import libreswan-4.15-5.el10

c10-beta imports/c10-beta/libreswan-4.15-5.el10
MSVSphere Packaging Team 1 month ago
commit f0bb75b595
Signed by: sys_gitsync
GPG Key ID: B2B0B9F29E528FE8

4
.gitignore vendored

@ -0,0 +1,4 @@
SOURCES/ikev1_dsa.fax.bz2
SOURCES/ikev1_psk.fax.bz2
SOURCES/ikev2.fax.bz2
SOURCES/libreswan-4.15.tar.gz

@ -0,0 +1,4 @@
b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2
861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2
fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2
861eaeefff1c2f3862a8bfe0295b3e307f8e3055 SOURCES/libreswan-4.15.tar.gz

@ -0,0 +1,51 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFDjilcBEAChkfasfBKTzGys9DwgBsmDVsPConW60uyKnu16+wO1kIKMFWi6
wGllwKUJmCBY2FSQHbOBy5eHPPT1ijJhYt4j7WU+YJVh5Ca5RE3trFt31FX0vzp+
KMqdQ8HOofA7jO6bgyHUwOJ539YkqYj1jHKfrdRqOnzB9fFyEb7485sq1F8j/rHk
cSar1Hd9QfGAZHxXqgncgHFobB/xXEGRJIi+4kNL5SYasbw9tfYUGPrUXVol1+pn
tsG92736O5Qe5K+wH2nAS4hwPJ1Xr4XIKeNNwxQW25wWqn4mLa4Vly+PA2uSE7ZP
RcxE3yBCaLFMlw4rLhFAzd6TeslQONZ+9K51yfBYm7m0vWM3Ixq8yuD8E49OkKr8
QRMaA2g89NW3AuNLExiTE0zQzAs/g6eX8WZdeWCvKxhRTAUYkw0QTimFgv6LXIeS
//5DOAAO9WwzlseTGmUgek3BbnnJJiGHVLBgnLaqWLOZ1Y8ON1uC8lQnbIeYbTQq
EE5R0cbVLVXBJoKakBF8gwHF51HC2pSBYmHNZsSbjMuHpJWJM4fVldNWPNaqriKC
OkL8QgvNoapgk20k1ajLl/ibv32k7QBKy3cTMtbQYPdreXcoZuMw38ysQcgFxPCs
Zh92aaWW0ceWowkJ7CFnes2jdPcMSOYE37wodmV3/VV7cusmTD8wikyUdQARAQAB
tCxMaWJyZXN3YW4gKFNpZ25pbmcgS2V5KSA8dGVhbUBsaWJyZXN3YW4ub3JnPokC
TgQTAQoAOBYhBJB+eQ8lwejlYc1ztYX/S0OzD8b5BQJi4cg4AhsDBQsJCAcDBRUK
CQgLBRYCAwEAAh4FAheAAAoJEIX/S0OzD8b5zNcP/RuDb05Xr+IpuGWtJ38yGMWG
mZglLHrzCAOXNAr/QXt6Kz3sThJoZFIh2E4Ab5yW59iFLFpW3VuZIGVCyh7vsuVw
MuKoJtrZtdbHSdLbE+FHpY7osQDrcuodTv5b7STfG2Wje18iG/dCATVIDDgbPmuJ
FpNLcR3scuoIlgxmP3Y1AFgufLR5MiN60PKnS2Husyj0f5Gqc3USLofWKgEQ4wFa
gT1iIjkf4zkFcVlJ5K0SE1ULn8K7umkOUvLcKg6ji+1sEwEM1kCNmxI8HkiNt296
9Z/TLK1h8McFGwG7x1p8fZ7Kjmzwnv1TSxAt1wHMoa0m9LntQOXnn3hVJaC74AzX
heFtqDHmATpcGtQLR0zutrZ+ohUb6AEt+hAPfyDDYIR5y3oNdSLozJkJ1wlrhsYh
SR1Hv4b3fdD6XgyUPggituOYm+yv1PuHrSEaoznnlX2z0MaVJyJIN0zUHlPBmWKC
LmzQX2A7l9bHhkXYgHoSdeBHdwvcQQGWwkVmN2WUwsM/m9Abk8OdLdE13nI8824R
0+b6XzJ2g4L+RIsVseerX2WIMHSMvkbFuLpEE4ILOrL+9Lq5bdx9MvZPtsZ/ZutY
QVVvJ+nJtmPp0HpybnJdXzB7Za02A0r2gXIUrund32K97qe8XblCwxkZbZCeLcSL
5+mb8O1XPGD39S6CCZbRuQINBFDjilcBEADXDN9o3icyDy+ity45CsQfo1f84xL6
oJIgCLGGwm3RFPgOzdgxaE7TiLzW2NBui+yHyw48WRTxZ9XC6HtGKjH6XPvP5nF4
8wss7tjzRNzmNgTp7G47HkW3lD0VYX4NqfCmxQK9gTXob1+JFmWkEXkXmZYg2dbn
1REtHb03x370Z547rjvdpopQW6jaSw0C556DOxb9weJqLqAd2uZO4nwhuDs/VM+Q
yy+/MlHTbnsmnYIMozDLMmHZ1PMeJlTFPMfapaux9UDTgQ5dwLj2FiQ/uEMzvfVv
W23hxlpWVHsccwZR77PMDt4Nbj/7QlOIKpgid2r8SyBmhjET2u/USSzFYzK8J2Wj
oLcxiuMTwrnM6b3bqiuSDUMAEoNN814Cbpz6yLB2wyKs5N7ZA/lVLNE8MV7to8OD
ww1nS2bDDf5/JMNt5aWu/iO2bBrYE30LqHR3bSV6QP57JnzunM9Y4V1BnEKYW14A
9+rRH1k1e5CuS5tqxpSubniF80AdUyPjF8rXOY0URD6zY0s4843Nf9TNr8ke/1ma
qLEkUAF03AwBR8oz247ylu75q94ytpYUFJAkNeqpk8XypqKJMVcl4NfEP930JR82
sGjNylVu/b4EsqKfmkoU8VFM1lfuaqX1u2ZDoUpG2Io/zpeV07RQ0KTHdKBejzix
2IN0T7W4G0JXcwARAQABiQIfBBgBAgAJBQJQ44pXAhsMAAoJEIX/S0OzD8b5KR8P
/jdWNVVw74/oCPtt79V1r0XN4I0ZBTQZgKp3JmZdcZlS2Uzx4u1VhxcevDQ7fh/Z
5Y1xDBh+IKwF83hJKXy56+PJBlYIGjc2GTEmU1yo4E9iudPq56FFb6eelX1qBfxI
0ZHdWgzWmrtnCF65zGTmeYMpck4ZuKdJAX2AM6kWcBikt4jT/SqrcS8t/duWRSSV
iikwXD8aPexAz9XuezI+y3Exupt/lqUyVtCV3t0/gWRAMuwrMH/RABEPTaQdmxKz
i0OkMDlHhweXZWg0/t32XLhhmy4f/30NhKYnntN6/pdNDb8vin5OP2MRyJDHIykA
