rpms
/
NetworkManager-libreswan
21
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: rpms:c9
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i9c
rpms:c9
rpms:i8c
rpms:c8
rpms:i9c-beta
rpms:c9-beta
rpms:i8c-beta
rpms:c8-beta
...
pull from: rpms:c8
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i9c
rpms:c9
rpms:i8c
rpms:c8
rpms:i9c-beta
rpms:c9-beta
rpms:i8c-beta
rpms:c8-beta

No commits in common. 'c9' and 'c8' have entirely different histories.
c9 ... c8

7 changed files with 24661 additions and 382 deletions
Show Stats

2
.NetworkManager-libreswan.metadata
Unescape View File

@ -1 +1 @@
7f62450f66f2a21789fd6cfebbf3355ae99553ea SOURCES/NetworkManager-libreswan-1.2.22.tar.xz
a3ec22a8e76f3358d9f69dc505d22267e936dbae SOURCES/NetworkManager-libreswan-1.2.10.tar.xz

2
.gitignore vendored
Unescape View File

@ -1 +1 @@
SOURCES/NetworkManager-libreswan-1.2.22.tar.xz
SOURCES/NetworkManager-libreswan-1.2.10.tar.xz

24409
SOURCES/0001-po-import-translations-from-Red-Hat-translators.patch
View File

File diff suppressed because it is too large Load Diff

26
SOURCES/0002-properties-set-advanced-dialog-modal.patch
Unescape View File

@ -0,0 +1,26 @@
From eaf501ab7cb732a152097d2af5636b03fd3f029d Mon Sep 17 00:00:00 2001
From: Francesco Giudici <fgiudici@redhat.com>
Date: Mon, 15 Apr 2019 14:51:26 +0200
Subject: [PATCH] properties: set advanced dialog modal
https://bugzilla.redhat.com/show_bug.cgi?id=1697329
---
properties/nm-libreswan-dialog.ui | 2 ++
1 file changed, 2 insertions(+)
diff --git a/properties/nm-libreswan-dialog.ui b/properties/nm-libreswan-dialog.ui
index 73522d4..e355c08 100644
--- a/properties/nm-libreswan-dialog.ui
+++ b/properties/nm-libreswan-dialog.ui
@@ -451,6 +451,8 @@
<property name="can_focus">False</property>
<property name="border_width">12</property>
<property name="title" translatable="yes">IPsec Advanced Options</property>
+ <property name="modal">True</property>
+ <property name="destroy_with_parent">True</property>
<property name="type_hint">dialog</property>
<child internal-child="vbox">
<object class="GtkBox" id="dialog-vbox1">
--
2.20.1

68
SOURCES/0003-service-fix-wrong-refcounting-in-D-Bus-handler-for-C.patch
Unescape View File

@ -0,0 +1,68 @@
From 4be4c56b4f8a52b1cd5f8aadee273706c28ae332 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani <bgalvani@redhat.com>
Date: Sat, 13 Jan 2024 18:10:02 +0100
Subject: [PATCH 1/1] service: fix wrong refcounting in D-Bus handler for
Callback()
The Callback() D-Bus method is handled via a GDBus-generated skeleton
code in nm-libreswan-helper-service-dbus.c, function
_nmdbus_libreswan_helper_skeleton_handle_method_call(). The function
emits signal "handle-callback" to let the program handle the incoming
method. As documented in the GDoc comments, the signal handler must
return TRUE if it handles the call.
```
/**
* NMDBusLibreswanHelper::handle-callback:
* @object: A #NMDBusLibreswanHelper.
* @invocation: A #GDBusMethodInvocation.
* @arg_environment: Argument passed by remote caller.
* Signal emitted when a remote caller is invoking the Callback()
D-Bus method.
* If a signal handler returns %TRUE, it means the signal handler
will handle the invocation (e.g. take a reference to @invocation
and eventually call nmdbus_libreswan_helper_complete_callback()
or e.g. g_dbus_method_invocation_return_error() on it) and no
other signal handlers will run. If no signal handler handles the
invocation, the %G_DBUS_ERROR_UNKNOWN_METHOD error is returned.
* Returns: %G_DBUS_METHOD_INVOCATION_HANDLED or %TRUE if the
invocation was handled, %G_DBUS_METHOD_INVOCATION_UNHANDLED or
%FALSE to let other signal handlers run.
*/
```
At the moment, in case of error the handler first calls
nmdbus_libreswan_helper_complete_callback() which decreases the
refcount of "invocation", and then returns FALSE which tells the
skeleton code to return an error, also unreferencing the
invocation. This causes a crash.
Since the G_DBUS_METHOD_INVOCATION_HANDLED alias for TRUE is only
available since GLib 2.68 (while we target 2.36), just return TRUE.
Fixes: acb9eb9de50b ('service: process the configuration in the service, not the helper')
(cherry picked from commit 8ceb901719acac3778e1d76779d9c14289185157)
---
src/nm-libreswan-service.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
index fc470a6..4850729 100644
--- a/src/nm-libreswan-service.c
+++ b/src/nm-libreswan-service.c
@@ -1379,7 +1379,8 @@ out:
}
nmdbus_libreswan_helper_complete_callback (object, invocation);
- return success;
+
+ return TRUE;
}
/****************************************************************/
--
2.43.0

391
SOURCES/0001-ipsec-conf-escaping-cve-2024-9050.patch → SOURCES/0004-ipsec-conf-escaping-cve-2024-9050.patch
Unescape View File

