Bug 1591817

Summary: rebase libreswan to 3.25
Product: Red Hat Enterprise Linux 7 Reporter: Ondrej Moriš <omoris>
Component: libreswanAssignee: Paul Wouters <pwouters>
Status: CLOSED ERRATA QA Contact: Ondrej Moriš <omoris>
Severity: high Docs Contact: Mirek Jahoda <mjahoda>
Priority: high    
Version: 7.5CC: mjahoda, mthacker, pwouters
Target Milestone: betaKeywords: Rebase
Target Release: 7.6   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
_libreswan_ rebased to version 3.25 The _libreswan_ packages have been upgraded to upstream version 3.25, which provides a number of bug fixes and enhancements over the previous version. Note that previously, an incorrect configuration forbidding Perfect Forward Secrecy with the "pfs=no" option and setting an ESP/AH PFS *modp* group (for example, "esp=aes-sha2;modp2048") would load and ignore the *modp* setting. With this update, these connections fail to load with the `ESP DH algorithm MODP2048 is invalid as PFS policy is disabled` error message.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 10:51:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ondrej Moriš 2018-06-15 16:01:07 UTC 
Description of problem:

Rebase libreswan to upstream version 3.24. Full changelog between 3.23 and 3.24 follows

* IKEv2: MOBIKE Initiator support (RFC 4555) [Antony]
* IKEv2: Support for IKE SA rekeying RFC7296 1.3.2, initiator [Antony]
* IKEv2: Support for IPsec SA rekeying RFC7296 1.3.3, initiator [Antony]
* IKEv2: Support for IKE SA reauth=yes|no RFC7296  2.8.3 [Antony]
* IKEv2: No longer allow contradicting esp= and pfs= options [Andrew]
* IKEv2: PPK support for authby=rsasig [Vukasin Karadzic]
* IKEv2: IANA INTERNAL_DNSSEC_TA allocation added [Paul]
* IKEv2: Add PPK support to authby=rsasig [Vukasin]
* IKEv2: Don't calculate NO_PPK_AUTH when the POLICY is INSIST [Vukasin]
* IKEv2: fix PPK when responder is ppk=no but has a valid PPKID [Paul/Vukasin]
* IKEv2: Support for protoport based Opportunistic IPsec [Paul]
* IKEv2: Support multiple authby values (eg authby=rsasig,null) [Paul]
* IKEv2: Support for AUTHNULL fallback via private use Notify [Vukasin]
* IKEv2: Fix v3.23 regression causing liveness check to always fail [Tuomo]
* IKEv2: Support for Microsoft rekey bug: ms-dh-downgrade=yes|no [Andrew/Paul]
* IKEv2: Allow switching between OE instances with different protoports [Paul]
* IKEv2: process INITIAL_CONTACT and delete old states from a connection [Paul]
* IKEv2: Only retransmit on the first fragment [Andrew]
* IKEv2: when sending fragments, also update st_msgid_lastreplied [Paul]
* IKEv1: Prevent crashes with IKEv1 mistakenly allowing narrowing=yes [Paul]
* X509: Extend support for wildcard certs matching remote peer ID [Paul/Hugh]
* X509: Support PKCS7 for Microsoft interop with intermediate certs [Andrew]
* pluto: Obsoleted connaddrfamily= (fixes 6in4 and 4in6) [Paul]
* pluto: New hostaddrfamily= and clientaddrfamily= (only needed w DNS) [Paul]
* pluto: Cleanup of state/md passing code [Andrew]
* pluto: Allow switching back from wrong instance to template conn [Paul]
* pluto: disentangle IKEv1 and IKEv2 packet sending code [Andrew]
* IKEv2: simplify constructing packets with next-payload-type [Andrew]
* IKEv2: construct and send encrypt IKEv2 notification payloads [Andrew]
* IKEv2: test/fix handling of corrupt encrypted packets [Andrew]
* pluto: Allow rightsubnets= without leftsubnet(s)= [Paul]
* pluto: don't share IP leases for authby=secret [Paul]
* pluto: Parser bug prevented 4in6 config [mhuntxu at github, Daniel M. Weeks]
* pluto: Find and delete old connection/states with same ID [Paul/Hugh]
* pluto: traffic log (and updown) line had in/out bytes swapped [Paul/Tuomo]
* addconn: Fix auto=route and auto=start processing [Paul]
* whack/auto: Ensure all status and list commands return no error code [Paul]
* FIPS: Don't attempt HMAC integrity test on rsasigkey (rhbz#1544143) [Paul]
* FIPS: Don't allow RSA keys < 3072 [Matt/Paul]
* FIPS: Enable our PRF aes_xcbc wrapper on NSS hash code in FIPS mode [Andrew]
* portexcludes: new command ipsec portexcludes (see portexcludes.conf) [Paul]
*  _updown.netkey: fix deleting routes when half routes are used [Tuomo]
* _unbound-hook: Pass all IPSECKEY's to pluto, not just the first [Paul]
* contrib/python-swan: module to check if trafic get be encrypted [Kim]
* contrib/c-swan: example code to check if trafic get be encrypted [Kim]
* building: added USE_GLIBC_KERN_FLIP_HEADERS (default off) [Paul]
* ipsec: add checknss option --settrusts to reset CA trusts in nss db [Tuomo]
* _updown.netkey: force routing when necessary for IPsec to work [Tuomo]
* _updown.netkey: do not proxyarp for host-host tunnels [Tuomo]
* look: sort XFRM output by priority [Andrew]
* Bugtracker bugs fixed:
   #318: vti interface gets down on previous initiator if roles switch [Tuomo]
   #328: Addcon crash on duplicit "left" or "leftid" keys in conn config [Stepan Broz]
#311: segfault in crl fetching git master f5b17dc [Andrew, Tuomo]

Version-Release number of selected component (if applicable):

libreswan-3.23-3.el7

How reproducible:

N/A

Steps to Reproduce:

N/A

Actual results:

N/A

Expected results:

N/A

Additional info:

Please notice that notice that 3.24 is not yet released upstream.
Comment 2 Ondrej Moriš 2018-06-15 16:04:52 UTC 
Paul, could you please point out the most important new features and bugfixes in the changelog?
Comment 7 errata-xmlrpc 2018-10-30 10:51:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:3174