May 26 2021 Daiki Ueno - 4.4-1 +- Resolves: rhbz#1958968 Rebase libreswan to 4.4 +- Resolves: rhbz#1954423 Libreswan: TS_UNACCEPTABLE on multiple connections between the same peers -* Mon Mar 01 2021 Paul Wouters - 4.3-2 -- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec [update] +* Thu Mar 04 2021 Paul Wouters - 4.3-3 +- Resolves: rhbz#1933064 - IKEv2 support for Labeled IPsec +- Resolves: rhbz#1935150 RFE: Support IKE and ESP over TCP: RFC 8229 +- Resolves: rhbz#1935339 virtual_private setting is missing in the default config * Sun Feb 21 2021 Paul Wouters - 4.3-1 - Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec [update]