From 4d88725f407d2d75897267783af79423c657b018 Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Jul 29 2020 21:53:58 +0000
Subject: upstream message: Important Note: The development of ipsec-tools has been ABANDONED. ipsec-tools has security issues, and you should not use it. Please switch to a secure alternative
---
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 2d0af59..0000000
--- a/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-ipsec-tools-0.7.3.tar.bz2
-/ipsec-tools-0.8.0.tar.bz2
-/ipsec-tools-0.8.1.tar.bz2
-/ipsec-tools-0.8.2.tar.bz2
diff --git a/dead.package b/dead.package
new file mode 100644
index 0000000..a8bc488
--- /dev/null
+++ b/dead.package
@@ -0,0 +1 @@
+upstream message: Important Note: The development of ipsec-tools has been ABANDONED. ipsec-tools has security issues, and you should not use it. Please switch to a secure alternative
diff --git a/ifdown-ipsec b/ifdown-ipsec
deleted file mode 100755
index 23c5e72..0000000
--- a/ifdown-ipsec
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/bin/bash
-PATH=/sbin:/usr/sbin/:/bin:/usr/bin
-
-cd /etc/sysconfig/network-scripts
-. ./network-functions
-
-CONFIG=$1
-[ -f "${CONFIG}" ] || CONFIG=ifcfg-${1}
-source_config
-
-if [ -n "$KEY_AH" -o -n "$KEY_ESP" ]; then
- KEYING=manual
-fi
-
-
-if [ -n "$IKE_PSK" ]; then
- KEYING=automatic
- IKE_METHOD=PSK
-fi
-
-if [ -n "$IKE_CERTFILE" ]; then
- KEYING=automatic
- IKE_METHOD=X509
-fi
-
-if [ -n "$IKE_PEER_CERTFILE" ]; then
- KEYING=automatic
- IKE_METHOD=X509
-fi
-
-if [ -n "$IKE_DNSSEC" ]; then
- KEYING=automatic
- IKE_METHOD=X509
-fi
-if [ -n "$RSA_KEY" ]; then
- KEYING=automatic
- IKE_METHOD=RSA
-fi
-
-[ -n "$IKE_METHOD" ] && KEYING=automatic
-[ -z "$KEYING" ] && KEYING=manual
-
-if [ -z "$SRC" ]; then
- SRC=$(ip -o route get to $DST | sed "s|.*src \([^ ]*\).*|\1|")
-fi
-
-if [ -n "$SRCNET" -o -n "$DSTNET" ]; then
- MODE=tunnel
- [ -z "$SRCNET" ] && SRCNET="$SRC/32"
- [ -z "$DSTNET" ] && DSTNET="$DST/32"
- SPD_SRC=$SRCNET
- SPD_DST=$DSTNET
- # If SRCNET is a subnet of DSTNET, exclude SRCNET<->SRCNET communication
- if [ "${SRCNET##*/}" -gt "${DSTNET##*/}" ] \
- && [ "$(ipcalc -n "${SRCNET%%/*}/${DSTNET##*/}")" \
- = "NETWORK=${DSTNET%%/*}" ]; then
- EXCLUDE_SRCNET=yes
- fi
- [ -z "$SRCGW" ] && SRCGW=$(ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|")
- ip route del to $DSTNET via $SRCGW src $SRCGW
-else
- MODE=transport
- SPD_SRC=$SRC
- SPD_DST=$DST
- unset EXCLUDE_SRCNET
-fi
-
-setkey -c << EOF
-${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;}
-${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;}
-${SPI_ESP_OUT:+delete $SRC $DST esp $SPI_ESP_OUT;}
-${SPI_ESP_IN:+delete $DST $SRC esp $SPI_ESP_IN;}
-spddelete $SPD_SRC $SPD_DST any -P out;
-spddelete $SPD_DST $SPD_SRC any -P in;
-${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P out;}
-${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P in;}
-EOF
-
-if [ "$KEYING" = "automatic" -a -n "$IKE_METHOD" ]; then
- racoontmp=$(mktemp /etc/racoon/racoon.XXXXXX)
- grep -v "^include \"/etc/racoon/$DST.conf\";" /etc/racoon/racoon.conf >> $racoontmp
- mv -f $racoontmp /etc/racoon/racoon.conf
- /usr/bin/systemctl reload-or-restart racoon.service
-fi
-
-/etc/sysconfig/network-scripts/ifdown-post $CONFIG
diff --git a/ifup-ipsec b/ifup-ipsec
deleted file mode 100755
index 8b44a8c..0000000
--- a/ifup-ipsec
+++ /dev/null
@@ -1,303 +0,0 @@
-#!/bin/sh
-#
-# ifup-ipsec
-#
-# Brings up ipsec interfaces
-
-handle_keys() {
- [ -z "$KEY_AH_IN" -a -n "$KEY_AH" ] && KEY_AH_IN=$KEY_AH
- [ -z "$KEY_AH_OUT" -a -n "$KEY_AH" ] && KEY_AH_OUT=$KEY_AH
- [ -z "$KEY_ESP_IN" -a -n "$KEY_ESP" ] && KEY_ESP_IN=$KEY_ESP
- [ -z "$KEY_ESP_OUT" -a -n "$KEY_ESP" ] && KEY_ESP_OUT=$KEY_ESP
- [ -z "$KEY_AESP_IN" -a -n "$KEY_AESP" ] && KEY_AESP_IN=$KEY_AESP
- [ -z "$KEY_AESP_OUT" -a -n "$KEY_AESP" ] && KEY_AESP_OUT=$KEY_AESP
-
- [ -n "$KEY_AH_IN" -a "$KEY_AH_IN" = "${KEY_AH_IN##0x}" ] \
- && KEY_AH_IN=\"$KEY_AH_IN\"
- [ -n "$KEY_AH_OUT" -a "$KEY_AH_OUT" = "${KEY_AH_OUT##0x}" ] \
- && KEY_AH_OUT=\"$KEY_AH_OUT\"
- [ -n "$KEY_ESP_IN" -a "$KEY_ESP_IN" = "${KEY_ESP_IN##0x}" ] \
- && KEY_ESP_IN=\"$KEY_ESP_IN\"
- [ -n "$KEY_ESP_OUT" -a "$KEY_ESP_OUT" = "${KEY_ESP_OUT##0x}" ] \
- && KEY_ESP_OUT=\"$KEY_ESP_OUT\"
- [ -n "$KEY_AESP_IN" -a "$KEY_AESP_IN" = "${KEY_AESP_IN##0x}" ] \
- && KEY_AESP_IN=\"$KEY_AESP_IN\"
- [ -n "$KEY_AESP_OUT" -a "$KEY_AESP_OUT" = "${KEY_AESP_OUT##0x}" ] \
- && KEY_AESP_OUT=\"$KEY_AESP_OUT\"
-}
-
-query_route() {
- local attr=$1
- shift
- ip -o route "$@" | sed "s|.*$attr \([^ ]*\).*|\1|"
-}
-
-get_route() {
- query_route src get to $1
-}
-
-. /etc/init.d/functions
-cd /etc/sysconfig/network-scripts
-. ./network-functions
-
-CONFIG=$1
-[ -f "${CONFIG}" ] || CONFIG=ifcfg-${1}
-source_config
-
-handle_keys
-
-if [ -n "$KEY_AH" -o -n "$KEY_ESP" ]; then
- KEYING=manual
-fi
-
-
-if [ -n "$IKE_PSK" ]; then
- KEYING=automatic
- IKE_METHOD=PSK
-fi
-
-if [ -n "$IKE_CERTFILE" ]; then
- KEYING=automatic
- IKE_METHOD=X509
-fi
-
-if [ -n "$IKE_PEER_CERTFILE" ]; then
- KEYING=automatic
- IKE_METHOD=X509
-fi
-
-if [ -n "$IKE_DNSSEC" ]; then
- KEYING=automatic
- IKE_METHOD=X509
-fi
-
-[ -n "$IKE_METHOD" ] && KEYING=automatic
-[ -z "$KEYING" ] && KEYING=manual
-
-if [ -z "$SRC" ]; then
- SRC=$(get_route $DST)
-fi
-
-if [ -n "$SRCNET" -o -n "$DSTNET" ]; then
- TUNNEL_MODE=yes
- MODE=tunnel
- [ -z "$SRCNET" ] && SRCNET="$SRC/32"
- [ -z "$DSTNET" ] && DSTNET="$DST/32"
- SPD_SRC=$SRCNET
- SPD_DST=$DSTNET
- # If SRCNET is a subnet of DSTNET, exclude SRCNET<->SRCNET communication
- if [ "${SRCNET##*/}" -gt "${DSTNET##*/}" ] \
- && [ "$(ipcalc -n "${SRCNET%%/*}/${DSTNET##*/}")" \
- = "NETWORK=${DSTNET%%/*}" ]; then
- EXCLUDE_SRCNET=yes
- fi
- [ -z "$SRCGW" ] && SRCGW=$(get_route $SRCNET)
- ROUTE="to $DSTNET via $SRCGW src $SRCGW"
- ip route add $ROUTE
- for dev in all $(query_route dev list $ROUTE); do
- sysctl -w net.ipv4.conf.$dev.send_redirects=0 > /dev/null
- done
-else
- unset TUNNEL_MODE
- MODE=transport
- SPD_SRC=$SRC
- SPD_DST=$DST
- unset EXCLUDE_SRCNET
-fi
-
-unset SPD_AH_IN SPD_AH_OUT SPD_ESP_IN SPD_ESP_OUT
-if [ "$KEYING" = "manual" ]; then
- [ -z "$AH_PROTO" ] && AH_PROTO=hmac-sha1
- [ -z "$ESP_PROTO" ] && ESP_PROTO=3des-cbc
- [ -z "$AESP_PROTO" ] && AESP_PROTO=hmac-sha1
-
- [ -n "$KEY_AH_IN" ] && SPD_AH_IN=yes
- [ -n "$KEY_AH_OUT" ] && SPD_AH_OUT=yes
- [ -n "$KEY_ESP_IN" ] && SPD_ESP_IN=yes
- [ -n "$KEY_ESP_OUT" ] && SPD_ESP_OUT=yes
-else
- [ -z "$IKE_DHGROUP" ] && IKE_DHGROUP=2
- [ -z "$AH_PROTO" ] && AH_PROTO=sha1
- [ -z "$ESP_PROTO" ] && ESP_PROTO=3des
- [ -z "$IKE_AUTH" ] && IKE_AUTH=$AH_PROTO
- [ -z "$IKE_ENC" ] && IKE_ENC=$ESP_PROTO
- [ "$IKE_AUTH" = "none" ] && IKE_AUTH=sha1
- [ "$IKE_ENC" = "none" ] && IKE_ENC=3des
-
- SPD_AH_IN=yes
- SPD_AH_OUT=yes
- SPD_ESP_IN=yes
- SPD_ESP_OUT=yes
-fi
-
-if [ "$AH_PROTO" = "none" ]; then
- unset SPI_AH_IN SPI_AH_OUT KEY_AH_IN KEY_AH_OUT SPD_AH_IN SPD_AH_OUT
-fi
-if [ "$ESP_PROTO" = "none" ]; then
- unset SPI_ESP_IN SPI_ESP_OUT KEY_ESP_IN KEY_ESP_OUT SPD_ESP_IN SPD_ESP_OUT
-fi
-
-/sbin/setkey -c >/dev/null 2>&1 << EOF
-${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;}
-${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;}
-${SPI_ESP_OUT:+delete $SRC $DST esp $SPI_ESP_OUT;}
-${SPI_ESP_IN:+delete $DST $SRC esp $SPI_ESP_IN;}
-spddelete $SPD_SRC $SPD_DST any -P out;
-spddelete $SPD_DST $SPD_SRC any -P in;
-${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P out;}
-${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P in;}
-EOF
-
-# ESP
-if [ "$ESP_PROTO" != "none" ]; then
- /sbin/setkey -c >/dev/null 2>&1 << EOF
- ${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN ${TUNNEL_MODE:+-m tunnel} \
- -E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN \
- ${KEY_AESP_IN:+-A ${AESP_PROTO_IN:-$AESP_PROTO} $KEY_AESP_IN}
- ;}
- ${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT ${TUNNEL_MODE:+-m tunnel} \
- -E ${ESP_PROTO_OUT:-$ESP_PROTO} $KEY_ESP_OUT \
- ${KEY_AESP_OUT:+-A ${AESP_PROTO_OUT:-$AESP_PROTO} $KEY_AESP_OUT}
- ;}
-EOF
-fi
-
-# AH
-if [ "$AH_PROTO" != "none" ]; then
- /sbin/setkey -c >/dev/null 2>&1 << EOF
- ${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;}
- ${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;}
-EOF
-fi
-
-/sbin/setkey -c >/dev/null 2>&1 << EOF
-${EXCLUDE_SRCNET:+spdadd $SPD_SRC $SPD_SRC any -P out none;}
-${EXCLUDE_SRCNET:+spdadd $SPD_SRC $SPD_SRC any -P in none;}
-EOF
-
-# This looks weird but if you use both ESP and AH you need to configure them together, not seperately.
