import NetworkManager-libreswan-1.2.24-2.el10

cs10 imports/cs10/NetworkManager-libreswan-1.2.24-2.el10
MSVSphere Packaging Team 1 month ago
parent ad3ae5c1ea
commit 837849db16
Signed by: sys_gitsync
GPG Key ID: B2B0B9F29E528FE8

@ -1 +1 @@
7f62450f66f2a21789fd6cfebbf3355ae99553ea SOURCES/NetworkManager-libreswan-1.2.22.tar.xz
b18b3e3cad755c612e576829aabc8303c8950071 SOURCES/NetworkManager-libreswan-1.2.24.tar.xz

2
.gitignore vendored

@ -1 +1 @@
SOURCES/NetworkManager-libreswan-1.2.22.tar.xz
SOURCES/NetworkManager-libreswan-1.2.24.tar.xz

@ -1,81 +0,0 @@
From 4957f0123c109df05885b2c85bfabc8f7311fe62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@redhat.com>
Date: Mon, 9 Sep 2024 12:25:58 +0200
Subject: [PATCH] editor: connect stuff_changed_cb from populate_widget
There is no need to do it in 2 different steps, we always have to
connect it after creating the widget. Let's do it all together so no
developer forgets.
---
properties/nm-libreswan-editor.c | 47 --------------------------------
1 file changed, 47 deletions(-)
diff --git a/properties/nm-libreswan-editor.c b/properties/nm-libreswan-editor.c
index b03d2fe..5687dc7 100644
--- a/properties/nm-libreswan-editor.c
+++ b/properties/nm-libreswan-editor.c
@@ -351,27 +351,6 @@ populate_widget (LibreswanEditor *self,
}
gtk_combo_box_set_active (GTK_COMBO_BOX (widget), idx);
}
-}
-
-
-/* Init the widget on the basis of its actual type.
- * widget_name: the name of the widget
- * key_name: the name of the key where the config value is stored
- * alt_key_name:alternative name of the key
- * match_value: used only for toggle_button and combo_box widgets; when matched
- * in the former it will set the toggle button as active, in the latter
- * will be used as a match for enabling the third index of possible values
- * (a three-valued logic value is expected: "no", "yes" or "match_value").
- */
-static void
-hook_stuff_changed_cb (LibreswanEditor *self,
- const char *widget_name)
-{
- LibreswanEditorPrivate *priv = LIBRESWAN_EDITOR_GET_PRIVATE (self);
- GtkWidget *widget;
-
- widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, widget_name));
- g_return_if_fail (widget);
g_signal_connect (G_OBJECT (widget),
GTK_IS_CHECK_BUTTON (widget) ? "toggled" : "changed",
@@ -471,33 +450,7 @@ init_editor_plugin (LibreswanEditor *self,
populate_widget (self, "group_entry", NM_LIBRESWAN_KEY_LEFTID, NULL, NULL);
populate_widget (self, "cert_entry", NM_LIBRESWAN_KEY_LEFTCERT, NULL, NULL);
populate_widget (self, "remoteid_entry", NM_LIBRESWAN_KEY_RIGHTID, NULL, NULL);
- hook_stuff_changed_cb (self, "gateway_entry");
- hook_stuff_changed_cb (self, "user_entry");
- hook_stuff_changed_cb (self, "group_entry");
- hook_stuff_changed_cb (self, "cert_entry");
- hook_stuff_changed_cb (self, "remoteid_entry");
-
- /* Advanced Dialog */
populate_adv_dialog (self);
- hook_stuff_changed_cb (self, "domain_entry");
- hook_stuff_changed_cb (self, "phase1_entry");
- hook_stuff_changed_cb (self, "phase2_entry");
- hook_stuff_changed_cb (self, "phase1_lifetime_entry");
- hook_stuff_changed_cb (self, "phase2_lifetime_entry");
- hook_stuff_changed_cb (self, "rekey_checkbutton");
- hook_stuff_changed_cb (self, "pfs_checkbutton");
- hook_stuff_changed_cb (self, "local_network_entry");
- hook_stuff_changed_cb (self, "remote_network_entry");
- hook_stuff_changed_cb (self, "narrowing_checkbutton");
- hook_stuff_changed_cb (self, "fragmentation_combo");
- hook_stuff_changed_cb (self, "mobike_combo");
- hook_stuff_changed_cb (self, "dpd_delay_entry");
- hook_stuff_changed_cb (self, "dpd_timeout_entry");
- hook_stuff_changed_cb (self, "dpd_action_combo");
- hook_stuff_changed_cb (self, "ipsec_interface_entry");
- hook_stuff_changed_cb (self, "authby_entry");
- hook_stuff_changed_cb (self, "disable_modecfgclient_checkbutton");
- hook_stuff_changed_cb (self, "remote_cert_entry");
priv->advanced_dialog = GTK_WIDGET (gtk_builder_get_object (priv->builder, "libreswan-advanced-dialog"));
g_return_val_if_fail (priv->advanced_dialog != NULL, FALSE);
--
2.44.0

@ -1,182 +0,0 @@
From 95517f4dd6de399f4608c63f48658228ac902c93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@redhat.com>
Date: Mon, 9 Sep 2024 11:47:57 +0200
Subject: [PATCH] properties: add require-id-on-certificate
From `man ipsec.conf`:
require-id-on-certificate:
When using certificates, check whether the IKE peer ID is present as
a subjectAltName (SAN) on the peer certificate. Accepted values are
yes (the default) or no. This check should only be disabled when
intentionally using certificates that do not have their peer ID specified
as a SAN on the certificate. These certificates violate RFC 4945 Section
3.1 and are normally rejected to prevent a compromised host from assuming
the IKE identity of another host. The SAN limits the IDs that the
peer is able to assume.
---
properties/nm-libreswan-dialog.ui | 26 +++++++++++++++++++++++++
properties/nm-libreswan-editor-plugin.c | 2 ++
properties/nm-libreswan-editor.c | 9 +++++++++
shared/nm-service-defines.h | 1 +
shared/utils.c | 5 +++++
src/nm-libreswan-service.c | 1 +
6 files changed, 44 insertions(+)
diff --git a/properties/nm-libreswan-dialog.ui b/properties/nm-libreswan-dialog.ui
index b682895..17a7171 100644
--- a/properties/nm-libreswan-dialog.ui
+++ b/properties/nm-libreswan-dialog.ui
@@ -1222,6 +1222,32 @@ config: authby &lt;value&gt;
<property name="top_attach">0</property>
</packing>
</child>
+ <child>
+ <object class="GtkLabel" id="require_id_on_certificate_label">
+ <property name="visible">True</property>
+ <property name="can_focus">False</property>
+ <property name="label" translatable="yes">Don't require remote certificate name</property>
+ <property name="use_underline">True</property>
+ <property name="mnemonic_widget">require_id_on_certificate_checkbutton</property>
+ <property name="xalign">1</property>
+ </object>
+ <packing>
+ <property name="left_attach">0</property>
+ <property name="top_attach">1</property>
+ </packing>
+ </child>
+ <child>
+ <object class="GtkCheckButton" id="require_id_on_certificate_checkbutton">
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="receives_default">False</property>
+ <property name="draw_indicator">True</property>
+ </object>
+ <packing>
+ <property name="left_attach">1</property>
+ <property name="top_attach">1</property>
+ </packing>
+ </child>
</object>
</child>
</object>
diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c
index fe473d1..7aa528e 100644
--- a/properties/nm-libreswan-editor-plugin.c
+++ b/properties/nm-libreswan-editor-plugin.c
@@ -214,6 +214,8 @@ import_from_file (NMVpnEditorPlugin *self,
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_HOSTADDRFAMILY, str + NM_STRLEN("hostaddrfamily="));
else if (g_str_has_prefix (str, "clientaddrfamily="))
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, str + NM_STRLEN("clientaddrfamily="));
+ else if (g_str_has_prefix (str, "require-id-on-certificate="))
+ nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, str + NM_STRLEN("require-id-on-certificate="));
else if (g_str_has_prefix (str, "rightsubnet=")) {
if (!g_str_has_prefix (str, "rightsubnet=0.0.0.0/0"))
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REMOTENETWORK, &str[12]);
diff --git a/properties/nm-libreswan-editor.c b/properties/nm-libreswan-editor.c
index 5687dc7..b350819 100644
--- a/properties/nm-libreswan-editor.c
+++ b/properties/nm-libreswan-editor.c
@@ -379,6 +379,7 @@ populate_adv_dialog (LibreswanEditor *self)
populate_widget (self, "authby_entry", NM_LIBRESWAN_KEY_AUTHBY, NULL, NULL);
populate_widget (self, "disable_modecfgclient_checkbutton", NM_LIBRESWAN_KEY_LEFTMODECFGCLIENT, NULL, "no");
populate_widget (self, "remote_cert_entry", NM_LIBRESWAN_KEY_RIGHTCERT, NULL, NULL);
+ populate_widget (self, "require_id_on_certificate_checkbutton", NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, NULL, "no");
}
static gboolean
@@ -642,6 +643,14 @@ update_adv_settings (LibreswanEditor *self, NMSettingVpn *s_vpn)
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT, str);
else
nm_setting_vpn_remove_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT);
+
+ /* Disable Require ID on certificate */
+ widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "require_id_on_certificate_checkbutton"));
+ if (gtk_check_button_get_active (GTK_CHECK_BUTTON (widget)))
+ nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, "no");
+ else
+ nm_setting_vpn_remove_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE);
+
}
static gboolean
diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
index 167b837..5f523bd 100644
--- a/shared/nm-service-defines.h
+++ b/shared/nm-service-defines.h
@@ -73,6 +73,7 @@
#define NM_LIBRESWAN_KEY_TYPE "type"
#define NM_LIBRESWAN_KEY_HOSTADDRFAMILY "hostaddrfamily"
#define NM_LIBRESWAN_KEY_CLIENTADDRFAMILY "clientaddrfamily"
+#define NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE "require-id-on-certificate"
#define NM_LIBRESWAN_IKEV2_NO "no"
#define NM_LIBRESWAN_IKEV2_NEVER "never"
diff --git a/shared/utils.c b/shared/utils.c
index 65bc603..9394099 100644
--- a/shared/utils.c
+++ b/shared/utils.c
@@ -122,6 +122,7 @@ nm_libreswan_config_write (gint fd,
const char *mobike;
const char *pfs;
const char *client_family;
+ const char *require_id_on_certificate;
const char *item;
gboolean is_ikev2 = FALSE;
@@ -173,6 +174,10 @@ nm_libreswan_config_write (gint fd,
if (client_family && strlen (client_family))
WRITE_CHECK (fd, debug_write_fcn, error, " clientaddrfamily=%s", client_family);
+ require_id_on_certificate = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE);
+ if (require_id_on_certificate && strlen (require_id_on_certificate))
+ WRITE_CHECK (fd, debug_write_fcn, error, " require-id-on-certificate=%s", require_id_on_certificate);
+
leftrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTRSASIGKEY);
rightrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTRSASIGKEY);
leftcert = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTCERT);
diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
index e5956af..984e991 100644
--- a/src/nm-libreswan-service.c
+++ b/src/nm-libreswan-service.c
@@ -274,6 +274,7 @@ static ValidProperty valid_properties[] = {
{ NM_LIBRESWAN_KEY_TYPE, G_TYPE_STRING, 0, 0 },
{ NM_LIBRESWAN_KEY_HOSTADDRFAMILY, G_TYPE_STRING, 0, 0 },
{ NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, G_TYPE_STRING, 0, 0 },
+ { NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, G_TYPE_STRING, 0, 0 },
/* Ignored option for internal use */
{ NM_LIBRESWAN_KEY_PSK_INPUT_MODES, G_TYPE_NONE, 0, 0 },
{ NM_LIBRESWAN_KEY_XAUTH_PASSWORD_INPUT_MODES, G_TYPE_NONE, 0, 0 },
--- a/gtk4/nm-libreswan-dialog.ui
+++ b/gtk4/nm-libreswan-dialog.ui
@@ -979,6 +979,27 @@
</layout>
</object>
</child>
+ <child>
+ <object class="GtkLabel" id="require_id_on_certificate_label">
+ <property name="label" translatable="1">Don&apos;t require remote certificate name</property>
+ <property name="use_underline">1</property>
+ <property name="mnemonic_widget">require_id_on_certificate_checkbutton</property>
+ <property name="xalign">1</property>
+ <layout>
+ <property name="column">0</property>
+ <property name="row">1</property>
+ </layout>
+ </object>
+ </child>
+ <child>
+ <object class="GtkCheckButton" id="require_id_on_certificate_checkbutton">
+ <property name="focusable">1</property>
+ <layout>
+ <property name="column">1</property>
+ <property name="row">1</property>
+ </layout>
+ </object>
+ </child>
</object>
</child>
</object>
--
2.44.0

@ -14,8 +14,8 @@
Summary: NetworkManager VPN plug-in for IPsec VPN
Name: NetworkManager-libreswan
Version: 1.2.22
Release: 3%{?dist}
Version: 1.2.24
Release: 2%{?dist}
License: GPL-2.0-or-later
URL: https://gitlab.gnome.org/GNOME/NetworkManager-libreswan
Source0: https://download.gnome.org/sources/NetworkManager-libreswan/1.2/%{name}-%{version}.tar.xz
@ -26,8 +26,6 @@ Source0: https://download.gnome.org/sources/NetworkManager-libreswan/1.2/%{nam
# Bugfixes that are only relevant until next rebase of the package.
# Patch1001: 1001-some.patch
Patch1001: 1001-editor-connect-stuff_changed_cb-from-populate_widget.patch
Patch1002: 1002-properties-add-require-id-on-certificate.patch
BuildRequires: make
BuildRequires: gcc
@ -132,6 +130,14 @@ mv %{buildroot}%{_sysconfdir}/dbus-1 %{buildroot}%{_datadir}/
%changelog
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.2.24-2
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Tue Oct 22 2024 Lubomir Rintel <lkundrak@v3.sk> - 1.2.24-1
- Update to 1.2.24 release
- Fix improper escaping of Libreswan configuration (CVE-2024-9050)
* Thu Sep 12 2024 Íñigo Huguet <ihuguet@redhat.com> - 1.2.22-3
- Support require-id-on-certificate (RHEL-58812)
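Review bot: The rebase removes the `Patch1001:` and `Patch1002:` lines in the second hunk without recording where those patches went; the only 1.2.24-1 changelog entry says `- Update to 1.2.24 release` plus the CVE-2024-9050 fix, and nothing in this section states that 1.2.24 carries the require-id-on-certificate support that the 1.2.22-3 entry added for RHEL-58812. If the upstream release did not absorb that patch, the `require-id-on-certificate` key disappears from the service's valid-properties table and from the config writer, so connections already carrying the key would presumably fail property validation rather than silently keep the old behaviour. Presumably both patches were merged upstream before 1.2.24, which is the usual reason for dropping them on a rebase, but that is inferred rather than visible here. A one-line changelog entry makes the intent auditable: `- Drop patches merged upstream in 1.2.24 (require-id-on-certificate, RHEL-58812)`.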
