diff --git a/.gitignore b/.gitignore index b4afa33..2b43563 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,4 @@ SOURCES/ikev1_dsa.fax.bz2 SOURCES/ikev1_psk.fax.bz2 SOURCES/ikev2.fax.bz2 -SOURCES/libreswan-3.20.tar.gz +SOURCES/libreswan-3.23.tar.gz diff --git a/.libreswan.metadata b/.libreswan.metadata index d784875..0e65554 100644 --- a/.libreswan.metadata +++ b/.libreswan.metadata @@ -1,4 +1,4 @@ b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2 861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2 fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2 -ca8e56bf6a99d67201f5c4065991d72febf14eae SOURCES/libreswan-3.20.tar.gz +1ea51c629c0f52f0dd3dce67de368ba4efc87f86 SOURCES/libreswan-3.23.tar.gz diff --git a/SOURCES/libreswan-3.2-1458227-cavp-fips.patch b/SOURCES/libreswan-3.2-1458227-cavp-fips.patch deleted file mode 100644 index 12b0e7b..0000000 --- a/SOURCES/libreswan-3.2-1458227-cavp-fips.patch +++ /dev/null @@ -1,25 +0,0 @@ -diff -Naur libreswan-3.20-orig/lib/libswan/lswnss.c libreswan-3.20/lib/libswan/lswnss.c ---- libreswan-3.20-orig/lib/libswan/lswnss.c 2017-03-14 11:53:11.000000000 -0400 -+++ libreswan-3.20/lib/libswan/lswnss.c 2017-06-06 11:50:35.662776208 -0400 -@@ -63,16 +63,15 @@ - pfree(nssdir); - return FALSE; - } -+ if (PK11_IsFIPS() && get_password == NULL) { -+ snprintf(err, sizeof(lsw_nss_buf_t), -+ "on FIPS mode a password is required"); -+ return FALSE; -+ } - } else { - NSS_NoDB_Init("."); - } - -- if (PK11_IsFIPS() && get_password == NULL) { -- snprintf(err, sizeof(lsw_nss_buf_t), -- "on FIPS mode a password is required"); -- return FALSE; -- } -- - if (get_password) { - PK11_SetPasswordFunc(get_password); - } diff --git a/SOURCES/libreswan-3.20-1341353-psk-fips.patch b/SOURCES/libreswan-3.20-1341353-psk-fips.patch deleted file mode 100644 index cb426ab..0000000 --- a/SOURCES/libreswan-3.20-1341353-psk-fips.patch +++ /dev/null @@ -1,246 +0,0 @@ -diff -Naur libreswan-3.20-orig/lib/libswan/ike_info.c libreswan-3.20/lib/libswan/ike_info.c ---- libreswan-3.20-orig/lib/libswan/ike_info.c 2017-03-14 11:53:11.000000000 -0400 -+++ libreswan-3.20/lib/libswan/ike_info.c 2017-04-22 19:02:37.667000000 -0400 -@@ -64,6 +64,11 @@ - char *ptr = buf; - const char *sep = ""; - -+ if (alg_info == NULL) { -+ PEXPECT_LOG("%s", "parameter alg_info unexpectedly NULL"); -+ return; -+ } -+ - FOR_EACH_IKE_INFO(alg_info, ike_info) { - if (ike_info->ike_encrypt != NULL && - ike_info->ike_prf != NULL && -@@ -95,6 +100,12 @@ - char *ptr = buf; - char *be = buf + buflen; - -+ if (alg_info_ike == NULL) { -+ PEXPECT_LOG("%s", "parameter alg_info_ike unexpectedly NULL"); -+ return; -+ } -+ -+ - passert(buflen > 0); - - const char *sep = ""; -diff -Naur libreswan-3.20-orig/programs/pluto/crypt_prf.c libreswan-3.20/programs/pluto/crypt_prf.c ---- libreswan-3.20-orig/programs/pluto/crypt_prf.c 2017-03-14 11:53:11.000000000 -0400 -+++ libreswan-3.20/programs/pluto/crypt_prf.c 2017-04-22 19:02:37.668000000 -0400 -@@ -35,6 +35,36 @@ - #include "crypt_symkey.h" - #include "crypto.h" - -+size_t crypt_prf_fips_key_size_min(const struct prf_desc *prf) -+{ -+ /* -+ * FIPS 198 Section 3 CRYPTOGRAPHIC KEYS requires keys to be -+ * >= "L/2" (where L is the block-size in bytes of the hash -+ * function). -+ * -+ * FIPS 198-1 Section 3 instead cites SP 800-107. Good luck -+ * reading the latter. -+ */ -+ return prf->prf_key_size / 2; -+} -+ -+size_t crypt_prf_fips_key_size_floor(void) -+{ -+ static size_t key_size_floor; -+ if (!key_size_floor) { -+ key_size_floor = SIZE_MAX; -+ for (const struct prf_desc **prfp = next_prf_desc(NULL); -+ prfp != NULL; prfp = next_prf_desc(prfp)) { -+ if (!(*prfp)->common.fips) { -+ continue; -+ } -+ key_size_floor = min(key_size_floor, -+ crypt_prf_fips_key_size_min(*prfp)); -+ } -+ } -+ return key_size_floor; -+} -+ - struct crypt_prf { - struct prf_context *context; - lset_t debug; -@@ -46,13 +76,19 @@ - const char *name, - struct prf_context *context) - { -- struct crypt_prf *prf = alloc_thing(struct crypt_prf, name); -- *prf = (struct crypt_prf) { -- .context = context, -- .debug = debug, -- .name = name, -- .desc = prf_desc, -- }; -+ struct crypt_prf *prf = NULL; -+ -+ if (context != NULL) { -+ prf = alloc_thing(struct crypt_prf, name); -+ *prf = (struct crypt_prf) { -+ .context = context, -+ .debug = debug, -+ .name = name, -+ .desc = prf_desc, -+ }; -+ } -+ DBG(debug, DBG_log("%s PRF %s crypt-prf@%p", -+ name, prf_desc->common.name, prf)); - return prf; - } - -diff -Naur libreswan-3.20-orig/programs/pluto/crypt_prf.h libreswan-3.20/programs/pluto/crypt_prf.h ---- libreswan-3.20-orig/programs/pluto/crypt_prf.h 2017-03-14 11:53:11.000000000 -0400 -+++ libreswan-3.20/programs/pluto/crypt_prf.h 2017-04-22 19:02:37.668000000 -0400 -@@ -26,6 +26,14 @@ - struct crypt_prf; - - /* -+ * FIPS requires a minimum key size. In FIPS mode, when the key is -+ * less than this, the init will fail. Here the "floor" is the -+ * minimum of all the fips algorithms so failing this is really bad. -+ */ -+size_t crypt_prf_fips_key_size_min(const struct prf_desc *prf_desc); -+size_t crypt_prf_fips_key_size_floor(void); -+ -+/* - * Primitives implementing IKE PRFs. - * - * Some PRFs are implemented using the HMAC algorithm (described in -diff -Naur libreswan-3.20-orig/programs/pluto/ikev1_spdb_struct.c libreswan-3.20/programs/pluto/ikev1_spdb_struct.c ---- libreswan-3.20-orig/programs/pluto/ikev1_spdb_struct.c 2017-03-14 11:53:11.000000000 -0400 -+++ libreswan-3.20/programs/pluto/ikev1_spdb_struct.c 2017-04-22 19:05:18.395000000 -0400 -@@ -52,6 +52,7 @@ - #include "ike_alg.h" - #include "db_ops.h" - #include "lswfips.h" /* for libreswan_fipsmode */ -+#include "crypt_prf.h" - - #include "nat_traversal.h" - -@@ -901,6 +902,7 @@ - bool xauth_init = FALSE, - xauth_resp = FALSE; - const char *const role = selection ? "initiator" : "responder"; -+ const chunk_t *pss = &empty_chunk; - - passert(c != NULL); - -@@ -1190,9 +1192,10 @@ - if ((iap & POLICY_PSK) == LEMPTY) { - ugh = "policy does not allow OAKLEY_PRESHARED_KEY authentication"; - } else { -- /* check that we can find a preshared secret */ -- if (get_preshared_secret(c) -- == NULL) -+ /* check that we can find a proper preshared secret */ -+ pss = get_preshared_secret(c); -+ -+ if (pss == NULL) - { - char mid[IDTOA_BUF], - hid[IDTOA_BUF]; -@@ -1212,6 +1215,8 @@ - ugh = builddiag( - "Can't authenticate: no preshared key found for `%s' and `%s'", - mid, hid); -+ } else { -+ DBG(DBG_PRIVATE, DBG_dump_chunk("User PSK:", *pss)); - } - ta.auth = OAKLEY_PRESHARED_KEY; - } -@@ -1398,6 +1403,31 @@ - } - } - -+ { -+ -+ if ((st->st_policy & POLICY_PSK) && pss != &empty_chunk && pss != NULL) { -+ const size_t key_size_min = crypt_prf_fips_key_size_min(ta.prf); -+ -+ if (pss->len < key_size_min) { -+ if (libreswan_fipsmode()) { -+ ugh = builddiag("FIPS: connection %s PSK length of %zu bytes is too short for %s PRF in FIPS mode (%zu bytes required)", -+ st->st_connection->name, -+ pss->len, -+ ta.prf->common.name, -+ key_size_min); -+ } else { -+ libreswan_log("WARNING: connection %s PSK length of %zu bytes