commit 28853dfc6b12a789cc3a46356d071aa52a4046ce Author: CentOS Sources Date: Tue May 16 06:11:11 2023 +0000 import libreswan-4.9-1.el8 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..222eb50 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +SOURCES/ikev1_dsa.fax.bz2 +SOURCES/ikev1_psk.fax.bz2 +SOURCES/ikev2.fax.bz2 +SOURCES/libreswan-4.9.tar.gz diff --git a/.libreswan.metadata b/.libreswan.metadata new file mode 100644 index 0000000..e5c173b --- /dev/null +++ b/.libreswan.metadata @@ -0,0 +1,4 @@ +b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2 +861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2 +fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2 +12b7351ca7e6ba1ac787239e67027a4d82f02f10 SOURCES/libreswan-4.9.tar.gz diff --git a/SOURCES/libreswan-3.32-1861360-nodefault-rsa-pss.patch b/SOURCES/libreswan-3.32-1861360-nodefault-rsa-pss.patch new file mode 100644 index 0000000..631bfee --- /dev/null +++ b/SOURCES/libreswan-3.32-1861360-nodefault-rsa-pss.patch @@ -0,0 +1,31 @@ +From 1dddaa3226fe1b71b68ec9665d93864a5ec69801 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 9 Jan 2023 23:26:10 +0900 +Subject: [PATCH] libreswan-3.32-1861360-nodefault-rsa-pss.patch + +--- + lib/libipsecconf/confread.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c +index 0444118..ec87646 100644 +--- a/lib/libipsecconf/confread.c ++++ b/lib/libipsecconf/confread.c +@@ -1501,9 +1501,14 @@ static bool load_conn(struct starter_conn *conn, + hunk_streq(val, "rsa")) { + conn->authby.rsasig = true; + conn->authby.rsasig_v1_5 = true; ++ /* ++ * These cause failure with RSA 1024 bits because it uses RSA-PSS ++ */ ++#if 0 + conn->sighash_policy |= POL_SIGHASH_SHA2_256; + conn->sighash_policy |= POL_SIGHASH_SHA2_384; + conn->sighash_policy |= POL_SIGHASH_SHA2_512; ++#endif + } else if (hunk_streq(val, "never")) { + conn->authby.never = true; + /* everything else is only supported for IKEv2 */ +-- +2.39.0 + diff --git a/SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch b/SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch new file mode 100644 index 0000000..497dd3e --- /dev/null +++ b/SOURCES/libreswan-4.1-maintain-obsolete-keywords.patch @@ -0,0 +1,136 @@ +From a2cc5f8c80e8cb9be0b65f8e8544689e8b093c09 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Tue, 10 Jan 2023 00:18:48 +0900 +Subject: [PATCH] libreswan-4.1-maintain-obsolete-keywords.patch + +--- + lib/libipsecconf/keywords.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +diff --git a/lib/libipsecconf/keywords.c b/lib/libipsecconf/keywords.c +index fa8f0e0..03fb863 100644 +--- a/lib/libipsecconf/keywords.c ++++ b/lib/libipsecconf/keywords.c +@@ -343,6 +343,8 @@ const struct keyword_def ipsec_conf_keywords[] = { + { "ikev1-policy", kv_config, kt_enum, KBF_GLOBAL_IKEv1, kw_global_ikev1_list, NULL, }, + { "curl-iface", kv_config, kt_string, KSF_CURLIFACE, NULL, NULL, }, + { "curl-timeout", kv_config, kt_time, KBF_CURLTIMEOUT_MS, NULL, NULL, }, ++ { "curl_iface", kv_config | kv_alias, kt_string, KSF_CURLIFACE, NULL, NULL, }, /* obsolete _ */ ++ { "curl_timeout", kv_config | kv_alias, kt_time, KBF_CURLTIMEOUT_MS, NULL, NULL, }, /* obsolete _ */ + + { "myvendorid", kv_config, kt_string, KSF_MYVENDORID, NULL, NULL, }, + { "syslog", kv_config, kt_string, KSF_SYSLOG, NULL, NULL, }, +@@ -350,6 +352,7 @@ const struct keyword_def ipsec_conf_keywords[] = { + { "logfile", kv_config, kt_filename, KSF_LOGFILE, NULL, NULL, }, + { "plutostderrlog", kv_config, kt_filename, KSF_LOGFILE, NULL, NULL, }, /* obsolete name, but very common :/ */ + { "logtime", kv_config, kt_bool, KBF_LOGTIME, NULL, NULL, }, ++ { "plutostderrlogtime", kv_config | kv_alias, kt_bool, KBF_LOGTIME, NULL, NULL, }, /* obsolete */ + { "logappend", kv_config, kt_bool, KBF_LOGAPPEND, NULL, NULL, }, + { "logip", kv_config, kt_bool, KBF_LOGIP, NULL, NULL, }, + { "audit-log", kv_config, kt_bool, KBF_AUDIT_LOG, NULL, NULL, }, +@@ -369,13 +372,20 @@ const struct keyword_def ipsec_conf_keywords[] = { + { "global-redirect-to", kv_config, kt_string, KSF_GLOBAL_REDIRECT_TO, NULL, NULL, }, + + { "crl-strict", kv_config, kt_bool, KBF_CRL_STRICT, NULL, NULL, }, ++ { "crl_strict", kv_config | kv_alias, kt_bool, KBF_CRL_STRICT, NULL, NULL, }, /* obsolete _ */ + { "crlcheckinterval", kv_config, kt_time, KBF_CRL_CHECKINTERVAL_MS, NULL, NULL, }, ++ { "strictcrlpolicy", kv_config | kv_alias, kt_bool, KBF_CRL_STRICT, NULL, NULL, }, /* obsolete; used on openswan */ + + { "ocsp-strict", kv_config, kt_bool, KBF_OCSP_STRICT, NULL, NULL, }, ++ { "ocsp_strict", kv_config | kv_alias, kt_bool, KBF_OCSP_STRICT, NULL, NULL, }, /* obsolete _ */ + { "ocsp-enable", kv_config, kt_bool, KBF_OCSP_ENABLE, NULL, NULL, }, ++ { "ocsp_enable", kv_config | kv_alias, kt_bool, KBF_OCSP_ENABLE, NULL, NULL, }, /* obsolete _ */ + { "ocsp-uri", kv_config, kt_string, KSF_OCSP_URI, NULL, NULL, }, ++ { "ocsp_uri", kv_config | kv_alias, kt_string, KSF_OCSP_URI, NULL, NULL, }, /* obsolete _ */ + { "ocsp-timeout", kv_config, kt_number, KBF_OCSP_TIMEOUT, NULL, NULL, }, ++ { "ocsp_timeout", kv_config | kv_alias, kt_number, KBF_OCSP_TIMEOUT, NULL, NULL, }, /* obsolete _ */ + { "ocsp-trustname", kv_config, kt_string, KSF_OCSP_TRUSTNAME, NULL, NULL, }, ++ { "ocsp_trust_name", kv_config | kv_alias, kt_string, KSF_OCSP_TRUSTNAME, NULL, NULL, }, /* obsolete _ */ + { "ocsp-cache-size", kv_config, kt_number, KBF_OCSP_CACHE_SIZE, NULL, NULL, }, + { "ocsp-cache-min-age", kv_config, kt_time, KBF_OCSP_CACHE_MIN_AGE_MS, NULL, NULL, }, + { "ocsp-cache-max-age", kv_config, kt_time, KBF_OCSP_CACHE_MAX_AGE_MS, NULL, NULL, }, +@@ -399,6 +409,7 @@ const struct keyword_def ipsec_conf_keywords[] = { + { "virtual_private", kv_config, kt_string, KSF_VIRTUALPRIVATE, NULL, NULL, }, /* obsolete variant, very common */ + { "seedbits", kv_config, kt_number, KBF_SEEDBITS, NULL, NULL, }, + { "keep-alive", kv_config, kt_number, KBF_KEEPALIVE, NULL, NULL, }, ++ { "keep_alive", kv_config | kv_alias, kt_number, KBF_KEEPALIVE, NULL, NULL, }, /* obsolete _ */ + + { "listen-tcp", kv_config, kt_bool, KBF_LISTEN_TCP, NULL, NULL }, + { "listen-udp", kv_config, kt_bool, KBF_LISTEN_UDP, NULL, NULL }, +@@ -410,6 +421,8 @@ const struct keyword_def ipsec_conf_keywords[] = { + #ifdef HAVE_LABELED_IPSEC + { "ikev1-secctx-attr-type", kv_config, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete: not a value, a type */ + { "secctx-attr-type", kv_config | kv_alias, kt_number, KBF_SECCTX, NULL, NULL, }, ++ { "secctx_attr_value", kv_config | kv_alias, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete _ */ ++ { "secctx-attr-value", kv_config, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete: not a value, a type */ + #endif + { "interfaces", kv_config, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsoleted but often present keyword */ + +@@ -446,6 +459,7 @@ const struct keyword_def ipsec_conf_keywords[] = { + { "username", kv_conn | kv_leftright, kt_string, KSCF_USERNAME, NULL, NULL, }, + /* xauthusername is still used in NetworkManager-libreswan :/ */ + { "xauthusername", kv_conn | kv_leftright, kt_string, KSCF_USERNAME, NULL, NULL, }, /* old alias */ ++ { "xauthname", kv_conn | kv_leftright, kt_string, KSCF_USERNAME, NULL, NULL, }, /* old alias */ + { "addresspool", kv_conn | kv_leftright, kt_range, KSCF_ADDRESSPOOL, NULL, NULL, }, + { "auth", kv_conn | kv_leftright, kt_enum, KNCF_AUTH, kw_auth_list, NULL, }, + #ifdef HAVE_IPTABLES +@@ -471,6 +485,8 @@ const struct keyword_def ipsec_conf_keywords[] = { + { "esn", kv_conn | kv_processed, kt_enum, KNCF_ESN, kw_esn_list, NULL, }, + { "decap-dscp", kv_conn | kv_processed, kt_bool, KNCF_DECAP_DSCP, NULL, NULL, }, + { "nopmtudisc", kv_conn | kv_processed, kt_bool, KNCF_NOPMTUDISC, NULL, NULL, }, ++ { "ike_frag", kv_conn | kv_processed | kv_alias, kt_enum, KNCF_IKE_FRAG, kw_ynf_list, NULL, }, /* obsolete _ */ ++ { "ike-frag", kv_conn | kv_processed | kv_alias, kt_enum, KNCF_IKE_FRAG, kw_ynf_list, NULL, }, /* obsolete name */ + { "fragmentation", kv_conn | kv_processed, kt_enum, KNCF_IKE_FRAG, kw_ynf_list, NULL, }, + { "mobike", kv_conn, kt_bool, KNCF_MOBIKE, NULL, NULL, }, + { "narrowing", kv_conn, kt_bool, KNCF_IKEv2_ALLOW_NARROWING, NULL, NULL, }, +@@ -481,13 +497,18 @@ const struct keyword_def ipsec_conf_keywords[] = { + { "accept-redirect-to", kv_conn, kt_string, KSCF_ACCEPT_REDIRECT_TO, NULL, NULL, }, + { "pfs", kv_conn, kt_bool, KNCF_PFS, NULL, NULL, }, + ++ { "nat_keepalive", kv_conn | kv_alias, kt_bool, KNCF_NAT_KEEPALIVE, NULL, NULL, }, /* obsolete _ */ + { "nat-keepalive", kv_conn, kt_bool, KNCF_NAT_KEEPALIVE, NULL, NULL, }, + ++ { "initial_contact", kv_conn | kv_alias, kt_bool, KNCF_INITIAL_CONTACT, NULL, NULL, }, /* obsolete _ */ + { "initial-contact", kv_conn, kt_bool, KNCF_INITIAL_CONTACT, NULL, NULL, }, ++ { "cisco_unity", kv_conn | kv_alias, kt_bool, KNCF_CISCO_UNITY, NULL, NULL, }, /* obsolete _ */ + { "cisco-unity", kv_conn, kt_bool, KNCF_CISCO_UNITY, NULL, NULL, }, + { "send-no-esp-tfc", kv_conn, kt_bool, KNCF_NO_ESP_TFC, NULL, NULL, }, + { "fake-strongswan", kv_conn, kt_bool, KNCF_VID_STRONGSWAN, NULL, NULL, }, ++ { "send_vendorid", kv_conn | kv_alias, kt_bool, KNCF_SEND_VENDORID, NULL, NULL, }, /* obsolete _ */ + { "send-vendorid", kv_conn, kt_bool, KNCF_SEND_VENDORID, NULL, NULL, }, ++ { "sha2_truncbug", kv_conn | kv_alias, kt_bool, KNCF_SHA2_TRUNCBUG, NULL, NULL, }, /* obsolete _ */ + { "sha2-truncbug", kv_conn, kt_bool, KNCF_SHA2_TRUNCBUG, NULL, NULL, }, + { "ms-dh-downgrade", kv_conn, kt_bool, KNCF_MSDH_DOWNGRADE, NULL, NULL, }, + { "require-id-on-certificate", kv_conn, kt_bool, KNCF_SAN_ON_CERT, NULL, NULL, }, +@@ -505,7 +526,10 @@ const struct keyword_def ipsec_conf_keywords[] = { + {"ikepad", kv_conn, kt_bool, KNCF_IKEPAD, NULL, NULL, }, + { "nat-ikev1-method", kv_conn | kv_processed, kt_enum, KNCF_IKEV1_NATT, kw_ikev1natt_list, NULL, }, + ++ { "labeled_ipsec", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */ ++ { "labeled-ipsec", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */ + { "policy-label", kv_conn, kt_string, KSCF_SA_SEC_LABEL, NULL, NULL, }, /* obsolete variant */ ++ { "policy_label", kv_conn, kt_string, KSCF_SA_SEC_LABEL, NULL, NULL, }, /* obsolete variant */ + { "sec-label", kv_conn, kt_string, KSCF_SA_SEC_LABEL, NULL, NULL, }, /* really stored into struct end */ + + /* Cisco interop: remote peer type */ +@@ -516,13 +540,17 @@ const struct keyword_def ipsec_conf_keywords[] = { + /* Network Manager support */ + #ifdef HAVE_NM + { "nm-configured", kv_conn, kt_bool, KNCF_NMCONFIGURED, NULL, NULL, }, ++ { "nm_configured", kv_conn, kt_bool, KNCF_NMCONFIGURED, NULL, NULL, }, /* obsolete _ */ + #endif + + { "xauthby", kv_conn, kt_enum, KNCF_XAUTHBY, kw_xauthby_list, NULL, }, + { "xauthfail", kv_conn, kt_enum, KNCF_XAUTHFAIL, kw_xauthfail_list, NULL, }, + { "modecfgpull", kv_conn, kt_invertbool, KNCF_MODECONFIGPULL, NULL, NULL, }, + { "modecfgdns", kv_conn, kt_string, KSCF_MODECFGDNS, NULL, NULL, }, ++ { "modecfgdns1", kv_conn | kv_alias, kt_string, KSCF_MODECFGDNS, NULL, NULL, }, /* obsolete */ ++ { "modecfgdns2", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */ + { "modecfgdomains", kv_conn, kt_string, KSCF_MODECFGDOMAINS, NULL, NULL, }, ++ { "modecfgdomain", kv_conn | kv_alias, kt_string, KSCF_MODECFGDOMAINS, NULL, NULL, }, /* obsolete */ + { "modecfgbanner", kv_conn, kt_string, KSCF_MODECFGBANNER, NULL, NULL, }, + { "ignore-peer-dns", kv_conn, kt_bool, KNCF_IGNORE_PEER_DNS, NULL, NULL, }, + { "mark", kv_conn, kt_string, KSCF_CONN_MARK_BOTH, NULL, NULL, }, +-- +2.39.0 + diff --git a/SOURCES/libreswan-4.3-1934186-config.patch b/SOURCES/libreswan-4.3-1934186-config.patch new file mode 100644 index 0000000..022fb47 --- /dev/null +++ b/SOURCES/libreswan-4.3-1934186-config.patch @@ -0,0 +1,11 @@ +diff -Naur libreswan-4.3-orig/configs/ipsec.conf.in libreswan-4.3/configs/ipsec.conf.in +--- libreswan-4.3-orig/configs/ipsec.conf.in 2021-03-04 14:29:50.591912834 -0500 ++++ libreswan-4.3/configs/ipsec.conf.in 2021-03-04 14:30:27.227389433 -0500 +@@ -32,6 +32,7 @@ + # listen-tcp=yes + # To enable IKE and IPsec over TCP for VPN client, also specify + # tcp-remote-port=4500 in the client's conn section. ++ virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 + + # if it exists, include system wide crypto-policy defaults + # include /etc/crypto-policies/back-ends/libreswan.config diff --git a/SOURCES/libreswan-4.3-maintain-different-v1v2-split.patch b/SOURCES/libreswan-4.3-maintain-different-v1v2-split.patch new file mode 100644 index 0000000..68c94eb --- /dev/null +++ b/SOURCES/libreswan-4.3-maintain-different-v1v2-split.patch @@ -0,0 +1,85 @@ +From 83487373fdd77437e51cfccd41532e270e279e05 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Tue, 10 Jan 2023 00:11:26 +0900 +Subject: [PATCH] libreswan-4.3-maintain-different-v1v2-split.patch + +--- + configs/d.ipsec.conf/ikev2.xml | 14 +++++++------- + lib/libipsecconf/confread.c | 8 +++++++- + programs/whack/whack.c | 4 ++-- + 3 files changed, 16 insertions(+), 