@ -1,4 +1,4 @@
From f9f321fc00f9016569a592140d9e5a24f9c4db01 Mon Sep 17 00:00:00 2001
From dcf656747eece80e2534dc21b79c15e13bb28b5a Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Fri, 13 Sep 2024 14:49:12 +0200
Subject: [PATCH 1/6] shared/nm-glib: import newer g_steal_pointer()
@ -63,7 +63,7 @@ index 770cf0f..1b6487c 100644
--
2.46.0
From 72816f82b029063e4d8aaff6703f175da5232293 Mon Sep 17 00:00:00 2001
From 50b019de99a9005065db6d069167ffacbe62151b Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Tue, 17 Sep 2024 13:28:58 +0200
Subject: [PATCH 2/6] build: get rid of {properties,src}/libutils.la
@ -73,76 +73,49 @@ more complicated. Get rid of then, and just roll src/libutils.la.
[lkundrak@v3.sk: Backported from 1.24.0]
---
Makefile.am | 69 +++++++++++++++++++++--------------------------------
1 file changed, 27 insertions(+), 42 deletions(-)
Makefile.am | 47 ++++++++++++++++++-----------------------------
1 file changed, 18 insertions(+), 29 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 29084a9..d46cfcd 100644
index 8442d64..e2847d4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -33,6 +33,26 @@ nmvpnservice_DATA = nm-libreswan-service.name
@@ -53,23 +53,25 @@ common_CFLAGS = \
###############################################################################
-noinst_LTLIBRARIES += properties/libutils.la
+noinst_LTLIBRARIES += shared/libutils.la
+
-properties_libutils_la_SOURCES = \
- shared/utils.c \
- shared/utils.h \
- shared/nm-utils/nm-vpn-plugin-utils.c \
- shared/nm-utils/nm-vpn-plugin-utils.h \
+shared_libutils_la_SOURCES = \
+ shared/nm-utils/nm-shared-utils.c \
+ shared/nm-utils/nm-shared-utils.h \
shared/nm-utils/nm-shared-utils.c \
shared/nm-utils/nm-shared-utils.h \
+ shared/utils.c \
+ shared/utils.h \
+ shared/nm-service-defines.h
+
shared/nm-service-defines.h
-properties_libutils_la_CPPFLAGS = \
- -DNETWORKMANAGER_COMPILATION=NM_NETWORKMANAGER_COMPILATION_LIB_BASE \
- -DNM_PLUGIN_DIR=\"$(NM_PLUGIN_DIR)\" \
+shared_libutils_la_CFLAGS = \
+ -DPREFIX=\""$(prefix)"\" \
+ $(common_CFLAGS) \
+ $(LIBNM_CFLAGS)
+
$(common_CFLAGS) \
$(LIBNM_CFLAGS)
+shared_libutils_la_LIBADD = \
+ $(GLIB_LIBS) \
+ $(LIBNM_LIBS)
+
+###############################################################################
+
properties/resources.h: properties/gresource.xml
$(AM_V_GEN) $(GLIB_COMPILE_RESOURCES) $< --target=$@ --sourcedir=$(srcdir)/properties --generate-header --internal
@@ -53,10 +73,6 @@ gtk4/%.ui: properties/%.ui
EXTRA_DIST += \
gtk4/nm-libreswan-dialog.ui
-plugin_sources = \
- properties/nm-libreswan-editor-plugin.c \
- properties/nm-libreswan-editor-plugin.h
-
editor_sources = \
properties/nm-libreswan-editor.c \
properties/nm-libreswan-editor.h
@@ -68,23 +84,6 @@ common_CFLAGS = \
###############################################################################
-noinst_LTLIBRARIES += properties/libutils.la
-
-properties_libutils_la_SOURCES = \
- shared/utils.c \
- shared/utils.h \
- shared/nm-utils/nm-vpn-plugin-utils.c \
- shared/nm-utils/nm-vpn-plugin-utils.h \
- shared/nm-utils/nm-shared-utils.c \
- shared/nm-utils/nm-shared-utils.h \
- shared/nm-service-defines.h
-
-properties_libutils_la_CPPFLAGS = \
- -DPREFIX=\""$(prefix)"\" \
- -DNETWORKMANAGER_COMPILATION=NM_NETWORKMANAGER_COMPILATION_LIB_BASE \
- $(common_CFLAGS) \
- $(LIBNM_CFLAGS)
-
plugin_LTLIBRARIES += properties/libnm-vpn-plugin-libreswan.la
properties_libnm_vpn_plugin_libreswan_la_CFLAGS = \
@@ -93,10 +92,13 @@ properties_libnm_vpn_plugin_libreswan_la_CFLAGS = \
@@ -79,10 +81,13 @@ properties_libnm_vpn_plugin_libreswan_la_CFLAGS = \
$(LIBNM_CFLAGS)
properties_libnm_vpn_plugin_libreswan_la_SOURCES = \
@ -158,15 +131,7 @@ index 29084a9..d46cfcd 100644
$(LIBNM_LIBS) \
$(DL_LIBS)
@@ -198,7 +200,6 @@ auth_dialog_nm_libreswan_auth_dialog_LDADD = \
src_cppflags = \
-DBINDIR=\"$(bindir)\" \
- -DPREFIX=\""$(prefix)"\" \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DLOCALSTATEDIR=\""$(localstatedir)"\" \
@@ -230,22 +231,6 @@ src/nm-libreswan-helper-service-dbus.h: src/nm-libreswan-helper-service.xml
@@ -216,22 +221,6 @@ src/nm-libreswan-helper-service-dbus.h: src/nm-libreswan-helper-service.xml
src/nm-libreswan-helper-service-dbus.c: src/nm-libreswan-helper-service-dbus.h
@true
@ -189,7 +154,7 @@ index 29084a9..d46cfcd 100644
###############################################################################
libexec_PROGRAMS += src/nm-libreswan-service
@@ -255,7 +240,7 @@ src_nm_libreswan_service_CPPFLAGS = \
@@ -241,7 +230,7 @@ src_nm_libreswan_service_CPPFLAGS = \
src_nm_libreswan_service_LDADD = \
src/libnm-libreswan-helper-service-dbus.la \
@ -198,7 +163,7 @@ index 29084a9..d46cfcd 100644
$(GLIB_LIBS) \
$(LIBNM_LIBS) \
$(LIBNL_LIBS) \
@@ -272,7 +257,7 @@ src_nm_libreswan_service_helper_CPPFLAGS = \
@@ -258,7 +247,7 @@ src_nm_libreswan_service_helper_CPPFLAGS = \
src_nm_libreswan_service_helper_LDADD = \
src/libnm-libreswan-helper-service-dbus.la \
@ -210,7 +175,7 @@ index 29084a9..d46cfcd 100644
--
2.46.0
From cf9777bd065ddc40c627e1d994432e95b1e70a82 Mon Sep 17 00:00:00 2001
From a076344da47a3ec930f01d7b70d1929431c301cc Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Mon, 23 Sep 2024 11:39:22 +0200