2HZcYvjdZS43+PbiuqDCTILMvxUDYjxHszgEheLariRvmRwE1HRjZWNTzGTjUgyv
83XUhrIoAlgMVy2tQAatKbNVYAn5dmA0NCDKnSszas43gApSSjh2UXmq/owwpVj6
zYHcoV0gdCuLJ1BPLstN0ZGO+g+eRpTI97+/04sgz/hImDsm7G3Diners/FDaebt
pMRzVshh5lIgVBnCT36hdHW8buyiAgRQtjq7bX8JLN4Ermxlq4a33OYc7TGNC3jF
Rm4XSY6RUDMd6uhRD5hKZB2N8az079603K7nc93x32CualHCJD+M7Z2/j9r3T3Tc
y69oM+pgP48wySo+XEGHCM5OG7YNNiJ8xQ/J+CKCyLQV
=ZaKB
-----END PGP PUBLIC KEY BLOCK-----

@ -0,0 +1,20 @@
diff --git a/programs/ipsec/ipsec.in b/programs/ipsec/ipsec.in
index 40ff9f4138..41813b5258 100755
--- a/programs/ipsec/ipsec.in
+++ b/programs/ipsec/ipsec.in
@@ -758,7 +758,14 @@ ipsec_import() {
exit 1
fi
- pk12util -i "${pkcs12bundle}" -d "${IPSEC_NSSDIR_SQL}"
+ # First try blanc password to avoid uselessly prompting interactively
+ pk12util -i "${pkcs12bundle}" -d "${IPSEC_NSSDIR_SQL}" -W '' 2>/dev/null
+ # check for SEC_ERROR_BAD_PASSWORD
+ if [ $? -eq 18 ]; then
+ # Not the empty password
+ pk12util -i "${pkcs12bundle}" -d "${IPSEC_NSSDIR_SQL}"
+ fi
+
# check and correct trust bits
set_nss_db_trusts
exit 0

@ -0,0 +1,153 @@
From 4f2af7c8c3afaaa63e8e16467de3441622a5314d Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 21 May 2024 20:12:17 +0900
Subject: [PATCH] kernel_xfrm: record extended ack from netlink response
This enables pluto to log any error message reported through extended
ACK attributes[1] in a netlink response, to make diagnostic easier
when an error occurs. Suggested by Sabrina Dubroca.
1. https://docs.kernel.org/userspace-api/netlink/intro.html#ext-ack
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Signed-off-by: Andrew Cagney <cagney@gnu.org>
---
include/netlink_attrib.h | 4 +++
lib/libswan/netlink_attrib.c | 29 +++++++++++++++++++++
programs/pluto/kernel_xfrm.c | 49 ++++++++++++++++++++++++++++++++++++
3 files changed, 82 insertions(+)
diff --git a/include/netlink_attrib.h b/include/netlink_attrib.h
index 4c952ae3e9..fff35d83f1 100644
--- a/include/netlink_attrib.h
+++ b/include/netlink_attrib.h
@@ -46,4 +46,8 @@ void nl_addattrstrz(struct nlmsghdr *n, int maxlen, int type,
const char *str);
void nl_addattr32(struct nlmsghdr *n, int maxlen, int type, const uint32_t data);
+const struct nlattr *nl_getattr(const struct nlmsghdr *n, size_t *offset);
+const char *nl_getattrvalstrz(const struct nlmsghdr *n,
+ const struct nlattr *attr);
+
#endif
diff --git a/lib/libswan/netlink_attrib.c b/lib/libswan/netlink_attrib.c
index 34bb4bec83..ccc08cba8f 100644
--- a/lib/libswan/netlink_attrib.c
+++ b/lib/libswan/netlink_attrib.c
@@ -66,3 +66,32 @@ void nl_addattr32(struct nlmsghdr *n, int maxlen, int type, const uint32_t data)
{
nl_addattr_l(n, maxlen, type, &data, sizeof(uint32_t));
}
+
+const struct nlattr *nl_getattr(const struct nlmsghdr *n, size_t *offset)
+{
+ struct nlattr *attr = (void *)n + NLMSG_HDRLEN + NLMSG_ALIGN(*offset);
+ struct nlattr *tail = (void *)n + NLMSG_ALIGN(n->nlmsg_len);
+
+ if (attr == tail) {
+ return NULL;
+ }
+
+ *offset += NLA_ALIGN(attr->nla_len);
+ return attr;
+}
+
+const char *nl_getattrvalstrz(const struct nlmsghdr *n,
+ const struct nlattr *attr)
+{
+ struct nlattr *tail = (void *)n + NLMSG_ALIGN(n->nlmsg_len);
+
+ ptrdiff_t len = (void *)tail - (void *)attr;
+ if (len < (ptrdiff_t)sizeof(struct nlattr) ||