10 deletions(-) + +diff --git a/configs/d.ipsec.conf/ikev2.xml b/configs/d.ipsec.conf/ikev2.xml +index 3d03825..285db1b 100644 +--- a/configs/d.ipsec.conf/ikev2.xml ++++ b/configs/d.ipsec.conf/ikev2.xml +@@ -2,14 +2,14 @@ + ikev2 + + Whether to use IKEv2 (RFC 7296) or IKEv1 (RFC 4301). +-Currently the accepted values are yes (the default), +-signifying only IKEv2 is accepted, or no, ++Currently the accepted values are insist (the default), ++signifying only IKEv2 is accepted, or no (or never), + signifying only IKEv1 is accepted. Previous versions allowed the keywords +-propose or permit +-that would allow either IKEv1 or IKEv2, but this is no longer supported. The +-permit option is interpreted as no and the propose option is interpreted as +-yes. Older versions also supported keyword +-insist which is now interpreted as yes. ++propose, yes or permit ++that would allow either IKEv1 or IKEv2, but this is no longer supported and both options ++now cause the connection to fail to load. WARNING: This behaviour differs from upstream ++libreswan, which only accepts yes or no where yes means ++the same as insist. + + + +diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c +index b95c90a..e752441 100644 +--- a/lib/libipsecconf/confread.c ++++ b/lib/libipsecconf/confread.c +@@ -1340,11 +1340,17 @@ static bool load_conn(struct starter_conn *conn, + + switch (conn->options[KNCF_IKEv2]) { + case fo_never: +- case fo_permit: + conn->ike_version = IKEv1; + break; + ++ case fo_permit: ++ starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no|never"); ++ return true; ++ + case fo_propose: ++ starter_error_append(perrl, "ikev2=propose or ikev2=yes is no longer accepted. Use ikev2=insist or ikev2=no|never"); ++ return true; ++ + case fo_insist: + conn->ike_version = IKEv2; + break; +diff --git a/programs/whack/whack.c b/programs/whack/whack.c +index b512b04..3de020e 100644 +--- a/programs/whack/whack.c ++++ b/programs/whack/whack.c +@@ -815,7 +815,7 @@ static const struct option long_opts[] = { + { "ikev1-allow", no_argument, NULL, CD_IKEv1 + OO }, /* obsolete name */ + { "ikev2", no_argument, NULL, CD_IKEv2 +OO }, + { "ikev2-allow", no_argument, NULL, CD_IKEv2 +OO }, /* obsolete name */ +- { "ikev2-propose", no_argument, NULL, CD_IKEv2 +OO }, /* obsolete, map onto allow */ ++ /* not in RHEL8 { "ikev2-propose", no_argument, NULL, CD_IKEv2 +OO }, */ + + PS("allow-narrowing", IKEV2_ALLOW_NARROWING), + #ifdef AUTH_HAVE_PAM +@@ -1802,7 +1802,7 @@ int main(int argc, char **argv) + end_seen = LEMPTY; + continue; + +- /* --ikev1 --ikev2 --ikev2-propose */ ++ /* --ikev1 --ikev2 */ + case CD_IKEv1: + case CD_IKEv2: + { +-- +2.39.0 + diff --git a/SPECS/libreswan.spec b/SPECS/libreswan.spec new file mode 100644 index 0000000..5fb72dd --- /dev/null +++ b/SPECS/libreswan.spec @@ -0,0 +1,499 @@ +%global _hardened_build 1 +# These are rpm macros and are 0 or 1 +%global with_efence 0 +%global with_development 0 +%global with_cavstests 1 +# minimum version for support for rhbz#1651314 +# should prob update for nss with IKEv1 quick mode support +%global nss_version 3.53.1 +%global unbound_version 1.6.6 +%global libreswan_config \\\ + FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\ + FINALMANDIR=%{_mandir} \\\ + FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\ + INITSYSTEM=systemd \\\ + NSS_HAS_IPSEC_PROFILE=true \\\ + NSS_REQ_AVA_COPY=false \\\ + PREFIX=%{_prefix} \\\ + PYTHON_BINARY=%{__python3} \\\ + SHELL_BINARY=%{_bindir}/sh \\\ + USE_DNSSEC=true \\\ + USE_FIPSCHECK=false \\\ + USE_LABELED_IPSEC=true \\\ + USE_LDAP=true \\\ + USE_LIBCAP_NG=true \\\ + USE_LIBCURL=true \\\ + USE_LINUX_AUDIT=true \\\ + USE_NM=true \\\ + USE_NSS_KDF=true \\\ + USE_SECCOMP=true \\\ + USE_AUTHPAM=true \\\ + USE_DH2=true \\\ +%{nil} + +#global prever rc1 + +Name: libreswan +Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols +# version is generated in the release script +Version: 4.9 +Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist} +License: GPLv2 +Url: https://libreswan.org/ + +Source0: https://download.libreswan.org/%{?prever:with_development/}%{name}-%{version}%{?prever}.tar.gz +%if 0%{with_cavstests} +Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2 +Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2 +Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2 +%endif + +Patch1: libreswan-4.3-maintain-different-v1v2-split.patch +Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch +Patch3: libreswan-4.1-maintain-obsolete-keywords.patch +Patch6: libreswan-4.3-1934186-config.patch + +BuildRequires: audit-libs-devel +BuildRequires: bison +BuildRequires: curl-devel +BuildRequires: flex +BuildRequires: gcc make +BuildRequires: ldns-devel +BuildRequires: libcap-ng-devel +BuildRequires: libevent-devel +BuildRequires: libseccomp-devel +BuildRequires: libselinux-devel +BuildRequires: nspr-devel +BuildRequires: nss-devel >= %{nss_version} +BuildRequires: nss-tools +BuildRequires: openldap-devel +BuildRequires: pam-devel +BuildRequires: pkgconfig +BuildRequires: hostname +BuildRequires: redhat-rpm-config +BuildRequires: systemd-devel +BuildRequires: unbound-devel >= %{unbound_version} +BuildRequires: xmlto +%if 0%{with_efence} +BuildRequires: ElectricFence +%endif +Requires: iproute >= 2.6.8 +Requires: nss >= %{nss_version} +Requires: nss-softokn +Requires: nss-tools +Requires: unbound-libs >= %{unbound_version} +Requires(post): bash +Requires(post): coreutils +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd + +%description +Libreswan is a free implementation of IKE/IPsec for Linux. IPsec is +the Internet Protocol Security and uses strong cryptography to provide +both authentication and encryption services. These services allow you +to build secure tunnels through untrusted networks. Everything passing +through the untrusted net is encrypted by the ipsec gateway machine and +decrypted by the gateway at the other end of the tunnel. The resulting +tunnel is a virtual private network or VPN. + +This package contains the daemons and userland tools for setting up +Libreswan. + +Libreswan also supports IKEv2 (RFC7296) and Secure Labeling + +Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 + +%prep +%setup -q -n libreswan-%{version}%{?prever} +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch6 -p1 + +# linking to freebl is not needed +sed -i "s/-lfreebl //" mk/config.mk + +# enable crypto-policies support +sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in + +%build +make %{?_smp_mflags} \ +%if 0%{with_development} + OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \ +%else + OPTIMIZE_CFLAGS="%{optflags}" \ +%endif +%if 0%{with_efence} + USE_EFENCE=true \ +%endif + WERROR_CFLAGS="-Werror -Wno-missing-field-initializers" \ + USERLINK="%{?__global_ldflags}" \ + %{libreswan_config} \ + programs +FS=$(pwd) + +%install +make \ + DESTDIR=%{buildroot} \ + %{libreswan_config} \ + install +FS=$(pwd) +rm -rf %{buildroot}/usr/share/doc/libreswan +rm -rf %{buildroot}%{_libexecdir}/ipsec/*check + +install -d -m 0755 %{buildroot}%{_rundir}/pluto +install -d %{buildroot}%{_sbindir} + +install -d %{buildroot}%{_sysconfdir}/sysctl.d +install -m 0644 packaging/fedora/libreswan-sysctl.conf \ + %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf + +echo "include %{_sysconfdir}/ipsec.d/*.secrets" \ + > %{buildroot}%{_sysconfdir}/ipsec.secrets +rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc* + +%if 0%{with_cavstests} +%check +# There is an elaborate upstream testing infrastructure which we do not +# run here - it takes hours and uses kvm +# We only run the CAVS tests. +cp %{SOURCE1} %{SOURCE2} %{SOURCE3} . +bunzip2 *.fax.bz2 + +: starting CAVS test for IKEv2 +%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \ + diff -u ikev2.fax - > /dev/null +: starting CAVS test for IKEv1 RSASIG +%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \ + diff -u ikev1_dsa.fax - > /dev/null +: starting CAVS test for IKEv1 PSK +%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \ + diff -u ikev1_psk.fax - > /dev/null +: CAVS tests passed + +# Some of these tests will show ERROR for negative testing - it will exit on real errors +%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; } +%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; } +: Algorithm parser tests passed + +# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode +tmpdir=$(mktemp -d /tmp/libreswan-XXXXX) +certutil -N -d sql:$tmpdir --empty-password +%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir +: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST + +%endif + +%post +%systemd_post ipsec.service + +%preun +%systemd_preun ipsec.service + +%postun +%systemd_postun_with_restart ipsec.service + +%files +%doc CHANGES COPYING CREDITS README* LICENSE +%doc docs/*.