-if [ "$ESP_PROTO" != "none" ] && [ "$AH_PROTO" != "none" ]; then
-/sbin/setkey -c >/dev/null 2>&1 << EOF
-spdadd $SPD_SRC $SPD_DST any -P out ipsec
- ${SPD_ESP_OUT:+esp/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}
- ${SPD_AH_OUT:+ah/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}
- ;
-
-spdadd $SPD_DST $SPD_SRC any -P in ipsec
- ${SPD_ESP_IN:+esp/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}
- ${SPD_AH_IN:+ah/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}
- ;
-EOF
-elif [ "$AH_PROTO" = "none" ]; then
-/sbin/setkey -c >/dev/null 2>&1 << EOF
-spdadd $SPD_SRC $SPD_DST any -P out ipsec
- ${SPD_ESP_OUT:+esp/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}
- ;
-
-spdadd $SPD_DST $SPD_SRC any -P in ipsec
- ${SPD_ESP_IN:+esp/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}
- ;
-EOF
-elif [ "$ESP_PROTO" = "none" ]; then
-/sbin/setkey -c >/dev/null 2>&1 << EOF
-spdadd $SPD_SRC $SPD_DST any -P out ipsec
- ${SPD_AH_OUT:+ah/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}
- ;
-
-spdadd $SPD_DST $SPD_SRC any -P in ipsec
- ${SPD_AH_IN:+ah/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}
- ;
-EOF
-fi
-
-if [ "$KEYING" = "automatic" -a -n "$IKE_METHOD" ]; then
- if [ "$IKE_METHOD" = "PSK" ]; then
- MYID=address
- if [ -n "$MYID_TYPE" ]; then
- case "$MYID_TYPE" in
- *fqdn*)
- MYID="$MYID_TYPE \"$MYID_VALUE\""
- ;;
- esac
- fi
- tmpfile=$(mktemp /etc/racoon/psk.XXXXXX)
- grep -v "^$DST " /etc/racoon/psk.txt > $tmpfile
- echo "$DST $IKE_PSK" >> $tmpfile
- mv -f $tmpfile /etc/racoon/psk.txt
- fi
- if [ ! -f /etc/racoon/$DST.conf ] || [ /etc/racoon/$DST.conf -ot $1 ] ; then
- cat > /etc/racoon/$DST.conf << EOF
-remote $DST
-{
- ${REMOTE_ID:+ph1id $REMOTE_ID;}
- exchange_mode ${IKE_MODE:-main, aggressive};
-EOF
- if [ -n "$DPD_DELAY" ]; then
- echo " dpd_delay $DPD_DELAY;" >> /etc/racoon/$DST.conf
- fi
- if [ -n "$NAT_TRAVERSAL" ]; then
- echo " nat_traversal $NAT_TRAVERSAL;" >> /etc/racoon/$DST.conf
- fi
- case "$IKE_METHOD" in
- PSK)
- cat >> /etc/racoon/$DST.conf << EOF
- my_identifier $MYID;
- proposal {
- encryption_algorithm $IKE_ENC;
- hash_algorithm $IKE_AUTH;
- authentication_method pre_shared_key;
- dh_group $IKE_DHGROUP;
- }
-}
-EOF
- ;;
- X509)
- cat >> /etc/racoon/$DST.conf << EOF
- my_identifier asn1dn;
- peers_identifier asn1dn;
- certificate_type x509 "$IKE_CERTFILE.public" "$IKE_CERTFILE.private";
-EOF
- if [ -n "$IKE_DNSSEC" ]; then
- echo " peers_certfile dnssec;" >> /etc/racoon/$DST.conf
- fi
- if [ -n "$IKE_PEER_CERTFILE" ]; then
- echo " peers_certfile x509 \"$IKE_PEER_CERTFILE.public\";" >> /etc/racoon/$DST.conf
- fi
- if [ -n "$IKE_CA_CERTFILE" ]; then
- echo " ca_type x509 \"$IKE_CA_CERTFILE.public\";" >> /etc/racoon/$DST.conf
- fi
- cat >> /etc/racoon/$DST.conf << EOF
- proposal {
- encryption_algorithm $IKE_ENC;
- hash_algorithm $IKE_AUTH;
- authentication_method rsasig;
- dh_group $IKE_DHGROUP;
- }
-}
-EOF
- ;;
- GSSAPI)
- cat >> /etc/racoon/$DST.conf << EOF
- my_identifier address;
- proposal {
- encryption_algorithm $IKE_ENC;
- hash_algorithm $IKE_AUTH;
- authentication_method gssapi_krb;
- dh_group $IKE_DHGROUP;
- }
-}
-EOF
- esac
- fi
- racoontmp=$(mktemp /etc/racoon/racoon.XXXXXX)
- grep -v "^include \"/etc/racoon/$DST.conf\";" /etc/racoon/racoon.conf >> $racoontmp
- echo "include \"/etc/racoon/$DST.conf\";" >> $racoontmp
- mv -f $racoontmp /etc/racoon/racoon.conf
-fi
-if [ "$KEYING" = "automatic" ]; then
- if ! pidof -x /usr/sbin/racoon > /dev/null 2>&1 ; then
- /usr/sbin/racoon
- elif [ -n "$IKE_METHOD" ]; then
- killall -HUP racoon
- fi
-fi
diff --git a/ipsec-tools-0.7.1-pie.patch b/ipsec-tools-0.7.1-pie.patch
deleted file mode 100644
index e6b9444..0000000
--- a/ipsec-tools-0.7.1-pie.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-diff -up ipsec-tools-0.7.1/src/racoon/Makefile.am.pie ipsec-tools-0.7.1/src/racoon/Makefile.am ---- ipsec-tools-0.7.1/src/racoon/Makefile.am.pie 2008-10-17 14:13:24.000000000 +0200 -+++ ipsec-tools-0.7.1/src/racoon/Makefile.am 2008-10-17 14:16:53.000000000 +0200 -@@ -12,7 +12,7 @@ adminsockdir=${localstatedir}/racoon - BUILT_SOURCES = cfparse.h prsa_par.h - INCLUDES = -I${srcdir}/../libipsec - AM_CFLAGS = -D_GNU_SOURCE @GLIBC_BUGS@ -DSYSCONFDIR=\"${sysconfdir}\" \ -- -DADMINPORTDIR=\"${adminsockdir}\" -+ -DADMINPORTDIR=\"${adminsockdir}\" -fPIE - AM_LDFLAGS = @EXTRA_CRYPTO@ -lcrypto - AM_YFLAGS = -d ${$*_YFLAGS} - AM_LFLAGS = ${$*_LFLAGS} -@@ -38,6 +38,7 @@ racoon_SOURCES = \ - cftoken.l cfparse.y prsa_tok.l prsa_par.y - EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \ - isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS) -+racoon_LDFLAGS = -pie -Wl,-z,relro - racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \ - $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la @AUDIT_LIBS@ - racoon_DEPENDENCIES = \ -diff -up ipsec-tools-0.7.1/src/libipsec/Makefile.am.pie ipsec-tools-0.7.1/src/libipsec/Makefile.am ---- ipsec-tools-0.7.1/src/libipsec/Makefile.am.pie 2008-07-23 11:07:03.000000000 +0200 -+++ ipsec-tools-0.7.1/src/libipsec/Makefile.am 2008-10-17 14:13:24.000000000 +0200 -@@ -7,7 +7,7 @@ libipsec_HEADERS = libpfkey.h - - man3_MANS = ipsec_set_policy.3 ipsec_strerror.3 - --AM_CFLAGS = @GLIBC_BUGS@ -+AM_CFLAGS = @GLIBC_BUGS@ -fPIE - AM_YFLAGS = -d -p __libipsec - AM_LFLAGS = -P__libipsec -olex.yy.c - 
diff --git a/ipsec-tools-0.7.2-moreleaks.patch b/ipsec-tools-0.7.2-moreleaks.patch deleted file mode 100644 index cc97b78..0000000 --- a/ipsec-tools-0.7.2-moreleaks.patch +++ /dev/null @@ -1,36 +0,0 @@ -diff -up ipsec-tools-0.7.2/src/racoon/crypto_openssl.c.moreleaks ipsec-tools-0.7.2/src/racoon/crypto_openssl.c ---- ipsec-tools-0.7.2/src/racoon/crypto_openssl.c.moreleaks 2009-04-20 15:33:30.000000000 +0200 -+++ ipsec-tools-0.7.2/src/racoon/crypto_openssl.c 2009-05-13 20:07:27.000000000 +0200 -@@ -201,26 +201,24 @@ eay_str2asn1dn(str, len) - } - - i = i2d_X509_NAME(name, NULL); -- if (!i) -+ if (i <= 0) - goto err; - ret = vmalloc(i); - if (!ret) - goto err; - p = ret->v; - i = i2d_X509_NAME(name, (void *)&p); -- if (!i) -- goto err; -- -- return ret; -+ if (i <= 0) { -+ vfree(ret); -+ ret = NULL; -+ } - - err: - if (buf) - racoon_free(buf); - if (name) - X509_NAME_free(name); -- if (ret) -- vfree(ret); -- return NULL; -+ return ret; - } - - /* diff --git a/ipsec-tools-0.7.3-build.patch b/ipsec-tools-0.7.3-build.patch deleted file mode 100644 index e0947ad..0000000 --- a/ipsec-tools-0.7.3-build.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -diff -up ipsec-tools-0.7.3/configure.ac.build ipsec-tools-0.7.3/configure.ac ---- ipsec-tools-0.7.3/configure.ac.build 2010-12-07 18:36:22.000000000 +0100 -+++ ipsec-tools-0.7.3/configure.ac 2011-02-10 10:26:24.000000000 +0100 -@@ -315,7 +315,7 @@ if test "$libiconv_dir" != "no"; then - AC_MSG_ERROR([ICONV libs or includes not found. Aborting.]) - fi - fi -- LIBS="$LIBS -L$libiconv_dir/lib -R$libiconv_dir/lib -liconv" -+ LIBS="$LIBS -L$libiconv_dir/lib -liconv" - AC_CHECK_FUNCS(iconv_open) - fi - -@@ -379,7 +379,7 @@ if test "$libradius_dir" != "no"; then - fi - fi - AC_DEFINE([HAVE_LIBRADIUS], [], [Hybrid authentication uses RADIUS]) -- LIBS="$LIBS -L$libradius_dir/lib -R$libradius_dir/lib -lradius" -+ LIBS="$LIBS -L$libradius_dir/lib -lradius" - AC_CHECK_FUNCS(rad_create_request) - fi - -@@ -405,7 +405,7 @@ if test "$libpam_dir" != "no"; then - fi - fi - AC_DEFINE([HAVE_LIBPAM], [], [Hybrid authentication uses PAM]) -- LIBS="$LIBS -L$libpam_dir/lib -R$libpam_dir/lib -lpam" -+ LIBS="$LIBS -L$libpam_dir/lib -lpam" - AC_CHECK_FUNCS(pam_start) - fi - -@@ -431,7 +431,7 @@ if test "$libldap_dir" != "no"; then - fi - fi - AC_DEFINE([HAVE_LIBLDAP], [], [Hybrid authentication uses LDAP]) -- LIBS="$LIBS -L$libldap_dir/lib -R$libldap_dir/lib -lldap" -+ LIBS="$LIBS -L$libldap_dir/lib -lldap" - - saved_CFLAGS=$CFLAGS - CFLAGS="$CFLAGS -Wall -Werror" diff --git a/ipsec-tools-0.7.3-gssapi-mech.patch b/ipsec-tools-0.7.3-gssapi-mech.patch deleted file mode 100644 index 56cac9b..0000000 --- a/ipsec-tools-0.7.3-gssapi-mech.