+ attr->nla_len <= sizeof(struct nlattr) ||
+ attr->nla_len > len ||
+ !memchr(attr + NLA_HDRLEN, '\0', attr->nla_len - NLA_HDRLEN)) {
+ return NULL;
+ }
+
+ return (void *)attr + NLA_HDRLEN;
+}
diff --git a/programs/pluto/kernel_xfrm.c b/programs/pluto/kernel_xfrm.c
index eed307f42b..25d1b16bc9 100644
--- a/programs/pluto/kernel_xfrm.c
+++ b/programs/pluto/kernel_xfrm.c
@@ -260,6 +260,22 @@ static void init_netlink(struct logger *logger)
"socket() in init_netlink()");
}
+#ifdef SOL_NETLINK
+ const int on = true;
+ if (setsockopt(nl_send_fd, SOL_NETLINK, NETLINK_CAP_ACK,
+ (const void *)&on, sizeof(on)) < 0) {
+ llog_errno(RC_LOG, logger, errno, "xfrm: setsockopt(NETLINK_CAP_ACK) failed: ");
+ } else {
+ ldbg(logger, "xfrm: setsockopt(NETLINK_CAP_ACK) ok");
+ }
+ if (setsockopt(nl_send_fd, SOL_NETLINK, NETLINK_EXT_ACK,
+ (const void *)&on, sizeof(on)) < 0) {
+ llog_errno(RC_LOG, logger, errno, "xfrm: setsockopt(NETLINK_EXT_ACK) failed: ");
+ } else {
+ ldbg(logger, "xfrm: setsockopt(NETLINK_EXT_ACK) ok");
+ }
+#endif
+
nl_xfrm_fd = cloexec_socket(AF_NETLINK, SOCK_DGRAM|SOCK_NONBLOCK, NETLINK_XFRM);
if (nl_xfrm_fd < 0) {
fatal_errno(PLUTO_EXIT_FAIL, logger, errno,
@@ -301,6 +317,37 @@ static void init_netlink(struct logger *logger)
}
}
+static void llog_ext_ack(lset_t rc_flags, struct logger *logger,
+ const struct nlmsghdr *n)
+{
+#ifdef SOL_NETLINK
+ if (n->nlmsg_type != NLMSG_ERROR ||
+ !(n->nlmsg_flags & NLM_F_ACK_TLVS)) {
+ return;
+ }
+
+ struct nlmsgerr *err = (void *)n + NLMSG_HDRLEN;
+ size_t offset = sizeof(*err);
+ if (!(n->nlmsg_flags & NLM_F_CAPPED)) {
+ offset += err->msg.nlmsg_len - NLMSG_HDRLEN;
+ }
+
+ for (const struct nlattr *attr = nl_getattr(n, &offset);
+ attr != NULL; attr = nl_getattr(n, &offset)) {
+ if ((attr->nla_type & NLA_TYPE_MASK) == NLMSGERR_ATTR_MSG) {
+ const char *msg = nl_getattrvalstrz(n, attr);
+ if (msg) {
+ llog(rc_flags, logger, "netlink ext_ack: %s",
+ msg);
+ }
+ }
+ }
+#else
+ /* use the arguments */
+ ldbg(logger, "ignoring "PRI_LSET" %p", rc_flags, n);
+#endif
+}
+
/*
* sendrecv_xfrm_msg()
*
@@ -403,6 +450,7 @@ static bool sendrecv_xfrm_msg(struct nlmsghdr *hdr,
if (rsp.u.e.error != 0) {
llog_error(logger, -rsp.u.e.error,
"netlink response for %s %s", description, story);
+ llog_ext_ack(RC_LOG, logger, &rsp.n);
return false;
}
/*
@@ -413,6 +461,7 @@ static bool sendrecv_xfrm_msg(struct nlmsghdr *hdr,
*/
dbg("netlink response for %s %s included non-error error",
description, story);
+ llog_ext_ack(DEBUG_STREAM, logger, &rsp.n);
/* ignore */
}
if (rbuf == NULL) {
--
2.45.2

@ -0,0 +1,52 @@
From 0b91406427cf7292d61900991fd665f076b6d43f Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 2 Jul 2024 20:37:07 +0900
Subject: [PATCH] tcp: call kernel_ops->poke_ipsec_policy_hole before connect
This fixes ondemand initiation with TCP. Without the policy hole, a
TCP handshake will not complete, as it cannot receive SYN-ACK packet
in plaintext and thus connect blocks until timeout.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Signed-off-by: Andrew Cagney <cagney@gnu.org>
---
programs/pluto/iface_tcp.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/programs/pluto/iface_tcp.c b/programs/pluto/iface_tcp.c
index c63e8bfe4d..55fe639174 100644
--- a/programs/pluto/iface_tcp.c
+++ b/programs/pluto/iface_tcp.c