Subject: [PATCH 3/6] shared/test-utils: cover config write with unit tests
@ -226,10 +191,10 @@ cases.
create mode 100644 shared/test-utils.c
diff --git a/Makefile.am b/Makefile.am
index d46cfcd..3f4e85c 100644
index e2847d4..d97d3c3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -21,6 +21,8 @@ libexec_PROGRAMS =
@@ -19,6 +19,8 @@ libexec_PROGRAMS =
noinst_PROGRAMS =
@ -238,7 +203,7 @@ index d46cfcd..3f4e85c 100644
SUBDIRS = po man
###############################################################################
@@ -51,6 +53,20 @@ shared_libutils_la_LIBADD = \
@@ -70,6 +72,20 @@ shared_libutils_la_LIBADD = \
$(GLIB_LIBS) \
$(LIBNM_LIBS)
@ -258,7 +223,7 @@ index d46cfcd..3f4e85c 100644
+
###############################################################################
properties/resources.h: properties/gresource.xml
plugin_LTLIBRARIES += properties/libnm-vpn-plugin-libreswan.la
diff --git a/shared/test-utils.c b/shared/test-utils.c
new file mode 100644
index 0000000..82ee933
@ -395,7 +360,7 @@ index 0000000..82ee933
--
2.46.0
From 2b07bfeec5e67cbdce9b23b7c0648cb0ee55416d Mon Sep 17 00:00:00 2001
From 486c9e7a8517a1f376cd9f290e2e16298770e004 Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Sun, 22 Sep 2024 14:20:22 +0200
Subject: [PATCH 4/6] all: rework formatting of ipsec.conf
@ -411,27 +376,24 @@ https://issues.redhat.com/browse/RHEL-59565
[lkundrak@v3.sk: Backported from 1.24.0]
---
properties/nm-libreswan-editor-plugin.c | 30 +-
shared/test-utils.c | 97 +----
shared/utils.c | 491 ++++++++++++++----------
shared/utils.h | 28 +-
src/nm-libreswan-service.c | 183 +++++----
5 files changed, 423 insertions(+), 406 deletions(-)
properties/nm-libreswan-editor-plugin.c | 29 +-
shared/test-utils.c | 99 ++----
shared/utils.c | 407 ++++++++++++++----------
shared/utils.h | 26 +-
src/nm-libreswan-service.c | 176 +++++-----
5 files changed, 375 insertions(+), 362 deletions(-)
diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c
index fe473d1..9393212 100644
index d6b63f2..6f23936 100644
--- a/properties/nm-libreswan-editor-plugin.c
+++ b/properties/nm-libreswan-editor-plugin.c
@@ -286,19 +286,11 @@ export_to_file (NMVpnEditorPlugin *self,
@@ -266,38 +266,25 @@ export_to_file (NMVpnEditorPlugin *self,
{
NMSettingVpn *s_vpn;
gboolean openswan = FALSE;
- int fd, errsv;
gs_free_error GError *local = NULL;
+ gs_free char *ipsec_conf = NULL;
gboolean is_openswan;
int version;
-
- fd = g_open (path, O_WRONLY | O_CREAT, 0666);
- if (fd == -1) {
- errsv = errno;
@ -439,16 +401,13 @@ index fe473d1..9393212 100644
- _("Cant open file “%s”: %s"), path, g_strerror (errsv));
- return FALSE;
- }
-
+ gs_free char *ipsec_conf = NULL;
s_vpn = nm_connection_get_setting_vpn (connection);
if (s_vpn)
openswan = nm_streq (nm_setting_vpn_get_service_type (s_vpn), NM_VPN_SERVICE_TYPE_OPENSWAN);
@@ -306,24 +298,18 @@ export_to_file (NMVpnEditorPlugin *self,
nm_libreswan_detect_version (nm_libreswan_find_helper_bin ("ipsec", NULL),
&is_openswan, &version, NULL);
- if (!nm_libreswan_config_write (fd,
- version,
- connection,
- nm_connection_get_id (connection),
- NULL,
@ -457,7 +416,7 @@ index fe473d1..9393212 100644
- NULL,
- &local)) {
- g_close (fd, NULL);
+ ipsec_conf = nm_libreswan_get_ipsec_conf (version, s_vpn,
+ ipsec_conf = nm_libreswan_get_ipsec_conf (s_vpn,
+ nm_connection_get_id (connection),
+ NULL, openswan, TRUE, error);
+ if (ipsec_conf == NULL)
@ -476,7 +435,7 @@ index fe473d1..9393212 100644
}
diff --git a/shared/test-utils.c b/shared/test-utils.c
index 82ee933..49aa32a 100644
index 82ee933..965daef 100644
--- a/shared/test-utils.c
+++ b/shared/test-utils.c
@@ -2,117 +2,60 @@
@ -548,7 +507,7 @@ index 82ee933..49aa32a 100644
+ s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "right", "11.12.13.14");
- str = _setting_into_ipsec_conf (s_vpn, "con_name", &error);
+ str = nm_libreswan_get_ipsec_conf (4, s_vpn, "con_name", NULL, FALSE, TRUE, &error);
+ str = nm_libreswan_get_ipsec_conf (s_vpn, "con_name", NULL, FALSE, TRUE, &error);
g_assert_no_error (error);
g_assert_cmpstr (str, ==,
"conn con_name\n"
@ -562,7 +521,8 @@ index 82ee933..49aa32a 100644
- " modecfgpull=yes\n"
" rightsubnet=0.0.0.0/0\n"
" leftxauthclient=yes\n"
" remote-peer-type=cisco\n"
- " remote-peer-type=cisco\n"
+ " remote_peer_type=cisco\n"
" rightxauthserver=yes\n"
" ikelifetime=24h\n"
" salifetime=24h\n"
@ -585,7 +545,7 @@ index 82ee933..49aa32a 100644
- str = _setting_into_ipsec_conf (s_vpn,
- "f0008435-07af-4836-a53d-b43e8730e68f",
- &error);
+ str = nm_libreswan_get_ipsec_conf (4, s_vpn,
+ str = nm_libreswan_get_ipsec_conf (s_vpn,
+ "f0008435-07af-4836-a53d-b43e8730e68f",
+ NULL, FALSE, TRUE, &error);
g_assert_no_error (error);
@ -618,10 +578,10 @@ index 82ee933..49aa32a 100644
}
diff --git a/shared/utils.c b/shared/utils.c
index 65bc603..2482311 100644
index 36af877..7533f7f 100644
--- a/shared/utils.c
+++ b/shared/utils.c
@@ -30,82 +30,109 @@
@@ -30,81 +30,108 @@
#include <string.h>
#include <errno.h>
@ -697,7 +657,6 @@ index 65bc603..2482311 100644
-gboolean
-nm_libreswan_config_write (gint fd,
- int ipsec_version,
- NMConnection *connection,
- const char *con_name,
- const char *leftupdown_script,