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -diff -up ipsec-tools-0.7.3/src/racoon/doc/README.gssapi ipsec-tools-0.7.3/src/racoon/doc/README -diff -up ipsec-tools-0.7.3/src/racoon/gssapi.c.gssapi ipsec-tools-0.7.3/src/racoon/gssapi.c ---- ipsec-tools-0.7.3/src/racoon/gssapi.c.gssapi 2006-09-09 18:22:09.000000000 +0200 -+++ ipsec-tools-0.7.3/src/racoon/gssapi.c 2009-09-25 15:55:05.000000000 +0200 -@@ -215,7 +215,7 @@ gssapi_init(struct ph1handle *iph1) - } else - gssapi_get_default_name(iph1, 0, &princ); - -- maj_stat = gss_canonicalize_name(&min_stat, princ, GSS_C_NO_OID, -+ maj_stat = gss_canonicalize_name(&min_stat, princ, (gss_OID_desc *)gss_mech_krb5, - &canon_princ); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "canonicalize name\n"); -@@ -695,7 +695,7 @@ gssapi_get_id(struct ph1handle *iph1) - if (gssapi_get_default_name(iph1, 0, &defname) < 0) - return NULL; - -- maj_stat = gss_canonicalize_name(&min_stat, defname, GSS_C_NO_OID, -+ maj_stat = gss_canonicalize_name(&min_stat, defname, (gss_OID_desc *)gss_mech_krb5, - &canon_name); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "canonicalize name\n"); -diff -up ipsec-tools-0.7.3/src/racoon/gssapi.h.gssapi ipsec-tools-0.7.3/src/racoon/gssapi.h ---- ipsec-tools-0.7.3/src/racoon/gssapi.h.gssapi 2006-09-09 18:22:09.000000000 +0200 -+++ ipsec-tools-0.7.3/src/racoon/gssapi.h 2009-09-25 15:53:29.000000000 +0200 -@@ -38,6 +38,7 @@ - #include "/usr/include/gssapi.h" - #else - #include -+#include - #endif - - #define GSSAPI_DEF_NAME "host" diff --git a/ipsec-tools-0.8.0-acquires.patch b/ipsec-tools-0.8.0-acquires.patch deleted file mode 100644 index 2f4a4ec..0000000 --- a/ipsec-tools-0.8.0-acquires.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -diff -up ipsec-tools-0.8.0/src/racoon/handler.h.acquires ipsec-tools-0.8.0/src/racoon/handler.h ---- ipsec-tools-0.8.0/src/racoon/handler.h.acquires 2010-11-17 11:40:41.000000000 +0100 -+++ ipsec-tools-0.8.0/src/racoon/handler.h 2011-03-21 16:31:27.000000000 +0100 -@@ -316,6 +316,8 @@ struct ph2handle { - - u_int8_t flags; /* Flags for phase 2 */ - u_int32_t msgid; /* msgid for phase 2 */ -+ -+ u_int32_t sa_count; /* num of SAs sent in SADB_ADD */ - - struct sainfo *sainfo; /* place holder of sainfo */ - struct saprop *proposal; /* SA(s) proposal. */ -diff -up ipsec-tools-0.8.0/src/racoon/pfkey.c.acquires ipsec-tools-0.8.0/src/racoon/pfkey.c ---- ipsec-tools-0.8.0/src/racoon/pfkey.c.acquires 2011-03-15 14:20:14.000000000 +0100 -+++ ipsec-tools-0.8.0/src/racoon/pfkey.c 2011-03-21 16:52:32.000000000 +0100 -@@ -1347,7 +1347,9 @@ pk_recvupdate(mhp) - sched_cancel(&iph2->sce); - - /* update status */ -- iph2->status = PHASE2ST_ESTABLISHED; -+ /* Do this in pk_recvadd -+ * iph2->status = PHASE2ST_ESTABLISHED; -+ */ - evt_phase2(iph2, EVT_PHASE2_UP, NULL); - - #ifdef ENABLE_STATS -@@ -1379,6 +1381,7 @@ pk_sendadd(iph2) - { - struct saproto *pr; - struct pfkey_send_sa_args sa_args; -+ u_int32_t sa_sent = 0; - - /* sanity check */ - if (iph2->approval == NULL) { -@@ -1498,6 +1501,9 @@ pk_sendadd(iph2) - return -1; - } - -+ /* keep count of SAs added */ -+ sa_sent++; -+ - if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]) - continue; - -@@ -1518,6 +1524,7 @@ pk_sendadd(iph2) - sadbsecas2str(sa_args.src, sa_args.dst, - sa_args.satype, sa_args.spi, sa_args.mode)); - } -+ iph2->sa_count = sa_sent; - racoon_free(sa_args.src); - racoon_free(sa_args.dst); - return 0; -@@ -1576,10 +1583,20 @@ pk_recvadd(mhp) - } - - /* -- * NOTE don't update any status of phase2 handle -- * because they must be updated by SADB_UPDATE message -+ * Thus, update the status of phase 2 handle after all SADB_ADD -+ * msgs have been received for the handle, rather than -+ * after SADB_UPDATE. 
-+ * -+ * This also removes the possibilty of processing an ACQUIRE -+ * received by kernel for SAs we are still adding. - */ - -+ if (iph2->sa_count) { -+ iph2->sa_count = iph2->sa_count - 1; -+ if (iph2->sa_count == 0) -+ iph2->status = PHASE2ST_ESTABLISHED; -+ } -+ - plog(LLV_INFO, LOCATION, NULL, - "IPsec-SA established: %s\n", - sadbsecas2str(src, dst, -@@ -1690,6 +1707,7 @@ pk_recvexpire(mhp) - plog(LLV_ERROR, LOCATION, iph2->dst, - "failed to begin ipsec sa " - "re-negotication.\n"); -+ iph2->status = PHASE2ST_EXPIRED; - remph2(iph2); - delph2(iph2); - return -1; -@@ -1855,8 +1873,17 @@ pk_recvacquire(mhp) - * 2. its state is equal to PHASE2ST_ESTABLISHED, then racoon - * has to prcesss such a acquire message because racoon may - * lost the expire message. -+ * -+ * When in responder role, an spid doesn't get added to -+ * the handler since responder didn't receive acquire. -+ * Thus there is the case that a negotiation can be occurring -+ * and responder receives acquire for same policy. So to prevent -+ * another identical negotiation, also check by address. - */ - iph2 = getph2byid(src, dst, xpl->sadb_x_policy_id); -+ if (iph2 == NULL) -+ iph2 = getph2bysaddr(src, dst); -+ - if (iph2 != NULL) { - if (iph2->status < PHASE2ST_ESTABLISHED) { - plog(LLV_DEBUG, LOCATION, NULL, diff --git a/ipsec-tools-0.8.0-aliasing.patch b/ipsec-tools-0.8.0-aliasing.patch deleted file mode 100644 index 447b6a1..0000000 --- a/ipsec-tools-0.8.0-aliasing.patch +++ /dev/null 
@@ -1,123 +0,0 @@ -diff -up ipsec-tools-0.8.0/src/racoon/grabmyaddr.c.aliasing ipsec-tools-0.8.0/src/racoon/grabmyaddr.c ---- ipsec-tools-0.8.0/src/racoon/grabmyaddr.c.aliasing 2011-03-14 18:18:12.000000000 +0100 -+++ ipsec-tools-0.8.0/src/racoon/grabmyaddr.c 2011-03-21 21:41:49.000000000 +0100 -@@ -399,10 +399,9 @@ netlink_add_del_address(int add, struct - static int - netlink_process_addr(struct nlmsghdr *h) - { -- struct sockaddr_storage addr; -+ struct sockaddr_in6 sin6; - struct ifaddrmsg *ifa; - struct rtattr *rta[IFA_MAX+1]; -- struct sockaddr_in6 *sin6; - - ifa = NLMSG_DATA(h); - parse_rtattr(rta, IFA_MAX, IFA_RTA(ifa), IFA_PAYLOAD(h)); -@@ -416,17 +415,16 @@ netlink_process_addr(struct nlmsghdr *h) - if (rta[IFA_LOCAL] == NULL) - return 0; - -- memset(&addr, 0, sizeof(addr)); -- addr.ss_family = ifa->ifa_family; -- sin6 = (struct sockaddr_in6 *) &addr; -- memcpy(&sin6->sin6_addr, RTA_DATA(rta[IFA_LOCAL]), -- sizeof(sin6->sin6_addr)); -- if (!IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) -+ memset(&sin6, 0, sizeof(sin6)); -+ sin6.sin6_family = ifa->ifa_family; -+ memcpy(&sin6.sin6_addr, RTA_DATA(rta[IFA_LOCAL]), -+ sizeof(sin6.sin6_addr)); -+ if (!IN6_IS_ADDR_LINKLOCAL(&sin6.sin6_addr)) - return 0; -- sin6->sin6_scope_id = ifa->ifa_index; -+ sin6.sin6_scope_id = ifa->ifa_index; - - netlink_add_del_address(h->nlmsg_type == RTM_NEWADDR, -- (struct sockaddr *) &addr); -+ (struct sockaddr *) &sin6); - - return 0; - } -@@ -471,13 +469,9 @@ netlink_route_is_local(int family, const - static int - netlink_process_route(struct nlmsghdr *h) - { -- struct sockaddr_storage addr; -+ union sockaddr_any addr; - struct rtmsg *rtm; - struct rtattr *rta[RTA_MAX+1]; -- struct sockaddr_in *sin; --#ifdef INET6 -- struct sockaddr_in6 *sin6; --#endif - - rtm = NLMSG_DATA(h); - -@@ -492,21 +486,19 @@ netlink_process_route(struct nlmsghdr *h - - /* setup the socket address */ - memset(&addr, 0, sizeof(addr)); -- addr.ss_family = rtm->rtm_family; -+ addr.sa.sa_family = rtm->rtm_family; - 
switch (rtm->rtm_family) { - case AF_INET: -- sin = (struct sockaddr_in *) &addr; -- memcpy(&sin->sin_addr, RTA_DATA(rta[RTA_DST]), -- sizeof(sin->sin_addr)); -+ memcpy(&addr.sin.sin_addr, RTA_DATA(rta[RTA_DST]), -+ sizeof(addr.sin.sin_addr)); - break; - #ifdef INET6 - case AF_INET6: -- sin6 = (struct sockaddr_in6 *) &addr; -- memcpy(&sin6->sin6_addr, RTA_DATA(rta[RTA_DST]), -- sizeof(sin6->sin6_addr)); -+ memcpy(&addr.sin6.sin6_addr, RTA_DATA(rta[RTA_DST]), -+ sizeof(addr.sin6.sin6_addr)); - /* Link-local addresses are handled with RTM_NEWADDR - * notifications */ -- if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) -+ if (IN6_IS_ADDR_LINKLOCAL(&addr.sin6.sin6_addr)) - return 0; - break; - #endif -@@ -522,12 +514,12 @@ netlink_process_route(struct nlmsghdr *h - RTA_PAYLOAD(rta[RTA_DST]))) { - plog(LLV_DEBUG, LOCATION, NULL, - "Netlink: not deleting %s yet, it exists still\n", -- saddrwop2str((struct sockaddr *) &addr)); -+ saddrwop2str(&addr.sa)); - return 0; - } - - netlink_add_del_address(h->nlmsg_type == RTM_NEWROUTE, -- (struct sockaddr *) &addr); -+ &addr.sa); - return 0; - } - -diff -up ipsec-tools-0.8.0/src/racoon/isakmp_quick.c.aliasing ipsec-tools-0.8.0/src/racoon/isakmp_quick.c ---- ipsec-tools-0.8.0/src/racoon/isakmp_quick.c.aliasing 2011-03-21 18:13:15.000000000 +0100 -+++ ipsec-tools-0.8.0/src/racoon/isakmp_quick.c 2011-03-21 21:30:05.000000000 +0100 -@@ -2173,15 +2173,15 @@ get_sainfo_r(iph2) - if (iph2->ph1->mode_cfg != NULL) { - if ((iph2->ph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) || - (iph2->ph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)){ -- struct sockaddr saddr; -- saddr.sa_family = AF_INET; -+ struct sockaddr_in saddr; -+ saddr.sin_family = AF_INET; - #ifndef __linux__ -- saddr.sa_len = sizeof(struct sockaddr_in); -+ saddr.sin_len = sizeof(struct sockaddr_in); - #endif -- ((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY; -- memcpy(&((struct sockaddr_in *)&saddr)->sin_addr, -+ saddr.sin_port = IPSEC_PORT_ANY; -+ 