@@ -473,6 +473,15 @@ struct iface_endpoint *connect_to_tcp_endpoint(struct iface_dev *local_dev,
return NULL;
}
+ /* This needs to be called before connect, so TCP handshake
+ * (in plaintext) completes. */
+ if (kernel_ops->poke_ipsec_policy_hole != NULL &&
+ !kernel_ops->poke_ipsec_policy_hole(fd, afi, logger)) {
+ /* already logged */
+ close(fd);
+ return NULL;
+ }
+
/*
* Connect
*
@@ -551,13 +560,6 @@ struct iface_endpoint *connect_to_tcp_endpoint(struct iface_dev *local_dev,
}
}
- if (kernel_ops->poke_ipsec_policy_hole != NULL &&
- !kernel_ops->poke_ipsec_policy_hole(fd, afi, logger)) {
- /* already logged */
- close(fd);
- return NULL;
- }
-
struct iface_endpoint *ifp =
alloc_iface_endpoint(fd, local_dev, &iketcp_iface_io,
/*esp_encapsulation_enabled*/true,
--
2.45.2

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
iQJHBAABCgAxFiEEkH55DyXB6OVhzXO1hf9LQ7MPxvkFAmYXR8ETHHRlYW1AbGli
cmVzd2FuLm9yZwAKCRCF/0tDsw/G+WmID/46LnJ04rvj7RBZDzZg1nUnZyquuWd+
vqGSFG54Ku5p62/JqL3+8Eu6dQ2o8DI1SJwMJFdaSFIwxNHTvZSr1wOwaSa+NQrI
y/zTSAdZP04P0SqqJyOQxqYFMAEoRZhRE1gD4+1KGlQwPKzAtHi+2sHlfVryZEuF
ZRRpuEcYrsdRneWxzRHKguDLb58b159yvt/HIQNOe7/BGnlq1rkBMgT0rD98A8Qb
EOeZh6TcV9OnW2qm4QcJ5fm0ihvZpO/h3gih4KopwZQa7fUJYUPVRrS2AO40MVIM
peq9/V+wD/+gthVh2eqtNzghGWxxwpZgBDQCmAUTr60QdCYeR2XsB/MGG5BJBs4m
zFgXqsSHnEVJisUxnynNIFhUECo2A0CbVTAZnqBWgGkSO82VLu7506eaxJcJW84s
QpNM7shHVdmV3lroqbJU2zBMKEHvCldFTDO2YTvfOV0Twytyn5gmT1sVqGiwdGpR
XhfoRWILy+ViExhv6ZTubIYc1c8yo5wCG1tAq2iYfdLIcZVvqZIWB5LCv0rN2iPl
0OrKo7bOQEmf7C+AL/LoAKWPpQeS79CYzwSKDfYHzE559yks0KPiTE5nLu8VrWH9
zDTJ+2Ket3Ve93cz7zdqWcD7+HfKN7CxBW/bfCrysldsEjDBmvMiUI46kwPI99Y2
w08DOHUAwSUgDg==
=nCeA
-----END PGP SIGNATURE-----

@ -0,0 +1,63 @@
From 13720e0dedcab1eaf3334a73a42b68581acd9f3b Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Fri, 7 Jan 2022 18:36:47 -0500
Subject: [PATCH] ikev1-policy defaults to drop
IKEv2 has been available for 16 years (RFC 4306 was published December
2005). At some point, we should be discouraging IKEv1 adoption.
To the extent that a user needs IKEv1, they can manually add
ikev1-policy=accept to /etc/ipsec.conf.
---
configs/d.ipsec.conf/ikev1-policy.xml | 7 ++++---
include/ipsecconf/keywords.h | 2 +-
lib/libipsecconf/confread.c | 1 +
programs/pluto/server.c | 5 -----
4 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/configs/d.ipsec.conf/ikev1-policy.xml b/configs/d.ipsec.conf/ikev1-policy.xml
index 17d1747e3b..3bd6702564 100644
--- a/configs/d.ipsec.conf/ikev1-policy.xml
+++ b/configs/d.ipsec.conf/ikev1-policy.xml
@@ -3,9 +3,10 @@
<listitem>
<para>
What to do with received IKEv1 packets. Valid options are
-<emphasis remap='B'>accept</emphasis> (default), <emphasis remap='B'>reject</emphasis> which
-will reply with an error, and <emphasis remap='B'>drop</emphasis> which will silently drop
-any received IKEv1 packet. If this option is set to drop or reject, an attempt to load an
+<emphasis remap='B'>drop</emphasis> (default) which will silently drop
+any received IKEv1 packet, <emphasis remap='B'>accept</emphasis>, and
+<emphasis remap='B'>reject</emphasis> which will reply with an error.
+If this option is set to drop or reject, an attempt to load an
IKEv1 connection will fail, as these connections would never be able to receive a packet
for processing.
