diff --git a/download b/download
index f64fd68549f1efecd94d12a9bccc5af2f314735f..8462b62690925457c86baf646fd28cd800a707fd 100644
--- a/download
+++ b/download
@@ -1 +1,4 @@
-29c39e1ae62245d6995603b7e5368113 libreswan-4.5.tar.gz
+3c6f2ab474534ead7abec57c9484ea75 libreswan-4.6.tar.gz
+d8b493de7179635a6ed2a4d0e1b35282 ikev1_dsa.fax.bz2
+c4fe7041300e6c21f4561ce818b5002f ikev1_psk.fax.bz2
+7716c48a1a2b17ba25e89b79889d4004 ikev2.fax.bz2
diff --git a/ikev1_dsa.fax.bz2 b/ikev1_dsa.fax.bz2
deleted file mode 100644
index eb1c5d87f4a5d3f70c32961756c138a1ee1f5956..0000000000000000000000000000000000000000
Binary files a/ikev1_dsa.fax.bz2 and /dev/null differ
diff --git a/ikev1_psk.fax.bz2 b/ikev1_psk.fax.bz2
deleted file mode 100644
index 7f29d6c04dd1223768b4e79ad57ab83bc97bf8ae..0000000000000000000000000000000000000000
Binary files a/ikev1_psk.fax.bz2 and /dev/null differ
diff --git a/ikev2.fax.bz2 b/ikev2.fax.bz2
deleted file mode 100644
index 1f9f433e1334cf5d514d1dc5051d7fbdd8545bdb..0000000000000000000000000000000000000000
Binary files a/ikev2.fax.bz2 and /dev/null differ
diff --git a/libreswan-3.32-1861360-nodefault-rsa-pss.patch b/libreswan-3.32-1861360-nodefault-rsa-pss.patch
deleted file mode 100644
index e9d50e06f60799d6a8fa298c079aea3c26d629b2..0000000000000000000000000000000000000000
--- a/libreswan-3.32-1861360-nodefault-rsa-pss.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff -Naur libreswan-3.32-orig/lib/libipsecconf/confread.c libreswan-3.32/lib/libipsecconf/confread.c
---- libreswan-3.32-orig/lib/libipsecconf/confread.c 2020-07-28 20:25:54.618261606 -0400
-+++ libreswan-3.32/lib/libipsecconf/confread.c 2020-07-28 20:28:03.952421236 -0400
-@@ -1498,9 +1498,14 @@
- } else if (streq(val, "rsasig") || streq(val, "rsa")) {
- conn->policy |= POLICY_RSASIG;
- conn->policy |= POLICY_RSASIG_v1_5;
-+ /*
-+ * These cause failure with RSA 1024 bits because it uses RSA-PSS
-+ */
-+#if 0
- conn->sighash_policy |= POL_SIGHASH_SHA2_256;
- conn->sighash_policy |= POL_SIGHASH_SHA2_384;
- conn->sighash_policy |= POL_SIGHASH_SHA2_512;
-+#endif
- } else if (streq(val, "never")) {
- conn->policy |= POLICY_AUTH_NEVER;
- /* everything else is only supported for IKEv2 */
diff --git a/libreswan-4.1-maintain-obsolete-keywords.patch b/libreswan-4.1-maintain-obsolete-keywords.patch
deleted file mode 100644
index 539dcd1c3e23331cd9bf5acb93c466dfa49310c5..0000000000000000000000000000000000000000
--- a/libreswan-4.1-maintain-obsolete-keywords.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-diff -Naur libreswan-4.2-orig/lib/libipsecconf/keywords.c libreswan-4.2/lib/libipsecconf/keywords.c
---- libreswan-4.2-orig/lib/libipsecconf/keywords.c 2021-02-02 20:36:01.000000000 -0500
-+++ libreswan-4.2/lib/libipsecconf/keywords.c 2021-02-04 19:22:05.880228930 -0500
-@@ -374,6 +374,8 @@
- { "interfaces", kv_config, kt_string, KSF_INTERFACES, NULL, NULL, },
- { "curl-iface", kv_config, kt_string, KSF_CURLIFACE, NULL, NULL, },
- { "curl-timeout", kv_config, kt_time, KBF_CURLTIMEOUT, NULL, NULL, },
-+ { "curl_iface", kv_config | kv_alias, kt_string, KSF_CURLIFACE, NULL, NULL, }, /* obsolete _ */
-+ { "curl_timeout", kv_config | kv_alias, kt_time, KBF_CURLTIMEOUT, NULL, NULL, }, /* obsolete _ */
-
- { "myvendorid", kv_config, kt_string, KSF_MYVENDORID, NULL, NULL, },
- { "syslog", kv_config, kt_string, KSF_SYSLOG, NULL, NULL, },
-@@ -381,6 +383,7 @@
- { "logfile", kv_config, kt_filename, KSF_LOGFILE, NULL, NULL, },
- { "plutostderrlog", kv_config, kt_filename, KSF_LOGFILE, NULL, NULL, }, /* obsolete name, but very common :/ */
- { "logtime", kv_config, kt_bool, KBF_LOGTIME, NULL, NULL, },
-+ { "plutostderrlogtime", kv_config | kv_alias, kt_bool, KBF_LOGTIME, NULL, NULL, }, /* obsolete */
- { "logappend", kv_config, kt_bool, KBF_LOGAPPEND, NULL, NULL, },
- { "logip", kv_config, kt_bool, KBF_LOGIP, NULL, NULL, },
- { "audit-log", kv_config, kt_bool, KBF_AUDIT_LOG, NULL, NULL, },
-@@ -400,13 +403,20 @@
- { "global-redirect-to", kv_config, kt_string, KSF_GLOBAL_REDIRECT_TO, NULL, NULL, },
-
- { "crl-strict", kv_config, kt_bool, KBF_CRL_STRICT, NULL, NULL, },
-+ { "crl_strict", kv_config | kv_alias, kt_bool, KBF_CRL_STRICT, NULL, NULL, }, /* obsolete _ */
- { "crlcheckinterval", kv_config, kt_time, KBF_CRL_CHECKINTERVAL, NULL, NULL, },
-+ { "strictcrlpolicy", kv_config | kv_alias, kt_bool, KBF_CRL_STRICT, NULL, NULL, }, /* obsolete; used on openswan */
-
- { "ocsp-strict", kv_config, kt_bool, KBF_OCSP_STRICT, NULL, NULL, },
-+ { "ocsp_strict", kv_config | kv_alias, kt_bool, KBF_OCSP_STRICT, NULL, NULL, }, /* obsolete _ */
- { "ocsp-enable", kv_config, kt_bool, KBF_OCSP_ENABLE, NULL, NULL, },
-+ { "ocsp_enable", kv_config | kv_alias, kt_bool, KBF_OCSP_ENABLE, NULL, NULL, }, /* obsolete _ */
- { "ocsp-uri", kv_config, kt_string, KSF_OCSP_URI, NULL, NULL, },
-+ { "ocsp_uri", kv_config | kv_alias, kt_string, KSF_OCSP_URI, NULL, NULL, }, /* obsolete _ */
- { "ocsp-timeout", kv_config, kt_number, KBF_OCSP_TIMEOUT, NULL, NULL, },
-+ { "ocsp_timeout", kv_config | kv_alias, kt_number, KBF_OCSP_TIMEOUT, NULL, NULL, }, /* obsolete _ */
- { "ocsp-trustname", kv_config, kt_string, KSF_OCSP_TRUSTNAME, NULL, NULL, },
-+ { "ocsp_trust_name", kv_config | kv_alias, kt_string, KSF_OCSP_TRUSTNAME, NULL, NULL, }, /* obsolete _ */
- { "ocsp-cache-size", kv_config, kt_number, KBF_OCSP_CACHE_SIZE, NULL, NULL, },
- { "ocsp-cache-min-age", kv_config, kt_time, KBF_OCSP_CACHE_MIN, NULL, NULL, },
- { "ocsp-cache-max-age", kv_config, kt_time, KBF_OCSP_CACHE_MAX, NULL, NULL, },
-@@ -426,6 +436,7 @@
- { "virtual_private", kv_config, kt_string, KSF_VIRTUALPRIVATE, NULL, NULL, }, /* obsolete variant, very common */
- { "seedbits", kv_config, kt_number, KBF_SEEDBITS, NULL, NULL, },
- { "keep-alive", kv_config, kt_number, KBF_KEEPALIVE, NULL, NULL, },
-+ { "keep_alive", kv_config | kv_alias, kt_number, KBF_KEEPALIVE, NULL, NULL, }, /* obsolete _ */
-
- { "listen-tcp", kv_config, kt_bool, KBF_LISTEN_TCP, NULL, NULL },
- { "listen-udp", kv_config, kt_bool, KBF_LISTEN_UDP, NULL, NULL },
-@@ -437,6 +448,8 @@
- #ifdef HAVE_LABELED_IPSEC
- { "ikev1-secctx-attr-type", kv_config, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete: not a value, a type */
- { "secctx-attr-type", kv_config | kv_alias, kt_number, KBF_SECCTX, NULL, NULL, },
-+ { "secctx_attr_value", kv_config | kv_alias, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete _ */
-+ { "secctx-attr-value", kv_config, kt_number, KBF_SECCTX, NULL, NULL, }, /* obsolete: not a value, a type */
- #endif
-
- /* these options are obsoleted (and not old aliases) */
-@@ -467,6 +480,7 @@
- { "username", kv_conn | kv_leftright, kt_string, KSCF_USERNAME, NULL, NULL, },
- /* xauthusername is still used in NetworkManager-libreswan :/ */
- { "xauthusername", kv_conn | kv_leftright, kt_string, KSCF_USERNAME, NULL, NULL, }, /* old alias */
-+ { "xauthname", kv_conn | kv_leftright, kt_string, KSCF_USERNAME, NULL, NULL, }, /* old alias */
- { "addresspool", kv_conn | kv_leftright, kt_range, KSCF_ADDRESSPOOL, NULL, NULL, },
- { "auth", kv_conn | kv_leftright, kt_enum, KNCF_AUTH, &kw_authby_lr_list, NULL, },
- { "cat", kv_conn | kv_leftright, kt_bool, KNCF_CAT, NULL, NULL, },
-@@ -489,6 +503,8 @@
- { "esn", kv_conn | kv_processed, kt_enum, KNCF_ESN, &kw_esn_list, NULL, },
- { "decap-dscp", kv_conn | kv_processed, kt_bool, KNCF_DECAP_DSCP, NULL, NULL, },
- { "nopmtudisc", kv_conn | kv_processed, kt_bool, KNCF_NOPMTUDISC, NULL, NULL, },
-+ { "ike_frag", kv_conn | kv_processed | kv_alias, kt_enum, KNCF_IKE_FRAG, &kw_ynf_list, NULL, }, /* obsolete _ */
-+ { "ike-frag", kv_conn | kv_processed | kv_alias, kt_enum, KNCF_IKE_FRAG, &kw_ynf_list, NULL, }, /* obsolete name */
- { "fragmentation", kv_conn | kv_processed, kt_enum, KNCF_IKE_FRAG, &kw_ynf_list, NULL, },
- { "mobike", kv_conn, kt_bool, KNCF_MOBIKE, NULL, NULL, },
- { "narrowing", kv_conn, kt_bool, KNCF_IKEv2_ALLOW_NARROWING, NULL, NULL, },
-@@ -499,13 +515,18 @@
- { "accept-redirect-to", kv_conn, kt_string, KSCF_ACCEPT_REDIRECT_TO, NULL, NULL, },
- { "pfs", kv_conn, kt_bool, KNCF_PFS, NULL, NULL, },
-
-+ { "nat_keepalive", kv_conn | kv_alias, kt_bool, KNCF_NAT_KEEPALIVE, NULL, NULL, }, /* obsolete _ */
- { "nat-keepalive", kv_conn, kt_bool, KNCF_NAT_KEEPALIVE, NULL, NULL, },
-
-+ { "initial_contact", kv_conn | kv_alias, kt_bool, KNCF_INITIAL_CONTACT, NULL, NULL, }, /* obsolete _ */
- { "initial-contact", kv_conn, kt_bool, KNCF_INITIAL_CONTACT, NULL, NULL, },
-+ { "cisco_unity", kv_conn | kv_alias, kt_bool, KNCF_CISCO_UNITY, NULL, NULL, }, /* obsolete _ */
- { "cisco-unity", kv_conn, kt_bool, KNCF_CISCO_UNITY, NULL, NULL, },
- { "send-no-esp-tfc", kv_conn, kt_bool, KNCF_NO_ESP_TFC, NULL, NULL, },
- { "fake-strongswan", kv_conn, kt_bool, KNCF_VID_STRONGSWAN, NULL, NULL, },
-+ { "send_vendorid", kv_conn | kv_alias, kt_bool, KNCF_SEND_VENDORID, NULL, NULL, }, /* obsolete _ */
- { "send-vendorid", kv_conn, kt_bool, KNCF_SEND_VENDORID, NULL, NULL, },
-+ { "sha2_truncbug", kv_conn | kv_alias, kt_bool, KNCF_SHA2_TRUNCBUG, NULL, NULL, }, /* obsolete _ */
- { "sha2-truncbug", kv_conn, kt_bool, KNCF_SHA2_TRUNCBUG, NULL, NULL, },
- { "ms-dh-downgrade", kv_conn, kt_bool, KNCF_MSDH_DOWNGRADE, NULL, NULL, },
- { "require-id-on-certificate", kv_conn, kt_bool, KNCF_SAN_ON_CERT, NULL, NULL, },
-@@ -520,7 +541,10 @@
- {"ikepad", kv_conn, kt_bool, KNCF_IKEPAD, NULL, NULL, },
- { "nat-ikev1-method", kv_conn | kv_processed, kt_enum, KNCF_IKEV1_NATT, &kw_ikev1natt_list, NULL, },
-
-+ { "labeled_ipsec", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
-+ { "labeled-ipsec", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
- { "policy-label", kv_conn, kt_string, KSCF_SA_SEC_LABEL, NULL, NULL, }, /* obsolete variant */
-+ { "policy_label", kv_conn, kt_string, KSCF_SA_SEC_LABEL, NULL, NULL, }, /* obsolete variant */
- { "sec-label", kv_conn, kt_string, KSCF_SA_SEC_LABEL, NULL, NULL, }, /* really stored into struct end */
-
- /* Cisco interop: remote peer type */
-@@ -531,13 +555,17 @@
- /* Network Manager support */
- #ifdef HAVE_NM
- { "nm-configured", kv_conn, kt_bool, KNCF_NMCONFIGURED, NULL, NULL, },
-+ { "nm_configured", kv_conn, kt_bool, KNCF_NMCONFIGURED, NULL, NULL, }, /* obsolete _ */
- #endif
-
- { "xauthby", kv_conn, kt_enum, KNCF_XAUTHBY, &kw_xauthby, NULL, },
- { "xauthfail", kv_conn, kt_enum, KNCF_XAUTHFAIL, &kw_xauthfail, NULL, },
- { "modecfgpull", kv_conn, kt_invertbool, KNCF_MODECONFIGPULL, NULL, NULL, },
- { "modecfgdns", kv_conn, kt_string, KSCF_MODECFGDNS, NULL, NULL, },
-+ { "modecfgdns1", kv_conn | kv_alias, kt_string, KSCF_MODECFGDNS, NULL, NULL, }, /* obsolete */
-+ { "modecfgdns2", kv_conn, kt_obsolete, KNCF_WARNIGNORE, NULL, NULL, }, /* obsolete */
- { "modecfgdomains", kv_conn, kt_string, KSCF_MODECFGDOMAINS, NULL, NULL, },
-+ { "modecfgdomain", kv_conn | kv_alias, kt_string, KSCF_MODECFGDOMAINS, NULL, NULL, }, /* obsolete */
- { "modecfgbanner", kv_conn, kt_string, KSCF_MODECFGBANNER, NULL, NULL, },
- { "ignore-peer-dns", kv_conn, kt_bool, KNCF_IGNORE_PEER_DNS, NULL, NULL, },
- { "mark", kv_conn, kt_string, KSCF_CONN_MARK_BOTH, NULL, NULL, },
diff --git a/libreswan-4.3-1934186-config.patch b/libreswan-4.3-1934186-config.patch
deleted file mode 100644
index 022fb47ff06f789e4fa5db4c01afa7eb3f17da4a..0000000000000000000000000000000000000000
--- a/libreswan-4.3-1934186-config.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -Naur libreswan-4.3-orig/configs/ipsec.conf.in libreswan-4.3/configs/ipsec.conf.in
---- libreswan-4.3-orig/configs/ipsec.conf.in 2021-03-04 14:29:50.591912834 -0500
-+++ libreswan-4.3/configs/ipsec.conf.in 2021-03-04 14:30:27.227389433 -0500
-@@ -32,6 +32,7 @@
- # listen-tcp=yes
- # To enable IKE and IPsec over TCP for VPN client, also specify
- # tcp-remote-port=4500 in the client's conn section.
-+ virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
-
- # if it exists, include system wide crypto-policy defaults
- # include /etc/crypto-policies/back-ends/libreswan.config
diff --git a/libreswan-4.3-maintain-different-v1v2-split.patch b/libreswan-4.3-maintain-different-v1v2-split.patch
deleted file mode 100644
index 33bf0fb0be6e26e2321b247b43d63c81a615b56a..0000000000000000000000000000000000000000
--- a/libreswan-4.3-maintain-different-v1v2-split.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-diff -Naur libreswan-4.3-orig/configs/d.ipsec.conf/ikev2.xml libreswan-4.3/configs/d.ipsec.conf/ikev2.xml
---- libreswan-4.3-orig/configs/d.ipsec.conf/ikev2.xml 2021-02-21 12:03:03.000000000 -0500
-+++ libreswan-4.3/configs/d.ipsec.conf/ikev2.xml 2021-02-21 12:33:36.226284499 -0500
-@@ -1,15 +1,15 @@
-
- ikev2
-
--Whether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) settings to be used.
--Currently the accepted values are no(the default),
--signifying only IKEv1 is accepted, or yes,
-+Wether to use IKEv1 (RFC 4301) or IKEv2 (RFC 7296) as the Internet Key Exchange (IKE) protcol.
-+Currently the accepted values are no (or never)
-+signifying only IKEv1 is accepted, or insist(the default),
- signifying only IKEv2 is accepted. Previous versions allowed the keywords
--propose or permit
--that would allow either IKEv1 or IKEv2, but this is no longer supported. The
--permit option is interpreted as no and the propose option is interpreted as
--yes. Older versions also supported keyword
--insist which is now interpreted as yes.
-+propose, yes or permit
-+that would allow either IKEv1 or IKEv2, but this is no longer supported and both options
-+now cause the connection to fail to load. WARNING: This behaviour differs from upstream
-+libreswan, which only accepts yes or no where yes means
-+the same as insist.
-
-
-
-diff -Naur libreswan-4.3-orig/lib/libipsecconf/confread.c libreswan-4.3/lib/libipsecconf/confread.c
---- libreswan-4.3-orig/lib/libipsecconf/confread.c 2021-02-21 12:03:03.000000000 -0500
-+++ libreswan-4.3/lib/libipsecconf/confread.c 2021-02-21 12:37:43.138031929 -0500
-@@ -1310,11 +1310,17 @@
-
- switch (conn->options[KNCF_IKEv2]) {
- case fo_never:
-- case fo_permit:
- conn->ike_version = IKEv1;
- break;
-
-+ case fo_permit:
-+ starter_error_append(perrl, "ikev2=permit is no longer accepted. Use ikev2=insist or ikev2=no|never");
-+ return TRUE;
-+
- case fo_propose:
-+ starter_error_append(perrl, "ikev2=propose or ikev2=yes is no longer accepted. Use ikev2=insist or ikev2=no|never");
-+ return TRUE;
-+
- case fo_insist:
- conn->ike_version = IKEv2;
- break;
-diff -Naur libreswan-4.3-orig/programs/whack/whack.c libreswan-4.3/programs/whack/whack.c
---- libreswan-4.3-orig/programs/whack/whack.c 2021-02-21 12:03:03.000000000 -0500
-+++ libreswan-4.3/programs/whack/whack.c 2021-02-21 12:39:27.066188354 -0500
-@@ -801,7 +801,7 @@
- { "ikev1-allow", no_argument, NULL, CD_IKEv1 + OO }, /* obsolete name */
- { "ikev2", no_argument, NULL, CD_IKEv2 +OO },
- { "ikev2-allow", no_argument, NULL, CD_IKEv2 +OO }, /* obsolete name */
-- { "ikev2-propose", no_argument, NULL, CD_IKEv2 +OO }, /* obsolete, map onto allow */
-+ /* not in RHEL8 { "ikev2-propose", no_argument, NULL, CD_IKEv2 +OO }, */
-
- PS("allow-narrowing", IKEV2_ALLOW_NARROWING),
- #ifdef AUTH_HAVE_PAM
-@@ -1762,7 +1762,7 @@
- end_seen = LEMPTY;
- continue;
-
-- /* --ikev1 --ikev2 --ikev2-propose */
-+ /* --ikev1 --ikev2 */
- case CD_IKEv1:
- case CD_IKEv2:
- {
diff --git a/libreswan-4.4-ikev1-disable-diagnostics.patch b/libreswan-4.4-ikev1-disable-diagnostics.patch
deleted file mode 100644
index 0f5bc475778154aa8bf9f8a6c195989e114d7e6c..0000000000000000000000000000000000000000
--- a/libreswan-4.4-ikev1-disable-diagnostics.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Index: libreswan-4.4/programs/pluto/ikev1.c
-===================================================================
---- libreswan-4.4.orig/programs/pluto/ikev1.c
-+++ libreswan-4.4/programs/pluto/ikev1.c
-@@ -2102,7 +2102,6 @@ void process_packet_tail(struct msg_dige
- diag_t d = pbs_in_struct(&md->message_pbs, &isakmp_ignore_desc,
- &pd->payload, sizeof(pd->payload), &pd->pbs);
- if (d != NULL) {
-- llog_diag(RC_LOG, st->st_logger, &d, "%s", "");
- LOG_PACKET(RC_LOG_SERIOUS,
- "%smalformed payload in packet",
- excuse);
-@@ -2171,7 +2170,6 @@ void process_packet_tail(struct msg_dige
- &pd->payload, sizeof(pd->payload),
- &pd->pbs);
- if (d != NULL) {
-- llog_diag(RC_LOG, st->st_logger, &d, "%s", "");
- LOG_PACKET(RC_LOG_SERIOUS,
- "%smalformed payload in packet",
- excuse);
diff --git a/libreswan-4.6-ikev1-aggr.patch b/libreswan-4.6-ikev1-aggr.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3b76b5c73edbaadd7b0f0aaf7e3f9e2576ad0ebe
--- /dev/null
+++ b/libreswan-4.6-ikev1-aggr.patch
@@ -0,0 +1,217 @@
+From 35cf6a8ff4ebb6d163040ec8080eb9e6a2d3fcd9 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Tue, 18 Apr 2023 10:36:06 +0900
+Subject: [PATCH 1/2] Fix CVE-2023-30570
+
+Signed-off-by: Daiki Ueno
+---
+ programs/pluto/ikev1.c | 61 +++++++++++++++++++++++++++++++++++--
+ programs/pluto/ikev1_aggr.c | 5 +--
+ 2 files changed, 61 insertions(+), 5 deletions(-)
+
+diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c
+index ebd0d8af9b..22e2a48cd9 100644
+--- a/programs/pluto/ikev1.c
++++ b/programs/pluto/ikev1.c
+@@ -1098,10 +1098,20 @@ void process_v1_packet(struct msg_digest *md)
+ struct state *st = NULL;
+ enum state_kind from_state = STATE_UNDEFINED; /* state we started in */
+
++ /*
++ * For the initial responses, don't leak the responder's SPI.
++ * Hence the use of send_v1_notification_from_md().
++ *
++ * AGGR mode is a mess in that the R0->R1 transition happens
++ * well before the transition succeeds.
++ */
+ #define SEND_NOTIFICATION(t) \
+ { \
+ pstats(ikev1_sent_notifies_e, t); \
+- if (st != NULL) \
++ if (st != NULL && \
++ st->st_state->kind != STATE_AGGR_R0 && \
++ st->st_state->kind != STATE_AGGR_R1 && \
++ st->st_state->kind != STATE_MAIN_R0) \
+ send_notification_from_state(st, from_state, t); \
+ else \
+ send_notification_from_md(md, t); \
+@@ -1165,17 +1175,26 @@ void process_v1_packet(struct msg_digest *md)
+ from_state = (md->hdr.isa_xchg == ISAKMP_XCHG_IDPROT ?
+ STATE_MAIN_R0 : STATE_AGGR_R0);
+ } else {
+- /* not an initial message */
++ /*
++ * Possibly not an initial message. Possibly
++ * from initiator. Possibly from responder.
++ *
++ * Possibly. Which is probably hopeless.
++ */
+
+ st = find_state_ikev1(&md->hdr.isa_ike_spis,
+ md->hdr.isa_msgid);
+
+ if (st == NULL) {
+ /*
+- * perhaps this is a first message
++ * Perhaps this is a first message
+ * from the responder and contains a
+ * responder cookie that we've not yet
+ * seen.
++ *
++ * Perhaps this is a random message
++ * with a bogus non-zero responder IKE
++ * SPI.
+ */
+ st = find_state_ikev1_init(&md->hdr.isa_ike_initiator_spi,
+ md->hdr.isa_msgid);
+@@ -1186,6 +1205,21 @@ void process_v1_packet(struct msg_digest *md)
+ /* XXX Could send notification back */
+ return;
+ }
++ if (st->st_state->kind == STATE_AGGR_R0) {
++ /*
++ * The only way for this to
++ * happen is for the attacker
++ * to guess the responder's
++ * IKE SPI that hasn't been
++ * sent over the wire?
++ *
++ * Well that or played 1/2^32
++ * odds.
++ */
++ llog_pexpect(md->md_logger, HERE,
++ "phase 1 message matching AGGR_R0 state");
++ return;
++ }
+ }
+ from_state = st->st_state->kind;
+ }
+@@ -2904,7 +2938,28 @@ void complete_v1_state_transition(struct state *st, struct msg_digest *md, stf_s
+ delete_state(st);
+ /* wipe out dangling pointer to st */
+ md->v1_st = NULL;
++ } else if (st->st_state->kind == STATE_AGGR_R0 ||
++ st->st_state->kind == STATE_AGGR_R1 ||
++ st->st_state->kind == STATE_MAIN_R0) {
++ /*
++ *
++ * Wipe out the incomplete larval state.
++ *
++ * ARGH! In <=v4.10, the aggr code flipped the
++ * larval state to R1 right at the start of
++ * the transition and not the end, so using
++ * state to figure things out is close to
++ * useless.
++ *
++ * Deleting the state means that pluto has no
++ * way to detect and ignore amplification
++ * attacks.
++ */
++ delete_state(st);
++ /* wipe out dangling pointer to st */
++ md->v1_st = NULL;
+ }
++
+ break;
+ }
+ }
+diff --git a/programs/pluto/ikev1_aggr.c b/programs/pluto/ikev1_aggr.c
+index b533ebb482..7039327b70 100644
+--- a/programs/pluto/ikev1_aggr.c
++++ b/programs/pluto/ikev1_aggr.c
+@@ -160,7 +160,7 @@ stf_status aggr_inI1_outR1(struct state *unused_st UNUSED,
+ struct ike_sa *ike = new_v1_rstate(c, md);
+ struct state *st = &ike->sa;
+ md->v1_st = st; /* (caller will reset cur_state) */
+- change_state(st, STATE_AGGR_R1);
++ change_state(st, STATE_AGGR_R0);
+
+ /* warn for especially dangerous Aggressive Mode and PSK */
+ if (LIN(POLICY_PSK, c->policy) && LIN(POLICY_AGGRESSIVE, c->policy)) {
+@@ -177,7 +177,8 @@ stf_status aggr_inI1_outR1(struct state *unused_st UNUSED,
+
+ if (!v1_decode_certs(md)) {
+ log_state(RC_LOG, st, "X509: CERT payload bogus or revoked");
+- return false;
++ /* XXX notification is in order! */
++ return STF_FAIL + INVALID_ID_INFORMATION;
+ }
+
+ /*
+--
+2.39.2
+
+
+From 59a25e2ecfe7cf5192f91a872d775e6ef2044478 Mon Sep 17 00:00:00 2001
+From: Andrew Cagney
+Date: Sat, 25 Mar 2023 19:40:52 -0400
+Subject: [PATCH 2/2] ikev1: add --impair
+ copy_v1_notify_response_SPIs_to_retransmission
+
+---
+ include/impair.h | 2 ++
+ lib/libswan/impair.c | 6 ++++++
+ programs/pluto/ikev1.c | 10 ++++++++++
+ 3 files changed, 18 insertions(+)
+
+diff --git a/include/impair.h b/include/impair.h
+index 6b045b6125..9fb1ed1be5 100644
+--- a/include/impair.h
++++ b/include/impair.h
+@@ -155,6 +155,8 @@ struct impair {
+
+ bool event_check_crls;
+
++ bool copy_v1_notify_response_SPIs_to_retransmission;
++
+ /*
+ * add more here
+ */
+diff --git a/lib/libswan/impair.c b/lib/libswan/impair.c
+index e4ab1f9b00..a6261451ce 100644
+--- a/lib/libswan/impair.c
++++ b/lib/libswan/impair.c
+@@ -97,6 +97,8 @@ struct impairment impairments[] = {
+
+ #define A(WHAT, ACTION, PARAM, HELP, UNSIGNED_HELP, ...) { .what = WHAT, .action = CALL_##ACTION, .param = PARAM, .help = HELP, .unsigned_help = UNSIGNED_HELP, ##__VA_ARGS__, }
+ #define V(WHAT, VALUE, HELP, ...) { .what = WHAT, .action = CALL_IMPAIR_UPDATE, .value = &impair.VALUE, .help = HELP, .sizeof_value = sizeof(impair.VALUE), ##__VA_ARGS__, }
++#define B(VALUE, HELP, ...) \
++ { .what = #VALUE, .action = CALL_IMPAIR_UPDATE, .value = &impair.VALUE, .help = HELP, .sizeof_value = sizeof(impair.VALUE), ##__VA_ARGS__, }
+
+ V("allow-dns-insecure", allow_dns_insecure, "allow IPSECKEY lookups without DNSSEC protection"),
+ V("allow-null-none", allow_null_none, "cause pluto to allow esp=null-none and ah=none for testing"),
+@@ -202,6 +204,10 @@ struct impairment impairments[] = {
+ A("event-sa-replace", STATE_EVENT_HANDLER, EVENT_SA_REPLACE,
+ "trigger the replace event", "SA"),
+
++ B(copy_v1_notify_response_SPIs_to_retransmission,
++ "copy SPIs in IKEv1 notify response to last sent packet and then retransmit"),
++
++#undef B
+ #undef V
+ #undef A
+
+diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c
+index 22e2a48cd9..91628e5a2c 100644
+--- a/programs/pluto/ikev1.c
++++ b/programs/pluto/ikev1.c
+@@ -2240,6 +2240,16 @@ void process_packet_tail(struct msg_digest *md)
+ str_enum(& ikev1_notify_names,
+ p->payload.notification.isan_type, &b));
+ } else {
++ if (impair.copy_v1_notify_response_SPIs_to_retransmission) {
++ ldbg(st->st_logger, "IMPAIR: copying notify response SPIs to recorded message and then resending it");
++ /* skip non-ESP marker if needed */
++ size_t skip = (st->st_interface->esp_encapsulation_enabled ? NON_ESP_MARKER_SIZE : 0);
++ size_t spis = sizeof(md->hdr.isa_ike_spis);
++ PASSERT(st->st_logger, st->st_v1_tpacket.len >= skip + spis);
++ memcpy(st->st_v1_tpacket.ptr + skip, &md->hdr.isa_ike_spis, spis);
++ resend_recorded_v1_ike_msg(st, "IMPAIR: retransmitting mangled packet");
++ }
++
+ enum_buf b;
+ LOG_PACKET(RC_LOG_SERIOUS,
+ "ignoring informational payload %s, msgid=%08" PRIx32 ", length=%d",
+--
+2.39.2
+
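Review bot: The file bundles a second upstream commit that is not part of the CVE-2023-30570 fix — `[PATCH 2/2] ikev1: add --impair copy_v1_notify_response_SPIs_to_retransmission` (the include/impair.h, lib/libswan/impair.c and process_packet_tail hunks) — under a file named for the fix, with nothing saying why it is carried. If the impair knob is only needed to reproduce the issue in the test suite, a line in the patch preamble such as `# PATCH 2/2 adds a test-only --impair option used to exercise the CVE-2023-30570 fix; not needed at runtime` would keep the provenance clear for the next rebase. The impairment branch dereferences `st->st_interface` and asserts on `st_v1_tpacket.len`, gated only on `impair.copy_v1_notify_response_SPIs_to_retransmission`, so it should stay unreachable in production configurations. The fix itself leaves a documented residual risk in complete_v1_state_transition (`Deleting the state means that pluto has no way to detect and ignore amplification attacks`), which is worth recording in the package %changelog rather than only inside the patch.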
diff --git a/libreswan-4.6-ikev1-policy-defaults-to-drop.patch b/libreswan-4.6-ikev1-policy-defaults-to-drop.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ebcb2e004d2fb332b18a397d71f1b2b1c5d304b4
--- /dev/null
+++ b/libreswan-4.6-ikev1-policy-defaults-to-drop.patch
@@ -0,0 +1,80 @@
+From 13720e0dedcab1eaf3334a73a42b68581acd9f3b Mon Sep 17 00:00:00 2001
+From: Daniel Kahn Gillmor
+Date: Fri, 7 Jan 2022 18:36:47 -0500
+Subject: [PATCH] ikev1-policy defaults to drop
+
+IKEv2 has been available for 16 years (RFC 4306 was published December
+2005). At some point, we should be discouraging IKEv1 adoption.
+
+To the extent that a user needs IKEv1, they can manually add
+ikev1-policy=accept to /etc/ipsec.conf.
+---
+ configs/d.ipsec.conf/ikev1-policy.xml | 7 ++++---
+ include/ipsecconf/keywords.h | 2 +-
+ lib/libipsecconf/confread.c | 1 +
+ programs/pluto/server.c | 5 -----
+ 4 files changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/configs/d.ipsec.conf/ikev1-policy.xml b/configs/d.ipsec.conf/ikev1-policy.xml
+index 17d1747e3b..3bd6702564 100644
+--- a/configs/d.ipsec.conf/ikev1-policy.xml
++++ b/configs/d.ipsec.conf/ikev1-policy.xml
+@@ -3,9 +3,10 @@
+
+
+ What to do with received IKEv1 packets. Valid options are
+-accept (default), reject which
+-will reply with an error, and drop which will silently drop
+-any received IKEv1 packet. If this option is set to drop or reject, an attempt to load an
++drop (default) which will silently drop
++any received IKEv1 packet, accept, and
++reject which will reply with an error.
++If this option is set to drop or reject, an attempt to load an
+ IKEv1 connection will fail, as these connections would never be able to receive a packet
+ for processing.
+
+diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
+index 660847733c..31b519242a 100644
+--- a/include/ipsecconf/keywords.h
++++ b/include/ipsecconf/keywords.h
+@@ -111,7 +111,7 @@ enum keyword_numeric_config_field {
+
+ KBF_LISTEN_TCP, /* listen on TCP port 4500 - default no */
+ KBF_LISTEN_UDP, /* listen on UDP port 500/4500 - default yes */
+- KBF_GLOBAL_IKEv1, /* global ikev1 policy - default accept */
++ KBF_GLOBAL_IKEv1, /* global ikev1 policy - default drop */
+ KBF_ROOF
+ };
+
+diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
+index 5b5aba723f..68fbccf442 100644
+--- a/lib/libipsecconf/confread.c
++++ b/lib/libipsecconf/confread.c
+@@ -95,6 +95,7 @@ static void ipsecconf_default_values(struct starter_config *cfg)
+ /* Don't inflict BSI requirements on everyone */
+ SOPT(KBF_SEEDBITS, 0);
+ SOPT(KBF_DROP_OPPO_NULL, false);
++ SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);
+
+ #ifdef HAVE_LABELED_IPSEC
+ SOPT(KBF_SECCTX, SECCTX);
+diff --git a/programs/pluto/server.c b/programs/pluto/server.c
+index 665f0ed8b9..448dbca076 100644
+--- a/programs/pluto/server.c
++++ b/programs/pluto/server.c
+@@ -188,12 +188,7 @@ bool pluto_listen_tcp = false;
+ enum ddos_mode pluto_ddos_mode = DDOS_AUTO; /* default to auto-detect */
+
+ enum global_ikev1_policy pluto_ikev1_pol =
+-#ifdef USE_IKEv1
+- GLOBAL_IKEv1_ACCEPT;
+-#else
+- /* there is no IKEv1 code compiled in to send a REJECT */
+ GLOBAL_IKEv1_DROP;
+-#endif
+
+ #ifdef HAVE_SECCOMP
+ enum seccomp_mode pluto_seccomp_mode = SECCOMP_DISABLED;
+--
+2.34.1
+
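Review bot: The new compiled-in default `pluto_ikev1_pol = GLOBAL_IKEv1_DROP` together with `SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP)` changes behaviour for every installation that relied on the previous `accept` default: after the upgrade, IKEv1 connections fail to load (as the ikev1-policy.xml text in this same patch states) until `ikev1-policy=accept` is added to /etc/ipsec.conf. Nothing in the patch or the visible spec hunks records this as an upgrade-impact note; a %changelog line such as `IKEv1 packets are now dropped by default; set ikev1-policy=accept in ipsec.conf to restore the previous behaviour` would avoid a silent outage for operators. The server.c hunk also removes the `#ifdef USE_IKEv1` distinction, so the default is DROP regardless of whether IKEv1 is compiled in — consistent, but worth stating in the patch description.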
diff --git a/libreswan-4.6-openssl3.patch b/libreswan-4.6-openssl3.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a5e0f9d3aae797b8a1a3b7399dd526db7f79a427
--- /dev/null
+++ b/libreswan-4.6-openssl3.patch
@@ -0,0 +1,52 @@
+From 0212bc6a7c0ac3aa5d8da82bf22132993d339ffc Mon Sep 17 00:00:00 2001
+From: Paul Wouters
+Date: Thu, 13 Jan 2022 15:31:50 -0500
+Subject: [PATCH] building: fix fedora rawhide build
+
+Avoid clashing openssl/nss headers
+
+Patch based on work by Daiki Ueno
+
+Resolves: https://github.com/libreswan/libreswan/pull/611
+---
+ programs/pluto/ikev2_ipseckey.h | 4 ++--
+ programs/pluto/ikev2_ipseckey_dnsr.c | 4 +++-
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/programs/pluto/ikev2_ipseckey.h b/programs/pluto/ikev2_ipseckey.h
+index 243e5b1776..5ef3f966ec 100644
+--- a/programs/pluto/ikev2_ipseckey.h
++++ b/programs/pluto/ikev2_ipseckey.h
+@@ -1,5 +1,3 @@
+-#include "state.h"
+-
+ #ifndef _IKEV2_IPSECKEY_H
+ #define _IKEV2_IPSECKEY_H
+
+@@ -11,6 +9,8 @@
+
+ #define IS_LIBUNBOUND LSW_LIBUNBOUND_ENABLED
+
++struct ike_sa;
++
+ typedef enum {
+ DNS_OK = STF_OK,
+ DNS_FATAL = STF_FATAL,
+diff --git a/programs/pluto/ikev2_ipseckey_dnsr.c b/programs/pluto/ikev2_ipseckey_dnsr.c
+index b07ed72f2b..09767bf65d 100644
+--- a/programs/pluto/ikev2_ipseckey_dnsr.c
++++ b/programs/pluto/ikev2_ipseckey_dnsr.c
+@@ -32,7 +32,9 @@
+ #include "dnssec.h" /* includes unbound.h */
+ #include "ikev2_ipseckey.h" /* for dns_status */
+ #include "ikev2_ipseckey_dnsr.h"
+-#include "secrets.h"
++
++/* Do not include secrets.h as it will cause conflicts via NSS/OPENSSL headers */
++extern const struct pubkey_type pubkey_type_rsa;
+
+ struct p_dns_req *pluto_dns_list = NULL; /* DNS queries linked list */
+
+--
+2.31.1
+
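Review bot: The replacement `extern const struct pubkey_type pubkey_type_rsa;` in ikev2_ipseckey_dnsr.c duplicates a declaration that presumably lives in secrets.h; since C does not check a variable's type across translation units, a later change to the definition's type would compile cleanly and only surface at runtime (or, under LTO, as a -Wlto-type-mismatch diagnostic, which the spec in this same commit silences with `-Wno-lto-type-mismatch`). Suggest extending the existing comment so a rebase re-checks it: `/* Do not include secrets.h as it will cause conflicts via NSS/OPENSSL headers; keep this in sync with the declaration of pubkey_type_rsa in secrets.h */`. The header change replacing `#include "state.h"` with `struct ike_sa;` is fine as long as nothing else in ikev2_ipseckey.h needs a complete type from state.h — the rest of that header is outside the hunk.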
diff --git a/libreswan.spec b/libreswan.spec
index 77ec46646d19b43f8c83d2a95ed8084e854c9177..6aeebba5d0749635561eb0ad29de783b5ddfd512 100644
--- a/libreswan.spec
+++ b/libreswan.spec
@@ -4,56 +4,46 @@
%global with_efence 0
%global with_development 0
%global with_cavstests 1
-# minimum version for support for rhbz#1651314
-# should prob update for nss with IKEv1 quick mode support
-%global nss_version 3.53.1
+%global nss_version 3.52
%global unbound_version 1.6.6
+# Libreswan config options
%global libreswan_config \\\
FINALLIBEXECDIR=%{_libexecdir}/ipsec \\\
FINALMANDIR=%{_mandir} \\\
- FINALNSSDIR=%{_sysconfdir}/ipsec.d \\\
- INITSYSTEM=systemd \\\
- NSS_HAS_IPSEC_PROFILE=true \\\
- NSS_REQ_AVA_COPY=false \\\
PREFIX=%{_prefix} \\\
+ INITSYSTEM=systemd \\\
PYTHON_BINARY=%{__python3} \\\
SHELL_BINARY=%{_bindir}/sh \\\
USE_DNSSEC=true \\\
- USE_FIPSCHECK=false \\\
USE_LABELED_IPSEC=true \\\
USE_LDAP=true \\\
USE_LIBCAP_NG=true \\\
USE_LIBCURL=true \\\
USE_LINUX_AUDIT=true \\\
USE_NM=true \\\
- USE_NSS_KDF=true \\\
+ USE_NSS_IPSEC_PROFILE=true \\\
USE_SECCOMP=true \\\
USE_AUTHPAM=true \\\
- USE_DH2=true \\\
%{nil}
-#global prever rc1
+#global prever dr1
Name: libreswan
-Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
+Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
# version is generated in the release script
-Version: 4.5
-Release: %{?prever:0.}1%{?prever:.%{prever}}%{anolis_release}%{?dist}
+Version: 4.6
+Release: %{?prever:0.}3%{?prever:.%{prever}}%{anolis_release}%{?dist}.1
License: GPLv2
Url: https://libreswan.org/
-
-Source0: https://download.libreswan.org/%{?prever:with_development/}%{name}-%{version}%{?prever}.tar.gz
+Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
%if 0%{with_cavstests}
Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2
Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif
-
-Patch1: libreswan-4.3-maintain-different-v1v2-split.patch
-Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch
-Patch3: libreswan-4.1-maintain-obsolete-keywords.patch
-Patch6: libreswan-4.3-1934186-config.patch
-Patch7: libreswan-4.4-ikev1-disable-diagnostics.patch
+Patch0: libreswan-4.6-openssl3.patch
+Patch1: libreswan-4.6-ikev1-policy-defaults-to-drop.patch
+Patch2: libreswan-4.6-ikev1-aggr.patch
#Add by Anolis
Patch1000: 0001-libreswan-anolis-rebrand-to-anolis.patch
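Review bot: `%global nss_version` is lowered from 3.53.1 to 3.52 while the comment that explained the 3.53.1 floor (`# minimum version for support for rhbz#1651314`) is dropped, with nothing saying why the lower bound is now safe; if the referenced fix is still required, `BuildRequires: nss-devel >= %{nss_version}` now admits an NSS that lacks it. Suggest either keeping 3.53.1 or adding a comment next to the new value such as `# 3.52 is sufficient for 4.6: <reason>`. The same hunk also drops `FINALNSSDIR`, `NSS_HAS_IPSEC_PROFILE`, `NSS_REQ_AVA_COPY`, `USE_FIPSCHECK=false`, `USE_NSS_KDF` and `USE_DH2` from libreswan_config; if these options went away upstream in 4.6 that is fine, but a one-line comment saying so would spare the next rebase from re-checking each one.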
@@ -64,6 +54,7 @@ BuildRequires: bison
BuildRequires: curl-devel
BuildRequires: flex
BuildRequires: gcc make
+BuildRequires: hostname
BuildRequires: ldns-devel
BuildRequires: libcap-ng-devel
BuildRequires: libevent-devel
@@ -71,12 +62,10 @@ BuildRequires: libseccomp-devel
BuildRequires: libselinux-devel
BuildRequires: nspr-devel
BuildRequires: nss-devel >= %{nss_version}
-BuildRequires: nss-tools
+BuildRequires: nss-tools >= %{nss_version}
BuildRequires: openldap-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
-BuildRequires: hostname
-BuildRequires: redhat-rpm-config
BuildRequires: systemd-devel
BuildRequires: unbound-devel >= %{unbound_version}
BuildRequires: xmlto
@@ -95,7 +84,7 @@ Requires(preun): systemd
Requires(postun): systemd
%description
-Libreswan is a free implementation of IKE/IPsec for Linux. IPsec is
+Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is
the Internet Protocol Security and uses strong cryptography to provide
both authentication and encryption services. These services allow you
to build secure tunnels through untrusted networks. Everything passing
@@ -112,16 +101,11 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
%prep
%setup -q -n libreswan-%{version}%{?prever}
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch6 -p1
-%patch7 -p1
+%patch0 -p1 -b .openssl3
+%patch1 -p1 -b .ikev1-drop
+%patch2 -p1 -b .ikev1-aggr
%patch1000 -p1
-# linking to freebl is not needed
-sed -i "s/-lfreebl //" mk/config.mk
-
# enable crypto-policies support
sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in
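Review bot: The three new `%patch` lines pass a `-b` backup suffix while the unchanged `%patch1000 -p1` below them does not, so the Anolis patch is applied in a different style from the rest; `%patch1000 -p1 -b .anolis` would keep the block uniform. The removed `sed -i "s/-lfreebl //" mk/config.mk` presumably reflects that the 4.6 tarball no longer references `-lfreebl` (the 3.26-2 changelog entry says the link was already unnecessary), but since that was the only thing preventing the link, it is worth confirming against the new `mk/config.mk` rather than assuming.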
@@ -132,20 +116,21 @@ make %{?_smp_mflags} \
%else
OPTIMIZE_CFLAGS="%{optflags}" \
%endif
+ WERROR_CFLAGS="-Werror -Wno-missing-field-initializers -Wno-lto-type-mismatch -Wno-maybe-uninitialized" \
%if 0%{with_efence}
USE_EFENCE=true \
%endif
- WERROR_CFLAGS="-Werror -Wno-missing-field-initializers" \
- USERLINK="%{?__global_ldflags}" \
+ USERLINK="%{?__global_ldflags} -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -flto --no-lto" \
%{libreswan_config} \
programs
FS=$(pwd)
+
%install
make \
- DESTDIR=%{buildroot} \
- %{libreswan_config} \
- install
+ DESTDIR=%{buildroot} \
+ %{libreswan_config} \
+ install
FS=$(pwd)
rm -rf %{buildroot}/usr/share/doc/libreswan
rm -rf %{buildroot}%{_libexecdir}/ipsec/*check
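Review bot: The new WERROR_CFLAGS line adds `-Wno-maybe-uninitialized`, which silences the warning class that previously surfaced a real defect in this package (the 3.32-3 changelog entry added in this same diff records an uninitialized `ppk_id_p` in the IKEv2 parent exchange); for a daemon that parses network input, keeping that diagnostic visible is the safer default. If the suppression is there only because LTO produces spurious reports, prefer fixing or annotating the offending sites, or at least state the reason so it gets revisited: `# -Wno-maybe-uninitialized: false positives under LTO with GCC <TOOLCHAIN-VERSION>; re-check on toolchain updates`. The `-Wl,-z,relro -Wl,-z,now` now spelled out in USERLINK are harmless when `%{__global_ldflags}` already supplies them and guarantee full RELRO when it does not, which is reasonable given the earlier hunk drops the `redhat-rpm-config` BuildRequires. Moving WERROR_CFLAGS out of the efence conditional does not change what is passed, only where it is written.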
@@ -155,10 +140,10 @@ install -d %{buildroot}%{_sbindir}
install -d %{buildroot}%{_sysconfdir}/sysctl.d
install -m 0644 packaging/fedora/libreswan-sysctl.conf \
- %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
+ %{buildroot}%{_sysconfdir}/sysctl.d/50-libreswan.conf
echo "include %{_sysconfdir}/ipsec.d/*.secrets" \
- > %{buildroot}%{_sysconfdir}/ipsec.secrets
+ > %{buildroot}%{_sysconfdir}/ipsec.secrets
rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc*
%if 0%{with_cavstests}
@@ -179,6 +164,7 @@ bunzip2 *.fax.bz2
%{buildroot}%{_libexecdir}/ipsec/cavp -v1psk ikev1_psk.fax | \
diff -u ikev1_psk.fax - > /dev/null
: CAVS tests passed
+%endif
# Some of these tests will show ERROR for negative testing - it will exit on real errors
%{buildroot}%{_libexecdir}/ipsec/algparse -tp || { echo prooposal test failed; exit 1; }
@@ -191,8 +177,6 @@ certutil -N -d sql:$tmpdir --empty-password
%{buildroot}%{_libexecdir}/ipsec/pluto --selftest --nssdir $tmpdir --rundir $tmpdir
: pluto self-test passed - verify FIPS algorithms allowed is still compliant with NIST
-%endif
-
%post
%systemd_post ipsec.service
@@ -212,151 +196,169 @@ certutil -N -d sql:$tmpdir --empty-password
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysctl.d/50-libreswan.conf
%attr(0755,root,root) %dir %{_rundir}/pluto
+%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec
+%attr(0700,root,root) %dir %{_sharedstatedir}/ipsec/nss
%attr(0644,root,root) %{_tmpfilesdir}/libreswan.conf
%attr(0644,root,root) %{_unitdir}/ipsec.service
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/pluto
%config(noreplace) %{_sysconfdir}/logrotate.d/libreswan
%{_sbindir}/ipsec
%{_libexecdir}/ipsec
-%attr(0644,root,root) %doc %{_mandir}/*/*
+%doc %{_mandir}/*/*
%changelog
-* Mon Apr 18 2022 yangxiaoxuan - 4.5-1.0.1
+* Fri May 5 2023 yangxiaoxuan - 4.6-3.0.1.1
- Rebrand to anolis
-* Thu Jan 13 2022 Daiki Ueno - 4.5-1
-- Resolves: rhbz#2017352 Rebase libreswan to 4.5
-- Resolves: rhbz#2036903 ikev1: disable diagnostics logging on receiving malformed packets
+* Fri Apr 21 2023 Daiki Ueno - 4.6-3.1
+- Resolves: rhbz#2187170 fix handling of IKEv1 aggressive mode packets
-* Wed May 26 2021 Daiki Ueno - 4.4-1
-- Resolves: rhbz#1958968 Rebase libreswan to 4.4
-- Resolves: rhbz#1954423 Libreswan: TS_UNACCEPTABLE on multiple connections between the same peers
+* Wed Feb 2 2022 Daiki Ueno - 4.6-3
+- Drop IKEv1 packets by default, based on the Debian patch
+ by Daniel Kahn Gillmor (rhbz#2039877)
-* Thu Mar 04 2021 Paul Wouters - 4.3-3
-- Resolves: rhbz#1933064 - IKEv2 support for Labeled IPsec
-- Resolves: rhbz#1935150 RFE: Support IKE and ESP over TCP: RFC 8229
-- Resolves: rhbz#1935339 virtual_private setting is missing in the default config
+* Mon Jan 17 2022 Daiki Ueno - 4.6-2
+- Related: rhbz#2017355 rebuild to reflect gating.yaml change
-* Sun Feb 21 2021 Paul Wouters - 4.3-1
-- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec [update]
+* Mon Jan 17 2022 Daiki Ueno - 4.6-1
+- Update to 4.6. Resolves: rhbz#2017355
-* Thu Feb 04 2021 Paul Wouters - 4.2-1
-- Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.2
-- Resolves: rhbz#1025061 - IKEv2 support for Labeled IPsec
+* Mon Jan 10 2022 Daiki Ueno - 4.5-1
+- Update to 4.5. Resolves: rhbz#2017355
-* Tue Oct 27 22:11:42 EDT 2020 Paul Wouters - 4.1-1
-- Resolves: rhbz#1891128 [Rebase] rebase libreswan to 4.1
-- Resolves: rhbz#1889836 libreswan: add 3.x compat patches for obsoleted/removed keywords of 4.0 and re-port ikev2= patch
+* Mon Aug 09 2021 Mohan Boddu - 4.4-3.1
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
-* Wed Jul 29 2020 Paul Wouters - 3.32-6
-- Resolves: rhbz#1861360 authby=rsasig must not imply usage of rsa-pss
+* Wed Jul 21 2021 Daiki Ueno - 4.4-3
+- Backport removal gethostbyname2 uses from the upstream
+- Fix issues spotted by covscan (rhbz#1938784)
-* Wed Jul 22 2020 Paul Wouters - 3.32-5
-- Resolves: rhbz#1820206 Rebase to libreswan 3.32 [rebuild for USE_NSS_PRF]
+* Tue Jul 13 2021 Daiki Ueno - 4.4-2
+- Rebuild with newer GCC to fix annocheck failures
-* Wed Jul 01 2020 Paul Wouters - 3.32-4
-- Resolves: rhbz#1544463 ipsec service does not work correctly when seccomp filtering is enabled
+* Thu Jul 1 2021 Daiki Ueno - 4.4-1
+- Update to 4.4. Resolves: rhbz#1975812
+- Port compiler warning suppression by Paul Wouters:
+ https://src.fedoraproject.org/rpms/libreswan/c/8d7f98d41444ac77c562f735b4b93038f5346ce2?branch=rawhide
-* Wed Jun 17 2020 Paul Wouters - 3.32-3
-- Resolves: rhbz#1842597 regression: libreswan does not send PLUTO_BYTES env variables to updown script
-- Resolves: rhbz#1847766 subsequent xfrmi interfaces configured outside of libreswan are not recognised properly
-- Resolves: rhbz#1840212 protect libreswan against unannounced nss ABI change
+* Thu Jun 24 2021 Daiki Ueno - 4.2-1.3
+- Fix FTBFS with OpenSSL 3.0 (rhbz#1975439)
-* Thu Jun 11 2020 Paul Wouters - 3.32-2
-- Resolves: rhbz#1820206 Rebase to libreswan 3.32 [addconn fix]
+* Tue Jun 22 2021 Mohan Boddu - 4.2-1.2
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+ Related: rhbz#1971065
-* Thu Apr 30 2020 Paul Wouters - 3.32-1
-- Resolves: rhbz#1820206 Rebase to libreswan 3.32
-- Resolves: rhbz#1816265 Use NSS to check whether FIPS mode is enabled
-- Resolves: rhbz#1826337 libreswan in FIPS mode rejects ECDSA keys based on faulty RSA key size check being applied
+* Fri Apr 16 2021 Mohan Boddu - 4.2-1.1
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-* Tue Aug 13 2019 Paul Wouters - 3.29-6
-- Resolves: rhbz#1714331 support NSS based IKE KDF's [require updated nss for rhbz 1738689, memleak fix]
+* Wed Feb 03 2021 Paul Wouters - 4.2-1
+- Update to 4.2
-* Thu Aug 08 2019 Paul Wouters - 3.29-5
-- Resolves: rhbz#1714331 support NSS based IKE KDF's so libreswan does not need FIPS certification
+* Tue Jan 26 2021 Fedora Release Engineering - 4.2-0.1.rc1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-* Thu Aug 01 2019 Paul Wouters - 3.29-4
-- Resolves: rhbz#1699318 'ipsec show' has python3 invalid syntax
+* Sat Dec 19 19:59:55 EST 2020 Paul Wouters - 4.2-0.1.rc1
+- Resolves: rhbz#1867580 pluto process frequently dumps core
+ (disable USE_NSS_KDF until nss fixes have propagated)
-* Thu Jul 04 2019 Paul Wouters - 3.29-3
-- Resolves: rhbz#1725205 XFRM policy for OE/32 peer is deleted when shunts for previous half-open state expire
+* Sat Dec 19 2020 Adam Williamson - 4.1-4
+- Rebuild for ldns soname bump
-* Thu Jun 27 2019 Paul Wouters - 3.29-2
-- Resolves: rhbz#1723957 libreswan is missing linux audit calls for failed IKE SAs and failed IPsec SAs required for Common Criteria
+* Mon Nov 23 11:50:41 EST 2020 Paul Wouters - 4.1-3
+- Resolves: rhbz#1894381 Libreswan 4.1-2 breaks l2tp connection to Windows VPN server
-* Mon Jun 10 2019 Paul Wouters - 3.29-1
-- Resolves: rhbz#1712555 libreswan rebase to 3.29
+* Mon Oct 26 10:21:57 EDT 2020 Paul Wouters - 4.1-2
+- Resolves: rhbz#1889538 libreswan's /var/lib/ipsec/nss missing
-* Tue May 28 2019 Paul Wouters - 3.28-2
-- Resolves: rhbz#1713734: barf: shell syntax error in barf diagnostic tool
+* Sun Oct 18 21:49:39 EDT 2020 Paul Wouters - 4.1-1
+- Updated to 4.1 - interop fix for Cisco
-* Tue May 21 2019 Paul Wouters - 3.28-1
-- Resolves: rhbz#1712555 libreswan rebase to 3.28
-- Resolves: rhbz#1683706 Libreswan shows incorrect error messages
-- Resolves: rhbz#1706180 Remove last usage of old (unused) PF_KEY API
-- Resolves: rhbz#1677045 Opportunistic IPsec instances of /32 groups or auto=start that receive delete won't restart
-- Resolves: rhbz#1686990 IKEv1 traffic interruption when responder deletes SAs 60 seconds before EVENT_SA_REPLACE
-- Resolves: rhbz#1608353 /usr/sbin/ipsec part of the libreswan packages still invokes commands that were deprecated a decade ago
-- Resolves: rhbz#1699318 'ipsec show' has python3 invalid syntax
-- Resolves: rhbz#1679394 libreswan using NSS IPsec profiles regresses when critical flags are set causing validation failure
+* Thu Oct 15 10:27:14 EDT 2020 Paul Wouters - 4.0-1
+- Resolves: rhbz#1888448 libreswan-4.0 is available
+
+* Wed Sep 30 14:05:58 EDT 2020 Paul Wouters - 4.0-0.2.rc1
+- Rebuild for libevent 2.1.12 with a soname bump
-* Thu Feb 21 2019 Paul Wouters - 3.27-9
-- Resolves: rhbz#1648776 limit connections to be ikev1only or ikev2only and make ikev2only the default [man page update]
+* Sun Sep 27 22:49:40 EDT 2020 Paul Wouters - 4.0-0.1.rc1
+- Updated to 4.0rc1
-* Fri Feb 15 2019 Paul Wouters - 3.27-8
-- Resolves: rhbz#1664101 system wide crypto policies causing IKE_INIT packet fragmentation
+* Thu Aug 27 2020 Paul Wouters - 3.32-4
+- Resolves: rhbz#1864043 libreswan: FTBFS in Fedora rawhide/f33
-* Tue Feb 05 2019 Paul Wouters - 3.27-7
-- Resolves: rhbz#1671793 proessing ISAKMP_NEXT_D with additional payloads causes dangling pointer to deleted state
+* Sat Aug 01 2020 Fedora Release Engineering - 3.32-3.2
+- Second attempt - Rebuilt for
+ https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-* Fri Feb 01 2019 Paul Wouters - 3.27-6
-- Resolves: rhbz#1668342 SELinux prevents libreswan from using some outbound ports causing DNS resolution failures at connection at load time
+* Tue Jul 28 2020 Fedora Release Engineering - 3.32-3.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-* Thu Jan 10 2019 Paul Wouters - 3.27-5
-- Resolves: rhbz#1664522 libreswan 3.25 in FIPS mode is incorrectly rejecting X.509 public keys that are >= 3072 bits
+* Tue Jun 30 2020 Jeff Law - 3.32-3
+- Initialize ppk_id_p in ikev2_parent_inR1outI2_tail to avoid uninitialized
+ object
-* Mon Dec 10 2018 Paul Wouters - 3.27-4
-- Resolves: rhbz#1657846 libreswan no longer needs to provide openswan in rhel8
-- Resolves: rhbz#1643388 libreswan: Unable to verify certificate with non-empty Extended Key Usage which does not include serverAuth or clientAuth
-- Resolves: rhbz#1657854 remove userland support for deprecated KLIPS IPsec stack support
+* Tue May 26 2020 Paul Wouters - 3.32-2
+- Backport NSS guarding fix for unannounced changed api in NSS causing segfault
-* Sun Dec 09 2018 Paul Wouters - 3.27-3
-- Resolves: rhbz#1648776 limit connections to be ikev1only or ikev2only and make ikev2only the default
+* Mon May 11 2020 Paul Wouters - 3.32-1
+- Resolves: rhbz#1809770 libreswan-3.32 is available
-* Thu Nov 08 2018 Paul Wouters - 3.27-2
-- Resolves: rhbz#1645137 Libreswan segfaults when it loads configuration file with more then 5 connections
+* Tue Apr 14 2020 Paul Wouters - 3.31-2
+- Resolves: rhbz#1823823 Please drop the dependency on fipscheck
+
+* Tue Mar 03 2020 Paul Wouters - 3.31-1
+- Resolves: rhbz#1809770 libreswan-3.31 is available (fixes rekey regression)
+
+* Fri Feb 14 2020 Paul Wouters - 3.30-1
+- Resolves: rhbz#1802896 libreswan-3.30 is available
+- Resolves: rhbz#1799598 libreswan: FTBFS in Fedora rawhide/f32
+- Resolves: rhbz#1760571 [abrt] libreswan: configsetupcheck(): verify:366:configsetupcheck:TypeError:
+
+* Wed Jan 29 2020 Fedora Release Engineering - 3.29-2.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jan 09 2020 Paul Wouters - 3.29-2
+- _updown.netkey: fix syntax error in checking routes
+
+* Thu Jul 25 2019 Fedora Release Engineering - 3.29-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon Jun 10 2019 Paul Wouters - 3.29-1
+- Resolves: rhbz#1718986 Updated to 3.29 for CVE-2019-10155
+
+* Tue May 21 2019 Paul Wouters - 3.28-1
+- Updated to 3.28 (many imported bugfixes, including CVE-2019-12312)
+
+* Fri Feb 01 2019 Fedora Release Engineering - 3.27-1.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jan 14 2019 Björn Esser - 3.27-1.1
+- Rebuilt for libcrypt.so.2 (#1666033)
* Mon Oct 08 2018 Paul Wouters - 3.27-1
-- Resolves: rhbz#1566574 Rebase to libreswan 3.27
+- Updated to 3.27 (various bugfixes)
-* Mon Sep 17 2018 Paul Wouters - 3.26-1
-- Resolves: rhbz#1566574 Rebase to libreswan 3.26
-- Resolves: rhbz#1527037 libreswan IPSEC implementation: should follow the policies of system-wide crypto policy
-- Resolves: rhbz#1375779 [IKEv2 Conformance] Test IKEv2.EN.R.1.1.6.7: Sending INVALID_KE_PAYLOAD failed
-- Resolves: rhbz#1085758 [TAHI][IKEv2] IKEv2.EN.I.1.2.1.1: Can't observe CREATE_CHILD_SA request for rekey
-- Resolves: rhbz#1053048 [TAHI][IKEv2] IKEv2.EN.I.1.2.4.1-7: libreswan doesn't sent CREATE_CHILD_SA after IKE_SA Lifetime timeout
+* Thu Sep 27 2018 Paul Wouters - 3.26-3
+- Add fedora python fixup for _unbound-hook
+
+* Mon Sep 17 2018 Paul Wouters - 3.26-2
+- linking against freebl is no longer needed (and wasn't done in 3.25)
-* Mon Aug 13 2018 Paul Wouters - 3.25-4
-- Resolves: rhbz#1590823 libreswan: Use Python 3 in RHEL 8
+* Mon Sep 17 2018 Paul Wouters - 3.26-1
+- Updated to 3.26 (CHACHA20POLY1305, ECDSA and RSA-PSS support)
-* Wed Aug 01 2018 Charalampos Stratakis - 3.25-3.1
-- Rebuild for platform-python
+* Fri Jul 13 2018 Fedora Release Engineering - 3.25-3.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Jul 09 2018 Paul Wouters - 3.25-3
-- Cleanup shebangs for python3
-- Use the same options via macro for make programs and make install
-- Remove old ifdefs
-- Sync up patches to new upstream version
-- Add Requires: for unbound-libs >= 1.6.6
-- Enable crypto-policies support
-- Make rundir world readable for easier permission granting for socket
+- Fix Opportunistic IPsec _unbound-hook argument parsing
+- Make rundir readable for all (so we can hand out permissions later)
-* Tue Jun 26 2018 Charalampos Stratakis - 3.23-2.2
-- Make python shebangs point to python3
+* Mon Jul 02 2018 Paul Wouters - 3.25-2
+- Relax deleting IKE SA's and IPsec SA's to avoid interop issues with third party VPN vendors
-* Fri Jun 22 2018 Troy Dawson - 3.23-2.1
-- Fix python shebangs (#1580773)
+* Wed Jun 27 2018 Paul Wouters - 3.25-1
+- Updated to 3.25
* Mon Feb 19 2018 Paul Wouters - 3.23-2
- Support crypto-policies package
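Review bot: The two new `%attr(0700,root,root) %dir` entries for `%{_sharedstatedir}/ipsec` and `%{_sharedstatedir}/ipsec/nss` are the right restriction for the directory holding the NSS database (the 4.1-2 changelog line added here records `/var/lib/ipsec/nss` having been missing), but nothing in the visible `%install` creates them, so packaging relies on upstream `make install` producing both paths; rpmbuild fails on a listed directory absent from the buildroot, so either confirm that or add `install -d -m 0700 %{buildroot}%{_sharedstatedir}/ipsec/nss` next to the other `install -d` calls. A short comment would help the next maintainer keep the mode: `# NSS database directory holds the daemon's private keys; must stay root-only`. The `%doc %{_mandir}/*/*` line drops the explicit 0644 attribute, which is fine only if the upstream install already sets the default mode on the manual pages.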
@@ -410,7 +412,7 @@ certutil -N -d sql:$tmpdir --empty-password
- Remove support for /etc/sysconfig/pluto (use native systemd instead)
* Thu May 05 2016 Paul Wouters - 3.17-2
-- Resolves: rhbz#1324956 prelink is gone, /etc/prelink.conf.d/* is no longer used
+- Resolves: rhbz#1324956 prelink is gone, /etc/prelink.conf.d/* is no longer used
* Thu Apr 07 2016 Paul Wouters - 3.17-1
- Updated to 3.17 for CVE-2016-3071