is too short for %s PRF in FIPS mode (%zu bytes required)", -+ st->st_connection->name, -+ pss->len, -+ ta.prf->common.name, -+ key_size_min); -+ } -+ } -+ -+ } -+ -+ } -+ - /* - * ML: at last check for allowed transforms in alg_info_ike - */ -diff -Naur libreswan-3.20-orig/programs/pluto/ikev2_psk.c libreswan-3.20/programs/pluto/ikev2_psk.c ---- libreswan-3.20-orig/programs/pluto/ikev2_psk.c 2017-03-14 11:53:11.000000000 -0400 -+++ libreswan-3.20/programs/pluto/ikev2_psk.c 2017-04-22 19:02:37.669000000 -0400 -@@ -57,6 +57,7 @@ - #include "keys.h" - #include "crypt_prf.h" - #include "crypt_symkey.h" -+#include "lswfips.h" - - #include - #include -@@ -91,6 +92,24 @@ - return FALSE; /* failure: no PSK to use */ - } - DBG(DBG_PRIVATE, DBG_dump_chunk("User PSK:", *pss)); -+ const size_t key_size_min = crypt_prf_fips_key_size_min(st->st_oakley.prf); -+ if (pss->len < key_size_min) { -+ if (libreswan_fipsmode()) { -+ loglog(RC_LOG_SERIOUS, -+ "FIPS: connection %s PSK length of %zu bytes is too short for %s PRF in FIPS mode (%zu bytes required)", -+ st->st_connection->name, -+ pss->len, -+ st->st_oakley.prf->common.name, -+ key_size_min); -+ return FALSE; -+ } else { -+ libreswan_log("WARNING: connection %s PSK length of %zu bytes is too short for %s PRF in FIPS mode (%zu bytes required)", -+ st->st_connection->name, -+ pss->len, -+ st->st_oakley.prf->common.name, -+ key_size_min); -+ } -+ } - } else { - /* - * RFC-7619 -@@ -137,9 +156,19 @@ - { - struct crypt_prf *prf = - crypt_prf_init_chunk(" = prf(,\"Key Pad for IKEv2\")", -- DBG_CRYPT, -- st->st_oakley.prf, -- "shared secret", *pss); -+ DBG_CRYPT, -+ st->st_oakley.prf, -+ "shared secret", *pss); -+ if (prf == NULL) { -+ if (libreswan_fipsmode()) { -+ PASSERT_FAIL("FIPS: failure creating %s PRF context for digesting PSK", -+ st->st_oakley.prf->common.name); -+ } -+ loglog(RC_LOG_SERIOUS, -+ "failure creating %s PRF context for digesting PSK", -+ st->st_oakley.prf->common.name); -+ return FALSE; -+ } - crypt_prf_update_bytes(psk_key_pad_str/*name*/, prf, - psk_key_pad_str, psk_key_pad_str_len); - prf_psk = crypt_prf_final_symkey(&prf); diff --git a/SOURCES/libreswan-3.20-1372279-down-error.patch b/SOURCES/libreswan-3.20-1372279-down-error.patch deleted file mode 100644 index d0ef6ea..0000000 --- a/SOURCES/libreswan-3.20-1372279-down-error.patch +++ /dev/null @@ -1,154 +0,0 @@ -diff -Naur libreswan-3.20-orig/programs/pluto/connections.c libreswan-3.20/programs/pluto/connections.c ---- libreswan-3.20-orig/programs/pluto/connections.c 2017-03-14 11:53:11.000000000 -0400 -+++ libreswan-3.20/programs/pluto/connections.c 2017-05-30 15:00:02.409386255 -0400 -@@ -97,13 +97,13 @@ - * Move the winner (if any) to the front. - * If none is found, and strict, a diagnostic is logged to whack. - */ --struct connection *con_by_name(const char *nm, bool strict) -+struct connection *con_by_name(const char *nm, bool strict, bool quiet) - { - struct connection *p, *prev; - - for (prev = NULL, p = connections;; prev = p, p = p->ac_next) { - if (p == NULL) { -- if (strict) -+ if (strict && !quiet) - whack_log(RC_UNKNOWN_NAME, - "no connection named \"%s\"", nm); - break; -@@ -401,13 +401,13 @@ - bool f = FALSE; - - passert(name != NULL); -- struct connection *c = con_by_name(name, strict); -+ struct connection *c = con_by_name(name, strict, TRUE); - - if (c == NULL) { - (void)foreach_connection_by_alias(name, delete_connection_wrap, - &f); - } else { -- for (; c != NULL; c = con_by_name(name, FALSE)) -+ for (; c != NULL; c = con_by_name(name, FALSE, FALSE)) - delete_connection(c, FALSE); - } - } -@@ -1269,7 +1269,7 @@ - - alg_info_ike = NULL; - -- if (con_by_name(wm->name, FALSE) != NULL) { -+ if (con_by_name(wm->name, FALSE, FALSE) != NULL) { - loglog(RC_DUPNAME, "attempt to redefine connection \"%s\"", - wm->name); - return; -@@ -1927,7 +1927,7 @@ - snprintf(namebuf, sizeof(namebuf), "%s#%s", group->name, targetbuf); - } - -- if (con_by_name(namebuf, FALSE) != NULL) { -+ if (con_by_name(namebuf, FALSE, FALSE) != NULL) { - loglog(RC_DUPNAME, - "group name + target yields duplicate name \"%s\"", - namebuf); -diff -Naur libreswan-3.20-orig/programs/pluto/connections.h libreswan-3.20/programs/pluto/connections.h ---- libreswan-3.20-orig/programs/pluto/connections.h 2017-03-14 11:53:11.000000000 -0400 -+++ libreswan-3.20/programs/pluto/connections.h 2017-05-30 15:00:21.716149232 -0400 -@@ -413,7 +413,7 @@ - - struct state; /* forward declaration of tag (defined in state.h) */ - extern struct connection --*con_by_name(const char *nm, bool strict); -+*con_by_name(const char *nm, bool strict, bool quiet); - - stf_status ikev2_find_host_connection(struct connection **cp, - const ip_address *me, u_int16_t my_port, const ip_address *him, -diff -Naur libreswan-3.20-orig/programs/pluto/foodgroups.c libreswan-3.20/programs/pluto/foodgroups.c ---- libreswan-3.20-orig/programs/pluto/foodgroups.c 2017-03-14 11:53:11.000000000 -0400 -+++ libreswan-3.20/programs/pluto/foodgroups.c 2017-05-30 15:00:02.409386255 -0400 -@@ -344,7 +344,7 @@ - for (t = targets; t != NULL; t = t->next) { - if (t->group == g) { - struct connection *ci = con_by_name(t->name, -- FALSE); -+ FALSE, FALSE); - - if (ci != NULL) { - set_cur_connection(ci); -@@ -367,7 +367,7 @@ - g->connection->policy &= ~POLICY_GROUTED; - for (t = targets; t != NULL; t = t->next) { - if (t->group == g) { -- struct connection *ci = con_by_name(t->name, FALSE); -+ struct connection *ci = con_by_name(t->name, FALSE, FALSE); - - if (ci != NULL) { - set_cur_connection(ci); -diff -Naur libreswan-3.20-orig/programs/pluto/ikev1.c libreswan-3.20/programs/pluto/ikev1.c ---- libreswan-3.20-orig/programs/pluto/ikev1.c 2017-03-14 11:53:11.000000000 -0400 -+++ libreswan-3.20/programs/pluto/ikev1.c 2017-05-30 15:00:02.410386295 -0400 -@@ -696,7 +696,7 @@ - - /* to find and store the connection associated with tmp_name */ - /* ??? how do we know that tmp_name hasn't been freed? */ -- struct connection *tmp_c = con_by_name(tmp_name, FALSE); -+ struct connection *tmp_c = con_by_name(tmp_name, FALSE, FALSE); - - DBG_cond_dump(DBG_PARSING, - "redirected remote end info:", n_pbs->cur + pbs_left( -diff -Naur libreswan-3.20-orig/programs/pluto/initiate.c libreswan-3.20/programs/pluto/initiate.c ---- libreswan-3.20-orig/programs/pluto/initiate.c 2017-03-14 11:53:11.000000000 -0400 -+++ libreswan-3.20/programs/pluto/initiate.c 2017-05-30 15:00:02.410386295 -0400 -@@ -344,7 +344,7 @@ - char *remote_host) - { - struct initiate_stuff is; -- struct connection *c = con_by_name(name, FALSE); -+ struct connection *c = con_by_name(name, FALSE, FALSE); - int count; - - passert(name != NULL); -diff -Naur libreswan-3.20-orig/programs/pluto/rcv_whack.c libreswan-3.20/programs/pluto/rcv_whack.c ---- libreswan-3.20-orig/programs/pluto/rcv_whack.c 2017-03-14 11:53:11.000000000 -0400 -+++ libreswan-3.20/programs/pluto/rcv_whack.c 2017-05-30 15:00:02.411386334 -0400 -@@ -301,7 +301,7 @@ - set_debugging(base_debugging); - } else if (!m->whack_connection) { - struct connection *c = con_by_name(m->name, -- TRUE); -+ TRUE, FALSE); - - if (c != NULL) { - c->extra_debugging = m->debugging; -@@ -456,7 +456,7 @@ - if (!listening) { - whack_log(RC_DEAF, "need --listen before --route"); - } else { -- struct connection *c = con_by_name(m->name, TRUE); -+ struct connection *c = con_by_name(m->name, TRUE, FALSE); - - if (c != NULL) { - set_cur_connection(c); -@@ -476,7 +476,7 @@ - } - - if (m->whack_unroute) { -- struct connection *c = con_by_name(m->name, TRUE); -+ struct connection *c = con_by_name(m->name, TRUE, FALSE); - - if (c != NULL) { - const struct spd_route *sr; -diff -Naur libreswan-3.20-orig/programs/pluto/terminate.c libreswan-3.20/programs/pluto/terminate.c ---- libreswan-3.20-orig/programs/pluto/terminate.c 2017-03-14 11:53:11.000000000 -0400 -+++ libreswan-3.20/programs/pluto/terminate.c 2017-05-30 15:00:02.411386334 -0400 -@@ -92,8 +92,9 @@ - /* - * Loop because more than one may match (master and instances) - * But at least one is required (enforced by con_by_name). -+ * Don't log an error if not found before we checked aliases - */ -- struct connection *c = con_by_name(name, TRUE); -+ struct connection *c = con_by_name(name, TRUE, TRUE); - - if (c != NULL) { - while (c != NULL) { diff --git a/SOURCES/libreswan-3.20-1444115-fips-F4.patch b/SOURCES/libreswan-3.20-1444115-fips-F4.patch deleted file mode 100644 index 7dc7447..0000000 --- a/SOURCES/libreswan-3.20-1444115-fips-F4.patch +++ /dev/null @@ -1,103 +0,0 @@ -diff -Naur libreswan-3.20-orig/programs/rsasigkey/rsasigkey.8.xml libreswan-3.20/programs/rsasigkey/rsasigkey.8.xml ---- libreswan-3.20-orig/programs/rsasigkey/rsasigkey.8.xml 2017-03-14 11:53:11.000000000 -0400 -+++ libreswan-3.20/programs/rsasigkey/rsasigkey.8.xml 2017-04-21 10:31:57.902023584 -0400 -@@ -89,12 +89,12 @@ - The output format looks like this (with long numbers trimmed down for clarity): - - -- # RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000 -+ # RSA 3744 bits road.toad.com Mon Apr 17 22:20:35 2017 - # for signatures only, UNSAFE FOR ENCRYPTION -- #pubkey=0sAQOF8tZ2NZt...Y1P+buFuFn/ -- #ckaid=7ddad7f1d5842e...043c499babf0a -- Modulus: 0xcc2a86fcf440...cf1011abb82d1 -- PublicExponent: 0x03 -+ #ckaid=a953473e6014dd4e08eb051e4679dc39be160fea -+ #pubkey=0sBAEAA...sKbTzwE= -+ Modulus: 0xb84ae7d...b0a6d3cf01 -+ PublicExponent: 0x010001 - - - The first (comment) line, indicating the nature and date of the key, and -diff -Naur libreswan-3.20-orig/programs/rsasigkey/rsasigkey.c libreswan-3.20/programs/rsasigkey/rsasigkey.c ---- libreswan-3.20-orig/programs/rsasigkey/rsasigkey.c 2017-03-14 11:53:11.000000000 -0400 -+++ libreswan-3.20/programs/rsasigkey/rsasigkey.c 2017-04-21 10:31:57.902023584 -0400 -@@ -5,7 +5,7 @@ - * Copyright (C) 2003-2008 Michael C Richardson - * Copyright (C) 2003-2009 Paul Wouters - * Copyright (C) 2009 Avesh Agarwal -- * Copyright (C) 2012-2015 Paul Wouters -+ * Copyright (C) 2012-2017 Paul Wouters - * Copyright (C) 2016 Andrew Cagney - * Copyright (C) 2016 Tuomo Soini - * -@@ -18,6 +18,8 @@ - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. -+ * -+ * NOTE: This should probably be rewritten to use NSS RSA_NewKey() - */ - - #include -@@ -76,8 +78,8 @@ - - #define DEFAULT_SEED_BITS 60 /* 480 bits of random seed */ - --#define E 3 /* standard public exponent */ --/* #define F4 65537 */ /* possible future public exponent, Fermat's 4th number */ -+/* No longer use E=3 to comply to FIPS 186-4, section B.3.1 */ -+#define F4 65537 - - char usage[] = - "rsasigkey [--verbose] [--seeddev ] [--nssdir ]\n" -@@ -111,17 +113,15 @@ - /* - * bundle - bundle e and n into an RFC2537-format chunk_t - */ --static char *base64_bundle(int e, chunk_t modulus) -+static char *base64_bundle(int f4, chunk_t modulus) - { - /* -- * Pack the single-byte exponent into a byte array. -+ * Pack the exponent into a byte array. - */ -- assert(e <= 255); -- u_char exponent_byte = e; -- chunk_t exponent = { -- .ptr = &exponent_byte, -- .len = 1, -- }; -+ chunk_t exponent; -+ u_int32_t f4_bytes = (u_int32_t)f4; -+ -+ clonetochunk(exponent, &f4_bytes, sizeof(u_int32_t), "exponent"); - - /* - * Create the resource record. -@@ -134,6 +134,7 @@ - exit(1); - } - -+ freeanychunk(exponent); - return bundle; - } - -@@ -293,7 +294,7 @@ - */ - void rsasigkey(int nbits, int seedbits, const struct lsw_conf_options *oco) - { -- PK11RSAGenParams rsaparams = { nbits, (long) E }; -+ PK11RSAGenParams rsaparams = { nbits, (long) F4 }; - PK11SlotInfo *slot = NULL; - SECKEYPrivateKey *privkey = NULL; - SECKEYPublicKey *pubkey = NULL; -@@ -373,7 +374,7 @@ - - /* RFC2537/RFC3110-ish format */ - { -- char *bundle = base64_bundle(E, public_modulus); -+ char *bundle = base64_bundle(F4, public_modulus); - printf("\t#pubkey=%s\n", bundle); - pfree(bundle); - } diff --git a/SOURCES/libreswan-3.21-xauth-passwd.patch b/SOURCES/libreswan-3.21-xauth-passwd.patch deleted file mode 100644 index 38cad62..0000000 --- a/SOURCES/libreswan-3.21-xauth-passwd.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/programs/pluto/ikev1_xauth.c b/programs/pluto/ikev1_xauth.c -index 5a8e92b68..f023e119f 100644 ---- a/programs/pluto/ikev1_xauth.c -+++ b/programs/pluto/ikev1_xauth.c -@@ -2103,7 +2103,7 @@ static stf_status xauth_client_resp(struct state *st, - } - - if (st->st_xauth_password.ptr == NULL) { -- char xauth_password[64]; -+ char xauth_password[XAUTH_MAX_PASS_LENGTH]; - - if (st->st_whack_sock == -1) { - loglog(RC_LOG_SERIOUS, diff --git a/SOURCES/libreswan-3.21-xauth-state.patch b/SOURCES/libreswan-3.21-xauth-state.patch deleted file mode 100644 index fae458c..0000000 --- a/SOURCES/libreswan-3.21-xauth-state.patch +++ /dev/null @@ -1,45 +0,0 @@ -diff -Naur libreswan-3.21-orig/programs/pluto/ikev1.c libreswan-3.21/programs/pluto/ikev1.c ---- libreswan-3.21-orig/programs/pluto/ikev1.c 2017-08-09 13:47:34.000000000 -0700 -+++ libreswan-3.21/programs/pluto/ikev1.c 2017-10-16 14:43:10.057639590 -0700 -@@ -2273,16 +2273,17 @@ - * actual end of phase 1. With modecfg, negotiation ends with - * STATE_MAIN_I4 already. - */ --#if 0 /* ??? what's this code for? */ - if (st->st_connection->spd.this.xauth_client -- && st->hidden_variables.st_xauth_client_done -- && !st->st_connection->spd.this.modecfg_client -- && st->st_state == STATE_XAUTH_I1) { -- DBG(DBG_CONTROL, -- DBG_log("As XAUTH is done and modecfg is not configured, so Phase 1 neogtiation finishes successfully")); -- change_state(st, STATE_MAIN_I4); -+ && st->hidden_variables.st_xauth_client_done -+ && !st->st_connection->spd.this.modecfg_client -+ && st->st_state == STATE_XAUTH_I1) -+ { -+ bool aggrmode = (st->st_connection->policy & POLICY_AGGRESSIVE); -+ -+ libreswan_log("XAUTH completed, ModeCFG skipped as per configuration"); -+ change_state(st, aggrmode ? STATE_AGGR_I2 : STATE_MAIN_I4); -+ st->st_msgid_phase15 = v1_MAINMODE_MSGID; - } --#endif - - /* Schedule for whatever timeout is specified */ - if (!md->event_already_set) { -@@ -2332,6 +2333,15 @@ - bool agreed_time = FALSE; - struct connection *c = st->st_connection; - -+ /* fixup in case of state machine jump for xauth without modecfg */ -+ if (c->spd.this.xauth_client -+ && st->hidden_variables.st_xauth_client_done -+ && !c->spd.this.modecfg_client -+ && (st->st_state == STATE_MAIN_I4 || st->st_state == STATE_AGGR_I2)) { -+ DBG(DBG_CONTROL, DBG_log("fixup XAUTH without ModeCFG event from EVENT_v1_RETRANSMIT to EVENT_SA_REPLACE")); -+ kind = EVENT_SA_REPLACE; -+ } -+ - switch (kind) { - case EVENT_v1_RETRANSMIT: /* Retransmit packet */ - delay_ms = c->r_interval; diff --git a/SOURCES/libreswan-3.23-fixups.patch b/SOURCES/libreswan-3.23-fixups.patch new file mode 100644 index 0000000..f674916 --- /dev/null +++ b/SOURCES/libreswan-3.23-fixups.patch @@ -0,0 +1,507 @@ +diff -Naur libreswan-3.23-orig/programs/pluto/connections.c libreswan-3.23/programs/pluto/connections.c +--- libreswan-3.23-orig/programs/pluto/connections.