@ -774,8 +733,7 @@ index 65bc603..2482311 100644
+}
+
+char *
+nm_libreswan_get_ipsec_conf (int ipsec_version,
+ NMSettingVpn *s_vpn,
+nm_libreswan_get_ipsec_conf (NMSettingVpn *s_vpn,
+ const char *con_name,
+ const char *leftupdown_script,
+ gboolean openswan,
@ -792,8 +750,8 @@ index 65bc603..2482311 100644
+ const char *right;
const char *leftid;
const char *leftcert;
const char *rightcert;
@@ -116,129 +143,176 @@ nm_libreswan_config_write (gint fd,
const char *leftrsasigkey;
@@ -112,122 +139,158 @@ nm_libreswan_config_write (gint fd,
const char *remote_network;
const char *ikev2 = NULL;
const char *rightid;
@ -802,8 +760,6 @@ index 65bc603..2482311 100644
- const char *fragmentation;
- const char *mobike;
const char *pfs;
const char *client_family;
const char *item;
gboolean is_ikev2 = FALSE;
- g_return_val_if_fail (fd > 0, FALSE);
@ -889,41 +845,9 @@ index 65bc603..2482311 100644
+ }
}
- item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_HOSTADDRFAMILY);
- if (item && strlen (item))
- WRITE_CHECK (fd, debug_write_fcn, error, " hostaddrfamily=%s", item);
+ if (!optional_printable (ipsec_conf, s_vpn, NM_LIBRESWAN_KEY_HOSTADDRFAMILY, error))
+ return FALSE;
client_family = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_CLIENTADDRFAMILY);
- if (client_family && strlen (client_family))
- WRITE_CHECK (fd, debug_write_fcn, error, " clientaddrfamily=%s", client_family);
+ if (client_family && client_family[0] != '\0') {
+ g_string_append (ipsec_conf, " clientaddrfamily=");
+ if (!printable_val (ipsec_conf, client_family, error)) {
+ g_prefix_error (error, _("Invalid value for '%s': "),
+ NM_LIBRESWAN_KEY_CLIENTADDRFAMILY);
+ return FALSE;
+ }
+ }
leftrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTRSASIGKEY);
rightrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTRSASIGKEY);
leftcert = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTCERT);
rightcert = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT);
authby = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_AUTHBY);
- if (rightcert && strlen (rightcert)) {
- WRITE_CHECK (fd, debug_write_fcn, error, " rightcert=%s", rightcert);
+ if (rightcert && rightcert[0] != '\0') {
+ g_string_append (ipsec_conf, " rightcert=");
+ if (!string_val (ipsec_conf, rightcert, error)) {
+ g_prefix_error (error, _("Invalid value for '%s': "),
+ NM_LIBRESWAN_KEY_RIGHTCERT);
+ return FALSE;
+ }
if (!rightrsasigkey)
rightrsasigkey = "%cert";
}
- if (leftcert && strlen (leftcert)) {
- WRITE_CHECK (fd, debug_write_fcn, error, " leftcert=%s", leftcert);
+ if (leftcert && leftcert[0] != '\0') {
@ -942,24 +866,17 @@ index 65bc603..2482311 100644
- WRITE_CHECK (fd, debug_write_fcn, error, " leftrsasigkey=%s", leftrsasigkey);
- if (rightrsasigkey && strlen (rightrsasigkey))
- WRITE_CHECK (fd, debug_write_fcn, error, " rightrsasigkey=%s", rightrsasigkey);
- if ( !(leftrsasigkey && strlen (leftrsasigkey))
- && !(rightrsasigkey && strlen (rightrsasigkey))) {
- WRITE_CHECK (fd, debug_write_fcn, error, " authby=secret");
+ if (!optional_string_val (ipsec_conf, NM_LIBRESWAN_KEY_LEFTRSASIGKEY, leftrsasigkey, error))
+ return FALSE;
+ if (!optional_string_val (ipsec_conf, NM_LIBRESWAN_KEY_RIGHTRSASIGKEY, rightrsasigkey, error))
+ return FALSE;
- if (authby && strlen (authby)) {
- WRITE_CHECK (fd, debug_write_fcn, error, " authby=%s", authby);
- } else if ( !(leftrsasigkey && strlen (leftrsasigkey))
- && !(rightrsasigkey && strlen (rightrsasigkey))) {
- WRITE_CHECK (fd, debug_write_fcn, error, " authby=secret");
+ if (authby == NULL || authby[0] == '\0') {
+ if ( !(leftrsasigkey && leftrsasigkey[0] != '\0')
+ && !(rightrsasigkey && rightrsasigkey[0] != '\0')) {
+ authby = "secret";
+ }
+ g_string_append (ipsec_conf, " authby=secret\n");
}
+ if (!optional_printable_val (ipsec_conf, NM_LIBRESWAN_KEY_AUTHBY, authby, error))
+ return FALSE;
left = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFT);
- if (left && strlen (left))
@ -975,18 +892,11 @@ index 65bc603..2482311 100644
+ return FALSE;
+ }
item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTMODECFGCLIENT);
if (nm_streq0 (item, "no")) {
- WRITE_CHECK (fd, debug_write_fcn, error, " leftmodecfgclient=no");
+ g_string_append (ipsec_conf, " leftmodecfgclient=no\n");
} else {
- WRITE_CHECK (fd, debug_write_fcn, error, " leftmodecfgclient=yes");
+ g_string_append (ipsec_conf, " leftmodecfgclient=yes\n");
}
- if (leftupdown_script)
- WRITE_CHECK (fd, debug_write_fcn, error, " leftupdown=%s", leftupdown_script);
-
+ g_string_append (ipsec_conf, " leftmodecfgclient=yes\n");
- WRITE_CHECK (fd, debug_write_fcn, error, " right=%s", nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHT));
rightid = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTID);
- if (rightid && strlen (rightid)) {
@ -1010,47 +920,23 @@ index 65bc603..2482311 100644
}
- WRITE_CHECK (fd, debug_write_fcn, error, " rightmodecfgserver=yes");
- WRITE_CHECK (fd, debug_write_fcn, error, " modecfgpull=yes");
-
local_network = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LOCALNETWORK);
if (local_network) {
- WRITE_CHECK (fd, debug_write_fcn, error, " leftsubnet=%s", local_network);