memcpy(&saddr.sin_addr, - &iph2->ph1->mode_cfg->addr4, sizeof(struct in_addr)); -- client = ipsecdoi_sockaddr2id(&saddr, 32, IPSEC_ULPROTO_ANY); -+ client = ipsecdoi_sockaddr2id((struct sockaddr *)&saddr, 32, IPSEC_ULPROTO_ANY); - } - } - diff --git a/ipsec-tools-0.8.0-loopback.patch b/ipsec-tools-0.8.0-loopback.patch deleted file mode 100644 index 6d1d464..0000000 --- a/ipsec-tools-0.8.0-loopback.patch +++ /dev/null 
@@ -1,383 +0,0 @@ -diff -up ipsec-tools-0.8.0/configure.ac.loopback ipsec-tools-0.8.0/configure.ac ---- ipsec-tools-0.8.0/configure.ac.loopback 2011-03-18 14:25:12.000000000 +0100 -+++ ipsec-tools-0.8.0/configure.ac 2011-03-21 16:54:55.000000000 +0100 -@@ -794,6 +794,27 @@ AC_TRY_COMPILE( - AC_MSG_RESULT(yes)], - [AC_MSG_RESULT(no)]) - -+AC_MSG_CHECKING(whether to support Auditing) -+AC_ARG_ENABLE(audit, -+ [ --enable-audit build audit daemon support for SELinux], -+ enable_audit=$enableval,enable_audit=auto) -+ -+AC_MSG_RESULT($enable_audit) -+ -+# libaudit detection -+if test x$enable_audit = xno ; then -+ have_libaudit=no; -+else -+ AC_CHECK_LIB(audit, audit_log_user_avc_message, -+ have_libaudit=yes, have_libaudit=no) -+fi -+AM_CONDITIONAL(HAVE_LIBAUDIT, test x$have_libaudit = xyes) -+if test x$have_libaudit = xyes ; then -+ AUDIT_LIBS="-laudit" -+ AC_DEFINE(HAVE_LIBAUDIT,1,[audit daemon SELinux support]) -+fi -+AC_SUBST(AUDIT_LIBS) -+ - CFLAGS="$CFLAGS $CFLAGS_ADD" - CPPFLAGS="$CPPFLAGS $CPPFLAGS_ADD" - -diff -up ipsec-tools-0.8.0/src/racoon/handler.h.loopback ipsec-tools-0.8.0/src/racoon/handler.h ---- ipsec-tools-0.8.0/src/racoon/handler.h.loopback 2011-03-21 16:54:55.000000000 +0100 -+++ ipsec-tools-0.8.0/src/racoon/handler.h 2011-03-21 16:54:55.000000000 +0100 -@@ -318,6 +318,7 @@ struct ph2handle { - u_int32_t msgid; /* msgid for phase 2 */ - - u_int32_t sa_count; /* num of SAs sent in SADB_ADD */ -+ u_int8_t loopback; - - struct sainfo *sainfo; /* place holder of sainfo */ - struct saprop *proposal; /* SA(s) proposal. 
*/ -diff -up ipsec-tools-0.8.0/src/racoon/isakmp_quick.c.loopback ipsec-tools-0.8.0/src/racoon/isakmp_quick.c ---- ipsec-tools-0.8.0/src/racoon/isakmp_quick.c.loopback 2011-03-14 18:18:13.000000000 +0100 -+++ ipsec-tools-0.8.0/src/racoon/isakmp_quick.c 2011-03-21 18:10:37.000000000 +0100 -@@ -99,11 +99,10 @@ static vchar_t *quick_ir1mx __P((struct - static int get_sainfo_r __P((struct ph2handle *)); - static int get_proposal_r __P((struct ph2handle *)); - static int ph2_recv_n __P((struct ph2handle *, struct isakmp_gen *)); --static void quick_timeover_stub __P((struct sched *)); - static void quick_timeover __P((struct ph2handle *)); - - /* called from scheduler */ --static void -+void - quick_timeover_stub(p) - struct sched *p; - { -diff -up ipsec-tools-0.8.0/src/racoon/isakmp_quick.h.loopback ipsec-tools-0.8.0/src/racoon/isakmp_quick.h ---- ipsec-tools-0.8.0/src/racoon/isakmp_quick.h.loopback 2006-09-09 18:22:09.000000000 +0200 -+++ ipsec-tools-0.8.0/src/racoon/isakmp_quick.h 2011-03-21 18:10:57.000000000 +0100 -@@ -47,4 +47,5 @@ extern int quick_r3recv __P((struct ph2h - extern int quick_r3send __P((struct ph2handle *, vchar_t *)); - extern int quick_r3prep __P((struct ph2handle *, vchar_t *)); - -+extern void quick_timeover_stub __P((struct sched *)); - #endif /* _ISAKMP_QUICK_H */ -diff -up ipsec-tools-0.8.0/src/racoon/main.c.loopback ipsec-tools-0.8.0/src/racoon/main.c ---- ipsec-tools-0.8.0/src/racoon/main.c.loopback 2009-01-26 19:13:06.000000000 +0100 -+++ ipsec-tools-0.8.0/src/racoon/main.c 2011-03-21 16:54:55.000000000 +0100 -@@ -297,6 +297,9 @@ main(ac, av) - #ifdef HAVE_SECCTX - init_avc(); - #endif -+#ifdef HAVE_LIBAUDIT -+ audit_init(); -+#endif - eay_init(); - initrmconf(); - oakley_dhinit(); -diff -up ipsec-tools-0.8.0/src/racoon/Makefile.am.loopback ipsec-tools-0.8.0/src/racoon/Makefile.am ---- ipsec-tools-0.8.0/src/racoon/Makefile.am.loopback 2009-12-11 10:04:04.000000000 +0100 -+++ ipsec-tools-0.8.0/src/racoon/Makefile.am 2011-03-21 
16:54:55.000000000 +0100
-@@ -39,7 +39,7 @@ racoon_SOURCES = \
- EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
- isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS)
- racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
-- $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la
-+ $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la @AUDIT_LIBS@
- racoon_DEPENDENCIES = \
- $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
- vmbuf.o sockmisc.o misc.o
-diff -up ipsec-tools-0.8.0/src/racoon/pfkey.c.loopback ipsec-tools-0.8.0/src/racoon/pfkey.c
---- ipsec-tools-0.8.0/src/racoon/pfkey.c.loopback 2011-03-21 17:43:02.000000000 +0100
-+++ ipsec-tools-0.8.0/src/racoon/pfkey.c 2011-03-21 18:10:02.000000000 +0100
-@@ -87,6 +87,7 @@
- #include "isakmp_var.h"
- #include "isakmp.h"
- #include "isakmp_inf.h"
-+#include "isakmp_quick.h"
- #include "ipsec_doi.h"
- #include "oakley.h"
- #include "pfkey.h"
-@@ -101,6 +102,7 @@
- #include "nattraversal.h"
- #include "crypto_openssl.h"
- #include "grabmyaddr.h"
-+#include "sockmisc.h"
- 
- #if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
- #define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
-@@ -1043,6 +1045,56 @@ pk_recvgetspi(mhp)
- return -1;
- }
- 
-+#ifdef HAVE_SECCTX
-+ if (iph2->loopback == 1) {
-+ u_int satype, reqid;
-+ struct sockaddr *src;
-+
-+ src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-+ if (cmpsaddr(src, dst) != CMPSADDR_MISMATCH) {
-+ struct pfkey_send_sa_args sa_args;
-+ /* yep, this is loopback. install SA */
-+ satype = ipsecdoi2pfkey_proto(iph2->proposal->head->proto_id);
-+ if (satype == ~0) {
-+ plog(LLV_ERROR, LOCATION, NULL,
-+ "invalid proto_id %d\n",
-+ iph2->proposal->head->proto_id);
-+ return -1;
-+ }
-+
-+ reqid = iph2->proposal->head->reqid_in;
-+
-+ iph2->status = PHASE2ST_ADDSA;
-+
-+ memset (&sa_args, 0, sizeof (sa_args));
-+ sa_args.so = lcconf->sock_pfkey;
-+ sa_args.satype = satype;
-+ sa_args.mode = IPSEC_MODE_TRANSPORT;
-+ sa_args.src = src;
-+ sa_args.dst = dst;
-+ sa_args.spi = sa->sadb_sa_spi;
-+ sa_args.reqid = reqid;
-+ sa_args.e_type = SADB_EALG_NULL;
-+ sa_args.a_type = SADB_AALG_NONE;
-+ sa_args.l_addtime = iph2->proposal->lifetime;
-+ sa_args.seq = iph2->seq;
-+ sa_args.ctxdoi = iph2->proposal->sctx.ctx_doi;
-+ sa_args.ctxalg = iph2->proposal->sctx.ctx_alg;
-+ sa_args.ctxstr = iph2->proposal->sctx.ctx_str;
-+ sa_args.ctxstrlen = iph2->proposal->sctx.ctx_strlen;
-+ if (pfkey_send_update2(&sa_args) < 0) {
-+ plog(LLV_ERROR, LOCATION, NULL,
-+ "failed to update loopback SA: %s\n",
-+ ipsec_strerror());
-+ remph2(iph2);
-+ delph2(iph2);
-+ return -1;
-+ }
-+ }
-+ return 0;
-+ }
-+#endif /* HAVE SECCTX */
-+
- /* set SPI, and check to get all spi whether or not */
- allspiok = 1;
- notfound = 1;
-@@ -1304,6 +1356,26 @@ pk_recvupdate(mhp)
- return -1;
- }
- 
-+#ifdef HAVE_SECCTX
-+ /* get update for loopback here */
-+ if (iph2->loopback == 1 && (cmpsaddr(src, dst) != CMPSADDR_MISMATCH)) {
-+ plog(LLV_INFO, LOCATION, NULL,
-+ "IPsec-SA established without ISAKMP: %s\n",
-+ sadbsecas2str(iph2->dst, iph2->src,
-+ msg->sadb_msg_satype, sa->sadb_sa_spi,
-+ IPSEC_MODE_TRANSPORT));
-+
-+ /* turn off the timer for calling quick_timeover() */
-+ sched_cancel(&iph2->sce);
-+
-+ sched_schedule(&iph2->sce, iph2->proposal->lifetime,
-+ isakmp_ph2expire_stub);
-+
-+ iph2->status = PHASE2ST_ESTABLISHED;
-+ return 0;
-+ }
-+#endif
-+
- /* check to complete all keys ? */
- for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
- proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
-@@ -1343,7 +1415,7 @@ pk_recvupdate(mhp)
- if (incomplete)
- return 0;
- 
-- /* turn off the timer for calling pfkey_timeover() */
-+ /* turn off the timer for calling quick_timeover() */
- sched_cancel(&iph2->sce);
- 
- /* update status */
-@@ -1768,6 +1840,12 @@ pk_recvacquire(mhp)
- m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
- 
- if (m_sec_ctx != NULL) {
-+ if (m_sec_ctx->sadb_x_ctx_len > MAX_CTXSTR_SIZE) {
-+ plog(LLV_ERROR, LOCATION, NULL,
-+ "ignoring ACQUIRE: security context is greater than MAX, %d.\n",
-+ MAX_CTXSTR_SIZE);
-+ return -1;
-+ }
- plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n",
- m_sec_ctx->sadb_x_ctx_doi);
- plog(LLV_INFO, LOCATION, NULL,
-@@ -1974,6 +2052,73 @@ pk_recvacquire(mhp)
- iph2->sa_dst = dupsaddr(sa_dst);
- }
- 
-+#ifdef HAVE_SECCTX
-+ /*
-+ * If the src address in the ACQUIRE is one we listen on and
-+ * the src and dst addresses are the same, then assume this
-+ * packet arrived over loopback and just get an SPI and
-+ * install the SA.