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/connections.c 2018-02-05 14:38:49.372280712 -0500 +@@ -3158,10 +3158,8 @@ + matching_peer_id && matching_peer_ca && matching_requested_ca, + matching_peer_id, matching_peer_ca, matching_requested_ca);}); + +- /* Ignore template from which we instantiated - this should never happen */ + if (c->kind == CK_INSTANCE && d->kind == CK_TEMPLATE && streq(c->name, d->name)) { +- libreswan_log("Warning: not switching back to template of current instance (FIXME)"); +- continue; ++ DBG(DBG_CONTROLMORE, DBG_log("template conn fits better than instance of it - different client on same IP/port requires new instance")); + } + + /* 'You Tarzan, me Jane' check based on received IDr */ +diff -Naur libreswan-3.23-orig/programs/pluto/hostpair.c libreswan-3.23/programs/pluto/hostpair.c +--- libreswan-3.23-orig/programs/pluto/hostpair.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/hostpair.c 2018-02-05 14:38:57.865635032 -0500 +@@ -144,17 +144,6 @@ + hisport = pluto_port; + + for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next) { +- if (p->connections != NULL && (p->connections->kind == CK_INSTANCE) && +- (p->connections->spd.that.id.kind == ID_NULL)) +- { +- DBG(DBG_CONTROLMORE, { +- char ci[CONN_INST_BUF]; +- DBG_log("find_host_pair: ignore CK_INSTANCE with ID_NULL hp:\"%s\"%s", +- p->connections->name, +- fmt_conn_instance(p->connections, ci)); +- }); +- continue; +- } + + DBG(DBG_CONTROLMORE, { + ipstr_buf b1; +diff -Naur libreswan-3.23-orig/programs/pluto/ikev2.h libreswan-3.23/programs/pluto/ikev2.h +--- libreswan-3.23-orig/programs/pluto/ikev2.h 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/ikev2.h 2018-02-05 14:39:11.171190105 -0500 +@@ -162,7 +162,9 @@ + extern bool ikev2_calculate_rsa_sha1(struct state *st, + enum original_role role, + unsigned char *idhash, +- pb_stream *a_pbs); ++ pb_stream *a_pbs, ++ bool calc_no_ppk_auth, ++ chunk_t *no_ppk_auth); + + extern bool ikev2_create_psk_auth(enum keyword_authby authby, + struct state *st, +diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_parent.c libreswan-3.23/programs/pluto/ikev2_parent.c +--- libreswan-3.23-orig/programs/pluto/ikev2_parent.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/ikev2_parent.c 2018-02-05 14:39:11.173190188 -0500 +@@ -2783,7 +2783,9 @@ + + switch (a.isaa_type) { + case IKEv2_AUTH_RSA: +- if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs)) { ++ if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs, ++ FALSE, /* store-only not set */ ++ NULL /* store-only chunk unused */)) { + loglog(RC_LOG_SERIOUS, "Failed to find our RSA key"); + return STF_FATAL; + } +@@ -2792,7 +2794,7 @@ + case IKEv2_AUTH_PSK: + case IKEv2_AUTH_NULL: + if (!ikev2_create_psk_auth(authby, pst, idhash_out, &a_pbs, +- FALSE /* store-only not set */, ++ FALSE, /* store-only not set */ + NULL /* store-only chunk unused */)) { + loglog(RC_LOG_SERIOUS, "Failed to find our PreShared Key"); + return STF_FATAL; +@@ -2812,7 +2814,9 @@ + return STF_INTERNAL_ERROR; + } + +- if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs)) { ++ if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs, ++ FALSE, /* store-only not set */ ++ NULL /* store-only chunk unused */)) { + loglog(RC_LOG_SERIOUS, "DigSig: failed to find our RSA key"); + return STF_FATAL; + } +@@ -3224,7 +3228,7 @@ + hmac_update(&id_ctx, id_start, id_len); + hmac_final(idhash, &id_ctx); + +- if (pst->st_sk_pi_no_ppk != NULL) { ++ if (pst->st_seen_ppk && !LIN(POLICY_PPK_INSIST, pc->policy)) { + struct hmac_ctx id_ctx_npa; + + hmac_init(&id_ctx_npa, pst->st_oakley.ta_prf, pst->st_sk_pi_no_ppk); +@@ -3371,7 +3375,7 @@ + notifies++; + + if (pst->st_seen_ppk) +- notifies++; /* used for two payloads */ ++ notifies++; /* used for one or two payloads */ + + /* code does not support AH + ESP, not recommend rfc8221 section-4 */ + struct ipsec_proto_info *proto_info +@@ -3437,21 +3441,24 @@ + } + if (pst->st_seen_ppk) { + chunk_t notify_data = create_unified_ppk_id(&ppk_id_p); ++ int np = LIN(POLICY_PPK_INSIST, cc->policy) ? ISAKMP_NEXT_v2NONE : ISAKMP_NEXT_v2N; + +- notifies--; /* used for 2 payloads */ +- if (!ship_v2N(ISAKMP_NEXT_v2N, ISAKMP_PAYLOAD_NONCRITICAL, +- PROTO_v2_RESERVED, &empty_chunk, +- v2N_PPK_IDENTITY, ¬ify_data, +- &e_pbs_cipher)) +- return STF_INTERNAL_ERROR; ++ notifies--; /* used for one or two payloads */ ++ if (!ship_v2N(np, ISAKMP_PAYLOAD_NONCRITICAL, ++ PROTO_v2_RESERVED, &empty_chunk, ++ v2N_PPK_IDENTITY, ¬ify_data, ++ &e_pbs_cipher)) ++ return STF_INTERNAL_ERROR; + freeanychunk(notify_data); + +- ikev2_calc_no_ppk_auth(cc, pst, idhash_npa, &pst->st_no_ppk_auth); +- if (!ship_v2N(ISAKMP_NEXT_v2NONE, ISAKMP_PAYLOAD_NONCRITICAL, +- PROTO_v2_RESERVED, &empty_chunk, +- v2N_NO_PPK_AUTH, &pst->st_no_ppk_auth, +- &e_pbs_cipher)) +- return STF_INTERNAL_ERROR; ++ if (!LIN(POLICY_PPK_INSIST, cc->policy)) { ++ ikev2_calc_no_ppk_auth(cc, pst, idhash_npa, &pst->st_no_ppk_auth); ++ if (!ship_v2N(ISAKMP_NEXT_v2NONE, ISAKMP_PAYLOAD_NONCRITICAL, ++ PROTO_v2_RESERVED, &empty_chunk, ++ v2N_NO_PPK_AUTH, &pst->st_no_ppk_auth, ++ &e_pbs_cipher)) ++ return STF_INTERNAL_ERROR; ++ } + } + + passert(notifies == 0); +diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_ppk.c libreswan-3.23/programs/pluto/ikev2_ppk.c +--- libreswan-3.23-orig/programs/pluto/ikev2_ppk.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/ikev2_ppk.c 2018-02-05 14:39:11.173190188 -0500 +@@ -113,7 +113,24 @@ + enum keyword_authby authby = c->spd.this.authby; + switch (authby) { + case AUTH_RSASIG: +- /* TODO */ ++ if (ikev2_calculate_rsa_sha1(st, st->st_original_role, id_hash, NULL, TRUE, no_ppk_auth)) { ++ if (st->st_hash_negotiated & NEGOTIATE_AUTH_HASH_SHA1) { ++ /* make blobs separately, and somehow combine them and no_ppk_auth ++ * to get an actual no_ppk_auth */ ++ int len = ASN1_LEN_ALGO_IDENTIFIER + ASN1_SHA1_RSA_OID_SIZE + no_ppk_auth->len; ++ u_char *blobs = alloc_bytes(len, "bytes for blobs for AUTH_DIGSIG NO_PPK_AUTH"); ++ u_char *ret = blobs; ++ memcpy(blobs, len_sha1_rsa_oid_blob, ASN1_LEN_ALGO_IDENTIFIER); ++ blobs += ASN1_LEN_ALGO_IDENTIFIER; ++ memcpy(blobs, sha1_rsa_oid_blob, ASN1_SHA1_RSA_OID_SIZE); ++ blobs += ASN1_SHA1_RSA_OID_SIZE; ++ memcpy(blobs, no_ppk_auth->ptr, no_ppk_auth->len); ++ chunk_t release = *no_ppk_auth; ++ setchunk(*no_ppk_auth, ret, len); ++ freeanychunk(release); ++ } ++ } ++ return STF_OK; + break; + case AUTH_PSK: + if (ikev2_create_psk_auth(AUTH_PSK, st, id_hash, NULL, TRUE, no_ppk_auth)) +diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_rsa.c libreswan-3.23/programs/pluto/ikev2_rsa.c +--- libreswan-3.23-orig/programs/pluto/ikev2_rsa.