+ g_string_append (ipsec_conf, " leftsubnet=");
+ if (!printable_val (ipsec_conf, local_network, error)) {
+ g_prefix_error (error, _("Invalid value for '%s': "),
+ NM_LIBRESWAN_KEY_LOCALNETWORK);
+ return FALSE;
+ }
}
remote_network = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_REMOTENETWORK);
- if (!remote_network || !strlen (remote_network)) {
+ if (!remote_network || remote_network[0] == '\0') {
int addr_family = AF_UNSPEC;
/* Detect the address family of the remote subnet. We use in order:
@@ -259,43 +333,50 @@ nm_libreswan_config_write (gint fd,
}
if (addr_family == AF_INET6) {
- WRITE_CHECK (fd, debug_write_fcn, error, " rightsubnet=::/0");
+ remote_network = "::/0";
} else {
/* For backwards compatibility, if we can't determine the family
* assume it's IPv4. Anyway, in the future we need to stop adding
* the option automatically. */
- remote_network = nm_setting_vpn_get_data_item (s_vpn,
- NM_LIBRESWAN_KEY_REMOTENETWORK);
- if (!remote_network || !strlen (remote_network))
- WRITE_CHECK (fd, debug_write_fcn, error, " rightsubnet=0.0.0.0/0");
- else
- WRITE_CHECK (fd, debug_write_fcn, error, " rightsubnet=%s",
- remote_network);
+ remote_network = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_REMOTENETWORK);
+ if (!remote_network || remote_network[0] == '\0')
+ remote_network = "0.0.0.0/0";
}
- } else {
- WRITE_CHECK (fd, debug_write_fcn, error, " rightsubnet=%s", remote_network);
+ }
+ g_string_append (ipsec_conf, " rightsubnet=");
+ if (!printable_val (ipsec_conf, remote_network, error)) {
+ g_prefix_error (error, _("Invalid value for '%s': "),
+ NM_LIBRESWAN_KEY_REMOTENETWORK);
+ return FALSE;
}
+ }
if (!is_ikev2) {
/* When IKEv1 is in place, we enforce XAUTH: so, use IKE version
@ -1061,39 +947,24 @@ index 65bc603..2482311 100644
- default_username = nm_setting_vpn_get_user_name (s_vpn);
- props_username = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTXAUTHUSER);
- if (!props_username)
- props_username = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTUSERNAME);
- if (props_username && strlen (props_username))
- WRITE_CHECK (fd, debug_write_fcn, error,
- ipsec_version >= 4 ? " leftusername=%s" : " leftxauthusername=%s",
- props_username);
- WRITE_CHECK (fd, debug_write_fcn, error, " leftxauthusername=%s", props_username);
- else if (default_username && strlen (default_username))
- WRITE_CHECK (fd, debug_write_fcn, error,
- ipsec_version >= 4 ? " leftusername=%s" : " leftxauthusername=%s",
- default_username);
- WRITE_CHECK (fd, debug_write_fcn, error, " leftxauthusername=%s", default_username);
+ username = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTXAUTHUSER);
+ if (username == NULL || username[0] == '\0')
+ username = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTUSERNAME);
+ if (username == NULL || username[0] == '\0')
+ username = nm_setting_vpn_get_user_name (s_vpn);
+ if (username != NULL && username[0] != '\0') {
+ g_string_append (ipsec_conf,
+ ipsec_version >= 4 ?
+ " leftusername=" :
+ " leftxauthusername=");
+ g_string_append (ipsec_conf, " leftxauthusername=");
+ if (!string_val (ipsec_conf, username, error)) {
+ g_prefix_error (error, _("Invalid username: "));
+ return FALSE;
+ }
+ }
- WRITE_CHECK (fd, debug_write_fcn, error,
- ipsec_version >= 4 ? " remote-peer-type=cisco" : " remote_peer_type=cisco");
- WRITE_CHECK (fd, debug_write_fcn, error, " remote_peer_type=cisco");
- WRITE_CHECK (fd, debug_write_fcn, error, " rightxauthserver=yes");
+ g_string_append (ipsec_conf,
+ ipsec_version >= 4 ?
+ " remote-peer-type=cisco\n" :
+ " remote_peer_type=cisco\n");
+ g_string_append (ipsec_conf, " remote_peer_type=cisco\n");
+ g_string_append (ipsec_conf, " rightxauthserver=yes\n");
}
@ -1102,7 +973,7 @@ index 65bc603..2482311 100644
/* When the crypto is unspecified, let Libreswan use many sets of crypto
* proposals (just leave the property unset). An exception should be made
* for IKEv1 connections in aggressive mode: there the DH group in the crypto
@@ -304,84 +385,80 @@ nm_libreswan_config_write (gint fd,
@@ -236,62 +299,70 @@ nm_libreswan_config_write (gint fd,
* force the best proposal that should be accepted by all obsolete VPN SW/HW
* acting as a remote access VPN server.
*/
@ -1191,16 +1062,8 @@ index 65bc603..2482311 100644
+ return FALSE;
+ if (!optional_printable (ipsec_conf, s_vpn, NM_LIBRESWAN_KEY_MOBIKE, error))
+ return FALSE;
+ if (!optional_printable (ipsec_conf, s_vpn, NM_LIBRESWAN_KEY_DPDDELAY, error))
+ return FALSE;
+ if (!optional_printable (ipsec_conf, s_vpn, NM_LIBRESWAN_KEY_DPDTIMEOUT, error))
+ return FALSE;
+ if (!optional_printable (ipsec_conf, s_vpn, NM_LIBRESWAN_KEY_DPDACTION, error))
+ return FALSE;
+ if (!optional_printable (ipsec_conf, s_vpn, NM_LIBRESWAN_KEY_IPSEC_INTERFACE, error))
+ return FALSE;
+ if (!optional_printable (ipsec_conf, s_vpn, NM_LIBRESWAN_KEY_TYPE, error))
+ return FALSE;
- narrowing = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_NARROWING);
- if (narrowing && strlen (narrowing))
@ -1218,26 +1081,6 @@ index 65bc603..2482311 100644
- if (mobike && strlen (mobike))
- WRITE_CHECK (fd, debug_write_fcn, error, " mobike=%s", mobike);
-