-+ */
-+ if (m_sec_ctx && (cmpsaddr(src, dst) != CMPSADDR_MISMATCH)) {
-+ struct saprop *newpp;
-+ struct saproto *newpr;
-+ iph2->loopback = 1;
-+ newpp = newsaprop();
-+ if (newpp == NULL) {
-+ plog(LLV_ERROR, LOCATION, NULL,
-+ "failed to allocate saprop.\n");
-+ delph2(iph2);
-+ return -1;
-+ }
-+ /* allocate to hold reqid */
-+ newpr = newsaproto();
-+ if (newpr == NULL) {
-+ plog(LLV_ERROR, LOCATION, NULL,
-+ "failed to allocate saproto.\n");
-+ delph2(iph2);
-+ return -1;
-+ }
-+
-+ newpr->reqid_out = sp_out->req->saidx.reqid;
-+ newpr->reqid_in = sp_in->req->saidx.reqid;
-+ newpr->proto_id = ipproto2doi(sp_out->req->saidx.proto);
-+
-+ inssaprotorev(newpp, newpr);
-+ iph2->proposal = newpp;
-+ printsaprop0(LLV_DEBUG, newpp);
-+
-+ set_secctx_in_proposal(iph2, spidx);
-+ iph2->proposal->lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;
-+
-+ insph2(iph2);
-+
-+ iph2->status = PHASE2ST_GETSPISENT;
-+ plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
-+ if (pfkey_send_getspi(
-+ lcconf->sock_pfkey,
-+ iph2->satype,
-+ IPSEC_MODE_TRANSPORT,
-+ dst, /* src of SA */
-+ src, /* dst of SA */
-+ 0, 0,
-+ newpr->reqid_in, iph2->seq) < 0) {
-+ plog(LLV_ERROR, LOCATION, NULL,
-+ "ipseclib failed send getspi (%s)\n",
-+ ipsec_strerror());
-+ delph2(iph2);
-+ return -1;
-+ }
-+ sched_schedule(&iph2->sce, lcconf->wait_ph2complete,
-+ quick_timeover_stub);
-+
-+ plog(LLV_DEBUG, LOCATION, NULL,
-+ "pfkey GETSPI sent: %s\n",
-+ sadbsecas2str(dst, src, iph2->satype, 0,
-+ IPSEC_MODE_TRANSPORT));
-+ return 0;
-+ }
-+#endif /* HAVE_SECCTX */
-+
- if (isakmp_get_sainfo(iph2, sp_out, sp_in) < 0) {
- delph2(iph2);
- return -1;
-diff -up ipsec-tools-0.8.0/src/racoon/policy.h.loopback ipsec-tools-0.8.0/src/racoon/policy.h
---- ipsec-tools-0.8.0/src/racoon/policy.h.loopback 2008-12-05 07:02:20.000000000 +0100
-+++ ipsec-tools-0.8.0/src/racoon/policy.h 2011-03-21 16:54:55.000000000 +0100
-@@ -38,7 +38,12 @@
- 
- 
- #ifdef HAVE_SECCTX
--#define MAX_CTXSTR_SIZE 50
-+
-+/* Current LSPP policy is 1024 compartments, 5 chars each 'c1024'. SE Linux
-+ * will attempt to combine so, worst case is all odd or even numbers. The
-+ * context size of SE Linux types is max'ed around 256. We allow 16 for
-+ * sensitivity */
-+#define MAX_CTXSTR_SIZE 3344 /* (6 * 512) + 256 + 16 */
- struct security_ctx {
- u_int8_t ctx_doi; /* Security Context DOI */
- u_int8_t ctx_alg; /* Security Context Algorithm */
-@@ -158,6 +163,9 @@ extern void initsp __P((void));
- extern struct ipsecrequest *newipsecreq __P((void));
- 
- extern const char *spidx2str __P((const struct policyindex *));
-+#ifdef HAVE_LIBAUDIT
-+extern void audit_init __P((void));
-+#endif
- #ifdef HAVE_SECCTX
- #include
- extern int get_security_context __P((vchar_t *, struct policyindex *));
-diff -up ipsec-tools-0.8.0/src/racoon/security.c.loopback ipsec-tools-0.8.0/src/racoon/security.c
---- ipsec-tools-0.8.0/src/racoon/security.c.loopback 2007-05-31 21:54:55.000000000 +0200
-+++ ipsec-tools-0.8.0/src/racoon/security.c 2011-03-21 16:54:55.000000000 +0100
-@@ -55,6 +55,61 @@
- #include "proposal.h"
- #include "strnames.h"
- #include "handler.h"
-+#ifdef HAVE_LIBAUDIT
-+#include
-+#include
-+#include "libaudit.h"
-+#endif
-+
-+static void log_callback (const char *fmt, ...);
-+
-+static const struct avc_log_callback log_cb =
-+{
-+ .func_log = log_callback,
-+ .func_audit = NULL
-+};
-+
-+#ifdef HAVE_LIBAUDIT
-+static int audit_fd = -1;
-+void
-+audit_init(void)
-+{
-+ audit_fd = audit_open();
-+ if (audit_fd < 0) {
-+ /* If kernel doesn't support audit, bail out */
-+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
-+ errno == EAFNOSUPPORT)
-+ return;
-+ /* If unprivileged, bail out */
-+ if (errno == EPERM && getuid() != 0)
-+ return;
-+ plog (LLV_ERROR, LOCATION, NULL,
-+ "Failed opening connection to the audit subsystem");
-+ }
-+}
-+#endif /* HAVE_LIBAUDIT */
-+
-+static void
-+log_callback (const char *fmt, ...)
-+{
-+ va_list ap;
-+ va_start(ap, fmt);
-+#ifdef HAVE_LIBAUDIT
-+ if (audit_fd >= 0) {
-+ char buf[PATH_MAX*2];
-+
-+ /* FIXME: need to change this to show real user */
-+ vsnprintf(buf, sizeof(buf), fmt, ap);
-+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC,
-+ buf, NULL, NULL, NULL, -1);
-+ return;
-+ } else
-+#endif /* HAVE_LIBAUDIT */
-+ {
-+ vsyslog (LOG_INFO, fmt, ap);
-+ va_end(ap);
-+ }
-+}
- 
- /*
- * Get the security context information from SA.