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/ikev2_rsa.c 2018-02-05 14:39:11.173190188 -0500 +@@ -101,7 +101,9 @@ + bool ikev2_calculate_rsa_sha1(struct state *st, + enum original_role role, + unsigned char *idhash, +- pb_stream *a_pbs) ++ pb_stream *a_pbs, ++ bool calc_no_ppk_auth, ++ chunk_t *no_ppk_auth) + { + unsigned char signed_octets[SHA1_DIGEST_SIZE + 16]; + size_t signed_len; +@@ -136,8 +138,13 @@ + if (shr == 0) + return FALSE; + passert(shr == (int)sz); +- if (!out_raw(sig_val, sz, a_pbs, "rsa signature")) +- return FALSE; ++ if (calc_no_ppk_auth == FALSE) { ++ if (!out_raw(sig_val, sz, a_pbs, "rsa signature")) ++ return FALSE; ++ } else { ++ clonetochunk(*no_ppk_auth, sig_val, sz, "NO_PPK_AUTH chunk"); ++ DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH payload", *no_ppk_auth)); ++ } + } + + return TRUE; +diff -Naur libreswan-3.23-orig/programs/pluto/nss_cert_verify.c libreswan-3.23/programs/pluto/nss_cert_verify.c +--- libreswan-3.23-orig/programs/pluto/nss_cert_verify.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/nss_cert_verify.c 2018-02-05 14:38:52.685418927 -0500 +@@ -498,60 +498,83 @@ + + bool cert_VerifySubjectAltName(const CERTCertificate *cert, const char *name) + { +- SECStatus rv; + SECItem subAltName; +- PLArenaPool *arena = NULL; +- CERTGeneralName *nameList = NULL; +- CERTGeneralName *current = NULL; +- bool san_ip = FALSE; +- unsigned int len = strlen(name); +- ip_address myip; +- +- rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, ++ SECStatus rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, + &subAltName); + if (rv != SECSuccess) { + DBG(DBG_X509, DBG_log("certificate contains no subjectAltName extension")); + return FALSE; + } + +- if (tnatoaddr(name, 0, AF_UNSPEC, &myip) == NULL) +- san_ip = TRUE; ++ ip_address myip; ++ bool san_ip = (tnatoaddr(name, 0, AF_UNSPEC, &myip) == NULL); + +- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); ++ PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + passert(arena != NULL); + +- nameList = current = CERT_DecodeAltNameExtension(arena, &subAltName); +- passert(current != NULL); ++ CERTGeneralName *nameList = CERT_DecodeAltNameExtension(arena, &subAltName); + +- do +- { ++ if (nameList == NULL) { ++ loglog(RC_LOG_SERIOUS, "certificate subjectAltName extension failed to decode"); ++ PORT_FreeArena(arena, PR_FALSE); ++ return FALSE; ++ } ++ ++ /* ++ * nameList is a pointer into a non-empty circular linked list. ++ * This loop visits each entry. ++ * We have visited each when we come back to the start. ++ * We test only at the end, after we advance, because we want to visit ++ * the first entry the first time we see it but stop when we get to it ++ * the second time. ++ */ ++ CERTGeneralName *current = nameList; ++ do { + switch (current->type) { + case certDNSName: + case certRFC822Name: +- if (san_ip) +- break; +- if (current->name.other.len == len) { +- if (memcmp(current->name.other.data, name, len) == 0) { +- DBG(DBG_X509, DBG_log("subjectAltname %s found in certificate", name)); +- PORT_FreeArena(arena, PR_FALSE); +- return TRUE; +- } +- } ++ { ++ /* ++ * Match the parameter name with the name in the certificate. ++ * The name in the cert may start with "*."; that will match ++ * any initial component in name (up to the first '.'). ++ */ ++ /* we need to cast because name.other.data is unsigned char * */ ++ const char *c_ptr = (const void *) current->name.other.data; ++ size_t c_len = current->name.other.len; ++ ++ const char *n_ptr = name; ++ static const char wild[] = "*."; ++ const size_t wild_len = sizeof(wild) - 1; ++ ++ if (c_len > wild_len && startswith(c_ptr, wild)) { ++ /* wildcard in cert: ignore first component of name */ ++ c_ptr += wild_len; ++ c_len -= wild_len; ++ n_ptr = strchr(n_ptr, '.'); ++ if (n_ptr == NULL) ++ break; /* cannot match */ + +- if (current->name.other.len != 0 && current->name.other.len < IDTOA_BUF) { +- char osan[IDTOA_BUF]; ++ n_ptr++; /* skip . */ ++ } + +- memcpy(osan,current->name.other.data, current->name.other.len); +- osan[current->name.other.len] = '\0'; +- DBG(DBG_X509, DBG_log("subjectAltname (len=%d) %s not match %s", current->name.other.len, osan, name)); +- } else { +- DBG(DBG_X509, DBG_log("subjectAltname does not match %s", name)); ++ if (c_len == strlen(n_ptr) && strncaseeq(n_ptr, c_ptr, c_len)) { ++ /* ++ * ??? if current->name.other.data contains bad characters, ++ * what prevents them being logged? ++ */ ++ DBG(DBG_X509, DBG_log("subjectAltname %s matched %*s in certificate", ++ name, current->name.other.len, current->name.other.data)); ++ PORT_FreeArena(arena, PR_FALSE); ++ return TRUE; + } + break; ++ } + + case certIPAddress: + if (!san_ip) + break; ++ + if ((current->name.other.len == 4) && (addrtypeof(&myip) == AF_INET)) { + if (memcmp(current->name.other.data, &myip.u.v4.sin_addr.s_addr, 4) == 0) { + DBG(DBG_X509, DBG_log("subjectAltname IPv4 matches %s", name)); +@@ -572,7 +595,7 @@ + break; + } + } +- DBG(DBG_X509, DBG_log("subjectAltnamea IP address family mismatch for %s", name)); ++ DBG(DBG_X509, DBG_log("subjectAltname IP address family mismatch for %s", name)); + break; + + default: +diff -Naur libreswan-3.23-orig/programs/_unbound-hook/_unbound-hook.in libreswan-3.23/programs/_unbound-hook/_unbound-hook.in +--- libreswan-3.23-orig/programs/_unbound-hook/_unbound-hook.in 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/_unbound-hook/_unbound-hook.in 2018-02-05 14:38:49.373280754 -0500 +@@ -1,31 +1,52 @@ + #!/usr/bin/python ++# ++# Copyright (C) 2018 Paul Wouters ++# ++# This program is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 2 of the License, or (at your ++# option) any later version. See . ++# ++# This program is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ++# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++# for more details. + + import sys +-import base64 +-import commands ++import subprocess + +-log = "" +- +-status, myip = commands.getstatusoutput("ip -o route get 1.0.0.1") ++# Get my %defaultroute IP address ++myip = subprocess.check_output("ip -o route get 8.8.8.8", shell=True) + myip = myip.split("src")[1].strip().split()[0] + + argv = sys.argv +-argc = len(sys.argv) ++ourself = argv.pop(0) + +-#log += "Number or arguments is %d\n"%argc +-#if argc >= 4: +-# log += "QNAME:%s\n"%argv[1] +-# log += "TTL:%s\n"%argv[2] +-# log += "IP:%s\n"%argv[3] +-# log += "IPSECKEY:%s\n"%argv[4] +-# rr = argv[4] +-# pref, gwtype, algo, gw, pubkey = rr.split(" ") +-#log += "-----------------------------\n" +- +-cmdname = "@IPSEC_EXECDIR@/whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(argv[1], pubkey) +-cmdip = "@IPSEC_EXECDIR@/whack --keyid %s --addkey --pubkeyrsa 0s%s"%(argv[3], pubkey) +-cmdoe = "@IPSEC_EXECDIR@/whack --oppohere %s --oppothere %s"%(myip, argv[3]) +-ret, output = commands.getstatusoutput(cmdname) +-ret, output = commands.getstatusoutput(cmdip) +-ret, output = commands.getstatusoutput(cmdoe) +-ret, output = commands.getstatusoutput("@IPSEC_EXECDIR@ whack --trafficstatus") ++try: ++ qname = argv.pop(0) ++ ttl = argv.pop(0) ++ ip = argv.pop(0) ++except: ++ sys.exit("Bad arguments to ipsec _unbound") ++ ++while (argv != []): ++ try: ++ gwprec = argv.pop(0) ++ gwtype = argv.pop(0) ++ gwalg = argv.pop(0) ++ gwid = argv.pop(0) ++ pubkey = argv.pop(0) ++ addkeyip = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(ip, pubkey) ++ addkeyhostname = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(qname, pubkey) ++ print("processing an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip)) ++ print(subprocess.call(addkeyip, shell=True)) ++ print(subprocess.call(addkeyhostname, shell=True)) ++ except: ++ sys.exit("failed to process an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip)) ++ ++# done injecting all IPSECKEY records into pluto - try actual OE now ++cmdoeip = "ipsec whack --oppohere %s --oppothere %s"%(myip, ip) ++print(subprocess.check_output(cmdoeip, shell=True)) ++#cmdoeqname = "ipsec whack --oppohere %s --oppothere %s"%(myip, qname) ++#ret, output = commands.getstatusoutput(cmdoeqname) ++print(subprocess.check_output("ipsec whack --trafficstatus", shell=True)) +diff --git a/include/ietf_constants.h b/include/ietf_constants.h +index 8a1ba5d..38fa4de 100644 +--- a/include/ietf_constants.h ++++ b/include/ietf_constants.h +@@ -1215,7 +1215,7 @@ enum ikev2_cp_attribute_type { + IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO = 23, + IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK = 24, + IKEv2_INTERNAL_DNS_DOMAIN = 25, +- /* IKEv2_INTERNAL_DNSSEC_TA = 26 expected */ ++ IKEv2_INTERNAL_DNSSEC_TA = 26 + }; + + +diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c +index 9ea9872..ab6db3e 100644 +--- a/lib/libswan/constants.c ++++ b/lib/libswan/constants.c +@@ -1365,13 +1365,12 @@ static const char *const ikev2_cp_attribute_type_name[] = { + "IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO", /* 3gpp */ + "IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK", /* 3gpp */ + "IKEv2_INTERNAL_DNS_DOMAIN", /* draft-ietf-ipsecme-split-dns */ +- /* "IKEv2_INTERNAL_DNSSEC_TA", draft-ietf-ipsecme-split-dns, no Code Point yet */ ++ "IKEv2_INTERNAL_DNSSEC_TA", /* draft-ietf-ipsecme-split-dns */ + }; + + enum_names ikev2_cp_attribute_type_names = { + IKEv2_CP_ATTR_RESERVED, +- IKEv2_INTERNAL_DNS_DOMAIN, +- /* IKEv2_INTERNAL_DNSSEC_TA, */ ++ IKEv2_INTERNAL_DNSSEC_TA, + ARRAY_REF(ikev2_cp_attribute_type_name), + NULL, /* prefix */ + NULL +diff --git a/programs/addconn/addconn.c b/programs/addconn/addconn.c +index ae56972..e818e0e 100644 +--- a/programs/addconn/addconn.c ++++ b/programs/addconn/addconn.c +@@ -416,12 +416,11 @@ int main(int argc, char *argv[]) + if (verbose) + printf(" Pass #1: Loading auto=add, auto=route and auto=start connections\n"); + +- for (conn = cfg->conns.tqh_first; +- conn != NULL; +- conn = conn->link.tqe_next) { ++ for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) { + if (conn->desired_state == STARTUP_ADD || + conn->desired_state == STARTUP_ONDEMAND || +- conn->desired_state == STARTUP_START) { ++ conn->desired_state == STARTUP_START) ++ { + if (verbose) + printf(" %s", conn->name); + resolve_defaultroute(conn); +@@ -436,30 +435,22 @@ int main(int argc, char *argv[]) + starter_whack_listen(cfg); + + if (verbose) +- printf(" Pass #2: Routing auto=route and auto=start connections\n"); ++ printf(" Pass #2: Routing auto=route connections\n"); + +- for (conn = cfg->conns.tqh_first; +- conn != NULL; +- conn = conn->link.tqe_next) { +- if (conn->desired_state == STARTUP_ADD || +- conn->desired_state == STARTUP_ONDEMAND || +- conn->desired_state == STARTUP_START) { ++ for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) { ++ if (conn->desired_state == STARTUP_ONDEMAND) ++ { + if (verbose) + printf(" %s", conn->name); +- resolve_defaultroute(conn); +- if (conn->desired_state == STARTUP_ONDEMAND || +- conn->desired_state == STARTUP_START) { ++ if (conn->desired_state == STARTUP_ONDEMAND) + starter_whack_route_conn(cfg, conn); +- } + } + } + + if (verbose) + printf(" Pass #3: Initiating auto=start connections\n"); + +- for (conn = cfg->conns.tqh_first; +- conn != NULL; +- conn = conn->link.tqe_next) { ++ for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) { + if (conn->desired_state == STARTUP_START) { + if (verbose) + printf(" %s", conn->name); +diff --git a/programs/_updown.netkey/_updown.netkey.in b/programs/_updown.netkey/_updown.netkey.in +index 64b2808..b343445 100644 +--- a/programs/_updown.netkey/_updown.netkey.in ++++ b/programs/_updown.netkey/_updown.netkey.in +@@ -745,6 +745,7 @@ case "${PLUTO_VERB}" in + up-client) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. ++ addvtiiface + updateresolvconf + addcat + addsource diff --git a/SOURCES/libreswan-3.23-ppk-update.patch b/SOURCES/libreswan-3.23-ppk-update.patch new file mode 100644 index 0000000..fe9d9fb --- /dev/null +++ b/SOURCES/libreswan-3.23-ppk-update.patch @@ -0,0 +1,116 @@ +diff --git a/include/ietf_constants.h b/include/ietf_constants.h +index 38fa4de..08c8d9e 100644 +--- a/include/ietf_constants.h ++++ b/include/ietf_constants.h +@@ -1486,12 +1486,14 @@ typedef enum { + v2N_SENDER_REQUEST_ID = 16429, /* draft-yeung-g-ikev2 */ + v2N_IKEV2_FRAGMENTATION_SUPPORTED = 16430, /* RFC-7383 */ + v2N_SIGNATURE_HASH_ALGORITHMS = 16431, /* RFC-7427 */ +- +- v2N_USE_PPK = 40960, /* draft-ietf-ipsecme-qr-ikev2-01 */ +- v2N_PPK_IDENTITY = 40961, /* draft-ietf-ipsecme-qr-ikev2-01 */ +- v2N_NO_PPK_AUTH = 40962, /* draft-ietf-ipsecme-qr-ikev2-01 */ +- +- /* 16432 - 40969 Unassigned */ ++ v2N_CLONE_IKE_SA_SUPPORTED = 16432, /* RFC-7791 */ ++ v2N_CLONE_IKE_SA = 16433, /* RFC-7791 */ ++ v2N_PUZZLE = 16434, /* RFC-8019 */ ++ v2N_USE_PPK = 16435, /* draft-ietf-ipsecme-qr-ikev2 */ ++ v2N_PPK_IDENTITY = 16436, /* draft-ietf-ipsecme-qr-ikev2 */ ++ v2N_NO_PPK_AUTH = 16437, /* draft-ietf-ipsecme-qr-ikev2 */ ++ ++ /* 16438 - 40969 Unassigned */ + /* 40960 - 65535 Private Use */ + } v2_notification_t; + +diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c +index ab6db3e..a0dab63 100644 +--- a/lib/libswan/constants.c ++++ b/lib/libswan/constants.c +@@ -1634,20 +1634,6 @@ static enum_names ikev2_ppk_id_type_names = { + }; + */ + +-static const char *const ikev2_notify_name_private[] = { +- "v2N_USE_PPK", +- "v2N_PPK_IDENTITY", +- "v2N_NO_PPK_AUTH", +-}; +- +-static enum_names ikev2_notify_names_private = { +- v2N_USE_PPK, +- v2N_NO_PPK_AUTH, +- ARRAY_REF(ikev2_notify_name_private), +- "v2N_", /* prefix */ +- NULL +-}; +- + /* http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xml#ikev2-parameters-13 */ + static const char *const ikev2_notify_name_16384[] = { + "v2N_INITIAL_CONTACT", /* 16384 */ +@@ -1698,14 +1684,20 @@ static const char *const ikev2_notify_name_16384[] = { + "v2N_SENDER_REQUEST_ID", + "v2N_IKEV2_FRAGMENTATION_SUPPORTED", /* 