</para>
diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
index 660847733c..31b519242a 100644
--- a/include/ipsecconf/keywords.h
+++ b/include/ipsecconf/keywords.h
@@ -111,7 +111,7 @@ enum keyword_numeric_config_field {
KBF_LISTEN_TCP, /* listen on TCP port 4500 - default no */
KBF_LISTEN_UDP, /* listen on UDP port 500/4500 - default yes */
- KBF_GLOBAL_IKEv1, /* global ikev1 policy - default accept */
+ KBF_GLOBAL_IKEv1, /* global ikev1 policy - default drop */
KBF_ROOF
};
diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
index 5b5aba723f..68fbccf442 100644
--- a/lib/libipsecconf/confread.c
+++ b/lib/libipsecconf/confread.c
@@ -95,6 +95,7 @@ static void ipsecconf_default_values(struct starter_config *cfg)
/* Don't inflict BSI requirements on everyone */
SOPT(KBF_SEEDBITS, 0);
SOPT(KBF_DROP_OPPO_NULL, false);
+ SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);
#ifdef HAVE_LABELED_IPSEC
SOPT(KBF_SECCTX, SECCTX);
--
2.34.1

@ -0,0 +1,588 @@
## START: Set by rpmautospec
## (rpmautospec version 0.6.5)
## RPMAUTOSPEC: autorelease, autochangelog
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
release_number = 5;
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
## END: Set by rpmautospec
%global _hardened_build 1
# These are rpm macros and are 0 or 1
%global with_efence 0
%global with_development 0
%global with_cavstests 1
%global nss_version 3.52
%global unbound_version 1.6.6
# Libreswan config options
%global libreswan_config \\\
FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
FINALMANDIR=%{_mandir} \\\
PREFIX=%{_prefix} \\\
INITSYSTEM=systemd \\\
SHELL_BINARY=%{_bindir}/sh \\\
USE_DNSSEC=true \\\
USE_LABELED_IPSEC=true \\\
USE_LDAP=true \\\
USE_LIBCAP_NG=true \\\
USE_LIBCURL=true \\\
USE_LINUX_AUDIT=true \\\
USE_NM=true \\\
USE_NSS_IPSEC_PROFILE=true \\\
USE_SECCOMP=true \\\
USE_AUTHPAM=true \\\
%{nil}
#global prever dr1
Name: libreswan
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
# version is generated in the release script
Version: 4.15
Release: %autorelease
# The code in lib/libswan/nss_copies.c is under MPL-2.0, while the
# rest is under GPL-2.0-or-later
License: GPL-2.0-or-later AND MPL-2.0
Url: https://libreswan.org/
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
Source1: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz.asc
Source2: https://download.libreswan.org/LIBRESWAN-OpenPGP-KEY.txt
%if 0%{with_cavstests}
Source3: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
Source4: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
Source5: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif
Patch1: libreswan-4.15-ipsec_import.patch
Patch2: libreswan-4.6-ikev1-policy-defaults-to-drop.patch
Patch3: libreswan-4.15-ondemand-tcp.patch
Patch4: libreswan-4.15-netlink-extack.patch
BuildRequires: audit-libs-devel
BuildRequires: bison
BuildRequires: curl-devel
BuildRequires: flex
BuildRequires: gcc
BuildRequires: gnupg2
BuildRequires: hostname
BuildRequires: ldns-devel
BuildRequires: libcap-ng-devel
BuildRequires: libevent-devel
BuildRequires: libseccomp-devel
BuildRequires: libselinux-devel
BuildRequires: make
BuildRequires: nspr-devel
BuildRequires: nss-devel >= %{nss_version}
BuildRequires: nss-tools >= %{nss_version}
BuildRequires: openldap-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: systemd
BuildRequires: systemd-devel
BuildRequires: systemd-rpm-macros
BuildRequires: unbound-devel >= %{unbound_version}
BuildRequires: xmlto
%if 0%{with_efence}
BuildRequires: ElectricFence
%endif
Requires: iproute >= 2.6.8
Requires: nss >= %{nss_version}
Requires: nss-softokn
Requires: nss-tools
Requires: unbound-libs >= %{unbound_version}
Requires: logrotate
# for pidof
Requires: procps-ng
Requires(post): bash
Requires(post): coreutils
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
%description
Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is
the Internet Protocol Security and uses strong cryptography to provide
both authentication and encryption services. These services allow you
to build secure tunnels through untrusted networks. Everything passing
through the untrusted net is encrypted by the ipsec gateway machine and
decrypted by the gateway at the other end of the tunnel. The resulting
tunnel is a virtual private network or VPN.
This package contains the daemons and userland tools for setting up
Libreswan.
Libreswan also supports IKEv2 (RFC7296) and Secure Labeling
Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
%prep
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%setup -q -n libreswan-%{version}%{?prever}
# enable crypto-policies support
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
%ifarch s390x
# throws error on s390x
sed -i "s/SUBDIRS += hunkcheck/#SUBDIRS += hunkcheck/" testing/programs/Makefile
%endif
%autopatch -p1
%build
%make_build \
%if 0%{with_development}
OPTIMIZE_CFLAGS="%{?_hardened_cflags}" \
%else
OPTIMIZE_CFLAGS="%{optflags}" \
%endif
WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch -Wno-maybe-uninitialized" \
%if 0%{with_efence}
USE_EFENCE=true \
%endif
USERLINK="%{?__global_ldflags} -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -flto --no-lto" \
%{libreswan_config} \
programs
FS=$(pwd)
%install
%make_install \
%{libreswan_config} \
FS=$(pwd)
rm -rf %{buildroot}/usr/share/doc/libreswan
rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
# avoids python depency and are old / aging tools that are not very useful
rm -rf %{buildroot}%{_libexecdir}/ipsec/show
rm -rf %{buildroot}%{_libexecdir}/ipsec/verify
install -d -m 0755 %{buildroot}%{_rundir}/pluto
install -d %{buildroot}%{_sbindir}
install -d %{buildroot}%{_sysctldir}
install -m 0644 packaging/fedora/libreswan-sysctl.conf \
%{buildroot}%{_sysctldir}/50-libreswan.conf
echo "include %{_sysconfdir}/ipsec.d/*.secrets" \
> %{buildroot}%{_sysconfdir}/ipsec.secrets
rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
%if 0%{with_cavstests}
%check
# There is an elaborate upstream testing infrastructure which we do not
# run here - it takes hours and uses kvm
# We only run the CAVS tests and startup selftest
cp %{SOURCE3} %{SOURCE4} %{SOURCE5} .