- item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_DPDDELAY);
- if (item && strlen (item))
- WRITE_CHECK (fd, debug_write_fcn, error, " dpddelay=%s", item);
-
- item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_DPDTIMEOUT);
- if (item && strlen (item))
- WRITE_CHECK (fd, debug_write_fcn, error, " dpdtimeout=%s", item);
-
- item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_DPDACTION);
- if (item && strlen (item))
- WRITE_CHECK (fd, debug_write_fcn, error, " dpdaction=%s", item);
-
- item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_IPSEC_INTERFACE);
- if (item && strlen (item))
- WRITE_CHECK (fd, debug_write_fcn, error, " ipsec-interface=%s", item);
-
- item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_TYPE);
- if (item && strlen (item))
- WRITE_CHECK (fd, debug_write_fcn, error, " type=%s", item);
-
- WRITE_CHECK (fd, debug_write_fcn, error, " nm-configured=yes");
-
- WRITE_CHECK_NEWLINE (fd, trailing_newline, debug_write_fcn, error, " auto=add");
@ -1245,13 +1088,11 @@ index 65bc603..2482311 100644
- return TRUE;
+ return g_string_free (g_steal_pointer (&ipsec_conf), FALSE);
}
static const char *
diff --git a/shared/utils.h b/shared/utils.h
index 7e89841..2e2450c 100644
index b5d8f53..839c03a 100644
--- a/shared/utils.h
+++ b/shared/utils.h
@@ -24,27 +24,13 @@
@@ -24,26 +24,12 @@
#ifndef __UTILS_H__
#define __UTILS_H__
@ -1268,7 +1109,6 @@ index 7e89841..2e2450c 100644
-
-gboolean
-nm_libreswan_config_write (gint fd,
- int ipsec_version,
- NMConnection *connection,
- const char *con_name,
- const char *leftupdown_script,
@ -1276,8 +1116,7 @@ index 7e89841..2e2450c 100644
- gboolean trailing_newline,
- NMDebugWriteFcn debug_write_fcn,
- GError **error);
+char *nm_libreswan_get_ipsec_conf (int ipsec_version,
+ NMSettingVpn *s_vpn,
+char *nm_libreswan_get_ipsec_conf (NMSettingVpn *s_vpn,
+ const char *con_name,
+ const char *leftupdown_script,
+ gboolean openswan,
@ -1287,10 +1126,10 @@ index 7e89841..2e2450c 100644
static inline gboolean
nm_libreswan_utils_setting_is_ikev2 (NMSettingVpn *s_vpn, const char **out_ikev2)
diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
index e5956af..35f602c 100644
index e69deb8..24108f6 100644
--- a/src/nm-libreswan-service.c
+++ b/src/nm-libreswan-service.c
@@ -101,12 +101,13 @@ typedef struct {
@@ -103,6 +103,8 @@ typedef struct {
const char *whack_path;
char *secrets_path;
@ -1299,13 +1138,7 @@ index e5956af..35f602c 100644
gboolean openswan;
gboolean interactive;
gboolean pending_auth;
gboolean managed;
gboolean xauth_enabled;
- int version;
GPid pid;
guint watch_id;
@@ -152,12 +153,6 @@ _LOGD_enabled (void)
@@ -153,12 +155,6 @@ _LOGD_enabled (void)
#define _LOGW(...) _NMLOG(LOG_WARNING, __VA_ARGS__)
#define _LOGE(...) _NMLOG(LOG_EMERG, __VA_ARGS__)
@ -1317,8 +1150,8 @@ index e5956af..35f602c 100644
-
/****************************************************************/
static gboolean pr_cb (GIOChannel *source, GIOCondition condition, gpointer user_data);
@@ -666,9 +661,9 @@ nm_libreswan_config_psk_write (NMSettingVpn *s_vpn,
guint32
@@ -726,9 +722,9 @@ nm_libreswan_config_psk_write (NMSettingVpn *s_vpn,
GError **error)
{
const char *pw_type, *psk, *leftid, *right;
@ -1331,7 +1164,7 @@ index e5956af..35f602c 100644
/* Check for ignored group password */
pw_type = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_PSK_INPUT_MODES);
@@ -679,47 +674,32 @@ nm_libreswan_config_psk_write (NMSettingVpn *s_vpn,
@@ -739,47 +735,32 @@ nm_libreswan_config_psk_write (NMSettingVpn *s_vpn,
if (!psk)
return TRUE;
@ -1399,7 +1232,7 @@ index e5956af..35f602c 100644
}
/****************************************************************/
@@ -1766,6 +1746,44 @@ done:
@@ -1547,6 +1528,44 @@ done:
return success ? G_SOURCE_CONTINUE : G_SOURCE_REMOVE;
}
@ -1444,7 +1277,7 @@ index e5956af..35f602c 100644
static gboolean
connect_step (NMLibreswanPlugin *self, GError **error)
{
@@ -1848,37 +1866,12 @@ connect_step (NMLibreswanPlugin *self, GError **error)
@@ -1629,36 +1648,12 @@ connect_step (NMLibreswanPlugin *self, GError **error)
return TRUE;
case CONNECT_STEP_CONFIG_ADD: {
@ -1471,7 +1304,6 @@ index e5956af..35f602c 100644
- bus_name);
-
- if (!nm_libreswan_config_write (fd,
- priv->version,
- priv->connection,
- uuid,
- ifupdown_script,
@ -1483,14 +1315,14 @@ index e5956af..35f602c 100644
g_close (fd, NULL);
return FALSE;
}
@@ -1928,19 +1921,31 @@ _connect_common (NMVpnServicePlugin *plugin,
@@ -1721,12 +1716,24 @@ _connect_common (NMVpnServicePlugin *plugin,
NMLibreswanPluginPrivate *priv = NM_LIBRESWAN_PLUGIN_GET_PRIVATE (self);
NMSettingVpn *s_vpn;
const char *con_name = nm_connection_get_uuid (connection);
gs_free char *ipsec_banner = NULL;
+ gs_free char *ipsec_banner = NULL;
+ gs_free char *ifupdown_script = NULL;
+ gs_free char *bus_name = NULL;
+ gboolean trailing_newline;
+ int version;
if (_LOGD_enabled ()) {
_LOGD ("connection:");
@ -1505,19 +1337,10 @@ index e5956af..35f602c 100644
+ return FALSE;
+ }
+
priv->ipsec_path = nm_libreswan_find_helper_bin ("ipsec", error);
priv->ipsec_path = find_helper_bin ("ipsec", error);
if (!priv->ipsec_path)
return FALSE;
- nm_libreswan_detect_version (priv->ipsec_path, &priv->openswan, &priv->version, &ipsec_banner);