16430 */ + "v2N_SIGNATURE_HASH_ALGORITHMS", ++ "v2N_CLONE_IKE_SA_SUPPORTED", ++ "v2N_CLONE_IKE_SA", ++ "v2N_PUZZLE", ++ "v2N_USE_PPK", /* 16435 */ ++ "v2N_PPK_IDENTITY", ++ "v2N_NO_PPK_AUTH", + }; + + static enum_names ikev2_notify_names_16384 = { + v2N_INITIAL_CONTACT, +- v2N_SIGNATURE_HASH_ALGORITHMS, ++ v2N_NO_PPK_AUTH, + ARRAY_REF(ikev2_notify_name_16384), + "v2N_", /* prefix */ +- &ikev2_notify_names_private ++ NULL + }; + + static const char *const ikev2_notify_name[] = { +diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c +index 258ba85..b86eea8 100644 +--- a/programs/pluto/ikev2_parent.c ++++ b/programs/pluto/ikev2_parent.c +@@ -3749,18 +3749,14 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md) + break; + } + +- if (LIN(POLICY_PPK_ALLOW, policy)) { +- no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH"); ++ no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH"); + +- if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) { +- loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len); +- return STF_FATAL; +- } +- DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth)); +- st->st_no_ppk_auth = no_ppk_auth; +- } else { +- libreswan_log("ignored received NO_PPK_AUTH - connection does not allow PPK"); ++ if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) { ++ loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len); ++ return STF_FATAL; + } ++ DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth)); ++ st->st_no_ppk_auth = no_ppk_auth; + break; + } + case v2N_MOBIKE_SUPPORTED: +@@ -3774,8 +3770,11 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md) + } + } + +- /* if we found proper PPK ID, we should use that without fallback to no ppk */ +- if (found_ppk) ++ /* ++ * If we found proper PPK ID and policy allows PPK, use that. ++ * Otherwise use NO_PPK_AUTH ++ */ ++ if (found_ppk && LIN(POLICY_PPK_ALLOW, policy)) + freeanychunk(st->st_no_ppk_auth); + + if (!found_ppk && LIN(POLICY_PPK_INSIST, policy)) { diff --git a/SOURCES/libreswan-3.23-seccomp.patch b/SOURCES/libreswan-3.23-seccomp.patch new file mode 100644 index 0000000..0e3679a --- /dev/null +++ b/SOURCES/libreswan-3.23-seccomp.patch @@ -0,0 +1,24 @@ +diff -Naur libreswan-3.23-orig/programs/addconn/addconn.c libreswan-3.23/programs/addconn/addconn.c +--- libreswan-3.23-orig/programs/addconn/addconn.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/addconn/addconn.c 2018-02-05 14:13:25.758711788 -0500 +@@ -140,7 +140,9 @@ + rc |= S_RULE_ADD(set_robust_list); + rc |= S_RULE_ADD(set_tid_address); + rc |= S_RULE_ADD(socket); ++ rc |= S_RULE_ADD(socketcall); + rc |= S_RULE_ADD(socketpair); ++ rc |= S_RULE_ADD(stat); + rc |= S_RULE_ADD(statfs); + rc |= S_RULE_ADD(uname); + rc |= S_RULE_ADD(write); +diff -Naur libreswan-3.23-orig/programs/pluto/pluto_seccomp.c libreswan-3.23/programs/pluto/pluto_seccomp.c +--- libreswan-3.23-orig/programs/pluto/pluto_seccomp.c 2018-01-25 15:19:46.000000000 -0500 ++++ libreswan-3.23/programs/pluto/pluto_seccomp.c 2018-02-05 14:13:38.390239502 -0500 +@@ -109,6 +109,7 @@ + rc |= S_RULE_ADD(set_robust_list); + rc |= S_RULE_ADD(setsockopt); + rc |= S_RULE_ADD(socket); ++ rc |= S_RULE_ADD(socketcall); + rc |= S_RULE_ADD(socketpair); + rc |= S_RULE_ADD(sysinfo); + rc |= S_RULE_ADD(uname); diff --git a/SPECS/libreswan.spec b/SPECS/libreswan.spec index eb3c4c4..51209f3 100644 --- a/SPECS/libreswan.spec +++ b/SPECS/libreswan.spec @@ -1,27 +1,30 @@ +# These are rpm macros and are 0 or 1 +%global crl_fetching 1 +%global _hardened_build 1 +%global buildefence 0 +%global development 0 +%global cavstests 1 + +# These are libreswan/make macros and are false or true %global USE_FIPSCHECK true %global USE_LIBCAP_NG true %global USE_LABELED_IPSEC true -%global USE_CRL_FETCHING true +%global USE_DNSSEC true %global USE_NM true %global USE_LINUX_AUDIT true -%global USE_SECCOMP 0 -%global USE_DNSSEC true +%global USE_SECCOMP true -%global _hardened_build 1 -%global buildefence 0 -%global development 0 -%global cavstests 1 %if 0%{?fedora} %global rhel 7 %endif -#global prever rc1 +#global prever dr1 Name: libreswan Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols -Version: 3.20 -Release: %{?prever:0.}5%{?prever:.%{prever}}%{?dist} +Version: 3.23 +Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist} License: GPLv2 Group: System Environment/Daemons Url: https://libreswan.org/ @@ -30,14 +33,12 @@ Source1: ikev1_dsa.fax.bz2 Source2: ikev1_psk.fax.bz2 Source3: ikev2.fax.bz2 -Patch1: libreswan-3.20-1372279-down-error.patch -Patch2: libreswan-3.20-1444115-fips-F4.patch -Patch3: libreswan-3.20-1341353-psk-fips.patch -Patch4: libreswan-3.2-1458227-cavp-fips.patch -Patch5: libreswan-3.21-xauth-state.patch -Patch6: libreswan-3.21-xauth-passwd.patch +Patch1: libreswan-3.23-seccomp.patch +Patch2: libreswan-3.23-fixups.patch +Patch3: libreswan-3.23-ppk-update.patch -Requires: iproute >= 2.6.8 nss-tools nss-softokn +Requires: iproute >= 2.6.8 +Requires: nss-tools nss-softokn BuildRequires: bison flex redhat-rpm-config pkgconfig BuildRequires: nss-devel >= 3.16.1 nspr-devel @@ -62,7 +63,17 @@ Requires(postun): systemd %endif %if %{USE_DNSSEC} -BuildRequires: unbound-devel +BuildRequires: ldns-devel +# should really be >= 1.6.4 once available +BuildRequires: unbound-devel >= 1.6.6 +%endif + +%if %{USE_SECCOMP} +BuildRequires: libseccomp-devel +%endif + +%if %{USE_LABELED_IPSEC} +BuildRequires: libselinux-devel %endif %if %{USE_FIPSCHECK} @@ -79,7 +90,7 @@ Buildrequires: audit-libs-devel BuildRequires: libcap-ng-devel %endif -%if %{USE_CRL_FETCHING} +%if %{crl_fetching} BuildRequires: openldap-devel curl-devel %endif @@ -90,11 +101,7 @@ BuildRequires: ElectricFence Conflicts: openswan < %{version}-%{release} Provides: openswan = %{version}-%{release} Provides: openswan-doc = %{version}-%{release} - -%if %{?rhel} == 7 -# Will be obsoleted in RHEL6 when moved from optional to core Obsoletes: openswan < %{version}-%{release} -%endif %description Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is @@ -118,9 +125,6 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %patch1 -p1 %patch2 -p1 %patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 %build %if %{buildefence} @@ -129,11 +133,17 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 make %{?_smp_mflags} \ %if %{development} - USERCOMPILE="-g -DGCC_LINT %(echo %{optflags} | sed -e s/-O[0-9]*/ /) %{?efence} -fPIE -pie " \ + USERCOMPILE="-g -DGCC_LINT %(echo %{optflags} | sed -e s/-O[0-9]*/ /) %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \ %else - USERCOMPILE="-g -DGCC_LINT %{optflags} %{?efence} -fPIE -pie " \ + USERCOMPILE="-g -DGCC_LINT %{optflags} %{?efence} -fPIE -pie -fno-strict-aliasing -Wformat-nonliteral -Wformat-security" \ %endif USERLINK="-g -pie -Wl,-z,relro,-z,now %{?efence}" \ + INC_USRLOCAL=%{_prefix} \ + FINALLIBDIR=%{_libexecdir}/ipsec \ + FINALLIBEXECDIR=%{_libexecdir}/ipsec \ + FINALRUNDIR=%{_rundir}/pluto \ + MANTREE=%{buildroot}%{_mandir} \ + INC_RCDEFAULT=%{_initrddir} \ %if %{?rhel} <= 6 INITSYSTEM=sysvinit \ %else @@ -141,26 +151,20 @@ make %{?