bunzip2 *.fax.bz2
: starting CAVS test for IKEv2
%{buildroot}%{_libexecdir}/ipsec/cavp -v2 ikev2.fax | \
diff -u ikev2.fax - > /dev/null
: starting CAVS test for IKEv1 RSASIG
%{buildroot}%{_libexecdir}/ipsec/cavp -v1dsa ikev1_dsa.fax | \
diff -u ikev1_dsa.fax - > /dev/null
: starting CAVS test for IKEv1 PSK
%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
diff -u ikev1_psk.fax - > /dev/null
: CAVS tests passed
%endif
# Some of these tests will show ERROR for negative testing - it will exit on real errors
%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; }
%{buildroot}%{_libexecdir}/ipsec/algparse -ta || { echo algorithm test failed; exit 1; }
: Algorithm parser tests passed
# self test for pluto daemon - this also shows which algorithms it allows in FIPS mode
tmpdir=$(mktemp -d /tmp/libreswan-XXXXX)
certutil -N -d sql:$tmpdir --empty-password
%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir
: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST
%post
%systemd_post ipsec.service
%sysctl_apply 50-libreswan.conf
%preun
%systemd_preun ipsec.service
%postun
%systemd_postun_with_restart ipsec.service
%files
%doc CHANGES COPYING CREDITS README* LICENSE
%doc docs/*.* docs/examples
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ipsec.secrets
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d/policies
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
%attr(0644,root,root) %config(noreplace) %{_sysctldir}/50-libreswan.conf
%attr(0755,root,root) %dir %{_rundir}/pluto
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec
%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec/nss
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
%attr(0644,root,root) %{_unitdir}/ipsec.service
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
%{_sbindir}/ipsec
%{_libexecdir}/ipsec
%doc %{_mandir}/*/*
%changelog
## START: Generated by rpmautospec
* Tue Aug 06 2024 Daiki Ueno <dueno@redhat.com> - 4.15-5
- Make use of Netlink extack for additional error reporting
* Tue Aug 06 2024 Daiki Ueno <dueno@redhat.com> - 4.15-4
- Fix auto=ondemand connection initialization with TCP
* Tue Aug 06 2024 Daiki Ueno <dueno@redhat.com> - 4.15-3
- Re-introduce libreswan-4.6-ikev1-policy-defaults-to-drop.patch
* Thu Jun 27 2024 Paul Wouters <paul.wouters@aiven.io> - 4.15-2
- Add libreswan-4.15-ipsec_import.patch
* Thu Jun 27 2024 Paul Wouters <paul.wouters@aiven.io> - 4.15-1
- Update libreswan to 4.15 for CVE-2024-3652
- Resolves rhbz#2274448 CVE-2024-3652 libreswan: IKEv1 default AH/ESP
responder can crash and restart
- Allow "ipsec import" to try importing PKCS#12 non-interactively if there
is no password
* Thu Jun 27 2024 Paul Wouters <paul.wouters@aiven.io> - 4.14-1
- Update to 4.14 for CVE-2024-2357
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 4.12-3.3
- Bump release for June 2024 mass rebuild
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.12-3.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.12-3.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Sep 08 2023 Paul Wouters <paul.wouters@aiven.io> - 4.12-3
- Update libcap-ng patch, fix email addresses in changelog
* Tue Sep 05 2023 Paul Wouters <paul.wouters@aiven.io> - 4.12-2
- Remove ipsec show and ipsec verify sub commands (not very useful, causes python requirement)
- Patch for handling libcap-ng return values and fix capng_apply() call
* Fri Aug 11 2023 Paul Wouters <paul.wouters@aiven.io> - 4.12-1
- Update to 4.12 for CVE-2023-38710, CVE-2023-38711 and CVE-2023-38712
- Resolves: rhbz#2230225 libreswan-4.12 is available
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.11-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu May 04 2023 Paul Wouters <paul.wouters@aiven.io> - 4.11-1
- Update to 4.11 for CVE-2023-30570
* Wed Mar 01 2023 Paul Wouters <paul.wouters@aiven.io> - 4.10-1
- Update to 4.10 for CVE-2023-23009
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.9-2.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Tue Jan 10 2023 Paul Wouters <paul.wouters@aiven.io> - 4.9-2
- Use new GPG key location.
