diff --git a/.gitignore b/.gitignore index 2b43563..1312b66 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,4 @@ SOURCES/ikev1_dsa.fax.bz2 SOURCES/ikev1_psk.fax.bz2 SOURCES/ikev2.fax.bz2 -SOURCES/libreswan-3.23.tar.gz +SOURCES/libreswan-3.25.tar.gz diff --git a/.libreswan.metadata b/.libreswan.metadata index 0e65554..ed2101e 100644 --- a/.libreswan.metadata +++ b/.libreswan.metadata @@ -1,4 +1,4 @@ b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2 861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2 fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2 -1ea51c629c0f52f0dd3dce67de368ba4efc87f86 SOURCES/libreswan-3.23.tar.gz +5a83fbde704576cd5c2b6357af400d49a033e274 SOURCES/libreswan-3.25.tar.gz diff --git a/SOURCES/libreswan-3.23-fips-newkey-1544143.patch b/SOURCES/libreswan-3.23-fips-newkey-1544143.patch deleted file mode 100644 index 8991311..0000000 --- a/SOURCES/libreswan-3.23-fips-newkey-1544143.patch +++ /dev/null @@ -1,32 +0,0 @@ -diff --git a/programs/rsasigkey/rsasigkey.c b/programs/rsasigkey/rsasigkey.c -index f525333bfd..2da148c85d 100644 ---- a/programs/rsasigkey/rsasigkey.c -+++ b/programs/rsasigkey/rsasigkey.c -@@ -266,10 +266,7 @@ int main(int argc, char *argv[]) - /* - * generate an RSA signature key - * -- * e is fixed at 3, without discussion. That would not be wise if these -- * keys were to be used for encryption, but for signatures there are some -- * real speed advantages. -- * See also: https://www.imperialviolet.org/2012/03/16/rsae.html -+ * e is fixed at F4. - */ - void rsasigkey(int nbits, int seedbits, const struct lsw_conf_options *oco) - { -@@ -285,15 +282,6 @@ void rsasigkey(int nbits, int seedbits, const struct lsw_conf_options *oco) - exit(1); - } - --#ifdef FIPS_CHECK -- if (PK11_IsFIPS() && !FIPSCHECK_verify(NULL, NULL)) { -- fprintf(stderr, -- "FIPS HMAC integrity verification test failed.\n"); -- exit(1); -- } --#endif -- -- /* Good for now but someone may want to use a hardware token */ - slot = lsw_nss_get_authenticated_slot(err); - if (slot == NULL) { - fprintf(stderr, "%s: %s\n", progname, err); diff --git a/SOURCES/libreswan-3.23-fixups.patch b/SOURCES/libreswan-3.23-fixups.patch deleted file mode 100644 index f674916..0000000 --- a/SOURCES/libreswan-3.23-fixups.patch +++ /dev/null @@ -1,507 +0,0 @@ -diff -Naur libreswan-3.23-orig/programs/pluto/connections.c libreswan-3.23/programs/pluto/connections.c ---- libreswan-3.23-orig/programs/pluto/connections.c 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/connections.c 2018-02-05 14:38:49.372280712 -0500 -@@ -3158,10 +3158,8 @@ - matching_peer_id && matching_peer_ca && matching_requested_ca, - matching_peer_id, matching_peer_ca, matching_requested_ca);}); - -- /* Ignore template from which we instantiated - this should never happen */ - if (c->kind == CK_INSTANCE && d->kind == CK_TEMPLATE && streq(c->name, d->name)) { -- libreswan_log("Warning: not switching back to template of current instance (FIXME)"); -- continue; -+ DBG(DBG_CONTROLMORE, DBG_log("template conn fits better than instance of it - different client on same IP/port requires new instance")); - } - - /* 'You Tarzan, me Jane' check based on received IDr */ -diff -Naur libreswan-3.23-orig/programs/pluto/hostpair.c libreswan-3.23/programs/pluto/hostpair.c ---- libreswan-3.23-orig/programs/pluto/hostpair.c 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/hostpair.c 2018-02-05 14:38:57.865635032 -0500 -@@ -144,17 +144,6 @@ - hisport = pluto_port; - - for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next) { -- if (p->connections != NULL && (p->connections->kind == CK_INSTANCE) && -- (p->connections->spd.that.id.kind == ID_NULL)) -- { -- DBG(DBG_CONTROLMORE, { -- char ci[CONN_INST_BUF]; -- DBG_log("find_host_pair: ignore CK_INSTANCE with ID_NULL hp:\"%s\"%s", -- p->connections->name, -- fmt_conn_instance(p->connections, ci)); -- }); -- continue; -- } - - DBG(DBG_CONTROLMORE, { - ipstr_buf b1; -diff -Naur libreswan-3.23-orig/programs/pluto/ikev2.h libreswan-3.23/programs/pluto/ikev2.h ---- libreswan-3.23-orig/programs/pluto/ikev2.h 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/ikev2.h 2018-02-05 14:39:11.171190105 -0500 -@@ -162,7 +162,9 @@ - extern bool ikev2_calculate_rsa_sha1(struct state *st, - enum original_role role, - unsigned char *idhash, -- pb_stream *a_pbs); -+ pb_stream *a_pbs, -+ bool calc_no_ppk_auth, -+ chunk_t *no_ppk_auth); - - extern bool ikev2_create_psk_auth(enum keyword_authby authby, - struct state *st, -diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_parent.c libreswan-3.23/programs/pluto/ikev2_parent.c ---- libreswan-3.23-orig/programs/pluto/ikev2_parent.c 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/ikev2_parent.c 2018-02-05 14:39:11.173190188 -0500 -@@ -2783,7 +2783,9 @@ - - switch (a.isaa_type) { - case IKEv2_AUTH_RSA: -- if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs)) { -+ if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs, -+ FALSE, /* store-only not set */ -+ NULL /* store-only chunk unused */)) { - loglog(RC_LOG_SERIOUS, "Failed to find our RSA key"); - return STF_FATAL; - } -@@ -2792,7 +2794,7 @@ - case IKEv2_AUTH_PSK: - case IKEv2_AUTH_NULL: - if (!ikev2_create_psk_auth(authby, pst, idhash_out, &a_pbs, -- FALSE /* store-only not set */, -+ FALSE, /* store-only not set */ - NULL /* store-only chunk unused */)) { - loglog(RC_LOG_SERIOUS, "Failed to find our PreShared Key"); - return STF_FATAL; -@@ -2812,7 +2814,9 @@ - return STF_INTERNAL_ERROR; - } - -- if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs)) { -+ if (!ikev2_calculate_rsa_sha1(pst, role, idhash_out, &a_pbs, -+ FALSE, /* store-only not set */ -+ NULL /* store-only chunk unused */)) { - loglog(RC_LOG_SERIOUS, "DigSig: failed to find our RSA key"); - return STF_FATAL; - } -@@ -3224,7 +3228,7 @@ - hmac_update(&id_ctx, id_start, id_len); - hmac_final(idhash, &id_ctx); - -- if (pst->st_sk_pi_no_ppk != NULL) { -+ if (pst->st_seen_ppk && !LIN(POLICY_PPK_INSIST, pc->policy)) { - struct hmac_ctx id_ctx_npa; - - hmac_init(&id_ctx_npa, pst->st_oakley.ta_prf, pst->st_sk_pi_no_ppk); -@@ -3371,7 +3375,7 @@ - notifies++; - - if (pst->st_seen_ppk) -- notifies++; /* used for two payloads */ -+ notifies++; /* used for one or two payloads */ - - /* code does not support AH + ESP, not recommend rfc8221 section-4 */ - struct ipsec_proto_info *proto_info -@@ -3437,21 +3441,24 @@ - } - if (pst->st_seen_ppk) { - chunk_t notify_data = create_unified_ppk_id(&ppk_id_p); -+ int np = LIN(POLICY_PPK_INSIST, cc->policy) ? ISAKMP_NEXT_v2NONE : ISAKMP_NEXT_v2N; - -- notifies--; /* used for 2 payloads */ -- if (!ship_v2N(ISAKMP_NEXT_v2N, ISAKMP_PAYLOAD_NONCRITICAL, -- PROTO_v2_RESERVED, &empty_chunk, -- v2N_PPK_IDENTITY, ¬ify_data, -- &e_pbs_cipher)) -- return STF_INTERNAL_ERROR; -+ notifies--; /* used for one or two payloads */ -+ if (!ship_v2N(np, ISAKMP_PAYLOAD_NONCRITICAL, -+ PROTO_v2_RESERVED, &empty_chunk, -+ v2N_PPK_IDENTITY, ¬ify_data, -+ &e_pbs_cipher)) -+ return STF_INTERNAL_ERROR; - freeanychunk(notify_data); - -- ikev2_calc_no_ppk_auth(cc, pst, idhash_npa, &pst->st_no_ppk_auth); -- if (!ship_v2N(ISAKMP_NEXT_v2NONE, ISAKMP_PAYLOAD_NONCRITICAL, -- PROTO_v2_RESERVED, &empty_chunk, -- v2N_NO_PPK_AUTH, &pst->st_no_ppk_auth, -- &e_pbs_cipher)) -- return STF_INTERNAL_ERROR; -+ if (!LIN(POLICY_PPK_INSIST, cc->policy)) { -+ ikev2_calc_no_ppk_auth(cc, pst, idhash_npa, &pst->st_no_ppk_auth); -+ if (!ship_v2N(ISAKMP_NEXT_v2NONE, ISAKMP_PAYLOAD_NONCRITICAL, -+ PROTO_v2_RESERVED, &empty_chunk, -+ v2N_NO_PPK_AUTH, &pst->st_no_ppk_auth, -+ &e_pbs_cipher)) -+ return STF_INTERNAL_ERROR; -+ } - } - - passert(notifies == 0); -diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_ppk.c libreswan-3.23/programs/pluto/ikev2_ppk.c ---- libreswan-3.23-orig/programs/pluto/ikev2_ppk.c 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/ikev2_ppk.c 2018-02-05 14:39:11.173190188 -0500 -@@ -113,7 +113,24 @@ - enum keyword_authby authby = c->spd.this.authby; - switch (authby) { - case AUTH_RSASIG: -- /* TODO */ -+ if (ikev2_calculate_rsa_sha1(st, st->st_original_role, id_hash, NULL, TRUE, no_ppk_auth)) { -+ if (st->st_hash_negotiated & NEGOTIATE_AUTH_HASH_SHA1) { -+ /* make blobs separately, and somehow combine them and no_ppk_auth -+ * to get an actual no_ppk_auth */ -+ int len = ASN1_LEN_ALGO_IDENTIFIER + ASN1_SHA1_RSA_OID_SIZE + no_ppk_auth->len; -+ u_char *blobs = alloc_bytes(len, "bytes for blobs for AUTH_DIGSIG NO_PPK_AUTH"); -+ u_char *ret = blobs; -+ memcpy(blobs, len_sha1_rsa_oid_blob, ASN1_LEN_ALGO_IDENTIFIER); -+ blobs += ASN1_LEN_ALGO_IDENTIFIER; -+ memcpy(blobs, sha1_rsa_oid_blob, ASN1_SHA1_RSA_OID_SIZE); -+ blobs += ASN1_SHA1_RSA_OID_SIZE; -+ memcpy(blobs, no_ppk_auth->ptr, no_ppk_auth->len); -+ chunk_t release = *no_ppk_auth; -+ setchunk(*no_ppk_auth, ret, len); -+ freeanychunk(release); -+ } -+ } -+ return STF_OK; - break; - case AUTH_PSK: - if (ikev2_create_psk_auth(AUTH_PSK, st, id_hash, NULL, TRUE, no_ppk_auth)) -diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_rsa.c libreswan-3.23/programs/pluto/ikev2_rsa.c ---- libreswan-3.23-orig/programs/pluto/ikev2_rsa.c 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/ikev2_rsa.c 2018-02-05 14:39:11.173190188 -0500 -@@ -101,7 +101,9 @@ - bool ikev2_calculate_rsa_sha1(struct state *st, - enum original_role role, - unsigned char *idhash, -- pb_stream *a_pbs) -+ pb_stream *a_pbs, -+ bool calc_no_ppk_auth, -+ chunk_t *no_ppk_auth) - { - unsigned char signed_octets[SHA1_DIGEST_SIZE + 16]; - size_t signed_len; -@@ -136,8 +138,13 @@ - if (shr == 0) - return FALSE; - passert(shr == (int)sz); -- if (!out_raw(sig_val, sz, a_pbs, "rsa signature")) -- return FALSE; -+ if (calc_no_ppk_auth == FALSE) { -+ if (!out_raw(sig_val, sz, a_pbs, "rsa signature")) -+ return FALSE; -+ } else { -+ clonetochunk(*no_ppk_auth, sig_val, sz, "NO_PPK_AUTH chunk"); -+ DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH payload", *no_ppk_auth)); -+ } - } - - return TRUE; -diff -Naur libreswan-3.23-orig/programs/pluto/nss_cert_verify.c libreswan-3.23/programs/pluto/nss_cert_verify.c ---- libreswan-3.23-orig/programs/pluto/nss_cert_verify.c 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/nss_cert_verify.c 2018-02-05 14:38:52.685418927 -0500 -@@ -498,60 +498,83 @@ - - bool cert_VerifySubjectAltName(const CERTCertificate *cert, const char *name) - { -- SECStatus rv; - SECItem subAltName; -- PLArenaPool *arena = NULL; -- CERTGeneralName *nameList = NULL; -- CERTGeneralName *current = NULL; -- bool san_ip = FALSE; -- unsigned int len = strlen(name); -- ip_address myip; -- -- rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, -+ SECStatus rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, - &subAltName); - if (rv != SECSuccess) { - DBG(DBG_X509, DBG_log("certificate contains no subjectAltName extension")); - return FALSE; - } - -- if (tnatoaddr(name, 0, AF_UNSPEC, &myip) == NULL) -- san_ip = TRUE; -+ ip_address myip; -+ bool san_ip = (tnatoaddr(name, 0, AF_UNSPEC, &myip) == NULL); - -- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); -+ PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - passert(arena != NULL); - -- nameList = current = CERT_DecodeAltNameExtension(arena, &subAltName); -- passert(current != NULL); -+ CERTGeneralName *nameList = CERT_DecodeAltNameExtension(arena, &subAltName); - -- do -- { -+ if (nameList == NULL) { -+ loglog(RC_LOG_SERIOUS, "certificate subjectAltName extension failed to decode"); -+ PORT_FreeArena(arena, PR_FALSE); -+ return FALSE; -+ } -+ -+ /* -+ * nameList is a pointer into a non-empty circular linked list. -+ * This loop visits each entry. -+ * We have visited each when we come back to the start. -+ * We test only at the end, after we advance, because we want to visit -+ * the first entry the first time we see it but stop when we get to it -+ * the second time. -+ */ -+ CERTGeneralName *current = nameList; -+ do { - switch (current->type) { - case certDNSName: - case certRFC822Name: -- if (san_ip) -- break; -- if (current->name.other.len == len) { -- if (memcmp(current->name.other.data, name, len) == 0) { -- DBG(DBG_X509, DBG_log("subjectAltname %s found in certificate", name)); -- PORT_FreeArena(arena, PR_FALSE); -- return TRUE; -- } -- } -+ { -+ /* -+ * Match the parameter name with the name in the certificate. -+ * The name in the cert may start with "*."; that will match -+ * any initial component in name (up to the first '.'). -+ */ -+ /* we need to cast because name.other.data is unsigned char * */ -+ const char *c_ptr = (const void *) current->name.other.data; -+ size_t c_len = current->name.other.len; -+ -+ const char *n_ptr = name; -+ static const char wild[] = "*."; -+ const size_t wild_len = sizeof(wild) - 1; -+ -+ if (c_len > wild_len && startswith(c_ptr, wild)) { -+ /* wildcard in cert: ignore first component of name */ -+ c_ptr += wild_len; -+ c_len -= wild_len; -+ n_ptr = strchr(n_ptr, '.'); -+ if (n_ptr == NULL) -+ break; /* cannot match */ - -- if (current->name.other.len != 0 && current->name.other.len < IDTOA_BUF) { -- char osan[IDTOA_BUF]; -+ n_ptr++; /* skip . */ -+ } - -- memcpy(osan,current->name.other.data, current->name.other.len); -- osan[current->name.other.len] = '\0'; -- DBG(DBG_X509, DBG_log("subjectAltname (len=%d) %s not match %s", current->name.other.len, osan, name)); -- } else { -- DBG(DBG_X509, DBG_log("subjectAltname does not match %s", name)); -+ if (c_len == strlen(n_ptr) && strncaseeq(n_ptr, c_ptr, c_len)) { -+ /* -+ * ??? if current->name.other.data contains bad characters, -+ * what prevents them being logged? -+ */ -+ DBG(DBG_X509, DBG_log("subjectAltname %s matched %*s in certificate", -+ name, current->name.other.len, current->name.other.data)); -+ PORT_FreeArena(arena, PR_FALSE); -+ return TRUE; - } - break; -+ } - - case certIPAddress: - if (!san_ip) - break; -+ - if ((current->name.other.len == 4) && (addrtypeof(&myip) == AF_INET)) { - if (memcmp(current->name.other.data, &myip.u.v4.sin_addr.s_addr, 4) == 0) { - DBG(DBG_X509, DBG_log("subjectAltname IPv4 matches %s", name)); -@@ -572,7 +595,7 @@ - break; - } - } -- DBG(DBG_X509, DBG_log("subjectAltnamea IP address family mismatch for %s", name)); -+ DBG(DBG_X509, DBG_log("subjectAltname IP address family mismatch for %s", name)); - break; - - default: -diff -Naur libreswan-3.23-orig/programs/_unbound-hook/_unbound-hook.in libreswan-3.23/programs/_unbound-hook/_unbound-hook.in ---- libreswan-3.23-orig/programs/_unbound-hook/_unbound-hook.in 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/_unbound-hook/_unbound-hook.in 2018-02-05 14:38:49.373280754 -0500 -@@ -1,31 +1,52 @@ - #!/usr/bin/python -+# -+# Copyright (C) 2018 Paul Wouters -+# -+# This program is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by the -+# Free Software Foundation; either version 2 of the License, or (at your -+# option) any later version. See . -+# -+# This program is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+# for more details. - - import sys --import base64 --import commands -+import subprocess - --log = "" -- --status, myip = commands.getstatusoutput("ip -o route get 1.0.0.1") -+# Get my %defaultroute IP address -+myip = subprocess.check_output("ip -o route get 8.8.8.8", shell=True) - myip = myip.split("src")[1].strip().split()[0] - - argv = sys.argv --argc = len(sys.argv) -+ourself = argv.pop(0) - --#log += "Number or arguments is %d\n"%argc --#if argc >= 4: --# log += "QNAME:%s\n"%argv[1] --# log += "TTL:%s\n"%argv[2] --# log += "IP:%s\n"%argv[3] --# log += "IPSECKEY:%s\n"%argv[4] --# rr = argv[4] --# pref, gwtype, algo, gw, pubkey = rr.split(" ") --#log += "-----------------------------\n" -- --cmdname = "@IPSEC_EXECDIR@/whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(argv[1], pubkey) --cmdip = "@IPSEC_EXECDIR@/whack --keyid %s --addkey --pubkeyrsa 0s%s"%(argv[3], pubkey) --cmdoe = "@IPSEC_EXECDIR@/whack --oppohere %s --oppothere %s"%(myip, argv[3]) --ret, output = commands.getstatusoutput(cmdname) --ret, output = commands.getstatusoutput(cmdip) --ret, output = commands.getstatusoutput(cmdoe) --ret, output = commands.getstatusoutput("@IPSEC_EXECDIR@ whack --trafficstatus") -+try: -+ qname = argv.pop(0) -+ ttl = argv.pop(0) -+ ip = argv.pop(0) -+except: -+ sys.exit("Bad arguments to ipsec _unbound") -+ -+while (argv != []): -+ try: -+ gwprec = argv.pop(0) -+ gwtype = argv.pop(0) -+ gwalg = argv.pop(0) -+ gwid = argv.pop(0) -+ pubkey = argv.pop(0) -+ addkeyip = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(ip, pubkey) -+ addkeyhostname = "ipsec whack --keyid @%s --addkey --pubkeyrsa 0s%s"%(qname, pubkey) -+ print("processing an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip)) -+ print(subprocess.call(addkeyip, shell=True)) -+ print(subprocess.call(addkeyhostname, shell=True)) -+ except: -+ sys.exit("failed to process an IPSECKEY record for Opportunistic IPsec to %s(%s)"%(qname,ip)) -+ -+# done injecting all IPSECKEY records into pluto - try actual OE now -+cmdoeip = "ipsec whack --oppohere %s --oppothere %s"%(myip, ip) -+print(subprocess.check_output(cmdoeip, shell=True)) -+#cmdoeqname = "ipsec whack --oppohere %s --oppothere %s"%(myip, qname) -+#ret, output = commands.getstatusoutput(cmdoeqname) -+print(subprocess.check_output("ipsec whack --trafficstatus", shell=True)) -diff --git a/include/ietf_constants.h b/include/ietf_constants.h -index 8a1ba5d..38fa4de 100644 ---- a/include/ietf_constants.h -+++ b/include/ietf_constants.h -@@ -1215,7 +1215,7 @@ enum ikev2_cp_attribute_type { - IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO = 23, - IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK = 24, - IKEv2_INTERNAL_DNS_DOMAIN = 25, -- /* IKEv2_INTERNAL_DNSSEC_TA = 26 expected */ -+ IKEv2_INTERNAL_DNSSEC_TA = 26 - }; - - -diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c -index 9ea9872..ab6db3e 100644 ---- a/lib/libswan/constants.c -+++ b/lib/libswan/constants.c -@@ -1365,13 +1365,12 @@ static const char *const ikev2_cp_attribute_type_name[] = { - "IKEv2_EXTERNAL_SOURCE_IP4_NAT_INFO", /* 3gpp */ - "IKEv2_TIMEOUT_PERIOD_FOR_LIVENESS_CHECK", /* 3gpp */ - "IKEv2_INTERNAL_DNS_DOMAIN", /* draft-ietf-ipsecme-split-dns */ -- /* "IKEv2_INTERNAL_DNSSEC_TA", draft-ietf-ipsecme-split-dns, no Code Point yet */ -+ "IKEv2_INTERNAL_DNSSEC_TA", /* draft-ietf-ipsecme-split-dns */ - }; - - enum_names ikev2_cp_attribute_type_names = { - IKEv2_CP_ATTR_RESERVED, -- IKEv2_INTERNAL_DNS_DOMAIN, -- /* IKEv2_INTERNAL_DNSSEC_TA, */ -+ IKEv2_INTERNAL_DNSSEC_TA, - ARRAY_REF(ikev2_cp_attribute_type_name), - NULL, /* prefix */ - NULL -diff --git a/programs/addconn/addconn.c b/programs/addconn/addconn.c -index ae56972..e818e0e 100644 ---- a/programs/addconn/addconn.c -+++ b/programs/addconn/addconn.c -@@ -416,12 +416,11 @@ int main(int argc, char *argv[]) - if (verbose) - printf(" Pass #1: Loading auto=add, auto=route and auto=start connections\n"); - -- for (conn = cfg->conns.tqh_first; -- conn != NULL; -- conn = conn->link.tqe_next) { -+ for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) { - if (conn->desired_state == STARTUP_ADD || - conn->desired_state == STARTUP_ONDEMAND || -- conn->desired_state == STARTUP_START) { -+ conn->desired_state == STARTUP_START) -+ { - if (verbose) - printf(" %s", conn->name); - resolve_defaultroute(conn); -@@ -436,30 +435,22 @@ int main(int argc, char *argv[]) - starter_whack_listen(cfg); - - if (verbose) -- printf(" Pass #2: Routing auto=route and auto=start connections\n"); -+ printf(" Pass #2: Routing auto=route connections\n"); - -- for (conn = cfg->conns.tqh_first; -- conn != NULL; -- conn = conn->link.tqe_next) { -- if (conn->desired_state == STARTUP_ADD || -- conn->desired_state == STARTUP_ONDEMAND || -- conn->desired_state == STARTUP_START) { -+ for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) { -+ if (conn->desired_state == STARTUP_ONDEMAND) -+ { - if (verbose) - printf(" %s", conn->name); -- resolve_defaultroute(conn); -- if (conn->desired_state == STARTUP_ONDEMAND || -- conn->desired_state == STARTUP_START) { -+ if (conn->desired_state == STARTUP_ONDEMAND) - starter_whack_route_conn(cfg, conn); -- } - } - } - - if (verbose) - printf(" Pass #3: Initiating auto=start connections\n"); - -- for (conn = cfg->conns.tqh_first; -- conn != NULL; -- conn = conn->link.tqe_next) { -+ for (conn = cfg->conns.tqh_first; conn != NULL; conn = conn->link.tqe_next) { - if (conn->desired_state == STARTUP_START) { - if (verbose) - printf(" %s", conn->name); -diff --git a/programs/_updown.netkey/_updown.netkey.in b/programs/_updown.netkey/_updown.netkey.in -index 64b2808..b343445 100644 ---- a/programs/_updown.netkey/_updown.netkey.in -+++ b/programs/_updown.netkey/_updown.netkey.in -@@ -745,6 +745,7 @@ case "${PLUTO_VERB}" in - up-client) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. -+ addvtiiface - updateresolvconf - addcat - addsource diff --git a/SOURCES/libreswan-3.23-liveness-1553406.patch b/SOURCES/libreswan-3.23-liveness-1553406.patch deleted file mode 100644 index a98bb65..0000000 --- a/SOURCES/libreswan-3.23-liveness-1553406.patch +++ /dev/null @@ -1,18 +0,0 @@ -diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_parent.c libreswan-3.23/programs/pluto/ikev2_parent.c ---- libreswan-3.23-orig/programs/pluto/ikev2_parent.c 2018-04-27 14:08:15.514571020 -0400 -+++ libreswan-3.23/programs/pluto/ikev2_parent.c 2018-04-27 14:08:53.835299450 -0400 -@@ -6076,6 +6076,14 @@ - md->st = st = NULL; - } else if (!responding && - md->chain[ISAKMP_NEXT_v2D] == NULL) { -+ /* A liveness update response */ -+ /* ??? why wouldn't any INFORMATIONAL count, even one that -+ * is actually deleting SAs? -+ */ -+ DBG(DBG_CONTROLMORE, -+ DBG_log("Received an INFORMATIONAL response; updating liveness, no longer pending.")); -+ st->st_last_liveness = mononow(); -+ st->st_pend_liveness = FALSE; - } else if (del_ike) { - /* - * If we are deleting the Parent SA, the Child SAs will be torn down as well, diff --git a/SOURCES/libreswan-3.23-ppk-update.patch b/SOURCES/libreswan-3.23-ppk-update.patch deleted file mode 100644 index fe9d9fb..0000000 --- a/SOURCES/libreswan-3.23-ppk-update.patch +++ /dev/null @@ -1,116 +0,0 @@ -diff --git a/include/ietf_constants.h b/include/ietf_constants.h -index 38fa4de..08c8d9e 100644 ---- a/include/ietf_constants.h -+++ b/include/ietf_constants.h -@@ -1486,12 +1486,14 @@ typedef enum { - v2N_SENDER_REQUEST_ID = 16429, /* draft-yeung-g-ikev2 */ - v2N_IKEV2_FRAGMENTATION_SUPPORTED = 16430, /* RFC-7383 */ - v2N_SIGNATURE_HASH_ALGORITHMS = 16431, /* RFC-7427 */ -- -- v2N_USE_PPK = 40960, /* draft-ietf-ipsecme-qr-ikev2-01 */ -- v2N_PPK_IDENTITY = 40961, /* draft-ietf-ipsecme-qr-ikev2-01 */ -- v2N_NO_PPK_AUTH = 40962, /* draft-ietf-ipsecme-qr-ikev2-01 */ -- -- /* 16432 - 40969 Unassigned */ -+ v2N_CLONE_IKE_SA_SUPPORTED = 16432, /* RFC-7791 */ -+ v2N_CLONE_IKE_SA = 16433, /* RFC-7791 */ -+ v2N_PUZZLE = 16434, /* RFC-8019 */ -+ v2N_USE_PPK = 16435, /* draft-ietf-ipsecme-qr-ikev2 */ -+ v2N_PPK_IDENTITY = 16436, /* draft-ietf-ipsecme-qr-ikev2 */ -+ v2N_NO_PPK_AUTH = 16437, /* draft-ietf-ipsecme-qr-ikev2 */ -+ -+ /* 16438 - 40969 Unassigned */ - /* 40960 - 65535 Private Use */ - } v2_notification_t; - -diff --git a/lib/libswan/constants.c b/lib/libswan/constants.c -index ab6db3e..a0dab63 100644 ---- a/lib/libswan/constants.c -+++ b/lib/libswan/constants.c -@@ -1634,20 +1634,6 @@ static enum_names ikev2_ppk_id_type_names = { - }; - */ - --static const char *const ikev2_notify_name_private[] = { -- "v2N_USE_PPK", -- "v2N_PPK_IDENTITY", -- "v2N_NO_PPK_AUTH", --}; -- --static enum_names ikev2_notify_names_private = { -- v2N_USE_PPK, -- v2N_NO_PPK_AUTH, -- ARRAY_REF(ikev2_notify_name_private), -- "v2N_", /* prefix */ -- NULL --}; -- - /* http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xml#ikev2-parameters-13 */ - static const char *const ikev2_notify_name_16384[] = { - "v2N_INITIAL_CONTACT", /* 16384 */ -@@ -1698,14 +1684,20 @@ static const char *const ikev2_notify_name_16384[] = { - "v2N_SENDER_REQUEST_ID", - "v2N_IKEV2_FRAGMENTATION_SUPPORTED", /* 16430 */ - "v2N_SIGNATURE_HASH_ALGORITHMS", -+ "v2N_CLONE_IKE_SA_SUPPORTED", -+ "v2N_CLONE_IKE_SA", -+ "v2N_PUZZLE", -+ "v2N_USE_PPK", /* 16435 */ -+ "v2N_PPK_IDENTITY", -+ "v2N_NO_PPK_AUTH", - }; - - static enum_names ikev2_notify_names_16384 = { - v2N_INITIAL_CONTACT, -- v2N_SIGNATURE_HASH_ALGORITHMS, -+ v2N_NO_PPK_AUTH, - ARRAY_REF(ikev2_notify_name_16384), - "v2N_", /* prefix */ -- &ikev2_notify_names_private -+ NULL - }; - - static const char *const ikev2_notify_name[] = { -diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c -index 258ba85..b86eea8 100644 ---- a/programs/pluto/ikev2_parent.c -+++ b/programs/pluto/ikev2_parent.c -@@ -3749,18 +3749,14 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md) - break; - } - -- if (LIN(POLICY_PPK_ALLOW, policy)) { -- no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH"); -+ no_ppk_auth = alloc_chunk(len, "NO_PPK_AUTH"); - -- if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) { -- loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len); -- return STF_FATAL; -- } -- DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth)); -- st->st_no_ppk_auth = no_ppk_auth; -- } else { -- libreswan_log("ignored received NO_PPK_AUTH - connection does not allow PPK"); -+ if (!in_raw(no_ppk_auth.ptr, len, &pbs, "NO_PPK_AUTH extract")) { -+ loglog(RC_LOG_SERIOUS, "Failed to extract %zd bytes of NO_PPK_AUTH from Notify payload", len); -+ return STF_FATAL; - } -+ DBG(DBG_PRIVATE, DBG_dump_chunk("NO_PPK_AUTH:", no_ppk_auth)); -+ st->st_no_ppk_auth = no_ppk_auth; - break; - } - case v2N_MOBIKE_SUPPORTED: -@@ -3774,8 +3770,11 @@ stf_status ikev2_parent_inI2outR2_id_tail(struct msg_digest *md) - } - } - -- /* if we found proper PPK ID, we should use that without fallback to no ppk */ -- if (found_ppk) -+ /* -+ * If we found proper PPK ID and policy allows PPK, use that. -+ * Otherwise use NO_PPK_AUTH -+ */ -+ if (found_ppk && LIN(POLICY_PPK_ALLOW, policy)) - freeanychunk(st->st_no_ppk_auth); - - if (!found_ppk && LIN(POLICY_PPK_INSIST, policy)) { diff --git a/SOURCES/libreswan-3.23-rekey-1572425.patch b/SOURCES/libreswan-3.23-rekey-1572425.patch deleted file mode 100644 index 7af43f7..0000000 --- a/SOURCES/libreswan-3.23-rekey-1572425.patch +++ /dev/null @@ -1,86 +0,0 @@ -diff -Naur libreswan-3.23-orig/programs/pluto/ikev2.c libreswan-3.23/programs/pluto/ikev2.c ---- libreswan-3.23-orig/programs/pluto/ikev2.c 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/ikev2.c 2018-04-26 21:55:22.841931926 -0400 -@@ -917,7 +917,12 @@ - - if (is_msg_request(md)) { - /* this a new IKE request and not a response */ -- if (md->from_state == STATE_V2_CREATE_R) { -+ if (resp_state_with_msgid(pst->st_serialno, -+ htonl(md->msgid_received)) != NULL) { -+ what = "CREATE_CHILD_SA Request retransmission ignored"; -+ st = NULL; -+ -+ } else if (md->from_state == STATE_V2_CREATE_R) { - what = "Child SA Request"; - st = duplicate_state(pst, IPSEC_SA); - change_state(st, STATE_V2_CREATE_R); -diff -Naur libreswan-3.23-orig/programs/pluto/ikev2_parent.c libreswan-3.23/programs/pluto/ikev2_parent.c ---- libreswan-3.23-orig/programs/pluto/ikev2_parent.c 2018-04-26 21:54:36.863176992 -0400 -+++ libreswan-3.23/programs/pluto/ikev2_parent.c 2018-04-26 21:55:22.843931915 -0400 -@@ -5009,6 +5009,8 @@ - ikev2_print_ts(&rst->st_ts_this); - ikev2_print_ts(&rst->st_ts_that); - -+ st->st_connection = rst->st_connection; -+ - ret = STF_OK; - } - -diff -Naur libreswan-3.23-orig/programs/pluto/state.c libreswan-3.23/programs/pluto/state.c ---- libreswan-3.23-orig/programs/pluto/state.c 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/state.c 2018-04-26 21:55:22.842931921 -0400 -@@ -592,6 +592,39 @@ - } - return FALSE; - } -+ -+static bool ikev2_child_resp_eq_pst_msgid(const struct state *st, -+ so_serial_t psn, msgid_t st_msgid) -+{ -+ if (st->st_clonedfrom == psn && -+ st->st_msgid == st_msgid && -+ IS_CHILD_SA_RESPONDER(st)) { -+ return TRUE; -+ } -+ return FALSE; -+} -+ -+/* -+ * Find the state object that match the following: -+ * st_msgid (IKEv2 Child responder state) -+ * parent duplicated from -+ * expected state -+ */ -+ -+struct state *resp_state_with_msgid(so_serial_t psn, msgid_t st_msgid) -+{ -+ passert(psn >= SOS_FIRST); -+ -+ FOR_EACH_COOKIED_STATE(st, { -+ if (ikev2_child_resp_eq_pst_msgid(st, psn, st_msgid)) -+ return st; -+ }); -+ DBG(DBG_CONTROL, -+ DBG_log("no waiting child state matching pst #%lu msg id %u", -+ psn, ntohs(st_msgid))); -+ return NULL; -+} -+ - /* - * Find the state object that match the following: - * st_msgid (IKE/IPsec initiator state) -diff -Naur libreswan-3.23-orig/programs/pluto/state.h libreswan-3.23/programs/pluto/state.h ---- libreswan-3.23-orig/programs/pluto/state.h 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/state.h 2018-04-26 21:55:22.842931921 -0400 -@@ -684,7 +684,9 @@ - const struct connection *c, - lset_t ok_states); - --struct state *state_with_parent_msgid_expect(so_serial_t psn, msgid_t st_msgid, -+extern struct state *resp_state_with_msgid(so_serial_t psn, msgid_t st_msgid); -+ -+extern struct state *state_with_parent_msgid_expect(so_serial_t psn, msgid_t st_msgid, - enum state_kind expected_state); - - extern struct state *find_state_ikev2_parent(const u_char *icookie, diff --git a/SOURCES/libreswan-3.23-seccomp.patch b/SOURCES/libreswan-3.23-seccomp.patch deleted file mode 100644 index 0e3679a..0000000 --- a/SOURCES/libreswan-3.23-seccomp.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -Naur libreswan-3.23-orig/programs/addconn/addconn.c libreswan-3.23/programs/addconn/addconn.c ---- libreswan-3.23-orig/programs/addconn/addconn.c 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/addconn/addconn.c 2018-02-05 14:13:25.758711788 -0500 -@@ -140,7 +140,9 @@ - rc |= S_RULE_ADD(set_robust_list); - rc |= S_RULE_ADD(set_tid_address); - rc |= S_RULE_ADD(socket); -+ rc |= S_RULE_ADD(socketcall); - rc |= S_RULE_ADD(socketpair); -+ rc |= S_RULE_ADD(stat); - rc |= S_RULE_ADD(statfs); - rc |= S_RULE_ADD(uname); - rc |= S_RULE_ADD(write); -diff -Naur libreswan-3.23-orig/programs/pluto/pluto_seccomp.c libreswan-3.23/programs/pluto/pluto_seccomp.c ---- libreswan-3.23-orig/programs/pluto/pluto_seccomp.c 2018-01-25 15:19:46.000000000 -0500 -+++ libreswan-3.23/programs/pluto/pluto_seccomp.c 2018-02-05 14:13:38.390239502 -0500 -@@ -109,6 +109,7 @@ - rc |= S_RULE_ADD(set_robust_list); - rc |= S_RULE_ADD(setsockopt); - rc |= S_RULE_ADD(socket); -+ rc |= S_RULE_ADD(socketcall); - rc |= S_RULE_ADD(socketpair); - rc |= S_RULE_ADD(sysinfo); - rc |= S_RULE_ADD(uname); diff --git a/SOURCES/libreswan-3.25-alg_info.patch b/SOURCES/libreswan-3.25-alg_info.patch new file mode 100644 index 0000000..3e47c47 --- /dev/null +++ b/SOURCES/libreswan-3.25-alg_info.patch @@ -0,0 +1,13 @@ +diff --git a/lib/libswan/alg_info.c b/lib/libswan/alg_info.c +index fd45e4991..ade54db06 100644 +--- a/lib/libswan/alg_info.c ++++ b/lib/libswan/alg_info.c +@@ -426,7 +426,7 @@ static bool parser_alg_info_add(const struct proposal_parser *parser, + LSWDBGP(DBG_PROPOSAL_PARSER, buf) { + lswlogs(buf, "algs:"); + for (struct token *token = tokens; token->alg.ptr != NULL; token++) { +- lswlogf(buf, " algs[%zu] = '"PRISHUNK"'", ++ lswlogf(buf, " algs[%tu] = '"PRISHUNK"'", + token - tokens, SHUNKF(token->alg)); + } + } diff --git a/SOURCES/libreswan-3.25-relax-delete.patch b/SOURCES/libreswan-3.25-relax-delete.patch new file mode 100644 index 0000000..e5a0280 --- /dev/null +++ b/SOURCES/libreswan-3.25-relax-delete.patch @@ -0,0 +1,62 @@ +diff --git a/programs/pluto/state.c b/programs/pluto/state.c +index 7b33145..a3bcc3c 100644 +--- a/programs/pluto/state.c ++++ b/programs/pluto/state.c +@@ -3155,27 +3155,40 @@ void ISAKMP_SA_established(const struct state *pst) + d = next; + } + +- if (c->newest_isakmp_sa != SOS_NOBODY && +- c->newest_isakmp_sa != pst->st_serialno) { +- struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa); ++ /* ++ * This only affects IKEv2, since we don't store any ++ * received INITIAL_CONTACT for IKEv1. ++ * We don't do this on IKEv1, because it seems to ++ * confuse various third parties (Windows, Cisco VPN 300, ++ * and juniper ++ * likely because this would be called before the IPsec SA ++ * of QuickMode is installed, so the remote endpoints view ++ * this IKE SA still as the active one? ++ */ ++ if (pst->st_seen_initialc) { + +- DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s", +- old_p1->st_connection->name)); +- old_p1->st_suppress_del_notify = TRUE; +- event_force(EVENT_SA_EXPIRE, old_p1); +- } ++ if (c->newest_isakmp_sa != SOS_NOBODY && ++ c->newest_isakmp_sa != pst->st_serialno) { ++ struct state *old_p1 = state_by_serialno(c->newest_isakmp_sa); + +- if (pst->st_seen_initialc && (c->newest_ipsec_sa != SOS_NOBODY)) +- { +- struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa); +- struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection; ++ DBG(DBG_CONTROL, DBG_log("deleting replaced IKE state for %s", ++ old_p1->st_connection->name)); ++ old_p1->st_suppress_del_notify = TRUE; ++ event_force(EVENT_SA_EXPIRE, old_p1); ++ } + +- if (c == d && same_id(&c->spd.that.id, &d->spd.that.id)) ++ if (c->newest_ipsec_sa != SOS_NOBODY) + { +- DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'", +- c->newest_ipsec_sa, c->name)); +- old_p2->st_suppress_del_notify = TRUE; +- event_force(EVENT_SA_EXPIRE, old_p2); ++ struct state *old_p2 = state_by_serialno(c->newest_ipsec_sa); ++ struct connection *d = old_p2 == NULL ? NULL : old_p2->st_connection; ++ ++ if (c == d && same_id(&c->spd.that.id, &d->spd.that.id)) ++ { ++ DBG(DBG_CONTROL, DBG_log("Initial Contact received, deleting old state #%lu from connection '%s'", ++ c->newest_ipsec_sa, c->name)); ++ old_p2->st_suppress_del_notify = TRUE; ++ event_force(EVENT_SA_EXPIRE, old_p2); ++ } + } + } + diff --git a/SPECS/libreswan.spec b/SPECS/libreswan.spec index f7acbd5..f20c017 100644 --- a/SPECS/libreswan.spec +++ b/SPECS/libreswan.spec @@ -23,8 +23,8 @@ Name: libreswan Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols -Version: 3.23 -Release: %{?prever:0.}5%{?prever:.%{prever}}%{?dist} +Version: 3.25 +Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist} License: GPLv2 Group: System Environment/Daemons Url: https://libreswan.org/ @@ -33,15 +33,8 @@ Source1: ikev1_dsa.fax.bz2 Source2: ikev1_psk.fax.bz2 Source3: ikev2.fax.bz2 -Patch1: libreswan-3.23-seccomp.patch -Patch2: libreswan-3.23-fixups.patch -Patch3: libreswan-3.23-ppk-update.patch -# rhbz#1573949 -Patch4: libreswan-3.23-fips-newkey-1544143.patch -# rhbz#1574456 -Patch5: libreswan-3.23-rekey-1572425.patch -# rhbz#1574457 -Patch6: libreswan-3.23-liveness-1553406.patch +Patch1: libreswan-3.25-alg_info.patch +Patch2: libreswan-3.25-relax-delete.patch Requires: iproute >= 2.6.8 Requires: nss-tools nss-softokn @@ -130,10 +123,6 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %setup -q -n libreswan-%{version}%{?prever} %patch1 -p1 %patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 %build %if %{buildefence} @@ -265,7 +254,7 @@ export NSS_DISABLE_HW_GCM=1 : "starting CAVS test for IKEv2" %{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | diff -u ikev2.fax - > /dev/null : "starting CAVS test for IKEv1 RSASIG" -%{buildroot}%{_libexecdir}/ipsec/cavp -v1sig ikev1_dsa.fax | diff -u ikev1_dsa.fax - > /dev/null +%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | diff -u ikev1_dsa.fax - > /dev/null : "starting CAVS test for IKEv1 PSK" %{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | diff -u ikev1_psk.fax - > /dev/null : "CAVS tests passed" @@ -335,13 +324,19 @@ fi %endif %changelog -* Fri May 25 2018 Paul Wouters - 3.23-5 -- Resolves: rhbz#1573949 ipsec newhostkey fails in FIPS mode [spec file only update] - -* Wed May 02 2018 Paul Wouters - 3.23-4 -- Resolves: rhbz#1573949 ipsec newhostkey fails in FIPS mode when RSA key is generated -- Resolves: rhbz#1574456 Shared IKE SA leads to rekey interop issues -- Resolves: rhbz#1574457 IKEv2 liveness false positive on IKEv2 idle connections causes tunnel to be restarted +* Mon Jul 02 2018 Paul Wouters - 3.25-2 +- Resolves: rhbz#1597322 Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors + +* Wed Jun 27 2018 Paul Wouters - 3.25-1 +- Resolves: rhbz#1591817 rebase libreswan to 3.25 +- Resolves: rhbz#1536404 CERT_PKCS7_WRAPPED_X509 error +- Resolves: rhbz#1544143 ipsec newhostkey fails in FIPS mode when RSA key is generated +- Resolves: rhbz#1574011 libreswan is missing a Requires: unbound-libs >= 1.6.6 + +* Fri Apr 27 2018 Paul Wouters - 3.23-4 +- Resolves: rhbz#1544143 ipsec newhostkey fails in FIPS mode when RSA key is generated +- Resolves: rhbz#1553406 IKEv2 liveness false positive on IKEv2 idle connections causes tunnel to be restarted +- Resolves: rhbz#1572425 shared IKE SA leads to rekey interop issues * Wed Feb 07 2018 Paul Wouters - 3.23-3 - Resolves: rhbz#1471553 libreswan postquantum preshared key (PPK) support [IANA update]