+ nm_libreswan_detect_version (priv->ipsec_path, &priv->openswan, &version, &ipsec_banner);
_LOGD ("ipsec: version banner: %s", ipsec_banner);
- _LOGD ("ipsec: detected version %d (%s)", priv->version, priv->openswan ? "Openswan" : "Libreswan");
+ _LOGD ("ipsec: detected version %d (%s)", version, priv->openswan ? "Openswan" : "Libreswan");
if (!priv->openswan) {
priv->pluto_path = nm_libreswan_find_helper_libexec ("pluto", error);
@@ -1960,13 +1965,31 @@ _connect_common (NMVpnServicePlugin *plugin,
@@ -1750,13 +1757,30 @@ _connect_common (NMVpnServicePlugin *plugin,
if (!nm_libreswan_secrets_validate (s_vpn, error))
return FALSE;
@ -1542,8 +1365,7 @@ index e5956af..35f602c 100644
+
+ /* Compose the ipsec.conf early, to catch configuration errors before
+ * we initiate the conneciton. */
+ priv->ipsec_conf = nm_libreswan_get_ipsec_conf (version,
+ s_vpn,
+ priv->ipsec_conf = nm_libreswan_get_ipsec_conf (s_vpn,
+ con_name,
+ ifupdown_script,
+ priv->openswan,
@ -1555,7 +1377,7 @@ index e5956af..35f602c 100644
/* XAUTH is not part of the IKEv2 standard and we always enforce it in IKEv1 */
priv->xauth_enabled = !nm_libreswan_utils_setting_is_ikev2 (s_vpn, NULL);
@@ -2141,6 +2164,7 @@ real_disconnect (NMVpnServicePlugin *plugin, GError **error)
@@ -1928,6 +1952,7 @@ real_disconnect (NMVpnServicePlugin *plugin, GError **error)
priv->watch_id = g_child_watch_add (priv->pid, child_watch_cb, plugin);
g_clear_object (&priv->connection);
@ -1563,7 +1385,7 @@ index e5956af..35f602c 100644
return ret;
}
@@ -2173,6 +2197,7 @@ finalize (GObject *object)
@@ -1960,6 +1985,7 @@ finalize (GObject *object)
{
NMLibreswanPluginPrivate *priv = NM_LIBRESWAN_PLUGIN_GET_PRIVATE (object);
@ -1574,7 +1396,7 @@ index e5956af..35f602c 100644
--
2.46.0
From 8cbc188222d6a3dcff7ed937d44415f75e34b503 Mon Sep 17 00:00:00 2001
From b3ab419db37186d2e888cfe1d91ca0a82c0be884 Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Tue, 24 Sep 2024 10:55:02 +0200
Subject: [PATCH 6/6] shared/test-utils: add more test cases
@ -1583,11 +1405,11 @@ Test ipsec.conf formatting more thoroughly, include negative cases.
[lkundrak@v3.sk: Backported from 1.24.0]
---
shared/test-utils.c | 82 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 82 insertions(+)
shared/test-utils.c | 81 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 81 insertions(+)
diff --git a/shared/test-utils.c b/shared/test-utils.c
index 49aa32a..0a92d2b 100644
index 965daef..35d9a76 100644
--- a/shared/test-utils.c
+++ b/shared/test-utils.c
@@ -2,6 +2,8 @@
@ -1599,7 +1421,7 @@ index 49aa32a..0a92d2b 100644
static void
test_config_write (void)
{
@@ -57,6 +59,86 @@ test_config_write (void)
@@ -57,6 +59,85 @@ test_config_write (void)
" rightmodecfgserver=yes\n"
" modecfgpull=yes\n");
g_free (str);
@ -1609,7 +1431,7 @@ index 49aa32a..0a92d2b 100644
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "leftrsasigkey", "hello");
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "rightrsasigkey", "world");
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "right", "11.12.13.14");
+ str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error);
+ str = nm_libreswan_get_ipsec_conf (s_vpn, "conn", NULL, FALSE, TRUE, &error);
+ g_assert_no_error (error);
+ g_assert_cmpstr (str, ==,
+ "conn conn\n"
@ -1626,10 +1448,9 @@ index 49aa32a..0a92d2b 100644
+ " modecfgpull=yes\n");
+ g_free (str);
+
+
+ s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "right", "11.12.13.14");
+ str = nm_libreswan_get_ipsec_conf (3, s_vpn,
+ str = nm_libreswan_get_ipsec_conf (s_vpn,
+ "my_con",
+ "/foo/bar/ifupdown hello 123 456",
+ TRUE, FALSE, &error);
@ -1657,7 +1478,7 @@ index 49aa32a..0a92d2b 100644
+ g_free (str);
+
+ s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error);
+ str = nm_libreswan_get_ipsec_conf (s_vpn, "conn", NULL, FALSE, TRUE, &error);
+ g_assert_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT);
+ g_assert_null (str);
+ g_clear_error (&error);
@ -1665,21 +1486,21 @@ index 49aa32a..0a92d2b 100644
+ s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "right", "11.12.13.14");
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "ikev2", "hello world");
+ str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error);
+ str = nm_libreswan_get_ipsec_conf (s_vpn, "conn", NULL, FALSE, TRUE, &error);
+ g_assert_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT);
+ g_assert_null (str);
+ g_clear_error (&error);
+
+ s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "right", "11.12\n13.14");
+ str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error);
+ str = nm_libreswan_get_ipsec_conf (s_vpn, "conn", NULL, FALSE, TRUE, &error);
+ g_assert_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT);
+ g_assert_null (str);
+ g_clear_error (&error);
+
+ s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "rightcert", "\"cert\"");
+ str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error);
+ str = nm_libreswan_get_ipsec_conf (s_vpn, "conn", NULL, FALSE, TRUE, &error);
+ g_assert_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT);
+ g_assert_null (str);
+ g_clear_error (&error);