* Thu Oct 13 2022 Paul Wouters <paul.wouters@aiven.io> - 4.9-1
- Update to 4.9 (maxbytes/maxpackets support, raw ECDSA support, misc fixes)
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.7-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Tue May 24 2022 Paul Wouters <paul.wouters@aiven.io> - 4.7-1
- Updated to 4.7 (EAPTLS support, bugfixes)
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.6-2.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Jan 13 2022 Paul Wouters <paul.wouters@aiven.io> - 4.6-2
- Re-enable USE_DNSSEC again with patch to resolve header conflicts
* Wed Jan 12 2022 Paul Wouters <paul.wouters@aiven.io> - 4.6-1
- Resolves: CVE-2022-23094
- Resolves: rhbz#2039604 libreswan-4.6 is available
- Add gpg key and signature check for build
- Temporarilly disable USE_DNSSEC in rawhide while we figure out openssl vs nss include clash
* Thu Aug 26 2021 Paul Wouters <paul.wouters@aiven.io> - 4.5-1
- Resolves rhbz#1996250 libreswan-4.5 is available
* Tue Aug 03 2021 Paul Wouters <paul.wouters@aiven.io> - 4.4-3
- Resolves rhbz#1989198 libreswan should depend on procps-ng or pidof
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.4-2.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Mon Jun 07 2021 Paul Wouters <paul.wouters@aiven.io> - 4.4-2
- Properly handle rpm sysctl config
* Wed May 12 2021 Paul Wouters <paul.wouters@aiven.io> - 4.4-1
- Resolves: rhbz#1952602 libreswan-4.4 is available
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 4.3-1.1
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Sun Feb 21 2021 Paul Wouters <pwouters@redhat.com> - 4.3-1
- update to 4.3 (minor bugfix release)
* Wed Feb 03 2021 Paul Wouters <pwouters@redhat.com> - 4.2-1
- Update to 4.2
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.2-0.1.rc1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Sat Dec 19 19:59:55 EST 2020 Paul Wouters <pwouters@redhat.com> - 4.2-0.1.rc1
- Resolves: rhbz#1867580 pluto process frequently dumps core
(disable USE_NSS_KDF until nss fixes have propagated)
* Sat Dec 19 2020 Adam Williamson <awilliam@redhat.com> - 4.1-4
- Rebuild for ldns soname bump
* Mon Nov 23 11:50:41 EST 2020 Paul Wouters <pwouters@redhat.com> - 4.1-3
- Resolves: rhbz#1894381 Libreswan 4.1-2 breaks l2tp connection to Windows VPN server
* Mon Oct 26 10:21:57 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.1-2
- Resolves: rhbz#1889538 libreswan's /var/lib/ipsec/nss missing
* Sun Oct 18 21:49:39 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.1-1
- Updated to 4.1 - interop fix for Cisco
* Thu Oct 15 10:27:14 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.0-1
- Resolves: rhbz#1888448 libreswan-4.0 is available
* Wed Sep 30 14:05:58 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.0-0.2.rc1
- Rebuild for libevent 2.1.12 with a soname bump
* Sun Sep 27 22:49:40 EDT 2020 Paul Wouters <pwouters@redhat.com> - 4.0-0.1.rc1
- Updated to 4.0rc1
* Thu Aug 27 2020 Paul Wouters <pwouters@redhat.com> - 3.32-4
- Resolves: rhbz#1864043 libreswan: FTBFS in Fedora rawhide/f33
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.32-3.2
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.32-3.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jun 30 2020 Jeff Law <law@redhat.com> - 3.32-3
- Initialize ppk_id_p in ikev2_parent_inR1outI2_tail to avoid uninitialized
object
* Tue May 26 2020 Paul Wouters <pwouters@redhat.com> - 3.32-2
- Backport NSS guarding fix for unannounced changed api in NSS causing segfault
* Mon May 11 2020 Paul Wouters <pwouters@redhat.com> - 3.32-1
- Resolves: rhbz#1809770 libreswan-3.32 is available
* Tue Apr 14 2020 Paul Wouters <pwouters@redhat.com> - 3.31-2
- Resolves: rhbz#1823823 Please drop the dependency on fipscheck
* Tue Mar 03 2020 Paul Wouters <pwouters@redhat.com> - 3.31-1
- Resolves: rhbz#1809770 libreswan-3.31 is available (fixes rekey regression)
* Fri Feb 14 2020 Paul Wouters <pwouters@redhat.com> - 3.30-1
- Resolves: rhbz#1802896 libreswan-3.30 is available
- Resolves: rhbz#1799598 libreswan: FTBFS in Fedora rawhide/f32
- Resolves: rhbz#1760571 [abrt] libreswan: configsetupcheck(): verify:366:configsetupcheck:TypeError:
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.29-2.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jan 09 2020 Paul Wouters <pwouters@redhat.com> - 3.29-2
- _updown.netkey: fix syntax error in checking routes
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.29-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Jun 10 2019 Paul Wouters <pwouters@redhat.com> - 3.29-1
- Resolves: rhbz#1718986 Updated to 3.29 for CVE-2019-10155
* Tue May 21 2019 Paul Wouters <pwouters@redhat.com> - 3.28-1
- Updated to 3.28 (many imported bugfixes, including CVE-2019-12312)
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.27-1.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 3.27-1.1
- Rebuilt for libcrypt.so.2 (#1666033)
* Mon Oct 08 2018 Paul Wouters <pwouters@redhat.com> - 3.27-1
- Updated to 3.27 (various bugfixes)
* Thu Sep 27 2018 Paul Wouters <pwouters@redhat.com> - 3.26-3
- Add fedora python fixup for _unbound-hook
* Mon Sep 17 2018 Paul Wouters <pwouters@redhat.com> - 3.26-2
- linking against freebl is no longer needed (and wasn't done in 3.25)
* Mon Sep 17 2018 Paul Wouters <pwouters@redhat.com> - 3.26-1
- Updated to 3.26 (CHACHA20POLY1305, ECDSA and RSA-PSS support)
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.25-3.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Jul 09 2018 Paul Wouters <pwouters@redhat.com> - 3.25-3
- Fix Opportunistic IPsec _unbound-hook argument parsing
- Make rundir readable for all (so we can hand out permissions later)
* Mon Jul 02 2018 Paul Wouters <pwouters@redhat.com> - 3.25-2
- Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors
* Wed Jun 27 2018 Paul Wouters <pwouters@redhat.com> - 3.25-1
- Updated to 3.25