diff --git a/ipsec-tools-0.8.0-nodevel.patch b/ipsec-tools-0.8.0-nodevel.patch
deleted file mode 100644
index 1abb6bf..0000000
--- a/ipsec-tools-0.8.0-nodevel.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-diff -up ipsec-tools-0.8.0/src/libipsec/Makefile.am.nodevel ipsec-tools-0.8.0/src/libipsec/Makefile.am
---- ipsec-tools-0.8.0/src/libipsec/Makefile.am.nodevel 2011-03-21 17:26:37.000000000 +0100
-+++ ipsec-tools-0.8.0/src/libipsec/Makefile.am 2011-03-21 17:26:37.000000000 +0100
-@@ -1,11 +1,10 @@
- 
- #bin_PROGRAMS = test-policy test-policy-priority
--lib_LTLIBRARIES = libipsec.la
-+noinst_LTLIBRARIES = libipsec.la
- 
- libipsecdir = $(includedir)/libipsec
--libipsec_HEADERS = libpfkey.h
- 
--man3_MANS = ipsec_set_policy.3 ipsec_strerror.3
-+#man3_MANS = ipsec_set_policy.3 ipsec_strerror.3
- 
- AM_CFLAGS = @GLIBC_BUGS@ -fPIE
- AM_YFLAGS = -d -p __libipsec
-@@ -28,7 +27,7 @@ libipsec_la_SOURCES = \
- libipsec_la_LDFLAGS = -version-info 0:1:0
- libipsec_la_LIBADD = $(LEXLIB)
- 
--noinst_HEADERS = ipsec_strerror.h
-+noinst_HEADERS = ipsec_strerror.h libpfkey.h
- 
- #test_policy_SOURCES = test-policy.c
- #test_policy_LDFLAGS = libipsec.la
-diff -up ipsec-tools-0.8.0/src/racoon/Makefile.am.nodevel ipsec-tools-0.8.0/src/racoon/Makefile.am
---- ipsec-tools-0.8.0/src/racoon/Makefile.am.nodevel 2011-03-21 17:26:37.000000000 +0100
-+++ ipsec-tools-0.8.0/src/racoon/Makefile.am 2011-03-21 17:27:57.000000000 +0100
-@@ -2,10 +2,10 @@
- 
- sbin_PROGRAMS = racoon racoonctl plainrsa-gen
- noinst_PROGRAMS = eaytest
--include_racoon_HEADERS = racoonctl.h var.h vmbuf.h misc.h gcmalloc.h admin.h \
-+racoonhdr = racoonctl.h var.h vmbuf.h misc.h gcmalloc.h admin.h \
- schedule.h sockmisc.h isakmp_var.h isakmp.h isakmp_xauth.h \
- isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h
--lib_LTLIBRARIES = libracoon.la
-+noinst_LTLIBRARIES = libracoon.la
- 
- adminsockdir=${localstatedir}/racoon
- 
-@@ -64,7 +64,7 @@ eaytest_LDADD = crypto_openssl_test.o vm
- eaytest_DEPENDENCIES = crypto_openssl_test.o vmbuf.o str2val.o \
- misc_noplog.o $(CRYPTOBJS)
- 
--noinst_HEADERS = \
-+noinst_HEADERS = $(racoonhdr) \
- admin.h dnssec.h isakmp_base.h oakley.h session.h \
- admin_var.h dump.h isakmp_ident.h pfkey.h sockmisc.h \
- algorithm.h gcmalloc.h isakmp_inf.h plog.h str2val.h \
diff --git a/ipsec-tools-0.8.2-952413.patch b/ipsec-tools-0.8.2-952413.patch
deleted file mode 100644
index 41e5c19..0000000
--- a/ipsec-tools-0.8.2-952413.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -Naur ipsec-tools-0.8.2-orig/src/racoon/isakmp_xauth.c ipsec-tools-0.8.2/src/racoon/isakmp_xauth.c
---- ipsec-tools-0.8.2-orig/src/racoon/isakmp_xauth.c 2013-02-05 01:23:42.000000000 -0500
-+++ ipsec-tools-0.8.2/src/racoon/isakmp_xauth.c 2015-05-26 12:35:45.852730976 -0400
-@@ -595,6 +595,10 @@
- return -1;
- }
- 
-+ if (rad_put_string(radius_auth_state, RAD_CALLING_STATION_ID,
-+ saddr2str(iph1->remote)) != 0)
-+ return -1;
-+
- if (isakmp_cfg_radius_common(radius_auth_state, iph1->mode_cfg->port) != 0)
- return -1;
- 
diff --git a/ipsec-tools-0.8.2-CVE-2015-4047.patch b/ipsec-tools-0.8.2-CVE-2015-4047.patch
deleted file mode 100644
index 6b7d96c..0000000
--- a/ipsec-tools-0.8.2-CVE-2015-4047.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff -Naur ipsec-tools-0.8.1-orig/src/racoon/gssapi.c ipsec-tools-0.8.1/src/racoon/gssapi.c
---- ipsec-tools-0.8.1-orig/src/racoon/gssapi.c 2015-05-26 12:10:35.561653780 -0400
-+++ ipsec-tools-0.8.1/src/racoon/gssapi.c 2015-05-26 12:11:36.482514547 -0400
-@@ -192,6 +192,11 @@
- gss_name_t princ, canon_princ;
- OM_uint32 maj_stat, min_stat;
- 
-+ if (iph1->rmconf == NULL) {
-+ plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
-+ return -1;
-+ }
-+
- gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
- if (gps == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");
diff --git a/ipsec-tools-0.8.2-bsdsource.patch b/ipsec-tools-0.8.2-bsdsource.patch
deleted file mode 100644
index 898af86..0000000
--- a/ipsec-tools-0.8.2-bsdsource.patch
+++ /dev/null
@@ -1,12 +0,0 @@
---- ipsec-tools-0.8.2-orig/src/include-glibc/glibc-bugs.h 2006-09-09 12:22:08.000000000 -0400
-+++ ipsec-tools-0.8.2/src/include-glibc/glibc-bugs.h 2017-01-24 11:30:37.361353289 -0500
-@@ -4,7 +4,8 @@
- #define __GLIBC_BUGS_H__ 1
- 
- #define _XOPEN_SOURCE 500
--#define _BSD_SOURCE
-+//#define _BSD_SOURCE
-+#define _DEFAULT_SOURCE
- 
- #include
- #include
diff --git a/ipsec-tools.spec b/ipsec-tools.spec
deleted file mode 100644
index c6be79e..0000000
--- a/ipsec-tools.spec
+++ /dev/null
@@ -1,515 +0,0 @@
-%global racoonconfdir %{_sysconfdir}/racoon
-
-Name: ipsec-tools
-Version: 0.8.2
-Release: 18%{?dist}
-Summary: Tools for configuring and using IPSEC
-License: BSD
-URL: http://ipsec-tools.sourceforge.net/
-
-Source: ftp://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.8/ipsec-tools-%{version}.tar.bz2
-Source1: racoon.conf
-Source2: psk.txt
-Source3: p1_up_down
-Source4: racoon.service
-Source5: racoon.pam
-Source6: ifup-ipsec
-Source7: ifdown-ipsec
-
-# Ignore acquires that are sent by kernel for SAs that are already being
-# negotiated (#234491)
-Patch3: ipsec-tools-0.8.0-acquires.patch
-# Support for labeled IPSec on loopback
-Patch4: ipsec-tools-0.8.0-loopback.patch
-# Create racoon as PIE
-Patch11: ipsec-tools-0.7.1-pie.patch
-# Fix leak in certification handling
-Patch14: ipsec-tools-0.7.2-moreleaks.patch
-# Do not install development files
-Patch16: ipsec-tools-0.8.0-nodevel.patch
-# Use krb5 gssapi mechanism
-Patch18: ipsec-tools-0.7.3-gssapi-mech.patch
-# Drop -R from linker
-Patch19: ipsec-tools-0.7.3-build.patch
-# Silence strict aliasing warnings
-Patch20: ipsec-tools-0.8.0-aliasing.patch
-# CVE-2015-4047
-Patch21: ipsec-tools-0.8.2-CVE-2015-4047.patch
-# Calling_station-Id attribute for xauth RADIUS requests
-Patch22: ipsec-tools-0.8.2-952413.patch
-
-BuildRequires: audit-libs-devel >= 1.3.1
-BuildRequires: automake
-BuildRequires: bison
-BuildRequires: compat-openssl10-devel
-BuildRequires: flex
-BuildRequires: flex-static
-BuildRequires: krb5-devel
-BuildRequires: libtool
-BuildRequires: libselinux-devel
-BuildRequires: openldap-devel
-BuildRequires: pam-devel
-BuildRequires: systemd
-
-Requires: pam
-Requires(post): systemd
-Requires(preun): systemd
-Requires(postun): systemd
-
-
-%description
-This package contains tools necessary for establishing
-keys for IPSEC connections including the rekeying during
-the connection lifetime.
-
-The main tools of this package are:
-
-- setkey, a program to directly manipulate policies and SAs in the kernel
-- racoon, an IKEv1 keying daemon
-
-%prep
-%setup -q
-%patch3 -p1 -b .acquires
-%patch4 -p1 -b .loopback
-
-%patch11 -p1 -b .pie
-%patch14 -p1 -b .moreleaks
-%patch16 -p1 -b .nodevel
-%patch18 -p1 -b .gssapi-mech
-%patch19 -p1 -b .build
-%patch20 -p1 -b .aliasing
-%patch21 -p1 -b .cve_2015_4047
-%patch22 -p1 -b .station_id
-
-%build
-./bootstrap
-# Needed because some bad sizeof()'s
-sed -i 's|-Werror||g' configure
-# Needed to avoid error on gethostbyname, enable full relro
-LDFLAGS="$LDFLAGS -Wl,--as-needed"
-# Enable full relro hardening
-export LDFLAGS="$LDFLAGS -fPIC -pie -Wl,-z,relro -Wl,-z,now"
-%configure \
- --with-kernel-headers=/usr/include \
- --sysconfdir=%{racoonconfdir} \
- --without-readline \
- --enable-adminport \
- --enable-hybrid \
- --enable-frag \
- --enable-dpd \
- --enable-gssapi \
- --enable-natt \
- --enable-security-context \
- --enable-audit \
- --with-libpam \
- --with-libldap \
-# --with-libradius requires an unknown radius library
-# and complains about our -liconv being broken.