_smp_mflags} \ %endif USE_NM=%{USE_NM} \ USE_XAUTHPAM=true \ -%if %{USE_FIPSCHECK} USE_FIPSCHECK="%{USE_FIPSCHECK}" \ - FIPSPRODUCTCHECK=/etc/system-fips \ -%endif USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \ USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \ - USE_LINUX_AUDIT=true \ -%if %{USE_CRL_FETCHING} + USE_LINUX_AUDIT="%{USE_LINUX_AUDIT}" \ +%if %{crl_fetching} USE_LDAP=true \ USE_LIBCURL=true \ +%else + USE_LDAP=false \ + USE_LIBCURL=false \ %endif - USE_DNSSEC=false \ - INC_USRLOCAL=%{_prefix} \ - FINALLIBDIR=%{_libexecdir}/ipsec \ - FINALLIBEXECDIR=%{_libexecdir}/ipsec \ - MANTREE=%{_mandir} \ - INC_RCDEFAULT=%{_initrddir} \ - MODPROBE="modprobe -q -b" \ - USE_DH22=true \ + USE_DNSSEC="%{USE_DNSSEC}" \ USE_SECCOMP="%{USE_SECCOMP}" \ + USE_DH22=true \ programs FS=$(pwd) @@ -171,32 +175,28 @@ FS=$(pwd) %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ - fipshmac %{buildroot}%{_libexecdir}/ipsec/* \ - fipshmac %{buildroot}%{_sbindir}/ipsec \ + fipshmac %{buildroot}%{_libexecdir}/ipsec/pluto \ %{nil} - %else %define __spec_install_post \ %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ mkdir -p %{buildroot}%{_libdir}/fipscheck/ \ - fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/* \ - fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_sbindir}/ipsec \ + fipshmac -d %{buildroot}%{_libdir}/fipscheck %{buildroot}%{_libexecdir}/ipsec/pluto %{nil} %endif %endif %install -rm -rf ${RPM_BUILD_ROOT} make \ DESTDIR=%{buildroot} \ INC_USRLOCAL=%{_prefix} \ FINALLIBDIR=%{_libexecdir}/ipsec \ FINALLIBEXECDIR=%{_libexecdir}/ipsec \ + FINALRUNDIR=%{_rundir}/pluto \ MANTREE=%{buildroot}%{_mandir} \ INC_RCDEFAULT=%{_initrddir} \ - INSTMANFLAGS="-m 644" \ %if %{?rhel} <= 6 INITSYSTEM=sysvinit \ %else @@ -204,28 +204,23 @@ make \ %endif USE_NM=%{USE_NM} \ USE_XAUTHPAM=true \ -%if %{USE_FIPSCHECK} USE_FIPSCHECK="%{USE_FIPSCHECK}" \ - FIPSPRODUCTCHECK=/etc/system-fips \ -%endif USE_LIBCAP_NG="%{USE_LIBCAP_NG}" \ USE_LABELED_IPSEC="%{USE_LABELED_IPSEC}" \ - USE_LINUX_AUDIT=true \ -%if %{USE_CRL_FETCHING} + USE_LINUX_AUDIT="%{USE_LINUX_AUDIT}" \ +%if %{crl_fetching} USE_LDAP=true \ USE_LIBCURL=true \ +%else + USE_LDAP=false \ + USE_LIBCURL=false \ %endif - USE_DNSSEC=true \ - INC_USRLOCAL=%{_prefix} \ - FINALLIBDIR=%{_libexecdir}/ipsec \ - FINALLIBEXECDIR=%{_libexecdir}/ipsec \ - MODPROBE="modprobe -q -b" \ - USE_DH22=true \ + USE_DNSSEC="%{USE_DNSSEC}" \ USE_SECCOMP="%{USE_SECCOMP}" \ + USE_DH22=true \ install FS=$(pwd) rm -rf %{buildroot}/usr/share/doc/libreswan -# needed to activate v6neighbor-hole.conf sed -i "s:^#include /etc/ipsec.d/\*.conf$:include /etc/ipsec.d/*.conf:" %{buildroot}%{_sysconfdir}/ipsec.conf install -d -m 0755 %{buildroot}%{_localstatedir}/run/pluto @@ -248,9 +243,6 @@ install -m644 packaging/fedora/libreswan-prelink.conf %{buildroot}%{_sysconfdir} echo "include /etc/ipsec.d/*.secrets" > %{buildroot}%{_sysconfdir}/ipsec.secrets -# cavs testing -cp -a OBJ.linux.*/programs/pluto/cavp %{buildroot}%{_libexecdir}/ipsec - %if %{cavstests} %check # There is an elaborate upstream testing infrastructure which we do not run here @@ -262,11 +254,11 @@ bunzip2 *.fax.bz2 export NSS_DISABLE_HW_GCM=1 : "starting CAVS test for IKEv2" -OBJ.linux.*/programs/pluto/cavp -v2 ikev2.fax | diff -u ikev2.fax - > /dev/null +%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | diff -u ikev2.fax - > /dev/null : "starting CAVS test for IKEv1 RSASIG" -OBJ.linux.*/programs/pluto/cavp -v1sig ikev1_dsa.fax | diff -u ikev1_dsa.fax - > /dev/null +%{buildroot}%{_libexecdir}/ipsec/cavp -v1sig ikev1_dsa.fax | diff -u ikev1_dsa.fax - > /dev/null : "starting CAVS test for IKEv1 PSK" -OBJ.linux.*/programs/pluto/cavp -v1psk ikev1_psk.fax | diff -u ikev1_psk.fax - > /dev/null +%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | diff -u ikev1_psk.fax - > /dev/null : "CAVS tests passed" %endif @@ -305,7 +297,6 @@ fi %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d -%attr(0644,root,root) %{_sysconfdir}/ipsec.d/v6neighbor-hole.conf %attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/* %attr(0700,root,root) %dir %{_localstatedir}/log/pluto/peer @@ -335,12 +326,51 @@ fi %endif %changelog -* Tue Oct 24 2017 Paul Wouters - 3.20-5 -- Resolves: rhbz#1503949 [updated - USE_DNSSEC setting was updated] - -* Thu Oct 19 2017 Paul Wouters - 3.20-4 -- Resolves: rhbz#1501809 libreswan does not establish IKE with xauth enabled but modecfg disabled -- Resolves: rhbz#1503949 xauth password length limited to 64 bytes while XAUTH_MAX_PASS_LENGTH (128) +* Wed Feb 07 2018 Paul Wouters - 3.23-3 +- Resolves: rhbz#1471553 libreswan postquantum preshared key (PPK) support [IANA update] + +* Tue Feb 06 2018 Paul Wouters - 3.23-2 +- Resolves: rhbz#1457904 rebase libreswan to 3.23 [updated] +- Resolves: rhbz#1375750 SECCOMP support for libreswan [updated] + +* Thu Jan 25 2018 Paul Wouters - 3.23-1 +- Resolves: rhbz#1457904 rebase libreswan to 3.23 [updated] + +* Thu Jan 11 2018 Paul Wouters - 3.23-0.1.rc4 +- Resolves: rhbz#1471763 RFE: libreswan MOBIKE support (RFC-4555) [client support] +- Resolves: rhbz#1457904 rebase libreswan to 3.23 [updated] +- Resolves: rhbz#1471553 libreswan postquantum preshared key (PPK) support +- Resolves: rhbz#1492501 Reboot or 'systemctl stop ipsec' brings down _ethernet_ interfaces on _both_ ends of ipv4 ipsec tunnel +- Resolves: rhbz#1324421 libreswan works not well when setting leftid field to be email address +- Resolves: rhbz#1136076 After IKE rekeying Pluto sends DPD even if there is active SA + +* Tue Dec 12 2017 Paul Wouters - 3.22-5 +- Resolves: rhbz#1471763 RFE: libreswan MOBIKE support (RFC-4555) [updated] +- Resolves: rhbz#1471553 libreswan postquantum preshared key (PPK) support +- Resolves: rhbz#1375776 [IKEv2 Conformance] Test IKEv2.EN.R.1.2.2.1: Receipt of retransmitted CREATE_CHILD_SA reques failed +- Resolves: rhbz#1375750 SECCOMP support for libreswan [updated for libunbound syscalls] +- Resolves: rhbz#1300763 Implement draft-ietf-ipsecme-split-dns for libreswan + +* Thu Nov 30 2017 Paul Wouters - 3.22-4 +- Resolves: rhbz#1463062 NIC-card hardware offload support backport + +* Thu Nov 16 2017 Paul Wouters - 3.22-3 +- Resolves: rhbz#1475434 Add support for AES-GMAC for ESP (RFC-4543) to libreswan +- Resolves: rhbz#1300759 Implement RFC-7427 Digital Signature authentication + +* Tue Oct 31 2017 Paul Wouters - 3.22-2 +- Resolves: rhbz#1471763 RFE: libreswan MOBIKE support (RFC-4555) +- Resolves: rhbz#1372050 RFE: Support IKE and ESP over TCP: RFC 8229 + +* Mon Oct 23 2017 Paul Wouters - 3.22-1 +- Resolves: rhbz#1457904 rebase libreswan to 3.22 [updated] + +* Mon Oct 16 2017 Paul Wouters - 3.21-2 +- Resolves: rhbz#1499845 libreswan does not establish IKE with xauth enabled but modecfg disabled +- Resolves: rhbz#1497158 xauth password length limited to 64 bytes while XAUTH_MAX_PASS_LENGTH (128) + +* Wed Sep 20 2017 Paul Wouters - 3.21-1 +- Resolves: rhbz#1457904 rebase libreswan to 3.22 * Mon Jun 12 2017 Paul Wouters - 3.20-3 - Resolves: rhbz#1372279 ipsec auto --down CONNECTION returns error for tunnels [updated]