* Mon Feb 19 2018 Paul Wouters <pwouters@redhat.com> - 3.23-2
- Support crypto-policies package
- Pull in some patches from upstream and IANA registry updates
- gcc7 format-truncate fixes and workarounds
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.23-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Jan 25 2018 Paul Wouters <pwouters@redhat.com> - 3.23-1
- Updated to 3.23 - support for MOBIKE, PPK, CMAC, nic offload and performance improvements
* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 3.22-1.1
- Rebuilt for switch to libxcrypt
* Mon Oct 23 2017 Paul Wouters <pwouters@redhat.com> - 3.22-1
- Updated to 3.22 - many bugfixes, and unbound ipsecmod support
* Wed Aug 9 2017 Paul Wouters <pwouters@redhat.com> - 3.21-1
- Updated to 3.21
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.20-1.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.20-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Tue Mar 14 2017 Paul Wouters <pwouters@redhat.com> - 3.20-1
- Updated to 3.20
* Fri Mar 03 2017 Paul Wouters <pwouters@redhat.com> - 3.20-0.1.dr4
- Update to 3.20dr4 to test mozbz#1336487 export CERT_CompareAVA
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.19-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Feb 03 2017 Paul Wouters <pwouters@redhat.com> - 3.19-2
- Resolves: rhbz#1392191 libreswan: crash when OSX client connects
- Improved uniqueid and session replacing support
- Test Buffer warning fix on size_t
- Re-introduce --configdir for backwards compatibility
* Sun Jan 15 2017 Paul Wouters <pwouters@redhat.com> - 3.19-1
- Updated to 3.19 (see download.libreswan.org/CHANGES)
* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 3.18-1.1
- Rebuild for Python 3.6
* Fri Jul 29 2016 Paul Wouters <pwouters@redhat.com> - 3.18-1
- Updated to 3.18 for CVE-2016-5391 rhbz#1361164 and VTI support
- Remove support for /etc/sysconfig/pluto (use native systemd instead)
* Thu May 05 2016 Paul Wouters <pwouters@redhat.com> - 3.17-2
- Resolves: rhbz#1324956 prelink is gone, /etc/prelink.conf.d/* is no longer used
* Thu Apr 07 2016 Paul Wouters <pwouters@redhat.com> - 3.17-1
- Updated to 3.17 for CVE-2016-3071
- Disable LIBCAP_NG as it prevents unbound-control from working properly
- Temporarilly disable WERROR due to a few minor known issues
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3.16-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Fri Dec 18 2015 Paul Wouters <pwouters@redhat.com> - 3.16-1
- Updated to 3.16 (see https://download.libreswan.org/CHANGES)
* Tue Aug 11 2015 Paul Wouters <pwouters@redhat.com> - 3.15-1
- Updated to 3.15 (see http://download.libreswan.org/CHANGES)
- Resolves: rhbz#CVE-2015-3240 IKE daemon restart when receiving a bad DH gx
- NSS database creation moved from spec file to service file
- Run CAVS tests on package build
- Added BuildRequire systemd-units and xmlto
- Bumped minimum required nss to 3.16.1
- Install tmpfiles
- Install sysctl file
- Update doc files to include
* Mon Jul 13 2015 Paul Wouters <pwouters@redhat.com> - 3.13-2
- Resolves: rhbz#1238967 Switch libreswan to use python3
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.13-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Mon Jun 01 2015 Paul Wouters <pwouters@redhat.com> - 3.13-1
- Updated to 3.13 for CVE-2015-3204
* Fri Nov 07 2014 Paul Wouters <pwouters@redhat.com> - 3.12-1
- Updated to 3.12 Various IKEv2 fixes
* Wed Oct 22 2014 Paul Wouters <pwouters@redhat.com> - 3.11-1
- Updated to 3.11 (many fixes, including startup fixes)
- Resolves: rhbz#1144941 libreswan 3.10 upgrade breaks old ipsec.secrets configs
- Resolves: rhbz#1147072 ikev1 aggr mode connection fails after libreswan upgrade
- Resolves: rhbz#1144831 Libreswan appears to start with systemd before all the NICs are up and running
* Tue Sep 09 2014 Paul Wouters <pwouters@redhat.com> - 3.10-3
- Fix some coverity issues, auto=route on bootup and snprintf on 32bit machines
* Mon Sep 01 2014 Paul Wouters <pwouters@redhat.com> - 3.10-1
- Updated to 3.10, major bugfix release, new xauth status options
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.9-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Thu Jul 10 2014 Paul Wouters <pwouters@redhat.com> - 3.9-1
- Updated to 3.9. IKEv2 enhancements, ESP/IKE algo enhancements
- Mark libreswan-fips.conf as config file
- attr modifier for man pages no longer needed
- BUGS file no longer exists upstream
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.8-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sat Jan 18 2014 Paul Wouters <pwouters@redhat.com> - 3.8-1
- Updated to 3.8, fixes rhbz#CVE-2013-6467 (rhbz#1054102)
* Wed Dec 11 2013 Paul Wouters <pwouters@redhat.com> - 3.7-1
- Updated to 3.7, fixes CVE-2013-4564
- Fixes creating a bogus NSS db on startup (rhbz#1005410)
* Thu Oct 31 2013 Paul Wouters <pwouters@redhat.com> - 3.6-1
- Updated to 3.6 (IKEv2, MODECFG, Cisco interop fixes)
- Generate empty NSS db if none exists
* Mon Aug 19 2013 Paul Wouters <pwouters@redhat.com> - 3.5-3
- Add a Provides: for openswan-doc
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.5-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Mon Jul 15 2013 Paul Wouters <pwouters@redhat.com> - 3.5-2
- Added interop patch for (some?) Cisco VPN clients sending 16 zero
bytes of extraneous IKE data
- Removed fipscheck_version
* Sat Jul 13 2013 Paul Wouters <pwouters@redhat.com> - 3.5-1
- Updated to 3.5
* Thu Jun 06 2013 Paul Wouters <pwouters@redhat.com> - 3.4-1
- Updated to 3.4, which only contains style changes to kernel coding style
- IN MEMORIAM: June 3rd, 2013 Hugh Daniel
* Mon May 13 2013 Paul Wouters <pwouters@redhat.com> - 3.3-1
- Updated to 3.3, which resolves CVE-2013-2052
* Sat Apr 13 2013 Paul Wouters <pwouters@redhat.com> - 3.2-1
- Initial package for Fedora
## END: Generated by rpmautospec
Loading…
Cancel
Save