[openswan/f18] 848132: dpd issue
avesh
avesh at fedoraproject.org
Thu Dec 6 21:04:49 UTC 2012
commit d567a59828dd5661b66b7592aa43e04e4902a7c4
Author: Avesh Agarwal <avagarwa at redhat.com>
Date: Thu Dec 6 16:04:13 2012 -0500
848132: dpd issue
- 884556: Fixed relro issue as it was done incorrectly upstream.
-DPIE was missing so fixed it now. Removed README.Fedora
from doc as it is not relevant.
- 833910: Enabled labeled ipsec
- fixed zeroization of a message during IKEv2 exchange that
was missed from rhel merge.
- fixed a bad commit from openswan upstream that caused ikev2
crashes and left it unusable.
- Incorrect unbound changes caused restore resolveconf failures,
which has been fixed now.
openswan-848132.patch | 12 +++++++++
openswan-884556.patch | 12 +++++++++
openswan-ikev2-crash.patch | 46 +++++++++++++++++++++++++++++++++++++
openswan-ikev2-missed-merge.patch | 18 ++++++++++++++
openswan-resolveconf.patch | 37 +++++++++++++++++++++++++++++
openswan.spec | 34 +++++++++++++++++++++++++-
6 files changed, 157 insertions(+), 2 deletions(-)
---
diff --git a/openswan-848132.patch b/openswan-848132.patch
new file mode 100644
index 0000000..da7d4a8
--- /dev/null
+++ b/openswan-848132.patch
@@ -0,0 +1,12 @@
+diff -urNp openswan-2.6.38-patched/programs/pluto/timer.c openswan-2.6.38-current/programs/pluto/timer.c
+--- openswan-2.6.38-patched/programs/pluto/timer.c 2012-09-10 13:46:11.019066044 -0400
++++ openswan-2.6.38-current/programs/pluto/timer.c 2012-11-08 13:06:44.425166049 -0500
+@@ -542,7 +542,7 @@ handle_next_timer_event(void)
+ newest = (IS_PHASE1(st->st_state) || IS_PHASE15(st->st_state ))
+ ? c->newest_isakmp_sa : c->newest_ipsec_sa;
+
+- if (newest != st->st_serialno
++ if (newest > st->st_serialno
+ && newest != SOS_NOBODY)
+ {
+ /* not very interesting: no need to replace */
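Review bot: The comment `/* not very interesting: no need to replace */` no longer matches the condition above it: with `>` a state whose serial is above the connection's recorded newest SA is now replaced rather than skipped, and nothing in the hunk or in the patch file records why that is the intended behaviour. A one-line comment above the `if`, e.g. `/* skip only when a strictly newer SA is already recorded for this connection (848132) */`, would keep the next reader from "fixing" it back to `!=`. If `SOS_NOBODY` is 0, the `newest != SOS_NOBODY` conjunct is subsumed by the strict comparison and could go; confirm against its definition before dropping it. handle_next_timer_event continues outside the hunk.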
diff --git a/openswan-884556.patch b/openswan-884556.patch
new file mode 100644
index 0000000..ec81b8f
--- /dev/null
+++ b/openswan-884556.patch
@@ -0,0 +1,12 @@
+diff -urNp openswan-2.6.38-patched/Makefile.inc openswan-2.6.38-current/Makefile.inc
+--- openswan-2.6.38-patched/Makefile.inc 2012-09-10 13:46:10.962066036 -0400
++++ openswan-2.6.38-current/Makefile.inc 2012-12-06 14:00:55.710687146 -0500
+@@ -201,7 +201,7 @@ KLIPSCOMPILE=-O3 -DCONFIG_KLIPS_ALG -DDI
+ #export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+ # extra link flags
+-USERLINK?=-Wl,-z,relro
++USERLINK?=-Wl,-z,relro -Wl,-z,now
+
+ PORTINCLUDE?=
+
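Review bot: The `-Wl,-z,now` added here sits in a `?=` default, while the spec's %build hunk passes `USERLINK="-g -pie"` on the make command line; a command-line variable overrides every ordinary makefile assignment (unless Makefile.inc uses `override`), so on the Fedora build the relro/now flags appear never to reach the link and the fix for 884556 would be a no-op. Full RELRO needs both `-z relro` and `-z now` on the final link, so either stop passing USERLINK from the spec or pass `USERLINK="-g -pie -Wl,-z,relro -Wl,-z,now"` there. It is worth confirming on the built binaries (readelf -d for BIND_NOW and -l for GNU_RELRO) rather than from the presence of the flag in this file.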
diff --git a/openswan-ikev2-crash.patch b/openswan-ikev2-crash.patch
new file mode 100644
index 0000000..5f95b97
--- /dev/null
+++ b/openswan-ikev2-crash.patch
@@ -0,0 +1,46 @@
+commit 13ef3f8a414bc4ee3d9f369ade8d2611d1bf0b5b
+Author: Avesh Agarwal <avagarwa at redhat.com>
+Date: Wed Nov 7 11:38:37 2012 -0500
+
+ This was caused by the bad upstream commit:
+ 3d277cebda58d2a24bc4fa1591d2e0c59c457f37
+ and caused ikev2 crashes making it completely unusable.
+
+diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c
+index 1a93db2..0120158 100644
+--- a/programs/pluto/ikev2_parent.c
++++ b/programs/pluto/ikev2_parent.c
+@@ -563,7 +563,6 @@ stf_status ikev2parent_inI1outR1(struct msg_digest *md)
+ /* set up new state */
+ memcpy(st->st_icookie, md->hdr.isa_icookie, COOKIE_SIZE);
+ /* initialize_new_state expects valid icookie/rcookie values, so create it now */
+- get_cookie(FALSE, st->st_rcookie, COOKIE_SIZE, &md->sender);
+ initialize_new_state(st, c, policy, 0, NULL_FD, pcim_stranger_crypto);
+ st->st_ikev2 = TRUE;
+ change_state(st, STATE_PARENT_R1);
+@@ -739,6 +738,8 @@ ikev2_parent_inI1outR1_tail(struct pluto_crypto_req_cont *pcrc
+ #endif
+
+ /* note that we don't update the state here yet */
++ memcpy(st->st_icookie, md->hdr.isa_icookie, COOKIE_SIZE);
++ get_cookie(FALSE, st->st_rcookie, COOKIE_SIZE, &md->sender);
+
+ /* record first packet for later checking of signature */
+ clonetochunk(st->st_firstpacket_him, md->message_pbs.start
+@@ -2361,7 +2362,7 @@ send_v2_notification(struct state *p1st, u_int16_t type
+ u_char buffer[1024];
+ pb_stream reply;
+ pb_stream rbody;
+- chunk_t child_spi, notify_data;
++ chunk_t child_spi;
+ /* this function is not generic enough yet just enough for 6msg
+ * TBD accept HDR FLAGS as arg. default ISAKMP_FLAGS_R
+ * TBD when there is a child SA use that SPI in the notify paylod.
+@@ -2419,7 +2420,6 @@ send_v2_notification(struct state *p1st, u_int16_t type
+
+ /* build and add v2N payload to the packet */
+ memset(&child_spi, 0, sizeof(child_spi));
+- memset(¬ify_data, 0, sizeof(notify_data));
+ ship_v2N (ISAKMP_NEXT_NONE, DBGP(IMPAIR_SEND_BOGUS_ISAKMP_FLAG) ?
+ (ISAKMP_PAYLOAD_NONCRITICAL | ISAKMP_PAYLOAD_OPENSWAN_BOGUS) :
+ ISAKMP_PAYLOAD_NONCRITICAL, PROTO_ISAKMP,
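Review bot: The comment `/* initialize_new_state expects valid icookie/rcookie values, so create it now */` is left in ikev2parent_inI1outR1 while the get_cookie() call it described is removed, so it now contradicts the code; either delete it or reword it to say that the rcookie is generated later in ikev2_parent_inI1outR1_tail. The icookie copy `memcpy(st->st_icookie, md->hdr.isa_icookie, COOKIE_SIZE);` now appears at both sites, and a short comment at the second one explaining why it has to be repeated after the crypto continuation would stop a later cleanup from removing one as a duplicate. Both functions, and send_v2_notification in the last two hunks, extend outside what is shown here.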
diff --git a/openswan-ikev2-missed-merge.patch b/openswan-ikev2-missed-merge.patch
new file mode 100644
index 0000000..504ca60
--- /dev/null
+++ b/openswan-ikev2-missed-merge.patch
@@ -0,0 +1,18 @@
+commit 5b192129368cffe54e8915ea7eb6a60581fb72ff
+Author: Avesh Agarwal <avagarwa at redhat.com>
+Date: Wed Nov 7 11:33:50 2012 -0500
+
+ Missed this commit during merge from rhel6.
+
+diff --git a/programs/pluto/ikev2_parent.c b/programs/pluto/ikev2_parent.c
+index a96ede5..1a93db2 100644
+--- a/programs/pluto/ikev2_parent.c
++++ b/programs/pluto/ikev2_parent.c
+@@ -2986,6 +2986,7 @@ void ikev2_delete_out(struct state *st)
+
+
+ /* insert an Encryption payload header */
++ zero(&e);
+ e.isag_np = ISAKMP_NEXT_v2D;
+ e.isag_critical = ISAKMP_PAYLOAD_NONCRITICAL;
+
diff --git a/openswan-resolveconf.patch b/openswan-resolveconf.patch
new file mode 100644
index 0000000..3a34c04
--- /dev/null
+++ b/openswan-resolveconf.patch
@@ -0,0 +1,37 @@
+diff -urNp openswan-2.6.38-patched/programs/_updown.klips/_updown.klips.in openswan-2.6.38-current/programs/_updown.klips/_updown.klips.in
+--- openswan-2.6.38-patched/programs/_updown.klips/_updown.klips.in 2012-03-23 17:33:43.000000000 -0400
++++ openswan-2.6.38-current/programs/_updown.klips/_updown.klips.in 2012-12-06 14:56:38.043040877 -0500
+@@ -275,8 +275,8 @@ restoreresolvconf() {
+ echo "flushing local nameserver of $PLUTO_CISCO_DOMAIN_INFO"
+ /usr/sbin/unbound-control forward_remove $PLUTO_CISCO_DOMAIN_INFO
+ /usr/sbin/unbound-control flush_zone $PLUTO_CISCO_DOMAIN_INFO
+- fi
+ return
++ fi
+ fi
+
+ if [ -z "$PLUTO_NM_CONFIGURED" -o "$PLUTO_NM_CONFIGURED" = 0 ]; then
+diff -urNp openswan-2.6.38-patched/programs/_updown.mast/_updown.mast.in openswan-2.6.38-current/programs/_updown.mast/_updown.mast.in
+--- openswan-2.6.38-patched/programs/_updown.mast/_updown.mast.in 2012-03-23 17:33:43.000000000 -0400
++++ openswan-2.6.38-current/programs/_updown.mast/_updown.mast.in 2012-12-06 14:56:56.491032475 -0500
+@@ -355,6 +355,7 @@ if [ -n "`pidof unbound`" ]; then
+ /usr/sbin/unbound-control forward_remove $PLUTO_CISCO_DOMAIN_INFO
+ /usr/sbin/unbound-control flush_zone $PLUTO_CISCO_DOMAIN_INFO
+ return
++ fi
+ fi
+
+ if [ -z "$PLUTO_NM_CONFIGURED" -o "$PLUTO_NM_CONFIGURED" = 0 ]; then
+diff -urNp openswan-2.6.38-patched/programs/_updown.netkey/_updown.netkey.in openswan-2.6.38-current/programs/_updown.netkey/_updown.netkey.in
+--- openswan-2.6.38-patched/programs/_updown.netkey/_updown.netkey.in 2012-09-10 13:46:11.014066042 -0400
++++ openswan-2.6.38-current/programs/_updown.netkey/_updown.netkey.in 2012-12-06 14:57:11.211022810 -0500
+@@ -273,8 +273,8 @@ restoreresolvconf() {
+ echo "flushing local nameserver of $PLUTO_CISCO_DOMAIN_INFO"
+ /usr/sbin/unbound-control forward_remove $PLUTO_CISCO_DOMAIN_INFO
+ /usr/sbin/unbound-control flush_zone $PLUTO_CISCO_DOMAIN_INFO
+- fi
+ return
++ fi
+ fi
+
+ if [ -z "$PLUTO_NM_CONFIGURED" -o "$PLUTO_NM_CONFIGURED" = 0 ]; then
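Review bot: `$PLUTO_CISCO_DOMAIN_INFO` is passed unquoted to unbound-control in all three scripts (the forward_remove and flush_zone lines), so an empty or whitespace-containing value is word-split or dropped entirely and the control command is then issued with the wrong arguments; while the block structure is being repaired here, quote it as `/usr/sbin/unbound-control forward_remove "$PLUTO_CISCO_DOMAIN_INFO"` and likewise for flush_zone. The mast variant only gains the missing `fi`, so its `return` already sits inside the inner block and all three scripts now share the same shape. restoreresolvconf() begins before and continues after each hunk.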
diff --git a/openswan.spec b/openswan.spec
index 291c7e3..4dcf3bc 100644
--- a/openswan.spec
+++ b/openswan.spec
@@ -2,6 +2,7 @@
%define USE_FIPSCHECK 1
%define USE_LIBCAP_NG 1
%define USE_NM 1
+%define USE_LABELED_IPSEC 1
%define nss_version 3.12.3-2
%define fipscheck_version 1.3.0
%define USE_CRL_FECTCHING 1
@@ -9,7 +10,7 @@
Summary: IPSEC implementation with IKEv1 and IKEv2 keying protocols
Name: openswan
Version: 2.6.38
-Release: 9%{?dist}
+Release: 10%{?dist}
License: GPLv2+
Url: http://www.openswan.org/
Source: openswan-%{version}.tar.gz
@@ -37,6 +38,11 @@ Patch18: openswan-834400.patch
Patch19: openswan-2.6.38-noperl.patch
Patch20: openswan-systemd-service.patch
Patch21: openswan-readme-nss.patch
+Patch22: openswan-ikev2-missed-merge.patch
+Patch23: openswan-ikev2-crash.patch
+Patch24: openswan-848132.patch
+Patch25: openswan-884556.patch
+Patch26: openswan-resolveconf.patch
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -118,11 +124,17 @@ install -m 644 %{SOURCE3} docs/README.x509
%patch19 -p1
%patch20 -p1
%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
+%patch26 -p1
%build
#796683: -fno-strict-aliasing
+#884556: added missed -DPIE
%{__make} \
- USERCOMPILE="-g %{optflags} -fno-strict-aliasing -fPIE -pie" \
+ USERCOMPILE="-g %{optflags} -fno-strict-aliasing -fPIE -DPIE" \
USERLINK="-g -pie" \
INC_USRLOCAL=%{_prefix} \
FINALLIBDIR=%{_libexecdir}/ipsec \
@@ -141,6 +153,9 @@ install -m 644 %{SOURCE3} docs/README.x509
%if %{USE_NM}
USE_NM=true \
%endif
+%if %{USE_LABELED_IPSEC}
+ USE_LABELED_IPSEC=true \
+%endif
%if %{USE_CRL_FECTCHING}
USE_LDAP=true \
USE_LIBCURL=true \
@@ -188,6 +203,8 @@ rm -f $RPM_BUILD_ROOT/usr/share/man/man3/*
chmod a-x $RPM_BUILD_ROOT%{_mandir}/*/*
# nuke duplicate docs to save space. this leaves html and ps
rm -f doc/HOWTO.pdf doc/HOWTO.txt
+#884556: remove README.Fedora as it does not seem relevant now.
+rm -rf docs/README.Fedora
%if %{USE_FIPSCHECK}
# Add generation of HMAC checksums of the final stripped binaries
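Review bot: `rm -rf docs/README.Fedora` removes a single file with `-r`, and its directory differs from the `doc/` used on the preceding `rm -f doc/HOWTO.pdf doc/HOWTO.txt` line, while the hunk header shows `docs/README.x509`; because `rm -rf` on a nonexistent path succeeds silently, a wrong directory would never be noticed. Use `rm -f docs/README.Fedora` and confirm which directory the file actually lives in after the patches are applied. The commit message and changelog spell it `RAEDME.Fedora`, presumably a typo for the same file.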
@@ -244,6 +261,19 @@ if [ $1 -ge 1 ] ; then
fi
%changelog
+* Thu Dec 7 2012 Avesh Agarwal <avagarwa at redhat.com> - 2.6.38-10
+- 848132: dpd issue
+- 884556: Fixed relro issue as it was done incorrectly upstream.
+ -DPIE was missing so fixed it now. Removed RAEDME.Fedora
+ from doc as it is not relevant.
+- 833910: Enabled labeled ipsec
+- fixed zeroization of a message during IKEv2 exchange that
+ was missed from rhel merge.
+- fixed a bad commit from openswan upstream that caused ikev2
+ crashes and left it unusable.
+- Incorrect unbound changes caused restore resolveconf failures,
+ which has been fixed now.
+
* Mon Oct 29 2012 Avesh Agarwal <avagarwa at redhat.com> - 2.6.38-9
- Removed fips integrity checking of systemd service file.
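Review bot: The new changelog entry is dated `Thu Dec 7 2012`, but the commit's own Date line gives Thu Dec 6 2012, so Dec 7 2012 was a Friday and rpmlint will flag the weekday as not matching the date. Change the first line to `* Thu Dec 6 2012 Avesh Agarwal <avagarwa at redhat.com> - 2.6.38-10` (or keep the 7th with Fri).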