-make
-
-%install
-mkdir -p $RPM_BUILD_ROOT/sbin
-mkdir -p $RPM_BUILD_ROOT%{racoonconfdir}
-make install DESTDIR=$RPM_BUILD_ROOT
-
-install -m 600 %{SOURCE1} \
- $RPM_BUILD_ROOT%{racoonconfdir}/racoon.conf
-install -m 600 %{SOURCE2} \
- $RPM_BUILD_ROOT%{racoonconfdir}/psk.txt
-
-m
v $RPM_BUILD_ROOT%{_sbindir}/setkey $RPM_BUILD_ROOT/sbin
-
-mkdir -m 0700 -p $RPM_BUILD_ROOT%{racoonconfdir}/certs
-mkdir -m 0700 -p $RPM_BUILD_ROOT%{racoonconfdir}/scripts
-install -m 700 %{SOURCE3} \
- $RPM_BUILD_ROOT%{racoonconfdir}/scripts/p1_up_down
-install -D -m644 %{SOURCE4} $RPM_BUILD_ROOT%{_unitdir}/racoon.service
-install -D -m644 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/racoon
-
-mkdir -m 0755 -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/network-scripts
-install -p -m755 %{SOURCE6} %{SOURCE7} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/network-scripts
-
-
-%post
-%systemd_post racoon.service
-
-%preun
-%systemd_preun racoon.service
-
-%postun
-%systemd_postun_with_restart racoon.service
-
-%files
-%doc src/racoon/samples/racoon.conf src/racoon/samples/psk.txt
-%doc src/racoon/doc/FAQ
-%doc NEWS README
-/sbin/*
-%{_sbindir}/*
-%{_mandir}/man*/*
-%{_unitdir}/racoon.service
-%dir %{racoonconfdir}
-%{racoonconfdir}/scripts/*
-%dir %{racoonconfdir}/certs
-%dir %{racoonconfdir}/scripts
-%dir %{_localstatedir}/racoon
-%config(noreplace) %{racoonconfdir}/psk.txt
-%config(noreplace) %{racoonconfdir}/racoon.conf
-%config(noreplace) %{_sysconfdir}/pam.d/racoon
-%{_sysconfdir}/sysconfig/network-scripts/ifup-ipsec
-%{_sysconfdir}/sysconfig/network-scripts/ifdown-ipsec
-
-%changelog
-* Tue Jul 28 2020 Fedora Release Engineering - 0.8.2-18
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Wed Jan 29 2020 Fedora Release Engineering - 0.8.2-17
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Thu Jul 25 2019 Fedora Release Engineering - 0.8.2-16
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Fri Feb 01 2019 Fedora Release Engineering - 0.8.2-15
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Mon Jan 14 2019 Björn Esser - 0.8.2-14
-- Rebuilt for libcrypt.so.2 (#1666033)
-
-* Fri Jul 13 2018 Fedora Release Engineering - 0.8.2-13
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Wed Feb 07 2018 Fedora Release Engineering - 0.8.2-12
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Sat Jan 20 2018 Björn Esser - 0.8.2-11
-- Rebuilt for switch to libxcrypt
-
-* Thu Jan 11 2018 Peter Robinson 0.8.2-10
-- Spec cleanup and modernise, build with compat-openssl10 (fix FTBFS)
-
-* Wed Aug 02 2017 Fedora Release Engineering - 0.8.2-9
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Wed Jul 26 2017 Fedora Release Engineering - 0.8.2-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Fri Feb 10 2017 Fedora Release Engineering - 0.8.2-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
-
-* Tue Jan 24 2017 Paul Wouters - 0.8.2-6
-- Resolves: rhbz#1416122 ipsec-tools component racoon.service triggers complaints from systemd
-
-* Thu Apr 28 2016 Paul Wouters - 0.8.2-5
-- Resolves: rhbz#1251691 ifup-ipsec causes invalid ICMP redirects
- (Patch by Kaarle Ritvanen )
-
-* Thu Feb 04 2016 Fedora Release Engineering - 0.8.2-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
-
-* Thu Dec 17 2015 Paul Wouters - 0.8.2-2
-- Resolves: rhbz#1292522 Add remoteid/ph1id configuration feature
-
-* Wed Jun 17 2015 Fedora Release Engineering - 0.8.2-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
-
-* Tue May 26 2015 Paul Wouters - 0.8.2-1
-- Upgraded to 0.8.2
-- Resolves rhbz#1223420 CVE-2015-4047 NULL pointer dereference in racoon/gssapi.c
-- Resolves rhbz#1154906 fix port 4500 vs 500 isakmp initiator issue
-- Resolves rhbz#952413 Support for Calling-Station-Id attribute for xauth RADIUS requests
-
-* Fri Jan 09 2015 Paul Wouters - 0.8.1-6
-- Resolves: rhbz#1029503 missing depdendency on psmisc (fixup systemd scripts)
-
-* Sat Aug 16 2014 Fedora Release Engineering - 0.8.1-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
-
-* Sat Jun 07 2014 Fedora Release Engineering - 0.8.1-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
-
-* Thu Nov 14 2013 Paul Wouters - 0.8.1-3
-- Enable ldap support (rhbz#895965)
-- Update systemd macros (rhbz#850016)
-- Enable full relro hardening
-
-* Sat Aug 03 2013 Fedora Release Engineering - 0.8.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
-
-* Wed Feb 27 2013 Tomáš Mráz - 0.8.1-1
-- new upstream release
-- enabled ldap support (#895965)
-- macroized systemd script calls (#850165)
-
-* Thu Feb 14 2013 Fedora Release Engineering - 0.8.0-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
-
-* Thu Jul 19 2012 Fedora Release Engineering - 0.8.0-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
-
-* Thu Jan 26 2012 Tomas Mraz - 0.8.0-4
-- prefer the main IKE exchange mode (#475337)
-- allow specification of additional parameters for the ifup-ipsec (#784859)
-- convert the init script to systemd unit (#662714)
-
-* Fri Jan 13 2012 Fedora Release Engineering - 0.8.0-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
-
-* Fri Jun 17 2011 Tomas Mraz - 0.8.0-2
-- take over ifup-ipsec, ifdown-ipsec from initscripts
-
-* Mon Mar 21 2011 Tomas Mraz - 0.8.0-1
-- update to a new upstream version
-
-* Thu Feb 10 2011 Tomas Mraz - 0.7.3-8
-- fix build - drop -R from compiler invocation
-
-* Wed Feb 09 2011 Fedora Release Engineering - 0.7.3-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
-
-* Tue Dec 7 2010 Tomas Mraz - 0.7.3-6
-- fix FTBFS, add flex-static to buildrequires (#660865)
-
-* Wed Apr 14 2010 Tomas Mraz - 0.7.3-5
-- fix the initscript (#500571, #521647)
-
-* Fri Sep 25 2009 Tomas Mraz - 0.7.3-4
-- properly check for errors on gssapi_get_token_to_send()
-- use proper mechanism when canonicalizing gss names
-- use password-auth common PAM configuration instead of system-auth
-
-* Fri Aug 21 2009 Tomas Mraz - 0.7.3-3
-- rebuilt with new openssl
-
-* Wed Aug 19 2009 Tomas Mraz - 0.7.3-2
-- enable xauth over PAM (#470793)
-- add TMPDIR setting to the p1_up_down script
-
-* Tue Aug 18 2009 Tomas Mraz - 0.7.3-1
-- update to a new upstream version
-- fix service stop in preun (#515880)
-
-* Fri Jul 24 2009 Fedora Release Engineering - 0.7.2-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
-
-* Wed Jul 15 2009 Tomas Mraz - 0.7.2-2
-- fix FTBFS (#511556)
-- fix some memory leaks and compilation warnings found by review
-
-* Thu Apr 23 2009 Tomas Mraz - 0.7.2-1
-- Update to a new upstream version
-
-* Wed Feb 25 2009 Fedora Release Engineering - 0.7.1-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
-
-* Thu Jan 15 2009 Tomas Mraz - 0.7.1-7
-- rebuild with new openssl
-
-* Mon Nov 10 2008 Tomas Mraz - 0.7.1-6
-- fix patch porting error in the dpd-fixes patch (#470575)
-
-* Fri Oct 17 2008 Tomas Mraz - 0.7.1-5
-- fix CVE-2008-3652 (memory leak DoS)
-- compile racoon as PIE
-- another fix for teardown of the IPSEC SAs on DPD in some circumstances
-
-* Sun Aug 10 2008 Tomas Mraz - 0.7.1-4
-- Even better fix for IPSEC SA purging avoiding code duplication
- (original idea by Darrel Goeddel)
-
-* Fri Aug 8 2008 Tomas Mraz - 0.7.1-3
-- Fix IPSEC SA purge with NAT_T enabled
-
-* Wed Jul 30 2008 Tomas Mraz - 0.7.1-2
-- Different approach to allow racoon to add loopback SAs for
- labeled IPSec (without ISAKMP)
-
-* Tue Jul 29 2008 Tomas Mraz - 0.7.1-1
-- Update to a new upstream version
-
-* Thu Feb 28 2008 Steve Conklin - 0.7-13
-- Resolves bz#273261 remote-access client connection to Cisco ASA
-
-* Mon Feb 25 2008 Steve Conklin - 0.7-12
-- And again
-
-* Mon Feb 25 2008 Steve Conklin - 0.7-11
-- Messed that up, bumping
-
-* Mon Feb 25 2008 Steve Conklin - 0.7-10
-- Added upstream patch to fix ipv6 cookie alen
-
-* Thu Feb 14 2008 Steve Conklin - 0.7-9
-- rebuild for gcc4.3
-
-* Wed Dec 19 2007 Steve Conklin - 0.7-8
-- sourced krb5-devel.sh to set path
-
-* Tue Dec 18 2007 Steve Conklin - 0.7-7
-- bumped for retag
-
-* Tue Dec 18 2007 Steve Conklin - 0.7-6
-- Added a patch for context size change
-- Resolves #413331 racoon dies with buffer overflow in MCS/MLS loopback
-
-* Fri Dec 7 2007 Steve Conklin - 0.7-5
-- Bump for retagging
-
-* Fri Dec 7 2007 Steve Conklin - 0.7-4
-- Rebuild for dependencies
-
-* Thu Sep 20 2007 Steve Conklin - 0.7-3
-- Applied the following patches from Gabriel Somlo
-- Patches for connecting to Cisco ASA in remote-access (road-warrior) mode
-- Added phase1_up_down mode config script
-- Including our own .h files (ipsec, pfkeyv2, xfrm, udp) no longer necessary
-- Added init script for racoon daemon
-
-* Tue Aug 28 2007 Steve Conklin - 0.7-2
-- Fixed the loopback patch
-
-* Tue Aug 28 2007 Steve Conklin - 0.7-1
-- Rebase to upstream 0.7
-
-* Mon Apr 23 2007 Steve Grubb - 0.6.5-8
-- Upstream fix for Racoon DOS, informational delete must be encrypted
-- Resolves: rhbz#235388 - CVE-2007-1841 ipsec-tools racoon DoS
-
-* Fri Apr 20 2007 Steve Grubb - 0.6.5-7
-- Resolves: #218386 labeled ipsec does not work over loopback
-
-* Mon Apr 16 2007 Steve Grubb - 0.6.5-6.6
-- Related: #232508 add auditing to racoon
-
-* Sat Apr 14 2007 Steve Grubb - 0.6.6-6%{?dist}
-- Resolves: #235680 racoon socket descriptor exhaustion
-
-* Fri Apr 13 2007 Steve Grubb - 0.6.6-4%{?dist}
-- Resolves: #236121 increase buffer for context
-- Resolves: #234491 kernel sends ACQUIRES that racoon is not catching
-- Resolves: #218386 labeled ipsec does not work over loopback
-
-* Tue Mar 20 2007 Harald Hoyer - 0.6.6-3%{?dist}
-- fix for setting the security context into a
- proposal (32<->64bit) (rhbz#232508)
-
-* Wed Jan 17 2007 Harald Hoyer - 0.6.6-1
-- version 0.6.6
-
-* Sun Oct 01 2006 Jesse Keating - 0.6.5-6
-- rebuilt for unwind info generation, broken in gcc-4.1.1-21
-
-* Mon Sep 25 2006 Harald Hoyer - 0.6.5-5
-- added patch for selinux integration (bug #207159)
-
-* Fri Aug 4 2006 Harald Hoyer - 0.6.5-4