* docs/examples +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf +%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets +%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d +%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/* +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf +%attr(0755,root,root) %dir %{_rundir}/pluto +%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf +%attr(0644,root,root) %{_unitdir}/ipsec.service +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto +%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan +%{_sbindir}/ipsec +%{_libexecdir}/ipsec +%attr(0644,root,root) %doc %{_mandir}/*/* + +%changelog +* Mon Jan 9 2023 Daiki Ueno - 4.9-1 +- Resolves: rhbz#2128672 Rebase libreswan to 4.9 +- Remove libreswan-4.4-ikev1-disable-diagnostics.patch no longer necessary + +* Thu Jan 13 2022 Daiki Ueno - 4.5-1 +- Resolves: rhbz#2017352 Rebase libreswan to 4.5 +- Resolves: rhbz#2036903 ikev1: disable diagnostics logging on receiving malformed packets + +* Wed May 26 2021 Daiki Ueno - 4.4-1 +- Resolves: rhbz#1958968 Rebase libreswan to 4.4 +- Resolves: rhbz#1954423 Libreswan: TS_UNACCEPTABLE on multiple connections between the same peers + +* Thu Mar 04 2021 Paul Wouters - 4.3-3 +- Resolves: rhbz#1933064 - IKEv2 support for Labeled IPsec +- Resolves: rhbz#1935150 RFE: Support IKE and ESP over TCP: RFC 8229 +- Resolves: rhbz#1935339 virtual_private setting is missing in the default config + +* Sun Feb 21 2021 Paul Wouters - 4.3-1 +- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec [update] + +* Thu Feb 04 2021 Paul Wouters - 4.2-1 +- Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.2 +- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec + +* Tue Oct 27 22:11:42 EDT 2020 Paul Wouters - 4.1-1 +- Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.1 +- Resolves: rhbz#1889836 libreswan: add 3.x compat patches for obsoleted/removed keywords of 4.0 and re-port ikev2= patch + +* Wed Jul 29 2020 Paul Wouters - 3.32-6 +- Resolves: rhbz#1861360 authby=rsasig must not imply usage of rsa-pss + +* Wed Jul 22 2020 Paul Wouters - 3.32-5 +- Resolves: rhbz#1820206 Rebase to libreswan 3.32 [rebuild for USE_NSS_PRF] + +* Wed Jul 01 2020 Paul Wouters - 3.32-4 +- Resolves: rhbz#1544463 ipsec service does not work correctly when seccomp filtering is enabled + +* Wed Jun 17 2020 Paul Wouters - 3.32-3 +- Resolves: rhbz#1842597 regression: libreswan does not send PLUTO_BYTES env variables to updown script +- Resolves: rhbz#1847766 subsequent xfrmi interfaces configured outside of libreswan are not recognised properly +- Resolves: rhbz#1840212 protect libreswan against unannounced nss ABI change + +* Thu Jun 11 2020 Paul Wouters - 3.32-2 +- Resolves: rhbz#1820206 Rebase to libreswan 3.32 [addconn fix] + +* Thu Apr 30 2020 Paul Wouters - 3.32-1 +- Resolves: rhbz#1820206 Rebase to libreswan 3.32 +- Resolves: rhbz#1816265 Use NSS to check whether FIPS mode is enabled +- Resolves: rhbz#1826337 libreswan in FIPS mode rejects ECDSA keys based on faulty RSA key size check being applied + +* Tue Aug 13 2019 Paul Wouters - 3.29-6 +- Resolves: rhbz#1714331 support NSS based IKE KDF's [require updated nss for rhbz 1738689, memleak fix] + +* Thu Aug 08 2019 Paul Wouters - 3.29-5 +- Resolves: rhbz#1714331 support NSS based IKE KDF's so libreswan does not need FIPS certification + +* Thu Aug 01 2019 Paul Wouters - 3.29-4 +- Resolves: rhbz#1699318 'ipsec show' has python3 invalid syntax + +* Thu Jul 04 2019 Paul Wouters - 3.29-3 +- Resolves: rhbz#1725205 XFRM policy for OE/32 peer is deleted when shunts for previous half-open state expire + +* Thu Jun 27 2019 Paul Wouters - 3.29-2 +- Resolves: rhbz#1723957 libreswan is missing linux audit calls for failed IKE SAs and failed IPsec SAs required for Common Criteria + +* Mon Jun 10 2019 Paul Wouters - 3.29-1 +- Resolves: rhbz#1712555 libreswan rebase to 3.29 + +* Tue May 28 2019 Paul Wouters - 3.28-2 +- Resolves: rhbz#1713734: barf: shell syntax error in barf diagnostic tool + +* Tue May 21 2019 Paul Wouters - 3.28-1 +- Resolves: rhbz#1712555 libreswan rebase to 3.28 +- Resolves: rhbz#1683706 Libreswan shows incorrect error messages +- Resolves: rhbz#1706180 