131
SPECS/NetworkManager-libreswan.spec
Unescape View File

@ -1,37 +1,26 @@
%if 0%{?fedora} < 28 && 0%{?rhel} < 8
%bcond_without libnm_glib
%else
# Disable the legacy version by default
%bcond_with libnm_glib
%endif
%if 0%{?fedora} < 36 && 0%{?rhel} < 10
%bcond_with gtk4
%else
%bcond_without gtk4
%endif
%global real_version 1.2.22
%global rpm_version 1.2.22
%global release_version 4
%global real_version_major %(printf '%s' '%{real_version}' | sed -n 's/^\\([1-9][0-9]*\\.[1-9][0-9]*\\)\\.[1-9][0-9]*$/\\1/p')
%global nm_version 1:1.2.0
%global nma_version 1.2.0
Summary: NetworkManager VPN plug-in for IPsec VPN
Name: NetworkManager-libreswan
Version: %{rpm_version}
Release: %{release_version}%{?dist}
Version: 1.2.10
Release: 7%{?dist}
License: GPLv2+
URL: http://www.gnome.org/projects/NetworkManager/
Source0: https://download.gnome.org/sources/NetworkManager-libreswan/%{real_version_major}/%{name}-%{real_version}.tar.xz
# Patch1: 0001-some.patch
Patch1: 0001-ipsec-conf-escaping-cve-2024-9050.patch
Group: System Environment/Base
Source0: https://download.gnome.org/sources/NetworkManager-libreswan/1.2/%{name}-%{version}.tar.xz
Patch0: 0001-po-import-translations-from-Red-Hat-translators.patch
Patch1: 0002-properties-set-advanced-dialog-modal.patch
Patch2: 0003-service-fix-wrong-refcounting-in-D-Bus-handler-for-C.patch
Patch3: 0004-ipsec-conf-escaping-cve-2024-9050.patch
BuildRequires: make
BuildRequires: gcc
BuildRequires: gtk3-devel
BuildRequires: libnl3-devel
BuildRequires: NetworkManager-libnm-devel >= %{nm_version}
@ -45,10 +34,6 @@ BuildRequires: NetworkManager-glib-devel >= %{nm_version}
BuildRequires: libnm-gtk-devel >= %{nma_version}
%endif
%if %with gtk4
BuildRequires: libnma-gtk4-devel
%endif
Requires: NetworkManager >= %{nm_version}
Requires: dbus
Requires: /usr/sbin/ipsec
@ -60,14 +45,13 @@ Obsoletes: NetworkManager-openswan < %{version}-%{release}
%global __provides_exclude ^(%{_privatelibs})$
%global __requires_exclude ^(%{_privatelibs})$
%description
This package contains software for integrating the libreswan VPN software
with NetworkManager and the GNOME desktop
%package -n NetworkManager-libreswan-gnome
Summary: NetworkManager VPN plugin for libreswan - GNOME files
Group: System Environment/Base
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: shared-mime-info
@ -79,17 +63,12 @@ Obsoletes: NetworkManager-openswan-gnome < %{version}-%{release}
This package contains software for integrating VPN capabilities with
the libreswan server with NetworkManager (GNOME files).
%prep
%autosetup -p1 -n "%{name}-%{real_version}"
%autosetup -p1 -n %{name}-%{version}
%build
%configure \
--disable-static \
%if %with gtk4
--with-gtk4 \
%endif
%if %without libnm_glib
--without-libnm-glib \
%endif
@ -97,13 +76,18 @@ the libreswan server with NetworkManager (GNOME files).
--with-dist-version=%{version}-%{release}
make %{?_smp_mflags}
%install
make install DESTDIR=%{buildroot}
rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la
%find_lang %{name}
%post
update-desktop-database &> /dev/null || :
%postun
update-desktop-database &> /dev/null || :
%files -f %{name}.lang
%{_libdir}/NetworkManager/libnm-vpn-plugin-libreswan.so
%{_sysconfdir}/dbus-1/system.d/nm-libreswan-service.conf
@ -111,84 +95,55 @@ rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la
%{_libexecdir}/nm-libreswan-service
%{_libexecdir}/nm-libreswan-service-helper
%{_mandir}/man5/nm-settings-libreswan.5.gz
%doc AUTHORS NEWS
%doc AUTHORS ChangeLog NEWS
%license COPYING
%files -n NetworkManager-libreswan-gnome
%{_libexecdir}/nm-libreswan-auth-dialog
%{_libdir}/NetworkManager/libnm-vpn-plugin-libreswan-editor.so
%{_metainfodir}/network-manager-libreswan.metainfo.xml
%dir %{_datadir}/gnome-vpn-properties/libreswan
%{_datadir}/gnome-vpn-properties/libreswan/nm-libreswan-dialog.ui
%{_datadir}/appdata/network-manager-libreswan.metainfo.xml
%if %with libnm_glib
%{_libdir}/NetworkManager/libnm-*-properties.so
%{_sysconfdir}/NetworkManager/VPN/nm-libreswan-service.name
%endif
%if %with gtk4
%{_libdir}/NetworkManager/libnm-gtk4-vpn-plugin-libreswan-editor.so
%endif
%changelog
* Thu Oct 03 2024 Lubomir Rintel <lkundrak@v3.sk> - 1.2.22-4
* Thu Oct 03 2024 Lubomir Rintel <lkundrak@v3.sk> - 1.2.10-7
- Unbreak validation of unknown keys
* Wed Sep 25 2024 Lubomir Rintel <lkundrak@v3.sk> - 1.2.22-2
* Wed Sep 25 2024 Lubomir Rintel <lkundrak@v3.sk> - 1.2.10-6
- Fix improper escaping of Libreswan configuration (CVE-2024-9050)
* Wed May 22 2024 Beniamino Galvani <bgalvani@redhat.com> - 1.2.22-1
- Add IPv6 support (RHEL-21875)
* Wed Apr 17 2024 Íñigo Huguet <ihuguet@redhat.com> - 1.2.20-1
- Support "leftsubnet" property (RHEL-26776)
- Support "rightcert" property (RHEL-30370)
* Wed Jan 17 2024 Fernando Fernandez Mancera <ferferna@redhat.com> - 1.2.18-2
- Support point-to-point IPSec tunnel (RHEL-20690)
- Fix crash in libreswan_nmstate_iface_dpd_rsa (RHEL-21221)
- Support configuring IPSec mode with 'type' (RHEL-21554)
* Fri Dec 15 2023 Fernando Fernandez Mancera <ferferna@redhat.com> - 1.2.18-1
- Update to 1.2.18 release
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.2.14-1.3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.2.14-1.2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Mon Jan 25 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.14-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jan 12 2021 Beniamino Galvani <bgalvani@redhat.com> - 1.2.14-1
- Update to 1.2.14 release
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.12-1.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Feb 5 2024 Wen Liang <wenliang@redhat.com> - 1.2.10-5
- Fix crash in libreswan_add_profile_wrong_password (RHEL-13123)
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.12-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Tue Jul 9 2019 Francesco Giudici <fgiudici@redhat.com> - 1.2.10-4
- Fix Gnome IPsec advanced options dialog (rh #1697329)
* Wed Jul 31 2019 Francesco Giudici <fgiudici@redhat.com> - 1.2.12-1
- Updated to 1.2.12
* Mon Dec 10 2018 Lubomir Rintel <lkundrak@v3.sk> - 1.2.10-3
- Update the translations (rh #1608329)
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.10-1.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Oct 16 2018 Lubomir Rintel <lkundrak@v3.sk> - 1.2.10-2
- Import the translations (rh #1608329)
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.10-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Oct 15 2018 Francesco Giudici <fgiudici@redhat.com> - 1.2.10-1
- Update to 1.2.10 release (rh #1637867)
- Fix import functionality (rh #1633174)
* Thu Oct 18 2018 Francesco Giudici <fgiudici@redhat.com> - 1.2.10-1
- Updated to 1.2.10
- Import latest translations from upstream
* Wed Oct 3 2018 Beniamino Galvani <bgalvani@redhat.com> - 1.2.8-2
- Rebuild with updated annobin (rh #1630605)
* Wed Aug 22 2018 Paul Wouters <pwouters@redhat.com> - 1.2.6-1
- Updated to 1.2.6
- Upstream patches for IKEv2 support
* Mon Sep 17 2018 Francesco Giudici <fgiudici@redhat.com> - 1.2.8-1
- Update to 1.2.8 release
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.4-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Aug 13 2018 Francesco Giudici <fgiudici@redhat.com> - 1.2.8-0.1
- Update to latest development snapshot of NetworkManager-libreswan 1.2.8
- Introduced IKEv2 support (rh #1557035)
- Introduced support to more Libreswan properties (rh #1557035)
- Updated translations
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.4-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

Write Preview
Loading…
Cancel
Save