-- backport of important 0.6.6 fixes:
- - sets NAT-T ports to 0 if no NAT encapsulation
- - fixed memory leak
-
-* Wed Jul 12 2006 Jesse Keating - 0.6.5-3.1
-- rebuild
-
-* Wed Jun 21 2006 Harald Hoyer - 0.6.5-3
-- more build requirements
-
-* Tue Apr 18 2006 Dan Walsh - 0.6.5-2
-- Fix patch to build MLS Stuff correctly
-
-* Tue Apr 18 2006 Dan Walsh - 0.6.5-1
-- Update to latest upstream version
-- Add MLS Patch to allow use of labeled networks
-- Patch provided by Joy Latten
-
-* Fri Feb 10 2006 Jesse Keating - 0.6.4-1.1
-- bump again for double-long bug on ppc(64)
-
-* Tue Feb 07 2006 Harald Hoyer 0.6.4-1
-- version 0.6.4
-
-* Tue Feb 07 2006 Jesse Keating - 0.6.3-1.2
-- rebuilt for new gcc4.1 snapshot and glibc changes
-
-* Fri Dec 09 2005 Jesse Keating
-- rebuilt
-
-* Mon Dec 05 2005 Harald Hoyer 0.6.3-1
-- version 0.6.3, which contains fixes for various DoS problems
-
-* Wed Nov 9 2005 Tomas Mraz 0.6.1-2
-- rebuilt against new openssl
-
-* Wed Oct 12 2005 Harald Hoyer 0.6.1-1
-- version 0.6.1
-
-* Mon Mar 28 2005 Bill Nottingham 0.5-4
-- fix 64-bit issue in setph1attr() ()
-
-* Mon Mar 14 2005 Bill Nottingham 0.5-3
-- add patch for DoS (CAN-2005-0398, #145532)
-
-* Sat Mar 5 2005 Uwe Beck 0.5-2
-- now racoon use /etc/racoon/racoon.conf as default
-- add the /var/racoon directory for racoon.sock
-
-* Wed Feb 23 2005 Bill Nottingham 0.5-1
-- update to 0.5
-
-* Thu Nov 4 2004 Bill Nottingham 0.3.3-2
-- don't use new 0.3.3 handling of stdin in setkey; it breaks the
- format (#138105)
-
-* Mon Sep 27 2004 Bill Nottingham 0.3.3-1
-- update to 0.3.3 (#122211)
-
-* Sun Aug 08 2004 Alan Cox 0.2.5-6
-- fix buildreqs (Steve Grubb)
-
-* Mon Jun 28 2004 Nalin Dahyabhai 0.2.5-5
-- rebuild
-
-* Fri Jun 25 2004 Nalin Dahyabhai 0.2.5-4
-- backport certificate validation fixes from 0.3.3 (#126568)
-
-* Tue Jun 15 2004 Elliot Lee
-- rebuilt
-
-* Wed Apr 14 2004 Bill Nottingham - 0.2.5-2
-- add patch for potential remote DoS (CAN-2004-0403)
-
-* Tue Apr 6 2004 Bill Nottingham
-- update to 0.2.5
-
-* Tue Mar 02 2004 Elliot Lee
-- rebuilt
-
-* Mon Feb 23 2004 Bill Nottingham
-- update to 0.2.4, fix racoon install location (#116374, )
-
-* Fri Feb 13 2004 Elliot Lee
-- rebuilt
-
-* Mon Dec 8 2003 Bill Nottingham 0.2.2-8
-- rebuild
-
-* Fri Aug 29 2003 Bill Nottingham 0.2.2-7
-- add fix for #103238
-
-* Tue Aug 5 2003 Bill Nottingham 0.2.2-6
-- update kernel interface bits, rebuild against them
-
-* Tue Jul 29 2003 Bill Nottingham 0.2.2-5
-- rebuild
-
-* Wed Jul 2 2003 Bill Notitngham 0.2.2-4
-- ship a much more pared-down racoon.conf and psk.txt
-
-* Thu Jun 5 2003 Bill Notitngham 0.2.2-3
-- update pfkey header for current kernels
-
-* Wed Jun 04 2003 Elliot Lee
-- rebuilt
-
-* Fri May 2 2003 Bill Nottingham 0.2.2-1
-- update to 0.2.2
-
-* Fri Mar 7 2003 Bill Nottingham
-- initial build
diff --git a/p1_up_down b/p1_up_down
deleted file mode 100755
index 0eceb61..0000000
--- a/p1_up_down
+++ /dev/null
@@ -1,164 +0,0 @@
-#!/bin/bash
-
-#
-# manipulate IPSec SA database on behalf of the racoon daemon
-# Gabriel Somlo , 08/27/2007
-#
-
-#FIXME: read this from, e.g., /etc/sysconfig/racoon
-NAT_T="yes"
-
-
-shopt -s nocasematch
-umask 0022
-
-PATH=/bin:/sbin:/usr/bin:/usr/sbin
-# we must not touch /tmp
-TMPDIR="/var/racoon"
-
-# set up NAT-T
-case "${NAT_T}" in
- yes|true|on|enable*|1)
- LOCAL="${LOCAL_ADDR}[${LOCAL_PORT}]"
- REMOTE="${REMOTE_ADDR}[${REMOTE_PORT}]"
- ;;
- *)
- LOCAL="${LOCAL_ADDR}"
- REMOTE="${REMOTE_ADDR}"
- ;;
-esac
-
-# determine interface and next-hop for our default route
-DFLT_RT=$(ip route list | awk '($1 == "default"){print $3 ";" $5}')
-DFLT_IF=${DFLT_RT#*;}
-DFLT_GW=${DFLT_RT%;*}
-
-
-# bring up phase1
-phase1_up() {
- # check if VPN address already set up on default interface (dupe script call)
- ip addr list ${DFLT_IF} | grep -q "${INTERNAL_ADDR4}/32" && {
- echo "p1_up_down: phase1_up has already run !!!"
- exit 4
- }
-
- # save current resolv.conf and create new one based on info from VPN server
- [ -f /etc/resolv.conf.prevpn ] || cp /etc/resolv.conf /etc/resolv.conf.prevpn
- {
- echo "# Generated by racoon on $(date)"
- echo "search ${DEFAULT_DOMAIN}"
- for NS in ${INTERNAL_DNS4_LIST}; do
- echo "nameserver ${NS}"
- done
- } > /etc/resolv.conf
-
- # add VPN address to default interface
- ip addr add dev ${DFLT_IF} ${INTERNAL_ADDR4}/32
- # set up host route to VPN server
- ip route add ${REMOTE_ADDR} via ${DFLT_GW} dev ${DFLT_IF}
-
- if [ -n "${SPLIT_INCLUDE_CIDR}" ]; then
- # split tunnel: keep existing default, insert specific tunnel routes
- for N in ${SPLIT_INCLUDE_CIDR}; do
- ip route add ${N} via ${DFLT_GW} dev ${DFLT_IF} src ${INTERNAL_ADDR4}
- done
- else
- # full tunnel: set up any applicable exceptions
- for N in ${SPLIT_LOCAL_CIDR}; do
- ip route add ${N} via ${DFLT_GW} dev ${DFLT_IF}
- done
- # ... then replace default route with vpn tunnel
- ip route del default
- ip route add default via ${DFLT_GW} dev ${DFLT_IF} src ${INTERNAL_ADDR4}
- fi
-
- # update SA database
- setkey -c << EOT
-spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec
- esp/tunnel/${LOCAL}-${REMOTE}/require;
-spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P in ipsec
- esp/tunnel/${REMOTE}-${LOCAL}/require;
-EOT
-}
-
-# bring down phase1
-phase1_down() {
- # restore previous resolv.conf
- [ -f /etc/resolv.conf.prevpn ] && mv /etc/resolv.conf.prevpn /etc/resolv.conf
-
- if [ -n "${SPLIT_INCLUDE_CIDR}" ]; then
- # split tunnel: remove specific tunnel routes
- for N in ${SPLIT_INCLUDE_CIDR}; do
- ip route del ${N}
- done
- else
- # full tunnel: remove any applicable exceptions
- for N in ${SPLIT_LOCAL_CIDR}; do
- ip route del ${N}
- done
- # ... then restore original default route
- ip route del default
- ip route add default via ${DFLT_GW} dev ${DFLT_IF}
- fi
-
- # remove host route to VPN server
- ip route del ${REMOTE_ADDR}
- # remove VPN address from default interface
- ip addr del dev ${DFLT_IF} ${INTERNAL_ADDR4}/32
-
- # clean up SA database
- setkey -c << EOT
-spddelete ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec
- esp/tunnel/${LOCAL}-${REMOTE}/require;
-spddelete 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P in ipsec
- esp/tunnel/${REMOTE}-${LOCAL}/require;
-deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
-deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;
-# deleteall still broken on Linux, using 'flush esp' as workaround:
-flush esp;
-EOT
-}
-
-
-# print out parameters we received
-echo "p1_up_down: $1 starting..."
-echo "p1_up_down: LOCAL_ADDR = ${LOCAL_ADDR}"
-echo "p1_up_down: LOCAL_PORT = ${LOCAL_PORT}"
-echo "p1_up_down: REMOTE_ADDR = ${REMOTE_ADDR}"
-echo "p1_up_down: REMOTE_PORT = ${REMOTE_PORT}"
-echo "p1_up_down: DFLT_GW = ${DFLT_GW}"
-echo "p1_up_down: DFLT_IF = ${DFLT_IF}"
-echo "p1_up_down: INTERNAL_ADDR4 = ${INTERNAL_ADDR4}"
-echo "p1_up_down: INTERNAL_DNS4 = ${INTERNAL_DNS4}"
-echo "p1_up_down: DEFAULT_DOMAIN = ${DEFAULT_DOMAIN}"
-echo "p1_up_down: SPLIT_INCLUDE_CIDR = ${SPLIT_INCLUDE_CIDR}"
-echo "p1_up_down: SPLIT_LOCAL_CIDR = ${SPLIT_LOCAL_CIDR}"
-
-# check for valid VPN address
-echo ${INTERNAL_ADDR4} | grep -q '[0-9]' || {
- echo "p1_up_down: error: invalid INTERNAL_ADDR4."
- exit 1
-}
-
-# check for valid default nexthop
-echo ${DFLT_GW} | grep -q '[0-9]' || {
- echo "p1_up_down: error: invalid DFLT_GW."
- exit 2
-}
-
-# main "program"
-case "$1" in
- phase1_up)
- phase1_up
- ;;
- phase1_down)
- phase1_down
- ;;
- *)
- echo "p1_up_down: error: must be called by racoon w. arg=phase1_[up|down]"
- exit 3
- ;;
-esac
-
-echo "p1_up_down: $1 completed successfully."
-exit 0
diff --git a/psk.txt b/psk.txt
deleted file mode 100644
index ee0a348..0000000
--- a/psk.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-# file for pre-shared keys used for IKE authentication
-# format is: 'identifier' 'key'
-# For example:
-#
-# 10.1.1.1 flibbertigibbet
-# www.example.com 12345
-# foo@www.example.com micropachycephalosaurus
diff --git a/racoon.conf b/racoon.conf
deleted file mode 100644
index aa7a045..0000000
--- a/racoon.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-
-# Racoon IKE daemon configuration file.
-# See 'man racoon.conf' for a description of the format and entries.
-
-path include "/etc/racoon";
-path pre_shared_key "/etc/racoon/psk.txt";
-path certificate "/etc/racoon/certs";
-path script "/etc/racoon/scripts";
-
-sainfo anonymous
-{
- #pfs_group 2;
- lifetime time 1 hour ;
- encryption_algorithm 3des, blowfish 448, rijndael ;
- authentication_algorithm hmac_sha1, hmac_md5 ;
- compression_algorithm deflate ;
-}
-
-#remote
-#{
-# exchange_mode main;
-# my_identifier fqdn "host.name.of.vpn.client";
-# certificate_type x509 "client.crt" "client.key";
-# ca_type x509 "ca.crt";
-# mode_cfg on;
-# script "p1_up_down" phase1_up;
-# script "p1_up_down" phase1_down;
-# proposal
-# {
-# encryption_algorithm 3des;
-# hash_algorithm sha1;
-# authentication_method xauth_rsa_client;
-# dh_group 2;
-# }
-#}
diff --git a/racoon.pam b/racoon.pam
deleted file mode 100644
index 5047dad..0000000
--- a/racoon.pam
+++ /dev/null
@@ -1,8 +0,0 @@
-#%PAM-1.0
-# do not allow ipsec xauth for root
-auth required pam_succeed_if.so user != root
-auth include password-auth
-account required pam_nologin.so
-account include password-auth
-password include password-auth
-session include password-auth
diff --git a/racoon.service b/racoon.service
deleted file mode 100644
index f1ad652..0000000
--- a/racoon.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Racoon IKEv1 key management daemon for IPSEC
-After=syslog.target network.target
-
-[Service]
-Type=forking
-ExecStart=/usr/sbin/racoon
-ExecReload=/usr/bin/kill -HUP $MAINPID
-
-[Install]
-WantedBy=multi-user.target
diff --git a/sources b/sources
deleted file mode 100644
index 3d1cbae..0000000
--- a/sources
+++ /dev/null
@@ -1 +0,0 @@
-d53ec14a0a3ece64e09e5e34b3350b41 ipsec-tools-0.8.2.tar.bz2