Remove last usage of old (unused) PF_KEY API +- Resolves: rhbz#1677045 Opportunistic IPsec instances of /32 groups or auto=start that receive delete won't restart +- Resolves: rhbz#1686990 IKEv1 traffic interruption when responder deletes SAs 60 seconds before EVENT_SA_REPLACE +- Resolves: rhbz#1608353 /usr/sbin/ipsec part of the libreswan packages still invokes commands that were deprecated a decade ago +- Resolves: rhbz#1699318 'ipsec show' has python3 invalid syntax +- Resolves: rhbz#1679394 libreswan using NSS IPsec profiles regresses when critical flags are set causing validation failure + +* Thu Feb 21 2019 Paul Wouters - 3.27-9 +- Resolves: rhbz#1648776 limit connections to be ikev1only or ikev2only and make ikev2only the default [man page update] + +* Fri Feb 15 2019 Paul Wouters - 3.27-8 +- Resolves: rhbz#1664101 system wide crypto policies causing IKE_INIT packet fragmentation + +* Tue Feb 05 2019 Paul Wouters - 3.27-7 +- Resolves: rhbz#1671793 proessing ISAKMP_NEXT_D with additional payloads causes dangling pointer to deleted state + +* Fri Feb 01 2019 Paul Wouters - 3.27-6 +- Resolves: rhbz#1668342 SELinux prevents libreswan from using some outbound ports causing DNS resolution failures at connection at load time + +* Thu Jan 10 2019 Paul Wouters - 3.27-5 +- Resolves: rhbz#1664522 libreswan 3.25 in FIPS mode is incorrectly rejecting X.509 public keys that are >= 3072 bits + +* Mon Dec 10 2018 Paul Wouters - 3.27-4 +- Resolves: rhbz#1657846 libreswan no longer needs to provide openswan in rhel8 +- Resolves: rhbz#1643388 libreswan: Unable to verify certificate with non-empty Extended Key Usage which does not include serverAuth or clientAuth +- Resolves: rhbz#1657854 remove userland support for deprecated KLIPS IPsec stack support + +* Sun Dec 09 2018 Paul Wouters - 3.27-3 +- Resolves: rhbz#1648776 limit connections to be ikev1only or ikev2only and make ikev2only the default + +* Thu Nov 08 2018 Paul Wouters - 3.27-2 +- Resolves: rhbz#1645137 Libreswan segfaults when it loads configuration file with more then 5 connections + +* Mon Oct 08 2018 Paul Wouters - 3.27-1 +- Resolves: rhbz#1566574 Rebase to libreswan 3.27 + +* Mon Sep 17 2018 Paul Wouters - 3.26-1 +- Resolves: rhbz#1566574 Rebase to libreswan 3.26 +- Resolves: rhbz#1527037 libreswan IPSEC implementation: should follow the policies of system-wide crypto policy +- Resolves: rhbz#1375779 [IKEv2 Conformance] Test IKEv2.EN.R.1.1.6.7: Sending INVALID_KE_PAYLOAD failed +- Resolves: rhbz#1085758 [TAHI][IKEv2] IKEv2.EN.I.1.2.1.1: Can't observe CREATE_CHILD_SA request for rekey +- Resolves: rhbz#1053048 [TAHI][IKEv2] IKEv2.EN.I.1.2.4.1-7: libreswan doesn't sent CREATE_CHILD_SA after IKE_SA Lifetime timeout + +* Mon Aug 13 2018 Paul Wouters - 3.25-4 +- Resolves: rhbz#1590823 libreswan: Use Python 3 in RHEL 8 + +* Wed Aug 01 2018 Charalampos Stratakis - 3.25-3.1 +- Rebuild for platform-python + +* Mon Jul 09 2018 Paul Wouters - 3.25-3 +- Cleanup shebangs for python3 +- Use the same options via macro for make programs and make install +- Remove old ifdefs +- Sync up patches to new upstream version +- Add Requires: for unbound-libs >= 1.6.6 +- Enable crypto-policies support +- Make rundir world readable for easier permission granting for socket + +* Tue Jun 26 2018 Charalampos Stratakis - 3.23-2.2 +- Make python shebangs point to python3 + +* Fri Jun 22 2018 Troy Dawson - 3.23-2.1 +- Fix python shebangs (#1580773) + +* Mon Feb 19 2018 Paul Wouters - 3.23-2 +- Support crypto-policies package +- Pull in some patches from upstream and IANA registry updates +- gcc7 format-truncate fixes and workarounds + +* Wed Feb 07 2018 Fedora Release Engineering - 3.23-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jan 25 2018 Paul Wouters - 3.23-1 +- Updated to 3.23 - support for MOBIKE, PPK, CMAC, nic offload and performance improvements + +* Sat Jan 20 2018 Björn Esser - 3.22-1.1 +- Rebuilt for switch to libxcrypt + +* Mon Oct 23 2017 Paul Wouters - 3.22-1 +- Updated to 3.22 - many bugfixes, and unbound ipsecmod support + +* Wed Aug 9 2017 Paul Wouters - 3.21-1 +- Updated to 3.21 + +* Thu Aug 03 2017 Fedora Release Engineering - 3.20-1.2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 3.20-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Tue Mar 14 2017 Paul Wouters - 3.20-1 +- Updated to 3.20 + +* Fri Mar 03 2017 Paul Wouters - 3.20-0.1.dr4 +- Update to 3.20dr4 to test mozbz#1336487 export CERT_CompareAVA + +* Fri Feb 10 2017 Fedora Release Engineering - 3.19-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Feb 03 2017 Paul Wouters - 3.19-2 +- Resolves: rhbz#1392191 libreswan: crash when OSX client connects +- Improved uniqueid and session replacing support +- Test Buffer warning fix on size_t +- Re-introduce --configdir for backwards compatibility + +* Sun Jan 15 2017 Paul Wouters - 3.19-1 +- Updated to 3.19 (see download.libreswan.org/CHANGES) + +* Mon Dec 19 2016 Miro Hrončok - 3.18-1.1 +- Rebuild for Python 3.6 + +* Fri Jul 29 2016 Paul Wouters - 3.18-1 +- Updated to 3.18 for CVE-2016-5391 rhbz#1361164 and VTI support +- Remove support for /etc/sysconfig/pluto (use native systemd instead) + +* Thu May 05 2016 Paul Wouters - 3.17-2 +- Resolves: rhbz#1324956 prelink is gone, /etc/prelink.conf.d/* is no longer used + +* Thu Apr 07 2016 Paul Wouters - 3.17-1 +- Updated to 3.17 for CVE-2016-3071 +- Disable LIBCAP_NG as it prevents unbound-control from working properly +- Temporarilly disable WERROR due to a few minor known issues + +* Thu Feb 04 2016 Fedora Release Engineering - 3.16-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Dec 18 2015 Paul Wouters - 3.16-1 +- Updated to 3.16 (see https://download.libreswan.org/CHANGES) + +* Tue Aug 11 2015 Paul Wouters - 3.15-1 +- Updated to 3.15 (see http://download.libreswan.org/CHANGES) +- Resolves: rhbz#CVE-2015-3240 IKE daemon restart when receiving a bad DH gx +- NSS database creation moved from spec file to service file +- Run CAVS tests on package build +- Added BuildRequire systemd-units and xmlto +- Bumped minimum required nss to 3.16.1 +- Install tmpfiles +- Install sysctl file +- Update doc files to include + +* Mon Jul 13 2015 Paul Wouters - 3.13-2 +- Resolves: rhbz#1238967 Switch libreswan to use python3 + +* Wed Jun 17 2015 Fedora Release Engineering - 3.13-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Jun 01 2015 Paul Wouters - 3.13-1 +- Updated to 3.13 for CVE-2015-3204 + +* Fri Nov 07 2014 Paul Wouters - 3.12-1 +- Updated to 3.12 Various IKEv2 fixes + +* Wed Oct 22 2014 Paul Wouters - 3.11-1 +- Updated to 3.11 (many fixes, including startup fixes) +- Resolves: rhbz#1144941 libreswan 3.10 upgrade breaks old ipsec.secrets configs +- Resolves: rhbz#1147072 ikev1 aggr mode connection fails after libreswan upgrade +- Resolves: rhbz#1144831 Libreswan appears to start with systemd before all the NICs are up and running + +* Tue Sep 09 2014 Paul Wouters - 3.10-3 +- Fix some coverity issues, auto=route on bootup and snprintf on 32bit machines + +* Mon Sep 01 2014 Paul Wouters - 3.10-1 +- Updated to 3.10, major bugfix release, new xauth status options + +* Sun Aug 17 2014 Fedora Release Engineering - 3.9-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Thu Jul 10 2014 Paul Wouters - 3.9-1 +- Updated to 3.9. IKEv2 enhancements, ESP/IKE algo enhancements +- Mark libreswan-fips.conf as config file +- attr modifier for man pages no longer needed +- BUGS file no longer exists upstream + +* Sat Jun 07 2014 Fedora Release Engineering - 3.8-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sat Jan 18 2014 Paul Wouters - 3.8-1 +- Updated to 3.8, fixes rhbz#CVE-2013-6467 (rhbz#1054102) + +* Wed Dec 11 2013 Paul Wouters - 3.7-1 +- Updated to 3.7, fixes CVE-2013-4564 +- Fixes creating a bogus NSS db on startup (rhbz#1005410) + +* Thu Oct 31 2013 Paul Wouters - 3.6-1 +- Updated to 3.6 (IKEv2, MODECFG, Cisco interop fixes) +- Generate empty NSS db if none exists + +* Mon Aug 19 2013 Paul Wouters - 3.5-3 +- Add a Provides: for openswan-doc + +* Sat Aug 03 2013 Fedora Release Engineering - 3.5-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Jul 15 2013 Paul Wouters - 3.5-2 +- Added interop patch for (some?) Cisco VPN clients sending 16 zero + bytes of extraneous IKE data +- Removed fipscheck_version + +* Sat Jul 13 2013 Paul Wouters - 3.5-1 +- Updated to 3.5 + +* Thu Jun 06 2013 Paul Wouters - 3.4-1 +- Updated to 3.4, which only contains style changes to kernel coding style +- IN MEMORIAM: June 3rd, 2013 Hugh Daniel + +* Mon May 13 2013 Paul Wouters - 3.3-1 +- Updated to 3.3, which resolves CVE-2013-2052 + +* Sat Apr 13 2013 Paul Wouters - 3.2-1 +- Initial package for Fedora